Virtualization
/
edk2
mirror of https://gitlab.com/qemu-project/edk2.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

SecurityPkg: SecureBootConfigDxe: Remove SecureBoot UI change for Customized Secure Boot 

Remove SecureBoot UI support for Customized SecureBoot Mode transition according to Mantis 1263.
The feature has been moved to
  https://github.com/tianocore/edk2-staging/tree/Customized-Secure-Boot
Previous check-in hash is
  SHA-1: 96832eefea

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: El-Haj-Mahmoud Samer <samer.el-haj-mahmoud@hpe.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
This commit is contained in:
Zhang, Chao B 2016-04-28 15:27:09 +08:00
parent 560ac77ea1
commit 12087ff6d6
4 changed files with 32 additions and 417 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
View File

@ -33,14 +33,6 @@ formset
subtitle text = STRING_TOKEN(STR_NULL); subtitle text = STRING_TOKEN(STR_NULL);
//
// Display current secure boot mode(one of SetupMode/AuditMode/UserMode/DeployedMode)
//
text
help = STRING_TOKEN(STR_CUR_SECURE_BOOT_MODE_HELP),
text = STRING_TOKEN(STR_CUR_SECURE_BOOT_MODE_PROMPT),
text = STRING_TOKEN(STR_CUR_SECURE_BOOT_MODE_CONTENT);
text text
help = STRING_TOKEN(STR_SECURE_BOOT_STATE_HELP), help = STRING_TOKEN(STR_SECURE_BOOT_STATE_HELP),
text = STRING_TOKEN(STR_SECURE_BOOT_STATE_PROMPT), text = STRING_TOKEN(STR_SECURE_BOOT_STATE_PROMPT),
@ -71,7 +63,7 @@ formset
endoneof; endoneof;
// //
// Display PK include page // Display of 'Current Secure Boot Mode'
// //
suppressif questionref(SecureBootMode) == SECURE_BOOT_MODE_STANDARD; suppressif questionref(SecureBootMode) == SECURE_BOOT_MODE_STANDARD;
grayoutif NOT ideqval SECUREBOOT_CONFIGURATION.PhysicalPresent == 1; grayoutif NOT ideqval SECUREBOOT_CONFIGURATION.PhysicalPresent == 1;
@ -93,33 +85,6 @@ formset
subtitle text = STRING_TOKEN(STR_NULL); subtitle text = STRING_TOKEN(STR_NULL);
//
// Display of SetupMode/UserMode/AuditMode/DeployedMode transition
//
oneof name = TransSecureBootMode,
questionid = KEY_TRANS_SECURE_BOOT_MODE,
prompt = STRING_TOKEN(STR_TRANS_SECURE_BOOT_MODE_PROMPT),
help = STRING_TOKEN(STR_TRANS_SECURE_BOOT_MODE_HELP),
flags = INTERACTIVE | NUMERIC_SIZE_1,
suppressif ideqval SECUREBOOT_CONFIGURATION.CurSecureBootMode == SECURE_BOOT_MODE_AUDIT_MODE
OR (ideqval SECUREBOOT_CONFIGURATION.CurSecureBootMode == SECURE_BOOT_MODE_DEPLOYED_MODE AND
ideqval SECUREBOOT_CONFIGURATION.PhysicalPresent == 0);
option text = STRING_TOKEN(STR_USER_MODE), value = SECURE_BOOT_MODE_USER_MODE, flags = 0;
endif
suppressif ideqval SECUREBOOT_CONFIGURATION.CurSecureBootMode == SECURE_BOOT_MODE_AUDIT_MODE;
option text = STRING_TOKEN(STR_SETUP_MODE), value = SECURE_BOOT_MODE_SETUP_MODE, flags = 0;
endif
suppressif ideqval SECUREBOOT_CONFIGURATION.CurSecureBootMode == SECURE_BOOT_MODE_DEPLOYED_MODE;
option text = STRING_TOKEN(STR_AUDIT_MODE), value = SECURE_BOOT_MODE_AUDIT_MODE, flags = 0;
endif
