SecurityPkg: SecureBootConfigDxe: SecureBoot UI for Customized SecureBoot Mode

Add SecureBoot UI support for Customized SecureBoot Mode transition according to Mantis 1263. Users can perform secure boot mode transitions through the UI.
  https://mantis.uefi.org/mantis/view.php?id=1263

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Zeng Star <star.zeng@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19134 6f19259b-4bc3-4df7-8a09-765794883524
Chao Zhang 2015-12-07 06:20:36 +00:00 committed by czhang46
parent 4fc08e8d68
commit 96832eefea
4 changed files with 474 additions and 66 deletions


@ -1,7 +1,7 @@
/** @file /** @file
VFR file used by the SecureBoot configuration component. VFR file used by the SecureBoot configuration component.
Copyright (c) 2011 - 2014, Intel Corporation. All rights reserved.<BR> Copyright (c) 2011 - 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at which accompanies this distribution. The full text of the license may be found at
@ -33,6 +33,14 @@ formset
subtitle text = STRING_TOKEN(STR_NULL); subtitle text = STRING_TOKEN(STR_NULL);
//
// Display current secure boot mode(one of SetupMode/AuditMode/UserMode/DeployedMode)
//
text
help = STRING_TOKEN(STR_CUR_SECURE_BOOT_MODE_HELP),
text = STRING_TOKEN(STR_CUR_SECURE_BOOT_MODE_PROMPT),
text = STRING_TOKEN(STR_CUR_SECURE_BOOT_MODE_CONTENT);
text text
help = STRING_TOKEN(STR_SECURE_BOOT_STATE_HELP), help = STRING_TOKEN(STR_SECURE_BOOT_STATE_HELP),
text = STRING_TOKEN(STR_SECURE_BOOT_STATE_PROMPT), text = STRING_TOKEN(STR_SECURE_BOOT_STATE_PROMPT),
@ -84,18 +92,18 @@ formset
endoneof; endoneof;
// //
// // Display PK include page
// Display of 'Current Secure Boot Mode'
// //
suppressif questionref(SecureBootMode) == SECURE_BOOT_MODE_STANDARD; suppressif questionref(SecureBootMode) == SECURE_BOOT_MODE_STANDARD;
grayoutif NOT ideqval SECUREBOOT_CONFIGURATION.PhysicalPresent == 1; grayoutif NOT ideqval SECUREBOOT_CONFIGURATION.PhysicalPresent == 1;
goto FORMID_SECURE_BOOT_OPTION_FORM, goto FORMID_SECURE_BOOT_OPTION_FORM,
prompt = STRING_TOKEN(STR_SECURE_BOOT_OPTION), prompt = STRING_TOKEN(STR_SECURE_BOOT_OPTION),
help = STRING_TOKEN(STR_SECURE_BOOT_OPTION_HELP), help = STRING_TOKEN(STR_SECURE_BOOT_OPTION_HELP),
flags = INTERACTIVE, flags = INTERACTIVE,
key = KEY_SECURE_BOOT_OPTION; key = KEY_SECURE_BOOT_OPTION;
endif;
endif; endif;
endif;
endform; endform;
// //
@ -106,6 +114,55 @@ formset
subtitle text = STRING_TOKEN(STR_NULL); subtitle text = STRING_TOKEN(STR_NULL);
//
// Display of SetupMode/UserMode/AuditMode/DeployedMode transition
//
disableif TRUE;
oneof varid = SECUREBOOT_CONFIGURATION.TransSecureBootMode,
prompt = STRING_TOKEN(STR_TRANS_SECURE_BOOT_MODE_PROMPT),
help = STRING_TOKEN(STR_TRANS_SECURE_BOOT_MODE_HELP),
flags = INTERACTIVE,
suppressif ideqval SECUREBOOT_CONFIGURATION.CurSecureBootMode == SECURE_BOOT_MODE_AUDIT_MODE
OR (ideqval SECUREBOOT_CONFIGURATION.CurSecureBootMode == SECURE_BOOT_MODE_DEPLOYED_MODE AND
ideqval SECUREBOOT_CONFIGURATION.PhysicalPresent == 0);
option text = STRING_TOKEN(STR_USER_MODE), value = SECURE_BOOT_MODE_USER_MODE, flags = 0;
endif
suppressif ideqval SECUREBOOT_CONFIGURATION.CurSecureBootMode == SECURE_BOOT_MODE_AUDIT_MODE;
option text = STRING_TOKEN(STR_SETUP_MODE), value = SECURE_BOOT_MODE_SETUP_MODE, flags = 0;
endif
suppressif ideqval SECUREBOOT_CONFIGURATION.CurSecureBootMode == SECURE_BOOT_MODE_DEPLOYED_MODE;
option text = STRING_TOKEN(STR_AUDIT_MODE), value = SECURE_BOOT_MODE_AUDIT_MODE, flags = 0;
endif
suppressif ideqval SECUREBOOT_CONFIGURATION.CurSecureBootMode == SECURE_BOOT_MODE_SETUP_MODE;
option text = STRING_TOKEN(STR_DEPLOYED_MODE), value = SECURE_BOOT_MODE_DEPLOYED_MODE, flags = 0;
endif
option text = STRING_TOKEN(STR_DEPLOYED_MODE), value = 4, flags = 0;
endoneof;
endif;
oneof name = TransSecureBootMode,
questionid = KEY_TRANS_SECURE_BOOT_MODE,
prompt = STRING_TOKEN(STR_TRANS_SECURE_BOOT_MODE_PROMPT),
help = STRING_TOKEN(STR_TRANS_SECURE_BOOT_MODE_HELP),
flags = INTERACTIVE | NUMERIC_SIZE_1,
suppressif ideqval SECUREBOOT_CONFIGURATION.CurSecureBootMode == SECURE_BOOT_MODE_AUDIT_MODE
OR (ideqval SECUREBOOT_CONFIGURATION.CurSecureBootMode == SECURE_BOOT_MODE_DEPLOYED_MODE AND
ideqval SECUREBOOT_CONFIGURATION.PhysicalPresent == 0);
option text = STRING_TOKEN(STR_USER_MODE), value = SECURE_BOOT_MODE_USER_MODE, flags = 0;
endif
suppressif ideqval SECUREBOOT_CONFIGURATION.CurSecureBootMode == SECURE_BOOT_MODE_AUDIT_MODE;
option text = STRING_TOKEN(STR_SETUP_MODE), value = SECURE_BOOT_MODE_SETUP_MODE, flags = 0;
endif
suppressif ideqval SECUREBOOT_CONFIGURATION.CurSecureBootMode == SECURE_BOOT_MODE_DEPLOYED_MODE;
option text = STRING_TOKEN(STR_AUDIT_MODE), value = SECURE_BOOT_MODE_AUDIT_MODE, flags = 0;
endif
suppressif ideqval SECUREBOOT_CONFIGURATION.CurSecureBootMode == SECURE_BOOT_MODE_SETUP_MODE;
option text = STRING_TOKEN(STR_DEPLOYED_MODE), value = SECURE_BOOT_MODE_DEPLOYED_MODE, flags = 0;
endif
endoneof;
subtitle text = STRING_TOKEN(STR_NULL);
goto FORMID_SECURE_BOOT_PK_OPTION_FORM, goto FORMID_SECURE_BOOT_PK_OPTION_FORM,
prompt = STRING_TOKEN(STR_SECURE_BOOT_PK_OPTION), prompt = STRING_TOKEN(STR_SECURE_BOOT_PK_OPTION),
help = STRING_TOKEN(STR_SECURE_BOOT_PK_OPTION_HELP), help = STRING_TOKEN(STR_SECURE_BOOT_PK_OPTION_HELP),
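Review bot: The hidden oneof bound to `SECUREBOOT_CONFIGURATION.TransSecureBootMode` (wrapped in `disableif TRUE;`) ends with `option text = STRING_TOKEN(STR_DEPLOYED_MODE), value = 4, flags = 0;`, a fifth value that reuses the DeployedMode label and has no counterpart among the SECURE_BOOT_MODE_* constants (0-3) this commit adds to the header. Nothing in the form says why this never-displayed copy exists or what value 4 means, so a later maintainer cannot tell whether it is required or left over. Please add a comment above `disableif TRUE;` stating its purpose, and either drop the `value = 4` option or give it a named constant. The visible oneof hides disallowed targets with `suppressif` only, so a short comment noting that the requested transition is checked again in the driver callback would help anyone reading the form on its own.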


@ -49,6 +49,8 @@ HII_VENDOR_DEVICE_PATH mSecureBootHiiVendorDevicePath = {
BOOLEAN mIsEnterSecureBootForm = FALSE; BOOLEAN mIsEnterSecureBootForm = FALSE;
BOOLEAN mIsSelectedSecureBootModeForm = FALSE;
BOOLEAN mIsSecureBootModeChanged = FALSE;
// //
// OID ASN.1 Value for Hash Algorithms // OID ASN.1 Value for Hash Algorithms
@ -2808,6 +2810,256 @@ ON_EXIT:
); );
} }
/**
Perform secure boot mode transition from User Mode by setting AuditMode
or DeployedMode variable.
@param[in] NewMode New secure boot mode.
@retval EFI_SUCCESS Secure Boot mode transition is successful.
**/
EFI_STATUS
TransitionFromUserMode(
IN UINT8 NewMode
)
{
UINT8 Data;
EFI_STATUS Status;
if (NewMode == SECURE_BOOT_MODE_AUDIT_MODE) {
Data = 1;
Status = gRT->SetVariable(
EFI_AUDIT_MODE_NAME,
&gEfiGlobalVariableGuid,
EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
sizeof(UINT8),
&Data
);
return Status;
} else if (NewMode == SECURE_BOOT_MODE_DEPLOYED_MODE) {
Data = 1;
Status = gRT->SetVariable(
EFI_DEPLOYED_MODE_NAME,
&gEfiGlobalVariableGuid,
EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
sizeof(UINT8),
&Data
);
return Status;
}
//
// Other case do nothing here. May Goto enroll PK page.
//
return EFI_SUCCESS;
}
/**
Perform secure boot mode transition from Setup Mode by setting AuditMode
variable.
@param[in] NewMode New secure boot mode.
@retval EFI_SUCCESS Secure Boot mode transition is successful.
**/
EFI_STATUS
TransitionFromSetupMode(
IN UINT8 NewMode
)
{
UINT8 Data;
EFI_STATUS Status;
Status = EFI_INVALID_PARAMETER;
if (NewMode == SECURE_BOOT_MODE_AUDIT_MODE) {
Data = 1;
Status = gRT->SetVariable(
EFI_AUDIT_MODE_NAME,
&gEfiGlobalVariableGuid,
EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
sizeof(UINT8),
&Data
);
return Status;
}
//
// Other case do nothing here. May Goto enroll PK page.
//
return EFI_SUCCESS;
}
/**
Perform secure boot mode transition from Audit Mode. Nothing is done here,
should goto enroll PK page.
@param[in] NewMode New secure boot mode.
@retval EFI_SUCCESS Secure Boot mode transition is successful.
**/
EFI_STATUS
TransitionFromAuditMode(
IN UINT8 NewMode
)
{
//
// Other case do nothing here. Should Goto enroll PK page.
//
return EFI_SUCCESS;
}
/**
Perform secure boot mode transition from Deployed Mode by setting Deployed Mode
variable to 0.
@param[in] NewMode New secure boot mode.
@retval EFI_SUCCESS Secure Boot mode transition is successful.
**/
EFI_STATUS
TransitionFromDeployedMode(
IN UINT8 NewMode
)
{
UINT8 Data;
EFI_STATUS Status;
//
// Platform specific logic. when physical presence, Allow to set DeployedMode =:0
// to switch back to UserMode
//
if (NewMode == SECURE_BOOT_MODE_USER_MODE) {
Data = 0;
Status = gRT->SetVariable(
EFI_DEPLOYED_MODE_NAME,
&gEfiGlobalVariableGuid,
EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
sizeof(UINT8),
&Data
);
DEBUG((EFI_D_INFO, "DeployedMode Status %x\n", Status));
return Status;
}
return EFI_SUCCESS;
}
/**
Perform main secure boot mode transition.
@param[in] CurMode New secure boot mode.
@param[in] NewMode New secure boot mode.
@retval EFI_SUCCESS Secure Boot mode transition is successful.
**/
EFI_STATUS
SecureBootModeTransition(
IN UINT8 CurMode,
IN UINT8 NewMode
)
{
EFI_STATUS Status;
//
// Set platform to be customized mode to ensure platform specific mode switch sucess
//
Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);
if (EFI_ERROR (Status)) {
return Status;
}
//
// SecureBootMode transition
//
switch (CurMode) {
case SECURE_BOOT_MODE_USER_MODE:
Status = TransitionFromUserMode(NewMode);
break;
case SECURE_BOOT_MODE_SETUP_MODE:
Status = TransitionFromSetupMode(NewMode);
break;
case SECURE_BOOT_MODE_AUDIT_MODE:
Status = TransitionFromAuditMode(NewMode);
break;
case SECURE_BOOT_MODE_DEPLOYED_MODE:
Status = TransitionFromDeployedMode(NewMode);
break;
default:
Status = EFI_INVALID_PARAMETER;
ASSERT(FALSE);
}
return Status;
}
/**
Get current secure boot mode by retrieve data from SetupMode/AuditMode/DeployedMode.
@param[out] SecureBootMode Current secure boot mode.
**/
VOID
ExtractSecureBootModeFromVariable(
OUT UINT8 *SecureBootMode
)
{
UINT8 *SetupMode;
UINT8 *AuditMode;
UINT8 *DeployedMode;
SetupMode = NULL;
AuditMode = NULL;
DeployedMode = NULL;
//
// Get AuditMode/DeployedMode from variable
//
GetVariable2 (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SetupMode, NULL);
GetVariable2 (EFI_AUDIT_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&AuditMode, NULL);
GetVariable2 (EFI_DEPLOYED_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&DeployedMode, NULL);
if (SetupMode != NULL && AuditMode != NULL && DeployedMode != NULL) {
if (*SetupMode == 0 && *AuditMode == 0 && *DeployedMode == 0) {
//
// User Mode
//
*SecureBootMode = SECURE_BOOT_MODE_USER_MODE;
} else if (*SetupMode == 1 && *AuditMode == 0 && *DeployedMode == 0) {
//
// Setup Mode
//
*SecureBootMode = SECURE_BOOT_MODE_SETUP_MODE;
} else if (*SetupMode == 1 && *AuditMode == 1 && *DeployedMode == 0) {
//
// Audit Mode
//
*SecureBootMode = SECURE_BOOT_MODE_AUDIT_MODE;
} else if (*SetupMode == 0 && *AuditMode == 0 && *DeployedMode == 1) {
//
// Deployed Mode
//
*SecureBootMode = SECURE_BOOT_MODE_DEPLOYED_MODE;
} else {
ASSERT(FALSE);
}
}else {
ASSERT(FALSE);
}
if (SetupMode != NULL) {
FreePool (SetupMode);
}
if (DeployedMode != NULL) {
FreePool (DeployedMode);
}
if (AuditMode != NULL) {
FreePool (AuditMode);
}
}
/** /**
This function extracts configuration from variable. This function extracts configuration from variable.
@ -2820,12 +3072,10 @@ SecureBootExtractConfigFromVariable (
) )
{ {
UINT8 *SecureBootEnable; UINT8 *SecureBootEnable;
UINT8 *SetupMode;
UINT8 *SecureBootMode; UINT8 *SecureBootMode;
EFI_TIME CurrTime; EFI_TIME CurrTime;
SecureBootEnable = NULL; SecureBootEnable = NULL;
SetupMode = NULL;
SecureBootMode = NULL; SecureBootMode = NULL;
// //
@ -2865,16 +3115,6 @@ SecureBootExtractConfigFromVariable (
ConfigData->PhysicalPresent = FALSE; ConfigData->PhysicalPresent = FALSE;
} }
//
// If there is no PK then the Delete Pk button will be gray.
//
GetVariable2 (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SetupMode, NULL);
if (SetupMode == NULL || (*SetupMode) == SETUP_MODE) {
ConfigData->HasPk = FALSE;
} else {
ConfigData->HasPk = TRUE;
}
// //
// Get the SecureBootMode from CustomMode variable. // Get the SecureBootMode from CustomMode variable.
// //
@ -2885,12 +3125,24 @@ SecureBootExtractConfigFromVariable (
ConfigData->SecureBootMode = *(SecureBootMode); ConfigData->SecureBootMode = *(SecureBootMode);
} }
//
// Extact current Secure Boot Mode
//
ExtractSecureBootModeFromVariable(&ConfigData->CurSecureBootMode);
//
// If there is no PK then the Delete Pk button will be gray.
//
if (ConfigData->CurSecureBootMode == SECURE_BOOT_MODE_SETUP_MODE || ConfigData->CurSecureBootMode == SECURE_BOOT_MODE_AUDIT_MODE) {
ConfigData->HasPk = FALSE;
} else {
ConfigData->HasPk = TRUE;
}
if (SecureBootEnable != NULL) { if (SecureBootEnable != NULL) {
FreePool (SecureBootEnable); FreePool (SecureBootEnable);
} }
if (SetupMode != NULL) {
FreePool (SetupMode);
}
if (SecureBootMode != NULL) { if (SecureBootMode != NULL) {
FreePool (SecureBootMode); FreePool (SecureBootMode);
} }
@ -2965,16 +3217,28 @@ SecureBootExtractConfig (
SecureBootExtractConfigFromVariable (&Configuration); SecureBootExtractConfigFromVariable (&Configuration);
// //
// Update current secure boot state. // Get current secure boot state.
// //
GetVariable2 (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SecureBoot, NULL); GetVariable2 (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SecureBoot, NULL);
if (SecureBoot != NULL && *SecureBoot == SECURE_BOOT_MODE_ENABLE) { if (SecureBoot != NULL && *SecureBoot == SECURE_BOOT_MODE_ENABLE) {
HiiSetString (PrivateData->HiiHandle, STRING_TOKEN (STR_SECURE_BOOT_STATE_CONTENT), L"Enabled", NULL); HiiSetString (PrivateData->HiiHandle, STRING_TOKEN (STR_SECURE_BOOT_STATE_CONTENT), L"Enabled", NULL);
} else { } else {
HiiSetString (PrivateData->HiiHandle, STRING_TOKEN (STR_SECURE_BOOT_STATE_CONTENT), L"Disabled", NULL); HiiSetString (PrivateData->HiiHandle, STRING_TOKEN (STR_SECURE_BOOT_STATE_CONTENT), L"Disabled", NULL);
} }
if (SecureBoot != NULL) {
FreePool (SecureBoot); //
// Get current secure boot mode
//
DEBUG((EFI_D_INFO, "Configuration.CurSecureBootMode %d\n", Configuration.CurSecureBootMode));
if (Configuration.CurSecureBootMode == SECURE_BOOT_MODE_USER_MODE) {
HiiSetString (PrivateData->HiiHandle, STRING_TOKEN (STR_CUR_SECURE_BOOT_MODE_CONTENT), L"UserMode", NULL);
} else if (Configuration.CurSecureBootMode == SECURE_BOOT_MODE_SETUP_MODE) {
HiiSetString (PrivateData->HiiHandle, STRING_TOKEN (STR_CUR_SECURE_BOOT_MODE_CONTENT), L"SetupMode", NULL);
} else if (Configuration.CurSecureBootMode == SECURE_BOOT_MODE_AUDIT_MODE) {
HiiSetString (PrivateData->HiiHandle, STRING_TOKEN (STR_CUR_SECURE_BOOT_MODE_CONTENT), L"AuditMode", NULL);
} else if (Configuration.CurSecureBootMode == SECURE_BOOT_MODE_DEPLOYED_MODE) {
HiiSetString (PrivateData->HiiHandle, STRING_TOKEN (STR_CUR_SECURE_BOOT_MODE_CONTENT), L"DeployedMode", NULL);
} }
BufferSize = sizeof (SECUREBOOT_CONFIGURATION); BufferSize = sizeof (SECUREBOOT_CONFIGURATION);
@ -3021,6 +3285,10 @@ SecureBootExtractConfig (
*Progress = Request + StrLen (Request); *Progress = Request + StrLen (Request);
} }
if (SecureBoot != NULL) {
FreePool (SecureBoot);
}
return Status; return Status;
} }
@ -3142,43 +3410,16 @@ SecureBootCallback (
UINT16 LabelId; UINT16 LabelId;
UINT8 *SecureBootEnable; UINT8 *SecureBootEnable;
UINT8 *SecureBootMode; UINT8 *SecureBootMode;
UINT8 *SetupMode;
CHAR16 PromptString[100]; CHAR16 PromptString[100];
UINT8 CurSecureBootMode;
Status = EFI_SUCCESS;
SecureBootEnable = NULL; SecureBootEnable = NULL;
SecureBootMode = NULL; SecureBootMode = NULL;
SetupMode = NULL;
if ((This == NULL) || (Value == NULL) || (ActionRequest == NULL)) { if ((This == NULL) || (Value == NULL) || (ActionRequest == NULL)) {
return EFI_INVALID_PARAMETER; return EFI_INVALID_PARAMETER;
} }
if (Action == EFI_BROWSER_ACTION_FORM_OPEN) {
if (QuestionId == KEY_SECURE_BOOT_MODE) {
mIsEnterSecureBootForm = TRUE;
}
return EFI_SUCCESS;
}
if (Action == EFI_BROWSER_ACTION_RETRIEVE) {
Status = EFI_UNSUPPORTED;
if (QuestionId == KEY_SECURE_BOOT_MODE) {
if (mIsEnterSecureBootForm) {
Value->u8 = SECURE_BOOT_MODE_STANDARD;
Status = EFI_SUCCESS;
}
}
return Status;
}
if ((Action != EFI_BROWSER_ACTION_CHANGED) &&
(Action != EFI_BROWSER_ACTION_CHANGING) &&
(Action != EFI_BROWSER_ACTION_FORM_CLOSE) &&
(Action != EFI_BROWSER_ACTION_DEFAULT_STANDARD)) {
return EFI_UNSUPPORTED;
}
Private = SECUREBOOT_CONFIG_PRIVATE_FROM_THIS (This); Private = SECUREBOOT_CONFIG_PRIVATE_FROM_THIS (This);
// //
@ -3190,10 +3431,46 @@ SecureBootCallback (
return EFI_OUT_OF_RESOURCES; return EFI_OUT_OF_RESOURCES;
} }
Status = EFI_SUCCESS;
HiiGetBrowserData (&gSecureBootConfigFormSetGuid, mSecureBootStorageName, BufferSize, (UINT8 *) IfrNvData); HiiGetBrowserData (&gSecureBootConfigFormSetGuid, mSecureBootStorageName, BufferSize, (UINT8 *) IfrNvData);
if (Action == EFI_BROWSER_ACTION_FORM_OPEN) {
if (QuestionId == KEY_SECURE_BOOT_MODE) {
mIsEnterSecureBootForm = TRUE;
} else if (QuestionId == KEY_TRANS_SECURE_BOOT_MODE){
//
// Secure Boot Policy variable changes after tranistion. Re-sync CurSecureBootMode
//
ExtractSecureBootModeFromVariable(&IfrNvData->CurSecureBootMode);
mIsSelectedSecureBootModeForm = TRUE;
mIsSecureBootModeChanged = FALSE;
}
goto EXIT;
}
if (Action == EFI_BROWSER_ACTION_RETRIEVE) {
Status = EFI_UNSUPPORTED;
if (QuestionId == KEY_SECURE_BOOT_MODE) {
if (mIsEnterSecureBootForm) {
Value->u8 = SECURE_BOOT_MODE_STANDARD;
Status = EFI_SUCCESS;
}
} else if (QuestionId == KEY_TRANS_SECURE_BOOT_MODE) {
if (mIsSelectedSecureBootModeForm) {
Value->u8 = IfrNvData->CurSecureBootMode;
Status = EFI_SUCCESS;
}
}
goto EXIT;
}
if ((Action != EFI_BROWSER_ACTION_CHANGED) &&
(Action != EFI_BROWSER_ACTION_CHANGING) &&
(Action != EFI_BROWSER_ACTION_FORM_CLOSE) &&
(Action != EFI_BROWSER_ACTION_DEFAULT_STANDARD)) {
Status = EFI_UNSUPPORTED;
goto EXIT;
}
if (Action == EFI_BROWSER_ACTION_CHANGING) { if (Action == EFI_BROWSER_ACTION_CHANGING) {
switch (QuestionId) { switch (QuestionId) {
@ -3419,6 +3696,66 @@ SecureBootCallback (
); );
} }
break; break;
case KEY_TRANS_SECURE_BOOT_MODE:
//
// Pop up to alert user want to change secure boot mode
//
if ((IfrNvData->CurSecureBootMode == SECURE_BOOT_MODE_USER_MODE &&
(Value->u8 == SECURE_BOOT_MODE_AUDIT_MODE || Value->u8 == SECURE_BOOT_MODE_DEPLOYED_MODE))
||(IfrNvData->CurSecureBootMode == SECURE_BOOT_MODE_SETUP_MODE &&
Value->u8 == SECURE_BOOT_MODE_AUDIT_MODE)
||(IfrNvData->CurSecureBootMode == SECURE_BOOT_MODE_DEPLOYED_MODE &&
Value->u8 == SECURE_BOOT_MODE_USER_MODE && IfrNvData->PhysicalPresent == 1)){
CreatePopUp (
EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
&Key,
L"Are you sure you want to switch secure boot mode?",
L"Press 'Y' to switch secure boot mode, 'N' to discard change and return",
NULL
);
if (Key.UnicodeChar != 'y' && Key.UnicodeChar != 'Y') {
//
// If not 'Y'/''y' restore to defualt secure boot mode
//
Value->u8 = IfrNvData->CurSecureBootMode;
goto EXIT;
}
} else if ((IfrNvData->CurSecureBootMode == SECURE_BOOT_MODE_SETUP_MODE && Value->u8 == SECURE_BOOT_MODE_USER_MODE)
||(IfrNvData->CurSecureBootMode == SECURE_BOOT_MODE_USER_MODE && Value->u8 == SECURE_BOOT_MODE_SETUP_MODE)
||(IfrNvData->CurSecureBootMode == SECURE_BOOT_MODE_AUDIT_MODE && Value->u8 == SECURE_BOOT_MODE_DEPLOYED_MODE)
||(IfrNvData->CurSecureBootMode == SECURE_BOOT_MODE_DEPLOYED_MODE && Value->u8 == SECURE_BOOT_MODE_SETUP_MODE)) {
CreatePopUp (
EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
&Key,
L"Secure boot mode tranistion requires PK change",
L"Please go to link below to update PK",
NULL
);
} else {
Status = EFI_INVALID_PARAMETER;
goto EXIT;
}
Status = SecureBootModeTransition(IfrNvData->CurSecureBootMode, Value->u8);
//
// Secure Boot Policy variable may change after tranistion. Re-sync CurSecureBootMode
//
ExtractSecureBootModeFromVariable(&CurSecureBootMode);
if (IfrNvData->CurSecureBootMode != CurSecureBootMode) {
IfrNvData->CurSecureBootMode = CurSecureBootMode;
mIsSecureBootModeChanged = TRUE;
if (IfrNvData->CurSecureBootMode == SECURE_BOOT_MODE_USER_MODE) {
HiiSetString (Private->HiiHandle, STRING_TOKEN (STR_CUR_SECURE_BOOT_MODE_CONTENT), L"UserMode", NULL);
} else if (IfrNvData->CurSecureBootMode == SECURE_BOOT_MODE_SETUP_MODE) {
HiiSetString (Private->HiiHandle, STRING_TOKEN (STR_CUR_SECURE_BOOT_MODE_CONTENT), L"SetupMode", NULL);
} else if (IfrNvData->CurSecureBootMode == SECURE_BOOT_MODE_AUDIT_MODE) {
HiiSetString (Private->HiiHandle, STRING_TOKEN (STR_CUR_SECURE_BOOT_MODE_CONTENT), L"AuditMode", NULL);
} else if (IfrNvData->CurSecureBootMode == SECURE_BOOT_MODE_DEPLOYED_MODE) {
HiiSetString (Private->HiiHandle, STRING_TOKEN (STR_CUR_SECURE_BOOT_MODE_CONTENT), L"DeployedMode", NULL);
}
}
break;
default: default:
if (QuestionId >= FILE_OPTION_GOTO_OFFSET) { if (QuestionId >= FILE_OPTION_GOTO_OFFSET) {
@ -3509,7 +3846,13 @@ SecureBootCallback (
case KEY_SECURE_BOOT_MODE: case KEY_SECURE_BOOT_MODE:
mIsEnterSecureBootForm = FALSE; mIsEnterSecureBootForm = FALSE;
break; break;
case KEY_TRANS_SECURE_BOOT_MODE:
mIsSelectedSecureBootModeForm = FALSE;
if (mIsSecureBootModeChanged) {
*ActionRequest = EFI_BROWSER_ACTION_REQUEST_RESET;
}
mIsSecureBootModeChanged = FALSE;
break;
case KEY_SECURE_BOOT_KEK_GUID: case KEY_SECURE_BOOT_KEK_GUID:
case KEY_SECURE_BOOT_SIGNATURE_GUID_DB: case KEY_SECURE_BOOT_SIGNATURE_GUID_DB:
case KEY_SECURE_BOOT_SIGNATURE_GUID_DBX: case KEY_SECURE_BOOT_SIGNATURE_GUID_DBX:
@ -3528,8 +3871,7 @@ SecureBootCallback (
break; break;
case KEY_SECURE_BOOT_DELETE_PK: case KEY_SECURE_BOOT_DELETE_PK:
GetVariable2 (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SetupMode, NULL); if (IfrNvData->CurSecureBootMode == SECURE_BOOT_MODE_USER_MODE || IfrNvData->CurSecureBootMode == SECURE_BOOT_MODE_DEPLOYED_MODE) {
if (SetupMode == NULL || (*SetupMode) == SETUP_MODE) {
IfrNvData->DeletePk = TRUE; IfrNvData->DeletePk = TRUE;
IfrNvData->HasPk = FALSE; IfrNvData->HasPk = FALSE;
*ActionRequest = EFI_BROWSER_ACTION_REQUEST_SUBMIT; *ActionRequest = EFI_BROWSER_ACTION_REQUEST_SUBMIT;
@ -3538,9 +3880,6 @@ SecureBootCallback (
IfrNvData->HasPk = TRUE; IfrNvData->HasPk = TRUE;
*ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY; *ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY;
} }
if (SetupMode != NULL) {
FreePool (SetupMode);
}
break; break;
default: default:
if (QuestionId >= FILE_OPTION_OFFSET && QuestionId < FILE_OPTION_GOTO_OFFSET) { if (QuestionId >= FILE_OPTION_OFFSET && QuestionId < FILE_OPTION_GOTO_OFFSET) {
@ -3575,10 +3914,13 @@ SecureBootCallback (
} }
} }
EXIT:
if (!EFI_ERROR (Status)) { if (!EFI_ERROR (Status)) {
BufferSize = sizeof (SECUREBOOT_CONFIGURATION); BufferSize = sizeof (SECUREBOOT_CONFIGURATION);
HiiSetBrowserData (&gSecureBootConfigFormSetGuid, mSecureBootStorageName, BufferSize, (UINT8*) IfrNvData, NULL); HiiSetBrowserData (&gSecureBootConfigFormSetGuid, mSecureBootStorageName, BufferSize, (UINT8*) IfrNvData, NULL);
} }
FreePool (IfrNvData); FreePool (IfrNvData);
return EFI_SUCCESS; return EFI_SUCCESS;
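Review bot: ExtractSecureBootModeFromVariable leaves `*SecureBootMode` unwritten on both failure paths (a variable missing, or an unrecognised SetupMode/AuditMode/DeployedMode combination), and `ASSERT(FALSE)` is the only signal, which presumably compiles out in release builds. In the KEY_TRANS_SECURE_BOOT_MODE case of SecureBootCallback (whose body starts outside this section) the result lands in the uninitialised local `UINT8 CurSecureBootMode;` and is then copied into `IfrNvData->CurSecureBootMode`, which the same callback uses to decide whether a PK can be deleted and which transitions are accepted. Returning an EFI_STATUS and having each caller keep its previous value on error would keep that state from being driven by stack garbage. The three GetVariable2 return values and the sizes of the data read are also unchecked. A sketch of the function change follows; the three call sites would need to test the result.

```c
EFI_STATUS
ExtractSecureBootModeFromVariable(
  OUT UINT8      *SecureBootMode
  )
{
  EFI_STATUS     Status;
  // … unchanged: SetupMode/AuditMode/DeployedMode declarations and GetVariable2 calls …

  Status = EFI_SUCCESS;
  if (SetupMode != NULL && AuditMode != NULL && DeployedMode != NULL) {
    // … unchanged: the four recognised SetupMode/AuditMode/DeployedMode combinations …
    } else {
      //
      // Unrecognised combination: report it instead of leaving the output unset.
      //
      ASSERT(FALSE);
      Status = EFI_DEVICE_ERROR;
    }
  } else {
    ASSERT(FALSE);
    Status = EFI_NOT_FOUND;
  }
  // … unchanged: FreePool of the three buffers …
  return Status;
}
```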


@ -1,7 +1,7 @@
/** @file /** @file
Header file for NV data structure definition. Header file for NV data structure definition.
Copyright (c) 2011 - 2014, Intel Corporation. All rights reserved.<BR> Copyright (c) 2011 - 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at which accompanies this distribution. The full text of the license may be found at
@ -84,6 +84,8 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#define LABEL_DBT_DELETE 0x1203 #define LABEL_DBT_DELETE 0x1203
#define LABEL_END 0xffff #define LABEL_END 0xffff
#define KEY_TRANS_SECURE_BOOT_MODE 0x2000
#define SECURE_BOOT_MAX_ATTEMPTS_NUM 255 #define SECURE_BOOT_MAX_ATTEMPTS_NUM 255
#define CONFIG_OPTION_OFFSET 0x2000 #define CONFIG_OPTION_OFFSET 0x2000
@ -116,6 +118,11 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#define SECURE_BOOT_GUID_SIZE 36 #define SECURE_BOOT_GUID_SIZE 36
#define SECURE_BOOT_GUID_STORAGE_SIZE 37 #define SECURE_BOOT_GUID_STORAGE_SIZE 37
#define SECURE_BOOT_MODE_USER_MODE 0
#define SECURE_BOOT_MODE_SETUP_MODE 1
#define SECURE_BOOT_MODE_AUDIT_MODE 2
#define SECURE_BOOT_MODE_DEPLOYED_MODE 3
// //
// Nv Data structure referenced by IFR // Nv Data structure referenced by IFR
// //
@ -125,6 +132,8 @@ typedef struct {
CHAR16 SignatureGuid[SECURE_BOOT_GUID_STORAGE_SIZE]; CHAR16 SignatureGuid[SECURE_BOOT_GUID_STORAGE_SIZE];
BOOLEAN PhysicalPresent; // If a Physical Present User BOOLEAN PhysicalPresent; // If a Physical Present User
UINT8 SecureBootMode; // Secure Boot Mode: Standard Or Custom UINT8 SecureBootMode; // Secure Boot Mode: Standard Or Custom
UINT8 CurSecureBootMode; // Current SecureBoot Mode SetupMode/UserMode/AuditMode/DeployedMode
UINT8 TransSecureBootMode; // Trans Next SecureBoot Mode
BOOLEAN DeletePk; BOOLEAN DeletePk;
BOOLEAN HasPk; // If Pk is existed it is true BOOLEAN HasPk; // If Pk is existed it is true
BOOLEAN AlwaysRevocation; // If the certificate is always revoked. Revocation time is hidden BOOLEAN AlwaysRevocation; // If the certificate is always revoked. Revocation time is hidden
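Review bot: `KEY_TRANS_SECURE_BOOT_MODE` is given the value 0x2000, the same value as `CONFIG_OPTION_OFFSET` two lines below it. Whether question ids are derived from that offset is not visible here, so this may be harmless, but if they are, the callback's `case KEY_TRANS_SECURE_BOOT_MODE:` would also match the first such id and enter the mode-transition path. Please confirm the id is unused, or pick a free one and add a comment such as `// Question id of the secure boot mode transition oneof; must not overlap the *_OFFSET ranges`. The four `SECURE_BOOT_MODE_*_MODE` values would also benefit from a one-line comment saying that, as used in this commit, they are the form's own encoding derived from the SetupMode/AuditMode/DeployedMode variables rather than the contents of any single variable.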