Skip to content

Commit

Permalink
SecurityPkg/SecureBootConfigDxe: require reset on all SB changes
Browse files Browse the repository at this point in the history 
Enrolling or removing any signature should require a reset to avoid
booting a system with some weird value of PCR-7.  The PCR is extended
on writes into SecureBoot-related variables (see SecureBootHook() in
SecurityPkg/DxeImageVerificationLib) and then right before booting (in
TcgDxe or Tcg2Dxe in OnReadyToBoot() handler), meaning that editing
SecureBoot configuration and continuing boot process without a reset
results in an unexpected value of PCR-7 even if the end result of
changes is the same as it would be without any changes.

Now reset is required in the following cases as well:
 * enrolling/deletion of a KEK signature
 * enrolling/deletion of a DB signature
 * enrolling/deletion of a DBX signature (one or all of them)
 * enrolling/deletion of a DBT signature

Addition cases are handled in VFR while deletion options are checkboxes
generated in C and that's where the flags get set (number of updated
places is fewer than number of handled cases because functions are
shared by menus).

Signed-off-by: Sergii Dmytruk <[email protected]>
  • Loading branch information
@SergiiDmytruk @miczyg1
SergiiDmytruk authored and miczyg1 committed Jun 14, 2024
1 parent a58f977 commit 9756808
Show file tree
Hide file tree
Showing 2 changed files with 7 additions and 7 deletions.
8 changes: 4 additions & 4 deletions SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
View file
Original file line number Diff line number Diff line change
Expand Up @@ -266,7 +266,7 @@ formset
goto FORMID_SECURE_BOOT_OPTION_FORM,
prompt = STRING_TOKEN(STR_SAVE_AND_EXIT),
help = STRING_TOKEN(STR_SAVE_AND_EXIT),
flags = INTERACTIVE,
flags = INTERACTIVE | RESET_REQUIRED,
key = KEY_VALUE_SAVE_AND_EXIT_KEK;

goto FORMID_SECURE_BOOT_OPTION_FORM,
Expand Down Expand Up @@ -470,7 +470,7 @@ formset
goto FORMID_SECURE_BOOT_OPTION_FORM,
prompt = STRING_TOKEN(STR_SAVE_AND_EXIT),
help = STRING_TOKEN(STR_SAVE_AND_EXIT),
flags = INTERACTIVE,
flags = INTERACTIVE | RESET_REQUIRED,
key = KEY_VALUE_SAVE_AND_EXIT_DB;

goto FORMID_SECURE_BOOT_OPTION_FORM,
Expand Down Expand Up @@ -564,7 +564,7 @@ formset
goto FORMID_SECURE_BOOT_OPTION_FORM,
prompt = STRING_TOKEN(STR_SAVE_AND_EXIT),
help = STRING_TOKEN(STR_SAVE_AND_EXIT),
flags = INTERACTIVE,
flags = INTERACTIVE | RESET_REQUIRED,
key = KEY_VALUE_SAVE_AND_EXIT_DBX;

goto FORMID_SECURE_BOOT_OPTION_FORM,
Expand Down Expand Up @@ -609,7 +609,7 @@ formset
goto FORMID_SECURE_BOOT_OPTION_FORM,
prompt = STRING_TOKEN(STR_SAVE_AND_EXIT),
help = STRING_TOKEN(STR_SAVE_AND_EXIT),
flags = INTERACTIVE,
flags = INTERACTIVE | RESET_REQUIRED,
key = KEY_VALUE_SAVE_AND_EXIT_DBT;

goto FORMID_SECURE_BOOT_OPTION_FORM,
Expand Down
6 changes: 3 additions & 3 deletions SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2514,7 +2514,7 @@ UpdateDeletePage (
0,
GuidID,
Help,
EFI_IFR_FLAG_CALLBACK,
EFI_IFR_FLAG_CALLBACK | EFI_IFR_FLAG_RESET_REQUIRED,
0,
NULL
);
Expand Down Expand Up @@ -3579,7 +3579,7 @@ LoadSignatureList (
DstFormId,
STRING_TOKEN (STR_SECURE_BOOT_DELETE_ALL_LIST),
STRING_TOKEN (STR_SECURE_BOOT_DELETE_ALL_LIST),
EFI_IFR_FLAG_CALLBACK,
EFI_IFR_FLAG_CALLBACK | EFI_IFR_FLAG_RESET_REQUIRED,
KEY_SECURE_BOOT_DELETE_ALL_LIST
);

Expand Down Expand Up @@ -3651,7 +3651,7 @@ LoadSignatureList (
SECUREBOOT_DELETE_SIGNATURE_DATA_FORM,
HiiSetString (PrivateData->HiiHandle, 0, NameBuffer, NULL),
HiiSetString (PrivateData->HiiHandle, 0, HelpBuffer, NULL),
EFI_IFR_FLAG_CALLBACK,
EFI_IFR_FLAG_CALLBACK | EFI_IFR_FLAG_RESET_REQUIRED,
QuestionIdBase + Index++
);

Expand Down

0 comments on commit 9756808

Please sign in to comment.