suppressif ideqval SECUREBOOT_CONFIGURATION.CurSecureBootMode == SECURE_BOOT_MODE_SETUP_MODE;
option text = STRING_TOKEN(STR_DEPLOYED_MODE), value = SECURE_BOOT_MODE_DEPLOYED_MODE, flags = 0;
endif
endoneof;
subtitle text = STRING_TOKEN(STR_NULL);
goto FORMID_SECURE_BOOT_PK_OPTION_FORM, goto FORMID_SECURE_BOOT_PK_OPTION_FORM,
prompt = STRING_TOKEN(STR_SECURE_BOOT_PK_OPTION), prompt = STRING_TOKEN(STR_SECURE_BOOT_PK_OPTION),
help = STRING_TOKEN(STR_SECURE_BOOT_PK_OPTION_HELP), help = STRING_TOKEN(STR_SECURE_BOOT_PK_OPTION_HELP),

383
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
View File

@ -49,8 +49,6 @@ HII_VENDOR_DEVICE_PATH mSecureBootHiiVendorDevicePath = {
BOOLEAN mIsEnterSecureBootForm = FALSE; BOOLEAN mIsEnterSecureBootForm = FALSE;
BOOLEAN mIsSelectedSecureBootModeForm = FALSE;
BOOLEAN mIsSecureBootModeChanged = FALSE;
// //
// OID ASN.1 Value for Hash Algorithms // OID ASN.1 Value for Hash Algorithms
@ -2832,256 +2830,6 @@ ON_EXIT:
); );
} }
/**
Perform secure boot mode transition from User Mode by setting AuditMode
or DeployedMode variable.
@param[in] NewMode New secure boot mode.
@retval EFI_SUCCESS Secure Boot mode transition is successful.
**/
EFI_STATUS
TransitionFromUserMode(
IN UINT8 NewMode
)
{
UINT8 Data;
EFI_STATUS Status;
if (NewMode == SECURE_BOOT_MODE_AUDIT_MODE) {
Data = 1;
Status = gRT->SetVariable(
EFI_AUDIT_MODE_NAME,
&gEfiGlobalVariableGuid,
EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
sizeof(UINT8),
&Data
);
return Status;
} else if (NewMode == SECURE_BOOT_MODE_DEPLOYED_MODE) {
Data = 1;
Status = gRT->SetVariable(
EFI_DEPLOYED_MODE_NAME,
&gEfiGlobalVariableGuid,
EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
sizeof(UINT8),
&Data
);
return Status;
}
//
// Other case do nothing here. May Goto enroll PK page.
//
return EFI_SUCCESS;
}
/**
Perform secure boot mode transition from Setup Mode by setting AuditMode
variable.
@param[in] NewMode New secure boot mode.
@retval EFI_SUCCESS Secure Boot mode transition is successful.
**/
EFI_STATUS
TransitionFromSetupMode(
IN UINT8 NewMode
)
{
UINT8 Data;
EFI_STATUS Status;
Status = EFI_INVALID_PARAMETER;
if (NewMode == SECURE_BOOT_MODE_AUDIT_MODE) {
Data = 1;
Status = gRT->SetVariable(
EFI_AUDIT_MODE_NAME,
&gEfiGlobalVariableGuid,
EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
sizeof(UINT8),
&Data
);
return Status;
}
//
// Other case do nothing here. May Goto enroll PK page.
//
return EFI_SUCCESS;
}
/**
Perform secure boot mode transition from Audit Mode. Nothing is done here,
should goto enroll PK page.
@param[in] NewMode New secure boot mode.
@retval EFI_SUCCESS Secure Boot mode transition is successful.
**/
EFI_STATUS
TransitionFromAuditMode(
IN UINT8 NewMode
)
{
//
// Other case do nothing here. Should Goto enroll PK page.
//
return EFI_SUCCESS;
}
/**
Perform secure boot mode transition from Deployed Mode by setting Deployed Mode
variable to 0.
@param[in] NewMode New secure boot mode.
@retval EFI_SUCCESS Secure Boot mode transition is successful.
