Re: Lock BootOrder variable

Paulo Henrique Lacerda de Amorim

UEFI defines the BootOrder variable with NV+BS+RT attributes, so it's
not possible to lock this variable. You can try to delete the BootOrder
variable and then set the variable with the AT attribute, which will
probably result in undefined behavior. OVMF just recreates the
BootOrder with NV+BS+RT again, and then any code which can call Runtime
Services will be able to change BootOrder again.

A possible method is to use a signed loader which has your own
'BootOrder' hardcoded.

On 12/12/2019 05:49, Wang, Sunny (HPS SW) wrote:

Hi All,

Is there any spec'd way that we can use to lock some UEFI variables like BootOrder without breaking OS installation and OS functionalities?

For some security reasons and customer use cases, we need to let system firmware completely own some UEFI variables like BootOrder. In other words, we don't want some UEFI variables to be controlled by the OS using the UEFI runtime service SetVariable. In addition, we tried to lock the BootOrder variable, but it would break OS installation or some OS functionalities.

By the way, we will bring this need to USWG if there is no existing spec'd way for satisfying this need.

Sunny Wang
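As an added example (not part of this thread, OVMF or EDK II), a small Python script that decodes a UEFI variable the way Linux exposes it through efivarfs: a 4-byte little-endian attribute word followed by the variable data. It names the attribute bits the reply refers to (NV, BS, RT, AT), lists the Boot#### entries that BootOrder points at, and flags whether the variable can be rewritten from the OS through the SetVariable runtime service without an authenticated payload. The sample bytes are constructed; the efivarfs path uses the standard EFI_GLOBAL_VARIABLE GUID; the `runtime_writable` check is this example's own heuristic and looks only at attribute bits, not at any firmware-specific variable lock.

```python
"""Decode a UEFI variable as exposed by Linux efivarfs and report its
attributes and BootOrder contents. Added example, not code from the thread."""
import struct
from pathlib import Path

# EFI_VARIABLE_* attribute bits from the UEFI specification.
ATTR_BITS = {
    0x01: "NV",      # EFI_VARIABLE_NON_VOLATILE
    0x02: "BS",      # EFI_VARIABLE_BOOTSERVICE_ACCESS
    0x04: "RT",      # EFI_VARIABLE_RUNTIME_ACCESS
    0x08: "HR",      # EFI_VARIABLE_HARDWARE_ERROR_RECORD
    0x10: "AW",      # EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS (deprecated)
    0x20: "AT",      # EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
    0x40: "APPEND",  # EFI_VARIABLE_APPEND_WRITE
    0x80: "EAW",     # EFI_VARIABLE_ENHANCED_AUTHENTICATED_ACCESS
}

# efivarfs file name for BootOrder: <name>-<EFI_GLOBAL_VARIABLE GUID>.
EFIVARS_BOOT_ORDER = (
    "/sys/firmware/efi/efivars/BootOrder-8be4df61-93ca-11d2-aa0d-00e098032b8c"
)


def decode_attributes(attrs):
    """Return the short names of the attribute bits set in `attrs`, lowest bit first."""
    return [name for bit, name in sorted(ATTR_BITS.items()) if attrs & bit]


def parse_efivar(blob):
    """Split an efivarfs blob into (attributes, data)."""
    if len(blob) < 4:
        raise ValueError("efivarfs blob too short to hold the attribute word")
    (attrs,) = struct.unpack_from("<I", blob, 0)
    return attrs, blob[4:]


def parse_boot_order(data):
    """BootOrder is an array of UINT16 option numbers, each naming a Boot#### variable."""
    if len(data) % 2:
        raise ValueError("BootOrder data length is not a multiple of 2")
    count = len(data) // 2
    return [f"Boot{n:04X}" for n in struct.unpack(f"<{count}H", data)]


def runtime_writable(attrs):
    """Heuristic (this example's assumption): the OS can rewrite the variable via
    SetVariable at runtime when RT is set and no authenticated-write bit (AT/EAW) is."""
    return bool(attrs & 0x04) and not (attrs & (0x20 | 0x80))


def audit(blob):
    """Decode a BootOrder blob and summarise what an OS could do with it."""
    attrs, data = parse_efivar(blob)
    return {
        "attributes": decode_attributes(attrs),
        "boot_order": parse_boot_order(data),
        "os_writable": runtime_writable(attrs),
    }


def read_system_boot_order(path=EFIVARS_BOOT_ORDER):
    """Audit the live variable on a Linux host with efivarfs mounted (needs read access)."""
    return audit(Path(path).read_bytes())


# Constructed sample: attributes NV+BS+RT (0x00000007) followed by
# BootOrder = 0003, 0001, 0000 as little-endian UINT16 values.
SAMPLE_BOOT_ORDER = bytes.fromhex("07000000") + struct.pack("<3H", 3, 1, 0)

if __name__ == "__main__":
    print(audit(SAMPLE_BOOT_ORDER))
```

On a real system `read_system_boot_order()` shows the NV+BS+RT combination the reply describes, which is exactly why the variable stays writable from the OS: with RT set and no authenticated-write attribute, nothing in the attribute word itself prevents a runtime SetVariable call.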

