From beda2356f5128efa4461046f882b6516ece6afc7 Mon Sep 17 00:00:00 2001 From: qianouyang Date: Fri, 28 Oct 2011 03:46:20 +0000 Subject: Enable/Disable Secured Boot by 'Secure Boot Configuration' Page which is under Setup browser. Signed-off-by: qianouyang Reviewed-by: gdong1 git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@12586 6f19259b-4bc3-4df7-8a09-765794883524 --- .../Include/Guid/AuthenticatedVariableFormat.h | 12 + SecurityPkg/Include/Guid/SecureBootConfigHii.h | 26 ++ .../DxeImageVerificationLib.c | 19 +- .../DxeImageVerificationLib.h | 1 + .../DxeImageVerificationLib.inf | 1 + SecurityPkg/SecurityPkg.dec | 8 +- SecurityPkg/SecurityPkg.dsc | 3 +- .../VariableAuthenticated/RuntimeDxe/AuthService.c | 96 ++++- .../RuntimeDxe/VariableRuntimeDxe.inf | 3 +- .../RuntimeDxe/VariableSmm.inf | 3 +- .../SecureBootConfigDxe/SecureBootConfig.vfr | 50 +++ .../SecureBootConfigDxe/SecureBootConfigDriver.c | 133 +++++++ .../SecureBootConfigDxe/SecureBootConfigDxe.inf | 65 ++++ .../SecureBootConfigDxe/SecureBootConfigImpl.c | 393 +++++++++++++++++++++ .../SecureBootConfigDxe/SecureBootConfigImpl.h | 190 ++++++++++ .../SecureBootConfigDxe/SecureBootConfigNvData.h | 34 ++ .../SecureBootConfigStrings.uni | Bin 0 -> 2054 bytes 17 files changed, 1025 insertions(+), 12 deletions(-) create mode 100644 SecurityPkg/Include/Guid/SecureBootConfigHii.h create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDriver.c create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni (limited to 'SecurityPkg') diff --git a/SecurityPkg/Include/Guid/AuthenticatedVariableFormat.h b/SecurityPkg/Include/Guid/AuthenticatedVariableFormat.h index 245339c3df..7ff469779c 100644 --- a/SecurityPkg/Include/Guid/AuthenticatedVariableFormat.h +++ b/SecurityPkg/Include/Guid/AuthenticatedVariableFormat.h @@ -21,7 +21,19 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #define EFI_AUTHENTICATED_VARIABLE_GUID \ { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 } } +#define EFI_SECURE_BOOT_ENABLE_DISABLE \ + { 0xf0a30bc7, 0xaf08, 0x4556, { 0x99, 0xc4, 0x0, 0x10, 0x9, 0xc9, 0x3a, 0x44 } } + + extern EFI_GUID gEfiAuthenticatedVariableGuid; +extern EFI_GUID gEfiSecureBootEnableDisableGuid; + +/// +/// "SecureBootEnable" variable for the Secure boot feature enable/disable. +/// +#define EFI_SECURE_BOOT_ENABLE_NAME L"SecureBootEnable" +#define SECURE_BOOT_ENABLE 1 +#define SECURE_BOOT_DISABLE 0 /// /// Alignment of variable name and data, according to the architecture: diff --git a/SecurityPkg/Include/Guid/SecureBootConfigHii.h b/SecurityPkg/Include/Guid/SecureBootConfigHii.h new file mode 100644 index 0000000000..5f162486f4 --- /dev/null +++ b/SecurityPkg/Include/Guid/SecureBootConfigHii.h @@ -0,0 +1,26 @@ +/** @file + GUIDs used as HII FormSet and HII Package list GUID in SecureBootConfigDxe driver. + +Copyright (c) 2011, Intel Corporation. All rights reserved.
+This program and the accompanying materials are licensed and made available under +the terms and conditions of the BSD License that accompanies this distribution. +The full text of the license may be found at +http://opensource.org/licenses/bsd-license.php. + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#ifndef __SECUREBOOT_CONFIG_HII_GUID_H__ +#define __SECUREBOOT_CONFIG_HII_GUID_H__ + +#define SECUREBOOT_CONFIG_FORM_SET_GUID \ + { \ + 0x5daf50a5, 0xea81, 0x4de2, {0x8f, 0x9b, 0xca, 0xbd, 0xa9, 0xcf, 0x5c, 0x14} \ + } + + +extern EFI_GUID gSecureBootConfigFormSetGuid; + +#endif diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c index dab35d5f6c..7bc3cc0ec0 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -1117,7 +1117,6 @@ DxeImageVerificationHandler ( IN VOID *FileBuffer, IN UINTN FileSize ) - { EFI_STATUS Status; UINT16 Magic; @@ -1130,6 +1129,7 @@ DxeImageVerificationHandler ( EFI_IMAGE_EXECUTION_ACTION Action; WIN_CERTIFICATE *WinCertificate; UINT32 Policy; + UINT8 *SecureBootEnable; if (File == NULL) { return EFI_INVALID_PARAMETER; @@ -1173,6 +1173,23 @@ DxeImageVerificationHandler ( } else if (Policy == NEVER_EXECUTE) { return EFI_ACCESS_DENIED; } + + SecureBootEnable = GetVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid); + // + // Skip verification if SecureBootEnable variable doesn't exist. + // + if (SecureBootEnable == NULL) { + return EFI_SUCCESS; + } + + // + // Skip verification if SecureBootEnable is disabled. + // + if (*SecureBootEnable == SECURE_BOOT_DISABLE) { + FreePool (SecureBootEnable); + return EFI_SUCCESS; + } + SetupMode = GetEfiGlobalVariable (EFI_SETUP_MODE_NAME); // diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.h b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.h index 34ed0c89a1..2cd1f87468 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.h +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.h @@ -34,6 +34,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #include #include #include +#include #include #define EFI_CERT_TYPE_RSA2048_SHA256_SIZE 256 diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf index 5874d6b66b..1dda6774fa 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf @@ -62,6 +62,7 @@ gEfiCertSha256Guid gEfiCertX509Guid gEfiCertRsa2048Guid + gEfiSecureBootEnableDisableGuid [Pcd] gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index f4605ec1b0..4ed4f406d9 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -35,6 +35,9 @@ # Include/Guid/AuthenticatedVariableFormat.h gEfiAuthenticatedVariableGuid = { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 } } + # Include/Guid/AuthenticatedVariableFormat.h + gEfiSecureBootEnableDisableGuid = { 0xf0a30bc7, 0xaf08, 0x4556, { 0x99, 0xc4, 0x0, 0x10, 0x9, 0xc9, 0x3a, 0x44 } } + ## Include/Guid/TcgEventHob.h gTcgEventEntryHobGuid = { 0x2e3044ac, 0x879f, 0x490f, {0x97, 0x60, 0xbb, 0xdf, 0xaf, 0x69, 0x5f, 0x50 }} @@ -55,7 +58,10 @@ ## Include/Guid/TcgConfigHii.h gTcgConfigFormSetGuid = { 0xb0f901e4, 0xc424, 0x45de, { 0x90, 0x81, 0x95, 0xe2, 0xb, 0xde, 0x6f, 0xb5 }} - + + ## Include/Guid/SecureBootConfigHii.h + gSecureBootConfigFormSetGuid = { 0x5daf50a5, 0xea81, 0x4de2, {0x8f, 0x9b, 0xca, 0xbd, 0xa9, 0xcf, 0x5c, 0x14}} + [Ppis] ## Include/Ppi/LockPhysicalPresence.h gPeiLockPhysicalPresencePpiGuid = { 0xef9aefe5, 0x2bd3, 0x4031, { 0xaf, 0x7d, 0x5e, 0xfe, 0x5a, 0xbb, 0x9a, 0xd } } diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index 0600a5f141..708ed54b0b 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc @@ -104,7 +104,8 @@ PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf } SecurityPkg/Tcg/TcgSmm/TcgSmm.inf - + SecurityPkg\VariableAuthenticated\SecureBootConfigDxe\SecureBootConfigDxe.inf + [Components.IA32, Components.X64] SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf { diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c index fc23bb5212..ff5c653912 100644 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c @@ -69,11 +69,15 @@ AutenticatedVariableServiceInitialize ( { EFI_STATUS Status; VARIABLE_POINTER_TRACK Variable; + VARIABLE_POINTER_TRACK Variable2; UINT8 VarValue; UINT32 VarAttr; UINT8 *Data; UINTN DataSize; UINTN CtxSize; + UINT8 SecureBootMode; + UINT8 SecureBootEnable; + // // Initialize hash context. // @@ -146,10 +150,10 @@ AutenticatedVariableServiceInitialize ( Status = FindVariable ( EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid, - &Variable, + &Variable2, &mVariableModuleGlobal->VariableGlobal ); - if (Variable.CurrPtr == NULL) { + if (Variable2.CurrPtr == NULL) { mPlatformMode = SETUP_MODE; } else { mPlatformMode = USER_MODE; @@ -184,6 +188,7 @@ AutenticatedVariableServiceInitialize ( &mVariableModuleGlobal->VariableGlobal ); + if (Variable.CurrPtr == NULL) { VarAttr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS; Status = UpdateVariable ( @@ -198,7 +203,37 @@ AutenticatedVariableServiceInitialize ( NULL ); } - + + // + // If "SecureBootEnable" variable exists, then update "SecureBoot" variable. + // If "SecureBootEnable" variable is SECURE_BOOT_ENABLE, Set "SecureBoot" variable to SECURE_BOOT_MODE_ENABLE. + // If "SecureBootEnable" variable is SECURE_BOOT_DISABLE, Set "SecureBoot" variable to SECURE_BOOT_MODE_DISABLE. + // + FindVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal); + if (Variable.CurrPtr != NULL) { + SecureBootEnable = *(GetVariableDataPtr (Variable.CurrPtr)); + if (SecureBootEnable == SECURE_BOOT_ENABLE) { + SecureBootMode = SECURE_BOOT_MODE_ENABLE; + } else { + SecureBootMode = SECURE_BOOT_MODE_DISABLE; + } + FindVariable (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal); + Status = UpdateVariable ( + EFI_SECURE_BOOT_MODE_NAME, + &gEfiGlobalVariableGuid, + &SecureBootMode, + sizeof(UINT8), + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS, + 0, + 0, + &Variable, + NULL + ); + if (EFI_ERROR (Status)) { + return Status; + } + } + // // Detect whether a secure platform-specific method to clear PK(Platform Key) // is configured by platform owner. This method is provided for users force to clear PK @@ -445,7 +480,9 @@ UpdatePlatformMode ( VARIABLE_POINTER_TRACK Variable; UINT32 VarAttr; UINT8 SecureBootMode; - + UINT8 SecureBootEnable; + UINTN VariableDataSize; + Status = FindVariable ( EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, @@ -457,7 +494,7 @@ UpdatePlatformMode ( } mPlatformMode = Mode; - VarAttr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS; + VarAttr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS; Status = UpdateVariable ( EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, @@ -501,8 +538,8 @@ UpdatePlatformMode ( } } - VarAttr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS; - return UpdateVariable ( + VarAttr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS; + Status = UpdateVariable ( EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid, &SecureBootMode, @@ -513,6 +550,51 @@ UpdatePlatformMode ( &Variable, NULL ); + + if (EFI_ERROR (Status)) { + return Status; + } + + // + // Check "SecureBootEnable" variable's existence. It can enable/disable secure boot feature. + // + Status = FindVariable ( + EFI_SECURE_BOOT_ENABLE_NAME, + &gEfiSecureBootEnableDisableGuid, + &Variable, + &mVariableModuleGlobal->VariableGlobal + ); + + if (SecureBootMode == SECURE_BOOT_MODE_ENABLE) { + // + // Create the "SecureBootEnable" variable as secure boot is enabled. + // + SecureBootEnable = SECURE_BOOT_ENABLE; + VariableDataSize = sizeof (SecureBootEnable); + } else { + // + // Delete the "SecureBootEnable" variable if this variable exist as "SecureBoot" + // variable is not in secure boot state. + // + if (Variable.CurrPtr == NULL || EFI_ERROR (Status)) { + return EFI_SUCCESS; + } + SecureBootEnable = SECURE_BOOT_DISABLE; + VariableDataSize = 0; + } + + Status = UpdateVariable ( + EFI_SECURE_BOOT_ENABLE_NAME, + &gEfiSecureBootEnableDisableGuid, + &SecureBootEnable, + VariableDataSize, + EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, + 0, + 0, + &Variable, + NULL + ); + return Status; } /** diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf index 5b2689efdb..d2a2025b66 100644 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf @@ -71,7 +71,8 @@ gEfiImageSecurityDatabaseGuid gEfiCertX509Guid gEfiCertPkcs7Guid - gEfiCertRsa2048Guid + gEfiCertRsa2048Guid + gEfiSecureBootEnableDisableGuid [Pcd] gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf index 01bda726d0..86f6e92347 100644 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf @@ -76,7 +76,8 @@ gEfiImageSecurityDatabaseGuid gEfiCertX509Guid gEfiCertPkcs7Guid - gEfiCertRsa2048Guid + gEfiCertRsa2048Guid + gEfiSecureBootEnableDisableGuid [Pcd] gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr new file mode 100644 index 0000000000..fbf5e2eae1 --- /dev/null +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr @@ -0,0 +1,50 @@ +/** @file + VFR file used by the SecureBoot configuration component. + +Copyright (c) 2011, Intel Corporation. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD License +which accompanies this distribution. The full text of the license may be found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#include "SecureBootConfigNvData.h" + +formset + guid = SECUREBOOT_CONFIG_FORM_SET_GUID, + title = STRING_TOKEN(STR_SECUREBOOT_TITLE), + help = STRING_TOKEN(STR_SECUREBOOT_HELP), + classguid = EFI_HII_PLATFORM_SETUP_FORMSET_GUID, + + varstore SECUREBOOT_CONFIGURATION, + varid = SECUREBOOT_CONFIGURATION_VARSTORE_ID, + name = SECUREBOOT_CONFIGURATION, + guid = SECUREBOOT_CONFIG_FORM_SET_GUID; + + form formid = SECUREBOOT_CONFIGURATION_FORM_ID, + title = STRING_TOKEN(STR_SECUREBOOT_TITLE); + + subtitle text = STRING_TOKEN(STR_NULL); + + suppressif TRUE; + checkbox varid = SECUREBOOT_CONFIGURATION.HideSecureBoot, + prompt = STRING_TOKEN(STR_NULL), + help = STRING_TOKEN(STR_NULL), + endcheckbox; + endif; + + grayoutif ideqval SECUREBOOT_CONFIGURATION.HideSecureBoot == 1; + checkbox varid = SECUREBOOT_CONFIGURATION.SecureBootState, + questionid = KEY_SECURE_BOOT_ENABLE, + prompt = STRING_TOKEN(STR_SECURE_BOOT_PROMPT), + help = STRING_TOKEN(STR_SECURE_BOOT_HELP), + endcheckbox; + endif; + + endform; + +endformset; diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDriver.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDriver.c new file mode 100644 index 0000000000..1d6c4ac6e8 --- /dev/null +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDriver.c @@ -0,0 +1,133 @@ +/** @file + The module entry point for SecureBoot configuration module. + +Copyright (c) 2011, Intel Corporation. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD License +which accompanies this distribution. The full text of the license may be found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#include "SecureBootConfigImpl.h" + +/** + The entry point for SecureBoot configuration driver. + + @param[in] ImageHandle The image handle of the driver. + @param[in] SystemTable The system table. + + @retval EFI_ALREADY_STARTED The driver already exists in system. + @retval EFI_OUT_OF_RESOURCES Fail to execute entry point due to lack of resources. + @retval EFI_SUCCES All the related protocols are installed on the driver. + @retval Others Fail to get the SecureBootEnable variable. + +**/ +EFI_STATUS +EFIAPI +SecureBootConfigDriverEntryPoint ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + EFI_STATUS Status; + SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData; + + // + // If already started, return. + // + Status = gBS->OpenProtocol ( + ImageHandle, + &gEfiCallerIdGuid, + NULL, + ImageHandle, + ImageHandle, + EFI_OPEN_PROTOCOL_TEST_PROTOCOL + ); + if (!EFI_ERROR (Status)) { + return EFI_ALREADY_STARTED; + } + + // + // Create a private data structure. + // + PrivateData = AllocateCopyPool (sizeof (SECUREBOOT_CONFIG_PRIVATE_DATA), &mSecureBootConfigPrivateDateTemplate); + if (PrivateData == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + // + // Install SecureBoot configuration form + // + Status = InstallSecureBootConfigForm (PrivateData); + if (EFI_ERROR (Status)) { + goto ErrorExit; + } + + // + // Install private GUID. + // + Status = gBS->InstallMultipleProtocolInterfaces ( + &ImageHandle, + &gEfiCallerIdGuid, + PrivateData, + NULL + ); + + if (EFI_ERROR (Status)) { + goto ErrorExit; + } + + return EFI_SUCCESS; + +ErrorExit: + if (PrivateData != NULL) { + UninstallSecureBootConfigForm (PrivateData); + } + + return Status; +} + +/** + Unload the SecureBoot configuration form. + + @param[in] ImageHandle The driver's image handle. + + @retval EFI_SUCCESS The SecureBoot configuration form is unloaded. + @retval Others Failed to unload the form. + +**/ +EFI_STATUS +EFIAPI +SecureBootConfigDriverUnload ( + IN EFI_HANDLE ImageHandle + ) +{ + EFI_STATUS Status; + SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData; + + Status = gBS->HandleProtocol ( + ImageHandle, + &gEfiCallerIdGuid, + (VOID **) &PrivateData + ); + if (EFI_ERROR (Status)) { + return Status; + } + + ASSERT (PrivateData->Signature == SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE); + + gBS->UninstallMultipleProtocolInterfaces ( + &ImageHandle, + &gEfiCallerIdGuid, + PrivateData, + NULL + ); + + UninstallSecureBootConfigForm (PrivateData); + + return EFI_SUCCESS; +} diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf new file mode 100644 index 0000000000..b0254da30e --- /dev/null +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf @@ -0,0 +1,65 @@ +## @file +# Component name for SecureBoot configuration module. +# +# Copyright (c) 2011, Intel Corporation. All rights reserved.
+# This program and the accompanying materials +# are licensed and made available under the terms and conditions of the BSD License +# which accompanies this distribution. The full text of the license may be found at +# http://opensource.org/licenses/bsd-license.php +# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. +# +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = SecureBootConfigDxe + FILE_GUID = F0E6A44F-7195-41c3-AC64-54F202CD0A21 + MODULE_TYPE = DXE_DRIVER + VERSION_STRING = 1.0 + ENTRY_POINT = SecureBootConfigDriverEntryPoint + UNLOAD_IMAGE = SecureBootConfigDriverUnload + +# +# VALID_ARCHITECTURES = IA32 X64 IPF EBC +# + +[Sources] + SecureBootConfigDriver.c + SecureBootConfigImpl.c + SecureBootConfigImpl.h + SecureBootConfig.vfr + SecureBootConfigStrings.uni + SecureBootConfigNvData.h + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + MemoryAllocationLib + UefiLib + UefiBootServicesTableLib + UefiRuntimeServicesTableLib + UefiDriverEntryPoint + UefiHiiServicesLib + DebugLib + HiiLib + +[Guids] + gEfiIfrTianoGuid + gEfiSecureBootEnableDisableGuid + gSecureBootConfigFormSetGuid + +[Protocols] + gEfiHiiConfigAccessProtocolGuid ## PRODUCES + gEfiHiiConfigRoutingProtocolGuid ## CONSUMES + +[Depex] + gEfiHiiConfigRoutingProtocolGuid AND + gEfiHiiDatabaseProtocolGuid AND + gEfiVariableArchProtocolGuid AND + gEfiVariableWriteArchProtocolGuid diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c new file mode 100644 index 0000000000..f0a3f07637 --- /dev/null +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c @@ -0,0 +1,393 @@ +/** @file + HII Config Access protocol implementation of SecureBoot configuration module. + +Copyright (c) 2011, Intel Corporation. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD License +which accompanies this distribution. The full text of the license may be found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#include "SecureBootConfigImpl.h" + +CHAR16 mSecureBootStorageName[] = L"SECUREBOOT_CONFIGURATION"; + +SECUREBOOT_CONFIG_PRIVATE_DATA mSecureBootConfigPrivateDateTemplate = { + SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE, + { + SecureBootExtractConfig, + SecureBootRouteConfig, + SecureBootCallback + } +}; + +HII_VENDOR_DEVICE_PATH mSecureBootHiiVendorDevicePath = { + { + { + HARDWARE_DEVICE_PATH, + HW_VENDOR_DP, + { + (UINT8) (sizeof (VENDOR_DEVICE_PATH)), + (UINT8) ((sizeof (VENDOR_DEVICE_PATH)) >> 8) + } + }, + SECUREBOOT_CONFIG_FORM_SET_GUID + }, + { + END_DEVICE_PATH_TYPE, + END_ENTIRE_DEVICE_PATH_SUBTYPE, + { + (UINT8) (END_DEVICE_PATH_LENGTH), + (UINT8) ((END_DEVICE_PATH_LENGTH) >> 8) + } + } +}; + +/** + Save Secure Boot option to variable space. + + @param[in] VarValue The option of Secure Boot. + + @retval EFI_SUCCESS The operation is finished successfully. + @retval Others Other errors as indicated. + +**/ +EFI_STATUS +SaveSecureBootVariable ( + IN UINT8 VarValue + ) +{ + EFI_STATUS Status; + + Status = gRT->SetVariable ( + EFI_SECURE_BOOT_ENABLE_NAME, + &gEfiSecureBootEnableDisableGuid, + EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, + sizeof (UINT8), + &VarValue + ); + if (EFI_ERROR (Status)) { + return Status; + } + gRT->ResetSystem (EfiResetCold, EFI_SUCCESS, 0, NULL); + return EFI_SUCCESS; +} + +/** + This function allows a caller to extract the current configuration for one + or more named elements from the target driver. + + @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL. + @param[in] Request A null-terminated Unicode string in + format. + @param[out] Progress On return, points to a character in the Request + string. Points to the string's null terminator if + request was successful. Points to the most recent + '&' before the first failing name/value pair (or + the beginning of the string if the failure is in + the first name/value pair) if the request was not + successful. + @param[out] Results A null-terminated Unicode string in + format which has all values filled + in for the names in the Request string. String to + be allocated by the called function. + + @retval EFI_SUCCESS The Results is filled with the requested values. + @retval EFI_OUT_OF_RESOURCES Not enough memory to store the results. + @retval EFI_INVALID_PARAMETER Request is illegal syntax, or unknown name. + @retval EFI_NOT_FOUND Routing data doesn't match any storage in this + driver. + +**/ +EFI_STATUS +EFIAPI +SecureBootExtractConfig ( + IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This, + IN CONST EFI_STRING Request, + OUT EFI_STRING *Progress, + OUT EFI_STRING *Results + ) +{ + EFI_STATUS Status; + UINTN BufferSize; + SECUREBOOT_CONFIGURATION Configuration; + + EFI_STRING ConfigRequest; + UINT8 *SecureBootEnable; + + if (Progress == NULL || Results == NULL) { + return EFI_INVALID_PARAMETER; + } + + *Progress = Request; + if ((Request != NULL) && !HiiIsConfigHdrMatch (Request, &gSecureBootConfigFormSetGuid, mSecureBootStorageName)) { + return EFI_NOT_FOUND; + } + + // + // Get the SecureBoot Variable + // + SecureBootEnable = GetVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid); + + // + // If the SecureBoot Variable doesn't exist, hide the SecureBoot Enable/Disable + // Checkbox. + // + if (SecureBootEnable == NULL) { + Configuration.HideSecureBoot = TRUE; + } else { + Configuration.HideSecureBoot = FALSE; + Configuration.SecureBootState = *SecureBootEnable; + } + + BufferSize = sizeof (Configuration); + ConfigRequest = Request; + + Status = gHiiConfigRouting->BlockToConfig ( + gHiiConfigRouting, + ConfigRequest, + (UINT8 *) &Configuration, + BufferSize, + Results, + Progress + ); + + // + // Set Progress string to the original request string. + // + if (Request == NULL) { + *Progress = NULL; + } else if (StrStr (Request, L"OFFSET") == NULL) { + *Progress = Request + StrLen (Request); + } + + return Status; +} + +/** + This function processes the results of changes in configuration. + + @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL. + @param[in] Configuration A null-terminated Unicode string in + format. + @param[out] Progress A pointer to a string filled in with the offset of + the most recent '&' before the first failing + name/value pair (or the beginning of the string if + the failure is in the first name/value pair) or + the terminating NULL if all was successful. + + @retval EFI_SUCCESS The Results is processed successfully. + @retval EFI_INVALID_PARAMETER Configuration is NULL. + @retval EFI_NOT_FOUND Routing data doesn't match any storage in this + driver. + +**/ +EFI_STATUS +EFIAPI +SecureBootRouteConfig ( + IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This, + IN CONST EFI_STRING Configuration, + OUT EFI_STRING *Progress + ) +{ + EFI_STATUS Status; + UINTN BufferSize; + SECUREBOOT_CONFIGURATION SecureBootConfiguration; + UINT8 *SecureBootEnable; + + + if (Configuration == NULL || Progress == NULL) { + return EFI_INVALID_PARAMETER; + } + + *Progress = Configuration; + if (!HiiIsConfigHdrMatch (Configuration, &gSecureBootConfigFormSetGuid, mSecureBootStorageName)) { + return EFI_NOT_FOUND; + } + + // + // Convert to buffer data by helper function ConfigToBlock() + // + BufferSize = sizeof (SECUREBOOT_CONFIGURATION); + Status = gHiiConfigRouting->ConfigToBlock ( + gHiiConfigRouting, + Configuration, + (UINT8 *) &SecureBootConfiguration, + &BufferSize, + Progress + ); + if (EFI_ERROR (Status)) { + return Status; + } + + SecureBootEnable = GetVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid); + if (SecureBootEnable == NULL) { + return EFI_SUCCESS; + } + + if ((*SecureBootEnable) != SecureBootConfiguration.SecureBootState) { + // + // If the configure is changed, update the SecureBoot Variable. + // + SaveSecureBootVariable (SecureBootConfiguration.SecureBootState); + } + return EFI_SUCCESS; +} + +/** + This function processes the results of changes in configuration. + + @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL. + @param[in] Action Specifies the type of action taken by the browser. + @param[in] QuestionId A unique value which is sent to the original + exporting driver so that it can identify the type + of data to expect. + @param[in] Type The type of value for the question. + @param[in] Value A pointer to the data being sent to the original + exporting driver. + @param[out] ActionRequest On return, points to the action requested by the + callback function. + + @retval EFI_SUCCESS The callback successfully handled the action. + @retval EFI_OUT_OF_RESOURCES Not enough storage is available to hold the + variable and its data. + @retval EFI_DEVICE_ERROR The variable could not be saved. + @retval EFI_UNSUPPORTED The specified Action is not supported by the + callback. + +**/ +EFI_STATUS +EFIAPI +SecureBootCallback ( + IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This, + IN EFI_BROWSER_ACTION Action, + IN EFI_QUESTION_ID QuestionId, + IN UINT8 Type, + IN EFI_IFR_TYPE_VALUE *Value, + OUT EFI_BROWSER_ACTION_REQUEST *ActionRequest + ) +{ + BOOLEAN SecureBootEnable; + + if ((This == NULL) || (Value == NULL) || (ActionRequest == NULL)) { + return EFI_INVALID_PARAMETER; + } + + if ((Action != EFI_BROWSER_ACTION_CHANGING) || (QuestionId != KEY_SECURE_BOOT_ENABLE)) { + return EFI_UNSUPPORTED; + } + + if (NULL == GetVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid)) { + return EFI_SUCCESS; + } + + SecureBootEnable = Value->u8; + SaveSecureBootVariable (Value->u8); + return EFI_SUCCESS; + +} + +/** + This function publish the SecureBoot configuration Form. + + @param[in, out] PrivateData Points to SecureBoot configuration private data. + + @retval EFI_SUCCESS HII Form is installed for this network device. + @retval EFI_OUT_OF_RESOURCES Not enough resource for HII Form installation. + @retval Others Other errors as indicated. + +**/ +EFI_STATUS +InstallSecureBootConfigForm ( + IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData + ) +{ + EFI_STATUS Status; + EFI_HII_HANDLE HiiHandle; + EFI_HANDLE DriverHandle; + + EFI_HII_CONFIG_ACCESS_PROTOCOL *ConfigAccess; + + DriverHandle = NULL; + ConfigAccess = &PrivateData->ConfigAccess; + Status = gBS->InstallMultipleProtocolInterfaces ( + &DriverHandle, + &gEfiDevicePathProtocolGuid, + &mSecureBootHiiVendorDevicePath, + &gEfiHiiConfigAccessProtocolGuid, + ConfigAccess, + NULL + ); + if (EFI_ERROR (Status)) { + return Status; + } + + PrivateData->DriverHandle = DriverHandle; + + // + // Publish the HII package list + // + HiiHandle = HiiAddPackages ( + &gSecureBootConfigFormSetGuid, + DriverHandle, + SecureBootConfigDxeStrings, + SecureBootConfigBin, + NULL + ); + if (HiiHandle == NULL) { + gBS->UninstallMultipleProtocolInterfaces ( + DriverHandle, + &gEfiDevicePathProtocolGuid, + &mSecureBootHiiVendorDevicePath, + &gEfiHiiConfigAccessProtocolGuid, + ConfigAccess, + NULL + ); + + return EFI_OUT_OF_RESOURCES; + } + + PrivateData->HiiHandle = HiiHandle; + return EFI_SUCCESS; +} + +/** + This function removes SecureBoot configuration Form. + + @param[in, out] PrivateData Points to SecureBoot configuration private data. + +**/ +VOID +UninstallSecureBootConfigForm ( + IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData + ) +{ + // + // Uninstall HII package list + // + if (PrivateData->HiiHandle != NULL) { + HiiRemovePackages (PrivateData->HiiHandle); + PrivateData->HiiHandle = NULL; + } + + // + // Uninstall HII Config Access Protocol + // + if (PrivateData->DriverHandle != NULL) { + gBS->UninstallMultipleProtocolInterfaces ( + PrivateData->DriverHandle, + &gEfiDevicePathProtocolGuid, + &mSecureBootHiiVendorDevicePath, + &gEfiHiiConfigAccessProtocolGuid, + &PrivateData->ConfigAccess, + NULL + ); + PrivateData->DriverHandle = NULL; + } + + FreePool (PrivateData); +} diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h new file mode 100644 index 0000000000..ef19031845 --- /dev/null +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h @@ -0,0 +1,190 @@ +/** @file + The header file of HII Config Access protocol implementation of SecureBoot + configuration module. + +Copyright (c) 2011, Intel Corporation. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD License +which accompanies this distribution. The full text of the license may be found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#ifndef __SECUREBOOT_CONFIG_IMPL_H__ +#define __SECUREBOOT_CONFIG_IMPL_H__ + +#include + +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +#include "SecureBootConfigNvData.h" + +// +// Tool generated IFR binary data and String package data +// +extern UINT8 SecureBootConfigBin[]; +extern UINT8 SecureBootConfigDxeStrings[]; + +/// +/// HII specific Vendor Device Path definition. +/// +typedef struct { + VENDOR_DEVICE_PATH VendorDevicePath; + EFI_DEVICE_PATH_PROTOCOL End; +} HII_VENDOR_DEVICE_PATH; + +typedef struct { + UINTN Signature; + + EFI_HII_CONFIG_ACCESS_PROTOCOL ConfigAccess; + EFI_HII_HANDLE HiiHandle; + EFI_HANDLE DriverHandle; + +} SECUREBOOT_CONFIG_PRIVATE_DATA; + +extern SECUREBOOT_CONFIG_PRIVATE_DATA mSecureBootConfigPrivateDateTemplate; + +#define SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE SIGNATURE_32 ('S', 'E', 'C', 'B') +#define SECUREBOOT_CONFIG_PRIVATE_DATA_FROM_THIS(a) CR (a, SECUREBOOT_CONFIG_PRIVATE_DATA, ConfigAccess, SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE) + + +/** + This function publish the SecureBoot configuration Form. + + @param[in, out] PrivateData Points to SecureBoot configuration private data. + + @retval EFI_SUCCESS HII Form is installed for this network device. + @retval EFI_OUT_OF_RESOURCES Not enough resource for HII Form installation. + @retval Others Other errors as indicated. + +**/ +EFI_STATUS +InstallSecureBootConfigForm ( + IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData + ); + +/** + This function removes SecureBoot configuration Form. + + @param[in, out] PrivateData Points to SecureBoot configuration private data. + +**/ + +VOID +UninstallSecureBootConfigForm ( + IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData + ); + +/** + This function allows a caller to extract the current configuration for one + or more named elements from the target driver. + + @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL. + @param[in] Request A null-terminated Unicode string in + format. + @param[out] Progress On return, points to a character in the Request + string. Points to the string's null terminator if + request was successful. Points to the most recent + '&' before the first failing name/value pair (or + the beginning of the string if the failure is in + the first name/value pair) if the request was not + successful. + @param[out] Results A null-terminated Unicode string in + format which has all values filled + in for the names in the Request string. String to + be allocated by the called function. + + @retval EFI_SUCCESS The Results is filled with the requested values. + @retval EFI_OUT_OF_RESOURCES Not enough memory to store the results. + @retval EFI_INVALID_PARAMETER Request is illegal syntax, or unknown name. + @retval EFI_NOT_FOUND Routing data doesn't match any storage in this + driver. + +**/ +EFI_STATUS +EFIAPI +SecureBootExtractConfig ( + IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This, + IN CONST EFI_STRING Request, + OUT EFI_STRING *Progress, + OUT EFI_STRING *Results + ); + +/** + This function processes the results of changes in configuration. + + @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL. + @param[in] Configuration A null-terminated Unicode string in + format. + @param[out] Progress A pointer to a string filled in with the offset of + the most recent '&' before the first failing + name/value pair (or the beginning of the string if + the failure is in the first name/value pair) or + the terminating NULL if all was successful. + + @retval EFI_SUCCESS The Results is processed successfully. + @retval EFI_INVALID_PARAMETER Configuration is NULL. + @retval EFI_NOT_FOUND Routing data doesn't match any storage in this + driver. + +**/ +EFI_STATUS +EFIAPI +SecureBootRouteConfig ( + IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This, + IN CONST EFI_STRING Configuration, + OUT EFI_STRING *Progress + ); + +/** + This function processes the results of changes in configuration. + + @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL. + @param[in] Action Specifies the type of action taken by the browser. + @param[in] QuestionId A unique value which is sent to the original + exporting driver so that it can identify the type + of data to expect. + @param[in] Type The type of value for the question. + @param[in] Value A pointer to the data being sent to the original + exporting driver. + @param[out] ActionRequest On return, points to the action requested by the + callback function. + + @retval EFI_SUCCESS The callback successfully handled the action. + @retval EFI_OUT_OF_RESOURCES Not enough storage is available to hold the + variable and its data. + @retval EFI_DEVICE_ERROR The variable could not be saved. + @retval EFI_UNSUPPORTED The specified Action is not supported by the + callback. + +**/ +EFI_STATUS +EFIAPI +SecureBootCallback ( + IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This, + IN EFI_BROWSER_ACTION Action, + IN EFI_QUESTION_ID QuestionId, + IN UINT8 Type, + IN EFI_IFR_TYPE_VALUE *Value, + OUT EFI_BROWSER_ACTION_REQUEST *ActionRequest + ); + +#endif diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h new file mode 100644 index 0000000000..278066e87f --- /dev/null +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h @@ -0,0 +1,34 @@ +/** @file + Header file for NV data structure definition. + +Copyright (c) 2011, Intel Corporation. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD License +which accompanies this distribution. The full text of the license may be found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#ifndef __SECUREBOOT_CONFIG_NV_DATA_H__ +#define __SECUREBOOT_CONFIG_NV_DATA_H__ + +#include +#include + +#define SECUREBOOT_CONFIGURATION_VARSTORE_ID 0x0001 +#define SECUREBOOT_CONFIGURATION_FORM_ID 0x0001 + +#define KEY_SECURE_BOOT_ENABLE 0x5000 + +// +// Nv Data structure referenced by IFR +// +typedef struct { + BOOLEAN SecureBootState; + BOOLEAN HideSecureBoot; +} SECUREBOOT_CONFIGURATION; + +#endif diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni new file mode 100644 index 0000000000..99f728ead0 Binary files /dev/null and b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni differ -- cgit v1.2.3