**/
EFI_STATUS
TransitionFromDeployedMode(
IN UINT8 NewMode
)
{
UINT8 Data;
EFI_STATUS Status;
//
// Platform specific logic. when physical presence, Allow to set DeployedMode =:0
// to switch back to UserMode
//
if (NewMode == SECURE_BOOT_MODE_USER_MODE) {
Data = 0;
Status = gRT->SetVariable(
EFI_DEPLOYED_MODE_NAME,
&gEfiGlobalVariableGuid,
EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
sizeof(UINT8),
&Data
);
DEBUG((EFI_D_INFO, "DeployedMode Status %x\n", Status));
return Status;
}
return EFI_SUCCESS;
}
/**
Perform main secure boot mode transition.
@param[in] CurMode New secure boot mode.
@param[in] NewMode New secure boot mode.
@retval EFI_SUCCESS Secure Boot mode transition is successful.
**/
EFI_STATUS
SecureBootModeTransition(
IN UINT8 CurMode,
IN UINT8 NewMode
)
{
EFI_STATUS Status;
//
// Set platform to be customized mode to ensure platform specific mode switch sucess
//
Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);
if (EFI_ERROR (Status)) {
return Status;
}
//
// SecureBootMode transition
//
switch (CurMode) {
case SECURE_BOOT_MODE_USER_MODE:
Status = TransitionFromUserMode(NewMode);
break;
case SECURE_BOOT_MODE_SETUP_MODE:
Status = TransitionFromSetupMode(NewMode);
break;
case SECURE_BOOT_MODE_AUDIT_MODE:
Status = TransitionFromAuditMode(NewMode);
break;
case SECURE_BOOT_MODE_DEPLOYED_MODE:
Status = TransitionFromDeployedMode(NewMode);
break;
default:
Status = EFI_INVALID_PARAMETER;
ASSERT(FALSE);
}
return Status;
}
/**
Get current secure boot mode by retrieve data from SetupMode/AuditMode/DeployedMode.
@param[out] SecureBootMode Current secure boot mode.
**/
VOID
ExtractSecureBootModeFromVariable(
OUT UINT8 *SecureBootMode
)
{
UINT8 *SetupMode;
UINT8 *AuditMode;
UINT8 *DeployedMode;
SetupMode = NULL;
AuditMode = NULL;
DeployedMode = NULL;
//
// Get AuditMode/DeployedMode from variable
//
GetVariable2 (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SetupMode, NULL);
GetVariable2 (EFI_AUDIT_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&AuditMode, NULL);
GetVariable2 (EFI_DEPLOYED_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&DeployedMode, NULL);
if (SetupMode != NULL && AuditMode != NULL && DeployedMode != NULL) {
if (*SetupMode == 0 && *AuditMode == 0 && *DeployedMode == 0) {
//
// User Mode
//
*SecureBootMode = SECURE_BOOT_MODE_USER_MODE;
} else if (*SetupMode == 1 && *AuditMode == 0 && *DeployedMode == 0) {
//
// Setup Mode
//
*SecureBootMode = SECURE_BOOT_MODE_SETUP_MODE;
} else if (*SetupMode == 1 && *AuditMode == 1 && *DeployedMode == 0) {
//
// Audit Mode
//
*SecureBootMode = SECURE_BOOT_MODE_AUDIT_MODE;
} else if (*SetupMode == 0 && *AuditMode == 0 && *DeployedMode == 1) {
//
// Deployed Mode
//
*SecureBootMode = SECURE_BOOT_MODE_DEPLOYED_MODE;
} else {
ASSERT(FALSE);
}
}else {
ASSERT(FALSE);
}
if (SetupMode != NULL) {
FreePool (SetupMode);
}
if (DeployedMode != NULL) {
FreePool (DeployedMode);
}
if (AuditMode != NULL) {
FreePool (AuditMode);
}
}
/** /**
Update SecureBoot strings based on new Secure Boot Mode State. String includes STR_SECURE_BOOT_STATE_CONTENT Update SecureBoot strings based on new Secure Boot Mode State. String includes STR_SECURE_BOOT_STATE_CONTENT
@ -3098,7 +2846,6 @@ UpdateSecureBootString(
IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private
) )
{ {
UINT8 CurSecureBootMode;
UINT8 *SecureBoot; UINT8 *SecureBoot;
SecureBoot = NULL; SecureBoot = NULL;
@ -3116,20 +2863,6 @@ UpdateSecureBootString(
} else { } else {
HiiSetString (Private->HiiHandle, STRING_TOKEN (STR_SECURE_BOOT_STATE_CONTENT), L"Disabled", NULL); HiiSetString (Private->HiiHandle, STRING_TOKEN (STR_SECURE_BOOT_STATE_CONTENT), L"Disabled", NULL);
} }
//
// Get current secure boot mode.
