They will do basic validation for authentication data structure, then call crypto library\r
to verify the signature.\r
\r
-Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>\r
+Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>\r
This program and the accompanying materials\r
are licensed and made available under the terms and conditions of the BSD License\r
which accompanies this distribution. The full text of the license may be found at\r
return FALSE;\r
}\r
\r
-\r
-/**\r
- Internal function to delete a Variable given its name and GUID, no authentication\r
- required.\r
-\r
- @param[in] VariableName Name of the Variable.\r
- @param[in] VendorGuid GUID of the Variable.\r
-\r
- @retval EFI_SUCCESS Variable deleted successfully.\r
- @retval Others The driver failded to start the device.\r
-\r
-**/\r
-EFI_STATUS\r
-DeleteVariable (\r
- IN CHAR16 *VariableName,\r
- IN EFI_GUID *VendorGuid\r
- )\r
-{\r
- EFI_STATUS Status;\r
- VARIABLE_POINTER_TRACK Variable;\r
-\r
- Status = FindVariable (VariableName, VendorGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);\r
- if (EFI_ERROR (Status)) {\r
- return EFI_SUCCESS;\r
- }\r
-\r
- ASSERT (Variable.CurrPtr != NULL);\r
- return UpdateVariable (VariableName, VendorGuid, NULL, 0, 0, 0, 0, &Variable, NULL);\r
-}\r
-\r
/**\r
Initializes for authenticated varibale service.\r
\r
return Status;\r
}\r
\r
+/**\r
+ Check if it is to delete auth variable.\r
+\r
+ @param[in] Data Data pointer.\r
+ @param[in] DataSize Size of Data.\r
+ @param[in] Variable The variable information which is used to keep track of variable usage.\r
+ @param[in] Attributes Attribute value of the variable.\r
+\r
+ @retval TRUE It is to delete auth variable.\r
+ @retval FALSE It is not to delete auth variable.\r
+\r
+**/\r
+BOOLEAN\r
+IsDeleteAuthVariable (\r
+ IN VOID *Data,\r
+ IN UINTN DataSize,\r
+ IN VARIABLE_POINTER_TRACK *Variable,\r
+ IN UINT32 Attributes\r
+ )\r
+{\r
+ BOOLEAN Del;\r
+ UINT8 *Payload;\r
+ UINTN PayloadSize;\r
+\r
+ Del = FALSE;\r
+\r
+ //\r
+ // To delete a variable created with the EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS\r
+ // or the EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS attribute,\r
+ // SetVariable must be used with attributes matching the existing variable\r
+ // and the DataSize set to the size of the AuthInfo descriptor.\r
+ //\r
+ if ((Variable->CurrPtr != NULL) &&\r
+ (Attributes == Variable->CurrPtr->Attributes) &&\r
+ ((Attributes & (EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)) != 0)) {\r
+ if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {\r
+ Payload = (UINT8 *) Data + AUTHINFO2_SIZE (Data);\r
+ PayloadSize = DataSize - AUTHINFO2_SIZE (Data);\r
+ if (PayloadSize == 0) {\r
+ Del = TRUE;\r
+ }\r
+ } else {\r
+ Payload = (UINT8 *) Data + AUTHINFO_SIZE;\r
+ PayloadSize = DataSize - AUTHINFO_SIZE;\r
+ if (PayloadSize == 0) {\r
+ Del = TRUE;\r
+ }\r
+ }\r
+ }\r
+\r
+ return Del;\r
+}\r
+\r
/**\r
Process variable with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS/EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set\r
\r
@param[in] VendorGuid Variable vendor GUID.\r
\r
@param[in] Data Data pointer.\r
- @param[in] DataSize Size of Data found. If size is less than the\r
- data, this value contains the required size.\r
+ @param[in] DataSize Size of Data.\r
@param[in] Variable The variable information which is used to keep track of variable usage.\r
@param[in] Attributes Attribute value of the variable.\r
\r
PubKey = NULL;\r
IsDeletion = FALSE;\r
\r
- if (NeedPhysicallyPresent(VariableName, VendorGuid) && !UserPhysicalPresent()) {\r
+ if (UserPhysicalPresent()) {\r
//\r
- // This variable is protected, only physical present user could modify its value.\r
+ // Allow the delete operation of common authenticated variable at user physical presence.\r
//\r
- return EFI_SECURITY_VIOLATION;\r
+ if (IsDeleteAuthVariable (Data, DataSize, Variable, Attributes)) {\r
+ if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {\r
+ Status = DeleteCertsFromDb (VariableName, VendorGuid);\r
+ }\r
+ if (!EFI_ERROR (Status)) {\r
+ Status = UpdateVariable (\r
+ VariableName,\r
+ VendorGuid,\r
+ NULL,\r
+ 0,\r
+ 0,\r
+ 0,\r
+ 0,\r
+ Variable,\r
+ NULL\r
+ );\r
+ }\r
+ return Status;\r
+ }\r
+ } else {\r
+ if (NeedPhysicallyPresent(VariableName, VendorGuid)) {\r
+ //\r
+ // This variable is protected, only physical present user could modify its value.\r
+ //\r
+ return EFI_SECURITY_VIOLATION;\r
+ }\r
}\r
\r
//\r
may not be modified without authorization. If platform fails to protect these resources, \r
the authentication service provided in this driver will be broken, and the behavior is undefined.\r
\r
-Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>\r
+Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>\r
This program and the accompanying materials\r
are licensed and made available under the terms and conditions of the BSD License\r
which accompanies this distribution. The full text of the license may be found at\r
IN EFI_TIME *SecondTime\r
);\r
\r
+/**\r
+ Delete matching signer's certificates when deleting common authenticated\r
+ variable by corresponding VariableName and VendorGuid from "certdb".\r
+\r
+ @param[in] VariableName Name of authenticated Variable.\r
+ @param[in] VendorGuid Vendor GUID of authenticated Variable.\r
+\r
+ @retval EFI_INVALID_PARAMETER Any input parameter is invalid.\r
+ @retval EFI_NOT_FOUND Fail to find "certdb" or matching certs.\r
+ @retval EFI_OUT_OF_RESOURCES The operation is failed due to lack of resources.\r
+ @retval EFI_SUCCESS The operation is completed successfully.\r
+\r
+**/\r
+EFI_STATUS\r
+DeleteCertsFromDb (\r
+ IN CHAR16 *VariableName,\r
+ IN EFI_GUID *VendorGuid\r
+ );\r
\r
/**\r
Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set\r
**/\r
\r
#include "Variable.h"\r
+#include "AuthService.h"\r
#include <Library/DevicePathLib.h>\r
\r
extern LIST_ENTRY mLockedVariableList;\r
EFI_VENDOR_KEYS_NV_VARIABLE_NAME,\r
{\r
VAR_CHECK_VARIABLE_PROPERTY_REVISION,\r
- 0,\r
+ VAR_CHECK_VARIABLE_PROPERTY_READ_ONLY,\r
VARIABLE_ATTRIBUTE_NV_BS_RT_AT,\r
sizeof (UINT8),\r
sizeof (UINT8)\r
},\r
{\r
&gEfiAuthenticatedVariableGuid,\r
- L"AuthVarKeyDatabase",\r
+ AUTHVAR_KEYDB_NAME,\r
{\r
VAR_CHECK_VARIABLE_PROPERTY_REVISION,\r
- 0,\r
+ VAR_CHECK_VARIABLE_PROPERTY_READ_ONLY,\r
VARIABLE_ATTRIBUTE_NV_BS_RT_AW,\r
sizeof (UINT8),\r
MAX_UINTN\r
},\r
{\r
&gEfiCertDbGuid,\r
- L"certdb",\r
+ EFI_CERT_DB_NAME,\r
{\r
VAR_CHECK_VARIABLE_PROPERTY_REVISION,\r
- 0,\r
+ VAR_CHECK_VARIABLE_PROPERTY_READ_ONLY,\r
VARIABLE_ATTRIBUTE_NV_BS_RT_AT,\r
sizeof (UINT32),\r
MAX_UINTN\r
projects / mirror_edk2.git / commitdiff