Default to append for DBX, DB and KEK variables

pbatard · pbatard · commit 0457d57b0d2b · 2026-01-02T12:39:15.000Z
* Because of the whole signed authenticate variable process, and the moronic decision of the UEFI Forum to treat appending both as a special case as well as make the attribute part of the signature payload, we have to pay very close attention to what we use for our attributes else, on pedantic firmwares like HP ProDesk 600 ones, installing the official signed DBXs from Microsoft fails, because they are always declared as append (even if we are obviously not appending when we write to the DBX the first time). * To avoid introduce very complex logic to detect and re-sign variables, and since most firmwares that follow the EDK2 implementation *should* treat append on a non-existing variable as "create and report success", we now always set the DBX, DB and KEK with the append attribute. * This addresses part of #17. * Also make sure some more variables are properly zeroed and fix some parameter names.
diff --git a/src/data.c b/src/data.c
@@ -1,7 +1,7 @@
 /* Autogenerated file - DO NOT EDIT */
 /*
  * MSSB (More Secure Secure Boot -- "Mosby") embedded data
- * Copyright © 2024-2025 Pete Batard <pete@akeo.ie>
+ * Copyright © 2024-2026 Pete Batard <pete@akeo.ie>
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -7427,7 +7427,7 @@ EFI_STATUS InitializeList(
 	ZeroMem(List, sizeof(MOSBY_LIST));
 	List->Entry[List->Size].Type = KEK;
 	List->Entry[List->Size].Flags = USE_MICROSOFT_GUID;
-	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT;
+	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT_AP;
 	List->Entry[List->Size].Path = L"kek_2011_ms.cer";
 	List->Entry[List->Size].Url = "https://go.microsoft.com/fwlink/?LinkId=321185";
 	List->Entry[List->Size].Description = "Microsoft Corporation KEK CA 2011";
@@ -7436,7 +7436,7 @@ EFI_STATUS InitializeList(
 	List->Size++;
 	List->Entry[List->Size].Type = KEK;
 	List->Entry[List->Size].Flags = USE_MICROSOFT_GUID;
-	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT;
+	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT_AP;
 	List->Entry[List->Size].Path = L"kek_2023_ms.cer";
 	List->Entry[List->Size].Url = "https://go.microsoft.com/fwlink/?linkid=2239775";
 	List->Entry[List->Size].Description = "Microsoft Corporation KEK 2K CA 2023";
@@ -7446,7 +7446,7 @@ EFI_STATUS InitializeList(
 	List->Entry[List->Size].Type = DB;
 	List->Entry[List->Size].Flags = USE_MICROSOFT_GUID;
 	List->Entry[List->Size].Set = MOSBY_SET1;
-	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT;
+	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT_AP;
 	List->Entry[List->Size].Path = L"db_2011_win_ms.cer";
 	List->Entry[List->Size].Url = "https://go.microsoft.com/fwlink/?linkid=321192";
 	List->Entry[List->Size].Description = "Microsoft Windows Production PCA 2011";
@@ -7455,7 +7455,7 @@ EFI_STATUS InitializeList(
 	List->Size++;
 	List->Entry[List->Size].Type = DB;
 	List->Entry[List->Size].Flags = USE_MICROSOFT_GUID;
-	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT;
+	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT_AP;
 	List->Entry[List->Size].Path = L"db_2011_3rd_ms.cer";
 	List->Entry[List->Size].Url = "https://go.microsoft.com/fwlink/?linkid=321194";
 	List->Entry[List->Size].Description = "Microsoft Corporation UEFI CA 2011";
@@ -7464,7 +7464,7 @@ EFI_STATUS InitializeList(
 	List->Size++;
 	List->Entry[List->Size].Type = DB;
 	List->Entry[List->Size].Flags = USE_MICROSOFT_GUID;
-	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT;
+	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT_AP;
 	List->Entry[List->Size].Path = L"db_2023_win_ms.cer";
 	List->Entry[List->Size].Url = "https://go.microsoft.com/fwlink/?linkid=2239776";
 	List->Entry[List->Size].Description = "Windows UEFI CA 2023";
@@ -7473,7 +7473,7 @@ EFI_STATUS InitializeList(
 	List->Size++;
 	List->Entry[List->Size].Type = DB;
 	List->Entry[List->Size].Flags = USE_MICROSOFT_GUID;
-	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT;
+	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT_AP;
 	List->Entry[List->Size].Path = L"db_2023_3rd_ms.cer";