//
ExtractSecureBootModeFromVariable(&CurSecureBootMode);
if (CurSecureBootMode == SECURE_BOOT_MODE_USER_MODE) {
HiiSetString (Private->HiiHandle, STRING_TOKEN (STR_CUR_SECURE_BOOT_MODE_CONTENT), L"UserMode", NULL);
} else if (CurSecureBootMode == SECURE_BOOT_MODE_SETUP_MODE) {
HiiSetString (Private->HiiHandle, STRING_TOKEN (STR_CUR_SECURE_BOOT_MODE_CONTENT), L"SetupMode", NULL);
} else if (CurSecureBootMode == SECURE_BOOT_MODE_AUDIT_MODE) {
HiiSetString (Private->HiiHandle, STRING_TOKEN (STR_CUR_SECURE_BOOT_MODE_CONTENT), L"AuditMode", NULL);
} else if (CurSecureBootMode == SECURE_BOOT_MODE_DEPLOYED_MODE) {
HiiSetString (Private->HiiHandle, STRING_TOKEN (STR_CUR_SECURE_BOOT_MODE_CONTENT), L"DeployedMode", NULL);
}
FreePool(SecureBoot); FreePool(SecureBoot);
@ -3148,10 +2881,12 @@ SecureBootExtractConfigFromVariable (
) )
{ {
UINT8 *SecureBootEnable; UINT8 *SecureBootEnable;
UINT8 *SetupMode;
UINT8 *SecureBootMode; UINT8 *SecureBootMode;
EFI_TIME CurrTime; EFI_TIME CurrTime;
SecureBootEnable = NULL; SecureBootEnable = NULL;
SetupMode = NULL;
SecureBootMode = NULL; SecureBootMode = NULL;
// //
@ -3177,25 +2912,11 @@ SecureBootExtractConfigFromVariable (
ConfigData->PhysicalPresent = FALSE; ConfigData->PhysicalPresent = FALSE;
} }
//
// Get the SecureBootMode from CustomMode variable.
//
GetVariable2 (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid, (VOID**)&SecureBootMode, NULL);
if (SecureBootMode == NULL) {
ConfigData->SecureBootMode = STANDARD_SECURE_BOOT_MODE;
} else {
ConfigData->SecureBootMode = *(SecureBootMode);
}
//
// Extact current Secure Boot Mode
//
ExtractSecureBootModeFromVariable(&ConfigData->CurSecureBootMode);
// //
// If there is no PK then the Delete Pk button will be gray. // If there is no PK then the Delete Pk button will be gray.
// //
if (ConfigData->CurSecureBootMode == SECURE_BOOT_MODE_SETUP_MODE || ConfigData->CurSecureBootMode == SECURE_BOOT_MODE_AUDIT_MODE) { GetVariable2 (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SetupMode, NULL);
if (SetupMode == NULL || (*SetupMode) == SETUP_MODE) {
ConfigData->HasPk = FALSE; ConfigData->HasPk = FALSE;
} else { } else {
ConfigData->HasPk = TRUE; ConfigData->HasPk = TRUE;
@ -3212,7 +2933,7 @@ SecureBootExtractConfigFromVariable (
// //
// Fix Pk, SecureBootEnable inconsistence // Fix Pk, SecureBootEnable inconsistence
// //
if (ConfigData->CurSecureBootMode == SECURE_BOOT_MODE_USER_MODE || ConfigData->CurSecureBootMode == SECURE_BOOT_MODE_DEPLOYED_MODE) { if ((*SetupMode) == USER_MODE) {
ConfigData->HideSecureBoot = FALSE; ConfigData->HideSecureBoot = FALSE;
if ((SecureBootEnable != NULL) && (*SecureBootEnable == SECURE_BOOT_ENABLE)) { if ((SecureBootEnable != NULL) && (*SecureBootEnable == SECURE_BOOT_ENABLE)) {
ConfigData->AttemptSecureBoot = TRUE; ConfigData->AttemptSecureBoot = TRUE;
@ -3221,10 +2942,22 @@ SecureBootExtractConfigFromVariable (
ConfigData->HideSecureBoot = TRUE; ConfigData->HideSecureBoot = TRUE;
} }
//
// Get the SecureBootMode from CustomMode variable.
