From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <chao.b.zhang@intel.com>
Received: from mga03.intel.com (mga03.intel.com [134.134.136.65])
 by ml01.01.org (Postfix) with ESMTP id B29E11A1DF6
 for <edk2-devel@lists.01.org>; Mon, 15 Aug 2016 19:25:14 -0700 (PDT)
Received: from orsmga002.jf.intel.com ([10.7.209.21])
 by orsmga103.jf.intel.com with ESMTP; 15 Aug 2016 19:25:15 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.28,528,1464678000"; d="scan'208";a="1036149618"
Received: from czhan46-mobl.ccr.corp.intel.com ([10.239.192.130])
 by orsmga002.jf.intel.com with ESMTP; 15 Aug 2016 19:25:12 -0700
From: "Zhang, Chao B" <chao.b.zhang@intel.com>
To: edk2-devel@lists.01.org
Cc: siyuan.fu@intel.com, star.zeng@intel.com,
 Chao Zhang <chao.b.zhang@intel.com>
Date: Tue, 16 Aug 2016 10:25:10 +0800
Message-Id: <1471314310-14964-1-git-send-email-chao.b.zhang@intel.com>
X-Mailer: git-send-email 1.9.5.msysgit.1
Subject: [PATCH] SecurityPkg: AuthVariableLib: Fix potential inconsistency corner case for Time Auth variable 2 steps are used to create/delete a time based variable. For create, step 1: Insert Signer Cert to CertDB. Step 2: Insert Payload to Variable. For delete, step 1: Delete Variable. Step 2: Delete Cert from CertDB. System may breaks between step 1 & step 2, so CertDB may contains useless Cert in the next reboot. AuthVariableLib choose to sync consistent state between CertDB & Time Auth Variable on initialization. However, it doesn't apply Time Auth attribute check. Now add it.
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Aug 2016 02:25:14 -0000

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
---
 SecurityPkg/Library/AuthVariableLib/AuthService.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c
index 6e1e284..b013d42 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -2100,7 +2100,7 @@ CleanCertsFromDb (
                                        &AuthVariableInfo
                                        );
 
-      if (EFI_ERROR(Status)) {
+      if (EFI_ERROR(Status) || (AuthVariableInfo.Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) == 0) {
         Status      = DeleteCertsFromDb(
                         VariableName,
                         &AuthVarGuid,
-- 
1.9.5.msysgit.1