Fix time-based and count-based authenticated variable can be updated by each other...
[mirror_edk2.git] / SecurityPkg / VariableAuthenticated / RuntimeDxe / AuthService.c
index cf8ad9969696a06e1c70095246724d9063fc6fc7..6576e681c3b6ba812c15b3b0c377b4cb37864d2c 100644 (file)
@@ -1137,6 +1137,22 @@ ProcessVariable (
     return EFI_SECURITY_VIOLATION;\r
   }\r
   \r
+  //\r
+  // A time-based authenticated variable and a count-based authenticated variable\r
+  // can't be updated by each other.\r
+  // \r
+  if (Variable->CurrPtr != NULL) {    \r
+    if (((Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) != 0) &&\r
+        ((Variable->CurrPtr->Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0)) {\r
+      return EFI_SECURITY_VIOLATION;      \r
+    }\r
+    \r
+    if (((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) && \r
+        ((Variable->CurrPtr->Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) != 0)) {\r
+      return EFI_SECURITY_VIOLATION;      \r
+    }\r
+  }\r
+    \r
   //\r
   // Process Time-based Authenticated variable.\r
   //\r
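Review bot: The new guard at `if (Variable->CurrPtr != NULL)` only rejects a mixed request when a variable already exists, so a first-time write whose `Attributes` carries both EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS and EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS passes straight through to the time-based processing below. If the caller does not already refuse that combination (not visible here, since ProcessVariable starts and ends outside the hunk), I would add an unconditional check ahead of the guard that returns `EFI_INVALID_PARAMETER` when both bits are set. I would also extend the comment with `// A request carrying neither authentication bit is not handled here; see the checks below.` so readers do not assume this block covers unauthenticated writes to an authenticated variable. The two symmetric `if` bodies could be merged into one condition, and the trailing whitespace on the added lines should be dropped.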