AuthVariableLib: Set SB to enabled during transition to USER_MODE

Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com>
Dasharo · Jul 11, 2024 · df5a2b0 · df5a2b0
1 parent d130aec
commit df5a2b0
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
@@ -205,9 +205,13 @@ AuthVariableLibInitialize (
     }
   } else if (mPlatformMode == USER_MODE) {
     //
-    // "SecureBootEnable" not exist, initialize it in USER_MODE.
+    // "SecureBootEnable" not exist, initialize it in USER_MODE. Can't use
+    // PcdSecureBootDefaultEnable here, because it will prevent enabling
+    // Secure Boot from OS when transitioning from SETUP_MODE to USER_MODE.
+    // PcdSecureBootDefaultEnable is used when settings are reset in UI and in
+    // the SecureBootDefaultKeysDxe where the default keys are being restored.
     //
-    SecureBootEnable = FixedPcdGet8 (PcdSecureBootDefaultEnable);
+    SecureBootEnable = SECURE_BOOT_ENABLE;
     Status = AuthServiceInternalUpdateVariable (
                EFI_SECURE_BOOT_ENABLE_NAME,
                &gEfiSecureBootEnableDisableGuid,