Sync patches r14373 and r14375 from main trunk.

1. Pop up error message when user tries to enroll an invalid certificate file into KEK/DB/DBX.
2. Fix a bug that 'SecureBoot' varaible will be updated to NV+AT attribute incorrectly.

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/branches/UDK2010.SR1@14376 6f19259b-4bc3-4df7-8a09-765794883524

4 files changed, 35 insertions, 71 deletions

diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index 5bc29cf..9e4bf86 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1348,53 +1348,6 @@ Done:
 }

 

 /**

-  When VariableWriteArchProtocol install, create "SecureBoot" variable.

-

-  @param[in] Event    Event whose notification function is being invoked.

-  @param[in] Context  Pointer to the notification function's context.

-

-**/

-VOID

-EFIAPI

-VariableWriteCallBack (

-  IN  EFI_EVENT                           Event,

-  IN  VOID                                *Context

-  )

-{

-  UINT8                       SecureBootMode;

-  UINT8                       *SecureBootModePtr;

-  EFI_STATUS                  Status;

-  VOID                        *ProtocolPointer;

-

-  Status = gBS->LocateProtocol (&gEfiVariableWriteArchProtocolGuid, NULL, &ProtocolPointer);

-  if (EFI_ERROR (Status)) {

-    return;

-  }

-

-  //

-  // Check whether "SecureBoot" variable exists.

-  // If this library is built-in, it means firmware has capability to perform

-  // driver signing verification.

-  //

-  GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOID**)&SecureBootModePtr, NULL);

-  if (SecureBootModePtr == NULL) {

-    SecureBootMode   = SECURE_BOOT_MODE_DISABLE;

-    //

-    // Authenticated variable driver will update "SecureBoot" depending on SetupMode variable.

-    //

-    gRT->SetVariable (

-           EFI_SECURE_BOOT_MODE_NAME,

-           &gEfiGlobalVariableGuid,

-           EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_NON_VOLATILE,

-           sizeof (UINT8),

-           &SecureBootMode

-           );

-  } else {

-    FreePool (SecureBootModePtr);

-  }

-}

-

-/**

   Register security measurement handler.

 

   @param  ImageHandle   ImageHandle of the loaded driver.

@@ -1409,19 +1362,6 @@ DxeImageVerificationLibConstructor (
   IN EFI_SYSTEM_TABLE  *SystemTable

   )

 {

-  VOID                *Registration;

-

-  //

-  // Register callback function upon VariableWriteArchProtocol.

-  //

-  EfiCreateProtocolNotifyEvent (

-    &gEfiVariableWriteArchProtocolGuid,

-    TPL_CALLBACK,

-    VariableWriteCallBack,

-    NULL,

-    &Registration

-    );

-

   return RegisterSecurity2Handler (

           DxeImageVerificationHandler,

           EFI_AUTH_OPERATION_VERIFY_IMAGE | EFI_AUTH_OPERATION_IMAGE_REQUIRED

diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
index dd03b0b..0c6ab96 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
@@ -7,7 +7,7 @@
 #  This external input must be validated carefully to avoid security issue like

 #  buffer overflow, integer overflow.

 #

-# Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>

+# Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.<BR>

 # This program and the accompanying materials

 # are licensed and made available under the terms and conditions of the BSD License

 # which accompanies this distribution. The full text of the license may be found at

@@ -59,7 +59,6 @@
   gEfiFirmwareVolume2ProtocolGuid

   gEfiBlockIoProtocolGuid

   gEfiSimpleFileSystemProtocolGuid

-  gEfiVariableWriteArchProtocolGuid

   

 [Guids]

   gEfiCertTypeRsa2048Sha256Guid

diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
index 440ede9..7da0d63 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
@@ -675,7 +675,6 @@ UpdatePlatformMode (
 {

   EFI_STATUS              Status;

   VARIABLE_POINTER_TRACK  Variable;

-  UINT32                  VarAttr;

   UINT8                   SecureBootMode;

   UINT8                   SecureBootEnable;

   UINTN                   VariableDataSize;

@@ -736,13 +735,12 @@ UpdatePlatformMode (
     }

   }

 

-  VarAttr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS;

   Status  = UpdateVariable (

               EFI_SECURE_BOOT_MODE_NAME,

               &gEfiGlobalVariableGuid,

               &SecureBootMode,

               sizeof(UINT8),

-              VarAttr,

+              EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,

               0,

               0,

               &Variable,

diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
index 51da86b..ecb21d0 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
@@ -2601,14 +2601,41 @@ SecureBootCallback (
 

     case KEY_VALUE_SAVE_AND_EXIT_KEK:

       Status = EnrollKeyExchangeKey (Private);

+      if (EFI_ERROR (Status)) {

+        CreatePopUp (

+          EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,

+          &Key,

+          L"ERROR: Unsupported file type!",

+          L"Only supports DER-encoded X509 certificate",

+          NULL

+          );

+      }

       break;

 

     case KEY_VALUE_SAVE_AND_EXIT_DB:

       Status = EnrollSignatureDatabase (Private, EFI_IMAGE_SECURITY_DATABASE);

+      if (EFI_ERROR (Status)) {

+        CreatePopUp (

+          EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,

+          &Key,

+          L"ERROR: Unsupported file type!",

+          L"Only supports DER-encoded X509 certificate and executable EFI image",

+          NULL

+          );

+      }

       break;

 

     case KEY_VALUE_SAVE_AND_EXIT_DBX:

       Status = EnrollSignatureDatabase (Private, EFI_IMAGE_SECURITY_DATABASE1);

+      if (EFI_ERROR (Status)) {

+        CreatePopUp (

+          EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,

+          &Key,

+          L"ERROR: Unsupported file type!",

+          L"Only supports DER-encoded X509 certificate and executable EFI image",

+          NULL

+          );

+      }

       break;

 

     default:

@@ -2649,13 +2676,13 @@ SecureBootCallback (
       break;  

     case KEY_VALUE_SAVE_AND_EXIT_PK:

       Status = EnrollPlatformKey (Private);

-      UnicodeSPrint (

-        PromptString,

-        sizeof (PromptString),

-        L"Only DER encoded certificate file (%s) is supported.",

-        mSupportX509Suffix

-        );

       if (EFI_ERROR (Status)) {

+        UnicodeSPrint (

+          PromptString,

+          sizeof (PromptString),

+          L"Only DER encoded certificate file (%s) is supported.",

+          mSupportX509Suffix

+          );

         CreatePopUp (

           EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,

           &Key,