Merge branch 'master' into openslxopenslx

70 files changed, 2173 insertions, 187 deletions

diff --git a/src/include/ipxe/efi/Protocol/AbsolutePointer.h b/src/include/ipxe/efi/Protocol/AbsolutePointer.h
index 48810f90c..886d214a9 100644
--- a/src/include/ipxe/efi/Protocol/AbsolutePointer.h
+++ b/src/include/ipxe/efi/Protocol/AbsolutePointer.h
@@ -14,6 +14,7 @@
 #define __ABSOLUTE_POINTER_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #define EFI_ABSOLUTE_POINTER_PROTOCOL_GUID \
   { 0x8D59D32B, 0xC655, 0x4AE9, { 0x9B, 0x15, 0xF2, 0x59, 0x04, 0x99, 0x2A, 0x43 } }
diff --git a/src/include/ipxe/efi/Protocol/AcpiTable.h b/src/include/ipxe/efi/Protocol/AcpiTable.h
index 27a9873c3..601e7b769 100644
--- a/src/include/ipxe/efi/Protocol/AcpiTable.h
+++ b/src/include/ipxe/efi/Protocol/AcpiTable.h
@@ -14,6 +14,7 @@
 #define __ACPI_TABLE_H___
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #define EFI_ACPI_TABLE_PROTOCOL_GUID \
   { 0xffe06bdd, 0x6107, 0x46a6, { 0x7b, 0xb2, 0x5a, 0x9c, 0x7e, 0xc5, 0x27, 0x5c }}
diff --git a/src/include/ipxe/efi/Protocol/AdapterInformation.h b/src/include/ipxe/efi/Protocol/AdapterInformation.h
new file mode 100644
index 000000000..b52288793
--- /dev/null
+++ b/src/include/ipxe/efi/Protocol/AdapterInformation.h
@@ -0,0 +1,258 @@
+/** @file
+  EFI Adapter Information Protocol definition.
+  The EFI Adapter Information Protocol is used to dynamically and quickly discover
+  or set device information for an adapter.
+
+  Copyright (c) 2014 - 2018, Intel Corporation. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+  @par Revision Reference:
+  This Protocol is introduced in UEFI Specification 2.4
+
+**/
+
+#ifndef __EFI_ADAPTER_INFORMATION_PROTOCOL_H__
+#define __EFI_ADAPTER_INFORMATION_PROTOCOL_H__
+
+FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
+
+#define EFI_ADAPTER_INFORMATION_PROTOCOL_GUID \
+  { \
+    0xE5DD1403, 0xD622, 0xC24E, {0x84, 0x88, 0xC7, 0x1B, 0x17, 0xF5, 0xE8, 0x02 } \
+  }
+
+#define EFI_ADAPTER_INFO_MEDIA_STATE_GUID \
+  { \
+    0xD7C74207, 0xA831, 0x4A26, {0xB1, 0xF5, 0xD1, 0x93, 0x06, 0x5C, 0xE8, 0xB6 } \
+  }
+
+#define EFI_ADAPTER_INFO_NETWORK_BOOT_GUID \
+  { \
+    0x1FBD2960, 0x4130, 0x41E5, {0x94, 0xAC, 0xD2, 0xCF, 0x03, 0x7F, 0xB3, 0x7C } \
+  }
+
+#define EFI_ADAPTER_INFO_SAN_MAC_ADDRESS_GUID \
+  { \
+    0x114da5ef, 0x2cf1, 0x4e12, {0x9b, 0xbb, 0xc4, 0x70, 0xb5, 0x52, 0x5, 0xd9 } \
+  }
+
+#define EFI_ADAPTER_INFO_UNDI_IPV6_SUPPORT_GUID \
+  { \
+    0x4bd56be3, 0x4975, 0x4d8a, {0xa0, 0xad, 0xc4, 0x91, 0x20, 0x4b, 0x5d, 0x4d} \
+  }
+
+#define EFI_ADAPTER_INFO_MEDIA_TYPE_GUID \
+  { \
+    0x8484472f, 0x71ec, 0x411a, { 0xb3, 0x9c, 0x62, 0xcd, 0x94, 0xd9, 0x91, 0x6e } \
+  }
+
+typedef struct _EFI_ADAPTER_INFORMATION_PROTOCOL EFI_ADAPTER_INFORMATION_PROTOCOL;
+
+///
+/// EFI_ADAPTER_INFO_MEDIA_STATE
+///
+typedef struct {
+  ///
+  /// Returns the current media state status. MediaState can have any of the following values:
+  /// EFI_SUCCESS: There is media attached to the network adapter. EFI_NOT_READY: This detects a bounced state.
+  /// There was media attached to the network adapter, but it was removed and reattached. EFI_NO_MEDIA: There is
+  /// not any media attached to the network.
+  ///
+  EFI_STATUS    MediaState;
+} EFI_ADAPTER_INFO_MEDIA_STATE;
+
+///
+/// EFI_ADAPTER_INFO_MEDIA_TYPE
+///
+typedef struct {
+  ///
+  /// Indicates the current media type. MediaType can have any of the following values:
+  /// 1: Ethernet Network Adapter
+  /// 2: Ethernet Wireless Network Adapter
+  /// 3~255: Reserved
+  ///
+  UINT8    MediaType;
+} EFI_ADAPTER_INFO_MEDIA_TYPE;
+
+///
+/// EFI_ADAPTER_INFO_NETWORK_BOOT
+///
+typedef struct {
+  ///
+  /// TRUE if the adapter supports booting from iSCSI IPv4 targets.
+  ///
+  BOOLEAN    iScsiIpv4BootCapablity;
+  ///
+  /// TRUE if the adapter supports booting from iSCSI IPv6 targets.
+  ///
+  BOOLEAN    iScsiIpv6BootCapablity;
+  ///
+  /// TRUE if the adapter supports booting from FCoE targets.
+  ///
+  BOOLEAN    FCoeBootCapablity;
+  ///
+  /// TRUE if the adapter supports an offload engine (such as TCP
+  /// Offload Engine (TOE)) for its iSCSI or FCoE boot operations.
+  ///
+  BOOLEAN    OffloadCapability;
+  ///
+  /// TRUE if the adapter supports multipath I/O (MPIO) for its iSCSI
+  /// boot operations.
+  ///
+  BOOLEAN    iScsiMpioCapability;
+  ///
+  /// TRUE if the adapter is currently configured to boot from iSCSI
+  /// IPv4 targets.
+  ///
+  BOOLEAN    iScsiIpv4Boot;
+  ///
+  /// TRUE if the adapter is currently configured to boot from iSCSI
+  /// IPv6 targets.
+  ///
+  BOOLEAN    iScsiIpv6Boot;
+  ///
+  /// TRUE if the adapter is currently configured to boot from FCoE targets.
+  ///
+  BOOLEAN    FCoeBoot;
+} EFI_ADAPTER_INFO_NETWORK_BOOT;
+
+///
+/// EFI_ADAPTER_INFO_SAN_MAC_ADDRESS
+///
+typedef struct {
+  ///
+  /// Returns the SAN MAC address for the adapter.For adapters that support today's 802.3 ethernet
+  /// networking and Fibre-Channel Over Ethernet (FCOE), this conveys the FCOE SAN MAC address from the adapter.
+  ///
+  EFI_MAC_ADDRESS    SanMacAddress;
+} EFI_ADAPTER_INFO_SAN_MAC_ADDRESS;
+
+///
+/// EFI_ADAPTER_INFO_UNDI_IPV6_SUPPORT
+///
+typedef struct {
+  ///
+  /// Returns capability of UNDI to support IPv6 traffic.
+  ///
+  BOOLEAN    Ipv6Support;
+} EFI_ADAPTER_INFO_UNDI_IPV6_SUPPORT;
+
+/**
+  Returns the current state information for the adapter.
+
+  This function returns information of type InformationType from the adapter.
+  If an adapter does not support the requested informational type, then
+  EFI_UNSUPPORTED is returned. If an adapter does not contain Information for
+  the requested InformationType, it fills InformationBlockSize with 0 and
+  returns EFI_NOT_FOUND.
+
+  @param[in]  This                   A pointer to the EFI_ADAPTER_INFORMATION_PROTOCOL instance.
+  @param[in]  InformationType        A pointer to an EFI_GUID that defines the contents of InformationBlock.
+  @param[out] InforamtionBlock       The service returns a pointer to the buffer with the InformationBlock
+                                     structure which contains details about the data specific to InformationType.
+  @param[out] InforamtionBlockSize   The driver returns the size of the InformationBlock in bytes.
+
+  @retval EFI_SUCCESS                The InformationType information was retrieved.
+  @retval EFI_UNSUPPORTED            The InformationType is not known.
+  @retval EFI_NOT_FOUND              Information is not available for the requested information type.
+  @retval EFI_DEVICE_ERROR           The device reported an error.
+  @retval EFI_OUT_OF_RESOURCES       The request could not be completed due to a lack of resources.
+  @retval EFI_INVALID_PARAMETER      This is NULL.
+  @retval EFI_INVALID_PARAMETER      InformationBlock is NULL.
+  @retval EFI_INVALID_PARAMETER      InformationBlockSize is NULL.
+
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_ADAPTER_INFO_GET_INFO)(
+  IN  EFI_ADAPTER_INFORMATION_PROTOCOL  *This,
+  IN  EFI_GUID                          *InformationType,
+  OUT VOID                              **InformationBlock,
+  OUT UINTN                             *InformationBlockSize
+  );
+
+/**
+  Sets state information for an adapter.
+
+  This function sends information of type InformationType for an adapter.
+  If an adapter does not support the requested information type, then EFI_UNSUPPORTED
+  is returned.
+
+  @param[in]  This                   A pointer to the EFI_ADAPTER_INFORMATION_PROTOCOL instance.
+  @param[in]  InformationType        A pointer to an EFI_GUID that defines the contents of InformationBlock.
+  @param[in]  InforamtionBlock       A pointer to the InformationBlock structure which contains details
+                                     about the data specific to InformationType.
+  @param[in]  InforamtionBlockSize   The size of the InformationBlock in bytes.
+
+  @retval EFI_SUCCESS                The information was received and interpreted successfully.
+  @retval EFI_UNSUPPORTED            The InformationType is not known.
+  @retval EFI_DEVICE_ERROR           The device reported an error.
+  @retval EFI_INVALID_PARAMETER      This is NULL.
+  @retval EFI_INVALID_PARAMETER      InformationBlock is NULL.
+  @retval EFI_WRITE_PROTECTED        The InformationType cannot be modified using EFI_ADAPTER_INFO_SET_INFO().
+
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_ADAPTER_INFO_SET_INFO)(
+  IN  EFI_ADAPTER_INFORMATION_PROTOCOL  *This,
+  IN  EFI_GUID                          *InformationType,
+  IN  VOID                              *InformationBlock,
+  IN  UINTN                             InformationBlockSize
+  );
+
+/**
+  Get a list of supported information types for this instance of the protocol.
+
+  This function returns a list of InformationType GUIDs that are supported on an
+  adapter with this instance of EFI_ADAPTER_INFORMATION_PROTOCOL. The list is returned
+  in InfoTypesBuffer, and the number of GUID pointers in InfoTypesBuffer is returned in
+  InfoTypesBufferCount.
+
+  @param[in]  This                  A pointer to the EFI_ADAPTER_INFORMATION_PROTOCOL instance.
+  @param[out] InfoTypesBuffer       A pointer to the array of InformationType GUIDs that are supported
+                                    by This.
+  @param[out] InfoTypesBufferCount  A pointer to the number of GUIDs present in InfoTypesBuffer.
+
+  @retval EFI_SUCCESS               The list of information type GUIDs that are supported on this adapter was
+                                    returned in InfoTypesBuffer. The number of information type GUIDs was
+                                    returned in InfoTypesBufferCount.
+  @retval EFI_INVALID_PARAMETER     This is NULL.
+  @retval EFI_INVALID_PARAMETER     InfoTypesBuffer is NULL.
+  @retval EFI_INVALID_PARAMETER     InfoTypesBufferCount is NULL.
+  @retval EFI_OUT_OF_RESOURCES      There is not enough pool memory to store the results.
+
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_ADAPTER_INFO_GET_SUPPORTED_TYPES)(
+  IN  EFI_ADAPTER_INFORMATION_PROTOCOL  *This,
+  OUT EFI_GUID                          **InfoTypesBuffer,
+  OUT UINTN                             *InfoTypesBufferCount
+  );
+
+///
+/// EFI_ADAPTER_INFORMATION_PROTOCOL
+/// The protocol for adapter provides the following services.
+/// - Gets device state information from adapter.
+/// - Sets device information for adapter.
+/// - Gets a list of supported information types for this instance of the protocol.
+///
+struct _EFI_ADAPTER_INFORMATION_PROTOCOL {
+  EFI_ADAPTER_INFO_GET_INFO               GetInformation;
+  EFI_ADAPTER_INFO_SET_INFO               SetInformation;
+  EFI_ADAPTER_INFO_GET_SUPPORTED_TYPES    GetSupportedTypes;
+};
+
+extern EFI_GUID  gEfiAdapterInformationProtocolGuid;
+
+extern EFI_GUID  gEfiAdapterInfoMediaStateGuid;
+
+extern EFI_GUID  gEfiAdapterInfoNetworkBootGuid;
+
+extern EFI_GUID  gEfiAdapterInfoSanMacAddressGuid;
+
+extern EFI_GUID  gEfiAdapterInfoUndiIpv6SupportGuid;
+
+#endif
diff --git a/src/include/ipxe/efi/Protocol/AppleNetBoot.h b/src/include/ipxe/efi/Protocol/AppleNetBoot.h
index 5946524fd..417730bc3 100644
--- a/src/include/ipxe/efi/Protocol/AppleNetBoot.h
+++ b/src/include/ipxe/efi/Protocol/AppleNetBoot.h
@@ -8,6 +8,7 @@
  */
 
 FILE_LICENCE ( BSD3 );
+FILE_SECBOOT ( PERMITTED );
 
 #define EFI_APPLE_NET_BOOT_PROTOCOL_GUID				\
 	{ 0x78ee99fb, 0x6a5e, 0x4186,					\
diff --git a/src/include/ipxe/efi/Protocol/Arp.h b/src/include/ipxe/efi/Protocol/Arp.h
index 0f60e3c4f..26dc89d59 100644
--- a/src/include/ipxe/efi/Protocol/Arp.h
+++ b/src/include/ipxe/efi/Protocol/Arp.h
@@ -19,6 +19,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #define __EFI_ARP_PROTOCOL_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #define EFI_ARP_SERVICE_BINDING_PROTOCOL_GUID \
   { \
diff --git a/src/include/ipxe/efi/Protocol/BlockIo.h b/src/include/ipxe/efi/Protocol/BlockIo.h
index 5efaf6e90..c5614b1ef 100644
--- a/src/include/ipxe/efi/Protocol/BlockIo.h
+++ b/src/include/ipxe/efi/Protocol/BlockIo.h
@@ -13,6 +13,7 @@
 #define __BLOCK_IO_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #define EFI_BLOCK_IO_PROTOCOL_GUID \
   { \
diff --git a/src/include/ipxe/efi/Protocol/BlockIo2.h b/src/include/ipxe/efi/Protocol/BlockIo2.h
index abc2f8a9b..b985b5dab 100644
--- a/src/include/ipxe/efi/Protocol/BlockIo2.h
+++ b/src/include/ipxe/efi/Protocol/BlockIo2.h
@@ -14,6 +14,7 @@
 #define __BLOCK_IO2_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #include <ipxe/efi/Protocol/BlockIo.h>
 
diff --git a/src/include/ipxe/efi/Protocol/BusSpecificDriverOverride.h b/src/include/ipxe/efi/Protocol/BusSpecificDriverOverride.h
index 69d9b1dcf..a304f3bfa 100644
--- a/src/include/ipxe/efi/Protocol/BusSpecificDriverOverride.h
+++ b/src/include/ipxe/efi/Protocol/BusSpecificDriverOverride.h
@@ -15,6 +15,7 @@
 #define _EFI_BUS_SPECIFIC_DRIVER_OVERRIDE_PROTOCOL_H_
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 ///
 /// Global ID for the Bus Specific Driver Override Protocol
diff --git a/src/include/ipxe/efi/Protocol/ComponentName.h b/src/include/ipxe/efi/Protocol/ComponentName.h
index cd7f4d0e3..89e2e19d2 100644
--- a/src/include/ipxe/efi/Protocol/ComponentName.h
+++ b/src/include/ipxe/efi/Protocol/ComponentName.h
@@ -12,6 +12,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #define __EFI_COMPONENT_NAME_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 ///
 /// The global ID for the Component Name Protocol.
diff --git a/src/include/ipxe/efi/Protocol/ComponentName2.h b/src/include/ipxe/efi/Protocol/ComponentName2.h
index 886c9eb52..ad7818a46 100644
--- a/src/include/ipxe/efi/Protocol/ComponentName2.h
+++ b/src/include/ipxe/efi/Protocol/ComponentName2.h
@@ -12,6 +12,7 @@
 #define __EFI_COMPONENT_NAME2_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 ///
 /// Global ID for the Component Name Protocol
diff --git a/src/include/ipxe/efi/Protocol/ConsoleControl/ConsoleControl.h b/src/include/ipxe/efi/Protocol/ConsoleControl/ConsoleControl.h
index c96484ff9..cdff796a4 100644
--- a/src/include/ipxe/efi/Protocol/ConsoleControl/ConsoleControl.h
+++ b/src/include/ipxe/efi/Protocol/ConsoleControl/ConsoleControl.h
@@ -26,6 +26,7 @@ Abstract:
 #define __CONSOLE_CONTROL_H__
 
