diff options
Diffstat (limited to 'OvmfPkg')
| -rw-r--r-- | OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c index 07297c631f..9c4a0f06fb 100644 --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c @@ -361,6 +361,9 @@ ShellAppMain ( EFI_STATUS Status;
SETTINGS Settings;
+ //
+ // If we're not in Setup Mode, we can't do anything.
+ //
Status = GetSettings (&Settings);
if (EFI_ERROR (Status)) {
return 1;
@@ -372,6 +375,10 @@ ShellAppMain ( return 1;
}
+ //
+ // Enter Custom Mode so we can enroll PK, KEK, db, and dbx without signature
+ // checks on those variable writes.
+ //
if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) {
Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE;
Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
@@ -385,6 +392,9 @@ ShellAppMain ( }
}
+ //
+ // Enroll db.
+ //
Status = EnrollListOfCerts (
EFI_IMAGE_SECURITY_DATABASE,
&gEfiImageSecurityDatabaseGuid,
@@ -396,6 +406,9 @@ ShellAppMain ( return 1;
}
+ //
+ // Enroll dbx.
+ //
Status = EnrollListOfCerts (
EFI_IMAGE_SECURITY_DATABASE1,
&gEfiImageSecurityDatabaseGuid,
@@ -406,6 +419,9 @@ ShellAppMain ( return 1;
}
+ //
+ // Enroll KEK.
+ //
Status = EnrollListOfCerts (
EFI_KEY_EXCHANGE_KEY_NAME,
&gEfiGlobalVariableGuid,
@@ -417,6 +433,9 @@ ShellAppMain ( return 1;
}
+ //
+ // Enroll PK, leaving Setup Mode (entering User Mode) at once.
+ //
Status = EnrollListOfCerts (
EFI_PLATFORM_KEY_NAME,
&gEfiGlobalVariableGuid,
@@ -427,6 +446,10 @@ ShellAppMain ( return 1;
}
+ //
+ // Leave Custom Mode, so that updates to PK, KEK, db, and dbx require valid
+ // signatures.
+ //
Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;
Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
@@ -437,6 +460,37 @@ ShellAppMain ( return 1;
}
+ //
+ // Final sanity check:
+ //
+ // [SetupMode]
+ // (read-only, standardized by UEFI)
+ // / \_
+ // 0 1, default
+ // / \_
+ // PK enrolled no PK enrolled yet,
+ // (this is called "User Mode") PK enrollment possible
+ // |
+ // |
+ // [SecureBootEnable]
+ // (read-write, edk2-specific, boot service only)
+ // / \_
+ // 0 1, default
+ // / \_
+ // [SecureBoot]=0 [SecureBoot]=1
+ // (read-only, standardized by UEFI) (read-only, standardized by UEFI)
+ // images are not verified images are verified, platform is
+ // operating in Secure Boot mode
+ // |
+ // |
+ // [CustomMode]
+ // (read-write, edk2-specific, boot service only)
+ // / \_
+ // 0, default 1
+ // / \_
+ // PK, KEK, db, dbx PK, KEK, db, dbx
+ // updates are verified updates are not verified
+ //
Status = GetSettings (&Settings);
if (EFI_ERROR (Status)) {
return 1;
|