EFI_STATUS Status;\r
SETTINGS Settings;\r
\r
+ //\r
+ // If we're not in Setup Mode, we can't do anything.\r
+ //\r
Status = GetSettings (&Settings);\r
if (EFI_ERROR (Status)) {\r
return 1;\r
return 1;\r
}\r
\r
+ //\r
+ // Enter Custom Mode so we can enroll PK, KEK, db, and dbx without signature\r
+ // checks on those variable writes.\r
+ //\r
if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) {\r
Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE;\r
Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,\r
}\r
}\r
\r
+ //\r
+ // Enroll db.\r
+ //\r
Status = EnrollListOfCerts (\r
EFI_IMAGE_SECURITY_DATABASE,\r
&gEfiImageSecurityDatabaseGuid,\r
return 1;\r
}\r
\r
+ //\r
+ // Enroll dbx.\r
+ //\r
Status = EnrollListOfCerts (\r
EFI_IMAGE_SECURITY_DATABASE1,\r
&gEfiImageSecurityDatabaseGuid,\r
return 1;\r
}\r
\r
+ //\r
+ // Enroll KEK.\r
+ //\r
Status = EnrollListOfCerts (\r
EFI_KEY_EXCHANGE_KEY_NAME,\r
&gEfiGlobalVariableGuid,\r
return 1;\r
}\r
\r
+ //\r
+ // Enroll PK, leaving Setup Mode (entering User Mode) at once.\r
+ //\r
Status = EnrollListOfCerts (\r
EFI_PLATFORM_KEY_NAME,\r
&gEfiGlobalVariableGuid,\r
return 1;\r
}\r
\r
+ //\r
+ // Leave Custom Mode, so that updates to PK, KEK, db, and dbx require valid\r
+ // signatures.\r
+ //\r
Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;\r
Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,\r
EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
return 1;\r
}\r
\r
+ //\r
+ // Final sanity check:\r
+ //\r
+ // [SetupMode]\r
+ // (read-only, standardized by UEFI)\r
+ // / \_\r
+ // 0 1, default\r
+ // / \_\r
+ // PK enrolled no PK enrolled yet,\r
+ // (this is called "User Mode") PK enrollment possible\r
+ // |\r
+ // |\r
+ // [SecureBootEnable]\r
+ // (read-write, edk2-specific, boot service only)\r
+ // / \_\r
+ // 0 1, default\r
+ // / \_\r
+ // [SecureBoot]=0 [SecureBoot]=1\r
+ // (read-only, standardized by UEFI) (read-only, standardized by UEFI)\r
+ // images are not verified images are verified, platform is\r
+ // operating in Secure Boot mode\r
+ // |\r
+ // |\r
+ // [CustomMode]\r
+ // (read-write, edk2-specific, boot service only)\r
+ // / \_\r
+ // 0, default 1\r
+ // / \_\r
+ // PK, KEK, db, dbx PK, KEK, db, dbx\r
+ // updates are verified updates are not verified\r
+ //\r
Status = GetSettings (&Settings);\r
if (EFI_ERROR (Status)) {\r
return 1;\r