/** @file\r
Measure TrEE required variable.\r
\r
-Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.<BR>\r
+Copyright (c) 2013 - 2017, Intel Corporation. All rights reserved.<BR>\r
This program and the accompanying materials\r
are licensed and made available under the terms and conditions of the BSD License\r
which accompanies this distribution. The full text of the license may be found at\r
{EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid},\r
{EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid},\r
{EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid},\r
+ {EFI_IMAGE_SECURITY_DATABASE2, &gEfiImageSecurityDatabaseGuid},\r
};\r
\r
+//\r
+// "SecureBoot" may update following PK Del/Add\r
+// Cache its value to detect value update\r
+//\r
+UINT8 *mSecureBootVarData = NULL;\r
+UINTN mSecureBootVarDataSize = 0;\r
+\r
/**\r
This function will return if this variable is SecureBootPolicy Variable.\r
\r
FreePool (VariableData);\r
}\r
\r
+ //\r
+ // "SecureBoot" is 8bit & read-only. It can only be changed according to PK update\r
+ //\r
+ if ((StrCmp (VariableName, EFI_PLATFORM_KEY_NAME) == 0) &&\r
+ CompareGuid (VendorGuid, &gEfiGlobalVariableGuid)) {\r
+ Status = InternalGetVariable (\r
+ EFI_SECURE_BOOT_MODE_NAME,\r
+ &gEfiGlobalVariableGuid,\r
+ &VariableData,\r
+ &VariableDataSize\r
+ );\r
+ if (EFI_ERROR (Status)) {\r
+ return;\r
+ }\r
+\r
+ //\r
+ // If PK update is successful. "SecureBoot" shall always exist ever since variable write service is ready\r
+ //\r
+ ASSERT(mSecureBootVarData != NULL);\r
+\r
+ if (CompareMem(mSecureBootVarData, VariableData, VariableDataSize) != 0) {\r
+ FreePool(mSecureBootVarData);\r
+ mSecureBootVarData = VariableData;\r
+ mSecureBootVarDataSize = VariableDataSize;\r
+\r
+ DEBUG((DEBUG_INFO, "%s variable updated according to PK change. Remeasure the value!\n", EFI_SECURE_BOOT_MODE_NAME));\r
+ Status = MeasureVariable (\r
+ EFI_SECURE_BOOT_MODE_NAME,\r
+ &gEfiGlobalVariableGuid,\r
+ mSecureBootVarData,\r
+ mSecureBootVarDataSize\r
+ );\r
+ DEBUG ((DEBUG_INFO, "MeasureBootPolicyVariable - %r\n", Status));\r
+ } else {\r
+ //\r
+ // "SecureBoot" variable is not changed\r
+ //\r
+ FreePool(VariableData);\r
+ }\r
+ }\r
+\r
return ;\r
}\r
+\r
+/**\r
+ Some Secure Boot Policy Variable may update following other variable changes(SecureBoot follows PK change, etc).\r
+ Record their initial State when variable write service is ready.\r
+\r
+**/\r
+VOID\r
+EFIAPI\r
+RecordSecureBootPolicyVarData(\r
+ VOID\r
+ )\r
+{\r
+ EFI_STATUS Status;\r
+\r
+ //\r
+ // Record initial "SecureBoot" variable value.\r
+ // It is used to detect SecureBoot variable change in SecureBootHook.\r
+ //\r
+ Status = InternalGetVariable (\r
+ EFI_SECURE_BOOT_MODE_NAME,\r
+ &gEfiGlobalVariableGuid,\r
+ (VOID **)&mSecureBootVarData,\r
+ &mSecureBootVarDataSize\r
+ );\r
+ if (EFI_ERROR(Status)) {\r
+ //\r
+ // Read could fail when Auth Variable solution is not supported\r
+ //\r
+ DEBUG((DEBUG_INFO, "RecordSecureBootPolicyVarData GetVariable %s Status %x\n", EFI_SECURE_BOOT_MODE_NAME, Status));\r
+ }\r
+}\r
projects / mirror_edk2.git / blobdiff