1. Reset system when user changes secure boot state in secure boot configuration form.

2. Update the method to detect secure boot state in DxeImageVerificationLib and secure boot configuration driver. Signed-off-by: Fu Siyuan <siyuan.fu@intel.com> Reviewed-by: Dong Guo <guo.dong@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com> git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13505 6f19259b-4bc3-4df7-8a09-765794883524
2012-07-05 08:08:12 +00:00 · 2012-07-05 08:08:12 +00:00 · 8f8ca22e59
parent b37aa2c645
commit 8f8ca22e59
6 changed files with 29 additions and 46 deletions
--- a/SecurityPkg/Include/Guid/AuthenticatedVariableFormat.h
+++ b/SecurityPkg/Include/Guid/AuthenticatedVariableFormat.h
@ -29,7 +29,9 @@ extern EFI_GUID gEfiAuthenticatedVariableGuid;
 extern EFI_GUID gEfiSecureBootEnableDisableGuid;
 ///
-/// "SecureBootEnable" variable for the Secure boot feature enable/disable.
+/// "SecureBootEnable" variable for the Secure Boot feature enable/disable.
 /// This variable is used for allowing a physically present user to disable
 /// Secure Boot via firmware setup without the possession of PKpriv.
 ///
 #define EFI_SECURE_BOOT_ENABLE_NAME      L"SecureBootEnable"
 #define SECURE_BOOT_ENABLE               1
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@ -1254,14 +1254,13 @@ DxeImageVerificationHandler (
  UINT16                               Magic;
  EFI_IMAGE_DOS_HEADER                 *DosHdr;
  EFI_STATUS                           VerifyStatus;
  UINT8                                *SetupMode;
  EFI_SIGNATURE_LIST                   *SignatureList;
  UINTN                                SignatureListSize;
  EFI_SIGNATURE_DATA                   *Signature;
  EFI_IMAGE_EXECUTION_ACTION           Action;
  WIN_CERTIFICATE                      *WinCertificate;
  UINT32                               Policy;
-  UINT8                                *SecureBootEnable;
+  UINT8                                *SecureBoot;
  PE_COFF_LOADER_IMAGE_CONTEXT         ImageContext;
  UINT32                               NumberOfRvaAndSizes;
  UINT32                               CertSize;
@ -1309,43 +1308,22 @@ DxeImageVerificationHandler (
    return EFI_ACCESS_DENIED;
  }
-  GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);
+  GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOID**)&SecureBoot, NULL);
  //
-  // Skip verification if SecureBootEnable variable doesn't exist.
+  // Skip verification if SecureBoot variable doesn't exist.
  //
-  if (SecureBootEnable == NULL) {
+  if (SecureBoot == NULL) {
    return EFI_SUCCESS;
  }
  //
-  // Skip verification if SecureBootEnable is disabled.
+  // Skip verification if SecureBoot is disabled.
  //
-  if (*SecureBootEnable == SECURE_BOOT_DISABLE) {
+  if (*SecureBoot == SECURE_BOOT_MODE_DISABLE) {
-    FreePool (SecureBootEnable);
+    FreePool (SecureBoot);
    return EFI_SUCCESS;
  }
-
+  FreePool (SecureBoot);
  FreePool (SecureBootEnable);
  GetEfiGlobalVariable2 (EFI_SETUP_MODE_NAME, (VOID**)&SetupMode, NULL);
  //
  // SetupMode doesn't exist means no AuthVar driver is dispatched,
  // skip verification.
  //
  if (SetupMode == NULL) {
    return EFI_SUCCESS;
  }
  //
  // If platform is in SETUP MODE, skip verification.
  //
  if (*SetupMode == SETUP_MODE) {
    FreePool (SetupMode);
    return EFI_SUCCESS;
  }
  FreePool (SetupMode);
  //
  // Read the Dos header.
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
@ -68,13 +68,8 @@
  gEfiCertSha256Guid
  gEfiCertX509Guid
  gEfiCertRsa2048Guid
  gEfiSecureBootEnableDisableGuid
 [Pcd]
  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy
  gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy
  gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
@ -323,7 +323,7 @@ AutenticatedVariableServiceInitialize (
  // If "SecureBootEnable" variable is SECURE_BOOT_ENABLE and in USER_MODE, Set "SecureBoot" variable to SECURE_BOOT_MODE_ENABLE.
  // If "SecureBootEnable" variable is SECURE_BOOT_DISABLE, Set "SecureBoot" variable to SECURE_BOOT_MODE_DISABLE.
  //
-  SecureBootEnable = SECURE_BOOT_MODE_DISABLE;
+  SecureBootEnable = SECURE_BOOT_DISABLE;
  FindVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
  if (Variable.CurrPtr != NULL) {
    SecureBootEnable = *(GetVariableDataPtr (Variable.CurrPtr));
@ -331,7 +331,7 @@ AutenticatedVariableServiceInitialize (
    //
    // "SecureBootEnable" not exist, initialize it in USER_MODE.
    //
-    SecureBootEnable = SECURE_BOOT_MODE_ENABLE;
+    SecureBootEnable = SECURE_BOOT_ENABLE;
    Status = UpdateVariable (
               EFI_SECURE_BOOT_ENABLE_NAME,
               &gEfiSecureBootEnableDisableGuid,
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
@ -51,7 +51,7 @@ formset
          questionid = KEY_SECURE_BOOT_ENABLE,
          prompt = STRING_TOKEN(STR_SECURE_BOOT_PROMPT),
          help   = STRING_TOKEN(STR_SECURE_BOOT_HELP),
-          flags  = INTERACTIVE,
+          flags  = INTERACTIVE | RESET_REQUIRED,
    endcheckbox;
    endif;
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
@ -2069,27 +2069,25 @@ SecureBootExtractConfigFromVariable (
 {
  UINT8   *SecureBootEnable;
  UINT8   *SetupMode;
  UINT8   *SecureBoot;
  UINT8   *SecureBootMode;
  SecureBootEnable = NULL;
  SetupMode        = NULL;
  SecureBoot       = NULL;
  SecureBootMode   = NULL;
  //
  // Get the SecureBootEnable Variable
  //
  GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);
  //
  // If the SecureBootEnable Variable doesn't exist, hide the SecureBoot Enable/Disable
  // Checkbox.
  //
  GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);
  if (SecureBootEnable == NULL) {
    ConfigData->HideSecureBoot = TRUE;
  } else {
    ConfigData->HideSecureBoot = FALSE;
    ConfigData->SecureBootState = *SecureBootEnable;
  }
  //
  // If it is Physical Presence User, set the PhysicalPresent to true.
  //
@ -2103,11 +2101,21 @@ SecureBootExtractConfigFromVariable (
  // If there is no PK then the Delete Pk button will be gray.
  //
  GetVariable2 (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SetupMode, NULL);
-  if (SetupMode == NULL || (*SetupMode) == 1) {
+  if (SetupMode == NULL || (*SetupMode) == SETUP_MODE) {
    ConfigData->HasPk = FALSE;
  } else  {
    ConfigData->HasPk = TRUE;
  }
  //
  // If the value of SecureBoot variable is 1, the platform is operating in secure boot mode.
  //
  GetVariable2 (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SecureBoot, NULL);
  if (SecureBoot != NULL && *SecureBoot == SECURE_BOOT_MODE_ENABLE) {
    ConfigData->SecureBootState = TRUE;
  } else {
    ConfigData->SecureBootState = FALSE;
  }
  //
  // Get the SecureBootMode from CustomMode variable.