[edk2-devel] [PATCH] SecurityPkg/DxeImageVerificationLib: Set Action for failed signed image

Yao, Jiewen jiewen.yao at intel.com
Wed Oct 13 06:45:37 UTC 2021 

It seems make sense.

Would you please:
1) Fila a Bugzilla - https://bugzilla.tianocore.org/
2) Describe what unit test you have done. Especially, if multiple cert list/data have been tested.
I ask this because we use a for-loop to check cert in list one by one.

Thank you
Yao Jiewen

> -----Original Message-----
> From: devel at edk2.groups.io <devel at edk2.groups.io> On Behalf Of Joseph
> Hemann
> Sent: Tuesday, October 12, 2021 9:12 PM
> To: devel at edk2.groups.io
> Cc: nd at arm.com; Joseph Hemann <Joseph.hemann at arm.com>; Yao, Jiewen
> <jiewen.yao at intel.com>; Wang, Jian J <jian.j.wang at intel.com>; Xu, Min M
> <min.m.xu at intel.com>
> Subject: [edk2-devel] [PATCH] SecurityPkg/DxeImageVerificationLib: Set Action
> for failed signed image
> 
> From: Joseph Hemann <Joseph.hemann at arm.com>
> 
> If the image is signed but not allowed by DB and the hash of
> image is not found in DB/DBX, then the EFI_IMAGE_INFO_ACTION
> of the load of said image should be set to,
> EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND, rather then being left
> unset as EFI_IMAGE_EXECUTION_AUTH_UNTESTED.
> 
> Cc: Jiewen Yao <jiewen.yao at intel.com>
> Cc: Jian J Wang <jian.j.wang at intel.com>
> Cc: Min Xu <min.m.xu at intel.com>
> 
> Signed-off-by: Joseph Hemann <Joseph.hemann at arm.com>
> Change-Id: I271fb61384e5b8bb5ac23ccba5de9ba77adb85ad
> ---
>  .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c    | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git
> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index c48861cd64..0a804af216 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> @@ -1957,6 +1957,7 @@ DxeImageVerificationHandler (
>        if (!EFI_ERROR (DbStatus) && IsFound) {
>          IsVerified = TRUE;
>        } else {
> +        Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND;
>          DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but
> signature is not allowed by DB and %s hash of image is not found in DB/DBX.\n",
> mHashTypeStr));
>        }
>      }
> --
> 2.17.1
> 
> 
> 
> 
> 



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#81863): https://edk2.groups.io/g/devel/message/81863
Mute This Topic: https://groups.io/mt/86282200/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-

More information about the edk2-devel-archive mailing list