From 98e9d30f787fc0c25fe5232c29fd0bfb9fb446c4 Mon Sep 17 00:00:00 2001
From: Chao Zhang
Date: Mon, 11 May 2015 05:49:31 +0000
Subject: [PATCH] SecurityPkg Variable: Make PK & SecureBootMode consistent
PK can be cleared in runtime. However SecureBootMode variable is not updated accordingly. Add code in variable init to make them consistent.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang
Reviewed-by: Fu Siyuan
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17401 6f19259b-4bc3-4df7-8a09-765794883524
---
 .../RuntimeDxe/AuthService.c | 20 ++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
index b48129135f..36d447027d 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
@@ -277,7 +277,25 @@ AutenticatedVariableServiceInitialize (
 SecureBootEnable = SECURE_BOOT_DISABLE;
 FindVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
 if (Variable.CurrPtr != NULL) {
- SecureBootEnable = *(GetVariableDataPtr (Variable.CurrPtr));
+ if (mPlatformMode == SETUP_MODE){
+ //
+ // PK is cleared in runtime. "SecureBootMode" is not updated before reboot
+ // Delete "SecureBootMode" in SetupMode
+ //
+ Status = UpdateVariable (
+ EFI_SECURE_BOOT_ENABLE_NAME,
+ &gEfiSecureBootEnableDisableGuid,
+ &SecureBootEnable,
+ 0,
+ EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ 0,
+ 0,
+ &Variable,
+ NULL
+ );
+ } else {
+ SecureBootEnable = *(GetVariableDataPtr (Variable.CurrPtr));
+ }
 } else if (mPlatformMode == USER_MODE) {
 //
 // "SecureBootEnable" not exist, initialize it in USER_MODE.
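Review bot: The `Status` returned by the new `UpdateVariable` call in the `SETUP_MODE` branch is never examined, so a failed delete leaves the stale non-volatile variable in place and initialization carries on as if PK and the enable setting had been reconciled. Check it straight after the call, e.g. `if (EFI_ERROR (Status)) { return Status; }`, or use whatever failure handling the rest of AutenticatedVariableServiceInitialize applies, which lies outside this hunk. The added comment also names "SecureBootMode" while the call deletes the variable identified by `EFI_SECURE_BOOT_ENABLE_NAME`, which the trailing context calls "SecureBootEnable"; reword it to `// PK was cleared at runtime; delete the stale "SecureBootEnable" variable in SETUP_MODE`.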