//
GetVariable2 (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid, (VOID**)&SecureBootMode, NULL);
if (SecureBootMode == NULL) {
ConfigData->SecureBootMode = STANDARD_SECURE_BOOT_MODE;
} else {
ConfigData->SecureBootMode = *(SecureBootMode);
}
if (SecureBootEnable != NULL) { if (SecureBootEnable != NULL) {
FreePool (SecureBootEnable); FreePool (SecureBootEnable);
} }
if (SetupMode != NULL) {
FreePool (SetupMode);
}
if (SecureBootMode != NULL) { if (SecureBootMode != NULL) {
FreePool (SecureBootMode); FreePool (SecureBootMode);
} }
@ -3458,18 +3191,20 @@ SecureBootCallback (
UINT8 *SecureBootEnable; UINT8 *SecureBootEnable;
UINT8 *Pk; UINT8 *Pk;
UINT8 *SecureBootMode; UINT8 *SecureBootMode;
UINT8 *SetupMode;
CHAR16 PromptString[100]; CHAR16 PromptString[100];
UINT8 CurSecureBootMode;
EFI_DEVICE_PATH_PROTOCOL *File; EFI_DEVICE_PATH_PROTOCOL *File;
Status = EFI_SUCCESS; Status = EFI_SUCCESS;
SecureBootEnable = NULL; SecureBootEnable = NULL;
SecureBootMode = NULL; SecureBootMode = NULL;
SetupMode = NULL;
File = NULL; File = NULL;
if ((This == NULL) || (Value == NULL) || (ActionRequest == NULL)) { if ((This == NULL) || (Value == NULL) || (ActionRequest == NULL)) {
return EFI_INVALID_PARAMETER; return EFI_INVALID_PARAMETER;
} }
Private = SECUREBOOT_CONFIG_PRIVATE_FROM_THIS (This); Private = SECUREBOOT_CONFIG_PRIVATE_FROM_THIS (This);
gSecureBootPrivateData = Private; gSecureBootPrivateData = Private;
@ -3493,13 +3228,6 @@ SecureBootCallback (
Status = UpdateSecureBootString(Private); Status = UpdateSecureBootString(Private);
SecureBootExtractConfigFromVariable (IfrNvData); SecureBootExtractConfigFromVariable (IfrNvData);
mIsEnterSecureBootForm = TRUE; mIsEnterSecureBootForm = TRUE;
} else if (QuestionId == KEY_TRANS_SECURE_BOOT_MODE){
//
// Secure Boot Policy variable changes after transition. Re-sync CurSecureBootMode
//
ExtractSecureBootModeFromVariable(&IfrNvData->CurSecureBootMode);
mIsSelectedSecureBootModeForm = TRUE;
mIsSecureBootModeChanged = FALSE;
} }
goto EXIT; goto EXIT;
} }
@ -3511,11 +3239,6 @@ SecureBootCallback (
Value->u8 = SECURE_BOOT_MODE_STANDARD; Value->u8 = SECURE_BOOT_MODE_STANDARD;
Status = EFI_SUCCESS; Status = EFI_SUCCESS;
} }
} else if (QuestionId == KEY_TRANS_SECURE_BOOT_MODE) {
if (mIsSelectedSecureBootModeForm) {
Value->u8 = IfrNvData->CurSecureBootMode;
Status = EFI_SUCCESS;
}
} }
goto EXIT; goto EXIT;
} }
@ -3770,57 +3493,6 @@ SecureBootCallback (
); );
} }
break; break;
case KEY_TRANS_SECURE_BOOT_MODE:
//
// Pop up to alert user want to change secure boot mode
//
if ((IfrNvData->CurSecureBootMode == SECURE_BOOT_MODE_USER_MODE &&
(Value->u8 == SECURE_BOOT_MODE_AUDIT_MODE || Value->u8 == SECURE_BOOT_MODE_DEPLOYED_MODE))
||(IfrNvData->CurSecureBootMode == SECURE_BOOT_MODE_SETUP_MODE &&
Value->u8 == SECURE_BOOT_MODE_AUDIT_MODE)
||(IfrNvData->CurSecureBootMode == SECURE_BOOT_MODE_DEPLOYED_MODE &&
