From fd4d9c6495109979eb17779e07666c7c11c79c6a Mon Sep 17 00:00:00 2001
From: "Zhang, Chao B" <chao.b.zhang@intel.com>
Date: Tue, 16 Aug 2016 10:21:42 +0800
Subject: [PATCH 1/1] SecurityPkg: AuthVariableLib: Fix inconsistent CertDB
 case

  2 steps are used to create/delete a time based variable.
  For create
     step 1: Insert Signer Cert to CertDB.
     Step 2: Insert Payload to Variable.
  For delete
     step 1: Delete Variable.
     Step 2: Delete Cert from CertDB.
  System may breaks between step 1 & step 2, so CertDB may contains useless
Cert in the next reboot. AuthVariableLib choose to sync consistent state
between CertDB & Time Auth Variable on initialization. However, it doesn't
apply Time Auth attribute check. Now add it.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Zeng Star <star.zeng@intel.com>
---
 SecurityPkg/Library/AuthVariableLib/AuthService.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c
index 6e1e284801..b013d420f6 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -2100,7 +2100,7 @@ CleanCertsFromDb (
                                        &AuthVariableInfo
                                        );
 
-      if (EFI_ERROR(Status)) {
+      if (EFI_ERROR(Status) || (AuthVariableInfo.Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) == 0) {
         Status      = DeleteCertsFromDb(
                         VariableName,
                         &AuthVarGuid,
-- 
2.39.2