diff options
| author | Zhang, Chao B <chao.b.zhang@intel.com> | 2016-08-16 10:21:42 +0800 |
|---|---|---|
| committer | Zhang, Chao B <chao.b.zhang@intel.com> | 2016-08-17 09:01:46 +0800 |
| commit | fd4d9c6495109979eb17779e07666c7c11c79c6a (patch) | |
| tree | 7a1664732140a0fa395936601f4a6d19625cdc05 /SecurityPkg/Library/AuthVariableLib | |
| parent | d35ec1e0507dc612ed6485410f12e683a726a3bf (diff) | |
| download | edk2-fd4d9c6495109979eb17779e07666c7c11c79c6a.tar.gz edk2-fd4d9c6495109979eb17779e07666c7c11c79c6a.tar.bz2 edk2-fd4d9c6495109979eb17779e07666c7c11c79c6a.zip | |
SecurityPkg: AuthVariableLib: Fix inconsistent CertDB case
2 steps are used to create/delete a time based variable.
For create
step 1: Insert Signer Cert to CertDB.
Step 2: Insert Payload to Variable.
For delete
step 1: Delete Variable.
Step 2: Delete Cert from CertDB.
System may breaks between step 1 & step 2, so CertDB may contains useless
Cert in the next reboot. AuthVariableLib choose to sync consistent state
between CertDB & Time Auth Variable on initialization. However, it doesn't
apply Time Auth attribute check. Now add it.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Zeng Star <star.zeng@intel.com>
Diffstat (limited to 'SecurityPkg/Library/AuthVariableLib')
| -rw-r--r-- | SecurityPkg/Library/AuthVariableLib/AuthService.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c index 6e1e284801..b013d420f6 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c @@ -2100,7 +2100,7 @@ CleanCertsFromDb ( &AuthVariableInfo
);
- if (EFI_ERROR(Status)) {
+ if (EFI_ERROR(Status) || (AuthVariableInfo.Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) == 0) {
Status = DeleteCertsFromDb(
VariableName,
&AuthVarGuid,
|