SecurityPkg Variable: Make PK & SecureBootMode consistent

PK can be cleared in runtime. However SecureBootMode variable is not updated accordingly. Add code in variable init to make them consistent. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Chao Zhang <chao.b.zhang@intel.com> Reviewed-by: Fu Siyuan <siyuan.fu@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17401 6f19259b-4bc3-4df7-8a09-765794883524
2015-05-11 05:49:31 +00:00 · 2015-05-11 05:49:31 +00:00 · 98e9d30f78
parent 74705ca53e
commit 98e9d30f78
1 changed files with 19 additions and 1 deletions
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
@ -277,7 +277,25 @@ AutenticatedVariableServiceInitialize (
  SecureBootEnable = SECURE_BOOT_DISABLE;
  FindVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
  if (Variable.CurrPtr != NULL) {
-    SecureBootEnable = *(GetVariableDataPtr (Variable.CurrPtr));
+    if (mPlatformMode == SETUP_MODE){
+      //
+      // PK is cleared in runtime. "SecureBootMode" is not updated before reboot 
+      // Delete "SecureBootMode" in SetupMode
+      //
+      Status = UpdateVariable (
+                 EFI_SECURE_BOOT_ENABLE_NAME,
+                 &gEfiSecureBootEnableDisableGuid,
+                 &SecureBootEnable,
+                 0,
+                 EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+                 0,
+                 0,
+                 &Variable,
+                 NULL
+                 );
+    } else {
+      SecureBootEnable = *(GetVariableDataPtr (Variable.CurrPtr));
+    }
  } else if (mPlatformMode == USER_MODE) {
    //
    // "SecureBootEnable" not exist, initialize it in USER_MODE.