SecurityPkg/SecureBootConfigDxe: Keep SB state when resetting the keys

Reset Secure Boot Keys option should only touch the keys and nothing else. Keep the SecureBootEnable variable value from before selecting to reset the keys as re-enrolling PK would unconditionally enable Secure Boot. Signed-off-by: Michał Żygowski <[email protected]>
Dasharo · Jul 22, 2024 · f066733 · f066733
1 parent 9acbff3
commit f066733
Showing 1 changed file with 32 additions and 3 deletions.
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
@@ -4165,13 +4165,28 @@ LoadSignatureData (
 STATIC EFI_STATUS
 EFIAPI
 KeyEnrollReset (
-  VOID
+  IN SECUREBOOT_CONFIGURATION        *ConfigData
   )
 {
   EFI_STATUS  Status;
   UINT8       SetupMode;
+  BOOLEAN     SecureBootEnable;
+  UINTN       DataSize;
 
-  Status = EFI_SUCCESS;
+  DataSize = sizeof (SecureBootEnable);
+  Status = gRT->GetVariable(
+                EFI_SECURE_BOOT_ENABLE_NAME,
+                &gEfiSecureBootEnableDisableGuid,
+                NULL,
+                &DataSize,
+                &SecureBootEnable
+                );
+
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "Cannot read SecureBootEnable variable: %r\n", Status));
+    /* Get the state from the from data if we failed to read the variable */
+    SecureBootEnable = ConfigData->AttemptSecureBoot;
+  }
 
   Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
   if (EFI_ERROR(Status)) {
@@ -4258,6 +4273,20 @@ KeyEnrollReset (
     goto clearKEK;
   }
 
+  /* 
+   * If Secure Boot was disabled before resetting the keys, don't change its state.
+   * Enrolling PK would enable Secure Boot automatically.
+   */
+  if (SecureBootEnable == SECURE_BOOT_DISABLE) {
+    Status = SaveSecureBootVariable (SECURE_BOOT_DISABLE);
+    if (EFI_ERROR (Status)) {
+      DEBUG ((
+        DEBUG_ERROR,
+        "Cannot set Secure Boot state to SECURE_BOOT_DISABLE\n"
+        ));
+    }
+  }
+
   Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
   if (EFI_ERROR (Status)) {
     DEBUG ((DEBUG_ERROR, "Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
@@ -4969,7 +4998,7 @@ SecureBootCallback (
                            &UserSelection
                            );
       if (UserSelection == EfiHiiPopupSelectionYes) {
-        Status = KeyEnrollReset ();
+        Status = KeyEnrollReset (IfrNvData);
       }
       //
       // Update secure boot strings after key reset