OcBootManagementLib: Add DisableFirmwareRuntime option for Tools

fa747706 · MikeBeaton · a76b33c2 · fa747706 · fa747706 · fa747706
20 changed file
--- a/Changelog.md
+++ b/Changelog.md
@@ -2,6 +2,7 @@ OpenCore Changelog
 ==================
 #### v0.8.4
 - Added checks for `Driver` -> `LoadEarly` in ocvalidate
+- Added `DisableFirmwareRuntime` option for tools which require direct access to NVRAM

 #### v0.8.3
 - Added ext4 file system driver

--- a/Docs/Configuration.md5
+++ b/Docs/Configuration.md5
-44ccd71c1f33cde671307f4962c1bd32
+c3619a5b385da0893c36bc955aa9d37a
--- a/Docs/Configuration.pdf
+++ b/Docs/Configuration.pdf
--- a/Docs/Configuration.tex
+++ b/Docs/Configuration.tex
@@ -4646,6 +4646,21 @@ rm vault.pub
  \textbf{Description}: Arbitrary ASCII string used to provide a human readable
  reference for the entry. Whether this value is used is implementation defined.

+\item
+  \texttt{DisableFirmwareRuntime}\\
+  \textbf{Type}: \texttt{plist\ boolean}\\
+  \textbf{Failsafe}: \texttt{false}\\
+  \textbf{Description}: Disable firmware runtime during usage of a tool.
+
+  This disables all of the firmware runtime protections provided by
+  \texttt{OpenRuntime.efi} during the time a tool is in use. It should
+  normally be avoided, but may be required for instance if a tool needs
+  to access NVRAM directly without the redirections put in place by
+  \texttt{RequestBootVarRouting}.
+
+  \emph{Note}: This option is only valid for \texttt{Tools} and cannot be
+  specified for \texttt{Entries} (is always \texttt{false}).
+
 \item
  \texttt{Enabled}\\
  \textbf{Type}: \texttt{plist\ boolean}\\
@@ -4694,7 +4709,7 @@ rm vault.pub
  \texttt{memtest86} (for logging and configuration), or \texttt{Shell} (for
  automatic script execution).

-  \emph{Note}: This property is only valid for \texttt{Tools} and cannot be
+  \emph{Note}: This option is only valid for \texttt{Tools} and cannot be
  specified for \texttt{Entries} (is always \texttt{true}).

 \item

--- a/Docs/Differences/Differences.pdf
+++ b/Docs/Differences/Differences.pdf
--- a/Docs/Differences/Differences.tex
+++ b/Docs/Differences/Differences.tex
 \documentclass[]{article}
 %DIF LATEXDIFF DIFFERENCE FILE
-%DIF DEL PreviousConfiguration.tex   Wed Aug  3 18:04:30 2022
-%DIF ADD ../Configuration.tex        Wed Aug  3 18:04:41 2022
+%DIF DEL PreviousConfiguration.tex   Tue Aug  2 07:37:43 2022
+%DIF ADD ../Configuration.tex        Thu Aug  4 22:26:32 2022

 \usepackage{lmodern}
 \usepackage{amssymb,amsmath}
@@ -4707,7 +4707,25 @@ rm vault.pub
  reference for the entry. Whether this value is used is implementation defined.

 \item
-  \texttt{Enabled}\\
+  \DIFaddbegin \texttt{\DIFadd{DisableFirmwareRuntime}}\\
+  \textbf{\DIFadd{Type}}\DIFadd{: }\texttt{\DIFadd{plist\ boolean}}\\
+  \textbf{\DIFadd{Failsafe}}\DIFadd{: }\texttt{\DIFadd{false}}\\
+  \textbf{\DIFadd{Description}}\DIFadd{: Disable firmware runtime during usage of a tool.
+}
+
+  \DIFadd{This disables all of the firmware runtime protections provided by
+  }\texttt{\DIFadd{OpenRuntime.efi}} \DIFadd{during the time a tool is in use. It should
+  normally be avoided, but may be required for instance if a tool needs
+  to access NVRAM directly without the redirections put in place by
+  }\texttt{\DIFadd{RequestBootVarRouting}}\DIFadd{.
+}
+
+  \emph{\DIFadd{Note}}\DIFadd{: This option is only valid for }\texttt{\DIFadd{Tools}} \DIFadd{and cannot be
+  specified for }\texttt{\DIFadd{Entries}} \DIFadd{(is always }\texttt{\DIFadd{false}}\DIFadd{).
+}
+
+\item
+  \DIFaddend \texttt{Enabled}\\
  \textbf{Type}: \texttt{plist\ boolean}\\
  \textbf{Failsafe}: \texttt{false}\\
  \textbf{Description}: Set to \texttt{true} activate this entry.
@@ -4754,7 +4772,7 @@ rm vault.pub
  \texttt{memtest86} (for logging and configuration), or \texttt{Shell} (for
  automatic script execution).