 	List->Entry[List->Size].Url = "https://go.microsoft.com/fwlink/?linkid=2239872";
 	List->Entry[List->Size].Description = "Microsoft UEFI CA 2023";
@@ -7482,7 +7482,7 @@ EFI_STATUS InitializeList(
 	List->Size++;
 	List->Entry[List->Size].Type = DB;
 	List->Entry[List->Size].Flags = USE_MICROSOFT_GUID;
-	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT;
+	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT_AP;
 	List->Entry[List->Size].Path = L"db_2023_opt_ms.cer";
 	List->Entry[List->Size].Url = "https://go.microsoft.com/fwlink/?linkid=2284009";
 	List->Entry[List->Size].Description = "Microsoft Option ROM UEFI CA 2023";
@@ -7492,7 +7492,7 @@ EFI_STATUS InitializeList(
 #if defined(_M_X64) || defined(__x86_64__)
 	List->Entry[List->Size].Type = DBX;
 	List->Entry[List->Size].Flags = ALLOW_UPDATE;
-	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT;
+	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT_AP;
 	List->Entry[List->Size].Path = L"dbx_x64.bin";
 	List->Entry[List->Size].Url = "https://github.com/microsoft/secureboot_objects/raw/main/PostSignedObjects/DBX/amd64/DBXUpdate.bin";
 	List->Entry[List->Size].Description = "DBX for x86 (64 bit) [2025.10.16]";
@@ -7503,7 +7503,7 @@ EFI_STATUS InitializeList(
 #if defined(_M_IX86) || defined(__i386__)
 	List->Entry[List->Size].Type = DBX;
 	List->Entry[List->Size].Flags = ALLOW_UPDATE;
-	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT;
+	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT_AP;
 	List->Entry[List->Size].Path = L"dbx_ia32.bin";
 	List->Entry[List->Size].Url = "https://github.com/microsoft/secureboot_objects/raw/main/PostSignedObjects/DBX/x86/DBXUpdate.bin";
 	List->Entry[List->Size].Description = "DBX for x86 (32 bit) [2025.10.16]";
@@ -7514,7 +7514,7 @@ EFI_STATUS InitializeList(
 #if defined (_M_ARM64) || defined(__aarch64__)
 	List->Entry[List->Size].Type = DBX;
 	List->Entry[List->Size].Flags = ALLOW_UPDATE;
-	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT;
+	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT_AP;
 	List->Entry[List->Size].Path = L"dbx_aa64.bin";
 	List->Entry[List->Size].Url = "https://github.com/microsoft/secureboot_objects/raw/main/PostSignedObjects/DBX/arm64/DBXUpdate.bin";
 	List->Entry[List->Size].Description = "DBX for ARM (64 bit) [2025.02.24]";
@@ -7525,7 +7525,7 @@ EFI_STATUS InitializeList(
 #if defined (_M_ARM) || defined(__arm__)
 	List->Entry[List->Size].Type = DBX;
 	List->Entry[List->Size].Flags = ALLOW_UPDATE;
-	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT;
+	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT_AP;
 	List->Entry[List->Size].Path = L"dbx_arm.bin";
 	List->Entry[List->Size].Url = "https://github.com/microsoft/secureboot_objects/raw/main/PostSignedObjects/DBX/arm/DBXUpdate.bin";
 	List->Entry[List->Size].Description = "DBX for ARM (32 bit) [2025.02.24]";
@@ -7537,7 +7537,7 @@ EFI_STATUS InitializeList(
 	List->Entry[List->Size].Type = DBX;
 	List->Entry[List->Size].Flags = ALLOW_UPDATE;
 	List->Entry[List->Size].Set = MOSBY_SET2;
-	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT;
+	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT_AP;
 	List->Entry[List->Size].Path = L"dbx_update_2024_x64.bin";
 	List->Entry[List->Size].Url = "https://github.com/microsoft/secureboot_objects/raw/main/PostSignedObjects/Optional/DBX/amd64/DBXUpdate2024.bin";
 	List->Entry[List->Size].Description = "Revocation of 'Microsoft Windows Production PCA 2011'";
@@ -7548,7 +7548,7 @@ EFI_STATUS InitializeList(
 #if defined(_M_X64) || defined(__x86_64__)
 	List->Entry[List->Size].Type = DBX;
 	List->Entry[List->Size].Flags = ALLOW_UPDATE;
-	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT;
+	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT_AP;
 	List->Entry[List->Size].Path = L"dbx_update_svn_x64.bin";
 	List->Entry[List->Size].Url = "https://github.com/microsoft/secureboot_objects/raw/main/PostSignedObjects/Optional/DBX/amd64/DBXUpdateSVN.bin";
 	List->Entry[List->Size].Description = "Windows Bootmgr SVN 7.0 DBX update [2025-06-06]";
@@ -7560,7 +7560,7 @@ EFI_STATUS InitializeList(
 	List->Entry[List->Size].Type = DBX;
 	List->Entry[List->Size].Flags = ALLOW_UPDATE;
 	List->Entry[List->Size].Set = MOSBY_SET2;
-	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT;
+	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT_AP;
 	List->Entry[List->Size].Path = L"dbx_update_2024_ia32.bin";
 	List->Entry[List->Size].Url = "https://github.com/microsoft/secureboot_objects/raw/main/PostSignedObjects/Optional/DBX/x86/DBXUpdate2024.bin";
 	List->Entry[List->Size].Description = "Revocation of 'Microsoft Windows Production PCA 2011'";
@@ -7571,7 +7571,7 @@ EFI_STATUS InitializeList(
 #if defined(_M_IX86) || defined(__i386__)
 	List->Entry[List->Size].Type = DBX;
 	List->Entry[List->Size].Flags = ALLOW_UPDATE;
-	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT;
+	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT_AP;
 	List->Entry[List->Size].Path = L"dbx_update_svn_ia32.bin";
 	List->Entry[List->Size].Url = "https://github.com/microsoft/secureboot_objects/raw/main/PostSignedObjects/Optional/DBX/x86/DBXUpdateSVN.bin";
 	List->Entry[List->Size].Description = "Windows Bootmgr SVN 7.0 DBX update [2025-06-06]";
@@ -7583,7 +7583,7 @@ EFI_STATUS InitializeList(
 	List->Entry[List->Size].Type = DBX;
 	List->Entry[List->Size].Flags = ALLOW_UPDATE;
 	List->Entry[List->Size].Set = MOSBY_SET2;
-	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT;
+	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT_AP;
 	List->Entry[List->Size].Path = L"dbx_update_2024_aa64.bin";
 	List->Entry[List->Size].Url = "https://github.com/microsoft/secureboot_objects/raw/main/PostSignedObjects/Optional/DBX/arm64/DBXUpdate2024.bin";
 	List->Entry[List->Size].Description = "Revocation of 'Microsoft Windows Production PCA 2011'";
@@ -7594,7 +7594,7 @@ EFI_STATUS InitializeList(
 #if defined (_M_ARM64) || defined(__aarch64__)
 	List->Entry[List->Size].Type = DBX;
 	List->Entry[List->Size].Flags = ALLOW_UPDATE;
-	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT;
+	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT_AP;
 	List->Entry[List->Size].Path = L"dbx_update_svn_aa64.bin";
 	List->Entry[List->Size].Url = "https://github.com/microsoft/secureboot_objects/raw/main/PostSignedObjects/Optional/DBX/arm64/DBXUpdateSVN.bin";
 	List->Entry[List->Size].Description = "Windows Bootmgr SVN 7.0 DBX update [2025-06-06]";
@@ -7606,7 +7606,7 @@ EFI_STATUS InitializeList(
 	List->Entry[List->Size].Type = DBX;
 	List->Entry[List->Size].Flags = ALLOW_UPDATE;
 	List->Entry[List->Size].Set = MOSBY_SET2;
-	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT;
+	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT_AP;
 	List->Entry[List->Size].Path = L"dbx_update_2024_arm.bin";
 	List->Entry[List->Size].Url = "https://github.com/microsoft/secureboot_objects/raw/main/PostSignedObjects/Optional/DBX/arm/DBXUpdate2024.bin";
 	List->Entry[List->Size].Description = "Revocation of 'Microsoft Windows Production PCA 2011'";
@@ -7617,7 +7617,7 @@ EFI_STATUS InitializeList(
 #if defined (_M_ARM) || defined(__arm__)
 	List->Entry[List->Size].Type = DBX;
 	List->Entry[List->Size].Flags = ALLOW_UPDATE;
-	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT;
+	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT_AP;
 	List->Entry[List->Size].Path = L"dbx_update_svn_arm.bin";
 	List->Entry[List->Size].Url = "https://github.com/microsoft/secureboot_objects/raw/main/PostSignedObjects/Optional/DBX/arm/DBXUpdateSVN.bin";
 	List->Entry[List->Size].Description = "Windows Bootmgr SVN 7.0 DBX update [2025-06-06]";
diff --git a/src/gen_data.sh b/src/gen_data.sh
@@ -108,7 +108,7 @@ cat << EOF
 /* Autogenerated file - DO NOT EDIT */
 /*
  * MSSB (More Secure Secure Boot -- "Mosby") embedded data
- * Copyright © 2024-2025 Pete Batard <pete@akeo.ie>
+ * Copyright © 2024-2026 Pete Batard <pete@akeo.ie>
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -210,7 +210,16 @@ for file in "${order[@]}"; do
   if [[ "$type" == "SBAT" || "$type" == "MOK" || "$type" == "SSPU" || "$type" == "SSPV" ]]; then
     echo "	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS;"
   else
-    echo "	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT;"
+    # The whole "append" business of the UEFI spec's SetVariable() is bullshit.
