Re: [edk2] [PATCH V1] SecurityPkg: AuthVariableLib: Fix potential inconsistency corner case for Time Auth variable

2016-08-15 Thread Zeng, Star 
Reviewed-by: Star Zeng 

-Original Message-
From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Zhang, 
Chao B
Sent: Tuesday, August 16, 2016 10:39 AM
To: edk2-devel@lists.01.org
Cc: Fu, Siyuan ; Zhang, Chao B ; 
Zeng, Star 
Subject: [edk2] [PATCH V1] SecurityPkg: AuthVariableLib: Fix potential 
inconsistency corner case for Time Auth variable

  2 steps are used to create/delete a time based variable. For create, step 1: 
Insert Signer Cert to CertDB. Step 2: Insert Payload to Variable. For delete, 
step 1: Delete Variable. Step 2: Delete Cert from CertDB. System may breaks 
between step 1 & step 2, so CertDB may contains useless Cert in the next 
reboot. AuthVariableLib choose to sync consistent state between CertDB & Time 
Auth Variable on initialization. However, it doesn't apply Time Auth attribute 
check. Now add it.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang 
---
 SecurityPkg/Library/AuthVariableLib/AuthService.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c 
b/SecurityPkg/Library/AuthVariableLib/AuthService.c
index 6e1e284..b013d42 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -2100,7 +2100,7 @@ CleanCertsFromDb (

);
 
-  if (EFI_ERROR(Status)) {
+  if (EFI_ERROR(Status) || (AuthVariableInfo.Attributes & 
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) == 0) {
 Status  = DeleteCertsFromDb(
 VariableName,
 ,
-- 
1.9.5.msysgit.1

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Re: [edk2] [PATCH V1] SecurityPkg: AuthVariableLib: Fix potential inconsistency corner case for Time Auth variable

2016-08-15 Thread Fu, Siyuan 
Reviewed-by: Fu Siyuan 



> -Original Message-
> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of
> Zhang, Chao B
> Sent: Tuesday, August 16, 2016 10:39 AM
> To: edk2-devel@lists.01.org
> Cc: Fu, Siyuan ; Zhang, Chao B
> ; Zeng, Star 
> Subject: [edk2] [PATCH V1] SecurityPkg: AuthVariableLib: Fix potential
> inconsistency corner case for Time Auth variable
> 
>   2 steps are used to create/delete a time based variable. For create,
> step 1: Insert Signer Cert to CertDB. Step 2: Insert Payload to Variable.
> For delete, step 1: Delete Variable. Step 2: Delete Cert from CertDB.
> System may breaks between step 1 & step 2, so CertDB may contains useless
> Cert in the next reboot. AuthVariableLib choose to sync consistent state
> between CertDB & Time Auth Variable on initialization. However, it doesn't
> apply Time Auth attribute check. Now add it.
> 
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Chao Zhang 
> ---
>  SecurityPkg/Library/AuthVariableLib/AuthService.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c
> b/SecurityPkg/Library/AuthVariableLib/AuthService.c
> index 6e1e284..b013d42 100644
> --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
> +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
> @@ -2100,7 +2100,7 @@ CleanCertsFromDb (
> 
> );
> 
> -  if (EFI_ERROR(Status)) {
> +  if (EFI_ERROR(Status) || (AuthVariableInfo.Attributes &
> EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) == 0) {
>  Status  = DeleteCertsFromDb(
>  VariableName,
>  ,
> --
> 1.9.5.msysgit.1
> 
> ___
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel