SecurityPkg/SecureBootConfigDxe: Keep SB state when resetting the keys

Signed-off-by: Michał Żygowski <[email protected]>
Dasharo · Jul 19, 2024 · 3b03021 · 3b03021
1 parent df5a2b0
commit 3b03021
Showing 1 changed file with 32 additions and 3 deletions.
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
@@ -4165,13 +4165,28 @@ LoadSignatureData (
 STATIC EFI_STATUS
 EFIAPI
 KeyEnrollReset (
-  VOID
+  IN SECUREBOOT_CONFIGURATION        *ConfigData
   )
 {
   EFI_STATUS  Status;
   UINT8       SetupMode;
+  BOOLEAN     SecureBootEnable;
+  UINTN       DataSize;
 
-  Status = EFI_SUCCESS;
+  DataSize = sizeof (SecureBootEnable);
+  Status = gRT->GetVariable(
+                EFI_SECURE_BOOT_ENABLE_NAME,
+                &gEfiSecureBootEnableDisableGuid,
+                NULL,
+                &DataSize,
+                &SecureBootEnable
+                );
+
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "Cannot read SecureBootEnable variable: %r\n", Status));
+    /* Get the state from the from data if we failed to read the variable */
+    SecureBootEnable = ConfigData->AttemptSecureBoot;
+  }
 
   Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
   if (EFI_ERROR(Status)) {
@@ -4258,6 +4273,20 @@ KeyEnrollReset (
     goto clearKEK;
   }
 
+  /* 
+   * If Secure Boot was disabled before resetting the keys, don't change its state.
+   * Enrolling PK would enable Secure Boot automatically.
+   */
+  if (SecureBootEnable == SECURE_BOOT_DISABLE) {
+    Status = SetSecureBootState (SECURE_BOOT_DISABLE);
+    if (EFI_ERROR (Status)) {
+      DEBUG ((
+        DEBUG_ERROR,
+        "Cannot set Secure Boot state to SECURE_BOOT_DISABLE\n"
+        ));
+    }
+  }
+
   Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
   if (EFI_ERROR (Status)) {
     DEBUG ((DEBUG_ERROR, "Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
@@ -4969,7 +4998,7 @@ SecureBootCallback (
                            &UserSelection
                            );
       if (UserSelection == EfiHiiPopupSelectionYes) {
-        Status = KeyEnrollReset ();
+        Status = KeyEnrollReset (IfrNvData);
       }
       //
       // Update secure boot strings after key reset