 FILE_LICENCE ( BSD3 );
+FILE_SECBOOT ( PERMITTED );
 
 #define EFI_CONSOLE_CONTROL_PROTOCOL_GUID \
   { 0xf42f7782, 0x12e, 0x4c12, {0x99, 0x56, 0x49, 0xf9, 0x43, 0x4, 0xf7, 0x21} }
diff --git a/src/include/ipxe/efi/Protocol/DebugSupport.h b/src/include/ipxe/efi/Protocol/DebugSupport.h
index 8f930e335..e97b4c7f1 100644
--- a/src/include/ipxe/efi/Protocol/DebugSupport.h
+++ b/src/include/ipxe/efi/Protocol/DebugSupport.h
@@ -17,6 +17,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #define __DEBUG_SUPPORT_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #include <ipxe/efi/IndustryStandard/PeImage.h>
 
@@ -682,23 +683,23 @@ typedef struct {
   UINT32    STVAL;
 } EFI_SYSTEM_CONTEXT_RISCV64;
 
-//
-// LoongArch processor exception types.
-//
-// The exception types is located in the CSR ESTAT
-// register offset 16 bits, width 6 bits.
-//
-// If you want to register an exception hook, you can
-// shfit the number left by 16 bits, and the exception
-// handler will know the types.
-//
-// For example:
-// mCpu->CpuRegisterInterruptHandler (
-//         mCpu,
-//         (EXCEPT_LOONGARCH_PPI << CSR_ESTAT_EXC_SHIFT),
-//         PpiExceptionHandler
-//         );
-//
+///
+/// LoongArch processor exception types.
+///
+/// The exception types is located in the CSR ESTAT
+/// register offset 16 bits, width 6 bits.
+///
+/// If you want to register an exception hook, you can
+/// shfit the number left by 16 bits, and the exception
+/// handler will know the types.
+///
+/// For example:
+/// mCpu->CpuRegisterInterruptHandler (
+///         mCpu,
+///         (EXCEPT_LOONGARCH_PPI << CSR_ESTAT_EXC_SHIFT),
+///         PpiExceptionHandler
+///         );
+///
 #define EXCEPT_LOONGARCH_INT   0
 #define EXCEPT_LOONGARCH_PIL   1
 #define EXCEPT_LOONGARCH_PIS   2
@@ -718,11 +719,22 @@ typedef struct {
 #define EXCEPT_LOONGARCH_SXD   16
 #define EXCEPT_LOONGARCH_ASXD  17
 #define EXCEPT_LOONGARCH_FPE   18
-#define EXCEPT_LOONGARCH_TBR   64 // For code only, there is no such type in the ISA spec, the TLB refill is defined for an independent exception.
+#define EXCEPT_LOONGARCH_WPE   19
+#define EXCEPT_LOONGARCH_BTD   20
+#define EXCEPT_LOONGARCH_BTE   21
+#define EXCEPT_LOONGARCH_GSPR  22
+#define EXCEPT_LOONGARCH_HVC   23
+#define EXCEPT_LOONGARCH_GCXC  24
 
-//
-// LoongArch processor Interrupt types.
-//
+///
+/// For coding convenience, define the maximum valid
+/// LoongArch exception.
+///
+#define MAX_LOONGARCH_EXCEPTION  64
+
+///
+/// LoongArch processor Interrupt types.
+///
 #define EXCEPT_LOONGARCH_INT_SIP0   0
 #define EXCEPT_LOONGARCH_INT_SIP1   1
 #define EXCEPT_LOONGARCH_INT_IP0    2
@@ -737,11 +749,11 @@ typedef struct {
 #define EXCEPT_LOONGARCH_INT_TIMER  11
 #define EXCEPT_LOONGARCH_INT_IPI    12
 
-//
-// For coding convenience, define the maximum valid
-// LoongArch interrupt.
-//
-#define MAX_LOONGARCH_INTERRUPT  14
+///
+/// For coding convenience, define the maximum valid
+/// LoongArch interrupt.
+///
+#define MAX_LOONGARCH_INTERRUPT  16
 
 typedef struct {
   UINT64    R0;
@@ -840,7 +852,6 @@ typedef enum {
   IsaX64     = IMAGE_FILE_MACHINE_X64,            ///< 0x8664
   IsaIpf     = IMAGE_FILE_MACHINE_IA64,           ///< 0x0200
   IsaEbc     = IMAGE_FILE_MACHINE_EBC,            ///< 0x0EBC
-  IsaArm     = IMAGE_FILE_MACHINE_ARMTHUMB_MIXED, ///< 0x01c2
   IsaAArch64 = IMAGE_FILE_MACHINE_ARM64           ///< 0xAA64
 } EFI_INSTRUCTION_SET_ARCHITECTURE;
 
diff --git a/src/include/ipxe/efi/Protocol/DevicePath.h b/src/include/ipxe/efi/Protocol/DevicePath.h
index 3256d5594..fd7a0ea27 100644
--- a/src/include/ipxe/efi/Protocol/DevicePath.h
+++ b/src/include/ipxe/efi/Protocol/DevicePath.h
@@ -14,6 +14,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #define __EFI_DEVICE_PATH_PROTOCOL_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #include <ipxe/efi/Guid/PcAnsi.h>
 #include <ipxe/efi/IndustryStandard/Bluetooth.h>
@@ -840,6 +841,26 @@ typedef struct {
 } NVME_NAMESPACE_DEVICE_PATH;
 
 ///
+/// NVMe over Fabric (NVMe-oF) Namespace Device Path SubType.
+///
+#define MSG_NVME_OF_NAMESPACE_DP  0x22
+typedef struct {
+  EFI_DEVICE_PATH_PROTOCOL    Header;
+  ///
+  /// Namespace Identifier Type (NIDT)
+  ///
+  UINT8                       NamespaceIdType;
+  ///
+  /// Namespace Identifier (NID)
+  ///
+  UINT8                       NamespaceId[16];
+  ///
+  /// Unique identifier of an NVM subsystem
+  ///
+  CHAR8                       SubsystemNqn[];
+} NVME_OF_NAMESPACE_DEVICE_PATH;
+
+///
 /// DNS Device Path SubType
 ///
 #define MSG_DNS_DP  0x1F
@@ -1289,6 +1310,7 @@ typedef union {
   SAS_DEVICE_PATH                            Sas;
   SASEX_DEVICE_PATH                          SasEx;
   NVME_NAMESPACE_DEVICE_PATH                 NvmeNamespace;
+  NVME_OF_NAMESPACE_DEVICE_PATH              NvmeOfNamespace;
   DNS_DEVICE_PATH                            Dns;
   URI_DEVICE_PATH                            Uri;
   BLUETOOTH_DEVICE_PATH                      Bluetooth;
@@ -1345,6 +1367,7 @@ typedef union {
   SAS_DEVICE_PATH                            *Sas;
   SASEX_DEVICE_PATH                          *SasEx;
   NVME_NAMESPACE_DEVICE_PATH                 *NvmeNamespace;
+  NVME_OF_NAMESPACE_DEVICE_PATH              *NvmeOfNamespace;
   DNS_DEVICE_PATH                            *Dns;
   URI_DEVICE_PATH                            *Uri;
   BLUETOOTH_DEVICE_PATH                      *Bluetooth;
diff --git a/src/include/ipxe/efi/Protocol/DevicePathToText.h b/src/include/ipxe/efi/Protocol/DevicePathToText.h
index 2f591b9a2..fc68a7686 100644
--- a/src/include/ipxe/efi/Protocol/DevicePathToText.h
+++ b/src/include/ipxe/efi/Protocol/DevicePathToText.h
@@ -11,6 +11,7 @@
 #define __DEVICE_PATH_TO_TEXT_PROTOCOL_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 ///
 /// Device Path To Text protocol
diff --git a/src/include/ipxe/efi/Protocol/Dhcp4.h b/src/include/ipxe/efi/Protocol/Dhcp4.h
index 1e7e27b11..c0a365c17 100644
--- a/src/include/ipxe/efi/Protocol/Dhcp4.h
+++ b/src/include/ipxe/efi/Protocol/Dhcp4.h
@@ -16,6 +16,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #define __EFI_DHCP4_PROTOCOL_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #define EFI_DHCP4_PROTOCOL_GUID \
   { \
diff --git a/src/include/ipxe/efi/Protocol/Dhcp6.h b/src/include/ipxe/efi/Protocol/Dhcp6.h
index 19f59086c..5a3e6148e 100644
--- a/src/include/ipxe/efi/Protocol/Dhcp6.h
+++ b/src/include/ipxe/efi/Protocol/Dhcp6.h
@@ -14,6 +14,7 @@
 #define __EFI_DHCP6_PROTOCOL_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #define EFI_DHCP6_PROTOCOL_GUID \
   { \
diff --git a/src/include/ipxe/efi/Protocol/DiskIo.h b/src/include/ipxe/efi/Protocol/DiskIo.h
index c5ce5d339..7a81ad5ad 100644
--- a/src/include/ipxe/efi/Protocol/DiskIo.h
+++ b/src/include/ipxe/efi/Protocol/DiskIo.h
@@ -14,6 +14,7 @@
 #define __DISK_IO_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #define EFI_DISK_IO_PROTOCOL_GUID \
   { \
diff --git a/src/include/ipxe/efi/Protocol/Dns4.h b/src/include/ipxe/efi/Protocol/Dns4.h
index 0ab07e519..36e9757a3 100644
--- a/src/include/ipxe/efi/Protocol/Dns4.h
+++ b/src/include/ipxe/efi/Protocol/Dns4.h
@@ -16,6 +16,7 @@
 #define __EFI_DNS4_PROTOCOL_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #define EFI_DNS4_SERVICE_BINDING_PROTOCOL_GUID \
   { \
diff --git a/src/include/ipxe/efi/Protocol/Dns6.h b/src/include/ipxe/efi/Protocol/Dns6.h
index 3b88c88eb..524988c5f 100644
--- a/src/include/ipxe/efi/Protocol/Dns6.h
+++ b/src/include/ipxe/efi/Protocol/Dns6.h
@@ -16,6 +16,7 @@
 #define __EFI_DNS6_PROTOCOL_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #define EFI_DNS6_SERVICE_BINDING_PROTOCOL_GUID \
   { \
diff --git a/src/include/ipxe/efi/Protocol/DriverBinding.h b/src/include/ipxe/efi/Protocol/DriverBinding.h
index 3c2027506..903545b98 100644
--- a/src/include/ipxe/efi/Protocol/DriverBinding.h
+++ b/src/include/ipxe/efi/Protocol/DriverBinding.h
@@ -13,6 +13,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #define __EFI_DRIVER_BINDING_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 ///
 /// The global ID for the ControllerHandle Driver Protocol.
diff --git a/src/include/ipxe/efi/Protocol/EapConfiguration.h b/src/include/ipxe/efi/Protocol/EapConfiguration.h
new file mode 100644
index 000000000..980873945
--- /dev/null
+++ b/src/include/ipxe/efi/Protocol/EapConfiguration.h
@@ -0,0 +1,156 @@
+/** @file
+  This file defines the EFI EAP Configuration protocol.
+
+  Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+  @par Revision Reference:
+  This Protocol is introduced in UEFI Specification 2.5
+
+**/
+
+#ifndef __EFI_EAP_CONFIGURATION_PROTOCOL_H__
+#define __EFI_EAP_CONFIGURATION_PROTOCOL_H__
+
+FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
+
+///
+/// EFI EAP Configuration protocol provides a way to set and get EAP configuration.
+///
+#define EFI_EAP_CONFIGURATION_PROTOCOL_GUID \
+  { \
+    0xe5b58dbb, 0x7688, 0x44b4, {0x97, 0xbf, 0x5f, 0x1d, 0x4b, 0x7c, 0xc8, 0xdb } \
+  }
+
+typedef struct _EFI_EAP_CONFIGURATION_PROTOCOL EFI_EAP_CONFIGURATION_PROTOCOL;
+
+///
+/// Make sure it not conflict with any real EapTypeXXX
+///
+#define EFI_EAP_TYPE_ATTRIBUTE  0
+
+typedef enum {
+  ///
+  /// EFI_EAP_TYPE_ATTRIBUTE
+  ///
+  EfiEapConfigEapAuthMethod,
+  EfiEapConfigEapSupportedAuthMethod,
+  ///
+  /// EapTypeIdentity
+  ///
+  EfiEapConfigIdentityString,
+  ///
+  /// EapTypeEAPTLS/EapTypePEAP
+  ///
+  EfiEapConfigEapTlsCACert,
+  EfiEapConfigEapTlsClientCert,
+  EfiEapConfigEapTlsClientPrivateKeyFile,
+  EfiEapConfigEapTlsClientPrivateKeyFilePassword, // ASCII format, Volatile
+  EfiEapConfigEapTlsCipherSuite,
+  EfiEapConfigEapTlsSupportedCipherSuite,
+  ///
+  /// EapTypeMSChapV2
+  ///
+  EfiEapConfigEapMSChapV2Password, // UNICODE format, Volatile
+  ///
+  /// EapTypePEAP
+  ///
+  EfiEapConfigEap2ndAuthMethod,
+  ///
+  /// More...
+  ///
+} EFI_EAP_CONFIG_DATA_TYPE;
+
+///
+/// EFI_EAP_TYPE
+///
+typedef UINT8 EFI_EAP_TYPE;
+#define EFI_EAP_TYPE_ATTRIBUTE      0
+#define EFI_EAP_TYPE_IDENTITY       1
+#define EFI_EAP_TYPE_NOTIFICATION   2
+#define EFI_EAP_TYPE_NAK            3
+#define EFI_EAP_TYPE_MD5CHALLENGE   4
+#define EFI_EAP_TYPE_OTP            5
+#define EFI_EAP_TYPE_GTC            6
+#define EFI_EAP_TYPE_EAPTLS         13
+#define EFI_EAP_TYPE_EAPSIM         18
+#define EFI_EAP_TYPE_TTLS           21
+#define EFI_EAP_TYPE_PEAP           25
+#define EFI_EAP_TYPE_MSCHAPV2       26
+#define EFI_EAP_TYPE_EAP_EXTENSION  33
+
+/**
+  Set EAP configuration data.
+
+  The SetData() function sets EAP configuration to non-volatile storage or volatile
+  storage.
+
+  @param[in]  This                Pointer to the EFI_EAP_CONFIGURATION_PROTOCOL instance.
+  @param[in]  EapType             EAP type.
+  @param[in]  DataType            Configuration data type.
+  @param[in]  Data                Pointer to configuration data.
+  @param[in]  DataSize            Total size of configuration data.
+
+  @retval EFI_SUCCESS             The EAP configuration data is set successfully.
+  @retval EFI_INVALID_PARAMETER   One or more of the following conditions is TRUE:
+                                  Data is NULL.
+                                  DataSize is 0.
+  @retval EFI_UNSUPPORTED         The EapType or DataType is unsupported.
+  @retval EFI_OUT_OF_RESOURCES    Required system resources could not be allocated.
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_EAP_CONFIGURATION_SET_DATA)(
+  IN EFI_EAP_CONFIGURATION_PROTOCOL       *This,
+  IN EFI_EAP_TYPE                         EapType,
+  IN EFI_EAP_CONFIG_DATA_TYPE             DataType,
+  IN VOID                                 *Data,
+  IN UINTN                                DataSize
+  );
+
+/**
+  Get EAP configuration data.
+
+  The GetData() function gets EAP configuration.
+
+  @param[in]       This           Pointer to the EFI_EAP_CONFIGURATION_PROTOCOL instance.
+  @param[in]       EapType        EAP type.
+  @param[in]       DataType       Configuration data type.
+  @param[in, out]  Data           Pointer to configuration data.
+  @param[in, out]  DataSize       Total size of configuration data. On input, it means
+                                  the size of Data buffer. On output, it means the size
+                                  of copied Data buffer if EFI_SUCCESS, and means the
+                                  size of desired Data buffer if EFI_BUFFER_TOO_SMALL.
+
+  @retval EFI_SUCCESS             The EAP configuration data is got successfully.
+  @retval EFI_INVALID_PARAMETER   One or more of the following conditions is TRUE:
+                                  Data is NULL.
+                                  DataSize is NULL.
+  @retval EFI_UNSUPPORTED         The EapType or DataType is unsupported.
+  @retval EFI_NOT_FOUND           The EAP configuration data is not found.
+  @retval EFI_BUFFER_TOO_SMALL    The buffer is too small to hold the buffer.
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_EAP_CONFIGURATION_GET_DATA)(
+  IN EFI_EAP_CONFIGURATION_PROTOCOL       *This,
+  IN EFI_EAP_TYPE                         EapType,
+  IN EFI_EAP_CONFIG_DATA_TYPE             DataType,
+  IN OUT VOID                             *Data,
+  IN OUT UINTN                            *DataSize
+  );
+
+///
+/// The EFI_EAP_CONFIGURATION_PROTOCOL
+/// is designed to provide a way to set and get EAP configuration, such as Certificate,
+/// private key file.
+///
+struct _EFI_EAP_CONFIGURATION_PROTOCOL {
+  EFI_EAP_CONFIGURATION_SET_DATA    SetData;
+  EFI_EAP_CONFIGURATION_GET_DATA    GetData;
+};
+
+extern EFI_GUID  gEfiEapConfigurationProtocolGuid;
+
+#endif
diff --git a/src/include/ipxe/efi/Protocol/FormBrowser2.h b/src/include/ipxe/efi/Protocol/FormBrowser2.h
index 5e6f940b8..7f726757b 100644
--- a/src/include/ipxe/efi/Protocol/FormBrowser2.h
+++ b/src/include/ipxe/efi/Protocol/FormBrowser2.h
@@ -13,6 +13,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #define __EFI_FORM_BROWSER2_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #include <ipxe/efi/Guid/HiiPlatformSetupFormset.h>
 
