Fix a bug in secure boot configuration driver: Enroll DB/KEK will disable Attempt...
authorFu Siyuan <siyuan.fu@intel.com>
Thu, 22 Aug 2013 09:46:03 +0000 (09:46 +0000)
committersfu5 <sfu5@6f19259b-4bc3-4df7-8a09-765794883524>
Thu, 22 Aug 2013 09:46:03 +0000 (09:46 +0000)
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@14590 6f19259b-4bc3-4df7-8a09-765794883524

SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c

index 656befbb44fb70d0a431f74bcfdce54ae211bba2..9685a9e0c2a3c2b9a85fcc3eb7d932d3d3bd8637 100644 (file)
@@ -65,20 +65,29 @@ formset
     //\r
     // Display of Oneof: 'Secure Boot Mode'\r
     //\r
-    oneof varid  = SECUREBOOT_CONFIGURATION.SecureBootMode,\r
-          questionid = KEY_SECURE_BOOT_MODE,      \r
-          prompt = STRING_TOKEN(STR_SECURE_BOOT_MODE_PROMPT),\r
-          help   = STRING_TOKEN(STR_SECURE_BOOT_MODE_HELP),\r
-          flags  = INTERACTIVE,\r
-          option text = STRING_TOKEN(STR_STANDARD_MODE),    value = SECURE_BOOT_MODE_STANDARD, flags = DEFAULT;\r
-          option text = STRING_TOKEN(STR_CUSTOM_MODE),      value = SECURE_BOOT_MODE_CUSTOM,   flags = 0;\r
-    endoneof;\r
+    disableif TRUE;\r
+      oneof varid  = SECUREBOOT_CONFIGURATION.SecureBootMode,\r
+            prompt = STRING_TOKEN(STR_SECURE_BOOT_MODE_PROMPT),\r
+            help   = STRING_TOKEN(STR_SECURE_BOOT_MODE_HELP),\r
+            flags  = INTERACTIVE,\r
+            option text = STRING_TOKEN(STR_STANDARD_MODE),    value = SECURE_BOOT_MODE_STANDARD, flags = 0;\r
+            option text = STRING_TOKEN(STR_CUSTOM_MODE),      value = SECURE_BOOT_MODE_CUSTOM,   flags = 0;\r
+      endoneof;\r
+    endif;\r
+      oneof name = SecureBootMode,\r
+            questionid = KEY_SECURE_BOOT_MODE,      \r
+            prompt = STRING_TOKEN(STR_SECURE_BOOT_MODE_PROMPT),\r
+            help   = STRING_TOKEN(STR_SECURE_BOOT_MODE_HELP),\r
+            flags  = INTERACTIVE | NUMERIC_SIZE_1,\r
+            option text = STRING_TOKEN(STR_STANDARD_MODE),    value = SECURE_BOOT_MODE_STANDARD, flags = DEFAULT;\r
+            option text = STRING_TOKEN(STR_CUSTOM_MODE),      value = SECURE_BOOT_MODE_CUSTOM,   flags = 0;\r
+      endoneof;\r
     \r
     //\r
     //\r
     // Display of 'Current Secure Boot Mode'\r
     //\r
-    suppressif ideqval SECUREBOOT_CONFIGURATION.SecureBootMode == SECURE_BOOT_MODE_STANDARD;\r
+    suppressif questionref(SecureBootMode) == SECURE_BOOT_MODE_STANDARD;\r
       grayoutif NOT ideqval SECUREBOOT_CONFIGURATION.PhysicalPresent == 1;\r
       goto FORMID_SECURE_BOOT_OPTION_FORM,\r
            prompt = STRING_TOKEN(STR_SECURE_BOOT_OPTION),\r
index 659952a63a05c7738d5e8235a0237a39deeec207..e8af62de4af26d2b73547dce6060bc77cba74e15 100644 (file)
@@ -48,6 +48,8 @@ HII_VENDOR_DEVICE_PATH          mSecureBootHiiVendorDevicePath = {
 };\r
 \r
 \r
+BOOLEAN mIsEnterSecureBootForm = FALSE;\r
+\r
 //\r
 // OID ASN.1 Value for Hash Algorithms\r
 //\r
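Review bot: `mIsEnterSecureBootForm` is declared without a comment and without `STATIC`, although every use visible in this commit is in this file. The flag decides whether the mode selector is forced back to Standard, so its lifecycle is worth stating at the declaration, e.g. `// TRUE from form open until the user changes 'Secure Boot Mode'; while TRUE, RETRIEVE reports Standard.` If no other file references it, `STATIC BOOLEAN mIsEnterSecureBootForm = FALSE;` keeps it out of the module's global namespace.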
@@ -2407,6 +2409,14 @@ SecureBootRouteConfig (
     return EFI_NOT_FOUND;\r
   }\r
 \r
+  //\r
+  // Get Configuration from Variable.\r
+  //\r
+  SecureBootExtractConfigFromVariable (&IfrNvData);\r
+\r
+  //\r
+  // Map the Configuration to the configuration block.\r
+  //\r
   BufferSize = sizeof (SECUREBOOT_CONFIGURATION);\r
   Status = gHiiConfigRouting->ConfigToBlock (\r
                                 gHiiConfigRouting,\r
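Review bot: The added comment `Get Configuration from Variable.` does not say why the call must come before `ConfigToBlock`. As far as the hunk shows, `IfrNvData` is otherwise filled only by `ConfigToBlock`, which writes just the fields named in `Configuration`, so the pre-load is what gives the remaining fields defined values. A comment such as `// Pre-load IfrNvData from the variables so fields absent from Configuration are not left uninitialized.` would record that. The declaration of `IfrNvData` and the code that consumes it after `ConfigToBlock` are outside the hunk, so confirm this against the full function.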
@@ -2488,6 +2498,25 @@ SecureBootCallback (
     return EFI_INVALID_PARAMETER;\r
   }\r
 \r
+  if (Action == EFI_BROWSER_ACTION_FORM_OPEN) {\r
+    if (QuestionId == KEY_SECURE_BOOT_MODE) {\r
+      mIsEnterSecureBootForm = TRUE;\r
+    }\r
+\r
+    return EFI_SUCCESS;\r
+  }\r
+  \r
+  if (Action == EFI_BROWSER_ACTION_RETRIEVE) {\r
+    Status = EFI_UNSUPPORTED;\r
+    if (QuestionId == KEY_SECURE_BOOT_MODE) {\r
+      if (mIsEnterSecureBootForm) {\r
+        Value->u8 = SECURE_BOOT_MODE_STANDARD;\r
+        Status = EFI_SUCCESS;\r
+      }\r
+    }\r
+    return Status;\r
+  }\r
+  \r
   if ((Action != EFI_BROWSER_ACTION_CHANGED) &&\r
       (Action != EFI_BROWSER_ACTION_CHANGING) &&\r
       (Action != EFI_BROWSER_ACTION_FORM_CLOSE) &&\r
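Review bot: The new RETRIEVE branch reports `SECURE_BOOT_MODE_STANDARD` whenever the form has just been opened, without consulting the stored custom-mode state. The selector could therefore show Standard while the platform variable says otherwise, if any other path leaves custom mode enabled. The reset looks deliberate, but it is a security-relevant choice and deserves a comment, e.g. `// Always present Standard on entry; Custom must be re-selected on each visit and is never restored from the variable.` The branch also writes `Value->u8`, relying on a NULL check that sits before the hunk (only its `return EFI_INVALID_PARAMETER;` is visible). SecureBootCallback begins and ends outside the hunk.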
@@ -2759,19 +2788,7 @@ SecureBootCallback (
       break;\r
       \r
     case KEY_SECURE_BOOT_MODE:\r
-      GetVariable2 (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid, (VOID**)&SecureBootMode, NULL);\r
-      if (NULL != SecureBootMode) {\r
-        Status = gRT->SetVariable (                          \r
-                        EFI_CUSTOM_MODE_NAME,\r
-                        &gEfiCustomModeEnableGuid,\r
-                        EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
-                        sizeof (UINT8),\r
-                        &Value->u8\r
-                        );\r
-        *ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY;\r
-        IfrNvData->SecureBootMode = Value->u8;\r
-        FreePool (SecureBootMode);\r
-      }        \r
+      mIsEnterSecureBootForm = FALSE;\r
       break;\r
 \r
     case KEY_SECURE_BOOT_KEK_GUID:\r
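Review bot: After this change the `KEY_SECURE_BOOT_MODE` case only clears `mIsEnterSecureBootForm`, and nothing in the visible hunks writes `EFI_CUSTOM_MODE_NAME` any more. It would help to name in a comment the code that now enables custom mode for key enrollment and restores standard mode afterwards, e.g. `// UI state only: the CustomMode variable is no longer written here.` If the local `SecureBootMode` pointer has no other use in SecureBootCallback, its declaration is now dead and should be removed. The rest of the switch lies outside the hunk.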