authorZhichao Gao <zhichao.gao@intel.com>2019-05-13 10:48:27 +0800
committerJian J Wang <jian.j.wang@intel.com>2019-05-15 13:00:37 +0800
commite90ea9470a88661946d8489c3a31640eab096a9a (patch)
tree2ddffc5e4514b75e3b6f49d8c8b65a95d0d6c374
parent4000f249ba5c177b53e91b9435a4420f8e4f5d6f (diff)
SecurityPkg/AuthSeriableLib: Always delete variable in certdb
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1783 While cleaning the certdb, always delete the variable data in the certdb regardless of its attribute. Cc: Chao Zhang <chao.b.zhang@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian Wang <jian.j.wang@intel.com> Cc: Star Zeng <star.zeng@intel.com> Cc: Liming Gao <liming.gao@intel.com> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com> Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
-rw-r--r--SecurityPkg/Library/AuthVariableLib/AuthService.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c
index 7493a2ed9c..486df55bed 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -18,7 +18,7 @@
They will do basic validation for authentication data structure, then call crypto library
to verify the signature.
-Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
@@ -1735,10 +1735,13 @@ CleanCertsFromDb (
);
if (EFI_ERROR(Status) || (AuthVariableInfo.Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) == 0) {
+ //
+ // While cleaning certdb, always delete the variable in certdb regardless of it attributes.
+ //
Status = DeleteCertsFromDb(
VariableName,
&AuthVarGuid,
- AuthVariableInfo.Attributes
+ AuthVariableInfo.Attributes | EFI_VARIABLE_NON_VOLATILE
);
CertCleaned = TRUE;
DEBUG((EFI_D_INFO, "Recovery!! Cert for Auth Variable %s Guid %g is removed for consistency\n", VariableName, &AuthVarGuid));
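Review bot: The result of `DeleteCertsFromDb` is stored in `Status`, but `CertCleaned = TRUE` and the "is removed for consistency" message follow unconditionally, so a failed delete is still reported as a completed cleanup. I would gate both on success, e.g. `if (!EFI_ERROR (Status)) { CertCleaned = TRUE; }`, and log the failing status otherwise. The enclosing loop of CleanCertsFromDb is outside this hunk; if it rescans certdb while `CertCleaned` is set, a delete that keeps failing would presumably repeat without ever leaving a stale entry behind or terminating cleanly. On the `EFI_ERROR(Status)` branch the lookup may not have filled in `AuthVariableInfo.Attributes`, so OR-ing into it only makes sense if the structure is zeroed before the lookup (not visible here); a short comment saying why `EFI_VARIABLE_NON_VOLATILE` is forced would make the intent auditable. The added comment also has a typo: `regardless of it attributes` should read `regardless of its attributes`.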