diff --git a/src/include/ipxe/efi/Protocol/GraphicsOutput.h b/src/include/ipxe/efi/Protocol/GraphicsOutput.h
index b89315c7d..1e822c208 100644
--- a/src/include/ipxe/efi/Protocol/GraphicsOutput.h
+++ b/src/include/ipxe/efi/Protocol/GraphicsOutput.h
@@ -12,6 +12,7 @@
 #define __GRAPHICS_OUTPUT_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #define EFI_GRAPHICS_OUTPUT_PROTOCOL_GUID \
   { \
diff --git a/src/include/ipxe/efi/Protocol/Hash.h b/src/include/ipxe/efi/Protocol/Hash.h
new file mode 100644
index 000000000..aabbc3026
--- /dev/null
+++ b/src/include/ipxe/efi/Protocol/Hash.h
@@ -0,0 +1,172 @@
+/** @file
+  EFI_HASH_SERVICE_BINDING_PROTOCOL as defined in UEFI 2.0.
+  EFI_HASH_PROTOCOL as defined in UEFI 2.0.
+  The EFI Hash Service Binding Protocol is used to locate hashing services support
+  provided by a driver and to create and destroy instances of the EFI Hash Protocol
+  so that a multiple drivers can use the underlying hashing services.
+
+Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef __EFI_HASH_PROTOCOL_H__
+#define __EFI_HASH_PROTOCOL_H__
+
+FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
+
+#define EFI_HASH_SERVICE_BINDING_PROTOCOL_GUID \
+  { \
+    0x42881c98, 0xa4f3, 0x44b0, {0xa3, 0x9d, 0xdf, 0xa1, 0x86, 0x67, 0xd8, 0xcd } \
+  }
+
+#define EFI_HASH_PROTOCOL_GUID \
+  { \
+    0xc5184932, 0xdba5, 0x46db, {0xa5, 0xba, 0xcc, 0x0b, 0xda, 0x9c, 0x14, 0x35 } \
+  }
+
+#define EFI_HASH_ALGORITHM_SHA1_GUID \
+  { \
+    0x2ae9d80f, 0x3fb2, 0x4095, {0xb7, 0xb1, 0xe9, 0x31, 0x57, 0xb9, 0x46, 0xb6 } \
+  }
+
+#define EFI_HASH_ALGORITHM_SHA224_GUID \
+  { \
+    0x8df01a06, 0x9bd5, 0x4bf7, {0xb0, 0x21, 0xdb, 0x4f, 0xd9, 0xcc, 0xf4, 0x5b } \
+  }
+
+#define EFI_HASH_ALGORITHM_SHA256_GUID \
+  { \
+    0x51aa59de, 0xfdf2, 0x4ea3, {0xbc, 0x63, 0x87, 0x5f, 0xb7, 0x84, 0x2e, 0xe9 } \
+  }
+
+#define EFI_HASH_ALGORITHM_SHA384_GUID \
+  { \
+    0xefa96432, 0xde33, 0x4dd2, {0xae, 0xe6, 0x32, 0x8c, 0x33, 0xdf, 0x77, 0x7a } \
+  }
+
+#define EFI_HASH_ALGORITHM_SHA512_GUID \
+  { \
+    0xcaa4381e, 0x750c, 0x4770, {0xb8, 0x70, 0x7a, 0x23, 0xb4, 0xe4, 0x21, 0x30 } \
+  }
+
+#define EFI_HASH_ALGORTIHM_MD5_GUID \
+  { \
+    0xaf7c79c, 0x65b5, 0x4319, {0xb0, 0xae, 0x44, 0xec, 0x48, 0x4e, 0x4a, 0xd7 } \
+  }
+
+#define EFI_HASH_ALGORITHM_SHA1_NOPAD_GUID \
+  { \
+    0x24c5dc2f, 0x53e2, 0x40ca, {0x9e, 0xd6, 0xa5, 0xd9, 0xa4, 0x9f, 0x46, 0x3b } \
+  }
+
+#define EFI_HASH_ALGORITHM_SHA256_NOPAD_GUID \
+  { \
+    0x8628752a, 0x6cb7, 0x4814, {0x96, 0xfc, 0x24, 0xa8, 0x15, 0xac, 0x22, 0x26 } \
+  }
+
+//
+// Note: Use of the following algorithms with EFI_HASH_PROTOCOL is deprecated.
+//       EFI_HASH_ALGORITHM_SHA1_GUID
+//       EFI_HASH_ALGORITHM_SHA224_GUID
+//       EFI_HASH_ALGORITHM_SHA256_GUID
+//       EFI_HASH_ALGORITHM_SHA384_GUID
+//       EFI_HASH_ALGORITHM_SHA512_GUID
+//       EFI_HASH_ALGORTIHM_MD5_GUID
+//
+
+typedef struct _EFI_HASH_PROTOCOL EFI_HASH_PROTOCOL;
+
+typedef UINT8 EFI_MD5_HASH[16];
+typedef UINT8 EFI_SHA1_HASH[20];
+typedef UINT8 EFI_SHA224_HASH[28];
+typedef UINT8 EFI_SHA256_HASH[32];
+typedef UINT8 EFI_SHA384_HASH[48];
+typedef UINT8 EFI_SHA512_HASH[64];
+
+typedef union {
+  EFI_MD5_HASH       *Md5Hash;
+  EFI_SHA1_HASH      *Sha1Hash;
+  EFI_SHA224_HASH    *Sha224Hash;
+  EFI_SHA256_HASH    *Sha256Hash;
+  EFI_SHA384_HASH    *Sha384Hash;
+  EFI_SHA512_HASH    *Sha512Hash;
+} EFI_HASH_OUTPUT;
+
+/**
+  Returns the size of the hash which results from a specific algorithm.
+
+  @param[in]  This                  Points to this instance of EFI_HASH_PROTOCOL.
+  @param[in]  HashAlgorithm         Points to the EFI_GUID which identifies the algorithm to use.
+  @param[out] HashSize              Holds the returned size of the algorithm's hash.
+
+  @retval EFI_SUCCESS           Hash size returned successfully.
+  @retval EFI_INVALID_PARAMETER HashSize is NULL or HashAlgorithm is NULL.
+  @retval EFI_UNSUPPORTED       The algorithm specified by HashAlgorithm is not supported
+                                by this driver.
+
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_HASH_GET_HASH_SIZE)(
+  IN  CONST EFI_HASH_PROTOCOL     *This,
+  IN  CONST EFI_GUID              *HashAlgorithm,
+  OUT UINTN                       *HashSize
+  );
+
+/**
+  Creates a hash for the specified message text.
+
+  @param[in]  This          Points to this instance of EFI_HASH_PROTOCOL.
+  @param[in]  HashAlgorithm Points to the EFI_GUID which identifies the algorithm to use.
+  @param[in]  Extend        Specifies whether to create a new hash (FALSE) or extend the specified
+                            existing hash (TRUE).
+  @param[in]  Message       Points to the start of the message.
+  @param[in]  MessageSize   The size of Message, in bytes.
+  @param[in,out]  Hash      On input, if Extend is TRUE, then this parameter holds a pointer
+                            to a pointer to an array containing the hash to extend. If Extend
+                            is FALSE, then this parameter holds a pointer to a pointer to a
+                            caller-allocated array that will receive the result of the hash
+                            computation. On output (regardless of the value of Extend), the
+                            array will contain the result of the hash computation.
+
+  @retval EFI_SUCCESS           Hash returned successfully.
+  @retval EFI_INVALID_PARAMETER Message or Hash, HashAlgorithm is NULL or MessageSize is 0.
+                                MessageSize is not an integer multiple of block size.
+  @retval EFI_UNSUPPORTED       The algorithm specified by HashAlgorithm is not supported by this
+                                 driver. Or, Extend is TRUE, and the algorithm doesn't support extending the hash.
+
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_HASH_HASH)(
+  IN CONST EFI_HASH_PROTOCOL      *This,
+  IN CONST EFI_GUID               *HashAlgorithm,
+  IN BOOLEAN                      Extend,
+  IN CONST UINT8                  *Message,
+  IN UINT64                       MessageSize,
+  IN OUT EFI_HASH_OUTPUT          *Hash
+  );
+
+///
+/// This protocol allows creating a hash of an arbitrary message digest
+/// using one or more hash algorithms.
+///
+struct _EFI_HASH_PROTOCOL {
+  EFI_HASH_GET_HASH_SIZE    GetHashSize;
+  EFI_HASH_HASH             Hash;
+};
+
+extern EFI_GUID  gEfiHashServiceBindingProtocolGuid;
+extern EFI_GUID  gEfiHashProtocolGuid;
+extern EFI_GUID  gEfiHashAlgorithmSha1Guid;
+extern EFI_GUID  gEfiHashAlgorithmSha224Guid;
+extern EFI_GUID  gEfiHashAlgorithmSha256Guid;
+extern EFI_GUID  gEfiHashAlgorithmSha384Guid;
+extern EFI_GUID  gEfiHashAlgorithmSha512Guid;
+extern EFI_GUID  gEfiHashAlgorithmMD5Guid;
+extern EFI_GUID  gEfiHashAlgorithmSha1NoPadGuid;
+extern EFI_GUID  gEfiHashAlgorithmSha256NoPadGuid;
+
+#endif
diff --git a/src/include/ipxe/efi/Protocol/HiiConfigAccess.h b/src/include/ipxe/efi/Protocol/HiiConfigAccess.h
index aaa51a31b..e48a48335 100644
--- a/src/include/ipxe/efi/Protocol/HiiConfigAccess.h
+++ b/src/include/ipxe/efi/Protocol/HiiConfigAccess.h
@@ -17,6 +17,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #define __EFI_HII_CONFIG_ACCESS_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #include <ipxe/efi/Protocol/FormBrowser2.h>
 
diff --git a/src/include/ipxe/efi/Protocol/HiiDatabase.h b/src/include/ipxe/efi/Protocol/HiiDatabase.h
index d077b1167..4338319d1 100644
--- a/src/include/ipxe/efi/Protocol/HiiDatabase.h
+++ b/src/include/ipxe/efi/Protocol/HiiDatabase.h
@@ -14,6 +14,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #define __HII_DATABASE_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #define EFI_HII_DATABASE_PROTOCOL_GUID \
   { 0xef9fc172, 0xa1b2, 0x4693, { 0xb3, 0x27, 0x6d, 0x32, 0xfc, 0x41, 0x60, 0x42 } }
diff --git a/src/include/ipxe/efi/Protocol/HiiFont.h b/src/include/ipxe/efi/Protocol/HiiFont.h
index 248f13ea5..6d6f88514 100644
--- a/src/include/ipxe/efi/Protocol/HiiFont.h
+++ b/src/include/ipxe/efi/Protocol/HiiFont.h
@@ -13,6 +13,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #define __HII_FONT_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #include <ipxe/efi/Protocol/GraphicsOutput.h>
 #include <ipxe/efi/Protocol/HiiImage.h>
diff --git a/src/include/ipxe/efi/Protocol/HiiImage.h b/src/include/ipxe/efi/Protocol/HiiImage.h
index 20fd72578..f40c00eb7 100644
--- a/src/include/ipxe/efi/Protocol/HiiImage.h
+++ b/src/include/ipxe/efi/Protocol/HiiImage.h
@@ -13,6 +13,7 @@
 #define __HII_IMAGE_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #include <ipxe/efi/Protocol/GraphicsOutput.h>
 
diff --git a/src/include/ipxe/efi/Protocol/Http.h b/src/include/ipxe/efi/Protocol/Http.h
index d30a5aa46..84eb20600 100644
--- a/src/include/ipxe/efi/Protocol/Http.h
+++ b/src/include/ipxe/efi/Protocol/Http.h
@@ -17,6 +17,7 @@
 #define __EFI_HTTP_PROTOCOL_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #define EFI_HTTP_SERVICE_BINDING_PROTOCOL_GUID \
   { \
@@ -100,7 +101,8 @@ typedef enum {
   HTTP_STATUS_503_SERVICE_UNAVAILABLE,
   HTTP_STATUS_504_GATEWAY_TIME_OUT,
   HTTP_STATUS_505_HTTP_VERSION_NOT_SUPPORTED,
-  HTTP_STATUS_308_PERMANENT_REDIRECT
+  HTTP_STATUS_308_PERMANENT_REDIRECT,
+  HTTP_STATUS_429_TOO_MANY_REQUESTS
 } EFI_HTTP_STATUS_CODE;
 
 ///
@@ -190,12 +192,27 @@ typedef struct {
   /// The URI of a remote host. From the information in this field, the HTTP instance
   /// will be able to determine whether to use HTTP or HTTPS and will also be able to
   /// determine the port number to use. If no port number is specified, port 80 (HTTP)
-  /// is assumed. See RFC 3986 for more details on URI syntax.
+  /// or 443 (HTTPS) is assumed. See RFC 3986 for more details on URI syntax.
   ///
   CHAR16             *Url;
 } EFI_HTTP_REQUEST_DATA;
 
 ///
+/// EFI_HTTP_CONNECT_REQUEST_DATA
+///
+typedef struct {
+  EFI_HTTP_REQUEST_DATA    Base;
+  ///
+  /// The URI of an Proxy Host. This field will be NULL if there is no Proxy Host
+  /// in the device path. From the information in this field, the HTTP instance will
+  /// be able to determine whether to use HTTP or HTTPS and will also be able to
+  /// determine the port number to use. If no port number is specified, port 80 (HTTP)
+  /// or 443 (HTTPS) is assumed. See RFC 3986 for more details on URI syntax.
+  ///
+  CHAR16                   *ProxyUrl;
+} EFI_HTTP_CONNECT_REQUEST_DATA;
+
+///
 /// EFI_HTTP_RESPONSE_DATA
 ///
 typedef struct {
diff --git a/src/include/ipxe/efi/Protocol/Ip4.h b/src/include/ipxe/efi/Protocol/Ip4.h
index 0455c7b2f..f45465860 100644
--- a/src/include/ipxe/efi/Protocol/Ip4.h
+++ b/src/include/ipxe/efi/Protocol/Ip4.h
@@ -22,6 +22,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #define __EFI_IP4_PROTOCOL_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #include <ipxe/efi/Protocol/ManagedNetwork.h>
 
diff --git a/src/include/ipxe/efi/Protocol/Ip4Config.h b/src/include/ipxe/efi/Protocol/Ip4Config.h
index ff47fd2b7..45d395ca8 100644
--- a/src/include/ipxe/efi/Protocol/Ip4Config.h
+++ b/src/include/ipxe/efi/Protocol/Ip4Config.h
@@ -1,3 +1,6 @@
+#ifndef _IPXE_EFI_IP4CONFIG_H
+#define _IPXE_EFI_IP4CONFIG_H
+
 /** @file
   This file provides a definition of the EFI IPv4 Configuration
   Protocol.
@@ -14,6 +17,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #define __EFI_IP4CONFIG_PROTOCOL_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #include <ipxe/efi/Protocol/Ip4.h>
 
@@ -176,3 +180,5 @@ struct _EFI_IP4_CONFIG_PROTOCOL {
 extern EFI_GUID  gEfiIp4ConfigProtocolGuid;
 
