Method and Apparatus for Boot Variable Protection

What is claimed is: 1 . A method comprising: a first processor receiving a request from a second processor to alter a first variable stored in a non-volatile memory on the first processor and associated with boot code that is also stored in the non-volatile memory; the first processor executing a security policy to determine if the second processor meets criteria for altering the first variable; and the first processor granting permission to the second processor to alter the first variable responsive to determining that the second processor meets the criteria for altering the first variable. 2 . The method as recited in claim 1 , further comprising the first processor inhibiting the second processor from altering the first variable responsive to determining that the second processor does not meet the criteria for altering the first variable. 3 . The method as recited in claim 1 , wherein the criteria include determining if the second processor is operating in a recovery mode that provides a reduced set of capabilities relative to a normal operating system executable on the second processor. 4 . The method as recited in claim 1 , wherein the criteria includes determining if the second processor has provided proper credentials for altering the first variable. 5 . The method as recited in claim 1 , further comprising the non-volatile memory storing a plurality a plurality of variables including the first variable. 6 . The method as recited in claim 5 , further comprising the second processor requesting access to one of the plurality of variables during a boot procedure, wherein the first processor is configured to execute the security policy to determine whether to grant access to the one of the plurality of variables. 7 . The method as recited in claim 5 , wherein the first processor is configured to limit access of the plurality of variables by the second processor to a single one of the variables at a given time. 8 . The method as recited in claim 5 , further comprising: the second processor conveying a request to the first processor to delete one of the plurality of variables; responsive to receiving the request, the first processor executing the security policy to determine if the first processor is authorized to delete the one of the plurality of variables; and responsive to determining that the second processor is authorized, the first processor granting permission to the second processor to delete the one of the plurality of variables. 9 . The method as recited in claim 5 , further comprising: the first processor adding a new variable to the plurality of variables; and the first processor setting attributes associated with the new variable. 10 . The method as recited in claim 9 , wherein the attributes associated with the new variable include one or more of the following: an operating mode in which the new variable may be altered; an indication as to whether the new variable can be deleted; credentials required for access to the new variable. 11 . A computer system comprising: a main processor; and an auxiliary processor, the auxiliary processor including a non-volatile memory storing a plurality of variables used by the main processor during a boot procedure; wherein responsive to a request to alter a first variable of the plurality of variables by the main processor, the auxiliary processor is configured to execute a security policy to determine if the main processor meets criteria for altering the first variable; and wherein the auxiliary processor is configured to grant permission to alter first variable to the main processor responsive to determining that the main processor meets criteria for altering the variable. 12 . The computer system as recited in claim 11 , wherein the auxiliary processor is further configured to deny access to the first variable by the main processor responsive to determining that the main processor has not met the criteria for altering the variable. 13 . The computer system as recited in claim 11 , wherein the criteria includes determining if the main processor is operating in a recovery mode that comprises the computer system having a reduced set of capabilities relative to a normal operating system executable on the main processor. 14 . The computer system as recited in claim 11 , wherein the criteria includes determining if the main processor has provided proper credentials for altering the first variable. 15 . The computer system as recited in claim 11 , wherein the main processor is further configured to request access to one of the plurality of variables during a boot procedure, wherein responsive to receiving the request, the auxiliary processor is configured to execute the security policy to determine whether to grant access to the one of the plurality of variables. 16 . The computer system as recited in claim 11 , wherein the auxiliary processor is configured to limit access to the plurality of variables, by the main processor, to one variable at a time. 17 . The computer system as recited in claim 11 , wherein the main processor is further configured to convey a request to the auxiliary processor to delete one of the plurality of variables, and wherein the auxiliary processor is configured to determine whether to allow deletion of the one of the plurality of variables based on at least a current operating mode of the main processor and credentials provided by the main processor. 18 . A method comprising: a main processor in a computer system sending a request to an auxiliary processor to alter a first one of a plurality of variables stored in a non-volatile memory implemented on the auxiliary processor; executing, using the auxiliary processor, a security policy to determine whether to grant permission to alter the first one of the plurality of variables, wherein determining whether to grant access includes the auxiliary processor: determining whether the main processor is operating in recovery mode, the recovery mode having a reduced set of capabilities relative to a normal operating system executable by the main processor; and determining whether the main processor has provided required credentials for altering the first one of the plurality of variables; and the auxiliary processor granting permission to the main processor to alter the first one of the plurality of variables responsive to determining that the main processor is operating in the recovery mode and has provided the required credentials. 19 . The method as recited in claim 18 , further comprising the auxiliary processor denying permission to alter the first one of the plurality of variables responsive to determining that at least one of the following is true: the main processor is not operating in the recovery mode; the main processor has not provided the required credentials for altering the first one of the plurality of variables. 20 . The method as recited in claim 18 , further comprising: the main processor requesting access to one or more of the plurality of variables during a boot procedure; the auxiliary processor executing the security policy to determine whether to grant access to the one or more of the plurality of variables by the main processor; and the auxiliary processor enabling access to the one or more of the plurality of variables, one at a time, responsive to determining that the main processor is authorized to access the one or more of the plurality of variables.