Update DBXs to latest

* Switch to using https://github.com/microsoft/secureboot_objects which is now the reference for revocations.
* Also update EDK2 to latest stable and fix the new name of python3-distutils.

.github/workflows/Linux.yml

@@ -60,7 +60,7 @@ jobs:
     - name: Set up Linux environment
       run: |
         sudo apt-get update
-        sudo apt-get -y --no-install-recommends install python3-distutils uuid-dev ${{ matrix.TARGET_PKGS }}
+        sudo apt-get -y --no-install-recommends install python3-setuptools uuid-dev ${{ matrix.TARGET_PKGS }}
 
     - name: Set up EDK2
       run: |

Add-extra-PKCS-encoding-and-decoding-to-OpensslLibFull.patch

@@ -1,15 +1,15 @@
-From 8ca01c378d047e5a11c0ca1e62929d7b03c39360 Mon Sep 17 00:00:00 2001
+From 7052e9b9182947997cd90f65d8448f5e8e8a34ae Mon Sep 17 00:00:00 2001
 From: Pete Batard <[email protected]>
-Date: Wed, 18 Sep 2024 14:09:00 +0100
+Date: Mon, 27 Jan 2025 19:24:05 +0000
 Subject: [PATCH] Add extra PKCS encoding and decoding to OpensslLibFull
 
 ---
- .../Library/OpensslLib/OpensslLibFull.inf     | 32 ++++++++++++++++---
+ .../Library/OpensslLib/OpensslLibFull.inf     | 34 ++++++++++++++++---
  .../Library/OpensslLib/OpensslStub/uefiprov.c | 10 ++++++
- 2 files changed, 38 insertions(+), 4 deletions(-)
+ 2 files changed, 39 insertions(+), 5 deletions(-)
 
 diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf b/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf
-index 55c6342904..eb488dc07c 100644
+index 32c79c39bb..7349a55d45 100644
 --- a/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf
 +++ b/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf
 @@ -1,6 +1,6 @@
@@ -21,7 +21,16 @@ index 55c6342904..eb488dc07c 100644
  #
  #  This library should be used if a module module needs ECC in TLS, or
  #  asymmetric cryptography services such as X509 certificate or PEM format
-@@ -245,6 +245,10 @@
+@@ -25,7 +25,7 @@
+
+   DEFINE OPENSSL_PATH            = openssl
+   DEFINE OPENSSL_GEN_PATH        = OpensslGen
+-  DEFINE OPENSSL_FLAGS           = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_ASM
++  DEFINE OPENSSL_FLAGS           = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_ASM -DOPENSSL_SYS_UEFI
+   DEFINE OPENSSL_FLAGS_NOASM     =
+
+ #
+@@ -244,6 +244,10 @@
    $(OPENSSL_PATH)/crypto/ec/ecx_backend.c
    $(OPENSSL_PATH)/crypto/ec/ecx_key.c
    $(OPENSSL_PATH)/crypto/ec/ecx_meth.c
@@ -32,7 +41,7 @@ index 55c6342904..eb488dc07c 100644
    $(OPENSSL_PATH)/crypto/encode_decode/decoder_err.c
    $(OPENSSL_PATH)/crypto/encode_decode/decoder_lib.c
    $(OPENSSL_PATH)/crypto/encode_decode/decoder_meth.c
-@@ -427,6 +431,22 @@
+@@ -426,6 +430,22 @@
    $(OPENSSL_PATH)/crypto/pkcs7/pk7_mime.c
    $(OPENSSL_PATH)/crypto/pkcs7/pk7_smime.c
    $(OPENSSL_PATH)/crypto/pkcs7/pkcs7err.c
@@ -55,7 +64,7 @@ index 55c6342904..eb488dc07c 100644
    $(OPENSSL_PATH)/crypto/property/defn_cache.c
    $(OPENSSL_PATH)/crypto/property/property.c
    $(OPENSSL_PATH)/crypto/property/property_err.c
-@@ -593,6 +613,10 @@
+@@ -592,6 +612,10 @@
    $(OPENSSL_PATH)/providers/implementations/encode_decode/decode_pem2der.c
    $(OPENSSL_PATH)/providers/implementations/encode_decode/decode_pvk2key.c
    $(OPENSSL_PATH)/providers/implementations/encode_decode/decode_spki2typespki.c
@@ -66,7 +75,7 @@ index 55c6342904..eb488dc07c 100644
    $(OPENSSL_PATH)/providers/implementations/encode_decode/endecoder_common.c
    $(OPENSSL_PATH)/providers/implementations/exchange/dh_exch.c
    $(OPENSSL_PATH)/providers/implementations/exchange/ecdh_exch.c
-@@ -706,10 +730,10 @@
+@@ -705,10 +729,10 @@
  #  OpensslStub/SslNull.c
  #  OpensslStub/EcSm2Null.c
    OpensslStub/uefiprov.c

