From a365eed476687881ce0ed49af7d483fd3cb0c491 Mon Sep 17 00:00:00 2001
From: Fu Siyuan
Date: Thu, 22 Aug 2013 09:46:03 +0000
Subject: Fix a bug in secure boot configuration driver: Enroll DB/KEK will disable Attempt Secure Boot option.
Signed-off-by: Fu Siyuan
Reviewed-by: Eric Dong
Reviewed-by: Ye Ting
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@14590 6f19259b-4bc3-4df7-8a09-765794883524
---
.../SecureBootConfigDxe/SecureBootConfig.vfr | 27 +++++++++-----
.../SecureBootConfigDxe/SecureBootConfigImpl.c | 43 +++++++++++++++-------
2 files changed, 48 insertions(+), 22 deletions(-)
(limited to 'SecurityPkg')
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
index 656befbb44..9685a9e0c2 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
@@ -65,20 +65,29 @@ formset // // Display of Oneof: 'Secure Boot Mode' // - oneof varid = SECUREBOOT_CONFIGURATION.SecureBootMode, - questionid = KEY_SECURE_BOOT_MODE, - prompt = STRING_TOKEN(STR_SECURE_BOOT_MODE_PROMPT), - help = STRING_TOKEN(STR_SECURE_BOOT_MODE_HELP), - flags = INTERACTIVE, - option text = STRING_TOKEN(STR_STANDARD_MODE), value = SECURE_BOOT_MODE_STANDARD, flags = DEFAULT; - option text = STRING_TOKEN(STR_CUSTOM_MODE), value = SECURE_BOOT_MODE_CUSTOM, flags = 0; - endoneof; + disableif TRUE; + oneof varid = SECUREBOOT_CONFIGURATION.SecureBootMode, + prompt = STRING_TOKEN(STR_SECURE_BOOT_MODE_PROMPT), + help = STRING_TOKEN(STR_SECURE_BOOT_MODE_HELP), + flags = INTERACTIVE, + option text = STRING_TOKEN(STR_STANDARD_MODE), value = SECURE_BOOT_MODE_STANDARD, flags = 0; + option text = STRING_TOKEN(STR_CUSTOM_MODE), value = SECURE_BOOT_MODE_CUSTOM, flags = 0; + endoneof; + endif; + oneof name = SecureBootMode, + questionid = KEY_SECURE_BOOT_MODE, + prompt = STRING_TOKEN(STR_SECURE_BOOT_MODE_PROMPT), + help = STRING_TOKEN(STR_SECURE_BOOT_MODE_HELP), + flags = INTERACTIVE | NUMERIC_SIZE_1, + option text = STRING_TOKEN(STR_STANDARD_MODE), value = SECURE_BOOT_MODE_STANDARD, flags = DEFAULT; + option text = STRING_TOKEN(STR_CUSTOM_MODE), value = SECURE_BOOT_MODE_CUSTOM, flags = 0; + endoneof; // // // Display of 'Current Secure Boot Mode' // - suppressif ideqval SECUREBOOT_CONFIGURATION.SecureBootMode == SECURE_BOOT_MODE_STANDARD; + suppressif questionref(SecureBootMode) == SECURE_BOOT_MODE_STANDARD; grayoutif NOT ideqval SECUREBOOT_CONFIGURATION.PhysicalPresent == 1; goto FORMID_SECURE_BOOT_OPTION_FORM, prompt = STRING_TOKEN(STR_SECURE_BOOT_OPTION), diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c index 659952a63a..e8af62de4a 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c 
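Review bot: The `disableif TRUE;` wrapper around the `oneof varid = SECUREBOOT_CONFIGURATION.SecureBootMode` copy has no comment, so a reader sees two near-identical 'Secure Boot Mode' questions without knowing which one is live or why the disabled one is kept. A comment above it such as `// Disabled copy bound to SECUREBOOT_CONFIGURATION.SecureBootMode; the visible question below has no storage and is filled by the RETRIEVE callback` would help, with the wording adjusted to the real reason, which this hunk does not state. It is also worth recording next to `suppressif questionref(SecureBootMode) == SECURE_BOOT_MODE_STANDARD` that the custom-options link is now gated on the on-screen selection rather than on a stored value, and that `grayoutif NOT ideqval SECUREBOOT_CONFIGURATION.PhysicalPresent == 1` remains the physical-presence check.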
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c @@ -48,6 +48,8 @@ HII_VENDOR_DEVICE_PATH mSecureBootHiiVendorDevicePath = { }; +BOOLEAN mIsEnterSecureBootForm = FALSE; + // // OID ASN.1 Value for Hash Algorithms // @@ -2407,6 +2409,14 @@ SecureBootRouteConfig ( return EFI_NOT_FOUND; } + // + // Get Configuration from Variable. + // + SecureBootExtractConfigFromVariable (&IfrNvData); + + // + // Map the Configuration to the configuration block. + // BufferSize = sizeof (SECUREBOOT_CONFIGURATION); Status = gHiiConfigRouting->ConfigToBlock ( gHiiConfigRouting, @@ -2488,6 +2498,25 @@ SecureBootCallback ( return EFI_INVALID_PARAMETER; } + if (Action == EFI_BROWSER_ACTION_FORM_OPEN) { + if (QuestionId == KEY_SECURE_BOOT_MODE) { + mIsEnterSecureBootForm = TRUE; + } + + return EFI_SUCCESS; + } + + if (Action == EFI_BROWSER_ACTION_RETRIEVE) { + Status = EFI_UNSUPPORTED; + if (QuestionId == KEY_SECURE_BOOT_MODE) { + if (mIsEnterSecureBootForm) { + Value->u8 = SECURE_BOOT_MODE_STANDARD; + Status = EFI_SUCCESS; + } + } + return Status; + } + if ((Action != EFI_BROWSER_ACTION_CHANGED) && (Action != EFI_BROWSER_ACTION_CHANGING) && (Action != EFI_BROWSER_ACTION_FORM_CLOSE) && @@ -2759,19 +2788,7 @@ SecureBootCallback ( break; case KEY_SECURE_BOOT_MODE: - GetVariable2 (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid, (VOID**)&SecureBootMode, NULL); - if (NULL != SecureBootMode) { - Status = gRT->SetVariable ( - EFI_CUSTOM_MODE_NAME, - &gEfiCustomModeEnableGuid, - EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, - sizeof (UINT8), - &Value->u8 - ); - *ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY; - IfrNvData->SecureBootMode = Value->u8; - FreePool (SecureBootMode); - } + mIsEnterSecureBootForm = FALSE; break; case KEY_SECURE_BOOT_KEK_GUID: -- cgit v1.2.3
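Review bot: The comment `Get Configuration from Variable.` above `SecureBootExtractConfigFromVariable (&IfrNvData);` says what the call does but not why it has to run before `ConfigToBlock`. ConfigToBlock only writes the fields named in the Configuration string, so presumably the call is there to give the remaining fields of `IfrNvData` their current variable-backed values instead of whatever the local held; a comment like `// Seed IfrNvData from the variables so fields absent from Configuration keep their current values` would record that. Whether the helper can fail is not visible here, and SecureBootRouteConfig starts and ends outside the hunk.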
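Review bot: `mIsEnterSecureBootForm` drives the new `EFI_BROWSER_ACTION_RETRIEVE` branch but its lifecycle is undocumented: it is set on FORM_OPEN for `KEY_SECURE_BOOT_MODE`, cleared only in the `case KEY_SECURE_BOOT_MODE:` arm further down, and nothing visible in the diff clears it on FORM_CLOSE. While it is TRUE the branch reports `Value->u8 = SECURE_BOOT_MODE_STANDARD` unconditionally, so the form can show Standard even if the CustomMode variable currently holds another value; if that is intended, a comment at the declaration such as `// TRUE from FORM_OPEN until the user changes Secure Boot Mode; RETRIEVE then forces the displayed mode to Standard` would say so. The flag also has external linkage although only this file uses it in the diff, so `STATIC` would fit. SecureBootCallback begins before and continues after this hunk.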
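Review bot: With the `gRT->SetVariable (EFI_CUSTOM_MODE_NAME, ...)` call removed, `case KEY_SECURE_BOOT_MODE:` only clears `mIsEnterSecureBootForm`, and nothing in this diff writes the CustomMode variable any more. If the key-enrollment paths depended on that variable being set when the user picks Custom, they have to set and restore it themselves; that code is outside this patch, so it should be confirmed and stated in a comment here, e.g. `// Mode selection is UI-only; CustomMode is not written from this callback`. The local `SecureBootMode` pointer loses its uses in this hunk, so its declaration should be dropped if no other use remains in SecureBootCallback, since an unused local can fail a warnings-as-errors build.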