SecurityPkg Variable: Update code in ProcessVariable () to

check IsDeleteAuthVariable () first and then check UserPhysicalPresent () to avoid the case below. PcdSetXX (a DynamicHii PCD) -> gRT->SetVariable () -> UserPhysicalPresent () -> PcdGetXX () Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17058 6f19259b-4bc3-4df7-8a09-765794883524
2025-07-24 06:04:52 +02:00 · 2015-03-17 03:25:16 +00:00 · 2015-03-17 03:25:16 +00:00 · 856236cad7
commit 856236cad7
parent 4f953ed721
1 changed files with 23 additions and 25 deletions
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
@ -1359,36 +1359,34 @@ ProcessVariable (
  IsDeletion  = FALSE;
  Status      = EFI_SUCCESS;
-  if (UserPhysicalPresent()) {
+  if (IsDeleteAuthVariable (Data, DataSize, Variable, Attributes) && UserPhysicalPresent()) {
    //
    // Allow the delete operation of common authenticated variable at user physical presence.
    //
-    if (IsDeleteAuthVariable (Data, DataSize, Variable, Attributes)) {
+    if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {
-      if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {
+      Status = DeleteCertsFromDb (VariableName, VendorGuid);
        Status = DeleteCertsFromDb (VariableName, VendorGuid);
      }
      if (!EFI_ERROR (Status)) {
        Status = UpdateVariable (
                   VariableName,
                   VendorGuid,
                   NULL,
                   0,
                   0,
                   0,
                   0,
                   Variable,
                   NULL
                   );
      }
      return Status;
    }
-  } else {
+    if (!EFI_ERROR (Status)) {
-    if (NeedPhysicallyPresent(VariableName, VendorGuid)) {
+      Status = UpdateVariable (
-      //
+                 VariableName,
-      // This variable is protected, only physical present user could modify its value.
+                 VendorGuid,
-      //
+                 NULL,
-      return EFI_SECURITY_VIOLATION;
+                 0,
                 0,
                 0,
                 0,
                 Variable,
                 NULL
                 );
    }
    return Status;
  }
  if (NeedPhysicallyPresent (VariableName, VendorGuid) && !UserPhysicalPresent()) {
    //
    // This variable is protected, only physical present user could modify its value.
    //
    return EFI_SECURITY_VIOLATION;
  }
  //