From beda2356f5128efa4461046f882b6516ece6afc7 Mon Sep 17 00:00:00 2001
From: qianouyang <qianouyang@6f19259b-4bc3-4df7-8a09-765794883524>
Date: Fri, 28 Oct 2011 03:46:20 +0000
Subject: Enable/Disable Secured Boot by 'Secure Boot Configuration' Page which
 is under Setup browser.

Signed-off-by: qianouyang
Reviewed-by: gdong1

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@12586 6f19259b-4bc3-4df7-8a09-765794883524
---
 .../VariableAuthenticated/RuntimeDxe/AuthService.c | 96 ++++++++++++++++++++--
 .../RuntimeDxe/VariableRuntimeDxe.inf              |  3 +-
 .../RuntimeDxe/VariableSmm.inf                     |  3 +-
 3 files changed, 93 insertions(+), 9 deletions(-)

(limited to 'SecurityPkg/VariableAuthenticated/RuntimeDxe')

diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
index fc23bb5212..ff5c653912 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
@@ -69,11 +69,15 @@ AutenticatedVariableServiceInitialize (
 {
   EFI_STATUS              Status;
   VARIABLE_POINTER_TRACK  Variable;
+  VARIABLE_POINTER_TRACK  Variable2;
   UINT8                   VarValue;
   UINT32                  VarAttr;
   UINT8                   *Data;
   UINTN                   DataSize;
   UINTN                   CtxSize;
+  UINT8                   SecureBootMode;
+  UINT8                   SecureBootEnable;
+  
   //
   // Initialize hash context.
   //
@@ -146,10 +150,10 @@ AutenticatedVariableServiceInitialize (
     Status = FindVariable (
                EFI_PLATFORM_KEY_NAME, 
                &gEfiGlobalVariableGuid, 
-               &Variable, 
+               &Variable2, 
                &mVariableModuleGlobal->VariableGlobal
                );
-    if (Variable.CurrPtr == NULL) {
+    if (Variable2.CurrPtr == NULL) {
       mPlatformMode = SETUP_MODE;
     } else {
       mPlatformMode = USER_MODE;
@@ -184,6 +188,7 @@ AutenticatedVariableServiceInitialize (
              &mVariableModuleGlobal->VariableGlobal
              );
 
+
   if (Variable.CurrPtr == NULL) {
     VarAttr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS;
     Status  = UpdateVariable (
@@ -198,7 +203,37 @@ AutenticatedVariableServiceInitialize (
                 NULL
                 );
   }
-  
+
+  //
+  // If "SecureBootEnable" variable exists, then update "SecureBoot" variable.
+  // If "SecureBootEnable" variable is SECURE_BOOT_ENABLE, Set "SecureBoot" variable to SECURE_BOOT_MODE_ENABLE.
+  // If "SecureBootEnable" variable is SECURE_BOOT_DISABLE, Set "SecureBoot" variable to SECURE_BOOT_MODE_DISABLE.
+  //
+  FindVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal);
+  if (Variable.CurrPtr != NULL) {
+    SecureBootEnable = *(GetVariableDataPtr (Variable.CurrPtr));
+    if (SecureBootEnable == SECURE_BOOT_ENABLE) {
+      SecureBootMode = SECURE_BOOT_MODE_ENABLE;
+    } else {
+      SecureBootMode = SECURE_BOOT_MODE_DISABLE;
+    }
+    FindVariable (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal);
+    Status = UpdateVariable (
+               EFI_SECURE_BOOT_MODE_NAME, 
+               &gEfiGlobalVariableGuid, 
+               &SecureBootMode, 
+               sizeof(UINT8), 
+               EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS, 
+               0, 
+               0, 
+               &Variable,
+               NULL
+               );
+    if (EFI_ERROR (Status)) {
+      return Status;
+    }
+  }
+
   //
   // Detect whether a secure platform-specific method to clear PK(Platform Key)
   // is configured by platform owner. This method is provided for users force to clear PK 
@@ -445,7 +480,9 @@ UpdatePlatformMode (
   VARIABLE_POINTER_TRACK  Variable;
   UINT32                  VarAttr;
   UINT8                   SecureBootMode;
-
+  UINT8                   SecureBootEnable;
+  UINTN                   VariableDataSize;
+  
   Status = FindVariable (
              EFI_SETUP_MODE_NAME, 
              &gEfiGlobalVariableGuid, 
@@ -457,7 +494,7 @@ UpdatePlatformMode (
   }
 
   mPlatformMode  = Mode;
-  VarAttr        = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS;
+  VarAttr        = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS;
   Status         = UpdateVariable (
                      EFI_SETUP_MODE_NAME,
                      &gEfiGlobalVariableGuid,
@@ -501,8 +538,8 @@ UpdatePlatformMode (
     }
   }
 
-  VarAttr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS;
-  return    UpdateVariable (
+  VarAttr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS;
+  Status  = UpdateVariable (
               EFI_SECURE_BOOT_MODE_NAME,
               &gEfiGlobalVariableGuid,
               &SecureBootMode,
@@ -513,6 +550,51 @@ UpdatePlatformMode (
               &Variable,
               NULL
               );
+
+  if (EFI_ERROR (Status)) {
+    return Status;
+  }
+
+  //
+  // Check "SecureBootEnable" variable's existence. It can enable/disable secure boot feature.
+  //
+  Status = FindVariable (
+             EFI_SECURE_BOOT_ENABLE_NAME, 
+             &gEfiSecureBootEnableDisableGuid, 
+             &Variable, 
+             &mVariableModuleGlobal->VariableGlobal
+             );
+ 
+  if (SecureBootMode == SECURE_BOOT_MODE_ENABLE) {
+    //
+    // Create the "SecureBootEnable" variable as secure boot is enabled.
+    //
+    SecureBootEnable = SECURE_BOOT_ENABLE;
+    VariableDataSize = sizeof (SecureBootEnable);
+  } else {
+    //
+    // Delete the "SecureBootEnable" variable if this variable exist as "SecureBoot" 
+    // variable is not in secure boot state.
+    //
+    if (Variable.CurrPtr == NULL || EFI_ERROR (Status)) {
+      return EFI_SUCCESS;
+    }
+    SecureBootEnable = SECURE_BOOT_DISABLE;
+    VariableDataSize = 0;
+  }
+  
+  Status = UpdateVariable (
+             EFI_SECURE_BOOT_ENABLE_NAME, 
+             &gEfiSecureBootEnableDisableGuid, 
+             &SecureBootEnable, 
+             VariableDataSize, 
+             EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, 
+             0, 
+             0, 
+             &Variable,
+             NULL
+             );
+  return Status;
 }
 
 /**
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
index 5b2689efdb..d2a2025b66 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
@@ -71,7 +71,8 @@
   gEfiImageSecurityDatabaseGuid
   gEfiCertX509Guid
   gEfiCertPkcs7Guid
-  gEfiCertRsa2048Guid  
+  gEfiCertRsa2048Guid
+  gEfiSecureBootEnableDisableGuid
 
 [Pcd]
   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf
index 01bda726d0..86f6e92347 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf
@@ -76,7 +76,8 @@
   gEfiImageSecurityDatabaseGuid
   gEfiCertX509Guid
   gEfiCertPkcs7Guid
-  gEfiCertRsa2048Guid  
+  gEfiCertRsa2048Guid
+  gEfiSecureBootEnableDisableGuid
 
 [Pcd]
   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize
-- 
cgit v1.2.3