mirror of https://github.com/acidanthera/audk.git
929d1a24d1
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 In timestamp check after the cert is found in db, the original code jumps to 'Done' if any error happens in fetching dbx variable. At any of the jump, VerifyStatus equals to TRUE, which means allowed-by-db. This should not be allowed except to EFI_NOT_FOUND case (meaning dbx doesn't exist), because it could be used to bypass timestamp check. This patch add code to change VerifyStatus to FALSE in the case of memory allocation failure and dbx fetching failure to avoid potential bypass issue. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Chao Zhang <chao.b.zhang@intel.com> Signed-off-by: Jian J Wang <jian.j.wang@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> |
||
|---|---|---|
| .. | ||
| AuthVariableLib | ||
| DxeImageAuthenticationStatusLib | ||
| DxeImageVerificationLib | ||
| DxeRsa2048Sha256GuidedSectionExtractLib | ||
| DxeTcg2PhysicalPresenceLib | ||
| DxeTcgPhysicalPresenceLib | ||
| DxeTpm2MeasureBootLib | ||
| DxeTpmMeasureBootLib | ||
| DxeTpmMeasurementLib | ||
| FmpAuthenticationLibPkcs7 | ||
| FmpAuthenticationLibRsa2048Sha256 | ||
| HashInstanceLibSha1 | ||
| HashInstanceLibSha256 | ||
| HashInstanceLibSha384 | ||
| HashInstanceLibSha512 | ||
| HashInstanceLibSm3 | ||
| HashLibBaseCryptoRouter | ||
| HashLibTpm2 | ||
| PeiRsa2048Sha256GuidedSectionExtractLib | ||
| PeiTcg2PhysicalPresenceLib | ||
| PlatformSecureLibNull | ||
| SmmTcg2PhysicalPresenceLib | ||
| Tcg2PpVendorLibNull | ||
| TcgPpVendorLibNull | ||
| TcgStorageCoreLib | ||
| TcgStorageOpalLib | ||
| Tpm2CommandLib | ||
| Tpm2DeviceLibDTpm | ||
| Tpm2DeviceLibRouter | ||
| Tpm2DeviceLibTcg2 | ||
| Tpm12CommandLib | ||
| Tpm12DeviceLibDTpm | ||
| Tpm12DeviceLibTcg | ||
| TpmCommLib | ||