-  \emph{Note}: This property is only valid for \texttt{Tools} and cannot be
+  \emph{Note}: This \DIFdelbegin \DIFdel{property }\DIFdelend \DIFaddbegin \DIFadd{option }\DIFaddend is only valid for \texttt{Tools} and cannot be
  specified for \texttt{Entries} (is always \texttt{true}).

 \item

--- a/Docs/Errata/Errata.pdf
+++ b/Docs/Errata/Errata.pdf
--- a/Docs/Sample.plist
+++ b/Docs/Sample.plist
@@ -1168,6 +1168,8 @@
 				<true/>
 				<key>Comment</key>
 				<string>Not signed for security reasons</string>
+				<key>DisableFirmwareRuntime</key>
+				<false/>
 				<key>Enabled</key>
 				<false/>
 				<key>Flavour</key>
@@ -1188,6 +1190,8 @@
 				<true/>
 				<key>Comment</key>
 				<string>Memory testing utility</string>
+				<key>DisableFirmwareRuntime</key>
+				<false/>
 				<key>Enabled</key>
 				<false/>
 				<key>Flavour</key>
@@ -1208,6 +1212,8 @@
 				<true/>
 				<key>Comment</key>
 				<string>Perform shutdown</string>
+				<key>DisableFirmwareRuntime</key>
+				<false/>
 				<key>Enabled</key>
 				<false/>
 				<key>Flavour</key>

--- a/Docs/SampleCustom.plist
+++ b/Docs/SampleCustom.plist
@@ -1195,6 +1195,8 @@
 				<true/>
 				<key>Comment</key>
 				<string>Not signed for security reasons</string>
+				<key>DisableFirmwareRuntime</key>
+				<false/>
 				<key>Enabled</key>
 				<false/>
 				<key>Flavour</key>
@@ -1215,6 +1217,8 @@
 				<true/>
 				<key>Comment</key>
 				<string>Memory testing utility</string>
+				<key>DisableFirmwareRuntime</key>
+				<false/>
 				<key>Enabled</key>
 				<false/>
 				<key>Flavour</key>
@@ -1235,6 +1239,8 @@
 				<true/>
 				<key>Comment</key>
 				<string>Perform shutdown</string>
+				<key>DisableFirmwareRuntime</key>
+				<false/>
 				<key>Enabled</key>
 				<false/>
 				<key>Flavour</key>

--- a/Include/Acidanthera/Library/OcBootManagementLib.h
+++ b/Include/Acidanthera/Library/OcBootManagementLib.h
@@ -261,6 +261,10 @@ typedef struct OC_BOOT_ENTRY_ {
  //
  BOOLEAN                     ExposeDevicePath;
  //
+  // Should disable firmware runtime (when installed) around invocation of tool.
+  //
+  BOOLEAN                     DisableFirmwareRuntime;
+  //
  // Partition UUID of entry device.
  // Set for non-system action boot entry protocol boot entries only.
  //
@@ -575,6 +579,10 @@ typedef struct {
  //
  BOOLEAN                  RealPath;
  //
+  // Whether we should disable firmware runtime (if installed) around call to Tool.
+  //
+  BOOLEAN                  DisableFirmwareRuntime;
+  //
  // System action. Boot Entry Protocol only. Optional.
  //
  OC_BOOT_SYSTEM_ACTION    SystemAction;

--- a/Include/Acidanthera/Library/OcConfigurationLib.h
+++ b/Include/Acidanthera/Library/OcConfigurationLib.h
@@ -390,15 +390,16 @@ typedef enum {
 OC_DECLARE (OC_MISC_SECURITY)

