add EDK2 compatible Secure Boot status display

* Also fix a typo for the EFI_ACCESS_DENIED → EFI_SECURITY_VIOLATION workaround.

.vs/uefi-ntfs.vcxproj

@@ -396,6 +396,7 @@
   <ItemGroup>
     <ClCompile Include="..\boot.c" />
     <ClCompile Include="..\path.c" />
+    <ClCompile Include="..\system.c" />
   </ItemGroup>
   <ItemGroup>
     <None Include="..\debug.vbs" />

.vs/uefi-ntfs.vcxproj.filters

@@ -24,6 +24,9 @@
     <ClCompile Include="..\path.c">
       <Filter>Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="..\system.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="..\boot.h">

Makefile

@@ -100,7 +100,7 @@ CFLAGS         += -DCONFIG_$(GNUEFI_ARCH) -D__MAKEWITH_GNUEFI -DGNU_EFI_USE_MS_A
 LDFLAGS        += -L$(GNUEFI_DIR)/$(GNUEFI_ARCH)/lib -e $(EP_PREFIX)efi_main
 LDFLAGS        += -s -Wl,-Bsymbolic -nostdlib -shared
 LIBS            = -lefi $(CRT0_LIBS)
-OBJS            = boot.o path.o
+OBJS            = boot.o path.o system.o
 
 ifeq (, $(shell which $(CC)))
   $(error The selected compiler ($(CC)) was not found)

boot.c

@@ -25,9 +25,6 @@
 /* Global handle for the current executable */
 static EFI_HANDLE MainImageHandle = NULL;
 
-/* Tri-state status for Secure Boot: -1 = Setup, 0 = Disabled, 1 = Enabled */
-static INTN SecureBootStatus = 0;
-
 /* Strings used to identify the plaform */
 #if defined(_M_X64) || defined(__x86_64__)
   static CHAR16* Arch = L"x64";
@@ -157,7 +154,7 @@ static EFI_STATUS PrintSystemInfo(VOID)
 	SMBIOS_STRUCTURE_POINTER Smbios;
 	SMBIOS_STRUCTURE_TABLE* SmbiosTable;
 	SMBIOS3_STRUCTURE_TABLE* Smbios3Table;
-	UINT8 Found = 0, *Raw, *SecureBoot, *SetupMode;
+	UINT8 Found = 0, *Raw;
 	UINTN MaximumSize, ProcessedSize = 0;
 
 	PrintInfo(L"UEFI v%d.%d (%s, 0x%08X)", gST->Hdr.Revision >> 16, gST->Hdr.Revision & 0xFFFF,
@@ -195,19 +192,6 @@ static EFI_STATUS PrintSystemInfo(VOID)
 		}
 	}
 
-	SecureBoot = LibGetVariable(L"SecureBoot", &EfiGlobalVariable);
-	SetupMode = LibGetVariable(L"SetupMode", &EfiGlobalVariable);
-	SecureBootStatus = ((SecureBoot != NULL) && (*SecureBoot != 0)) ? 1 : 0;
-	if ((SetupMode != NULL) && (*SetupMode != 0))
-		SecureBootStatus = -1;
-	// Wasteful, but we can't highlight "Enabled"/"Setup" from a %s argument...
-	if (SecureBootStatus > 0)
-		PrintInfo(L"Secure Boot status: Enabled");
-	else if (SecureBootStatus < 0)
-		PrintInfo(L"Secure Boot status: Setup");
-	else
-		PrintInfo(L"Secure Boot status: Disabled");
-
 	return EFI_SUCCESS;
 }
 
@@ -235,6 +219,7 @@ EFI_STATUS EFIAPI efi_main(EFI_HANDLE ImageHandle, EFI_SYSTEM_TABLE *SystemTable
 	CHAR8* Buffer, FsMagic[2][8] = { 
 		{ 'N', 'T', 'F', 'S', ' ', ' ', ' ', ' '} ,
 		{ 'E', 'X', 'F', 'A', 'T', ' ', ' ', ' '} };
+	INTN SecureBootStatus;
 	UINTN Index, FsType = 0, Try, Event, HandleCount = 0, Size;
 	BOOLEAN SameDevice;
 
@@ -244,12 +229,16 @@ EFI_STATUS EFIAPI efi_main(EFI_HANDLE ImageHandle, EFI_SYSTEM_TABLE *SystemTable
 	MainImageHandle = ImageHandle;
 
 	// The platform logo may still be displayed → remove it
-	SystemTable->ConOut->ClearScreen(SystemTable->ConOut);
+	gST->ConOut->ClearScreen(gST->ConOut);
 
 	Print(L"\n*** UEFI:NTFS %s (%s) ***\n\n", VERSION_STRING, Arch);
 #if defined(_GNU_EFI)
 	PrintSystemInfo();
 #endif
+	SecureBootStatus = GetSecureBootStatus();
+	PrintInfo(L"Secure Boot status: %s",
+		(SecureBootStatus > 0) ? L"Enabled" :
+		((SecureBootStatus < 0) ? L"Setup" : L"Disabled"));
 
