From df5a2b05f3a519a5466a0f420d80ca9a70fecba3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20=C5=BBygowski?=
Date: Thu, 11 Jul 2024 14:34:39 +0200
Subject: [PATCH] AuthVariableLib: Set SB to enabled during transition to USER_MODE
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Michał Żygowski
---
 SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
index 7d33bfce2c..54a2dda425 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
@@ -205,9 +205,13 @@ AuthVariableLibInitialize (
 }
 } else if (mPlatformMode == USER_MODE) {
 //
- // "SecureBootEnable" not exist, initialize it in USER_MODE.
+ // "SecureBootEnable" not exist, initialize it in USER_MODE. Can't use
+ // PcdSecureBootDefaultEnable here, because it will prevent enabling
+ // Secure Boot from OS when transitioning from SETUP_MODE to USER_MODE.
+ // PcdSecureBootDefaultEnable is used when settings are reset in UI and in
+ // the SecureBootDefaultKeysDxe where the default keys are being restored.
 //
- SecureBootEnable = FixedPcdGet8 (PcdSecureBootDefaultEnable);
+ SecureBootEnable = SECURE_BOOT_ENABLE;
 Status = AuthServiceInternalUpdateVariable (
 EFI_SECURE_BOOT_ENABLE_NAME,
 &gEfiSecureBootEnableDisableGuid,
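Review bot: The new comment above `SecureBootEnable = SECURE_BOOT_ENABLE;` justifies the hard-coded value only by the SETUP_MODE to USER_MODE transition, but as far as the hunk shows this branch runs on any initialization where the platform is in USER_MODE and "SecureBootEnable" does not exist. It therefore also decides the state when the variable is missing for any other reason while a PK is enrolled; enforcing there is the fail-closed choice and worth stating, e.g. `// Also the default whenever "SecureBootEnable" is missing in USER_MODE: enforce.` PcdSecureBootDefaultEnable is no longer consulted on this path, so a build that sets it to 0 will still come up enforcing after key enrollment, which the commit message (it has no body) should call out for platform owners. If this was the library's only use of the PCD, its INF entry may now be stale, which is not visible here. AuthVariableLibInitialize begins before the hunk and the AuthServiceInternalUpdateVariable call continues past it, so the handling of `Status` could not be reviewed.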