authorsfu5 <sfu5@6f19259b-4bc3-4df7-8a09-765794883524>2012-07-17 08:38:58 +0000
committersfu5 <sfu5@6f19259b-4bc3-4df7-8a09-765794883524>2012-07-17 08:38:58 +0000
commit05a643f91dae02580187ec24440ec798197b913a (patch)
tree12dd44a00dcdae56394facf3ff739a9bfae3dc58 /SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
parent876ac39540251437b69809fbea4fc8ed3bee57ca (diff)
downloadedk2-platforms-05a643f91dae02580187ec24440ec798197b913a.tar.xz
1. Remove extra attribute for SetupMode, SignatureSupport and SecureBoot variable.
2. Allow the PK owner to update db/dbx variable directly. Signed-off-by: Fu Siyuan <siyuan.fu@intel.com> Reviewed-by: Dong Guo <guo.dong@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com> git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13536 6f19259b-4bc3-4df7-8a09-765794883524
Diffstat (limited to 'SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c')
-rw-r--r--SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c36
1 files changed, 35 insertions, 1 deletions
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
index bae5f7bc45..93d0e25eac 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
@@ -1956,6 +1956,33 @@ IsHwErrRecVariable (
}
/**
+ This code checks if variable should be treated as read-only variable.
+
+ @param[in] VariableName Name of the Variable.
+ @param[in] VendorGuid GUID of the Variable.
+
+ @retval TRUE This variable is read-only variable.
+ @retval FALSE This variable is NOT read-only variable.
+
+**/
+BOOLEAN
+IsReadOnlyVariable (
+ IN CHAR16 *VariableName,
+ IN EFI_GUID *VendorGuid
+ )
+{
+ if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid)) {
+ if ((StrCmp (VariableName, EFI_SETUP_MODE_NAME) == 0) ||
+ (StrCmp (VariableName, EFI_SIGNATURE_SUPPORT_NAME) == 0) ||
+ (StrCmp (VariableName, EFI_SECURE_BOOT_MODE_NAME) == 0)) {
+ return TRUE;
+ }
+ }
+
+ return FALSE;
+}
+
+/**
This code finds variable in storage blocks (Volatile or Non-Volatile).
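Review bot: The header comment on IsReadOnlyVariable does not say which variables it covers or why, so a reader has to infer the policy from the three StrCmp calls. A sentence such as `Covers SetupMode, SignatureSupport and SecureBoot under gEfiGlobalVariableGuid, which firmware maintains and SetVariable callers must not change.` would make the intent explicit. Both pointers are dereferenced without a NULL check, so the comment should also state that the caller validates them first. The one caller visible on this page appears to do so, but that check lies outside the hunks.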
@@ -2232,6 +2259,10 @@ VariableServiceSetVariable (
return EFI_INVALID_PARAMETER;
}
+ if (IsReadOnlyVariable (VariableName, VendorGuid)) {
+ return EFI_WRITE_PROTECTED;
+ }
+
if (DataSize != 0 && Data == NULL) {
return EFI_INVALID_PARAMETER;
}
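Review bot: The new EFI_WRITE_PROTECTED return has no comment, and it runs before the DataSize/Data check, so a request naming one of these variables is rejected whatever its other arguments are, including a delete. A line such as `// SetupMode, SignatureSupport and SecureBoot are firmware-owned; reject every external write.` above the check would record that this is deliberate. If the function's header comment lists return values (it is outside this hunk), EFI_WRITE_PROTECTED should be added there. Firmware's own updates of these variables presumably do not go through this service entry, which is worth confirming.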
@@ -2349,7 +2380,10 @@ VariableServiceSetVariable (
Status = ProcessVarWithPk (VariableName, VendorGuid, Data, DataSize, &Variable, Attributes, FALSE);
} else if (CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid) &&
((StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) || (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE1) == 0))) {
- Status = ProcessVarWithKek (VariableName, VendorGuid, Data, DataSize, &Variable, Attributes);
+ Status = ProcessVarWithPk (VariableName, VendorGuid, Data, DataSize, &Variable, Attributes, FALSE);
+ if (EFI_ERROR (Status)) {
+ Status = ProcessVarWithKek (VariableName, VendorGuid, Data, DataSize, &Variable, Attributes);
+ }
} else {
Status = ProcessVariable (VariableName, VendorGuid, Data, DataSize, &Variable, Attributes);
}
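Review bot: The fallback at `if (EFI_ERROR (Status))` retries with ProcessVarWithKek after any failure of ProcessVarWithPk, not only a failed PK signature check, so an unrelated error (bad parameter, out of resources) is replaced by whatever the KEK path returns. If ProcessVarWithPk reports a failed verification with a distinct status, fall back only on that, e.g. `if (Status == EFI_SECURITY_VIOLATION) {`; which status it actually uses is not visible here and should be confirmed. It is also worth confirming that ProcessVarWithPk leaves `Variable` and any stored authentication state untouched when it fails, since the same `&Variable` is handed to the second call. Because this widens who may write db/dbx, a comment stating the order (PK owner first, then KEK) and how the PK path treats these variables while the platform is in setup mode would help reviewers. The enclosing function starts and ends outside the hunk.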