-/**\r
- Perform secure boot mode transition from User Mode by setting AuditMode \r
- or DeployedMode variable.\r
-\r
- @param[in] NewMode New secure boot mode.\r
-\r
- @retval EFI_SUCCESS Secure Boot mode transition is successful.\r
-**/\r
-EFI_STATUS\r
-TransitionFromUserMode(\r
- IN UINT8 NewMode\r
- )\r
-{\r
- UINT8 Data;\r
- EFI_STATUS Status;\r
-\r
- if (NewMode == SECURE_BOOT_MODE_AUDIT_MODE) {\r
- Data = 1;\r
- Status = gRT->SetVariable(\r
- EFI_AUDIT_MODE_NAME,\r
- &gEfiGlobalVariableGuid,\r
- EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,\r
- sizeof(UINT8),\r
- &Data\r
- );\r
- return Status;\r
- } else if (NewMode == SECURE_BOOT_MODE_DEPLOYED_MODE) {\r
- Data = 1;\r
- Status = gRT->SetVariable(\r
- EFI_DEPLOYED_MODE_NAME,\r
- &gEfiGlobalVariableGuid,\r
- EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,\r
- sizeof(UINT8),\r
- &Data\r
- );\r
- return Status;\r
- }\r
-\r
- //\r
- // Other case do nothing here. May Goto enroll PK page.\r
- //\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Perform secure boot mode transition from Setup Mode by setting AuditMode \r
- variable.\r
-\r
- @param[in] NewMode New secure boot mode.\r
-\r
- @retval EFI_SUCCESS Secure Boot mode transition is successful.\r
-**/\r
-EFI_STATUS\r
-TransitionFromSetupMode(\r
- IN UINT8 NewMode\r
- )\r
-{\r
- UINT8 Data;\r
- EFI_STATUS Status;\r
-\r
- Status = EFI_INVALID_PARAMETER;\r
-\r
- if (NewMode == SECURE_BOOT_MODE_AUDIT_MODE) {\r
- Data = 1;\r
- Status = gRT->SetVariable(\r
- EFI_AUDIT_MODE_NAME,\r
- &gEfiGlobalVariableGuid,\r
- EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,\r
- sizeof(UINT8),\r
- &Data\r
- );\r
- return Status;\r
- }\r
-\r
- //\r
- // Other case do nothing here. May Goto enroll PK page.\r
- //\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Perform secure boot mode transition from Audit Mode. Nothing is done here,\r
- should goto enroll PK page.\r
-\r
- @param[in] NewMode New secure boot mode.\r
-\r
- @retval EFI_SUCCESS Secure Boot mode transition is successful.\r
-**/\r
-EFI_STATUS\r
-TransitionFromAuditMode(\r
- IN UINT8 NewMode\r
- )\r
-{\r
- //\r
- // Other case do nothing here. Should Goto enroll PK page.\r
- //\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Perform secure boot mode transition from Deployed Mode by setting Deployed Mode\r
- variable to 0.\r
-\r
- @param[in] NewMode New secure boot mode.\r
-\r
- @retval EFI_SUCCESS Secure Boot mode transition is successful.\r
-**/\r
-EFI_STATUS\r
-TransitionFromDeployedMode(\r
- IN UINT8 NewMode\r
- )\r
-{\r
- UINT8 Data;\r
- EFI_STATUS Status;\r
-\r
- //\r
- // Platform specific logic. when physical presence, Allow to set DeployedMode =:0\r
- // to switch back to UserMode\r
- //\r
- if (NewMode == SECURE_BOOT_MODE_USER_MODE) {\r
- Data = 0;\r
- Status = gRT->SetVariable(\r
- EFI_DEPLOYED_MODE_NAME,\r
- &gEfiGlobalVariableGuid,\r
- EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,\r
- sizeof(UINT8),\r
- &Data\r
- );\r
