Diffstat (limited to 'SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c')
-rw-r--r--SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c97
1 files changed, 77 insertions, 20 deletions
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
index 6467c06..c4fbb64 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
@@ -33,6 +33,7 @@ UINT32 mMaxKeyNumber;
UINT32 mMaxKeyDbSize;
UINT8 *mCertDbStore;
UINT32 mMaxCertDbSize;
+UINT32 mPlatformMode;
UINT8 mVendorKeyState;
EFI_GUID mSignatureSupport[] = {EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID};
@@ -109,17 +110,6 @@ VARIABLE_ENTRY_PROPERTY mAuthVarEntry[] = {
MAX_UINTN
}
},
- {
- &gEdkiiSecureBootModeGuid,
- L"SecureBootMode",
- {
- VAR_CHECK_VARIABLE_PROPERTY_REVISION,
- VAR_CHECK_VARIABLE_PROPERTY_READ_ONLY,
- VARIABLE_ATTRIBUTE_NV_BS_RT,
- sizeof (UINT8),
- sizeof (UINT8)
- }
- }
};
VOID **mAuthVarAddressPointer[10];
@@ -153,6 +143,8 @@ AuthVariableLibInitialize (
UINT8 *Data;
UINTN DataSize;
UINTN CtxSize;
+ UINT8 SecureBootMode;
+ UINT8 SecureBootEnable;
UINT8 CustomMode;
UINT32 ListSize;
@@ -228,11 +220,31 @@ AuthVariableLibInitialize (
mPubKeyNumber = (UINT32) (DataSize / sizeof (AUTHVAR_KEY_DB_DATA));
}
+ Status = AuthServiceInternalFindVariable (EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((EFI_D_INFO, "Variable %s does not exist.\n", EFI_PLATFORM_KEY_NAME));
+ } else {
+ DEBUG ((EFI_D_INFO, "Variable %s exists.\n", EFI_PLATFORM_KEY_NAME));
+ }
+
//
- // Init Secure Boot variables
+ // Create "SetupMode" variable with BS+RT attribute set.
//
- Status = InitSecureBootVariables ();
-
+ if (EFI_ERROR (Status)) {
+ mPlatformMode = SETUP_MODE;
+ } else {
+ mPlatformMode = USER_MODE;
+ }
+ Status = AuthServiceInternalUpdateVariable (
+ EFI_SETUP_MODE_NAME,
+ &gEfiGlobalVariableGuid,
+ &mPlatformMode,
+ sizeof(UINT8),
+ EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS
+ );
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
//
// Create "SignatureSupport" variable with BS+RT attribute set.
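Review bot: The "SetupMode" write passes `&mPlatformMode` with `sizeof(UINT8)`, but the first hunk declares the global as `UINT32 mPlatformMode;`, so only the first byte in memory is stored. That byte is the intended value only on a little-endian target and only while SETUP_MODE/USER_MODE fit in one byte. Declaring the global as `UINT8 mPlatformMode;`, or passing a local `UINT8` copy, would make the size and the object agree. The mode is also derived purely from whether the PK lookup succeeded; if a present but zero-length PK can reach this point (not visible from the hunk), a `DataSize` check belongs in the same condition. AuthVariableLibInitialize starts and ends outside this hunk.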
@@ -249,6 +261,57 @@ AuthVariableLibInitialize (
}
//
+ // If "SecureBootEnable" variable exists, then update "SecureBoot" variable.
+ // If "SecureBootEnable" variable is SECURE_BOOT_ENABLE and in USER_MODE, Set "SecureBoot" variable to SECURE_BOOT_MODE_ENABLE.
+ // If "SecureBootEnable" variable is SECURE_BOOT_DISABLE, Set "SecureBoot" variable to SECURE_BOOT_MODE_DISABLE.
+ //
+ SecureBootEnable = SECURE_BOOT_DISABLE;
+ Status = AuthServiceInternalFindVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID **) &Data, &DataSize);
+ if (!EFI_ERROR (Status)) {
+ if (mPlatformMode == USER_MODE){
+ SecureBootEnable = *(UINT8 *) Data;
+ }
+ } else if (mPlatformMode == USER_MODE) {
+ //
+ // "SecureBootEnable" not exist, initialize it in USER_MODE.
+ //
+ SecureBootEnable = SECURE_BOOT_ENABLE;
+ Status = AuthServiceInternalUpdateVariable (
+ EFI_SECURE_BOOT_ENABLE_NAME,
+ &gEfiSecureBootEnableDisableGuid,
+ &SecureBootEnable,
+ sizeof (UINT8),
+ EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ );
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+ }
+
+ //
+ // Create "SecureBoot" variable with BS+RT attribute set.
+ //
+ if (SecureBootEnable == SECURE_BOOT_ENABLE && mPlatformMode == USER_MODE) {
+ SecureBootMode = SECURE_BOOT_MODE_ENABLE;
+ } else {
+ SecureBootMode = SECURE_BOOT_MODE_DISABLE;
+ }
+ Status = AuthServiceInternalUpdateVariable (
+ EFI_SECURE_BOOT_MODE_NAME,
+ &gEfiGlobalVariableGuid,
+ &SecureBootMode,
+ sizeof (UINT8),
+ EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ );
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+
+ DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_SETUP_MODE_NAME, mPlatformMode));
+ DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_SECURE_BOOT_MODE_NAME, SecureBootMode));
+ DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_SECURE_BOOT_ENABLE_NAME, SecureBootEnable));
+
+ //
// Initialize "CustomMode" in STANDARD_SECURE_BOOT_MODE state.
//
CustomMode = STANDARD_SECURE_BOOT_MODE;
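Review bot: `SecureBootEnable = *(UINT8 *) Data;` reads the stored "SecureBootEnable" value without checking `DataSize`, and the byte is never checked against SECURE_BOOT_ENABLE or SECURE_BOOT_DISABLE. The later test `SecureBootEnable == SECURE_BOOT_ENABLE && mPlatformMode == USER_MODE` means any other stored value silently publishes "SecureBoot" as SECURE_BOOT_MODE_DISABLE while a PK is enrolled. Because this hunk creates the variable as plain NV+BS, the read side is where a malformed value should be caught: guard it with `if (mPlatformMode == USER_MODE && DataSize == sizeof (UINT8)) {` and emit a `DEBUG ((EFI_D_ERROR, ...))` line when the value is neither constant. A short comment stating the intended policy for a malformed value (fail the init or treat it as enabled) would also help a reader auditing the Secure Boot state machine. The function body continues outside this hunk.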
@@ -408,16 +471,10 @@ AuthVariableLibProcessVariable (
{
EFI_STATUS Status;
- //
- // Process PK, KEK, Sigdb, AuditMode, DeployedMode separately.
- //
if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_PLATFORM_KEY_NAME) == 0)){
Status = ProcessVarWithPk (VariableName, VendorGuid, Data, DataSize, Attributes, TRUE);
} else if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_KEY_EXCHANGE_KEY_NAME) == 0)) {
Status = ProcessVarWithPk (VariableName, VendorGuid, Data, DataSize, Attributes, FALSE);
- } else if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid)
- && (StrCmp (VariableName, EFI_AUDIT_MODE_NAME) == 0 || StrCmp (VariableName, EFI_DEPLOYED_MODE_NAME) == 0)) {
- Status = ProcessSecureBootModeVar(VariableName, VendorGuid, Data, DataSize, Attributes);
} else if (CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid) &&
((StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) ||
(StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE1) == 0) ||