Method and Apparatus for Boot Variable Protection

What is claimed is: 1 . A method, comprising: a first processor receiving a request from a second processor to alter a first variable associated with boot code of the second processor, wherein the receiving includes the second processor storing the request in a mailbox circuit and sending a separate indication of the storing to the first processor; in response to the indication and the request, the first processor evaluating a security policy to determine whether the second processor meets criteria for altering the first variable; and the first processor granting permission to the second processor to alter the first variable responsive to determining that the second processor meets the criteria for altering the first variable. 2 . The method of claim 1 , wherein the first processor is configured to inhibit the second processor from altering the first variable responsive to determining that the second processor does not meet the criteria for altering the first variable, wherein the first variable is stored in a non-volatile memory external to the first processor and accessible to the second processor via the first processor. 3 . The method of claim 1 , wherein the evaluating includes determining whether the second processor is operating in a recovery mode that provides a reduced set of capabilities relative to a set of capabilities available during execution of an operating system by the second processor. 4 . The method of claim 1 , wherein the evaluating includes determining whether the second processor has provided proper credentials for altering the first variable. 5 . The method of claim 1 , wherein the first variable is one of a plurality of boot variables accessed during a boot procedure in which the boot code is executed by the second processor. 6 . The method of claim 5 , further comprising: the second processor requesting access to one of the plurality of boot variables during a boot procedure, wherein the first processor evaluates the security policy during the boot procedure to determine whether to grant access to the one of the plurality of variables. 7 . The method of claim 5 , wherein the first processor is configured to limit access to the plurality of variables by the second processor to a single one of the boot variables at a given time. 8 . The method of claim 5 , further comprising: the second processor conveying a request to the first processor to delete one of the plurality of variables; responsive to receiving the request, the first processor evaluating the security policy to determine whether the second processor is authorized to delete the one of the plurality of variables; and responsive to determining that the second processor is authorized, the first processor granting permission to the second processor to delete the one of the plurality of variables. 9 . The method of claim 5 , further comprising: the first processor adding a new variable to the plurality of variables; and the first processor setting attributes associated with the new variable. 10 . The method of claim 9 , wherein the attributes associated with the new variable include one or more of the following: an operating mode in which the new variable may be altered; an indication as to whether the new variable can be deleted; and credentials required for access to the new variable. 11 . A computer system comprising: a main processor; an auxiliary processor; and a non-volatile memory a plurality of variables stored therein, wherein the main processor is configured to use the plurality of variables during a boot procedure; wherein the auxiliary processor is configured to: receive, at a mailbox circuit, a request to alter a first variable of the plurality of variables by the main processor; receive an indication of the request being received at the mailbox circuit; in response to the request and the indication, enforce a security policy that includes determining whether the main processor meets criteria for altering the first variable; and grant permission to alter the first variable to the main processor responsive to determining that the main processor meets criteria for altering the variable. 12 . The computer system of claim 11 , wherein the auxiliary processor is configured to: deny the main processor access to the first variable responsive to determining that the main processor has not met the criteria for altering the variable. 13 . The computer system of claim 11 , wherein the criteria include a criterion that the main processor is operating in a recovery mode. 14 . The computer system of claim 11 , wherein the criteria include a criterion that the main processor has provided proper credentials for altering the first variable. 15 . The computer system of claim 11 , wherein the auxiliary processor is configured to: verify boot code of the main processor during the boot procedure. 16 . The computer system of claim 15 , wherein the boot code is stored in the non-volatile memory with the first variable. 17 . The computer system of claim 11 , wherein the auxiliary processor is configured to: receive a request from the main processor to delete one of the plurality of variables; and determine whether to allow deletion of the one of the plurality of variables based on at least a current operating mode of the main processor and credentials provided by the main processor. 18 . A method, comprising: an auxiliary processor in a computer system receiving a request at a mailbox circuit of an auxiliary processor, wherein the request is from a main processor of the computer system to alter a first one of a plurality of boot variables stored in a non-volatile memory accessible to the auxiliary processor; the auxiliary processor evaluating a security policy to determine whether to grant the main processor permission to alter the first boot variable, wherein determining whether to grant the main processor access includes the auxiliary processor: determining whether the main processor is operating in recovery mode; and determining whether the main processor has provided authorization credentials for altering the first boot variable; and the auxiliary processor granting permission to the main processor to alter the first boot variable to determining that the main processor is operating in the recovery mode and has provided the authorization credentials. 19 . The method of claim 18 , wherein the non-volatile memory is external to the auxiliary processor, and wherein the plurality of boot variables include variables defined in a unified extensible firmware interface (UEFI) specification. 20 . The method of claim 18 , wherein the request is received during a boot procedure of the main processor in which the auxiliary processor verifies boot code of the main processor.