Dasharo · miczyg1 · Nov 25, 2025 · Nov 24, 2025 · Nov 27, 2025 · Nov 28, 2025
diff --git a/DasharoModulePkg/Application/SovereignBootWizard/BootOptionParsing.c b/DasharoModulePkg/Application/SovereignBootWizard/BootOptionParsing.c
@@ -11,7 +11,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 ///
 /// Boot Option from variable Menu
 ///
-SV_MENU_OPTION  BootOptionMenu = {
+SV_MENU_OPTION  mBootOptionMenu = {
   SOVEREIGN_BOOT_MENU_OPTION_SIGNATURE,
   { NULL },
   0
@@ -489,15 +489,14 @@ CheckIfEntryIsDuplicate (
   }
 
   Index = 0;
-  while (Index < BootOptionMenu.MenuNumber) {
-    BootloaderEntry = GetMenuEntry (&BootOptionMenu, Index++);
+  while (Index < mBootOptionMenu.MenuNumber) {
+    BootloaderEntry = GetMenuEntry (&mBootOptionMenu, Index++);
     if (BootloaderEntry == NULL) {
       DEBUG ((DEBUG_WARN, "Bootloader entry is NULL\n"));
       continue;
     }
 
     if (MenuPathsAreEqual (MenuEntry, BootloaderEntry)) {
-      DEBUG ((DEBUG_WARN, "Found duplicate entry\n"));
       return TRUE;
     }
   }
@@ -640,7 +639,7 @@ FillMenuEntryFromDevicePath (
 
 /**
 
-  Build the BootOptionMenu according to BootOrder Variable.
+  Build the mBootOptionMenu according to BootOrder Variable.
   This Routine will access the Boot#### to get EFI_LOAD_OPTION.
 
   @param CallbackData The BMM context data.
@@ -666,7 +665,7 @@ GetBootOptions (
   MenuCount         = 0;
   BootOrderListSize = 0;
   BootOrderList     = NULL;
-  InitializeListHead (&BootOptionMenu.Head);
+  InitializeListHead (&mBootOptionMenu.Head);
 
   DEBUG ((DEBUG_INFO, "Locating boot options\n"));
 
@@ -679,8 +678,8 @@ GetBootOptions (
       return Status;
     }
 
-    InsertTailList (&BootOptionMenu.Head, &NewMenuEntry->Link);
-    BootOptionMenu.MenuNumber = 1;
+    InsertTailList (&mBootOptionMenu.Head, &NewMenuEntry->Link);
+    mBootOptionMenu.MenuNumber = 1;
     return EFI_SUCCESS;
   }
 
@@ -712,24 +711,24 @@ GetBootOptions (
       return Status;
     }
 
-    InsertTailList (&BootOptionMenu.Head, &NewMenuEntry->Link);
+    InsertTailList (&mBootOptionMenu.Head, &NewMenuEntry->Link);
     MenuCount++;
   }
 
   EfiBootManagerFreeLoadOptions (BootOption, BootOptionCount);
 
   FREE_NON_NULL (BootOrderList);
 
-  BootOptionMenu.MenuNumber = MenuCount;
+  mBootOptionMenu.MenuNumber = MenuCount;
 
-  Status = ScanFileSystemsForBootOptions (Private, &BootOptionMenu);
+  Status = ScanFileSystemsForBootOptions (Private, &mBootOptionMenu);
   if (EFI_ERROR (Status)) {
     DEBUG ((DEBUG_ERROR, "Scanning of filesystems failed with %r\n", Status));
   }
 
-  DEBUG ((DEBUG_INFO, "Found %d boot options \n", BootOptionMenu.MenuNumber));
+  DEBUG ((DEBUG_INFO, "Found %d boot options \n", mBootOptionMenu.MenuNumber));
 
-  if (BootOptionMenu.MenuNumber == 0) {
+  if (mBootOptionMenu.MenuNumber == 0) {
     return EFI_NOT_FOUND;
   }
 
@@ -777,12 +776,13 @@ UpdateBootloaderPage (
   IN  SOVEREIGN_BOOT_WIZARD_PRIVATE_DATA  *Private
   )
 {
-  SV_MENU_ENTRY    *BootloaderEntry;
-  EFI_STRING       NewString;
-  EFI_STATUS       Status;
+  SV_MENU_ENTRY        *BootloaderEntry;
+  SV_SECURITY_CONTEXT  *SecurityContext;
+  EFI_STRING           NewString;
+  EFI_STATUS           Status;
 
