1. Reset system when user changes secure boot state in secure boot configuration form.

2. Update the method to detect secure boot state in DxeImageVerificationLib and secure boot configuration driver. Signed-off-by: Fu Siyuan <siyuan.fu@intel.com> Reviewed-by: Dong Guo <guo.dong@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com> git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13505 6f19259b-4bc3-4df7-8a09-765794883524
author: sfu5 <sfu5@6f19259b-4bc3-4df7-8a09-765794883524> 2012-07-05 08:08:12 +0000
committer: sfu5 <sfu5@6f19259b-4bc3-4df7-8a09-765794883524> 2012-07-05 08:08:12 +0000
commit: 8f8ca22e594e3a6c313f725fbc7e2b20d75c79fd (patch)
tree: 7ff3a01251e6922c56612e83c6d39a4264f205bb /SecurityPkg
parent: b37aa2c645ff7e9c2209fe325f6078813ff462cd (diff)
download: edk2-8f8ca22e594e3a6c313f725fbc7e2b20d75c79fd.tar.gz
6 files changed, 29 insertions, 46 deletions
diff --git a/SecurityPkg/Include/Guid/AuthenticatedVariableFormat.h b/SecurityPkg/Include/Guid/AuthenticatedVariableFormat.h
index f18f4aa7e..da71e774e 100644
--- a/SecurityPkg/Include/Guid/AuthenticatedVariableFormat.h
+++ b/SecurityPkg/Include/Guid/AuthenticatedVariableFormat.h
@@ -29,7 +29,9 @@ extern EFI_GUID gEfiAuthenticatedVariableGuid;
 extern EFI_GUID gEfiSecureBootEnableDisableGuid;
 
 ///
-/// "SecureBootEnable" variable for the Secure boot feature enable/disable.
+/// "SecureBootEnable" variable for the Secure Boot feature enable/disable.
+/// This variable is used for allowing a physically present user to disable
+/// Secure Boot via firmware setup without the possession of PKpriv.
 ///
 #define EFI_SECURE_BOOT_ENABLE_NAME      L"SecureBootEnable"
 #define SECURE_BOOT_ENABLE               1
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index dff4bd037..093932053 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1254,14 +1254,13 @@ DxeImageVerificationHandler (
   UINT16                               Magic;
   EFI_IMAGE_DOS_HEADER                 *DosHdr;
   EFI_STATUS                           VerifyStatus;
-  UINT8                                *SetupMode;
   EFI_SIGNATURE_LIST                   *SignatureList;
   UINTN                                SignatureListSize;
   EFI_SIGNATURE_DATA                   *Signature;
   EFI_IMAGE_EXECUTION_ACTION           Action;
   WIN_CERTIFICATE                      *WinCertificate;
   UINT32                               Policy;
-  UINT8                                *SecureBootEnable;
+  UINT8                                *SecureBoot;
   PE_COFF_LOADER_IMAGE_CONTEXT         ImageContext;
   UINT32                               NumberOfRvaAndSizes;
   UINT32                               CertSize;
@@ -1309,43 +1308,22 @@ DxeImageVerificationHandler (
     return EFI_ACCESS_DENIED;
   }
 
-  GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);
+  GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOID**)&SecureBoot, NULL);
   //
-  // Skip verification if SecureBootEnable variable doesn't exist.
+  // Skip verification if SecureBoot variable doesn't exist.
   //
-  if (SecureBootEnable == NULL) {
+  if (SecureBoot == NULL) {
     return EFI_SUCCESS;
   }
 
   //
-  // Skip verification if SecureBootEnable is disabled.
+  // Skip verification if SecureBoot is disabled.
   //
-  if (*SecureBootEnable == SECURE_BOOT_DISABLE) {
-    FreePool (SecureBootEnable);
+  if (*SecureBoot == SECURE_BOOT_MODE_DISABLE) {
+    FreePool (SecureBoot);
     return EFI_SUCCESS;
   }
-
-  FreePool (SecureBootEnable);
-
-  GetEfiGlobalVariable2 (EFI_SETUP_MODE_NAME, (VOID**)&SetupMode, NULL);
-
-  //
-  // SetupMode doesn't exist means no AuthVar driver is dispatched,
-  // skip verification.
-  //
-  if (SetupMode == NULL) {
-    return EFI_SUCCESS;
-  }
-
-  //
-  // If platform is in SETUP MODE, skip verification.
-  //
-  if (*SetupMode == SETUP_MODE) {
-    FreePool (SetupMode);
-    return EFI_SUCCESS;
-  }
-
-  FreePool (SetupMode);
+  FreePool (SecureBoot);
 
