From 8f8ca22e594e3a6c313f725fbc7e2b20d75c79fd Mon Sep 17 00:00:00 2001
From: sfu5
Date: Thu, 5 Jul 2012 08:08:12 +0000
Subject: 1. Reset system when user changes secure boot state in secure boot configuration form. 2. Update the method to detect secure boot state in DxeImageVerificationLib and secure boot configuration driver.
Signed-off-by: Fu Siyuan
Reviewed-by: Dong Guo
Reviewed-by: Ye Ting
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13505 6f19259b-4bc3-4df7-8a09-765794883524
---
 .../VariableAuthenticated/RuntimeDxe/AuthService.c | 4 ++--
 .../SecureBootConfigDxe/SecureBootConfig.vfr | 2 +-
 .../SecureBootConfigDxe/SecureBootConfigImpl.c | 22 +++++++++++++++-------
 3 files changed, 18 insertions(+), 10 deletions(-)
(limited to 'SecurityPkg/VariableAuthenticated')
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
index d6df32affc..d1aeab8bfc 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
@@ -323,7 +323,7 @@ AutenticatedVariableServiceInitialize (
   // If "SecureBootEnable" variable is SECURE_BOOT_ENABLE and in USER_MODE, Set "SecureBoot" variable to SECURE_BOOT_MODE_ENABLE.
   // If "SecureBootEnable" variable is SECURE_BOOT_DISABLE, Set "SecureBoot" variable to SECURE_BOOT_MODE_DISABLE.
   //
-  SecureBootEnable = SECURE_BOOT_MODE_DISABLE;
+  SecureBootEnable = SECURE_BOOT_DISABLE;
   FindVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
   if (Variable.CurrPtr != NULL) {
     SecureBootEnable = *(GetVariableDataPtr (Variable.CurrPtr));
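Review bot: The byte read on the hunk's last context line, `SecureBootEnable = *(GetVariableDataPtr (Variable.CurrPtr));`, is accepted without checking the record's data size or the value itself, so a SecureBootEnable record of unexpected length, or one holding anything other than SECURE_BOOT_ENABLE/SECURE_BOOT_DISABLE, presumably flows downstream as if it were a valid state. Now that this hunk separates the SECURE_BOOT_ENABLE/DISABLE constants from the SECURE_BOOT_MODE_* ones, it is the natural place to validate: guard the read with the variable driver's data-size helper, e.g. `if (Variable.CurrPtr != NULL && DataSizeOfVariable (Variable.CurrPtr) == sizeof (UINT8)) {`, and only accept the stored byte when it equals one of the two defined values, falling back to a deliberately chosen default otherwise rather than propagating the raw byte. How SecureBootEnable is consumed afterwards, and the rest of AutenticatedVariableServiceInitialize, lie outside the hunk.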
@@ -331,7 +331,7 @@ AutenticatedVariableServiceInitialize (
     //
     // "SecureBootEnable" not exist, initialize it in USER_MODE.
     //
-    SecureBootEnable = SECURE_BOOT_MODE_ENABLE;
+    SecureBootEnable = SECURE_BOOT_ENABLE;
     Status = UpdateVariable (
                EFI_SECURE_BOOT_ENABLE_NAME,
                &gEfiSecureBootEnableDisableGuid,
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
index 22c03c1288..4e790634da 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
@@ -51,7 +51,7 @@ formset
           questionid = KEY_SECURE_BOOT_ENABLE,
           prompt = STRING_TOKEN(STR_SECURE_BOOT_PROMPT),
           help = STRING_TOKEN(STR_SECURE_BOOT_HELP),
-          flags = INTERACTIVE,
+          flags = INTERACTIVE | RESET_REQUIRED,
      endcheckbox;
    endif;
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
index 0a08479b4b..26fc09d52d 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
@@ -2069,27 +2069,25 @@ SecureBootExtractConfigFromVariable (
 {
   UINT8 *SecureBootEnable;
   UINT8 *SetupMode;
+  UINT8 *SecureBoot;
   UINT8 *SecureBootMode;
 
   SecureBootEnable = NULL;
   SetupMode = NULL;
+  SecureBoot = NULL;
   SecureBootMode = NULL;
 
-  //
-  // Get the SecureBootEnable Variable
-  //
-  GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);
-
   //
   // If the SecureBootEnable Variable doesn't exist, hide the SecureBoot Enable/Disable
   // Checkbox.
   //
+  GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);
   if (SecureBootEnable == NULL) {
     ConfigData->HideSecureBoot = TRUE;
   } else {
     ConfigData->HideSecureBoot = FALSE;
-    ConfigData->SecureBootState = *SecureBootEnable;
   }
+
   //
   // If it is Physical Presence User, set the PhysicalPresent to true.
   //
@@ -2103,11 +2101,21 @@ SecureBootExtractConfigFromVariable (
   // If there is no PK then the Delete Pk button will be gray.
   //
   GetVariable2 (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SetupMode, NULL);
-  if (SetupMode == NULL || (*SetupMode) == 1) {
+  if (SetupMode == NULL || (*SetupMode) == SETUP_MODE) {
     ConfigData->HasPk = FALSE;
   } else {
     ConfigData->HasPk = TRUE;
   }
+
+  //
+  // If the value of SecureBoot variable is 1, the platform is operating in secure boot mode.
+  //
+  GetVariable2 (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SecureBoot, NULL);
+  if (SecureBoot != NULL && *SecureBoot == SECURE_BOOT_MODE_ENABLE) {
+    ConfigData->SecureBootState = TRUE;
+  } else {
+    ConfigData->SecureBootState = FALSE;
+  }
 
   //
   // Get the SecureBootMode from CustomMode variable.
-- 
cgit v1.2.3
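Review bot: The buffer GetVariable2 allocates for `SecureBoot` in the second hunk of this file is never released in the visible code, and the diffstat's 15 insertions for SecureBootConfigImpl.c are fully accounted for by these two hunks, so the cleanup at the end of SecureBootExtractConfigFromVariable (outside the hunk) was not extended for the new pointer declared in the first hunk; unless that tail frees it by some other route, every extract leaks one pool allocation. Add `if (SecureBoot != NULL) { FreePool (SecureBoot); }` wherever the SecureBootEnable, SetupMode and SecureBootMode buffers are released. Separately, both GetVariable2 calls here pass NULL for the size and then dereference the first byte, so the SETUP_MODE and SECURE_BOOT_MODE_ENABLE comparisons are made regardless of the variable's actual length; requesting the size and requiring it to be sizeof (UINT8) before comparing would make these checks robust to an ill-formed variable.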