1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
|
From 6eb407947592e084110a124be089bef167af1383 Mon Sep 17 00:00:00 2001
From: kuqin <kuqin@microsoft.com>
Date: Fri, 15 Apr 2022 13:03:22 -0700
Subject: [PATCH] SecurityPkg: SecureBootVariableLib: Added newly supported
interfaces
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3911
This change updated the interfaces provided by SecureBootVariableLib.
The new additions provided interfaces to enroll single authenticated
variable from input, a helper function to query secure boot status,
enroll all secure boot variables from UefiSecureBoot.h defined data
structures, a as well as a routine that deletes all secure boot related
variables.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Signed-off-by: Kun Qin <kun.qin@microsoft.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Acked-by: Michael Kubacki <michael.kubacki@microsoft.com>
[ dannf: Context adjustments ]
Origin: https://github.com/tianocore/edk2/commit/6eb407947592e084110a124be089bef167af1383
Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=4641
Bug-Ubuntu: https://launchpad.net/bugs/2040137
Last-Update: 2024-02-13
@@ -26,4 +26,17 @@
OUT UINT8 *SetupMode
);
+/**
+ Helper function to quickly determine whether SecureBoot is enabled.
+
+ @retval TRUE SecureBoot is verifiably enabled.
+ @retval FALSE SecureBoot is either disabled or an error prevented checkng.
+
+**/
+BOOLEAN
+EFIAPI
+IsSecureBootEnabled (
+ VOID
+ );
+
#endif
@@ -51,3 +51,41 @@
return EFI_SUCCESS;
}
+
+/**
+ Helper function to quickly determine whether SecureBoot is enabled.
+
+ @retval TRUE SecureBoot is verifiably enabled.
+ @retval FALSE SecureBoot is either disabled or an error prevented checking.
+
+**/
+BOOLEAN
+EFIAPI
+IsSecureBootEnabled (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+ UINT8 *SecureBoot;
+
+ SecureBoot = NULL;
+
+ Status = GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOID **)&SecureBoot, NULL);
+ //
+ // Skip verification if SecureBoot variable doesn't exist.
+ //
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Cannot check SecureBoot variable %r \n ", Status));
+ return FALSE;
+ }
+
+ //
+ // Skip verification if SecureBoot is disabled but not AuditMode
+ //
+ if (*SecureBoot == SECURE_BOOT_MODE_DISABLE) {
+ FreePool (SecureBoot);
+ return FALSE;
+ } else {
+ return TRUE;
+ }
+}
|
