
Hello Takahiro,
in the current code you have left a comment:
/*
 * TODO:
 * Since there is currently no "platform-specific" installation
 * method of Platform Key, we can't say if VendorKeys is 0 or 1
 * precisely.
 */
We do not supply vendor keys. So currently any secure boot setup is defined by a user and not by the vendor. So we should keep this variable at zero.
EDK2's way to keep track of changes to Secure Boot Policy Variables is a non-volatile variable VendorKeysNv which is set to 1 when first created and to 0 (in VendorKeyIsModified()) upon the first relevant change. EDK2 ignores changes in setup mode.
According to the UEFI specification Secure Boot Policy Variables are:
* PK, KEK, OsRecoveryOrder, OsRecovery####
* variables with EFI_IMAGE_SECURITY_DATABASE_GUID
efi_set_secure_state() currently sets all mode variables to read-only. This should only be the case in Audit Mode and Deployed Mode, see figure 90 "Secure Modes" in the 2.8A spec.
Best regards
Heinrich
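The VendorKeys bookkeeping described in the mail above, as an added example in C that is not code from U-Boot or EDK2: it classifies a written variable as a Secure Boot Policy Variable and clears VendorKeys on the first such change outside setup mode. guid_t, sb_state and the function names are assumptions, and OsRecovery#### is matched by name only.

```c
/* Added example, not U-Boot or EDK2 code: models the VendorKeysNv tracking the
 * mail describes. guid_t, sb_state and the function names are assumptions. */
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
typedef struct { uint32_t a; uint16_t b, c; uint8_t d[8]; } guid_t;

/* GUID values from the UEFI specification */
static const guid_t efi_global_variable =
	{ 0x8be4df61, 0x93ca, 0x11d2, { 0xaa, 0x0d, 0x00, 0xe0, 0x98, 0x03, 0x2b, 0x8c } };
static const guid_t efi_image_security_database_guid =
	{ 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f } };

static bool guid_eq(const guid_t *x, const guid_t *y)
{
	return memcmp(x, y, sizeof(*x)) == 0;
}

/* Secure Boot Policy Variable as listed above. OsRecovery#### is matched by name
 * only; the spec places it under a vendor GUID listed in OsRecoveryOrder. */
static bool is_secure_boot_policy_variable(const char *name, const guid_t *guid)
{
	if (guid_eq(guid, &efi_image_security_database_guid))
		return true; /* db, dbx, dbt, dbr */
	if (!strncmp(name, "OsRecovery", 10) && strlen(name) == 14) {
		for (int i = 10; i < 14; i++)
			if (!isxdigit((unsigned char)name[i]))
				return false;
		return true;
	}
	return guid_eq(guid, &efi_global_variable) &&
	       (!strcmp(name, "PK") || !strcmp(name, "KEK") ||
		!strcmp(name, "OsRecoveryOrder"));
}

struct sb_state {
	bool setup_mode;	/* SetupMode == 1 */
	uint8_t vendor_keys_nv;	/* 1 when first created, 0 after first change */
};

/* Call after each successful variable write; returns the new VendorKeys value.
 * Like EDK2, changes made while in setup mode do not clear it. */
static uint8_t on_variable_written(struct sb_state *s, const char *name, const guid_t *guid)
{
	if (!s->setup_mode && is_secure_boot_policy_variable(name, guid))
		s->vendor_keys_nv = 0;
	return s->vendor_keys_nv;
}
```

Enrolling PK in setup mode leaves VendorKeys at 1; the first dbx or KEK update in user mode drops it to 0 and it stays there.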