-rw-r--r--OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.c35
-rw-r--r--OvmfPkg/OvmfPkgIa32.dsc3
-rw-r--r--OvmfPkg/OvmfPkgIa32.fdf5
-rw-r--r--OvmfPkg/OvmfPkgIa32X64.dsc3
-rw-r--r--OvmfPkg/OvmfPkgIa32X64.fdf3
-rw-r--r--OvmfPkg/OvmfPkgX64.dsc3
-rw-r--r--OvmfPkg/OvmfPkgX64.fdf3
7 files changed, 20 insertions, 35 deletions
diff --git a/OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.c b/OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.c
index 956ff9e2c5..de0e4fa938 100644
--- a/OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.c
+++ b/OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.c
@@ -15,36 +15,19 @@
/**
- This function detects whether a secure platform-specific method to clear PK(Platform Key)
- is configured by platform owner. This method is provided for users force to clear PK
- in case incorrect enrollment mis-haps.
+ This function provides a platform-specific method to detect whether the platform
+ is operating by a physically present user.
- UEFI231 spec chapter 27.5.2 stipulates: The platform key may also be cleared using
- a secure platform-specific method. In this case, the global variable SetupMode
- must also be updated to 1.
+ Programmatic changing of platform security policy (such as disable Secure Boot,
+ or switch between Standard/Custom Secure Boot mode) MUST NOT be possible during
+ Boot Services or after exiting EFI Boot Services. Only a physically present user
+ is allowed to perform these operations.
NOTE THAT: This function cannot depend on any EFI Variable Service since they are
not available when this function is called in AuthenticateVariable driver.
-
- @retval TRUE The Platform owner wants to force clear PK.
- @retval FALSE The Platform owner doesn't want to force clear PK.
-
-**/
-BOOLEAN
-EFIAPI
-ForceClearPK (
- VOID
- )
-{
- return TRUE;
-}
-
-/**
-
- This function detects whether current platform is operated by a physical present user.
-
- @retval TRUE The Platform is operated by a physical present user.
- @retval FALSE The Platform is NOT operated by a physical persent user.
+
+ @retval TRUE The platform is operated by a physically present user.
+ @retval FALSE The platform is NOT operated by a physically present user.
**/
BOOLEAN
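Review bot: The new description at the top of the hunk says the platform `is operating by a physically present user`; it should read `is operated by a physically present user`, matching the @retval wording added further down. The comment now asserts that programmatic changes to the security policy MUST NOT be possible, but it does not say what signal this library consults to establish physical presence, and the body of UserPhysicalPresent lies outside the hunk (only its return type is visible on the last line). If the implementation returns a fixed value, as virtual platforms often do, the description should say so explicitly, e.g. `On this virtual platform no presence signal is consulted; a TRUE result is a policy default, not evidence of an interactive user.`, and otherwise it should name the signal checked, so that callers in the authenticated-variable path know what the check actually proves.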
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 2b0011cf55..c7d50e4718 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -340,8 +340,6 @@
MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
<LibraryClasses>
NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
- BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
- OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
}
!else
MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
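Review bot: With the per-module `BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf` and `OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf` overrides removed from the SecurityStubDxe block, DxeImageVerificationLib now resolves its crypto through the global [LibraryClasses] mapping, which is not visible in this hunk; please confirm that mapping selects a DXE-phase BaseCryptLib instance rather than the RuntimeCryptLib that the next hunk keeps for VariableRuntimeDxe, since image verification runs in DXE. The same removal appears in OvmfPkgIa32X64.dsc and OvmfPkgX64.dsc. A one-line comment above the `NULL|` entry, such as `# BaseCryptLib/OpensslLib resolve via the global [LibraryClasses] mapping`, would make the intended resolution explicit for the next reader.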
@@ -494,4 +492,5 @@
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
}
+ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
!endif
diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
index 235e322777..eda00ce097 100644
--- a/OvmfPkg/OvmfPkgIa32.fdf
+++ b/OvmfPkg/OvmfPkgIa32.fdf
@@ -1,7 +1,7 @@
## @file
# Open Virtual Machine Firmware: FDF
#
-# Copyright (c) 2006 - 2011, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2006 - 2012, Intel Corporation. All rights reserved.<BR>
#
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
@@ -167,11 +167,14 @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf
INF OvmfPkg/BlockMmioToBlockIoDxe/BlockIo.inf
INF OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.inf
INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
+
!if $(SECURE_BOOT_ENABLE) == TRUE
INF SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
+ INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
!else
INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
!endif
+
INF MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf
INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 3b8257daa2..df3b24a4b1 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -342,8 +342,6 @@
MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
<LibraryClasses>
NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
- BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
- OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
}
!else
MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
@@ -496,4 +494,5 @@
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
}
+ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
!endif
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index 2351e563ab..7c98a6a2a8 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -1,7 +1,7 @@
## @file
# Open Virtual Machine Firmware: FDF
#
-# Copyright (c) 2006 - 2011, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2006 - 2012, Intel Corporation. All rights reserved.<BR>
#
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
@@ -170,6 +170,7 @@ INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
!if $(SECURE_BOOT_ENABLE) == TRUE
INF SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
+ INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
!else
INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
!endif
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 2c174ba05b..eec0f1b07d 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -341,8 +341,6 @@
MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
<LibraryClasses>
NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
- BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
- OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
}
!else
MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
@@ -495,4 +493,5 @@
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
}
+ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
!endif
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index 16f21fe3c8..4908298448 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -1,7 +1,7 @@
## @file
# Open Virtual Machine Firmware: FDF
#
-# Copyright (c) 2006 - 2011, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2006 - 2012, Intel Corporation. All rights reserved.<BR>
#
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
@@ -170,6 +170,7 @@ INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
!if $(SECURE_BOOT_ENABLE) == TRUE
INF SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
+ INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
!else
INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
!endif