/** @file\r
HII Config Access protocol implementation of SecureBoot configuration module.\r
\r
-Copyright (c) 2011 - 2012, Intel Corporation. All rights reserved.<BR>\r
+Copyright (c) 2011 - 2013, Intel Corporation. All rights reserved.<BR>\r
This program and the accompanying materials\r
are licensed and made available under the terms and conditions of the BSD License\r
which accompanies this distribution. The full text of the license may be found at\r
if (Variable == NULL) {\r
return EFI_SUCCESS;\r
}\r
+ FreePool (Variable);\r
\r
Data = NULL;\r
DataSize = 0;\r
return Status;\r
}\r
\r
+/**\r
+\r
+ Set the platform secure boot mode into "Custom" or "Standard" mode.\r
+\r
+ @param[in] SecureBootMode New secure boot mode: STANDARD_SECURE_BOOT_MODE or\r
+ CUSTOM_SECURE_BOOT_MODE.\r
+ \r
+ @return EFI_SUCCESS The platform has switched to the special mode successfully.\r
+ @return other Fail to operate the secure boot mode.\r
+ \r
+**/\r
+EFI_STATUS\r
+SetSecureBootMode (\r
+ IN UINT8 SecureBootMode\r
+ )\r
+{\r
+ return gRT->SetVariable ( \r
+ EFI_CUSTOM_MODE_NAME,\r
+ &gEfiCustomModeEnableGuid,\r
+ EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
+ sizeof (UINT8),\r
+ &SecureBootMode\r
+ );\r
+}\r
+\r
/**\r
Generate the PK signature list from the X509 Certificate storing file (.cer)\r
\r
\r
PkCert = NULL;\r
\r
+ Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);\r
+ if (EFI_ERROR (Status)) {\r
+ return Status;\r
+ }\r
+\r
//\r
// Parse the file's postfix. Only support DER encoded X.509 certificate files.\r
//\r
{\r
EFI_STATUS Status;\r
\r
+ Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);\r
+ if (EFI_ERROR (Status)) {\r
+ return Status;\r
+ }\r
+\r
Status = DeleteVariable (\r
EFI_PLATFORM_KEY_NAME,\r
&gEfiGlobalVariableGuid\r
) \r
{\r
UINT16* FilePostFix;\r
+ EFI_STATUS Status;\r
\r
if ((Private->FileContext->FileName == NULL) || (Private->SignatureGUID == NULL)) {\r
return EFI_INVALID_PARAMETER;\r
}\r
\r
+ Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);\r
+ if (EFI_ERROR (Status)) {\r
+ return Status;\r
+ }\r
+\r
//\r
// Parse the file's postfix. Supports DER-encoded X509 certificate, \r
// and .pbk as RSA public key file.\r
) \r
{\r
UINT16* FilePostFix;\r
+ EFI_STATUS Status;\r
\r
if ((Private->FileContext->FileName == NULL) || (Private->FileContext->FHandle == NULL) || (Private->SignatureGUID == NULL)) {\r
return EFI_INVALID_PARAMETER;\r
}\r
\r
+ Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);\r
+ if (EFI_ERROR (Status)) {\r
+ return Status;\r
+ }\r
+ \r
//\r
// Parse the file's postfix. \r
//\r
Cert = NULL;\r
Attr = 0; \r
DeleteKekIndex = QuestionId - OPTION_DEL_KEK_QUESTION_ID;\r
+\r
+ Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);\r
+ if (EFI_ERROR (Status)) {\r
+ return Status;\r
+ }\r
\r
//\r
// Get original KEK variable.\r
Cert = NULL;\r
Attr = 0; \r
\r
+ Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);\r
+ if (EFI_ERROR (Status)) {\r
+ return Status;\r
+ }\r
+\r
//\r
// Get original signature list data.\r
// \r
{\r
UINT8 *SecureBootEnable;\r
UINT8 *SetupMode;\r
- UINT8 *SecureBoot;\r
UINT8 *SecureBootMode;\r
\r
SecureBootEnable = NULL;\r
SetupMode = NULL;\r
- SecureBoot = NULL;\r
