tyler.durden/audk
1
0
Fork 0
mirror of https://github.com/acidanthera/audk.git synced 2025-07-27 15:44:04 +02:00
Code Issues Packages Projects Releases Wiki Activity

SecurityPkg: AuthVariableLib & SecureBootConfigDxe: Fix SecureBootEnable & PK inconsistency issue

Browse Source 
Revert previous fix in AuthVariable driver init which breaks SecureBootEnable original behavior. Add more error handling logic in SecureBootConfigDxe to prevent wrong display info when SecureBootEnable & PK inconsistency happens.
Commit hash for the reverted patch in AuthVariable driver is
SHA-1: a6811666b0bef18871fa62b6c5abf18fb076fd0d

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
This commit is contained in:
Zhang, Chao B 2016-04-13 15:27:04 +08:00
parent 7717798408
commit 126f3b1de0
2 changed files with 26 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
SecurityPkg/Library/AuthVariableLib/AuthService.c
View File

@ -441,19 +441,7 @@ InitSecureBootVariables (
SecureBootEnable = SECURE_BOOT_DISABLE; SecureBootEnable = SECURE_BOOT_DISABLE;
Status = AuthServiceInternalFindVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID **)&Data, &DataSize); Status = AuthServiceInternalFindVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID **)&Data, &DataSize);
if (!EFI_ERROR(Status)) { if (!EFI_ERROR(Status)) {
if (!IsPkPresent) { if (IsPkPresent) {
//
// PK is cleared in runtime. "SecureBootMode" is not updated before reboot
// Delete "SecureBootMode"
//
Status = AuthServiceInternalUpdateVariable (
EFI_SECURE_BOOT_ENABLE_NAME,
&gEfiSecureBootEnableDisableGuid,
&SecureBootEnable,
0,
EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
);
} else {
SecureBootEnable = *Data; SecureBootEnable = *Data;
} }
} else if ((SecureBootMode == SecureBootModeTypeUserMode) || (SecureBootMode == SecureBootModeTypeDeployedMode)) { } else if ((SecureBootMode == SecureBootModeTypeUserMode) || (SecureBootMode == SecureBootModeTypeDeployedMode)) {

47
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
View File

@ -3167,20 +3167,6 @@ SecureBootExtractConfigFromVariable (
ConfigData->RevocationTime.Minute = CurrTime.Minute; ConfigData->RevocationTime.Minute = CurrTime.Minute;
ConfigData->RevocationTime.Second = 0; ConfigData->RevocationTime.Second = 0;
//
// If the SecureBootEnable Variable doesn't exist, hide the SecureBoot Enable/Disable
// Checkbox.
//
ConfigData->AttemptSecureBoot = FALSE;
GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);
if (SecureBootEnable == NULL) {
ConfigData->HideSecureBoot = TRUE;
} else {
ConfigData->HideSecureBoot = FALSE;
if ((*SecureBootEnable) == SECURE_BOOT_ENABLE) {
ConfigData->AttemptSecureBoot = TRUE;
}
}
// //
// If it is Physical Presence User, set the PhysicalPresent to true. // If it is Physical Presence User, set the PhysicalPresent to true.
@ -3215,6 +3201,26 @@ SecureBootExtractConfigFromVariable (
ConfigData->HasPk = TRUE; ConfigData->HasPk = TRUE;
} }
//
// Check SecureBootEnable & Pk status, fix the inconsistence.
// If the SecureBootEnable Variable doesn't exist, hide the SecureBoot Enable/Disable
// Checkbox.
//
ConfigData->AttemptSecureBoot = FALSE;
GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);
//
// Fix Pk, SecureBootEnable inconsistence
//
if (ConfigData->CurSecureBootMode == SECURE_BOOT_MODE_USER_MODE || ConfigData->CurSecureBootMode == SECURE_BOOT_MODE_DEPLOYED_MODE) {
ConfigData->HideSecureBoot = FALSE;
if ((SecureBootEnable != NULL) && (*SecureBootEnable == SECURE_BOOT_ENABLE)) {
ConfigData->AttemptSecureBoot = TRUE;
}
} else {
ConfigData->HideSecureBoot = TRUE;
}
if (SecureBootEnable != NULL) { if (SecureBootEnable != NULL) {
FreePool (SecureBootEnable); FreePool (SecureBootEnable);
} }
@ -3363,7 +3369,6 @@ SecureBootRouteConfig (
OUT EFI_STRING *Progress OUT EFI_STRING *Progress
) )
{ {
UINT8 *SecureBootEnable;
SECUREBOOT_CONFIGURATION IfrNvData; SECUREBOOT_CONFIGURATION IfrNvData;
UINTN BufferSize; UINTN BufferSize;
EFI_STATUS Status; EFI_STATUS Status;
@ -3400,10 +3405,7 @@ SecureBootRouteConfig (
// //
// Store Buffer Storage back to EFI variable if needed // Store Buffer Storage back to EFI variable if needed
// //
SecureBootEnable = NULL; if (!IfrNvData.HideSecureBoot) {
GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);
if (NULL != SecureBootEnable) {
FreePool (SecureBootEnable);
Status = SaveSecureBootVariable (IfrNvData.AttemptSecureBoot); Status = SaveSecureBootVariable (IfrNvData.AttemptSecureBoot);
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
return Status; return Status;
@ -3454,6 +3456,7 @@ SecureBootCallback (
SECUREBOOT_CONFIGURATION *IfrNvData; SECUREBOOT_CONFIGURATION *IfrNvData;
UINT16 LabelId; UINT16 LabelId;
UINT8 *SecureBootEnable; UINT8 *SecureBootEnable;
UINT8 *Pk;
UINT8 *SecureBootMode; UINT8 *SecureBootMode;
CHAR16 PromptString[100]; CHAR16 PromptString[100];
UINT8 CurSecureBootMode; UINT8 CurSecureBootMode;
@ -3926,11 +3929,11 @@ SecureBootCallback (
} }
} else if (Action == EFI_BROWSER_ACTION_DEFAULT_STANDARD) { } else if (Action == EFI_BROWSER_ACTION_DEFAULT_STANDARD) {
if (QuestionId == KEY_HIDE_SECURE_BOOT) { if (QuestionId == KEY_HIDE_SECURE_BOOT) {
GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL); GetVariable2 (EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid, (VOID**)&Pk, NULL);
if (SecureBootEnable == NULL) { if (Pk == NULL) {
IfrNvData->HideSecureBoot = TRUE; IfrNvData->HideSecureBoot = TRUE;
} else { } else {
FreePool (SecureBootEnable); FreePool (Pk);
IfrNvData->HideSecureBoot = FALSE; IfrNvData->HideSecureBoot = FALSE;
} }
Value->b = IfrNvData->HideSecureBoot; Value->b = IfrNvData->HideSecureBoot;