From: Laszlo Ersek
To: edk2-devel-01
Cc: Jiaxin Wu, Siyuan Fu
Date: Thu, 22 Mar 2018 17:39:33 +0100
Message-Id: <20180322163933.29122-6-lersek@redhat.com>
In-Reply-To: <20180322163933.29122-1-lersek@redhat.com>
References: <20180322163933.29122-1-lersek@redhat.com>
Subject: [PATCH 5/5] NetworkPkg/TlsAuthConfigDxe: preserve TlsCaCertificate variable attributes

If the platform creates the "TlsCaCertificate" variable as volatile, then
EnrollX509toVariable() shouldn't fail to extend it just because
TLS_AUTH_CONFIG_VAR_BASE_ATTR contains the EFI_VARIABLE_NON_VOLATILE
attribute.

Thus, if the variable exists, add the EFI_VARIABLE_APPEND_WRITE attribute
to the variable's current attributes. This is what DeleteCert() does
already.

Cc: Jiaxin Wu
Cc: Siyuan Fu
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek
---
 NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigImpl.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigImpl.c b/NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigImpl.c
index faefc72d0efa..cbdd5f0664bd 100644
--- a/NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigImpl.c
+++ b/NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigImpl.c
@@ -813,6 +813,7 @@ EnrollX509toVariable ( CACert = NULL; CACertData = NULL; Data = NULL; + Attr = 0; Status = ReadFileContent ( Private->FileContext->FHandle, @@ -847,22 +848,22 @@ EnrollX509toVariable ( CopyMem ((UINT8* ) (CACertData->SignatureData), X509Data, X509DataSize); // - // Check if signature database entry has been already existed. - // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the - // new signature data to original variable + // Check if the signature database entry already exists. If it does, use the + // EFI_VARIABLE_APPEND_WRITE attribute to append the new signature data to + // the original variable, plus preserve the original variable attributes. // - Attr = TLS_AUTH_CONFIG_VAR_BASE_ATTR; - Status = gRT->GetVariable( VariableName, &gEfiTlsCaCertificateGuid, - NULL, + &Attr, &DataSize, NULL ); if (Status == EFI_BUFFER_TOO_SMALL) { Attr |= EFI_VARIABLE_APPEND_WRITE; - } else if (Status != EFI_NOT_FOUND) { + } else if (Status == EFI_NOT_FOUND) { + Attr = TLS_AUTH_CONFIG_VAR_BASE_ATTR; + } else { goto ON_EXIT; } -- 2.14.1.3.gb7cf6e02401b
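Review bot: the EFI_BUFFER_TOO_SMALL branch in the second hunk is only correct if GetVariable() has written the existing variable's attributes into `Attr` on that return code, and if `DataSize` is 0 on entry so that an existing "TlsCaCertificate" variable is always reported as too small; neither the DataSize initialisation nor that assumption is visible in the hunk, so a one-line comment (or an ASSERT that `Attr` contains the base access bits) next to `Attr |= EFI_VARIABLE_APPEND_WRITE;` would make the dependency explicit. Note also that the `Attr = 0;` added in the first hunk is only reached unchanged on the `goto ON_EXIT` path, since both remaining branches assign `Attr`; that is fine as a defensive default, but the commit message could say so. The attribute-preservation itself is a good fix from a trust-store point of view: the old code would have tried to rewrite a platform-created volatile CA store with EFI_VARIABLE_NON_VOLATILE, failing the append rather than silently changing the variable's persistence.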