From 8f8ca22e594e3a6c313f725fbc7e2b20d75c79fd Mon Sep 17 00:00:00 2001
From: sfu5
Date: Thu, 5 Jul 2012 08:08:12 +0000
Subject: [PATCH] 1. Reset system when user changes secure boot state in secure boot configuration form. 2. Update the method to detect secure boot state in DxeImageVerificationLib and secure boot configuration driver.
Signed-off-by: Fu Siyuan
Reviewed-by: Dong Guo
Reviewed-by: Ye Ting
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13505 6f19259b-4bc3-4df7-8a09-765794883524
---
 .../Guid/AuthenticatedVariableFormat.h | 4 +-
 .../DxeImageVerificationLib.c | 38 ++++---------------
 .../DxeImageVerificationLib.inf | 5 ---
 .../RuntimeDxe/AuthService.c | 4 +-
 .../SecureBootConfigDxe/SecureBootConfig.vfr | 2 +-
 .../SecureBootConfigImpl.c | 22 +++++++----
 6 files changed, 29 insertions(+), 46 deletions(-)
diff --git a/SecurityPkg/Include/Guid/AuthenticatedVariableFormat.h b/SecurityPkg/Include/Guid/AuthenticatedVariableFormat.h
index f18f4aa7eb..da71e774ef 100644
--- a/SecurityPkg/Include/Guid/AuthenticatedVariableFormat.h
+++ b/SecurityPkg/Include/Guid/AuthenticatedVariableFormat.h
@@ -29,7 +29,9 @@ extern EFI_GUID gEfiAuthenticatedVariableGuid;
 extern EFI_GUID gEfiSecureBootEnableDisableGuid;
 ///
-/// "SecureBootEnable" variable for the Secure boot feature enable/disable.
+/// "SecureBootEnable" variable for the Secure Boot feature enable/disable.
+/// This variable is used for allowing a physically present user to disable
+/// Secure Boot via firmware setup without the possession of PKpriv.
 ///
 #define EFI_SECURE_BOOT_ENABLE_NAME L"SecureBootEnable"
 #define SECURE_BOOT_ENABLE 1
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index dff4bd0371..093932053c 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1254,14 +1254,13 @@ DxeImageVerificationHandler (
 UINT16 Magic;
 EFI_IMAGE_DOS_HEADER *DosHdr;
 EFI_STATUS VerifyStatus;
- UINT8 *SetupMode;
 EFI_SIGNATURE_LIST *SignatureList;
 UINTN SignatureListSize;
 EFI_SIGNATURE_DATA *Signature;
 EFI_IMAGE_EXECUTION_ACTION Action;
 WIN_CERTIFICATE *WinCertificate;
 UINT32 Policy;
- UINT8 *SecureBootEnable;
+ UINT8 *SecureBoot;
 PE_COFF_LOADER_IMAGE_CONTEXT ImageContext;
 UINT32 NumberOfRvaAndSizes;
 UINT32 CertSize;
@@ -1309,43 +1308,22 @@ DxeImageVerificationHandler (
 return EFI_ACCESS_DENIED;
 }
- GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);
+ GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOID**)&SecureBoot, NULL);
 //
- // Skip verification if SecureBootEnable variable doesn't exist.
+ // Skip verification if SecureBoot variable doesn't exist.
 //
- if (SecureBootEnable == NULL) {
+ if (SecureBoot == NULL) {
 return EFI_SUCCESS;
 }
 //
- // Skip verification if SecureBootEnable is disabled.
+ // Skip verification if SecureBoot is disabled.
 //
- if (*SecureBootEnable == SECURE_BOOT_DISABLE) {
- FreePool (SecureBootEnable);
+ if (*SecureBoot == SECURE_BOOT_MODE_DISABLE) {
+ FreePool (SecureBoot);
 return EFI_SUCCESS;
 }
-
- FreePool (SecureBootEnable);
-
- GetEfiGlobalVariable2 (EFI_SETUP_MODE_NAME, (VOID**)&SetupMode, NULL);
-
- //
- // SetupMode doesn't exist means no AuthVar driver is dispatched,
- // skip verification.
- //
- if (SetupMode == NULL) {
- return EFI_SUCCESS;
- }
-
- //
- // If platform is in SETUP MODE, skip verification.
- //
- if (*SetupMode == SETUP_MODE) {
- FreePool (SetupMode);
- return EFI_SUCCESS;
- }
-
- FreePool (SetupMode);
+ FreePool (SecureBoot);
 //
 // Read the Dos header.
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
index e561a648a1..8ec41f4e11 100644
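Review bot: The status returned by `GetEfiGlobalVariable2` is discarded in the second hunk, so any failure to read `SecureBoot` leaves the pointer NULL and `DxeImageVerificationHandler` returns EFI_SUCCESS with the image unverified. The comment only covers the "variable doesn't exist" case, but a failure inside the helper (for instance the buffer allocation that the later `FreePool (SecureBoot)` implies) would take the same path and fail open. Consider capturing the status and skipping verification only when the variable is really absent: `Status = GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOID**)&SecureBoot, NULL);`, then `if (Status == EFI_NOT_FOUND) { return EFI_SUCCESS; }` and `if (EFI_ERROR (Status)) { return EFI_ACCESS_DENIED; }`. Whether a `Status` local already exists cannot be seen here, because the function body starts and ends outside the hunk.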
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
@@ -68,13 +68,8 @@
 gEfiCertSha256Guid
 gEfiCertX509Guid
 gEfiCertRsa2048Guid
- gEfiSecureBootEnableDisableGuid
 [Pcd]
 gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy
 gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy
 gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy
-
-
-
-
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
index d6df32affc..d1aeab8bfc 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
@@ -323,7 +323,7 @@ AutenticatedVariableServiceInitialize (
 // If "SecureBootEnable" variable is SECURE_BOOT_ENABLE and in USER_MODE, Set "SecureBoot" variable to SECURE_BOOT_MODE_ENABLE.
 // If "SecureBootEnable" variable is SECURE_BOOT_DISABLE, Set "SecureBoot" variable to SECURE_BOOT_MODE_DISABLE.
 //
- SecureBootEnable = SECURE_BOOT_MODE_DISABLE;
+ SecureBootEnable = SECURE_BOOT_DISABLE;
 FindVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
 if (Variable.CurrPtr != NULL) {
 SecureBootEnable = *(GetVariableDataPtr (Variable.CurrPtr));
@@ -331,7 +331,7 @@ AutenticatedVariableServiceInitialize (
 //
 // "SecureBootEnable" not exist, initialize it in USER_MODE.
 //
- SecureBootEnable = SECURE_BOOT_MODE_ENABLE;
+ SecureBootEnable = SECURE_BOOT_ENABLE;
 Status = UpdateVariable (
 EFI_SECURE_BOOT_ENABLE_NAME,
 &gEfiSecureBootEnableDisableGuid,
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
index 22c03c1288..4e790634da 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
@@ -51,7 +51,7 @@ formset
 questionid = KEY_SECURE_BOOT_ENABLE,
 prompt = STRING_TOKEN(STR_SECURE_BOOT_PROMPT),
 help = STRING_TOKEN(STR_SECURE_BOOT_HELP),
- flags = INTERACTIVE,
+ flags = INTERACTIVE | RESET_REQUIRED,
 endcheckbox;
 endif;
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
index 0a08479b4b..26fc09d52d 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
@@ -2069,27 +2069,25 @@ SecureBootExtractConfigFromVariable (
 {
 UINT8 *SecureBootEnable;
 UINT8 *SetupMode;
+ UINT8 *SecureBoot;
 UINT8 *SecureBootMode;
 SecureBootEnable = NULL;
 SetupMode = NULL;
+ SecureBoot = NULL;
 SecureBootMode = NULL;
- //
- // Get the SecureBootEnable Variable
- //
- GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);
-
 //
 // If the SecureBootEnable Variable doesn't exist, hide the SecureBoot Enable/Disable
 // Checkbox.
 //
+ GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);
 if (SecureBootEnable == NULL) {
 ConfigData->HideSecureBoot = TRUE;
 } else {
 ConfigData->HideSecureBoot = FALSE;
- ConfigData->SecureBootState = *SecureBootEnable;
 }
+
 //
 // If it is Physical Presence User, set the PhysicalPresent to true.
 //
@@ -2103,11 +2101,21 @@ SecureBootExtractConfigFromVariable (
 // If there is no PK then the Delete Pk button will be gray.
 //
 GetVariable2 (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SetupMode, NULL);
- if (SetupMode == NULL || (*SetupMode) == 1) {
+ if (SetupMode == NULL || (*SetupMode) == SETUP_MODE) {
 ConfigData->HasPk = FALSE;
 } else {
 ConfigData->HasPk = TRUE;
 }
+
+ //
+ // If the value of SecureBoot variable is 1, the platform is operating in secure boot mode.
+ //
+ GetVariable2 (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SecureBoot, NULL);
+ if (SecureBoot != NULL && *SecureBoot == SECURE_BOOT_MODE_ENABLE) {
+ ConfigData->SecureBootState = TRUE;
+ } else {
+ ConfigData->SecureBootState = FALSE;
+ }
 //
 // Get the SecureBootMode from CustomMode variable.
--
2.39.2
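Review bot: The buffer that `GetVariable2` returns in `SecureBoot` is not released anywhere in the lines visible in this hunk or the previous one, whereas DxeImageVerificationLib.c in the same commit calls `FreePool (SecureBoot)` after reading the same variable. `SecureBootExtractConfigFromVariable` continues past the end of the hunk, so the release may happen there; if it does not, add `if (SecureBoot != NULL) { FreePool (SecureBoot); }` before the function returns. Separately, `SecureBootState` is now derived from `SecureBoot` while `HideSecureBoot` still follows `SecureBootEnable`, so a short comment such as `// SecureBootState shows the effective mode, not the stored SecureBootEnable preference` would make the split explicit.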