From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mx0a-002e3701.pphosted.com (mx0a-002e3701.pphosted.com [148.163.147.86]) by mx.groups.io with SMTP id smtpd.web10.6892.1646894745831549531 for ; Wed, 09 Mar 2022 22:45:46 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@hpe.com header.s=pps0720 header.b=SI/M8CTn; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: hpe.com, ip: 148.163.147.86, mailfrom: prvs=00680eeea7=abner.chang@hpe.com) Received: from pps.filterd (m0150242.ppops.net [127.0.0.1]) by mx0a-002e3701.pphosted.com (8.16.1.2/8.16.1.2) with ESMTP id 229IOduR023826; Thu, 10 Mar 2022 06:45:42 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hpe.com; h=from : to : cc : subject : date : message-id; s=pps0720; bh=e9BY0SympN+9x/doTAaVZ7Jpia7vlZHu9E3sFvUNOIo=; b=SI/M8CTnlaAYgLMaGoN0FOeew4vPMcbl64GO0KTYj793XYNpmYg2CHlbcdgP1QqldsWF kIAkwS9mpumViqFXEefwAf+YZptWvPau3gTd51lOMdzRsHTkw7ec+E1egH44tqU+CAoQ AUznGK/Amq6zt+b1hj+7zhWB5x8DMHlo2u+jb701mmuMxXYQvhVVgYiRCfOxxqzOT1qs vfvII6Hoy7vgmHHUA63VxG0vm6N0SSQrbBeJnlz3bLT+yVK0Yme8kLFkEHh1RK04G42p tuPn2U/T4FC2NTuSfeW6oZwhILYIHcJy6Xum5SFOyepl/26xnNjlDtekzA+geE+5dLvR hw== Received: from g4t3426.houston.hpe.com (g4t3426.houston.hpe.com [15.241.140.75]) by mx0a-002e3701.pphosted.com (PPS) with ESMTPS id 3eq1g35gjh-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 10 Mar 2022 06:45:42 +0000 Received: from g9t2301.houston.hpecorp.net (g9t2301.houston.hpecorp.net [16.220.97.129]) by g4t3426.houston.hpe.com (Postfix) with ESMTP id 6B7495A; Thu, 10 Mar 2022 06:45:41 +0000 (UTC) Received: from abner-virtual-machine.asiapacific.hpqcorp.net (abner-virtual-machine.asiapacific.hpqcorp.net [15.119.211.133]) by g9t2301.houston.hpecorp.net (Postfix) with ESMTP id 469FB48; Thu, 10 Mar 2022 06:45:40 +0000 (UTC) 
From: "Abner Chang" To: devel@edk2.groups.io Cc: Nickle Wang , Andrew Fish , Ray Ni Subject: [PATCH] EmulatorPkg/RedfishPlatformCredentialLib: Check EFI_SECURE_BOOT_MODE_NAME Date: Thu, 10 Mar 2022 13:42:25 +0800 Message-Id: <20220310054225.21135-1-abner.chang@hpe.com> X-Mailer: git-send-email 2.17.1 X-Proofpoint-ORIG-GUID: 6iDPV-sIUYJHcHHvgS5e0GkeBmHOvGq8 X-Proofpoint-GUID: 6iDPV-sIUYJHcHHvgS5e0GkeBmHOvGq8 X-HPE-SCL: -1 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.816,Hydra:6.0.425,FMLib:17.11.64.514 definitions=2022-03-10_02,2022-03-09_01,2022-02-23_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 phishscore=0 malwarescore=0 suspectscore=0 mlxlogscore=819 impostorscore=0 spamscore=0 bulkscore=0 adultscore=0 lowpriorityscore=0 clxscore=1015 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000 definitions=main-2203100032 Check EFI_SECURE_BOOT_MODE_NAME before setting the flags to prohibit acquiring Redfish service credential and using Redfish service. Signed-off-by: Abner Chang Cc: Nickle Wang Cc: Andrew Fish Cc: Ray Ni
---
 .../RedfishPlatformCredentialLib.c | 32 +++++++++----------
 1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/EmulatorPkg/Library/RedfishPlatformCredentialLib/RedfishPlatformCredentialLib.c b/EmulatorPkg/Library/RedfishPlatformCredentialLib/RedfishPlatformCredentialLib.c
index eaf9c56450..a0233a984d 100644
--- a/EmulatorPkg/Library/RedfishPlatformCredentialLib/RedfishPlatformCredentialLib.c
+++ b/EmulatorPkg/Library/RedfishPlatformCredentialLib/RedfishPlatformCredentialLib.c
@@ -165,6 +165,9 @@ LibStopRedfishService (
 IN EDKII_REDFISH_CREDENTIAL_STOP_SERVICE_TYPE ServiceStopType
 )
 {
+ EFI_STATUS Status;
+ UINT8 *SecureBootVar;
+
 if (ServiceStopType >= ServiceStopTypeMax) {
 return EFI_INVALID_PARAMETER;
 }
@@ -177,8 +180,18 @@ LibStopRedfishService (
 if (!PcdGetBool (PcdRedfishServieStopIfSecureBootDisabled)) {
 return EFI_UNSUPPORTED;
 } else {
- mStopRedfishService = TRUE;
- DEBUG ((DEBUG_INFO, "EFI Redfish service is stopped due to SecureBoot is disabled!!\n"));
+ //
+ // Check Secure Boot status and lock Redfish service if Secure Boot is disabled.
+ //
+ Status = GetVariable2 (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid, (VOID **)&SecureBootVar, NULL);
+ if (EFI_ERROR (Status) || (*SecureBootVar != SECURE_BOOT_MODE_ENABLE)) {
+ //
+ // Secure Boot is disabled
+ //
+ mSecureBootDisabled = TRUE;
+ mStopRedfishService = TRUE;
+ DEBUG ((DEBUG_INFO, "EFI Redfish service is stopped due to SecureBoot is disabled!!\n"));
+ }
 }
 } else if (ServiceStopType == ServiceStopTypeExitBootService) {
 //
@@ -224,18 +237,5 @@ LibCredentialEndOfDxeNotify (
 IN EDKII_REDFISH_CREDENTIAL_PROTOCOL *This
 )
 {
- EFI_STATUS Status;
- UINT8 *SecureBootVar;
-
- //
- // Check Secure Boot status and lock Redfish service if Secure Boot is disabled.
- //
- Status = GetVariable2 (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid, (VOID **)&SecureBootVar, NULL);
- if (EFI_ERROR (Status) || (*SecureBootVar != SECURE_BOOT_MODE_ENABLE)) {
- //
- // Secure Boot is disabled
- //
- mSecureBootDisabled = TRUE;
- LibStopRedfishService (This, ServiceStopTypeSecureBootDisabled);
- }
+ LibStopRedfishService (This, ServiceStopTypeSecureBootDisabled);
 }
-- 2.17.1
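Review bot: The pool buffer that GetVariable2 returns through `SecureBootVar` is never freed in the new else branch; UefiLib allocates it and leaves the release to the caller, so each successful read leaks it. Adding `if (!EFI_ERROR (Status)) { FreePool (SecureBootVar); }` after the check closes that, assuming MemoryAllocationLib is already available to this library (its includes are not visible here). Treating a failed read as Secure Boot disabled is the right fail-closed choice and is worth stating in the comment, e.g. `// A read failure is treated as Secure Boot disabled (fail closed).` LibStopRedfishService begins and ends outside this hunk, so the status it returns when Secure Boot is enabled cannot be checked from here.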
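Review bot: `mSecureBootDisabled` was set here whenever the SecureBoot variable was unreadable or not enabled; after this change it is only set inside LibStopRedfishService once `PcdRedfishServieStopIfSecureBootDisabled` has tested TRUE, so with that PCD FALSE the flag now stays clear. The readers of mSecureBootDisabled are outside the visible hunks, so whether this relaxes the credential lockout cannot be confirmed here. If it is intended, it deserves a line in the commit message or a comment such as `// mSecureBootDisabled is only set when PcdRedfishServieStopIfSecureBootDisabled is TRUE.` The status returned by LibStopRedfishService is also discarded on the added line, so an EFI_UNSUPPORTED result passes silently. The function's signature begins above this hunk.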