return EFI_INVALID_PARAMETER;\r
}\r
\r
- if (mPlatformMode == USER_MODE && !(InCustomMode() && UserPhysicalPresent())) {\r
- //\r
- // Verify against X509 Cert PK.\r
- //\r
- Del = FALSE;\r
- Status = VerifyTimeBasedPayload (\r
- VariableName,\r
- VendorGuid,\r
- Data,\r
- DataSize,\r
- Variable,\r
- Attributes,\r
- AuthVarTypePk,\r
- &Del\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- //\r
- // If delete PK in user mode, need change to setup mode.\r
- //\r
- if (Del && IsPk) {\r
- Status = UpdatePlatformMode (SETUP_MODE);\r
- }\r
- }\r
- return Status;\r
- } else {\r
- //\r
- // Process PK or KEK in Setup mode or Custom Secure Boot mode.\r
- //\r
+ Del = FALSE;\r
+ if ((InCustomMode() && UserPhysicalPresent()) || (mPlatformMode == SETUP_MODE && !IsPk)) {\r
Payload = (UINT8 *) Data + AUTHINFO2_SIZE (Data);\r
PayloadSize = DataSize - AUTHINFO2_SIZE (Data);\r
+ if (PayloadSize == 0) {\r
+ Del = TRUE;\r
+ }\r
\r
Status = CheckSignatureListFormat(VariableName, VendorGuid, Payload, PayloadSize);\r
if (EFI_ERROR (Status)) {\r
Variable,\r
&((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp\r
);\r
+ } else if (mPlatformMode == USER_MODE) {\r
+ //\r
+ // Verify against X509 Cert in PK database.\r
+ //\r
+ Status = VerifyTimeBasedPayload (\r
+ VariableName,\r
+ VendorGuid,\r
+ Data,\r
+ DataSize,\r
+ Variable,\r
+ Attributes,\r
+ AuthVarTypePk,\r
+ &Del\r
+ );\r
+ } else {\r
+ //\r
+ // Verify against the certificate in data payload.\r
+ //\r
+ Status = VerifyTimeBasedPayload (\r
+ VariableName,\r
+ VendorGuid,\r
+ Data,\r
+ DataSize,\r
+ Variable,\r
+ Attributes,\r
+ AuthVarTypePayload,\r
+ &Del\r
+ );\r
+ }\r
\r
- if (IsPk) {\r
- if (PayloadSize != 0) {\r
- //\r
- // If enroll PK in setup mode, need change to user mode.\r
- //\r
- Status = UpdatePlatformMode (USER_MODE);\r
- } else {\r
- //\r
- // If delete PK in custom mode, need change to setup mode.\r
- //\r
- UpdatePlatformMode (SETUP_MODE);\r
- }\r
- } \r
+ if (!EFI_ERROR(Status) && IsPk) {\r
+ if (mPlatformMode == SETUP_MODE && !Del) {\r
+ //\r
+ // If enroll PK in setup mode, need change to user mode.\r
+ //\r
+ Status = UpdatePlatformMode (USER_MODE);\r
+ } else if (mPlatformMode == USER_MODE && Del){\r
+ //\r
+ // If delete PK in user mode, need change to setup mode.\r
+ //\r
+ Status = UpdatePlatformMode (SETUP_MODE);\r
+ }\r
}\r
\r
return Status;\r
data, this value contains the required size.\r
@param[in] Variable The variable information which is used to keep track of variable usage.\r
@param[in] Attributes Attribute value of the variable.\r
- @param[in] AuthVarType Verify against PK or KEK database or private database.\r
+ @param[in] AuthVarType Verify against PK, KEK database, private database or certificate in data payload.\r
@param[out] VarDel Delete the variable or not.\r
\r
@retval EFI_INVALID_PARAMETER Invalid parameter.\r
goto Exit;\r
}\r
}\r
+ } else if (AuthVarType == AuthVarTypePayload) {\r
+ CertList = (EFI_SIGNATURE_LIST *) PayloadPtr;\r
+ Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);\r
+ RootCert = Cert->SignatureData;\r
+ RootCertSize = CertList->SignatureSize - (sizeof (EFI_SIGNATURE_DATA) - 1);\r
+ \r
+ // Verify Pkcs7 SignedData via Pkcs7Verify library.\r
+ //\r
+ VerifyStatus = Pkcs7Verify (\r
+ SigData,\r
+ SigDataSize,\r
+ RootCert,\r
+ RootCertSize,\r
+ NewData,\r
+ NewDataSize\r
+ );\r
} else {\r
return EFI_SECURITY_VIOLATION;\r
}\r