Re: [edk2] [PATCH V1] SecurityPkg: AuthVariableLib: Fix potential inconsistency corner case for Time Auth variable
Reviewed-by: Star Zeng

-----Original Message-----
From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Zhang, Chao B
Sent: Tuesday, August 16, 2016 10:39 AM
To: edk2-devel@lists.01.org
Cc: Fu, Siyuan ; Zhang, Chao B ; Zeng, Star
Subject: [edk2] [PATCH V1] SecurityPkg: AuthVariableLib: Fix potential inconsistency corner case for Time Auth variable

2 steps are used to create/delete a time based variable. For create, step 1: Insert Signer Cert to CertDB. Step 2: Insert Payload to Variable. For delete, step 1: Delete Variable. Step 2: Delete Cert from CertDB. System may break between step 1 & step 2, so CertDB may contain useless Cert in the next reboot. AuthVariableLib chooses to sync consistent state between CertDB & Time Auth Variable on initialization. However, it doesn't apply Time Auth attribute check. Now add it.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang

--- SecurityPkg/Library/AuthVariableLib/AuthService.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c index 6e1e284..b013d42 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c @@ -2100,7 +2100,7 @@ CleanCertsFromDb ( ); - if (EFI_ERROR(Status)) { + if (EFI_ERROR(Status) || (AuthVariableInfo.Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) == 0) { Status = DeleteCertsFromDb( VariableName, , -- 1.9.5.msysgit.1

___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
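
Review bot: The added attribute test in the `if` in CleanCertsFromDb reads `AuthVariableInfo.Attributes` in the same expression that tests `EFI_ERROR(Status)`, so it is only safe because `||` short-circuits: Attributes is evaluated only when Status is not an error. Keep the operands in this order and note that in a comment above the condition, together with the reason a variable that exists without EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS is treated like a missing one and has its CertDB entry deleted; the commit message explains this but the code does not. The new line is also long and would read better with the attribute test wrapped onto its own line. Separately, the Status returned by DeleteCertsFromDb is assigned here and the visible context does not show whether it is checked afterwards, so it is worth confirming how a failed delete during initialization is handled.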
Re: [edk2] [PATCH V1] SecurityPkg: AuthVariableLib: Fix potential inconsistency corner case for Time Auth variable
Reviewed-by: Fu Siyuan

> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of
> Zhang, Chao B
> Sent: Tuesday, August 16, 2016 10:39 AM
> To: edk2-devel@lists.01.org
> Cc: Fu, Siyuan ; Zhang, Chao B
> ; Zeng, Star
> Subject: [edk2] [PATCH V1] SecurityPkg: AuthVariableLib: Fix potential
> inconsistency corner case for Time Auth variable
>
> 2 steps are used to create/delete a time based variable. For create,
> step 1: Insert Signer Cert to CertDB. Step 2: Insert Payload to Variable.
> For delete, step 1: Delete Variable. Step 2: Delete Cert from CertDB.
> System may break between step 1 & step 2, so CertDB may contain useless
> Cert in the next reboot. AuthVariableLib chooses to sync consistent state
> between CertDB & Time Auth Variable on initialization. However, it doesn't
> apply Time Auth attribute check. Now add it.
>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Chao Zhang
> --- > SecurityPkg/Library/AuthVariableLib/AuthService.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c > b/SecurityPkg/Library/AuthVariableLib/AuthService.c > index 6e1e284..b013d42 100644 > --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c > +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c > @@ -2100,7 +2100,7 @@ CleanCertsFromDb ( > > ); > > - if (EFI_ERROR(Status)) { > + if (EFI_ERROR(Status) || (AuthVariableInfo.Attributes & > EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) == 0) { > Status = DeleteCertsFromDb( > VariableName, > , > -- > 1.9.5.msysgit.1