
[12/15] uefirtauthvar: setting authenticated variable with invalid attribute test

Message ID 1413970840-27212-5-git-send-email-ivan.hu@canonical.com
State Accepted

Commit Message

Ivan Hu Oct. 22, 2014, 9:40 a.m. UTC
This test sets an authenticated variable with invalid attributes. The
authenticated variable follows the EFI_VARIABLE_AUTHENTICATION_2 descriptor,
but is set with the invalid EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS attribute
instead of EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; firmware should
return EFI_SECURITY_VIOLATION.

Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
---
 src/uefi/uefirtauthvar/uefirtauthvar.c |   44 ++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

Comments

Colin Ian King Oct. 22, 2014, 4:07 p.m. UTC | #1
On 22/10/14 10:40, Ivan Hu wrote:
> This test sets with the invalid attributes. The authenticated variable is
> followed EFI_VARIABLE_AUTHENTICATION_2 descriptor, set the authenticated
> variable with invalid EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS instead of
> EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS attribute, firmware should
> return EFI_SECURITY_VIOLATION.
> 
> Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
> ---
>  src/uefi/uefirtauthvar/uefirtauthvar.c |   44 ++++++++++++++++++++++++++++++++
>  1 file changed, 44 insertions(+)
> 
> diff --git a/src/uefi/uefirtauthvar/uefirtauthvar.c b/src/uefi/uefirtauthvar/uefirtauthvar.c
> index 00da3c7..fc59487 100644
> --- a/src/uefi/uefirtauthvar/uefirtauthvar.c
> +++ b/src/uefi/uefirtauthvar/uefirtauthvar.c
> @@ -622,6 +622,49 @@ static int uefirtauthvar_test10(fwts_framework *fw)
>  	return FWTS_ERROR;
>  }
>  
> +/*
> + * The authenticated variable is followed EFI_VARIABLE_AUTHENTICATION_2 descriptor,
> + * set the authenticated variable with invalid
> + * EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS instead of
> + * EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS attribute should
> + * return EFI_SECURITY_VIOLATION.
> + */
> +static int uefirtauthvar_test11(fwts_framework *fw)
> +{
> +	long ioret;
> +
> +	uint64_t status;
> +	int supcheck;
> +	uint32_t attr = FWTS_UEFI_VAR_NON_VOLATILE |
> +			FWTS_UEFI_VAR_BOOTSERVICE_ACCESS |
> +			FWTS_UEFI_VAR_RUNTIME_ACCESS |
> +			FWTS_UEFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS;
> +
> +	ioret = setvar(&gtestguid, attr, sizeof(AuthVarCreate), AuthVarCreate, &status);
> +
> +	if (ioret == -1) {
> +		supcheck = check_fw_support(fw, status);
> +		if (supcheck != FWTS_OK)
> +			return supcheck;
> +
> +		if (status == EFI_SECURITY_VIOLATION) {
> +			fwts_passed(fw, "Set authenticated variable test with invalid attributes passed.");
> +			return FWTS_OK;
> +		}
> +
> +		fwts_failed(fw, LOG_LEVEL_MEDIUM,
> +			"UEFISetAuthVarInvalidAttr",
> +			"Set authenticated variable fail");
> +			fwts_uefi_print_status_info(fw, status);
> +	}
> +
> +	fwts_failed(fw, LOG_LEVEL_HIGH,
> +		"UEFISetAuthVarInvalidAttr",
> +		"Set authenticated variable expected fail but success");
> +
> +	return FWTS_ERROR;
> +}
> +
>  static fwts_framework_minor_test uefirtauthvar_tests[] = {
>  	{ uefirtauthvar_test1, "Create authenticated variable test." },
>  	{ uefirtauthvar_test2, "Authenticated variable test with the same authenticated variable." },
> @@ -633,6 +676,7 @@ static fwts_framework_minor_test uefirtauthvar_tests[] = {
>  	{ uefirtauthvar_test8, "Authenticated variable test with invalid modified data." },
>  	{ uefirtauthvar_test9, "Authenticated variable test with invalid modified timestamp." },
>  	{ uefirtauthvar_test10, "Authenticated variable test with different guid." },
> +	{ uefirtauthvar_test11, "Authenticated variable test with invalid attributes." },
>  	{ NULL, NULL }
>  };
>  
> 
Acked-by: Colin Ian King <colin.king@canonical.com>
Keng-Yu Lin Oct. 29, 2014, 4:07 a.m. UTC | #2
On Wed, Oct 22, 2014 at 5:40 PM, Ivan Hu <ivan.hu@canonical.com> wrote:
> This test sets with the invalid attributes. The authenticated variable is
> followed EFI_VARIABLE_AUTHENTICATION_2 descriptor, set the authenticated
> variable with invalid EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS instead of
> EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS attribute, firmware should
> return EFI_SECURITY_VIOLATION.
>
> Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
> ---
>  src/uefi/uefirtauthvar/uefirtauthvar.c |   44 ++++++++++++++++++++++++++++++++
>  1 file changed, 44 insertions(+)
>
> diff --git a/src/uefi/uefirtauthvar/uefirtauthvar.c b/src/uefi/uefirtauthvar/uefirtauthvar.c
> index 00da3c7..fc59487 100644
> --- a/src/uefi/uefirtauthvar/uefirtauthvar.c
> +++ b/src/uefi/uefirtauthvar/uefirtauthvar.c
> @@ -622,6 +622,49 @@ static int uefirtauthvar_test10(fwts_framework *fw)
>         return FWTS_ERROR;
>  }
>
> +/*
> + * The authenticated variable is followed EFI_VARIABLE_AUTHENTICATION_2 descriptor,
> + * set the authenticated variable with invalid
> + * EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS instead of
> + * EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS attribute should
> + * return EFI_SECURITY_VIOLATION.
> + */
> +static int uefirtauthvar_test11(fwts_framework *fw)
> +{
> +       long ioret;
> +
> +       uint64_t status;
> +       int supcheck;
> +       uint32_t attr = FWTS_UEFI_VAR_NON_VOLATILE |
> +                       FWTS_UEFI_VAR_BOOTSERVICE_ACCESS |
> +                       FWTS_UEFI_VAR_RUNTIME_ACCESS |
> +                       FWTS_UEFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS;
> +
> +       ioret = setvar(&gtestguid, attr, sizeof(AuthVarCreate), AuthVarCreate, &status);
> +
> +       if (ioret == -1) {
> +               supcheck = check_fw_support(fw, status);
> +               if (supcheck != FWTS_OK)
> +                       return supcheck;
> +
> +               if (status == EFI_SECURITY_VIOLATION) {
> +                       fwts_passed(fw, "Set authenticated variable test with invalid attributes passed.");
> +                       return FWTS_OK;
> +               }
> +
> +               fwts_failed(fw, LOG_LEVEL_MEDIUM,
> +                       "UEFISetAuthVarInvalidAttr",
> +                       "Set authenticated variable fail");
> +                       fwts_uefi_print_status_info(fw, status);
> +       }
> +
> +       fwts_failed(fw, LOG_LEVEL_HIGH,
> +               "UEFISetAuthVarInvalidAttr",
> +               "Set authenticated variable expected fail but success");
> +
> +       return FWTS_ERROR;
> +}
> +
>  static fwts_framework_minor_test uefirtauthvar_tests[] = {
>         { uefirtauthvar_test1, "Create authenticated variable test." },
>         { uefirtauthvar_test2, "Authenticated variable test with the same authenticated variable." },
> @@ -633,6 +676,7 @@ static fwts_framework_minor_test uefirtauthvar_tests[] = {
>         { uefirtauthvar_test8, "Authenticated variable test with invalid modified data." },
>         { uefirtauthvar_test9, "Authenticated variable test with invalid modified timestamp." },
>         { uefirtauthvar_test10, "Authenticated variable test with different guid." },
> +       { uefirtauthvar_test11, "Authenticated variable test with invalid attributes." },
>         { NULL, NULL }
>  };
>
> --
> 1.7.9.5
>
>

Acked-by: Keng-Yu Lin <kengyu@canonical.com>

Patch

diff --git a/src/uefi/uefirtauthvar/uefirtauthvar.c b/src/uefi/uefirtauthvar/uefirtauthvar.c
index 00da3c7..fc59487 100644
--- a/src/uefi/uefirtauthvar/uefirtauthvar.c
+++ b/src/uefi/uefirtauthvar/uefirtauthvar.c
@@ -622,6 +622,49 @@  static int uefirtauthvar_test10(fwts_framework *fw)
 	return FWTS_ERROR;
 }
 
+/*
+ * The authenticated variable is followed EFI_VARIABLE_AUTHENTICATION_2 descriptor,
+ * set the authenticated variable with invalid
+ * EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS instead of
+ * EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS attribute should
+ * return EFI_SECURITY_VIOLATION.
+ */
+static int uefirtauthvar_test11(fwts_framework *fw)
+{
+	long ioret;
+
+	uint64_t status;
+	int supcheck;
+	uint32_t attr = FWTS_UEFI_VAR_NON_VOLATILE |
+			FWTS_UEFI_VAR_BOOTSERVICE_ACCESS |
+			FWTS_UEFI_VAR_RUNTIME_ACCESS |
+			FWTS_UEFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS;
+
+	ioret = setvar(&gtestguid, attr, sizeof(AuthVarCreate), AuthVarCreate, &status);
+
+	if (ioret == -1) {
+		supcheck = check_fw_support(fw, status);
+		if (supcheck != FWTS_OK)
+			return supcheck;
+
+		if (status == EFI_SECURITY_VIOLATION) {
+			fwts_passed(fw, "Set authenticated variable test with invalid attributes passed.");
+			return FWTS_OK;
+		}
+
+		fwts_failed(fw, LOG_LEVEL_MEDIUM,
+			"UEFISetAuthVarInvalidAttr",
+			"Set authenticated variable fail");
+			fwts_uefi_print_status_info(fw, status);
+	}
+
+	fwts_failed(fw, LOG_LEVEL_HIGH,
+		"UEFISetAuthVarInvalidAttr",
+		"Set authenticated variable expected fail but success");
+
+	return FWTS_ERROR;
+}
+
 static fwts_framework_minor_test uefirtauthvar_tests[] = {
 	{ uefirtauthvar_test1, "Create authenticated variable test." },
 	{ uefirtauthvar_test2, "Authenticated variable test with the same authenticated variable." },
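Review bot: In uefirtauthvar_test11 the branch for an unexpected error status falls through: after `fwts_failed(fw, LOG_LEVEL_MEDIUM, ...)` and `fwts_uefi_print_status_info(fw, status);` there is no return, so execution also reaches the LOG_LEVEL_HIGH failure "Set authenticated variable expected fail but success" even though setvar failed. That records two failures for one run, and the second message reports a rejected write as an accepted one, which is the outcome this test exists to detect (firmware taking an EFI_VARIABLE_AUTHENTICATION_2 payload under the wrong attribute). Add `return FWTS_ERROR;` after `fwts_uefi_print_status_info(fw, status);` and drop the extra indent on that call so it no longer reads as an argument continuation. If the write does succeed, the test appears to leave the variable in place; whether a later step removes it is not visible in this hunk.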
@@ -633,6 +676,7 @@  static fwts_framework_minor_test uefirtauthvar_tests[] = {
 	{ uefirtauthvar_test8, "Authenticated variable test with invalid modified data." },
 	{ uefirtauthvar_test9, "Authenticated variable test with invalid modified timestamp." },
 	{ uefirtauthvar_test10, "Authenticated variable test with different guid." },
+	{ uefirtauthvar_test11, "Authenticated variable test with invalid attributes." },
 	{ NULL, NULL }
 };