SecureBootMode = NULL;\r
\r
//\r
// If the SecureBootEnable Variable doesn't exist, hide the SecureBoot Enable/Disable\r
// Checkbox.\r
//\r
+ ConfigData->AttemptSecureBoot = FALSE;\r
GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);\r
if (SecureBootEnable == NULL) {\r
ConfigData->HideSecureBoot = TRUE;\r
} else {\r
ConfigData->HideSecureBoot = FALSE;\r
+ if ((*SecureBootEnable) == SECURE_BOOT_ENABLE) {\r
+ ConfigData->AttemptSecureBoot = TRUE;\r
+ }\r
}\r
\r
//\r
} else {\r
ConfigData->HasPk = TRUE;\r
}\r
- \r
- //\r
- // If the value of SecureBoot variable is 1, the platform is operating in secure boot mode.\r
- //\r
- GetVariable2 (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SecureBoot, NULL);\r
- if (SecureBoot != NULL && *SecureBoot == SECURE_BOOT_MODE_ENABLE) {\r
- ConfigData->SecureBootState = TRUE;\r
- } else {\r
- ConfigData->SecureBootState = FALSE;\r
- }\r
\r
//\r
// Get the SecureBootMode from CustomMode variable.\r
} else {\r
ConfigData->SecureBootMode = *(SecureBootMode);\r
}\r
- \r
+\r
+ if (SecureBootEnable != NULL) {\r
+ FreePool (SecureBootEnable);\r
+ }\r
+ if (SetupMode != NULL) {\r
+ FreePool (SetupMode);\r
+ }\r
+ if (SecureBootMode != NULL) {\r
+ FreePool (SecureBootMode);\r
+ }\r
}\r
\r
/**\r
EFI_STRING ConfigRequestHdr;\r
SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData;\r
BOOLEAN AllocatedRequest;\r
+ UINT8 *SecureBoot;\r
\r
if (Progress == NULL || Results == NULL) {\r
return EFI_INVALID_PARAMETER;\r
ConfigRequestHdr = NULL;\r
ConfigRequest = NULL;\r
Size = 0;\r
+ SecureBoot = NULL;\r
\r
ZeroMem (&Configuration, sizeof (Configuration));\r
PrivateData = SECUREBOOT_CONFIG_PRIVATE_FROM_THIS (This);\r
// Get Configuration from Variable.\r
//\r
SecureBootExtractConfigFromVariable (&Configuration);\r
+\r
+ //\r
+ // Update current secure boot state.\r
+ //\r
+ GetVariable2 (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SecureBoot, NULL);\r
+ if (SecureBoot != NULL && *SecureBoot == SECURE_BOOT_MODE_ENABLE) {\r
+ HiiSetString (PrivateData->HiiHandle, STRING_TOKEN (STR_SECURE_BOOT_STATE_CONTENT), L"Enabled", NULL);\r
+ } else {\r
+ HiiSetString (PrivateData->HiiHandle, STRING_TOKEN (STR_SECURE_BOOT_STATE_CONTENT), L"Disabled", NULL);\r
+ }\r
+ if (SecureBoot != NULL) {\r
+ FreePool (SecureBoot);\r
+ }\r
\r
BufferSize = sizeof (SECUREBOOT_CONFIGURATION);\r
ConfigRequest = Request;\r
SECUREBOOT_CONFIGURATION *IfrNvData;\r
UINT16 LabelId;\r
UINT8 *SecureBootEnable;\r
+ UINT8 *SecureBootMode;\r
+ UINT8 *SetupMode;\r
CHAR16 PromptString[100];\r
\r
SecureBootEnable = NULL;\r
+ SecureBootMode = NULL;\r
+ SetupMode = NULL;\r
\r
if ((This == NULL) || (Value == NULL) || (ActionRequest == NULL)) {\r
return EFI_INVALID_PARAMETER;\r
}\r
\r
- if ((Action != EFI_BROWSER_ACTION_CHANGED) && (Action != EFI_BROWSER_ACTION_CHANGING)) {\r
+ if ((Action != EFI_BROWSER_ACTION_CHANGED) &&\r
+ (Action != EFI_BROWSER_ACTION_CHANGING) &&\r
+ (Action != EFI_BROWSER_ACTION_FORM_CLOSE)) {\r
return EFI_UNSUPPORTED;\r
}\r
\r
case KEY_SECURE_BOOT_ENABLE:\r
GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);\r
if (NULL != SecureBootEnable) {\r
+ FreePool (SecureBootEnable);\r
if (EFI_ERROR (SaveSecureBootVariable (Value->u8))) {\r
