SecurityPkg Variable: Make PK & SecureBootMode consistent

PK can be cleared in runtime. However SecureBootMode variable is not updated accordingly.  Add code in variable init to make them consistent.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17401 6f19259b-4bc3-4df7-8a09-765794883524

diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
index b48129135fd3f8c1cdfcc539a10208035a611f3c..36d447027d89c4d7fdd21ae20a444eba96e6ccc4 100644 (file)
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
@@ -277,7 +277,25 @@ AutenticatedVariableServiceInitialize (
   SecureBootEnable = SECURE_BOOT_DISABLE;\r
   FindVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);\r
   if (Variable.CurrPtr != NULL) {\r
-    SecureBootEnable = *(GetVariableDataPtr (Variable.CurrPtr));\r
+    if (mPlatformMode == SETUP_MODE){\r
+      //\r
+      // PK is cleared in runtime. "SecureBootMode" is not updated before reboot \r
+      // Delete "SecureBootMode" in SetupMode\r
+      //\r
+      Status = UpdateVariable (\r
+                 EFI_SECURE_BOOT_ENABLE_NAME,\r
+                 &gEfiSecureBootEnableDisableGuid,\r
+                 &SecureBootEnable,\r
+                 0,\r
+                 EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
+                 0,\r
+                 0,\r
+                 &Variable,\r
+                 NULL\r
+                 );\r
+    } else {\r
+      SecureBootEnable = *(GetVariableDataPtr (Variable.CurrPtr));\r
+    }\r
   } else if (mPlatformMode == USER_MODE) {\r
     //\r
     // "SecureBootEnable" not exist, initialize it in USER_MODE.\r