 #endif
+
+#endif /* _IPXE_EFI_IP4CONFIG_H */
diff --git a/src/include/ipxe/efi/Protocol/Ip4Config2.h b/src/include/ipxe/efi/Protocol/Ip4Config2.h
index ca091dea5..362387179 100644
--- a/src/include/ipxe/efi/Protocol/Ip4Config2.h
+++ b/src/include/ipxe/efi/Protocol/Ip4Config2.h
@@ -14,6 +14,7 @@ This Protocol is introduced in UEFI Specification 2.5
 #define __EFI_IP4CONFIG2_PROTOCOL_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #include <ipxe/efi/Protocol/Ip4.h>
 
diff --git a/src/include/ipxe/efi/Protocol/Ip6.h b/src/include/ipxe/efi/Protocol/Ip6.h
index c70df1906..2d19b806a 100644
--- a/src/include/ipxe/efi/Protocol/Ip6.h
+++ b/src/include/ipxe/efi/Protocol/Ip6.h
@@ -22,6 +22,7 @@
 #define __EFI_IP6_PROTOCOL_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #include <ipxe/efi/Protocol/ManagedNetwork.h>
 
diff --git a/src/include/ipxe/efi/Protocol/Ip6Config.h b/src/include/ipxe/efi/Protocol/Ip6Config.h
index 5665e93b9..75c5adbb0 100644
--- a/src/include/ipxe/efi/Protocol/Ip6Config.h
+++ b/src/include/ipxe/efi/Protocol/Ip6Config.h
@@ -11,6 +11,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #define __EFI_IP6CONFIG_PROTOCOL_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #include <ipxe/efi/Protocol/Ip6.h>
 
diff --git a/src/include/ipxe/efi/Protocol/LoadFile.h b/src/include/ipxe/efi/Protocol/LoadFile.h
index 034b22b55..47e164600 100644
--- a/src/include/ipxe/efi/Protocol/LoadFile.h
+++ b/src/include/ipxe/efi/Protocol/LoadFile.h
@@ -16,6 +16,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #define __EFI_LOAD_FILE_PROTOCOL_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #define EFI_LOAD_FILE_PROTOCOL_GUID \
   { \
diff --git a/src/include/ipxe/efi/Protocol/LoadFile2.h b/src/include/ipxe/efi/Protocol/LoadFile2.h
index 2cb155dda..409e411cf 100644
--- a/src/include/ipxe/efi/Protocol/LoadFile2.h
+++ b/src/include/ipxe/efi/Protocol/LoadFile2.h
@@ -16,6 +16,7 @@
 #define __EFI_LOAD_FILE2_PROTOCOL_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #define EFI_LOAD_FILE2_PROTOCOL_GUID \
   { \
diff --git a/src/include/ipxe/efi/Protocol/LoadedImage.h b/src/include/ipxe/efi/Protocol/LoadedImage.h
index db331b88f..401f464fa 100755
--- a/src/include/ipxe/efi/Protocol/LoadedImage.h
+++ b/src/include/ipxe/efi/Protocol/LoadedImage.h
@@ -13,6 +13,7 @@
 #define __LOADED_IMAGE_PROTOCOL_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #define EFI_LOADED_IMAGE_PROTOCOL_GUID \
   { \
diff --git a/src/include/ipxe/efi/Protocol/ManagedNetwork.h b/src/include/ipxe/efi/Protocol/ManagedNetwork.h
index 44a27ed1f..60e7e9ae8 100644
--- a/src/include/ipxe/efi/Protocol/ManagedNetwork.h
+++ b/src/include/ipxe/efi/Protocol/ManagedNetwork.h
@@ -14,6 +14,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #define __EFI_MANAGED_NETWORK_PROTOCOL_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #include <ipxe/efi/Protocol/SimpleNetwork.h>
 
diff --git a/src/include/ipxe/efi/Protocol/MpService.h b/src/include/ipxe/efi/Protocol/MpService.h
index cd1bb27fe..1a1874662 100644
--- a/src/include/ipxe/efi/Protocol/MpService.h
+++ b/src/include/ipxe/efi/Protocol/MpService.h
@@ -40,6 +40,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #define _MP_SERVICE_PROTOCOL_H_
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 ///
 /// Global ID for the EFI_MP_SERVICES_PROTOCOL.
diff --git a/src/include/ipxe/efi/Protocol/Mtftp4.h b/src/include/ipxe/efi/Protocol/Mtftp4.h
index 4890c8ab2..5e50fcc9f 100644
--- a/src/include/ipxe/efi/Protocol/Mtftp4.h
+++ b/src/include/ipxe/efi/Protocol/Mtftp4.h
@@ -13,6 +13,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #define __EFI_MTFTP4_PROTOCOL_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #define EFI_MTFTP4_SERVICE_BINDING_PROTOCOL_GUID \
   { \
diff --git a/src/include/ipxe/efi/Protocol/Mtftp6.h b/src/include/ipxe/efi/Protocol/Mtftp6.h
index b08af87e1..5a6d640e5 100644
--- a/src/include/ipxe/efi/Protocol/Mtftp6.h
+++ b/src/include/ipxe/efi/Protocol/Mtftp6.h
@@ -17,6 +17,7 @@
 #define __EFI_MTFTP6_PROTOCOL_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #define EFI_MTFTP6_SERVICE_BINDING_PROTOCOL_GUID \
   { \
diff --git a/src/include/ipxe/efi/Protocol/NetworkInterfaceIdentifier.h b/src/include/ipxe/efi/Protocol/NetworkInterfaceIdentifier.h
index 1ce13f273..5a0a82071 100644
--- a/src/include/ipxe/efi/Protocol/NetworkInterfaceIdentifier.h
+++ b/src/include/ipxe/efi/Protocol/NetworkInterfaceIdentifier.h
@@ -13,6 +13,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #define __EFI_NETWORK_INTERFACE_IDENTIFER_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 //
 // GUID retired from UEFI Specification 2.1b
diff --git a/src/include/ipxe/efi/Protocol/PciIo.h b/src/include/ipxe/efi/Protocol/PciIo.h
index c733925d5..3c2582cab 100644
--- a/src/include/ipxe/efi/Protocol/PciIo.h
+++ b/src/include/ipxe/efi/Protocol/PciIo.h
@@ -11,6 +11,7 @@
 #define __PCI_IO_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 ///
 /// Global ID for the PCI I/O Protocol
diff --git a/src/include/ipxe/efi/Protocol/PciRootBridgeIo.h b/src/include/ipxe/efi/Protocol/PciRootBridgeIo.h
index b6a478027..674e864d1 100644
--- a/src/include/ipxe/efi/Protocol/PciRootBridgeIo.h
+++ b/src/include/ipxe/efi/Protocol/PciRootBridgeIo.h
@@ -14,6 +14,7 @@
 #define __PCI_ROOT_BRIDGE_IO_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #include <ipxe/efi/Library/BaseLib.h>
 
diff --git a/src/include/ipxe/efi/Protocol/PxeBaseCode.h b/src/include/ipxe/efi/Protocol/PxeBaseCode.h
index 20efd7280..5db934370 100644
--- a/src/include/ipxe/efi/Protocol/PxeBaseCode.h
+++ b/src/include/ipxe/efi/Protocol/PxeBaseCode.h
@@ -17,6 +17,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #define __PXE_BASE_CODE_PROTOCOL_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 ///
 /// PXE Base Code protocol.
@@ -36,7 +37,7 @@ typedef EFI_PXE_BASE_CODE_PROTOCOL EFI_PXE_BASE_CODE;
 ///
 /// Default IP TTL and ToS.
 ///
-#define DEFAULT_TTL  16
+#define DEFAULT_TTL  64
 #define DEFAULT_ToS  0
 
 ///
@@ -155,8 +156,6 @@ typedef UINT16 EFI_PXE_BASE_CODE_UDP_PORT;
 #define EFI_PXE_CLIENT_SYSTEM_ARCHITECTURE  0x0006
 #elif defined (MDE_CPU_X64)
 #define EFI_PXE_CLIENT_SYSTEM_ARCHITECTURE  0x0007
-#elif defined (MDE_CPU_ARM)
-#define EFI_PXE_CLIENT_SYSTEM_ARCHITECTURE  0x000A
 #elif defined (MDE_CPU_AARCH64)
 #define EFI_PXE_CLIENT_SYSTEM_ARCHITECTURE  0x000B
 #elif defined (MDE_CPU_RISCV64)
diff --git a/src/include/ipxe/efi/Protocol/Rng.h b/src/include/ipxe/efi/Protocol/Rng.h
index 92d648bee..e4ad3d716 100644
--- a/src/include/ipxe/efi/Protocol/Rng.h
+++ b/src/include/ipxe/efi/Protocol/Rng.h
@@ -8,10 +8,13 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
 
-#ifndef __EFI_RNG_PROTOCOL_H__
-#define __EFI_RNG_PROTOCOL_H__
+#ifndef EFI_RNG_PROTOCOL_H_
+#define EFI_RNG_PROTOCOL_H_
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
+
+#include <ipxe/efi/Guid/Rng.h>
 
 ///
 /// Global ID for the Random Number Generator Protocol
@@ -21,142 +24,8 @@ FILE_LICENCE ( BSD2_PATENT );
     0x3152bca5, 0xeade, 0x433d, {0x86, 0x2e, 0xc0, 0x1c, 0xdc, 0x29, 0x1f, 0x44 } \
   }
 
-typedef struct _EFI_RNG_PROTOCOL EFI_RNG_PROTOCOL;
-
-///
-/// A selection of EFI_RNG_PROTOCOL algorithms.
-/// The algorithms listed are optional, not meant to be exhaustive and be argmented by
-/// vendors or other industry standards.
-///
-
-typedef EFI_GUID EFI_RNG_ALGORITHM;
-
-///
-/// The algorithms corresponds to SP800-90 as defined in
-/// NIST SP 800-90, "Recommendation for Random Number Generation Using Deterministic Random
-/// Bit Generators", March 2007.
-///
-#define EFI_RNG_ALGORITHM_SP800_90_HASH_256_GUID \
-  { \
-    0xa7af67cb, 0x603b, 0x4d42, {0xba, 0x21, 0x70, 0xbf, 0xb6, 0x29, 0x3f, 0x96 } \
-  }
-#define EFI_RNG_ALGORITHM_SP800_90_HMAC_256_GUID \
-  { \
-    0xc5149b43, 0xae85, 0x4f53, {0x99, 0x82, 0xb9, 0x43, 0x35, 0xd3, 0xa9, 0xe7 } \
-  }
-#define EFI_RNG_ALGORITHM_SP800_90_CTR_256_GUID \
-  { \
-    0x44f0de6e, 0x4d8c, 0x4045, {0xa8, 0xc7, 0x4d, 0xd1, 0x68, 0x85, 0x6b, 0x9e } \
-  }
-///
-/// The algorithms correspond to X9.31 as defined in
-/// NIST, "Recommended Random Number Generator Based on ANSI X9.31 Appendix A.2.4 Using
-/// the 3-Key Triple DES and AES Algorithm", January 2005.
-///
-#define EFI_RNG_ALGORITHM_X9_31_3DES_GUID \
-  { \
-    0x63c4785a, 0xca34, 0x4012, {0xa3, 0xc8, 0x0b, 0x6a, 0x32, 0x4f, 0x55, 0x46 } \
-  }
-#define EFI_RNG_ALGORITHM_X9_31_AES_GUID \
-  { \
-    0xacd03321, 0x777e, 0x4d3d, {0xb1, 0xc8, 0x20, 0xcf, 0xd8, 0x88, 0x20, 0xc9 } \
-  }
-///
-/// The "raw" algorithm, when supported, is intended to provide entropy directly from
-/// the source, without it going through some deterministic random bit generator.
-///
-#define EFI_RNG_ALGORITHM_RAW \
-  { \
-    0xe43176d7, 0xb6e8, 0x4827, {0xb7, 0x84, 0x7f, 0xfd, 0xc4, 0xb6, 0x85, 0x61 } \
-  }
-///
-/// The Arm Architecture states the RNDR that the DRBG algorithm should be compliant
-/// with NIST SP800-90A, while not mandating a particular algorithm, so as to be
-/// inclusive of different geographies.
-///
-#define EFI_RNG_ALGORITHM_ARM_RNDR \
-  { \
-    0x43d2fde3, 0x9d4e, 0x4d79,  {0x02, 0x96, 0xa8, 0x9b, 0xca, 0x78, 0x08, 0x41} \
-  }
-
-/**
-  Returns information about the random number generation implementation.
-
-  @param[in]     This                 A pointer to the EFI_RNG_PROTOCOL instance.
-  @param[in,out] RNGAlgorithmListSize On input, the size in bytes of RNGAlgorithmList.
-                                      On output with a return code of EFI_SUCCESS, the size
-                                      in bytes of the data returned in RNGAlgorithmList. On output
-                                      with a return code of EFI_BUFFER_TOO_SMALL,
-                                      the size of RNGAlgorithmList required to obtain the list.
-  @param[out] RNGAlgorithmList        A caller-allocated memory buffer filled by the driver
-                                      with one EFI_RNG_ALGORITHM element for each supported
-                                      RNG algorithm. The list must not change across multiple
-                                      calls to the same driver. The first algorithm in the list
-                                      is the default algorithm for the driver.
-
-  @retval EFI_SUCCESS                 The RNG algorithm list was returned successfully.
-  @retval EFI_UNSUPPORTED             The services is not supported by this driver.
-  @retval EFI_DEVICE_ERROR            The list of algorithms could not be retrieved due to a
-                                      hardware or firmware error.
-  @retval EFI_INVALID_PARAMETER       One or more of the parameters are incorrect.
-  @retval EFI_BUFFER_TOO_SMALL        The buffer RNGAlgorithmList is too small to hold the result.
-
-**/
-typedef
-EFI_STATUS
-(EFIAPI *EFI_RNG_GET_INFO)(
-  IN EFI_RNG_PROTOCOL             *This,
-  IN OUT UINTN                    *RNGAlgorithmListSize,
-  OUT EFI_RNG_ALGORITHM           *RNGAlgorithmList
-  );
-
-/**
-  Produces and returns an RNG value using either the default or specified RNG algorithm.
-
-  @param[in]  This                    A pointer to the EFI_RNG_PROTOCOL instance.
-  @param[in]  RNGAlgorithm            A pointer to the EFI_RNG_ALGORITHM that identifies the RNG
-                                      algorithm to use. May be NULL in which case the function will
-                                      use its default RNG algorithm.
-  @param[in]  RNGValueLength          The length in bytes of the memory buffer pointed to by
-                                      RNGValue. The driver shall return exactly this numbers of bytes.
-  @param[out] RNGValue                A caller-allocated memory buffer filled by the driver with the
-                                      resulting RNG value.
-
-  @retval EFI_SUCCESS                 The RNG value was returned successfully.
-  @retval EFI_UNSUPPORTED             The algorithm specified by RNGAlgorithm is not supported by
-                                      this driver.
-  @retval EFI_DEVICE_ERROR            An RNG value could not be retrieved due to a hardware or
-                                      firmware error.
-  @retval EFI_NOT_READY               There is not enough random data available to satisfy the length
-                                      requested by RNGValueLength.
-  @retval EFI_INVALID_PARAMETER       RNGValue is NULL or RNGValueLength is zero.
-
-**/
-typedef
-EFI_STATUS
-(EFIAPI *EFI_RNG_GET_RNG)(
-  IN EFI_RNG_PROTOCOL            *This,
-  IN EFI_RNG_ALGORITHM           *RNGAlgorithm  OPTIONAL,
-  IN UINTN                       RNGValueLength,
-  OUT UINT8                      *RNGValue
-  );
-
-///
-/// The Random Number Generator (RNG) protocol provides random bits for use in
-/// applications, or entropy for seeding other random number generators.
-///
-struct _EFI_RNG_PROTOCOL {
-  EFI_RNG_GET_INFO    GetInfo;
-  EFI_RNG_GET_RNG     GetRNG;
-};
+typedef EFI_RNG_INTERFACE EFI_RNG_PROTOCOL;
 
 extern EFI_GUID  gEfiRngProtocolGuid;
-extern EFI_GUID  gEfiRngAlgorithmSp80090Hash256Guid;
-extern EFI_GUID  gEfiRngAlgorithmSp80090Hmac256Guid;
-extern EFI_GUID  gEfiRngAlgorithmSp80090Ctr256Guid;
-extern EFI_GUID  gEfiRngAlgorithmX9313DesGuid;
-extern EFI_GUID  gEfiRngAlgorithmX931AesGuid;
-extern EFI_GUID  gEfiRngAlgorithmRaw;
-extern EFI_GUID  gEfiRngAlgorithmArmRndr;
 
 #endif
diff --git a/src/include/ipxe/efi/Protocol/SerialIo.h b/src/include/ipxe/efi/Protocol/SerialIo.h
index 1e44a21c4..31fd99215 100644
--- a/src/include/ipxe/efi/Protocol/SerialIo.h
+++ b/src/include/ipxe/efi/Protocol/SerialIo.h
@@ -13,6 +13,7 @@
 #define __SERIAL_IO_PROTOCOL_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #define EFI_SERIAL_IO_PROTOCOL_GUID \
   { \
diff --git a/src/include/ipxe/efi/Protocol/ServiceBinding.h b/src/include/ipxe/efi/Protocol/ServiceBinding.h
index 6baf73aa7..d23059ccf 100644
--- a/src/include/ipxe/efi/Protocol/ServiceBinding.h
+++ b/src/include/ipxe/efi/Protocol/ServiceBinding.h
@@ -14,6 +14,7 @@
 #define __EFI_SERVICE_BINDING_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 ///
 /// Forward reference for pure ANSI compatability
diff --git a/src/include/ipxe/efi/Protocol/ShimLock.h b/src/include/ipxe/efi/Protocol/ShimLock.h
index b31365173..8fd3c3bc8 100644
--- a/src/include/ipxe/efi/Protocol/ShimLock.h
+++ b/src/include/ipxe/efi/Protocol/ShimLock.h
@@ -8,6 +8,7 @@
  */
 
 FILE_LICENCE ( BSD3 );
+FILE_SECBOOT ( PERMITTED );
 
 #define EFI_SHIM_LOCK_PROTOCOL_GUID					\
 	{ 0x605dab50, 0xe046, 0x4300,					\
diff --git a/src/include/ipxe/efi/Protocol/SimpleFileSystem.h b/src/include/ipxe/efi/Protocol/SimpleFileSystem.h
index 62edb2a88..39944c31a 100644
--- a/src/include/ipxe/efi/Protocol/SimpleFileSystem.h
+++ b/src/include/ipxe/efi/Protocol/SimpleFileSystem.h
@@ -16,6 +16,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #define __SIMPLE_FILE_SYSTEM_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #define EFI_SIMPLE_FILE_SYSTEM_PROTOCOL_GUID \
   { \
diff --git a/src/include/ipxe/efi/Protocol/SimpleNetwork.h b/src/include/ipxe/efi/Protocol/SimpleNetwork.h
index 141ab8856..d7e4e1182 100644
--- a/src/include/ipxe/efi/Protocol/SimpleNetwork.h
+++ b/src/include/ipxe/efi/Protocol/SimpleNetwork.h
@@ -21,6 +21,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #define __SIMPLE_NETWORK_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #define EFI_SIMPLE_NETWORK_PROTOCOL_GUID \
   { \
diff --git a/src/include/ipxe/efi/Protocol/SimplePointer.h b/src/include/ipxe/efi/Protocol/SimplePointer.h
index 45ddf8d5c..1381b7ec1 100644
--- a/src/include/ipxe/efi/Protocol/SimplePointer.h
+++ b/src/include/ipxe/efi/Protocol/SimplePointer.h
@@ -12,6 +12,7 @@
 #define __SIMPLE_POINTER_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #define EFI_SIMPLE_POINTER_PROTOCOL_GUID \
   { \
@@ -56,12 +57,12 @@ typedef struct {
   UINT64     ResolutionX;
   ///
   /// The resolution of the pointer device on the y-axis in counts/mm.
-  /// If 0, then the pointer device does not support an x-axis.
+  /// If 0, then the pointer device does not support a y-axis.
   ///
   UINT64     ResolutionY;
   ///
   /// The resolution of the pointer device on the z-axis in counts/mm.
-  /// If 0, then the pointer device does not support an x-axis.
+  /// If 0, then the pointer device does not support a z-axis.
   ///
   UINT64     ResolutionZ;
   ///
diff --git a/src/include/ipxe/efi/Protocol/SimpleTextIn.h b/src/include/ipxe/efi/Protocol/SimpleTextIn.h
index 11daeb5bc..1198ff81a 100644
--- a/src/include/ipxe/efi/Protocol/SimpleTextIn.h
+++ b/src/include/ipxe/efi/Protocol/SimpleTextIn.h
@@ -13,6 +13,7 @@
 #define __SIMPLE_TEXT_IN_PROTOCOL_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #define EFI_SIMPLE_TEXT_INPUT_PROTOCOL_GUID \
   { \
@@ -102,6 +103,7 @@ EFI_STATUS
   @retval EFI_NOT_READY    There was no keystroke data available.
   @retval EFI_DEVICE_ERROR The keystroke information was not returned due to
                            hardware errors.
+  @retval EFI_UNSUPPORTED  The device does not support the ability to read keystroke data.
 
