Can I enable Secure Boot from within an EDKII EFI application?


I want to write the keys (PK, KEK, DB) to enable secure boot, and then enable Secure Boot from within an EFI application.

I can successfully read those variables, and I can also write to the PK, KEK, and DB successfully, but whenever I try to change the Secure Boot variable, I receive an EFI error: Write Protected (EFI_ERROR = 8)

So, can I disable this protection and enable Secure Boot, or is it not possible to alter this variable?

Here is the code that I am using on TianoCore EDKII:

  #include <Uefi.h>
  #include <Library/UefiLib.h>
  #include <Library/UefiRuntimeServicesTableLib.h>
  #include <Guid/GlobalVariable.h>

  EFI_STATUS Status;
  UINT8      SecureBootMode;

  SecureBootMode = 1;

  // Write the "SecureBoot" global variable with the same attribute set used
  // for the PK/KEK/db writes (the time-based authenticated write attribute
  // carries the EFI_VARIABLE_ prefix in the spec and in EDKII headers).
  Status = gRT->SetVariable(
      EFI_SECURE_BOOT_MODE_NAME,
      &gEfiGlobalVariableGuid,
      EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS,
      sizeof(UINT8),
      &SecureBootMode
  );

  if (EFI_ERROR(Status)) {
    // Status is the raw EFI_STATUS value; EFI_WRITE_PROTECTED prints as 8
    Print (L"Could not write to SecureBoot State. Error Code: %d\r\n", Status);
  }

I use this same function to write to the other Secure Boot variables. Also, I am making sure that the system is in Setup Mode before trying those operations.

When the code reaches this function, it prints "Could not write to SecureBoot State. Error Code: 8".


Solution

  • From UEFI 2.10, table 3.3:

    SecureBoot
    BS, RT
    Whether the platform firmware is operating in Secure boot mode (1) or not (0). All other values are reserved. Should be treated as read-only.

    I.e. the variable is only there to identify what state you're in.

    The mechanisms for switching Secure Boot mode are described in the UEFI specification, but they have implications you need to be aware of. Look for the topics:

    • Transitioning to Deployed Mode (32.3.4)
    • Transitioning to Audit Mode (32.3.3)
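An added example (not from the question or the answer) of the check a practitioner would run instead of writing SecureBoot: decode dumps of the four mode variables, confirm from their attribute word that they are BS|RT with no NV bit (firmware-derived, not stored), and classify the platform as Setup, Audit, User or Deployed Mode. The sample buffers are constructed in Linux efivarfs layout (4-byte little-endian attributes, then payload), and the mode table is my reading of the UEFI 2.10 "Secure Boot Modes" table; neither the function names nor the buffers are EDKII code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Attribute bits from the UEFI spec: EFI_VARIABLE_NON_VOLATILE, _BOOTSERVICE_ACCESS, _RUNTIME_ACCESS. */
#define ATTR_NV 0x1u
#define ATTR_BS 0x2u
#define ATTR_RT 0x4u
enum sb_mode { SB_SETUP, SB_AUDIT, SB_USER, SB_DEPLOYED, SB_INVALID };

/* Constructed dumps (not captures from a real machine) in Linux efivarfs
 * layout: 4-byte little-endian attribute word, then the payload. 0x06 = BS|RT. */
static const uint8_t kSetupMode[]    = {0x06, 0x00, 0x00, 0x00, 0x00};
static const uint8_t kAuditMode[]    = {0x06, 0x00, 0x00, 0x00, 0x00};
static const uint8_t kDeployedMode[] = {0x06, 0x00, 0x00, 0x00, 0x01};
static const uint8_t kSecureBoot[]   = {0x06, 0x00, 0x00, 0x00, 0x01};

/* Attribute word of a dump, or 0 if the buffer is too short to be valid. */
uint32_t efivar_attrs(const uint8_t *buf, size_t len) {
    if (len < 5) return 0;
    return (uint32_t)buf[0] | (uint32_t)buf[1] << 8 |
           (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
}
/* First payload byte of a dump, or -1 if the buffer is too short. */
int efivar_value(const uint8_t *buf, size_t len) { return len < 5 ? -1 : buf[4]; }

/* The mode variables carry BS|RT without NV: the firmware recomputes them from
 * the key store on every boot rather than storing them, and EDKII registers
 * them read-only, so SetVariable on SecureBoot fails with EFI_WRITE_PROTECTED. */
int is_firmware_derived(uint32_t attrs) {
    return (attrs & (ATTR_NV | ATTR_BS | ATTR_RT)) == (ATTR_BS | ATTR_RT);
}

/* Allowed combinations per the UEFI 2.10 "Secure Boot Modes" table (assumed;
 * verify against your copy of the spec). Anything else is an inconsistent report. */
enum sb_mode classify(int setup, int audit, int deployed, int secure) {
    if (setup == 1 && audit == 0 && deployed == 0 && secure == 0) return SB_SETUP;
    if (setup == 1 && audit == 1 && deployed == 0 && secure == 0) return SB_AUDIT;
    if (setup == 0 && audit == 0 && deployed == 0 && secure <= 1) return SB_USER;
    if (setup == 0 && audit == 0 && deployed == 1 && secure == 1) return SB_DEPLOYED;
    return SB_INVALID;
}

int main(void) {
    enum sb_mode m = classify(efivar_value(kSetupMode, sizeof kSetupMode),
                              efivar_value(kAuditMode, sizeof kAuditMode),
                              efivar_value(kDeployedMode, sizeof kDeployedMode),
                              efivar_value(kSecureBoot, sizeof kSecureBoot));
    printf("mode=%d firmware-derived=%d\n", (int)m,
           is_firmware_derived(efivar_attrs(kSecureBoot, sizeof kSecureBoot)));
    return m == SB_INVALID;
}
```

On a real Linux host the same bytes come from /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c and its SetupMode, AuditMode and DeployedMode siblings; the only supported way to leave Setup Mode and get SecureBoot reported as 1 is to enroll a PK, as the answer's spec sections describe.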