 #define OC_MISC_TOOLS_ENTRY_FIELDS(_, __) \
-  _(OC_STRING                   , Arguments        ,     , OC_STRING_CONSTR ("", _, __), OC_DESTR (OC_STRING) ) \
-  _(OC_STRING                   , Comment          ,     , OC_STRING_CONSTR ("", _, __), OC_DESTR (OC_STRING) ) \
-  _(OC_STRING                   , Flavour          ,     , OC_STRING_CONSTR ("Auto", _, __), OC_DESTR (OC_STRING) ) \
-  _(BOOLEAN                     , Auxiliary        ,     , FALSE                       , ()                   ) \
-  _(BOOLEAN                     , Enabled          ,     , FALSE                       , ()                   ) \
-  _(BOOLEAN                     , RealPath         ,     , FALSE                       , ()                   ) \
-  _(BOOLEAN                     , TextMode         ,     , FALSE                       , ()                   ) \
-  _(OC_STRING                   , Name             ,     , OC_STRING_CONSTR ("", _, __), OC_DESTR (OC_STRING) ) \
-  _(OC_STRING                   , Path             ,     , OC_STRING_CONSTR ("", _, __), OC_DESTR (OC_STRING) )
+  _(OC_STRING                   , Arguments               ,     , OC_STRING_CONSTR ("", _, __), OC_DESTR (OC_STRING) ) \
+  _(OC_STRING                   , Comment                 ,     , OC_STRING_CONSTR ("", _, __), OC_DESTR (OC_STRING) ) \
+  _(OC_STRING                   , Flavour                 ,     , OC_STRING_CONSTR ("Auto", _, __), OC_DESTR (OC_STRING) ) \
+  _(BOOLEAN                     , Auxiliary               ,     , FALSE                       , ()                   ) \
+  _(BOOLEAN                     , DisableFirmwareRuntime  ,     , FALSE                       , ()                   ) \
+  _(BOOLEAN                     , Enabled                 ,     , FALSE                       , ()                   ) \
+  _(BOOLEAN                     , RealPath                ,     , FALSE                       , ()                   ) \
+  _(BOOLEAN                     , TextMode                ,     , FALSE                       , ()                   ) \
+  _(OC_STRING                   , Name                    ,     , OC_STRING_CONSTR ("", _, __), OC_DESTR (OC_STRING) ) \
+  _(OC_STRING                   , Path                    ,     , OC_STRING_CONSTR ("", _, __), OC_DESTR (OC_STRING) )
 OC_DECLARE (OC_MISC_TOOLS_ENTRY)

 #define OC_MISC_TOOLS_ARRAY_FIELDS(_, __) \

--- a/Include/Acidanthera/Library/OcVariableLib.h
+++ b/Include/Acidanthera/Library/OcVariableLib.h
@@ -11,6 +11,7 @@
 #include <Uefi.h>
 #include <Library/OcConfigurationLib.h>
 #include <Library/OcStorageLib.h>
+#include <Protocol/OcFirmwareRuntime.h>

 #define OPEN_CORE_NVRAM_ROOT_PATH  L"NVRAM"

@@ -167,6 +168,33 @@ OcResetNvram (
  IN     BOOLEAN  PreserveBoot
  );

+/**
+  When compatible protocol is found, disable firmware runtime then return
+  protocol for subsequent restore, else return NULL.
+  Always call OcRestoreFirmwareRuntime to restore firmware runtime operation
+  (if it was previously present) before booting anything, after disabling with
+  this call.
+
+  @retval     Compatible protocol if found and firmware runtime was disabled,
+              NULL otherwise.
+**/
+OC_FIRMWARE_RUNTIME_PROTOCOL *
+OcDisableFirmwareRuntime (
+  VOID
+  );
+
+/**
+  Restore firmware runtime if it was disabled by a previous call to OcDisableFirmwareRuntime.
+  Noop if FwRuntime is NULL.
+
+  @param[in]     FwRuntime          Firmware runtime protocol or NULL, from previous call to
+                                    OcDisableFirmwareRuntime.
+**/
+VOID
+OcRestoreFirmwareRuntime (
+  IN OC_FIRMWARE_RUNTIME_PROTOCOL  *FwRuntime
+  );
+
 /**
  Perform NVRAM UEFI variable deletion.
 **/

--- a/Include/Acidanthera/Protocol/OcBootEntry.h
+++ b/Include/Acidanthera/Protocol/OcBootEntry.h
@@ -24,11 +24,11 @@
 /**
  Currently supported OC_BOOT_ENTRY_PROTOCOL protocol revision.
  Needs to be changed every time the contract changes, including when
-  passed-in structures OC_PICKER_ENTRY and OC_PICKER_ENTRY change.
+  passed-in structures OC_PICKER_CONTEXT and OC_PICKER_ENTRY change.

