[edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action

Nhi Pham via groups.io nhi=os.amperecomputing.com at groups.io
Fri Apr 14 05:18:10 UTC 2023 

Hi,

Ping for reviewing.

Let me know if I need anything for this patch.

Thanks,

Nhi

On 4/12/2023 4:21 PM, Nhi Pham wrote:
> Add the AUTH_SIG_NOT_FOUND Action to the Image Execution Info Table
> when the Image is signed but signature is not allowed by DB and the
> hash of image is not found in DB/DBX.
>
> This is documented in the UEFI spec 2.10, table 32.5.
>
> This issue is found by the SIE SCT with the error message as follows:
> SecureBoot - TestImage1.bin in Image Execution Info Table with
> SIG_NOT_FOUND. --FAILURE
> B3A670AA-0FBA-48CA-9D01-0EE9700965A9
> SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/
> ImageLoadingBBTest.c:1079:Status Success
>
> Signed-off-by: Nhi Pham <nhi at os.amperecomputing.com>
> ---
>   SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 1 +
>   1 file changed, 1 insertion(+)
>
> diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index b3d40c21e975..5d8dbd546879 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> @@ -1993,6 +1993,7 @@ DxeImageVerificationHandler (
>         if (!EFI_ERROR (DbStatus) && IsFound) {
>
>           IsVerified = TRUE;
>
>         } else {
>
> +        Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND;
>
>           DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature is not allowed by DB and %s hash of image is not found in DB/DBX.\n", mHashTypeStr));
>
>         }
>
>       }
>


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#102965): https://edk2.groups.io/g/devel/message/102965
Mute This Topic: https://groups.io/mt/98215665/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-

More information about the edk2-devel-archive mailing list