SecurityPkg/VariableAuthenticated/SecureBootConfigDxe: Add SV Boot state

miczyg1 · miczyg1 · commit 568a0b88029b · 2025-06-27T14:16:57.000+02:00
Signed-off-by: Michał Żygowski &lt;michal.zygowski@3mdeb.com&gt;
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
@@ -83,6 +83,22 @@ formset
             flags  = INTERACTIVE | RESET_REQUIRED,
       endcheckbox;
 
+      // Hidden checkbox for provisioned state, to be used in callback
+      // whe nefautl settigns are restored.
+      suppressif TRUE;
+        checkbox varid = SECUREBOOT_CONFIGURATION.SvBootProvisioned,
+              questionid = KEY_SOVEREIGN_BOOT_PROVISIONED,
+              prompt = STRING_TOKEN(STR_SOVEREIGN_BOOT_PRIVISIONED_PROMPT),
+              help   = STRING_TOKEN(STR_SOVEREIGN_BOOT_PRIVISIONED_HELP),
+              flags  = INTERACTIVE | RESET_REQUIRED,
+        endcheckbox;
+      endif;
+
+      text
+        help   = STRING_TOKEN(STR_SOVEREIGN_BOOT_STATE_HELP),
+        text   = STRING_TOKEN(STR_SOVEREIGN_BOOT_STATE_PROMPT),
+          text   = STRING_TOKEN(STR_SOVEREIGN_BOOT_STATE_CONTENT);
+
       disableif ideqval SECUREBOOT_CONFIGURATION.SvBootEnable == 0;
         subtitle text = STRING_TOKEN(STR_NULL);
         //
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
@@ -59,6 +59,7 @@ HII_VENDOR_DEVICE_PATH  mSecureBootHiiVendorDevicePath = {
 };
 
 BOOLEAN  mIsEnterSecureBootForm = FALSE;
+BOOLEAN  mResetSvBootState = FALSE;
 
 //
 // OID ASN.1 Value for Hash Algorithms
@@ -301,7 +302,7 @@ SaveSecureBootVariable (
 /**
   Set Sovereign Boot configuration into variable space.
 
-  @param[in] SvBootEnable          The satte of Sovereign Boot.
+  @param[in] SvBootEnable          The state of Sovereign Boot.
 
   @retval    EFI_SUCCESS           The operation is finished successfully.
   @retval    Others                Other errors as indicated.
@@ -350,6 +351,53 @@ SaveSovereignBootVariable (
   return Status;
 }
 
+/**
+  Resets Sovereign Boot configuration and saves it into variable space.
+
+  @retval    EFI_SUCCESS           The operation is finished successfully.
+  @retval    Others                Other errors as indicated.
+
+**/
+EFI_STATUS
+ResetSovereignBootState (
+  SECUREBOOT_CONFIG_PRIVATE_DATA  *Private
+  )
+{
+  SOVEREIGN_BOOT_WIZARD_NV_CONFIG  SvBootConfig;
+  EFI_STATUS                       Status;
+  UINT32                           Attrs;
+  UINTN                            VarSize;
+
+  VarSize = sizeof(SOVEREIGN_BOOT_WIZARD_NV_CONFIG);
+
+  Status = gRT->GetVariable (
+                  SV_BOOT_CONFIG_VAR,
+                  &gSovereignBootWizardFormSetGuid,
+                  &Attrs,
+                  &VarSize,
+                  &SvBootConfig
+                  );
+
+  if (EFI_ERROR (Status) || 
+      Attrs != (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS) ||
+      VarSize != sizeof(SOVEREIGN_BOOT_WIZARD_NV_CONFIG)
+     ) {
+    SvBootConfig.SvBootEnabled = FixedPcdGetBool (PcdSovereignBootDefaultState);
+  }
+
+  SvBootConfig.SvBootProvisioned = FALSE;
+
+  Status = gRT->SetVariable (
+                  SV_BOOT_CONFIG_VAR,
+                  &gSovereignBootWizardFormSetGuid,
+                  EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+                  sizeof (SOVEREIGN_BOOT_WIZARD_NV_CONFIG),
+                  &SvBootConfig
+                  );
+
+  return Status;
+}
+
 /**
   This code checks if the encode type and key strength of X.509
   certificate is qualified.
@@ -3528,6 +3576,12 @@ SecureBootExtractConfigFromVariable (
         ConfigData->SvBootProvisioned = SvBootConfig->SvBootProvisioned;
         FreePool (SvBootConfig);
       }
+
+      HiiSetString (
+        Private->HiiHandle,
+        STRING_TOKEN (STR_SOVEREIGN_BOOT_STATE_CONTENT),
+        ConfigData->SvBootProvisioned ? L"Yes" : L"No",
+        NULL);
   }
 