 **/
 typedef
diff --git a/src/include/ipxe/efi/Protocol/SimpleTextInEx.h b/src/include/ipxe/efi/Protocol/SimpleTextInEx.h
index 9a93da509..f797a45c9 100644
--- a/src/include/ipxe/efi/Protocol/SimpleTextInEx.h
+++ b/src/include/ipxe/efi/Protocol/SimpleTextInEx.h
@@ -14,6 +14,7 @@
 #define __SIMPLE_TEXT_IN_EX_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #include <ipxe/efi/Protocol/SimpleTextIn.h>
 
@@ -188,6 +189,7 @@ typedef struct {
   @retval EFI_NOT_READY    There was no keystroke data available.
   @retval EFI_DEVICE_ERROR The keystroke information was not returned due to
                            hardware errors.
+  @retval EFI_UNSUPPORTED  The device does not support the ability to read keystroke data.
 
 
 **/
diff --git a/src/include/ipxe/efi/Protocol/SimpleTextOut.h b/src/include/ipxe/efi/Protocol/SimpleTextOut.h
index 824018822..349e9debe 100644
--- a/src/include/ipxe/efi/Protocol/SimpleTextOut.h
+++ b/src/include/ipxe/efi/Protocol/SimpleTextOut.h
@@ -15,6 +15,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #define __SIMPLE_TEXT_OUT_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #define EFI_SIMPLE_TEXT_OUTPUT_PROTOCOL_GUID \
   { \
diff --git a/src/include/ipxe/efi/Protocol/StorageSecurityCommand.h b/src/include/ipxe/efi/Protocol/StorageSecurityCommand.h
new file mode 100644
index 000000000..f00eb925c
--- /dev/null
+++ b/src/include/ipxe/efi/Protocol/StorageSecurityCommand.h
@@ -0,0 +1,213 @@
+/** @file
+  EFI Storage Security Command Protocol as defined in UEFI 2.3.1 specification.
+  This protocol is used to abstract mass storage devices to allow code running in
+  the EFI boot services environment to send security protocol commands to mass
+  storage devices without specific knowledge of the type of device or controller
+  that manages the device.
+
+  Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef __STORAGE_SECURITY_COMMAND_H__
+#define __STORAGE_SECURITY_COMMAND_H__
+
+FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
+
+#define EFI_STORAGE_SECURITY_COMMAND_PROTOCOL_GUID \
+  { \
+    0xC88B0B6D, 0x0DFC, 0x49A7, {0x9C, 0xB4, 0x49, 0x07, 0x4B, 0x4C, 0x3A, 0x78 } \
+  }
+
+typedef struct _EFI_STORAGE_SECURITY_COMMAND_PROTOCOL EFI_STORAGE_SECURITY_COMMAND_PROTOCOL;
+
+/**
+  Send a security protocol command to a device that receives data and/or the result
+  of one or more commands sent by SendData.
+
+  The ReceiveData function sends a security protocol command to the given MediaId.
+  The security protocol command sent is defined by SecurityProtocolId and contains
+  the security protocol specific data SecurityProtocolSpecificData. The function
+  returns the data from the security protocol command in PayloadBuffer.
+
+  For devices supporting the SCSI command set, the security protocol command is sent
+  using the SECURITY PROTOCOL IN command defined in SPC-4.
+
+  For devices supporting the ATA command set, the security protocol command is sent
+  using one of the TRUSTED RECEIVE commands defined in ATA8-ACS if PayloadBufferSize
+  is non-zero.
+
+  If the PayloadBufferSize is zero, the security protocol command is sent using the
+  Trusted Non-Data command defined in ATA8-ACS.
+
+  If PayloadBufferSize is too small to store the available data from the security
+  protocol command, the function shall copy PayloadBufferSize bytes into the
+  PayloadBuffer and return EFI_WARN_BUFFER_TOO_SMALL.
+
+  If PayloadBuffer or PayloadTransferSize is NULL and PayloadBufferSize is non-zero,
+  the function shall return EFI_INVALID_PARAMETER.
+
+  If the given MediaId does not support security protocol commands, the function shall
+  return EFI_UNSUPPORTED. If there is no media in the device, the function returns
+  EFI_NO_MEDIA. If the MediaId is not the ID for the current media in the device,
+  the function returns EFI_MEDIA_CHANGED.
+
+  If the security protocol fails to complete within the Timeout period, the function
+  shall return EFI_TIMEOUT.
+
+  If the security protocol command completes without an error, the function shall
+  return EFI_SUCCESS. If the security protocol command completes with an error, the
+  function shall return EFI_DEVICE_ERROR.
+
+  @param  This                         Indicates a pointer to the calling context.
+  @param  MediaId                      ID of the medium to receive data from. If there is no
+                                       block IO protocol supported by the physical device, the
+                                       value of MediaId is undefined.
+  @param  Timeout                      The timeout, in 100ns units, to use for the execution
+                                       of the security protocol command. A Timeout value of 0
+                                       means that this function will wait indefinitely for the
+                                       security protocol command to execute. If Timeout is greater
+                                       than zero, then this function will return EFI_TIMEOUT if the
+                                       time required to execute the receive data command is greater than Timeout.
+  @param  SecurityProtocolId           The value of the "Security Protocol" parameter of
+                                       the security protocol command to be sent.
+  @param  SecurityProtocolSpecificData The value of the "Security Protocol Specific" parameter
+                                       of the security protocol command to be sent.
+  @param  PayloadBufferSize            Size in bytes of the payload data buffer.
+  @param  PayloadBuffer                A pointer to a destination buffer to store the security
+                                       protocol command specific payload data for the security
+                                       protocol command. The caller is responsible for having
+                                       either implicit or explicit ownership of the buffer.
+  @param  PayloadTransferSize          A pointer to a buffer to store the size in bytes of the
+                                       data written to the payload data buffer.
+
+  @retval EFI_SUCCESS                  The security protocol command completed successfully.
+  @retval EFI_WARN_BUFFER_TOO_SMALL    The PayloadBufferSize was too small to store the available
+                                       data from the device. The PayloadBuffer contains the truncated data.
+  @retval EFI_UNSUPPORTED              The given MediaId does not support security protocol commands.
+  @retval EFI_DEVICE_ERROR             The security protocol command completed with an error.
+  @retval EFI_NO_MEDIA                 There is no media in the device.
+  @retval EFI_MEDIA_CHANGED            The MediaId is not for the current media.
+  @retval EFI_INVALID_PARAMETER        The PayloadBuffer or PayloadTransferSize is NULL and
+                                       PayloadBufferSize is non-zero.
+  @retval EFI_TIMEOUT                  A timeout occurred while waiting for the security
+                                       protocol command to execute.
+
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_STORAGE_SECURITY_RECEIVE_DATA)(
+  IN EFI_STORAGE_SECURITY_COMMAND_PROTOCOL    *This,
+  IN UINT32                                   MediaId,
+  IN UINT64                                   Timeout,
+  IN UINT8                                    SecurityProtocolId,
+  IN UINT16                                   SecurityProtocolSpecificData,
+  IN UINTN                                    PayloadBufferSize,
+  OUT VOID                                    *PayloadBuffer,
+  OUT UINTN                                   *PayloadTransferSize
+  );
+
+/**
+  Send a security protocol command to a device.
+
+  The SendData function sends a security protocol command containing the payload
+  PayloadBuffer to the given MediaId. The security protocol command sent is
+  defined by SecurityProtocolId and contains the security protocol specific data
+  SecurityProtocolSpecificData. If the underlying protocol command requires a
+  specific padding for the command payload, the SendData function shall add padding
+  bytes to the command payload to satisfy the padding requirements.
+
+  For devices supporting the SCSI command set, the security protocol command is sent
+  using the SECURITY PROTOCOL OUT command defined in SPC-4.
+
+  For devices supporting the ATA command set, the security protocol command is sent
+  using one of the TRUSTED SEND commands defined in ATA8-ACS if PayloadBufferSize
+  is non-zero. If the PayloadBufferSize is zero, the security protocol command is
+  sent using the Trusted Non-Data command defined in ATA8-ACS.
+
+  If PayloadBuffer is NULL and PayloadBufferSize is non-zero, the function shall
+  return EFI_INVALID_PARAMETER.
+
+  If the given MediaId does not support security protocol commands, the function
+  shall return EFI_UNSUPPORTED. If there is no media in the device, the function
+  returns EFI_NO_MEDIA. If the MediaId is not the ID for the current media in the
+  device, the function returns EFI_MEDIA_CHANGED.
+
+  If the security protocol fails to complete within the Timeout period, the function
+  shall return EFI_TIMEOUT.
+
+  If the security protocol command completes without an error, the function shall return
+  EFI_SUCCESS. If the security protocol command completes with an error, the function
+  shall return EFI_DEVICE_ERROR.
+
+  @param  This                         Indicates a pointer to the calling context.
+  @param  MediaId                      ID of the medium to receive data from. If there is no
+                                       block IO protocol supported by the physical device, the
+                                       value of MediaId is undefined.
+  @param  Timeout                      The timeout, in 100ns units, to use for the execution
+                                       of the security protocol command. A Timeout value of 0
+                                       means that this function will wait indefinitely for the
+                                       security protocol command to execute. If Timeout is greater
+                                       than zero, then this function will return EFI_TIMEOUT if the
+                                       time required to execute the receive data command is greater than Timeout.
+  @param  SecurityProtocolId           The value of the "Security Protocol" parameter of
+                                       the security protocol command to be sent.
+  @param  SecurityProtocolSpecificData The value of the "Security Protocol Specific" parameter
+                                       of the security protocol command to be sent.
+  @param  PayloadBufferSize            Size in bytes of the payload data buffer.
+  @param  PayloadBuffer                A pointer to a destination buffer to store the security
+                                       protocol command specific payload data for the security
+                                       protocol command.
+
+  @retval EFI_SUCCESS                  The security protocol command completed successfully.
+  @retval EFI_UNSUPPORTED              The given MediaId does not support security protocol commands.
+  @retval EFI_DEVICE_ERROR             The security protocol command completed with an error.
+  @retval EFI_NO_MEDIA                 There is no media in the device.
+  @retval EFI_MEDIA_CHANGED            The MediaId is not for the current media.
+  @retval EFI_INVALID_PARAMETER        The PayloadBuffer is NULL and PayloadBufferSize is non-zero.
+  @retval EFI_TIMEOUT                  A timeout occurred while waiting for the security
+                                       protocol command to execute.
+
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_STORAGE_SECURITY_SEND_DATA)(
+  IN EFI_STORAGE_SECURITY_COMMAND_PROTOCOL    *This,
+  IN UINT32                                   MediaId,
+  IN UINT64                                   Timeout,
+  IN UINT8                                    SecurityProtocolId,
+  IN UINT16                                   SecurityProtocolSpecificData,
+  IN UINTN                                    PayloadBufferSize,
+  IN VOID                                     *PayloadBuffer
+  );
+
+///
+/// The EFI_STORAGE_SECURITY_COMMAND_PROTOCOL is used to send security protocol
+/// commands to a mass storage device. Two types of security protocol commands
+/// are supported. SendData sends a command with data to a device. ReceiveData
+/// sends a command that receives data and/or the result of one or more commands
+/// sent by SendData.
+///
+/// The security protocol command formats supported shall be based on the definition
+/// of the SECURITY PROTOCOL IN and SECURITY PROTOCOL OUT commands defined in SPC-4.
+/// If the device uses the SCSI command set, no translation is needed in the firmware
+/// and the firmware can package the parameters into a SECURITY PROTOCOL IN or SECURITY
+/// PROTOCOL OUT command and send the command to the device. If the device uses a
+/// non-SCSI command set, the firmware shall map the command and data payload to the
+/// corresponding command and payload format defined in the non-SCSI command set
+/// (for example, TRUSTED RECEIVE and TRUSTED SEND in ATA8-ACS).
+///
+/// The firmware shall automatically add an EFI_STORAGE_SECURITY_COMMAND_PROTOCOL
+/// for any storage devices detected during system boot that support SPC-4, ATA8-ACS
+/// or their successors.
+///
+struct _EFI_STORAGE_SECURITY_COMMAND_PROTOCOL {
+  EFI_STORAGE_SECURITY_RECEIVE_DATA    ReceiveData;
+  EFI_STORAGE_SECURITY_SEND_DATA       SendData;
+};
+
+extern EFI_GUID  gEfiStorageSecurityCommandProtocolGuid;
+
+#endif
diff --git a/src/include/ipxe/efi/Protocol/Supplicant.h b/src/include/ipxe/efi/Protocol/Supplicant.h
new file mode 100644
index 000000000..51a568335
--- /dev/null
+++ b/src/include/ipxe/efi/Protocol/Supplicant.h
@@ -0,0 +1,461 @@
+/** @file
+  This file defines the EFI Supplicant Protocol.
+
+  Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+  @par Revision Reference:
+  This Protocol is introduced in UEFI Specification 2.6
+
+**/
+
+#ifndef __EFI_SUPPLICANT_PROTOCOL_H__
+#define __EFI_SUPPLICANT_PROTOCOL_H__
+
+FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
+
+#include <ipxe/efi/Protocol/WiFi2.h>
+
+///
+/// The EFI Supplicant Service Binding Protocol is used to locate EFI
+/// Supplicant Protocol drivers to create and destroy child of the driver to
+/// communicate with other host using Supplicant protocol.
+///
+#define EFI_SUPPLICANT_SERVICE_BINDING_PROTOCOL_GUID \
+  { \
+    0x45bcd98e, 0x59ad, 0x4174, { 0x95, 0x46, 0x34, 0x4a, 0x7, 0x48, 0x58, 0x98 } \
+  }
+
+///
+/// The EFI Supplicant protocol provides services to process authentication and
+/// data encryption/decryption for security management.
+///
+#define EFI_SUPPLICANT_PROTOCOL_GUID \
+  { \
+    0x54fcc43e, 0xaa89, 0x4333, { 0x9a, 0x85, 0xcd, 0xea, 0x24, 0x5, 0x1e, 0x9e } \
+  }
+
+typedef struct _EFI_SUPPLICANT_PROTOCOL EFI_SUPPLICANT_PROTOCOL;
+
+///
+/// EFI_SUPPLICANT_CRYPT_MODE
+///
+typedef enum {
+  //
+  // Encrypt data provided in the fragment buffers.
+  //
+  EfiSupplicantEncrypt,
+  //
+  // Decrypt data provided in the fragment buffers.
+  //
+  EfiSupplicantDecrypt,
+} EFI_SUPPLICANT_CRYPT_MODE;
+
+///
+/// EFI_SUPPLICANT_DATA_TYPE
+///
+typedef enum {
+  //
+  // Session Configuration
+  //
+
+  //
+  // Current authentication type in use. The corresponding Data is of type
+  // EFI_80211_AKM_SUITE_SELECTOR.
+  //
+  EfiSupplicant80211AKMSuite,
+  //
+  // Group data encryption type in use. The corresponding Data is of type
+  // EFI_SUPPLICANT_CIPHER_SUITE_SELECTOR.
+  //
+  EfiSupplicant80211GroupDataCipherSuite,
+  //
+  // Pairwise encryption type in use. The corresponding Data is of type
+  // EFI_80211_CIPHER_SUITE_SELECTOR.
+  //
+  EfiSupplicant80211PairwiseCipherSuite,
+  //
+  // PSK password. The corresponding Data is a NULL-terminated ASCII string.
+  //
+  EfiSupplicant80211PskPassword,
+  //
+  // Target SSID name. The corresponding Data is of type EFI_80211_SSID.
+  //
+  EfiSupplicant80211TargetSSIDName,
+  //
+  // Station MAC address. The corresponding Data is of type
+  // EFI_80211_MAC_ADDRESS.
+  //
+  EfiSupplicant80211StationMac,
+  //
+  // Target SSID MAC address. The corresponding Data is 6 bytes MAC address.
+  //
+  EfiSupplicant80211TargetSSIDMac,
+
+  //
+  // Session Information
+  //
+
+  //
+  // 802.11 PTK. The corresponding Data is of type EFI_SUPPLICANT_KEY.
+  //
+  EfiSupplicant80211PTK,
+  //
+  // 802.11 GTK. The corresponding Data is of type EFI_SUPPLICANT_GTK_LIST.
+  //
+  EfiSupplicant80211GTK,
+  //
+  // Supplicant state. The corresponding Data is
+  // EFI_EAPOL_SUPPLICANT_PAE_STATE.
+  //
+  EfiSupplicantState,
+  //
+  // 802.11 link state. The corresponding Data is EFI_80211_LINK_STATE.
+  //
+  EfiSupplicant80211LinkState,
+  //
+  // Flag indicates key is refreshed. The corresponding Data is
+  // EFI_SUPPLICANT_KEY_REFRESH.
+  //
+  EfiSupplicantKeyRefresh,
+
+  //
+  // Session Configuration
+  //
+
+  //
+  // Supported authentication types. The corresponding Data is of type
+  // EFI_80211_AKM_SUITE_SELECTOR.
+  //
+  EfiSupplicant80211SupportedAKMSuites,
+  //
+  // Supported software encryption types provided by supplicant driver. The
+  // corresponding Data is of type EFI_80211_CIPHER_SUITE_SELECTOR.
+  //
+  EfiSupplicant80211SupportedSoftwareCipherSuites,
+  //
+  // Supported hardware encryption types provided by wireless UNDI driver. The
+  // corresponding Data is of type EFI_80211_CIPHER_SUITE_SELECTOR.
+  //
+  EfiSupplicant80211SupportedHardwareCipherSuites,
+
+  //
+  // Session Information
+  //
+
+  //
+  // 802.11 Integrity GTK. The corresponding Data is of type
+  // EFI_SUPPLICANT_GTK_LIST.
+  //
+  EfiSupplicant80211IGTK,
+  //
+  // 802.11 PMK. The corresponding Data is 32 bytes pairwise master key.
+  //
+  EfiSupplicant80211PMK,
+  EfiSupplicantDataTypeMaximum
+} EFI_SUPPLICANT_DATA_TYPE;
+
+///
+/// EFI_80211_LINK_STATE
+///
+typedef enum {
+  //
+  // Indicates initial start state, unauthenticated, unassociated.
+  //
+  Ieee80211UnauthenticatedUnassociated,
+  //
+  // Indicates authenticated, unassociated.
+  //
+  Ieee80211AuthenticatedUnassociated,
+  //
+  // Indicates authenticated and associated, but pending RSN authentication.
+  //
+  Ieee80211PendingRSNAuthentication,
+  //
+  // Indicates authenticated and associated.
+  //
+  Ieee80211AuthenticatedAssociated
+} EFI_80211_LINK_STATE;
+
+///
+/// EFI_SUPPLICANT_KEY_TYPE (IEEE Std 802.11 Section 6.3.19.1.2)
+///
+typedef enum {
+  Group,
+  Pairwise,
+  PeerKey,
+  IGTK
+} EFI_SUPPLICANT_KEY_TYPE;
+
+///
+/// EFI_SUPPLICANT_KEY_DIRECTION (IEEE Std 802.11 Section 6.3.19.1.2)
+///
+typedef enum {
+  //
+  // Indicates that the keys are being installed for the receive direction.
+  //
+  Receive,
+  //
+  // Indicates that the keys are being installed for the transmit direction.
+  //
+  Transmit,
+  //
+  // Indicates that the keys are being installed for both the receive and
+  // transmit directions.
+  //
+  Both
+} EFI_SUPPLICANT_KEY_DIRECTION;
+
+///
+/// EFI_SUPPLICANT_KEY_REFRESH
+///
+typedef struct {
+  //
+  // If TRUE, indicates GTK is just refreshed after a successful call to
+  // EFI_SUPPLICANT_PROTOCOL.BuildResponsePacket().
+  //
+  BOOLEAN    GTKRefresh;
+} EFI_SUPPLICANT_KEY_REFRESH;
+
+#define EFI_MAX_KEY_LEN  64
+
+///
+/// EFI_SUPPLICANT_KEY
+///
+typedef struct {
+  //
+  // The key value.
+  //
+  UINT8                           Key[EFI_MAX_KEY_LEN];
+  //
+  // Length in bytes of the Key. Should be up to EFI_MAX_KEY_LEN.
+  //
+  UINT8                           KeyLen;
+  //
+  // The key identifier.
+  //
+  UINT8                           KeyId;
+  //
+  // Defines whether this key is a group key, pairwise key, PeerKey, or
+  // Integrity Group.
+  //
+  EFI_SUPPLICANT_KEY_TYPE         KeyType;
+  //
+  // The value is set according to the KeyType.
+  //
+  EFI_80211_MAC_ADDRESS           Addr;
+  //
+  // The Receive Sequence Count value.
+  //
+  UINT8                           Rsc[8];
+  //
+  // Length in bytes of the Rsc. Should be up to 8.
+  //
+  UINT8                           RscLen;
+  //
+  // Indicates whether the key is configured by the Authenticator or
+  // Supplicant. The value true indicates Authenticator.
+  //
+  BOOLEAN                         IsAuthenticator;
+  //
+  // The cipher suite required for this association.
+  //
+  EFI_80211_SUITE_SELECTOR        CipherSuite;
+  //
+  // Indicates the direction for which the keys are to be installed.
+  //
+  EFI_SUPPLICANT_KEY_DIRECTION    Direction;
+} EFI_SUPPLICANT_KEY;
+
+///
+/// EFI_SUPPLICANT_GTK_LIST
+///
+typedef struct {
+  //
+  // Indicates the number of GTKs that are contained in GTKList.
+  //
+  UINT8                 GTKCount;
+  //
+  // A variable-length array of GTKs of type EFI_SUPPLICANT_KEY. The number of
+  // entries is specified by GTKCount.
+  //
+  EFI_SUPPLICANT_KEY    GTKList[1];
+} EFI_SUPPLICANT_GTK_LIST;
+
+///
+/// EFI_SUPPLICANT_FRAGMENT_DATA
+///
+typedef struct {
+  //
+  // Length of data buffer in the fragment.
+  //
+  UINT32    FragmentLength;
+  //
+  // Pointer to the data buffer in the fragment.
+  //
+  VOID      *FragmentBuffer;
+} EFI_SUPPLICANT_FRAGMENT_DATA;
+
+/**
+  BuildResponsePacket() is called during STA and AP authentication is in
