OcBootManagementLib: Implement 11.0 recovery compatibility

e5a85b17 · vit9696 · 47a341f8 · e5a85b17 · e5a85b17 · e5a85b17
4 changed file
--- a/Include/Acidanthera/Library/OcAppleSecureBootLib.h
+++ b/Include/Acidanthera/Library/OcAppleSecureBootLib.h
@@ -47,4 +47,26 @@ OcAppleSecureBootInstallProtocol (
  IN BOOLEAN  SbWinPolicyValid
  );

+/**
+  Report DMG loading to Apple Secure Boot protocol.
+
+  @param[in]  LoadingDmg  TRUE after loading DMG.
+
+  @retval EFI_SUCCESS on success.
+**/
+EFI_STATUS
+OcAppleSecureBootSetDmgLoading (
+  IN BOOLEAN  LoadingDmg
+  );
+
+/**
+  Get DMG loading status on Apple Secure Boot protocol.
+
+  @retval TRUE when loading DMG.
+**/
+BOOLEAN
+OcAppleSecureBootGetDmgLoading (
+  VOID
+  );
+
 #endif // OC_APPLE_SECURE_BOOT_LIB_H
--- a/Library/OcAppleSecureBootLib/OcAppleSecureBootLib.c
+++ b/Library/OcAppleSecureBootLib/OcAppleSecureBootLib.c
@@ -33,6 +33,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #include <Library/UefiBootServicesTableLib.h>
 #include <Library/UefiRuntimeServicesTableLib.h>

+STATIC BOOLEAN mDmgLoading = FALSE;
 STATIC BOOLEAN mSbAvailable = TRUE;

 STATIC UINT8   mSbPolicy             = AppleImg4SbModeMedium;
@@ -1039,3 +1040,39 @@ OcAppleSecureBootInstallProtocol (

  return &SecureBoot;
 }
+
+EFI_STATUS
+OcAppleSecureBootSetDmgLoading (
+  IN BOOLEAN  LoadingDmg
+  )
+{
+  EFI_STATUS                  Status;
+  APPLE_SECURE_BOOT_PROTOCOL  *SecureBoot;
+
+  Status = gBS->LocateProtocol (
+    &gAppleSecureBootProtocolGuid,
+    NULL,
+    (VOID **)&SecureBoot
+    );
+  if (!EFI_ERROR (Status)) {
+    mDmgLoading = LoadingDmg;
+
+    if (LoadingDmg) {
+      DEBUG ((DEBUG_INFO, "OCB: Disabling secure boot for Apple images\n"));
+      SecureBoot->SetAvailability (SecureBoot, FALSE);
+    } else {
+      DEBUG ((DEBUG_INFO, "OCB: Reenabling secure boot after Apple images\n"));
+      SecureBoot->SetAvailability (SecureBoot, FALSE);
+    }
+  }
+
+  return Status;
+}
+
+BOOLEAN
+OcAppleSecureBootGetDmgLoading (
+  VOID
+  )
+{
+  return mDmgLoading;
+}
--- a/Library/OcBootManagementLib/DmgBootSupport.c
+++ b/Library/OcBootManagementLib/DmgBootSupport.c
@@ -16,6 +16,7 @@

 #include <Guid/FileInfo.h>

+#include <Library/OcAppleSecureBootLib.h>
 #include <Library/BaseMemoryLib.h>
 #include <Library/DebugLib.h>
 #include <Library/DevicePathLib.h>
@@ -473,7 +474,13 @@ InternalLoadDmg (
              );
  Context->DevicePath = DevPath;

-  if (DevPath == NULL) {
+  if (DevPath != NULL) {
+    //
+    // If we succeeded, we need to disable Apple Secure Boot, as DMG images
+    // are currently only verified with the chunklist.
+    //
+    OcAppleSecureBootSetDmgLoading (TRUE);
+  } else {
    DEBUG ((DEBUG_INFO, "OCB: Failed to retrieve boot file from DMG\n"));

    OcAppleDiskImageFreeFile (Context->DmgContext);
@@ -501,5 +508,10 @@ InternalUnloadDmg (
    OcAppleDiskImageFreeContext (DmgLoadContext->DmgContext);
    FreePool (DmgLoadContext->DmgContext);
    DmgLoadContext->DevicePath = NULL;
+    //
+    // This code should never execute, as with Apple Secure Boot
+    // it should always reboot on failure, but just in case.
+    //
+    OcAppleSecureBootSetDmgLoading (FALSE);
  }
 }
--- a/Library/OcBootManagementLib/OcBootManagementLib.inf
+++ b/Library/OcBootManagementLib/OcBootManagementLib.inf
@@ -102,6 +102,7 @@
  OcAppleDiskImageLib
  OcAppleKeyMapLib
  OcAppleKeysLib
+  OcAppleSecureBootLib
  OcConsoleLib
  OcCryptoLib
  OcDevicePathLib