VariableAttributes is a [Flags] enum passed to ReadEnvironmentVariable and WriteEnvironmentVariable. It controls how a UEFI NVRAM variable is stored in firmware and which execution phases are permitted to access it. Each flag maps directly to a bit in the UEFI specification’s variable attributes bitmask.
Namespace
Unified.Firmware
Members
| Member | Value | Description |
|---|---|---|
| None | 0x00000000 | No attributes set. |
| NON_VOLATILE | 0x00000001 | The variable persists across power cycles, stored in non-volatile NVRAM. Without this flag, the variable is volatile and lost on reset. |
| BOOTSERVICE_ACCESS | 0x00000002 | The variable is accessible during boot services, before ExitBootServices is called. |
| RUNTIME_ACCESS | 0x00000004 | The variable remains accessible at OS runtime after ExitBootServices. Requires BOOTSERVICE_ACCESS to also be set. |
| HARDWARE_ERROR_RECORD | 0x00000008 | The variable is used to store hardware error records. The firmware manages a dedicated storage quota for these entries. |
| AUTHENTICATED_WRITE_ACCESS | 0x00000010 | Writes to the variable require a valid authentication descriptor. Ensures only authorised sources can modify the value. |
| TIME_BASED_AUTHENTICATED_WRITE_ACCESS | 0x00000020 | Writes require a time-based authentication descriptor. Used by Secure Boot key databases (db, dbx, KEK, PK) to prevent replay attacks. |
| APPEND_WRITE | 0x00000040 | New data is appended to the existing variable value instead of replacing it. Commonly used with authenticated key databases to accumulate entries. |
| ENHANCED_AUTHENTICATED_ACCESS | 0x00000080 | Enhanced authentication mechanism for variable access control, providing finer-grained read and write permissions beyond standard auth. |
Common Combinations
Most real-world variables use a predictable combination of flags. The three examples below cover the majority of use cases.
Standard Boot Variable
A persistent variable readable by both boot services and the OS runtime. This is the combination used by BootOrder, Boot####, and most standard firmware variables.
Boot-Service-Only Variable
A volatile variable accessible only during boot services. The value is discarded once the OS takes control.
Secure Boot Key Database
Used for Secure Boot key stores (db, dbx, KEK, PK). The TIME_BASED_AUTHENTICATED_WRITE_ACCESS flag prevents unauthorised or replayed updates.
The combination NON_VOLATILE | BOOTSERVICE_ACCESS | RUNTIME_ACCESS (0x00000007) is by far the most common attribute set in practice. When reading an unknown variable, this combination is a safe first guess before inspecting the raw attributes returned by the firmware.
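An added example, not taken from the Unified.Firmware documentation or code: once the raw attributes are in hand, they can be checked against the rules stated on this page (RUNTIME_ACCESS requires BOOTSERVICE_ACCESS, and Secure Boot key databases carry TIME_BASED_AUTHENTICATED_WRITE_ACCESS). The enum below is a local mirror of the Members table, and AttributeAudit, Check and the sample name/value pairs are hypothetical names and constructed data used only for illustration.

```csharp
using System;
using System.Collections.Generic;
// Local mirror of the Members table so the example compiles without the Unified.Firmware package.
[Flags]
enum VariableAttributes : uint
{
    None = 0x00, NON_VOLATILE = 0x01, BOOTSERVICE_ACCESS = 0x02, RUNTIME_ACCESS = 0x04,
    HARDWARE_ERROR_RECORD = 0x08, AUTHENTICATED_WRITE_ACCESS = 0x10,
    TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20, APPEND_WRITE = 0x40,
    ENHANCED_AUTHENTICATED_ACCESS = 0x80
}

static class AttributeAudit // hypothetical helper, not part of the library
{
    const VariableAttributes Known = (VariableAttributes)0xFF;
    static readonly HashSet<string> KeyDatabases = new HashSet<string> { "db", "dbx", "KEK", "PK" };

    // Returns findings for one variable; an empty list means nothing to report.
    public static List<string> Check(string name, uint raw)
    {
        var attrs = (VariableAttributes)raw;
        var findings = new List<string>();
        if ((attrs & ~Known) != 0)
            findings.Add($"bits outside the documented set: 0x{raw & ~0xFFu:X8}");
        if (attrs.HasFlag(VariableAttributes.RUNTIME_ACCESS) && !attrs.HasFlag(VariableAttributes.BOOTSERVICE_ACCESS))
            findings.Add("RUNTIME_ACCESS set without BOOTSERVICE_ACCESS");
        if (KeyDatabases.Contains(name) && !attrs.HasFlag(VariableAttributes.TIME_BASED_AUTHENTICATED_WRITE_ACCESS))
            findings.Add("Secure Boot key database without TIME_BASED_AUTHENTICATED_WRITE_ACCESS");
        return findings;
    }

    static void Main()
    {
        // Constructed (name, raw attributes) pairs, not read from real firmware.
        var samples = new (string Name, uint Raw)[]
        {
            ("BootOrder", 0x00000007), // standard boot variable
            ("db",        0x00000027), // key database with time-based authentication
            ("dbx",       0x00000007), // key database missing the authentication flag
            ("Example",   0x00000005), // runtime access without boot-service access
        };
        foreach (var (name, raw) in samples)
        {
            var findings = Check(name, raw);
            var status = findings.Count == 0 ? "ok" : string.Join("; ", findings);
            Console.WriteLine($"{name,-10} 0x{raw:X8} [{(VariableAttributes)raw}] {status}");
        }
    }
}
```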