author | Hao Wu <hao.a.wu@intel.com> | 2016-07-06 14:07:04 +0800 |
---|---|---|
committer | Hao Wu <hao.a.wu@intel.com> | 2016-07-06 16:19:31 +0800 |
commit | 2415f51ea04418a47f96c11b3c5a4bc93f379cad (patch) | |
tree | f241bb93c5a94597e8e78bcb8e112822eed3f393 | |
parent | 5a005913347249598e61fc479bfbe5178d32de2e (diff) | |
SecurityPkg: AuthVariableLib & SecureBootConfigDxe: Fix SecureBootEnable & PK inconsistency issue
Revert previous fix in AuthVariable driver init which breaks
SecureBootEnable original behavior. Add more error handling logic in
SecureBootConfigDxe to prevent wrong display info when SecureBootEnable &
PK inconsistency happens.
Commit hash for the reverted patch in AuthVariable driver is
SHA-1: a6811666b0bef18871fa62b6c5abf18fb076fd0d
(We integrate the change for AuthService.c in commit
126f3b1de02c71fde8e28abc35a46ac5f135b527 on master to AuthVariableLib.c
on UDK2015 branch)
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
(cherry picked from commit 126f3b1de02c71fde8e28abc35a46ac5f135b527)
-rw-r--r-- | SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c | 14 | ||||
-rw-r--r-- | SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 47 |
2 files changed, 26 insertions, 35 deletions
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
index a54eaaa066..00ec1710fc 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
@@ -256,19 +256,7 @@ AuthVariableLibInitialize (
SecureBootEnable = SECURE_BOOT_DISABLE;
Status = AuthServiceInternalFindVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID **) &Data, &DataSize);
if (!EFI_ERROR (Status)) {
- if (mPlatformMode == SETUP_MODE){
- //
- // PK is cleared in runtime. "SecureBootMode" is not updated before reboot
- // Delete "SecureBootMode" in SetupMode
- //
- Status = AuthServiceInternalUpdateVariable (
- EFI_SECURE_BOOT_ENABLE_NAME,
- &gEfiSecureBootEnableDisableGuid,
- &SecureBootEnable,
- 0,
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
- );
- } else {
+ if (mPlatformMode == USER_MODE){
SecureBootEnable = *(UINT8 *) Data;
}
} else if (mPlatformMode == USER_MODE) {
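Review bot: The byte copied at `SecureBootEnable = *(UINT8 *) Data;` comes straight from non-volatile storage, and nothing visible in this hunk checks `DataSize` or that the value is `SECURE_BOOT_ENABLE` or `SECURE_BOOT_DISABLE` before it is used. Tightening the new condition to `if (mPlatformMode == USER_MODE && DataSize == sizeof (UINT8)) {` and handling any other stored value explicitly would keep a malformed variable from steering the result. The revert also leaves an existing SecureBootEnable variable in place while the platform is in setup mode, so a comment such as `// In SETUP_MODE an existing SecureBootEnable is ignored here, not deleted.` would record that for later readers. AuthVariableLibInitialize continues outside the hunk, so how the value is consumed is not visible here.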
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
index e43c6e0ee7..a16a2ce42a 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
@@ -2841,20 +2841,6 @@ SecureBootExtractConfigFromVariable (
ConfigData->RevocationTime.Minute = CurrTime.Minute;
ConfigData->RevocationTime.Second = 0;
- //
- // If the SecureBootEnable Variable doesn't exist, hide the SecureBoot Enable/Disable
- // Checkbox.
- //
- ConfigData->AttemptSecureBoot = FALSE;
- GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);
- if (SecureBootEnable == NULL) {
- ConfigData->HideSecureBoot = TRUE;
- } else {
- ConfigData->HideSecureBoot = FALSE;
- if ((*SecureBootEnable) == SECURE_BOOT_ENABLE) {
- ConfigData->AttemptSecureBoot = TRUE;
- }
- }
//
// If it is Physical Presence User, set the PhysicalPresent to true.
@@ -2876,6 +2862,26 @@ SecureBootExtractConfigFromVariable (
}
//
+ // Check SecureBootEnable & Pk status, fix the inconsistence.
+ // If the SecureBootEnable Variable doesn't exist, hide the SecureBoot Enable/Disable
+ // Checkbox.
+ //
+ ConfigData->AttemptSecureBoot = FALSE;
+ GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);
+
+ //
+ // Fix Pk, SecureBootEnable inconsistence
+ //
+ if ((SetupMode != NULL) && (*SetupMode) == USER_MODE) {
+ ConfigData->HideSecureBoot = FALSE;
+ if ((SecureBootEnable != NULL) && (*SecureBootEnable == SECURE_BOOT_ENABLE)) {
+ ConfigData->AttemptSecureBoot = TRUE;
+ }
+ } else {
+ ConfigData->HideSecureBoot = TRUE;
+ }
+
+ //
// Get the SecureBootMode from CustomMode variable.
//
GetVariable2 (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid, (VOID**)&SecureBootMode, NULL);
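Review bot: The added comment still says the checkbox is hidden when the SecureBootEnable variable does not exist, but the new code decides `HideSecureBoot` from `SetupMode` alone; in `USER_MODE` with no SecureBootEnable variable the checkbox is now shown with `AttemptSecureBoot` left FALSE. The two comment blocks also repeat each other, so a single comment along the lines of `// Show the Secure Boot checkbox only in USER_MODE; a SecureBootEnable value found in any other mode is ignored.` would match the behaviour. `SetupMode` is read earlier in SecureBootExtractConfigFromVariable, outside this hunk. The result of `GetVariable2` is not checked, so the code relies on it leaving `SecureBootEnable` NULL on failure.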
@@ -3050,7 +3056,6 @@ SecureBootRouteConfig (
OUT EFI_STRING *Progress
)
{
- UINT8 *SecureBootEnable;
SECUREBOOT_CONFIGURATION IfrNvData;
UINTN BufferSize;
EFI_STATUS Status;
@@ -3087,10 +3092,7 @@ SecureBootRouteConfig (
//
// Store Buffer Storage back to EFI variable if needed
//
- SecureBootEnable = NULL;
- GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);
- if (NULL != SecureBootEnable) {
- FreePool (SecureBootEnable);
+ if (!IfrNvData.HideSecureBoot) {
Status = SaveSecureBootVariable (IfrNvData.AttemptSecureBoot);
if (EFI_ERROR (Status)) {
return Status;
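Review bot: The write to SecureBootEnable is now gated on `IfrNvData.HideSecureBoot`, a field of the form's configuration buffer, where the removed lines re-read the variable store before calling `SaveSecureBootVariable`. `IfrNvData` is filled earlier in SecureBootRouteConfig, outside this hunk; if that field can be overwritten from the submitted configuration string, the decision to write rests on form state rather than on the platform mode at the time of the write. Re-deriving the condition from the SetupMode variable at this point would make the gate auditable. Failing that, a comment should state that `HideSecureBoot` was refreshed from variables and cannot be changed by the request.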
@@ -3141,6 +3143,7 @@ SecureBootCallback (
SECUREBOOT_CONFIGURATION *IfrNvData;
UINT16 LabelId;
UINT8 *SecureBootEnable;
+ UINT8 *Pk;
UINT8 *SecureBootMode;
UINT8 *SetupMode;
CHAR16 PromptString[100];
@@ -3552,11 +3555,11 @@ SecureBootCallback (
}
} else if (Action == EFI_BROWSER_ACTION_DEFAULT_STANDARD) {
if (QuestionId == KEY_HIDE_SECURE_BOOT) {
- GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);
- if (SecureBootEnable == NULL) {
+ GetVariable2 (EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid, (VOID**)&Pk, NULL);
+ if (Pk == NULL) {
IfrNvData->HideSecureBoot = TRUE;
} else {
- FreePool (SecureBootEnable);
+ FreePool (Pk);
IfrNvData->HideSecureBoot = FALSE;
}
Value->b = IfrNvData->HideSecureBoot;
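Review bot: `HideSecureBoot` is computed here from the presence of the PK variable, while the hunk in SecureBootExtractConfigFromVariable computes the same flag from `(*SetupMode) == USER_MODE`; the two may disagree whenever PK and the mode variable are out of step. Using the same SetupMode test in both places, or one shared helper, would keep the default-action path and the extract path aligned. `Pk` serves only as an existence probe, so `GetVariable2` allocates and copies the whole key just to have it freed, and its return status is ignored. SecureBootCallback starts and ends outside the hunk.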