Good point, Bret. I can think of some ways:
1) You can construct a read-only FV for variable storage and provision the PK, KEK, and db there. Just use a read-only FVB.
2) You can embed the PK, KEK, and db in FFS. Then use a special provisioning driver to create these variables during boot. You just need an emulator variable driver.
You can make the decision based upon the current FVB driver or variable driver.
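Whichever of the two approaches above is taken, the PK/KEK/db payload that gets embedded in the FV or FFS must already be in the EFI_SIGNATURE_LIST layout that the variable and image-verification code expects. The following is an added example (not code from this thread or from EDK2) that builds a single-entry X.509 signature list and walks a db-style buffer of concatenated lists, rejecting the size inconsistencies a provisioning driver should refuse before calling SetVariable. The struct definitions are stand-ins mirroring the UEFI spec layouts; kOwner and kFakeCert are constructed placeholders, not real values.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdlib.h>

/* Stand-ins for the UEFI spec layouts (normally from Uefi.h / Guid/ImageAuthentication.h). */
typedef struct { uint32_t Data1; uint16_t Data2; uint16_t Data3; uint8_t Data4[8]; } EFI_GUID;
#pragma pack(1)
typedef struct {
    EFI_GUID SignatureType;
    uint32_t SignatureListSize;   /* total bytes of this list, header included */
    uint32_t SignatureHeaderSize; /* 0 for X.509 lists */
    uint32_t SignatureSize;       /* bytes per entry: owner GUID + certificate */
} EFI_SIGNATURE_LIST;
#pragma pack()

/* EFI_CERT_X509_GUID as defined by the UEFI specification. */
static const EFI_GUID gEfiCertX509Guid = { 0xa5c059a1, 0x94e4, 0x4aa7, {0x87,0xb5,0xab,0x15,0x5c,0x2b,0xf0,0x72} };
/* Constructed placeholder owner GUID and certificate bytes; not real values. */
static const EFI_GUID kOwner = { 0x11111111, 0x2222, 0x3333, {0x44,0x44,0x55,0x55,0x55,0x55,0x55,0x55} };
static const uint8_t kFakeCert[] = { 0x30, 0x82, 0x01, 0x00, 0xAA, 0xBB };

/* Build one signature list holding a single X.509 certificate. Caller frees the result. */
uint8_t *BuildX509SignatureList(const uint8_t *Cert, uint32_t CertSize, const EFI_GUID *Owner, uint32_t *OutSize)
{
    uint32_t SigSize  = sizeof(EFI_GUID) + CertSize;
    uint32_t ListSize = sizeof(EFI_SIGNATURE_LIST) + SigSize;
    uint8_t *Buf = calloc(1, ListSize);
    if (!Buf) return NULL;
    EFI_SIGNATURE_LIST Hdr = { gEfiCertX509Guid, ListSize, 0, SigSize };
    memcpy(Buf, &Hdr, sizeof Hdr);
    memcpy(Buf + sizeof Hdr, Owner, sizeof(EFI_GUID));          /* EFI_SIGNATURE_DATA.SignatureOwner */
    memcpy(Buf + sizeof Hdr + sizeof(EFI_GUID), Cert, CertSize); /* EFI_SIGNATURE_DATA.SignatureData */
    *OutSize = ListSize;
    return Buf;
}

/* Walk a db/dbx-style buffer of concatenated lists; return entry count, or -1 if malformed. */
int CountSignatureEntries(const uint8_t *Buf, size_t Size)
{
    int Count = 0;
    size_t Off = 0;
    while (Off < Size) {
        EFI_SIGNATURE_LIST L;
        if (Size - Off < sizeof L) return -1;                      /* truncated header */
        memcpy(&L, Buf + Off, sizeof L);                           /* avoid unaligned reads */
        if (L.SignatureListSize < sizeof L + L.SignatureHeaderSize ||
            L.SignatureListSize > Size - Off) return -1;           /* list overruns buffer */
        uint32_t Body = L.SignatureListSize - sizeof L - L.SignatureHeaderSize;
        if (L.SignatureSize <= sizeof(EFI_GUID) || Body % L.SignatureSize != 0) return -1;
        Count += Body / L.SignatureSize;
        Off += L.SignatureListSize;
    }
    return Count;
}
```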
On April 7, 2021, at 12:07 AM, Bret Barkelew via groups.io <email@example.com> wrote:
There are a few ways you could accomplish this, but I'm not aware of any "built-in" mechanism.
To get you started, I’d take a look at the implementation of these:
The built-in version refers to database variables, but you could easily write your own that just referred to PCDs for PK and KEK (in the AuthVariableLib) and db, dbx (aka EFI_IMAGE_SECURITY_DATABASE and EFI_IMAGE_SECURITY_DATABASE2 in DxeImageVerificationLib).
From: Vu Dinh via groups.io <mailto:firstname.lastname@example.org>
Sent: Tuesday, April 6, 2021 7:58 AM
Subject: [EXTERNAL] [edk2-discuss] Customize Secure Boot Configuration
I'm currently developing a UEFI payload with Secure Boot enabled. I want
to customize the Secure Boot configuration (PK, KEK, DB, DBX) at build time
of Edk2 instead of changing Secure Boot in BIOS Setup.
Please tell me what I should do to customize the Secure Boot configuration.