diff options
3 files changed, 29 insertions, 5 deletions
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c index 6576e681c3..64ce968ac1 100644 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c @@ -526,7 +526,9 @@ VerifyCounterBasedPayload ( EFI_CERT_BLOCK_RSA_2048_SHA256 *CertBlock;
UINT8 Digest[SHA256_DIGEST_SIZE];
VOID *Rsa;
-
+ UINTN PayloadSize;
+
+ PayloadSize = DataSize - AUTHINFO_SIZE;
Rsa = NULL;
CertData = NULL;
CertBlock = NULL;
@@ -558,7 +560,14 @@ VerifyCounterBasedPayload ( if (!Status) {
goto Done;
}
- Status = Sha256Update (mHashCtx, Data + AUTHINFO_SIZE, (UINTN) (DataSize - AUTHINFO_SIZE));
+ Status = Sha256Update (mHashCtx, Data + AUTHINFO_SIZE, PayloadSize);
+ if (!Status) {
+ goto Done;
+ }
+ //
+ // Hash Size.
+ //
+ Status = Sha256Update (mHashCtx, &PayloadSize, sizeof (UINTN));
if (!Status) {
goto Done;
}
@@ -1099,6 +1108,7 @@ ProcessVarWithKek ( @return EFI_INVALID_PARAMETER Invalid parameter.
@return EFI_WRITE_PROTECTED Variable is write-protected and needs authentication with
EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.
+ @return EFI_OUT_OF_RESOURCES The Database to save the public key is full.
@return EFI_SECURITY_VIOLATION The variable is with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS
set, but the AuthInfo does NOT pass the validation
check carried out by the firmware.
@@ -1253,7 +1263,7 @@ ProcessVariable ( //
KeyIndex = AddPubKeyInStore (PubKey);
if (KeyIndex == 0) {
- return EFI_SECURITY_VIOLATION;
+ return EFI_OUT_OF_RESOURCES;
}
}
@@ -2155,13 +2165,13 @@ VerifyTimeBasedPayload ( //
// Delete signer's certificates when delete the common authenticated variable.
//
- if ((PayloadSize == 0) && (Variable->CurrPtr != NULL)) {
+ if ((PayloadSize == 0) && (Variable->CurrPtr != NULL) && ((Attributes & EFI_VARIABLE_APPEND_WRITE) == 0)) {
Status = DeleteCertsFromDb (VariableName, VendorGuid);
if (EFI_ERROR (Status)) {
VerifyStatus = FALSE;
goto Exit;
}
- } else if (Variable->CurrPtr == NULL) {
+ } else if (Variable->CurrPtr == NULL && PayloadSize != 0) {
//
// Insert signer's certificates when adding a new common authenticated variable.
//
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c index 07fe99bee7..e683783fa5 100644 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c @@ -2281,6 +2281,13 @@ VariableServiceSetVariable ( }
//
+ // Check for reserverd bit in variable attribute.
+ //
+ if ((Attributes & (~EFI_VARIABLE_ATTRIBUTES_MASK)) != 0) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ //
// Make sure if runtime bit is set, boot service bit is set also.
//
if ((Attributes & (EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS)) == EFI_VARIABLE_RUNTIME_ACCESS) {
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.h b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.h index 14a0744a57..563485f929 100644 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.h +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.h @@ -43,6 +43,13 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #include <Guid/HardwareErrorVariable.h>
#define VARIABLE_RECLAIM_THRESHOLD (1024)
+#define EFI_VARIABLE_ATTRIBUTES_MASK (EFI_VARIABLE_NON_VOLATILE | \
+ EFI_VARIABLE_BOOTSERVICE_ACCESS | \
+ EFI_VARIABLE_RUNTIME_ACCESS | \
+ EFI_VARIABLE_HARDWARE_ERROR_RECORD | \
+ EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS | \
+ EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS | \
+ EFI_VARIABLE_APPEND_WRITE)
///
/// The size of a 3 character ISO639 language code.
|