CreatePopUp (\r
EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,\r
CreatePopUp (\r
EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,\r
&Key,\r
- L"Secure boot configuration is changed, please reset the platform to take effect!",\r
+ L"Configuration changed, please reset the platform to take effect!",\r
NULL\r
);\r
}\r
- *ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY; \r
}\r
break;\r
\r
break;\r
\r
case KEY_SECURE_BOOT_DELETE_PK: \r
- if (Value->u8) {\r
+ if (Value->u8) {\r
+ CreatePopUp (\r
+ EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,\r
+ &Key,\r
+ L"Are you sure you want to delete PK? Secure boot will be disabled!",\r
+ L"Press 'Y' to delete PK and exit, 'N' to discard change and return",\r
+ NULL\r
+ );\r
+ if (Key.UnicodeChar == 'y' || Key.UnicodeChar == 'Y') {\r
Status = DeletePlatformKey ();\r
- *ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY;\r
+ if (EFI_ERROR (Status)) {\r
+ CreatePopUp (\r
+ EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,\r
+ &Key,\r
+ L"Only Physical Presence User could delete PK in custom mode!",\r
+ NULL\r
+ );\r
+ }\r
}\r
+ }\r
break;\r
\r
case KEY_DELETE_KEK:\r
} else if (Action == EFI_BROWSER_ACTION_CHANGED) {\r
switch (QuestionId) {\r
case KEY_SECURE_BOOT_ENABLE:\r
- *ActionRequest = EFI_BROWSER_ACTION_REQUEST_SUBMIT; \r
+ *ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY;\r
break; \r
case KEY_VALUE_SAVE_AND_EXIT_PK:\r
Status = EnrollPlatformKey (Private);\r
break;\r
\r
case KEY_SECURE_BOOT_MODE:\r
- GetVariable2 (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid, (VOID**)&SecureBootEnable, NULL);\r
- if (NULL != SecureBootEnable) {\r
+ GetVariable2 (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid, (VOID**)&SecureBootMode, NULL);\r
+ if (NULL != SecureBootMode) {\r
Status = gRT->SetVariable ( \r
EFI_CUSTOM_MODE_NAME,\r
&gEfiCustomModeEnableGuid,\r
);\r
*ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY;\r
IfrNvData->SecureBootMode = Value->u8;\r
+ FreePool (SecureBootMode);\r
} \r
break;\r
\r
break;\r
\r
case KEY_SECURE_BOOT_DELETE_PK:\r
- if (Value->u8) {\r
+ GetVariable2 (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SetupMode, NULL);\r
+ if (SetupMode == NULL || (*SetupMode) == SETUP_MODE) {\r
+ IfrNvData->DeletePk = TRUE;\r
+ IfrNvData->HasPk = FALSE;\r
*ActionRequest = EFI_BROWSER_ACTION_REQUEST_SUBMIT;\r
+ } else {\r
+ IfrNvData->DeletePk = FALSE;\r
+ IfrNvData->HasPk = TRUE;\r
+ *ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY;\r
+ }\r
+ if (SetupMode != NULL) {\r
+ FreePool (SetupMode);\r
}\r
break; \r
}\r
+ } else if (Action == EFI_BROWSER_ACTION_FORM_CLOSE) {\r
+ //\r
+ // Force the platform back to Standard Mode once user leave the setup screen.\r
+ //\r
+ GetVariable2 (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid, (VOID**)&SecureBootMode, NULL);\r
+ if (NULL != SecureBootMode && *SecureBootMode == CUSTOM_SECURE_BOOT_MODE) {\r
+ IfrNvData->SecureBootMode = STANDARD_SECURE_BOOT_MODE;\r
+ SetSecureBootMode(STANDARD_SECURE_BOOT_MODE);\r
+ }\r
+ if (SecureBootMode != NULL) {\r
+ FreePool (SecureBootMode);\r
+ }\r
}\r
\r
if (!EFI_ERROR (Status)) {\r
projects / mirror_edk2.git / commitdiff