-  while (mBootloaderIndex < BootOptionMenu.MenuNumber) {
-    BootloaderEntry   = GetMenuEntry (&BootOptionMenu, mBootloaderIndex);
+  while (mBootloaderIndex < mBootOptionMenu.MenuNumber) {
+    BootloaderEntry   = GetMenuEntry (&mBootOptionMenu, mBootloaderIndex);
     if (BootloaderEntry == NULL) {
       return EFI_NO_MEDIA;
     }
@@ -794,6 +794,7 @@ UpdateBootloaderPage (
     if (BootloaderEntry->SecurityContext == NULL) {
       Status = FillSecurityContext(BootloaderEntry);
       if (EFI_ERROR (Status)) {
+        Private->FormData.ImageUnsigned = TRUE;
         DEBUG ((DEBUG_ERROR, "Failed to fill security context for bootloader %u\n", mBootloaderIndex));
         return EFI_NO_MEDIA;
       }
@@ -803,15 +804,17 @@ UpdateBootloaderPage (
     if (Status == EFI_NO_MEDIA) {
       DEBUG ((DEBUG_INFO, "No more keys/certificates for bootloader %u\n", mBootloaderIndex));
       // No more keys/certs to show for this bootloader, proceed to the next one
-      mCertIndex = 0;
-      mBootloaderIndex++;
-      continue;
+      if (!mAltAccessMode) {
+        mCertIndex = 0;
+        mBootloaderIndex++;
+        continue;
+      }
     }
 
     break;
   }
 
-  if (mBootloaderIndex >= BootOptionMenu.MenuNumber) {
+  if (mBootloaderIndex >= mBootOptionMenu.MenuNumber) {
     DEBUG ((DEBUG_INFO, "No more keys/certificates/bootloaders to show\n"));
     return EFI_NO_MEDIA;
   }
@@ -838,6 +841,43 @@ UpdateBootloaderPage (
     HiiSetString (Private->HiiHandle, STRING_TOKEN (STR_BOOTOPT_DESCRIPTION), L"Not Found!", NULL);
   }
 
+  if (mAltAccessMode && (BootloaderEntry->SecurityContext != NULL)) {
+    NewString = NULL;
+    SecurityContext = (SV_SECURITY_CONTEXT *)BootloaderEntry->SecurityContext;
+    Status = ParseHashValue (SecurityContext->ImageDigest,
+                             SecurityContext->ImageDigestSize,
+                             &NewString);
+    if (!EFI_ERROR (Status)) {
+      HiiSetString (Private->HiiHandle, STRING_TOKEN (STR_BOOTLOADER_HASH_HEX), NewString, NULL);
+      FREE_NON_NULL (NewString);
+    } else {
+      HiiSetString (Private->HiiHandle, STRING_TOKEN (STR_BOOTLOADER_HASH_HEX), L"Image hash could not be obtained.", NULL);
+    }
+
+    Private->FormData.ImageUnsigned = (!SecurityContext->ImageIsSigned ||
+                                       (SecurityContext->NumCertificates == 0));
+
+    if (SecurityContext->ImageIsInDbx) {
+      Private->FormData.ImageTrusted = IMAGE_STATE_UNTRUSTED;
+    } else if (SecurityContext->ImageIsInDb) {
+      Private->FormData.ImageTrusted = IMAGE_STATE_TRUSTED;
+    } else {
+      Private->FormData.ImageTrusted = IMAGE_STATE_UNDECIDED;
+    }
+
+    DEBUG ((DEBUG_INFO, "UpdateBootloaderPage:\n"
+      "  ImageIsSigned: %u\n"
+      "  ImageIsVerified: %u\n"
+      "  ImageIsInDb: %u\n"
+      "  ImageIsInDbx: %u\n"
+      "  ImageTrusted: %u\n",
+      SecurityContext->ImageIsSigned,
+      SecurityContext->ImageIsVerified,
+      SecurityContext->ImageIsInDb,
+      SecurityContext->ImageIsInDbx,
+      Private->FormData.ImageTrusted));
+  }
+
   return Status;
 }
 
@@ -882,19 +922,19 @@ FreeBootMenuEntries (
 {
   SV_MENU_ENTRY    *BootloaderEntry;
 
-  if (BootOptionMenu.MenuNumber == 0) {
+  if (mBootOptionMenu.MenuNumber == 0) {
     return;
   }
 
-  while (!IsListEmpty (&BootOptionMenu.Head)) {
+  while (!IsListEmpty (&mBootOptionMenu.Head)) {
     BootloaderEntry = CR (
-                        BootOptionMenu.Head.ForwardLink,
+                        mBootOptionMenu.Head.ForwardLink,
                         SV_MENU_ENTRY,
                         Link,
                         SOVEREIGN_BOOT_MENU_ENTRY_SIGNATURE);
     RemoveEntryList (&BootloaderEntry->Link);
     FreeBootMenuEntry (BootloaderEntry);
   }
 
-  BootOptionMenu.MenuNumber = 0;
+  mBootOptionMenu.MenuNumber = 0;
 }