+  progress. Supplicant derives the PTK or session keys depend on type of
+  authentication is being employed.
+
+  @param[in]       This           Pointer to the EFI_SUPPLICANT_PROTOCOL
+                                  instance.
+  @param[in]       RequestBuffer  Pointer to the most recently received EAPOL
+                                  packet. NULL means the supplicant need
+                                  initiate the EAP authentication session and
+                                  send EAPOL-Start message.
+  @param[in]       RequestBufferSize
+                                  Packet size in bytes for the most recently
+                                  received EAPOL packet. 0 is only valid when
+                                  RequestBuffer is NULL.
+  @param[out]      Buffer         Pointer to the buffer to hold the built
+                                  packet.
+  @param[in, out]  BufferSize     Pointer to the buffer size in bytes. On
+                                  input, it is the buffer size provided by the
+                                  caller. On output, it is the buffer size in
+                                  fact needed to contain the packet.
+
+  @retval EFI_SUCCESS             The required EAPOL packet is built
+                                  successfully.
+  @retval EFI_INVALID_PARAMETER   One or more of the following conditions is
+                                  TRUE:
+                                  RequestBuffer is NULL, but RequestSize is
+                                  NOT 0.
+                                  RequestBufferSize is 0.
+                                  Buffer is NULL, but RequestBuffer is NOT 0.
+                                  BufferSize is NULL.
+  @retval EFI_BUFFER_TOO_SMALL    BufferSize is too small to hold the response
+                                  packet.
+  @retval EFI_NOT_READY           Current EAPOL session state is NOT ready to
+                                  build ResponsePacket.
+
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_SUPPLICANT_BUILD_RESPONSE_PACKET)(
+  IN     EFI_SUPPLICANT_PROTOCOL          *This,
+  IN     UINT8                            *RequestBuffer      OPTIONAL,
+  IN     UINTN                            RequestBufferSize   OPTIONAL,
+  OUT UINT8                            *Buffer,
+  IN OUT UINTN                            *BufferSize
+  );
+
+/**
+  ProcessPacket() is called to Supplicant driver to encrypt or decrypt the data
+  depending type of authentication type.
+
+  @param[in]       This           Pointer to the EFI_SUPPLICANT_PROTOCOL
+                                  instance.
+  @param[in, out]  FragmentTable  Pointer to a list of fragment. The caller
+                                  will take responsible to handle the original
+                                  FragmentTable while it may be reallocated in
+                                  Supplicant driver.
+  @param[in]       FragmentCount  Number of fragment.
+  @param[in]       CryptMode      Crypt mode.
+
+  @retval EFI_SUCCESS             The operation completed successfully.
+  @retval EFI_INVALID_PARAMETER   One or more of the following conditions is
+                                  TRUE:
+                                  FragmentTable is NULL.
+                                  FragmentCount is NULL.
+                                  CryptMode is invalid.
+  @retval EFI_NOT_READY           Current supplicant state is NOT Authenticated.
+  @retval EFI_ABORTED             Something wrong decryption the message.
+  @retval EFI_UNSUPPORTED         This API is not supported.
+
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_SUPPLICANT_PROCESS_PACKET)(
+  IN     EFI_SUPPLICANT_PROTOCOL          *This,
+  IN OUT EFI_SUPPLICANT_FRAGMENT_DATA     **FragmentTable,
+  IN     UINT32                           *FragmentCount,
+  IN     EFI_SUPPLICANT_CRYPT_MODE        CryptMode
+  );
+
+/**
+  Set Supplicant configuration data.
+
+  @param[in]  This                Pointer to the EFI_SUPPLICANT_PROTOCOL
+                                  instance.
+  @param[in]  DataType            The type of data.
+  @param[in]  Data                Pointer to the buffer to hold the data.
+  @param[in]  DataSize            Pointer to the buffer size in bytes.
+
+  @retval EFI_SUCCESS             The Supplicant configuration data is set
+                                  successfully.
+  @retval EFI_INVALID_PARAMETER   One or more of the following conditions is
+                                  TRUE:
+                                  Data is NULL.
+                                  DataSize is 0.
+  @retval EFI_UNSUPPORTED         The DataType is unsupported.
+  @retval EFI_OUT_OF_RESOURCES    Required system resources could not be allocated.
+
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_SUPPLICANT_SET_DATA)(
+  IN EFI_SUPPLICANT_PROTOCOL              *This,
+  IN EFI_SUPPLICANT_DATA_TYPE             DataType,
+  IN VOID                                 *Data,
+  IN UINTN                                DataSize
+  );
+
+/**
+  Get Supplicant configuration data.
+
+  @param[in]       This           Pointer to the EFI_SUPPLICANT_PROTOCOL
+                                  instance.
+  @param[in]       DataType       The type of data.
+  @param[out]      Data           Pointer to the buffer to hold the data.
+                                  Ignored if DataSize is 0.
+  @param[in, out]  DataSize       Pointer to the buffer size in bytes. On
+                                  input, it is the buffer size provided by the
+                                  caller. On output, it is the buffer size in
+                                  fact needed to contain the packet.
+
+  @retval EFI_SUCCESS             The Supplicant configuration data is got
+                                  successfully.
+  @retval EFI_INVALID_PARAMETER   One or more of the following conditions is
+                                  TRUE:
+                                  This is NULL.
+                                  DataSize is NULL.
+                                  Data is NULL if *DataSize is not zero.
+  @retval EFI_UNSUPPORTED         The DataType is unsupported.
+  @retval EFI_NOT_FOUND           The Supplicant configuration data is not
+                                  found.
+  @retval EFI_BUFFER_TOO_SMALL    The size of Data is too small for the
+                                  specified configuration data and the required
+                                  size is returned in DataSize.
+
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_SUPPLICANT_GET_DATA)(
+  IN     EFI_SUPPLICANT_PROTOCOL          *This,
+  IN     EFI_SUPPLICANT_DATA_TYPE         DataType,
+  OUT UINT8                            *Data      OPTIONAL,
+  IN OUT UINTN                            *DataSize
+  );
+
+///
+/// The EFI_SUPPLICANT_PROTOCOL is designed to provide unified place for WIFI
+/// and EAP security management. Both PSK authentication and 802.1X EAP
+/// authentication can be managed via this protocol and driver or application
+/// as a consumer can only focus on about packet transmitting or receiving.
+///
+struct _EFI_SUPPLICANT_PROTOCOL {
+  EFI_SUPPLICANT_BUILD_RESPONSE_PACKET    BuildResponsePacket;
+  EFI_SUPPLICANT_PROCESS_PACKET           ProcessPacket;
+  EFI_SUPPLICANT_SET_DATA                 SetData;
+  EFI_SUPPLICANT_GET_DATA                 GetData;
+};
+
+extern EFI_GUID  gEfiSupplicantServiceBindingProtocolGuid;
+extern EFI_GUID  gEfiSupplicantProtocolGuid;
+
+#endif
diff --git a/src/include/ipxe/efi/Protocol/Tcg2Protocol.h b/src/include/ipxe/efi/Protocol/Tcg2Protocol.h
new file mode 100644
index 000000000..4333211b6
--- /dev/null
+++ b/src/include/ipxe/efi/Protocol/Tcg2Protocol.h
@@ -0,0 +1,338 @@
+/** @file
+  TPM2 Protocol as defined in TCG PC Client Platform EFI Protocol Specification Family "2.0".
+  See http://trustedcomputinggroup.org for the latest specification
+
+Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef __TCG2_PROTOCOL_H__
+#define __TCG2_PROTOCOL_H__
+
+FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
+
+#include <ipxe/efi/IndustryStandard/UefiTcgPlatform.h>
+#include <ipxe/efi/IndustryStandard/Tpm20.h>
+
+#define EFI_TCG2_PROTOCOL_GUID \
+  {0x607f766c, 0x7455, 0x42be, { 0x93, 0x0b, 0xe4, 0xd7, 0x6d, 0xb2, 0x72, 0x0f }}
+
+typedef struct tdEFI_TCG2_PROTOCOL EFI_TCG2_PROTOCOL;
+
+typedef struct tdEFI_TCG2_VERSION {
+  UINT8    Major;
+  UINT8    Minor;
+} EFI_TCG2_VERSION;
+
+typedef UINT32 EFI_TCG2_EVENT_LOG_BITMAP;
+typedef UINT32 EFI_TCG2_EVENT_LOG_FORMAT;
+typedef UINT32 EFI_TCG2_EVENT_ALGORITHM_BITMAP;
+
+#define EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2  0x00000001
+#define EFI_TCG2_EVENT_LOG_FORMAT_TCG_2    0x00000002
+
+typedef struct tdEFI_TCG2_BOOT_SERVICE_CAPABILITY {
+  //
+  // Allocated size of the structure
+  //
+  UINT8                              Size;
+  //
+  // Version of the EFI_TCG2_BOOT_SERVICE_CAPABILITY structure itself.
+  // For this version of the protocol, the Major version shall be set to 1
+  // and the Minor version shall be set to 1.
+  //
+  EFI_TCG2_VERSION                   StructureVersion;
+  //
+  // Version of the EFI TCG2 protocol.
+  // For this version of the protocol, the Major version shall be set to 1
+  // and the Minor version shall be set to 1.
+  //
+  EFI_TCG2_VERSION                   ProtocolVersion;
+  //
+  // Supported hash algorithms (this bitmap is determined by the supported PCR
+  // banks in the TPM and the hashing algorithms supported by the firmware)
+  //
+  EFI_TCG2_EVENT_ALGORITHM_BITMAP    HashAlgorithmBitmap;
+  //
+  // Bitmap of supported event log formats
+  //
+  EFI_TCG2_EVENT_LOG_BITMAP          SupportedEventLogs;
+  //
+  // False = TPM not present
+  //
+  BOOLEAN                            TPMPresentFlag;
+  //
+  // Max size (in bytes) of a command that can be sent to the TPM
+  //
+  UINT16                             MaxCommandSize;
+  //
+  // Max size (in bytes) of a response that can be provided by the TPM
+  //
+  UINT16                             MaxResponseSize;
+  //
+  // 4-byte Vendor ID
+  // (see TCG Vendor ID registry, Section "TPM Capabilities Vendor ID")
+  //
+  UINT32                             ManufacturerID;
+  //
+  // Maximum number of PCR banks (hashing algorithms) supported.
+  // No granularity is provided to support a specific set of algorithms.
+  // Minimum value is 1.
+  //
+  UINT32                             NumberOfPCRBanks;
+  //
+  // A bitmap of currently active PCR banks (hashing algorithms).
+  // This is a subset of the supported hashing algorithms reported in HashAlgorithmBitMap.
+  // NumberOfPcrBanks defines the number of bits that are set.
+  //
+  EFI_TCG2_EVENT_ALGORITHM_BITMAP    ActivePcrBanks;
+} EFI_TCG2_BOOT_SERVICE_CAPABILITY;
+
+#define EFI_TCG2_BOOT_HASH_ALG_SHA1     0x00000001
+#define EFI_TCG2_BOOT_HASH_ALG_SHA256   0x00000002
+#define EFI_TCG2_BOOT_HASH_ALG_SHA384   0x00000004
+#define EFI_TCG2_BOOT_HASH_ALG_SHA512   0x00000008
+#define EFI_TCG2_BOOT_HASH_ALG_SM3_256  0x00000010
+
+//
+// This bit is shall be set when an event shall be extended but not logged.
+//
+#define EFI_TCG2_EXTEND_ONLY  0x0000000000000001
+//
+// This bit shall be set when the intent is to measure a PE/COFF image.
+//
+#define PE_COFF_IMAGE  0x0000000000000010
+
+#define MAX_PCR_INDEX  23
+
+#pragma pack(1)
+
+#define EFI_TCG2_EVENT_HEADER_VERSION  1
+
+typedef struct {
+  //
+  // Size of the event header itself (sizeof(EFI_TCG2_EVENT_HEADER)).
+  //
+  UINT32           HeaderSize;
+  //
+  // Header version. For this version of this specification, the value shall be 1.
+  //
+  UINT16           HeaderVersion;
+  //
+  // Index of the PCR that shall be extended (0 - 23).
+  //
+  TCG_PCRINDEX     PCRIndex;
+  //
+  // Type of the event that shall be extended (and optionally logged).
+  //
+  TCG_EVENTTYPE    EventType;
+} EFI_TCG2_EVENT_HEADER;
+
+typedef struct tdEFI_TCG2_EVENT {
+  //
+  // Total size of the event including the Size component, the header and the Event data.
+  //
+  UINT32                   Size;
+  EFI_TCG2_EVENT_HEADER    Header;
+  UINT8                    Event[1];
+} EFI_TCG2_EVENT;
+
+#pragma pack()
+
+/**
+  The EFI_TCG2_PROTOCOL GetCapability function call provides protocol
+  capability information and state information.
+
+  @param[in]      This               Indicates the calling context
+  @param[in, out] ProtocolCapability The caller allocates memory for a EFI_TCG2_BOOT_SERVICE_CAPABILITY
+                                     structure and sets the size field to the size of the structure allocated.
+                                     The callee fills in the fields with the EFI protocol capability information
+                                     and the current EFI TCG2 state information up to the number of fields which
+                                     fit within the size of the structure passed in.
+
+  @retval EFI_SUCCESS            Operation completed successfully.
+  @retval EFI_DEVICE_ERROR       The command was unsuccessful.
+                                 The ProtocolCapability variable will not be populated.
+  @retval EFI_INVALID_PARAMETER  One or more of the parameters are incorrect.
+                                 The ProtocolCapability variable will not be populated.
+  @retval EFI_BUFFER_TOO_SMALL   The ProtocolCapability variable is too small to hold the full response.
+                                 It will be partially populated (required Size field will be set).
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_TCG2_GET_CAPABILITY)(
+  IN EFI_TCG2_PROTOCOL                    *This,
+  IN OUT EFI_TCG2_BOOT_SERVICE_CAPABILITY *ProtocolCapability
+  );
+
+/**
+  The EFI_TCG2_PROTOCOL Get Event Log function call allows a caller to
+  retrieve the address of a given event log and its last entry.
+
+  @param[in]  This               Indicates the calling context
+  @param[in]  EventLogFormat     The type of the event log for which the information is requested.
+  @param[out] EventLogLocation   A pointer to the memory address of the event log.
+  @param[out] EventLogLastEntry  If the Event Log contains more than one entry, this is a pointer to the
+                                 address of the start of the last entry in the event log in memory.
+  @param[out] EventLogTruncated  If the Event Log is missing at least one entry because an event would
+                                 have exceeded the area allocated for events, this value is set to TRUE.
+                                 Otherwise, the value will be FALSE and the Event Log will be complete.
+
+  @retval EFI_SUCCESS            Operation completed successfully.
+  @retval EFI_INVALID_PARAMETER  One or more of the parameters are incorrect
+                                 (e.g. asking for an event log whose format is not supported).
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_TCG2_GET_EVENT_LOG)(
+  IN EFI_TCG2_PROTOCOL         *This,
+  IN EFI_TCG2_EVENT_LOG_FORMAT EventLogFormat,
+  OUT EFI_PHYSICAL_ADDRESS     *EventLogLocation,
+  OUT EFI_PHYSICAL_ADDRESS     *EventLogLastEntry,
+  OUT BOOLEAN                  *EventLogTruncated
+  );
+
+/**
+  The EFI_TCG2_PROTOCOL HashLogExtendEvent function call provides callers with
+  an opportunity to extend and optionally log events without requiring
+  knowledge of actual TPM commands.
+  The extend operation will occur even if this function cannot create an event
+  log entry (e.g. due to the event log being full).
+
+  @param[in]  This               Indicates the calling context
+  @param[in]  Flags              Bitmap providing additional information.
+  @param[in]  DataToHash         Physical address of the start of the data buffer to be hashed.
+  @param[in]  DataToHashLen      The length in bytes of the buffer referenced by DataToHash.
+  @param[in]  EfiTcgEvent        Pointer to data buffer containing information about the event.
+
+  @retval EFI_SUCCESS            Operation completed successfully.
+  @retval EFI_DEVICE_ERROR       The command was unsuccessful.
+  @retval EFI_VOLUME_FULL        The extend operation occurred, but the event could not be written to one or more event logs.
+  @retval EFI_INVALID_PARAMETER  One or more of the parameters are incorrect.
+  @retval EFI_UNSUPPORTED        The PE/COFF image type is not supported.
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_TCG2_HASH_LOG_EXTEND_EVENT)(
+  IN EFI_TCG2_PROTOCOL    *This,
+  IN UINT64               Flags,
+  IN EFI_PHYSICAL_ADDRESS DataToHash,
+  IN UINT64               DataToHashLen,
+  IN EFI_TCG2_EVENT       *EfiTcgEvent
+  );
+
+/**
+  This service enables the sending of commands to the TPM.
+
+  @param[in]  This                     Indicates the calling context
+  @param[in]  InputParameterBlockSize  Size of the TPM input parameter block.
+  @param[in]  InputParameterBlock      Pointer to the TPM input parameter block.
+  @param[in]  OutputParameterBlockSize Size of the TPM output parameter block.
+  @param[in]  OutputParameterBlock     Pointer to the TPM output parameter block.
+
+  @retval EFI_SUCCESS            The command byte stream was successfully sent to the device and a response was successfully received.
+  @retval EFI_DEVICE_ERROR       The command was not successfully sent to the device or a response was not successfully received from the device.
+  @retval EFI_INVALID_PARAMETER  One or more of the parameters are incorrect.
+  @retval EFI_BUFFER_TOO_SMALL   The output parameter block is too small.
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_TCG2_SUBMIT_COMMAND)(
+  IN EFI_TCG2_PROTOCOL *This,
+  IN UINT32            InputParameterBlockSize,
+  IN UINT8             *InputParameterBlock,
+  IN UINT32            OutputParameterBlockSize,
+  IN UINT8             *OutputParameterBlock
+  );
+
+/**
+  This service returns the currently active PCR banks.
+
+  @param[in]  This            Indicates the calling context
+  @param[out] ActivePcrBanks  Pointer to the variable receiving the bitmap of currently active PCR banks.
+
+  @retval EFI_SUCCESS           The bitmap of active PCR banks was stored in the ActivePcrBanks parameter.
+  @retval EFI_INVALID_PARAMETER One or more of the parameters are incorrect.
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_TCG2_GET_ACTIVE_PCR_BANKS)(
+  IN  EFI_TCG2_PROTOCOL *This,
+  OUT UINT32            *ActivePcrBanks
+  );
+
+/**
+  This service sets the currently active PCR banks.
+
+  @param[in]  This            Indicates the calling context
+  @param[in]  ActivePcrBanks  Bitmap of the requested active PCR banks. At least one bit SHALL be set.
+
+  @retval EFI_SUCCESS           The bitmap in ActivePcrBank parameter is already active.
+  @retval EFI_INVALID_PARAMETER One or more of the parameters are incorrect.
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_TCG2_SET_ACTIVE_PCR_BANKS)(
+  IN EFI_TCG2_PROTOCOL *This,
+  IN UINT32            ActivePcrBanks
+  );
+
+/**
+  This service retrieves the result of a previous invocation of SetActivePcrBanks.
+
+  @param[in]  This              Indicates the calling context
+  @param[out] OperationPresent  Non-zero value to indicate a SetActivePcrBank operation was invoked during the last boot.
+  @param[out] Response          The response from the SetActivePcrBank request.
+
+  @retval EFI_SUCCESS           The result value could be returned.
+  @retval EFI_INVALID_PARAMETER One or more of the parameters are incorrect.
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_TCG2_GET_RESULT_OF_SET_ACTIVE_PCR_BANKS)(
+  IN  EFI_TCG2_PROTOCOL  *This,
+  OUT UINT32             *OperationPresent,
+  OUT UINT32             *Response
+  );
+
+struct tdEFI_TCG2_PROTOCOL {
+  EFI_TCG2_GET_CAPABILITY                        GetCapability;
+  EFI_TCG2_GET_EVENT_LOG                         GetEventLog;
+  EFI_TCG2_HASH_LOG_EXTEND_EVENT                 HashLogExtendEvent;
+  EFI_TCG2_SUBMIT_COMMAND                        SubmitCommand;
+  EFI_TCG2_GET_ACTIVE_PCR_BANKS                  GetActivePcrBanks;
+  EFI_TCG2_SET_ACTIVE_PCR_BANKS                  SetActivePcrBanks;
+  EFI_TCG2_GET_RESULT_OF_SET_ACTIVE_PCR_BANKS    GetResultOfSetActivePcrBanks;
+};
+
+extern EFI_GUID  gEfiTcg2ProtocolGuid;
+
+//
+// Log entries after Get Event Log service
+//
+
+#define EFI_TCG2_FINAL_EVENTS_TABLE_GUID \
+  {0x1e2ed096, 0x30e2, 0x4254, { 0xbd, 0x89, 0x86, 0x3b, 0xbe, 0xf8, 0x23, 0x25 }}
+
+extern EFI_GUID  gEfiTcg2FinalEventsTableGuid;
+
+typedef struct tdEFI_TCG2_FINAL_EVENTS_TABLE {
+  //
+  // The version of this structure.
+  //
+  UINT64    Version;
+  //
+  // Number of events recorded after invocation of GetEventLog API
+  //
+  UINT64    NumberOfEvents;
+  //
+  // List of events of type TCG_PCR_EVENT2.
+  //
+  // TCG_PCR_EVENT2          Event[1];
+} EFI_TCG2_FINAL_EVENTS_TABLE;
+
+#define EFI_TCG2_FINAL_EVENTS_TABLE_VERSION  1
+
+#endif
diff --git a/src/include/ipxe/efi/Protocol/TcgService.h b/src/include/ipxe/efi/Protocol/TcgService.h
index d225ae884..88b9f0ea9 100644
--- a/src/include/ipxe/efi/Protocol/TcgService.h
+++ b/src/include/ipxe/efi/Protocol/TcgService.h
@@ -11,6 +11,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #define _TCG_SERVICE_PROTOCOL_H_
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #include <ipxe/efi/IndustryStandard/UefiTcgPlatform.h>
 
