SecurityPkg Variable: Update code in ProcessVariable () to

check IsDeleteAuthVariable () first and then check UserPhysicalPresent () to avoid the case below. PcdSetXX (a DynamicHii PCD) -> gRT->SetVariable () -> UserPhysicalPresent () -> PcdGetXX () Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17058 6f19259b-4bc3-4df7-8a09-765794883524
author: Star Zeng <star.zeng@intel.com> 2015-03-17 03:25:16 +0000
committer: lzeng14 <lzeng14@Edk2> 2015-03-17 03:25:16 +0000
commit: 856236cad77652dde9be649c54e18ad4d39ffaab (patch)
tree: ba4f68f45193866908a64e85f00ce4fd3cdd3e55
parent: 4f953ed72109eeb87cbb11bd534c069f31e8b344 (diff)
download: edk2-platforms-856236cad77652dde9be649c54e18ad4d39ffaab.tar.xz
1 files changed, 23 insertions, 25 deletions
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
index 7f9d531100..9b8f63f089 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
@@ -1359,36 +1359,34 @@ ProcessVariable (
   IsDeletion  = FALSE;
   Status      = EFI_SUCCESS;
 
-  if (UserPhysicalPresent()) {
+  if (IsDeleteAuthVariable (Data, DataSize, Variable, Attributes) && UserPhysicalPresent()) {
     //
     // Allow the delete operation of common authenticated variable at user physical presence.
     //
-    if (IsDeleteAuthVariable (Data, DataSize, Variable, Attributes)) {
-      if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {
-        Status = DeleteCertsFromDb (VariableName, VendorGuid);
-      }
-      if (!EFI_ERROR (Status)) {
-        Status = UpdateVariable (
-                   VariableName,
-                   VendorGuid,
-                   NULL,
-                   0,
-                   0,
-                   0,
-                   0,
-                   Variable,
-                   NULL
-                   );
-      }
-      return Status;
+    if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {
+      Status = DeleteCertsFromDb (VariableName, VendorGuid);
     }
-  } else {
-    if (NeedPhysicallyPresent(VariableName, VendorGuid)) {
-      //
-      // This variable is protected, only physical present user could modify its value.
-      //
-      return EFI_SECURITY_VIOLATION;
+    if (!EFI_ERROR (Status)) {
+      Status = UpdateVariable (
+                 VariableName,
+                 VendorGuid,
+                 NULL,
+                 0,
+                 0,
+                 0,
+                 0,
+                 Variable,
+                 NULL
+                 );
     }
+    return Status;
+  }
+
+  if (NeedPhysicallyPresent (VariableName, VendorGuid) && !UserPhysicalPresent()) {
+    //
+    // This variable is protected, only physical present user could modify its value.
+    //
+    return EFI_SECURITY_VIOLATION;
   }
 
   //
author	Star Zeng <star.zeng@intel.com>	2015-03-17 03:25:16 +0000
committer	lzeng14 <lzeng14@Edk2>	2015-03-17 03:25:16 +0000
commit	856236cad77652dde9be649c54e18ad4d39ffaab (patch)
tree	ba4f68f45193866908a64e85f00ce4fd3cdd3e55
parent	4f953ed72109eeb87cbb11bd534c069f31e8b344 (diff)
download	edk2-platforms-856236cad77652dde9be649c54e18ad4d39ffaab.tar.xz