1. Reset system when user changes secure boot state in secure boot configuration form.

2. Update the method to detect secure boot state in DxeImageVerificationLib and secure boot configuration driver. Signed-off-by: Fu Siyuan <siyuan.fu@intel.com> Reviewed-by: Dong Guo <guo.dong@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com> git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13505 6f19259b-4bc3-4df7-8a09-765794883524
2012-07-05 08:08:12 +00:00 · 2012-07-05 08:08:12 +00:00 · 8f8ca22e59
parent b37aa2c645
commit 8f8ca22e59
6 changed files with 29 additions and 46 deletions
--- a/SecurityPkg/Include/Guid/AuthenticatedVariableFormat.h
+++ b/SecurityPkg/Include/Guid/AuthenticatedVariableFormat.h
@ -29,7 +29,9 @@ extern EFI_GUID gEfiAuthenticatedVariableGuid;
 extern EFI_GUID gEfiSecureBootEnableDisableGuid;

 ///
-/// "SecureBootEnable" variable for the Secure boot feature enable/disable.
+/// "SecureBootEnable" variable for the Secure Boot feature enable/disable.
+/// This variable is used for allowing a physically present user to disable
+/// Secure Boot via firmware setup without the possession of PKpriv.
 ///
 #define EFI_SECURE_BOOT_ENABLE_NAME      L"SecureBootEnable"
 #define SECURE_BOOT_ENABLE               1
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@ -1254,14 +1254,13 @@ DxeImageVerificationHandler (
  UINT16                               Magic;
  EFI_IMAGE_DOS_HEADER                 *DosHdr;
  EFI_STATUS                           VerifyStatus;
-  UINT8                                *SetupMode;
  EFI_SIGNATURE_LIST                   *SignatureList;
  UINTN                                SignatureListSize;
  EFI_SIGNATURE_DATA                   *Signature;
  EFI_IMAGE_EXECUTION_ACTION           Action;
  WIN_CERTIFICATE                      *WinCertificate;
  UINT32                               Policy;
-  UINT8                                *SecureBootEnable;
+  UINT8                                *SecureBoot;
  PE_COFF_LOADER_IMAGE_CONTEXT         ImageContext;
  UINT32                               NumberOfRvaAndSizes;
  UINT32                               CertSize;
@ -1309,43 +1308,22 @@ DxeImageVerificationHandler (
    return EFI_ACCESS_DENIED;
  }

-  GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);
+  GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOID**)&SecureBoot, NULL);
  //
-  // Skip verification if SecureBootEnable variable doesn't exist.
+  // Skip verification if SecureBoot variable doesn't exist.
  //
-  if (SecureBootEnable == NULL) {
+  if (SecureBoot == NULL) {
    return EFI_SUCCESS;
  }

  //
-  // Skip verification if SecureBootEnable is disabled.
+  // Skip verification if SecureBoot is disabled.
  //
-  if (*SecureBootEnable == SECURE_BOOT_DISABLE) {
-    FreePool (SecureBootEnable);
+  if (*SecureBoot == SECURE_BOOT_MODE_DISABLE) {
+    FreePool (SecureBoot);
    return EFI_SUCCESS;
  }
-
-  FreePool (SecureBootEnable);
-
-  GetEfiGlobalVariable2 (EFI_SETUP_MODE_NAME, (VOID**)&SetupMode, NULL);
-
-  //
-  // SetupMode doesn't exist means no AuthVar driver is dispatched,
-  // skip verification.
-  //
-  if (SetupMode == NULL) {
-    return EFI_SUCCESS;
-  }
-
-  //
-  // If platform is in SETUP MODE, skip verification.
-  //
-  if (*SetupMode == SETUP_MODE) {
-    FreePool (SetupMode);
-    return EFI_SUCCESS;
-  }
-
-  FreePool (SetupMode);
+  FreePool (SecureBoot);

  //
  // Read the Dos header.
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
@ -68,13 +68,8 @@
  gEfiCertSha256Guid
  gEfiCertX509Guid
  gEfiCertRsa2048Guid
-  gEfiSecureBootEnableDisableGuid
  
 [Pcd]
  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy
  gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy
  gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy
-
-  
-
-
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
@ -323,7 +323,7 @@ AutenticatedVariableServiceInitialize (
  // If "SecureBootEnable" variable is SECURE_BOOT_ENABLE and in USER_MODE, Set "SecureBoot" variable to SECURE_BOOT_MODE_ENABLE.
  // If "SecureBootEnable" variable is SECURE_BOOT_DISABLE, Set "SecureBoot" variable to SECURE_BOOT_MODE_DISABLE.
  //
-  SecureBootEnable = SECURE_BOOT_MODE_DISABLE;
+  SecureBootEnable = SECURE_BOOT_DISABLE;
  FindVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
  if (Variable.CurrPtr != NULL) {
    SecureBootEnable = *(GetVariableDataPtr (Variable.CurrPtr));
@ -331,7 +331,7 @@ AutenticatedVariableServiceInitialize (
    //
    // "SecureBootEnable" not exist, initialize it in USER_MODE.
    //
-    SecureBootEnable = SECURE_BOOT_MODE_ENABLE;
+    SecureBootEnable = SECURE_BOOT_ENABLE;
    Status = UpdateVariable (
               EFI_SECURE_BOOT_ENABLE_NAME,
               &gEfiSecureBootEnableDisableGuid,
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
@ -51,7 +51,7 @@ formset
          questionid = KEY_SECURE_BOOT_ENABLE,
          prompt = STRING_TOKEN(STR_SECURE_BOOT_PROMPT),
          help   = STRING_TOKEN(STR_SECURE_BOOT_HELP),
-          flags  = INTERACTIVE,
+          flags  = INTERACTIVE | RESET_REQUIRED,
    endcheckbox;
    endif;
    
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
@ -2069,27 +2069,25 @@ SecureBootExtractConfigFromVariable (
 {
  UINT8   *SecureBootEnable;
  UINT8   *SetupMode;
+  UINT8   *SecureBoot;
  UINT8   *SecureBootMode;

  SecureBootEnable = NULL;
  SetupMode        = NULL;
+  SecureBoot       = NULL;
  SecureBootMode   = NULL;
  
-  //
-  // Get the SecureBootEnable Variable
-  //
-  GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);
-
  //
  // If the SecureBootEnable Variable doesn't exist, hide the SecureBoot Enable/Disable
  // Checkbox.
  //
+  GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);
  if (SecureBootEnable == NULL) {
    ConfigData->HideSecureBoot = TRUE;
  } else {
    ConfigData->HideSecureBoot = FALSE;
-    ConfigData->SecureBootState = *SecureBootEnable;
  }
+  
  //
  // If it is Physical Presence User, set the PhysicalPresent to true.
  //
@ -2103,11 +2101,21 @@ SecureBootExtractConfigFromVariable (
  // If there is no PK then the Delete Pk button will be gray.
  //
  GetVariable2 (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SetupMode, NULL);
-  if (SetupMode == NULL || (*SetupMode) == 1) {
+  if (SetupMode == NULL || (*SetupMode) == SETUP_MODE) {
    ConfigData->HasPk = FALSE;
  } else  {
    ConfigData->HasPk = TRUE;
  }
+  
+  //
+  // If the value of SecureBoot variable is 1, the platform is operating in secure boot mode.
+  //
+  GetVariable2 (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SecureBoot, NULL);
+  if (SecureBoot != NULL && *SecureBoot == SECURE_BOOT_MODE_ENABLE) {
+    ConfigData->SecureBootState = TRUE;
+  } else {
+    ConfigData->SecureBootState = FALSE;
+  }

  //
  // Get the SecureBootMode from CustomMode variable.