diff --git a/src/include/ipxe/efi/Protocol/Tcp4.h b/src/include/ipxe/efi/Protocol/Tcp4.h
index 249f1fe0c..eeecd366d 100644
--- a/src/include/ipxe/efi/Protocol/Tcp4.h
+++ b/src/include/ipxe/efi/Protocol/Tcp4.h
@@ -16,6 +16,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #define __EFI_TCP4_PROTOCOL_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #include <ipxe/efi/Protocol/Ip4.h>
 
diff --git a/src/include/ipxe/efi/Protocol/Tcp6.h b/src/include/ipxe/efi/Protocol/Tcp6.h
index ddceaaf9f..df0ed6500 100644
--- a/src/include/ipxe/efi/Protocol/Tcp6.h
+++ b/src/include/ipxe/efi/Protocol/Tcp6.h
@@ -16,6 +16,7 @@
 #define __EFI_TCP6_PROTOCOL_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #include <ipxe/efi/Protocol/ManagedNetwork.h>
 #include <ipxe/efi/Protocol/Ip6.h>
diff --git a/src/include/ipxe/efi/Protocol/Udp4.h b/src/include/ipxe/efi/Protocol/Udp4.h
index dc0586d81..7e8cc68c9 100644
--- a/src/include/ipxe/efi/Protocol/Udp4.h
+++ b/src/include/ipxe/efi/Protocol/Udp4.h
@@ -16,6 +16,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #define __EFI_UDP4_PROTOCOL_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #include <ipxe/efi/Protocol/Ip4.h>
 //
diff --git a/src/include/ipxe/efi/Protocol/Udp6.h b/src/include/ipxe/efi/Protocol/Udp6.h
index 5a62a3e02..4f176b8db 100644
--- a/src/include/ipxe/efi/Protocol/Udp6.h
+++ b/src/include/ipxe/efi/Protocol/Udp6.h
@@ -15,6 +15,7 @@
 #define __EFI_UDP6_PROTOCOL_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #include <ipxe/efi/Protocol/Ip6.h>
 
diff --git a/src/include/ipxe/efi/Protocol/UgaDraw.h b/src/include/ipxe/efi/Protocol/UgaDraw.h
index c268bd2d2..9e07948c4 100644
--- a/src/include/ipxe/efi/Protocol/UgaDraw.h
+++ b/src/include/ipxe/efi/Protocol/UgaDraw.h
@@ -1,3 +1,6 @@
+#ifndef _IPXE_EFI_UGADRAW_H
+#define _IPXE_EFI_UGADRAW_H
+
 /** @file
   UGA Draw protocol from the EFI 1.10 specification.
 
@@ -12,6 +15,7 @@
 #define __UGA_DRAW_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #define EFI_UGA_DRAW_PROTOCOL_GUID \
   { \
@@ -159,3 +163,5 @@ struct _EFI_UGA_DRAW_PROTOCOL {
 extern EFI_GUID  gEfiUgaDrawProtocolGuid;
 
 #endif
+
+#endif /* _IPXE_EFI_UGADRAW_H */
diff --git a/src/include/ipxe/efi/Protocol/UnicodeCollation.h b/src/include/ipxe/efi/Protocol/UnicodeCollation.h
index f708624ee..96933d006 100644
--- a/src/include/ipxe/efi/Protocol/UnicodeCollation.h
+++ b/src/include/ipxe/efi/Protocol/UnicodeCollation.h
@@ -12,11 +12,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #define __UNICODE_COLLATION_H__
 
 FILE_LICENCE ( BSD2_PATENT );
-
-#define EFI_UNICODE_COLLATION_PROTOCOL_GUID \
-  { \
-    0x1d85cd7f, 0xf43d, 0x11d2, {0x9a, 0xc, 0x0, 0x90, 0x27, 0x3f, 0xc1, 0x4d } \
-  }
+FILE_SECBOOT ( PERMITTED );
 
 #define EFI_UNICODE_COLLATION_PROTOCOL2_GUID \
   { \
@@ -26,16 +22,6 @@ FILE_LICENCE ( BSD2_PATENT );
 typedef struct _EFI_UNICODE_COLLATION_PROTOCOL EFI_UNICODE_COLLATION_PROTOCOL;
 
 ///
-/// Protocol GUID name defined in EFI1.1.
-///
-#define UNICODE_COLLATION_PROTOCOL  EFI_UNICODE_COLLATION_PROTOCOL_GUID
-
-///
-/// Protocol defined in EFI1.1.
-///
-typedef EFI_UNICODE_COLLATION_PROTOCOL UNICODE_COLLATION_INTERFACE;
-
-///
 /// Protocol data structures and defines
 ///
 #define EFI_UNICODE_BYTE_ORDER_MARK  (CHAR16) (0xfeff)
@@ -182,7 +168,6 @@ struct _EFI_UNICODE_COLLATION_PROTOCOL {
   CHAR8                               *SupportedLanguages;
 };
 
-extern EFI_GUID  gEfiUnicodeCollationProtocolGuid;
 extern EFI_GUID  gEfiUnicodeCollation2ProtocolGuid;
 
 #endif
diff --git a/src/include/ipxe/efi/Protocol/Usb2HostController.h b/src/include/ipxe/efi/Protocol/Usb2HostController.h
index 657918d44..4ef2a0cc6 100644
--- a/src/include/ipxe/efi/Protocol/Usb2HostController.h
+++ b/src/include/ipxe/efi/Protocol/Usb2HostController.h
@@ -13,6 +13,7 @@
 #define _USB2_HOSTCONTROLLER_H_
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #include <ipxe/efi/Protocol/UsbIo.h>
 
diff --git a/src/include/ipxe/efi/Protocol/UsbHostController.h b/src/include/ipxe/efi/Protocol/UsbHostController.h
index 5336f00b3..f694b80d5 100644
--- a/src/include/ipxe/efi/Protocol/UsbHostController.h
+++ b/src/include/ipxe/efi/Protocol/UsbHostController.h
@@ -1,3 +1,6 @@
+#ifndef _IPXE_EFI_USBHOSTCONTROLLER_H
+#define _IPXE_EFI_USBHOSTCONTROLLER_H
+
 /** @file
   EFI_USB_HC_PROTOCOL as defined in EFI 1.10.
 
