From patchwork Mon Sep 28 22:06:09 2020
X-Patchwork-Submitter: Eric Richter
X-Patchwork-Id: 1372912
From: Eric Richter
To: skiboot@lists.ozlabs.org
Cc: klaus@linux.ibm.com, nayna@linux.ibm.com
Date: Mon, 28 Sep 2020 17:06:09 -0500
Message-Id: <20200928220609.10479-5-erichte@linux.ibm.com>
In-Reply-To: <20200928220609.10479-1-erichte@linux.ibm.com>
References: <20200928220609.10479-1-erichte@linux.ibm.com>
Subject: [Skiboot] [PATCH v6a 4/4] secvar/backend: improve edk2 driver unit testcases

From: Nayna Jain

This patch adds the following additional unit test cases and improves comments.

* Check for successful processing of queued updates
* Check for queued updates when one update fails, especially when PK is added.
* Check for queued updates when one update fails, especially when PK is deleted.
* Check hw-key-hash addition/deletion/verification.
* Update dbxcert file
* Update rc checks against specific failure error return codes.

Signed-off-by: Nayna Jain --- libstb/secvar/test/data/dbxcert.h | 161 ++++++++++++ libstb/secvar/test/secvar-test-edk2-compat.c | 263 ++++++++++++++++--- 2 files changed, 387 insertions(+), 37 deletions(-) create mode 100644 libstb/secvar/test/data/dbxcert.h diff --git a/libstb/secvar/test/data/dbxcert.h b/libstb/secvar/test/data/dbxcert.h new file mode 100644 index 00000000..26faa543 --- /dev/null +++ b/libstb/secvar/test/data/dbxcert.h 
@@ -0,0 +1,161 @@ +unsigned char dbx_cert_auth[] = { +0xe4 ,0x07 ,0x09 ,0x1c ,0x10 ,0x05 ,0x0f ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 +,0xd3 ,0x05 ,0x00 ,0x00 ,0x00 ,0x02 ,0xf1 ,0x0e ,0x9d ,0xd2 ,0xaf ,0x4a ,0xdf ,0x68 ,0xee ,0x49 +,0x8a ,0xa9 ,0x34 ,0x7d ,0x37 ,0x56 ,0x65 ,0xa7 ,0x30 ,0x82 ,0x05 ,0xb7 ,0x06 ,0x09 ,0x2a ,0x86 +,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x07 ,0x02 ,0xa0 ,0x82 ,0x05 ,0xa8 ,0x30 ,0x82 ,0x05 ,0xa4 ,0x02 +,0x01 ,0x01 ,0x31 ,0x0f ,0x30 ,0x0d ,0x06 ,0x09 ,0x60 ,0x86 ,0x48 ,0x01 ,0x65 ,0x03 ,0x04 ,0x02 +,0x01 ,0x05 ,0x00 ,0x30 ,0x0b ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x07 ,0x01 +,0xa0 ,0x82 ,0x03 ,0xca ,0x30 ,0x82 ,0x03 ,0xc6 ,0x30 ,0x82 ,0x02 ,0xae ,0xa0 ,0x03 ,0x02 ,0x01 +,0x02 ,0x02 ,0x09 ,0x00 ,0xda ,0xf3 ,0xf9 ,0x20 ,0x41 ,0x00 ,0xa8 ,0xeb ,0x30 ,0x0d ,0x06 ,0x09 +,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x01 ,0x0b ,0x05 ,0x00 ,0x30 ,0x78 ,0x31 ,0x0b ,0x30 +,0x09 ,0x06 ,0x03 ,0x55 ,0x04 ,0x06 ,0x13 ,0x02 ,0x55 ,0x53 ,0x31 ,0x0e ,0x30 ,0x0c ,0x06 ,0x03 +,0x55 ,0x04 ,0x08 ,0x0c ,0x05 ,0x54 ,0x65 ,0x78 ,0x61 ,0x73 ,0x31 ,0x0f ,0x30 ,0x0d ,0x06 ,0x03 +,0x55 ,0x04 ,0x07 ,0x0c ,0x06 ,0x41 ,0x75 ,0x73 ,0x74 ,0x69 ,0x6e ,0x31 ,0x0c ,0x30 ,0x0a ,0x06 +,0x03 ,0x55 ,0x04 ,0x0a ,0x0c ,0x03 ,0x49 ,0x42 ,0x4d ,0x31 ,0x0c ,0x30 ,0x0a ,0x06 ,0x03 ,0x55 +,0x04 ,0x0b ,0x0c ,0x03 ,0x4c ,0x54 ,0x43 ,0x31 ,0x0b ,0x30 ,0x09 ,0x06 ,0x03 ,0x55 ,0x04 ,0x03 +,0x0c ,0x02 ,0x50 ,0x4b ,0x31 ,0x1f ,0x30 ,0x1d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d +,0x01 ,0x09 ,0x01 ,0x16 ,0x10 ,0x6e ,0x61 ,0x79 ,0x6e ,0x6a ,0x61 ,0x69 ,0x6e ,0x40 ,0x69 ,0x62 +,0x6d ,0x2e ,0x63 ,0x6f ,0x6d ,0x30 ,0x1e ,0x17 ,0x0d ,0x32 ,0x30 ,0x30 ,0x39 ,0x31 ,0x34 ,0x31 +,0x35 ,0x35 ,0x30 ,0x32 ,0x30 ,0x5a ,0x17 ,0x0d ,0x32 ,0x31 ,0x30 ,0x39 ,0x31 ,0x34 ,0x31 ,0x35 +,0x35 ,0x30 ,0x32 ,0x30 ,0x5a ,0x30 ,0x78 ,0x31 ,0x0b ,0x30 ,0x09 ,0x06 ,0x03 ,0x55 ,0x04 ,0x06 +,0x13 ,0x02 ,0x55 ,0x53 ,0x31 ,0x0e ,0x30 ,0x0c ,0x06 ,0x03 ,0x55 ,0x04 ,0x08 ,0x0c ,0x05 ,0x54 +,0x65 
,0x78 ,0x61 ,0x73 ,0x31 ,0x0f ,0x30 ,0x0d ,0x06 ,0x03 ,0x55 ,0x04 ,0x07 ,0x0c ,0x06 ,0x41 +,0x75 ,0x73 ,0x74 ,0x69 ,0x6e ,0x31 ,0x0c ,0x30 ,0x0a ,0x06 ,0x03 ,0x55 ,0x04 ,0x0a ,0x0c ,0x03 +,0x49 ,0x42 ,0x4d ,0x31 ,0x0c ,0x30 ,0x0a ,0x06 ,0x03 ,0x55 ,0x04 ,0x0b ,0x0c ,0x03 ,0x4c ,0x54 +,0x43 ,0x31 ,0x0b ,0x30 ,0x09 ,0x06 ,0x03 ,0x55 ,0x04 ,0x03 ,0x0c ,0x02 ,0x50 ,0x4b ,0x31 ,0x1f +,0x30 ,0x1d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x09 ,0x01 ,0x16 ,0x10 ,0x6e +,0x61 ,0x79 ,0x6e ,0x6a ,0x61 ,0x69 ,0x6e ,0x40 ,0x69 ,0x62 ,0x6d ,0x2e ,0x63 ,0x6f ,0x6d ,0x30 +,0x82 ,0x01 ,0x22 ,0x30 ,0x0d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x01 ,0x01 +,0x05 ,0x00 ,0x03 ,0x82 ,0x01 ,0x0f ,0x00 ,0x30 ,0x82 ,0x01 ,0x0a ,0x02 ,0x82 ,0x01 ,0x01 ,0x00 +,0xaf ,0xca ,0xd3 ,0xaa ,0xb0 ,0xc7 ,0xb5 ,0x2e ,0x3b ,0x12 ,0x27 ,0x68 ,0x2d ,0x90 ,0x17 ,0xc4 +,0x21 ,0x93 ,0x58 ,0x53 ,0xd7 ,0xa6 ,0x2f ,0x40 ,0xfa ,0x37 ,0x8e ,0x7a ,0x85 ,0x5b ,0xd3 ,0xa8 +,0x9d ,0xac ,0xa1 ,0x6a ,0x52 ,0xeb ,0x07 ,0x05 ,0x8c ,0x74 ,0x00 ,0xbe ,0xa6 ,0x54 ,0x1b ,0x1d +,0x73 ,0xa9 ,0x41 ,0x67 ,0xfd ,0xd4 ,0xdb ,0xcd ,0x49 ,0xed ,0x63 ,0x29 ,0x97 ,0xb5 ,0x6d ,0xea +,0x69 ,0xbc ,0x24 ,0x2c ,0x1b ,0x09 ,0x32 ,0x09 ,0x65 ,0x99 ,0xc4 ,0xd0 ,0x76 ,0x9a ,0x07 ,0xd9 +,0x69 ,0x5e ,0x30 ,0xbe ,0x6f ,0x67 ,0x0b ,0xa4 ,0x90 ,0xe0 ,0x3e ,0xd7 ,0xf9 ,0xe8 ,0xb6 ,0x20 +,0xc6 ,0xd8 ,0x4e ,0xfd ,0x7e ,0x3f ,0x6f ,0xf3 ,0x97 ,0x09 ,0x82 ,0xec ,0x81 ,0x53 ,0x10 ,0x32 +,0x8c ,0xa8 ,0xfe ,0xf4 ,0x77 ,0x48 ,0x0d ,0x84 ,0x83 ,0x14 ,0xeb ,0xa4 ,0x75 ,0xaa ,0x30 ,0x03 +,0x3a ,0xa5 ,0x54 ,0x7e ,0xb3 ,0x2e ,0x2b ,0x95 ,0xcf ,0x4d ,0x8c ,0x67 ,0x6d ,0xf1 ,0x48 ,0xc1 +,0x96 ,0x0b ,0xb2 ,0x2d ,0x07 ,0x27 ,0x65 ,0xa3 ,0x3b ,0x96 ,0x76 ,0xc4 ,0xa9 ,0x2c ,0x65 ,0xcb +,0xa4 ,0xaf ,0x75 ,0xec ,0x7c ,0x90 ,0x3a ,0x8e ,0x78 ,0xa6 ,0xa5 ,0x4a ,0x99 ,0x79 ,0x51 ,0x20 +,0x60 ,0x67 ,0x9a ,0xc8 ,0x96 ,0x03 ,0xa1 ,0x98 ,0xfc ,0x88 ,0x24 ,0x50 ,0xaf ,0xb7 ,0x30 ,0xb7 +,0x68 ,0x8a ,0x83 ,0xbc ,0x62 ,0xff ,0x93 ,0x70 ,0xc7 ,0x72 ,0xf3 
,0x95 ,0x48 ,0xf1 ,0x9c ,0x5e +,0x1a ,0x66 ,0x2e ,0xa1 ,0x1d ,0x4a ,0xf7 ,0x9d ,0x04 ,0x52 ,0xdd ,0x19 ,0xfe ,0x1e ,0x4e ,0x2d +,0x9b ,0x9e ,0x6f ,0x7f ,0x0b ,0x93 ,0x0b ,0x3b ,0x08 ,0x81 ,0x68 ,0x9b ,0x0d ,0x45 ,0xf7 ,0xd6 +,0x75 ,0xf7 ,0xb6 ,0xbf ,0xa9 ,0x63 ,0x24 ,0xab ,0x92 ,0x38 ,0x3a ,0xac ,0x04 ,0x69 ,0x14 ,0x7f +,0x02 ,0x03 ,0x01 ,0x00 ,0x01 ,0xa3 ,0x53 ,0x30 ,0x51 ,0x30 ,0x1d ,0x06 ,0x03 ,0x55 ,0x1d ,0x0e +,0x04 ,0x16 ,0x04 ,0x14 ,0x89 ,0x84 ,0xb5 ,0xcf ,0x3e ,0x9d ,0xde ,0xca ,0x8c ,0xc8 ,0x2d ,0xfe +,0x7e ,0xee ,0x66 ,0x79 ,0xeb ,0x21 ,0xfc ,0xe5 ,0x30 ,0x1f ,0x06 ,0x03 ,0x55 ,0x1d ,0x23 ,0x04 +,0x18 ,0x30 ,0x16 ,0x80 ,0x14 ,0x89 ,0x84 ,0xb5 ,0xcf ,0x3e ,0x9d ,0xde ,0xca ,0x8c ,0xc8 ,0x2d +,0xfe ,0x7e ,0xee ,0x66 ,0x79 ,0xeb ,0x21 ,0xfc ,0xe5 ,0x30 ,0x0f ,0x06 ,0x03 ,0x55 ,0x1d ,0x13 +,0x01 ,0x01 ,0xff ,0x04 ,0x05 ,0x30 ,0x03 ,0x01 ,0x01 ,0xff ,0x30 ,0x0d ,0x06 ,0x09 ,0x2a ,0x86 +,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x01 ,0x0b ,0x05 ,0x00 ,0x03 ,0x82 ,0x01 ,0x01 ,0x00 ,0x37 ,0xba +,0x93 ,0xe4 ,0x7e ,0xcd ,0xb2 ,0xa4 ,0xe2 ,0x75 ,0x37 ,0x53 ,0xbc ,0x43 ,0x47 ,0xc9 ,0x94 ,0x51 +,0xa9 ,0x14 ,0x28 ,0x0a ,0xa6 ,0xa1 ,0x90 ,0x0a ,0xbc ,0x50 ,0x67 ,0x85 ,0x47 ,0xb7 ,0xfc ,0xe3 +,0xd5 ,0x45 ,0xde ,0x89 ,0x99 ,0x46 ,0xba ,0xff ,0x32 ,0x45 ,0x70 ,0x22 ,0x84 ,0x9e ,0x35 ,0x9c +,0x0a ,0xea ,0x63 ,0xf5 ,0xc7 ,0x7c ,0xe0 ,0xc1 ,0x9f ,0xb1 ,0xb6 ,0xe0 ,0xc1 ,0x1c ,0xb1 ,0xba +,0xeb ,0x6d ,0x53 ,0xde ,0xb2 ,0xf9 ,0xf8 ,0x4a ,0x2c ,0x48 ,0xf4 ,0x12 ,0xcb ,0x26 ,0x3c ,0xe9 +,0x1c ,0xb1 ,0xd3 ,0x36 ,0x48 ,0xa4 ,0xec ,0x24 ,0x35 ,0xf3 ,0x47 ,0xa9 ,0xf7 ,0xe1 ,0xfb ,0x38 +,0xf0 ,0x23 ,0x46 ,0x02 ,0xf5 ,0x76 ,0xd1 ,0x39 ,0xf9 ,0x58 ,0x50 ,0x5c ,0xe9 ,0x39 ,0xa8 ,0x97 +,0x41 ,0x66 ,0xa0 ,0x8a ,0xb2 ,0xd9 ,0x83 ,0x2d ,0xed ,0xb0 ,0x49 ,0x2b ,0x6a ,0xc4 ,0xd8 ,0x37 +,0xc0 ,0x6f ,0x51 ,0xab ,0x46 ,0x26 ,0x0f ,0x90 ,0x2b ,0x63 ,0xc2 ,0x87 ,0x75 ,0xaa ,0x47 ,0xbc +,0xbe ,0x9d ,0x54 ,0x17 ,0x54 ,0xa0 ,0x7c ,0x1b ,0x58 ,0x82 ,0x3f ,0x44 ,0x0b ,0xc1 ,0xa6 ,0xcc +,0xe2 ,0x53 ,0xde ,0x6e 
,0xf7 ,0x52 ,0x0d ,0x83 ,0xb7 ,0x03 ,0xfd ,0xed ,0x4c ,0xc3 ,0x76 ,0xe6 +,0x14 ,0xb9 ,0xc9 ,0x45 ,0xc0 ,0x40 ,0x45 ,0x4a ,0x70 ,0x40 ,0xe6 ,0x1a ,0x10 ,0x76 ,0x0c ,0xab +,0x2b ,0x9e ,0xe9 ,0xfd ,0x29 ,0xcb ,0xf8 ,0xce ,0x11 ,0xf7 ,0x27 ,0x43 ,0xbb ,0xcd ,0xba ,0x22 +,0x5b ,0x61 ,0x5f ,0x63 ,0x16 ,0xb3 ,0x2b ,0x83 ,0x75 ,0x98 ,0x2e ,0xca ,0x0a ,0x9e ,0x8c ,0x5a +,0xd5 ,0x77 ,0xb5 ,0xa2 ,0x74 ,0xeb ,0x94 ,0x4f ,0x8f ,0xf6 ,0xc3 ,0x30 ,0x9c ,0xf4 ,0x6e ,0x9b +,0x5d ,0xd7 ,0x0f ,0x43 ,0x16 ,0xba ,0x5e ,0xa3 ,0xe3 ,0x8b ,0x8f ,0x74 ,0x27 ,0xaf ,0x31 ,0x82 +,0x01 ,0xb1 ,0x30 ,0x82 ,0x01 ,0xad ,0x02 ,0x01 ,0x01 ,0x30 ,0x81 ,0x85 ,0x30 ,0x78 ,0x31 ,0x0b +,0x30 ,0x09 ,0x06 ,0x03 ,0x55 ,0x04 ,0x06 ,0x13 ,0x02 ,0x55 ,0x53 ,0x31 ,0x0e ,0x30 ,0x0c ,0x06 +,0x03 ,0x55 ,0x04 ,0x08 ,0x0c ,0x05 ,0x54 ,0x65 ,0x78 ,0x61 ,0x73 ,0x31 ,0x0f ,0x30 ,0x0d ,0x06 +,0x03 ,0x55 ,0x04 ,0x07 ,0x0c ,0x06 ,0x41 ,0x75 ,0x73 ,0x74 ,0x69 ,0x6e ,0x31 ,0x0c ,0x30 ,0x0a +,0x06 ,0x03 ,0x55 ,0x04 ,0x0a ,0x0c ,0x03 ,0x49 ,0x42 ,0x4d ,0x31 ,0x0c ,0x30 ,0x0a ,0x06 ,0x03 +,0x55 ,0x04 ,0x0b ,0x0c ,0x03 ,0x4c ,0x54 ,0x43 ,0x31 ,0x0b ,0x30 ,0x09 ,0x06 ,0x03 ,0x55 ,0x04 +,0x03 ,0x0c ,0x02 ,0x50 ,0x4b ,0x31 ,0x1f ,0x30 ,0x1d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 +,0x0d ,0x01 ,0x09 ,0x01 ,0x16 ,0x10 ,0x6e ,0x61 ,0x79 ,0x6e ,0x6a ,0x61 ,0x69 ,0x6e ,0x40 ,0x69 +,0x62 ,0x6d ,0x2e ,0x63 ,0x6f ,0x6d ,0x02 ,0x09 ,0x00 ,0xda ,0xf3 ,0xf9 ,0x20 ,0x41 ,0x00 ,0xa8 +,0xeb ,0x30 ,0x0d ,0x06 ,0x09 ,0x60 ,0x86 ,0x48 ,0x01 ,0x65 ,0x03 ,0x04 ,0x02 ,0x01 ,0x05 ,0x00 +,0x30 ,0x0d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x01 ,0x01 ,0x05 ,0x00 ,0x04 +,0x82 ,0x01 ,0x00 ,0x61 ,0xd9 ,0xe2 ,0xd2 ,0x84 ,0x74 ,0x50 ,0xdd ,0x77 ,0x00 ,0x84 ,0xf9 ,0x10 +,0x75 ,0x83 ,0x2c ,0xf4 ,0x33 ,0xf5 ,0x5e ,0xec ,0x8d ,0x63 ,0x5f ,0xdd ,0x5d ,0x23 ,0xc9 ,0x31 +,0x03 ,0x85 ,0xf5 ,0x18 ,0xb4 ,0xdd ,0x2c ,0x15 ,0x21 ,0x38 ,0xf3 ,0x27 ,0x31 ,0xaf ,0x2c ,0xa4 +,0x49 ,0xb0 ,0x6a ,0x72 ,0xc6 ,0x10 ,0xae ,0xb4 ,0xf4 ,0xdb ,0x47 ,0x1b ,0x40 ,0xc7 
,0xc3 ,0xaf +,0xe3 ,0xd7 ,0x7d ,0x9b ,0xfc ,0xe3 ,0x6f ,0x23 ,0x30 ,0x74 ,0x03 ,0x57 ,0xe2 ,0xc3 ,0xfb ,0xd0 +,0x02 ,0x16 ,0xec ,0xb0 ,0xf4 ,0x79 ,0x5b ,0xf0 ,0xcb ,0x5b ,0x19 ,0x16 ,0xa9 ,0x6c ,0x97 ,0x08 +,0xb6 ,0x7b ,0x28 ,0x7c ,0xe5 ,0xe2 ,0xcc ,0x55 ,0xa0 ,0x39 ,0x08 ,0xc6 ,0x39 ,0xb5 ,0x8b ,0x19 +,0xfa ,0xcc ,0x6e ,0xf7 ,0x20 ,0x27 ,0xcf ,0x4c ,0x24 ,0x01 ,0xa9 ,0xd7 ,0xc2 ,0xa6 ,0x62 ,0x34 +,0xb9 ,0xaf ,0xa4 ,0x1c ,0x0b ,0xd5 ,0xfd ,0x77 ,0x4c ,0xf5 ,0xa2 ,0x56 ,0x4c ,0xe3 ,0x62 ,0x93 +,0xf7 ,0x2b ,0x20 ,0x99 ,0x88 ,0x47 ,0xe9 ,0xf8 ,0xb5 ,0x47 ,0xe0 ,0xef ,0x12 ,0xc6 ,0x74 ,0xef +,0xed ,0x67 ,0x26 ,0x1c ,0xfe ,0x58 ,0x9c ,0xfd ,0x8a ,0xff ,0x4d ,0xdc ,0x11 ,0x67 ,0x56 ,0x82 +,0xf4 ,0x6e ,0xcd ,0x47 ,0x10 ,0xf9 ,0x6c ,0x5e ,0x5e ,0x66 ,0xf6 ,0x36 ,0x9b ,0x52 ,0x87 ,0x28 +,0xdc ,0xf6 ,0xc0 ,0x61 ,0xfd ,0x8c ,0x2c ,0x06 ,0x1d ,0x5a ,0x0f ,0x92 ,0x1c ,0x81 ,0xe8 ,0x2d +,0xd7 ,0xbc ,0x44 ,0x61 ,0xa3 ,0x5a ,0xa1 ,0xb1 ,0x55 ,0x43 ,0xe5 ,0xe3 ,0xd4 ,0xe1 ,0xf1 ,0x27 +,0x6a ,0x13 ,0x90 ,0x0d ,0x20 ,0x63 ,0xb1 ,0x06 ,0xdb ,0x70 ,0xf9 ,0xc8 ,0xa2 ,0xef ,0xbc ,0x6c +,0xd8 ,0x65 ,0xbd ,0x21 ,0xba ,0x0d ,0x53 ,0xe6 ,0x64 ,0x5a ,0x76 ,0xe4 ,0x07 ,0x77 ,0x72 ,0xa8 +,0x22 ,0xef ,0x08 ,0xa1 ,0x59 ,0xc0 ,0xa5 ,0xe4 ,0x94 ,0xa7 ,0x4a ,0x87 ,0xb5 ,0xab ,0x15 ,0x5c +,0x2b ,0xf0 ,0x72 ,0xf6 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xda ,0x03 ,0x00 ,0x00 ,0x00 +,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x30 +,0x82 ,0x03 ,0xc6 ,0x30 ,0x82 ,0x02 ,0xae ,0xa0 ,0x03 ,0x02 ,0x01 ,0x02 ,0x02 ,0x09 ,0x00 ,0x99 +,0x04 ,0x63 ,0xe8 ,0x8c ,0x39 ,0xba ,0x08 ,0x30 ,0x0d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 +,0x0d ,0x01 ,0x01 ,0x0b ,0x05 ,0x00 ,0x30 ,0x78 ,0x31 ,0x0b ,0x30 ,0x09 ,0x06 ,0x03 ,0x55 ,0x04 +,0x06 ,0x13 ,0x02 ,0x55 ,0x53 ,0x31 ,0x0e ,0x30 ,0x0c ,0x06 ,0x03 ,0x55 ,0x04 ,0x08 ,0x0c ,0x05 +,0x54 ,0x65 ,0x78 ,0x61 ,0x73 ,0x31 ,0x0f ,0x30 ,0x0d ,0x06 ,0x03 ,0x55 ,0x04 ,0x07 ,0x0c ,0x06 +,0x41 ,0x75 ,0x73 ,0x74 ,0x69 ,0x6e ,0x31 
,0x0c ,0x30 ,0x0a ,0x06 ,0x03 ,0x55 ,0x04 ,0x0a ,0x0c +,0x03 ,0x49 ,0x42 ,0x4d ,0x31 ,0x0c ,0x30 ,0x0a ,0x06 ,0x03 ,0x55 ,0x04 ,0x0b ,0x0c ,0x03 ,0x4c +,0x54 ,0x43 ,0x31 ,0x0b ,0x30 ,0x09 ,0x06 ,0x03 ,0x55 ,0x04 ,0x03 ,0x0c ,0x02 ,0x44 ,0x42 ,0x31 +,0x1f ,0x30 ,0x1d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x09 ,0x01 ,0x16 ,0x10 +,0x6e ,0x61 ,0x79 ,0x6e ,0x6a ,0x61 ,0x69 ,0x6e ,0x40 ,0x69 ,0x62 ,0x6d ,0x2e ,0x63 ,0x6f ,0x6d +,0x30 ,0x1e ,0x17 ,0x0d ,0x32 ,0x30 ,0x30 ,0x39 ,0x31 ,0x34 ,0x31 ,0x35 ,0x35 ,0x30 ,0x34 ,0x30 +,0x5a ,0x17 ,0x0d ,0x32 ,0x31 ,0x30 ,0x39 ,0x31 ,0x34 ,0x31 ,0x35 ,0x35 ,0x30 ,0x34 ,0x30 ,0x5a +,0x30 ,0x78 ,0x31 ,0x0b ,0x30 ,0x09 ,0x06 ,0x03 ,0x55 ,0x04 ,0x06 ,0x13 ,0x02 ,0x55 ,0x53 ,0x31 +,0x0e ,0x30 ,0x0c ,0x06 ,0x03 ,0x55 ,0x04 ,0x08 ,0x0c ,0x05 ,0x54 ,0x65 ,0x78 ,0x61 ,0x73 ,0x31 +,0x0f ,0x30 ,0x0d ,0x06 ,0x03 ,0x55 ,0x04 ,0x07 ,0x0c ,0x06 ,0x41 ,0x75 ,0x73 ,0x74 ,0x69 ,0x6e +,0x31 ,0x0c ,0x30 ,0x0a ,0x06 ,0x03 ,0x55 ,0x04 ,0x0a ,0x0c ,0x03 ,0x49 ,0x42 ,0x4d ,0x31 ,0x0c +,0x30 ,0x0a ,0x06 ,0x03 ,0x55 ,0x04 ,0x0b ,0x0c ,0x03 ,0x4c ,0x54 ,0x43 ,0x31 ,0x0b ,0x30 ,0x09 +,0x06 ,0x03 ,0x55 ,0x04 ,0x03 ,0x0c ,0x02 ,0x44 ,0x42 ,0x31 ,0x1f ,0x30 ,0x1d ,0x06 ,0x09 ,0x2a +,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x09 ,0x01 ,0x16 ,0x10 ,0x6e ,0x61 ,0x79 ,0x6e ,0x6a ,0x61 +,0x69 ,0x6e ,0x40 ,0x69 ,0x62 ,0x6d ,0x2e ,0x63 ,0x6f ,0x6d ,0x30 ,0x82 ,0x01 ,0x22 ,0x30 ,0x0d +,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x01 ,0x01 ,0x05 ,0x00 ,0x03 ,0x82 ,0x01 +,0x0f ,0x00 ,0x30 ,0x82 ,0x01 ,0x0a ,0x02 ,0x82 ,0x01 ,0x01 ,0x00 ,0xa9 ,0x0d ,0x4c ,0xc6 ,0xc3 +,0x61 ,0xe3 ,0x89 ,0xd8 ,0x6b ,0x02 ,0x78 ,0x2a ,0x49 ,0xc8 ,0x04 ,0x24 ,0xd9 ,0xae ,0xb2 ,0xa4 +,0xfa ,0x7d ,0xe9 ,0x94 ,0x59 ,0x6c ,0xb4 ,0x17 ,0xb2 ,0x2b ,0x3b ,0x7f ,0x2e ,0x1a ,0xbf ,0xc8 +,0x8e ,0xb7 ,0xe8 ,0xe1 ,0x79 ,0x9f ,0xed ,0x45 ,0x64 ,0x0a ,0x58 ,0x52 ,0x4b ,0x1f ,0xf1 ,0xe9 +,0xf6 ,0xc7 ,0x98 ,0xe6 ,0x1c ,0x0b ,0xe9 ,0x2e ,0x61 ,0xc3 ,0x28 ,0x95 ,0x1b ,0xf9 ,0x25 ,0xc3 
+,0x5f ,0xa1 ,0x55 ,0x06 ,0xbe ,0x4b ,0xd5 ,0xef ,0x51 ,0x4a ,0x64 ,0x6d ,0x6d ,0x02 ,0x3e ,0xcd +,0x61 ,0x1c ,0xc6 ,0xb6 ,0x84 ,0x65 ,0xee ,0xb5 ,0xb0 ,0x73 ,0x46 ,0x1a ,0x22 ,0xe7 ,0x3e ,0x22 +,0x5b ,0xbf ,0x52 ,0x19 ,0x69 ,0x34 ,0xc0 ,0xfd ,0x44 ,0x64 ,0xe7 ,0xca ,0xc0 ,0x29 ,0xb0 ,0x15 +,0x7a ,0xb7 ,0x47 ,0x59 ,0xbd ,0xac ,0x1d ,0xe3 ,0x5c ,0x70 ,0xb0 ,0x35 ,0xd2 ,0x11 ,0xd4 ,0x3e +,0x99 ,0x7e ,0x94 ,0x2c ,0x0b ,0x29 ,0xe0 ,0xf2 ,0xe5 ,0x8d ,0x34 ,0xd1 ,0xb3 ,0xfb ,0xdc ,0xe1 +,0x77 ,0x02 ,0x4e ,0x1e ,0xcf ,0xee ,0x82 ,0xe4 ,0x30 ,0x4b ,0x70 ,0xbe ,0x5e ,0x2b ,0x35 ,0x2f +,0x73 ,0xcc ,0xc2 ,0x45 ,0xd5 ,0xd3 ,0x8f ,0xd7 ,0xd2 ,0x36 ,0xc8 ,0x23 ,0xdd ,0x57 ,0xc6 ,0x86 +,0xd1 ,0x48 ,0xef ,0xd7 ,0x24 ,0x09 ,0x13 ,0xda ,0x22 ,0x31 ,0xa6 ,0x9d ,0x12 ,0x51 ,0xf2 ,0xff +,0x8c ,0x91 ,0xfb ,0x5b ,0xc2 ,0x3a ,0x58 ,0x92 ,0x7e ,0x79 ,0x8b ,0xdb ,0x62 ,0x17 ,0xd8 ,0x00 +,0x90 ,0xfc ,0x40 ,0xa5 ,0x39 ,0x82 ,0x3b ,0xde ,0xec ,0xb2 ,0xe2 ,0xe8 ,0x70 ,0x78 ,0xdf ,0x7d +,0x72 ,0x0d ,0xff ,0xd2 ,0x8a ,0xd5 ,0x0b ,0xb9 ,0xf0 ,0xe0 ,0x30 ,0xee ,0xdd ,0xa6 ,0xd2 ,0xa2 +,0x04 ,0xf7 ,0x38 ,0xc1 ,0xee ,0xd1 ,0xb3 ,0x91 ,0x42 ,0x64 ,0x71 ,0x02 ,0x03 ,0x01 ,0x00 ,0x01 +,0xa3 ,0x53 ,0x30 ,0x51 ,0x30 ,0x1d ,0x06 ,0x03 ,0x55 ,0x1d ,0x0e ,0x04 ,0x16 ,0x04 ,0x14 ,0x59 +,0x42 ,0xac ,0x51 ,0xf6 ,0x4e ,0xc4 ,0xe5 ,0x34 ,0x80 ,0x9b ,0x61 ,0xfc ,0x48 ,0xf4 ,0xa6 ,0x24 +,0xc8 ,0x68 ,0xf3 ,0x30 ,0x1f ,0x06 ,0x03 ,0x55 ,0x1d ,0x23 ,0x04 ,0x18 ,0x30 ,0x16 ,0x80 ,0x14 +,0x59 ,0x42 ,0xac ,0x51 ,0xf6 ,0x4e ,0xc4 ,0xe5 ,0x34 ,0x80 ,0x9b ,0x61 ,0xfc ,0x48 ,0xf4 ,0xa6 +,0x24 ,0xc8 ,0x68 ,0xf3 ,0x30 ,0x0f ,0x06 ,0x03 ,0x55 ,0x1d ,0x13 ,0x01 ,0x01 ,0xff ,0x04 ,0x05 +,0x30 ,0x03 ,0x01 ,0x01 ,0xff ,0x30 ,0x0d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 +,0x01 ,0x0b ,0x05 ,0x00 ,0x03 ,0x82 ,0x01 ,0x01 ,0x00 ,0x90 ,0x90 ,0xf4 ,0x01 ,0xc1 ,0x37 ,0x11 +,0xcb ,0x31 ,0x64 ,0xe2 ,0x3f ,0x78 ,0x95 ,0x1d ,0x51 ,0x73 ,0x65 ,0x02 ,0x23 ,0x15 ,0xed ,0x46 +,0xa5 ,0x71 ,0x60 ,0x3e ,0x24 ,0xa8 ,0x1e ,0x51 ,0xcc 
,0xc7 ,0x40 ,0x0d ,0x8a ,0x73 ,0xf1 ,0x40 +,0x60 ,0x6a ,0xbe ,0xce ,0xfa ,0xdf ,0xbc ,0x7d ,0x9c ,0x5f ,0x24 ,0x3b ,0x29 ,0x22 ,0xe5 ,0xda +,0xbd ,0x85 ,0x6d ,0x33 ,0x50 ,0xf8 ,0xb3 ,0x20 ,0x8e ,0x0d ,0xc4 ,0x14 ,0x93 ,0x0d ,0x8a ,0xd2 +,0x74 ,0x10 ,0x92 ,0x14 ,0x5e ,0xde ,0x5f ,0x33 ,0x3d ,0x39 ,0x18 ,0xd5 ,0xa2 ,0x4a ,0x42 ,0x8c +,0x64 ,0x75 ,0xd3 ,0xfa ,0x8d ,0xce ,0x57 ,0xda ,0xb6 ,0x44 ,0x6a ,0xb0 ,0x53 ,0xf1 ,0x00 ,0x53 +,0x64 ,0xd8 ,0xf7 ,0xa4 ,0xc2 ,0x1a ,0xa6 ,0x00 ,0xc4 ,0x40 ,0x63 ,0x61 ,0x38 ,0x97 ,0xe1 ,0x65 +,0xbd ,0x4f ,0x36 ,0x7c ,0x77 ,0x8c ,0x26 ,0x41 ,0xa3 ,0x69 ,0x10 ,0x87 ,0xf4 ,0x66 ,0xe2 ,0xad +,0x13 ,0x60 ,0x77 ,0x71 ,0xf6 ,0xc2 ,0xad ,0xec ,0x9c ,0xac ,0x85 ,0xf9 ,0x5d ,0xaf ,0xa4 ,0x19 +,0x70 ,0xb9 ,0xe4 ,0xfa ,0xbf ,0x5b ,0x00 ,0x2f ,0x46 ,0xd9 ,0xc4 ,0x9a ,0x32 ,0x96 ,0xb7 ,0x7f +,0x22 ,0xf9 ,0xa4 ,0xea ,0xba ,0xc8 ,0xb8 ,0x59 ,0xbd ,0x12 ,0x30 ,0x76 ,0x50 ,0x4f ,0x62 ,0x72 +,0x05 ,0xe2 ,0xf4 ,0x29 ,0x91 ,0x05 ,0x28 ,0xba ,0x3c ,0xf0 ,0x6b ,0x1e ,0x54 ,0xa2 ,0x47 ,0xa7 +,0xfc ,0x64 ,0x20 ,0x9c ,0xf1 ,0x95 ,0xe3 ,0xd1 ,0xc9 ,0x37 ,0xe8 ,0xeb ,0x4e ,0xda ,0x2b ,0x5f +,0x1c ,0x7a ,0xb3 ,0xe2 ,0x0a ,0x01 ,0x5c ,0x7a ,0x1e ,0xfc ,0x24 ,0x60 ,0x14 ,0x75 ,0xcd ,0xe9 +,0x9e ,0x77 ,0xbf ,0x3a ,0x6f ,0xd7 ,0x7f ,0x42 ,0x14 ,0x94 ,0x27 ,0x0b ,0x6e ,0x1d ,0x78 ,0x9b +,0xc5 ,0x82 ,0x28 ,0xf7 ,0x78 ,0xc4 ,0xdf ,0x4e ,0x85 }; + +unsigned int dbx_cert_auth_len = 2521; diff --git a/libstb/secvar/test/secvar-test-edk2-compat.c b/libstb/secvar/test/secvar-test-edk2-compat.c index 3ec4afdc..8259ffa1 100644 --- a/libstb/secvar/test/secvar-test-edk2-compat.c +++ b/libstb/secvar/test/secvar-test-edk2-compat.c 
@@ -19,13 +19,65 @@ #include "./data/multipleDB.h" #include "./data/multiplePK.h" #include "./data/dbx.h" +#include "./data/dbxcert.h" #include "./data/dbxsha512.h" #include "./data/dbxmalformed.h" +bool test_hw_key_hash = false; + +/* Hardcoding HW KEY HASH to avoid emulating device-tree in unit-tests. */ +const unsigned char hw_key_hash[64] = { +0xb6, 0xdf, 0xfe, 0x75, 0x53, 0xf9, 0x2e, 0xcb, 0x2b, 0x05, 0x55, 0x35, 0xd7, 0xda, 0xfe, 0x32, \ +0x98, 0x93, 0x35, 0x1e, 0xd7, 0x4b, 0xbb, 0x21, 0x6b, 0xa0, 0x56, 0xa7, 0x1e, 0x3c, 0x0b, 0x56, \ +0x6f, 0x0c, 0x4d, 0xbe, 0x31, 0x42, 0x13, 0x68, 0xcb, 0x32, 0x11, 0x6f, 0x13, 0xbb, 0xdd, 0x9e, \ +0x4f, 0xe3, 0x83, 0x8b, 0x1c, 0x6a, 0x2e, 0x07, 0xdb, 0x95, 0x16, 0xc9, 0x33, 0xaa, 0x20, 0xef +}; + +const unsigned char new_hw_key_hash[64] = { +0xa6, 0xdf, 0xfe, 0x75, 0x53, 0xf9, 0x2e, 0xcb, 0x2b, 0x05, 0x55, 0x35, 0xd7, 0xda, 0xfe, 0x32, \ +0x98, 0x93, 0x35, 0x1e, 0xd7, 0x4b, 0xbb, 0x21, 0x6b, 0xa0, 0x56, 0xa7, 0x1e, 0x3c, 0x0b, 0x56, \ +0x6f, 0x0c, 0x4d, 0xbe, 0x31, 0x42, 0x13, 0x68, 0xcb, 0x32, 0x11, 0x6f, 0x13, 0xbb, 0xdd, 0x9e, \ +0x4f, 0xe3, 0x83, 0x8b, 0x1c, 0x6a, 0x2e, 0x07, 0xdb, 0x95, 0x16, 0xc9, 0x33, 0xaa, 0x20, 0xef +}; + int reset_keystore(struct list_head *bank __unused) { return 0; } -int add_hw_key_hash(struct list_head *bank __unused) { return 0; } -int delete_hw_key_hash(struct list_head *bank __unused) { return 0; } -int verify_hw_key_hash(void) { return 0; } +int verify_hw_key_hash(void) +{ + + /* This check is added just to simulate mismatch of hashes. 
*/ + if (test_hw_key_hash) + if (memcmp(new_hw_key_hash, hw_key_hash, 64) != 0) + return OPAL_PERMISSION; + + return OPAL_SUCCESS; +} + + +int add_hw_key_hash(struct list_head *bank) +{ + struct secvar *var; + uint32_t hw_key_hash_size = 64; + + var = new_secvar("HWKH", 5, hw_key_hash, + hw_key_hash_size, SECVAR_FLAG_PROTECTED); + list_add_tail(bank, &var->link); + + return OPAL_SUCCESS; +} + +int delete_hw_key_hash(struct list_head *bank) +{ + struct secvar *var; + + var = find_secvar("HWKH", 5, bank); + if (!var) + return OPAL_SUCCESS; + + list_del(&var->link); + dealloc_secvar(var); + + return OPAL_SUCCESS; +} const char *secvar_test_name = "edk2-compat"; @@ -37,7 +89,10 @@ int run_test() struct secvar *tmp; char empty[64] = {0}; - // Check pre-process creates the empty variables + /* The sequence of test cases here is important to ensure that + * timestamp checks work as expected. */ + + /* Check pre-process creates the empty variables. */ ASSERT(0 == list_length(&variable_bank)); rc = edk2_compat_pre_process(&variable_bank, &update_bank); ASSERT(OPAL_SUCCESS == rc); 
@@ -47,24 +102,87 @@ int run_test() ASSERT(64 == tmp->data_size); ASSERT(!(memcmp(tmp->data, empty, 64))); - // Add PK to update and .process() + /* Add test to verify hw_key_hash. + * This is to ensure that mismatch of test happens. + * The test uses test_hw_key_hash variable to ensure that + * mismatch happens. For all next tests, test_hw_key_hash variable + * should be zero to avoid hard-coded mismatch. + */ + test_hw_key_hash = 1; + setup_mode = false; printf("Add PK"); tmp = new_secvar("PK", 3, PK_auth, PK_auth_len, 0); ASSERT(0 == edk2_compat_validate(tmp)); list_add_tail(&update_bank, &tmp->link); ASSERT(1 == list_length(&update_bank)); - rc = edk2_compat_process(&variable_bank, &update_bank); + printf("rc is %04x %d\n", rc, rc); ASSERT(OPAL_SUCCESS == rc); + ASSERT(0 == list_length(&update_bank)); + ASSERT(setup_mode); + + /* Set test_hw_key_hash to zero to avoid hardcoded mismatch. */ + test_hw_key_hash = 0; + + /* Add PK and a failed update. */ + printf("Add PK and failed dbx"); + tmp = new_secvar("PK", 3, PK_auth, PK_auth_len, 0); + ASSERT(0 == edk2_compat_validate(tmp)); + list_add_tail(&update_bank, &tmp->link); + ASSERT(1 == list_length(&update_bank)); + + tmp = new_secvar("dbx", 4, wrongdbxauth, wrong_dbx_auth_len, 0); + ASSERT(0 == edk2_compat_validate(tmp)); + list_add_tail(&update_bank, &tmp->link); + ASSERT(2 == list_length(&update_bank)); + + rc = edk2_compat_process(&variable_bank, &update_bank); + ASSERT(OPAL_PARAMETER == rc); + ASSERT(5 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + rc = edk2_compat_post_process(&variable_bank, &update_bank); + ASSERT(5 == list_length(&variable_bank)); + ASSERT(setup_mode); + + /* Add PK and db, db update should fail, so all updates fail. 
*/ + printf("Add PK"); + tmp = new_secvar("PK", 3, PK_auth, PK_auth_len, 0); + ASSERT(0 == edk2_compat_validate(tmp)); + list_add_tail(&update_bank, &tmp->link); + ASSERT(1 == list_length(&update_bank)); + printf("Add db"); + tmp = new_secvar("db", 3, DB_auth, sizeof(DB_auth), 0); + ASSERT(0 == edk2_compat_validate(tmp)); + list_add_tail(&update_bank, &tmp->link); + ASSERT(2 == list_length(&update_bank)); + rc = edk2_compat_process(&variable_bank, &update_bank); + ASSERT(OPAL_PERMISSION == rc); + ASSERT(5 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + rc = edk2_compat_post_process(&variable_bank, &update_bank); ASSERT(5 == list_length(&variable_bank)); + ASSERT(setup_mode); + + /* Add PK to update and .process(). */ + printf("Add PK"); + tmp = new_secvar("PK", 3, PK_auth, PK_auth_len, 0); + ASSERT(0 == edk2_compat_validate(tmp)); + list_add_tail(&update_bank, &tmp->link); + ASSERT(1 == list_length(&update_bank)); + + rc = edk2_compat_process(&variable_bank, &update_bank); + ASSERT(OPAL_SUCCESS == rc); + ASSERT(6 == list_length(&variable_bank)); ASSERT(0 == list_length(&update_bank)); + rc = edk2_compat_post_process(&variable_bank, &update_bank); + ASSERT(5 == list_length(&variable_bank)); tmp = find_secvar("PK", 3, &variable_bank); ASSERT(NULL != tmp); ASSERT(0 != tmp->data_size); - ASSERT(PK_auth_len > tmp->data_size); // esl should be smaller without auth + ASSERT(PK_auth_len > tmp->data_size); /* esl should be smaller without auth. */ ASSERT(!setup_mode); - // Add db, should fail with no KEK + /* Add db, should fail with no KEK. */ printf("Add db"); tmp = new_secvar("db", 3, DB_auth, DB_auth_len, 0); ASSERT(0 == edk2_compat_validate(tmp)); 
@@ -72,16 +190,14 @@ int run_test() ASSERT(1 == list_length(&update_bank)); rc = edk2_compat_process(&variable_bank, &update_bank); - printf("rc is %d %04x\n", rc, rc); - ASSERT(OPAL_SUCCESS != rc); + ASSERT(OPAL_PERMISSION == rc); ASSERT(5 == list_length(&variable_bank)); ASSERT(0 == list_length(&update_bank)); tmp = find_secvar("db", 3, &variable_bank); ASSERT(NULL != tmp); + /* Add valid KEK, .process(), succeeds. */ printf("Add KEK"); - - // Add valid KEK, .process(), succeeds tmp = new_secvar("KEK", 4, KEK_auth, KEK_auth_len, 0); ASSERT(0 == edk2_compat_validate(tmp)); list_add_tail(&update_bank, &tmp->link); @@ -95,8 +211,7 @@ int run_test() ASSERT(NULL != tmp); ASSERT(0 != tmp->data_size); - // Add valid KEK, .process(), timestamp check fails - + /* Add valid KEK, .process(), timestamp check fails. */ tmp = new_secvar("KEK", 4, OldTS_KEK_auth, OldTS_KEK_auth_len, 0); ASSERT(0 == edk2_compat_validate(tmp)); list_add_tail(&update_bank, &tmp->link); @@ -110,7 +225,7 @@ int run_test() ASSERT(NULL != tmp); ASSERT(0 != tmp->data_size); - // Add db, .process(), should succeed + /* Add db, .process(), should succeed. */ printf("Add db again\n"); tmp = new_secvar("db", 3, DB_auth, DB_auth_len, 0); ASSERT(0 == edk2_compat_validate(tmp)); @@ -126,7 +241,7 @@ int run_test() ASSERT(NULL != tmp); ASSERT(0 != tmp->data_size); - // Add db, .process(), should fail because of timestamp + /* Add db, .process(), should fail because of timestamp. */ printf("Add db again\n"); tmp = new_secvar("db", 3, DB_auth, DB_auth_len, 0); ASSERT(0 == edk2_compat_validate(tmp)); 
@@ -135,8 +250,13 @@ int run_test() rc = edk2_compat_process(&variable_bank, &update_bank); ASSERT(OPAL_PERMISSION == rc); + ASSERT(5 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + tmp = find_secvar("db", 3, &variable_bank); + ASSERT(NULL != tmp); + ASSERT(0 != tmp->data_size); - // Add valid sha256 dbx + /* Add valid sha256 dbx. */ printf("Add sha256 dbx\n"); tmp = new_secvar("dbx", 4, dbxauth, dbx_auth_len, 0); ASSERT(0 == edk2_compat_validate(tmp)); @@ -145,8 +265,13 @@ int run_test() rc = edk2_compat_process(&variable_bank, &update_bank); ASSERT(OPAL_SUCCESS == rc); + ASSERT(5 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + tmp = find_secvar("db", 3, &variable_bank); + ASSERT(NULL != tmp); + ASSERT(0 != tmp->data_size); - // Add invalid KEK, .process(), should fail + /* Add invalid KEK, .process(), should fail. Timestamp check failure. */ printf("Add invalid KEK\n"); tmp = new_secvar("KEK", 4, InvalidKEK_auth, InvalidKEK_auth_len, 0); ASSERT(0 == edk2_compat_validate(tmp)); @@ -154,14 +279,14 @@ int run_test() ASSERT(1 == list_length(&update_bank)); rc = edk2_compat_process(&variable_bank, &update_bank); - ASSERT(OPAL_SUCCESS != rc); + ASSERT(OPAL_PERMISSION == rc); ASSERT(5 == list_length(&variable_bank)); ASSERT(0 == list_length(&update_bank)); tmp = find_secvar("KEK", 4, &variable_bank); ASSERT(NULL != tmp); ASSERT(0 != tmp->data_size); - // Add ill formatted KEK, .process(), should fail + /* Add ill formatted KEK, .process(), should fail. */ printf("Add invalid KEK\n"); tmp = new_secvar("KEK", 4, MalformedKEK_auth, MalformedKEK_auth_len, 0); ASSERT(0 == edk2_compat_validate(tmp)); 
@@ -169,44 +294,56 @@ int run_test() ASSERT(1 == list_length(&update_bank)); rc = edk2_compat_process(&variable_bank, &update_bank); - ASSERT(OPAL_SUCCESS != rc); + ASSERT(OPAL_PARAMETER == rc); ASSERT(5 == list_length(&variable_bank)); ASSERT(0 == list_length(&update_bank)); tmp = find_secvar("KEK", 4, &variable_bank); ASSERT(NULL != tmp); ASSERT(0 != tmp->data_size); - // Add multiple KEK ESLs, one of them should sign the db + /* Add multiple db and then multiple KEKs. + * The db should be signed with a KEK yet to be added. + */ + printf("Add multiple db\n"); + tmp = new_secvar("db", 3, multipleDB_auth, multipleDB_auth_len, 0); + ASSERT(0 == edk2_compat_validate(tmp)); + list_add_tail(&update_bank, &tmp->link); + ASSERT(1 == list_length(&update_bank)); printf("Add multiple KEK\n"); tmp = new_secvar("KEK", 4, multipleKEK_auth, multipleKEK_auth_len, 0); ASSERT(0 == edk2_compat_validate(tmp)); list_add_tail(&update_bank, &tmp->link); - ASSERT(1 == list_length(&update_bank)); + ASSERT(2 == list_length(&update_bank)); rc = edk2_compat_process(&variable_bank, &update_bank); - ASSERT(OPAL_SUCCESS == rc); + ASSERT(OPAL_PERMISSION == rc); ASSERT(5 == list_length(&variable_bank)); ASSERT(0 == list_length(&update_bank)); - tmp = find_secvar("KEK", 4, &variable_bank); - ASSERT(NULL != tmp); - ASSERT(0 != tmp->data_size); - // Add multiple DB ESLs signed with second key of the KEK + /* Add multiple KEK ESLs, one of them should sign the db. 
*/ + printf("Add multiple KEK\n"); + tmp = new_secvar("KEK", 4, multipleKEK_auth, multipleKEK_auth_len, 0); + ASSERT(0 == edk2_compat_validate(tmp)); + list_add_tail(&update_bank, &tmp->link); + ASSERT(1 == list_length(&update_bank)); printf("Add multiple db\n"); tmp = new_secvar("db", 3, multipleDB_auth, multipleDB_auth_len, 0); ASSERT(0 == edk2_compat_validate(tmp)); list_add_tail(&update_bank, &tmp->link); - ASSERT(1 == list_length(&update_bank)); + ASSERT(2 == list_length(&update_bank)); rc = edk2_compat_process(&variable_bank, &update_bank); ASSERT(OPAL_SUCCESS == rc); ASSERT(5 == list_length(&variable_bank)); ASSERT(0 == list_length(&update_bank)); + tmp = find_secvar("KEK", 4, &variable_bank); + ASSERT(NULL != tmp); + ASSERT(0 != tmp->data_size); tmp = find_secvar("db", 3, &variable_bank); ASSERT(NULL != tmp); ASSERT(0 != tmp->data_size); - // Add db with signeddata PKCS7 format. + /* Add db with signeddata PKCS7 format. */ printf("DB with signed data\n"); tmp = new_secvar("db", 3, dbsigneddata_auth, dbsigneddata_auth_len, 0); ASSERT(0 == edk2_compat_validate(tmp)); 
@@ -215,9 +352,42 @@ int run_test() rc = edk2_compat_process(&variable_bank, &update_bank); ASSERT(OPAL_SUCCESS == rc); + ASSERT(5 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + tmp = find_secvar("db", 3, &variable_bank); + ASSERT(NULL != tmp); + ASSERT(0 != tmp->data_size); - // Delete PK. + /* Delete PK and invalid dbx - to test queued updates for deleting PK. */ printf("Delete PK\n"); + /* Add hw_key_hash explicitly to ensure it is deleted as part of PK deletion. */ + add_hw_key_hash(&variable_bank); + ASSERT(6 == list_length(&variable_bank)); + tmp = new_secvar("PK", 3, noPK_auth, noPK_auth_len, 0); + ASSERT(0 == edk2_compat_validate(tmp)); + list_add_tail(&update_bank, &tmp->link); + ASSERT(1 == list_length(&update_bank)); + printf("Add invalid dbx\n"); + tmp = new_secvar("dbx", 4, wrongdbxauth, wrong_dbx_auth_len, 0); + ASSERT(0 == edk2_compat_validate(tmp)); + list_add_tail(&update_bank, &tmp->link); + ASSERT(2 == list_length(&update_bank)); + rc = edk2_compat_process(&variable_bank, &update_bank); + ASSERT(OPAL_PARAMETER == rc); + ASSERT(6 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + rc = edk2_compat_post_process(&variable_bank, &update_bank); + ASSERT(5 == list_length(&variable_bank)); + tmp = find_secvar("PK", 3, &variable_bank); + ASSERT(NULL != tmp); + ASSERT(0 != tmp->data_size); + ASSERT(!setup_mode); + + /* Delete PK. */ + printf("Delete PK\n"); + /* Add hw_key_hash explicitly to ensure it is deleted as part of PK deletion. */ + add_hw_key_hash(&variable_bank); + ASSERT(6 == list_length(&variable_bank)); tmp = new_secvar("PK", 3, noPK_auth, noPK_auth_len, 0); ASSERT(0 == edk2_compat_validate(tmp)); list_add_tail(&update_bank, &tmp->link); 
@@ -227,12 +397,14 @@ int run_test() ASSERT(OPAL_SUCCESS == rc); ASSERT(5 == list_length(&variable_bank)); ASSERT(0 == list_length(&update_bank)); + rc = edk2_compat_post_process(&variable_bank, &update_bank); + ASSERT(5 == list_length(&variable_bank)); tmp = find_secvar("PK", 3, &variable_bank); ASSERT(NULL != tmp); ASSERT(0 == tmp->data_size); ASSERT(setup_mode); - // Add multiple PK. + /* Add multiple PK. */ printf("Multiple PK\n"); tmp = new_secvar("PK", 3, multiplePK_auth, multiplePK_auth_len, 0); ASSERT(0 == edk2_compat_validate(tmp)); @@ -240,9 +412,15 @@ int run_test() ASSERT(1 == list_length(&update_bank)); rc = edk2_compat_process(&variable_bank, &update_bank); - ASSERT(OPAL_SUCCESS != rc); - + ASSERT(OPAL_PARAMETER == rc); + ASSERT(5 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + tmp = find_secvar("PK", 3, &variable_bank); + ASSERT(NULL != tmp); + ASSERT(0 == tmp->data_size); + ASSERT(setup_mode); + /* Add invalid dbx like with wrong GUID. */ printf("Add invalid dbx\n"); tmp = new_secvar("dbx", 4, wrongdbxauth, wrong_dbx_auth_len, 0); ASSERT(0 == edk2_compat_validate(tmp)); @@ -250,8 +428,11 @@ int run_test() ASSERT(1 == list_length(&update_bank)); rc = edk2_compat_process(&variable_bank, &update_bank); - ASSERT(OPAL_SUCCESS != rc); + ASSERT(OPAL_PARAMETER == rc); + ASSERT(5 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + /* Ensure sha512 dbx is considered as valid. */ printf("Add sha512 dbx\n"); tmp = new_secvar("dbx", 4, dbx512, dbx512_auth_len, 0); ASSERT(0 == edk2_compat_validate(tmp)); 
@@ -260,15 +441,23 @@ int run_test() rc = edk2_compat_process(&variable_bank, &update_bank); ASSERT(OPAL_SUCCESS == rc); + ASSERT(5 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + tmp = find_secvar("dbx", 4, &variable_bank); + ASSERT(NULL != tmp); + ASSERT(0 != tmp->data_size); + /* We do not support cert as dbx. */ printf("Add db(cert) as dbx\n"); - tmp = new_secvar("dbx", 4, DB_auth, sizeof(DB_auth), 0); + tmp = new_secvar("dbx", 4, dbx_cert_auth, sizeof(dbx_cert_auth), 0); ASSERT(0 == edk2_compat_validate(tmp)); list_add_tail(&update_bank, &tmp->link); ASSERT(1 == list_length(&update_bank)); rc = edk2_compat_process(&variable_bank, &update_bank); - ASSERT(OPAL_SUCCESS != rc); + ASSERT(OPAL_PARAMETER == rc); + ASSERT(5 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); return 0; }
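Review bot: In the hunk at @@ -145,8 +265,13 @@, the assertions added after the successful sha256 dbx update look up the wrong variable: find_secvar("db", 3, &variable_bank). The update being processed is the dbx, so nothing here confirms that the dbx was actually committed. Look up "dbx" with length 4 and check its data_size instead, as the sha512 dbx case later in this patch already does.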
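Review bot: In the hunk at @@ -154,14 +279,14 @@, the ill-formatted KEK case still prints "Add invalid KEK\n", the same string as the timestamp-failure case directly above it, so the two cases cannot be told apart in the test output. Since the comment on that case is being rewritten anyway, change the printf to a distinct message such as "Add malformed KEK\n".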
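Review bot: In the hunk at @@ -169,44 +294,56 @@, the new db-before-KEK batch expects OPAL_PERMISSION but afterwards asserts only the two list lengths. The KEK lookup that used to follow this call has moved to the success case, so nothing shows that the queued KEK update was discarded together with the rejected db. The variable bank holds five entries whether or not the KEK was replaced. Saving the KEK's data_size before edk2_compat_process() and asserting it is unchanged afterwards would cover the rollback. The success case has the same limitation, since 0 != tmp->data_size was already true before the update.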
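Review bot: In the queued-update case of the hunk at @@ -215,9 +352,42 @@, rc = edk2_compat_post_process(&variable_bank, &update_bank) assigns rc but no assertion follows, so a failing post-process step would go unnoticed. The same call added in the following hunk has the same gap. Add an ASSERT on the expected return code after each call.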
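Review bot: In the hunk at @@ -227,12 +397,14 @@, ASSERT(5 == list_length(&variable_bank)) appears both before and after edk2_compat_post_process(), so the removal of the entry added by add_hw_key_hash() is only inferred from the count having dropped from 6 to 5. The comment says the test is there "to ensure it is deleted as part of PK deletion"; a direct find_secvar() lookup of that variable with an ASSERT(NULL == tmp) would check exactly that, and would still hold if another variable were added or removed in the same step.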