From 126f3b1de02c71fde8e28abc35a46ac5f135b527 Mon Sep 17 00:00:00 2001 From: "Zhang, Chao B" Date: Wed, 13 Apr 2016 15:27:04 +0800 Subject: [PATCH] SecurityPkg: AuthVariableLib & SecureBootConfigDxe: Fix SecureBootEnable & PK inconsistency issue Revert previous fix in AuthVariable driver init which breaks SecureBootEnable original behavior. Add more error handling logic in SecureBootConfigDxe to prevent wrong display info when SecureBootEnable & PK inconsistency happens. Commit hash for the reverted patch in AuthVariable driver is SHA-1: a6811666b0bef18871fa62b6c5abf18fb076fd0d Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Chao Zhang Reviewed-by: Fu Siyuan --- .../Library/AuthVariableLib/AuthService.c | 14 +----- .../SecureBootConfigImpl.c | 47 ++++++++++--------- 2 files changed, 26 insertions(+), 35 deletions(-) diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c index f11b86827a..4649e50e5e 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c @@ -441,19 +441,7 @@ InitSecureBootVariables ( SecureBootEnable = SECURE_BOOT_DISABLE; Status = AuthServiceInternalFindVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID **)&Data, &DataSize); if (!EFI_ERROR(Status)) { - if (!IsPkPresent) { - // - // PK is cleared in runtime. "SecureBootMode" is not updated before reboot - // Delete "SecureBootMode" - // - Status = AuthServiceInternalUpdateVariable ( - EFI_SECURE_BOOT_ENABLE_NAME, - &gEfiSecureBootEnableDisableGuid, - &SecureBootEnable, - 0, - EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS - ); - } else { + if (IsPkPresent) { SecureBootEnable = *Data; } } else if ((SecureBootMode == SecureBootModeTypeUserMode) || (SecureBootMode == SecureBootModeTypeDeployedMode)) { diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c index e840316368..c8f4d977d9 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c @@ -3167,20 +3167,6 @@ SecureBootExtractConfigFromVariable ( ConfigData->RevocationTime.Minute = CurrTime.Minute; ConfigData->RevocationTime.Second = 0; - // - // If the SecureBootEnable Variable doesn't exist, hide the SecureBoot Enable/Disable - // Checkbox. - // - ConfigData->AttemptSecureBoot = FALSE; - GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL); - if (SecureBootEnable == NULL) { - ConfigData->HideSecureBoot = TRUE; - } else { - ConfigData->HideSecureBoot = FALSE; - if ((*SecureBootEnable) == SECURE_BOOT_ENABLE) { - ConfigData->AttemptSecureBoot = TRUE; - } - } // // If it is Physical Presence User, set the PhysicalPresent to true. @@ -3215,6 +3201,26 @@ SecureBootExtractConfigFromVariable ( ConfigData->HasPk = TRUE; } + // + // Check SecureBootEnable & Pk status, fix the inconsistence. + // If the SecureBootEnable Variable doesn't exist, hide the SecureBoot Enable/Disable + // Checkbox. + // + ConfigData->AttemptSecureBoot = FALSE; + GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL); + + // + // Fix Pk, SecureBootEnable inconsistence + // + if (ConfigData->CurSecureBootMode == SECURE_BOOT_MODE_USER_MODE || ConfigData->CurSecureBootMode == SECURE_BOOT_MODE_DEPLOYED_MODE) { + ConfigData->HideSecureBoot = FALSE; + if ((SecureBootEnable != NULL) && (*SecureBootEnable == SECURE_BOOT_ENABLE)) { + ConfigData->AttemptSecureBoot = TRUE; + } + } else { + ConfigData->HideSecureBoot = TRUE; + } + if (SecureBootEnable != NULL) { FreePool (SecureBootEnable); } @@ -3363,7 +3369,6 @@ SecureBootRouteConfig ( OUT EFI_STRING *Progress ) { - UINT8 *SecureBootEnable; SECUREBOOT_CONFIGURATION IfrNvData; UINTN BufferSize; EFI_STATUS Status; @@ -3400,10 +3405,7 @@ SecureBootRouteConfig ( // // Store Buffer Storage back to EFI variable if needed // - SecureBootEnable = NULL; - GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL); - if (NULL != SecureBootEnable) { - FreePool (SecureBootEnable); + if (!IfrNvData.HideSecureBoot) { Status = SaveSecureBootVariable (IfrNvData.AttemptSecureBoot); if (EFI_ERROR (Status)) { return Status; @@ -3454,6 +3456,7 @@ SecureBootCallback ( SECUREBOOT_CONFIGURATION *IfrNvData; UINT16 LabelId; UINT8 *SecureBootEnable; + UINT8 *Pk; UINT8 *SecureBootMode; CHAR16 PromptString[100]; UINT8 CurSecureBootMode; @@ -3926,11 +3929,11 @@ SecureBootCallback ( } } else if (Action == EFI_BROWSER_ACTION_DEFAULT_STANDARD) { if (QuestionId == KEY_HIDE_SECURE_BOOT) { - GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL); - if (SecureBootEnable == NULL) { + GetVariable2 (EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid, (VOID**)&Pk, NULL); + if (Pk == NULL) { IfrNvData->HideSecureBoot = TRUE; } else { - FreePool (SecureBootEnable); + FreePool (Pk); IfrNvData->HideSecureBoot = FALSE; } Value->b = IfrNvData->HideSecureBoot; -- 2.39.2