From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) by ml01.01.org (Postfix) with ESMTP id 376CF1A1E0F for ; Mon, 15 Aug 2016 19:39:03 -0700 (PDT) Received: from orsmga002.jf.intel.com ([10.7.209.21]) by fmsmga101.fm.intel.com with ESMTP; 15 Aug 2016 19:39:03 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.28,528,1464678000"; d="scan'208";a="1036156320" Received: from czhan46-mobl.ccr.corp.intel.com ([10.239.192.130]) by orsmga002.jf.intel.com with ESMTP; 15 Aug 2016 19:39:01 -0700 From: "Zhang, Chao B" To: edk2-devel@lists.01.org Cc: siyuan.fu@intel.com, star.zeng@intel.com, Chao Zhang Date: Tue, 16 Aug 2016 10:38:59 +0800 Message-Id: <1471315139-19308-1-git-send-email-chao.b.zhang@intel.com> X-Mailer: git-send-email 1.9.5.msysgit.1 Subject: [PATCH V1] SecurityPkg: AuthVariableLib: Fix potential inconsistency corner case for Time Auth variable X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Aug 2016 02:39:03 -0000 2 steps are used to create/delete a time based variable. For create, step 1: Insert Signer Cert to CertDB. Step 2: Insert Payload to Variable. For delete, step 1: Delete Variable. Step 2: Delete Cert from CertDB. System may breaks between step 1 & step 2, so CertDB may contains useless Cert in the next reboot. AuthVariableLib choose to sync consistent state between CertDB & Time Auth Variable on initialization. However, it doesn't apply Time Auth attribute check. Now add it. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Chao Zhang --- SecurityPkg/Library/AuthVariableLib/AuthService.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c index 6e1e284..b013d42 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c @@ -2100,7 +2100,7 @@ CleanCertsFromDb ( &AuthVariableInfo ); - if (EFI_ERROR(Status)) { + if (EFI_ERROR(Status) || (AuthVariableInfo.Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) == 0) { Status = DeleteCertsFromDb( VariableName, &AuthVarGuid, -- 1.9.5.msysgit.1