authorZhang, Chao B <chao.b.zhang@intel.com>2016-04-28 15:27:09 +0800
committerZhang, Chao B <chao.b.zhang@intel.com>2016-05-04 09:13:51 +0800
commit12087ff6d63e50fb6c588caf33c9b2c4b31c2dbd (patch)
tree2ebc37018206c8600aba38f9391fcfbe33158ebc /SecurityPkg
parent560ac77ea155857da879648e559a60b528b19730 (diff)
SecurityPkg: SecureBootConfigDxe: Remove SecureBoot UI change for Customized Secure Boot
Remove SecureBoot UI support for Customized SecureBoot Mode transition according to Mantis 1263. The feature has been moved to https://github.com/tianocore/edk2-staging/tree/Customized-Secure-Boot Previous check-in hash is SHA-1: 96832eefea1025c130979dec9b7da069f77bcd96 Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Chao Zhang <chao.b.zhang@intel.com> Reviewed-by: El-Haj-Mahmoud Samer <samer.el-haj-mahmoud@hpe.com> Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Diffstat (limited to 'SecurityPkg')
-rw-r--r--SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr37
-rw-r--r--SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c385
-rw-r--r--SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h7
-rw-r--r--SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni20
4 files changed, 32 insertions, 417 deletions
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
index 484da2c0ca..fefbfbfd06 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
@@ -33,14 +33,6 @@ formset
subtitle text = STRING_TOKEN(STR_NULL);
- //
- // Display current secure boot mode(one of SetupMode/AuditMode/UserMode/DeployedMode)
- //
- text
- help = STRING_TOKEN(STR_CUR_SECURE_BOOT_MODE_HELP),
- text = STRING_TOKEN(STR_CUR_SECURE_BOOT_MODE_PROMPT),
- text = STRING_TOKEN(STR_CUR_SECURE_BOOT_MODE_CONTENT);
-
text
help = STRING_TOKEN(STR_SECURE_BOOT_STATE_HELP),
text = STRING_TOKEN(STR_SECURE_BOOT_STATE_PROMPT),
@@ -71,7 +63,7 @@ formset
endoneof;
//
- // Display PK include page
+ // Display of 'Current Secure Boot Mode'
//
suppressif questionref(SecureBootMode) == SECURE_BOOT_MODE_STANDARD;
grayoutif NOT ideqval SECUREBOOT_CONFIGURATION.PhysicalPresent == 1;
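Review bot: The new comment `// Display of 'Current Secure Boot Mode'` does not describe the statements under it. The visible lines are a `suppressif` on `SecureBootMode == SECURE_BOOT_MODE_STANDARD` and a `grayoutif` on `PhysicalPresent`, and this same commit removes the current-mode text item from the form. Because these two conditions decide when the guarded item is hidden or locked, a comment naming them would serve maintainers better, for example `// Hidden in Standard mode; grayed out unless a physically present user is detected`. The guarded item itself lies outside the hunk, so the wording should be checked against it.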
@@ -93,33 +85,6 @@ formset
subtitle text = STRING_TOKEN(STR_NULL);
- //
- // Display of SetupMode/UserMode/AuditMode/DeployedMode transition
- //
- oneof name = TransSecureBootMode,
- questionid = KEY_TRANS_SECURE_BOOT_MODE,
- prompt = STRING_TOKEN(STR_TRANS_SECURE_BOOT_MODE_PROMPT),
- help = STRING_TOKEN(STR_TRANS_SECURE_BOOT_MODE_HELP),
- flags = INTERACTIVE | NUMERIC_SIZE_1,
- suppressif ideqval SECUREBOOT_CONFIGURATION.CurSecureBootMode == SECURE_BOOT_MODE_AUDIT_MODE
- OR (ideqval SECUREBOOT_CONFIGURATION.CurSecureBootMode == SECURE_BOOT_MODE_DEPLOYED_MODE AND
- ideqval SECUREBOOT_CONFIGURATION.PhysicalPresent == 0);
- option text = STRING_TOKEN(STR_USER_MODE), value = SECURE_BOOT_MODE_USER_MODE, flags = 0;
- endif
- suppressif ideqval SECUREBOOT_CONFIGURATION.CurSecureBootMode == SECURE_BOOT_MODE_AUDIT_MODE;
- option text = STRING_TOKEN(STR_SETUP_MODE), value = SECURE_BOOT_MODE_SETUP_MODE, flags = 0;
- endif
- suppressif ideqval SECUREBOOT_CONFIGURATION.CurSecureBootMode == SECURE_BOOT_MODE_DEPLOYED_MODE;
- option text = STRING_TOKEN(STR_AUDIT_MODE), value = SECURE_BOOT_MODE_AUDIT_MODE, flags = 0;
- endif
- suppressif ideqval SECUREBOOT_CONFIGURATION.CurSecureBootMode == SECURE_BOOT_MODE_SETUP_MODE;
- option text = STRING_TOKEN(STR_DEPLOYED_MODE), value = SECURE_BOOT_MODE_DEPLOYED_MODE, flags = 0;
- endif
-
- endoneof;
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
goto FORMID_SECURE_BOOT_PK_OPTION_FORM,
prompt = STRING_TOKEN(STR_SECURE_BOOT_PK_OPTION),
help = STRING_TOKEN(STR_SECURE_BOOT_PK_OPTION_HELP),
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
index c8f4d977d9..088fa26e0d 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
@@ -49,8 +49,6 @@ HII_VENDOR_DEVICE_PATH mSecureBootHiiVendorDevicePath = {
BOOLEAN mIsEnterSecureBootForm = FALSE;
-BOOLEAN mIsSelectedSecureBootModeForm = FALSE;
-BOOLEAN mIsSecureBootModeChanged = FALSE;
//
// OID ASN.1 Value for Hash Algorithms
@@ -2833,256 +2831,6 @@ ON_EXIT:
}
/**
- Perform secure boot mode transition from User Mode by setting AuditMode
- or DeployedMode variable.
-
- @param[in] NewMode New secure boot mode.
-
- @retval EFI_SUCCESS Secure Boot mode transition is successful.
-**/
-EFI_STATUS
-TransitionFromUserMode(
- IN UINT8 NewMode
- )
-{
- UINT8 Data;
- EFI_STATUS Status;
-
- if (NewMode == SECURE_BOOT_MODE_AUDIT_MODE) {
- Data = 1;
- Status = gRT->SetVariable(
- EFI_AUDIT_MODE_NAME,
- &gEfiGlobalVariableGuid,
- EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
- sizeof(UINT8),
- &Data
- );
- return Status;
- } else if (NewMode == SECURE_BOOT_MODE_DEPLOYED_MODE) {
- Data = 1;
- Status = gRT->SetVariable(
- EFI_DEPLOYED_MODE_NAME,
- &gEfiGlobalVariableGuid,
- EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
- sizeof(UINT8),
- &Data
- );
- return Status;
- }
-
- //
- // Other case do nothing here. May Goto enroll PK page.
- //
- return EFI_SUCCESS;
-}
-
-/**
- Perform secure boot mode transition from Setup Mode by setting AuditMode
- variable.
-
- @param[in] NewMode New secure boot mode.
-
- @retval EFI_SUCCESS Secure Boot mode transition is successful.
-**/
-EFI_STATUS
-TransitionFromSetupMode(
- IN UINT8 NewMode
- )
-{
- UINT8 Data;
- EFI_STATUS Status;
-
- Status = EFI_INVALID_PARAMETER;
-
- if (NewMode == SECURE_BOOT_MODE_AUDIT_MODE) {
- Data = 1;
- Status = gRT->SetVariable(
- EFI_AUDIT_MODE_NAME,
- &gEfiGlobalVariableGuid,
- EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
- sizeof(UINT8),
- &Data
- );
- return Status;
- }
-
- //
- // Other case do nothing here. May Goto enroll PK page.
- //
- return EFI_SUCCESS;
-}
-
-/**
- Perform secure boot mode transition from Audit Mode. Nothing is done here,
- should goto enroll PK page.
-
- @param[in] NewMode New secure boot mode.
-
- @retval EFI_SUCCESS Secure Boot mode transition is successful.
-**/
-EFI_STATUS
-TransitionFromAuditMode(
- IN UINT8 NewMode
- )
-{
- //
- // Other case do nothing here. Should Goto enroll PK page.
- //
- return EFI_SUCCESS;
-}
-
-/**
- Perform secure boot mode transition from Deployed Mode by setting Deployed Mode
- variable to 0.
-
- @param[in] NewMode New secure boot mode.
-
- @retval EFI_SUCCESS Secure Boot mode transition is successful.
-**/
-EFI_STATUS
-TransitionFromDeployedMode(
- IN UINT8 NewMode
- )
-{
- UINT8 Data;
- EFI_STATUS Status;
-
- //
- // Platform specific logic. when physical presence, Allow to set DeployedMode =:0
- // to switch back to UserMode
- //
- if (NewMode == SECURE_BOOT_MODE_USER_MODE) {
- Data = 0;
- Status = gRT->SetVariable(
- EFI_DEPLOYED_MODE_NAME,
- &gEfiGlobalVariableGuid,
- EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
- sizeof(UINT8),
- &Data
- );
- DEBUG((EFI_D_INFO, "DeployedMode Status %x\n", Status));
- return Status;
- }
- return EFI_SUCCESS;
-}
-
-/**
- Perform main secure boot mode transition.
-
- @param[in] CurMode New secure boot mode.
- @param[in] NewMode New secure boot mode.
-
- @retval EFI_SUCCESS Secure Boot mode transition is successful.
-**/
-EFI_STATUS
-SecureBootModeTransition(
- IN UINT8 CurMode,
- IN UINT8 NewMode
- )
-{
- EFI_STATUS Status;
-
- //
- // Set platform to be customized mode to ensure platform specific mode switch sucess
- //
- Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- //
- // SecureBootMode transition
- //
- switch (CurMode) {
- case SECURE_BOOT_MODE_USER_MODE:
- Status = TransitionFromUserMode(NewMode);
- break;
-
- case SECURE_BOOT_MODE_SETUP_MODE:
- Status = TransitionFromSetupMode(NewMode);
- break;
-
- case SECURE_BOOT_MODE_AUDIT_MODE:
- Status = TransitionFromAuditMode(NewMode);
- break;
-
- case SECURE_BOOT_MODE_DEPLOYED_MODE:
- Status = TransitionFromDeployedMode(NewMode);
- break;
-
- default:
- Status = EFI_INVALID_PARAMETER;
- ASSERT(FALSE);
- }
-
- return Status;
-}
-
-/**
- Get current secure boot mode by retrieve data from SetupMode/AuditMode/DeployedMode.
-
- @param[out] SecureBootMode Current secure boot mode.
-
-**/
-VOID
-ExtractSecureBootModeFromVariable(
- OUT UINT8 *SecureBootMode
- )
-{
- UINT8 *SetupMode;
- UINT8 *AuditMode;
- UINT8 *DeployedMode;
-
- SetupMode = NULL;
- AuditMode = NULL;
- DeployedMode = NULL;
-
- //
- // Get AuditMode/DeployedMode from variable
- //
- GetVariable2 (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SetupMode, NULL);
- GetVariable2 (EFI_AUDIT_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&AuditMode, NULL);
- GetVariable2 (EFI_DEPLOYED_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&DeployedMode, NULL);
- if (SetupMode != NULL && AuditMode != NULL && DeployedMode != NULL) {
- if (*SetupMode == 0 && *AuditMode == 0 && *DeployedMode == 0) {
- //
- // User Mode
- //
- *SecureBootMode = SECURE_BOOT_MODE_USER_MODE;
- } else if (*SetupMode == 1 && *AuditMode == 0 && *DeployedMode == 0) {
- //
- // Setup Mode
- //
- *SecureBootMode = SECURE_BOOT_MODE_SETUP_MODE;
- } else if (*SetupMode == 1 && *AuditMode == 1 && *DeployedMode == 0) {
- //
- // Audit Mode
- //
- *SecureBootMode = SECURE_BOOT_MODE_AUDIT_MODE;
- } else if (*SetupMode == 0 && *AuditMode == 0 && *DeployedMode == 1) {
- //
- // Deployed Mode
- //
- *SecureBootMode = SECURE_BOOT_MODE_DEPLOYED_MODE;
- } else {
- ASSERT(FALSE);
- }
- }else {
- ASSERT(FALSE);
- }
-
- if (SetupMode != NULL) {
- FreePool (SetupMode);
- }
- if (DeployedMode != NULL) {
- FreePool (DeployedMode);
- }
- if (AuditMode != NULL) {
- FreePool (AuditMode);
- }
-}
-
-/**
Update SecureBoot strings based on new Secure Boot Mode State. String includes STR_SECURE_BOOT_STATE_CONTENT
and STR_CUR_SECURE_BOOT_MODE_CONTENT.
@@ -3098,7 +2846,6 @@ UpdateSecureBootString(
IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private
)
{
- UINT8 CurSecureBootMode;
UINT8 *SecureBoot;
SecureBoot = NULL;
@@ -3116,20 +2863,6 @@ UpdateSecureBootString(
} else {
HiiSetString (Private->HiiHandle, STRING_TOKEN (STR_SECURE_BOOT_STATE_CONTENT), L"Disabled", NULL);
}
- //
- // Get current secure boot mode.
- //
- ExtractSecureBootModeFromVariable(&CurSecureBootMode);
-
- if (CurSecureBootMode == SECURE_BOOT_MODE_USER_MODE) {
- HiiSetString (Private->HiiHandle, STRING_TOKEN (STR_CUR_SECURE_BOOT_MODE_CONTENT), L"UserMode", NULL);
- } else if (CurSecureBootMode == SECURE_BOOT_MODE_SETUP_MODE) {
- HiiSetString (Private->HiiHandle, STRING_TOKEN (STR_CUR_SECURE_BOOT_MODE_CONTENT), L"SetupMode", NULL);
- } else if (CurSecureBootMode == SECURE_BOOT_MODE_AUDIT_MODE) {
- HiiSetString (Private->HiiHandle, STRING_TOKEN (STR_CUR_SECURE_BOOT_MODE_CONTENT), L"AuditMode", NULL);
- } else if (CurSecureBootMode == SECURE_BOOT_MODE_DEPLOYED_MODE) {
- HiiSetString (Private->HiiHandle, STRING_TOKEN (STR_CUR_SECURE_BOOT_MODE_CONTENT), L"DeployedMode", NULL);
- }
FreePool(SecureBoot);
@@ -3148,10 +2881,12 @@ SecureBootExtractConfigFromVariable (
)
{
UINT8 *SecureBootEnable;
+ UINT8 *SetupMode;
UINT8 *SecureBootMode;
EFI_TIME CurrTime;
SecureBootEnable = NULL;
+ SetupMode = NULL;
SecureBootMode = NULL;
//
@@ -3178,24 +2913,10 @@ SecureBootExtractConfigFromVariable (
}
//
- // Get the SecureBootMode from CustomMode variable.
- //
- GetVariable2 (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid, (VOID**)&SecureBootMode, NULL);
- if (SecureBootMode == NULL) {
- ConfigData->SecureBootMode = STANDARD_SECURE_BOOT_MODE;
- } else {
- ConfigData->SecureBootMode = *(SecureBootMode);
- }
-
- //
- // Extact current Secure Boot Mode
- //
- ExtractSecureBootModeFromVariable(&ConfigData->CurSecureBootMode);
-
- //
// If there is no PK then the Delete Pk button will be gray.
//
- if (ConfigData->CurSecureBootMode == SECURE_BOOT_MODE_SETUP_MODE || ConfigData->CurSecureBootMode == SECURE_BOOT_MODE_AUDIT_MODE) {
+ GetVariable2 (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SetupMode, NULL);
+ if (SetupMode == NULL || (*SetupMode) == SETUP_MODE) {
ConfigData->HasPk = FALSE;
} else {
ConfigData->HasPk = TRUE;
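Review bot: The status returned by `GetVariable2` for `EFI_SETUP_MODE_NAME` is discarded, so a failed read (SetupMode left NULL) is reported as "no PK" exactly like a platform that really is in setup mode. If that is intended, say so next to the check, e.g. `// A failed SetupMode read is treated the same as setup mode (no PK enrolled)`; otherwise capture the status and handle the failure separately. The same pattern appears in the `KEY_SECURE_BOOT_DELETE_PK` hunk, where a NULL SetupMode sets `IfrNvData->DeletePk = TRUE` and requests a submit even though the variable state could not be determined. SecureBootExtractConfigFromVariable starts and ends outside this hunk.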
@@ -3212,7 +2933,7 @@ SecureBootExtractConfigFromVariable (
//
// Fix Pk, SecureBootEnable inconsistence
//
- if (ConfigData->CurSecureBootMode == SECURE_BOOT_MODE_USER_MODE || ConfigData->CurSecureBootMode == SECURE_BOOT_MODE_DEPLOYED_MODE) {
+ if ((*SetupMode) == USER_MODE) {
ConfigData->HideSecureBoot = FALSE;
if ((SecureBootEnable != NULL) && (*SecureBootEnable == SECURE_BOOT_ENABLE)) {
ConfigData->AttemptSecureBoot = TRUE;
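Review bot: `(*SetupMode) == USER_MODE` dereferences SetupMode without a NULL test, although the check added earlier in this function (`SetupMode == NULL || (*SetupMode) == SETUP_MODE`) shows that GetVariable2 may leave it NULL. On that path this line reads through a null pointer. Guard it as `if ((SetupMode != NULL) && ((*SetupMode) == USER_MODE)) {` so a failed read takes the existing else branch, which per the next hunk's context sets `HideSecureBoot = TRUE`. The function body starts and ends outside this hunk.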
@@ -3221,10 +2942,22 @@ SecureBootExtractConfigFromVariable (
ConfigData->HideSecureBoot = TRUE;
}
+ //
+ // Get the SecureBootMode from CustomMode variable.
+ //
+ GetVariable2 (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid, (VOID**)&SecureBootMode, NULL);
+ if (SecureBootMode == NULL) {
+ ConfigData->SecureBootMode = STANDARD_SECURE_BOOT_MODE;
+ } else {
+ ConfigData->SecureBootMode = *(SecureBootMode);
+ }
+
if (SecureBootEnable != NULL) {
FreePool (SecureBootEnable);
}
-
+ if (SetupMode != NULL) {
+ FreePool (SetupMode);
+ }
if (SecureBootMode != NULL) {
FreePool (SecureBootMode);
}
@@ -3458,18 +3191,20 @@ SecureBootCallback (
UINT8 *SecureBootEnable;
UINT8 *Pk;
UINT8 *SecureBootMode;
+ UINT8 *SetupMode;
CHAR16 PromptString[100];
- UINT8 CurSecureBootMode;
EFI_DEVICE_PATH_PROTOCOL *File;
Status = EFI_SUCCESS;
SecureBootEnable = NULL;
SecureBootMode = NULL;
+ SetupMode = NULL;
File = NULL;
if ((This == NULL) || (Value == NULL) || (ActionRequest == NULL)) {
return EFI_INVALID_PARAMETER;
}
+
Private = SECUREBOOT_CONFIG_PRIVATE_FROM_THIS (This);
gSecureBootPrivateData = Private;
@@ -3493,13 +3228,6 @@ SecureBootCallback (
Status = UpdateSecureBootString(Private);
SecureBootExtractConfigFromVariable (IfrNvData);
mIsEnterSecureBootForm = TRUE;
- } else if (QuestionId == KEY_TRANS_SECURE_BOOT_MODE){
- //
- // Secure Boot Policy variable changes after transition. Re-sync CurSecureBootMode
- //
- ExtractSecureBootModeFromVariable(&IfrNvData->CurSecureBootMode);
- mIsSelectedSecureBootModeForm = TRUE;
- mIsSecureBootModeChanged = FALSE;
}
goto EXIT;
}
@@ -3511,12 +3239,7 @@ SecureBootCallback (
Value->u8 = SECURE_BOOT_MODE_STANDARD;
Status = EFI_SUCCESS;
}
- } else if (QuestionId == KEY_TRANS_SECURE_BOOT_MODE) {
- if (mIsSelectedSecureBootModeForm) {
- Value->u8 = IfrNvData->CurSecureBootMode;
- Status = EFI_SUCCESS;
- }
- }
+ }
goto EXIT;
}
@@ -3770,57 +3493,6 @@ SecureBootCallback (
);
}
break;
- case KEY_TRANS_SECURE_BOOT_MODE:
- //
- // Pop up to alert user want to change secure boot mode
- //
- if ((IfrNvData->CurSecureBootMode == SECURE_BOOT_MODE_USER_MODE &&
- (Value->u8 == SECURE_BOOT_MODE_AUDIT_MODE || Value->u8 == SECURE_BOOT_MODE_DEPLOYED_MODE))
- ||(IfrNvData->CurSecureBootMode == SECURE_BOOT_MODE_SETUP_MODE &&
- Value->u8 == SECURE_BOOT_MODE_AUDIT_MODE)
- ||(IfrNvData->CurSecureBootMode == SECURE_BOOT_MODE_DEPLOYED_MODE &&
- Value->u8 == SECURE_BOOT_MODE_USER_MODE && IfrNvData->PhysicalPresent == 1)){
- CreatePopUp (
- EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
- &Key,
- L"Are you sure you want to switch secure boot mode?",
- L"Press 'Y' to switch secure boot mode, 'N' to discard change and return",
- NULL
- );
- if (Key.UnicodeChar != 'y' && Key.UnicodeChar != 'Y') {
- //
- // If not 'Y'/''y' restore to defualt secure boot mode
- //
- Value->u8 = IfrNvData->CurSecureBootMode;
- goto EXIT;
- }
- } else if ((IfrNvData->CurSecureBootMode == SECURE_BOOT_MODE_SETUP_MODE && Value->u8 == SECURE_BOOT_MODE_USER_MODE)
- ||(IfrNvData->CurSecureBootMode == SECURE_BOOT_MODE_USER_MODE && Value->u8 == SECURE_BOOT_MODE_SETUP_MODE)
- ||(IfrNvData->CurSecureBootMode == SECURE_BOOT_MODE_AUDIT_MODE && Value->u8 == SECURE_BOOT_MODE_DEPLOYED_MODE)
- ||(IfrNvData->CurSecureBootMode == SECURE_BOOT_MODE_DEPLOYED_MODE && Value->u8 == SECURE_BOOT_MODE_SETUP_MODE)) {
- CreatePopUp (
- EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
- &Key,
- L"Secure boot mode transition requires PK change",
- L"Please go to link below to update PK",
- NULL
- );
- } else {
- Status = EFI_INVALID_PARAMETER;
- goto EXIT;
- }
-
- Status = SecureBootModeTransition(IfrNvData->CurSecureBootMode, Value->u8);
- //
- // Secure Boot Policy variable may change after transition. Re-sync CurSecureBootMode
- //
- ExtractSecureBootModeFromVariable(&CurSecureBootMode);
- if (IfrNvData->CurSecureBootMode != CurSecureBootMode) {
- IfrNvData->CurSecureBootMode = CurSecureBootMode;
- mIsSecureBootModeChanged = TRUE;
- }
- break;
-
default:
if ((QuestionId >= OPTION_DEL_KEK_QUESTION_ID) &&
(QuestionId < (OPTION_DEL_KEK_QUESTION_ID + OPTION_CONFIG_RANGE))) {
@@ -3889,13 +3561,6 @@ SecureBootCallback (
case KEY_SECURE_BOOT_MODE:
mIsEnterSecureBootForm = FALSE;
break;
- case KEY_TRANS_SECURE_BOOT_MODE:
- mIsSelectedSecureBootModeForm = FALSE;
- if (mIsSecureBootModeChanged) {
- *ActionRequest = EFI_BROWSER_ACTION_REQUEST_RESET;
- }
- mIsSecureBootModeChanged = FALSE;
- break;
case KEY_SECURE_BOOT_KEK_GUID:
case KEY_SECURE_BOOT_SIGNATURE_GUID_DB:
case KEY_SECURE_BOOT_SIGNATURE_GUID_DBX:
@@ -3914,7 +3579,8 @@ SecureBootCallback (
break;
case KEY_SECURE_BOOT_DELETE_PK:
- if (IfrNvData->CurSecureBootMode == SECURE_BOOT_MODE_USER_MODE || IfrNvData->CurSecureBootMode == SECURE_BOOT_MODE_DEPLOYED_MODE) {
+ GetVariable2 (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SetupMode, NULL);
+ if (SetupMode == NULL || (*SetupMode) == SETUP_MODE) {
IfrNvData->DeletePk = TRUE;
IfrNvData->HasPk = FALSE;
*ActionRequest = EFI_BROWSER_ACTION_REQUEST_SUBMIT;
@@ -3923,6 +3589,9 @@ SecureBootCallback (
IfrNvData->HasPk = TRUE;
*ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY;
}
+ if (SetupMode != NULL) {
+ FreePool (SetupMode);
+ }
break;
default:
break;
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h
index cf8dc885de..df4d72ec16 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h
@@ -56,7 +56,6 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#define KEY_HIDE_SECURE_BOOT 0x100c
#define KEY_VALUE_SAVE_AND_EXIT_DBT 0x100d
#define KEY_VALUE_NO_SAVE_AND_EXIT_DBT 0x100e
-#define KEY_TRANS_SECURE_BOOT_MODE 0x100f
#define KEY_SECURE_BOOT_OPTION 0x1100
#define KEY_SECURE_BOOT_PK_OPTION 0x1101
@@ -108,10 +107,6 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#define SECURE_BOOT_GUID_SIZE 36
#define SECURE_BOOT_GUID_STORAGE_SIZE 37
-#define SECURE_BOOT_MODE_USER_MODE 0
-#define SECURE_BOOT_MODE_SETUP_MODE 1
-#define SECURE_BOOT_MODE_AUDIT_MODE 2
-#define SECURE_BOOT_MODE_DEPLOYED_MODE 3
//
// Nv Data structure referenced by IFR
@@ -122,8 +117,6 @@ typedef struct {
CHAR16 SignatureGuid[SECURE_BOOT_GUID_STORAGE_SIZE];
BOOLEAN PhysicalPresent; // If a Physical Present User
UINT8 SecureBootMode; // Secure Boot Mode: Standard Or Custom
- UINT8 CurSecureBootMode; // Current SecureBoot Mode SetupMode/UserMode/AuditMode/DeployedMode
- UINT8 TransSecureBootMode; // Trans Next SecureBoot Mode
BOOLEAN DeletePk;
BOOLEAN HasPk; // If Pk is existed it is true
BOOLEAN AlwaysRevocation; // If the certificate is always revoked. Revocation time is hidden
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
index eedd8b52dd..af6d83b5f8 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
@@ -26,10 +26,6 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#string STR_SECURE_BOOT_PROMPT #language en-US "Attempt Secure Boot"
#string STR_SECURE_BOOT_HELP #language en-US "Enable/Disable the Secure Boot feature after platform reset"
-#string STR_CUR_SECURE_BOOT_MODE_PROMPT #language en-US "Current Secure Boot Mode"
-#string STR_CUR_SECURE_BOOT_MODE_HELP #language en-US "Current Secure Boot Mode: SetupMode/AuditMode/UserMode/DeployedMode."
-#string STR_CUR_SECURE_BOOT_MODE_CONTENT #language en-US " "
-
#string STR_SECURE_BOOT_ENROLL_SIGNATURE #language en-US "Enroll Signature"
#string STR_SECURE_BOOT_DELETE_SIGNATURE #language en-US "Delete Signature"
@@ -60,11 +56,11 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#string STR_FILE_EXPLORER_TITLE #language en-US "File Explorer"
-#string STR_SECURE_BOOT_MODE_PROMPT #language en-US "Customize Secure Boot"
-#string STR_SECURE_BOOT_MODE_HELP #language en-US "Customize Secure Boot: Standard/Customized. Secure Boot Policy variables can be configured without authentication in customized option"
+#string STR_SECURE_BOOT_MODE_PROMPT #language en-US "Secure Boot Mode"
+#string STR_SECURE_BOOT_MODE_HELP #language en-US "Secure Boot Mode: Custom Mode or Standard Mode"
-#string STR_STANDARD_MODE #language en-US "Standard"
-#string STR_CUSTOM_MODE #language en-US "Customized"
+#string STR_STANDARD_MODE #language en-US "Standard Mode"
+#string STR_CUSTOM_MODE #language en-US "Custom Mode"
#string STR_SECURE_BOOT_OPTION #language en-US "Custom Secure Boot Options"
#string STR_SECURE_BOOT_OPTION_HELP #language en-US "Enter into Custom Secure Boot Options Form"
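Review bot: The replacement help text `"Secure Boot Mode: Custom Mode or Standard Mode"` no longer tells the user what choosing Custom Mode implies. The removed string stated that Secure Boot Policy variables can be configured without authentication in that option, which is the security-relevant consequence of the setting. Consider keeping that sentence in the new help, e.g. `"Secure Boot Mode: Standard Mode or Custom Mode. In Custom Mode, Secure Boot Policy variables can be configured without authentication"`.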
@@ -111,11 +107,3 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#string STR_CERT_TYPE_X509_SHA256_GUID #language en-US "X509_SHA256_GUID"
#string STR_CERT_TYPE_X509_SHA384_GUID #language en-US "X509_SHA384_GUID"
#string STR_CERT_TYPE_X509_SHA512_GUID #language en-US "X509_SHA512_GUID"
-
-#string STR_TRANS_SECURE_BOOT_MODE_PROMPT #language en-US "Secure Boot Mode Transition"
-#string STR_TRANS_SECURE_BOOT_MODE_HELP #language en-US "Secure Boot Mode Transition: SetupMode/UserMode/AuditMode/DeployedMode"
-
-#string STR_USER_MODE #language en-US "User Mode"
-#string STR_SETUP_MODE #language en-US "Setup Mode"
-#string STR_AUDIT_MODE #language en-US "Audit Mode"
-#string STR_DEPLOYED_MODE #language en-US "Deployed Mode" \ No newline at end of file