From patchwork Wed Jul  1 18:11:06 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Heinrich Schuchardt <xypron.glpk@gmx.de>
X-Patchwork-Id: 240584
List-Id: U-Boot discussion <u-boot.lists.denx.de>
From: xypron.glpk at gmx.de (Heinrich Schuchardt)
Date: Wed,  1 Jul 2020 20:11:06 +0200
Subject: [PATCH 1/1] efi_loader: time based authentication
Message-ID: <20200701181106.167453-1-xypron.glpk@gmx.de>

When overwriting an existing time base authenticated variable we should
compare to the preceding time value and not to the start of the epoch.

Signed-off-by: Heinrich Schuchardt <xypron.glpk at gmx.de>
---
 lib/efi_loader/efi_variable.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

--
2.27.0

diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c
index c262cb5972..974b710fec 100644
--- a/lib/efi_loader/efi_variable.c
+++ b/lib/efi_loader/efi_variable.c
@@ -35,7 +35,8 @@ static u8 efi_vendor_keys;
 static efi_status_t efi_get_variable_common(u16 *variable_name,
 					    const efi_guid_t *vendor,
 					    u32 *attributes,
-					    efi_uintn_t *data_size, void *data);
+					    efi_uintn_t *data_size, void *data,
+					    u64 *timep);

 static efi_status_t efi_set_variable_common(u16 *variable_name,
 					    const efi_guid_t *vendor,
@@ -308,7 +309,7 @@ static efi_status_t efi_init_secure_state(void)

 	size = 0;
 	ret = efi_get_variable_common(L"PK", &efi_global_variable_guid,
-				      NULL, &size, NULL);
+				      NULL, &size, NULL, NULL);
 	if (ret == EFI_BUFFER_TOO_SMALL) {
 		if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT))
 			mode = EFI_MODE_USER;
@@ -596,7 +597,8 @@ static efi_status_t efi_variable_authenticate(u16 *variable,
 static efi_status_t efi_get_variable_common(u16 *variable_name,
 					    const efi_guid_t *vendor,
 					    u32 *attributes,
-					    efi_uintn_t *data_size, void *data)
+					    efi_uintn_t *data_size, void *data,
+					    u64 *timep)
 {
 	char *native_name;
 	efi_status_t ret;
@@ -621,6 +623,9 @@ static efi_status_t efi_get_variable_common(u16 *variable_name,

 	val = parse_attr(val, &attr, &time);

+	if (timep)
+		*timep = time;
+
 	in_size = *data_size;

 	if ((s = prefix(val, "(blob)"))) {
@@ -704,7 +709,7 @@ efi_status_t EFIAPI efi_get_variable(u16 *variable_name,
 		  data_size, data);

 	ret = efi_get_variable_common(variable_name, vendor, attributes,
-				      data_size, data);
+				      data_size, data, NULL);
 	return EFI_EXIT(ret);
 }

@@ -900,7 +905,7 @@ static efi_status_t efi_set_variable_common(u16 *variable_name,
 	old_size = 0;
 	attr = 0;
 	ret = efi_get_variable_common(variable_name, vendor, &attr,
-				      &old_size, NULL);
+				      &old_size, NULL, &time);
 	append = !!(attributes & EFI_VARIABLE_APPEND_WRITE);
 	attributes &= ~(u32)EFI_VARIABLE_APPEND_WRITE;
 	delete = !append && (!data_size || !attributes);
@@ -991,7 +996,7 @@ static efi_status_t efi_set_variable_common(u16 *variable_name,
 			goto err;
 		}
 		ret = efi_get_variable_common(variable_name, vendor,
-					      &attr, &old_size, old_data);
+					      &attr, &old_size, old_data, NULL);
 		if (ret != EFI_SUCCESS)
 			goto err;
 	} else {