Hello Takahiro,

in the current code you have left a comment:

/*
 * TODO:
 * Since there is currently no "platform-specific" installation
 * method of Platform Key, we can't say if VendorKeys is 0 or 1
 * precisely.
 */

We do not supply vendor keys. So currently any secure boot setup is defined by a user and not by the vendor. So we should keep this variable at zero.

EDK2's way to keep track of changes to Secure Boot Policy Variables is a non-volatile variable VendorKeysNv which is set to 1 when first created and to 0 (in VendorKeyIsModified()) upon the first relevant change. EDK2 ignores changes in setup mode.

According to the UEFI specification Secure Boot Policy Variables are:

* PK, KEK, OsRecoveryOrder, OsRecovery####
* variables with EFI_IMAGE_SECURITY_DATABASE_GUID

efi_set_secure_state() currently sets all mode variables to read-only. This should only be the case in Audit Mode and Deployed Mode, see figure 90 "Secure Modes" in the 2.8A spec.

Best regards

Heinrich
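The VendorKeysNv tracking described in the message above, as a small model added here for illustration; it is not EDK2 or U-Boot code. Assumptions: `vk_state`, `vk_init`, `vk_on_write` and the helper names are hypothetical, variable names and GUIDs are handled as ASCII strings, and PK, KEK and the OsRecovery names are matched by name only.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* GUIDs as lowercase text; a simplification of the binary EFI_GUID. */
#define GLOBAL_VAR_GUID  "8be4df61-93ca-11d2-aa0d-00e098032b8c"
#define SECURITY_DB_GUID "d719b2cb-3d3a-4596-a3bc-dad00e67656f"

/* Hypothetical model state, not an EDK2 or U-Boot structure. */
struct vk_state {
    bool setup_mode;     /* changes made in setup mode are ignored */
    int vendor_keys_nv;  /* 1 when first created, 0 after first change */
};

void vk_init(struct vk_state *s, bool setup_mode)
{
    s->setup_mode = setup_mode;
    s->vendor_keys_nv = 1;
}

/* OsRecovery####: "OsRecovery" followed by exactly four hex digits. */
static bool is_os_recovery_nnnn(const char *name)
{
    if (strncmp(name, "OsRecovery", 10) != 0 || strlen(name) != 14)
        return false;
    for (int i = 10; i < 14; i++)
        if (!isxdigit((unsigned char)name[i]))
            return false;
    return true;
}

/* Secure Boot Policy Variables as listed in the message. */
static bool is_policy_variable(const char *name, const char *guid)
{
    if (strcmp(guid, SECURITY_DB_GUID) == 0)
        return true;
    return !strcmp(name, "PK") || !strcmp(name, "KEK") ||
           !strcmp(name, "OsRecoveryOrder") || is_os_recovery_nnnn(name);
}

/* Call after each successful variable write; returns VendorKeysNv. */
int vk_on_write(struct vk_state *s, const char *name, const char *guid)
{
    if (!s->setup_mode && is_policy_variable(name, guid))
        s->vendor_keys_nv = 0;
    return s->vendor_keys_nv;
}
```

The flag is sticky: once a policy variable is written outside setup mode, later unrelated writes still report 0.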