- DEBUG((EFI_D_INFO, "DeployedMode Status %x\n", Status));\r
- return Status;\r
- }\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Perform main secure boot mode transition.\r
-\r
- @param[in] CurMode New secure boot mode.\r
- @param[in] NewMode New secure boot mode.\r
-\r
- @retval EFI_SUCCESS Secure Boot mode transition is successful.\r
-**/\r
-EFI_STATUS\r
-SecureBootModeTransition(\r
- IN UINT8 CurMode,\r
- IN UINT8 NewMode\r
- )\r
-{\r
- EFI_STATUS Status;\r
-\r
- //\r
- // Set platform to be customized mode to ensure platform specific mode switch sucess\r
- //\r
- Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);\r
- if (EFI_ERROR (Status)) {\r
- return Status;\r
- }\r
-\r
- //\r
- // SecureBootMode transition\r
- //\r
- switch (CurMode) {\r
- case SECURE_BOOT_MODE_USER_MODE:\r
- Status = TransitionFromUserMode(NewMode);\r
- break;\r
-\r
- case SECURE_BOOT_MODE_SETUP_MODE:\r
- Status = TransitionFromSetupMode(NewMode);\r
- break;\r
-\r
- case SECURE_BOOT_MODE_AUDIT_MODE:\r
- Status = TransitionFromAuditMode(NewMode);\r
- break;\r
-\r
- case SECURE_BOOT_MODE_DEPLOYED_MODE:\r
- Status = TransitionFromDeployedMode(NewMode);\r
- break;\r
-\r
- default:\r
- Status = EFI_INVALID_PARAMETER;\r
- ASSERT(FALSE);\r
- }\r
-\r
- return Status;\r
-}\r
-\r
-/**\r
- Get current secure boot mode by retrieve data from SetupMode/AuditMode/DeployedMode.\r
-\r
- @param[out] SecureBootMode Current secure boot mode.\r
-\r
-**/\r
-VOID\r
-ExtractSecureBootModeFromVariable(\r
- OUT UINT8 *SecureBootMode\r
- )\r
-{\r
- UINT8 *SetupMode;\r
- UINT8 *AuditMode;\r
- UINT8 *DeployedMode;\r
-\r
- SetupMode = NULL;\r
- AuditMode = NULL;\r
- DeployedMode = NULL;\r
-\r
- //\r
- // Get AuditMode/DeployedMode from variable\r
- //\r
- GetVariable2 (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SetupMode, NULL);\r
- GetVariable2 (EFI_AUDIT_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&AuditMode, NULL);\r
- GetVariable2 (EFI_DEPLOYED_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&DeployedMode, NULL);\r
- if (SetupMode != NULL && AuditMode != NULL && DeployedMode != NULL) {\r
- if (*SetupMode == 0 && *AuditMode == 0 && *DeployedMode == 0) {\r
- //\r
- // User Mode\r
- //\r
- *SecureBootMode = SECURE_BOOT_MODE_USER_MODE;\r
- } else if (*SetupMode == 1 && *AuditMode == 0 && *DeployedMode == 0) {\r
- //\r
- // Setup Mode\r
- //\r
- *SecureBootMode = SECURE_BOOT_MODE_SETUP_MODE;\r
- } else if (*SetupMode == 1 && *AuditMode == 1 && *DeployedMode == 0) {\r
- //\r
- // Audit Mode\r
- //\r
- *SecureBootMode = SECURE_BOOT_MODE_AUDIT_MODE;\r
- } else if (*SetupMode == 0 && *AuditMode == 0 && *DeployedMode == 1) {\r
- //\r
- // Deployed Mode\r
- //\r
- *SecureBootMode = SECURE_BOOT_MODE_DEPLOYED_MODE;\r
- } else {\r
- ASSERT(FALSE);\r
- }\r
- }else {\r
- ASSERT(FALSE);\r
- }\r
-\r
- if (SetupMode != NULL) {\r
- FreePool (SetupMode);\r
- }\r
- if (DeployedMode != NULL) {\r
- FreePool (DeployedMode);\r
- }\r
- if (AuditMode != NULL) {\r
- FreePool (AuditMode);\r
- }\r
-}\r
-\r