Add PFX support for providing certificates

* Also set the start date of the credentials we generate to 00:00 so that users
  don't run into a situation where they can't sign an executable because the
  credentials are not valid yet.
* Also re-instate 'Microsoft Windows Production PCA 2011' DB installation since
  KB5025885 is a complete mess and, even with the 2024.08 refresh, Microsoft still
  has not defaulted to use UEFI bootloaders that are signed with the new 2023 creds.

Add-extra-PKCS-encoding-and-decoding-to-OpensslLibFull.patch

@@ -1,15 +1,15 @@
-From 326d5527828d10a36388c9cc85f93d6b8e7dfbfc Mon Sep 17 00:00:00 2001
+From 8ca01c378d047e5a11c0ca1e62929d7b03c39360 Mon Sep 17 00:00:00 2001
 From: Pete Batard <[email protected]>
-Date: Tue, 25 Jun 2024 20:25:48 +0100
+Date: Wed, 18 Sep 2024 14:09:00 +0100
 Subject: [PATCH] Add extra PKCS encoding and decoding to OpensslLibFull
 
 ---
- .../Library/OpensslLib/OpensslLibFull.inf     | 31 ++++++++++++++++---
+ .../Library/OpensslLib/OpensslLibFull.inf     | 32 ++++++++++++++++---
  .../Library/OpensslLib/OpensslStub/uefiprov.c | 10 ++++++
- 2 files changed, 37 insertions(+), 4 deletions(-)
+ 2 files changed, 38 insertions(+), 4 deletions(-)
 
 diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf b/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf
-index 55c6342904..fbcb0dc430 100644
+index 55c6342904..eb488dc07c 100644
 --- a/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf
 +++ b/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf
 @@ -1,6 +1,6 @@
@@ -32,7 +32,7 @@ index 55c6342904..fbcb0dc430 100644
    $(OPENSSL_PATH)/crypto/encode_decode/decoder_err.c
    $(OPENSSL_PATH)/crypto/encode_decode/decoder_lib.c
    $(OPENSSL_PATH)/crypto/encode_decode/decoder_meth.c
-@@ -427,6 +431,21 @@
+@@ -427,6 +431,22 @@
    $(OPENSSL_PATH)/crypto/pkcs7/pk7_mime.c
    $(OPENSSL_PATH)/crypto/pkcs7/pk7_smime.c
    $(OPENSSL_PATH)/crypto/pkcs7/pkcs7err.c
@@ -44,6 +44,7 @@ index 55c6342904..fbcb0dc430 100644
 +  $(OPENSSL_PATH)/crypto/pkcs12/p12_decr.c
 +  $(OPENSSL_PATH)/crypto/pkcs12/p12_init.c
 +  $(OPENSSL_PATH)/crypto/pkcs12/p12_key.c
++  $(OPENSSL_PATH)/crypto/pkcs12/p12_kiss.c
 +  $(OPENSSL_PATH)/crypto/pkcs12/p12_mutl.c
 +  $(OPENSSL_PATH)/crypto/pkcs12/p12_npas.c
 +  $(OPENSSL_PATH)/crypto/pkcs12/p12_p8d.c
@@ -54,7 +55,7 @@ index 55c6342904..fbcb0dc430 100644
    $(OPENSSL_PATH)/crypto/property/defn_cache.c
    $(OPENSSL_PATH)/crypto/property/property.c
    $(OPENSSL_PATH)/crypto/property/property_err.c
-@@ -593,6 +612,10 @@
+@@ -593,6 +613,10 @@
    $(OPENSSL_PATH)/providers/implementations/encode_decode/decode_pem2der.c
    $(OPENSSL_PATH)/providers/implementations/encode_decode/decode_pvk2key.c
    $(OPENSSL_PATH)/providers/implementations/encode_decode/decode_spki2typespki.c
@@ -65,7 +66,7 @@ index 55c6342904..fbcb0dc430 100644
    $(OPENSSL_PATH)/providers/implementations/encode_decode/endecoder_common.c
    $(OPENSSL_PATH)/providers/implementations/exchange/dh_exch.c
    $(OPENSSL_PATH)/providers/implementations/exchange/ecdh_exch.c
-@@ -706,10 +729,10 @@
+@@ -706,10 +730,10 @@
  #  OpensslStub/SslNull.c
  #  OpensslStub/EcSm2Null.c
    OpensslStub/uefiprov.c

