diff --git a/OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.c b/OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.c index 956ff9e2c5..de0e4fa938 100644 --- a/OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.c +++ b/OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.c @@ -15,36 +15,19 @@ /** - This function detects whether a secure platform-specific method to clear PK(Platform Key) - is configured by platform owner. This method is provided for users force to clear PK - in case incorrect enrollment mis-haps. + This function provides a platform-specific method to detect whether the platform + is operating by a physically present user. - UEFI231 spec chapter 27.5.2 stipulates: The platform key may also be cleared using - a secure platform-specific method. In this case, the global variable SetupMode - must also be updated to 1. + Programmatic changing of platform security policy (such as disable Secure Boot, + or switch between Standard/Custom Secure Boot mode) MUST NOT be possible during + Boot Services or after exiting EFI Boot Services. Only a physically present user + is allowed to perform these operations. NOTE THAT: This function cannot depend on any EFI Variable Service since they are not available when this function is called in AuthenticateVariable driver. - - @retval TRUE The Platform owner wants to force clear PK. - @retval FALSE The Platform owner doesn't want to force clear PK. - -**/ -BOOLEAN -EFIAPI -ForceClearPK ( - VOID - ) -{ - return TRUE; -} - -/** - - This function detects whether current platform is operated by a physical present user. - - @retval TRUE The Platform is operated by a physical present user. - @retval FALSE The Platform is NOT operated by a physical persent user. + + @retval TRUE The platform is operated by a physically present user. + @retval FALSE The platform is NOT operated by a physically present user. **/ BOOLEAN diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index 2b0011cf55..c7d50e4718 100644 
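Review bot: The rewritten header comment at `+ is operating by a physically present user.` should read `is operated by a physically present user`, and it now states a policy (`MUST NOT be possible during Boot Services or after exiting EFI Boot Services`) that nothing in this hunk shows being enforced, since the predicate's body follows the trailing `BOOLEAN` and lies outside the hunk. The deleted ForceClearPK returned a hard-coded `TRUE`; if the surviving physical-presence check is implemented the same way (plausible for a virtual platform with no presence hardware, but not visible here), the comment would promise a check the library does not perform and every caller, including the authenticated-variable driver mentioned in the NOTE, would be treated as a present user. I would add one sentence to the header that states what OVMF actually does, e.g. `NOTE: OVMF has no physical-presence hardware; see the function body for the policy this build applies and do not rely on this check alone to gate Secure Boot policy changes.` The enclosing definition starts at `BOOLEAN` and ends outside the hunk.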
--- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -340,8 +340,6 @@ MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf - BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf - OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf } !else MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf @@ -494,4 +492,5 @@ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf } + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf !endif diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf index 235e322777..eda00ce097 100644 --- a/OvmfPkg/OvmfPkgIa32.fdf +++ b/OvmfPkg/OvmfPkgIa32.fdf @@ -1,7 +1,7 @@ ## @file # Open Virtual Machine Firmware: FDF # -# Copyright (c) 2006 - 2011, Intel Corporation. All rights reserved.
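Review bot: Dropping the `BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf` and `OpensslLib|...` overrides from the SecurityStubDxe stanza means DxeImageVerificationLib now takes its crypto library from the global [LibraryClasses] mapping, which this hunk does not show. That is only safe if the global DXE mapping resolves to the non-runtime BaseCryptLib; the second hunk at `@@ -494` shows `RuntimeCryptLib.inf` used as a per-module override nearby, so it is worth confirming the default is the DXE variant rather than a runtime one, which I cannot tell from here. A one-line comment above the stanza such as `# BaseCryptLib/OpensslLib resolve through the global [LibraryClasses] mapping` would make the intent explicit. The same removal appears in OvmfPkgIa32X64.dsc and OvmfPkgX64.dsc and the same check applies there.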
+# Copyright (c) 2006 - 2012, Intel Corporation. All rights reserved.
# # This program and the accompanying materials # are licensed and made available under the terms and conditions of the BSD License @@ -167,11 +167,14 @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf INF OvmfPkg/BlockMmioToBlockIoDxe/BlockIo.inf INF OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.inf INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf + !if $(SECURE_BOOT_ENABLE) == TRUE INF SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf + INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf !else INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf !endif + INF MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index 3b8257daa2..df3b24a4b1 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -342,8 +342,6 @@ MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf - BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf - OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf } !else MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf @@ -496,4 +494,5 @@ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf } + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf !endif diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf index 2351e563ab..7c98a6a2a8 100644 --- a/OvmfPkg/OvmfPkgIa32X64.fdf +++ b/OvmfPkg/OvmfPkgIa32X64.fdf @@ -1,7 +1,7 @@ ## @file # Open Virtual Machine Firmware: FDF # -# Copyright (c) 2006 - 2011, Intel Corporation. All rights reserved.
+# Copyright (c) 2006 - 2012, Intel Corporation. All rights reserved.
# # This program and the accompanying materials # are licensed and made available under the terms and conditions of the BSD License @@ -170,6 +170,7 @@ INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf !if $(SECURE_BOOT_ENABLE) == TRUE INF SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf + INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf !else INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf !endif diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 2c174ba05b..eec0f1b07d 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -341,8 +341,6 @@ MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf - BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf - OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf } !else MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf @@ -495,4 +493,5 @@ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf } + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf !endif diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf index 16f21fe3c8..4908298448 100644 --- a/OvmfPkg/OvmfPkgX64.fdf +++ b/OvmfPkg/OvmfPkgX64.fdf @@ -1,7 +1,7 @@ ## @file # Open Virtual Machine Firmware: FDF # -# Copyright (c) 2006 - 2011, Intel Corporation. All rights reserved.
+# Copyright (c) 2006 - 2012, Intel Corporation. All rights reserved.
# # This program and the accompanying materials # are licensed and made available under the terms and conditions of the BSD License @@ -170,6 +170,7 @@ INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf !if $(SECURE_BOOT_ENABLE) == TRUE INF SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf + INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf !else INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf !endif