sun2sirius

Reputation: 475

How to delete a UEFI Authenticated Variable?

I wrote a UEFI Shell app to experiment with UEFI Authenticated variables. I can create an Authenticated variable and then update it by signing with the same private key. However, when trying to delete it later, I get a security violation error.

Stepping through the EDKII code in SecurityPkg\Library\AuthVariableLib\AuthService.c, I can see that to delete an authenticated variable, the UserPhysicalPresent() function must return TRUE. The default implementation of UserPhysicalPresent() is in PlatformSecureLibNull.c and always returns TRUE, but apparently several real devices from major OEMs do actually implement this function, and deletion always fails.

What would be the correct way to delete a UEFI authenticated variable created from the UEFI Shell or from within an OS? How can the user physical presence requirement be satisfied?

Upvotes: 2

Views: 981

Answers (1)

sun2sirius

Reputation: 475

There may be a bug in some EDKII Variable Service implementations - there should be no Physical Presence requirement to delete an authenticated variable. If the firmware is affected by this issue, there may be no way to delete an authenticated variable. Be careful - once written, the custom authenticated variable can be updated, but cannot be deleted. I had to physically flash firmware on my devices that I experimented with to get rid of the authenticated variables I wrote.

Update: on the devices where UserPhysicalPresent() properly returns TRUE, the Authenticated UEFI variable can be deleted by any physically present user. That is, a properly signed common Authenticated UEFI variable can be deleted with a request signed with a completely different key. There is a comment in the above-mentioned AuthService.c: "Allow the delete operation of common authenticated variable(AT or AW) at user physical presence."

This means that applications cannot solely rely on the integrity of Authenticated variables, as they can be deleted and rewritten with the same name but different data. Since reading the Authenticated variable only returns its contents, there is no direct way to validate that the content is authentic.

Upvotes: 1
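The behaviour described in the question and answer, modelled as an added example (not code from the question, the answer or EDK II): updates require the original signer, deletion is refused without physical presence but accepted from any signer with it, and a read returns only the contents. The mitigation shown for the last paragraph is a self-authenticating payload whose HMAC-SHA256 tag the consumer checks after reading; names, keys and data are constructed for the demo, and a real consumer would verify an asymmetric signature against a built-in public key rather than share an HMAC key.

```python
import hashlib
import hmac

TAG_LEN = 32  # bytes of HMAC-SHA256 appended to the variable contents


class AuthVariableStore:
    """Toy variable store following the rules the answer describes."""

    def __init__(self, physical_presence):
        self.physical_presence = physical_presence
        self.vars = {}  # name -> (signer_id, data)

    def set_variable(self, name, data, signer_id):
        # Empty data is a delete request in SetVariable semantics.
        if len(data) == 0:
            if name in self.vars and not self.physical_presence:
                raise PermissionError("EFI_SECURITY_VIOLATION")  # as seen in the question
            self.vars.pop(name, None)  # any signer may delete at physical presence
            return
        if name in self.vars and self.vars[name][0] != signer_id:
            raise PermissionError("EFI_SECURITY_VIOLATION")  # update needs the same key
        self.vars[name] = (signer_id, data)

    def get_variable(self, name):
        # Reads expose contents only: the signer is invisible to the consumer.
        return self.vars[name][1]


def pack_self_authenticating(data, mac_key):
    """Append a tag so the consumer can check the contents independently."""
    return data + hmac.new(mac_key, data, hashlib.sha256).digest()


def read_verified(store, name, mac_key):
    """Return the data only if its embedded tag verifies, else None."""
    blob = store.get_variable(name)
    data, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, data, hashlib.sha256).digest()
    return data if hmac.compare_digest(tag, expected) else None


def demo():
    """Delete-and-rewrite by a different signer, as the answer describes."""
    store = AuthVariableStore(physical_presence=True)
    store.set_variable("MyPolicy", pack_self_authenticating(b"allow", b"vendor-key"), "vendor")
    store.set_variable("MyPolicy", b"", "someone-else")  # delete succeeds with another key
    store.set_variable("MyPolicy", b"deny" + b"\x00" * TAG_LEN, "someone-else")  # rewritten
    return read_verified(store, "MyPolicy", b"vendor-key")  # None: contents not vendor's
```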
