1. Correct the counter-based hash algorithm according to UEFI spec.
2. Check the reserved bit in variable attribute. 3. Return EFI_OUT_OF_RESOURCES instead of EFI_SECURITY_VIOLATION if there is not enough space to store the public key. 4. Fix a bug where deleting a non-existent time-based auth variable stored the certificate into the cert DB incorrectly. 5. Fix a bug where a time-based auth variable can't be updated again after an append operation. Signed-off-by: Fu Siyuan <siyuan.fu@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com> Reviewed-by: Dong Guo <guo.dong@intel.com> git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13957 6f19259b-4bc3-4df7-8a09-765794883524
parent
d316f1dca1
commit
275beb2b53
|
@ -526,7 +526,9 @@ VerifyCounterBasedPayload (
|
|||
EFI_CERT_BLOCK_RSA_2048_SHA256 *CertBlock;
|
||||
UINT8 Digest[SHA256_DIGEST_SIZE];
|
||||
VOID *Rsa;
|
||||
|
||||
UINTN PayloadSize;
|
||||
|
||||
PayloadSize = DataSize - AUTHINFO_SIZE;
|
||||
Rsa = NULL;
|
||||
CertData = NULL;
|
||||
CertBlock = NULL;
|
||||
|
@ -558,7 +560,14 @@ VerifyCounterBasedPayload (
|
|||
if (!Status) {
|
||||
goto Done;
|
||||
}
|
||||
Status = Sha256Update (mHashCtx, Data + AUTHINFO_SIZE, (UINTN) (DataSize - AUTHINFO_SIZE));
|
||||
Status = Sha256Update (mHashCtx, Data + AUTHINFO_SIZE, PayloadSize);
|
||||
if (!Status) {
|
||||
goto Done;
|
||||
}
|
||||
//
|
||||
// Hash Size.
|
||||
//
|
||||
Status = Sha256Update (mHashCtx, &PayloadSize, sizeof (UINTN));
|
||||
if (!Status) {
|
||||
goto Done;
|
||||
}
|
||||
|
@ -1099,6 +1108,7 @@ ProcessVarWithKek (
|
|||
@return EFI_INVALID_PARAMETER Invalid parameter.
|
||||
@return EFI_WRITE_PROTECTED Variable is write-protected and needs authentication with
|
||||
EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.
|
||||
@return EFI_OUT_OF_RESOURCES The Database to save the public key is full.
|
||||
@return EFI_SECURITY_VIOLATION The variable is with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS
|
||||
set, but the AuthInfo does NOT pass the validation
|
||||
check carried out by the firmware.
|
||||
|
@ -1253,7 +1263,7 @@ ProcessVariable (
|
|||
//
|
||||
KeyIndex = AddPubKeyInStore (PubKey);
|
||||
if (KeyIndex == 0) {
|
||||
return EFI_SECURITY_VIOLATION;
|
||||
return EFI_OUT_OF_RESOURCES;
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -2155,13 +2165,13 @@ VerifyTimeBasedPayload (
|
|||
//
|
||||
// Delete signer's certificates when delete the common authenticated variable.
|
||||
//
|
||||
if ((PayloadSize == 0) && (Variable->CurrPtr != NULL)) {
|
||||
if ((PayloadSize == 0) && (Variable->CurrPtr != NULL) && ((Attributes & EFI_VARIABLE_APPEND_WRITE) == 0)) {
|
||||
Status = DeleteCertsFromDb (VariableName, VendorGuid);
|
||||
if (EFI_ERROR (Status)) {
|
||||
VerifyStatus = FALSE;
|
||||
goto Exit;
|
||||
}
|
||||
} else if (Variable->CurrPtr == NULL) {
|
||||
} else if (Variable->CurrPtr == NULL && PayloadSize != 0) {
|
||||
//
|
||||
// Insert signer's certificates when adding a new common authenticated variable.
|
||||
//
|
||||
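Review bot: `PayloadSize = DataSize - AUTHINFO_SIZE;` in the first VerifyCounterBasedPayload hunk is stored in a UINTN, so it wraps to a very large value when DataSize is smaller than AUTHINFO_SIZE, and that value is then used as the length in `Sha256Update (mHashCtx, Data + AUTHINFO_SIZE, PayloadSize)`. No lower-bound check on DataSize is visible in either hunk; the function body starts and ends outside them, so the bound may be enforced by a caller. If it is not, the function should fail the request before the subtraction with a guard on `DataSize < AUTHINFO_SIZE`, or at least carry a comment naming where the bound is enforced. Separately, the size is hashed as `sizeof (UINTN)` bytes, so the digest a signer has to produce appears to depend on the firmware's native word size; a comment next to `// Hash Size.` should say so.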
|
|
|
@ -2280,6 +2280,13 @@ VariableServiceSetVariable (
|
|||
return EFI_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
//
|
||||
// Check for reserverd bit in variable attribute.
|
||||
//
|
||||
if ((Attributes & (~EFI_VARIABLE_ATTRIBUTES_MASK)) != 0) {
|
||||
return EFI_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
//
|
||||
// Make sure if runtime bit is set, boot service bit is set also.
|
||||
//
|
||||
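Review bot: The comment on the new attribute check misspells "reserved" (`// Check for reserverd bit in variable attribute.`) and does not say what happens to such a request. I would write `// Reject any attribute bit outside EFI_VARIABLE_ATTRIBUTES_MASK; those bits are reserved.` so a reader can see without opening the header that the test fails closed on unknown attributes. VariableServiceSetVariable's body continues outside the hunk.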
|
|
|
@ -43,6 +43,13 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
|
|||
#include <Guid/HardwareErrorVariable.h>
|
||||
|
||||
#define VARIABLE_RECLAIM_THRESHOLD (1024)
|
||||
#define EFI_VARIABLE_ATTRIBUTES_MASK (EFI_VARIABLE_NON_VOLATILE | \
|
||||
EFI_VARIABLE_BOOTSERVICE_ACCESS | \
|
||||
EFI_VARIABLE_RUNTIME_ACCESS | \
|
||||
EFI_VARIABLE_HARDWARE_ERROR_RECORD | \
|
||||
EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS | \
|
||||
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS | \
|
||||
EFI_VARIABLE_APPEND_WRITE)
|
||||
|
||||
///
|
||||
/// The size of a 3 character ISO639 language code.
|
||||
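Review bot: EFI_VARIABLE_ATTRIBUTES_MASK is added without a comment, although it now acts as an allow-list: the commit description says bits outside it are treated as reserved and the SetVariable path rejects them. A header comment such as `/// All attribute bits this driver accepts; any other bit is reserved and is rejected.` would record that the list has to be extended whenever support for a new attribute is added. If this header is private to the driver, the `EFI_` prefix also makes the macro look like a spec-defined name, and a driver-local prefix would avoid a clash should a shared header later define the same identifier.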
|
|