REF: https://bugzilla.tianocore.org/show_bug.cgi?id=415
When SetVariable() to a time based auth variable with APPEND_WRITE attribute, and if the EFI_VARIABLE_AUTHENTICATION_2.TimeStamp in the input Data is earlier than current value, it will cause timestamp zeroing. This issue may bring time based auth variable downgrade problem. For example: A vendor released three certs at 2014, 2015, and 2016, and system integrated the 2016 cert. User can SetVariable() with 2015 cert and APPEND_WRITE attribute to cause timestamp zeroing first, then SetVariable() with 2014 cert to downgrade the cert. This patch fixes this issue. Cc: Jiewen Yao <jiewen....@intel.com> Cc: Chao Zhang <chao.b.zh...@intel.com> Cc: Jian J Wang <jian.j.w...@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Star Zeng <star.z...@intel.com> --- MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c index a2d61c8cd618..8e8db71bd201 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c @@ -2462,6 +2462,8 @@ UpdateVariable ( if (Variable->CurrPtr != NULL) { if (VariableCompareTimeStampInternal (&(((AUTHENTICATED_VARIABLE_HEADER *) CacheVariable->CurrPtr)->TimeStamp), TimeStamp)) { CopyMem (&AuthVariable->TimeStamp, TimeStamp, sizeof (EFI_TIME)); + } else { + CopyMem (&AuthVariable->TimeStamp, &(((AUTHENTICATED_VARIABLE_HEADER *) CacheVariable->CurrPtr)->TimeStamp), sizeof (EFI_TIME)); } } } -- 2.7.0.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel