[edk2-devel] [PATCH] SecurityPkg/DxeImageVerificationLib: Set Action for failed signed image
Joseph Hemann
joseph.hemann at arm.com
Tue Oct 12 13:11:55 UTC 2021
From: Joseph Hemann <Joseph.hemann at arm.com>
If the image is signed but not allowed by DB and the hash of
image is not found in DB/DBX, then the EFI_IMAGE_INFO_ACTION
of the load of said image should be set to,
EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND, rather then being left
unset as EFI_IMAGE_EXECUTION_AUTH_UNTESTED.
Cc: Jiewen Yao <jiewen.yao at intel.com>
Cc: Jian J Wang <jian.j.wang at intel.com>
Cc: Min Xu <min.m.xu at intel.com>
Signed-off-by: Joseph Hemann <Joseph.hemann at arm.com>
Change-Id: I271fb61384e5b8bb5ac23ccba5de9ba77adb85ad
---
.../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index c48861cd64..0a804af216 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1957,6 +1957,7 @@ DxeImageVerificationHandler (
if (!EFI_ERROR (DbStatus) && IsFound) {
IsVerified = TRUE;
} else {
+ Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND;
DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature is not allowed by DB and %s hash of image is not found in DB/DBX.\n", mHashTypeStr));
}
}
--
2.17.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#81829): https://edk2.groups.io/g/devel/message/81829
Mute This Topic: https://groups.io/mt/86261682/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
More information about the edk2-devel-archive
mailing list