From bffee25008b2059c556118b842fc3494f51068d0 Mon Sep 17 00:00:00 2001 
From: Chris Coulson
Date: Tue, 21 Nov 2023 12:34:03 +0000
Subject: [PATCH 1/4] efi: remove deprecated APIs and test data
---
efi/bootmanager_policy.go | 167 ----
efi/bootmanager_policy_test.go | 295 -------
efi/efi_test.go | 52 --
efi/export_test.go | 8 -
efi/secureboot_policy.go | 756 ------------------
efi/secureboot_policy_test.go | 752 -----------------
efi/testdata/amd64/mockgrub1.efi.signed.1.1.1 | Bin 5048 -> 0 bytes
efi/testdata/amd64/mockgrub1.efi.signed.1.2.1 | Bin 5048 -> 0 bytes
.../amd64/mockkernel1.efi.signed.1.1.1 | Bin 5048 -> 0 bytes
.../amd64/mockkernel1.efi.signed.1.2.1 | Bin 5048 -> 0 bytes
.../amd64/mockkernel1.efi.signed.shim.1 | Bin 5056 -> 0 bytes
.../amd64/mockkernel2.efi.signed.shim.1 | Bin 5056 -> 0 bytes
efi/testdata/amd64/mockshim.efi.signed.1.2.1 | Bin 7304 -> 0 bytes
efi/testdata/amd64/mockshim.efi.signed.2.1.1 | Bin 7344 -> 0 bytes
.../KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c | Bin 983 -> 0 bytes
.../PK-8be4df61-93ca-11d2-aa0d-00e098032b8c | Bin 874 -> 0 bytes
...eBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c | Bin 5 -> 0 bytes
.../db-d719b2cb-3d3a-4596-a3bc-dad00e67656f | Bin 987 -> 0 bytes
.../dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f | Bin 80 -> 0 bytes
.../KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c | Bin 983 -> 0 bytes
.../PK-8be4df61-93ca-11d2-aa0d-00e098032b8c | Bin 874 -> 0 bytes
...eBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c | Bin 5 -> 0 bytes
.../db-d719b2cb-3d3a-4596-a3bc-dad00e67656f | Bin 1970 -> 0 bytes
.../dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f | Bin 80 -> 0 bytes
.../KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c | Bin 1984 -> 0 bytes
.../PK-8be4df61-93ca-11d2-aa0d-00e098032b8c | Bin 874 -> 0 bytes
...eBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c | Bin 5 -> 0 bytes
.../db-d719b2cb-3d3a-4596-a3bc-dad00e67656f | Bin 1992 -> 0 bytes
.../dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f | Bin 80 -> 0 bytes
.../KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c | Bin 983 -> 0 bytes
.../PK-8be4df61-93ca-11d2-aa0d-00e098032b8c | Bin 874 -> 0 bytes
...eBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c | Bin 5 -> 0 bytes
.../db-d719b2cb-3d3a-4596-a3bc-dad00e67656f | Bin 1938 -> 0 bytes
.../dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f | Bin 80 -> 0 bytes
.../KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c | Bin 1005 -> 0 bytes
.../PK-8be4df61-93ca-11d2-aa0d-00e098032b8c | Bin 874 -> 0 bytes
...eBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c | Bin 5 -> 0 bytes
.../db-d719b2cb-3d3a-4596-a3bc-dad00e67656f | Bin 1009 -> 0 bytes
.../dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f | Bin 80 -> 0 bytes
.../KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c | Bin 1564 -> 0 bytes
.../PK-8be4df61-93ca-11d2-aa0d-00e098032b8c | Bin 977 -> 0 bytes
...eBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c | Bin 5 -> 0 bytes
.../db-d719b2cb-3d3a-4596-a3bc-dad00e67656f | Bin 3147 -> 0 bytes
.../dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f | Bin 3804 -> 0 bytes
.../KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c | Bin 2543 -> 0 bytes
.../PK-8be4df61-93ca-11d2-aa0d-00e098032b8c | Bin 874 -> 0 bytes
...eBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c | Bin 5 -> 0 bytes
.../db-d719b2cb-3d3a-4596-a3bc-dad00e67656f | Bin 4130 -> 0 bytes
.../dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f | Bin 80 -> 0 bytes
.../KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c | Bin 2543 -> 0 bytes
.../PK-8be4df61-93ca-11d2-aa0d-00e098032b8c | Bin 874 -> 0 bytes
...eBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c | Bin 5 -> 0 bytes
.../db-d719b2cb-3d3a-4596-a3bc-dad00e67656f | Bin 4130 -> 0 bytes
.../dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f | Bin 3804 -> 0 bytes
efi/testdata/eventlog_sb_no_efi_action.bin | Bin 11929 -> 0 bytes
efi/testdata/eventlog_sb_no_sbat.bin | Bin 12114 -> 0 bytes
.../eventlog_sb_no_shim_verification.bin | Bin 11270 -> 0 bytes
efi/testdata/src/certs/PkKek-1-Ubuntu.crt | 70 --
efi/testdata/src/keys/TestKek2.1.key | 27 -
efi/testdata/src/keys/TestRoot2.key | 27 -
efi/testdata/src/keys/TestUefiCA2.1.key | 27 -
.../src/keys/TestUefiSigning1.2.1.key | 27 -
.../src/keys/TestUefiSigning2.1.1.key | 27 -
efi/testdata/update_mock1/db/dbupdate.bin | Bin 2513 -> 0 bytes .../dbx/dbxupdate.bin | Bin 5254 -> 0 bytes .../dbx/dbxupdate.bin | Bin 7085 -> 0 bytes .../dbx/dbxupdate_x64_1.bin | Bin 15281 -> 0 bytes tools/make-efi-testdata/apps.go | 76 -- tools/make-efi-testdata/certs.go | 69 -- tools/make-efi-testdata/dbupdates.go | 292 ------- tools/make-efi-testdata/efivars.go | 265 +----- tools/make-efi-testdata/logs.go | 3 - tools/make-efi-testdata/main.go | 6 +- 73 files changed, 2 insertions(+), 2944 deletions(-) delete mode 100644 efi/bootmanager_policy.go delete mode 100644 efi/bootmanager_policy_test.go delete mode 100644 efi/secureboot_policy.go delete mode 100644 efi/secureboot_policy_test.go delete mode 100644 efi/testdata/amd64/mockgrub1.efi.signed.1.1.1 delete mode 100644 efi/testdata/amd64/mockgrub1.efi.signed.1.2.1 delete mode 100644 efi/testdata/amd64/mockkernel1.efi.signed.1.1.1 delete mode 100644 efi/testdata/amd64/mockkernel1.efi.signed.1.2.1 delete mode 100644 efi/testdata/amd64/mockkernel1.efi.signed.shim.1 delete mode 100644 efi/testdata/amd64/mockkernel2.efi.signed.shim.1 delete mode 100644 efi/testdata/amd64/mockshim.efi.signed.1.2.1 delete mode 100644 efi/testdata/amd64/mockshim.efi.signed.2.1.1 delete mode 100644 efi/testdata/efivars_mock1/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c delete mode 100644 efi/testdata/efivars_mock1/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c delete mode 100644 efi/testdata/efivars_mock1/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c delete mode 100644 efi/testdata/efivars_mock1/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f delete mode 100644 efi/testdata/efivars_mock1/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f delete mode 100644 efi/testdata/efivars_mock1_plus_extra_db_ca/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c delete mode 100644 efi/testdata/efivars_mock1_plus_extra_db_ca/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c delete mode 100644 efi/testdata/efivars_mock1_plus_extra_db_ca/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c delete mode 
100644 efi/testdata/efivars_mock1_plus_extra_db_ca/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f delete mode 100644 efi/testdata/efivars_mock1_plus_extra_db_ca/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f delete mode 100644 efi/testdata/efivars_mock1_plus_mock2/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c delete mode 100644 efi/testdata/efivars_mock1_plus_mock2/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c delete mode 100644 efi/testdata/efivars_mock1_plus_mock2/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c delete mode 100644 efi/testdata/efivars_mock1_plus_mock2/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f delete mode 100644 efi/testdata/efivars_mock1_plus_mock2/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f delete mode 100644 efi/testdata/efivars_mock1_plus_shim_vendor_ca/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c delete mode 100644 efi/testdata/efivars_mock1_plus_shim_vendor_ca/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c delete mode 100644 efi/testdata/efivars_mock1_plus_shim_vendor_ca/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c delete mode 100644 efi/testdata/efivars_mock1_plus_shim_vendor_ca/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f delete mode 100644 efi/testdata/efivars_mock1_plus_shim_vendor_ca/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f delete mode 100644 efi/testdata/efivars_mock2/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c delete mode 100644 efi/testdata/efivars_mock2/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c delete mode 100644 efi/testdata/efivars_mock2/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c delete mode 100644 efi/testdata/efivars_mock2/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f delete mode 100644 efi/testdata/efivars_mock2/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f delete mode 100644 efi/testdata/efivars_ms_plus_2016_dbx_update/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c delete mode 100644 efi/testdata/efivars_ms_plus_2016_dbx_update/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c delete mode 100644 efi/testdata/efivars_ms_plus_2016_dbx_update/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c delete 
mode 100644 efi/testdata/efivars_ms_plus_2016_dbx_update/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f delete mode 100644 efi/testdata/efivars_ms_plus_2016_dbx_update/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f delete mode 100644 efi/testdata/efivars_ms_plus_mock1/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c delete mode 100644 efi/testdata/efivars_ms_plus_mock1/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c delete mode 100644 efi/testdata/efivars_ms_plus_mock1/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c delete mode 100644 efi/testdata/efivars_ms_plus_mock1/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f delete mode 100644 efi/testdata/efivars_ms_plus_mock1/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f delete mode 100644 efi/testdata/efivars_ms_plus_mock1_and_2016_dbx_update/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c delete mode 100644 efi/testdata/efivars_ms_plus_mock1_and_2016_dbx_update/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c delete mode 100644 efi/testdata/efivars_ms_plus_mock1_and_2016_dbx_update/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c delete mode 100644 efi/testdata/efivars_ms_plus_mock1_and_2016_dbx_update/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f delete mode 100644 efi/testdata/efivars_ms_plus_mock1_and_2016_dbx_update/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f delete mode 100644 efi/testdata/eventlog_sb_no_efi_action.bin delete mode 100644 efi/testdata/eventlog_sb_no_sbat.bin delete mode 100644 efi/testdata/eventlog_sb_no_shim_verification.bin delete mode 100644 efi/testdata/src/certs/PkKek-1-Ubuntu.crt delete mode 100644 efi/testdata/src/keys/TestKek2.1.key delete mode 100644 efi/testdata/src/keys/TestRoot2.key delete mode 100644 efi/testdata/src/keys/TestUefiCA2.1.key delete mode 100644 efi/testdata/src/keys/TestUefiSigning1.2.1.key delete mode 100644 efi/testdata/src/keys/TestUefiSigning2.1.1.key delete mode 100644 efi/testdata/update_mock1/db/dbupdate.bin delete mode 100644 efi/testdata/update_modified_uefi.org_2016-08-08/dbx/dbxupdate.bin delete mode 100644 
efi/testdata/update_uefi.org_2016-08-08/dbx/dbxupdate.bin delete mode 100644 efi/testdata/update_uefi.org_2020-10-12/dbx/dbxupdate_x64_1.bin delete mode 100644 tools/make-efi-testdata/dbupdates.go diff --git a/efi/bootmanager_policy.go b/efi/bootmanager_policy.go deleted file mode 100644 index 7514910b..00000000 --- a/efi/bootmanager_policy.go +++ /dev/null 
@@ -1,167 +0,0 @@
-// -*- Mode: Go; indent-tabs-mode: t -*-
-
-/*
- * Copyright (C) 2019 Canonical Ltd
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 3 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see .
- *
- */
-
-package efi
-
-import (
- "errors"
-
- efi "github.com/canonical/go-efilib"
- "github.com/canonical/go-tpm2"
- "github.com/canonical/tcglog-parser"
-
- "golang.org/x/xerrors"
-
- secboot_tpm2 "github.com/snapcore/secboot/tpm2"
-)
-
-// computePeImageDigest computes a hash of a PE image in accordance with the "Windows Authenticode Portable Executable Signature
-// Format" specification. This function interprets the byte stream of the raw headers in some places, the layout of which are
-// defined in the "PE Format" specification (https://docs.microsoft.com/en-us/windows/win32/debug/pe-format)
-func computePeImageDigest(alg tpm2.HashAlgorithmId, image Image) (tpm2.Digest, error) {
- r, err := image.Open()
- if err != nil {
- return nil, xerrors.Errorf("cannot open image: %w", err)
- }
- defer r.Close()
-
- return efi.ComputePeImageDigest(alg.GetHash(), r, r.Size())
-}
-
-// bmLoadEvent binds together a ImageLoadActivity and the branch that the event needs to be applied to.
-type bmLoadEvent struct {
- activity ImageLoadActivity
- branch *secboot_tpm2.PCRProtectionProfileBranch
-}
-
-func newBmLoadEvents(branch *secboot_tpm2.PCRProtectionProfileBranch, activities ...ImageLoadActivity) (out []*bmLoadEvent) {
- if len(activities) == 0 {
- return nil
- }
-
- bp := branch.AddBranchPoint()
- for _, activity := range activities {
- out = append(out, &bmLoadEvent{activity: activity, branch: bp.AddBranch()})
- }
- return out
-}
-
-func (e *bmLoadEvent) fork() []*bmLoadEvent {
- return newBmLoadEvents(e.branch, e.activity.next()...)
-}
-
-// BootManagerProfileParams provide the arguments to AddBootManagerProfile.
-type BootManagerProfileParams struct {
- // PCRAlgorithm is the algorithm for which to compute PCR digests for. TPMs compliant with the "TCG PC Client Platform TPM Profile
- // (PTP) Specification" Level 00, Revision 01.03 v22, May 22 2017 are required to support tpm2.HashAlgorithmSHA1 and
- // tpm2.HashAlgorithmSHA256. Support for other digest algorithms is optional.
- PCRAlgorithm tpm2.HashAlgorithmId
-
- // LoadSequences is a list of EFI image load sequences for which to compute PCR digests for.
- LoadSequences []ImageLoadActivity
-
- // Environment is an optional parameter that allows the caller to provide
- // a custom EFI environment. If not set, the host's normal environment will
- // be used
- Environment HostEnvironment
-}
-
-// AddBootManagerProfile adds the UEFI boot manager code and boot attempts profile to the provided PCR protection profile, in order
-// to generate a PCR policy that restricts access to a sealed key to a specific set of binaries started from the UEFI boot manager and
-// which are measured to PCR 4. Events that are measured to this PCR are detailed in section 2.3.4.5 of the "TCG PC Client Platform
-// Firmware Profile Specification".
-//
-// If the firmware supports executing system preparation applications before the transition to "OS present", events corresponding to
-// the launch of these applications will be measured to PCR 4. If the event log indicates that any system preparation applications
-// were executed during the current boot, this function will automatically include these binaries in the generated PCR profile. Note
-// that it is not possible to pre-compute PCR values for system preparation applications using this function, and so it is not
-// possible to update these in a way that is atomic (if any of them are changed, a new PCR profile can only be generated after
-// performing a reboot).
-//
-// The sequences of binaries for which to generate a PCR profile for is supplied via the LoadSequences field of params. Each
-// bootloader stage in each load sequence must perform a measurement of any subsequent stage to PCR 4 in the same format as the
-// events measured by the UEFI boot manager.
-//
-// Section 2.3.4.5 of the "TCG PC Client Platform Firmware Profile Specification" specifies that EFI applications that load additional
-// pre-OS environment code must measure this to PCR 4 using the EV_COMPACT_HASH event type. This function does not support EFI
-// applications that load additional pre-OS environment code that isn't otherwise authenticated via the secure boot mechanism,
-// and will generate PCR profiles that aren't correct for applications that do this.
-//
-// If the EV_OMIT_BOOT_DEVICE_EVENTS is not recorded to PCR 4, the platform firmware will perform meaurements of all boot attempts,
-// even if they fail. The generated PCR policy will not be satisfied if the platform firmware performs boot attempts that fail,
-// even if the successful boot attempt is of a sequence of binaries included in this PCR profile.
-func AddBootManagerProfile(branch *secboot_tpm2.PCRProtectionProfileBranch, params *BootManagerProfileParams) error {
- env := params.Environment
- if env == nil {
- env = defaultEnv
- }
-
- // Load event log
- log, err := env.ReadEventLog()
- if err != nil {
- return xerrors.Errorf("cannot parse TCG event log: %w", err)
- }
-
- if !log.Algorithms.Contains(params.PCRAlgorithm) {
- return errors.New("cannot compute secure boot policy digests: the TCG event log does not have the requested algorithm")
- }
-
- branch.AddPCRValue(params.PCRAlgorithm, bootManagerCodePCR, make(tpm2.Digest, params.PCRAlgorithm.Size()))
-
- // Replay the event log until we see the transition from "pre-OS" to "OS-present". The event log may contain measurements
- // for system preparation applications, and spec-compliant firmware should measure a EV_EFI_ACTION “Calling EFI Application
- // from Boot Option” event before the EV_SEPARATOR event, but not all firmware does this.
- for _, event := range log.Events {
- if event.PCRIndex != bootManagerCodePCR {
- continue
- }
-
- branch.ExtendPCR(params.PCRAlgorithm, bootManagerCodePCR, tpm2.Digest(event.Digests[params.PCRAlgorithm]))
- if event.EventType == tcglog.EventTypeSeparator {
- break
- }
- }
-
- bp := branch.AddBranchPoint()
-
- loadEvents := newBmLoadEvents(bp.AddBranch(), params.LoadSequences...)
- var nextLoadEvents []*bmLoadEvent
-
- for len(loadEvents) > 0 {
- e := loadEvents[0]
- loadEvents = loadEvents[1:]
-
- digest, err := computePeImageDigest(params.PCRAlgorithm, e.activity.source())
- if err != nil {
- return err
- }
- e.branch.ExtendPCR(params.PCRAlgorithm, bootManagerCodePCR, digest)
-
- nextLoadEvents = append(nextLoadEvents, e.fork()...)
-
- if len(loadEvents) == 0 {
- loadEvents = nextLoadEvents
- nextLoadEvents = nil
- }
- }
-
- bp.EndBranchPoint()
-
- return nil
-}
diff --git a/efi/bootmanager_policy_test.go b/efi/bootmanager_policy_test.go
deleted file mode 100644
index 8475e47f..00000000
--- a/efi/bootmanager_policy_test.go
+++ /dev/null
@@ -1,295 +0,0 @@ -// -*- Mode: Go; indent-tabs-mode: t -*- - -/* - * Copyright (C) 2019 Canonical Ltd - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 3 as - * published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - * - */ - -package efi_test - -import ( - "path/filepath" - "runtime" - - "github.com/canonical/go-tpm2" - tpm2_testutil "github.com/canonical/go-tpm2/testutil" - "github.com/canonical/go-tpm2/util" - - . "gopkg.in/check.v1" - - . "github.com/snapcore/secboot/efi" - "github.com/snapcore/secboot/internal/testutil" - "github.com/snapcore/secboot/internal/tpm2test" - secboot_tpm2 "github.com/snapcore/secboot/tpm2" -) - -type bootManagerPolicySuite struct{} - -var _ = Suite(&bootManagerPolicySuite{}) - -type testAddBootManagerProfileData struct { - eventLogPath string - profile *secboot_tpm2.PCRProtectionProfile - branch *secboot_tpm2.PCRProtectionProfileBranch - params *BootManagerProfileParams - values []tpm2.PCRValues -} - -func (s *bootManagerPolicySuite) testAddBootManagerProfile(c *C, data *testAddBootManagerProfileData) { - if runtime.GOARCH != "amd64" { - c.Skip("unsupported architecture") - } - - restoreEventLogPath := MockEventLogPath(data.eventLogPath) - defer restoreEventLogPath() - - profile := data.profile - branch := data.branch - switch { - case profile == nil: - c.Assert(branch, IsNil) - profile = secboot_tpm2.NewPCRProtectionProfile() - branch = profile.RootBranch() - case branch == nil: - branch = profile.RootBranch() - } - - expectedPcrs, _, _ := profile.ComputePCRDigests(nil, 
tpm2.HashAlgorithmSHA256) - expectedPcrs = expectedPcrs.MustMerge(tpm2.PCRSelectionList{{Hash: data.params.PCRAlgorithm, Select: []int{4}}}) - var expectedDigests tpm2.DigestList - for _, v := range data.values { - d, _ := util.ComputePCRDigest(tpm2.HashAlgorithmSHA256, expectedPcrs, v) - expectedDigests = append(expectedDigests, d) - } - - c.Assert(AddBootManagerProfile(branch, data.params), IsNil) - pcrs, digests, err := profile.ComputePCRDigests(nil, tpm2.HashAlgorithmSHA256) - c.Assert(err, IsNil) - c.Check(pcrs, tpm2_testutil.TPMValueDeepEquals, expectedPcrs) - c.Check(digests, DeepEquals, expectedDigests) - if c.Failed() { - c.Logf("Profile:\n%s", profile) - c.Logf("Values:\n%s", tpm2test.FormatPCRValuesFromPCRProtectionProfile(profile, nil)) - } -} - -func (s *bootManagerPolicySuite) TestAddBootManagerProfileClassic(c *C) { - // Test with a classic style configuration - shim -> grub -> 2 kernels. - s.testAddBootManagerProfile(c, &testAddBootManagerProfileData{ - eventLogPath: "testdata/eventlog_sb.bin", - params: &BootManagerProfileParams{ - PCRAlgorithm: tpm2.HashAlgorithmSHA256, - LoadSequences: []ImageLoadActivity{ - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim.efi.signed.1.1.1"))).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.shim.1"))).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.shim.1"))), - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel2.efi.signed.shim.1"))), - ), - ), - }, - }, - values: []tpm2.PCRValues{ - { - tpm2.HashAlgorithmSHA256: { - 4: testutil.DecodeHexString(c, "7873bd0e3a396175ac9c2c7fbdce2ae5b5e1f356962d990f9918a14c985bc144"), - }, - }, - { - tpm2.HashAlgorithmSHA256: { - 4: testutil.DecodeHexString(c, "aa6fcc43221e5a8a73af735c221e8a38762a35ba8c808fdc71ee8ec60cc7f44f"), - }, - }, - }, - }) -} - -func (s *bootManagerPolicySuite) 
TestAddBootManagerProfileUC20(c *C) { - // Test with a UC20 style configuration: - // - shim -> grub -> 2 kernels - // - shim -> grub -> grub -> 2 kernels - s.testAddBootManagerProfile(c, &testAddBootManagerProfileData{ - eventLogPath: "testdata/eventlog_sb.bin", - params: &BootManagerProfileParams{ - PCRAlgorithm: tpm2.HashAlgorithmSHA256, - LoadSequences: []ImageLoadActivity{ - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim.efi.signed.1.1.1"))).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.shim.1"))).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.shim.1"))), - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel2.efi.signed.shim.1"))), - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.shim.1"))).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.shim.1"))), - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel2.efi.signed.shim.1"))), - ), - ), - ), - }, - }, - values: []tpm2.PCRValues{ - { - tpm2.HashAlgorithmSHA256: { - 4: testutil.DecodeHexString(c, "7873bd0e3a396175ac9c2c7fbdce2ae5b5e1f356962d990f9918a14c985bc144"), - }, - }, - { - tpm2.HashAlgorithmSHA256: { - 4: testutil.DecodeHexString(c, "aa6fcc43221e5a8a73af735c221e8a38762a35ba8c808fdc71ee8ec60cc7f44f"), - }, - }, - { - tpm2.HashAlgorithmSHA256: { - 4: testutil.DecodeHexString(c, "3906452c5ed57e15ceb3a810df6cec915f0e8980797e1e2f804cca88c2570343"), - }, - }, - { - tpm2.HashAlgorithmSHA256: { - 4: testutil.DecodeHexString(c, "5ada03ca4d9aaa47d04b2294bb5e001ef901525d7ec25fe71645dfae16907c69"), - }, - }, - }, - }) -} - -func (s *bootManagerPolicySuite) TestAddBootManagerProfileWithInitialProfile(c *C) { - // Test with a PCRProtectionProfile that already has some values in it. 
- profile := secboot_tpm2.NewPCRProtectionProfile() - - s.testAddBootManagerProfile(c, &testAddBootManagerProfileData{ - eventLogPath: "testdata/eventlog_sb.bin", - profile: profile, - branch: profile.RootBranch(). - AddPCRValue(tpm2.HashAlgorithmSHA256, 4, tpm2test.MakePCRValueFromEvents(tpm2.HashAlgorithmSHA256, "foo")). - AddPCRValue(tpm2.HashAlgorithmSHA256, 7, tpm2test.MakePCRValueFromEvents(tpm2.HashAlgorithmSHA256, "bar")), - params: &BootManagerProfileParams{ - PCRAlgorithm: tpm2.HashAlgorithmSHA256, - LoadSequences: []ImageLoadActivity{ - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim.efi.signed.1.1.1"))).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.shim.1"))).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.shim.1"))), - ), - ), - }, - }, - values: []tpm2.PCRValues{ - { - tpm2.HashAlgorithmSHA256: { - 4: testutil.DecodeHexString(c, "7873bd0e3a396175ac9c2c7fbdce2ae5b5e1f356962d990f9918a14c985bc144"), - 7: tpm2test.MakePCRValueFromEvents(tpm2.HashAlgorithmSHA256, "bar"), - }, - }, - }, - }) -} - -func (s *bootManagerPolicySuite) TestAddBootManagerProfileClassic2(c *C) { - // Test with a classic style configuration (same as 1), but with LoadSequences - // constructed differently. 
- s.testAddBootManagerProfile(c, &testAddBootManagerProfileData{ - eventLogPath: "testdata/eventlog_sb.bin", - params: &BootManagerProfileParams{ - PCRAlgorithm: tpm2.HashAlgorithmSHA256, - LoadSequences: []ImageLoadActivity{ - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim.efi.signed.1.1.1"))).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.shim.1"))).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.shim.1"))), - ), - ), - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim.efi.signed.1.1.1"))).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.shim.1"))).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel2.efi.signed.shim.1"))), - ), - ), - }, - }, - values: []tpm2.PCRValues{ - { - tpm2.HashAlgorithmSHA256: { - 4: testutil.DecodeHexString(c, "7873bd0e3a396175ac9c2c7fbdce2ae5b5e1f356962d990f9918a14c985bc144"), - }, - }, - { - tpm2.HashAlgorithmSHA256: { - 4: testutil.DecodeHexString(c, "aa6fcc43221e5a8a73af735c221e8a38762a35ba8c808fdc71ee8ec60cc7f44f"), - }, - }, - }, - }) -} - -func (s *bootManagerPolicySuite) TestAddBootManagerProfileWithMissingEFIActionEvents(c *C) { - // Test with a classic style configuration - shim -> grub -> 2 kernels, but on - // a system that omits the ready-to-boot signal in PCR4 (should produce different - // digests compared to 1). 
- s.testAddBootManagerProfile(c, &testAddBootManagerProfileData{ - eventLogPath: "testdata/eventlog_sb_no_efi_action.bin", - params: &BootManagerProfileParams{ - PCRAlgorithm: tpm2.HashAlgorithmSHA256, - LoadSequences: []ImageLoadActivity{ - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim.efi.signed.1.1.1"))).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.shim.1"))).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.shim.1"))), - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel2.efi.signed.shim.1"))), - ), - ), - }, - }, - values: []tpm2.PCRValues{ - { - tpm2.HashAlgorithmSHA256: { - 4: testutil.DecodeHexString(c, "59b491160b7d28ef07e83b186b2c5226613a7e80aa7de3191eef5968faeec8ef"), - }, - }, - { - tpm2.HashAlgorithmSHA256: { - 4: testutil.DecodeHexString(c, "6f09b49bcf9e59915634c3c45a9dd65caccb4857b403265ac0e3f7a7a9daf3aa"), - }, - }, - }, - }) -} - -func (s *bootManagerPolicySuite) TestAddBootManagerProfileWithCustomEFIEnv(c *C) { - // Test with a classic style configuration - shim -> grub -> 2 kernels, but using - // a custom EFI environment. Set the log path for the "default" environment to - // the one set in the Classic test, but supply the log used in the - // WithMissingEFIActionEvents test via the custom environment to verify that the - // correct one is used. 
- s.testAddBootManagerProfile(c, &testAddBootManagerProfileData{ - eventLogPath: "testdata/eventlog_sb.bin", - params: &BootManagerProfileParams{ - PCRAlgorithm: tpm2.HashAlgorithmSHA256, - LoadSequences: []ImageLoadActivity{ - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim.efi.signed.1.1.1"))).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.shim.1"))).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.shim.1"))), - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel2.efi.signed.shim.1"))), - ), - ), - }, - Environment: newMockEFIEnvironmentFromFiles(c, "", "testdata/eventlog_sb_no_efi_action.bin"), - }, - values: []tpm2.PCRValues{ - { - tpm2.HashAlgorithmSHA256: { - 4: testutil.DecodeHexString(c, "59b491160b7d28ef07e83b186b2c5226613a7e80aa7de3191eef5968faeec8ef"), - }, - }, - { - tpm2.HashAlgorithmSHA256: { - 4: testutil.DecodeHexString(c, "6f09b49bcf9e59915634c3c45a9dd65caccb4857b403265ac0e3f7a7a9daf3aa"), - }, - }, - }, - }) -} diff --git a/efi/efi_test.go b/efi/efi_test.go index c8db0cc0..5877d12b 100644 --- a/efi/efi_test.go +++ b/efi/efi_test.go @@ -23,19 +23,13 @@ import ( "bytes" "crypto" "crypto/x509" - "encoding/binary" "errors" "fmt" "io" - "io/ioutil" - "os" - "path/filepath" - "regexp" "testing" efi "github.com/canonical/go-efilib" "github.com/canonical/go-tpm2" - "github.com/canonical/tcglog-parser" . "gopkg.in/check.v1" . "github.com/snapcore/secboot/efi" 
@@ -590,52 +584,6 @@ func (h *mockLoadHandler) MeasureImageLoad(ctx PcrBranchContext, image PeImageHa return LookupImageLoadHandler(ctx, image) } -func newMockEFIEnvironmentFromFiles(c *C, efivarsDir, logFile string) *efitest.MockHostEnvironment { - vars := make(efitest.MockVars) - if efivarsDir != "" { - dir, err := os.Open(efivarsDir) - c.Assert(err, IsNil) - defer dir.Close() - - entries, err := dir.Readdir(-1) - c.Assert(err, IsNil) - - r := regexp.MustCompile(`^([[:alnum:]]+)-([[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12})$`) - - for _, entry := range entries { - m := r.FindStringSubmatch(entry.Name()) - if len(m) == 0 { - continue - } - - name := m[1] - guid, err := efi.DecodeGUIDString(m[2]) - c.Assert(err, IsNil) - - data, err := ioutil.ReadFile(filepath.Join(efivarsDir, entry.Name())) - c.Assert(err, IsNil) - if len(data) < 4 { - c.Fatal(entry.Name(), "contents too short") - } - - vars[efi.VariableDescriptor{Name: name, GUID: guid}] = &efitest.VarEntry{ - Payload: data[4:], - Attrs: efi.VariableAttributes(binary.LittleEndian.Uint32(data))} - } - } - - var log *tcglog.Log - if logFile != "" { - f, err := os.Open(logFile) - c.Assert(err, IsNil) - defer f.Close() - - log, err = tcglog.ReadLog(f, &tcglog.LogOptions{}) - c.Assert(err, IsNil) - } - return efitest.NewMockHostEnvironment(vars, log) -} - type mockSecureBootNamespaceRules []*x509.Certificate func (mockSecureBootNamespaceRules) String() string { diff --git a/efi/export_test.go b/efi/export_test.go index 5e0b5468..fc4db686 100644 --- a/efi/export_test.go +++ b/efi/export_test.go @@ -138,14 +138,6 @@ func (s *ImageLoadSequences) Params() imageLoadParamsSet { return s.params } -func MockEFIVarsPath(path string) (restore func()) { - origPath := efiVarsPath - efiVarsPath = path - return func() { - efiVarsPath = origPath - } -} - func MockEventLogPath(path string) (restore func()) { origPath := eventLogPath eventLogPath = path 
diff --git a/efi/secureboot_policy.go b/efi/secureboot_policy.go
deleted file mode 100644
index 0345c932..00000000
--- a/efi/secureboot_policy.go
+++ /dev/null
@@ -1,756 +0,0 @@
-// -*- Mode: Go; indent-tabs-mode: t -*-
-
-/*
- * Copyright (C) 2019 Canonical Ltd
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 3 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see .
- *
- */
-
-package efi
-
-import (
- "bytes"
- "errors"
- "fmt"
-
- efi "github.com/canonical/go-efilib"
- "github.com/canonical/go-tpm2"
- "github.com/canonical/tcglog-parser"
-
- "golang.org/x/xerrors"
-
- secboot_tpm2 "github.com/snapcore/secboot/tpm2"
-)
-
-const (
- mokListName = "MokList" // Unicode variable name for the shim MOK database
- mokSbStateName = "MokSBState" // Unicode variable name for the shim secure boot configuration (validation enabled/disabled)
-
- sbKeySyncExe = "sbkeysync"
-)
-
-var (
- efiVarsPath = "/sys/firmware/efi/efivars" // Default mount point for efivarfs
-)
-
-// secureBootDbUpdate corresponds to an on-disk EFI signature database update.
-type secureBootDbUpdate struct {
- db efi.VariableDescriptor
- path string
-}
-
-func isSecureBootEvent(event *tcglog.Event) bool {
- return event.PCRIndex == secureBootPCR
-}
-
-// isSecureBootConfigMeasurementEvent determines if event corresponds to the measurement of secure
-// boot configuration.
-func isSecureBootConfigMeasurementEvent(event *tcglog.Event) bool {
- return isSecureBootEvent(event) && event.EventType == tcglog.EventTypeEFIVariableDriverConfig
-}
-
-// isDbMeasurementEvent determines if event corresponds to the measurement of the UEFI authorized
-// signature database.
-func isDbMeasurementEvent(event *tcglog.Event) bool {
- if !isSecureBootConfigMeasurementEvent(event) {
- return false
- }
-
- data := event.Data.(*tcglog.EFIVariableData)
- return data.VariableName == Db.GUID && data.UnicodeName == Db.Name
-}
-
-// isSignatureDatabaseMeasurementEVent determines if event corresponds to the measurement of one
-// of the UEFI signature databases.
-func isSignatureDatabaseMeasurementEvent(event *tcglog.Event) bool {
- if !isSecureBootConfigMeasurementEvent(event) {
- return false
- }
-
- data := event.Data.(*tcglog.EFIVariableData)
- switch {
- case data.VariableName == PK.GUID && data.UnicodeName == PK.Name:
- return true
- case data.VariableName == KEK.GUID && data.UnicodeName == KEK.Name:
- return true
- case data.VariableName == efi.ImageSecurityDatabaseGuid:
- return true
- default:
- return false
- }
-}
-
-// isVerificationEvent determines if event corresponds to the verification of a EFI image.
-func isVerificationEvent(event *tcglog.Event) bool {
- return isSecureBootEvent(event) && event.EventType == tcglog.EventTypeEFIVariableAuthority
-}
-
-// isShimExecutable determines if the EFI executable read from r looks like a valid shim binary (ie, it has a ".vendor_cert" section.
-func isShimExecutable(image peImageHandle) bool {
- return image.HasSection(".vendor_cert")
-}
-
-// SecureBootPolicyProfileParams provide the arguments to AddSecureBootPolicyProfile.
-type SecureBootPolicyProfileParams struct {
- // PCRAlgorithm is the algorithm for which to compute PCR digests for. TPMs compliant with the "TCG PC Client Platform TPM Profile
- // (PTP) Specification" Level 00, Revision 01.03 v22, May 22 2017 are required to support tpm2.HashAlgorithmSHA1 and
- // tpm2.HashAlgorithmSHA256. Support for other digest algorithms is optional.
- PCRAlgorithm tpm2.HashAlgorithmId
-
- // LoadSequences is a list of EFI image load sequences for which to compute PCR digests for.
- LoadSequences []ImageLoadActivity
-
- // Environment is an optional parameter that allows the caller to provide
- // a custom EFI environment. If not set, the host's normal environment will
- // be used
- Environment HostEnvironment
-}
-
-// secureBootDbSet corresponds to a set of EFI signature databases.
-type secureBootDbSet struct {
- uefiDb *secureBootDB
- shimDb *secureBootDB
-}
-
-// secureBootPolicyGen is the main structure involved with computing secure boot policy PCR digests. It is essentially just
-// a container for SecureBootPolicyProfileParams - per-branch context is maintained in secureBootPolicyGenBranch instead.
-type secureBootPolicyGen struct {
- pcrAlgorithm tpm2.HashAlgorithmId
- env HostEnvironment
- loadSequences []ImageLoadActivity
-
- events []*tcglog.Event
-}
-
-// secureBootPolicyGenBranch represents a branch of a PCRProtectionProfile. It contains its own PCRProtectionProfile in to which
-// instructions can be recorded, as well as some other context associated with this branch.
-type secureBootPolicyGenBranch struct {
- secureBootPolicyMixin
- gen *secureBootPolicyGen
-
- profile *secboot_tpm2.PCRProtectionProfile // The PCR profile containing the instructions for this branch
- subBranches []*secureBootPolicyGenBranch // Sub-branches, if this has been branched
-
- dbUpdateLevel int // The number of EFI signature database updates applied in this branch
- dbSet secureBootDbSet // The signature database set associated with this branch
- firmwareVerificationEvents tpm2.DigestList // The verification events recorded by firmware in this branch
- shimVerificationEvents tpm2.DigestList // The verification events recorded by shim in this branch
- shimFlags shimFlags // Flags associated with shim in this branch
-}
-
-// branch creates a branch point in the current branch if one doesn't exist already (although inserting this branch point with
-// PCRProtectionProfile.AddProfileOR is deferred until later), and creates a new sub-branch at the current branch point. Once
-// this has been called, no more instructions can be inserted in to the current branch.
-func (b *secureBootPolicyGenBranch) branch() *secureBootPolicyGenBranch {
- c := &secureBootPolicyGenBranch{gen: b.gen, profile: secboot_tpm2.NewPCRProtectionProfile()}
- b.subBranches = append(b.subBranches, c)
-
- // Preserve the context associated with this branch
- c.dbUpdateLevel = b.dbUpdateLevel
- c.dbSet = b.dbSet
- c.firmwareVerificationEvents = make(tpm2.DigestList, len(b.firmwareVerificationEvents))
- copy(c.firmwareVerificationEvents, b.firmwareVerificationEvents)
- c.shimVerificationEvents = make(tpm2.DigestList, len(b.shimVerificationEvents))
- copy(c.shimVerificationEvents, b.shimVerificationEvents)
- c.shimFlags = b.shimFlags
-
- return c
-}
-
-// extendMeasurement extends the supplied digest to this branch.
-func (b *secureBootPolicyGenBranch) extendMeasurement(digest tpm2.Digest) {
- if len(b.subBranches) > 0 {
- panic("This branch has already been branched")
- }
- b.profile.ExtendPCR(b.gen.pcrAlgorithm, secureBootPCR, digest)
-}
-
-// extendVerificationMeasurement extends the supplied digest and records that the digest has been measured by the specified source in
-// to this branch.
-func (b *secureBootPolicyGenBranch) extendVerificationMeasurement(digest tpm2.Digest, source ImageLoadEventSource) {
- var digests *tpm2.DigestList
- switch source {
- case Firmware:
- digests = &b.firmwareVerificationEvents
- case Shim:
- digests = &b.shimVerificationEvents
- }
- *digests = append(*digests, digest)
- b.extendMeasurement(digest)
-}
-
-// extendFirmwareVerificationMeasurement extends the supplied digest and records that the digest has been measured by the firmware
-// in to this branch.
-func (b *secureBootPolicyGenBranch) extendFirmwareVerificationMeasurement(digest tpm2.Digest) {
- b.extendVerificationMeasurement(digest, Firmware)
-}
-
-// omputeAndExtendVariableMeasurement computes a EFI variable measurement from the supplied arguments and extends that to
-// this branch.
-func (b *secureBootPolicyGenBranch) computeAndExtendVariableMeasurement(varName efi.GUID, unicodeName string, varData []byte) {
- b.extendMeasurement(tcglog.ComputeEFIVariableDataDigest(b.gen.pcrAlgorithm.GetHash(), unicodeName, varName, varData))
-}
-
-// processSignatureDbMeasurementEvent computes a EFI signature database measurement for the specified database
-// and then extends that in to this branch.
-func (b *secureBootPolicyGenBranch) processSignatureDbMeasurementEvent(guid efi.GUID, name string) ([]byte, error) {
- db, _, err := b.gen.env.ReadVar(name, guid)
- if err != nil && err != efi.ErrVarNotExist {
- return nil, xerrors.Errorf("cannot read current variable: %w", err)
- }
-
- b.computeAndExtendVariableMeasurement(guid, name, db)
- return db, nil
-}
-
-// processDbMeasurementEvent computes a measurement of the EFI authorized signature database and then extends that
-// in to this branch. The branch context is then updated to contain a list of signatures associated with the
-// resulting authorized signature database contents, which is used later on when computing verification events in
-// secureBootPolicyGen.computeAndExtendVerificationMeasurement.
-func (b *secureBootPolicyGenBranch) processDbMeasurementEvent() error {
- db, err := b.processSignatureDbMeasurementEvent(Db.GUID, Db.Name)
- if err != nil {
- return err
- }
-
- sigDb, err := efi.ReadSignatureDatabase(bytes.NewReader(db))
- if err != nil {
- return xerrors.Errorf("cannot decode DB contents: %w", err)
- }
-
- b.dbSet.uefiDb = &secureBootDB{Name: Db, Contents: sigDb}
-
- return nil
-}
-
-// processPreOSEvents iterates over the pre-OS secure boot policy events contained within the supplied list of events and extends
-// these in to this branch.
-//
-// Processing of the list of events stops after transitioning from pre-OS to OS-present. This transition is indicated when an
-// EV_SEPARATOR event has been measured to any of PCRs 0-6 AND PCR 7. This handles 2 different firmware behaviours:
-// - Some firmware implementations signal the transition by measuring EV_SEPARATOR events to PCRs 0-7 at the same time.
-// - Other firmware implementations measure a EV_SEPARATOR event to PCR 7 immediately after measuring the secure boot
-// configuration, which is before the transition to OS-present. In this case, processing of pre-OS events in PCR 7
-// must continue until an EV_SEPARATOR event is encountered in PCRs 0-6. On firmware implmentations that support
-// secure boot verification of EFI drivers, these verification events will be recorded to PCR 7 after the
-// EV_SEPARATOR event in PCR 7 but before the EV_SEPARATOR events in PCRs 0-6.
-func (b *secureBootPolicyGenBranch) processPreOSEvents(events []*tcglog.Event) error {
- osPresent := false
- seenSecureBootPCRSeparator := false
-
- for len(events) > 0 {
- e := events[0]
- events = events[1:]
- switch {
- case e.PCRIndex < secureBootPCR && e.EventType == tcglog.EventTypeSeparator:
- osPresent = true
- case isDbMeasurementEvent(e):
- // This is the db variable - requires special handling because it updates context
- // for this branch.
- if err := b.processDbMeasurementEvent(); err != nil {
- return xerrors.Errorf("cannot process db measurement event: %w", err)
- }
- case isSignatureDatabaseMeasurementEvent(e):
- // This is any signature database variable other than db.
- data := e.Data.(*tcglog.EFIVariableData)
- if _, err := b.processSignatureDbMeasurementEvent(data.VariableName, data.UnicodeName); err != nil {
- return xerrors.Errorf("cannot process %s measurement event: %w", data.UnicodeName, err)
- }
- case isVerificationEvent(e):
- // This is a verification event corresponding to a UEFI driver or system
- // preparation application.
- b.extendFirmwareVerificationMeasurement(tpm2.Digest(e.Digests[b.gen.pcrAlgorithm]))
- case isSecureBootEvent(e):
- // This is any secure boot event that isn't a verification event or signature
- // database measurement. Secure boot configuration variables that aren't signature
- // databases are volatile variables mirrored by boot services code from a
- // non-volatile boot services only variable (eg, SecureBoot or DeployedMode).
- // The non-volatile variable can only be accessed by boot services code, so
- // always replay the log digest.
- b.extendMeasurement(tpm2.Digest(e.Digests[b.gen.pcrAlgorithm]))
- if e.EventType == tcglog.EventTypeSeparator {
- seenSecureBootPCRSeparator = true
- }
- }
-
- if osPresent && seenSecureBootPCRSeparator {
- break
- }
- }
-
- return nil
-}
-
-// processShimExecutableLaunch updates the context in this branch with the supplied shim vendor certificate so that it can be used
-// later on when computing verification events in secureBootPolicyGenBranch.computeAndExtendVerificationMeasurement.
-func (b *secureBootPolicyGenBranch) processShimExecutableLaunch(vendorDb efi.SignatureDatabase, flags shimFlags) {
- if b.profile == nil {
- // This branch is going to be excluded because it is unbootable.
- return
- }
-
- if flags&shimHasSbatVerification > 0 {
- // XXX: This is a bit of a hack, just so that we are compatible with
- // the latest shim. Some things to note:
- // - SBAT-capable shim will initialize the SBAT variable to a known
- // (compiled in) payload if the variable doesn't exist, has an older
- // payload or doesn't have the correct attributes. "Older" right now
- // is determined by checking a timestamp in the payload whilst the
- // variable is BS+NV and not-authenticated, but would be determined by
- // the signature timestamp for an authenticated variable in the future.
- // - The variable is initialized as BS+NV and then mirrored to a RT
- // variable by a SBAT-capable shim, which means we don't know what
- // the current variable value is if we are pre-computing a PCR policy
- // on a system that was booted with a pre-SBAT shim. This isn't a
- // problem right now because there is only one payload, but will be
- // a problem in the future as updates are published if the variable
- // remains a non-authenticated BS+NV variable as opposed to a RT+BS+NV
- // authenticated variable.
- // - In the future and in order to do this properly, we need an authoritative
- // source for the current variable value (eg, event log for BS+NV variable
- // or current variable value for RT+BS+NV, like we do for other
- // configuration).
- // - Shim doesn't provide a way to audit the compiled-in SBAT payload, so
- // we don't have a way to introspect what it will set it to, although
- // we know what it is right now.
- // - Future PCR value computation will be a bit more complicated than it
- // is now - imagine if you have 2 shim's with different built-in SBAT
- // payloads, and those are both different to the current SBAT value.
- // Because shim will overwrite the SBAT variable if its built-in
- // payload is newer, booting with one shim may affect the PCR values
- // associated with a branch that has a different shim.
- b.computeAndExtendVariableMeasurement(shimGuid, shimSbatLevelName, []byte("sbat,1,2021030218\n"))
- }
-
- b.dbSet.shimDb = &secureBootDB{
- Name: efi.VariableDescriptor{Name: shimName, GUID: shimGuid},
- Contents: vendorDb}
- b.shimVerificationEvents = nil
- b.shimFlags = flags
-}
-
-// hasVerificationEventBeenMeasuredBy determines whether the verification event with the associated digest has been measured by the
-// supplied source already in this branch.
-func (b *secureBootPolicyGenBranch) hasVerificationEventBeenMeasuredBy(digest tpm2.Digest, source ImageLoadEventSource) bool {
- var digests *tpm2.DigestList
- switch source {
- case Firmware:
- digests = &b.firmwareVerificationEvents
- case Shim:
- digests = &b.shimVerificationEvents
- }
- for _, d := range *digests {
- if bytes.Equal(d, digest) {
- return true
- }
- }
- return false
-}
-
-// computeAndExtendVerificationMeasurement computes a measurement for the the authentication of an EFI image using the supplied
-// signatures and extends that in to this branch. If the computed measurement has already been measured by the specified source, then
-// it will not be measured again.
-//
-// In order to compute the measurement, the CA certificate that will be used to authenticate the image using the supplied signatures,
-// and the source of that certificate, needs to be determined. If the image is not signed with an authority that is trusted by a CA
-// certificate that exists in this branch, then this branch will be marked as unbootable and it will be omitted from the final PCR
-// profile.
-func (b *secureBootPolicyGenBranch) computeAndExtendVerificationMeasurement(image peImageHandle, source ImageLoadEventSource) error {
- if b.profile == nil {
- // This branch is going to be excluded because it is unbootable.
- return nil
- }
-
- dbs := []*secureBootDB{b.dbSet.uefiDb}
- if source == Shim {
- if b.dbSet.shimDb == nil {
- return errors.New("shim specified as event source without a shim executable appearing in preceding events")
- }
- dbs = append(dbs, b.dbSet.shimDb)
- }
-
- authority, err := b.DetermineAuthority(dbs, image)
- if err != nil {
- return err
- }
-
- // Serialize authority certificate for measurement
- var varData *bytes.Buffer
- switch {
- case source == Shim && (b.shimFlags&shimFixVariableAuthorityEventsMatchSpec == 0 || authority.Source == b.dbSet.shimDb.Name):
- // Shim measures the certificate data rather than the entire EFI_SIGNATURE_DATA
- // in some circumstances.
- varData = bytes.NewBuffer(authority.Signature.Data)
- default:
- // Firmware always measures the entire EFI_SIGNATURE_DATA including the SignatureOwner,
- // and newer versions of shim do in some circumstances.
- varData = new(bytes.Buffer)
- if err := authority.Signature.Write(varData); err != nil {
- return xerrors.Errorf("cannot encode EFI_SIGNATURE_DATA for authority: %w", err)
- }
- }
-
- // Create event data, compute digest and perform extension for verification of this executable
- digest := tcglog.ComputeEFIVariableDataDigest(
- b.gen.pcrAlgorithm.GetHash(),
- authority.Source.Name,
- authority.Source.GUID,
- varData.Bytes())
-
- // Don't measure events that have already been measured
- if b.hasVerificationEventBeenMeasuredBy(digest, source) {
- return nil
- }
- b.extendVerificationMeasurement(digest, source)
- return nil
-}
-
-// sbLoadEventAndBranches binds together a ImageLoadActivity and the branches that the event needs to be applied to.
-type sbLoadEventAndBranches struct {
- activity ImageLoadActivity
- branches []*secureBootPolicyGenBranch
-}
-
-func (e *sbLoadEventAndBranches) branch(activity ImageLoadActivity) *sbLoadEventAndBranches {
- var branches []*secureBootPolicyGenBranch
- for _, b := range e.branches {
- if b.profile == nil {
- continue
- }
- branches = append(branches, b.branch())
- }
- return &sbLoadEventAndBranches{activity, branches}
-}
-
-// computeAndExtendVerificationMeasurement computes a measurement for the the authentication of the EFI image obtained from r and
-// extends that to the supplied branches. If the computed measurement has already been measured by the specified source in a branch,
-// then it will not be measured again.
-//
-// In order to compute the measurement for each branch, the CA certificate that will be used to authenticate the image and the
-// source of that certificate needs to be determined. If the image is not signed with an authority that is trusted by a CA
-// certificate for a particular branch, then that branch will be marked as unbootable and it will be omitted from the final PCR
-// profile.
-func (g *secureBootPolicyGen) computeAndExtendVerificationMeasurement(branches []*secureBootPolicyGenBranch, image peImageHandle, source ImageLoadEventSource) error {
- for _, b := range branches {
- if err := b.computeAndExtendVerificationMeasurement(image, source); err != nil {
- return err
- }
- }
-
- return nil
-}
-
-// processShimExecutableLaunch extracts the vendor certificate from the shim executable read from r, and then updates the specified
-// branches to contain a reference to the vendor certificate so that it can be used later on when computing verification events in
-// secureBootPolicyGen.computeAndExtendVerificationMeasurement for images that are authenticated by shim.
-func (g *secureBootPolicyGen) processShimExecutableLaunch(branches []*secureBootPolicyGenBranch, shim shimImageHandle) error {
- // Extract this shim's vendor cert
- db, format, err := shim.ReadVendorDB()
- if err != nil {
- return xerrors.Errorf("cannot extract vendor certificate: %w", err)
- }
- if len(db) > 0 && format != shimVendorCertIsX509 {
- return errors.New("unsupported .vendor_cert section format")
- }
-
- var flags shimFlags
-
- // Check if this shim has a .sbat section. We use this to make some assumptions
- // about shim's behaviour below.
- hasSbatSection := shim.HasSbatSection()
-
- if hasSbatSection {
- // If this shim has a .sbat section, assume it also does SBAT verification.
- // This isn't a perfect heuristic, but nobody is adding a .sbat section to a
- // pre-SBAT version of shim and then signing it, so it doesn't matter.
- flags |= shimHasSbatVerification
-
- // There isn't a good heuristic for this, but at least none of Canonical's
- // pre-SBAT shim's had the fix for this, and all SBAT capable shims do
- // have this fix.
- // XXX: It's possible that this is broken for shims that weren't signed
- // for Canonical.
- flags |= shimFixVariableAuthorityEventsMatchSpec
- }
-
- for _, b := range branches {
- b.processShimExecutableLaunch(db, flags)
- }
-
- return nil
-}
-
-// processOSLoadEvent computes a measurement associated with the supplied image load event and extends this to the specified branches.
-// If the image load corresponds to shim, then some additional processing is performed to extract the included vendor certificate
-// (see secureBootPolicyGen.processShimExecutableLaunch).
-func (g *secureBootPolicyGen) processOSLoadEvent(branches []*secureBootPolicyGenBranch, activity ImageLoadActivity) error {
- image, err := openPeImage(activity.source())
- if err != nil {
- return err
- }
- defer image.Close()
-
- isShim := isShimExecutable(image)
-
- var source ImageLoadEventSource
- params := activity.params().Resolve(new(loadParams))
- if len(params) > 1 {
- return errors.New("invalid parameters")
- }
- source = params[0].Source
-
- if err := g.computeAndExtendVerificationMeasurement(branches, image, source); err != nil {
- return xerrors.Errorf("cannot compute load verification event: %w", err)
- }
-
- if !isShim {
- return nil
- }
-
- shim := newShimImageHandle(image)
-
- if err := g.processShimExecutableLaunch(branches, shim); err != nil {
- return xerrors.Errorf("cannot process shim executable: %w", err)
- }
-
- return nil
-}
-
-// run takes a TCG event log and builds a PCR profile from the supplied configuration (see SecureBootPolicyProfileParams)
-func (g *secureBootPolicyGen) run(profile *secboot_tpm2.PCRProtectionProfile, sigDbUpdateQuirkMode signatureDBUpdateFirmwareQuirk) error {
- // Process the pre-OS events
- root := &secureBootPolicyGenBranch{gen: g, profile: secboot_tpm2.NewPCRProtectionProfile()}
- if err := root.processPreOSEvents(g.events); err != nil {
- return xerrors.Errorf("cannot process pre-OS events from event log: %w", err)
- }
-
- allBranches := []*secureBootPolicyGenBranch{root}
-
- var loadEvents []*sbLoadEventAndBranches
- var nextLoadEvents []*sbLoadEventAndBranches
-
- if len(g.loadSequences) == 1 {
- loadEvents = append(loadEvents, &sbLoadEventAndBranches{activity: g.loadSequences[0], branches: []*secureBootPolicyGenBranch{root}})
- } else {
- for _, e := range g.loadSequences {
- branch := root.branch()
- allBranches = append(allBranches, branch)
- loadEvents = append(loadEvents, &sbLoadEventAndBranches{activity: e, branches: []*secureBootPolicyGenBranch{branch}})
- }
- }
-
- for len(loadEvents) > 0 {
- e := loadEvents[0]
- loadEvents = loadEvents[1:]
-
- if err := g.processOSLoadEvent(e.branches, e.activity); err != nil {
- return xerrors.Errorf("cannot process OS load event for %s: %w", e.activity.source(), err)
- }
-
- if len(e.activity.next()) == 1 {
- nextLoadEvents = append(nextLoadEvents, &sbLoadEventAndBranches{activity: e.activity.next()[0], branches: e.branches})
- } else {
- for _, n := range e.activity.next() {
- ne := e.branch(n)
- allBranches = append(allBranches, ne.branches...)
- nextLoadEvents = append(nextLoadEvents, ne)
- }
- }
-
- if len(loadEvents) == 0 {
- loadEvents = nextLoadEvents
- nextLoadEvents = nil
- }
- }
-
- for i := len(allBranches) - 1; i >= 0; i-- {
- b := allBranches[i]
-
- if len(b.subBranches) == 0 {
- // This is a leaf branch
- continue
- }
-
- var subProfiles []*secboot_tpm2.PCRProtectionProfile
- for _, sb := range b.subBranches {
- if sb.profile == nil {
- // This sub-branch has been marked unbootable
- continue
- }
- subProfiles = append(subProfiles, sb.profile)
- }
-
- if len(subProfiles) == 0 {
- // All sub branches are unbootable, so ensure our parent branch omits us too.
- b.profile = nil
- continue
- }
-
- b.profile.AddProfileOR(subProfiles...)
- }
-
- if root.profile == nil {
- return errors.New("no bootable paths")
- }
- profile.AddProfileOR(root.profile)
-
- return nil
-}
-
-// AddSecureBootPolicyProfile adds the UEFI secure boot policy profile to the provided PCR protection profile, in order to generate
-// a PCR policy that restricts access to a sealed key to a set of UEFI secure boot policies measured to PCR 7. The secure boot policy
-// information that is measured to PCR 7 is defined in section 2.3.4.8 of the "TCG PC Client Platform Firmware Profile Specification".
-//
-// This function can only be called if the current boot was performed with secure boot enabled. An error will be returned if the
-// current boot was performed with secure boot disabled. It can only generate a PCR profile that will work when secure boot is
-// enabled.
-//
-// The secure boot policy measurements include events that correspond to the authentication of loaded EFI images, and those events
-// record the certificate of the authorities used to authenticate these images. The params argument allows the generated PCR policy
-// to be restricted to a specific set of chains of trust by specifying EFI image load sequences via the LoadSequences field. This
-// function will compute the measurements associated with the authentication of these load sequences. Each of the Image instances
-// reachable from the LoadSequences field of params must correspond to an EFI image with one or more Authenticode signatures. These
-// signatures are used to determine the CA certificate that will be used to authenticate them in order to compute authentication
-// meausurement events. The digest algorithm of the Authenticode signatures must be SHA256. If there are no signatures, or the
-// binary's certificate table contains non-Authenticode entries, or contains any Authenticode signatures with a digest algorithm other
-// than SHA256, then an error will be returned. Note that this function assumes that any signatures are correct and does not ensure
-// that they are so - it only determines if there is a chain of trust beween the signing certificate and a CA certificate in order to
-// determine which certificate will be used for authentication, and what the source of that certificate is (for UEFI images that are
-// loaded by shim).
-//
-// If none of the sequences in the LoadSequences field of params can be authenticated by the current authorized signature database
-// contents, then an error will be returned.
-//
-// This function does not support computing measurements for images that are authenticated by an image digest rather than an
-// Authenticode signature. If an image has a signature where the signer has a chain of trust to a CA certificate in the authorized
-// signature database (or shim's vendor certificate) but that image is authenticated because an image digest is present in the
-// authorized signature database instead, then this function will generate a PCR profile that is incorrect.
-//
-// If an image has a signature that can be authenticated by multiple CA certificates in the authorized signature database, this
-// function assumes that the firmware will try the CA certificates in the order in which they appear in the database and authenticate
-// the image with the first valid certificate. If the firmware does not do this, then this function may generate a PCR profile that is
-// incorrect for binaries that have a signature that can be authenticated by more than one CA certificate. Note that the structure of
-// the signature database means that it can only really be iterated in one direction anyway.
-//
-// For images with multiple Authenticode signatures, this function assumes that the device's firmware will iterate over the signatures
-// in the order in which they appear in the binary's certificate table in an outer loop during image authentication (ie, for each
-// signature, attempt to authenticate the binary using one of the CA certificates). If a device's firmware iterates over the
-// authorized signature database in an outer loop instead (ie, for each CA certificate, attempt to authenticate the binary using one
-// of its signatures), then this function may generate a PCR profile that is incorrect for binaries that have multiple signatures
-// where both signers have a chain of trust to a different CA certificate but the signatures appear in a different order to which
-// their CA certificates are enrolled.
-//
-// This function does not consider the contents of the forbidden signature database. This is most relevant for images with multiple
-// signatures. If an image has more than one signature where the signing certificates have chains of trust to different CA
-// certificates, but the first signature is not used to authenticate the image because one of the certificates in its chain is
-// blacklisted, then this function will generate a PCR profile that is incorrect.
-//
-// In determining whether a signing certificate has a chain of trust to a CA certificate, this function expects there to be a direct
-// relationship between the CA certificate and signing certificate. It does not currently detect that there is a chain of trust if
-// intermediate certificates form part of the chain. This is most relevant for images with multiple signatures. If an image has more
-// than one signature where the signing certificate have chains of trust to different CA certificate, but the first signature's chain
-// involves intermediate certificates, then this function will generate a PCR profile that is incorrect.
-//
-// This function does not support computing measurements for images that are authenticated by shim using a machine owner key (MOK).
-//
-// The secure boot policy measurements include the secure boot configuration, which includes the contents of the UEFI signature
-// databases. In order to support atomic updates of these databases with the sbkeysync tool, it is possible to generate a PCR policy
-// computed from pending signature database updates. This can be done by supplying the keystore directories passed to sbkeysync via
-// the SignatureDbUpdateKeystores field of the params argument. This function assumes that sbkeysync is executed with the
-// "--no-default-keystores" option. When there are pending updates in the specified directories, this function will generate a PCR
-// policy that is compatible with the current database contents and the database contents computed for each individual update.
-// Note that sbkeysync ignores errors when applying updates - if any of the pending updates don't apply for some reason, the generated
-// PCR profile will be invalid.
-//
-// For the most common case where there are no signature database updates pending in the specified keystore directories and each image
-// load event sequence corresponds to loads of images that are all verified with the same chain of trust, this is a complicated way of
-// adding a single PCR digest to the provided secboot.PCRProtectionProfile.
-func AddSecureBootPolicyProfile(profile *secboot_tpm2.PCRProtectionProfile, params *SecureBootPolicyProfileParams) error {
- env := params.Environment
- if env == nil {
- env = defaultEnv
- }
-
- // Load event log
- log, err := env.ReadEventLog()
- if err != nil {
- return xerrors.Errorf("cannot parse TCG event log: %w", err)
- }
-
- if !log.Algorithms.Contains(params.PCRAlgorithm) {
- return errors.New("cannot compute secure boot policy profile: the TCG event log does not have the requested algorithm")
- }
-
- // Make sure that the current boot is sane.
- seenSecureBootConfig := false
- for _, event := range log.Events {
- switch event.PCRIndex {
- case bootManagerCodePCR:
- if event.EventType == tcglog.EventTypeEFIAction && event.Data == tcglog.EFIReturningFromEFIApplicationEvent {
- // Firmware should record this event if an EFI application returns to the boot manager. Bail out if this happened because the policy might not make sense.
- return errors.New("cannot compute secure boot policy profile: the current boot was preceeded by a boot attempt to an EFI " +
- "application that returned to the boot manager, without a reboot in between")
- }
- case secureBootPCR:
- switch event.EventType {
- case tcglog.EventTypeEFIVariableDriverConfig:
- if err, isErr := event.Data.(error); isErr {
- return fmt.Errorf("%s secure boot policy event has invalid event data: %v", event.EventType, err)
- }
- efiVarData := event.Data.(*tcglog.EFIVariableData)
- if efiVarData.VariableName == efi.GlobalVariable && efiVarData.UnicodeName == sbStateName {
- switch {
- case seenSecureBootConfig:
- // The spec says that secure boot policy must be measured again if the system supports changing it before ExitBootServices
- // without a reboot. But the policy we create won't make sense, so bail out
- return errors.New("cannot compute secure boot policy profile: secure boot configuration was modified after the initial " +
- "configuration was measured, without performing a reboot")
- case efiVarData.VariableData[0] == 0x00:
- return errors.New("cannot compute secure boot policy profile: the current boot was performed with secure boot disabled in firmware")
- }
- seenSecureBootConfig = true
- }
- case tcglog.EventTypeEFIVariableAuthority:
- if err, isErr := event.Data.(error); isErr {
- return fmt.Errorf("%s secure boot policy event has invalid event data: %v", event.EventType, err)
- }
- efiVarData := event.Data.(*tcglog.EFIVariableData)
- if efiVarData.VariableName == shimGuid && efiVarData.UnicodeName == mokSbStateName {
- // MokSBState is set to 0x01 if secure boot enforcement is disabled in shim. The variable is deleted when secure boot enforcement
- // is enabled, so don't bother looking at the value here. It doesn't make a lot of sense to create a policy if secure boot
- // enforcement is disabled in shim
- return errors.New("cannot compute secure boot policy profile: the current boot was performed with validation disabled in Shim")
- }
- }
- }
- }
-
- // Initialize the secure boot PCR to 0
- profile.AddPCRValue(params.PCRAlgorithm, secureBootPCR, make(tpm2.Digest, params.PCRAlgorithm.Size()))
-
- gen := &secureBootPolicyGen{params.PCRAlgorithm, env, params.LoadSequences, log.Events}
-
- profile1 := secboot_tpm2.NewPCRProtectionProfile()
- if err := gen.run(profile1, signatureDBUpdateNoFirmwareQuirk); err != nil {
- return xerrors.Errorf("cannot compute secure boot policy profile: %w", err)
- }
-
- profile2 := secboot_tpm2.NewPCRProtectionProfile()
- if err := gen.run(profile2, signatureDBUpdateFirmwareDedupIgnoresOwner); err != nil {
- return xerrors.Errorf("cannot compute secure boot policy profile: %w", err)
- }
-
- profile.AddProfileOR(profile1, profile2)
- return nil
-}
diff --git a/efi/secureboot_policy_test.go b/efi/secureboot_policy_test.go
deleted file mode 100644
index a3bf85ce..00000000
--- a/efi/secureboot_policy_test.go
+++ /dev/null
@@ -1,752 +0,0 @@
-// -*- Mode: Go; indent-tabs-mode: t -*-
-
-/*
- * Copyright (C) 2019-2021 Canonical Ltd
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 3 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see .
- *
- */
-
-package efi_test
-
-import (
- "path/filepath"
- "runtime"
-
- "github.com/canonical/go-tpm2"
- tpm2_testutil "github.com/canonical/go-tpm2/testutil"
- "github.com/canonical/go-tpm2/util"
-
- . "gopkg.in/check.v1"
-
- . "github.com/snapcore/secboot/efi"
- "github.com/snapcore/secboot/internal/testutil"
- "github.com/snapcore/secboot/internal/tpm2test"
- secboot_tpm2 "github.com/snapcore/secboot/tpm2"
-)
-
-type securebootPolicySuite struct{}
-
-var _ = Suite(&securebootPolicySuite{})
-
-type testAddSecureBootPolicyProfileData struct {
- eventLogPath string
- efivars string
- initial *secboot_tpm2.PCRProtectionProfile
- params SecureBootPolicyProfileParams
- values []tpm2.PCRValues
- errMatch string
-}
-
-func (s *securebootPolicySuite) testAddSecureBootPolicyProfile(c *C, data *testAddSecureBootPolicyProfileData) {
- if runtime.GOARCH != "amd64" {
- c.Skip("unsupported architecture")
- }
-
- restoreEventLogPath := MockEventLogPath(data.eventLogPath)
- defer restoreEventLogPath()
- restoreReadVar := MockReadVar(data.efivars)
- defer restoreReadVar()
- restoreEfivarsPath := MockEFIVarsPath(data.efivars)
- defer restoreEfivarsPath()
-
- profile := data.initial
- if profile == nil {
- profile = secboot_tpm2.NewPCRProtectionProfile()
- }
- expectedPcrs, _, _ := profile.ComputePCRDigests(nil, tpm2.HashAlgorithmSHA256)
- expectedPcrs = expectedPcrs.MustMerge(tpm2.PCRSelectionList{{Hash: data.params.PCRAlgorithm, Select: []int{7}}})
- var expectedDigests tpm2.DigestList
- for _, v := range data.values {
- d, _ := util.ComputePCRDigest(tpm2.HashAlgorithmSHA256, expectedPcrs, v)
- expectedDigests = append(expectedDigests, d)
- }
-
- err := AddSecureBootPolicyProfile(profile, &data.params)
- if data.errMatch != "" {
- c.Check(err, ErrorMatches, data.errMatch)
- } else {
- c.Check(err, IsNil)
-
- pcrs, digests, err := profile.ComputePCRDigests(nil, tpm2.HashAlgorithmSHA256)
- c.Check(err, IsNil)
- c.Check(pcrs, tpm2_testutil.TPMValueDeepEquals, expectedPcrs)
- c.Check(digests, DeepEquals, expectedDigests)
- if c.Failed() {
- c.Logf("Profile:\n%s", profile)
- c.Logf("Values:\n%s", tpm2test.FormatPCRValuesFromPCRProtectionProfile(profile, nil))
- }
- }
-}
-
-func (s *securebootPolicySuite) TestAddSecureBootPolicyProfileClassic(c *C) {
- // Test with a classic style boot flow (shim -> grub -> 2 kernels), with
- // grub and the kernel being authenticated by shim's vendor CA.
- s.testAddSecureBootPolicyProfile(c, &testAddSecureBootPolicyProfileData{ - eventLogPath: "testdata/eventlog_sb.bin", - efivars: "testdata/efivars_mock1", - params: SecureBootPolicyProfileParams{ - PCRAlgorithm: tpm2.HashAlgorithmSHA256, - LoadSequences: []ImageLoadActivity{ - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim.efi.signed.1.1.1")), Firmware).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.shim.1")), Shim).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.shim.1")), Shim), - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel2.efi.signed.shim.1")), Shim), - ), - ), - }, - }, - values: []tpm2.PCRValues{ - { - tpm2.HashAlgorithmSHA256: { - 7: testutil.DecodeHexString(c, "84c3cf3c3ca91234fda780141b06af2e32bb4c6fc809216f2c33d25b84155796"), - }, - }, - }, - }) -} - -func (s *securebootPolicySuite) TestAddSecureBootPolicyProfileNoSBAT(c *C) { - // Test with a shim that doesn't have a .sbat section - we assume that this - // will not measure the current SBAT variable contents. 
- s.testAddSecureBootPolicyProfile(c, &testAddSecureBootPolicyProfileData{ - eventLogPath: "testdata/eventlog_sb_no_sbat.bin", - efivars: "testdata/efivars_mock1", - params: SecureBootPolicyProfileParams{ - PCRAlgorithm: tpm2.HashAlgorithmSHA256, - LoadSequences: []ImageLoadActivity{ - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim_no_sbat.efi.signed.1.1.1")), Firmware).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.shim.1")), Shim).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.shim.1")), Shim), - ), - ), - }, - }, - values: []tpm2.PCRValues{ - { - tpm2.HashAlgorithmSHA256: { - 7: testutil.DecodeHexString(c, "63ef227855b50bbc7fc8c3f2c351a82aa577faa729a64960821f117862697e9f"), - }, - }, - }, - }) -} - -func (s *securebootPolicySuite) TestAddSecureBootPolicyProfileUC20(c *C) { - // Test with a UC20 style boot flow: - // - shim -> grub -> 2 kernels - // - shim -> grub -> grub -> 2 kernels - // ... with grub and the kernels being authenticated by shim's vendor CA. - // As this uses the same trust path, it should produce the same digest - // as Classic. 
- s.testAddSecureBootPolicyProfile(c, &testAddSecureBootPolicyProfileData{ - eventLogPath: "testdata/eventlog_sb.bin", - efivars: "testdata/efivars_mock1", - params: SecureBootPolicyProfileParams{ - PCRAlgorithm: tpm2.HashAlgorithmSHA256, - LoadSequences: []ImageLoadActivity{ - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim.efi.signed.1.1.1")), Firmware).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.shim.1")), Shim).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.shim.1")), Shim), - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel2.efi.signed.shim.1")), Shim), - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.shim.1")), Shim).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.shim.1")), Shim), - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel2.efi.signed.shim.1")), Shim), - ), - ), - ), - }, - }, - values: []tpm2.PCRValues{ - { - tpm2.HashAlgorithmSHA256: { - 7: testutil.DecodeHexString(c, "84c3cf3c3ca91234fda780141b06af2e32bb4c6fc809216f2c33d25b84155796"), - }, - }, - }, - }) -} - -func (s *securebootPolicySuite) TestAddSecureBootPolicyProfileInvalidGrubSignature(c *C) { - // Test with a component that is signed by an unrecognized authority. 
- s.testAddSecureBootPolicyProfile(c, &testAddSecureBootPolicyProfileData{ - eventLogPath: "testdata/eventlog_sb.bin", - efivars: "testdata/efivars_mock1", - params: SecureBootPolicyProfileParams{ - PCRAlgorithm: tpm2.HashAlgorithmSHA256, - LoadSequences: []ImageLoadActivity{ - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim_no_vendor_cert.efi.signed.1.1.1")), Firmware).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.shim.1"))).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.shim.1"))), - ), - ), - }, - }, - errMatch: "cannot compute secure boot policy profile: cannot process OS load event for testdata/amd64/mockgrub1.efi.signed.shim.1: cannot compute load verification event: cannot determine authority", - }) -} - -func (s *securebootPolicySuite) TestAddSecureBootPolicyProfileNoKernelSignature(c *C) { - // Test with a component that is missing a signature. 
- s.testAddSecureBootPolicyProfile(c, &testAddSecureBootPolicyProfileData{ - eventLogPath: "testdata/eventlog_sb.bin", - efivars: "testdata/efivars_mock1", - params: SecureBootPolicyProfileParams{ - PCRAlgorithm: tpm2.HashAlgorithmSHA256, - LoadSequences: []ImageLoadActivity{ - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim.efi.signed.1.1.1")), Firmware).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.shim.1")), Shim).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi")), Shim), - ), - ), - }, - }, - errMatch: "cannot compute secure boot policy profile: cannot process OS load event for testdata/amd64/mockkernel1.efi: cannot compute load verification event: no secure boot signatures", - }) -} - -func (s *securebootPolicySuite) TestAddSecureBootPolicyProfileShimVerificationDisabled(c *C) { - // Test with shim verification disabled on the current boot. - // XXX(chrisccoulson): There isn't really a valid reason to bail out here - - // we could generate a profile that would work once shim verification has - // been enabled. 
- s.testAddSecureBootPolicyProfile(c, &testAddSecureBootPolicyProfileData{ - eventLogPath: "testdata/eventlog_sb_no_shim_verification.bin", - efivars: "testdata/efivars_mock1", - params: SecureBootPolicyProfileParams{ - PCRAlgorithm: tpm2.HashAlgorithmSHA256, - LoadSequences: []ImageLoadActivity{ - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim.efi.signed.1.1.1")), Firmware).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.shim.1")), Shim).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.shim.1")), Shim), - ), - ), - }, - }, - errMatch: "cannot compute secure boot policy profile: the current boot was performed with validation disabled in Shim", - }) -} - -func (s *securebootPolicySuite) TestAddSecureBootPolicyProfileSecureBootDisabled(c *C) { - // Test with secure boot disabled on the current boot. This bails out because - // we don't get verification events associated with UEFI drivers in the log if - // any are loaded. 
- s.testAddSecureBootPolicyProfile(c, &testAddSecureBootPolicyProfileData{ - eventLogPath: "testdata/eventlog_no_sb.bin", - efivars: "testdata/efivars_mock1", - params: SecureBootPolicyProfileParams{ - PCRAlgorithm: tpm2.HashAlgorithmSHA256, - LoadSequences: []ImageLoadActivity{ - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim.efi.signed.1.1.1")), Firmware).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.shim.1")), Shim).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.shim.1")), Shim), - ), - ), - }, - }, - errMatch: "cannot compute secure boot policy profile: the current boot was performed with secure boot disabled in firmware", - }) -} - -func (s *securebootPolicySuite) TestAddSecureBootPolicyProfileAllAuthenticatedWithDb(c *C) { - // Test with all components authenticated by a CA in the UEFI db. - s.testAddSecureBootPolicyProfile(c, &testAddSecureBootPolicyProfileData{ - eventLogPath: "testdata/eventlog_sb.bin", - efivars: "testdata/efivars_mock1", - params: SecureBootPolicyProfileParams{ - PCRAlgorithm: tpm2.HashAlgorithmSHA256, - LoadSequences: []ImageLoadActivity{ - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim.efi.signed.1.1.1")), Firmware).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.1.1.1")), Shim).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.1.1.1")), Shim), - ), - ), - }, - }, - values: []tpm2.PCRValues{ - { - tpm2.HashAlgorithmSHA256: { - 7: testutil.DecodeHexString(c, "1d34d3df18188302a2e514525dd0ca0e84641bc4dc2baee3f390b37b41898f8a"), - }, - }, - }, - }) -} - -func (s *securebootPolicySuite) TestAddSecureBootPolicyProfileAuthenticatedWithDbAndShim(c *C) { - // Test with one component loaded by shim being authenticated by the UEFI db and - // the 
other component being authenticated by the built-in vendor cert. When shim - // loads multiple executables with the same trust chain, only one verification - // event is measured and we have code to detect and handle this to ensure we compute - // the correct digest. Make sure that a second event is computed correctly if 2 - // binaries are authenticated with different certs. - s.testAddSecureBootPolicyProfile(c, &testAddSecureBootPolicyProfileData{ - eventLogPath: "testdata/eventlog_sb.bin", - efivars: "testdata/efivars_mock1", - params: SecureBootPolicyProfileParams{ - PCRAlgorithm: tpm2.HashAlgorithmSHA256, - LoadSequences: []ImageLoadActivity{ - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim.efi.signed.1.1.1")), Firmware).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.1.1.1")), Shim).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.shim.1")), Shim), - ), - ), - }, - }, - values: []tpm2.PCRValues{ - { - tpm2.HashAlgorithmSHA256: { - 7: testutil.DecodeHexString(c, "2377917b728cb380570fab710a463401c1f721bfafdc23ac3e71abb4526912a3"), - }, - }, - }, - }) -} - -func (s *securebootPolicySuite) TestAddSecureBootPolicyProfileAuthenticateWithDbBeforeShimBasline(c *C) { - s.testAddSecureBootPolicyProfile(c, &testAddSecureBootPolicyProfileData{ - eventLogPath: "testdata/eventlog_sb.bin", - efivars: "testdata/efivars_mock1_plus_shim_vendor_ca", - params: SecureBootPolicyProfileParams{ - PCRAlgorithm: tpm2.HashAlgorithmSHA256, - LoadSequences: []ImageLoadActivity{ - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim_no_vendor_cert.efi.signed.1.1.1")), Firmware).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.shim.1")), Shim).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.shim.1")), 
Shim), - ), - ), - }, - }, - values: []tpm2.PCRValues{ - { - tpm2.HashAlgorithmSHA256: { - 7: testutil.DecodeHexString(c, "98f2452139898691c56bebe24aa8471990f7e849906e352ba95710f1f83710df"), - }, - }, - }, - }) -} - -func (s *securebootPolicySuite) TestAddSecureBootPolicyProfileAuthenticateWithDbBeforeShim(c *C) { - // Shim will check the UEFI db before its built-in vendor CA. Verify we compute - // the correct digest where an executable can be authenticated by either. - // Should produce the same digest as AuthentiateWithDbBeforeShimBaseline. - s.testAddSecureBootPolicyProfile(c, &testAddSecureBootPolicyProfileData{ - eventLogPath: "testdata/eventlog_sb.bin", - efivars: "testdata/efivars_mock1_plus_shim_vendor_ca", - params: SecureBootPolicyProfileParams{ - PCRAlgorithm: tpm2.HashAlgorithmSHA256, - LoadSequences: []ImageLoadActivity{ - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim.efi.signed.1.1.1")), Firmware).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.shim.1")), Shim).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.shim.1")), Shim), - ), - ), - }, - }, - values: []tpm2.PCRValues{ - { - tpm2.HashAlgorithmSHA256: { - 7: testutil.DecodeHexString(c, "98f2452139898691c56bebe24aa8471990f7e849906e352ba95710f1f83710df"), - }, - }, - }, - }) -} - -func (s *securebootPolicySuite) TestAddSecureBootPolicyProfileAuthenticateWithDbBeforeShimNoSBAT(c *C) { - // Old versions of shim only measured the CA certificate it authenticated a - // binary with as opposed to the entire EFI_SIGNATURE_DATA structure. Since - // https://github.com/rhboot/shim/commit/e3325f8100f5a14e0684ff80290e53975de1a5d9, - // shim measures the EFI_SIGNATURE_DATA structure for events not associated with - // its built-in vendor cert. 
Verify that we compute the correct digest for an older - // shim (the heuristic being whether it has a .sbat section, but this isn't generally - // correct. It is fine for Canonical shims though). - s.testAddSecureBootPolicyProfile(c, &testAddSecureBootPolicyProfileData{ - eventLogPath: "testdata/eventlog_sb_no_sbat.bin", - efivars: "testdata/efivars_mock1_plus_shim_vendor_ca", - params: SecureBootPolicyProfileParams{ - PCRAlgorithm: tpm2.HashAlgorithmSHA256, - LoadSequences: []ImageLoadActivity{ - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim_no_sbat.efi.signed.1.1.1")), Firmware).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.shim.1")), Shim).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.shim.1")), Shim), - ), - ), - }, - }, - values: []tpm2.PCRValues{ - { - tpm2.HashAlgorithmSHA256: { - 7: testutil.DecodeHexString(c, "db4fd492da07f1922b43d0028ba53dcf203b25d62c08f4224fbe05f06a51345c"), - }, - }, - }, - }) -} - -func (s *securebootPolicySuite) TestAddSecureBootPolicyProfileWithMultipleDbCerts(c *C) { - // Test that we still compute the correct digest if the UEFI db contains certs - // not used for authenticating the supplied binaries. 
- s.testAddSecureBootPolicyProfile(c, &testAddSecureBootPolicyProfileData{ - eventLogPath: "testdata/eventlog_sb.bin", - efivars: "testdata/efivars_ms_plus_mock1", - params: SecureBootPolicyProfileParams{ - PCRAlgorithm: tpm2.HashAlgorithmSHA256, - LoadSequences: []ImageLoadActivity{ - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim.efi.signed.1.1.1")), Firmware).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.shim.1")), Shim).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.shim.1")), Shim), - ), - ), - }, - }, - values: []tpm2.PCRValues{ - { - tpm2.HashAlgorithmSHA256: { - 7: testutil.DecodeHexString(c, "7172a37992a5623a59c4367d6df5626045d984b1403c419409cd68686acd7173"), - }, - }, - }, - }) -} - -func (s *securebootPolicySuite) TestAddSecureBootPolicyProfileDellEmbeddedBoxPC3000(c *C) { - // Test using an event log from a Dell Embedded Box PC 3000. - // See https://github.com/snapcore/secboot/issues/107 - // Should produce a single digest that matches the one in Classic. 
- s.testAddSecureBootPolicyProfile(c, &testAddSecureBootPolicyProfileData{ - eventLogPath: "testdata/src/eventlog_dell_embedded_box_pc_3000.bin", - efivars: "testdata/efivars_mock1", - params: SecureBootPolicyProfileParams{ - PCRAlgorithm: tpm2.HashAlgorithmSHA256, - LoadSequences: []ImageLoadActivity{ - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim.efi.signed.1.1.1")), Firmware).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.shim.1")), Shim).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.shim.1")), Shim), - ), - ), - }, - }, - values: []tpm2.PCRValues{ - { - tpm2.HashAlgorithmSHA256: { - 7: testutil.DecodeHexString(c, "84c3cf3c3ca91234fda780141b06af2e32bb4c6fc809216f2c33d25b84155796"), - }, - }, - }, - }) -} - -func (s *securebootPolicySuite) TestAddSecureBootPolicyProfileToInitialProfile(c *C) { - s.testAddSecureBootPolicyProfile(c, &testAddSecureBootPolicyProfileData{ - eventLogPath: "testdata/eventlog_sb.bin", - efivars: "testdata/efivars_mock1", - initial: func() *secboot_tpm2.PCRProtectionProfile { - return secboot_tpm2.NewPCRProtectionProfile(). - AddPCRValue(tpm2.HashAlgorithmSHA256, 7, tpm2test.MakePCRValueFromEvents(tpm2.HashAlgorithmSHA256, "foo")). 
- AddPCRValue(tpm2.HashAlgorithmSHA256, 8, tpm2test.MakePCRValueFromEvents(tpm2.HashAlgorithmSHA256, "bar")) - }(), - params: SecureBootPolicyProfileParams{ - PCRAlgorithm: tpm2.HashAlgorithmSHA256, - LoadSequences: []ImageLoadActivity{ - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim.efi.signed.1.1.1")), Firmware).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.shim.1")), Shim).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.shim.1")), Shim), - ), - ), - }, - }, - values: []tpm2.PCRValues{ - { - tpm2.HashAlgorithmSHA256: { - 7: testutil.DecodeHexString(c, "84c3cf3c3ca91234fda780141b06af2e32bb4c6fc809216f2c33d25b84155796"), - 8: testutil.DecodeHexString(c, "a98b1d896c9383603b7923fffe230c9e4df24218eb84c90c5c758e63ce62843c"), - }, - }, - }, - }) -} - -func (s *securebootPolicySuite) TestAddSecureBootPolicyProfileWithCustomEnv(c *C) { - // Test with a custom EFI environment. Set the mock environment to an invalid - // one to ensure that the correct environment is used. 
- s.testAddSecureBootPolicyProfile(c, &testAddSecureBootPolicyProfileData{ - eventLogPath: "testdata/eventlog_no_sb.bin", - efivars: "testdata/efivars_ms", - params: SecureBootPolicyProfileParams{ - PCRAlgorithm: tpm2.HashAlgorithmSHA256, - LoadSequences: []ImageLoadActivity{ - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim.efi.signed.1.1.1")), Firmware).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.shim.1")), Shim).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.shim.1")), Shim), - ), - ), - }, - Environment: newMockEFIEnvironmentFromFiles(c, "testdata/efivars_mock1", "testdata/eventlog_sb.bin"), - }, - values: []tpm2.PCRValues{ - { - tpm2.HashAlgorithmSHA256: { - 7: testutil.DecodeHexString(c, "84c3cf3c3ca91234fda780141b06af2e32bb4c6fc809216f2c33d25b84155796"), - }, - }, - }, - }) -} - -func (s *securebootPolicySuite) TestAddSecureBootPolicyProfileUpgrageToSBATShim(c *C) { - // Test upgrading from pre-SBAT shim to a SBAT shim. This should produce 2 digests - // that match the ones in Classic and NoSBAT. 
- s.testAddSecureBootPolicyProfile(c, &testAddSecureBootPolicyProfileData{ - eventLogPath: "testdata/eventlog_sb_no_sbat.bin", - efivars: "testdata/efivars_mock1", - params: SecureBootPolicyProfileParams{ - PCRAlgorithm: tpm2.HashAlgorithmSHA256, - LoadSequences: []ImageLoadActivity{ - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim_no_sbat.efi.signed.1.1.1")), Firmware).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.shim.1")), Shim).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.shim.1")), Shim), - ), - ), - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim.efi.signed.1.1.1")), Firmware).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.shim.1")), Shim).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.shim.1")), Shim), - ), - ), - }, - }, - values: []tpm2.PCRValues{ - { - tpm2.HashAlgorithmSHA256: { - 7: testutil.DecodeHexString(c, "63ef227855b50bbc7fc8c3f2c351a82aa577faa729a64960821f117862697e9f"), - }, - }, - { - tpm2.HashAlgorithmSHA256: { - 7: testutil.DecodeHexString(c, "84c3cf3c3ca91234fda780141b06af2e32bb4c6fc809216f2c33d25b84155796"), - }, - }, - }, - }) -} - -func (s *securebootPolicySuite) TestAddSecureBootPolicyProfileDbCARotation(c *C) { - // Test that an update to shim where the authenticating CA changes produces 2 digests. 
- s.testAddSecureBootPolicyProfile(c, &testAddSecureBootPolicyProfileData{ - eventLogPath: "testdata/eventlog_sb.bin", - efivars: "testdata/efivars_mock1_plus_extra_db_ca", - params: SecureBootPolicyProfileParams{ - PCRAlgorithm: tpm2.HashAlgorithmSHA256, - LoadSequences: []ImageLoadActivity{ - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim.efi.signed.1.1.1")), Firmware).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.shim.1")), Shim).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.shim.1")), Shim), - ), - ), - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim.efi.signed.1.2.1")), Firmware).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.shim.1")), Shim).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.shim.1")), Shim), - ), - ), - }, - }, - values: []tpm2.PCRValues{ - { - tpm2.HashAlgorithmSHA256: { - 7: testutil.DecodeHexString(c, "1addd78383c266a590898323e8524e27cf3b230396e5dd3d64fdd67c734071c1"), - }, - }, - { - tpm2.HashAlgorithmSHA256: { - 7: testutil.DecodeHexString(c, "8ffc5c808206b903807f1a3da88251bd376119d7e4ea214042c262e315e75812"), - }, - }, - }, - }) -} - -func (s *securebootPolicySuite) TestAddSecureBootPolicyProfileDbCARotation3(c *C) { - // Test that updating grub and the kernel on a system where everything is - // authenticated via the UEFI db and the authenticating CA changes produces - // 4 digests. 
- // (old -> old, old -> new, new -> old, new -> new) - s.testAddSecureBootPolicyProfile(c, &testAddSecureBootPolicyProfileData{ - eventLogPath: "testdata/eventlog_sb.bin", - efivars: "testdata/efivars_mock1_plus_extra_db_ca", - params: SecureBootPolicyProfileParams{ - PCRAlgorithm: tpm2.HashAlgorithmSHA256, - LoadSequences: []ImageLoadActivity{ - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim.efi.signed.1.1.1")), Firmware).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.1.1.1")), Shim).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.1.1.1")), Shim), - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.1.2.1")), Shim), - ), - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.1.2.1")), Shim).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.1.1.1")), Shim), - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.1.2.1")), Shim), - ), - ), - }, - }, - values: []tpm2.PCRValues{ - { - tpm2.HashAlgorithmSHA256: { - 7: testutil.DecodeHexString(c, "8aa7d038c81499dac1e6e6c31279949ab25d2b9375ed423c2e640df23d9a8565"), - }, - }, - { - tpm2.HashAlgorithmSHA256: { - 7: testutil.DecodeHexString(c, "a0dd6479cc39314ba0bb6a634f5ba2d2cf740e3cbb0f282af5f1bf895b7902e0"), - }, - }, - { - tpm2.HashAlgorithmSHA256: { - 7: testutil.DecodeHexString(c, "c5822b1d2aef48edd31ff04aa51f2af9dae53e5bb8f8bc564c355ded1967b85e"), - }, - }, - { - tpm2.HashAlgorithmSHA256: { - 7: testutil.DecodeHexString(c, "662d38c6a5938245d08de02b57fe2319fcdfd39dcb5c336bc5a6fe80287d763e"), - }, - }, - }, - }) -} - -func (s *securebootPolicySuite) TestAddSecureBootPolicyDualSignedShimBaseline1(c *C) { - s.testAddSecureBootPolicyProfile(c, &testAddSecureBootPolicyProfileData{ - 
eventLogPath: "testdata/eventlog_sb.bin", - efivars: "testdata/efivars_mock1_plus_mock2", - params: SecureBootPolicyProfileParams{ - PCRAlgorithm: tpm2.HashAlgorithmSHA256, - LoadSequences: []ImageLoadActivity{ - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim.efi.signed.2.1.1")), Firmware).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.shim.1")), Shim).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.shim.1")), Shim), - ), - ), - }, - }, - values: []tpm2.PCRValues{ - { - tpm2.HashAlgorithmSHA256: { - 7: testutil.DecodeHexString(c, "3f2a3ec3dc632b253644bac36ec831bc8828845ec7837f0caf5a81e182bf42ce"), - }, - }, - }, - }) -} - -func (s *securebootPolicySuite) TestAddSecureBootPolicyDualSignedShimBaseline2(c *C) { - s.testAddSecureBootPolicyProfile(c, &testAddSecureBootPolicyProfileData{ - eventLogPath: "testdata/eventlog_sb.bin", - efivars: "testdata/efivars_mock1_plus_mock2", - params: SecureBootPolicyProfileParams{ - PCRAlgorithm: tpm2.HashAlgorithmSHA256, - LoadSequences: []ImageLoadActivity{ - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim.efi.signed.1.1.1")), Firmware).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.shim.1")), Shim).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.shim.1")), Shim), - ), - ), - }, - }, - values: []tpm2.PCRValues{ - { - tpm2.HashAlgorithmSHA256: { - 7: testutil.DecodeHexString(c, "184f3b0914408091fd62d16f0dc6a97f420881ae1e70c5aca4fdfb5547cba856"), - }, - }, - }, - }) -} - -func (s *securebootPolicySuite) TestAddSecureBootPolicyDualSignedShimBaseline3(c *C) { - s.testAddSecureBootPolicyProfile(c, &testAddSecureBootPolicyProfileData{ - eventLogPath: "testdata/eventlog_sb.bin", - efivars: "testdata/efivars_mock2", - params: 
SecureBootPolicyProfileParams{ - PCRAlgorithm: tpm2.HashAlgorithmSHA256, - LoadSequences: []ImageLoadActivity{ - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim.efi.signed.2.1.1")), Firmware).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.shim.1")), Shim).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.shim.1")), Shim), - ), - ), - }, - }, - values: []tpm2.PCRValues{ - { - tpm2.HashAlgorithmSHA256: { - 7: testutil.DecodeHexString(c, "d8348aafadb44d32d77b78480c8f1f82a0bf39f80ce27e241aef73189294969f"), - }, - }, - }, - }) -} - -func (s *securebootPolicySuite) TestAddSecureBootPolicyDualSignedShim1(c *C) { - // Test with a dual signed shim and verify that we produce a digest for - // the first signature where the UEFI db contains CAs that can authenticate - // both. Should produce the digest from DualSignedBaseline1 rather than - // DualSignedBaseline2. 
- s.testAddSecureBootPolicyProfile(c, &testAddSecureBootPolicyProfileData{ - eventLogPath: "testdata/eventlog_sb.bin", - efivars: "testdata/efivars_mock1_plus_mock2", - params: SecureBootPolicyProfileParams{ - PCRAlgorithm: tpm2.HashAlgorithmSHA256, - LoadSequences: []ImageLoadActivity{ - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim.efi.signed.2.1.1+1.1.1")), Firmware).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.shim.1")), Shim).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.shim.1")), Shim), - ), - ), - }, - }, - values: []tpm2.PCRValues{ - { - tpm2.HashAlgorithmSHA256: { - 7: testutil.DecodeHexString(c, "3f2a3ec3dc632b253644bac36ec831bc8828845ec7837f0caf5a81e182bf42ce"), - }, - }, - }, - }) -} - -func (s *securebootPolicySuite) TestAddSecureBootPolicyDualSignedShim2(c *C) { - // Test with a dual-signed shim and verify we produce a digest for the - // second signature where the UEFI db only contains a CA that can - // authenticate it. Should produce the same digest as DualSignedBaseline3. 
- s.testAddSecureBootPolicyProfile(c, &testAddSecureBootPolicyProfileData{ - eventLogPath: "testdata/eventlog_sb.bin", - efivars: "testdata/efivars_mock2", - params: SecureBootPolicyProfileParams{ - PCRAlgorithm: tpm2.HashAlgorithmSHA256, - LoadSequences: []ImageLoadActivity{ - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockshim.efi.signed.2.1.1+1.1.1")), Firmware).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockgrub1.efi.signed.shim.1")), Shim).Loads( - NewImageLoadActivity(FileImage(filepath.Join("testdata", runtime.GOARCH, "mockkernel1.efi.signed.shim.1")), Shim), - ), - ), - }, - }, - values: []tpm2.PCRValues{ - { - tpm2.HashAlgorithmSHA256: { - 7: testutil.DecodeHexString(c, "d8348aafadb44d32d77b78480c8f1f82a0bf39f80ce27e241aef73189294969f"), - }, - }, - }, - }) -} 
diff --git a/efi/testdata/amd64/mockgrub1.efi.signed.1.1.1 b/efi/testdata/amd64/mockgrub1.efi.signed.1.1.1 deleted file mode 100644 index 61408e42a202ec306fdc02563e2213ff4f06746f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5048 zcmeHKc~nzZ8ozHLA#6e8E|iBFt1QWVqPS5T5iBSI$|k7AY=j_5FpGd#rKwWH1rM#Z z3NjJVsz+_DR#2INQb%XRg<+~zQNbdL)Yi5K>kL&h_l79TIUW6D&ivuwOYVF3Tkh|D z-}mnQ@?~Dq7C-?2Xf&)=04mWPlf-uY@0VPpcJn&v29EJAcvlh;7rbLr)dnU*uT$xz z8b&VFYIR0NreyRcEu+>lAyF}mMyF7UTwR^U*rB6C0Z`=Orz3I!fQN2B0}km-lH&l0 z7!Fn-a<>l~W1nMvU&=)S1Q+ZLfKy-HAMhCZWmJiL16(wiSI2!BW>3AysLV1Vfz20u z!LixX^4yLAV5vy2OxMZnJ|ID_9N7&eD14DZYLp`070VzR7|#(i-6R2^Mr4pl@pG?Y zaRwULu21450HAL_y^a|OJ6nUp`iAed_H_)eKc<&tfQM>LpX2_L75(bhDFYgve3?pb zlCiH-Q2nvIat83vzaQ%t6Ff7PiC5|kYMs{4E=x5UGYr$jVwKvMYLbcMI*nMLD%0tV zVneE0BbKG>WMYj}trg?NB8|cc?<0gYTd!0yF}f6Erc|$FX6sB^)QezTn|^`_2KqgR z&dkgdskA1MPOlOh>?_3BOl$)aN#zGlGF+d~Q@E4$iN+^FJJBuF+G zrFsm6$S$#WwA~Us!!7O8hgK^_Myu>yD%RK~$}SP^Te~EDG_%{4=&Bfh518P@q%WqgU__pg-;Yq zBB?uZiSN(eJNLN5z(+OPEoSNxG*flZOdhpRBtatgFo@l4!WlWIV4We4L&eb?0r^fa z>ki#8<0#;UYE|h{t-=-#l5ho_2%T1;)3U?iP;BBPaGxz**6Vz*L*Zboq6BWSN`sM! 
z3!NR#%$mutkQwSa0ip<4XrrWI{0VF?0W|$D{TK(wcKPAe?MIAKZbEe-7!?vGMy=AS zwJPM8nHbeGBj|NeW`d7iFX2R*2?Eq!&vsu{a?~Zx$jEMC>{O#lBeXhsiW4l?UO{5 zwVvp_@*cDBZev^F&@u2-f&T2e#q#Nm9XC!5xjrM&a=HFbH`4;nG#Bp`53XDEmkRns zVeHi@8zu&H_;AU>#_uJCycspe2M;(u|GTgMRaGhESF9m6?714eL)Ox6)IRxY^2U4n z1#!a0fI51PEIq`G5lQ~Q;j)abj*b0VIdR^5kQ zSUs8^28ZMh8aeUXkLqs4=Mo?ce3Y)s^4r8bAInO~Jpj$HW9+|Ld>3H;+8`-GPKJNjN?(!;RZXMStx zTv=SV`Ev8SX$b*sjYqtaeCmW=D|U;@)>fU9I)1amIpg!SMM?SQpxi5`$4}o1kGwhX zO<~fUTZ;o8w;vwkOASxyJa%qDmCR#OTS7}~@H=WrP@~H2?i|(rajSgiPv+FQe&>AP z_9y-g-reP(f9mB4c8s^Y9sK>zzQnVeX@4%iC4<@B3;1k0OoPrZ$}8d1lNr*J zA@RQKDs&VVZQkc|5*6=U6i+u#NFbNv;Oj<_+}`qWJvSh#478a5blaKIAK-?073Hzg z@<%OH#}4-f7=4Y(2`L<%bA~5c9};;j@dR64{AqN+)~Hbp5mCFmGs-@JsKzZZXeYI$J2OZ%nMJDqB*iZ@OUFnjzsw>~oQ$d-Zkj#P(Rtb5GY*U;W^ z;nMrziq6L5Z(FiGHfN0ZGSKv(L&n=xd!{HV{Xs1zQ&*qdT0dgr;!he@UnEW>G)YR!vO50}=~;cLG^;&6^U^2hAN=aF;6K~+_aFcO 
diff --git a/efi/testdata/amd64/mockgrub1.efi.signed.1.2.1 b/efi/testdata/amd64/mockgrub1.efi.signed.1.2.1 deleted file mode 100644 index fe0daa517e95dbbc70c0c148b4f3444d28a69446..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5048 zcmeHKc~nzZ8o%$okPrxj8WwScJQtKTc@Gg6EQDR_f)x=#QL;QBm<6(kh-DyctyMs4 zmqF|Zh+8YnI8YU#imgYPfy1#nj&eNUQo$Xi2qzfD2Ci{*_ofPVgcY2Vne(52)uMyFS5HNF;En!%8vpDh-rDh+8ynMkfxi*;!- zt=1scrzzE9nMx}YtEEbf7%dj56*g!eL98ep!;rDs6hoF&$BP!W$W`)n#aPBarBqFvv`#)U1`NlnV3m zcNOhTH-Ly)r$qf9YHcw%2%s>k)!A@{I&t*RfB-6~j8Rz%1Zocnu$p<^uA)X2t-`@- zy+Nu&K#(jFOGi5_K{M3S4m=zhLdbBHrAtK`i-dVDLVfFV2_MePcB}Qu^$fB!6LJ{G z0cB$Mvbo+H=WcvrhjH*S6T1_NuHzU+^C>$vH+kb+j3HP!W(BBqY#Sdo#==Z9aEw)! zPNh-PMo9RS2Z4bya<_ZlcreHOi2*X82U?&43^2eEj6M|o3NDM3du(#vz?~ENDK)5R z*xIj1T10fjCFDo#n}5V=Oy9{JWhUY*Wg?m>6JAqB;1~|wLm(EnFy^4t&MuphCE+z9JJ7%U`Y ztTI)j)TEL$Wx^(o%m{p4gbCxr*NfTUCJX~z2XgE zUg^r{3)4LFC6cBk!HWEfb4!bFmTnTA&sY@bUNuhI;P;OU&jxDKH#x)?`W*GUcC?52 zEaXW4f|yw>#ke0T);{b^JAB(NqP?SFvthb*{^465McM$jU)E#UdoR?S|E>=2-chp2 zj|f@$bk&9Z^{v^T1*OHLdnN43YYwtqH2->4MYA8zsp!D{d*WV~5|vMT!EE9F8}e(s zo(@x(#GzohcQCdlA{O5FZXa-szEv`L{b19_#!DAlXOsGz z%tlUCZbx-_XkCVWVtI+6XliG;B=6wYU4LzecyRFJd>rmgtinj?&HKWQk6}YB7J*w` zqXaO+ZXPTiWy7|H+uO>DLl6`X2?fXqrvT-KID3{e%kfA?YD-(mp?_7DiuxwCxO{kn z@3?~!BK0KJSjsui@t2BST-@8={^w(lxyLi674NxKT|M%}z^w{j3cwfre-nKcuQseop z*RS8L@Vi?PP#Y(C@4Ozblskhq2Q%#l?`NEU|Lj*&rt=3HSDfgY zF(qgXD8ib)S-uN@WW3U@O?uROWnw^R!mXUeQ;uXlU1r(;KeKox_X8#1tvi!9 z=Un@>=Iu#8fBj52rqn0yi9^NXot{YtP7m<+Po%`d zS{6N#MK1oWvt!7*GI&+Fm2N=j21>ljLc)IS_Q3|*(~s}DBBQd07w~Bnl}_2dEU%dN zNXB_2gQI=bpdA66A@pd*B z1m>&1cz><%=7h96%fqcwo{TxL)pwqFQ>i1TZ`(ivabx90!;ii9W$%4in*G4NM|J)( zzh_d)Pv?%sY!@sEKm1|;>gJw)P=7+SBr!6lMd+I7F)sG**@CLvnV&O{-%~oxP?pwi z&MutlvBD>zX!qqG?LrOW{h_5GNd9?l_*Y@^CHapik+isOi<@f6mw*1qsR`WfOOD@? z$0@&B{p`Wt4;?GstjY>jw+4Ic+;z{X^5!3^>*E@F*4&hqew4W=DZ=UW-N|teMgInJ CDEcV? 
diff --git a/efi/testdata/amd64/mockkernel1.efi.signed.1.1.1 b/efi/testdata/amd64/mockkernel1.efi.signed.1.1.1 deleted file mode 100644 index 858349b3f63361fb7f39f6760c04b52c3232febf..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5048 zcmeHKdstIP7N2`_Nl1VM8&RpcTu`j?NbUtKR;fi4MVGBwp5lY%aq|F@3wg+^R+=JG zbfq6!T3>0z)+(Q%7AjGx;$!P7+VZ(otQ3jssuUkxyI5CRWoJTo`F&mc$A0^VpC_4n z=lsshnRCv}oSghA^?kqr01&YC^Z;OoZ$wef=YM|`Lb1^AkPy`I&-vT2xO4sq8m*Dc zGO%icOh+nYdOd3*q)JioV_5P)UirN;^ie6?^3-m1^{I-S{;%n0DSoRC*a~9 zI6e{Jkl`W$ByU%9GOj+7KS_lUfa(hU0T4VX`wbqcej3@KZGZS%LWJxiIHny6adi@rOYIQya-_wY)GFwVg@J*fJTW? zE<@|yLvR*sXxtNlivj?CpVPA#f!I@x$gLA1zoKW+z2`nXB?2BW*F16EpEBdQ_*sg8 zj#Xr2Fa|x7Nk2<&J@@5zMgaZ%htMJM(K8dsB*tLWvicAgrZJhajMJo2wbrCD%Owg{ zCpBo~ENhY)HCmlip2^CkI+<24MUy2urNEeHG%-3QRF|M(NEb)WW>&zGB@5~f85q!~ zJ0~YcqB1ayk}+nO*enTaP)l>P8Cq#Pt1{)t42;w@r%$;=rqD5Pg_-b0&SDK&tU+dS z8r{EmpKdf#qSddEWoniEYM$r1p$9|4|Ew z*b&bt%m#*xhKYoX*Q)hey&4*3!2$+H1a23{f{EbvVglTPVc_`XJnxLHwVsJ)@19*H zY3ldyxZN+$qQ*J;Ezq30U2+D=Mz?`oZptE6J1_tsP|}$5V$(4X0KwRZMT~`u^~U%QF_+E;N7K zmLC3?h@$jE zZHeA2zt(Be|N2G5x|_SjiGi&LS`}mWmOaj<#l^2R{dsg%ka5@DHiCNBT-KevdUlyr zzhvIZa`!{to3mbU((Vz~R}%c9WU_?%&wf<;_T}T7G$xNxrN<+8d{^OE_J-rE zrL?X+l(B!Ho&0I&y_DAGo>Kn4n&CpuYSAR)y2ZR)jU#5&qJ|QDbjsffKdTXlLlYka z#cX}J@aE#wA7ih6_4Bpv{4GuEFF2N`Cx>^m?)OU#Y6|pQu|rZ>)Nn@Teqysn*50D> z)DlZ%;l-1arhh=~f9Zvn0#oN-SsMPJvu1oS$5+)|cjk=-`Ispk$=9w&&(%gnwyK3U z=Bsy4d@FcS1h>iSl1J6m!={q2>s6asVa}!oxG)>qW);y7oo3vuQ>H$ zW6RMb_ErdO!QX<{ITzhz?f>WUqNRprG}}AZDc}Ay!spPQgYp?cjTsQR(IR;B!>K9s zRQly9lf%MNDd~WepaTfuugSY_ zu-^=&?+7~h%droe1FDlXCGF{r0k<_Ryyg`D4JR&?neWa~ANiL#&HBpmmABok=lma3 z2b{chxcu9i(_8A|_teJlH(0iP#70-|P71RP8^xv+e^^Z9#ZRk}ZXCWNf5MCx?&ROT zcjTQj%&p~Wo38TemnZ54Dtot8?MNsxFFI}gqy1d%T+u^&SPAiJ=*;e!dy^xq2am1V z)Vosn<`CY1t&TQV@z-?mB&$I{jJ#35E O{N;r26!U{#l>G|fD}jU*rgU(ERj){OlzYks)g$+`FJ zZ=bWz-us-hvl9`w3$OqHY}kf}0jPs-L~_gXzdv%ISm;qN1Sjp9->SowHNO>|tT7P= zBb{Va=m?cUucsM8NfE|$J)zMPA(2spj#g6=dwbp_tLhb@0I2iO>W~Bg*uhsX;NW~5 
z_X0R%I7k4=!P+d0wU6X4QVs;5x|V7HcrVKS1CLa{jOw6mfD0S(=k>l!=V-Zvp)wf= zSZqNLumR4D9fWVj-SqI7i2$HB3i~{l^gpsfzeYS`hAvpkFNK8rv zTK6{u8(>4@UI?5V0Qh}PuVMtkFMfgC`cmYv^;LB5wNEdJ03YU>7q0tDX1o@^N)gb} zs?=1wGFeFr_2GxJ4w8da!0d=}gmj!!#3x^P`Lis#Bpz@Ff zHc(H?RaB^=Svc5WViZQC2$B`CRY zx51>@M4^!uLI&eFAkCb9j-7X2c;0|L#>FeloNfsHfMb|UMA~!g67s?^ip9n;8$f1q zcs?AAjhScT7`q~cOeXzDAtG`z3j-Cz-`#U2fcchBBv1kqpn(=pfPw98^dV(0=w%aI z<}V0uOT27fzOaf@k$N~kDevUvLf6Fo=O+qmHEHaq3Nx#PG_#sWGk&6ig=0804=J&l zjq#yzY8juj5PW(#14xT zsbemK%$amVB9>SfO_>-XCUntaA~=xnBME1FKN5N%BP|r?BJz`s0m$_Kr5#@6l&5xh zjMx!HsnU%U5d;$n5v57eYxGHkj5K4Oqay;hi)F?{aCkf7)LlX*DdLweyom_L8Hn-;135!pWIY+3i`UtL2`$}HPW4L2Gxb_`bZKQv-R`(*c<bcVK$qE+jNp*7-6@`YyrvR*uvv&W5Z>!NC5)HXb?^U(hYG!wiA0?ts$wo zz3j6;j_#K{nAq&R@}_9q9?}DeC$e2gr<`$@E6eS0Z$II=&mY>IG5GKP=+^P$qc;W~ zRk$%2NUL-I_~Xj^L)R1Lx(+_>+|u}=OMF#!``S0cD*9Knw{--s&5nqBu+Tm7{RZE^ zJ}^_>*E5RSx5pmUd+nX}|STLL<0nw7joub>F8`KUVpCik;fbRePRY2Dj%MyK5=Ks+1>4`xp|8?cz;dd zj4ug(QST19cyffyjBke5ITPJv&Hv}}qNT=Ww2Itr()D>7v17>uqw*P>oG>D?k%{2V z_a|q{=E!EvoZ;seM@mPeY?&vUc+~crT0c$I7kay)^_W{{Q)9`s#MViU%4Ow}+G98U z9LcPa2_l)6Od`_SJiO2PI85F-(4P?=lapMIjgOFpbI0Od zqYog=3~Vz7TuY0-_8gq^IHq8J?~mMe&v*6lrCq)qolb={Ii)cX)iI^#9+Ygm-=HY@ zu4UyPf>mj)oK*=I92>vg_0?8<0x$ouu%P4{W}`FS_@=AjXI_baaa@z)QVVD4ynj@v z;(njVT#G&QL9zS1tSWBbKE^fsI_vAd9p347znA}RHNSiIp5UHUE6-1=Te%{NX-FA7 z=zMB#ZbaEW;f>~7-x_!adbgDsT&7;hzZdJ>;?>g@-*|U|EkFC=(wYTZt21xc67EjH z+xvB3XnEUrWxEe|*Y!2+TythorfW%X&1!G^&K5ECVZgqBrrEZSXYLJ^t6VBK-#&g| SKs!*sq;)9w{py-Fr+))An-EL@ 
diff --git a/efi/testdata/amd64/mockkernel1.efi.signed.shim.1 b/efi/testdata/amd64/mockkernel1.efi.signed.shim.1 deleted file mode 100644 index 5c2c82cd370661cb1da981db0070d50ce57928eb..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5056 zcmeHKYgAKL7C!fp@C;Z%L<;o^>Qcny-U#wg926KqKva}fT`J^p36Z=^E-w`uLyMK# zP6ac{RGie;)Q+}d8LEspR-qQVK#H~kRt8I{LI*+D;Co=s3E`o$X6%ny{o!IK=ialw zz0baT?|aV9PQse^0RaFY;TRYI;1s+gim+b)_r(asE|V)=K)FNRlv7xI-ISH-N&}_S zYZZElnvzL08ZAdjSxTR&p_CdbDlv&tYvrs^AaI;&GrcSt0C@p=IwWTR9N?`N@Np*` zp8;^l@R0!0INPu?wmFhNPeuqpb1t_5aC~0&UwCBtMRW@KW^V_zs9$dPMK(vvg&dp1 zLBQ$@x}ex>X&KU^07w<;S(R31^8o_SJVO)SzxL?VZA9MC5IL%xH5K}^8|0cM9=O#Ds=b>JArxY7c?Lux?`#u6ls@c^B} zcbvt?NX!(BW29vRoleggg}Bnw2n<-L1Fspq!F=l{5lDdnXn_i_fP-TJ`q0dCc1ddM z{P38jvsb{H0u$E9sN`*$LQBVwR!hA>P1imrCgt@{uj5*>a3eHrV1wvxF?1jPHBC3l3j4MX>z$! zc-h*eWo^57yAu}u<&owXam&B9FtC;64y(qO1}(1IwD5TSZcEU?uI4%KuFiU|p!(#e zMW<#)_9Q*1DXf0{bl=55_bWcFyTVJBnPQ4I2lahg)Q~zoqV?>x#Uc3v#UFIHtSf48 z?)%xLLXvY#-W}f%60Qu0H&*7S8~pM^+kCHgO-^#1d8j4ySV#$1O=2xq>?6vu#LRWG zprf$~o5nTe{{G$#9BxnS zU?y#_?hGGS3>zRx0_U~SZZOe4(@1C9k#7%oIFDyX5VSJ_-H;Ma1KJ01E~E$P{#oBW zrN{CV_DrM4Qh@9JTqhAc% ztnkHPAnM0JcjNXn$+A?|4n&-t%WB z{oenF!u>+gqpwz6%G6%F8|wc-W$%KIBr0`cmuHRVfr`L{bqBx1cb@3{`V;ffCf>L@ z-qtt51YYyL_22dA3; zwdz*)kBTSzN=o%9egl`Wsg>u;6TzLizWuVj8?}Eu-P7$oj_LU3z{cR6dt%II4TuB@V#(7jtBWdpu5sz_& zhkp(o#Dp+&g963kHMD3%N;1AA^`z;pTr*R4FZ%Y`#xkF_uWNUIm)1CSf;4`=u%fJ8 zJb}&~S>Vd3VAxK>B^L7^&3KGvaI`T8YaL++ckj>~)gLYV^E!2vYljIe(A%+ovGK%J&%9!L?p<|v<&GmwuZMTPf~me-x?iDe2kVljYI! W)a%6Y*x(0CJrC3tuKo%A4*nbQ(hxNO 
diff --git a/efi/testdata/amd64/mockkernel2.efi.signed.shim.1 b/efi/testdata/amd64/mockkernel2.efi.signed.shim.1 deleted file mode 100644 index f39ad49810ed2a158be2d9e22a0e6deab8eaa719..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5056 zcmeHKdsr0L6~FUfVR`EkR0?HyMMd15;SpZy$3v795E}>)4Z^|>%j)h9*&SXHTC%2^ z5ZkB(l`oPKl+Q;r2}q4nwFG=7MG>n!M2b;FND;My3hMUWWf3G_YX0cgKm0tqcjlho zIrq#tXYM_FHfH%oKmY(pIP`h|4#7L35X1GqUkahv+PT&m)Ce104q?%aF7X)(EtRR^ zhX$yl+KmASjo^wJ0bWb4q=Az1<-gtyy3fLq}B zEPz8sfCP|ijl;kg=SV)83LyZ^bru6)K3VoNJTm<}Is|<)Glg2zFSq+Vn-k??p3UVU zVDJT9P;ADujOkGTq=+@Fl1nrC0D)(6WK;|RAWSTi@>0m#AdH3s*)v1TIE4UEC)TD) z(R1%0I1>(}Hz{!;0Ko4{dJ!`ad8!VD)nMcN{)-si%b1>%0Sj1bCLQ;Xt7u&GuP&6c~&KZ=HfG0%E(a**=*RdWJ23s;|gQ8 zb8>RT=^B=mvD(!#E7aLir9$@9%*$H$?8XqYxeC<(q1G0Ig8;HDl`0R;EDRh%l+sjI$v_qo zY7YsJ%#OCJs8L0$aFDF!r5a=ik`Xa>wBrbxp_W!Zpx2}S9B`GfOGOeR!j3|yZyiO@ z%%GR7RlLh0O++Me7{>vv6Fd+IJ=aC9yKjY=;^jI)FNC^r3}b9)D}gX&T_na5B#xN? zI#*ymM}U!-&L79f@>O&O?K1(fp*;u;lv5SIE_4L*44+t#3bcR&O27ghjs@sLGn4F+ zRLTaA{29Wp6I*ub-Cc=?H$&OzlmqM6naXK5XNu$;g#9LI@X zWX0$=W&ypEF&4B?K)gu`MEK$`#+J55jG4$ZLM>NH)iOgo5HS@AqB*sUQ!{q-RHR}q zvPfVdprKw@r->Oy+5w@2NEFX%dFsuGMX$q?ZIFkD($q97ZyJWc&<0vQ-Nu`F2B35P zM}A1?xubr(`V&9m*t9GSONGH&Ld7ZMYK2-(F|-bIotP8&#t0o|1K%)aj_WWC934qp z9+;mwXO{R%NxvvzY1apJo92g}+a4n>VIMUlZLKM$FC0q|zoNH`4X8}+d{E6U_(!XA zjm7+`x0h6PZ8G^JChRW{)%%DZ&of27og`nWoLc6$_~^T#`_Fz-?zf|_&F7Da*?(Gh zy!xxnhh~Ql#N9tpbbR>H_EWxg7o0jb%`aW5i`=}%Z}6+lO)0O2bRKJ29I#ej{AquC z(&i@1!5^&;N^|$g`lFiy<}19S3v1VAXx-KZcDY{ebB?o_y|X=VUqC5;oW$BMn1xhj zdo!0yth$?9F%P!cFTe0!(JF9M)%Q)6+Y>&j!2V8sKG{f^cC# z!|jRf$fC7|o#AAIVS17zaFZ@t1QYG#L0Z!00yDV7O-xJ)g0@7U2r1z-pq&tBP1=)o z2L|sd?0=ig9%;58j>-*AURhUkm3BsAH*z{{Uuf5SdrElV*}TW{;|1w+u2kP5a&JaW zd@*pd!WV;qh1Y%UQZH4NytQ>+bdcL>IVaZ3!RIw*FGF9aXjp_d~%Wvx;7i#BL7M+RsusdhCy=3sr zP}{U$9qsAAE+5%mTBb>M)1SlKYwK%b!L8R^pQLSjhx_Z{fqq9@ru%%wJN_HUZ~Haf zy?e=qW})r1-&_rP@Of$5jUeTi=_m$Lhv}s#gA9H$CHNB@q&g<%F6>(vIUI z6UGJ}ejnP831D9H^Y!*#PD{q6B;!g_PSstl$rn%0oPC72sH?2jFUYr;ontwxs7TKz 
zZEUM4rSrxY*f2^Mw#CyDi+N6D>?blf+L)uYjxdG0cWe&pASi@eYn;bIXj6g79BTqM zeHNcJaRA7=G| zhQHxXYh?Zfi4R=7)}OgheZA|87J2Q>sX-p!e6;_AA6CXE?pfm|jJn7jU;B6{Am85S zJm2VluEXvArG(VDk-j0PLG!Q`l`|^42SS^+ex_^17tIS!ulRi0;hAnC_XLNqva$nT z+;I7KSOf>xvOl)ms@wqZ#Zu0QF@P{-@*R?Pn;Ae 
diff --git a/efi/testdata/amd64/mockshim.efi.signed.1.2.1 b/efi/testdata/amd64/mockshim.efi.signed.1.2.1 deleted file mode 100644 index 033d07c6fbf7dfcfddcfb89a56f5a7a22ce7194b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 7304 zcmeHL2~-qE8t$GMhEpJbf{4;0A_C5I4>za`w+Dz3#arl^ZkT~NaArUb4;U3)gG7lM zMOQ(*5fjA&QPgOnMpTe^MJ4e-@c?B7Q8$8HHG?wxqA#0ucVFJ4`c-$;_gDS>_utj^ zfBi>JS%xqX1Yv>t`Za=-gDWh2&H3Y}EFdnNcFUtS`9;R;$f*8Fo`#@h;?FWV+i+chIG!y&ddOxJ=_i&DiPE!Ga z0TjM@HuzF>3WgwY90e_r3p;H9fW`-Gok5_`#0fU8d7Lw!7N4YC$4syI;Lgg5UHG-2UGeM$id zpZ9wRWPu9pvjA16@HInqfbQle_rQo#$Dqy=pImXb!oP+Gz~1oQ=l<8QyW7f7;(-aF zVI#5V5hEjw9AjvOQY@GGVT32g8*?;r3`!A8s7O*M63b{mEJ7?xNyE~7ykfmP-n)d4 znZVVG!K`4pR4P{aVLaM{B4`gUcP~%UixiT+?t*v^oN^cV;5?f4h!;{Mj=NLt;7*_9 zNxGH%Sr0&3-~cKN$!>%j59jf4Po4*k8zm@G1a3SdT?s)Do-+JMZ{ABZlxYl{n&DQ z=94noA?j;opS80rk}B7R*3VeJ^L(Sig~)I%-C^#&GOKZ1^&*>~HOkbMY=e`puEh*I zcKyaKW=vIcO%v~D6N;EpJU<}B(b^%s{bH`y&g&Mg><{jW~Npc>Um=xZKD29nZWQ&I~$S$}KKFdhlqyYkbVQ zX-U^bWvLZMNUzkKrUBtVesb)Bys^)N{VG%IGH1*w48u&(|pSsexNx)HtF_p zU7DF3QYfVX{RjjXELg5cmMcgV;G=F@EpJu8VH~k6m6V7njV0ae<3Cs=96C)5^Dr>A zg@URL2hN}cBLYk;X%U!Cg7HC%P$^PrIzV921C@zLNC7P&G=L_R!$e{`GdvK3+F^nR zK}KlKTCG}S0zhDr2v!CXOKTHhkds1tAfi`D_ zkj@MiM4-)3a~Gu5oCa`Bri&w{XqgJpWT_-{DlI`csha2&E2P1Vey2^*WQs~8SBNuc z3V};DHdXsSr6JF;siYz{nM{|+Nh(%ElN7B$pr%+ADUi_6B#i+K5L(!+ZzHZgqfpJh z3!qyJ6xBpl!?>IgD9vOsKq$h~*ha2wl!dCj87QkT5f|a^I*1uQ5bVx{*v5WYcF0i8 z5rqg4B_c;82#u&f9S#o=WI>GA(aXY4?Xq(37^*Z_`QUipWzUL^<(pPtIK|NyxVYF? z90)7uU#MnQ1ENp`h(g(?BMQB7Yb{YQ4b65UD3Y#Jwod0bC;+*4YKz&49t^z^sUK2(>Gr%tKD9~ zXkJsWcnC9K+KU+%w;sBhzQ|t`l{k3v`m8E{<1wRel@?bGG3lANt??1J)w)39T9@l* zzx9srrpeQKbr9b?cM|u@K0)Q-%QkUBCoDKvG4a>$?3zL%8(r$!dxtj^IA(O5nV)jy z@>M@fnK|>6e(Bu$Jw<^P$x4T!0?WKXcZ2y^B`cdw9}Rh2GCy0(98z%QyUaoFCT?wn68n=A&fO^Z_Mba9aGnh~XZ`sdGpjYYJsdoM zWrO$1vZ^UwZ^&@rnI1pbW>}f*zIs!`o;|-uHfEOh+p?v&rQ=GRZ|@hcZqEI2t<8+m z%o~#}!V6o+-nd#9JUKIR%CmreQOl3Geeq09yIh%-e`CqSoigWjgKux2>T>^w9oRa? 
zi$jO}$-nnHF!2=T#iMpM=ld)j6xcTMQGKrQ&IgwRUjERp`1!q_(}@{w3tuy$W;-_j zdNQQdUh>ieA7A;K zy~PIC3D3=o+bVaJJs5R#^$nqKP8gffx-Zw`1ZJGqyp(S_Fp^L+W`oZ;4Qw>H_)oCw zk9;&A`gq~3-rac$v+v@)-|l{fOu|HGKV#u`T_Qcg4E!Rv80CYz;&tpBVy`<#rvksU@(v@@H}08l#lDP^;}Jv4E=X;XWaz|Hgc94MV4~pBLC>~ zj{CP1Ydvn~&AK3wxK)KR`H zs;t)MiCx2P-UOU<3&fc}*)1S^ zm_azK0l>_A#c%))_M}J+3D}HEZ+Fk@16n-_hVq2I3{nm^RXiwg!Si3h#YV15<{!hQl-KlBfLF*F&AT(kTj``8c#}+qzc*}i;^nRGO!FkpEw_{SDNq% zQv^CTSQV<2%cUBBOh|iC1nuP`^6@5pNC`PyBu?f`lS*Tttb$o!-ck z^a}a27Jy-aGbqp{yA$q0Tqwl7gbBk~`bqNs@hf>VSEZp39z z;c)q^@DRcRH-iI1K5vX7QAR2#!W^ss2#?Q=QYt8=g0R9ZAz;imiJ<|Y!XgzCPr@Fz zgD9KNpG>PY7~_Vz`Jtn5%-U3l;{>=EnrdS%BwhmkCOx#Mv%UdP1B9(b&4H0nW0n?0 zk)3mvs7uz)yVaN6{9fmBrz->87CacNw33;0R>ZnVGUI%w1)kP+C`MjCZS#b;so-+6 zqyIO_n+D!Qs?2j&jE*kray?c#92&dJBk!P|Az7dE%EGp>!(w=&pfz{)6M@3(eS)H^OhD$nLYepV~DZkv_X<5)YtI{S7V z?L6^g^?>r3mMM+pV_H8b`Qqp;l^c;YthUBNRGM>Z(y@6qA!X|Hj$Fe7PtL~-+THTq zdUnj=JI!svbA2dc>Z-hvqg||>GoS8?T4K89XnAH0JE+~LG@+mM0~hb+gb#D$0vc8F z(T@1tfygPJZyhgDwe<%QoeeiU9x3-58ngagr%j5SXH=-Qv?h03QPkVR&#JE<+qJaq z;9#$;jT_k9e8-)0!^Valwu<=Xiln9CN_;{4qG$JguO1rmRjpvvs$C7cT8AaXR7_84 zNvccVzLWGxAIG&m5nQ;vK(rd0U)q>=VxLzV^IiVcRkzQN4jDBW>ka_jyRjsVCROb( z5F|=9NoitFiBc|5C5e?vjQ~1-fmo*@9!A%KfL<&-WaAl#X6nTZdW3PzLezb%Vd z=}AiDGzdRNfd&gzs#29IQUl^qcb$|MBH%PnsUn?}NhwB?-st0h*d(5Gh7{&uU}_5m zMduD&K@WNam{`&wFr5VbgASq6L)BS#KKkf1(bj#@*i;9~&lUe%pX(?hy5 zSP+3aL&-gmPI3monM{|bl%f?HgvnCL=yY0!c&0PnD^5a#8~sY3qRBK(l2RqjqA3J! 
z*|>Dw{}dBE$EB01xKuJzrX;DjB$}jX6#^y2X-Kh*26uI46kq|@!t4LS(~>k5jfH^o5{s55Dx``; zpyclb6uXywaKise?)@7<89rMt2JCDv%c`Hhc=ad#{4`Nb@wv>C`&&-uyKWvJjNLLZ zUp!fOe$18;xfNw6?3X|0Cr2zaeJa?~7aJvWEqZJ)uP8Iu+-l&H@Cwln&S(@O+&rOX z&-nx1x2qyH40kV|qVyMgNH1Jiz?r?_%ZYxaeg@cqAsb81Y;<@qapTA@TD>0)vtO*a zpD=+s73Ox%GJlXaSG93dm}7S2=j#*NuJ3n@{=xLq+F_4l8k%-`RF7ZTSu`v4dUo^n z9V;Eh-`VoG9d`a{4dEdR^Bt^8SfV4Xox6sn_WPu8O>8w{xYeTK_>f6`q9*M^rnFg( zn0skV*|m7~ftr$7T|kkBt6vT%3@+k)U}1+roIbcQ*AVP_0|OqLjrV~d6J@Y)L@&f> zzr?RQTio>dx+C{plCL;y_Brb-VYZgTTO1p_e~wk|j0Xp+Id|u%EGA61wHuT(eyRO0 zzZQd7)fSCC_8A&``O)hB&Bgb_KBG?te%nQ@h@^|}?0CN>>`9E}&b>41Hh&#C->GYr zo#Ll01G2VS5SDiLH0nbE#O=Iv6JulXCPRPe)RS{->y(qqY%kwSu`XIR?fZiC+pFf+ z4A~v|KA!sBWWTNU#M<~7ZEGwCd7s)kZ^uCEsSa9K&FOcn#$Bz?s`srxRmWpxqS=;r zH~Oe*vTJQ_BQqtpmX+IQB!vX3QWoAln`GZ`_Id>;eR*;btFv+5j(t)aUj5ZAWwm5} zSwpKcCpM%iI<`|cpTimhh;#RgP#Zy z?oId+KHgqJ;Z$7E!{rdp9PDsxeC5j3h_~zK0jFkpl+Roj&^B$xg}F0ChnIyt+ml_3 zXZ9>GCuDdsZt~)wMBVfU{q+YdxJ7mUOl%(5$ItsL77NJ%&(kwTgK-|$V3--3#d{fd z)!&QYsOM-=#HTR)XxSIBg#t~at;OmaCkuu~n6at_E=SEng$=Q5Y=is~-9~#ywubaw z(R6sk!6p9*9ICQkKA?a0C2?2m-ct+OzRd3zU#WO&(W4f6MAVa8w?zRa9n{!w)|ECN z&kp}rOFtw6>ezA6YY^Dnn zJPH?2w?J|9Y0+`x*?FUB=q+AHIja_j%a9eRZwa#P2r6=dLKQC_)2K`uhucN6dT{Kqhk^V5F Yz2L{z;*YbbrkpG5Jq!=00w)RRzfZlh*Z=?k 
diff --git a/efi/testdata/efivars_mock1/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c b/efi/testdata/efivars_mock1/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c deleted file mode 100644 index 07fdd8f89d92fb05a7db021b80f66e2c91d9698a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 983 zcmY#qU|?7nd0^?2Da*aux2_hA(f&|$nHeYu1lxi1lKgMX@8agTFX1?Hhs*fSJ%c9Z z#Rg4G-3yqR7@3%um|q(3vT$iTo52*Dsqg5SsxMZh3|nywHw5QMmb3+xJSS8oMF zgC<5LWUn)_GB7tW@-qO%xtN+585zzC9op(3XDsw!@#}vPeOo5R9+i)_PoH(%xNLob z!J~&W^0xZCQCsof)1J|7!?}0w7O^j%*jT-B^Qzs-DNmMGIaP%(miEo$3wUy5m(PV* z@0IJ;Z@a}MeC+heIc9DQ>sRS)Uhi@HV?c0)^uf0b0%?iL-FwouonFvcbY9@%gPg?1 zd3M@=zg$XL&r;aw-ne5KzovNeR)xHu{cbX5%r8{_uW$Ykv`3KTw1eODCJSY=)~S}O zD)d#QMT{Sv=T{7ms2u=X9{EUqMSy+IH zrp-BGmtWn1qtx6h_Q&AwGT^uccCtbv)B6jZh<$ETMKJ88pwmBm02VV z#2Q4NAH8(ZF;I@Th3V+4h=&tT9~?uS_5U;`=4lW3 zy#1cCni-~x-8JXZoLuPX<@7NlJLK#&Z?h?DJ=4Vt3ikdr{~7bMe9!E)w{`n%p77M{ zlGiL}s$ReSki6^<_Rn3vChTqtJ-xg`aGzDWU+RRaT!=>$_*t%^V#>B`S0A(T{xqHafa+p00(Dl@&Et; diff --git a/efi/testdata/efivars_mock1/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c b/efi/testdata/efivars_mock1/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c deleted file mode 100644 index 25eeecc6776dfdfd4cebfe81645a386def183872..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 874 zcmY#qU|?7nd0^?2Da*aux2_hA(f&}B#tak$0xuw)8)oD;uP?~I@pAOe!uaXx22IRn z22D(IOq>i;POtYo8@Bw00WTY;R+~rLcV0$DZdL|^SVLU{Z8qjm7G@rm(4^A5l2Qf# zFkd%?;MC;OqErQ^{QMFHjR0?bZ&z=H?9@t4LmdMxxCxw$VzQ-RO}Z(mWvMw1Ihn;J z#d;7Sz2y8{137VCLkj~lBLgEt6AKfwC~;mRAlJ|w%B8jSO^iy&9%f`^U~XdMXE11D z%?A2T-Wak(p6e_wXz>*(jFIX0^6Y^zWBWfl2WZEMJp6{X8w38J)8;zii=P#E| zXXXet>5ua}cSGlg0e4m#L#A=5TS&gS#aTU}jBXFVFp0|an_qsPZ~3@Maq_$!!Ww}O zQsy1lR=OlKJ~oQ+1m9eaLIYc|UKO`zC6;STBLCcx*n8U3{cP&vNM^t0tR5j{^}^tG zn?EfzJ^Mc#YA;v(Tif2hWA^VL{<_AalV3LfU%u~j-v-%~ox2?}rr)s$5jMy!jF_jG zptV75UdOt{X|JDth;FF=eLruh`WERwb!se|Hvc{Q=y3DVA4?23O*eUTDRwXaN*?dv rAl0kFK6lu($^>Tchpg2(^UnPhcX;lf6@Cj|Uoo1+-&3n%`$-c3rYBr= 
diff --git a/efi/testdata/efivars_mock1/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c b/efi/testdata/efivars_mock1/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c deleted file mode 100644 index 687e561126750b618ef12a9607841f2e302cbf1d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5 McmZQ$U|?Vb001Na2mk;8 diff --git a/efi/testdata/efivars_mock1/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f b/efi/testdata/efivars_mock1/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f deleted file mode 100644 index 6bc6834ab9706c6f2692bd63656016ede8229e37..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 987 zcmY#qU|?7nd0^?2Da*aux2_hA(f&|$of#+y1iOLslKgMX@8agTFX1?Hhs*fSJ%c9Z z$iTo52*Dsqg5SsxMZh41nywHx5QVsc5A2FiS2s_f zD-;Y3ni!Rkz0b(Xz}&>h&j1wXVrpV!WZ2Jig{|kv?XdNgnn{mi>cz{xP4djNz1r^< zdwcTU_-j``#)|Csx@uXP)xNO*e_)S?=c|k#mLUukzaHf})e0|`o&D&dx0zC~&(ySa zJ664$=CW@>MEBA!Ix1_OWv|Sc@MpTg=atvaC&e9D*?m?wu{y(a`lgfNHyP}IGTpo5 zFSj*u4%3ikody zMRvUVKGoQTKZJdQ$#O2o8wL8#n?(1`i{d@K(Zyy%y17}5!kx(eReo=>x3Y!ozJBmS zkXFEze@5)Jl5@ANGm_-r`}or0CwglFOI%lRe!cs>z~CkmGb01z;$(wFa3YZ9XJq`( z!U9YUpeOqKht>OO zhYMG)c(>?z$gS7eC+(`b3MABa*SXrxihJ}~oY6eKw<|qFnsrmerQLsma^`Q&({;%X zU)XQtq<6~iR3N{wZ_oaxAC%PIDkW9SG2lLJWg>po)I@R9zBaea=&yT181Jt=W^3f| z+{Ng}q_y)FoZ24!?S)(-PZ3|fAHU|3vt?TM+r+gd>#gH|ZhijJLM^LzPM3sueX9K$ zKHG1dcWTXMu`2aHix|3$EO#ZH+;GV8{LjeLN#3PjCHT*r-OY2o?zabvPKP-+NB)r~ z-)?MkQ1*K7>fj_C9xl?lHrmYYFS8=I)uqjjmopzeNIb8;@`=jEs>!$5<~#xbh0|!o diff --git a/efi/testdata/efivars_mock1/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f b/efi/testdata/efivars_mock1/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f deleted file mode 100644 index fba22f315070c5f96458286976310b59737febaa..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 80 zcmY#qU|>)aJ95w`V3Na{m5x8nCOd2R0L4JS0Eic_*tI~GWrfF{_QSbC(s8zrHym-A i@kd5v*6%MTX6ElyQD5iyBxUwwpCwagN>>E!2n7ICIv=(G 
diff --git a/efi/testdata/efivars_mock1_plus_extra_db_ca/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c b/efi/testdata/efivars_mock1_plus_extra_db_ca/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c deleted file mode 100644 index 07fdd8f89d92fb05a7db021b80f66e2c91d9698a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 983 zcmY#qU|?7nd0^?2Da*aux2_hA(f&|$nHeYu1lxi1lKgMX@8agTFX1?Hhs*fSJ%c9Z z#Rg4G-3yqR7@3%um|q(3vT$iTo52*Dsqg5SsxMZh3|nywHw5QMmb3+xJSS8oMF zgC<5LWUn)_GB7tW@-qO%xtN+585zzC9op(3XDsw!@#}vPeOo5R9+i)_PoH(%xNLob z!J~&W^0xZCQCsof)1J|7!?}0w7O^j%*jT-B^Qzs-DNmMGIaP%(miEo$3wUy5m(PV* z@0IJ;Z@a}MeC+heIc9DQ>sRS)Uhi@HV?c0)^uf0b0%?iL-FwouonFvcbY9@%gPg?1 zd3M@=zg$XL&r;aw-ne5KzovNeR)xHu{cbX5%r8{_uW$Ykv`3KTw1eODCJSY=)~S}O zD)d#QMT{Sv=T{7ms2u=X9{EUqMSy+IH zrp-BGmtWn1qtx6h_Q&AwGT^uccCtbv)B6jZh<$ETMKJ88pwmBm02VV z#2Q4NAH8(ZF;I@Th3V+4h=&tT9~?uS_5U;`=4lW3 zy#1cCni-~x-8JXZoLuPX<@7NlJLK#&Z?h?DJ=4Vt3ikdr{~7bMe9!E)w{`n%p77M{ zlGiL}s$ReSki6^<_Rn3vChTqtJ-xg`aGzDWU+RRaT!=>$_*t%^V#>B`S0A(T{xqHafa+p00(Dl@&Et; 
diff --git a/efi/testdata/efivars_mock1_plus_extra_db_ca/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c b/efi/testdata/efivars_mock1_plus_extra_db_ca/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c deleted file mode 100644 index 25eeecc6776dfdfd4cebfe81645a386def183872..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 874 zcmY#qU|?7nd0^?2Da*aux2_hA(f&}B#tak$0xuw)8)oD;uP?~I@pAOe!uaXx22IRn z22D(IOq>i;POtYo8@Bw00WTY;R+~rLcV0$DZdL|^SVLU{Z8qjm7G@rm(4^A5l2Qf# zFkd%?;MC;OqErQ^{QMFHjR0?bZ&z=H?9@t4LmdMxxCxw$VzQ-RO}Z(mWvMw1Ihn;J z#d;7Sz2y8{137VCLkj~lBLgEt6AKfwC~;mRAlJ|w%B8jSO^iy&9%f`^U~XdMXE11D z%?A2T-Wak(p6e_wXz>*(jFIX0^6Y^zWBWfl2WZEMJp6{X8w38J)8;zii=P#E| zXXXet>5ua}cSGlg0e4m#L#A=5TS&gS#aTU}jBXFVFp0|an_qsPZ~3@Maq_$!!Ww}O zQsy1lR=OlKJ~oQ+1m9eaLIYc|UKO`zC6;STBLCcx*n8U3{cP&vNM^t0tR5j{^}^tG zn?EfzJ^Mc#YA;v(Tif2hWA^VL{<_AalV3LfU%u~j-v-%~ox2?}rr)s$5jMy!jF_jG zptV75UdOt{X|JDth;FF=eLruh`WERwb!se|Hvc{Q=y3DVA4?23O*eUTDRwXaN*?dv rAl0kFK6lu($^>Tchpg2(^UnPhcX;lf6@Cj|Uoo1+-&3n%`$-c3rYBr= diff --git a/efi/testdata/efivars_mock1_plus_extra_db_ca/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c b/efi/testdata/efivars_mock1_plus_extra_db_ca/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c deleted file mode 100644 index 687e561126750b618ef12a9607841f2e302cbf1d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5 McmZQ$U|?Vb001Na2mk;8 
diff --git a/efi/testdata/efivars_mock1_plus_extra_db_ca/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f b/efi/testdata/efivars_mock1_plus_extra_db_ca/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f deleted file mode 100644 index 556d61713414d8459f8274460355dc9afc71fe75..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1970 zcmY#qU|?7nd0^?2Da*aux2_hA(f&|$of#+y1iOLslKgMX@8agTFX1?Hhs*fSJ%c9Z z$iTo52*Dsqg5SsxMZh41nywHx5QVsc5A2FiS2s_f zD-;Y3ni!Rkz0b(Xz}&>h&j1wXVrpV!WZ2Jig{|kv?XdNgnn{mi>cz{xP4djNz1r^< zdwcTU_-j``#)|Csx@uXP)xNO*e_)S?=c|k#mLUukzaHf})e0|`o&D&dx0zC~&(ySa zJ664$=CW@>MEBA!Ix1_OWv|Sc@MpTg=atvaC&e9D*?m?wu{y(a`lgfNHyP}IGTpo5 zFSj*u4%3ikody zMRvUVKGoQTKZJdQ$#O2o8wL8#n?(1`i{d@K(Zyy%y17}5!kx(eReo=>x3Y!ozJBmS zkXFEze@5)Jl5@ANGm_-r`}or0CwglFOI%lRe!cs>z~CkmGb01z;$(wFa3YZ9XJq`( z!U9YUpeOqKht>OO zhYMG)c(>?z$gS7eC+(`b3MABa*SXrxihJ}~oY6eKw<|qFnsrmerQLsma^`Q&({;%X zU)XQtq<6~iR3N{wZ_oaxAC%PIDkW9SG2lLJWg>po)I@R9zBaea=&yT181Jt=W^3f| z+{Ng}q_y)FoZ24!?S)(-PZ3|fAHU|3vt?TM+r+gd>#gH|ZhijJLM^LzPM3sueX9K$ zKHG1dcWTXMu`2aHix|3$EO#ZH+;GV8{LjeLN#3PjCHT*r-OY2o?zabvPKP-+NB)r~ z-)?MkQ1*K7>fj_C9xl?lHrmYYFS8=I)uqjjmopzeNIb8;@`=jEs>!$5<~*V#TfasN z&=HiajR8b3-wM67)Zcd)jjWiQ_m(%uMCVP;TgYB`K9SWo zD!=d-W1xg%#cp+T%LlG}YrIcOJYn1V`_P*0Clm#R7b*tIUizmJzUSVdX9td0Y4y!N z6080-@oaOFVZ!~xYuw^P2XPgX3O!`#sxlkHUHcr0wp^i?b_)0d&{%z+IRm> zJy{;*lY8xES5M61OP3e#zjH28IJQ(Jow<*H+FTZ{ZPu6Hy>>5%P4-DCYddV2_)7oH z%|lO?dA+ZCUO#mXLzI%hiiKol>kEtLaWZKc@g3UvjdO2-@r)(UH*F#-TkAjQ-5P#L zI9>9`L5t51TOUnjO{ixKS!wFF+=0*Qv(LZkZp*zVH6IA?di%)y_jwf)sjmL#Ql}1W zn!}u~yQyAU%1H8H)MugPrO!1uZ!L6tm3UA&Iqw;3;QqZ5pDR|qv3+`E!_M!MeMF{x zT7ONyK9w!xXl)aJ95w`V3Na{m5x8nCOd2R0L4JS0Eic_*tI~GWrfF{_QSbC(s8zrHym-A i@kd5v*6%MTX6ElyQD5iyBxUwwpCwagN>>E!2n7ICIv=(G 
diff --git a/efi/testdata/efivars_mock1_plus_mock2/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c b/efi/testdata/efivars_mock1_plus_mock2/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c deleted file mode 100644 index 3f9d204be87ac687669b9c7f9b63b9bf197768c3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1984 zcmY#qU|?7nd0^?2Da*aux2_hA(f&|$nHeYu1lxi1lKgMX@8agTFX1?Hhs*fSJ%c9Z z#Rg4G-3yqR7@3%um|q(3vT$iTo52*Dsqg5SsxMZh3|nywHw5QMmb3+xJSS8oMF zgC<5LWUn)_GB7tW@-qO%xtN+585zzC9op(3XDsw!@#}vPeOo5R9+i)_PoH(%xNLob z!J~&W^0xZCQCsof)1J|7!?}0w7O^j%*jT-B^Qzs-DNmMGIaP%(miEo$3wUy5m(PV* z@0IJ;Z@a}MeC+heIc9DQ>sRS)Uhi@HV?c0)^uf0b0%?iL-FwouonFvcbY9@%gPg?1 zd3M@=zg$XL&r;aw-ne5KzovNeR)xHu{cbX5%r8{_uW$Ykv`3KTw1eODCJSY=)~S}O zD)d#QMT{Sv=T{7ms2u=X9{EUqMSy+IH zrp-BGmtWn1qtx6h_Q&AwGT^uccCtbv)B6jZh<$ETMKJ88pwmBm02VV z#2Q4NAH8(ZF;I@Th3V+4h=&tT9~?uS_5U;`=4lW3 zy#1cCni-~x-8JXZoLuPX<@7NlJLK#&Z?h?DJ=4Vt3ikdr{~7bMe9!E)w{`n%p77M{ zlGiL}s$ReSki6^<_Rn3vChTqtJ-xg`aGzDWU+RRaT!=>$_*t%^V#>B`S0A(T{xqHafa+p^ep`nnx)SI zX|B7@2d%zmyKZv3koO>NNewVd?*wM)g*dZxE}_gMWFP>_And}N&WX86MVTq-sfLQ+ zcmw8Y3CFzrl8n?M1?uJQY#KR;tc-r@g>Y)D~JY94ma$_keh-XvBnlfWq0 z+$fT?DR_BYa@OCk)4R&~R7Dw9A6v7o|G?kb%&VqZO{sZhe@jC%O7gW=OjD5&_rFK? 
z-ZbA0HBN8;v4DBzn^SMDEfI8L31a?!-tcs}=t-;6hyxs}gbVzpPAJrSF{^j0>{k8# z5|6XDD0#U(l343hbpAqR#r)7R@1E)VZ`j$S?Fp`kdbQcp@zcHy$E5_CB6l52+W&R( z-ntnXiaYjfJaFmFM7_P;ef;wS7ARi$sPaIu#>jM?bL6Kt%>qaMJ^Are{?CW)pJlq3 z42-QN_uXT15IkwncBrDEZBqG(w+FVqI^r%eqb8%Yove(0Rq(+&!7lMehRb5serM+1 zbl6h;2qmNQ`z&c?!Z625AV!=pS@&PO^M6$c{|p$ z1kCK1p6&ITr{4LlL6u1G-y@oCy9Xsb>*0)`G|Nj+vpJGYp z>J>iC&K=#5p1yC=%So{twi?gQ3tD?=sq(Eu_xE|%O18FkR*D;cVQ@b&t<3t*;ji;POtYo8@Bw00WTY;R+~rLcV0$DZdL|^SVLU{Z8qjm7G@rm(4^A5l2Qf# zFkd%?;MC;OqErQ^{QMFHjR0?bZ&z=H?9@t4LmdMxxCxw$VzQ-RO}Z(mWvMw1Ihn;J z#d;7Sz2y8{137VCLkj~lBLgEt6AKfwC~;mRAlJ|w%B8jSO^iy&9%f`^U~XdMXE11D z%?A2T-Wak(p6e_wXz>*(jFIX0^6Y^zWBWfl2WZEMJp6{X8w38J)8;zii=P#E| zXXXet>5ua}cSGlg0e4m#L#A=5TS&gS#aTU}jBXFVFp0|an_qsPZ~3@Maq_$!!Ww}O zQsy1lR=OlKJ~oQ+1m9eaLIYc|UKO`zC6;STBLCcx*n8U3{cP&vNM^t0tR5j{^}^tG zn?EfzJ^Mc#YA;v(Tif2hWA^VL{<_AalV3LfU%u~j-v-%~ox2?}rr)s$5jMy!jF_jG zptV75UdOt{X|JDth;FF=eLruh`WERwb!se|Hvc{Q=y3DVA4?23O*eUTDRwXaN*?dv rAl0kFK6lu($^>Tchpg2(^UnPhcX;lf6@Cj|Uoo1+-&3n%`$-c3rYBr= diff --git a/efi/testdata/efivars_mock1_plus_mock2/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c b/efi/testdata/efivars_mock1_plus_mock2/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c deleted file mode 100644 index 687e561126750b618ef12a9607841f2e302cbf1d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5 McmZQ$U|?Vb001Na2mk;8 
diff --git a/efi/testdata/efivars_mock1_plus_mock2/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f b/efi/testdata/efivars_mock1_plus_mock2/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f deleted file mode 100644 index 6bf70e1a39961eaddf33df0473936ab27d96e9b0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1992 zcmY#qU|?7nd0^?2Da*aux2_hA(f&|$of#+y1iOLslKgMX@8agTFX1?Hhs*fSJ%c9Z z$iTo52*Dsqg5SsxMZh41nywHx5QVsc5A2FiS2s_f zD-;Y3ni!Rkz0b(Xz}&>h&j1wXVrpV!WZ2Jig{|kv?XdNgnn{mi>cz{xP4djNz1r^< zdwcTU_-j``#)|Csx@uXP)xNO*e_)S?=c|k#mLUukzaHf})e0|`o&D&dx0zC~&(ySa zJ664$=CW@>MEBA!Ix1_OWv|Sc@MpTg=atvaC&e9D*?m?wu{y(a`lgfNHyP}IGTpo5 zFSj*u4%3ikody zMRvUVKGoQTKZJdQ$#O2o8wL8#n?(1`i{d@K(Zyy%y17}5!kx(eReo=>x3Y!ozJBmS zkXFEze@5)Jl5@ANGm_-r`}or0CwglFOI%lRe!cs>z~CkmGb01z;$(wFa3YZ9XJq`( z!U9YUpeOqKht>OO zhYMG)c(>?z$gS7eC+(`b3MABa*SXrxihJ}~oY6eKw<|qFnsrmerQLsma^`Q&({;%X zU)XQtq<6~iR3N{wZ_oaxAC%PIDkW9SG2lLJWg>po)I@R9zBaea=&yT181Jt=W^3f| z+{Ng}q_y)FoZ24!?S)(-PZ3|fAHU|3vt?TM+r+gd>#gH|ZhijJLM^LzPM3sueX9K$ zKHG1dcWTXMu`2aHix|3$EO#ZH+;GV8{LjeLN#3PjCHT*r-OY2o?zabvPKP-+NB)r~ z-)?MkQ1*K7>fj_C9xl?lHrmYYFS8=I)uqjjmopzeNIb8;@`=jEs>!$5<~%~r)^DNN z`XZ3#y6b$<>U*~9CbtWD58{^80JHU8V76Y0Gh62p%1}ZE0-#L7F3jnin446TnUbDr zs0fZXV9u6s%*!vyNG(#JUJlQvk%P$2>??vM-`gdoc4X19vn&;|0S^kN&Sg)uxi-go z&Nu6OGFP_V|5_s%JmE$ocj@G%f~CT9m&q=C!IhkYH*T$D-+xl7bjkU>ekpFN z!c2mu2p&lBj8otDxc)=zG2vy;Urc`9_oZrz_^I>0fj?KBV!EzgcbjDjgUHUJS(BFX zo-TcV%2;mqg7tyhbrVZY_#KxqhEV)q#uv{oq%26YH+(EwoGm7BI`1o!yt7Ey zNoFOfYo_6wSyGQZJvv?Q$oC0-x*C@x(sNF7PBAcFoIgF`qCEGDO)o6=d|zC)FCDyWi+)5X^Qt{xk~>vNK5dKAauFWAq{}*YWn=FiCo8iz7JfUvlI3H4k$_)} zq?Brd?=+d;D4Ct#Z<+bduJ>(@Ri|ClGybkUp4fX9TV{_*j~Ds*PW6dZ)C!dYC*OUU z5+uNVcB*VdyVd?=&3E1YkEQ0_)sjA?pP9eX*YTYUe{8h$*6(?H&oh=adERaoG?uLE zSnz&Tk;b$vOYT>j}|y#MknCbcDw3HH0rOHVUcaw5cP!o28h0QTbFJ^%m! 
diff --git a/efi/testdata/efivars_mock1_plus_mock2/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f b/efi/testdata/efivars_mock1_plus_mock2/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f deleted file mode 100644 index fba22f315070c5f96458286976310b59737febaa..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 80 zcmY#qU|>)aJ95w`V3Na{m5x8nCOd2R0L4JS0Eic_*tI~GWrfF{_QSbC(s8zrHym-A i@kd5v*6%MTX6ElyQD5iyBxUwwpCwagN>>E!2n7ICIv=(G diff --git a/efi/testdata/efivars_mock1_plus_shim_vendor_ca/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c b/efi/testdata/efivars_mock1_plus_shim_vendor_ca/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c deleted file mode 100644 index 07fdd8f89d92fb05a7db021b80f66e2c91d9698a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 983 zcmY#qU|?7nd0^?2Da*aux2_hA(f&|$nHeYu1lxi1lKgMX@8agTFX1?Hhs*fSJ%c9Z z#Rg4G-3yqR7@3%um|q(3vT$iTo52*Dsqg5SsxMZh3|nywHw5QMmb3+xJSS8oMF zgC<5LWUn)_GB7tW@-qO%xtN+585zzC9op(3XDsw!@#}vPeOo5R9+i)_PoH(%xNLob z!J~&W^0xZCQCsof)1J|7!?}0w7O^j%*jT-B^Qzs-DNmMGIaP%(miEo$3wUy5m(PV* z@0IJ;Z@a}MeC+heIc9DQ>sRS)Uhi@HV?c0)^uf0b0%?iL-FwouonFvcbY9@%gPg?1 zd3M@=zg$XL&r;aw-ne5KzovNeR)xHu{cbX5%r8{_uW$Ykv`3KTw1eODCJSY=)~S}O zD)d#QMT{Sv=T{7ms2u=X9{EUqMSy+IH zrp-BGmtWn1qtx6h_Q&AwGT^uccCtbv)B6jZh<$ETMKJ88pwmBm02VV z#2Q4NAH8(ZF;I@Th3V+4h=&tT9~?uS_5U;`=4lW3 zy#1cCni-~x-8JXZoLuPX<@7NlJLK#&Z?h?DJ=4Vt3ikdr{~7bMe9!E)w{`n%p77M{ zlGiL}s$ReSki6^<_Rn3vChTqtJ-xg`aGzDWU+RRaT!=>$_*t%^V#>B`S0A(T{xqHafa+p00(Dl@&Et; 
diff --git a/efi/testdata/efivars_mock1_plus_shim_vendor_ca/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c b/efi/testdata/efivars_mock1_plus_shim_vendor_ca/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c deleted file mode 100644 index 25eeecc6776dfdfd4cebfe81645a386def183872..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 874 zcmY#qU|?7nd0^?2Da*aux2_hA(f&}B#tak$0xuw)8)oD;uP?~I@pAOe!uaXx22IRn z22D(IOq>i;POtYo8@Bw00WTY;R+~rLcV0$DZdL|^SVLU{Z8qjm7G@rm(4^A5l2Qf# zFkd%?;MC;OqErQ^{QMFHjR0?bZ&z=H?9@t4LmdMxxCxw$VzQ-RO}Z(mWvMw1Ihn;J z#d;7Sz2y8{137VCLkj~lBLgEt6AKfwC~;mRAlJ|w%B8jSO^iy&9%f`^U~XdMXE11D z%?A2T-Wak(p6e_wXz>*(jFIX0^6Y^zWBWfl2WZEMJp6{X8w38J)8;zii=P#E| zXXXet>5ua}cSGlg0e4m#L#A=5TS&gS#aTU}jBXFVFp0|an_qsPZ~3@Maq_$!!Ww}O zQsy1lR=OlKJ~oQ+1m9eaLIYc|UKO`zC6;STBLCcx*n8U3{cP&vNM^t0tR5j{^}^tG zn?EfzJ^Mc#YA;v(Tif2hWA^VL{<_AalV3LfU%u~j-v-%~ox2?}rr)s$5jMy!jF_jG zptV75UdOt{X|JDth;FF=eLruh`WERwb!se|Hvc{Q=y3DVA4?23O*eUTDRwXaN*?dv rAl0kFK6lu($^>Tchpg2(^UnPhcX;lf6@Cj|Uoo1+-&3n%`$-c3rYBr= diff --git a/efi/testdata/efivars_mock1_plus_shim_vendor_ca/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c b/efi/testdata/efivars_mock1_plus_shim_vendor_ca/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c deleted file mode 100644 index 687e561126750b618ef12a9607841f2e302cbf1d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5 McmZQ$U|?Vb001Na2mk;8 
diff --git a/efi/testdata/efivars_mock1_plus_shim_vendor_ca/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f b/efi/testdata/efivars_mock1_plus_shim_vendor_ca/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f deleted file mode 100644 index 24c09de5e1e228944c683c92f727874247388182..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1938 zcmY#qU|?7nd0^?2Da*aux2_hA(f&|$of#+y1iOLslKgMX@8agTFX1?Hhs*fSJ%c9Z z$iTo52*Dsqg5SsxMZh41nywHx5QVsc5A2FiS2s_f zD-;Y3ni!Rkz0b(Xz}&>h&j1wXVrpV!WZ2Jig{|kv?XdNgnn{mi>cz{xP4djNz1r^< zdwcTU_-j``#)|Csx@uXP)xNO*e_)S?=c|k#mLUukzaHf})e0|`o&D&dx0zC~&(ySa zJ664$=CW@>MEBA!Ix1_OWv|Sc@MpTg=atvaC&e9D*?m?wu{y(a`lgfNHyP}IGTpo5 zFSj*u4%3ikody zMRvUVKGoQTKZJdQ$#O2o8wL8#n?(1`i{d@K(Zyy%y17}5!kx(eReo=>x3Y!ozJBmS zkXFEze@5)Jl5@ANGm_-r`}or0CwglFOI%lRe!cs>z~CkmGb01z;$(wFa3YZ9XJq`( z!U9YUpeOqKht>OO zhYMG)c(>?z$gS7eC+(`b3MABa*SXrxihJ}~oY6eKw<|qFnsrmerQLsma^`Q&({;%X zU)XQtq<6~iR3N{wZ_oaxAC%PIDkW9SG2lLJWg>po)I@R9zBaea=&yT181Jt=W^3f| z+{Ng}q_y)FoZ24!?S)(-PZ3|fAHU|3vt?TM+r+gd>#gH|ZhijJLM^LzPM3sueX9K$ zKHG1dcWTXMu`2aHix|3$EO#ZH+;GV8{LjeLN#3PjCHT*r-OY2o?zabvPKP-+NB)r~ z-)?MkQ1*K7>fj_C9xl?lHrmYYFS8=I)uqjjmopzeNIb8;@`=jEs>!$5<~%~r*4v@k zdNz>G4Kwna*B9j9csY7!Vf=J;V76`tX6t-Nwq|5R3r{lglZb&3DARBWbBCn@vw4w% zXI`?Np^SkPNR(Mv7?G8r@-)iV%K_^*4rYq z65pkoF*H42)ta?1U#jBm;hzsy{-3vWT1;wA<3IChb84y5GkOCJQCEzec{ zO+QkbrhRwQJLZZP-e}1ToNZ++mT&Y4R540vmiX3I^@MHn4v{9^^Y4ULR=?kzs^mYt zSbBE3Q1;&0u2147t~vLnNXxKFd+jO#X6K znN)39&&<{)zpus3%lWj3$C<~;w|72H=y^Bk-&gbJr_}eX)nB}L|IYnSw9~@o#AM&j g*j%=2U!qx=H=FonhrV4s#!D1BrtWRNeAwhI09Mw`>;M1& 
diff --git a/efi/testdata/efivars_mock1_plus_shim_vendor_ca/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f b/efi/testdata/efivars_mock1_plus_shim_vendor_ca/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f deleted file mode 100644 index fba22f315070c5f96458286976310b59737febaa..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 80 zcmY#qU|>)aJ95w`V3Na{m5x8nCOd2R0L4JS0Eic_*tI~GWrfF{_QSbC(s8zrHym-A i@kd5v*6%MTX6ElyQD5iyBxUwwpCwagN>>E!2n7ICIv=(G diff --git a/efi/testdata/efivars_mock2/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c b/efi/testdata/efivars_mock2/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c deleted file mode 100644 index b7a72961dfaf53d4b7924d2cfea133cd73528310..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1005 zcmY#qU|?7nd0^?2Da*aux2_hA(f&~Mk{Kun1ZROX*Inm>R^PK-H@RKNdl0vz#-NFL zr$H0b!UfDsj7&^S%r6ai**LY@JlekVGBR?rG8p60RY~s-g_5kF8nPf8g(I=2g?IrqsN$zonrW zCHdMbrm4t?``@E`Z<_Ch8mG7aSin5<&8aunmIykr1TlX~!UcX) zCluH&cw{fz_>Ws zAQ7A_Wce8x|Ff_FlTw=jKQJ(5g+Y8)17;v)APW-UV-aH!xhnWzonV)EBg17eYrivd zZ#rzLegsZ1vdSzH24W2&{C>;KcXqvRbF4b;qMq@0?eWCkv&hi^OqalDU}TtJW}Kuy zRWIT`i`yUmx0^+qj&X-s9lsFvJcVCi{j!y3&Rpqsx__L}>E)4pzdMXajm2hKJSw?EcOz9S{E#4%_9SEAe{2G^+-0qy*r5f^4J4>%{2ma}O zcxU$e>?ONuN?exD+p(r4U}nekY_Hcm_0D$SL z*f|HYzU|8U|F6jV6iYf+ukdMh?&yZ}^nH_FPKw>I)p&MZ(ArB&m2Vxozt6i?vbD9d zQr!3pgZqhTW!8TVpPhK=OI*w6Nv%3krnemqJUS74r=j6g&_tPOQ9BQ}^K^6B`7C7I I;H&=}0OgZ+4*&oF 
diff --git a/efi/testdata/efivars_mock2/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c b/efi/testdata/efivars_mock2/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c deleted file mode 100644 index 25eeecc6776dfdfd4cebfe81645a386def183872..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 874 zcmY#qU|?7nd0^?2Da*aux2_hA(f&}B#tak$0xuw)8)oD;uP?~I@pAOe!uaXx22IRn z22D(IOq>i;POtYo8@Bw00WTY;R+~rLcV0$DZdL|^SVLU{Z8qjm7G@rm(4^A5l2Qf# zFkd%?;MC;OqErQ^{QMFHjR0?bZ&z=H?9@t4LmdMxxCxw$VzQ-RO}Z(mWvMw1Ihn;J z#d;7Sz2y8{137VCLkj~lBLgEt6AKfwC~;mRAlJ|w%B8jSO^iy&9%f`^U~XdMXE11D z%?A2T-Wak(p6e_wXz>*(jFIX0^6Y^zWBWfl2WZEMJp6{X8w38J)8;zii=P#E| zXXXet>5ua}cSGlg0e4m#L#A=5TS&gS#aTU}jBXFVFp0|an_qsPZ~3@Maq_$!!Ww}O zQsy1lR=OlKJ~oQ+1m9eaLIYc|UKO`zC6;STBLCcx*n8U3{cP&vNM^t0tR5j{^}^tG zn?EfzJ^Mc#YA;v(Tif2hWA^VL{<_AalV3LfU%u~j-v-%~ox2?}rr)s$5jMy!jF_jG zptV75UdOt{X|JDth;FF=eLruh`WERwb!se|Hvc{Q=y3DVA4?23O*eUTDRwXaN*?dv rAl0kFK6lu($^>Tchpg2(^UnPhcX;lf6@Cj|Uoo1+-&3n%`$-c3rYBr= diff --git a/efi/testdata/efivars_mock2/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c b/efi/testdata/efivars_mock2/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c deleted file mode 100644 index 687e561126750b618ef12a9607841f2e302cbf1d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5 McmZQ$U|?Vb001Na2mk;8 
diff --git a/efi/testdata/efivars_mock2/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f b/efi/testdata/efivars_mock2/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f deleted file mode 100644 index ed5cae2cdeed8d9b2eb7b52959c04817bea9271e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1009 zcmY#qU|?7nd0^?2Da*aux2_hA(f&~MmKi7r1Q&rc*Inm>R^PK-H@RKNdl0vz#-NFL zuR#;j(gn;+j7&^S%&!c1**LY@JlekVGBR?rG8p6mu5O+{2PqgDG%+e62MQxA19KB2KLb#li>Zl`kzqy92o^k5?9@l?}Jtn;D`HRWV`@U375kGa_H}L1GQ%u*@ z>u$45VG!9_G;7jQ-qWS;PZ`VYUa&rJyKZ913BThq22n3&Dm`2h(D>r{g_H$p_J)r| zi?hW9PUn4Pl6MvfJISmhbRv5%*HDCr(2C^UlJ{B<+k;cMr$5*m^tS=Jq zi;-s1+&)PQLpxB}jn#>{Qu^cB}o#n(w;(A4|=5$Zo@Xp;^1R(FXe?RRvEcoxB8_h+m{{z+rkg+PI2@bwFhHLF8*fXU;&%5B+!HOA z{oKlL(Y7wf%RsuzD!&l*Kya)x%|_`c>m>DOlnIU6YO`Lm!4*@ M)aJ95w`V3Na{m5x8nCOd2R0L4JS0Eic_*tI~GWrfF{_QSbC(s8zrHym-A i@kd5v*6%MTX6ElyQD5iyBxUwwpCwagN>>E!2n7ICIv=(G 
diff --git a/efi/testdata/efivars_ms_plus_2016_dbx_update/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c b/efi/testdata/efivars_ms_plus_2016_dbx_update/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c deleted file mode 100644 index a7f2ca1da7d59e815343d4295f3d47efdcf81acc..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1564 zcmY#qU|?7nd0^?2Da*aux2_hA(f&{*!3GorfkES><_im$nHZUvxDvT8c7W9~8}PDmYPET^edlFl>iO^RDi@|$cHUcFPfN6(ZQy^C z`}$4&&c{*7Mm2)s{(O(Qms^NV?mPDNLCeNjvvr<--9GUe=fg(_SXQhtkh$;inJr*e z%JRVa6RrOJ3T@~9=|7zRzv;l+muJs?3C>Eg;&$HoNcHbO)}L37h^!WTq}mLWLcrmw{J+ohwiJ6gsad8u)KQKhR4FuRYwb>Y1 z7@N#R8CifSlEFY07}BzQEMhDoNq?NrF0fm2I$h{e^v%#U)n~SK#T!V%HHa{=@W^p7 z1T&N}Br!NMI2v$+bn>%+jA=9A2XTZM8UM4e8ZZMX19^~uGK++PSc8abT9EU@x(LDj z*Zk%whjLh3DP^rNhyf{(X9+b3HV9nczreT6JENqez)D{~xhO|37nYXwlJj%*3$imo zqWT3z`6;EzCB^!{WC2X$z@!UIx4=XTOsnz0#9*KcLGO~mi z1Q`Ut_y$aEE>Mfg%geD@lv+fD4JF8l4w!wJn}C6NrKRJm$P@{tQ(88^wI<2%TwieU zg5zCBF&#FW18`wHoby}QnJM5ORs3qK*b zIG**|?PC`*&v|$oZGRnm$>8gOuRC^CurJpBH~Y3pSj(HHQ|la63+80M{5OIB`ZW2c z&!@<5(&Fj${;#1aQ2qUS&C-iyJ6TUuzU7}VY0ja4_w(y=_^YoRbiHd5IL(s(Xhm5IY0v-LtGCB;+w*6KA3Qm$-tvBm(|gVC32u(ojne5iemX~{p61>2mtm6sms0EH zD^>mkI6725(DmoaQZLI3dOIz%dOiR5cGe57ht>v*G|K-rU|D5umUzo6Q`+Q4#@lO5 z=X0j;Tt1(pRJnHJhds=T+!9tEVLznU^zrYf7nMc{`){mSswCol>fjCU*R}THrkkGm zmu}gRz^oL!ZepeEwb_pHqHQ4so9^+N^4DxIDcUtX!TLkx>qVPnVi$?+Xg~T=`rFp& zs`(c4A5Z+%RXO8uCg1kOG77BIf1DCo$8i0~=K~@FrP(G6q_@sY_#Ct0Xtnh&GY(`7=tF} zxdu&4tqYi$7@3#^0v7IV?Rvg#kAv>1inEt878>xfacZ@Bw0-AgWaMULFi1D#HsEAq z4rO5zW(o~9kJkRTTir%P&1 zj)G@ivYw&5fh+sTYitPN z8XFjxMbXb8O^iy&fxyVhz}&>h&tTBR$i>ve$jGo!!OEfIb$W!dkPDB(+ij~{ByU|d zyK^AdJEGA~XQfi~|AP`6^p4KasJ;28r{IzLa*K1jRxMXysz0=jt7V<}7KXcDK3)zs zb10K6OHse8X3yo?v5?{Yl;@qYUo@{&m~V=^W%+(HLvL8${zgON8DGsrFVEO*c}o3r zdUx_I_NEyk7jB=8c;#~b$oIXoJa%S&jPDQecQKh+B^=J6v%}cy{Bb}2SlcNt7oA!% zKZQl~)1#Shz5d!Ty<4nSeIhg7`B1zi*FBZF`wQnyS$J>nt?%cAor;&T+t`JaiUoUi zOcvh}@`P($N}+pKzTTTfrwgV}b2eZ7Kfh_=?vzg(;G;xSprjLtKbbluR*Jjn1z=($_M#Goo; 
z-ox@4^~I7Fo7Np(@-F?;N51y-_k~h7GYZ%5ci5IUBT_Did(O1uLFzI&a+f+ynx{o- zJuC;m%Di=Qv5ys_fS|6OWb_qDPg zuDPbMOzm6Lsr?C-Lc6d1zjo-HJj2WE6*cTrF0Wg>^MLuPpASAZzYNltWWB?ji+|Dk zI&KET>l+=uz53cN)xpwy)A-ZON|ggT&e2XfIk#DJJe2o~O|h^GmG+!yd1h0p-HY|2 cDy}D@*J@ZTU(zw9m+OXi@8KNr=}n4%0Ew1vR{#J2 diff --git a/efi/testdata/efivars_ms_plus_2016_dbx_update/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c b/efi/testdata/efivars_ms_plus_2016_dbx_update/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c deleted file mode 100644 index 687e561126750b618ef12a9607841f2e302cbf1d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5 McmZQ$U|?Vb001Na2mk;8 
diff --git a/efi/testdata/efivars_ms_plus_2016_dbx_update/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f b/efi/testdata/efivars_ms_plus_2016_dbx_update/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f deleted file mode 100644 index d4895585f4a1e2a11e16bacf9727734127518ac9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3147 zcmcJQc{tQ-8^>p#vCA@%r9m1Q%QM4RD%nEWW9(EzG=t2TrJ;nGY7`X;6)i%JQ<0QT zwqr?2okWhDc3DoFt%y=5?{9KCb)C2CT<5*6x8Fa{^}V0%e(vA*c|JrK40a-@>EvL} z53Xs|r&U8q;~Xpo3PRsYGz`{|KO+c2Qal>g8%#dUOmG7tbT1Gg8w-&LI07L}$8Prj zG!_TsFj9u%RpMzmI9vt|1HxTo86bs0`k^q&2tQx4GMFb3IA!SoI+wwW+sI?Zkrjcw zB#2eU`b2Kn#ERQM)&`oAh_te*2Qz}h;}Vp&zB>U$$)H4wlXK1Q-bHqQ7q;pRU(0K$9GB9 z1Q^Yws{bX`0A}0z%5)yH9;Va4G&373N8O;Mj$*dgT_NnaJAFH2!m9FgNx5-Scp`dsz||H- zC9nrtpT_hZX|muyPbWXz%N}}QSWwz~$t|={3Y-oR`?r_8RSFzSN|l z?qOn0n&!uvc0DOpnR9k?T;6i~?i`zj1WVq7~S2z>+wcS3@zW<;nfpI>3eoEq_``?wiVGx4-=h?^-Bd_PRr?sG%&g-*5D!?WW+_DVpbWs0=DC@`9sUSykUAb-{4(qM21l1QHH| z7mMJIP(^HkB1VdYfurCeOI0`uG9wIVLDklhN8wQ_KQ2L7@58qqOt_i#?wD8plO(^h zzCiu22`UJbthO}F7siK$!yIAuKt?iC0VP>R3=||n84jOCp#c(Vz(Pqt52Xh1sVY5F z{x>q86@`W~x@>Z?LV7#$)mnkSWWYj{7w`aXg{uo)#7+zzkG<5?G=dXrvgxypO(IyE zOxZC^Nz{}*_y4)3kToFtLgs}$yH4U(V_;!SF*AV%fnW>{IwBg4g~L&vz#X`L)&L=1 z@#hu-f#6$PK$qd4*5-X}H0ZV>MNk1%J|xAjIhoiJS2bq6qJFuLLLA9fQJMR(jM2HO z)Z8OI550Jl?3_hUyfbTM;uJI4G-Pn;o>pf1eW~6BZSK+*QPF#bHF{B5Woq+F3Tpc8 zC>EPrn}e@54x*Y~;JeRUW{icOc}R=(27#q7lRoDB;JI&dI7!S6Xz|hEng>r5r~6++ z-NQ$u`W#!RW=!9X_ylif|j=^}xBd+zj6{kbj4?jjKmUT-#pPb6u zc`;?pt|%Avy+xHuHbO%NT2Pnm9=`QrGq$aEOPV=S-YtB~;pf*sbhui!8?BF4XAY8m#KyC7N;keH7NzLXfHCYGbcR3vpKR-t}{PUq3S8_|j!tWGD;0O(T zMZq?k38$Ll2an$fNM)J*h`J>x3D*ot{yPTj{=~o{sQqsYU=$$?y#0&;TzBgy450pI zEFjGOE^q5HU=3Y52m_QaZ|hf>AkY|0&IW=vodYqzgU*SGoOQpQv!9dmYQn#T!AV@Kdz+I~w3}>6Q(6j!FY5@W zZRo?NU`O_Eld0l1%1U2#b)pwu!5imwzabUA_gGzEpPIG2hW5wr^<76>OVrX+?9)So zwlgSodtBN_!Ev9 z;Tax{R_uPpB9(Tt5}ajEAaiYZ(nvGP7x&b&(l9LoM`uN-2EC{vCHBhFH>QXDv9>%d zrB=MrD?U(37p1G)kugS#hjn;U12^a5Mx)Oa!FxW#U^4^*4p92*ZHHih{?rHbzQhm` 
zD7pG!tspWZM@m2)_JM}AOD3>=nN;QbsNA~o1k>h%F52b7T`u|~uQG|Q7E!B-K1EF)w@B_YJO`%tzhuH0ZVg}@O$l{Q{A#+2Xo+F0@9@J0d zSpS(65IJbT2Y7$h5II)3AWY+xchC(k zG@Ut^tD~89U*Ut`SS~kv*Y$=5pBl8c+~a^_h4c}*p-uXC?G)zQUF#@zZSgppucU>e zWj3_c*N|*hlNM4wMC&lU3a%wPn18Uq%+JUq*fpKc*XI*&wj+zD!n&SX(6-cgS9dFQ zVH@jsj~{4fruK}eO`59UV@w}K?WxooYTNPK$ctt(QMtdHn(-?}F81cFan5)}-9z!t zLq(_ypoafUR1@6-|T`4cXZ{thiB_9;A!o#agkqH zI#^j?PCYks(YMSIj}`y` 
diff --git a/efi/testdata/efivars_ms_plus_2016_dbx_update/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f b/efi/testdata/efivars_ms_plus_2016_dbx_update/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f deleted file mode 100644 index 6cb42f559476bc8994e5412f85f213b89441b880..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3804 zcmZYAc{CJU9|v$z_B~rl6UjPuM%G9%_DsYOO}3$FOtwN4*_Y|b3~7)h9y?QNWMp|Q zS+fjf&8v`-eT%V-_j#W`uY1n@=bq2`p6|Kmp5K*aVq%gJX=}E+Mlh-hdIxm%!`eTd{(t-3(@4w_Sd*e?};CZ?ltxqe{zG8P9rV5v>Z-NvA^) zwGLob3h%#B|7JC0?mj@Ws9QInG$iHG?hwdm|Anyo}3Vh&qvlv0AS zHii(qaydc2r4n7Ro4q$o;0utGo|t91syXNq%O;J{OOL4VJKYxs`j2Cy`Ek>oN*v@e z1>9rhz<3@*&uyp;`wBYrP7EJk1L$EIF*Iw4GFOPOyJt)rveL0YY{lfc3<^Hr^f5oH z=|1Si7h`HI?|S_$c&@b3Kk7L`Rg%Yjct{^k%Erh$D{``eey-bR-q_SVbM=yM%Z?vr z#htGDHXK*q8S)-aPhrvg0s7X`OjDjh&pgLgCv0@z)@Bv^dw!kJr9|~0rPZbD+}@yf z+Dj8(Nq>bjdAoP(0)O7rrCBSdE;r8Fgx{bamJxm=amPQoS-KqmD*S^N8#GV%A?89vLr(+hkJ|IXL~<+eTOxS@P?w?KI#+IgB;&vFUU^S7?=;H2NZ2ufu7CnH|vQ+ z`{X=SHDif?T>o4LBTKZG8I$&_D7sbvaq)0CVIAM~1qXL%k$pyw7N>fBe_fR!5zuoiku`8(_MzuqL6-bC@<#f&s0 zrhuM@r?DF+znF*95RV9$O|TT?c>EUrLRUd3Z{(6KzYyOM-?gzvdM*iX?T&`22jdMt z@8h|c*r+aQbBMnbdR_KG&yTD4-M@HXqpBCQ8JQRPVtOD_k%)WR5!5HSArj}44SG=< zT`m`s_9C_qLq@hIG|w9J>$s!)(sn4k%I8bR3EZF;)6kSZJmJ2So55lz0ROuDL#a{O z9Ba={=^yU&9HbrTuSn{bxvWfJz-~2Jw(`ib-_7}M8HPK&vZsQ1cFdQg1Li9>L5pkG z#vroGh?+eG*8%fdXT>Z;wyU>0Yt-@A4m+TS299Z5sKfUBNc>#buJ1y0K&}w>R%M9p&mQ zOe1~{Tnw|{@*TRL+vgU%m^g?RCW84e_NBV5NazMt(D~FtMw#@ zyKE5j7mWucVR+%_k(->%bCM_>>$^6bXjIJ~HY$sIeXI*J=r8qU=8YA!tMQFfKxLr~zIjP1z zw1K;+;A8W^CO%vBwif7}=gog7I4lrnbtc+f#+5I}LRF^FiMv8**i5T2pW;o>VtWjku#s>lOg>aYAy3{#_HiU&s*UhfO`@p5ZNClUvoq-Wr)LPTdeU(EG1H!wpKA zKe8_{buX9B*ze>&_keHfq|f}!SX0k|M==FMZ@z?;b}xy= ze@?0GCG>pr5&x}04BhYg@4W6gL&@dYatuDCk3E$s`zbchx_l za`sKrHQmP z7QUitw|$fy4t_DVPzwo*5XM*XaVCiOf4aBXs^4pZzK9|WfjJDlBJ-HZB118=h39zf z(~C!agRS83*dX>|&=+s0T*KSEW>jXfKcd^v>Npo&=eAdHt3`^$#wpjUc+gk+$b3)3 z$_)M9@VS{V77_bjJ?kC=-s!5SjuR-FzT-L2S1nYj*~tn9E~S?#qXl%9)JkK~s=69d 
zFLty!O20VggPuIi!nqd#9Y0Cm)zD?0u|?aF7X@DPPxM}aOj#K*zXd(T_Us(Y15)X8 z0RnR%p?L(fJ<#7Og?P|za^ec-t4M`7Tf|gJ(5voBJ`#E_p!Rm?D zrmQ0j^wco+#1q*px7NN`Vkvq8)cf8(V{`}UaOPw=?U6jIG0@k?7y0};6Pvm4b9GTADoF9=RI=&Z5$01X2F%C6NEA;%6qZBl(c+PC}h4+gzB24kI2NojRZHDv~X}e4HUP#9gtzG#oqdw4&_AF#*ZJ`xmk8Gd!c9{F#b`@o_ zn70UP*M4DY({_yy1jQEvw9CG?K?T9~^^fQqE z9n%qHP-$^`qJxRTXnvbYS2ubVSJ5FcJaJ^cF+56aL!ezl`|F?R`vQ9d+Nk(=r$P7F zB|-13uYTBLU>`<*wK`3iWQm2lLjBPJNq-}dF_kxq&IXG}LD({dj=Z04QHk3Y_(y_g zh-oPU42L076rCns>c?`G(-tUE^t_erknZawjHs|iV57!}ZW>c7#Esw8cpf=q)a zwLhhOt#pR;6q%_kYYO;}>HLZTy&iM?bwlpffkp9>^F6Dj#$}@c!lAS_Qlt{CwFp*Q z3VLGZ^5)jA-L!^L>-y|7cwa&Q;?BV~qP2LVV7)#UWe$2zN0%|dkW6Kv${T+)AqX;N zhns$dDFhijziOl8IdT>BS35eZf;sy?!1uKg5uSpRp4L^PsrtQ1(p}cEzUZl^{{uSi BVG#fT 
diff --git a/efi/testdata/efivars_ms_plus_mock1/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c b/efi/testdata/efivars_ms_plus_mock1/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c deleted file mode 100644 index 3f72a6bab59db6ba03bcc7e8d9efe48ee85ec5d9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2543 zcmcIldpMNa9{#@hW(>m^nsI3(Q&M5enjw-(8dN5^<+|A!_d$kfTqd?M*`|2PC8>>F zwtLF0l5#0Tr=18n(%qeM=}M8y`9`~Qs;Bdu^T#>s`JQJzzjv+QTEFl2yz6~eLlE?b zb6ws*YJr8Y;+&kT)+?@}7z(0e76(DK=`-QZ2;H*Qea*Y!#0Vx3;6{J|Y0E+|Fa|?l z5!w$g?nMAmOhPkmd)#{>3`^o55R*)k1QKG1Jywj2vA3g+Q9d6XZo(29!kzfh=dq_T+N*aeR1G28SEW;j(yaG{XoOiq;V_{k!Yb z-F|GY7uA}@HI7uoUoUoCRkrHJ zi{X!s`%N)!c;Z8gL7wJN8EI_q=-7d){VtyLC|Lz7>3+$A^>W9L-JI-+Elm^E$m}76f(U&s$pG+4*~HkYrr#Q=gm1 zO?Ng@&dK(v9XT3YnX6(sRx+45Bj0epzPWRxQD^YCiIoY+*wHr$FK$?TWXLX&jIP+0 z68Lxsdt`J{7dt8gYlaL?A0lsDP?ym03o~D+vby%TI7HK_=%aK8f73vQx6vI9%`>xH z=j_pvl$TTM$Oms?#s>D>`8}-VrDsZgDSt~WUwEM3ws7S4NIW}H4uilDoFjm((2g*H zjF^O$7>tDl268YKWh4Yt&`zsJW96|Fk6A`b*5=%1-z6PCJ+MC?dFOKc9hyj@ZNl_*VD>^0)kVF9)h8M6nfS?ml6#;5kMIe8WV&-GZ=#6%gz23F! 
zw3@xR(S{ZNg}_y`K^1Ec?0`*{RhDHO(~rjs-k_u7$qih)_cNE*dUE#a1P8E1s7^4K z;}z=3+oyxl0_8YLU6i*dX;H53LCFBL(GRR!i*5z(V&dqJ;&6Bv#_k5T!1{9xFma}T zT@)T3{=JL5x&Ortye~n{DjY?M!;* zs9Oh^ted=26@kyun$LKo=MXz4xLsnR9-JBQd_IYEKTUOTI92t6rqog9!Ws>k$oKc7 z^4i0$;%@QBNl7W04fD@9(SfAM&U&*adNyf>q`{vZx)pJ0@9_CsFJ^_$i7$N<;&A6o zoLa81Ie*S6x|8iImmD4Q<^Xw+m=M2F7(3eETFV$L){Z@X%wNkT%5=uIDCU;7a&?dG zGf4JB`lfpKvR>VaoWt$jO9?*=pO4C|7YKK)FV`V9QG}eiqibsnFAoph=ox5P9s4qM z>r0JI7JiSm6~TXXSdi^_8auL-^j?T- zGixZeqr|9w1lS@2ebz$@wvt}A-*^}1ZeXg^y}N-c_{HU~YLIMm_p^=ohUJ3Sb8klY zbocAs=kr!jn78Y@nWMiLJFdGhWEFa;%pF-_SCY(E>B=xsm5bXQeBmi^9Vx0zk6U%p z-RKp6H2Z?GTekcaVbgP^sfv^8ob_k=lV{@jr*5#ND|3{oxRW1lQ%a!wjc@BHGNA!_ zSxObZxxaNSYjWJB-$9SPe)?NqxQ8rCJyeO#xtu9v;^)k5x#EqF3A(dSQBTML0!+du zU%(*GzabRx_(EE@ZT+nL;$*y8kZ&LhRelnhvFHV2J5eJ*rG6<;5CH_Tj5#a7`zsfa z17y(>LYCU?y^psj?x=zSDk|szeK<6*I9wD-blO({aQ|Oc@t36`WWr(Gnsjt?eR| z>c=4&AC_7|jnC!gtRvjJGVMKqteDfAwdUS+c$H#9j%cS*|~U82`}4HsyIJ;>Kv9rQG$dCTN< z-f|D)$~+{UNXyr7IJV6~U1d|Bje92JJmUe!EXZG0__X#qyg98iOzM|_bEa+qv%a4M z+!L@CtzU&C(%65ax&PAg7GnqRiMD84iK9mEt7XQVD?*~mzmnwPrjB+Kn`OjUOw$Xe z-sC?UHq0OYhJmP$!VvLZe0D=jg6Yc>3uzc6tw)-OTMze$5&H 
diff --git a/efi/testdata/efivars_ms_plus_mock1/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c b/efi/testdata/efivars_ms_plus_mock1/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c deleted file mode 100644 index 25eeecc6776dfdfd4cebfe81645a386def183872..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 874 zcmY#qU|?7nd0^?2Da*aux2_hA(f&}B#tak$0xuw)8)oD;uP?~I@pAOe!uaXx22IRn z22D(IOq>i;POtYo8@Bw00WTY;R+~rLcV0$DZdL|^SVLU{Z8qjm7G@rm(4^A5l2Qf# zFkd%?;MC;OqErQ^{QMFHjR0?bZ&z=H?9@t4LmdMxxCxw$VzQ-RO}Z(mWvMw1Ihn;J z#d;7Sz2y8{137VCLkj~lBLgEt6AKfwC~;mRAlJ|w%B8jSO^iy&9%f`^U~XdMXE11D z%?A2T-Wak(p6e_wXz>*(jFIX0^6Y^zWBWfl2WZEMJp6{X8w38J)8;zii=P#E| zXXXet>5ua}cSGlg0e4m#L#A=5TS&gS#aTU}jBXFVFp0|an_qsPZ~3@Maq_$!!Ww}O zQsy1lR=OlKJ~oQ+1m9eaLIYc|UKO`zC6;STBLCcx*n8U3{cP&vNM^t0tR5j{^}^tG zn?EfzJ^Mc#YA;v(Tif2hWA^VL{<_AalV3LfU%u~j-v-%~ox2?}rr)s$5jMy!jF_jG zptV75UdOt{X|JDth;FF=eLruh`WERwb!se|Hvc{Q=y3DVA4?23O*eUTDRwXaN*?dv rAl0kFK6lu($^>Tchpg2(^UnPhcX;lf6@Cj|Uoo1+-&3n%`$-c3rYBr= diff --git a/efi/testdata/efivars_ms_plus_mock1/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c b/efi/testdata/efivars_ms_plus_mock1/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c deleted file mode 100644 index 687e561126750b618ef12a9607841f2e302cbf1d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5 McmZQ$U|?Vb001Na2mk;8 
diff --git a/efi/testdata/efivars_ms_plus_mock1/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f b/efi/testdata/efivars_ms_plus_mock1/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f deleted file mode 100644 index 1e6465ec60348edab6880dc448ab776b08953cad..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4130 zcmcJSc|6oxAIE1m){(JhX^>?9%`ilXv1eb#zBPmyWHi=FmZ?UekfowzOIk==-E3K+ zk|>0<%JOKj6(PBKe#7n7?YYl=?(=%x`}^m-zTb1s?|gsf_c`D9`N~5ekOJ4H^P`y; z%oD3G3wbEbFgQ@46MWtwA&`cgr6^Z8!Kz{B=DG3IXbXUe8~~W`#(X#o3WIS`I3k@^ z$D#pV6sID~jJ3cEg>oYyK*A9`H^7O4J0eh6n4<$83#?-sXe^gAC5%c72?(c$;Q0YQ zwvz+PVehwVH$7w*UJ8(4d$_PdRy1D*J&f)jjx(e)Lg@@jI1QXZ004GB9INoH-=0nf z2l+9=Y5p`{O1K}66cJ9PGic#^aRdMl08%2ncsw4!YvZ?Q;57(tBD@66HIv9TfrLZ< zNT{lS@>-~J-$He!h3uk7h2d-&^j#6Y>@ULE8j{#y;sGX9=KD>AA|Y@l6axYMTregS z3VF^`S2(K5IWpe1kWH(HNH@^b)u+o49pv~a)WNzo+@ZmRp5)mr6_<<4RAPMgB3DMt z^$iZ6e9$X1b17K4Yyr=-vJ}%sPGP*PEQ=U!E zs~E?t4uIHi69i!h9w{z}10(|C12Ke<0B-h741)a{7Jy+JSSWM_fdt@S18iVBWD%l( zaJ*pOyi-T&>p~A7YPW7?n)^Ukj%X|3#2&B#VFOqJ7Wq5!O;;2^*ag$6$niR6Gn5!Qeu zVE)wxV65%GE)f+K^+!v9hvCoO9sa%0z|#t6f*UBf9J9yn{N9$3%4zNG_1o+*Axe7u z*sw39)Q4sz8dgc!$W2ptlQhcS{*^7N#zAvUW1DY0kxWf`$~mz9jwP3-e_+al_y8iU zR8*umw`N$Mpc&cP>~_0x6w&lnxcAB}>a@?5=j32pz@_9}%$Ljy*2m{2Vpw6$E%wr3 z8g8>iNlteWPdGRy7n4W2=39yPzgNJE{yvdR)N8i>;nx@e!!mLT>^v`*Z6)0A&OAkwu-aOOwB23$R`(=-v6EETX zrM;YQ=H{~xUyrjp;%_Q;tgu2rH$jn#jH*kw^x1#Cnd46FzC;Z;pM}r9({JuAcbRLo zs}wuONPN+Kb_3(K)ZbbKI}Fo#TQwLmN|V-lk~TWuDca6g7U|mE;k${W82aR8)~GaLC)V zyU&-4@Zsu!<_5)3w=n}(^d1Z6+Sr2$Gt%4UB%0f5(lYpt7-z8FT*IBdd8(r=tJu@0 zKi?OPYlz^FI-omiTyyT^xen)ey81=LgQ#L33D?*kF`)k|1~!82e_{Z|4`N{PD+bWL zt*aP7{2(kKA^ji8ty=+Y@X&!6AbiWM-(dnrrqUR@aJCc%$N(z}Bgij2G??P+hhw8+ zjR$}xL5qMV5HyIZJXkZ;*(Q*X@Q=i-1SqV{W9G6)%&uH~C-QD%NFPW50EttRs4>j!a-F;IYOGN5BEF%eTq5Vp;rO%mB3xN*vTTC~i>G zYvf?VgSbkLonJ`-l7kG`1GZmnkQ_#TjU0cv!XNU3h&EUO?sqLj@|5vYU5E-Mgh=_A zX#tYFfw=jl-3eRFT(OR`Z(KA=gt?iQJj<9*;t!HgsXs}6fY;2f_Y{9`oA#;7@sPo0 z30y;Ext(BJ)0LB1(h_M;G0RbTSz+l%?lm;n*C1_qUpnXIQzm)GcFPUwV?^}tb`_bo 
zSY6E#kVKPH8}8KCDCzD{+CW$il&0C_-i|B&Xu^o2qi;BIG;U;YIVF-Q$|% zeKoe#y#n1FjdkHKpGl?0_f3kqVN;4Sq8ERtn2}eRiK_D}5Tanzl;>ofBM0v+!eb@X$-C34C=`!oX zB~x@w`HV_ND{?i6*Osn3lqx4o6eIWCJ$s|}wYZW0s41E6xKmu!IpI^4tcTR?X|mO7 zUa7W+kKI1T^d=R|sqzk;?g@?VBT}fT?9^%1xrk`<<#zO8YN|}_kih*Wse+o-?m+^ z&QzG;I4mb~ZE*iM9Hm&aAeClv3&Ptkc65Y~DDMN`BUCc|P(DB3Rcq(smdqPN(V>gA zmaN3g`Jr-{@swZ7^`cmsa0JJR+>a&ot_NLy7E?m=>d3pK+-# zzW~{B0bs&X*Z2X0zx|OLKHsHaQ-iOC0vgL<91;*r0Sg5TIAgVRKv{xy16Ub|0U~S% z7na|I66E*0qCp72u4P^xvR_#EDg?kp3*f*)006ICV2Qwf+(a=T5WaT+yZ+87L;#_+ zDEL;R_?qtj_r<>v_6U{I`qb&_UIm{Kk2sOY`4c;6x_zl8o=-Cxy!-p!dkQw1_i0B2 zCKjZw*rk~5cuQT>CPSi^hIbnrz!pj74tHB<$~ahN`Iq0gG?i_1GtDLW{G9T}GDFEn zXVR8W0<#zUANY7RT}a_KLQTz7RMLh@Gu2Cx~GhMtX`yRj=5E z8(-r5_lmb-6EzQK2gIc~NIN`_`VzrBj9D*;4Y?_qui9Q2xcj#z{bP_eBD{rz)Xzm~D$e%_kMPte=SAf zVerwdF$%?}NBC@)0d=G`)3n{_%BvS@UUQeFLnsv*6(}cg^j; dz@@o$da6jhv{yrv2l5w3H(uM9@dR~d_}_&b_p<;1 diff --git a/efi/testdata/efivars_ms_plus_mock1/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f b/efi/testdata/efivars_ms_plus_mock1/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f deleted file mode 100644 index fba22f315070c5f96458286976310b59737febaa..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 80 zcmY#qU|>)aJ95w`V3Na{m5x8nCOd2R0L4JS0Eic_*tI~GWrfF{_QSbC(s8zrHym-A i@kd5v*6%MTX6ElyQD5iyBxUwwpCwagN>>E!2n7ICIv=(G 
diff --git a/efi/testdata/efivars_ms_plus_mock1_and_2016_dbx_update/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c b/efi/testdata/efivars_ms_plus_mock1_and_2016_dbx_update/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c deleted file mode 100644 index 3f72a6bab59db6ba03bcc7e8d9efe48ee85ec5d9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2543 zcmcIldpMNa9{#@hW(>m^nsI3(Q&M5enjw-(8dN5^<+|A!_d$kfTqd?M*`|2PC8>>F zwtLF0l5#0Tr=18n(%qeM=}M8y`9`~Qs;Bdu^T#>s`JQJzzjv+QTEFl2yz6~eLlE?b zb6ws*YJr8Y;+&kT)+?@}7z(0e76(DK=`-QZ2;H*Qea*Y!#0Vx3;6{J|Y0E+|Fa|?l z5!w$g?nMAmOhPkmd)#{>3`^o55R*)k1QKG1Jywj2vA3g+Q9d6XZo(29!kzfh=dq_T+N*aeR1G28SEW;j(yaG{XoOiq;V_{k!Yb z-F|GY7uA}@HI7uoUoUoCRkrHJ zi{X!s`%N)!c;Z8gL7wJN8EI_q=-7d){VtyLC|Lz7>3+$A^>W9L-JI-+Elm^E$m}76f(U&s$pG+4*~HkYrr#Q=gm1 zO?Ng@&dK(v9XT3YnX6(sRx+45Bj0epzPWRxQD^YCiIoY+*wHr$FK$?TWXLX&jIP+0 z68Lxsdt`J{7dt8gYlaL?A0lsDP?ym03o~D+vby%TI7HK_=%aK8f73vQx6vI9%`>xH z=j_pvl$TTM$Oms?#s>D>`8}-VrDsZgDSt~WUwEM3ws7S4NIW}H4uilDoFjm((2g*H zjF^O$7>tDl268YKWh4Yt&`zsJW96|Fk6A`b*5=%1-z6PCJ+MC?dFOKc9hyj@ZNl_*VD>^0)kVF9)h8M6nfS?ml6#;5kMIe8WV&-GZ=#6%gz23F! 
zw3@xR(S{ZNg}_y`K^1Ec?0`*{RhDHO(~rjs-k_u7$qih)_cNE*dUE#a1P8E1s7^4K z;}z=3+oyxl0_8YLU6i*dX;H53LCFBL(GRR!i*5z(V&dqJ;&6Bv#_k5T!1{9xFma}T zT@)T3{=JL5x&Ortye~n{DjY?M!;* zs9Oh^ted=26@kyun$LKo=MXz4xLsnR9-JBQd_IYEKTUOTI92t6rqog9!Ws>k$oKc7 z^4i0$;%@QBNl7W04fD@9(SfAM&U&*adNyf>q`{vZx)pJ0@9_CsFJ^_$i7$N<;&A6o zoLa81Ie*S6x|8iImmD4Q<^Xw+m=M2F7(3eETFV$L){Z@X%wNkT%5=uIDCU;7a&?dG zGf4JB`lfpKvR>VaoWt$jO9?*=pO4C|7YKK)FV`V9QG}eiqibsnFAoph=ox5P9s4qM z>r0JI7JiSm6~TXXSdi^_8auL-^j?T- zGixZeqr|9w1lS@2ebz$@wvt}A-*^}1ZeXg^y}N-c_{HU~YLIMm_p^=ohUJ3Sb8klY zbocAs=kr!jn78Y@nWMiLJFdGhWEFa;%pF-_SCY(E>B=xsm5bXQeBmi^9Vx0zk6U%p z-RKp6H2Z?GTekcaVbgP^sfv^8ob_k=lV{@jr*5#ND|3{oxRW1lQ%a!wjc@BHGNA!_ zSxObZxxaNSYjWJB-$9SPe)?NqxQ8rCJyeO#xtu9v;^)k5x#EqF3A(dSQBTML0!+du zU%(*GzabRx_(EE@ZT+nL;$*y8kZ&LhRelnhvFHV2J5eJ*rG6<;5CH_Tj5#a7`zsfa z17y(>LYCU?y^psj?x=zSDk|szeK<6*I9wD-blO({aQ|Oc@t36`WWr(Gnsjt?eR| z>c=4&AC_7|jnC!gtRvjJGVMKqteDfAwdUS+c$H#9j%cS*|~U82`}4HsyIJ;>Kv9rQG$dCTN< z-f|D)$~+{UNXyr7IJV6~U1d|Bje92JJmUe!EXZG0__X#qyg98iOzM|_bEa+qv%a4M z+!L@CtzU&C(%65ax&PAg7GnqRiMD84iK9mEt7XQVD?*~mzmnwPrjB+Kn`OjUOw$Xe z-sC?UHq0OYhJmP$!VvLZe0D=jg6Yc>3uzc6tw)-OTMze$5&H 
diff --git a/efi/testdata/efivars_ms_plus_mock1_and_2016_dbx_update/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c b/efi/testdata/efivars_ms_plus_mock1_and_2016_dbx_update/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c deleted file mode 100644 index 25eeecc6776dfdfd4cebfe81645a386def183872..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 874 zcmY#qU|?7nd0^?2Da*aux2_hA(f&}B#tak$0xuw)8)oD;uP?~I@pAOe!uaXx22IRn z22D(IOq>i;POtYo8@Bw00WTY;R+~rLcV0$DZdL|^SVLU{Z8qjm7G@rm(4^A5l2Qf# zFkd%?;MC;OqErQ^{QMFHjR0?bZ&z=H?9@t4LmdMxxCxw$VzQ-RO}Z(mWvMw1Ihn;J z#d;7Sz2y8{137VCLkj~lBLgEt6AKfwC~;mRAlJ|w%B8jSO^iy&9%f`^U~XdMXE11D z%?A2T-Wak(p6e_wXz>*(jFIX0^6Y^zWBWfl2WZEMJp6{X8w38J)8;zii=P#E| zXXXet>5ua}cSGlg0e4m#L#A=5TS&gS#aTU}jBXFVFp0|an_qsPZ~3@Maq_$!!Ww}O zQsy1lR=OlKJ~oQ+1m9eaLIYc|UKO`zC6;STBLCcx*n8U3{cP&vNM^t0tR5j{^}^tG zn?EfzJ^Mc#YA;v(Tif2hWA^VL{<_AalV3LfU%u~j-v-%~ox2?}rr)s$5jMy!jF_jG zptV75UdOt{X|JDth;FF=eLruh`WERwb!se|Hvc{Q=y3DVA4?23O*eUTDRwXaN*?dv rAl0kFK6lu($^>Tchpg2(^UnPhcX;lf6@Cj|Uoo1+-&3n%`$-c3rYBr= diff --git a/efi/testdata/efivars_ms_plus_mock1_and_2016_dbx_update/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c b/efi/testdata/efivars_ms_plus_mock1_and_2016_dbx_update/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c deleted file mode 100644 index 687e561126750b618ef12a9607841f2e302cbf1d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5 McmZQ$U|?Vb001Na2mk;8 
diff --git a/efi/testdata/efivars_ms_plus_mock1_and_2016_dbx_update/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f b/efi/testdata/efivars_ms_plus_mock1_and_2016_dbx_update/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f deleted file mode 100644 index 1e6465ec60348edab6880dc448ab776b08953cad..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4130 zcmcJSc|6oxAIE1m){(JhX^>?9%`ilXv1eb#zBPmyWHi=FmZ?UekfowzOIk==-E3K+ zk|>0<%JOKj6(PBKe#7n7?YYl=?(=%x`}^m-zTb1s?|gsf_c`D9`N~5ekOJ4H^P`y; z%oD3G3wbEbFgQ@46MWtwA&`cgr6^Z8!Kz{B=DG3IXbXUe8~~W`#(X#o3WIS`I3k@^ z$D#pV6sID~jJ3cEg>oYyK*A9`H^7O4J0eh6n4<$83#?-sXe^gAC5%c72?(c$;Q0YQ zwvz+PVehwVH$7w*UJ8(4d$_PdRy1D*J&f)jjx(e)Lg@@jI1QXZ004GB9INoH-=0nf z2l+9=Y5p`{O1K}66cJ9PGic#^aRdMl08%2ncsw4!YvZ?Q;57(tBD@66HIv9TfrLZ< zNT{lS@>-~J-$He!h3uk7h2d-&^j#6Y>@ULE8j{#y;sGX9=KD>AA|Y@l6axYMTregS z3VF^`S2(K5IWpe1kWH(HNH@^b)u+o49pv~a)WNzo+@ZmRp5)mr6_<<4RAPMgB3DMt z^$iZ6e9$X1b17K4Yyr=-vJ}%sPGP*PEQ=U!E zs~E?t4uIHi69i!h9w{z}10(|C12Ke<0B-h741)a{7Jy+JSSWM_fdt@S18iVBWD%l( zaJ*pOyi-T&>p~A7YPW7?n)^Ukj%X|3#2&B#VFOqJ7Wq5!O;;2^*ag$6$niR6Gn5!Qeu zVE)wxV65%GE)f+K^+!v9hvCoO9sa%0z|#t6f*UBf9J9yn{N9$3%4zNG_1o+*Axe7u z*sw39)Q4sz8dgc!$W2ptlQhcS{*^7N#zAvUW1DY0kxWf`$~mz9jwP3-e_+al_y8iU zR8*umw`N$Mpc&cP>~_0x6w&lnxcAB}>a@?5=j32pz@_9}%$Ljy*2m{2Vpw6$E%wr3 z8g8>iNlteWPdGRy7n4W2=39yPzgNJE{yvdR)N8i>;nx@e!!mLT>^v`*Z6)0A&OAkwu-aOOwB23$R`(=-v6EETX zrM;YQ=H{~xUyrjp;%_Q;tgu2rH$jn#jH*kw^x1#Cnd46FzC;Z;pM}r9({JuAcbRLo zs}wuONPN+Kb_3(K)ZbbKI}Fo#TQwLmN|V-lk~TWuDca6g7U|mE;k${W82aR8)~GaLC)V zyU&-4@Zsu!<_5)3w=n}(^d1Z6+Sr2$Gt%4UB%0f5(lYpt7-z8FT*IBdd8(r=tJu@0 zKi?OPYlz^FI-omiTyyT^xen)ey81=LgQ#L33D?*kF`)k|1~!82e_{Z|4`N{PD+bWL zt*aP7{2(kKA^ji8ty=+Y@X&!6AbiWM-(dnrrqUR@aJCc%$N(z}Bgij2G??P+hhw8+ zjR$}xL5qMV5HyIZJXkZ;*(Q*X@Q=i-1SqV{W9G6)%&uH~C-QD%NFPW50EttRs4>j!a-F;IYOGN5BEF%eTq5Vp;rO%mB3xN*vTTC~i>G zYvf?VgSbkLonJ`-l7kG`1GZmnkQ_#TjU0cv!XNU3h&EUO?sqLj@|5vYU5E-Mgh=_A zX#tYFfw=jl-3eRFT(OR`Z(KA=gt?iQJj<9*;t!HgsXs}6fY;2f_Y{9`oA#;7@sPo0 
z30y;Ext(BJ)0LB1(h_M;G0RbTSz+l%?lm;n*C1_qUpnXIQzm)GcFPUwV?^}tb`_bo zSY6E#kVKPH8}8KCDCzD{+CW$il&0C_-i|B&Xu^o2qi;BIG;U;YIVF-Q$|% zeKoe#y#n1FjdkHKpGl?0_f3kqVN;4Sq8ERtn2}eRiK_D}5Tanzl;>ofBM0v+!eb@X$-C34C=`!oX zB~x@w`HV_ND{?i6*Osn3lqx4o6eIWCJ$s|}wYZW0s41E6xKmu!IpI^4tcTR?X|mO7 zUa7W+kKI1T^d=R|sqzk;?g@?VBT}fT?9^%1xrk`<<#zO8YN|}_kih*Wse+o-?m+^ z&QzG;I4mb~ZE*iM9Hm&aAeClv3&Ptkc65Y~DDMN`BUCc|P(DB3Rcq(smdqPN(V>gA zmaN3g`Jr-{@swZ7^`cmsa0JJR+>a&ot_NLy7E?m=>d3pK+-# zzW~{B0bs&X*Z2X0zx|OLKHsHaQ-iOC0vgL<91;*r0Sg5TIAgVRKv{xy16Ub|0U~S% z7na|I66E*0qCp72u4P^xvR_#EDg?kp3*f*)006ICV2Qwf+(a=T5WaT+yZ+87L;#_+ zDEL;R_?qtj_r<>v_6U{I`qb&_UIm{Kk2sOY`4c;6x_zl8o=-Cxy!-p!dkQw1_i0B2 zCKjZw*rk~5cuQT>CPSi^hIbnrz!pj74tHB<$~ahN`Iq0gG?i_1GtDLW{G9T}GDFEn zXVR8W0<#zUANY7RT}a_KLQTz7RMLh@Gu2Cx~GhMtX`yRj=5E z8(-r5_lmb-6EzQK2gIc~NIN`_`VzrBj9D*;4Y?_qui9Q2xcj#z{bP_eBD{rz)Xzm~D$e%_kMPte=SAf zVerwdF$%?}NBC@)0d=G`)3n{_%BvS@UUQeFLnsv*6(}cg^j; dz@@o$da6jhv{yrv2l5w3H(uM9@dR~d_}_&b_p<;1 
diff --git a/efi/testdata/efivars_ms_plus_mock1_and_2016_dbx_update/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f b/efi/testdata/efivars_ms_plus_mock1_and_2016_dbx_update/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f deleted file mode 100644 index 6cb42f559476bc8994e5412f85f213b89441b880..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3804 zcmZYAc{CJU9|v$z_B~rl6UjPuM%G9%_DsYOO}3$FOtwN4*_Y|b3~7)h9y?QNWMp|Q zS+fjf&8v`-eT%V-_j#W`uY1n@=bq2`p6|Kmp5K*aVq%gJX=}E+Mlh-hdIxm%!`eTd{(t-3(@4w_Sd*e?};CZ?ltxqe{zG8P9rV5v>Z-NvA^) zwGLob3h%#B|7JC0?mj@Ws9QInG$iHG?hwdm|Anyo}3Vh&qvlv0AS zHii(qaydc2r4n7Ro4q$o;0utGo|t91syXNq%O;J{OOL4VJKYxs`j2Cy`Ek>oN*v@e z1>9rhz<3@*&uyp;`wBYrP7EJk1L$EIF*Iw4GFOPOyJt)rveL0YY{lfc3<^Hr^f5oH z=|1Si7h`HI?|S_$c&@b3Kk7L`Rg%Yjct{^k%Erh$D{``eey-bR-q_SVbM=yM%Z?vr z#htGDHXK*q8S)-aPhrvg0s7X`OjDjh&pgLgCv0@z)@Bv^dw!kJr9|~0rPZbD+}@yf z+Dj8(Nq>bjdAoP(0)O7rrCBSdE;r8Fgx{bamJxm=amPQoS-KqmD*S^N8#GV%A?89vLr(+hkJ|IXL~<+eTOxS@P?w?KI#+IgB;&vFUU^S7?=;H2NZ2ufu7CnH|vQ+ z`{X=SHDif?T>o4LBTKZG8I$&_D7sbvaq)0CVIAM~1qXL%k$pyw7N>fBe_fR!5zuoiku`8(_MzuqL6-bC@<#f&s0 zrhuM@r?DF+znF*95RV9$O|TT?c>EUrLRUd3Z{(6KzYyOM-?gzvdM*iX?T&`22jdMt z@8h|c*r+aQbBMnbdR_KG&yTD4-M@HXqpBCQ8JQRPVtOD_k%)WR5!5HSArj}44SG=< zT`m`s_9C_qLq@hIG|w9J>$s!)(sn4k%I8bR3EZF;)6kSZJmJ2So55lz0ROuDL#a{O z9Ba={=^yU&9HbrTuSn{bxvWfJz-~2Jw(`ib-_7}M8HPK&vZsQ1cFdQg1Li9>L5pkG z#vroGh?+eG*8%fdXT>Z;wyU>0Yt-@A4m+TS299Z5sKfUBNc>#buJ1y0K&}w>R%M9p&mQ zOe1~{Tnw|{@*TRL+vgU%m^g?RCW84e_NBV5NazMt(D~FtMw#@ zyKE5j7mWucVR+%_k(->%bCM_>>$^6bXjIJ~HY$sIeXI*J=r8qU=8YA!tMQFfKxLr~zIjP1z zw1K;+;A8W^CO%vBwif7}=gog7I4lrnbtc+f#+5I}LRF^FiMv8**i5T2pW;o>VtWjku#s>lOg>aYAy3{#_HiU&s*UhfO`@p5ZNClUvoq-Wr)LPTdeU(EG1H!wpKA zKe8_{buX9B*ze>&_keHfq|f}!SX0k|M==FMZ@z?;b}xy= ze@?0GCG>pr5&x}04BhYg@4W6gL&@dYatuDCk3E$s`zbchx_l za`sKrHQmP z7QUitw|$fy4t_DVPzwo*5XM*XaVCiOf4aBXs^4pZzK9|WfjJDlBJ-HZB118=h39zf z(~C!agRS83*dX>|&=+s0T*KSEW>jXfKcd^v>Npo&=eAdHt3`^$#wpjUc+gk+$b3)3 z$_)M9@VS{V77_bjJ?kC=-s!5SjuR-FzT-L2S1nYj*~tn9E~S?#qXl%9)JkK~s=69d 
zFLty!O20VggPuIi!nqd#9Y0Cm)zD?0u|?aF7X@DPPxM}aOj#K*zXd(T_Us(Y15)X8 z0RnR%p?L(fJ<#7Og?P|za^ec-t4M`7Tf|gJ(5voBJ`#E_p!Rm?D zrmQ0j^wco+#1q*px7NN`Vkvq8)cf8(V{`}UaOPw=?U6jIG0@k?7y0};6Pvm4b9GTADoF9=RI=&Z5$01X2F%C6NEA;%6qZBl(c+PC}h4+gzB24kI2NojRZHDv~X}e4HUP#9gtzG#oqdw4&_AF#*ZJ`xmk8Gd!c9{F#b`@o_ zn70UP*M4DY({_yy1jQEvw9CG?K?T9~^^fQqE z9n%qHP-$^`qJxRTXnvbYS2ubVSJ5FcJaJ^cF+56aL!ezl`|F?R`vQ9d+Nk(=r$P7F zB|-13uYTBLU>`<*wK`3iWQm2lLjBPJNq-}dF_kxq&IXG}LD({dj=Z04QHk3Y_(y_g zh-oPU42L076rCns>c?`G(-tUE^t_erknZawjHs|iV57!}ZW>c7#Esw8cpf=q)a zwLhhOt#pR;6q%_kYYO;}>HLZTy&iM?bwlpffkp9>^F6Dj#$}@c!lAS_Qlt{CwFp*Q z3VLGZ^5)jA-L!^L>-y|7cwa&Q;?BV~qP2LVV7)#UWe$2zN0%|dkW6Kv${T+)AqX;N zhns$dDFhijziOl8IdT>BS35eZf;sy?!1uKg5uSpRp4L^PsrtQ1(p}cEzUZl^{{uSi BVG#fT 
diff --git a/efi/testdata/eventlog_sb_no_efi_action.bin b/efi/testdata/eventlog_sb_no_efi_action.bin deleted file mode 100644 index 65545c9056c45660d9fb1245fca5ae0d85ae93ae..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 11929 zcmeHt2V4}(viEEt?UE!TAd7$?adycfSwJ!@IVm|w&M1-v1eGA7U?Pc#f`B4HkRU1s zvVw>K1O$nK1W}N0W|4E$21^@s+LC3EOKU8V# z>+Fcr+JjRMcJ>YgB{ptD0!SqE3k@&C%Eoy^r>NkFkq$>q`>2lGxR=8C>{)lq$`?z-M=T)J@IKzk zSp|8mT%2xpRJ5g&qg^?biGEU{$;p28={gw! z=%diKZns>JhMY<$esBCT4FZ8B13*_i7NjCanWD)Vk*3CYT96thD5=RzoI~vc@QmOV zn5Lk{5PgEYop3}S#{+l~C}$KMO5 z;~WNVW2M1MgVG?L01`k@#)_3j0>42@fS|P1f1MyPi0$7`0)h-c#USVaFb07^#vl+t zIc}G7;-squFT);c-1M#DJ?t-fq+d3A=~zVTi(J`mz23xDCU)<%F3Yyp z7GLH=MmCpX;!0(10!l)_kH}UgFH6G;`0H+j5TtKDs75zMzOX!_+y@W-+m+qh+~1dvA^V-2N03gFTX22N}%) zk!lI;jtBa5wh9^V^BxskbV4)Fzs;J~UfYeF$=`9P)qTHO^L{zZYrgXheit%wU)R4_ zZf8^txJ0pA(Ikk)SS#@)YqiM;rqsz#Gs#D6D(|uH=}a}5tLr{7xwoC>%l1`WaV+r5 zP(z{+03u%6?p^O~Zs!KxA1Df^$ml7}uW6JiUKyN=eNPljm#>z=(B;iW zU;%tzx$@G)V#3x$bZo!Gd{!7=qllWds)*+Rnde^K29^w2MNIF5O)bNsF+>**Mt)gKK9;|KA&fY|BqqlgGBVTo4uZ48+w7I18w37yoc z+1kulCgWBlFu79B>$_xORGytE|55C^5R)SLUk%4MdjYUPZE(>6)PG?*Hd|N80H8km zbBHC1pjU4vxG@i)5Bu=QGULzQt_M_GKW+f;YG3NFGZtmW$ zfj-`NdXoO2DHth;&Q4xF-cI;!AScOgFf!}8JNo+s__ze()O`GXef;eM-JvJsK{=8Q zVI=&r9cSX^?(c*%wD%7T!|B=kA8-!z^|W_%hK!O=Aj!T!28AF=044DRImo^cAaetg zQZNZdNBu1_3xR?gGV}aeW*v1MoSF)b0OIkGh55&pr)9h{siDMtN7;_M6JuY@5AH$Q zQqa869t{+FS4KDGH8~YoGi>EZ2;ahLKs$`REX#cI#Qnv=xbp0?B4dkHX}wfKZyV7? 
z*FerUdq0vJW;=Z&d-8-c;%6xz8-keNB&_j<<-9X3g*=qo$6}Cr{kf{-U;p0UJ@NneO@W9s20x zq6B)99wFp6x)RH{d!3(3+$~sRz1HB)%Mw2!i{dY|-C+tNXPxDr>=e4V>Tj7hS(-k( zB*hqYA2~I$|H=8_wpqvYrt4wKabXFO!^EQT^M@$hQ}j1L{o3W0LBnzI{<2c3W$X* z7aeTI5b+=#OpweN8Hj?+7|0D*@S@p3mMA857oyrwgvFMIUi}Narj+u#wtEzTHt-GH zXj9M_G|Dl^(Tmq{3k>w#B`)sh?>bqH0Hw%y=j<6?DfC`G>T z*RunXW^q$7k4jbeea{_u|237aFOz$8EQ7m3i2AtBy5LUwL(6^Pm%4&$$Xdgu=~C0r zHGh5M6X8jB=xLMsD@mhFIl9q(X3yEkG8ZTcRd3{ktWmPh`z^n4`aC{1$G?u59>;r4p9(Gts zsLW67a%RVD9lI7@&=ixPFIz57bB`&(XYIIHo!qUlcXtOz+63ZeGgN1HCZ}qs$VYRy zK3`F@bbd@zw+5seECk74zQVU^sG=M;C~AQ55D4}rPG`Cwx=y#8K-Q_=Tw=@=&HV*L z7t2W7ztDE)kbLeo-HYt-%%JY+@Z26&QvRV1m8W5MrG=uICuVMKemsm|*YNz>rR_{Q zkD8wAOdeJ;m#TPY5OlN54z=C5G%bv)_pAyxbG(Uf#cLWVy6`ed|Ju`b@*lz`^C~!P z^H{1A?!D(&syxl_BYSZ;?Q>GtnY-?^Rr#DaveTa)F_i*+Egu`1=z|VO=5SPI*?qJr zyJxO1-A#yVxbPziTQ(b)rr~%+{1$*Bvg-rGQx)+_auFgK2?yDx$1{Wvj3;fxArTB(W zlfTBGJ_v&vHZh1I*o?%7@+Tz*qZ9uYdk*=g(8rEOG4A}+p2PTpQ-i)WcNcd@`#@)$ zN>HGikH0$vL-41(0X=vSFNc?v#7h!L(6d2G!6XV0M~&@RL>k?=jBBT~KAyKfcEpV;V2|zLJQLwp zVav=NQnsF)!Zz)7=XjHSyeoI~OEcaz=oKifA;_zwiwr$z3mGpq(OQ<7T-k|~JHgU&IP`K%J zIJk8wWTaa6wP&-nfMy%;V*u)bIyqW7n(^xYSMUR=FQmMX&Taq?C@o5mAOVlnCeT2@ zqYvtW+M6^4Jc|Ds@cak7e+fBEtKoh|m%^I8D`w>s>vj|AyoHtM83Vo+xpnR>l+;Vg zB-=5A*GRPw>s^->Q$MiKI4W5Ef-5CyfU0ln16_=?i^s7kjy`m15gTj4*_yY?1nJO-DVxGy)yAM1T6|D!@p)+)<3Z@6&@d8-b~~PkhJ=kpJdjGenCMs z{V934eIepR>4zn366F`Ahg|-V#?_N|90!LL@Xlq?qx09=SPCvG6qTQCR_#oU+i$|P zesrRiOEcA{EI?o7qVmQ4qq#yAThaoOcmzMRzYdVwuXxqQZt4w+zNm-l{lZe_kz0{Q zi7uM#$Meb<6rzRP$U<(X={g*`)kN{2_F#e}idM(rVAlIbtL@q{4@C>i!#TeyysW0P z`rO-c19=3wYvM+~_lP@>%F3Da)JBLnR*|3O!l(_mJ`jEp4 zAJuCvp1%0lJjzGn3c4etz=6{;;%698{ssel(DkpO2su3j1D`fwfU>8B1Ow>5z`%dw zP(+4+ClDm1HbW7Jlz>SvI{I(H17UFI1|Dqx6A!)%uW+X78e0EyEOLp`Q}=;7m4^;> zL1RKBc@VW4!o+EiC6Zz~{V=v7pn)25Ut8Ti=N^k_X3wH<&KEtcvno-kyK79=-qm%T zZz*6)id0Fmv5a*i+&-rHaK^8W#~?c?e0`77@f1SEj=iNpl`{`@w`sFSjKpMfg@))+ zm(?%P^|18ReHOlCBx}3)rFI|`Ij}y3;mCXzTg}e+{#N554@s z(fDCcMVQ>^iwcKiy#`s|w{Cn)4PB{)*r`#3UNPE-ho 
z^-F>de|1BYl6s77q_@sR~n7V}C%|dFY1|e7=e3n5)K$Szg*ehCguO*}D$M+VJ zg)G>ZV%w6K7g4b)d8K$n>FpX0c2u(F4ti=yFn;G37*Qlg$s zvn_}-u^bS8?Q*P)cl1Hr^XZ8uiI@^I9X8Q9w^I~t9UuHZl-_<7f8>k^kFJF92RiK! zZV8p?ri7qej~I{L`TSc7rc3(JrH`L0Tjs=dozitk+rBlB>zINj?ViGsva^y><)3dE z7l}kq6_EM0p0BPQ=h)*iqG>{V!YuN}MV2!a@ttmpsl1iq`%(;#9KU}&X1_}Af*8$U zR<~!+$SwCup7_rcT}yBEx?Yrsgcxt*C&)bTB>JCg*@*j0sbrW+uOQ>y8nXjIB0ErP0jcBi6eWm2PXY_?y1v-(KE-XbeRz zl)t|`%LdMcyDN=pLx%pOp zggZ+RMf%yr!aB=XiyuQ4%yeiZ{v#8a^_SY=?cw-Nl zO6;2)N-%7!I+Z99kMz#*8@}%kp~%l6%jUwFE(u{aLY7cq2TMznu3@_JwJRzs(kImf zH(TK>Nq$jn4i~y;Z(YJ&F9wc%3d3bBs%KU?nX8DAq)^%i#cdAL9c517xlBn>yVz!r7lHX~U%v*IoXr4_J98shPD-hm2c4wcP*HWM8NP};)@N__Z3sVZn; z7`o%n-Vx*d)eWOeXNH7gY9Cap&ETStWKhZ_Dz+ns>(SI*3DLm({(C28(uvWGGf^F4 zz~R|AeMgl-h{w;p!x=2N1aDmaNV9+d{3k)`*MYR069jle>6akrJ~TpzR1fE@Hp)hl z=upOMmx?uh^(rFRd!VAm4v9pgB>@{~IaCACg0AqQ&?XlfAOLU!+yO5j6p#ia0WoN# zE)Wd>k?ZK6MmslCiPAr&vC#Ie594xqX)H595z6rdUrZIYW>hZZRM>s z7kV%D&|JXp=D%V#Y@nG5f#iYv{du<-vC1cgY3w`CYuARg~Yx z3wFtWmt3&b8w55jRkDT45nXJ|`F_{j{y88&okm3<9Si7bpAZRTl&^2x$}%xOQ28wA z`lR&Y^EVxK*@J4S7sTH0g#`N9Uc>JcE^yoc7kG*3-|+*KwEcffzx+FX_;>v9KRM;` z@A%<=cl-e3Bm^1XJZDw48yp$~J*n>m;}Gl{!{s_LWCp%&hfh#B z@r`Z{C@m1DWmK=i;aD}zrFYrht6gz*gc+dR=y!c=$3J8BpKAZPf1X9{`*Te5`X!aP%5!-V zR>1g1zv~7YbN!#{YTu-P_7*s!u1^9=`j#qr- zUR>;+FdoVsUn?AXzI9>VBaD)Qn`-uiDya3<7FbZz(*df0fL;8CNpE z!+?r0KZXu5f>M!t>ietCxZ!v&7c=V=L5DypYN&p&OdCXX|8mX6H@ zS?nN&KaYE}57}=&jK9U1U<_IkTG{5@SlOlmYE<}g*hJD@|FW?CebP`<70*Q4eg*B! 
z!)gV1I^%p?pe-Iv=GV+EPvRbUJ?t(v{Jk2jRC^u*}~I*H*WK>}%c zm|FP928d5UptJw46P%>nCTT|v9*-wT;i0u`(gqudB9TAlHvj*L`Omi2G+6Iq37p}v zEw!IMZ+5Nz^=to+uOdWs9q6t#dhMm$(s4Zbi#@l%lP%u;rV4T0Xo)Cv-2Qw%^a9(RXzYwO#3YCabM|Fy-XA$gTND2HHO- zFE{7$h@Lf3k)k(eJnmVyliW}{Vj}B`+hzF&6dZ&LIqV6vVYl6~L?ccTN0%lao?Q{1 zu6EO^>px|vY<;i7uXxhN{I%bTGUk=_wQX^thFgifLmv-#r#cx}-<-sa*weqT`YtvE)st_I(if|DDTmON!)acmH+=ol2{JN8dbQk*^tz}QNeM+A?Ma!*A2+FzwhbyBUJAZ+Blf27!A>vY zR#a>Y!)3#Bn(0p(GeTmzOU-X&p%)3e?wfK^3@}_V`~3WAFm7_>uF*iY&AD_XwtyEI z9=Tbv#|jd?npWlfIs=1QP>N=}QqN2^t+#TiH1{y*zFaTGq@Q!Zup-U{4DKsmtLv>~ z-*PabO%WC0GGJZwP;Rf$y7ACCym1!GAhGYSEDMUOo6$L`vh{(4Vm&~ zMU(4r9^yWQQA_rd=~o^3w$tgi?{uxbo8p!*3P9i4?O%47@)KhH%;Cr92HoXC_%;0! z%a03O5-VC(+8^b9TJg$47SljGiWckA!s%6CEfCVAno+;%fvJPd$e)O`8minAyZzFs zQOp6&;3I3@d*tgnpp`761$2*88ZT!+Ph~bBe=~nj;=lVY38w+uJ+^8tR*{ zK@;sw{3iX)?A|WVBe6iqtn3qC#iKID2o*>BxGS^T%kr<&K8U*<>k+KCM0TJUVJ1K{ zc@F^e-;O`>9i>v-5;32aE)zv_+mxZG?Z6d{Cs-hfeloM?@nh<(gBf>nivp^%kd;U3 z1NJF$Eh=x#WZD|J&Nt;7zee(r3fd$7koU=I*GGM26>a^A4-Kv~VFAedqe>I%+@KpDvB069w10{S6L*`EA zP5xyJI0KGAAV7kSssIuC3jh#558nIIXKp{uksEiDnV&xGZdv+biTH#Cgc{z*Svjj9 zua${2%#4V(baJ*Ur?4)`O@!>#R`W*7mwz(vc(OT%fGb>b_o zvf2oLAZ?s0gRW`UH}hS|dTVfGB`saMZ`cNmMx6trkwqzmcqn2#NJ%Ja>IQnTDCv>a7JGC0WL(6H%`|% z6x_O*PC^Eh0VVJt9t35rHq%K;tdo);C}Z{CCrC76+mDlgpa4+O2nGO*MqrT92n0}u z+ohZ^;cCIhq)v;Qx>cmkG0-FPywO|NBFaGI$~Nn@CiYUXyJrOt_pcoDeIsyLuDzz{ z@^)lIa|tH4MD`}|V(w#)v5ayMN05`iiycZBjf9K9OxoyC?zx>$LS)PL56I8l0FIlT zXo!-K%$S#9?a8Q>e<<+DHOX;+DmsIubFj@~T)m@Zu|8{Wwfn~d$tH&CQke&t%>j`r zNu7@S1`M_eY439%=3j6^v(CQBoYGm{gPhLWaj4b(fLikbdCbf0=NkOZr(JwmKd{)& ztm=P>YLB8xAe*sv!l}(wCc~H#CqJ!3qS$2aBi}RWYO+_?h|w2oon}k-S6*?<_e)bl zq7VQgPXkl~>7h5u&456xq0uNLat>sIX=a$F1}UKf5`iGUb#8hz8=6Ivn8L+~BV?Mf z&d9IsW#8Ko_%8p)iH5WdnrH+-Shy8B{D4$?QQMureY1_nJ$wfuAo1Bw_aEm5z{I>MF`CV^NzU7l)xs`xDn|_}lz~!~I`>0e* zx~0$?>4@dd9nY)#S!IvLKVJd`gNubG&1v?h39yZv?Gu8I4^)|Qj0Pj5u!>H1FO7f~3Ws8=EKE}K!2&V3?lEpCO&V*wD ziM}%Bh4K0LEeYtDe#zO)(Cv*PYSyYEUV{`~d-)pJ(&Q9PIkiv9KQ4Dx9J|iCU8B{y 
zSa8?n{DidQm}k1j?|5xK6V1Ewv*BR=AYSJmGZl6e5st+#(96Avrtrc7j*ZhH6WY~V znwd*w-3kRJmdf~i7cBObWhLzXBz9ehMUnE)hU1&P0N9~(aMJ}eeq%Z|&aO}ZKz-J7 zuq6twUvDQkH<}!x3r16nLFS`#-E?5=FDRn%9|$%@4(vWo3(u&R3r7rFs3P5nXr< z)8%~;tw#)#adGWm#a~}oi*B5H-_|~7?BTErt5*GnfAuTH(vudJtDD~N z9X;+_na{01Su%2VnXS36>Cuz17V(kH>Fr6V$>Xz0<9BqvsBL1xhF55%dOd%KJ~}Zk ziJo9Y2>FdH#W3$#XWnAu9J|)^*DhjWC2}N*BTy8evKV8WAna zih%470{Fq!IIO6(fO7xc@%;+@C7_* zQ_vXPmt&ZtAE)aU5a7E@T-=f5CFZ@M%VLg1Z*gBwceq#Fmqc_5bPVtphtvYnaY%I` zy@iw(($xcyGJvAcKPW8*T?*P!QbP|)K|zH;piMvmXtY6t$T;(!Vi6 zz%QRKDjJ&1C$S0hENSe>heCV42&Hn-_T_Ya93!|CPUltx9!vp>MDv5J#zQNsWj*#C zVsu(~?KF#Yy}ek-8B$-1)Y~ zyo4@i4$PL(Yhn3K(eVayW#V*qS>lPS$HnU8Z;igYGc?>L5Id8mIF$TFGc3kabZRsg8?!|5d;!r# zvNHAqI_{iO&)lYZksV%Xv^^bO+d_-WKGdOdHSMmnP&M;Le_Wj%3&qhtP@KaxU9k zwyOBM?>QGL&hQiEF1$UtoEVyM$DO`1j|)d}=JP|A5}>c;QzHvwpr=$0XGNynC!5l{ z<_0p|_}GT?Kci5tWO1G2+ts^^GNjT_dkk@-;nqQqcS!rx-gA>S1G*wHBFo!{*_j4wDf=v#Alad)&2aK@#E<^LF&^V!C@Bz+3MwDLGS&eq<6kO&L>r7Z=;V*q!uAuJmet zv1ph>D8<@a9VN6h&i8H0sOQkxMw!6(i4rf4`;I)9tq9Oe7qpJI;}dCku64 z(gan(gX*ojjitjzdL{*`z_dUJm}D(P%}E((_VL$FNx?=v7=vx`Ho?)KuI-zw@RwW>-%lNV?`zgi#Awvyz@;p_QLWZ zZ;s$etL@8sQ5*212EmWgKZTzwJCX7y*jmnnw52SaH_Un+W_sQDuYsSZ3ucd!$8v2P z+`1IfQmp&hv)Efevvv3}1oc7P9PJ#fIF0`;_<__HQeH@B*MSF=5yeZAfyZhCXdvJ* z0QEqf4H^O-#eWZY{sHgbLJrGHnBTrjq0K(!GxCacdk73Z!b*(H{$C5-I`DzK&4R!Vzx^bMX=h_{&8HZ~xOuURhi-L);uW6SJPRvb)#rc~z6L|fltUl!>nzf<_sA#4> zC%tW-3qMivVF8;+{YB{kHz~rnYT~xz&|3uw=hCQ=*=ucV`4n1RzHngVqEPv!lm3akf*;yn`pX|sylP`N`3l8Y*hBMvZXx~1t%!XI zE?OMNb4!^NqJ-Qif@@FeIUKsxM0LOBV7wHHUf1DZ=KF^$?K-j#MDxwVxV|bpuVS!T z?rph&Jc8Ucexu)K*qvAQWmMNfAP0qO&nff$J2~ZBr$t}44Qu#YcXqcQyvoKAt!dG@ z|6J4!*Xv%=vvng%+uum%Vge}_*v&GZgot!ea87h4AkGyrex!I+6E5OdNtw;Z+p-km z^~Pc|rHt@NCe-8n{#ntQrL=R(Q|uZa+Y@a(6|bUteA$IC9zzGTx}G{>@Uz$ZWO#&p ztwvNWsr_`#YrYf%d450r61OE?) 
zBC>c1JYGtABNTy1NtgtqqW%^<5C(UyTrY)M`v+|1nbk5 z)-N#hu=Ug}3t!qNXFLC;W-tUfxHgI5On(|v#ligkR^uV%L$7%R1s*KVnC<6!7oHa0 z_(8oqRDNWj+#yN7LC*J$+jf=*lKIrKPc7W{_k>L~p^d3W4N8UL9jWb!j;xmB<-(zT zwDzuv)~oxA<0ER~Tn+s!n6{y}ZEH`OG4TW1jifDtPE${Nl;t9xZh%1$1O_B1^YKG0 zLP0(U@_p|^!ugNSO`eqz!NxkD_+_~bF77zQfb)&~A!K1LZcwACkM=!#?5UxI&(m!g ziJVXV8qD~g60%5BtFD2M+ZTgqiy7T4q<3oKg9O56m{bH*IdzJ>qvZBlGMj#SZy{B{ zhK(+=Esh?Dj8UOXzR5j{s{XXamh+=g%F+$fSXDtTTzz@TK9;+U*Up^giO2>$fr~6 zbK)#)p5iZEj+OF_+>d=WHQpo{U2LYyF8a~!G*w&22hxX<+81$0GDLXwB!xdP=zMUC zuShk;2VV4u_SlohzbSvJxDQ?O=$W!*PHfj{J%^Lqwghk=Q_!MUFBmS(mXa=8zGYk} z5;d7m;n#Yus%DH+-DOzIg#LtC#ElDV8Rc=EZi*><72^AojgB0@cRc!l%EdV`x}nT& zufXA3?iIXo%T!$pZ}htcibaBrxANm zz;1dm`k__!XE4Krr9dm4U%Yk4uu9q%8>G@m`r9McdlZ#wwb)3eZ}_*B^&c8VQ3~ZP zZcWj=1JLzy9DPeKE#QFiV=b8J6v)Z3l(qXTmsT|t;`_NqFD^c9VWe*!|`e4N@M#=w*7oDhfF2+ zPrQydYOFk+AQ^}B$?FzX>p2(W{#rAf~yRr%T#l_i-|YJwYQ z;VMa9VNDJZ-iBTLmL4)}h!K?M((&$l8C4>sQxb)uG;BEPG{Usq94-zpsg6;m88V1`p00@GYu zWqprjyBVKp4JxwEH(OTR<)E|#7Ro?8eyuyuz|5hxG0sMz!w@QaI6;LE5>%>!62s6H z-$zG`^;b2Fuw=Xzimtg|p*D?+L{dN{m&llo9PWpccO*pv^7`+dm`)``F;7Q!hyjOZ zVhtQs3LqZ8jt*C_;1;xg_@m4M0`Q+Cd0Yo_IwuhDfyys|&~<2p5V;?&S*^GABGI9= zmoDY2{2G-6u-CJ^+75|Cqon{FC>^Q^XhTOhDYU`G2Ji>m0C&I}2mxdODL@Q*QWuB@ zfQU8pFHie%x&mczOmnX7T_48f^1^7kzamuQ3A&IXY|X4(z@@O~=7)!Lrw27sM&lfU z@1OBdu`mcaSo{X!^^cym{F~exbN%zv>Ope&K$3<4I7o7L=nZ%S!GJxv421(s0bl67 z*h6yxznlM#*|33TCK!?j9{1PTg0%+H@^4z%#xSTMQ81};Tfn#my+gKlWO3FE3n;jf zZhkg+5_q~#NJQ_zD(ieL>Aq3K8=_Fjn|tTXBx?jA9%}YpUQqrR2fHdNzP?^?ybTAj zE+nEiP8E*B4SnGbc;f!bFY2%2wf=?wHD5Yxm;NfbU_O5pFDPsCm+^u_fWJyE*vbw8 z8#F>@V{bpL?9I43J)EwCmY+)&Kf60uy!f;E zQ^cd>8ku3p;f8%7BNc)P?EBk5Jf|iMoM0S+eQ~&5Cj?K!$8GQqYA3$Y&Hg3%;`GcK z^?NkDFE4&r-N3O(=o)xi5Y)hK#6E)lLQOoMyEoP70yz&9AMF0shu-k9*QnNgZ0L4! 
zTlcAPP^mQ(@}yy3)En|vjmTbV0OYg68xiti|5dxLaE~D-mZWteRKfk3*5Tpjn>igT zr?~Ym+k3Ywt_-sR)a&D}jqdnYto}>qe;uE9UgzFNmRW=13S7n6TuCcnY<=7{!}YoT zFAeffZi0Ov=v{o%75p`r_DX z!Ru#R=4L%Ysi}ClC*w9%7C}7N8_k^IVH#7vFTI25M0f`^B!U*`R6&tfxFHabc5;*V z0BSSiANmAe_xHzEKR+>dYh8U+#kAcRDeA4g{UlGSl5r&#czPv-{(^^E^N7;>)k|8p zgBL@TBuWYqvN79*(G0WPjoV>S|3QQK!wrt(e)bGU0Lce~azZ@0A<5yl2|UkR!|v!{ zf&CmBvDzWp%%7E6NBXelUr&9$DrrU9x|w&$>mq`LkodHrKyP)k*Ug}lTHT78Gr_V;qe z5nZ5VF5ef@&{C-r16{qKRe761Ryfm(p`}-|_aXW~L6R3vFThDmLJGu_Q^2&sKc9g3 z_y;(XeqY2S*DuMdW+Wse@X``czM8y<2BOI1&-Kgydt&~pocXv{-A+m)o$&F@D{hx}->2flpU>flrw^@l%M=YiMHpF_c#yp$JXPhUUDtow zNZI;sxnI$QjrmKzC1uPD>uXzMMUA!)dS8F?^ht3tw7xlk8@6X0u=+4QtlEcY`O3@F zU)^YOS~ZG5;?Z_G*y^?YBegG9|56UVD~HRxQ2*`qOD8BO6dBbnuBWV{3c#qmAM(z{ zCo{3lLS^%t(Z~31Ia}>GA!X(G(~6hhUht=;e(ytge|C;7N*Na zXSGrvH>L$gcbAyo$VAWMcil7PrW$0rVz&J3Nf2&g_|Cq;ESs~bO6>jvX&x6d<&Nbi zcsH%c`*j8cv7r>r_@tkjYFTgLR%z~G(tEyEf=NB=fZ2>V>p!%=Y_+bpf@9Oc@HRzM zxXYk*;RE@-`__zKpOr8^$+?>`5Vg7HT@*4h%~wyeGObjBwTxyt{AEdt`*1Ge z9@V~}bU&kbWiFFtupLE@b!p-9uCEdZZc<=vn4kE7SZGIj^%T(jVgOI+4PMPJ$;bIvP zd)Y70VSx(6K-EXjNQGO@og0tI7Cs&j7GA%WtIV#^D29eaN8n+GR)piG=<`11ta*z^(OBL)BX6*h`AT(mEp^lcBR_?0fI<?%*ou{65(Tu?hDoZ6brBrlHwpt3?db=M#@^(d#hgI z4y)6=k@1_1HnV#lco~5Oif84Y_^KX}Ge>ARJH}m^)%&bCkosQYz|n4@T3cj0iV-FP zM6I3yfPTIHmhLE(>Xz{N)HJzBnmd*Zg{}Lq;GbZDB>IW7-H#trZ+(&8lv7Bq%s`gM z){=LtaxJQFJ_?pCb&#Np&oDQFrIT{!kc~w$lzGSO<9=$9?!|}~<(!*0-n+oZG{&bYcQOqj! 
zRobinnFFqXGY|lfpjs0kLO(Kq_?~&sYoED&G_g1Do?w3Zw5$2k7hA*!EFfI>HqOpf z19|O+1jF=*SaSzwn|d+}m9ZSqfi&XC}eCF3W-1>8BMcmV-rVj*Qkp< z3~udm&j#rzX@ui;#Vyhy5LgNTbd$t_G?XYyG$k|A(p-`rq=g&Qv=kPu!H)it%-|-t zO+||_BL?`m;LM25o{~%;BixChrO|fv^1|u)IEzd2fZT8&ik9v7KAfqSBl!T4X(PznU)?Kaa%ORhDgK~T=_-zP{Eg74c&Ku`dvCN~h1uv393dD?Swb;Fje4oGL1vrQ=1b%{%S(=Ed5KU6q8H{U~MSs6K%yZulLVZT=6enrgdZ5QhNE~aL`u6@4P z#;oaoiAq`3B7n_YFX7bY3X5S(v5TK>B2j!I=aKK3G%fk7E5xYmYM0rPedSl2^ZZh^ zkSGLz$i;(NAU*U(xfu|M6*L-!M9zUsaGM!!Q-hRHg+w4$-#RxvnhnjOLrmsk#F?G7 zVx3l8-o?JFJ>a*zZzmekHfW*|fZ4+Bkl_cUl59PKK-*?}k9$(>2y$ZI4nhO4#5Aho zaMJ9cG+h&qd$>P`LTPbR-jv(y41K)YwBMFz?ta(n)NlKw+io?(o=>}PCdlQrwd;sX zbegU3pltZ(j_ofipRvjxiGTSC6bdq*{rW)28iR4qC6PAWbwbyXd^&bkfX zvZqLB=jFVF)MJ=FgJVrzo6kh?E`4t}nBPm(_(xBM9zld*r55NF2BRpvuz+*@RPeZ7 z<(5X~5_$Im!SPQw_q@>39FP)KfFdT^5pkcW8F$nGh?hB{oM&Z zZe*g5B;%_7psARt%v@c(i9RlpTS2Z>yTQzAL~te%{fP(2I4vT{mq>CX6QDbkK*d!X z!YuXEah!!af#iZSbtI8Pa7KQWR!^HRr>-N6e$@gP)1Tp5wb5*khy`I zvTzfOjQC4r76ygZWaj<3%m#P^oR$Vo3Y3(DEX+T)Jk4WeiFHNR+e@}Ly&L^veNY>@ zmx}JW{s>w4w-Sa4@9~N7${{;vsnAWEP3VWPmlaq~9ltl3`AM#Doni(@pVu`5XGk z_`EcFoDm`HH}WZ(S$Rc(M#4Q%XQj&I&dVY{VVlA)^j#q;!{=O;9`6v&Tq4=#j2EX& zFUT@S+(S+b?|*zDuyxuwrQv#rdQ3=s_>ft_*o8w>gcGc5mM02f0?m{GgfTQCln68; zN}d$~*&hV(jjeH7(rV38&3oj=)V1fC<+VePZzt{tIex!^1&OBJiUG_a%yt5_01Xfe zTP_CJj3MGc2Dq_m#wb7(WX3=qxPu?f4zfkC;18H-4TRZjs_QYn$Ztulw3E-H0JMiM z;6Yo0=HTuulPse+19vjncc+AeGs#QbdqbDSor&HOzMcfQSHhP>bO~@K`%6G-0qHoT zx{%&NN(<@gen=TWG3XDJ6^AYb9Vn@x2c@8(LLkrzNjc@GM~gG%(JAjBOeMYe-TdMqV3J;CtTl?bl?6-ZY+((NvyNVcKH`D?&RM4=whFUg`|2q-Y75WJpdq z-}v7F*RL$ufNy$1IN|Bsy zeV?>!T_4faECVSfa{)@1uWVZ~)ld)V7c;?l2nPC?O{NhJU1wN~r|7^p7MZg|@_Yf& zh4ONa&-DqMGJWooJ;-*iRNC%#FTRkX8}DmSIXVtknyDIjqh^+8$3mnW>iVu-;$ty* z*wAM%ept;~w)8iXfLkRFC_eMzlOfza=QMa&<1BnjU(?AlgqFyVs?Inly$>1BDdpOm z!&VW0_bul_*%<+%LgvuP&xs-FO$7S#TrM2NnU4=yihJs zwKkUPl8ULj_&o~cNEg*O4=vwalslFCSYHsmnMFYj3%KZCTbM)a7T{OLpL;OOpw=SV z%5t?t_oZq1N#%&soxPs40Pv`kqj#rD8a}t?c?Z3lD{;ep)rH33;sUL}AKh1~b%YxK zIR^DY7*w}`K~#ZOt8}P;P+~AL;V-f0kZ%etb~K84#~=0_#uuCxwAKg*2+odVSDZ!w 
z*_}utKrjR^*{Bfph z<_AJmoavv1pI5ZiIm6;KL!);W(+D*HZ!JMudb$Yx$Rc8jGP?RMF6P-{SJDTClB;<| zVxdkU6e~meYG_%U?@;roXaD(nxq!EclCO^Wj=YpFBkQCI?TL5b7p;4#d&zBax8Oz6 zI92|G%B@P~vY{j06M~iTTwg06@Y4_rbWS$-q$z83Kgw0xi}Wy>An*tX*~_ggYq4Td z`#Em4ziDI|Y}_L_B^V4Q?GdK&bq4(i}p4$D%g-|kBxjXtH*imElrW(+))|;Uu$xocDnY;!pju2$sZ5>ntIvz_}oNjoWFIW8Lz*L-G|&ns}}TgDw@fU zNkeUOVaJQ#FJKd?zom#I>4<6NU=M{>-53+|O8 z@2a?UlZhq%#u}OGnfphwg-bV`^iSj!df)ciUvaw}Zko4q3u&>p!*?ef z(B(LmQ^KSYDeO)WRDIIW>Co*4s{2(3<7H6v22KahzJ0jVrZ4|MEYCWW>#NGk3I@B+ zJAby8Jz37wxY_{5pu;L3 z@RgZoG9Ot-5T&o6+k^6)xNO6IgaP$+7}y5Ye;bNWGD0x$aRUaZyPH>G0R1;G@V__| zk(ZK`l9G|#2t}Z#G~5IuBmWXS5CM0r;Q`+tc<@blg|o!#=>6$fT`q*M`dsa2N}_p z)Gjb|vvt>e7P+)rVekBxsu#h?7b_DO&a|h|6&%cOZ`U7EKQzE2B>3R-wADVY-@;PE z>fdXZhA56aFLg>Xs#EYCbl=AEKst|F{;3UNUw7za1KON=)VM@A-kI8w=*(*Su2dwX zm)6lOanJI;qWJKtI5!hN8zw$9A75M2w1pqgW-4nFc$#|3<3`}CLSR6Gc0Rs| zMJQIsK>k1aknsM;#|F>x@E~*j4+8Ss#@X8sG2nb7z6n{Fi|Vv!YNLG5AAM>f>GPB? zJ(2UtufdG}FCmL8wdM-=xNR|zwusT)Ms|meRG?t!G?Rv)CZ~R(ccj8DTV~4-Z*64q z*|1TCdyAr;M?`B-p18$5i>myvWiRK9Y4WF=mNA+_T)5iO;@vEF>#v z;%Wbr2@h*)%_=EO>E2jh%yOKh8}Sx+rp~Zgy`?QzztQM=1`{{6#fjScHI*VNdLleh zOCG!glXER$nlejrl$(=I;MD7HW(Wibwmv}RF6`|bm9sclXxqb` zlk9U6ENq?M99K{~3)%79&L#{D!^Yx{fB`{L?Xak1&5yoS;u?-}&p zyT_NMSV{$CdqjCC=L&4fn=I-@7eDG#x6O*_JZ2X8y>|X^$vGL>8=r5R z7l=kq-=kp@bAoHyPQu6n`%t)u>N@ipoJvin|l_E{8@}K1#X+DO_^>>g!RwQ5~9lI5TP-;HO7Mp2Z) zxrHMY?<--j%i$-*v6;~f?{BX32OlIaoeg=Sx30S@P<5li)Lui5tTM<243 z-ZwrFZ(3h|Izc)P>67I*bdLm~$d4h*#>Sc9D#EOVEWyBbw&n&y(-ie)0endGQP~UoF!In6D-ykb~$&-Fz@tP&S0|& zOIUI=bgU&-k_iukNAVb;-Tqpfs%Cc^&CU+{V}Unnj_K$t5--%PImDV(dUw4GN_=Tn zqjz+SVp}~+#U>8;ez-sh517t+l7>YZS#_tA+9$9;4x;g6-hl=t4wVf)8;K4RDDB|_B|b<{stVc| zhOYR7J7VlvMcoKX`haj$)%`N9DO?1S0!q0=M7L*gKb&Zi79;0AyL)^p#VnF}DxzH+ zI6NI=?5vRw(fE-&oWX)i;9B*2ngs;lpY$qUr`7G80Kf-IzXU+np%KEX{cz4|t*j-9 z4yC?6P`WIDFE;~wJWDGbkVrII2C#>=Lv;W>sD?L%HmKMG{(w6`0K9=?qX)u6;Bqu;`z#9kx99Pp&IKUF{ zh2D!JG#Bu@`FG5QJv1{xkUTKoA7=~J8c566wX&7r1zs|LLgS90c@=uQe9y?@tQ8he zaU13s%xqLJ$otM=vjE{}>0mDjL4NUU0k( 
z2eAi8L~ooX9EY3u!X5C${mK>ft7xsQ@L#jiVY~FJPD3yS3mEAi7bP<*)z)uedpG-{>}kODak=@vH|-7? z{aVQv#oz9N1o{yl;CBiaI8K2JyruP@cm+xl{}0nW|A|-r6R-SVPOqDpQUa=2k%$W+730`~pwA)1rp#x5`p!M-?LuA2o-!8IRzg39srcB6lBo&-HJ zzE&CUeR=Wy@&=AYK-a*>f)F0N5&H=F3pen5?Alai0AxK-eW3KC553`IuTZV|*wF2( zWzDC?L8;ad$diVBQE$jwHC^>m$&k+qA4JHD{b%L6$~}hY7?SSs5EVk7?&0B=n>n4! zC%KI-J9@XNE)BB+)N6cKMz{YnQvcHUkNkP(_3zEF%o-P!;mXeENZSEpYkXHs*5>+O zV)74ef_)(9U99Vhz^!2?LVv4Frp$+6N8JoEEi@5~3X$CmR4 z`nJr?dW29@@o-PXZ7MH>Xt38?xx#GfQ~vn$4sIvHC#WD1v_OXjYV`{@1On1d?$tAZ z+RXU7KEc=h^|96W-Ws?iL;V)1+CHgKKRaIHloI}UYcm#z4PuvVs^|RpI@OR*Jv!Oo z`K>Rqhp&vDdT{+J53cMU2!Fh1dUdaZPCuY^^|neM#%eO)@Q$k)uXW&EnMLp0tjVgZABCJ7n5#a*S>;?+mH%7;1~Fg=n@ zv6p%u4=M-6;xn+&{YFGjb4_zHloN!bpKrWR*7&`O74Z^@D?3w`GB2uM3)p@fjRjJ~ zPi0uTh9vHrk?6mWq*r%(%kl6dS&uJYVv{4NXyh7cLo|MTo{hMi2^xcoIplr9QJ*2S z)&il!3-EVxB#TOlLf_R%g3{1Q0rR~!aktdeR+LRSjFBRT933ZkQq;`LvB1+S!StCP zT8$%WZ8dBGMHn&f_v*aC`}4~)kQ##@dN>Bx!SAmdSljCU*YO5+@ZiA-jU9ORLV(uur|$FWey zo1{=4d8WxDx!&a@kA_5v={VlfbboZa$NlTBb=FyT-M#2|^&658;I5!@(^~38Elo zdm(`1H>dlYqtLx~j({ZmI6hkj-J3xt$b!<_CW1Io5`{*^n=t|d7=e_avye&>#BHk( zIAKTX`5?RlgAs%`GXe3^B3d9wfcj2zlfh~c{zCwI{GDFlK(Q}g2<~`cV{U^dfGl9| z?yEzwLa+cV43Z1NSpWd*6KB^P{YG1yQ}CYWnpmCU-mZAs*e9z~JGjCFoSMv}*VxXh zmVUM}21u2?Ty8#pNlJ8h)%~(YW$)>tFw-!X0(rZ$m=n`&4YvL6Hn;9p)V>tNb#!;- z=#pR+W#8SeupC`HaWYi?(E?2L3`IG<=}c{R?zO-^(E-jmO7u-5^-s%#-W5pZHH+v6 z#aK1zm>N8NBZ;&}7x7l*b4ASW4ozan?xV+lVd*LBUP;$43)S2wFQGlvhgEWMyQt?q zTcRF3QmnI|KEdohy0THEI5K7Lkz-bFHo`Ec`-xqhXnqJ7 zWjqTOj-=f_=1$x4fg=DIP~Zhpb`n4V3jm*yNGNGyK`azZ1>E);1tOpURM-|^kWxsA z9%E-JxBsF8I>B(QQFQ)P4Ktz&RNPi8BV|CTOA@o~g99e^--uj>x6ipwrgX6lc&WRe z0m?w=8335bP+UGcI{w&)^v@Y^LH$s}S?~EQyIy@~L(V(an0uQgKV=F4G^Do71CO5`9b(j1k)?yI7>9UHL zg^^A*i>;)`2wZq^EOtPOn?v5XN_+2Y$dPmA^iGYuFz;=vq`rQjU)RoEH~iJV`ix)H zTw|CKt_No6G;=lC$%Uyl(-N<;5|ozIgH%jPoAfdx3v`?t*DdC6676qYAF*e;sy|;4 zmQjw=S=|C$LOjnCvH#et;-55XrEAG#B(}&Oki<|L(GQTf*|csoG7D?EP#2;QmU;V{y^0C#rC%tO*P-1VH*>&^9&mJ2Z3levy091)c763CO z&yD9_Z%~N$uSAwsFLn&au58u4@_r_}U|XHw&~mPSBwV{bt)}^I!GIz0`xhIQDduV3 
z*dsER>~0Xs1pNK_5})U(f)dUK0`gX;h*eDm(IU#zx6^Vk`=*DOA_C&0k568FS2>%r zxfuB5a;#APik9g+BK`#L?i2S-4#)Uuc6GXkc%WmLM)6d)$)J<4C)(j6Iz{@88g|3ru7b22o!Xa3XEW$@ze92(fM* z!}T(2{A6i=L-ozFVSU>bFf;7=JFgOnFcah7I`96>Q;Kggi2^XJ^*`p4d0rY4d8b;7 zrqfESuh!g_B&+`(_#5KOAJ7Pmg^X1M_xl`+LV>n1LG7&x2_N8&v zr_I5h*E^d|Up5N*F3)m)-(cIad_;#(xnR0aUBrBK=auMOTY3b~!qr~(+Ehc8$;av$ zS|peEbh^aN)_-^;?mD?(aH!znST6m3~XSf4Vd zIX}XlF1G#GYe<$-TO;m*W@JBxD4Wa zWY-_*ElpmTN=JD_0gks0kxGtYte0$g;qm&-U1}U$!@?BtW1otSTwKzu+*9_w9E8uo zdr|UoTC$Jamc&bboc$L4GLJMzd8F(`pF!C_Y?fIHEt@~`rmeDmE!9>cy1$)#n9M!@xjDIW?wMH_l!pt$$MEmtJLCR0@CxU> z0jkM_=b~{!u}YYlHNFrP!Po-^fzWUi2NR2P3>JikK*1nJ1{50;i%bkQW}O2B1LZ|P z_8}x66#-7ngMdL`Fc|Xf_YMCoKy3RrxT4umEKCq9C=&u~bR5lv;{1KVjDVf=C3w5| zy8rVN`y(&}lNrg^o#cx?fD-skSP@)?E=0Vr0m<(o$l{`LK} zf<%De4Ey7(;0O?ip_iwvO7Dm=&!_ykUE7<_k{n+k9drqqFO`F+&Zw!$yS`Os^AbgS z#=0QGCq0Xc4`78!;a4i2mNbaDPd^Gd9%7S!$lQzb%ydV+S)Ze6@ndTBC@Z3q_BtD5 z$UrTTdrHNQt(-XzevitkY)mvN2UP@3MU^oV0(nCLY1l3>N7hj^8zdf_5A_E(R&&lbuC zjTERz`hFzS^w#K)L|k=i9zilW&;`=gH;qh=3TaPSIAN_AOr`2_Mp)HqKQGl_ZL$L@%x$)1=&BLgnkcjLiwS* z-MZHJ#lEXJ7K-M21J}G=6*;s5h5Q{Bg9@Vfuk+5n80goxIKmMHe(~LQGU;`j#%{`= zk72(8_a6g@fnzY?L0fp@iKVo?J7CD2Pn@QwzA$3Y1paX~R_PS7vB~ijPoib_kSQj$ z+?XJ6@nX}C8vPvoQe#&6nEWlRY4*^1r1T~56>3czQfLFVny`7hA;yYU7{}eL5x!~j z3o^@KXxGHOmKMo;dH6(3KmTI(IeIK{&RX-+LF-RFQzOGCdpe%rKi8_)yja}O%=LNZ zapBtch7cV@Hv`scCib?K4Ox1oIZ=EqAoW%^6nQIk(#_x;bEo$>rU2H+)%Sd3#DZ)q z`)+|TO{LN+sY*OdBuae-Mo6U!0_&8k}SZblAZNxOStdEiK4mGk9RhQBE-X5rY|=jpg@3+0yHjHvOTNPPCk4~~ynl3K3P_rjhb4)Lvc zJ9K!=h30Mt`U`E|lkH6EF&MzZ#$$Y5P1Cr? 
z@`!yd&eJVtSbf4ZAMTcwZd!w9s~haI?yIS!#AO9}xsQ_XBccq$+=Mx^q~1(^L{)xf zYH59SShq(Y17=YiJ{52xW*YI_tKLBdE0kAu)9+)D)B!<0#W12HDthROCoPRzQpoxt zKF^|YD_DZRqt)z8vR+xSJ{^-{Aa#TDU+)0a{;4T*^O7Az$-K!~>gVjOVAJc*M!e81 z9N?X#f+Gj|PYXT7&G=O6-6(Q4*GDGfb6J6YO))ZmGka?&8SW<~J~j<{B>b%M0;J0rJZWXW2b~-gYbX;8NNHJA+2clnmEJ>|}PnemuhXT&bQf}GL{?TZi4 zOLxxUo@r^^Pm~*8@GWu5#wrI` zK1m*xoT%0|9!T>m_-O|8FsJWKjPaIG$gWfcKL{yC*iD{kmc?Y`?5X$V06ojZ`BN4=%=5u@K0JNlM|Y|rF_h1_ zB){ZfoLv?^TLS3W8Vr(0%R*|iP!G%Sf#|v`o25`X8wd3Zy?X9;o?8IWvkRuE2g$Eu zO11l#9=c7C?bUmq{7g1H=gjF%eBTs*1L!$8n!8BS^LZrYgJFKtai%;h*PdeUYRK^B zz1Ka>#S8z-zh2$SxFdpX?~24I1yXe0Zd2G8V08}Y8Qd+IZij84=OUGT@15T{h0+Z8 zc|Gs?-KoCovMHpSF9Ui+R{3K*vw>dVlm?rFL1zK1VNmZhqskHOUUgSOPwGY$r-E4V zXfiv{3o5Hf?=iYAaR40YiAvMq9jwJRe?$wgfCmW*Scajm^<7B1V-!<8u<`owAj z=;i!Jl#kZ?(7wdKeb}kxkYZ)Gl)SZkX5mc76f=%#B@E~lE+!FT3fBECkcEQCQn=8? zDw|Fvg<`SFqQN>@3+i7UD!S&{$!vxdc*7@ImMJ2^GSoaB=?qU8qtIz>bi6RIsQH?gSLV_qYB5PKgCki312T$uK6j0`_JauAnPVP0znY%IF%`@BQ z_vV@6U;WlQ&eDkT&TcBjqE_O$cWuj(Y-+jcG1XYV{*(=c{w{9d{3KqfJ@V@@&UaL# z!j%?Use5P}etfMmrMp^Uja4Jq3Fyf`Zj%N?jjvkf8@iT?r*FUF621gqLwJ7sJkmnj zaSH@`KcY^xCG-MnbwfMrP7mbQ#cxGS{TCA;S}5H%P}OqDLS41be$R&V`{HyTqD$^6<>pidaW+O4Ejtx>2YscaWq2xUVdalW?U2~p`n@8?`ph6jt9?!ehVU;y1KwnVBhs0P7KA>_KN!nc|PCpdpv`i};_6jt^ zVxt3?3xU3HRq+hv)RW!vOy;ZfQ~mX<^Nus?OQhuj*_7r9$CDJGFZYy~O!bi%{J!dW zE^Z_&`lF^fO`CJ-arjF{=YB04VW59J_ZV#<$>YC}R-!=QR$o9DM-xyQ%A$8S)L4q& z+203x>J)@^D@<+_LElu?0DnGBu%OO!Kj9kdK7pJt(*r*R`l{1MW-xBZa!*EzCW{*6 zU~3&aO@K*8{cx8jb!?i$3g~N>gGVACm~<$MxTVCY@^+`lDN_Y!$1ld2MX3Iiw7~#< zT?lhLV>aac$~#k^DoyUXAP>(Gx|Mh+I8jRNeV*9}&^N{wcz!+Lfz7UBUc7D**_v~q zTfA4`a(15Uz~`t@&cD{bgQcm=D6o8ZEV)Fqszz|@M(TY-Ipnv8{B@2A%5iOfy?;9e zT8k-O@>M0bT9_C+pQa8m9~g~$U+9}2yt@wcJ(`=% zc0-|G%P2c0{OcV$^fqw|-A25f&3n~N={3C`pdY5qrK_$HWHDDy-|2p7?B(Jp05kdK z?Pq?x2h6{*x(W2(&y{XmSA=S+gT@C?96gp0vk~g=wE47sEd|otT_i5 z29B$}N&Qf6kE9hCDK4sTlSkCQMghGhIQFa#dwbvf!6Gr*aTxwdIBrL5QfWBN9>C(aLdVP_rJUbve7qcPXn80g(?97cG8GZlEtt$(Q? 
zaa7_4JN*PhuwCG{4Mt-h2BGZxlFCpLA!Lh45h7Vq$X?cb zmA&kH2zPwH_xruw)4jj@$M10;kL%%Ke9n2E_xbpo_j#RT7y+YTW@IJ%^NW#|^c!@A z?m=&&0WLsdbJ=&%vKZ z)6d?~)*a_?H~_*Rd_S)y>3YDzAoOIU?MP@C1VZ*`9I1tIt6_d{5vOM!%wIj_X(hHr zttrxEn4oBb_{8_b$v1jtExvt?D8{SPtv)C(ziAZls*@{R7)Vv3erYm8uC@`pGQK=~ zbYV5c>|x+Io^s|O(; zBO2|fL*#1f?FNRhs*~S7Z(2L1_S2-T z^z2K9=b1sB#VsvIOBV9>TWL;5?6H5VE*Z5Bg~A|Ykeo0GfwUs-01Ih#Ir-s-t4<|C z0f9rpmXMid_hmMl7zGoUYv&Fgo1L2-gL4ar6zGyk z0jR@EM$RlOg_4y*iAdT@%gEZ>*^2=((vo7*a##g11qBBgF|3q=ojgj$UPeyJ0pLC? zc>>M>u!XSL{ZQ}7I-T2&W9qdUGA+LTzB2AIV0;L;;pYL;S+lgVG@{NrdV6~)N=W$n z`ii^#+3n)?csB_T7bm=jmxMjRRf5zsr2Z$hwYu72Q(r#(AqL2bNlJ^8b^{m+O41)q zPL6;;;3fbXF#K~2K%+GNV|@pLx7YuD25*4oaN5ie$N?M*kp0}3q`REdmk_e31eD&b zW5_hVW}UQ*aE(f2ChdGv(O?L5xrhZfVz9~aedH~x&2w?J(da^p;eO{Mb3a;jChPfc zMkiiz`P$ujy?0`XBjLGE1s3EpOAPHS!9k6#|mJqXAW zViXg((g=_OGa!fh0&*DP%gba|djL{;k@flp5eN)}0&xww8uIr?1oCU&Q z-G5{w(iYkCMakpn4Ky+)%0y< z*X)`G)EYrMtUKi`JY7aV?>09dTs>iFFB!ndZa_CdoiERtbhBmSbHvm8X`(Y5FB1Ey zzKp+y7Zd}>$8^>x4DVy}je_4r8rfD$3l6esJdf{tF=en`8og%e*^*I0DKKb^C zW|qf{<0oPhJYM8->d!x!O5b5?9B63&FxxCKmAZH`9yXt_8vm_HcUPT}i8`o4o9Oy! 
z8Xh~hAqAgffCzg|ZHF@}AMjI2I9}B{s4;l;sl-#*yl9uM*I#8a%|YqCkZ|S?f<^Y+ z6XMdQ40A{ebbj*k`v+G$mh6cQrT(fB{?Wk`=z`e?*AY&)SpSSe15zC70SteoAS(n; zdRmkH6ovmXmX7>&01FgO!-XU>Ci5Y)BU2|+`~5k_Ne@3P69v%!l>_7ej1&j|6nL6f z(CS};%o*$ZFJzoBrBqVnb1ncb{SkPkfH7c{Wss#GrT6zhA_dp4f%kjbc@XeeAN#*T ziPXBJz9ls+saFq^4-g}L12X@=(iyHdvB5pl!m+yTZid zGy_>ZE3@b;1&i4gKG$xO6^Z3uwfyG)qFT<`=sE*-^9yzrihH$HaLli+rZdJIOVe-m z?nusM^8S&QZl_KiJ;@hy*1f>S>y4@!KSYkme%gri#fbT^wkK-*9_cP$_ixh=+~uB{ zN#-sWrb*B{5ENp#zBLf=sOM@m`8)pw`rE|x#{DsTkSqQ54-J~5(nfa`=%;Kh4swv+ zT}R}deU|0BM|ot`^Wyu=s1v!-?Rk6VK_8rOtcgLPtHI1uwDEDu(GhbKoptI{C1Mdt zH=RW+12lHfMWOG+j=%hj9wTG?eqW^lQ}#uwA}6ND;Ry2ROmRSNLs;|$`KJ=JZ&;%7 zdkNyT3Y9a{O`j(_1R|D_&n^kY-_}x73O$A!+*Y@6Xs4~+BO@BD`zYlXp8R2`rt1G$ z%mC>uaMc~XaM$U2Dg9P7dADX`i7`tk_bvc0l9RO^)^$22J?Oa55AAYIrs?Z)bM~jH zakEC5c$EJ}D?=YpCQYbG!6+^J&t;b%x6Wp(ihlF;*k(lvKVCj_B5^0q|6Y?5-HV*# zJme|g+gP5E4K%O4W?}Ggks*xara8vp3K z#jX60mJ*)(IpSPuSDj4orf6QG)D7M(WGP-RTv`aDc+05kCo#Ki>+1=bZq9GV46X;;H>_AiFv1#fRU#kxYIR%e<&%jbk-c2LA`wm2H&PH3yw zsP*$aDAuG^W?aU#% zbyQnSKvHbXv&0O_gLJzhRI~W8UMxH?nO`F!cWDInM=fw9qFGxSs zSQ;`Hxb*VbLgR6+*i&rH4d)Gss>OwB+pepce*Jp0| z>4iKWazfS9LiZB$xQ_G~aOR??-O5#O6kzn#xQPy#NU-0K2+!F`-|Z*T69i9=Ou{s! 
zd#xf7CtZ~81Qxp=>%0c`Z-xdRMvcD{qbe;D#s`agMbnfwpZI>sw8m3)P%V}lrt;NySP;K~eg7%eAWmn` z_=b~@6S4zdIv_-|6tBDR2iCRMVK!~ndceNheqL}hsK$5&D^?$PAk~s1JQ|gWVcusG z7nNLTpK=3xp_V!Hb7jSc@uGtZ?gf~DCFPwjHT#SXK9^RfSt4{b!2b5`44qTIlxo6h zb{a>?k@8-u&jS1cW0flBdhZbO*3W}I!sZ(Vd8|o%7N&fEfnivg=k0zPdk54dc{VS+ ziV-dUi=S>OFvsGbF17f>_647^LAX!g_KDN4L}XJl4ivgGz@BRC@&zL%%6Y$PH>U1T z{=G_ARKi3io4V*DxV4?rTx32A`-sRP4Y73W@^hr4V;YR{B8KT+>HI2R{++p>2RI z-@4}aE&xj2>mgYo_r|+JM3V3~-+FiQuCYZqrh`5E1x0Er^_D!u%RW^Da%nD=E(JSW zXY%(7I`I>Q!$cae=a7;XIv}@O$V`EqX4Lt#I3@N<{G6K!Lq%8rJ8W;yFY^~k?K*W< zoVYK0xn8e{R)Eqqp^EzDT`je$~nlx4#3D)Rp1bsiRY2z~= z+nd0e1g9JJnze5x$DntC@{n> z?Ton_lO0Sm-GukgC4R|U*BBG+gpU^ENk&ztUb|M+FNq|V$jHk?6MB-qi}$oKg6rd1 z1P?r0N9aD5a*JQDZ-0ypXml9eC{OCBJhg#T^s@nb&(+)bUcPfdCOKMmk58ujc*nrw zOTWSF_;q5azJ1T$2kZ$hrz=h1&cNDtm9)E^uuYGz1r$9VaWKzmvE~P&CmMe7pX)eq zUDgjSK4y&@QyQ%etCuVoEaJRjBjL81EZ9E?_I?7Tsj{Lw%btNHlTYhEtHb$V}-j=IZ{s!zr3#uJnM)XCyBnuUqgucIH%+XcE!Zb+vE=Ork>R@>i?88QsI-hS+ zs&_s}Y3hmYNV8DuP?=?*GslYzUz9Vuj05{v%aq7X_BPI-4+aenwW&SVR`}%Yh7KOQ zR~#QBvZ<7UeO$ke#mb$EjfB#oWNK$yTyg)k824LRNmzCQ?;8uvYOs%Amwui>_I`^M zn%!}m(xDwPucVTtEc43n^4Rr{_8YulpKvofwrd7?9P!x8p$7i8e8pDhUBghVPfR3ZWAws*%2Us|f~}=TS)K*^3|%L7l&zz<>E7)A z24*g1o_qgODV&V^%Imf*MEMJ8u+OVt<(4(=%PytW7O?Plnat&(Gr5yL=;U)=M<>#o zG9T>o*CY%RE|l$;+@}oMzR**HoVT9dTEZ{qi6p%mv(`)i`x3`fUy|KU^?h4&yc9DO z82Ou$e!B|Y_><7L&sfGV(xJgUc3u_w4D2fmxTa<8xl0_$6O^drU`HFO zY1-K-gcXjrIhKx0(wc&O)w17Ec(!h{6t8_!j0{UhlBiTE$IPfl%=s{xbpbP3u&=&G z8B3lHyS(yI&#gj4*1wsmu2|crWN?I7#8>fxWA{e#LoHG6ueog1)^SoXjlVp9Ti6>4 zo-PW99v7@AICegKpf%o#MnI6$7K)ggCN|y;2G6IJUg`>a)y#HyiV1UT$_lmD+^OKf zhcwj_b@eT{$0PAz-|i9_uiBS&@2WX#1+l?M_Z-Hcw4d_GaLhoydy3!w7T9+x?Yy$+ z511`Z*wba(YCgT)c+%)ht%HTxfXt52hH59+54O*x$ZX(5WP=RucDz03WNXci(EaL4 z&_CM=W&6Ii1NL7<`R0@^p6$QH)!4SG-D{yOzxXovS;SF|J9vxnvYuc3-l)5Z(6@-U z-YO-!$41_gRqQuBOWc-Jy&YBjma~84mwel|FEH>EZSDK9`hNQd<8HScCOX=@*Di8_ z=}OuscQ*)lKKotel0D+7dTu(_qMkTH+#|F_M9HN*E*~~NZp3|-U;3wwozqq~A&BXC zQu2-Nebc_w(Cwb1h3+s-q#9bFvBe5p-?Tc7c1opoU&pfWtz6fcO134H#GQ)NqJYOo 
z7V_;YYQWxi^ay8F-zh&;;44Ypz<6u< zjLN-F{#0Vg-JYi{u_(>xIixTf0rpDJXyel~P2KZH3r@5z7pfHv5?K9vno~o>dYbZN zs|vwB>HgyS#*WdrlxoxJH>J7J zr7quTwl&E7EPTE$Ul79%Xo9`w+jmcVkXQP?~#Bm^cgq=cLNy&f)If5(6P)Ta1|cJp@WRc}-y{p+D(Q>P_;nNdYYTr}0>Xh?2o8eafU(d~bWqVrkae^m zBw(WJ1ttl$o`t)uowJPx%o#!m#=ky@L4u(PwQ_}EZt!4Fl!Hb zX_%V}%+12X4t@n2nC1FB3JJr1d7fTLR*7C(lAZ?)fq-c#@OZ#rUN9d-kPpl!Xb4|I z;7i`Wmf+xs{}mU(V6NXTGXLYEo}IH5%-fw_NA|t~y%N-yUe?Fb*238adc6RLfEfRL zeef>;B?Lr(1V4_A90CF%Euu_`GU-h)+`QlT4?tex4Jky&O8X zthcd1E8wzH!@ubS-oMv8xbyOY-RAZo*9X5_w==sPK7xj4-0aKC-K$kc3@(HZ-%Z^VD;zcSX=e$8kpH?NDjEqM508-0T?jiLzaX!G5SZ@T;w@B4FnJK^gA3`g zeDUHD8{$c$d7a9Kqm40UV6AI_4pkYf2$s*kpDz<3W$WSLBFxS0?d{Fw^mlY~S;CyS zT^#ISF7DixZjRh=f8g;B4`XS`>mW9}{)ZEMmy?H&3w|1Gj*ba`W;8Sm5C~NptOC%-((zIds$qsY^U>Bcw1 zF;B!8Lg3?V;n%^vM=2%IPQfYsIUDjFlg)!TPVkZLJ@k_kr?#s3Fq_$EYHcsKb*V;^ zNKFe_UF|DjHj%d<-ze5ieZ=3Y4;U#nqvdIONtH3SME`PhUzM=%%so?tu=>j8IP0x` zjd49D{-M8C;*2TU6AzA#;l=q@%p3+|=R3_QlY5-CscfI5;aa!_*TOfywGi6^`)$-O z2}A+BEO2nr|BAkdfQ7DO7lnl9pV<9FBI&hl?cA*B)h*mSeCbsz+#H}DE{+zKPmOTDM6l(ZuIL`#hQXUVSEQi%)WpjKwX-b;GT3PKvEvp1m zFUcRFt7lm~(+C_2S4*Ie82`z=l6Mu-wYNPseynBxKp025WtHjjC))SvKGF)J)mzc= zE=|QWD!bJiPk)g2%yy4VZ}o9+JlVe;i?SPk82haPpR=6{ILpO@d z&}Kdiys;aXSK?{fF_{FPbe%M}`d}2X|IGftryI5#^151*$>piT_RmCu*>t*%PpNb- z*l^>Ou2@(JAD+$nm%R0AK^yYjBS=hs+VgV>7T`$maJpOeBcDdP5W$A2?i?jr`Y}eS z)XRMDOUxUGuDYXn5x0sXM@ldC1E%e4$dUqr4+BXy@M2>`Bg1yq#$QQqRB?u-Jho>y z^q2Xe`8;@tle%qLa|wy)Tb5Y2dF={sLs8UQ=nd?fpDO)}yF(&X1?#x+`bi^Um+@Tf zLXDp`dzaV8n8OZIr4CqQ6Yook1XJ0}eU~#YGsqK;skl=Uj*Pxlbzj<1 z3h$ej_hIxfgnYd`-16ly@0_bFVI)<0-94wY^XQ%)|BFpE&-z+(6h^J;Bww1DY)Lw@ z2yK@ai+KD5{A;sy)$qjp$hfv&PxbC3PgrLzBm~q4-)3F#A{iW<`Tv1B{O*e>LIg9jS80YQ`NID<)a4f(mvo{s!wP z4i9;X?PYAEI*{vU*G}$A#c_mnkx|&q{9dDjq2^A)`yIJ^iL=P`Y}U=WmnANy9P{_* zQsPD?6Qj5%VtKwJtHiY46I_}X{Rxf5*!jRn0m>C93aG`8Xv_9OC2symBjKrq!eY`W zRPeU1=@#k!CG7D*r?HP8xGk<9>N>1Qb(kkI{o^cGBA@p(?(0h!9X?srVgSchu-Z@3 zl>jZ8PVTA&e)mVXbWGgIa@BUW!bJ^f3pWk7IW_y=yqdB`$w?KaUcI#0UR;mG#5h0EI{8l{w4trvx7* 
za0n_rJilZ9&hPLq{*TxBtFsCFBdyCxK}f;G*ZCL|7e~R}5lRoUhG*S>S{qyp8JMSy zqlG(!0!((zVdLUUTR6j6JaKxFCFBp6e4Rxa|La0&d6M1L{UE4c9L_YdG%# zrI+;du!XtVdHDXyzV2>*<#fnjOK{--jhFwePk%iW4la%s)Y8)pN-qVk z9w6*s*595o0zCZ#qSvysafbJI@NM%ycQwOi*$)zMYOO*lJBC*utSL?A(Z;;9xXErJ zc-%DJlGQBTES=$9p%#eiav$d+&}qQwbC4-$vdNk@auLtzjbuhyNe!;0+L?ck=4d{o zye-<~3GIEDj(dxj-R^An1;fk$#wWE`jEn1KMw}ng_-?12i=u}H#aEGX0Z!J(Yr1g|Tbx1(vDx54#Zh23{Kd`-K8-(@@7uLHSUo_rPx;7@- zpwE%pgFe<$Eqg_C3w#g7f5kOt^nY&ba`GLrK|^zYb0imuRi! z%9x;h^cE>PPDuOZG=?n|f%rVx$5bM!-+4SZ9~_(mD7t^O7EITz#oyIE3JN;*U%d`C z3ObnMceft#O$vmEN=HruZ(W?Vw3O-Ppw8Dl4Akn+nE9h1u#jgf48_BKQDyiQ$4&ix zBJaoXFaMU;tCF7J^sv>PP@u-$YJ?izdCX^M35fq+JwQTC0XiLP6Sm^J{>$JBrq5lE zRxj++^LPCA8Gp4(0C;NmOGS&tYwkWVMf7bxM*PZfvR!C zca%_x;DyMiqW7rrH1blR*kSTE>xJJ+6~BBM8+(f?&28t98!#KT~53`o5~Ks{;xOHZEu*Lo5K*AtiDdV+;V zEoA&G*-yO(@Ls`^e~&|ONHDZvj&@FP6~X@%8SrrknzWreycwkdQ~lb2B&51_ZXTX+ z1^G2mxGwGCV-GMryt)?z^T9_P0(=6ze1?<+JYXTAUkC0&gm}S*;CufviTjtyzh*Ev zxEPYo9u{s;cL){u#_wHD{BJkW@_Ycl#edq>%_QmW-}e^a8hO*&B4=s63tIlgiKS@fk8!AkMCl0B=9#E{Ky!uImw z#h2A8*)Nl2dTp^dMKSI=YkE@`J$(tE)qjL2$XnO>uoued$ctK8))T&VC>0^`WYI=xu*8$)Sr zW+M1J7dIv~MTzh|1`OFXXH7WeqV1)4M%3HyT2ZN zcQ$2wC;CD0k=)LSbOrU(TqGBX0{*XKKA-#R{;tl0;cx2EukjWQ!F4lzT~wq0$`rqw zYfLaY{P1C5&-)neF&-X`5Z+RU7zs3db*OCm+0oQYbzp7g=PpGw> zo23O8yx4`y!{0*zPz3#77T~C*mpj)#My{`gS-QLY+x}ms8hqY5_?`%J8yiOUUX#`m zdruy$36BOEdQ>Gae0uVi3}KOh*pa|OV1d8ygbX5Q|IfahVs7sgW1_hRRuh{q;+?ERwn( zn}|eup+-?gEm+Tm?O(C}0(Y5d+S52*2V#fRG7~4_$JFg(}ca+vq zN?>*9jz&;ixxpTGtMIVlj@5iC{8nr8O9qZ_lFPF)0^@FGe79fU9U_=Ng&ye|y$*eS z5qyj<_w7gYH2dikMVt=p5JO#k=57KMaN2KvCx!kPZhQUIwsSTZ;ZGm& z9$HjNykjIXK6HMsz)dN4NxdJ1w-}e*Y(^3luW=$xelO-l)yxJ+K-GNgg`yzpOPQe5 znmlLi4`pp6DCbwyL-^jap9=fLm0cWaieg_psMU~#d z^v7$`7A8;IGxar1RQ);jd@bcR>~_zEL?+RxS7%%s^tbB3_al7D{%eqbT^fL{MF*AeSJ??4 zm|o|Se~JjuAKgAi5a4_LwO910ip`Z-w+|mV7^i#~bXg-cNMrIhheK-PnD1O9f_1d<-_{jL-KJsi0cK;q(I{|z7 zhxpDwSXE(Dzlx&V%WmDoMv6P+ecj6H$r6?2lHc#9NV7OH{@yEK_y=&W1l7;mK|1k} zFOy1XZ@g8bDc0O{dLa>4X09ShmkiCr2J$D|p+!HQp3fu`xUt;+u#O_jH)#}(aoa&8 
z?NOyO)wmy!@1LJ5h*%xs#HxAD1`FhJkHizVI^$5qJh1V#4|q;hBYfWLQ9D0 z%R5|y(>1{icn@Z#MCG46bzn7Q$3_S8z2#Z=@rteT^?LQ4LdQ>zt1+7hg?#s-c|173 z>}laz19|=P)SCxsg$B|u&&`+!^Ox?eE9(!NVmG5kvU=K9WVix(t)$+Q5Lu#|)A`1NoUdWC1kxuCd*>E8+|N+n^X6`N9t!m>#_vd1ZcT zdh`~^zp>n9ISpvl`fA15`RIywpor~bM4maxPjW5}p06VtPC%Y@U`MlFRJb6PV{Xs6 z%-sJ#^v6o;Pa>$N@!=+En4%1jPdxvGZ#Tm$5id@GYs>TD#U$1;GZXVtqnN^Enp^3y zGLR>PReqk>y;KE@cpL}i2W76l31UxyJs$KJXE-8{uzd>TDO81VjHCxjG1{gi)X?~7 z#U_Lv*o>!sYryBaRsKF17s#_enYbgxmHhLrS*KDj9y6w6?uwEh>`LaG+aVET_e2QD zbGanhM3kPnYtTKTq^lsHacR&S;NdF2^`dO5gwE z7bg#4cVAbX$1WuHUTzfAf_W7^D`HvL;ecbB@LRv3lf#F*47R;g9BXWbOF-WB zFcCJ%s1TrCbpJuc?Tm{dLV9n46B66)wfWAGOG{56AM!zDy#5qZdORni_if}@wt?iB z*cKtaK8*dnu7IAI4UmtSkvI67)^HME^E?&D-omDG#xKe_;eLu0g&RY^fouzqkAGYk zJ@E;f8l%D;I>NHAu{R}psP42CbzU`t-x(xN4dknLsv#Q8#O`}(&$(=fg!Uli;Wl7l zUdGIC0$Anm3=4pKAJ(f%InS!O56RCN8=5H3<5COmbI@%Uled_}@J97q0Qmum?y|al zwqRFr&B_9K*}gMu*B3cb2WHX!ha8eXMmJp95zVAit7R9ooeOV z-g!&oeXIWDGd{mB#yc6Y-Tv>Qv^hXt=tB?7<6|YWG+vG-?=>QnEr}1ML6(YT=qJN< zNa&QvK%VC$6}K>Fj<~Q}cJm_I%9`bB)Zb6)^#(ETqj=Un90a{3oHiRNO0Pa56W==B zt=6yElCx*QroVIHddl!u|uP&Se`QcrDRP;kR6ui}) zMQwgGW&ZL^bEAX_)C|se9U%X51D%hc(?KsHgEs{u?{=d@F%)CXG>NA6E*sm}wu=Ig z&!e>5)1&B3t>^lRZH-YUQ)*N|*Ql5CUFq?QFMVU?-9Y}ML5(h^4EkD}<@s_r0XTn* z*!w;kL$U!utx=D`CNYAZe5lDqa}qNWYz)@|E4D|41hgZ4!)+N{$rx+bXB>k#0_{VO zy7H;Qkf$EBxN&8knVLSKb)OpgtQCfjcz|q5_1g~6Dz6y7@wuo@0a9y zM^BLA+-!t1qVVewLVVuwg%Yeu9!}7fh2F>E*L_~&{S40`zAtPTOhe`2c-8>4-$wJ+ zNecfYT1uyHiM5knu4x-E_n=3_!VBL{KXr1dJfQ)bMFV-{O$Phd z2UZ{nx)Pn;j(Lf?l0)6Bz2r0tfogquuCGl%-udTG93zli?88)L!l|;#!qH;-sHj!6 zycqNm{oAvxwLm@xsakp3PjWDHLHy9Iq3NPMe_Z7&^9v9+^rA>`{&{ounAJx&*c zh9OIJN*$KuZP^DfBD3Mw7?o$Qw)7DEX zH~@Lu{rfzF9n{uC;?W;dKJOE!l4W(u*7po@J{nZWD$JJ#@~cV^LmhHgd9m0;_m`Y2 zR4OYwTonvAFFBt=@=i=K-vIefJvhSk!MjoLX6%^3Xw-StI@>ZGUyb5-Lba}779DnnI3WMYmW~X<@R`=;OsTzgtbYU9 zg@Y=t->lKZh4Z{zzTp_iFN}(=bm6bp)}cmDx#j7P@j#JTd>ZRUD{4I)>sOmLQH_XaMG9W8!Ul^Pm~{};BeeDT~Xdz z83HS=r&aaG^~s7N#G8T^k}tkv_Mrw|MM=)fcL6!<;j^<=sC>JgtwrI~9veXW!DTOo 
zJ#X&NRXqE!Xu54j)Af0u4bmG+np8$=qg&eK0^}cS9W0Q2(;VL@-DZWfOKp;iP7$0c zj6U0P)9fuaNXG&4dByLL?@f!pzLG*}4TzW4V#;9;Fm-Fda=r>;o^c{Xh=(b+t~bY* z!zWz1bhj>a_uV8FDUQ_NjFlnZ8|$Opun*rBh?aGsnEt+F%hKX6Ig(vE zwLmvYWTxqdkRO9o`IRkg+nCDq6(YH5D-Zzfqns+Trp82d zTzx<>#ldn!e z_>zrP2>kb$a)R(1ad__EvY!P+?!pWl6-d<26JlF~O1ayTlz=?8=Vu%mm(RshM;^DG z8q@~s#RCoO`FXKgdL7i}J>5)!Jg&xUBCIckNWsgbEFwh8f#YYceet22*5`U8B2u2U zXF#5ys4(k|26*5(`6wl!T?!kQf<_jQC-nx`a})hkxVMem$V8hl z#t!3~vOh@yf2Bb#=1#@KK;RQr5?l@QCRU1N#tE(h!y|I*8F}%#lpx9ktR_y+a)CTm zViH-|wEG4LOPSBDR}ZK+b(X5Nf3W{>yX<0(Aew0g@-(sf-IvYpV|hpSY0WZ(&-mu? zk0{penbhftvgb#YA?#l|ilm5xCDX%2P>5_ReswTkL)(uzl)lMdp5E>1rt9d-%mCWwoOm1` z>~ibv){5*+G25A4@O;O-a(i>&jgQ@$7 zG7*WTPHMCloNu;(`nkHv-D~*~^hadt(+*!ee|K`ijX}FGo2Vz`l5bBZur!nlknK{` z+zo*Khzs5M(p+Hpu0YbJ&B`xKR7{#-&7@ssVQWZ0GLVx6q5hP>9&j>fs!c6l!vU4P z0tsKyfb|GMKN)aK(R7#{wR z4dq`vW0l0hY?S1ViQGoW*Y|BYnQ&*j^BuxG21v&0maJj|_1$5edT&f%o+cGG2=#;9 z6_sV3MB@eOo-YXrWK-k45f?WFfl2i-nOM(xKTjRdAHB^a;UA-#jIX@LY9QbCqN25} zn6x|&u>3-1PqL=c(t*5w;txhwhC!#qyHs8bCRP~2>rFicwdosrvY-;&+0W7zRrwy?at_A ztHRVvt($8n=b{MprzIVxUOlDkU5>ogxxdC6=9$c+c;XS<4+BTO_y|GJH|ysl`FlM#1XZ3&nFuj&?kSqwkm&z3 zrcxPo;tfJM{0g*h>ppo(&H74nTYLY?!25Zqjr5a@;F}Mw7&uacc?aSV^v$X5GyE5> zBXGaf2YQ@el+dfJt;R-?khIazjxNZ_rKke!JAHo3qqo#MI#B%5g}gP%(`3F+8XVgIa~?`Gmr-NxP(>d}t^@l8i_YE%Guw;ouC|4wpd zMrJzIK($9aDJ|O6&P1b0qT~zfVfu~`An!wAMaU3UR$u2nU3RjYI>%z=s*4r)gx^n} z_JNXsC&IkKCp5Hpkhd*zvQxuGY*0LTiLBz0#)7LZbG5gvQ~WK2{>Z0(?{&q{JeD~9 zDn$@Sb^VvzTSY?3ilfevTSr=H5QO?FP+{~X7LN$EUmbPIuuk)!%$LF@V+fssDP^L$ zi#ifB(EpIiR{3|g94F48Sr?=RD*K7-Gniaoi?DIB)gxFY_z?D2w2F_=-2|S@(Imqy z53VEdY@zj&V*|OkLk@O_7vUg;d3YR(!YroV&5h>_-6WRsw|FpkGUjX#6ZMmztOxz{ z2MG0We98>2-3Wp5=kbHa;Zle*%9gF8& z3xUs|Ce7%4Y%~xiRM{7Axzqfk;?hfHWQ$v*-23&=gguZ?b@BP`Z;_rJC%pYM%S7Kg zAR>z6bZGcpv`uk(o8Pf0kWXJ%PgS1^df)rt>M^TMG;s_a^@e`7hOU1T2d+LG@s%IoufpV15EtL_G1JR1juLCsCmsg zoXnJEbiOi^$}UhrU5=IS-H-Q5!465d5=58}JY~uo0n?Zb3I)9Ld}6tL;Ba@HUhmQ! 
z)!E@qENPx6HPC*}_r@rRBG$UeCOjY7)v$&ri#TQJ&USlr+27zB|g_XK=5Nbp+b464{9El2grC zG2oulaan_xx6%hK7cF*sGS3Cs94Nr2d+on;}6gLElxt9+3$*HyE z*Q{3&<}I(@5Z&3H(<7Yv=~+YF?ZU?TCAj|d^0e>;i7|3U`FKCj{|;%BvoV(EZ2s}} z7s2jwM&270N6BXn{$4-s*~K;8MDVBM%vxmQvr6Zjt@CXcS`?Tv%6Z_JO=-XNUg|hj zpA3S&_1w=e=uQnFJ#I8}D?fQz6AN>8duZE+mn3N1DMeu)1N5g?-RNkSu!N>^onp`- z_AQoBKJ@L8s%LW%y6GDAKsG{s(#J_Oh&y2#cXXa~c}No_!B7?ISQ@j$(dL`hjdKz; z4YWUyV^z{Dv`$rEBc&NYfo4xRF3Jp>bmmLENj3OpjS*qKI>LuURI`KU(N_}n(z&%* zGMyZAYw}0XLRq(<+mO01!u)FV@vd_V14n1HpW%2wOvmmDM&3=Q18kqPq!BW?uV2D| z{!EY*N_UTOiN@^&xDcX5j*py&qA|67f768PTXnQ0$pYl(vWVU~%EwQiw`I7*2 zJ-_)SE>DAU==9-LL?X&0W{O?q;ZQo}x0+|t4nOWA%tMxtpVx;*maj|?XtH2FZLC;H zA3A=SKDgf2o3=<|=Y0yazm!xNUamHVdmgOw%D>}BC24d2zI(<`jv<3E*<7vyg!*S$ zqbX{)b*}_`e-PjP6fGf*kptC2ueq|Xw}y3-8s&{#vSYNqDa$?{?Cb>E-wcP5 z1o}SV99Anl=E>OQnVf$Hd$?&qI#3{fAu@I{1mr(o#fA4^wyGF81l>QG!K9Fz^=*Cc zZM&)PM(!$`&KjYA-w!RZRrsa3Ej<)lXu$RE*7Tl8vPh>P#9N|Id##?Yug$+f5L$F>BuqS#*uPP zxjy8&x@87u|z60xyjCl$5Qnl}~rnUEo#6~q>Giwx*04u^8%qzqauKwcXY^pVe`yI1@e b^3v$IYcqE0MuT@t#Y*|a*OA^l?S%gW_`RYA diff --git a/tools/make-efi-testdata/apps.go b/tools/make-efi-testdata/apps.go index 8fe6b333..3b75f590 100644 --- a/tools/make-efi-testdata/apps.go +++ b/tools/make-efi-testdata/apps.go 
@@ -84,34 +84,6 @@ func newMockAppData(srcDir, vendorCertDir string, certs map[string][]byte) []moc
 signCerts: [][]byte{certs["TestUefiSigning1.1.1"]},
 filename: "mockshim_vendor_db.efi.signed.1.1.1",
 },
- {
- path: filepath.Join(srcDir, "shim"),
- name: "mockshim",
- makeExtraArgs: []string{
- "VENDOR_CERT_FILE=" + filepath.Join(vendorCertDir, "TestShimVendorCA.cer"),
- "SHIM_VERSION=15.7",
- "SBAT_VAR_PREVIOUS=sbat,1,2022052400\\\\ngrub,2\\\\n",
- "SBAT_VAR_LATEST=sbat,1,2022111500\\\\nshim,2\\\\ngrub,3\\\\n",
- "WITH_SBAT=1",
- "WITH_SBATLEVEL=1"},
- signKeys: []string{filepath.Join(srcDir, "keys", "TestUefiSigning1.2.1.key")},
- signCerts: [][]byte{certs["TestUefiSigning1.2.1"]},
- filename: "mockshim.efi.signed.1.2.1",
- },
- {
- path: filepath.Join(srcDir, "shim"),
- name: "mockshim",
- makeExtraArgs: []string{
- "VENDOR_CERT_FILE=" + filepath.Join(vendorCertDir, "TestShimVendorCA.cer"),
- "SHIM_VERSION=15.7",
- "SBAT_VAR_PREVIOUS=sbat,1,2022052400\\\\ngrub,2\\\\n",
- "SBAT_VAR_LATEST=sbat,1,2022111500\\\\nshim,2\\\\ngrub,3\\\\n",
- "WITH_SBAT=1",
- "WITH_SBATLEVEL=1"},
- signKeys: []string{filepath.Join(srcDir, "keys", "TestUefiSigning2.1.1.key")},
- signCerts: [][]byte{certs["TestUefiSigning2.1.1"]},
- filename: "mockshim.efi.signed.2.1.1",
- },
 {
 path: filepath.Join(srcDir, "shim"),
 name: "mockshim",
@@ -144,59 +116,11 @@ func newMockAppData(srcDir, vendorCertDir string, certs map[string][]byte) []moc signCerts: [][]byte{certs["TestShimVendorSigning.1"]}, filename: "mockgrub1.efi.signed.shim.1", }, - { - path: filepath.Join(srcDir, "grub"), - name: "mockgrub1", - makeExtraArgs: []string{"WITH_SBAT=1"}, - signKeys: []string{filepath.Join(srcDir, "keys", "TestUefiSigning1.1.1.key")}, - signCerts: [][]byte{certs["TestUefiSigning1.1.1"]}, - filename: "mockgrub1.efi.signed.1.1.1", - }, - { - path: filepath.Join(srcDir, "grub"), - name: "mockgrub1", - makeExtraArgs: []string{"WITH_SBAT=1"}, - signKeys: []string{filepath.Join(srcDir, "keys", "TestUefiSigning1.2.1.key")}, - signCerts: [][]byte{certs["TestUefiSigning1.2.1"]}, - filename: "mockgrub1.efi.signed.1.2.1", - }, { path: filepath.Join(srcDir, "kernel"), name: "mockkernel1", filename: "mockkernel1.efi", }, - { - path: filepath.Join(srcDir, "kernel"), - name: "mockkernel1", - makeExtraArgs: []string{"WITH_SBAT=1"}, - signKeys: []string{filepath.Join(srcDir, "keys", "TestShimVendorSigning.1.key")}, - signCerts: [][]byte{certs["TestShimVendorSigning.1"]}, - filename: "mockkernel1.efi.signed.shim.1", - }, - { - path: filepath.Join(srcDir, "kernel"), - name: "mockkernel1", - makeExtraArgs: []string{"WITH_SBAT=1"}, - signKeys: []string{filepath.Join(srcDir, "keys", "TestUefiSigning1.1.1.key")}, - signCerts: [][]byte{certs["TestUefiSigning1.1.1"]}, - filename: "mockkernel1.efi.signed.1.1.1", - }, - { - path: filepath.Join(srcDir, "kernel"), - name: "mockkernel1", - makeExtraArgs: []string{"WITH_SBAT=1"}, - signKeys: []string{filepath.Join(srcDir, "keys", "TestUefiSigning1.2.1.key")}, - signCerts: [][]byte{certs["TestUefiSigning1.2.1"]}, - filename: "mockkernel1.efi.signed.1.2.1", - }, - { - path: filepath.Join(srcDir, "kernel"), - name: "mockkernel2", - makeExtraArgs: []string{"WITH_SBAT=1"}, - signKeys: []string{filepath.Join(srcDir, "keys", "TestShimVendorSigning.1.key")}, - signCerts: 
[][]byte{certs["TestShimVendorSigning.1"]}, - filename: "mockkernel2.efi.signed.shim.1", - }, } } diff --git a/tools/make-efi-testdata/certs.go b/tools/make-efi-testdata/certs.go index 49b16a72..30ef2283 100644 --- a/tools/make-efi-testdata/certs.go +++ b/tools/make-efi-testdata/certs.go @@ -100,20 +100,6 @@ var certDatas = []certData{ CommonName: "Test UEFI CA 2", }, }, - { - name: "TestUefiSigning1.2.1", - issuer: "TestUefiCA1.2", - extKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, - keyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyEncipherment, - serialNumber: big.NewInt(1), - subject: pkix.Name{ - Country: []string{"GB"}, - Organization: []string{"Fake Corporation"}, - Locality: []string{"London"}, - Province: []string{"England"}, - CommonName: "Test UEFI Secure Boot Signing 1", - }, - }, { name: "TestShimVendorCA", isCA: true, 
@@ -142,61 +128,6 @@ var certDatas = []certData{ CommonName: "Test UEFI Vendor Secure Boot Signing 1", }, }, - { - name: "TestRoot2", - isCA: true, - keyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign, - serialNumber: big.NewInt(1), - subject: pkix.Name{ - Country: []string{"GB"}, - Organization: []string{"Another Fake Corporation"}, - Locality: []string{"Cambridge"}, - Province: []string{"England"}, - CommonName: "Test Root CA", - }, - }, - { - name: "TestKek2.1", - issuer: "TestRoot2", - isCA: true, - keyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign, - serialNumber: big.NewInt(1001), - subject: pkix.Name{ - Country: []string{"GB"}, - Organization: []string{"Another Fake Corporation"}, - Locality: []string{"Cambridge"}, - Province: []string{"England"}, - CommonName: "Test KEK 1", - }, - }, - { - name: "TestUefiCA2.1", - issuer: "TestRoot2", - isCA: true, - keyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign, - serialNumber: big.NewInt(1002), - subject: pkix.Name{ - Country: []string{"GB"}, - Organization: []string{"Another Fake Corporation"}, - Locality: []string{"Cambridge"}, - Province: []string{"England"}, - CommonName: "Test UEFI CA 1", - }, - }, - { - name: "TestUefiSigning2.1.1", - issuer: "TestUefiCA2.1", - extKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, - keyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyEncipherment, - serialNumber: big.NewInt(1), - subject: pkix.Name{ - Country: []string{"GB"}, - Organization: []string{"Another Fake Corporation"}, - Locality: []string{"Cambridge"}, - Province: []string{"England"}, - CommonName: "Test UEFI Secure Boot Signing 1", - }, - }, } func decodePEM(path, t string) ([]byte, error) { diff --git a/tools/make-efi-testdata/dbupdates.go b/tools/make-efi-testdata/dbupdates.go deleted file mode 100644 index 2fdb547e..00000000 
--- a/tools/make-efi-testdata/dbupdates.go
+++ /dev/null
@@ -1,292 +0,0 @@ -package main - -import ( - "encoding/pem" - "errors" - "io/ioutil" - "os" - "os/exec" - "path/filepath" - "strconv" - - "github.com/canonical/go-efilib" - - "golang.org/x/xerrors" - - "github.com/snapcore/secboot/internal/testutil" -) - -type modifiedMS2016DbxUpdate struct { - key string - tmp string - cert []byte - src string -} - -func (u *modifiedMS2016DbxUpdate) db() string { return "dbx" } - -func (u *modifiedMS2016DbxUpdate) create() (string, error) { - cert, err := ioutil.TempFile(u.tmp, "cert.") - if err != nil { - return "", xerrors.Errorf("cannot create cert: %w", err) - } - defer cert.Close() - - b := pem.Block{Type: "CERTIFICATE", Bytes: u.cert} - if _, err := cert.Write(pem.EncodeToMemory(&b)); err != nil { - return "", xerrors.Errorf("cannot write cert: %w", err) - } - cert.Close() - - f, err := os.Open(filepath.Join(u.src, "uefi.org/revocationlistfile/2016-08-08/dbxupdate.bin")) - if err != nil { - return "", err - } - defer f.Close() - - if _, err := efi.ReadTimeBasedVariableAuthentication(f); err != nil { - return "", xerrors.Errorf("invalid authentication: %w", err) - } - - db, err := efi.ReadSignatureDatabase(f) - if err != nil { - return "", xerrors.Errorf("invalid payload: %w", err) - } - - if len(db) != 1 { - return "", errors.New("unexpected number of ESLs") - } - if db[0].Type != efi.CertSHA256Guid { - return "", errors.New("unexpected ESL type") - } - if len(db[0].Signatures) != 77 { - return "", errors.New("unexpected number of signatures") - } - - db[0].Signatures[10].Data[0] ^= 0xff - db[0].Signatures[40].Owner = efi.MakeGUID(0xa0baa8a3, 0x041d, 0x48a8, 0xbc87, [...]uint8{0xc3, 0x6d, 0x12, 0x1b, 0x5e, 0x3d}) - - update, err := ioutil.TempFile(u.tmp, "update.") - if err != nil { - return "", xerrors.Errorf("cannot create update: %w", err) - } - defer update.Close() - - if err := db.Write(update); err != nil { - return "", xerrors.Errorf("cannot write update: %w", err) - } - update.Close() - - // This is not reproducible 
because the signed variable has a timestamp, - // but this doesn't affect the tests. - cmd := exec.Command("sbvarsign", "--key", u.key, "--cert", cert.Name(), "dbx", update.Name()) - if err := cmd.Run(); err != nil { - return "", xerrors.Errorf("cannot sign update: %w", err) - } - - return update.Name() + ".signed", nil -} - -func (u *modifiedMS2016DbxUpdate) name() string { return "dbxupdate.bin" } - -func newModifiedMS2016DbxUpdate(key, tmp string, cert []byte, srcDir string) *modifiedMS2016DbxUpdate { - return &modifiedMS2016DbxUpdate{key, tmp, cert, srcDir} -} - -type mockDbUpdate struct { - d string - n string - key string - tmp string - cert []byte - esls []esl -} - -func newMockDbUpdate(db, name, key, tmp string, cert []byte, esls []esl) *mockDbUpdate { - return &mockDbUpdate{db, name, key, tmp, cert, esls} -} - -func (u *mockDbUpdate) db() string { return u.d } - -func (u *mockDbUpdate) create() (string, error) { - cert, err := ioutil.TempFile(u.tmp, "cert.") - if err != nil { - return "", xerrors.Errorf("cannot create cert: %w", err) - } - defer cert.Close() - - b := pem.Block{Type: "CERTIFICATE", Bytes: u.cert} - if _, err := cert.Write(pem.EncodeToMemory(&b)); err != nil { - return "", xerrors.Errorf("cannot write cert: %w", err) - } - cert.Close() - - update, err := ioutil.TempFile(u.tmp, "update.") - if err != nil { - return "", xerrors.Errorf("cannot create update: %w", err) - } - defer update.Close() - - var db efi.SignatureDatabase - for _, esl := range u.esls { - l, err := esl.get() - if err != nil { - return "", err - } - db = append(db, l) - } - - if err := db.Write(update); err != nil { - return "", xerrors.Errorf("cannot write update: %w", err) - } - update.Close() - - // This is not reproducible because the signed variable has a timestamp, - // but this doesn't affect the tests. 
- cmd := exec.Command("sbvarsign", "--key", u.key, "--cert", cert.Name(), u.d, update.Name()) - if err := cmd.Run(); err != nil { - return "", xerrors.Errorf("cannot sign update: %w", err) - } - - return update.Name() + ".signed", nil -} - -func (u *mockDbUpdate) name() string { return u.n } - -type dbUpdateFile struct { - d string - p string - n string -} - -func newDbUpdateFile(db, path, name string) *dbUpdateFile { - return &dbUpdateFile{db, path, name} -} - -func (f *dbUpdateFile) db() string { return f.d } -func (f *dbUpdateFile) create() (string, error) { return f.p, nil } -func (f *dbUpdateFile) name() string { return f.n } - -type dbUpdate interface { - db() string - create() (string, error) - name() string -} - -type dbUpdateData struct { - name string - updates []dbUpdate -} - -func newDbUpdateData(srcDir, tmpDir string, certs map[string][]byte) []dbUpdateData { - return []dbUpdateData{ - { - name: "update_uefi.org_2016-08-08", - updates: []dbUpdate{ - newDbUpdateFile("dbx", filepath.Join(srcDir, "uefi.org/revocationlistfile/2016-08-08/dbxupdate.bin"), "dbxupdate.bin"), - }, - }, - { - name: "update_uefi.org_2020-10-12", - updates: []dbUpdate{ - newDbUpdateFile("dbx", filepath.Join(srcDir, "uefi.org/revocationlistfile/2020-10-12/dbxupdate_x64_1.bin"), "dbxupdate_x64_1.bin"), - }, - }, - { - name: "update_mock1", - updates: []dbUpdate{ - newMockDbUpdate("db", "dbupdate.bin", filepath.Join(srcDir, "keys", "TestKek1.1.key"), tmpDir, certs["TestKek1.1"], []esl{ - &x509Esl{ - cert: certs["TestUefiCA1.2"], - owner: efi.MakeGUID(0x03f66fa4, 0x5eee, 0x479c, 0xa408, [...]uint8{0xc4, 0xdc, 0x0a, 0x33, 0xfc, 0xde}), - }, - }), - }, - }, - { - name: "update_modified_uefi.org_2016-08-08", - updates: []dbUpdate{ - newModifiedMS2016DbxUpdate(filepath.Join(srcDir, "keys", "TestKek1.1.key"), tmpDir, certs["TestKek1.1"], srcDir), - }, - }, - } -} - -func makeOneDbUpdate(dstDir string, data *dbUpdateData) error { - for _, update := range data.updates { - dir := 
filepath.Join(dstDir, data.name, update.db()) - if err := os.MkdirAll(dir, 0755); err != nil { - return xerrors.Errorf("cannot mkdir for %s: %w", update.db(), err) - } - - path, err := update.create() - if err != nil { - return xerrors.Errorf("cannot create update %s: %w", update.name(), err) - } - - if err := testutil.CopyFile(filepath.Join(dir, update.name()), path, 0644); err != nil { - return xerrors.Errorf("cannot copy update %s: %w", update.name(), err) - } - } - - return nil -} - -func makeDbUpdates(srcDir, dstDir string) error { - tmpDir, err := ioutil.TempDir("", "gen-efi-testdata.") - if err != nil { - return err - } - defer os.RemoveAll(tmpDir) - - certs, err := makeCertificates(srcDir) - if err != nil { - return xerrors.Errorf("cannot make certificates: %w", err) - } - - for _, data := range newDbUpdateData(srcDir, tmpDir, certs) { - if err := makeOneDbUpdate(dstDir, &data); err != nil { - return xerrors.Errorf("cannot create db update %s: %w", data.name, err) - } - } - - return nil -} - -func extractESLsFromOneUpdate(srcDir, update string, esls map[string]*efi.SignatureList) error { - f, err := os.Open(filepath.Join(srcDir, update)) - if err != nil { - return err - } - defer f.Close() - - if _, err := efi.ReadTimeBasedVariableAuthentication(f); err != nil { - return xerrors.Errorf("invalid authentication: %w", err) - } - - db, err := efi.ReadSignatureDatabase(f) - if err != nil { - return xerrors.Errorf("invalid payload: %w", err) - } - - for i, l := range db { - esls[update+"."+strconv.Itoa(i)] = l - } - - return nil -} - -func extractESLsFromUpdates(srcDir string) (out map[string]*efi.SignatureList, err error) { - out = make(map[string]*efi.SignatureList) - - for _, update := range []string{ - "uefi.org/revocationlistfile/2016-08-08/dbxupdate.bin", - "uefi.org/revocationlistfile/2020-10-12/dbxupdate_x64_1.bin", - } { - if err := extractESLsFromOneUpdate(srcDir, update, out); err != nil { - return nil, xerrors.Errorf("cannot extract ESLs from %s: %w", 
update, err) - } - } - - return out, nil -} diff --git a/tools/make-efi-testdata/efivars.go b/tools/make-efi-testdata/efivars.go index e1ae6ce5..fd385317 100644 --- a/tools/make-efi-testdata/efivars.go +++ b/tools/make-efi-testdata/efivars.go @@ -8,7 +8,7 @@ import ( "os" "path/filepath" - "github.com/canonical/go-efilib" + efi "github.com/canonical/go-efilib" "golang.org/x/xerrors" ) @@ -51,14 +51,6 @@ func (e devNullSha256Esl) get() (*efi.SignatureList, error) { }}, nil } -type rawEsl struct { - l *efi.SignatureList -} - -func (e rawEsl) get() (*efi.SignatureList, error) { - return e.l, nil -} - type x509Esl struct { cert []byte owner efi.GUID @@ -161,11 +153,6 @@ func newEfiVarData(srcDir string) ([]efiVarData, error) { return nil, xerrors.Errorf("cannot read src certificates: %w", err) } - esls, err := extractESLsFromUpdates(srcDir) - if err != nil { - return nil, xerrors.Errorf("cannot extract ESLs from updates: %w", err) - } - return []efiVarData{ { name: "efivars_ms", 
@@ -196,256 +183,6 @@ func newEfiVarData(srcDir string) ([]efiVarData, error) { newDbVar("dbx", sigDb{devNullSha256Esl{}}), }, }, - { - name: "efivars_ms_plus_2016_dbx_update", - vars: []efiVar{ - newGlobalVar("SecureBoot", efi.AttributeBootserviceAccess|efi.AttributeRuntimeAccess, bytesPayload([]byte{0x01})), - newGlobalVar("PK", efi.AttributeNonVolatile|efi.AttributeBootserviceAccess|efi.AttributeRuntimeAccess|efi.AttributeTimeBasedAuthenticatedWriteAccess, - &x509Esl{ - cert: certs["DellPK2016"], - owner: efi.MakeGUID(0x70564dce, 0x9afc, 0x4ee3, 0x85fc, [...]uint8{0x94, 0x96, 0x49, 0xd7, 0xe4, 0x5c}), - }), - newGlobalVar("KEK", efi.AttributeNonVolatile|efi.AttributeBootserviceAccess|efi.AttributeRuntimeAccess|efi.AttributeTimeBasedAuthenticatedWriteAccess, - sigDb{ - &x509Esl{ - cert: certs["MicrosoftKEK"], - owner: efi.MakeGUID(0x77fa9abd, 0x0359, 0x4d32, 0xbd60, [...]uint8{0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}), - }, - }), - newDbVar("db", sigDb{ - &x509Esl{ - cert: certs["MicrosoftPCA"], - owner: efi.MakeGUID(0x77fa9abd, 0x0359, 0x4d32, 0xbd60, [...]uint8{0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}), - }, - &x509Esl{ - cert: certs["MicrosoftUefiCA"], - owner: efi.MakeGUID(0x77fa9abd, 0x0359, 0x4d32, 0xbd60, [...]uint8{0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}), - }, - }), - newDbVar("dbx", sigDb{ - devNullSha256Esl{}, - rawEsl{esls["uefi.org/revocationlistfile/2016-08-08/dbxupdate.bin.0"]}, - }), - }, - }, - { - name: "efivars_mock1", - vars: []efiVar{ - newGlobalVar("SecureBoot", efi.AttributeBootserviceAccess|efi.AttributeRuntimeAccess, bytesPayload([]byte{0x01})), - newGlobalVar("PK", efi.AttributeNonVolatile|efi.AttributeBootserviceAccess|efi.AttributeRuntimeAccess|efi.AttributeTimeBasedAuthenticatedWriteAccess, - &x509Esl{ - cert: certs["PkKek-1-Ubuntu"], - owner: efi.MakeGUID(0x4e32566d, 0x8e9e, 0x4f52, 0x81d3, [...]uint8{0x5b, 0xb9, 0x71, 0x5f, 0x97, 0x27}), - }), - newGlobalVar("KEK", 
efi.AttributeNonVolatile|efi.AttributeBootserviceAccess|efi.AttributeRuntimeAccess|efi.AttributeTimeBasedAuthenticatedWriteAccess, - sigDb{ - &x509Esl{ - cert: certs["TestKek1.1"], - owner: efi.MakeGUID(0x03f66fa4, 0x5eee, 0x479c, 0xa408, [...]uint8{0xc4, 0xdc, 0x0a, 0x33, 0xfc, 0xde}), - }, - }), - newDbVar("db", sigDb{ - &x509Esl{ - cert: certs["TestUefiCA1.1"], - owner: efi.MakeGUID(0x03f66fa4, 0x5eee, 0x479c, 0xa408, [...]uint8{0xc4, 0xdc, 0x0a, 0x33, 0xfc, 0xde}), - }, - }), - newDbVar("dbx", sigDb{devNullSha256Esl{}}), - }, - }, - { - name: "efivars_mock1_plus_extra_db_ca", - vars: []efiVar{ - newGlobalVar("SecureBoot", efi.AttributeBootserviceAccess|efi.AttributeRuntimeAccess, bytesPayload([]byte{0x01})), - newGlobalVar("PK", efi.AttributeNonVolatile|efi.AttributeBootserviceAccess|efi.AttributeRuntimeAccess|efi.AttributeTimeBasedAuthenticatedWriteAccess, - &x509Esl{ - cert: certs["PkKek-1-Ubuntu"], - owner: efi.MakeGUID(0x4e32566d, 0x8e9e, 0x4f52, 0x81d3, [...]uint8{0x5b, 0xb9, 0x71, 0x5f, 0x97, 0x27}), - }), - newGlobalVar("KEK", efi.AttributeNonVolatile|efi.AttributeBootserviceAccess|efi.AttributeRuntimeAccess|efi.AttributeTimeBasedAuthenticatedWriteAccess, - sigDb{ - &x509Esl{ - cert: certs["TestKek1.1"], - owner: efi.MakeGUID(0x03f66fa4, 0x5eee, 0x479c, 0xa408, [...]uint8{0xc4, 0xdc, 0x0a, 0x33, 0xfc, 0xde}), - }, - }), - newDbVar("db", sigDb{ - &x509Esl{ - cert: certs["TestUefiCA1.1"], - owner: efi.MakeGUID(0x03f66fa4, 0x5eee, 0x479c, 0xa408, [...]uint8{0xc4, 0xdc, 0x0a, 0x33, 0xfc, 0xde}), - }, - &x509Esl{ - cert: certs["TestUefiCA1.2"], - owner: efi.MakeGUID(0x03f66fa4, 0x5eee, 0x479c, 0xa408, [...]uint8{0xc4, 0xdc, 0x0a, 0x33, 0xfc, 0xde}), - }, - }), - newDbVar("dbx", sigDb{devNullSha256Esl{}}), - }, - }, - { - name: "efivars_mock1_plus_shim_vendor_ca", - vars: []efiVar{ - newGlobalVar("SecureBoot", efi.AttributeBootserviceAccess|efi.AttributeRuntimeAccess, bytesPayload([]byte{0x01})), - newGlobalVar("PK", 
efi.AttributeNonVolatile|efi.AttributeBootserviceAccess|efi.AttributeRuntimeAccess|efi.AttributeTimeBasedAuthenticatedWriteAccess, - &x509Esl{ - cert: certs["PkKek-1-Ubuntu"], - owner: efi.MakeGUID(0x4e32566d, 0x8e9e, 0x4f52, 0x81d3, [...]uint8{0x5b, 0xb9, 0x71, 0x5f, 0x97, 0x27}), - }), - newGlobalVar("KEK", efi.AttributeNonVolatile|efi.AttributeBootserviceAccess|efi.AttributeRuntimeAccess|efi.AttributeTimeBasedAuthenticatedWriteAccess, - sigDb{ - &x509Esl{ - cert: certs["TestKek1.1"], - owner: efi.MakeGUID(0x03f66fa4, 0x5eee, 0x479c, 0xa408, [...]uint8{0xc4, 0xdc, 0x0a, 0x33, 0xfc, 0xde}), - }, - }), - newDbVar("db", sigDb{ - &x509Esl{ - cert: certs["TestUefiCA1.1"], - owner: efi.MakeGUID(0x03f66fa4, 0x5eee, 0x479c, 0xa408, [...]uint8{0xc4, 0xdc, 0x0a, 0x33, 0xfc, 0xde}), - }, - &x509Esl{ - cert: certs["TestShimVendorCA"], - owner: efi.MakeGUID(0x4e32566d, 0x8e9e, 0x4f52, 0x81d3, [...]uint8{0x5b, 0xb9, 0x71, 0x5f, 0x97, 0x27}), - }, - }), - newDbVar("dbx", sigDb{devNullSha256Esl{}}), - }, - }, - { - name: "efivars_ms_plus_mock1", - vars: []efiVar{ - newGlobalVar("SecureBoot", efi.AttributeBootserviceAccess|efi.AttributeRuntimeAccess, bytesPayload([]byte{0x01})), - newGlobalVar("PK", efi.AttributeNonVolatile|efi.AttributeBootserviceAccess|efi.AttributeRuntimeAccess|efi.AttributeTimeBasedAuthenticatedWriteAccess, - &x509Esl{ - cert: certs["PkKek-1-Ubuntu"], - owner: efi.MakeGUID(0x4e32566d, 0x8e9e, 0x4f52, 0x81d3, [...]uint8{0x5b, 0xb9, 0x71, 0x5f, 0x97, 0x27}), - }), - newGlobalVar("KEK", efi.AttributeNonVolatile|efi.AttributeBootserviceAccess|efi.AttributeRuntimeAccess|efi.AttributeTimeBasedAuthenticatedWriteAccess, - sigDb{ - &x509Esl{ - cert: certs["MicrosoftKEK"], - owner: efi.MakeGUID(0x77fa9abd, 0x0359, 0x4d32, 0xbd60, [...]uint8{0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}), - }, - &x509Esl{ - cert: certs["TestKek1.1"], - owner: efi.MakeGUID(0x03f66fa4, 0x5eee, 0x479c, 0xa408, [...]uint8{0xc4, 0xdc, 0x0a, 0x33, 0xfc, 0xde}), - }, - }), - newDbVar("db", sigDb{ - 
&x509Esl{ - cert: certs["MicrosoftPCA"], - owner: efi.MakeGUID(0x77fa9abd, 0x0359, 0x4d32, 0xbd60, [...]uint8{0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}), - }, - &x509Esl{ - cert: certs["MicrosoftUefiCA"], - owner: efi.MakeGUID(0x77fa9abd, 0x0359, 0x4d32, 0xbd60, [...]uint8{0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}), - }, - &x509Esl{ - cert: certs["TestUefiCA1.1"], - owner: efi.MakeGUID(0x03f66fa4, 0x5eee, 0x479c, 0xa408, [...]uint8{0xc4, 0xdc, 0x0a, 0x33, 0xfc, 0xde}), - }, - }), - newDbVar("dbx", sigDb{devNullSha256Esl{}}), - }, - }, - { - name: "efivars_ms_plus_mock1_and_2016_dbx_update", - vars: []efiVar{ - newGlobalVar("SecureBoot", efi.AttributeBootserviceAccess|efi.AttributeRuntimeAccess, bytesPayload([]byte{0x01})), - newGlobalVar("PK", efi.AttributeNonVolatile|efi.AttributeBootserviceAccess|efi.AttributeRuntimeAccess|efi.AttributeTimeBasedAuthenticatedWriteAccess, - &x509Esl{ - cert: certs["PkKek-1-Ubuntu"], - owner: efi.MakeGUID(0x4e32566d, 0x8e9e, 0x4f52, 0x81d3, [...]uint8{0x5b, 0xb9, 0x71, 0x5f, 0x97, 0x27}), - }), - newGlobalVar("KEK", efi.AttributeNonVolatile|efi.AttributeBootserviceAccess|efi.AttributeRuntimeAccess|efi.AttributeTimeBasedAuthenticatedWriteAccess, - sigDb{ - &x509Esl{ - cert: certs["MicrosoftKEK"], - owner: efi.MakeGUID(0x77fa9abd, 0x0359, 0x4d32, 0xbd60, [...]uint8{0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}), - }, - &x509Esl{ - cert: certs["TestKek1.1"], - owner: efi.MakeGUID(0x03f66fa4, 0x5eee, 0x479c, 0xa408, [...]uint8{0xc4, 0xdc, 0x0a, 0x33, 0xfc, 0xde}), - }, - }), - newDbVar("db", sigDb{ - &x509Esl{ - cert: certs["MicrosoftPCA"], - owner: efi.MakeGUID(0x77fa9abd, 0x0359, 0x4d32, 0xbd60, [...]uint8{0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}), - }, - &x509Esl{ - cert: certs["MicrosoftUefiCA"], - owner: efi.MakeGUID(0x77fa9abd, 0x0359, 0x4d32, 0xbd60, [...]uint8{0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}), - }, - &x509Esl{ - cert: certs["TestUefiCA1.1"], - owner: efi.MakeGUID(0x03f66fa4, 0x5eee, 0x479c, 0xa408, [...]uint8{0xc4, 0xdc, 0x0a, 0x33, 0xfc, 0xde}), - }, 
- }), - newDbVar("dbx", sigDb{ - devNullSha256Esl{}, - rawEsl{esls["uefi.org/revocationlistfile/2016-08-08/dbxupdate.bin.0"]}, - }), - }, - }, - { - name: "efivars_mock2", - vars: []efiVar{ - newGlobalVar("SecureBoot", efi.AttributeBootserviceAccess|efi.AttributeRuntimeAccess, bytesPayload([]byte{0x01})), - newGlobalVar("PK", efi.AttributeNonVolatile|efi.AttributeBootserviceAccess|efi.AttributeRuntimeAccess|efi.AttributeTimeBasedAuthenticatedWriteAccess, - &x509Esl{ - cert: certs["PkKek-1-Ubuntu"], - owner: efi.MakeGUID(0x4e32566d, 0x8e9e, 0x4f52, 0x81d3, [...]uint8{0x5b, 0xb9, 0x71, 0x5f, 0x97, 0x27}), - }), - newGlobalVar("KEK", efi.AttributeNonVolatile|efi.AttributeBootserviceAccess|efi.AttributeRuntimeAccess|efi.AttributeTimeBasedAuthenticatedWriteAccess, - sigDb{ - &x509Esl{ - cert: certs["TestKek2.1"], - owner: efi.MakeGUID(0xc143dd0a, 0xf73a, 0x456b, 0xb246, [...]uint8{0xd0, 0x6e, 0xe0, 0x5e, 0xa4, 0x7c}), - }, - }), - newDbVar("db", sigDb{ - &x509Esl{ - cert: certs["TestUefiCA2.1"], - owner: efi.MakeGUID(0xc143dd0a, 0xf73a, 0x456b, 0xb246, [...]uint8{0xd0, 0x6e, 0xe0, 0x5e, 0xa4, 0x7c}), - }, - }), - newDbVar("dbx", sigDb{devNullSha256Esl{}}), - }, - }, - { - name: "efivars_mock1_plus_mock2", - vars: []efiVar{ - newGlobalVar("SecureBoot", efi.AttributeBootserviceAccess|efi.AttributeRuntimeAccess, bytesPayload([]byte{0x01})), - newGlobalVar("PK", efi.AttributeNonVolatile|efi.AttributeBootserviceAccess|efi.AttributeRuntimeAccess|efi.AttributeTimeBasedAuthenticatedWriteAccess, - &x509Esl{ - cert: certs["PkKek-1-Ubuntu"], - owner: efi.MakeGUID(0x4e32566d, 0x8e9e, 0x4f52, 0x81d3, [...]uint8{0x5b, 0xb9, 0x71, 0x5f, 0x97, 0x27}), - }), - newGlobalVar("KEK", efi.AttributeNonVolatile|efi.AttributeBootserviceAccess|efi.AttributeRuntimeAccess|efi.AttributeTimeBasedAuthenticatedWriteAccess, - sigDb{ - &x509Esl{ - cert: certs["TestKek1.1"], - owner: efi.MakeGUID(0x03f66fa4, 0x5eee, 0x479c, 0xa408, [...]uint8{0xc4, 0xdc, 0x0a, 0x33, 0xfc, 0xde}), - }, - &x509Esl{ - cert: 
certs["TestKek2.1"], - owner: efi.MakeGUID(0xc143dd0a, 0xf73a, 0x456b, 0xb246, [...]uint8{0xd0, 0x6e, 0xe0, 0x5e, 0xa4, 0x7c}), - }, - }), - newDbVar("db", sigDb{ - &x509Esl{ - cert: certs["TestUefiCA1.1"], - owner: efi.MakeGUID(0x03f66fa4, 0x5eee, 0x479c, 0xa408, [...]uint8{0xc4, 0xdc, 0x0a, 0x33, 0xfc, 0xde}), - }, - &x509Esl{ - cert: certs["TestUefiCA2.1"], - owner: efi.MakeGUID(0xc143dd0a, 0xf73a, 0x456b, 0xb246, [...]uint8{0xd0, 0x6e, 0xe0, 0x5e, 0xa4, 0x7c}), - }, - }), - newDbVar("dbx", sigDb{devNullSha256Esl{}}), - }, - }, }, nil } diff --git a/tools/make-efi-testdata/logs.go b/tools/make-efi-testdata/logs.go index 1302a377..2d82333c 100644 --- a/tools/make-efi-testdata/logs.go +++ b/tools/make-efi-testdata/logs.go @@ -403,9 +403,6 @@ type logData struct { var logs = []logData{ {name: "eventlog_sb"}, - {name: "eventlog_sb_no_efi_action", opts: logOptions{omitEFIActionEvents: true}}, - {name: "eventlog_sb_no_shim_verification", opts: logOptions{noShimVerification: true}}, - {name: "eventlog_sb_no_sbat", opts: logOptions{noSBAT: true}}, {name: "eventlog_no_sb", opts: logOptions{secureBootDisabled: true}}} func makeTCGLogs(srcDir, dstDir string) error { diff --git a/tools/make-efi-testdata/main.go b/tools/make-efi-testdata/main.go index af99d173..f61d99ff 100644 --- a/tools/make-efi-testdata/main.go +++ b/tools/make-efi-testdata/main.go @@ -5,7 +5,7 @@ import ( "os" "path/filepath" - "github.com/canonical/go-sp800.90a-drbg" + drbg "github.com/canonical/go-sp800.90a-drbg" "golang.org/x/xerrors" ) @@ -48,10 +48,6 @@ func run() error { return xerrors.Errorf("cannot create EFI variables: %w", err) } - if err := makeDbUpdates(srcDir, dstDir); err != nil { - return xerrors.Errorf("cannot create DB updates: %w", err) - } - if err := makeMockApps(srcDir, dstDir); err != nil { return xerrors.Errorf("cannot create mock EFI apps: %w", err) } From 35ec4819b6e64596ee5e43d97e047ce7535d7aef Mon Sep 17 00:00:00 2001 
From: Chris Coulson Date: Tue, 21 Nov 2023 16:28:37 +0000 Subject: [PATCH 2/4] efi: remove use of pre-generated test data for defaultEnv test --- efi/default_env_test.go | 66 ++- efi/export_test.go | 8 +- .../KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c | Bin 1564 -> 0 bytes .../PK-8be4df61-93ca-11d2-aa0d-00e098032b8c | Bin 977 -> 0 bytes ...eBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c | Bin 5 -> 0 bytes .../db-d719b2cb-3d3a-4596-a3bc-dad00e67656f | Bin 3147 -> 0 bytes .../dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f | Bin 80 -> 0 bytes efi/testdata/eventlog_no_sb.bin | Bin 9382 -> 0 bytes efi/testdata/eventlog_sb.bin | Bin 12254 -> 0 bytes tools/make-efi-testdata/efivars.go | 239 ---------- tools/make-efi-testdata/logs.go | 448 ------------------ tools/make-efi-testdata/main.go | 8 - 12 files changed, 50 insertions(+), 719 deletions(-) delete mode 100644 efi/testdata/efivars_ms/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c delete mode 100644 efi/testdata/efivars_ms/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c delete mode 100644 efi/testdata/efivars_ms/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c delete mode 100644 efi/testdata/efivars_ms/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f delete mode 100644 efi/testdata/efivars_ms/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f delete mode 100644 efi/testdata/eventlog_no_sb.bin delete mode 100644 efi/testdata/eventlog_sb.bin delete mode 100644 tools/make-efi-testdata/efivars.go delete mode 100644 tools/make-efi-testdata/logs.go diff --git a/efi/default_env_test.go b/efi/default_env_test.go index 6334007e..777a1a9b 100644 --- a/efi/default_env_test.go +++ b/efi/default_env_test.go @@ -20,12 +20,15 @@ package efi_test import ( + "io" "os" + "path/filepath" efi "github.com/canonical/go-efilib" + "github.com/canonical/go-tpm2" "github.com/canonical/tcglog-parser" . "github.com/snapcore/secboot/efi" - "github.com/snapcore/secboot/internal/testutil" + "github.com/snapcore/secboot/internal/efitest" . "gopkg.in/check.v1" ) 
@@ -40,17 +43,26 @@ type testReadVarData struct { } func (s *defaultEnvSuite) testReadVar(c *C, data *testReadVarData) { - restore := MockReadVar("testdata/efivars_ms") + vars := makeMockVars(c, withMsSecureBootConfig()) + restore := MockReadVar(func(name string, guid efi.GUID) ([]byte, efi.VariableAttributes, error) { + entry, exists := vars[efi.VariableDescriptor{Name: name, GUID: guid}] + if !exists { + return nil, 0, efi.ErrVarNotExist + } + return entry.Payload, entry.Attrs, nil + }) defer restore() - varData, attrs, err := DefaultEnv.ReadVar(data.name, data.guid) - c.Check(err, IsNil) - - expectedVarData, expectedAttrs, err := testutil.EFIReadVar("testdata/efivars_ms", data.name, data.guid) - c.Check(err, IsNil) + payload, attrs, err := DefaultEnv.ReadVar(data.name, data.guid) - c.Check(attrs, Equals, expectedAttrs) - c.Check(varData, DeepEquals, expectedVarData) + entry, exists := vars[efi.VariableDescriptor{Name: data.name, GUID: data.guid}] + if !exists { + c.Check(err, Equals, efi.ErrVarNotExist) + } else { + c.Check(err, IsNil) + c.Check(attrs, Equals, entry.Attrs) + c.Check(payload, DeepEquals, entry.Payload) + } } func (s *defaultEnvSuite) TestReadVar1(c *C) { 
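Review bot: In the new `testReadVar`, the `!exists` branch checks only `err`, so `TestReadVarNotExist` (added in the next hunk) would still pass if `DefaultEnv.ReadVar` returned a payload or attributes together with `efi.ErrVarNotExist`. The mock itself returns `nil, 0, efi.ErrVarNotExist`, so the branch can pin the whole error-path result by adding `c.Check(payload, IsNil)` and `c.Check(attrs, Equals, efi.VariableAttributes(0))`. A short comment above the closure saying that it emulates the variable store built by `makeMockVars` would also help, since that helper is defined outside this hunk.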
@@ -71,27 +83,45 @@ func (s *defaultEnvSuite) TestReadVar3(c *C) { guid: efi.ImageSecurityDatabaseGuid}) } -func (s *defaultEnvSuite) testReadEventLog(c *C, path string) { - restore := MockEventLogPath(path) - defer restore() +func (s *defaultEnvSuite) TestReadVarNotExist(c *C) { + s.testReadVar(c, &testReadVarData{ + name: "SecureBoot", + guid: efi.ImageSecurityDatabaseGuid}) +} + +func (s *defaultEnvSuite) testReadEventLog(c *C, opts *efitest.LogOptions) { + dir := c.MkDir() + path := filepath.Join(dir, "log") - log, err := DefaultEnv.ReadEventLog() + log := efitest.NewLog(c, opts) + + logFile, err := os.Create(path) c.Assert(err, IsNil) + defer logFile.Close() + + c.Check(log.Write(logFile), IsNil) - f, err := os.Open(path) + restore := MockEventLogPath(path) + defer restore() + + log, err = DefaultEnv.ReadEventLog() c.Assert(err, IsNil) - defer f.Close() - expectedLog, err := tcglog.ReadLog(f, &tcglog.LogOptions{}) + _, err = logFile.Seek(0, io.SeekStart) + c.Check(err, IsNil) + expectedLog, err := tcglog.ReadLog(logFile, &tcglog.LogOptions{}) c.Assert(err, IsNil) c.Check(log, DeepEquals, expectedLog) } func (s *defaultEnvSuite) TestReadEventLog1(c *C) { - s.testReadEventLog(c, "testdata/eventlog_sb.bin") + s.testReadEventLog(c, &efitest.LogOptions{Algorithms: []tpm2.HashAlgorithmId{tpm2.HashAlgorithmSHA256, tpm2.HashAlgorithmSHA1}}) } func (s *defaultEnvSuite) TestReadEventLog2(c *C) { - s.testReadEventLog(c, "testdata/eventlog_no_sb.bin") + s.testReadEventLog(c, &efitest.LogOptions{ + Algorithms: []tpm2.HashAlgorithmId{tpm2.HashAlgorithmSHA256, tpm2.HashAlgorithmSHA1}, + SecureBootDisabled: true, + }) } diff --git a/efi/export_test.go b/efi/export_test.go index fc4db686..193d361e 100644 --- a/efi/export_test.go +++ b/efi/export_test.go @@ -22,7 +22,6 @@ package efi import ( efi "github.com/canonical/go-efilib" "github.com/canonical/tcglog-parser" - "github.com/snapcore/secboot/internal/testutil" ) // Export constants for testing 
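Review bot: In `testReadEventLog`, the results of `log.Write(logFile)` and `logFile.Seek(0, io.SeekStart)` are verified with `c.Check`, so the test keeps running after a failed write or seek and then reports secondary parse or comparison failures that obscure the real cause. Both are preconditions for what follows and read better as `c.Assert(log.Write(logFile), IsNil)` and, after the seek, `c.Assert(err, IsNil)`. The `log` variable is also reassigned from the generated log to the value returned by `DefaultEnv.ReadEventLog()`; a separate name for the second value would make it clear which log is being compared with `expectedLog`.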
@@ -178,12 +177,9 @@ func MockOpenPeImage(fn func(Image) (peImageHandle, error)) (restore func()) {
 }
 }
 
-func MockReadVar(dir string) (restore func()) {
+func MockReadVar(fn func(string, efi.GUID) ([]byte, efi.VariableAttributes, error)) (restore func()) {
 origReadVar := readVar
- readVar = func(name string, guid efi.GUID) ([]byte, efi.VariableAttributes, error) {
- return testutil.EFIReadVar(dir, name, guid)
- }
-
+ readVar = fn
 return func() {
 readVar = origReadVar
 }
diff --git a/efi/testdata/efivars_ms/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c b/efi/testdata/efivars_ms/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c deleted file mode 100644 index a7f2ca1da7d59e815343d4295f3d47efdcf81acc..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1564 zcmY#qU|?7nd0^?2Da*aux2_hA(f&{*!3GorfkES><_im$nHZUvxDvT8c7W9~8}PDmYPET^edlFl>iO^RDi@|$cHUcFPfN6(ZQy^C z`}$4&&c{*7Mm2)s{(O(Qms^NV?mPDNLCeNjvvr<--9GUe=fg(_SXQhtkh$;inJr*e z%JRVa6RrOJ3T@~9=|7zRzv;l+muJs?3C>Eg;&$HoNcHbO)}L37h^!WTq}mLWLcrmw{J+ohwiJ6gsad8u)KQKhR4FuRYwb>Y1 z7@N#R8CifSlEFY07}BzQEMhDoNq?NrF0fm2I$h{e^v%#U)n~SK#T!V%HHa{=@W^p7 z1T&N}Br!NMI2v$+bn>%+jA=9A2XTZM8UM4e8ZZMX19^~uGK++PSc8abT9EU@x(LDj z*Zk%whjLh3DP^rNhyf{(X9+b3HV9nczreT6JENqez)D{~xhO|37nYXwlJj%*3$imo zqWT3z`6;EzCB^!{WC2X$z@!UIx4=XTOsnz0#9*KcLGO~mi z1Q`Ut_y$aEE>Mfg%geD@lv+fD4JF8l4w!wJn}C6NrKRJm$P@{tQ(88^wI<2%TwieU zg5zCBF&#FW18`wHoby}QnJM5ORs3qK*b zIG**|?PC`*&v|$oZGRnm$>8gOuRC^CurJpBH~Y3pSj(HHQ|la63+80M{5OIB`ZW2c z&!@<5(&Fj${;#1aQ2qUS&C-iyJ6TUuzU7}VY0ja4_w(y=_^YoRbiHd5IL(s(Xhm5IY0v-LtGCB;+w*6KA3Qm$-tvBm(|gVC32u(ojne5iemX~{p61>2mtm6sms0EH zD^>mkI6725(DmoaQZLI3dOIz%dOiR5cGe57ht>v*G|K-rU|D5umUzo6Q`+Q4#@lO5 z=X0j;Tt1(pRJnHJhds=T+!9tEVLznU^zrYf7nMc{`){mSswCol>fjCU*R}THrkkGm zmu}gRz^oL!ZepeEwb_pHqHQ4so9^+N^4DxIDcUtX!TLkx>qVPnVi$?+Xg~T=`rFp& zs`(c4A5Z+%RXO8uCg1kOG77BIf1DCo$8i0~=K~@FrP(G6q_@sY_#Ct0Xtnh&GY(`7=tF} zxdu&4tqYi$7@3#^0v7IV?Rvg#kAv>1inEt878>xfacZ@Bw0-AgWaMULFi1D#HsEAq z4rO5zW(o~9kJkRTTir%P&1 zj)G@ivYw&5fh+sTYitPN z8XFjxMbXb8O^iy&fxyVhz}&>h&tTBR$i>ve$jGo!!OEfIb$W!dkPDB(+ij~{ByU|d zyK^AdJEGA~XQfi~|AP`6^p4KasJ;28r{IzLa*K1jRxMXysz0=jt7V<}7KXcDK3)zs zb10K6OHse8X3yo?v5?{Yl;@qYUo@{&m~V=^W%+(HLvL8${zgON8DGsrFVEO*c}o3r zdUx_I_NEyk7jB=8c;#~b$oIXoJa%S&jPDQecQKh+B^=J6v%}cy{Bb}2SlcNt7oA!% zKZQl~)1#Shz5d!Ty<4nSeIhg7`B1zi*FBZF`wQnyS$J>nt?%cAor;&T+t`JaiUoUi zOcvh}@`P($N}+pKzTTTfrwgV}b2eZ7Kfh_=?vzg(;G;xSprjLtKbbluR*Jjn1z=($_M#Goo; z-ox@4^~I7Fo7Np(@-F?;N51y-_k~h7GYZ%5ci5IUBT_Did(O1uLFzI&a+f+ynx{o- 
zJuC;m%Di=Qv5ys_fS|6OWb_qDPg zuDPbMOzm6Lsr?C-Lc6d1zjo-HJj2WE6*cTrF0Wg>^MLuPpASAZzYNltWWB?ji+|Dk zI&KET>l+=uz53cN)xpwy)A-ZON|ggT&e2XfIk#DJJe2o~O|h^GmG+!yd1h0p-HY|2 cDy}D@*J@ZTU(zw9m+OXi@8KNr=}n4%0Ew1vR{#J2 diff --git a/efi/testdata/efivars_ms/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c b/efi/testdata/efivars_ms/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c deleted file mode 100644 index 687e561126750b618ef12a9607841f2e302cbf1d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5 McmZQ$U|?Vb001Na2mk;8 
diff --git a/efi/testdata/efivars_ms/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f b/efi/testdata/efivars_ms/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f deleted file mode 100644 index d4895585f4a1e2a11e16bacf9727734127518ac9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3147 zcmcJQc{tQ-8^>p#vCA@%r9m1Q%QM4RD%nEWW9(EzG=t2TrJ;nGY7`X;6)i%JQ<0QT zwqr?2okWhDc3DoFt%y=5?{9KCb)C2CT<5*6x8Fa{^}V0%e(vA*c|JrK40a-@>EvL} z53Xs|r&U8q;~Xpo3PRsYGz`{|KO+c2Qal>g8%#dUOmG7tbT1Gg8w-&LI07L}$8Prj zG!_TsFj9u%RpMzmI9vt|1HxTo86bs0`k^q&2tQx4GMFb3IA!SoI+wwW+sI?Zkrjcw zB#2eU`b2Kn#ERQM)&`oAh_te*2Qz}h;}Vp&zB>U$$)H4wlXK1Q-bHqQ7q;pRU(0K$9GB9 z1Q^Yws{bX`0A}0z%5)yH9;Va4G&373N8O;Mj$*dgT_NnaJAFH2!m9FgNx5-Scp`dsz||H- zC9nrtpT_hZX|muyPbWXz%N}}QSWwz~$t|={3Y-oR`?r_8RSFzSN|l z?qOn0n&!uvc0DOpnR9k?T;6i~?i`zj1WVq7~S2z>+wcS3@zW<;nfpI>3eoEq_``?wiVGx4-=h?^-Bd_PRr?sG%&g-*5D!?WW+_DVpbWs0=DC@`9sUSykUAb-{4(qM21l1QHH| z7mMJIP(^HkB1VdYfurCeOI0`uG9wIVLDklhN8wQ_KQ2L7@58qqOt_i#?wD8plO(^h zzCiu22`UJbthO}F7siK$!yIAuKt?iC0VP>R3=||n84jOCp#c(Vz(Pqt52Xh1sVY5F z{x>q86@`W~x@>Z?LV7#$)mnkSWWYj{7w`aXg{uo)#7+zzkG<5?G=dXrvgxypO(IyE zOxZC^Nz{}*_y4)3kToFtLgs}$yH4U(V_;!SF*AV%fnW>{IwBg4g~L&vz#X`L)&L=1 z@#hu-f#6$PK$qd4*5-X}H0ZV>MNk1%J|xAjIhoiJS2bq6qJFuLLLA9fQJMR(jM2HO z)Z8OI550Jl?3_hUyfbTM;uJI4G-Pn;o>pf1eW~6BZSK+*QPF#bHF{B5Woq+F3Tpc8 zC>EPrn}e@54x*Y~;JeRUW{icOc}R=(27#q7lRoDB;JI&dI7!S6Xz|hEng>r5r~6++ z-NQ$u`W#!RW=!9X_ylif|j=^}xBd+zj6{kbj4?jjKmUT-#pPb6u zc`;?pt|%Avy+xHuHbO%NT2Pnm9=`QrGq$aEOPV=S-YtB~;pf*sbhui!8?BF4XAY8m#KyC7N;keH7NzLXfHCYGbcR3vpKR-t}{PUq3S8_|j!tWGD;0O(T zMZq?k38$Ll2an$fNM)J*h`J>x3D*ot{yPTj{=~o{sQqsYU=$$?y#0&;TzBgy450pI zEFjGOE^q5HU=3Y52m_QaZ|hf>AkY|0&IW=vodYqzgU*SGoOQpQv!9dmYQn#T!AV@Kdz+I~w3}>6Q(6j!FY5@W zZRo?NU`O_Eld0l1%1U2#b)pwu!5imwzabUA_gGzEpPIG2hW5wr^<76>OVrX+?9)So zwlgSodtBN_!Ev9 z;Tax{R_uPpB9(Tt5}ajEAaiYZ(nvGP7x&b&(l9LoM`uN-2EC{vCHBhFH>QXDv9>%d zrB=MrD?U(37p1G)kugS#hjn;U12^a5Mx)Oa!FxW#U^4^*4p92*ZHHih{?rHbzQhm` 
zD7pG!tspWZM@m2)_JM}AOD3>=nN;QbsNA~o1k>h%F52b7T`u|~uQG|Q7E!B-K1EF)w@B_YJO`%tzhuH0ZVg}@O$l{Q{A#+2Xo+F0@9@J0d zSpS(65IJbT2Y7$h5II)3AWY+xchC(k zG@Ut^tD~89U*Ut`SS~kv*Y$=5pBl8c+~a^_h4c}*p-uXC?G)zQUF#@zZSgppucU>e zWj3_c*N|*hlNM4wMC&lU3a%wPn18Uq%+JUq*fpKc*XI*&wj+zD!n&SX(6-cgS9dFQ zVH@jsj~{4fruK}eO`59UV@w}K?WxooYTNPK$ctt(QMtdHn(-?}F81cFan5)}-9z!t zLq(_ypoafUR1@6-|T`4cXZ{thiB_9;A!o#agkqH zI#^j?PCYks(YMSIj}`y` diff --git a/efi/testdata/efivars_ms/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f b/efi/testdata/efivars_ms/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f deleted file mode 100644 index fba22f315070c5f96458286976310b59737febaa..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 80 zcmY#qU|>)aJ95w`V3Na{m5x8nCOd2R0L4JS0Eic_*tI~GWrfF{_QSbC(s8zrHym-A i@kd5v*6%MTX6ElyQD5iyBxUwwpCwagN>>E!2n7ICIv=(G 
diff --git a/efi/testdata/eventlog_no_sb.bin b/efi/testdata/eventlog_no_sb.bin deleted file mode 100644 index 5d22bf51f08db1b229ebbb59bac3395ac6490062..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 9382 zcmd^F2{=_<+umm|ony)rAqN>UZZl=(5He&YWQ=1v9CKt2(SVSs2uX^hWQYu@G?)vO z${1x#h7$SrCU0+jec$)~-_`qF|8@QA*n4@_+UI$mz4o*2d$08z0000Kbo{FDL5(Ip zE>1WdO&mVZ#oHg0+PDk}Ad%32Xn+a80=SJfN~qds9PcMPETuK-J{2}+%xZgws}Qfb z1q*bnS^3{8Hf}c;es9GcON|nW!=&Wz6OR~Qa$CGTK(+`wAt46B${%d{y|(KV z?=(;6j*8!+zm?VNV1FbQD4mmg>Z5#A)&!yEMUgC zkvji<${b6o+s`m;kKE9k{7qlOdQAbH5#Rl7)o)Bw*S0Pa(AZwt-VqyzNxSo`GB31-Lm$~E1L<&hGm`Y^RM(bb8ekw3C43CCu6|3swymN763o##dZn zwh^8sZT4MVA zYK$>4z}p#TOmy;)U;ydiMhrETri-U1PRH9xOo9vKgxgTmEPu4&j65Cu4-!dUI6apT zaQjvo30Y7Ul#m1^K~T8@%)^qYOkY^Xy-1WGxfBcUJK5^Oa*hLjsrN+iHq0 z?LbB}m11H`|9_P55x&q^Y5%^qE797Jx{V zly3V213Fu!w0C)r3UZv$%yUC$rgT>ok<z?+2w*`M5XeipCfkptvi?>2X9+Ju~=n(kYw%WMgmuyG)C-&_mGy*FOV_Nnp z#)qV6?sBTi%&g+l{ejGaeWVaCmO-Iw~EL zVI?#q6S3UE-(UTlS?*|j|7TDz$Yk#8OR)p0vQ7)8PIGi!lKEqKA$>(p*J}6^-w1gO zUhNSqTt#c;`_RMv>NCnqS=@SNwV4L(Ds4!PMPVau~Y2nQ$y1 z(R*EW@%=*lwghy{bE&yAAv+pGH1?~Dc)ld_+{0VXk|wWg#;%j1@TA;DdHfpl4t&f0 z62V=U3KG(eWBT-t-}T&jI+}asN8n(b6|eP+nF>3K2**k;(#j7-lX+qRr-td^37zU~ zO^ju7ZbbqUpRe=!EL!fno|Ulsqu4beCS~$}1deZb0kA@SaM1(szkrU--W4(csLNUo zvO-Df*VzlskDUzG1Ea~tA^7OnfDViUrZZt(6Y8hO2u7v+h#KEef|3zq;o#>+@OJel zdP~r+#}Ar=#SGNl6;6H2Y&+ejoqNaI)*Sx z{<0ru>P8?rtI@mUBI-0+$E*FNjv^>7+$I7v`K0z#O7jXcfc6^ZpF7W`%Wci)eFu{flOw56bV zp*!j?^tOy{(raQeqI%fcNiuB9Rzuoh>?L{TQzz~(48&f~$`%=0s7&dh8XRgs7hMH8 z-t75EZj|MGXyH&L28vnazD zc^^4Ba^T6iz}6Y3)W&Nes<9#Q5yQqs>}u$fTZsoiwm-hWghW$s#{eb}XFCEKfEtK}k&6z7 zF+?0l2Mg;kMh2oF7z4TB23|BP$P&qfKWMBm7;d?xzQ^D^uNmd;T|DkZpbdNh7upOo z0r%w^=IY1kx%vD1>=GAuB6*5=ZN{>g6VXfD$AbX3iu;g=&H+yTe&SGAKrs%5E)=&= z&_c0#015_B6#4^Y#Gp$-dvZ$XM#;!15D2s>Xbc){${;dM^P8cdprBtFav}W%3;sV% zUsNAXUw0<8_SuN+jFO=SS zanN}V>3V0Wh&{NjrY*tJnYzcKg)RR8SifD=u&Uk#m>NLvX+o3y5!WeO<&&- z!#(LjpElxON$<;0pc}O_?_(v)n5QUIzmXfXO360oYyKoBj<+EGap9_E_)~%_b4qyB 
zTm<7NO;Vy_eC)(Mp6Yj#+VVcXv#ZfJy9JdFI-vC=aWhphN7i&lC{)!N3py1eb%sY zc}!Eg3Zxp&2kgFddB=*8nrg^^s3FE(Akf=*DuWPujczHPtOMUvV!{-~^#w#1%gH*t z&?T@-_qk2=Alp6DsJq)ec|uCA&(@;ywCpc8Q#5f$e^{Lx50SL5@4I@Dhe_{IW1rr{ zVHFFR^0$ToH_Pl%JSL?nA)GzgYFx~5ratAbX=Lca%A`p(r|oyohD_v@bJ*swRK?$W z$G%u`nvW=-Gn}%V7?OFHKwFv5fg?Np=@C;Y(A)g6fr&oALpqne;*9-Ao3eWr2C`j} zvGwPFWT8B%l3J(X)q6{_r}CfZ3ZS<#$*W)iXWgrd^N4+Xyo&hjha+?E~N~7e(j46T2~k1=Ig6A)CU)5Xa@fL`bzPQp(cLKLA?+M z)o*eTMWFe*9?GAB7>r8zTksruH-#oU8pXKtJD$V*g42NJ8sQ+p$-&(sL$%D^HR75lfiDh7&dxXSn4RSSZ*Gcm{yXS4x75Ub*h z{wn>vqQ0FsB1Sblc5f+zPz!L^5u~JMO3;r@Bd5t@Zr{VjK40oe`Y2y^rJzJK%rS&) zZCFkp?$TlbT7LkLMhY9dV=b)3iODXDa+EWQn<5#@3TV z*ru)aEN>FgyMq6@EaP3n9)Z$o$=zzHB7+ZFgT{+Z4VG-M=y;c#8mvX-172)Flh!+y z_nTG`wd3&rEBb-L7Ybe|W;cijlogefS|=XsO`?H_#{k?5>Tb#q z@hJZ_;`t}Ke@Qt^D`CF-E`~IDm(M6D*D4y*c?+x1Gx~ika_iVrD6OBELB>BVp_S|q z(z7NnhWD6n7!|B~!Fe+AB~|aX2YWHH2i=cNviG8si&(c7WLFQVO3DT{H(KAXA3-;~ zXX(Cr*KNk}>MK)EBha#NBJ6A0C4&?5lVNdw7EQ+7e$v(-^ApWm&@U*cramPNx6Oy2 zD4kuzCQ^P;dB{nMFsYij<1{d=B;isPH9B{-m8Bp@spxuklX^#T>;Y5GwWIHAIJJ|B zWqt-~IjT7aMlT4JZ%Oe>3P|{p1@IeNi{nyZOb8Bex>R=14dfBz zuJ<>ddyf#fty!br|t>y_ma^06LOx1#jb zv#1G=iJIkBoabn~SDk!{HUWPs?%j3VnLC+}@1+;mI`-r`QR3)Jod(eVKm-4Wmm+eK5|WbA zGMh^gNR)y_Fe>VA;R9iC=LR3}eCLBdEw6B9crBg3ycW4g>ACj-p2}U1x}YIGf;@m) z17Yesz!E_*m3kOk?pIHZxvz_N$i2rRn$f)=ocl#zCtEEtS+Ux5^=)nEx#j}a#0a%S z8><*M$=k=YA5Qz$avNqPhOKF;96u>p&cCNLpkn&r-tD?<;Um#moWVi*)Ma&xbloi7 zwada6_sQEXe5rXEjC{E^iDA!p7E{H>`0iFisA}jSm!QDI*5F!H-wDa+&wFudIAIST? 
z4GHgmd}{Qlj0iH({m3WBX>fr*ln&<;`KKidV@bURRb8~t*<;TPCA^>UWG1pd{XLxV z|7FP{L#e(7K51JDq%NU%vy|DXB^f9XHp8GMpw6ya>=h-y$BNPH<2y^~LKbXvv2988 zi^v!?@{>0?=TOxjx7o6PFiQS>!z@-^kONm&Ub>IzUc=SX>D(O2FX>i-&ZqmOBs{9C zGp;5xqIqL+KG$K2X4H%CxhmaO)t0t=-6s8OSqz+%rYGwj)K&{C=?HU4uDEj(46|Fp z)umTt$+sq*#Hlvi$l?nSXnlyvU$pHUlQlh5ZB)_C&`D8$+y71f_LGs%rda32nOHo; zUmrYH#yk2Twr}cvqf~T>xgM+N2e)*J*7jM_Z0YS+aYr&mxc5p4&(i76y2V$dnn?y+ zaF2FZ%;(!uFjdlvE`8jmYLy$?nZDOCg=d>T=P@O1TFt_dvTSLY>&v%HibSF&3&?z1 z&Q;Znvuhq4(Ke+$VIFZKhb6N-uER|^nYTjR?xfL?$bLm-mD}1ZB(ottp6ky;$57-#`AgfAweA8m zJ#0sZX=MZ)QNGNDGaUlCxmI%apXAf327-M))$EOnPg@))MdGJjnr`KX6IcQ$QnMEd zYpr4|e_XO)ri#1F40f7ojlL7volJ|E6`bqG0&GstB3ByPUbEQo#)O(l*-Z?_8#Pp> zCrHI1y>oqs?~@=F`FY8*xpB64onbbXEWrRjOLOC1qg2(am(@PYp3)H9?1i%=`9(Fk zoamxGwefeo7})KUhRd4OGgmm6vcAl>oFP{45GYj}an3%qw;=rtd$4hp8SFV4IyMq3 z$%IG2V|a|Kq#<+tI*O zwS^7-K3t%L2dw8?l7?L!cc6lmLuJ#>W}?FoN_#j%i4PK#s)9C#p)0;yM~pwO zsvl*_92APKc~GG-jf+H*VSy)+G3~jWk0$R*iTdY1zjtCf)i{cAIG;_?oWX)i;70XFngs;lkJP$d$Mx-;0KgkczXU+np%Fss?QqU&qiiIJLepL!EMMir zR~myo9_7{cNF*994cI{2p;~|rRKuG>n_6rDKfnzj0A4^aAPYzXV$hu)gk%7SSVRAG zw;!e}PzJ}e=3C$PVh&zf9Lw-ihH^ZCImyEN8C458loW5yKB7r~iBBGja}0WL+Fi}k zAn;Jh5Txs$-EH|dzc`6 zOfjpX^O$O)fbff(C}_6cZ5d~6OIP)xU!5Mw&_yfEpA(bKfDjW-N ziTrjf3gWSwTqEcw)X4RzYfFtDko!>i;qIR?YZKGfC^j$+)&rLf48uWN+aVBg!E@gW zLIqBet|? zamUQ@whC48;)!d!Qde@$t6mM@KY_*qsbZ(H%v?ee?LLSPoJ-QFPv3ST;%M%ZOBY#W z2})}D`kIgqqbs)dS_6Q_m0L=E^skb5H{Tl=pgy>mK{qhX!hYQT%KiXOeR_%`AxtKnR@z4%Dvf8!7Ff|nmh`y;y zS!T&B>y)~ibeZP%CC~Gea$KL3P!(VHikbJ0bNy9YFfx8;LCswrq0yDs%nij96rVrK zPpDkh&BOwIXeE!(BPB8?Zrmz$kKa`}!<*-1e6QcI*n0X!yWLH8PDlqnnBc#`b|x;Q zK!THtAM_)OK;i}${%Azo4FBq3aBqEw?DCUvvCN1)tT{ATpu#Xf{c#_uXxq7S?_;us ukNby(*Vz?1*r?8nYZkto$c3r)7e?Ds$ZU~-HA 
diff --git a/efi/testdata/eventlog_sb.bin b/efi/testdata/eventlog_sb.bin deleted file mode 100644 index f27a6e68f181cb7e04ad5a12a5c96e960b04e731..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12254 zcmeHt2|N|;+y9)!c8)E(kRyq#bB?{Tlk7V7t?V4TV=vi5R3r&)LXsjWSt3g+Dti%H zWQnXLOAGnW9C@DV>HYnF|M%bX{@>60{%&UG-1p2}*ERQCbA7Mn1^@s+LEEpI5Hx7w z=i-FZ(Zp#5yZ8ix(rcF?0VERog$CFFEPz`ZqlFG@gX7Ps4odGD^_UKyBXZf@;V;nA z+<*l-R;>bW6%pIb#U`u-;^5JVYK@eIw)ZBT zqHX3U1)>u+7;tiVyFQP?0wr_uPyCb*%b6h5oE+jW&*^+te4YMI%JoRMNUasJ9mNb2 z0b(e70AT!f{GRR@jq=9Gh4c)$Xu3OQOhv8xE^9r(0?CY1S>2Bx({38byqjATSe1>e zI8+W#so&_;Q;syy9`T2~PgXkL8>p)37)++Lq&AsobO|4%#R89) z^=^nH=4sU=P4riri8&t3k~tC_9DN0^wotlBHJ?!yqT%prB>CZqt_?*Dz+fgy>WzO=cUj5Ub;g!?xnCkecILZ>5CQO0~QdidmC@< zqK3SBU5aUTRHCVar%g4Ljd@b3_?mz)kX!K{n)siY!;=rU)^D0&4CnzDtm-e0q+ila zD8IsPEB21Oe(pMSO`Cza-*Wb_;i2X944vK)TQCN77K}k2%0VF!NF=lIh1x?&W4CHl zB_4*hcDY{w8K~(*<9Ej|F(43FDgboDV?jDoV*U1yl0y4vc7+4wM7&1dsrN^46RT()hKmGziLB|JMl;gV_B2Bp|2&R1AU%0AmmsWDEiU zT*qx!O`LSI6lBq)$4%cV(&X;%mU~|Bt!Ei+D1Ldf&1wTzspP#gA_x1HkN6De{f57>ZggxWa}7cwVcpwZ(6F&-d#m{zc0nqNK+_zp{!}$m7U0$ysZbCN&7S!_bFmtZaG`$e=hyP%i8{> zHdgh3i!?ixO@la0bP`W+R+^4rN}T<*lYAwoav%Af%FvL%vg#Xi;kNT!>E4RVPWk@n z8b}lZK;&tG8XzO|M){Z!h*dNig+$JSEO4I{?$d(Q&;f}+P~JKpBbo!vw#zq_ml;RQ zGH0JvT-nXFyFKVl{`V6NX&W@r2!ObFD{Q2NTzWx=B-F-f>v5mZjtES8wvE&PEVGR5 zvOiATFU@e5-#s#bTcNDvZvKqh+Qry}WLj+^V$WneAPVz(ZR$EK z6PsZrIwTwUxnt||sy=r4!wJtnfg&L$b6*D}_o>P`EtopZF?A90#&W}+6+T(5-kS7E z)bsV#9+85ri`Eb8>=jvV_pJ6bw($dRJqyEW(z{FYs_Ny7J`KK)eM=Nc+fgZxValD2 zzykQ*>#Bcur|)Wy99sJwOy)^VgOD4X%<99Mi?=At})jeUz& zvrVzc_DlJR=|?fo^p4*3;ye{2u>7OpV0|Z56A(Kcei#vfB`h*348>4+VF9Q5nb1j{ zs*R1TrSk5D!jqq_3;Hcu?zx_wxZ{K5HBmNY>c1L}Z}tM4e)gh#A*1F{d~y|fh6dT9iSq` zhOiQTc^+r#P9i(wj2*~HXNO=f{#%dDrRhtp8Q5kNd1vM~SH@-&T?C)E{OY%Se-cVg^|#ePks z9SuXj?r5Osn^LAJ@5!mis$pv9>- z3<(}S>Q|A^XE0SVdge1nV{gNwC*w_0qggXsl2KDf=aMJx>VDDKz=Dk^*G}_#{sw(` zazPqB$&3*7AN>@|x^q>CPRc!a*J`!Vo#(~=qLxKp7`wuhMozozc)U&Y{4&`pcd{gH 
zc2Sl!>OOL6WZ&bn!L74SX${xHRO7-DB8Q2E<7W@hkW$#!EKdx=2%0H92xI8Ps1ayH zj66F6vOfsmJ6q$ptkIgIod3v;rOT$z?COEXx03dO+<)A_hD6hE!T=@^W;+5JfEtK} zEf*7P#t`u!6WpPgF)9!RnK6(b9uP!xfgDk6TCPNm*AbQ*>Us>%37XOF*uL4L5VVCa z;76N*Cg7eNqa1^HJ@>#szwJ^|PGm1h?{!_4bn^9<^7ACYqf&lkU*{mFzyK*oEg&6- zR2R})NNFKm-3KWHC;|P0vXaoHpglD$^q^E!GzbLR6eNPi>wORzulbEpNJz-97`c%D z1rC8feZHs|XfmI~B`&a~b0Hs!?))N}#!KIu)A@d!=vp|FTOPDO6)2L(54N5NtEiIq z*mHo{dGWRL9MbL1QXx-hZFO6sr89kxMKgEaKB}I9`yHgV-Fk$INxLp^p?;yVI+P|) z?Ca?P8S}WQn1>~5LVjmF-+oPH>doLE9ZTmg6Qw_@w<@xY`M^?d_{GlPDyrtNX{OY) zGmT$g`9^p#9eC29^+IM(h9cAGUh`*MR2lO$1?o3)LRM(G=lsndpN|*JPk2tHB6=>8b(A4FX=g&*6DHK^QO_LrMz8Uo0J?6R0xXL6#}JREAuA%6`YYu*uvq zUb|e5%7lAwc^1o03Hd6VA3pv$DJ=6YiLoM&7e{sK<3qL*pttEmJsWe7r%Vn{d6xYL z+tPa$hH_nmxVm#cqEN1MagEdP%DpAI6M2tyh0&aB3MyE@S@-JVJYtWK;7+a6Eh9`S z&El?8&@3P8FjL=*OMLq9+h$TZdc0C%B$(`V03fwU3Xu#p>uF^hQ7d`-B+4# z2sQa@4C;k2sBRsDXoAftbZCE4VlX=KZ?Wf)Zwh_vXcX(VKkYe;FE|b8TO+xWoE!pO zaB4w;?!IIa1ViwryaqjZ5U+?=kip9kDA2Rkm4&-tbll$}sw61BCaTb%qFRuAoP9$A zaK>xq2SQbx@xKZ`FX(UQj!4oCkKJ3!Ak_c@wIpfj*<$n~)2JEh*xUDTaeYf&$sZI- zujCg?ggb^&tq$v|pk;A>!%btJgJR&I4g zgB_DT$bGZ@RU^w#qmA&4a448;BTDDF`LKyShj_g^pGozU&WE!OM-I8u1!&qG%rzBz z5w^tME^Ft-D`wkPb4D=P*Qb1IpB(F5qaNXsD#8x6H1XFDT0_Q*ObwT8vFHSsn;Kk& zWrN<_Ayd{{KJP}Y!;c08KPvwaelBlADjwr#Iu+WQ`stie_Umx7YbL)3ex5FxKS~+T zwRLpwR7y{^>21sAY68vI;Kv9w0QGWoaM{;%K%QeQ}UA)Q?V9#Bq#AWZ=t>vf=k zfX5Kj2X)u`5b!AfYryj#(EcUluq}uC@3|P(=u`T9|j%6`6-qyf6#jSuuOa;_dnrg(bMsfApe`KPOfR0(py zO%2xf>qgM^6CB-F@4C-AUVUNeWei#tOoo3=zhro9ekwdZz@m{T5FlgyAuq|i8Qo7q zH~lerxNSb-SjoFZY!dAkl@>m7q)FxE9jC!zCA>>%^yu8xR*wAhN`==?H>!7}#_coZ zTRl8c&8MB}TN+@fc3$=TzR?S!WgCtMBngPTYkL`>xKH_tt^L$16mwxW-P`%aj6=5~ z_awS%b05tuWl@S2b*BoseO%x1z^w+F2i5x%WKfKHj{CFTK3s0om2Z*Aw+QF`s`R{) z$@+6o(+%Vy30r{8For^)-RBqiTEcR~WQEZ-(c-=ap6=2iR)wcf%2Y1Xa z%Z|Ngqi?uf^OBvb8CBUbB%6x~qF&@O&w3In-buwX*^!7iTg3dH>Q!}wxKjo7X+eRe zPoZ8zmYmdbV#irfkMsNHB&t89pH-da(t6*PWb3JX1=a1xC5rJF+^607)CohFyVfhm zFY0GKs%}N=uV+ym5gYwZVCOto7pu-9&)_^j~1$ 
zzi}ucPrwrhGP3KT2-KB^yI^$m-+~8X;I=h9*!(9Rd>3Bf%(Qmt{L8V(MOrWY2U>I< zdi44A36a!6^co0L=RuB0n(4HI*s_2+ddz)YEr*m@)}3(sh<3}2e~o}qc2fANrpnP2LfO{cB|+sgE&7{uxg$nmviU+o z4CqU17n!;_x@$g*UEHH!xA3KUAQU;UI)&lMcp6*D&HDCM{Q=bjulYrUTRzX4@8x|H zkseY1PO~gbakRh8G1;I_!EeZY3tNkHKCS#yOVZx%@aYD$3GJ9+sc3=|t%I)E_HNo+rNtGyb=PEV8uftKj3drC|DEW_L^3ZMz7;!r`+lYQpL~x<%g63cIaX%|5)f zlqulA#uV8V$Mi?Vs!^xh+(+s2DLVc=CoT|-jdAf}T*RomoXiZaUAJkNdDd~vu z6P7&$NJgidBh+P<<)}H6Q*f&FH?oC-gj-usd5dTw=T*AZ<~#$)D@H_mfpmc@6tE2j#UOYKcDK6Lc{(U^T|7v?1y z2D7@nf<|tU$_3&-({wHl8Fcm+i-(wO5+cYy@FJ2=#+SaAb@1R`DBBTjY+gW+_?mn8 zlX|=`m)V7wht{V*f|;gl1=<-xQq5aO)Y3QFB2`8+h7Z~7R93mI%|SLB654#d@4y&} zS~PEIQ|hj}07DP=;bBHuVMmldd%29RK0_WC%rm4q4U{XZjR`SqoW0fvp@(4f@7us#hXz(Z#?==#$Mgp+FD;0-K^ku05RSRy3CZ*op6Cp{@ zi8VS$#;LZ{vsG^3hVO?PRPcc5d@IuMWAp7$$8NJy<#)CR=qW23SZ83MVv6H=%t%^Y zP`X>Qyx)=2?k1<2gNtnP%|9z|cU1WV7Ro_1ey%&v!Nj4q&S$;QVFZ;uoT0)887fsl ziDBr9Ke;2u`zq^3*)m^?##BEj*OI(G%AaWJ`)6>46DMuL|*)`w#rWfOSX>lwgKpCp>1fNe8vtd;&;8ogr^W8&+lLK0* zWATn54^DZgSsDiKFCKzu{YOt*_D$~fx&HBK^&vTYAW1_393(jjdIR1-2;e{|L*W23 zzz=#a4$xe{@8-W^Hf*7p34!E+`Tjgxu+~6Y{!J@enFh4*1ygEwgiWf^TjhI3m*&i| zfRY>e=10RPK_`1f#r5~CurJ&uKQN9Q@)a!^x_{POx>^LHq2b`=1?7)%u&bix=jR2- z+i(!;O7``}sl#!&ksmw&Pu%bPqJ9^xwJ-eleCe=V`dxCtbbc2tC~NcEXu%=C?~)6) zvV*|74klZ=9@59gob7YF(Dxq5OJh(IPQwBQy2r!=S$EXdZ{(Pm8z_GobZt^@;n}Np z`|LrD)N_(=cS8dGj1TZTg&Q2Fzzt4m{X1TPip2kq<(_}XEB}sH{wJ4M{vEIU?~Yes zoP;3bn@^;!af63vyD4TxVjffFD=gN369svXcbmt#+D@u^Gq22yWay$5=ToH4?8ucW z{%G+O@hGKQZUl0;VPD8tjc5w{{8hA9B$W$Av5rCGrWV^v2XpxfRcPE zMpmubom$?Pmfo$b<5(1Q4ZJOiXkpi5ACUmj2L6v-8>;nyoEGJl9Y6cf>pu1>&6mW>pvs)pF00De}M(v`|sK242#QgQ+r?TUri`e8q_+71%zIg9xeO8zp&6XVe$&JS%59d6-bdf`jq@C=>v1d#{1{L(fxI<1 zO45gPGZ@;ufB;8_Kykb{v}l(eDqs+PBYR{wyP*LQVaY#MvhemDF*@E^@IKKn{C|;Lp#! 
z&O_nb50h_kEf|BAfimg5YngO9ph|5^4wrbE+g}pt-xn#h)$weUzrthS& zs?EJJ|Ds7-iBFi#deO9A1k;gW+ozk5N%6GizK}OP@y>}X^r4b~&DM~2eXgk+#B{sv?`+_ zTnB6lTNHQiSv7fm25)klX9sf-inIDnG%_mPPk&cMdZ`k7EB`U%pgS_<%O`EVgSm+N zG<%w|A5Xt%&$F9OyM3o~<;@ho^qv6pot@;;gR~zJtC6G&2`7E}9HWVY)wTaiewo*8xK|Q^8*#lDpn~^^eX*pE2J9hKMlcN|!8Q^0 zlpwqK4gEB?dmf0XxMpr7skpQ6XcwdEij7?6DiSN<0#_SIi3LIuY+Z zH!8B8>2KeAlZOwYp%qFBT+0%fxR8TMPA&n^;^bi8wH(rqOtj6kUbKYv)^*5zejFj0 z8M&M5JOdUeHwsdJ^o(4%@$A`&*wbQ11H&U~_ZB$Vs?JMk77R@0z$vO Date: Tue, 21 Nov 2023 16:30:56 +0000 Subject: [PATCH 3/4] efi: remove unused event log --- .../src/eventlog_dell_embedded_box_pc_3000.bin | Bin 20161 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 efi/testdata/src/eventlog_dell_embedded_box_pc_3000.bin 
diff --git a/efi/testdata/src/eventlog_dell_embedded_box_pc_3000.bin b/efi/testdata/src/eventlog_dell_embedded_box_pc_3000.bin deleted file mode 100644 index a74d8c2a7cf04e8b1411d81a25f8ccec15afb4d9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 20161 zcmeHv2_Tf)`~N$Pb?j^QK_TmmkR@c#zK1L|#$artnX#2UsYsSkLWz`+P!v(Nloq9h zN{d1&OH#Drf8LQ>+}r)#`~ThVf4yhsecyB5^Um{}^PJ~ApL5Q0-hm(pq6fzx1qE=^ zF_eHun;WA|!U-W%%$kMA=pY0gh#?_92nC@bMgwbe@P+f3!Lg9lp)!6-CK0+W#{W6e zpxt<+uxbq&1>GZ~*0UHT@}8&P7%%vlo<%?KP0HCAIo&e~Ar<2n-Z^uD--~|@bYc^8 zUVrSA&4){Z=e1$Fh~MabeZeQfXY;n139DWd!B);fpO_g&tSx3~n|& zkurZo>gua7laY6Ie$FFV5fd<72s%1XyWHMDyD)+?8#orq>xJg-31&NeJMdhK&k=dq zLkI59#G@d-<~ZNAyS-j!S;&}SoIl;^FDx6r#5Fx2eTnh39Qtt@A)Mtu0v(3Nn0Ud~De1r3H4G&@We?u_ZN zIsB&iLEmd(3di*8UY_?Jfw7yq8l(O`pP7b{f#a91@oB$|ITaUCdpOKtV+9Jj7#c4< z!*Ds6t=d(ARj$m@ndS5GfPIn3n}uiUyi9FA{RKX%OrXx7J>nPSc5k-lo%MPHbL-Lc zu8a;xqdT%O%qZx_H_J0}yGu-(QrNGZ5gPhUJDywWxA2`v(|Vm7<6)HQzE@S8{zjqu0fyf*hbsdI3dn9*b&`t8u5&CYMxx#oRC9+*T1BTOPvp@^Oi zK}UzQ8QHFlVP|BKPu`IHksX0RF+iAv5-cxjhDMcTIkN`cN6pZD=@GQBB z^Z^Qm6~OQ@(mNyRdD)k!7M2^sxp1G^kw6Y7;t3S2C`NeU7O!2HcMuVewj@NMf6HaV zurB1%8<-nlB`{(ODFK?=nup+((dHCN7%{{TZDfGPV#Ed6v8tH0*tHmpI#x}66G*Dj zl2}zZi6Q-+O0Z&>VQwg11QyGM;aG?>ITHOs06*+XjMPF|M1GXT*~HWwZ5M>2!W{^% z2qqCB^|K@q3=n-Hf)fJwS?LlH2A<4!a*Os8Eo0~n;!n3Q z22##SU69&4Qo+a?E_pU%>yfLOpUqb)_y(N&ROS`UYyUdreQBDza^d*QeG>;eLpFVW z)|=}>FCBTus56kxTDm9sM0F(VYWn;t$ABpl?3zH$?cQD*xla5Biq`v68x2@f8cf*O zN_Vi^>!b^O41DO76MfBZx`B7RLtqz?Y!NvYD65j1#ZaU3sMN~i%5{0>VZrL|hjN=s zl5PaO8TTe{J-LT{dL)*Y#8%UhgF4VaM~{FIC5eb?AdyN83P@Cp6N#j!V~WS{!iiN# zSOb_97!eE%O!V}agb(mt31q?;CgC+krf6l6R5IG1N)6RkQNfdglws{t270N2RUrb! 
zAdr>8T};BoqJ#@Y3FnU`)L{~8|Bep)Z&G9|J53g#10jtZtgsjbxYk@qpmXt@s+c7z zo&euiqT~|r!_vqV7=d`c-MO0|?U{KJYH!R3WkJsS+7-uqXq`xm11W&y6A7%a<^I57 z>N7L9Ool1q=)PdtM|R2Eqs}7=f7>CIbj=2@&K*O=T=S9evr)S`F+2&}sy< zD*H-^n(=F5gvlgjm6Lm;@y)L6>>T~iRW(@GiPpMGDxOc?T2Xv5sJew-Gp46*Lyhh9 zb-YQ}Dj`F^3B^08!=dN)Y|F^=JTY4kOFsWT+UM29E5&Io3Qo6fFsi+M$5Q!Vb8$D* z0juE{J+CwMud6Cz{pfsNCfr|hmX}vkyrL~>#_e)-G?l!nV#Dz*>nptGRjy8c&QIbv z%IPbAf9F)vwv-n&SH6YV=XE=AO^`dZLrpxz$e+AkRnUhYFK(!q3#}pAZ`(56a%*?Z zvu+b*DQ)^{Z0j8Rmin!nGKa*+MZKEo?MvT2N8>{$F7ax$b9vztz34`^zpm?<6gpTF z|6-|m=bcn(qU;!t-h+rmsm^d{zDQ&ULP7YJiO5m&2H`f|>b3r5vZJ4Cq(f(1?Q0J0 z)_JddTAoi20Pb>ZSsdc5fWa69OUUF84E$p5H(=nK4}FPnqgS$_AJ{!ADP++YGVwAw z5PX73AwF1fj3`hVBr7k!H4#rHQAoa2FsLAhk`{&(SRITOoKMfI`iJ>wCx0T@2W^KV zQ=`z}?V`A20Rl@~e1lsyq zuitysp)#B|u`-o@ENv?FO}oWcBW@m4Y@JzF(BqfLJ)_fWkfU4(`K`mBckr&8U&W&0 zA8tC|XnXPTsjc#^{dKlmGyQ;oj1OdZft1tjl%GoZ}C~J zr=!*do>m-oQ7)OkKk!_K6vgJ=;61=F(G(-svB*GA* z5=tidgyE?a6`&SC$ARhsy#-1ObagXO28vg#*RI-_&x4-i?v3rB1>bX(R zJDBN~>GO?|OeG3)`Tc4elg1LSRT-=bEeL!)m%-VWD=|EhEm14amS#CGx0-AF$G+&& zp6~{St5M^e8CeBwbI(YzL7dy~wVFIpv(MGy9QNAyU&ItZWA73D_%mY@rs8;q*;7;2?MfOQ>~1z1KBbhje_w#YrfB0Y4&@0~l|(NL zI6Q;6KONF--BSI0Ooy+`$B7aNT`s!5j)FGZo^HK&^JgR_@EYV0q$VIhkYR(m7$yZTr_So)R=DPTtp1wdZwY**{)TgbRYf{qm=r)HRfwVZu zFoUO^AozeDxO|eq^c|r_{}_Y%00v!J#2}{djWjyU%ajWX8hl%l<(80H5p^pWc5(7}$8z=47mjj-1#*e7YB!;jb2QB8B@ z+;?q}R=o7stkmzLz3gG~DAVz-25}un_2}WdW3mmqMCTg1q*+L1rkSlFx$6w>UN6!2 zqzkYfBTB52^U#=|HR5N@9uPWv>scGmi#B)J3E4JfykQ~pAXv} zdLHe3+VP)(pZhZ#ucyB%_VD)a(ap|q@9RFaq64#W0e);T))>no^CGiklfMN&Kz)Jo z0-ap|9*l;P>KYpGY+3{w06aDrD~!cr8UT;pUjv?B(EdZn;rkZ7)xI>UEu{9XmR{33 z2hI=$eJ)C$afGZyLqSGDy`F8-pY3k8B=3DqqW;NlB5Eo9uo{(b}w6 z;jv}x89i6oU6$7$W^#Ad$Jy`pH4{oJuIABAkoRYZxR7b(y}iDb=}P0aU260kmfqX) zUSIpxZLzjX>6lBj=$!83^PHQ$^md$~+exSW=FG#8A)@5krwKhXVL}XkclWz^trpR` zI-&IZ=8y@+{q~*iZ50ASiKec%y$Tb~_?-??pK2P`U-?44m^F-XX2r(5dy$Gg3?ieq zcOweRx!y56Ym8OIpJU9ImhAW(8T7(ckWoV+lZXDsv4>Miji0j%*N?9-dDord5vW%| ze>Zf6JZr$fX0x9AcvjV^(|sBe@}ZlC4c(ZxTDmmG?ns!FT=zk=^>RbTevaKH`;%YS 
zpz|&synZ?7n5TDd5uO>{9L5z9qx;^Z;mCm_*InXCYfd6>MI7@Mb&FjN1M9!Tz)Eoa z{ZxdJ3&6mqMHpbd+d+c?}T2-v7Ds6pknkVD0|m_L1w4@Y zfd@ZLuh6u0r@smYrOZKAS4>y}EZL5=?22OyV>3cH`3wleF^y-%plT_X*jPI)OmIb) z1(b5{PAe3BwKmT;h|gHp;57TPsi&~x*ou@mgA@<99sa5p_L_A~Y;BUXJ(LnXZ>*n| zu39Uzp(?CyqRUF$LMV19@sL<#gf&}r^9<)*fxAs#6iV$iJ*U4m_D9n7&yTT+u&UTE7Fm9#HLz)7oHhM!t=Ymsa1&TW5fBSxX*f>+7;KB>}R{xl}8FGCDon!)@du$ zZKv)Up2Iv5P*aS!zX%5501U`r^>T4)0p=nMv^UFysH1DT_L@;XLL>_s4LyQ(XS8 z>Z?sv!)2r2@)*b(idd8fCunYP<8^-j+Ewki04lNE^Hk!a_#Fm}>1V~J=o{V(dy2fX z%lLf8Imu8?6y01~WzToHrSd?Iq-aJz=eLN%Ih4%Z*P5Fh8W`-@pSc_^!i}>J2d{d# zo>OrB)$S6DHtW-ec*K~U(wna|H7MwsD@dq*3y>t*=3k99RQsmED43d#Uf*)&(5f)m zn_cuJGoC#o8cy39?CS3F^e|nzKz;UDJU#yY_=*oId;)B z&KwaqSety?UoS(tPQ@$TZf9C&THmc>m-xEF!jv5ubL-*=~|rxyN$RPnd&Fe8`Nb-!nups*=o#fpK8k0UwnOZ_LVE@|)MdTtxAGr< zdt0`s$ZhSGPny~12O>j1HCiR_%AOghqBEHwwAGiy5(UDTvht^oH@WR_T{>l<7_aP_ zOTQv0(1FhVaL#HsMMuyJ1sw^iPt=(Yct>YpgVxwu@Wd%?U6aDQr~6_*+#W}Kw)`vu zP-OX(WpUw*1~A|RPgx>qE*h5KTtMhEQaYZT;U>)wYd%xc!XDzpLqkyzr;Dt3;_aXc z#^F?xlwO^)jCX+xD!XQasB-#@K{FML2GkJW$xaD;)<=7jjMENYVxEh>eq==~M;M$1 z=l|e?8@Ah!KKf97cA9V4MCJ5Ta!Csd3MxplNPnS>XXzGEPlbGscHLrRuEW=6Zd^yw z+^dZ>pGSYE11`{VJ_jEuQ{nqd`9yF?XMPybW^nA>XXiHc zmjhe(ow+jjm=^`{++3@!pBkVxZmB|u6$(#MIT>QLW=+M*v+e3B1m@~IBKUnO5|mjK zoFEJw;{hi+LpWvupDu$F)Cr$(U=oSg0-rX+C*zgiUMQG+B1GWlqTxpnV1R*$gkx*r zd*1MK_HYc`SvZ5je)sjQ#3MV^Vsbs$wXY%bt_?V7J!M{lwo} zQ+b*7(s;txGbOiKc5bB>NFUVzbe6Bjf<~nUm@ga_{d=~++vfxPePqBNc$q=Y5AJy% znU6!hou)>4;;AY#LMz<~h=_B#d80=5Vc{~>KvynN)gzWaTsI<1;) zfu`VUA;$+OXbox77dzg|q%*k=hjlwQ*}p$-e`CI6scDtjn?s7cRZjtpUrDLln5NyzG1A3Z+7y&CRA3Xyj#7L7VT|$>s~Og);*2D=Ddg6;O2`4Y(!YmRF;l;kYL4o)*Z3Qwws2r36!iwH9tmB$PqC z7CBjHu zbOQ$`*oJ$6@;y9R3m1{r+u-YIRw`UIJkLFLjLU>i{yvMfYs#*ytM5=;JJBDaQZ12 z0&8juJP_#LY{5^Ne(W_nOBZeJeENc|T_g>AKEi;7p@Op# zurUPi@mb9L8`smiot!(8$Y%SZbcqklVup01Pp^);Vv%%dsG+$`j%gOkSl~N9zwT$M z%uD$%+W4Oz`D^jz{CRAvzRq|WRyEkOtTsuVEQcUn8llCu{Z4fme;;6Nso?ng0oDUx zE57UM?U$dm-eD|u9N4Tj@0V6esZ!7zMghZVmBZu0Tf@VmC+VxFBt6(#RWMZdl-;%X 
zz#3_d;s?2a#)|dP6qq~Oix0m17Q(;B{`>YHiNt_juz=?tK;|$~D9GAkpCXl4r@2K~;LTKj-TkoBqZ-o> zp55AVXuv4ru=48-pervQQZM!>cxeX?@R0i7C7%Djhy33qo`08k{$KV=|GUKV|MwCP zJX-+s=I>}LjE=^MTx74zaYPbOW3A=TgY9)FD4KrH{nEz*(ih$`6=`!G`KlNloPSC& z&m7UeK4<^M{7Yy+1EvE9tWx3VZl$~2hXkMuS^ZXP2wE7XaezE{LIvX#5_-oSZp+1O zJmMO(kHk6pXgY+bCxn7__C9S?yPN$gdFas^hcw5sv_8jsdK+g2wVm7YXTnxray=ehu=T7Z0>=YZix4LgeLJ;GVpwsMCV!Wm8Kiyj z+JlGi_jj2czaZS@xf&4sFGB`D1Qmf}DRQsytQXp5Tr)KycTm>hZFBNOP~9^W6gv61 zXm@$iTz(1t;*f%9<4D~5;uq^GOh@tNcYHyq?J7LCm<~Wj74^CgxSpg+!xe#p z=J$vrC+~EKq~N%AysDS$@Cs$NcQ;HZ!E{{DrrMv7yWp@KB{tfV|6&AyEBj7#*Yx``MKx5riI0}^!){K!X-QVyT7D_c?SNlH9y zXmQFhOmHAenEPzI8np5qb12HXv`Dq5NYtgwdhm4VJ_ZIoE~BFhUYLaAU}O1Du9Q=m zd8jt|nrT7gUg>(mCYgO|oA66EasA-~@SgG|+rED6BL@<#?;Sqa^sf=_rlSmL+$qchdc_h^jAQ9nJDa%+iy5@t<*|A^U&WeL;LR$CD4+~@)yy{a)(LTM zi@m8wAM4xiUe=|x!G7NHc>&fjQ$&X=j9#$uWddD%cBqxcpf}T(KxZu!q`NAt>0EGHS7cbDmF*bM-i;CrkvH*^$8YUru-;+2#>ouO z@FRzLZ^j4vXrtZHO54zK{yrGRV2TfkqPkiIZVwgs0kjecEs0hl{3_d%HfR4)oI^!B zKHNM#ee6ofdDQ}J@8fiq^L!|X-E9Txtp61WhTS!T{{40R?DYjv;r7Rd&pt`subt#y z4lgVID2^nWLco#n{%9p7Um~z`N=g(0RhJBJ98yvCAyNWWh~Rx07~6i5!`7FC5S8*v9pY8_<9& zzWQgvO9hN?^mv}UJM)6}wSJ)j&dUy-k~v>d5Ub>tp0XQ^pUTci`KWTYp>BNfc%sqE z-n+|WQy%`=a2Y(2|4}1Qesn0A;7g3uUEubce3#WCE_P?ekux#;oGyuqtas}*Ms{k? 
zqagdWtD+x|@u9k7*>0@$F?h2o9bth`}z2vnt7*rOQ0atZ*iWlT1p?I#AEAOu3=Ba zo-uRQdj4>miP7Vu4Yffo@Dk9nYW&R3m+}Xk=Ak48U5P+Qj)Oz{vZg=qjG0&kE%JoEreh zU}6X^h{kWJj*Pb`l|qmbtASgfR(~c3 zmvP6I>nO;~ddMaoYybM`LnAGPa%TBgy1u-m@v|$>P~X1MrSNzyWlkZ5k@0_t{W1;8 zCL%C9Ec6u=HeNhw@meV z)6ZA_xuh4Xy3Dp<=;Sx~X6cqR5(^2c1mC5|=2T*iaKb=BdDdRqVs<<2Aiw!jXr-TWCSu`t@ItkCTQEE51Jx-Jj@P+jsp-Wz1dC)Ji)vpHKat z@CXeJA}r%UdP7J52L0*D(+;(dveF&QkT-uR3L-p?&{MB{?nGZ`Sm;{uGP0$Y7a92U zrSn=DFA+QLJBGr)l$AHdXBmh3HQ#vZMRetizbcLKJ9^RAiDv1cpdG<#xy)WRVFDBO z!;iRvyLz1Ih`ll@^N4`AA#b;A&k*?~2Or;{sAVjeCNa(@h39%cxv5X6M#;yxZ%CO$ zL7#-4`(>(R$v>95G1r`_=u-ZTN4GR@*F~#h>@CPWyjkK2#T*e0(_v`y_36@G~3H=7e;X0F!T2>I+LcQW|L%+;?RF< z`|;zyZfqJtFXMq=b4e~fs%3UGW-2il`&D>zU@`*=($c-`>|^R(Y@)wu-P*M9EoiHD zHnG#w`=KKSl^eLRJil%V@FvLeez9h9LcHtrvzr-y1%eM&8cMk(eo8<=r`NQNMxDyN zFiLF>GMG+u8;G(wkd>y-`(UR^q+M^Nz^?^G30uw~!RFhsE61_&@_3x;xyO~y`lGpl z8OzgnTYggHB3)w*G)a_-%DCyoa`O?-2CAIdW~(+YN3UNC3UCO;FB4R({mjlF&TdA} z@&QYC5;bKiG6%dMgiU(wd2rh~V+Gcu;?zj1x_eBmZ^OR!sU0!D%olEb_Y^#r{9&i@ zv^RHY1Ct-aB-&UBw$97UBa3oU>mD0k3NR5$&a*BN6r5ZM^bgzj?p6HdMSo*zoh#H?vR(xLvj}?AYCWwUd@dXYU^iS;Iv~sAg z>awa}oG~g~B0)PH=FYj2B-|PWuf_s)N3-!^>jYL#A3s(0EkwzvJRpB?osD;@eUp?Z zUsO_N#4O^4kQjTBj`U!Hcpm}@@&5e0Gh4Su>8e3oy6FS`wm-tUEy$7e*y5Yx=mt_7rp3t*>OO8D+@EK|8%t zlb)fVS1h?giFe$_+G{sDSHza)_dF@QDzrpe-@yZnsW$tOLYFb< zY!@wOzw)8zp#G$$on89oO}m9sP*C6WahK3&b^1Y@`ly(%f$C}3C%kSjdoa0 zNygRS>vlm~O9Vx1{*VEX6Fiz(Rs&5@2fuh}BkwpokrJ|xXLjw?oh2wpU-xQ}F^5s0 z%pRMs9Skbei&8BI$B+glMXsTqg|`(&;L+d@g<2dWZ6<|LL&In-@&}yQU6`HrY}!=t z!n3o@PDXaGk}%#6{4+rGqnz2DnR{*vTxq*O-_Wv=e9&aiQ2b%B?w5q#)wg04mvDmH zJD3m>wi!!h^La zh_oW=$iP@##|10KoDvr6t|ZZHHXTzvzBVsoLsPXBd9^>|=}+|Y4*~~Om&QZB#R0jM+qg6Rl49C&I zxF~OeQkXY!YZ&~p2RMTUqyVU)z!N4`B zIkbf;Rj>MwqM*WC+@6BI=U?O}u?t#Gzs^z49aCFd(!xK@^dxSL;7hjVKd-7B1?NjZ zgN6(BC*moq|5sK$galhGSkQk%2(>13o#H*^hVheYJ3KySHVEdNc0xh#IJXHfofPgQ zu$)w77h21Dxb8#wQC$uRub|{dfuAh{?)*XswkFnSVA`lS@V^vt;5~ZKR3Tx$I6M`s z%#iDhXDI_vIK>bqwbysp1%YDfP$%xA+C_Aw@f*R^so zg%h6hnHM3mqDuI2BV#)!B5!=kV?p)$c6rGre&&!_@&q*&a&g)I&YvT!H 
z(foy0(RRq263M|4I5GkJy#$pC-eso1%zYz(x`&1Sj{ouDknoFM*MmiNu&$i9Im@jh zUBHHdPRv@K<2YPEPP6xl@2D~m3$@=a>&wJn7OmYWU%q984FBuQ5Bvd?!Q2iPOj)#I z%ewaR<`ne{ev&UR*@wRA;rqZv_38GAdKAQ8ibzF7+$u0{X^7%}<~K6cy8kXtPrsvU z^k8w_ZPE?#_TvGrSLPRa{oWWzL-c zIl6zvnG?@a3&o>q|8?dl|Le^8*O~LLGw1&fXAWlRJb2EvqNZBuT*V<9_baCAQnDHr z1_~%BYSQwp&!qEx#PyY`yFXu#U9VTKS6W53l(4*B%AQ|?gn=TEKn@`U!R{OY6a?-6 zAW$qV@%!gjj~zhHO7zR=Y1X;DKJ@gwAy^ftiklL}auoK{XOydZ6DEWmE>$<&_|)%; z7`A*WGa)dFUIJ|kBmLisypUW5NEHXaa3!ZU?`f+LO!n0|cX`6!BohT$Zm``(XcP&r lapt~!zhp$R=~$a5dtmy#G2EvJNd|Epc!R Date: Mon, 27 Nov 2023 16:40:50 +0000 Subject: [PATCH 4/4] tools/gen-compattest-data: comment out some non-buildable code This tool hasn't worked since https://github.com/snapcore/secboot/pull/156. As https://github.com/snapcore/secboot/pull/274 also makes it unbuildable, comment out the unbuildable code for now and return an error. --- tools/gen-compattest-data/main.go | 116 +++++++++++++++--------------- 1 file changed, 60 insertions(+), 56 deletions(-) diff --git a/tools/gen-compattest-data/main.go b/tools/gen-compattest-data/main.go index 46562ad8..3e4705c1 100644 --- a/tools/gen-compattest-data/main.go +++ b/tools/gen-compattest-data/main.go @@ -22,6 +22,7 @@ package main import ( "crypto/rand" "crypto/x509" + "errors" "flag" "fmt" "io/ioutil" @@ -33,11 +34,7 @@ import ( "github.com/canonical/go-tpm2/mssim" tpm2_testutil "github.com/canonical/go-tpm2/testutil" "github.com/canonical/tcglog-parser" - "github.com/snapcore/snapd/asserts" - "golang.org/x/xerrors" - - "github.com/snapcore/secboot" secboot_efi "github.com/snapcore/secboot/efi" "github.com/snapcore/secboot/internal/testutil" "github.com/snapcore/secboot/internal/tpm2test" 
@@ -73,58 +70,63 @@ func init() {
 }
 
 func computePCRProtectionProfile(env secboot_efi.HostEnvironment) (*secboot_tpm2.PCRProtectionProfile, error) {
- profile := secboot_tpm2.NewPCRProtectionProfile()
-
- sbpParams := secboot_efi.SecureBootPolicyProfileParams{
- PCRAlgorithm: tpm2.HashAlgorithmSHA256,
- LoadSequences: []secboot_efi.ImageLoadActivity{
- secboot_efi.NewImageLoadActivity(secboot_efi.FileImage("efi/testdata/mockshim1.efi.signed.1"), secboot_efi.Firmware).Loads(
- secboot_efi.NewImageLoadActivity(secboot_efi.FileImage("efi/testdata/mockgrub1.efi.signed.shim"), secboot_efi.Shim).Loads(
- secboot_efi.NewImageLoadActivity(secboot_efi.FileImage("efi/testdata/mockkernel1.efi.signed.shim"), secboot_efi.Shim),
- ),
- ),
- },
- Environment: env,
- }
-
- if err := secboot_efi.AddSecureBootPolicyProfile(profile, &sbpParams); err != nil {
- return nil, xerrors.Errorf("cannot add secureboot policy profile: %w", err)
- }
-
- sdefisParams := secboot_efi.SystemdStubProfileParams{
- PCRAlgorithm: tpm2.HashAlgorithmSHA256,
- PCRIndex: 12,
- KernelCmdlines: []string{
- "snapd_recovery_mode=run quiet console=tty1 panic=-1",
- "snapd_recovery_mode=recover quiet console=tty1 panic=-1",
- },
- }
-
- if err := secboot_efi.AddSystemdStubProfile(profile.RootBranch(), &sdefisParams); err != nil {
- return nil, xerrors.Errorf("cannot add systemd EFI stub profile: %w", err)
- }
-
- modelData, err := ioutil.ReadFile("tools/gen-compattest-data/data/fake-model")
- if err != nil {
- return nil, xerrors.Errorf("cannot read model assertion: %w", err)
- }
-
- model, err := asserts.Decode(modelData)
- if err != nil {
- return nil, xerrors.Errorf("cannot decode model assertion: %w", err)
- }
-
- smParams := secboot_tpm2.SnapModelProfileParams{
- PCRAlgorithm: tpm2.HashAlgorithmSHA256,
- PCRIndex: 12,
- Models: []secboot.SnapModel{model.(secboot.SnapModel)},
- }
-
- if err := secboot_tpm2.AddSnapModelProfile(profile.RootBranch(), &smParams); err != nil {
- return nil, xerrors.Errorf("cannot add snap model profile: %w", err)
- }
-
- return profile, nil
+ return nil, errors.New("TODO: This function needs porting to the efi.AddPCRProfile API")
+ /*
+ profile := secboot_tpm2.NewPCRProtectionProfile()
+
+ sbpParams := secboot_efi.SecureBootPolicyProfileParams{
+ PCRAlgorithm: tpm2.HashAlgorithmSHA256,
+ LoadSequences: []secboot_efi.ImageLoadActivity{
+ secboot_efi.NewImageLoadActivity(secboot_efi.FileImage("efi/testdata/mockshim1.efi.signed.1"), secboot_efi.Firmware).Loads(
+ secboot_efi.NewImageLoadActivity(secboot_efi.FileImage("efi/testdata/mockgrub1.efi.signed.shim"), secboot_efi.Shim).Loads(
+ secboot_efi.NewImageLoadActivity(secboot_efi.FileImage("efi/testdata/mockkernel1.efi.signed.shim"), secboot_efi.Shim),
+ ),
+ ),
+ },
+ Environment: env,
+ }
+
+ if err := secboot_efi.AddSecureBootPolicyProfile(profile, &sbpParams); err != nil {
+ return nil, xerrors.Errorf("cannot add secureboot policy profile: %w", err)
+ }
+
+ sdefisParams := secboot_efi.SystemdStubProfileParams{
+ PCRAlgorithm: tpm2.HashAlgorithmSHA256,
+ PCRIndex: 12,
+ KernelCmdlines: []string{
+ "snapd_recovery_mode=run quiet console=tty1 panic=-1",
+ "snapd_recovery_mode=recover quiet console=tty1 panic=-1",
+ },
+ }
+
+ if err := secboot_efi.AddSystemdStubProfile(profile.RootBranch(), &sdefisParams); err != nil {
+ return nil, xerrors.Errorf("cannot add systemd EFI stub profile: %w", err)
+ }
+
+ modelData, err := ioutil.ReadFile("tools/gen-compattest-data/data/fake-model")
+
+ if err != nil {
+ return nil, xerrors.Errorf("cannot read model assertion: %w", err)
+ }
+
+ model, err := asserts.Decode(modelData)
+
+ if err != nil {
+ return nil, xerrors.Errorf("cannot decode model assertion: %w", err)
+ }
+
+ smParams := secboot_tpm2.SnapModelProfileParams{
+ PCRAlgorithm: tpm2.HashAlgorithmSHA256,
+ PCRIndex: 12,
+ Models: []secboot.SnapModel{model.(secboot.SnapModel)},
+ }
+
+ if err := secboot_tpm2.AddSnapModelProfile(profile.RootBranch(), &smParams); err != nil {
+ return nil, xerrors.Errorf("cannot add snap model profile: %w", err)
+ }
+
+ return profile, nil
+ */
 }
 
 func run() int {
@@ -150,6 +152,8 @@ func run() int {
 })
 defer restore()
 
+ // TODO: This data was deleted in https://github.com/snapcore/secboot/pull/156 and
+ // https://github.com/snapcore/secboot/pull/274.
 env := &mockEFIEnvironment{"efi/testdata/efivars2", "efi/testdata/eventlog1.bin"}
 
 tpm, err := secboot_tpm2.ConnectToDefaultTPM()
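Review bot: The new `errors.New("TODO: This function needs porting to the efi.AddPCRProfile API")` in computePCRProtectionProfile puts a maintainer note into a runtime error string; I would keep the reminder as `// TODO: port to the efi.AddPCRProfile API` above the return and return `errors.New("not implemented: computePCRProtectionProfile needs porting to the efi.AddPCRProfile API")`. The roughly fifty lines kept inside `/* … */` are no longer compiled or vetted and will drift from the API; the old body stays available in version control, so deleting it and pointing the TODO at this commit would be cleaner. In the following hunk `run()` still builds `mockEFIEnvironment` from the paths the new TODO says were deleted and, as far as the hunk shows, goes on to `ConnectToDefaultTPM()`. If the tool can no longer succeed, it would be better to fail before any TPM connection is made; the rest of `run()` is outside the hunk.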