   //
   // Read the Dos header.
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
index e561a648a..8ec41f4e1 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
@@ -68,13 +68,8 @@
   gEfiCertSha256Guid
   gEfiCertX509Guid
   gEfiCertRsa2048Guid
-  gEfiSecureBootEnableDisableGuid
   
 [Pcd]
   gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy
   gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy
   gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy
-
-  
-
-
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
index d6df32aff..d1aeab8bf 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
@@ -323,7 +323,7 @@ AutenticatedVariableServiceInitialize (
   // If "SecureBootEnable" variable is SECURE_BOOT_ENABLE and in USER_MODE, Set "SecureBoot" variable to SECURE_BOOT_MODE_ENABLE.
   // If "SecureBootEnable" variable is SECURE_BOOT_DISABLE, Set "SecureBoot" variable to SECURE_BOOT_MODE_DISABLE.
   //
-  SecureBootEnable = SECURE_BOOT_MODE_DISABLE;
+  SecureBootEnable = SECURE_BOOT_DISABLE;
   FindVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
   if (Variable.CurrPtr != NULL) {
     SecureBootEnable = *(GetVariableDataPtr (Variable.CurrPtr));
@@ -331,7 +331,7 @@ AutenticatedVariableServiceInitialize (
     //
     // "SecureBootEnable" not exist, initialize it in USER_MODE.
     //
-    SecureBootEnable = SECURE_BOOT_MODE_ENABLE;
+    SecureBootEnable = SECURE_BOOT_ENABLE;
     Status = UpdateVariable (
                EFI_SECURE_BOOT_ENABLE_NAME,
                &gEfiSecureBootEnableDisableGuid,
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
index 22c03c128..4e790634d 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
@@ -51,7 +51,7 @@ formset
           questionid = KEY_SECURE_BOOT_ENABLE,
           prompt = STRING_TOKEN(STR_SECURE_BOOT_PROMPT),
           help   = STRING_TOKEN(STR_SECURE_BOOT_HELP),
-          flags  = INTERACTIVE,
+          flags  = INTERACTIVE | RESET_REQUIRED,
     endcheckbox;
     endif;
     
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
index 0a08479b4..26fc09d52 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
@@ -2069,27 +2069,25 @@ SecureBootExtractConfigFromVariable (
 {
   UINT8   *SecureBootEnable;
   UINT8   *SetupMode;
+  UINT8   *SecureBoot;
   UINT8   *SecureBootMode;
 
   SecureBootEnable = NULL;
   SetupMode        = NULL;
+  SecureBoot       = NULL;
   SecureBootMode   = NULL;
   
   //
-  // Get the SecureBootEnable Variable
-  //
-  GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);
-
-  //
   // If the SecureBootEnable Variable doesn't exist, hide the SecureBoot Enable/Disable
   // Checkbox.
   //
+  GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);
   if (SecureBootEnable == NULL) {
     ConfigData->HideSecureBoot = TRUE;
   } else {
     ConfigData->HideSecureBoot = FALSE;
-    ConfigData->SecureBootState = *SecureBootEnable;
   }
+  
   //
   // If it is Physical Presence User, set the PhysicalPresent to true.
   //
@@ -2103,11 +2101,21 @@ SecureBootExtractConfigFromVariable (
   // If there is no PK then the Delete Pk button will be gray.
   //
   GetVariable2 (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SetupMode, NULL);
-  if (SetupMode == NULL || (*SetupMode) == 1) {
+  if (SetupMode == NULL || (*SetupMode) == SETUP_MODE) {
     ConfigData->HasPk = FALSE;
   } else  {
     ConfigData->HasPk = TRUE;
   }
+  
+  //
+  // If the value of SecureBoot variable is 1, the platform is operating in secure boot mode.
+  //
+  GetVariable2 (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SecureBoot, NULL);
+  if (SecureBoot != NULL && *SecureBoot == SECURE_BOOT_MODE_ENABLE) {
+    ConfigData->SecureBootState = TRUE;
+  } else {
+    ConfigData->SecureBootState = FALSE;
+  }
 
   //
   // Get the SecureBootMode from CustomMode variable.
author	sfu5 <sfu5@6f19259b-4bc3-4df7-8a09-765794883524>	2012-07-05 08:08:12 +0000
committer	sfu5 <sfu5@6f19259b-4bc3-4df7-8a09-765794883524>	2012-07-05 08:08:12 +0000
commit	8f8ca22e594e3a6c313f725fbc7e2b20d75c79fd (patch)
tree	7ff3a01251e6922c56612e83c6d39a4264f205bb /SecurityPkg
parent	b37aa2c645ff7e9c2209fe325f6078813ff462cd (diff)
download	edk2-8f8ca22e594e3a6c313f725fbc7e2b20d75c79fd.tar.gz