Enable/Disable Secured Boot by 'Secure Boot Configuration' Page which is under Setup...

[mirror_edk2.git] / SecurityPkg / Library / DxeImageVerificationLib / DxeImageVerificationLib.c

diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index dab35d5f6c2edfb4e0a6a36bbc2fd6f138d0edb4..7bc3cc0ec037fb2665f4542cc9b75c38449f4802 100644 (file)
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1117,7 +1117,6 @@ DxeImageVerificationHandler (
   IN  VOID                             *FileBuffer,\r
   IN  UINTN                            FileSize\r
   )\r
-\r
 {\r
   EFI_STATUS                  Status;\r
   UINT16                      Magic;\r
@@ -1130,6 +1129,7 @@ DxeImageVerificationHandler (
   EFI_IMAGE_EXECUTION_ACTION  Action;\r
   WIN_CERTIFICATE             *WinCertificate;\r
   UINT32                      Policy;\r
+  UINT8                       *SecureBootEnable;\r
 \r
   if (File == NULL) {\r
     return EFI_INVALID_PARAMETER;\r
@@ -1173,6 +1173,23 @@ DxeImageVerificationHandler (
   } else if (Policy == NEVER_EXECUTE) {\r
     return EFI_ACCESS_DENIED;\r
   }\r
+\r
+  SecureBootEnable = GetVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid);\r
+  //\r
+  // Skip verification if SecureBootEnable variable doesn't exist.\r
+  //\r
+  if (SecureBootEnable == NULL) {\r
+    return EFI_SUCCESS;\r
+  }\r
+\r
+  //\r
+  // Skip verification if SecureBootEnable is disabled.\r
+  //\r
+  if (*SecureBootEnable == SECURE_BOOT_DISABLE) {\r
+    FreePool (SecureBootEnable);\r
+    return EFI_SUCCESS;\r
+  }    \r
+ \r
   SetupMode = GetEfiGlobalVariable (EFI_SETUP_MODE_NAME);\r
 \r
   //\r