MosbyPkg.dsc

@@ -21,7 +21,7 @@
 [BuildOptions]
   DEBUG_*_*_CC_FLAGS             = -DENABLE_DEBUG
   RELEASE_*_*_CC_FLAGS           = -DMDEPKG_NDEBUG
-  *_*_*_CC_FLAGS                 = -flto=auto -DDISABLE_NEW_DEPRECATED_INTERFACES
+  *_*_*_CC_FLAGS                 = -flto=auto -fno-stack-protector -DDISABLE_NEW_DEPRECATED_INTERFACES 
 
 !include MdePkg/MdeLibs.dsc.inc
 
@@ -64,8 +64,7 @@
 
 [LibraryClasses.ARM, LibraryClasses.AARCH64]
   ArmLib|ArmPkg/Library/ArmLib/ArmBaseLib.inf
-  NULL|ArmPkg/Library/CompilerIntrinsicsLib/CompilerIntrinsicsLib.inf
-  NULL|MdePkg/Library/BaseStackCheckLib/BaseStackCheckLib.inf
+  CompilerIntrinsicsLib|MdePkg/Library/CompilerIntrinsicsLib/CompilerIntrinsicsLib.inf
 
 [LibraryClasses.ARM]
   ArmSoftFloatLib|ArmPkg/Library/ArmSoftFloatLib/ArmSoftFloatLib.inf

OpenSSL-submodule-fixes-for-ARM-compilation.patch

@@ -1,45 +1,13 @@
-From 95bd3ef78312f593f7340913b867382694f9f97c Mon Sep 17 00:00:00 2001
+From ddfd6e05dfae0c56c835ec584581b561809a2502 Mon Sep 17 00:00:00 2001
 From: Pete Batard <[email protected]>
-Date: Sat, 17 Aug 2024 14:39:32 +0100
+Date: Mon, 27 Jan 2025 19:25:14 +0000
 Subject: [PATCH] OpenSSL submodule fixes for ARM compilation
 
-* Coz I really don't have time to figure out this ArmSoftFloatLib bullshit.
-* And, by the way, double randomness in drbg_add() was NEVER even used in the first place.
+* Double randomness in drbg_add() was NEVER used in the first place.
 ---
- crypto/params.c         | 4 ++++
  crypto/rand/rand_meth.c | 2 +-
- 2 files changed, 5 insertions(+), 1 deletion(-)
+ 1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/crypto/params.c b/crypto/params.c
-index 5fd1e0028d..50d9f9f4e9 100644
---- a/crypto/params.c
-+++ b/crypto/params.c
-@@ -709,7 +709,9 @@ OSSL_PARAM OSSL_PARAM_construct_int64(const char *key, int64_t *buf)
-
- int OSSL_PARAM_get_uint64(const OSSL_PARAM *p, uint64_t *val)
- {
-+#if !defined (_M_ARM) && !defined(__arm__)
-     double d;
-+#endif
-
-     if (val == NULL || p == NULL)
-         return 0;
-@@ -752,6 +754,7 @@ int OSSL_PARAM_get_uint64(const OSSL_PARAM *p, uint64_t *val)
-     } else if (p->data_type == OSSL_PARAM_REAL) {
-         switch (p->data_size) {
-         case sizeof(double):
-+#if !defined (_M_ARM) && !defined(__arm__)
-             d = *(const double *)p->data;
-             if (d >= 0
-                     /*
-@@ -764,6 +767,7 @@ int OSSL_PARAM_get_uint64(const OSSL_PARAM *p, uint64_t *val)
-                 *val = (uint64_t)d;
-                 return 1;
-             }
-+#endif
-             break;
-         }
-     }
 diff --git a/crypto/rand/rand_meth.c b/crypto/rand/rand_meth.c
 index 276763057d..74a8892127 100644
 --- a/crypto/rand/rand_meth.c

OpenSSL-submodule-fixes-for-RISCV64-compilation.patch

@@ -1,9 +1,10 @@
-From 48c67fe6b705e6e72004f57b858e183b6b2be3c3 Mon Sep 17 00:00:00 2001
+From b7f3fefcc4d946c78c2ab0a500e969632e593723 Mon Sep 17 00:00:00 2001
 From: Pete Batard <[email protected]>
-Date: Sat, 17 Aug 2024 15:29:10 +0100
+Date: Mon, 27 Jan 2025 20:38:04 +0000
 Subject: [PATCH] OpenSSL submodule fixes for RISCV64 compilation
 