 	Status = gBS->OpenProtocol(MainImageHandle, &gEfiLoadedImageProtocolGuid,
 		(VOID**)&LoadedImage, MainImageHandle, NULL, EFI_OPEN_PROTOCOL_GET_PROTOCOL);
@@ -354,7 +343,7 @@ EFI_STATUS EFIAPI efi_main(EFI_HANDLE ImageHandle, EFI_SYSTEM_TABLE *SystemTable
 		if (EFI_ERROR(Status)) {
 			// Some platforms (e.g. Intel NUCs) return EFI_ACCESS_DENIED for Secure Boot
 			// validation errors. Return a much more explicit EFI_SECURITY_VIOLATION then.
-			if ((Status == EFI_ACCESS_DENIED) && (SecureBootStatus > 1))
+			if ((Status == EFI_ACCESS_DENIED) && (SecureBootStatus >= 1))
 				Status = EFI_SECURITY_VIOLATION;
 			PrintError(L"  Unable to load driver '%s'", DriverPath);
 			goto out;
@@ -451,7 +440,7 @@ EFI_STATUS EFIAPI efi_main(EFI_HANDLE ImageHandle, EFI_SYSTEM_TABLE *SystemTable
 	// At this stage, our DevicePath is the partition we are after
 	PrintInfo(L"Launching '%s'...", &LoaderPath[1]);
 
-	// Now attempt to chain load bootx64.efi on the target partition
+	// Now attempt to chain load boot###.efi on the target partition
 	DevicePath = FileDevicePath(Handles[Index], LoaderPath);
 	if (DevicePath == NULL) {
 		Status = EFI_DEVICE_ERROR;
@@ -461,7 +450,7 @@ EFI_STATUS EFIAPI efi_main(EFI_HANDLE ImageHandle, EFI_SYSTEM_TABLE *SystemTable
 	Status = gBS->LoadImage(FALSE, ImageHandle, DevicePath, NULL, 0, &DriverHandle);
 	SafeFree(DevicePath);
 	if (EFI_ERROR(Status)) {
-		if ((Status == EFI_ACCESS_DENIED) && (SecureBootStatus > 1))
+		if ((Status == EFI_ACCESS_DENIED) && (SecureBootStatus >= 1))
 			Status = EFI_SECURITY_VIOLATION;
 		PrintError(L"  Load failure");
 		goto out;

boot.h

@@ -152,9 +152,10 @@ static __inline VOID _SafeStrCpy(CHAR16* Destination, UINTN DestMax,
 #define SafeStrCpy(d, l, s) _SafeStrCpy(d, l, s, __FILE__, __LINE__)
 
 /*
- * Path function prototypes
+ * Function prototypes
  */
 EFI_DEVICE_PATH* GetParentDevice(CONST EFI_DEVICE_PATH* DevicePath);
 INTN CompareDevicePaths(CONST EFI_DEVICE_PATH* dp1, CONST EFI_DEVICE_PATH* dp2);
 EFI_STATUS SetPathCase(CONST EFI_FILE_HANDLE Root, CHAR16* Path);
 CHAR16* DevicePathToString(CONST EFI_DEVICE_PATH* DevicePath);
+INTN GetSecureBootStatus(VOID);

system.c

@@ -0,0 +1,50 @@
+/*
+ * uefi-ntfs: UEFI → NTFS/exFAT chain loader - System Information
+ * Copyright © 2014-2021 Pete Batard <[email protected]>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "boot.h"
+
+/*
+ * Query the Secure Boot related firmware variables.
+ * Returns:
+ *  >0 if Secure Boot is enabled
+ *   0 if Secure Boot is disabled
+ *  <0 if the system is in Setup Mode
+ */
+INTN GetSecureBootStatus(VOID)
+{
+	UINT8 SecureBoot = 0, SetupMode = 0;
+	UINTN Size;
+	/* Tri-state status for Secure Boot: -1 = Setup, 0 = Disabled, 1 = Enabled */
+	INTN SecureBootStatus = 0;
+
+	// Check if the SecureBoot variable exists
+	Size = sizeof(SecureBoot);
+	if (gRT->GetVariable(L"SecureBoot", &gEfiGlobalVariableGuid, NULL, &Size, &SecureBoot) == EFI_SUCCESS) {
+		// The "SecureBoot" variable indicates whether the platform firmware
+		// is operating in Secure Boot mode (1) or not (0).
+		SecureBootStatus = (INTN)SecureBoot;
+
+		// The "SetupMode" variable indicates whether the platform firmware
+		// is operating in Secure Boot Setup Mode (1) or not (0).
+		Size = sizeof(SetupMode);
+		if ((gRT->GetVariable(L"SetupMode", &gEfiGlobalVariableGuid, NULL, &Size, &SetupMode) == EFI_SUCCESS) && (SetupMode != 0))
+			SecureBootStatus = -1;
+	}
+
+	return SecureBootStatus;
+}

uefi-ntfs.inf

@@ -22,6 +22,7 @@
 [Sources]
   boot.c
   path.c
+  system.c
 
 [Packages]
   uefi-ntfs.dec