Djam/u-boot
1
0
Fork 0
mirror of https://github.com/u-boot/u-boot.git synced 2025-05-08 10:39:08 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

efi_loader: update SetVariable attribute check

Browse source 
UEFI specification v2.10 says that
EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS is deprecated and
EFI_UNSUPPORTED should be returned in SetVariable variable service.
Current implementation returns EFI_INVALID_PARAMETER,
let's fix the return value.

Together with above change, this commit also updates the SetVariable
attribute check to be aligned with the EDK2 reference implementation.

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
This commit is contained in:
Masahisa Kojima 2023-02-21 11:33:17 +09:00 committed by Heinrich Schuchardt
parent 5ee8d90f54
commit 26a35023c4
1 changed files with 25 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

31
lib/efi_loader/efi_variable.c
View file

@ -230,8 +230,30 @@ efi_status_t efi_set_variable_int(const u16 *variable_name,
u64 time = 0;
enum efi_auth_var_type var_type;
if (!variable_name || !*variable_name || !vendor ||
((attributes & EFI_VARIABLE_RUNTIME_ACCESS) &&
if (!variable_name || !*variable_name || !vendor)
return EFI_INVALID_PARAMETER;
if (data_size && !data)
return EFI_INVALID_PARAMETER;
/* EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS is deprecated */
if (attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS)
return EFI_UNSUPPORTED;
/* Make sure if runtime bit is set, boot service bit is set also */
if ((attributes &
(EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS)) ==
EFI_VARIABLE_RUNTIME_ACCESS)
return EFI_INVALID_PARAMETER;
/* only EFI_VARIABLE_NON_VOLATILE attribute is invalid */
if ((attributes & EFI_VARIABLE_MASK) == EFI_VARIABLE_NON_VOLATILE)
return EFI_INVALID_PARAMETER;
/* Make sure HR is set with NV, BS and RT */
if (attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD &&
(!(attributes & EFI_VARIABLE_NON_VOLATILE) ||
!(attributes & EFI_VARIABLE_RUNTIME_ACCESS) ||
!(attributes & EFI_VARIABLE_BOOTSERVICE_ACCESS)))
return EFI_INVALID_PARAMETER;
@ -281,8 +303,6 @@ efi_status_t efi_set_variable_int(const u16 *variable_name,
/* authenticate a variable */
if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT)) {
if (attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS)
return EFI_INVALID_PARAMETER;
if (attributes &
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) {
u32 env_attr;
@ -300,8 +320,7 @@ efi_status_t efi_set_variable_int(const u16 *variable_name,
}
} else {
if (attributes &
(EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS |
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)) {
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) {
EFI_PRINT("Secure boot is not configured\n");
return EFI_INVALID_PARAMETER;
}