  WARNING: This protocol is currently undergoing active design.
 **/
-#define OC_BOOT_ENTRY_PROTOCOL_REVISION  2
+#define OC_BOOT_ENTRY_PROTOCOL_REVISION  3

 /**
  Forward declaration of OC_BOOT_ENTRY_PROTOCOL structure.

--- a/Include/Acidanthera/Protocol/OcInterface.h
+++ b/Include/Acidanthera/Protocol/OcInterface.h
@@ -24,7 +24,7 @@

  WARNING: This protocol is currently undergoing active design.
 **/
-#define OC_INTERFACE_REVISION  7
+#define OC_INTERFACE_REVISION  8

 /**
  The GUID of the OC_INTERFACE_PROTOCOL.

--- a/Library/OcBootManagementLib/BootEntryManagement.c
+++ b/Library/OcBootManagementLib/BootEntryManagement.c
@@ -768,8 +768,9 @@ InternalAddBootEntryFromCustomEntry (
    }
  }

-  BootEntry->LaunchInText     = CustomEntry->TextMode;
-  BootEntry->ExposeDevicePath = CustomEntry->RealPath;
+  BootEntry->LaunchInText           = CustomEntry->TextMode;
+  BootEntry->ExposeDevicePath       = CustomEntry->RealPath;
+  BootEntry->DisableFirmwareRuntime = CustomEntry->DisableFirmwareRuntime;

  if (BootEntry->SystemAction != NULL) {
    ASSERT (CustomEntry->Arguments == NULL);

--- a/Library/OcBootManagementLib/DefaultEntryChoice.c
+++ b/Library/OcBootManagementLib/DefaultEntryChoice.c
@@ -1466,22 +1466,8 @@ OcRegisterBootstrapBootOption (
 {
  EFI_STATUS                    Status;
  OC_FIRMWARE_RUNTIME_PROTOCOL  *FwRuntime;
-  OC_FWRT_CONFIG                Config;

-  Status = gBS->LocateProtocol (
-                  &gOcFirmwareRuntimeProtocolGuid,
-                  NULL,
-                  (VOID **)&FwRuntime
-                  );
-
-  if (!EFI_ERROR (Status) && (FwRuntime->Revision == OC_FIRMWARE_RUNTIME_REVISION)) {
-    ZeroMem (&Config, sizeof (Config));
-    FwRuntime->SetOverride (&Config);
-    DEBUG ((DEBUG_INFO, "OCB: Found FW NVRAM, full access %d\n", Config.BootVariableRedirect));
-  } else {
-    FwRuntime = NULL;
-    DEBUG ((DEBUG_INFO, "OCB: Missing FW NVRAM, going on...\n"));
-  }
+  FwRuntime = OcDisableFirmwareRuntime ();

  Status = InternalRegisterBootstrapBootOption (
             OptionName,
@@ -1492,10 +1478,7 @@ OcRegisterBootstrapBootOption (
             MatchSuffixLen
             );

-  if (FwRuntime != NULL) {
-    DEBUG ((DEBUG_INFO, "OCB: Restoring FW NVRAM...\n"));
-    FwRuntime->SetOverride (NULL);
-  }
+  OcRestoreFirmwareRuntime (FwRuntime);

  return Status;
 }

--- a/Library/OcBootManagementLib/OcBootManagementLib.c
+++ b/Library/OcBootManagementLib/OcBootManagementLib.c
@@ -35,6 +35,7 @@
 #include <Library/OcMiscLib.h>
 #include <Library/OcRtcLib.h>
 #include <Library/OcStringLib.h>
+#include <Library/OcVariableLib.h>
 #include <Library/PrintLib.h>
 #include <Library/UefiBootServicesTableLib.h>
 #include <Library/UefiRuntimeServicesTableLib.h>
@@ -178,6 +179,7 @@ OcRunBootPicker (
  OC_BOOT_CONTEXT                    *BootContext;
  OC_BOOT_ENTRY                      *Chosen;
  BOOLEAN                            SaidWelcome;
+  OC_FIRMWARE_RUNTIME_PROTOCOL       *FwRuntime;

