SecurityPkg Variable: Update code in ProcessVariable () to

check IsDeleteAuthVariable () first and then check
UserPhysicalPresent () to avoid the case below.

PcdSetXX (a DynamicHii PCD) -> gRT->SetVariable ()
-> UserPhysicalPresent () -> PcdGetXX () 

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17058 6f19259b-4bc3-4df7-8a09-765794883524

1 files changed, 23 insertions, 25 deletions

diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
index 7f9d531100..9b8f63f089 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
@@ -1359,36 +1359,34 @@ ProcessVariable (
   IsDeletion  = FALSE;

   Status      = EFI_SUCCESS;

 

-  if (UserPhysicalPresent()) {

+  if (IsDeleteAuthVariable (Data, DataSize, Variable, Attributes) && UserPhysicalPresent()) {

     //

     // Allow the delete operation of common authenticated variable at user physical presence.

     //

-    if (IsDeleteAuthVariable (Data, DataSize, Variable, Attributes)) {

-      if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {

-        Status = DeleteCertsFromDb (VariableName, VendorGuid);

-      }

-      if (!EFI_ERROR (Status)) {

-        Status = UpdateVariable (

-                   VariableName,

-                   VendorGuid,

-                   NULL,

-                   0,

-                   0,

-                   0,

-                   0,

-                   Variable,

-                   NULL

-                   );

-      }

-      return Status;

+    if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {

+      Status = DeleteCertsFromDb (VariableName, VendorGuid);

     }

-  } else {

-    if (NeedPhysicallyPresent(VariableName, VendorGuid)) {

-      //

-      // This variable is protected, only physical present user could modify its value.

-      //

-      return EFI_SECURITY_VIOLATION;

+    if (!EFI_ERROR (Status)) {

+      Status = UpdateVariable (

+                 VariableName,

+                 VendorGuid,

+                 NULL,

+                 0,

+                 0,

+                 0,

+                 0,

+                 Variable,

+                 NULL

+                 );

     }

+    return Status;

+  }

+

+  if (NeedPhysicallyPresent (VariableName, VendorGuid) && !UserPhysicalPresent()) {

+    //

+    // This variable is protected, only physical present user could modify its value.

+    //

+    return EFI_SECURITY_VIOLATION;

   }

 

   //