SecurityPkg: AuthVariableLib & SecureBootConfigDxe: Fix SecureBootEnable & PK inconsistency issue

Revert previous fix in AuthVariable driver init which breaks SecureBootEnable original behavior. Add more error handling logic in SecureBootConfigDxe to prevent wrong display info when SecureBootEnable & PK inconsistency happens. Commit hash for the reverted patch in AuthVariable driver is SHA-1: a6811666b0 Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Chao Zhang <chao.b.zhang@intel.com> Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
2016-04-13 15:27:04 +08:00 · 2016-04-13 15:27:04 +08:00 · 126f3b1de0
parent 7717798408
commit 126f3b1de0
2 changed files with 26 additions and 35 deletions
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@ -441,19 +441,7 @@ InitSecureBootVariables (
  SecureBootEnable = SECURE_BOOT_DISABLE;
  Status = AuthServiceInternalFindVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID **)&Data, &DataSize);
  if (!EFI_ERROR(Status)) {
-    if (!IsPkPresent) {
-      //
-      // PK is cleared in runtime. "SecureBootMode" is not updated before reboot
-      // Delete "SecureBootMode"
-      //
-      Status = AuthServiceInternalUpdateVariable (
-                 EFI_SECURE_BOOT_ENABLE_NAME,
-                 &gEfiSecureBootEnableDisableGuid,
-                 &SecureBootEnable,
-                 0,
-                 EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
-                 );
-    } else {
+    if (IsPkPresent) {
      SecureBootEnable = *Data;
    }
  } else if ((SecureBootMode == SecureBootModeTypeUserMode) || (SecureBootMode == SecureBootModeTypeDeployedMode)) {
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
@ -3167,20 +3167,6 @@ SecureBootExtractConfigFromVariable (
  ConfigData->RevocationTime.Minute = CurrTime.Minute;
  ConfigData->RevocationTime.Second = 0;

-  //
-  // If the SecureBootEnable Variable doesn't exist, hide the SecureBoot Enable/Disable
-  // Checkbox.
-  //
-  ConfigData->AttemptSecureBoot = FALSE;
-  GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);
-  if (SecureBootEnable == NULL) {
-    ConfigData->HideSecureBoot = TRUE;
-  } else {
-    ConfigData->HideSecureBoot = FALSE;
-    if ((*SecureBootEnable) == SECURE_BOOT_ENABLE) {
-      ConfigData->AttemptSecureBoot = TRUE;
-    }
-  }

  //
  // If it is Physical Presence User, set the PhysicalPresent to true.
@ -3215,6 +3201,26 @@ SecureBootExtractConfigFromVariable (
    ConfigData->HasPk = TRUE;
  }

+  //
+  // Check SecureBootEnable & Pk status, fix the inconsistence. 
+  // If the SecureBootEnable Variable doesn't exist, hide the SecureBoot Enable/Disable
+  // Checkbox.
+  //
+  ConfigData->AttemptSecureBoot = FALSE;
+  GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);  
+
+  //
+  // Fix Pk, SecureBootEnable inconsistence
+  //
+  if (ConfigData->CurSecureBootMode == SECURE_BOOT_MODE_USER_MODE || ConfigData->CurSecureBootMode == SECURE_BOOT_MODE_DEPLOYED_MODE) {
+    ConfigData->HideSecureBoot = FALSE;
+    if ((SecureBootEnable != NULL) && (*SecureBootEnable == SECURE_BOOT_ENABLE)) {
+      ConfigData->AttemptSecureBoot = TRUE;
+    }
+  } else {
+    ConfigData->HideSecureBoot = TRUE;
+  }
+
  if (SecureBootEnable != NULL) {
    FreePool (SecureBootEnable);
  }
@ -3363,7 +3369,6 @@ SecureBootRouteConfig (
       OUT EFI_STRING                          *Progress
  )
 {
-  UINT8                      *SecureBootEnable;
  SECUREBOOT_CONFIGURATION   IfrNvData;
  UINTN                      BufferSize;
  EFI_STATUS                 Status;
@ -3400,10 +3405,7 @@ SecureBootRouteConfig (
  //
  // Store Buffer Storage back to EFI variable if needed
  //
-  SecureBootEnable = NULL;
-  GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);
-  if (NULL != SecureBootEnable) {
-    FreePool (SecureBootEnable);
+  if (!IfrNvData.HideSecureBoot) {
    Status = SaveSecureBootVariable (IfrNvData.AttemptSecureBoot);
    if (EFI_ERROR (Status)) {
      return Status;
@ -3454,6 +3456,7 @@ SecureBootCallback (
  SECUREBOOT_CONFIGURATION        *IfrNvData;
  UINT16                          LabelId;
  UINT8                           *SecureBootEnable;
+  UINT8                           *Pk;
  UINT8                           *SecureBootMode;
  CHAR16                          PromptString[100];
  UINT8                           CurSecureBootMode;
@ -3926,11 +3929,11 @@ SecureBootCallback (
    }
  } else if (Action == EFI_BROWSER_ACTION_DEFAULT_STANDARD) {
    if (QuestionId == KEY_HIDE_SECURE_BOOT) {
-      GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);
-      if (SecureBootEnable == NULL) {
+      GetVariable2 (EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid, (VOID**)&Pk, NULL);
+      if (Pk == NULL) {
        IfrNvData->HideSecureBoot = TRUE;
      } else {
-        FreePool (SecureBootEnable);
+        FreePool (Pk);
        IfrNvData->HideSecureBoot = FALSE;
      }
      Value->b = IfrNvData->HideSecureBoot;