ACK: [PATCH 12/15] uefirtauthvar: setting authenticated variable with invalid attribute test

Wed Oct 22 16:07:32 UTC 2014

On 22/10/14 10:40, Ivan Hu wrote:
> This test sets with the invalid attributes. The authenticated variable is
> followed EFI_VARIABLE_AUTHENTICATION_2 descriptor, set the authenticated
> variable with invalid EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS instead of
> EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS attribute, firmware should
> return EFI_SECURITY_VIOLATION.
> 
> Signed-off-by: Ivan Hu <ivan.hu at canonical.com>
> ---
>  src/uefi/uefirtauthvar/uefirtauthvar.c |   44 ++++++++++++++++++++++++++++++++
>  1 file changed, 44 insertions(+)
> 
> diff --git a/src/uefi/uefirtauthvar/uefirtauthvar.c b/src/uefi/uefirtauthvar/uefirtauthvar.c
> index 00da3c7..fc59487 100644
> --- a/src/uefi/uefirtauthvar/uefirtauthvar.c
> +++ b/src/uefi/uefirtauthvar/uefirtauthvar.c
> @@ -622,6 +622,49 @@ static int uefirtauthvar_test10(fwts_framework *fw)
>  	return FWTS_ERROR;
>  }
>  
> +/*
> + * The authenticated variable is followed EFI_VARIABLE_AUTHENTICATION_2 descriptor,
> + * set the authenticated variable with invalid
> + * EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS instead of
> + * EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS attribute should
> + * return EFI_SECURITY_VIOLATION.
> + */
> +static int uefirtauthvar_test11(fwts_framework *fw)
> +{
> +	long ioret;
> +
> +	uint64_t status;
> +	int supcheck;
> +	uint32_t attr = FWTS_UEFI_VAR_NON_VOLATILE |
> +			FWTS_UEFI_VAR_BOOTSERVICE_ACCESS |
> +			FWTS_UEFI_VAR_RUNTIME_ACCESS |
> +			FWTS_UEFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS;
> +
> +	ioret = setvar(&gtestguid, attr, sizeof(AuthVarCreate), AuthVarCreate, &status);
> +
> +	if (ioret == -1) {
> +		supcheck = check_fw_support(fw, status);
> +		if (supcheck != FWTS_OK)
> +			return supcheck;
> +
> +		if (status == EFI_SECURITY_VIOLATION) {
> +			fwts_passed(fw, "Set authenticated variable test with invalid attributes passed.");
> +			return FWTS_OK;
> +		}
> +
> +		fwts_failed(fw, LOG_LEVEL_MEDIUM,
> +			"UEFISetAuthVarInvalidAttr",
> +			"Set authenticated variable fail");
> +			fwts_uefi_print_status_info(fw, status);
> +	}
> +
> +	fwts_failed(fw, LOG_LEVEL_HIGH,
> +		"UEFISetAuthVarInvalidAttr",
> +		"Set authenticated variable expected fail but success");
> +
> +	return FWTS_ERROR;
> +}
> +
>  static fwts_framework_minor_test uefirtauthvar_tests[] = {
>  	{ uefirtauthvar_test1, "Create authenticated variable test." },
>  	{ uefirtauthvar_test2, "Authenticated variable test with the same authenticated variable." },
> @@ -633,6 +676,7 @@ static fwts_framework_minor_test uefirtauthvar_tests[] = {
>  	{ uefirtauthvar_test8, "Authenticated variable test with invalid modified data." },
>  	{ uefirtauthvar_test9, "Authenticated variable test with invalid modified timestamp." },
>  	{ uefirtauthvar_test10, "Authenticated variable test with different guid." },
> +	{ uefirtauthvar_test11, "Authenticated variable test with invalid attributes." },
>  	{ NULL, NULL }
>  };
>  
> 
Acked-by: Colin Ian King <colin.king at canonical.com>