Value->u8 == SECURE_BOOT_MODE_USER_MODE && IfrNvData->PhysicalPresent == 1)){
CreatePopUp (
EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
&Key,
L"Are you sure you want to switch secure boot mode?",
L"Press 'Y' to switch secure boot mode, 'N' to discard change and return",
NULL
);
if (Key.UnicodeChar != 'y' && Key.UnicodeChar != 'Y') {
//
// If not 'Y'/''y' restore to defualt secure boot mode
//
Value->u8 = IfrNvData->CurSecureBootMode;
goto EXIT;
}
} else if ((IfrNvData->CurSecureBootMode == SECURE_BOOT_MODE_SETUP_MODE && Value->u8 == SECURE_BOOT_MODE_USER_MODE)
||(IfrNvData->CurSecureBootMode == SECURE_BOOT_MODE_USER_MODE && Value->u8 == SECURE_BOOT_MODE_SETUP_MODE)
||(IfrNvData->CurSecureBootMode == SECURE_BOOT_MODE_AUDIT_MODE && Value->u8 == SECURE_BOOT_MODE_DEPLOYED_MODE)
||(IfrNvData->CurSecureBootMode == SECURE_BOOT_MODE_DEPLOYED_MODE && Value->u8 == SECURE_BOOT_MODE_SETUP_MODE)) {
CreatePopUp (
EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
&Key,
L"Secure boot mode transition requires PK change",
L"Please go to link below to update PK",
NULL
);
} else {
Status = EFI_INVALID_PARAMETER;
goto EXIT;
}
Status = SecureBootModeTransition(IfrNvData->CurSecureBootMode, Value->u8);
//
// Secure Boot Policy variable may change after transition. Re-sync CurSecureBootMode
//
ExtractSecureBootModeFromVariable(&CurSecureBootMode);
if (IfrNvData->CurSecureBootMode != CurSecureBootMode) {
IfrNvData->CurSecureBootMode = CurSecureBootMode;
mIsSecureBootModeChanged = TRUE;
}
break;
default: default:
if ((QuestionId >= OPTION_DEL_KEK_QUESTION_ID) && if ((QuestionId >= OPTION_DEL_KEK_QUESTION_ID) &&
(QuestionId < (OPTION_DEL_KEK_QUESTION_ID + OPTION_CONFIG_RANGE))) { (QuestionId < (OPTION_DEL_KEK_QUESTION_ID + OPTION_CONFIG_RANGE))) {
@ -3889,13 +3561,6 @@ SecureBootCallback (
case KEY_SECURE_BOOT_MODE: case KEY_SECURE_BOOT_MODE:
mIsEnterSecureBootForm = FALSE; mIsEnterSecureBootForm = FALSE;
break; break;
case KEY_TRANS_SECURE_BOOT_MODE:
mIsSelectedSecureBootModeForm = FALSE;
if (mIsSecureBootModeChanged) {
*ActionRequest = EFI_BROWSER_ACTION_REQUEST_RESET;
}
mIsSecureBootModeChanged = FALSE;
break;
case KEY_SECURE_BOOT_KEK_GUID: case KEY_SECURE_BOOT_KEK_GUID:
case KEY_SECURE_BOOT_SIGNATURE_GUID_DB: case KEY_SECURE_BOOT_SIGNATURE_GUID_DB:
case KEY_SECURE_BOOT_SIGNATURE_GUID_DBX: case KEY_SECURE_BOOT_SIGNATURE_GUID_DBX:
@ -3914,7 +3579,8 @@ SecureBootCallback (
break; break;
case KEY_SECURE_BOOT_DELETE_PK: case KEY_SECURE_BOOT_DELETE_PK:
if (IfrNvData->CurSecureBootMode == SECURE_BOOT_MODE_USER_MODE || IfrNvData->CurSecureBootMode == SECURE_BOOT_MODE_DEPLOYED_MODE) { GetVariable2 (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SetupMode, NULL);
if (SetupMode == NULL || (*SetupMode) == SETUP_MODE) {
IfrNvData->DeletePk = TRUE; IfrNvData->DeletePk = TRUE;
IfrNvData->HasPk = FALSE; IfrNvData->HasPk = FALSE;
*ActionRequest = EFI_BROWSER_ACTION_REQUEST_SUBMIT; *ActionRequest = EFI_BROWSER_ACTION_REQUEST_SUBMIT;
