[PATCH 4/4] uefirtvariable: add test for setvariable with both authenticated attributes are set (LP: #1356207)

[Ivan Hu]

Add test for both EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS and
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS are set in a setvariable
call. From UEFI spec, firmware must return EFI_INVALID_PARAMETER when both
authenticated attributes are set.

Signed-off-by: Ivan Hu <ivan.hu at canonical.com>
---
 src/uefi/uefirtvariable/uefirtvariable.c |   55 +++++++++++++++++++++++++++---
 1 file changed, 50 insertions(+), 5 deletions(-)

diff --git a/src/uefi/uefirtvariable/uefirtvariable.c b/src/uefi/uefirtvariable/uefirtvariable.c
index a69c804..46c7f0e 100644
--- a/src/uefi/uefirtvariable/uefirtvariable.c
+++ b/src/uefi/uefirtvariable/uefirtvariable.c
@@ -941,11 +941,20 @@ static int setvariable_invalidattr(
 	ioret = ioctl(fd, EFI_RUNTIME_SET_VARIABLE, &setvariable);
 
 	if ((status == EFI_SUCCESS) && (ioret != -1)) {
-		fwts_warning(fw,
-			"After ExitBootServices() is performed, the "
-			"attributes %" PRIu32 ", "
-			"for SetVariable shouldn't be set successfully.",
-			attributes);
+		if ((attributes | FWTS_UEFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) &&
+			(attributes | FWTS_UEFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) &&
+			(status != EFI_INVALID_PARAMETER)) {
+			fwts_warning(fw,
+				"Both the EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS attribute and the "
+				"EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS attribute are set "
+				"in a SetVariable call, then the firmware must return EFI_INVALID_PARAMETER.");
+		} else {
+			fwts_warning(fw,
+				"After ExitBootServices() is performed, the "
+				"attributes %" PRIu32 ", "
+				"for SetVariable shouldn't be set successfully.",
+				attributes);
+		}
 		return FWTS_ERROR;
 	}
 	return FWTS_OK;
@@ -1225,6 +1234,36 @@ static int setvariable_test6(fwts_framework *fw)
 	return FWTS_OK;
 }
 
+static int setvariable_test7(fwts_framework *fw)
+{
+	int ret;
+	uint64_t datasize = 10;
+	uint8_t datadiff = 0;
+	uint32_t attr;
+
+	attr = attributes | FWTS_UEFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS | FWTS_UEFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS;
+	ret = setvariable_invalidattr(fw, attr, datasize, variablenametest, &gtestguid1, datadiff);
+		if (ret == FWTS_ERROR) {
+			fwts_failed(fw, LOG_LEVEL_MEDIUM, "UEFIRuntimeSetVariable",
+				"Successfully set variable with both authenticated (EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS "
+				"EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) attributes are set, expected fail.");
+			setvariable_insertvariable(fw, 0, datasize, variablenametest, &gtestguid1, datadiff);
+			return FWTS_ERROR;
+		}
+
+		if (setvariable_checkvariable_notfound(fw, variablenametest,
+			&gtestguid1) == FWTS_ERROR) {
+			fwts_log_info(fw,
+				"Get the variable which is set by SetVariable with both "
+				"authenticated (EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS "
+				"EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) "
+				"attributes are set %" PRIu32 " , test failed.", attr);
+			setvariable_insertvariable(fw, 0, datasize, variablenametest, &gtestguid1, datadiff);
+			return FWTS_ERROR;
+		}
+	return FWTS_OK;
+}
+
 static int do_queryvariableinfo(
 	uint64_t *status,
 	uint64_t *remvarstoragesize,
@@ -1429,6 +1468,12 @@ static int uefirtvariable_test3(fwts_framework *fw)
 		return ret;
 	fwts_passed(fw, "SetVariable on Invalid Attributes passed.");
 
+	fwts_log_info(fw, "Testing SetVariable with both Authenticated Attributes set.");
+	ret = setvariable_test7(fw);
+	if (ret != FWTS_OK)
+		return ret;
+	fwts_passed(fw, "Testing SetVariable with both Authenticated Attributes set passed.");
+
 	return FWTS_OK;
 }
 
-- 
1.7.9.5