uefirtauthvar

Firmware Test Suite - uefirtauthvar test

The uefirtauthvar test exercises how authenticated variables interact with the firmware through SetVariable with the EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS attribute set. The authenticated variables used by the test are generated as described in UEFI spec section 7.2.1, using the EFI_VARIABLE_AUTHENTICATION_2 descriptor: a DER-encoded PKCS #7 version 1.5 SignedData with SHA-256 as the digest algorithm.

uefirtauthvar tests

  • Checks SetVariable with a new authenticated variable created with the time-based authentication scheme, i.e. the EFI_VARIABLE_AUTHENTICATION_2 descriptor (UEFI spec 7.2.1). It also checks the data content after the variable has been successfully created.
  • With the variable from the previous test in place, sets the same authenticated variable again; the firmware must verify the authenticated variable and return EFI_SECURITY_VIOLATION.
  • With the variable in place, sets an authenticated variable created with a different valid key; the firmware must verify the authenticated variable and return EFI_SECURITY_VIOLATION.
  • Performs a normal append operation, then checks the total data size and the data.
  • Updates the authenticated variable using the same key but a new timestamp and new data, and checks the updated data and size.
  • Sets the authenticated variable with the old data and timestamp; the firmware must check the authenticated information and return EFI_SECURITY_VIOLATION.
  • Deletes the test authenticated variable and checks whether it still exists.
  • Sets the authenticated variable with invalidly modified data; the firmware must check the data and return EFI_SECURITY_VIOLATION.
  • Sets the authenticated variable with an invalid timestamp; the firmware must check the authenticated information and return EFI_SECURITY_VIOLATION.
  • Sets the authenticated variable with a GUID different from the one covered by the hash in the authenticated variable; the firmware must check the GUID and return EFI_SECURITY_VIOLATION.
  • Sets the variable with invalid attributes. The authenticated variable follows the EFI_VARIABLE_AUTHENTICATION_2 descriptor but is set with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS instead of the EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS attribute; the firmware must return EFI_SECURITY_VIOLATION.
  • Sets the authenticated variable with both the EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS and EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS attributes; the firmware must return EFI_INVALID_PARAMETER.
  • After the previous test variable has been deleted, sets and deletes another authenticated variable created with a different key, checking the existence of the authenticated variable and the correctness of its data.
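As an added example (not fwts code and not the uefirtauthvar implementation), the Python below models the EFI_VARIABLE_AUTHENTICATION_2 descriptor from the spec section above and walks through the checks that each test in the list expects from the firmware: attribute validation, the WIN_CERTIFICATE_UEFI_GUID header, the zeroed EFI_TIME fields, the signed serialization of name, GUID, attributes, timestamp and data, replay rejection on the timestamp, append and delete. The PKCS #7 signature is replaced by an HMAC-SHA256 stand-in so the example runs offline; the enrolled and untrusted keys, the variable name, the vendor GUID and the timestamps are constructed, while the attribute bits, the certificate type GUID and the EFI_TIME layout are the spec's own.

```python
import hashlib, hmac, struct, uuid

EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS = 0x10          # attribute bits from the UEFI spec
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20
EFI_VARIABLE_APPEND_WRITE = 0x40
WIN_CERTIFICATE_REVISION, WIN_CERT_TYPE_EFI_GUID = 0x0200, 0x0EF1
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
EFI_SUCCESS, EFI_NOT_FOUND = "EFI_SUCCESS", "EFI_NOT_FOUND"
EFI_SECURITY_VIOLATION, EFI_INVALID_PARAMETER = "EFI_SECURITY_VIOLATION", "EFI_INVALID_PARAMETER"

def pack_efi_time(year, month, day, hour=0, minute=0, second=0, nanosecond=0):
    # EFI_TIME (16 bytes): Year u16, Month, Day, Hour, Minute, Second, Pad1, Nanosecond u32,
    # TimeZone s16, Daylight, Pad2. In the descriptor everything after Second must be zero.
    return struct.pack("<HBBBBBBIhBB", year, month, day, hour, minute, second, 0, nanosecond, 0, 0, 0)

def efi_time_key(ts):  # comparable (year, month, day, hour, minute, second) tuple
    return struct.unpack("<HBBBBB", ts[:7])

def signed_payload(name, vendor_guid, attributes, timestamp, data):
    # Bytes hashed with SHA-256 and signed, in spec order: VariableName as UCS-2 without
    # the NUL, VendorGuid, Attributes (UINT32), TimeStamp, then the new variable content.
    return name.encode("utf-16-le") + vendor_guid.bytes_le + struct.pack("<I", attributes) + timestamp + data

def sign_stand_in(key, payload):
    # Stand-in for PKCS #7 SignedData: HMAC-SHA256 of the SHA-256 digest under a constructed
    # key. Real firmware verifies a DER-encoded PKCS #7 signature against the enrolled cert.
    return hmac.new(key, hashlib.sha256(payload).digest(), hashlib.sha256).digest()

def build_auth2(timestamp, cert_data, data):
    # EFI_VARIABLE_AUTHENTICATION_2 = TimeStamp || WIN_CERTIFICATE_UEFI_GUID, then content.
    # dwLength covers the 8-byte WIN_CERTIFICATE header, the CertType GUID and CertData.
    hdr = struct.pack("<IHH", 8 + 16 + len(cert_data), WIN_CERTIFICATE_REVISION, WIN_CERT_TYPE_EFI_GUID)
    return timestamp + hdr + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + cert_data + data

def parse_auth2(buf):
    # Split a SetVariable() Data buffer into (timestamp, cert GUID, CertData, content).
    if len(buf) < 40:
        raise ValueError("too short for EFI_VARIABLE_AUTHENTICATION_2")
    dw_length, rev, cert_type = struct.unpack_from("<IHH", buf, 16)
    if rev != WIN_CERTIFICATE_REVISION or cert_type != WIN_CERT_TYPE_EFI_GUID or not 24 <= dw_length <= len(buf) - 16:
        raise ValueError("bad WIN_CERTIFICATE header")
    return buf[:16], uuid.UUID(bytes_le=bytes(buf[24:40])), buf[40:16 + dw_length], buf[16 + dw_length:]

class VariableStore:
    """Firmware-side model: one enrolled key; variables keyed by (name, GUID)."""
    def __init__(self, trusted_key):
        self.trusted_key, self.vars = trusted_key, {}  # (name, guid) -> (timestamp, data)

    def set_variable(self, name, vendor_guid, attributes, buf):
        time_based = attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
        if attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS and time_based:
            return EFI_INVALID_PARAMETER      # the two schemes are mutually exclusive
        if not time_based:
            return EFI_SECURITY_VIOLATION     # AUTHENTICATION_2 blob under the wrong attribute
        try:
            ts, cert_guid, sig, data = parse_auth2(buf)
        except ValueError:
            return EFI_SECURITY_VIOLATION
        if cert_guid != EFI_CERT_TYPE_PKCS7_GUID or any(ts[7:]):
            return EFI_SECURITY_VIOLATION     # wrong cert type, or non-zero pad/nanosecond fields
        expected = sign_stand_in(self.trusted_key, signed_payload(name, vendor_guid, attributes, ts, data))
        if not hmac.compare_digest(sig, expected):
            return EFI_SECURITY_VIOLATION     # other key, or tampered name/GUID/attrs/time/data
        key, existing = (name, vendor_guid), self.vars.get((name, vendor_guid))
        if attributes & EFI_VARIABLE_APPEND_WRITE:  # appends: no replay check, keep newer stamp
            old_ts, old_data = existing or (ts, b"")
            self.vars[key] = (max(old_ts, ts, key=efi_time_key), old_data + data)
            return EFI_SUCCESS
        if existing and efi_time_key(ts) <= efi_time_key(existing[0]):
            return EFI_SECURITY_VIOLATION     # replay: stamp not newer than the stored one
        if not data:                          # authenticated empty write deletes
            return EFI_SUCCESS if self.vars.pop(key, None) else EFI_NOT_FOUND
        self.vars[key] = (ts, data)
        return EFI_SUCCESS

def run_scenarios():
    store, other = VariableStore(b"constructed-enrolled-key"), b"constructed-untrusted-key"
    name, guid = "TestAuthVar", uuid.UUID("0b3f1a2c-0000-4000-8000-000000000001")
    attrs = 0x07 | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS  # NV|BS|RT + time-based
    app, k = attrs | EFI_VARIABLE_APPEND_WRITE, store.trusted_key
    def blob(key, ts, data, a=attrs):
        return build_auth2(ts, sign_stand_in(key, signed_payload(name, guid, a, ts, data)), data)
    t1, t2, t3 = pack_efi_time(2015, 1, 1), pack_efi_time(2015, 6, 1), pack_efi_time(2015, 7, 1)
    r = {"create": store.set_variable(name, guid, attrs, blob(k, t1, b"data1"))}
    r["same_again"] = store.set_variable(name, guid, attrs, blob(k, t1, b"data1"))
    r["other_key"] = store.set_variable(name, guid, attrs, blob(other, t2, b"data2"))
    r["append"] = store.set_variable(name, guid, app, blob(k, t1, b"+more", app))
    r["after_append"] = store.vars[(name, guid)][1]
    r["update"] = store.set_variable(name, guid, attrs, blob(k, t2, b"data2"))
    r["old_stamp"] = store.set_variable(name, guid, attrs, blob(k, t1, b"data1"))
    good = blob(k, t3, b"data3")
    r["tampered"] = store.set_variable(name, guid, attrs, good[:-1] + b"\x00")
    r["wrong_guid"] = store.set_variable(name, uuid.UUID(int=1), attrs, good)
    r["bad_time"] = store.set_variable(name, guid, attrs, blob(k, pack_efi_time(2015, 7, 1, nanosecond=5), b"x"))
    r["wrong_attr"] = store.set_variable(name, guid, 0x07 | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS, good)
    r["both_attrs"] = store.set_variable(name, guid, attrs | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS, good)
    r["delete"] = store.set_variable(name, guid, attrs, blob(k, t3, b""))
    r["after_delete"] = store.vars.get((name, guid))
    return r
```

run_scenarios() replays the test list in order and returns the status each step produced; the order of the checks in set_variable is what matters, since a replayed timestamp, a tampered payload and a wrong vendor GUID are all rejected before the variable store is touched. The signature covers the attributes too, which is why an append must be signed with EFI_VARIABLE_APPEND_WRITE included.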

Examples:

sudo fwts uefirtauthvar -

..runs uefirtauthvar on your machine and dumps the output to stdout.

FirmwareTestSuite/Reference/uefirtauthvar (last edited 2016-01-11 07:25:27 by anthonywong)