summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStar Zeng <star.zeng@intel.com>2015-03-17 03:25:16 +0000
committerlzeng14 <lzeng14@Edk2>2015-03-17 03:25:16 +0000
commit856236cad77652dde9be649c54e18ad4d39ffaab (patch)
treeba4f68f45193866908a64e85f00ce4fd3cdd3e55
parent4f953ed72109eeb87cbb11bd534c069f31e8b344 (diff)
downloadedk2-platforms-856236cad77652dde9be649c54e18ad4d39ffaab.tar.xz
SecurityPkg Variable: Update code in ProcessVariable () to
check IsDeleteAuthVariable () first and then check UserPhysicalPresent () to avoid the case below. PcdSetXX (a DynamicHii PCD) -> gRT->SetVariable () -> UserPhysicalPresent () -> PcdGetXX () Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17058 6f19259b-4bc3-4df7-8a09-765794883524
-rw-r--r--SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c48
1 files changed, 23 insertions, 25 deletions
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
index 7f9d531100..9b8f63f089 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
@@ -1359,36 +1359,34 @@ ProcessVariable (
IsDeletion = FALSE;
Status = EFI_SUCCESS;
- if (UserPhysicalPresent()) {
+ if (IsDeleteAuthVariable (Data, DataSize, Variable, Attributes) && UserPhysicalPresent()) {
//
// Allow the delete operation of common authenticated variable at user physical presence.
//
- if (IsDeleteAuthVariable (Data, DataSize, Variable, Attributes)) {
- if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {
- Status = DeleteCertsFromDb (VariableName, VendorGuid);
- }
- if (!EFI_ERROR (Status)) {
- Status = UpdateVariable (
- VariableName,
- VendorGuid,
- NULL,
- 0,
- 0,
- 0,
- 0,
- Variable,
- NULL
- );
- }
- return Status;
+ if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {
+ Status = DeleteCertsFromDb (VariableName, VendorGuid);
}
- } else {
- if (NeedPhysicallyPresent(VariableName, VendorGuid)) {
- //
- // This variable is protected, only physical present user could modify its value.
- //
- return EFI_SECURITY_VIOLATION;
+ if (!EFI_ERROR (Status)) {
+ Status = UpdateVariable (
+ VariableName,
+ VendorGuid,
+ NULL,
+ 0,
+ 0,
+ 0,
+ 0,
+ Variable,
+ NULL
+ );
}
+ return Status;
+ }
+
+ if (NeedPhysicallyPresent (VariableName, VendorGuid) && !UserPhysicalPresent()) {
+ //
+ // This variable is protected, only physical present user could modify its value.
+ //
+ return EFI_SECURITY_VIOLATION;
}
//