+    # The specs do not define what should happen is someone tries to append to a non-existing
+    # variable, so, technically, a pedantic UEFI firmware may refuse all the Microsoft-signed
+    # DBX updates, because they are all set for append whereas the first one we install should
+    # NOT have it set. And of course, in their great wisdom, the UEFI Forum made the append
+    # attribute part of the payload that is hashed for signature (meaning you can't remove the
+    # attribute without BREAKING the signature, which pedantic firmwares very much do check!).
+    # Long story short, because EDK2 treats append on non-existing variable as "create variable
+    # and return SUCCESS", we just set append everywhere and hope for the best...
+    echo "	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_AT_AP;"
   fi
   echo "	List->Entry[List->Size].Path = L\"${file}\";"
   echo "	List->Entry[List->Size].Url = \"${url}\";"
diff --git a/src/mosby.c b/src/mosby.c
@@ -1,6 +1,6 @@
 /*
  * MSSB (More Secure Secure Boot -- "Mosby")
- * Copyright © 2024-2025 Pete Batard <pete@akeo.ie>
+ * Copyright © 2024-2026 Pete Batard <pete@akeo.ie>
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -221,16 +221,16 @@ EFI_STATUS EFIAPI efi_main(
 )
 {
 	BOOLEAN TestMode = FALSE, GenDBCred = FALSE, UpdateMode = FALSE;
-	BOOLEAN Append = FALSE, Reboot = FALSE, LogToFile = TRUE;
+	BOOLEAN Reboot = FALSE, LogToFile = TRUE;
 	EFI_STATUS Status;
-	EFI_TIME Time;
+	EFI_TIME Time = { 0 };
 	UINT8 Set = MOSBY_SET1;
 	UINTN i, Size;
 	UINT16* SystemSSPV = NULL;
-	UINT32 SystemSBatVer, InstallSBatVer;
+	UINT32 SystemSBatVer = 0, InstallSBatVer = 0;
 	INTN Argc, Type, Sel, LastEntry;
-	MOSBY_CRED Cred;
-	CHAR8 DbSubject[80], PkSubject[80], *SBat, *SBatLine;
+	MOSBY_CRED Cred = { 0 };
+	CHAR8 DbSubject[80], PkSubject[80], *SBat = NULL, *SBatLine = NULL;
 	CHAR16 **Argv = NULL, **ArgvCopy, MosbyKeyPath[MAX_PATH];
 	MOSBY_LIST List;
 
@@ -506,7 +506,7 @@ EFI_STATUS EFIAPI efi_main(
 			FreeCredentials(&Cred);
 			goto exit;
 		}
-		List.Entry[i].Attrs = UEFI_VAR_NV_BS_RT_AT;
+		List.Entry[i].Attrs = UEFI_VAR_NV_BS_RT_AT_AP;
 		Status = SaveCredentials(WIDEN(MOSBY_CRED_NAME), &Cred);
 		if (EFI_ERROR(Status))
 			goto exit;
@@ -619,7 +619,6 @@ EFI_STATUS EFIAPI efi_main(
 	/* Install the variables, making sure that we finish with the PK. */
 	Status = EFI_NOT_FOUND;
 	for (Type = MAX_TYPES - 1; Type >= 0; Type--) {
-		Append = (UpdateMode && Type == DBX);
 		for (i = 0; i < List.Size; i++) {
 			if (List.Entry[i].Type != Type || List.Entry[i].Flags & NO_INSTALL)
 				continue;
@@ -631,13 +630,11 @@ EFI_STATUS EFIAPI efi_main(
 				RecallPrint(L"Installing %a '%a'\n", KeyInfo[Type].DisplayName, List.Entry[i].Description);
 			else
 				RecallPrint(L"Installing %a From '%s'\n", KeyInfo[Type].DisplayName, List.Entry[i].Path);
-			Status = gRT->SetVariable(KeyInfo[Type].VariableName, KeyInfo[Type].VariableGuid,
-					List.Entry[i].Attrs | (Append ? EFI_VARIABLE_APPEND_WRITE : 0),
+			Status = gRT->SetVariable(KeyInfo[Type].VariableName, KeyInfo[Type].VariableGuid, List.Entry[i].Attrs,
 					(List.Entry[i].Flags & USE_BUFFER) ? List.Entry[i].Buffer.Size : List.Entry[i].Variable.Size,
 					(List.Entry[i].Flags & USE_BUFFER) ? (VOID*)List.Entry[i].Buffer.Data : (VOID*)List.Entry[i].Variable.Data);
 			if (EFI_ERROR(Status))
 				ReportErrorAndExit(L"Failed to set Secure Boot variable: %r\n", Status);
-			Append = TRUE;
 		}
 	}
 
diff --git a/src/mosby.h b/src/mosby.h
@@ -1,6 +1,6 @@
 /*
  * MSSB (More Secure Secure Boot -- "Mosby")
- * Copyright © 2024-2025 Pete Batard <pete@akeo.ie>
+ * Copyright © 2024-2026 Pete Batard <pete@akeo.ie>
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -76,8 +76,10 @@
 
 /* Variable attributes */
 #define UEFI_VAR_NV_BS              (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS)
+#define UEFI_VAR_NV_BS_AP           (UEFI_VAR_NV_BS | EFI_VARIABLE_APPEND_WRITE)
 #define UEFI_VAR_NV_BS_RT           (UEFI_VAR_NV_BS | EFI_VARIABLE_RUNTIME_ACCESS)
 #define UEFI_VAR_NV_BS_RT_AT        (UEFI_VAR_NV_BS_RT | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)
+#define UEFI_VAR_NV_BS_RT_AT_AP     (UEFI_VAR_NV_BS_RT_AT | EFI_VARIABLE_APPEND_WRITE)
 
 /* Flags */
 #define USE_BUFFER                  0x01
diff --git a/src/pki.c b/src/pki.c
@@ -1,6 +1,6 @@
 /*
  * MSSB (More Secure Secure Boot -- "Mosby") PKI/OpenSSL functions
- * Copyright © 2024-2025 Pete Batard <pete@akeo.ie>
+ * Copyright © 2024-2026 Pete Batard <pete@akeo.ie>
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -425,7 +425,8 @@ EFI_STATUS PopulateAuthVar(
 		ReportErrorAndExit(L"'%s' is too small to be a valid certificate or signature list\n", Entry->Path);
 
 	// Set default attributes for authenticated variable
-	Entry->Attrs = Entry->Type == MOK ? UEFI_VAR_NV_BS : UEFI_VAR_NV_BS_RT_AT;
+	if (Entry->Attrs == 0)
+		Entry->Attrs = (Entry->Type == MOK) ? UEFI_VAR_NV_BS_AP : UEFI_VAR_NV_BS_RT_AT_AP;
 
 	// Check for signed ESL (PKCS#7 only)
 	SignedEsl = (EFI_VARIABLE_AUTHENTICATION_2*)Entry->Buffer.Data;
@@ -523,7 +524,7 @@ EFI_STATUS PopulateAuthVar(
 
 EFI_STATUS SignToAuthVar(
 	IN CONST CHAR16 *VariableName,
-	IN CONST EFI_GUID *VendorGuid,
+	IN CONST EFI_GUID *VariableGuid,
 	IN CONST UINT32 Attributes,
 	IN OUT MOSBY_VARIABLE *Variable,
 	IN CONST MOSBY_CRED *Credentials
@@ -536,7 +537,7 @@ EFI_STATUS SignToAuthVar(
 		UINTN Size;
 	} SignableElement[5] = {
 		{ (UINT8*)VariableName, StrLen(VariableName) * sizeof(CHAR16) },
-		{ (UINT8*)VendorGuid, sizeof(EFI_GUID) },
+		{ (UINT8*)VariableGuid, sizeof(EFI_GUID) },
 		{ (UINT8*)&Attributes, sizeof(Attributes) },
 		{ (UINT8*)&Variable->Data->TimeStamp, sizeof(EFI_TIME) },
 		{ &(((UINT8*)Variable->Data)[OFFSET_OF_AUTHINFO2_CERT_DATA]), Variable->Size - OFFSET_OF_AUTHINFO2_CERT_DATA }