README.md

@@ -28,20 +28,21 @@ The motivations behind this are as follows:
    enabled environment!  
    This application can remedy that.
 2. In 2023, because of the expiration of the certificates listed above, Microsoft introduced
-   one new *KEK* and two new *DB* certificates, that are erefore not be commonly found in your
-   system manufacturer's default key (especially if your system has not received any firmware
-   update since 2024) and that (because a *KEK* can **only** be installed through updates
-   [that are signed by the platform manufacturer](https://uefi.org/specs/UEFI/2.9_A/32_Secure_Boot_and_Driver_Signing.html#enrolling-key-exchange-keys))
+   one new *KEK* and two new *DB* certificates, that are therefore not be commonly found in
+   your system manufacturer's default key (especially if your system has not received any
+   firmware update since 2024) and that (because a *KEK* can **only** be installed through
+   [updates that are signed by the platform manufacturer](https://uefi.org/specs/UEFI/2.9_A/32_Secure_Boot_and_Driver_Signing.html#enrolling-key-exchange-keys))
    cannot be fully updated from the OS itself, even if the OS is Secure Boot compatible or
    comes from Micosoft.  
    This application can remedy that.
 3. As of the second half of 2024, and due to
    [many](https://arstechnica.com/information-technology/2023/03/unkillable-uefi-malware-bypassing-secure-boot-enabled-by-unpatchable-windows-flaw/),
    [many](https://wack0.github.io/dubiousdisk/) vulnerabilities uncovered in the UEFI Windows
    bootloaders, Microsoft is in the process of **completely removing** one of the base DB
-   certificates that it has been using to sign its UEFI executables since 2011.  
-   This application can make sure that this DB certificate is properly removed (as opposed to
-   what will happen if you use the native Secure Boot key restoration from your UEFI
+   certificates (The `Microsoft Windows Production PCA 2011` certificate mentioned above).  
+   **Once Microsoft produces installation media that no longer users this certificate**,
+   this application will make sure that this DB certificate is properly removed (as opposed
+   to what would happen if you use the native Secure Boot key restoration from your UEFI
    firmware).
 4. In 2024, it was disovered that some PC manufacturers [played fast and loose with the
    Primary Key (*PK*) shipped with their hardware](https://arstechnica.com/security/2024/07/secure-boot-is-completely-compromised-on-200-models-from-5-big-device-makers/),
@@ -65,6 +66,11 @@ The motivations behind this are as follows:
    The end result is that it has become a lot more convoluted and daunting than it should
    really be for end-users, to make Secure Boot work in their favour.  
    This application can also remedy that.
+6. Figuring out SBAT, SkuSiPolicy as well as Microsoft's new SVN DBX based revocation updates
+   is currrently a mess, as you need to wade through many different sources to try to ensure
+   that your system is actually up to date with them (because if they aren't, an attacker can
+   easily bypass Secure Boot on your system).  
+   This application can remedy that.
 
 In short, while making sure that all the Secure Boot keys used by your platform are up to
 date, the whole point of this application is to give control of the whole Secure Boot process
@@ -89,7 +95,7 @@ And it does so by making incredibly **easy** to install your own set of Secure B
    make sure that your platform is in *Setup Mode*. Please refer to your manufacturer's
    documentation if you don't know how to enable *Setup Mode*.
 
-4. Boot into the UEFI Shell media you created and type `Mosby` (without any extension). The
+4. Boot into the UEFI Shell media you created and type: `Mosby` (without any extension). The
    executable relevant to your platform will automatically launch and will guide you through
    the installation of the UEFI Secure Boot keys.
 
@@ -100,6 +106,20 @@ If needed, you can also provide your own DB/DBX/DBT/KEK/PK/MOK binaries in DER,
 signed ESL format, by using something like `-db canonical_ca.cer` to point a Secure Boot
 variable to the data you want to install for it.
 
+## Parameters
+
+* `-h`: Display the application parameters and exit.
+* `-v`: Display the application version and exit.
+* `-i`: Display information about the embedded data installable by the application, as well
+        as the current SBAT data from the system (if SBAT is set).
+* `-s`: Silent option (Removes some of the early and late prompts).
+* `-u`: Update only: Only update the revocation databases, SBAT, and SSPV/SSPU as needed.
+* `-t`: Test mode. Disables some checks and wnables the internal **low security** Random
+        Number Generator, if no other Random Number Generator can be found.
+
+You can also point to files using the `-pk`, `-kek`, `-db`, `-dbx`, `-mok`, `-dbt`, `-sbat`,
+`-sspv` and `-sspu` parameters.
+
 ## Compilation
 
 Because Mosby depends on OpenSSL to provide the various cryptography function it needs, and
@@ -153,7 +173,7 @@ generator, however because of the algorithm being used, this generator should be
 
 * On Windows, use `signtool.exe` with the `.pfx`. For example, to sign `bootx64.efi`:
 ```
-signtool sign /f MosbyKey.pfx" /fd SHA256 bootx64.efi
+signtool sign /f MosbyKey.pfx /fd SHA256 bootx64.efi
 ```
 
 Note that you can download `signtool.exe` with the command: