OpenCoreUefi: Add support for ProtectSecureBoot

Changelog.md

@@ -13,6 +13,7 @@ OpenCore Changelog
 - Removed `ConsoleBehaviourOs` and `ConsoleBehaviourUi`
 - Fixed providing ConsoleOutHandle GOP when running from Shell
 - Added `PickerAttributes` option to colour picker
+- Added `ProtectSecureBoot` option through FwRuntimeServices
 
 #### v0.5.5
 - Fixed CPU bus ratio calculation for Nehalem and Westmere

Docs/Configuration.tex

@@ -1303,6 +1303,18 @@ \subsection{Quirks Properties}\label{booterpropsquirks}
   As \texttt{AvoidRuntimeDefrag} resolves a similar problem, no known firmwares should need
   this quirk. Do not use this unless you fully understand the consequences.
 
+\item
+  \texttt{ProtectSecureBoot}\\
+  \textbf{Type}: \texttt{plist\ boolean}\\
+  \textbf{Failsafe}: \texttt{false}\\
+  \textbf{Description}: Protect UEFI Secure Boot variables from being written.
+
+  Reports security violation during attempts to write to \texttt{db}, \texttt{dbx},
+  \texttt{PK}, and \texttt{KEK} variables from the operating system.
+
+  \emph{Note}: This quirk mainly attempts to avoid issues with NVRAM implementations
+  with problematic defragmentation, such as select Insyde or \texttt{MacPro5,1}.
+
 \item
   \texttt{ProvideCustomSlide}\\
   \textbf{Type}: \texttt{plist\ boolean}\\

Docs/Differences/Differences.tex

@@ -1,7 +1,7 @@
 \documentclass[]{article}
 %DIF LATEXDIFF DIFFERENCE FILE
 %DIF DEL PreviousConfiguration.tex   Thu Feb  6 00:43:28 2020
-%DIF ADD ../Configuration.tex        Sat Feb  8 22:43:16 2020
+%DIF ADD ../Configuration.tex        Sat Feb  8 23:35:07 2020
 
 \usepackage{lmodern}
 \usepackage{amssymb,amsmath}
@@ -1364,7 +1364,22 @@ \subsection{Quirks Properties}\label{booterpropsquirks}
   this quirk. Do not use this unless you fully understand the consequences.
 
 \item
-  \texttt{ProvideCustomSlide}\\
+  \DIFaddbegin \texttt{\DIFadd{ProtectSecureBoot}}\\
+  \textbf{\DIFadd{Type}}\DIFadd{: }\texttt{\DIFadd{plist\ boolean}}\\
+  \textbf{\DIFadd{Failsafe}}\DIFadd{: }\texttt{\DIFadd{false}}\\
+  \textbf{\DIFadd{Description}}\DIFadd{: Protect UEFI Secure Boot variables from being written.
+}
+
+  \DIFadd{Reports security violation during attempts to write to }\texttt{\DIFadd{db}}\DIFadd{, }\texttt{\DIFadd{dbx}}\DIFadd{,
+  }\texttt{\DIFadd{PK}}\DIFadd{, and }\texttt{\DIFadd{KEK}} \DIFadd{variables from the operating system.
+}
+
+  \emph{\DIFadd{Note}}\DIFadd{: This quirk mainly attempts to avoid issues with NVRAM implementations
+  with problematic defragmentation, such as select Insyde or }\texttt{\DIFadd{MacPro5,1}}\DIFadd{.
+}
+
+\item
+  \DIFaddend \texttt{ProvideCustomSlide}\\
   \textbf{Type}: \texttt{plist\ boolean}\\
   \textbf{Failsafe}: \texttt{false}\\
   \textbf{Description}: Provide custom KASLR slide on low memory.

Docs/Sample.plist

@@ -254,6 +254,8 @@
 			<false/>
 			<key>ProtectCsmRegion</key>
 			<false/>
+			<key>ProtectSecureBoot</key>
+			<false/>
 			<key>ProvideCustomSlide</key>
 			<true/>
 			<key>SetupVirtualMap</key>

Docs/SampleFull.plist

@@ -254,6 +254,8 @@
 			<false/>
 			<key>ProtectCsmRegion</key>
 			<false/>
+			<key>ProtectSecureBoot</key>
+			<false/>
 			<key>ProvideCustomSlide</key>
 			<true/>
 			<key>SetupVirtualMap</key>

Platform/OpenCore/OpenCoreUefi.c

@@ -517,6 +517,7 @@ OcLoadBooterUefiSupport (
   AbcSettings.DevirtualiseMmio       = Config->Booter.Quirks.DevirtualiseMmio;
   AbcSettings.DisableSingleUser      = Config->Booter.Quirks.DisableSingleUser;
   AbcSettings.DisableVariableWrite   = Config->Booter.Quirks.DisableVariableWrite;
+  AbcSettings.ProtectSecureBoot      = Config->Booter.Quirks.ProtectSecureBoot;
   AbcSettings.DiscardHibernateMap    = Config->Booter.Quirks.DiscardHibernateMap;
   AbcSettings.EnableSafeModeSlide    = Config->Booter.Quirks.EnableSafeModeSlide;
   AbcSettings.EnableWriteUnprotector = Config->Booter.Quirks.EnableWriteUnprotector;