   if (SecureBootEnable != NULL) {
@@ -4989,6 +5043,21 @@ SecureBootCallback (
     goto EXIT;
   }
 
+  if (Action == EFI_BROWSER_ACTION_SUBMITTED) {
+    Status = EFI_UNSUPPORTED;
+    if (QuestionId == KEY_SOVEREIGN_BOOT_PROVISIONED) {
+      Status = EFI_SUCCESS;
+      if (mResetSvBootState && !Value->b) {
+        Status = ResetSovereignBootState (Private);
+        if (GetBrowserDataResult) {
+          SecureBootExtractConfigFromVariable (Private, IfrNvData);
+        }
+        mResetSvBootState = FALSE;
+      }
+    }
+    goto EXIT;
+  }
+
   if ((Action != EFI_BROWSER_ACTION_CHANGED) &&
       (Action != EFI_BROWSER_ACTION_CHANGING) &&
       (Action != EFI_BROWSER_ACTION_FORM_CLOSE) &&
@@ -5589,12 +5658,19 @@ SecureBootCallback (
         // If disabling, we need to restore Secure Boot keys
         if (!Value->b) {
           Status = KeyEnrollReset ();
-
+          if (EFI_ERROR (Status)) {
+            break;
+          }
+          // Reset the Sovereign Boot provisioning state
+          Status = ResetSovereignBootState (Private);
+          if (EFI_ERROR (Status)) {
+            break;
+          }
           //
           // Update secure boot strings after key reset
           //
-          if (Status == EFI_SUCCESS) {
-            Status = UpdateSecureBootString (Private);
+          Status = UpdateSecureBootString (Private);
+          if (GetBrowserDataResult) {
             SecureBootExtractConfigFromVariable (Private, IfrNvData);
           }
         }
@@ -5647,6 +5723,13 @@ SecureBootCallback (
       }
       break;
     }
+    case KEY_SOVEREIGN_BOOT_PROVISIONED:
+    {
+      Status = EFI_SUCCESS;
+      Value->b = FALSE;
+      mResetSvBootState = TRUE;
+      break;
+    }
     default:
       break;
     }
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h
@@ -77,6 +77,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 
 #define KEY_SOVEREIGN_BOOT_ENABLE           0x1120
 #define KEY_LAUNCH_SOVEREIGN_BOOT_WIZARD    0x1121
+#define KEY_SOVEREIGN_BOOT_PROVISIONED      0x1122
 
 #define LABEL_KEK_DELETE              0x1200
 #define LABEL_DB_DELETE               0x1201
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
@@ -168,3 +168,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 
 #string STR_LAUNCH_SOVEREIGN_BOOT_WIZARD_HELP     #language en-US "Manually invoke Sovereign Boot Wizard to modify/augment the Sovereign Boot settings."
 #string STR_LAUNCH_SOVEREIGN_BOOT_WIZARD_PROMPT   #language en-US "> Launch Sovereign Boot Wizard"
+
+#string STR_SOVEREIGN_BOOT_PRIVISIONED_HELP       #language en-US "Sovereign Boot provisioning state"
+#string STR_SOVEREIGN_BOOT_PRIVISIONED_PROMPT     #language en-US "Sovereign Boot Provisioned"
+
+#string STR_SOVEREIGN_BOOT_STATE_HELP             #language en-US "Sovereign Boot provisioning state"
+#string STR_SOVEREIGN_BOOT_STATE_PROMPT           #language en-US "Sovereign Boot Provisioned"
+#string STR_SOVEREIGN_BOOT_STATE_CONTENT          #language en-US "Unknown"