  SaidWelcome = FALSE;

@@ -351,12 +353,16 @@ OcRunBootPicker (
        }
      }

+      FwRuntime = Chosen->DisableFirmwareRuntime ? OcDisableFirmwareRuntime () : NULL;
+
      Status = OcLoadBootEntry (
                 Context,
                 Chosen,
                 gImageHandle
                 );

+      OcRestoreFirmwareRuntime (FwRuntime);
+
      //
      // Do not wait on successful return code.
      //

--- a/Library/OcConfigurationLib/OcConfigurationLib.c
+++ b/Library/OcConfigurationLib/OcConfigurationLib.c
@@ -496,15 +496,16 @@ OC_SCHEMA
 STATIC
 OC_SCHEMA
  mMiscToolsSchemaEntry[] = {
-  OC_SCHEMA_STRING_IN ("Arguments",  OC_MISC_TOOLS_ENTRY, Arguments),
-  OC_SCHEMA_BOOLEAN_IN ("Auxiliary", OC_MISC_TOOLS_ENTRY, Auxiliary),
-  OC_SCHEMA_STRING_IN ("Comment",    OC_MISC_TOOLS_ENTRY, Comment),
-  OC_SCHEMA_BOOLEAN_IN ("Enabled",   OC_MISC_TOOLS_ENTRY, Enabled),
-  OC_SCHEMA_STRING_IN ("Flavour",    OC_MISC_TOOLS_ENTRY, Flavour),
-  OC_SCHEMA_STRING_IN ("Name",       OC_MISC_TOOLS_ENTRY, Name),
-  OC_SCHEMA_STRING_IN ("Path",       OC_MISC_TOOLS_ENTRY, Path),
-  OC_SCHEMA_BOOLEAN_IN ("RealPath",  OC_MISC_TOOLS_ENTRY, RealPath),
-  OC_SCHEMA_BOOLEAN_IN ("TextMode",  OC_MISC_TOOLS_ENTRY, TextMode),
+  OC_SCHEMA_STRING_IN ("Arguments",               OC_MISC_TOOLS_ENTRY, Arguments),
+  OC_SCHEMA_BOOLEAN_IN ("Auxiliary",              OC_MISC_TOOLS_ENTRY, Auxiliary),
+  OC_SCHEMA_STRING_IN ("Comment",                 OC_MISC_TOOLS_ENTRY, Comment),
+  OC_SCHEMA_BOOLEAN_IN ("DisableFirmwareRuntime", OC_MISC_TOOLS_ENTRY, DisableFirmwareRuntime),
+  OC_SCHEMA_BOOLEAN_IN ("Enabled",                OC_MISC_TOOLS_ENTRY, Enabled),
+  OC_SCHEMA_STRING_IN ("Flavour",                 OC_MISC_TOOLS_ENTRY, Flavour),
+  OC_SCHEMA_STRING_IN ("Name",                    OC_MISC_TOOLS_ENTRY, Name),
+  OC_SCHEMA_STRING_IN ("Path",                    OC_MISC_TOOLS_ENTRY, Path),
+  OC_SCHEMA_BOOLEAN_IN ("RealPath",               OC_MISC_TOOLS_ENTRY, RealPath),
+  OC_SCHEMA_BOOLEAN_IN ("TextMode",               OC_MISC_TOOLS_ENTRY, TextMode),
 };

 STATIC

--- a/Library/OcMainLib/OpenCoreMisc.c
+++ b/Library/OcMainLib/OpenCoreMisc.c
@@ -938,14 +938,15 @@ OcMiscBoot (

  for (Index = 0, EntryIndex = 0; Index < Config->Misc.Entries.Count; ++Index) {
    if (Config->Misc.Entries.Values[Index]->Enabled) {
-      Context->CustomEntries[EntryIndex].Name      = OC_BLOB_GET (&Config->Misc.Entries.Values[Index]->Name);
-      Context->CustomEntries[EntryIndex].Path      = OC_BLOB_GET (&Config->Misc.Entries.Values[Index]->Path);
-      Context->CustomEntries[EntryIndex].Arguments = OC_BLOB_GET (&Config->Misc.Entries.Values[Index]->Arguments);
-      Context->CustomEntries[EntryIndex].Flavour   = OC_BLOB_GET (&Config->Misc.Entries.Values[Index]->Flavour);
-      Context->CustomEntries[EntryIndex].Auxiliary = Config->Misc.Entries.Values[Index]->Auxiliary;
-      Context->CustomEntries[EntryIndex].Tool      = FALSE;
-      Context->CustomEntries[EntryIndex].TextMode  = Config->Misc.Entries.Values[Index]->TextMode;
-      Context->CustomEntries[EntryIndex].RealPath  = TRUE; ///< Always true for entries
+      Context->CustomEntries[EntryIndex].Name                   = OC_BLOB_GET (&Config->Misc.Entries.Values[Index]->Name);
+      Context->CustomEntries[EntryIndex].Path                   = OC_BLOB_GET (&Config->Misc.Entries.Values[Index]->Path);
+      Context->CustomEntries[EntryIndex].Arguments              = OC_BLOB_GET (&Config->Misc.Entries.Values[Index]->Arguments);
+      Context->CustomEntries[EntryIndex].Flavour                = OC_BLOB_GET (&Config->Misc.Entries.Values[Index]->Flavour);
+      Context->CustomEntries[EntryIndex].Auxiliary              = Config->Misc.Entries.Values[Index]->Auxiliary;
+      Context->CustomEntries[EntryIndex].Tool                   = FALSE;
+      Context->CustomEntries[EntryIndex].TextMode               = Config->Misc.Entries.Values[Index]->TextMode;
+      Context->CustomEntries[EntryIndex].RealPath               = TRUE;  ///< Always true for entries
+      Context->CustomEntries[EntryIndex].DisableFirmwareRuntime = FALSE;
      ++EntryIndex;
    }
  }
@@ -957,14 +958,15 @@ OcMiscBoot (
  //
  for (Index = 0; Index < Config->Misc.Tools.Count; ++Index) {
    if (Config->Misc.Tools.Values[Index]->Enabled) {
-      Context->CustomEntries[EntryIndex].Name      = OC_BLOB_GET (&Config->Misc.Tools.Values[Index]->Name);
-      Context->CustomEntries[EntryIndex].Path      = OC_BLOB_GET (&Config->Misc.Tools.Values[Index]->Path);
-      Context->CustomEntries[EntryIndex].Arguments = OC_BLOB_GET (&Config->Misc.Tools.Values[Index]->Arguments);
-      Context->CustomEntries[EntryIndex].Flavour   = OC_BLOB_GET (&Config->Misc.Tools.Values[Index]->Flavour);
-      Context->CustomEntries[EntryIndex].Auxiliary = Config->Misc.Tools.Values[Index]->Auxiliary;
-      Context->CustomEntries[EntryIndex].Tool      = TRUE;
-      Context->CustomEntries[EntryIndex].TextMode  = Config->Misc.Tools.Values[Index]->TextMode;
-      Context->CustomEntries[EntryIndex].RealPath  = Config->Misc.Tools.Values[Index]->RealPath;
+      Context->CustomEntries[EntryIndex].Name                   = OC_BLOB_GET (&Config->Misc.Tools.Values[Index]->Name);
+      Context->CustomEntries[EntryIndex].Path                   = OC_BLOB_GET (&Config->Misc.Tools.Values[Index]->Path);
+      Context->CustomEntries[EntryIndex].Arguments              = OC_BLOB_GET (&Config->Misc.Tools.Values[Index]->Arguments);
+      Context->CustomEntries[EntryIndex].Flavour                = OC_BLOB_GET (&Config->Misc.Tools.Values[Index]->Flavour);
+      Context->CustomEntries[EntryIndex].Auxiliary              = Config->Misc.Tools.Values[Index]->Auxiliary;
+      Context->CustomEntries[EntryIndex].Tool                   = TRUE;
+      Context->CustomEntries[EntryIndex].TextMode               = Config->Misc.Tools.Values[Index]->TextMode;
+      Context->CustomEntries[EntryIndex].RealPath               = Config->Misc.Tools.Values[Index]->RealPath;
+      Context->CustomEntries[EntryIndex].DisableFirmwareRuntime = Config->Misc.Tools.Values[Index]->DisableFirmwareRuntime;
      ++EntryIndex;
    }
  }

--- a/Library/OcVariableLib/VariableManagement.c
+++ b/Library/OcVariableLib/VariableManagement.c
@@ -32,7 +32,6 @@
 #include <Library/UefiBootServicesTableLib.h>
 #include <Library/UefiRuntimeServicesTableLib.h>
 #include <Library/UefiLib.h>
-#include <Protocol/OcFirmwareRuntime.h>

 STATIC
 EFI_GUID
@@ -416,6 +415,44 @@ GetBootstrapBootData (
  return OptionData;
 }

+OC_FIRMWARE_RUNTIME_PROTOCOL *
+OcDisableFirmwareRuntime (
+  VOID
+  )
+{
+  EFI_STATUS                    Status;
+  OC_FIRMWARE_RUNTIME_PROTOCOL  *FwRuntime;
+  OC_FWRT_CONFIG                Config;
+
+  Status = gBS->LocateProtocol (
+                  &gOcFirmwareRuntimeProtocolGuid,
+                  NULL,
+                  (VOID **)&FwRuntime
+                  );
+
+  if (!EFI_ERROR (Status) && (FwRuntime->Revision == OC_FIRMWARE_RUNTIME_REVISION)) {
+    ZeroMem (&Config, sizeof (Config));
+    FwRuntime->SetOverride (&Config);
+    DEBUG ((DEBUG_INFO, "OCVAR: Found FW NVRAM, full access %d\n", Config.BootVariableRedirect));
+  } else {
+    FwRuntime = NULL;
+    DEBUG ((DEBUG_INFO, "OCVAR: Missing compatible FW NVRAM, going on...\n"));
+  }
+
+  return FwRuntime;
+}
+
+VOID
+OcRestoreFirmwareRuntime (
+  IN OC_FIRMWARE_RUNTIME_PROTOCOL  *FwRuntime
+  )
+{
+  if (FwRuntime != NULL) {
+    DEBUG ((DEBUG_INFO, "OCVAR: Restoring FW NVRAM...\n"));
+    FwRuntime->SetOverride (NULL);
+  }
+}
+
 VOID
 OcDeleteVariables (
  IN BOOLEAN  PreserveBoot
@@ -423,7 +460,6 @@ OcDeleteVariables (
 {
  EFI_STATUS                    Status;
  OC_FIRMWARE_RUNTIME_PROTOCOL  *FwRuntime;
-  OC_FWRT_CONFIG                Config;
  UINTN                         BootProtectSize;
  UINT32                        BootProtect;
  VOID                          *BootOption;
@@ -454,20 +490,7 @@ OcDeleteVariables (
    }
  }

-  Status = gBS->LocateProtocol (
-                  &gOcFirmwareRuntimeProtocolGuid,
-                  NULL,
-                  (VOID **)&FwRuntime
-                  );
-
-  if (!EFI_ERROR (Status) && (FwRuntime->Revision == OC_FIRMWARE_RUNTIME_REVISION)) {
-    ZeroMem (&Config, sizeof (Config));
-    FwRuntime->SetOverride (&Config);
-    DEBUG ((DEBUG_INFO, "OCVAR: Found FW NVRAM, full access %d\n", Config.BootVariableRedirect));
-  } else {
-    FwRuntime = NULL;
-    DEBUG ((DEBUG_INFO, "OCVAR: Missing compatible FW NVRAM, going on...\n"));
-  }
+  FwRuntime = OcDisableFirmwareRuntime ();

  if ((BootProtect & OC_BOOT_PROTECT_VARIABLE_BOOTSTRAP) != 0) {
    BootOption = GetBootstrapBootData (&BootOptionSize, &BootOptionIndex);
@@ -509,10 +532,7 @@ OcDeleteVariables (
    FreePool (BootOption);
  }

-  if (FwRuntime != NULL) {
-    DEBUG ((DEBUG_INFO, "OCVAR: Restoring FW NVRAM...\n"));
-    FwRuntime->SetOverride (NULL);
-  }
+  OcRestoreFirmwareRuntime (FwRuntime);
 }

 EFI_STATUS