@@ -14,6 +17,7 @@
 #define _USB_HOSTCONTROLLER_H_
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #include <ipxe/efi/Protocol/Usb2HostController.h>
 
@@ -501,3 +505,5 @@ struct _EFI_USB_HC_PROTOCOL {
 extern EFI_GUID  gEfiUsbHcProtocolGuid;
 
 #endif
+
+#endif /* _IPXE_EFI_USBHOSTCONTROLLER_H */
diff --git a/src/include/ipxe/efi/Protocol/UsbIo.h b/src/include/ipxe/efi/Protocol/UsbIo.h
index d5f02bb17..7686f241e 100644
--- a/src/include/ipxe/efi/Protocol/UsbIo.h
+++ b/src/include/ipxe/efi/Protocol/UsbIo.h
@@ -14,6 +14,7 @@
 #define __USB_IO_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #include <ipxe/efi/IndustryStandard/Usb.h>
 
diff --git a/src/include/ipxe/efi/Protocol/VlanConfig.h b/src/include/ipxe/efi/Protocol/VlanConfig.h
index 79b6bc463..aa163ab95 100644
--- a/src/include/ipxe/efi/Protocol/VlanConfig.h
+++ b/src/include/ipxe/efi/Protocol/VlanConfig.h
@@ -13,6 +13,7 @@
 #define __EFI_VLANCONFIG_PROTOCOL_H__
 
 FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
 
 #define EFI_VLAN_CONFIG_PROTOCOL_GUID \
   { \
diff --git a/src/include/ipxe/efi/Protocol/WiFi2.h b/src/include/ipxe/efi/Protocol/WiFi2.h
new file mode 100644
index 000000000..016e6f588
--- /dev/null
+++ b/src/include/ipxe/efi/Protocol/WiFi2.h
@@ -0,0 +1,410 @@
+/** @file
+  This file defines the EFI Wireless MAC Connection II Protocol.
+
+  Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+  @par Revision Reference:
+  This Protocol is introduced in UEFI Specification 2.6
+
+**/
+
+#ifndef __EFI_WIFI2_PROTOCOL_H__
+#define __EFI_WIFI2_PROTOCOL_H__
+
+FILE_LICENCE ( BSD2_PATENT );
+FILE_SECBOOT ( PERMITTED );
+
+#define EFI_WIRELESS_MAC_CONNECTION_II_PROTOCOL_GUID \
+  { \
+    0x1b0fb9bf, 0x699d, 0x4fdd, { 0xa7, 0xc3, 0x25, 0x46, 0x68, 0x1b, 0xf6, 0x3b } \
+  }
+
+typedef struct _EFI_WIRELESS_MAC_CONNECTION_II_PROTOCOL EFI_WIRELESS_MAC_CONNECTION_II_PROTOCOL;
+
+///
+/// EFI_80211_BSS_TYPE
+///
+typedef enum {
+  IeeeInfrastructureBSS,
+  IeeeIndependentBSS,
+  IeeeMeshBSS,
+  IeeeAnyBss
+} EFI_80211_BSS_TYPE;
+
+///
+/// EFI_80211_CONNECT_NETWORK_RESULT_CODE
+///
+typedef enum {
+  //
+  // The connection establishment operation finished successfully.
+  //
+  ConnectSuccess,
+  //
+  // The connection was refused by the Network.
+  //
+  ConnectRefused,
+  //
+  // The connection establishment operation failed (i.e, Network is not
+  // detected).
+  //
+  ConnectFailed,
+  //
+  // The connection establishment operation was terminated on timeout.
+  //
+  ConnectFailureTimeout,
+  //
+  // The connection establishment operation failed on other reason.
+  //
+  ConnectFailedReasonUnspecified
+} EFI_80211_CONNECT_NETWORK_RESULT_CODE;
+
+///
+/// EFI_80211_MAC_ADDRESS
+///
+typedef struct {
+  UINT8    Addr[6];
+} EFI_80211_MAC_ADDRESS;
+
+#define EFI_MAX_SSID_LEN  32
+
+///
+/// EFI_80211_SSID
+///
+typedef struct {
+  //
+  // Length in bytes of the SSId. If zero, ignore SSId field.
+  //
+  UINT8    SSIdLen;
+  //
+  // Specifies the service set identifier.
+  //
+  UINT8    SSId[EFI_MAX_SSID_LEN];
+} EFI_80211_SSID;
+
+///
+/// EFI_80211_GET_NETWORKS_DATA
+///
+typedef struct {
+  //
+  // The number of EFI_80211_SSID in SSIDList. If zero, SSIDList should be
+  // ignored.
+  //
+  UINT32            NumOfSSID;
+  //
+  // The SSIDList is a pointer to an array of EFI_80211_SSID instances. The
+  // number of entries is specified by NumOfSSID. The array should only include
+  // SSIDs of hidden networks. It is suggested that the caller inputs less than
+  // 10 elements in the SSIDList. It is the caller's responsibility to free
+  // this buffer.
+  //
+  EFI_80211_SSID    SSIDList[1];
+} EFI_80211_GET_NETWORKS_DATA;
+
+///
+/// EFI_80211_SUITE_SELECTOR
+///
+typedef struct {
+  //
+  // Organization Unique Identifier, as defined in IEEE 802.11 standard,
+  // usually set to 00-0F-AC.
+  //
+  UINT8    Oui[3];
+  //
+  // Suites types, as defined in IEEE 802.11 standard.
+  //
+  UINT8    SuiteType;
+} EFI_80211_SUITE_SELECTOR;
+
+///
+/// EFI_80211_AKM_SUITE_SELECTOR
+///
+typedef struct {
+  //
+  // Indicates the number of AKM suite selectors that are contained in
+  // AKMSuiteList. If zero, the AKMSuiteList is ignored.
+  //
+  UINT16                      AKMSuiteCount;
+  //
+  // A variable-length array of AKM suites, as defined in IEEE 802.11 standard,
+  // Table 8-101. The number of entries is specified by AKMSuiteCount.
+  //
+  EFI_80211_SUITE_SELECTOR    AKMSuiteList[1];
+} EFI_80211_AKM_SUITE_SELECTOR;
+
+///
+/// EFI_80211_CIPHER_SUITE_SELECTOR
+///
+typedef struct {
+  //
+  // Indicates the number of cipher suites that are contained in
+  // CipherSuiteList. If zero, the CipherSuiteList is ignored.
+  //
+  UINT16                      CipherSuiteCount;
+  //
+  // A variable-length array of cipher suites, as defined in IEEE 802.11
+  // standard, Table 8-99. The number of entries is specified by
+  // CipherSuiteCount.
+  //
+  EFI_80211_SUITE_SELECTOR    CipherSuiteList[1];
+} EFI_80211_CIPHER_SUITE_SELECTOR;
+
+///
+/// EFI_80211_NETWORK
+///
+typedef struct {
+  //
+  // Specifies the type of the BSS.
+  //
+  EFI_80211_BSS_TYPE                 BSSType;
+  //
+  // Specifies the SSID of the BSS.
+  //
+  EFI_80211_SSID                     SSId;
+  //
+  // Pointer to the AKM suites supported in the wireless network.
+  //
+  EFI_80211_AKM_SUITE_SELECTOR       *AKMSuite;
+  //
+  // Pointer to the cipher suites supported in the wireless network.
+  //
+  EFI_80211_CIPHER_SUITE_SELECTOR    *CipherSuite;
+} EFI_80211_NETWORK;
+
+///
+/// EFI_80211_NETWORK_DESCRIPTION
+///
+typedef struct {
+  //
+  // Specifies the found wireless network.
+  //
+  EFI_80211_NETWORK    Network;
+  //
+  // Indicates the network quality as a value between 0 to 100, where 100
+  // indicates the highest network quality.
+  //
+  UINT8                NetworkQuality;
+} EFI_80211_NETWORK_DESCRIPTION;
+
+///
+/// EFI_80211_GET_NETWORKS_RESULT
+///
+typedef struct {
+  //
+  // The number of EFI_80211_NETWORK_DESCRIPTION in NetworkDesc. If zero,
+  // NetworkDesc should be ignored.
+  //
+  UINT8                            NumOfNetworkDesc;
+  //
+  // The NetworkDesc is a pointer to an array of EFI_80211_NETWORK_DESCRIPTION
+  // instances. It is caller's responsibility to free this buffer.
+  //
+  EFI_80211_NETWORK_DESCRIPTION    NetworkDesc[1];
+} EFI_80211_GET_NETWORKS_RESULT;
+
+///
+/// EFI_80211_GET_NETWORKS_TOKEN
+///
+typedef struct {
+  //
+  // If the status code returned by GetNetworks() is EFI_SUCCESS, then this
+  // Event will be signaled after the Status field is updated by the EFI
+  // Wireless MAC Connection Protocol II driver. The type of Event must be
+  // EFI_NOTIFY_SIGNAL.
+  //
+  EFI_EVENT    Event;
+  //
+  // Will be set to one of the following values:
+  // EFI_SUCCESS: The operation completed successfully.
+  // EFI_NOT_FOUND: Failed to find available wireless networks.
+  // EFI_DEVICE_ERROR: An unexpected network or system error occurred.
+  // EFI_ACCESS_DENIED: The operation is not completed due to some underlying
+  // hardware or software state.
+  // EFI_NOT_READY: The operation is started but not yet completed.
+  //
+  EFI_STATUS                       Status;
+  //
+  // Pointer to the input data for getting networks.
+  //
+  EFI_80211_GET_NETWORKS_DATA      *Data;
+  //
+  // Indicates the scan result. It is caller's responsibility to free this
+  // buffer.
+  //
+  EFI_80211_GET_NETWORKS_RESULT    *Result;
+} EFI_80211_GET_NETWORKS_TOKEN;
+
+///
+/// EFI_80211_CONNECT_NETWORK_DATA
+///
+typedef struct {
+  //
+  // Specifies the wireless network to connect to.
+  //
+  EFI_80211_NETWORK    *Network;
+  //
+  // Specifies a time limit in seconds that is optionally present, after which
+  // the connection establishment procedure is terminated by the UNDI driver.
+  // This is an optional parameter and may be 0. Values of 5 seconds or higher
+  // are recommended.
+  //
+  UINT32               FailureTimeout;
+} EFI_80211_CONNECT_NETWORK_DATA;
+
+///
+/// EFI_80211_CONNECT_NETWORK_TOKEN
+///
+typedef struct {
+  //
+  // If the status code returned by ConnectNetwork() is EFI_SUCCESS, then this
+  // Event will be signaled after the Status field is updated by the EFI
+  // Wireless MAC Connection Protocol II driver. The type of Event must be
+  // EFI_NOTIFY_SIGNAL.
+  //
+  EFI_EVENT    Event;
+  //
+  // Will be set to one of the following values:
+  // EFI_SUCCESS: The operation completed successfully.
+  // EFI_DEVICE_ERROR: An unexpected network or system error occurred.
+  // EFI_ACCESS_DENIED: The operation is not completed due to some underlying
+  // hardware or software state.
+  // EFI_NOT_READY: The operation is started but not yet completed.
+  //
+  EFI_STATUS                               Status;
+  //
+  // Pointer to the connection data.
+  //
+  EFI_80211_CONNECT_NETWORK_DATA           *Data;
+  //
+  // Indicates the connection state.
+  //
+  EFI_80211_CONNECT_NETWORK_RESULT_CODE    ResultCode;
+} EFI_80211_CONNECT_NETWORK_TOKEN;
+
+///
+/// EFI_80211_DISCONNECT_NETWORK_TOKEN
+///
+typedef struct {
+  //
+  // If the status code returned by DisconnectNetwork() is EFI_SUCCESS, then
+  // this Event will be signaled after the Status field is updated by the EFI
+  // Wireless MAC Connection Protocol II driver. The type of Event must be
+  // EFI_NOTIFY_SIGNAL.
+  //
+  EFI_EVENT     Event;
+  //
+  // Will be set to one of the following values:
+  // EFI_SUCCESS: The operation completed successfully
+  // EFI_DEVICE_ERROR: An unexpected network or system error occurred.
+  // EFI_ACCESS_DENIED: The operation is not completed due to some underlying
+  // hardware or software state.
+  //
+  EFI_STATUS    Status;
+} EFI_80211_DISCONNECT_NETWORK_TOKEN;
+
+/**
+  Request a survey of potential wireless networks that administrator can later
+  elect to try to join.
+
+  @param[in]  This                Pointer to the
+                                  EFI_WIRELESS_MAC_CONNECTION_II_PROTOCOL
+                                  instance.
+  @param[in]  Token               Pointer to the token for getting wireless
+                                  network.
+
+  @retval EFI_SUCCESS             The operation started, and an event will
+                                  eventually be raised for the caller.
+  @retval EFI_INVALID_PARAMETER   One or more of the following conditions is
+                                  TRUE:
+                                  This is NULL.
+                                  Token is NULL.
+  @retval EFI_UNSUPPORTED         One or more of the input parameters is not
+                                  supported by this implementation.
+  @retval EFI_ALREADY_STARTED     The operation of getting wireless network is
+                                  already started.
+  @retval EFI_OUT_OF_RESOURCES    Required system resources could not be
+                                  allocated.
+
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_WIRELESS_MAC_CONNECTION_II_GET_NETWORKS)(
+  IN EFI_WIRELESS_MAC_CONNECTION_II_PROTOCOL          *This,
+  IN EFI_80211_GET_NETWORKS_TOKEN                     *Token
+  );
+
+/**
+  Connect a wireless network specified by a particular SSID, BSS type and
+  Security type.
+
+  @param[in]  This                Pointer to the
+                                  EFI_WIRELESS_MAC_CONNECTION_II_PROTOCOL
+                                  instance.
+  @param[in]  Token               Pointer to the token for connecting wireless
+                                  network.
+
+  @retval EFI_SUCCESS             The operation started successfully. Results
+                                  will be notified eventually.
+  @retval EFI_INVALID_PARAMETER   One or more of the following conditions is
+                                  TRUE:
+                                  This is NULL.
+                                  Token is NULL.
+  @retval EFI_UNSUPPORTED         One or more of the input parameters are not
+                                  supported by this implementation.
+  @retval EFI_ALREADY_STARTED     The connection process is already started.
+  @retval EFI_NOT_FOUND           The specified wireless network is not found.
+  @retval EFI_OUT_OF_RESOURCES    Required system resources could not be
+                                  allocated.
+
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_WIRELESS_MAC_CONNECTION_II_CONNECT_NETWORK)(
+  IN EFI_WIRELESS_MAC_CONNECTION_II_PROTOCOL          *This,
+  IN EFI_80211_CONNECT_NETWORK_TOKEN                  *Token
+  );
+
+/**
+  Request a disconnection with current connected wireless network.
+
+  @param[in]  This                Pointer to the
+                                  EFI_WIRELESS_MAC_CONNECTION_II_PROTOCOL
+                                  instance.
+  @param[in]  Token               Pointer to the token for disconnecting
+                                  wireless network.
+
+  @retval EFI_SUCCESS             The operation started successfully. Results
+                                  will be notified eventually.
+  @retval EFI_INVALID_PARAMETER   One or more of the following conditions is
+                                  TRUE:
+                                  This is NULL.
+                                  Token is NULL.
+  @retval EFI_UNSUPPORTED         One or more of the input parameters are not
+                                  supported by this implementation.
+  @retval EFI_NOT_FOUND           Not connected to a wireless network.
+  @retval EFI_OUT_OF_RESOURCES    Required system resources could not be
+                                  allocated.
+
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_WIRELESS_MAC_CONNECTION_II_DISCONNECT_NETWORK)(
+  IN EFI_WIRELESS_MAC_CONNECTION_II_PROTOCOL          *This,
+  IN EFI_80211_DISCONNECT_NETWORK_TOKEN               *Token
+  );
+
+///
+/// The EFI_WIRELESS_MAC_CONNECTION_II_PROTOCOL provides network management
+/// service interfaces for 802.11 network stack. It is used by network
+/// applications (and drivers) to establish wireless connection with a wireless
+/// network.
+///
+struct _EFI_WIRELESS_MAC_CONNECTION_II_PROTOCOL {
+  EFI_WIRELESS_MAC_CONNECTION_II_GET_NETWORKS          GetNetworks;
+  EFI_WIRELESS_MAC_CONNECTION_II_CONNECT_NETWORK       ConnectNetwork;
+  EFI_WIRELESS_MAC_CONNECTION_II_DISCONNECT_NETWORK    DisconnectNetwork;
+};
+
+extern EFI_GUID  gEfiWiFi2ProtocolGuid;
+
+#endif