/**
  SecureBoot Hook for SetVariable.

  Re-reads the variable that was just written and records it in the
  measurement log when it is one of the Secure Boot policy variables.
  Variables outside that set are ignored.

  @param[in] VariableName  Name of Variable to be found.
  @param[in] VendorGuid    Variable vendor GUID.
**/
VOID
EFIAPI
SecureBootHook (
  IN CHAR16    *VariableName,
  IN EFI_GUID  *VendorGuid
  )
{
  EFI_STATUS  Status;
  VOID        *Content;
  UINTN       ContentSize;

  //
  // Only the Secure Boot policy variables are measured.
  //
  if (!IsSecureBootPolicyVariable (VariableName, VendorGuid)) {
    return;
  }

  //
  // The Data/DataSize handed to SetVariable are not the variable content:
  // they may still carry the authentication header, be only the appended
  // portion, or describe a deletion. Read the stored value back instead.
  //
  Content     = NULL;
  ContentSize = 0;
  Status      = InternalGetVariable (VariableName, VendorGuid, &Content, &ContentSize);
  if (EFI_ERROR (Status)) {
    //
    // A variable that cannot be read (e.g. deleted) is measured as empty content.
    //
    Content     = NULL;
    ContentSize = 0;
  }

  Status = MeasureVariable (VariableName, VendorGuid, Content, ContentSize);
  DEBUG ((EFI_D_ERROR, "MeasureBootPolicyVariable - %r\n", Status));

  //
  // InternalGetVariable allocated the buffer; release it once measured.
  //
  if (Content != NULL) {
    FreePool (Content);
  }
}
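/**
  Re-measure the "SecureBoot" variable after a successful PK update.

  "SecureBoot" is 8bit & read-only; its value can only change as a result of a
  PK update, so it is re-read here and measured again when it differs from the
  cached copy in mSecureBootVarData.

  On return the cache (mSecureBootVarData / mSecureBootVarDataSize) holds the
  current value; a replaced cache buffer has been freed, and a re-read value
  that matched the cache has been freed as well.
**/
STATIC
VOID
RemeasureSecureBootOnPkUpdate (
  VOID
  )
{
  EFI_STATUS  Status;
  VOID        *VariableData;
  UINTN       VariableDataSize;

  Status = InternalGetVariable (
             EFI_SECURE_BOOT_MODE_NAME,
             &gEfiGlobalVariableGuid,
             &VariableData,
             &VariableDataSize
             );
  if (EFI_ERROR (Status)) {
    return;
  }

  //
  // If PK update is successful. "SecureBoot" shall always exist ever since variable write service is ready
  //
  ASSERT (mSecureBootVarData != NULL);

  //
  // Compare sizes before contents: CompareMem reads VariableDataSize bytes
  // from the cached buffer, so a size mismatch must count as "changed" rather
  // than be read past. A NULL cache (the ASSERT is compiled out in release
  // builds) is treated as changed as well instead of being dereferenced.
  //
  if ((mSecureBootVarData == NULL) ||
      (mSecureBootVarDataSize != VariableDataSize) ||
      (CompareMem (mSecureBootVarData, VariableData, VariableDataSize) != 0))
  {
    if (mSecureBootVarData != NULL) {
      FreePool (mSecureBootVarData);
    }

    mSecureBootVarData     = VariableData;
    mSecureBootVarDataSize = VariableDataSize;
    DEBUG ((DEBUG_INFO, "%s variable updated according to PK change. Remeasure the value!\n", EFI_SECURE_BOOT_MODE_NAME));
    Status = MeasureVariable (
               EFI_SECURE_BOOT_MODE_NAME,
               &gEfiGlobalVariableGuid,
               mSecureBootVarData,
               mSecureBootVarDataSize
               );
    DEBUG ((DEBUG_INFO, "MeasureBootPolicyVariable - %r\n", Status));
  } else {
    //
    // "SecureBoot" variable is not changed
    //
    FreePool (VariableData);
  }
}

/**
  SecureBoot Hook for SetVariable.

  Measures the Secure Boot policy variable that was just written. A deleted
  "dbt" is skipped; any other deleted policy variable is measured as empty
  content. When the written variable is PK, "SecureBoot" is re-measured if
  its value changed.

  @param[in] VariableName  Name of Variable to be found.
  @param[in] VendorGuid    Variable vendor GUID.
**/
VOID
EFIAPI
SecureBootHook (
  IN CHAR16    *VariableName,
  IN EFI_GUID  *VendorGuid
  )
{
  EFI_STATUS  Status;
  UINTN       VariableDataSize;
  VOID        *VariableData;

  if (!IsSecureBootPolicyVariable (VariableName, VendorGuid)) {
    return;
  }

  //
  // We should NOT use Data and DataSize here,because it may include signature,
  // or is just partial with append attributes, or is deleted.
  // We should GetVariable again, to get full variable content.
  //
  Status = InternalGetVariable (
             VariableName,
             VendorGuid,
             &VariableData,
             &VariableDataSize
             );
  if (EFI_ERROR (Status)) {
    //
    // Measure DBT only if present and not empty
    //
    if ((StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE2) == 0) &&
        CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid))
    {
      DEBUG ((DEBUG_INFO, "Skip measuring variable %s since it's deleted\n", EFI_IMAGE_SECURITY_DATABASE2));
      return;
    }

    //
    // Any other policy variable that cannot be read is measured as empty content.
    //
    VariableData     = NULL;
    VariableDataSize = 0;
  }

  Status = MeasureVariable (
             VariableName,
             VendorGuid,
             VariableData,
             VariableDataSize
             );
  DEBUG ((EFI_D_INFO, "MeasureBootPolicyVariable - %r\n", Status));

  //
  // InternalGetVariable allocated the buffer; release it once measured.
  //
  if (VariableData != NULL) {
    FreePool (VariableData);
  }

  //
  // "SecureBoot" is 8bit & read-only. It can only be changed according to PK update
  //
  if ((StrCmp (VariableName, EFI_PLATFORM_KEY_NAME) == 0) &&
      CompareGuid (VendorGuid, &gEfiGlobalVariableGuid))
  {
    RemeasureSecureBootOnPkUpdate ();
  }
}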