 ---
+ crypto/ec/curve448/curve448.c                         | 2 +-
  crypto/ec/curve448/point_448.h                        | 2 +-
  crypto/ec/ec_ameth.c                                  | 3 ++-
  crypto/evp/evp_enc.c                                  | 2 +-
@@ -12,8 +13,21 @@ Subject: [PATCH] OpenSSL submodule fixes for RISCV64 compilation
  providers/implementations/macs/hmac_prov.c            | 2 +-
  providers/implementations/signature/ecdsa_sig.c       | 2 +-
  providers/implementations/signature/rsa_sig.c         | 2 +-
- 8 files changed, 9 insertions(+), 8 deletions(-)
+ 9 files changed, 10 insertions(+), 9 deletions(-)
 
+diff --git a/crypto/ec/curve448/curve448.c b/crypto/ec/curve448/curve448.c
+index 6928d9693c..7ddd617a73 100644
+--- a/crypto/ec/curve448/curve448.c
++++ b/crypto/ec/curve448/curve448.c
+@@ -509,7 +509,7 @@ struct smvt_control {
+     int power, addend;
+ };
+
+-#if defined(__GNUC__) && (__GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ > 3))
++#if defined(__GNUC__) && (__GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ > 3)) && !defined(_M_RISCV64) && !defined (__riscv)
+ # define NUMTRAILINGZEROS       __builtin_ctz
+ #else
+ # define NUMTRAILINGZEROS       numtrailingzeros
 diff --git a/crypto/ec/curve448/point_448.h b/crypto/ec/curve448/point_448.h
 index e67ea68044..72536c2471 100644
 --- a/crypto/ec/curve448/point_448.h
@@ -47,10 +61,10 @@ index d4348ff244..cac8672354 100644
          ERR_raise(ERR_LIB_EC, EC_R_DECODE_ERROR);
          return 0;
 diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
-index b178d10864..c33f930e6f 100644
+index 4e6f83e3d0..6cac709644 100644
 --- a/crypto/evp/evp_enc.c
 +++ b/crypto/evp/evp_enc.c
-@@ -1382,7 +1382,7 @@ int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in)
+@@ -1423,7 +1423,7 @@ int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in)
 
      EVP_CIPHER_CTX_reset(out);
 
@@ -60,10 +74,10 @@ index b178d10864..c33f930e6f 100644
 
      if (in->fetched_cipher != NULL && !EVP_CIPHER_up_ref(in->fetched_cipher)) {
 diff --git a/providers/implementations/include/prov/ciphercommon.h b/providers/implementations/include/prov/ciphercommon.h
-index 8153872cba..f448000ce7 100644
+index aacd49707f..03c25cbb1f 100644
 --- a/providers/implementations/include/prov/ciphercommon.h
 +++ b/providers/implementations/include/prov/ciphercommon.h
-@@ -315,7 +315,7 @@ static void name(PROV_CIPHER_CTX *dst, const PROV_CIPHER_CTX *src)             \
+@@ -317,7 +317,7 @@ static void name(PROV_CIPHER_CTX *dst, const PROV_CIPHER_CTX *src)             \
      CTX_TYPE *sctx = (CTX_TYPE *)src;                                          \
      CTX_TYPE *dctx = (CTX_TYPE *)dst;                                          \
                                                                                 \
@@ -112,7 +126,7 @@ index 865d49d100..472add01f2 100644
      dstctx->md = NULL;
      dstctx->mdctx = NULL;
 diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
-index 76516d9a09..0d453a4ae0 100644
+index 919ef17269..540bea8814 100644
 --- a/providers/implementations/signature/rsa_sig.c
 +++ b/providers/implementations/signature/rsa_sig.c
 @@ -994,7 +994,7 @@ static void *rsa_dupctx(void *vprsactx)
@@ -123,7 +137,7 @@ index 76516d9a09..0d453a4ae0 100644
 +    memcpy(dstctx, srcctx, sizeof(*dstctx));
      dstctx->rsa = NULL;
      dstctx->md = NULL;
-     dstctx->mdctx = NULL;
+     dstctx->mgf1_md = NULL;
 -- 
 2.45.2.windows.1
 

README.md

@@ -60,9 +60,9 @@ The motivations behind this are as follows:
    to arbitrarily deny common Linux bootloaders such as GRUB from being Secure Boot signed,
    trying to lock down hardware so that Secure Boot could not ever been disabled by the user,
    making a two-tier version of Secure Boot signatures with one exclusive tier for Windows
-   and a lower tier for other OSes and application or even trying to prevent anybody that is
-   not an OS or hardware manufacturer from being allowed to redistribute the UEFI revocation
-   lists...  
+   and a lower tier for other OSes and application or, up until recently, even trying to
+   prevent anybody that wasn't an OS or hardware manufacturer from being allowed to
+   redistribute UEFI revocation lists...  
    The end result is that it has become a lot more convoluted and daunting than it should
    really be for end-users, to make Secure Boot work in their favour.  
    This application can also remedy that.