@ -3923,6 +3589,9 @@ SecureBootCallback (
IfrNvData->HasPk = TRUE; IfrNvData->HasPk = TRUE;
*ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY; *ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY;
} }
if (SetupMode != NULL) {
FreePool (SetupMode);
}
break; break;
default: default:
break; break;

7
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h
View File

@ -56,7 +56,6 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#define KEY_HIDE_SECURE_BOOT 0x100c #define KEY_HIDE_SECURE_BOOT 0x100c
#define KEY_VALUE_SAVE_AND_EXIT_DBT 0x100d #define KEY_VALUE_SAVE_AND_EXIT_DBT 0x100d
#define KEY_VALUE_NO_SAVE_AND_EXIT_DBT 0x100e #define KEY_VALUE_NO_SAVE_AND_EXIT_DBT 0x100e
#define KEY_TRANS_SECURE_BOOT_MODE 0x100f
#define KEY_SECURE_BOOT_OPTION 0x1100 #define KEY_SECURE_BOOT_OPTION 0x1100
#define KEY_SECURE_BOOT_PK_OPTION 0x1101 #define KEY_SECURE_BOOT_PK_OPTION 0x1101
@ -108,10 +107,6 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#define SECURE_BOOT_GUID_SIZE 36 #define SECURE_BOOT_GUID_SIZE 36
#define SECURE_BOOT_GUID_STORAGE_SIZE 37 #define SECURE_BOOT_GUID_STORAGE_SIZE 37
#define SECURE_BOOT_MODE_USER_MODE 0
#define SECURE_BOOT_MODE_SETUP_MODE 1
#define SECURE_BOOT_MODE_AUDIT_MODE 2
#define SECURE_BOOT_MODE_DEPLOYED_MODE 3
// //
// Nv Data structure referenced by IFR // Nv Data structure referenced by IFR
@ -122,8 +117,6 @@ typedef struct {
CHAR16 SignatureGuid[SECURE_BOOT_GUID_STORAGE_SIZE]; CHAR16 SignatureGuid[SECURE_BOOT_GUID_STORAGE_SIZE];
BOOLEAN PhysicalPresent; // If a Physical Present User BOOLEAN PhysicalPresent; // If a Physical Present User
UINT8 SecureBootMode; // Secure Boot Mode: Standard Or Custom UINT8 SecureBootMode; // Secure Boot Mode: Standard Or Custom
UINT8 CurSecureBootMode; // Current SecureBoot Mode SetupMode/UserMode/AuditMode/DeployedMode
UINT8 TransSecureBootMode; // Trans Next SecureBoot Mode
BOOLEAN DeletePk; BOOLEAN DeletePk;
BOOLEAN HasPk; // If Pk is existed it is true BOOLEAN HasPk; // If Pk is existed it is true
BOOLEAN AlwaysRevocation; // If the certificate is always revoked. Revocation time is hidden BOOLEAN AlwaysRevocation; // If the certificate is always revoked. Revocation time is hidden

20
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
View File

@ -26,10 +26,6 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#string STR_SECURE_BOOT_PROMPT #language en-US "Attempt Secure Boot" #string STR_SECURE_BOOT_PROMPT #language en-US "Attempt Secure Boot"
#string STR_SECURE_BOOT_HELP #language en-US "Enable/Disable the Secure Boot feature after platform reset" #string STR_SECURE_BOOT_HELP #language en-US "Enable/Disable the Secure Boot feature after platform reset"
#string STR_CUR_SECURE_BOOT_MODE_PROMPT #language en-US "Current Secure Boot Mode"
#string STR_CUR_SECURE_BOOT_MODE_HELP #language en-US "Current Secure Boot Mode: SetupMode/AuditMode/UserMode/DeployedMode."
