From fd4d9c6495109979eb17779e07666c7c11c79c6a Mon Sep 17 00:00:00 2001 From: "Zhang, Chao B" Date: Tue, 16 Aug 2016 10:21:42 +0800 Subject: [PATCH] SecurityPkg: AuthVariableLib: Fix inconsistent CertDB case 2 steps are used to create/delete a time based variable. For create step 1: Insert Signer Cert to CertDB. Step 2: Insert Payload to Variable. For delete step 1: Delete Variable. Step 2: Delete Cert from CertDB. System may breaks between step 1 & step 2, so CertDB may contains useless Cert in the next reboot. AuthVariableLib choose to sync consistent state between CertDB & Time Auth Variable on initialization. However, it doesn't apply Time Auth attribute check. Now add it. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Chao Zhang Reviewed-by: Fu Siyuan Reviewed-by: Zeng Star --- SecurityPkg/Library/AuthVariableLib/AuthService.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c index 6e1e284801..b013d420f6 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c @@ -2100,7 +2100,7 @@ CleanCertsFromDb ( &AuthVariableInfo ); - if (EFI_ERROR(Status)) { + if (EFI_ERROR(Status) || (AuthVariableInfo.Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) == 0) { Status = DeleteCertsFromDb( VariableName, &AuthVarGuid,