#string STR_CUR_SECURE_BOOT_MODE_CONTENT #language en-US " "
#string STR_SECURE_BOOT_ENROLL_SIGNATURE #language en-US "Enroll Signature" #string STR_SECURE_BOOT_ENROLL_SIGNATURE #language en-US "Enroll Signature"
#string STR_SECURE_BOOT_DELETE_SIGNATURE #language en-US "Delete Signature" #string STR_SECURE_BOOT_DELETE_SIGNATURE #language en-US "Delete Signature"
@ -60,11 +56,11 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#string STR_FILE_EXPLORER_TITLE #language en-US "File Explorer" #string STR_FILE_EXPLORER_TITLE #language en-US "File Explorer"
#string STR_SECURE_BOOT_MODE_PROMPT #language en-US "Customize Secure Boot" #string STR_SECURE_BOOT_MODE_PROMPT #language en-US "Secure Boot Mode"
#string STR_SECURE_BOOT_MODE_HELP #language en-US "Customize Secure Boot: Standard/Customized. Secure Boot Policy variables can be configured without authentication in customized option" #string STR_SECURE_BOOT_MODE_HELP #language en-US "Secure Boot Mode: Custom Mode or Standard Mode"
#string STR_STANDARD_MODE #language en-US "Standard" #string STR_STANDARD_MODE #language en-US "Standard Mode"
#string STR_CUSTOM_MODE #language en-US "Customized" #string STR_CUSTOM_MODE #language en-US "Custom Mode"
#string STR_SECURE_BOOT_OPTION #language en-US "Custom Secure Boot Options" #string STR_SECURE_BOOT_OPTION #language en-US "Custom Secure Boot Options"
#string STR_SECURE_BOOT_OPTION_HELP #language en-US "Enter into Custom Secure Boot Options Form" #string STR_SECURE_BOOT_OPTION_HELP #language en-US "Enter into Custom Secure Boot Options Form"
@ -111,11 +107,3 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#string STR_CERT_TYPE_X509_SHA256_GUID #language en-US "X509_SHA256_GUID" #string STR_CERT_TYPE_X509_SHA256_GUID #language en-US "X509_SHA256_GUID"
#string STR_CERT_TYPE_X509_SHA384_GUID #language en-US "X509_SHA384_GUID" #string STR_CERT_TYPE_X509_SHA384_GUID #language en-US "X509_SHA384_GUID"
#string STR_CERT_TYPE_X509_SHA512_GUID #language en-US "X509_SHA512_GUID" #string STR_CERT_TYPE_X509_SHA512_GUID #language en-US "X509_SHA512_GUID"
#string STR_TRANS_SECURE_BOOT_MODE_PROMPT #language en-US "Secure Boot Mode Transition"
#string STR_TRANS_SECURE_BOOT_MODE_HELP #language en-US "Secure Boot Mode Transition: SetupMode/UserMode/AuditMode/DeployedMode"
#string STR_USER_MODE #language en-US "User Mode"
#string STR_SETUP_MODE #language en-US "Setup Mode"
#string STR_AUDIT_MODE #language en-US "Audit Mode"
#string STR_DEPLOYED_MODE #language en-US "Deployed Mode"