From: "Laszlo Ersek" <lersek@redhat.com>
To: edk2-devel-groups-io <devel@edk2.groups.io>
Cc: Chao Zhang <chao.b.zhang@intel.com>,
Jian J Wang <jian.j.wang@intel.com>,
Jiewen Yao <jiewen.yao@intel.com>
Subject: [PATCH 00/11] SecurityPkg/DxeImageVerificationHandler: fix retval for "deny" policy
Date: Thu, 16 Jan 2020 20:06:54 +0100 [thread overview]
Message-ID: <20200116190705.18816-1-lersek@redhat.com> (raw)
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129
Repo: https://github.com/lersek/edk2.git
Branch: deny_execute_2129
The DxeImageVerificationHandler() function does not handle the
DENY_EXECUTE_ON_SECURITY_VIOLATION policy correctly. When an image is
rejected, and the platform sets this policy for the corresponding image
source, the function should return EFI_ACCESS_DENIED. Instead, the
function currently returns EFI_SECURITY_VIOLATION. The consequence is
that gBS->LoadImage() will keep the image loaded (in untrusted state),
rather than unloading it immediately. If the platform sets the
DENY_EXECUTE_ON_SECURITY_VIOLATION policy for all image sources, then
the platform may not expect EFI_SECURITY_VIOLATION at all. Then,
rejected images may linger in RAM, in untrusted state, and may be leaked
forever.
This series refactors the DxeImageVerificationHandler() function,
simplifying the control flow. The series also improves the conformance
of the return values to the SECURITY2_FILE_AUTHENTICATION_HANDLER
prototype. The last two patches are actual bugfixes, with the last one
fixing the problem laid out above.
The patches in this posting have been formatted with
"--function-context", for easier review.
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Thanks,
Laszlo
Laszlo Ersek (11):
SecurityPkg/DxeImageVerificationHandler: simplify "VerifyStatus"
SecurityPkg/DxeImageVerificationHandler: remove "else" after
return/break
SecurityPkg/DxeImageVerificationHandler: keep PE/COFF info status
internal
SecurityPkg/DxeImageVerificationHandler: narrow down PE/COFF hash
status
SecurityPkg/DxeImageVerificationHandler: fix retval on memalloc
failure
SecurityPkg/DxeImageVerificationHandler: remove superfluous Status
setting
SecurityPkg/DxeImageVerificationHandler: unnest AddImageExeInfo() call
SecurityPkg/DxeImageVerificationHandler: eliminate "Status" variable
SecurityPkg/DxeImageVerificationHandler: fix retval for
(FileBuffer==NULL)
SecurityPkg/DxeImageVerificationHandler: fix imgexec info on memalloc
fail
SecurityPkg/DxeImageVerificationHandler: fix "defer" vs. "deny"
policies
SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 118 ++++++++++----------
1 file changed, 59 insertions(+), 59 deletions(-)
--
2.19.1.3.g30247aa5d201
next reply other threads:[~2020-01-16 19:07 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-16 19:06 Laszlo Ersek [this message]
2020-01-16 19:06 ` [PATCH 01/11] SecurityPkg/DxeImageVerificationHandler: simplify "VerifyStatus" Laszlo Ersek
2020-01-16 19:06 ` [PATCH 02/11] SecurityPkg/DxeImageVerificationHandler: remove "else" after return/break Laszlo Ersek
2020-01-16 19:06 ` [PATCH 03/11] SecurityPkg/DxeImageVerificationHandler: keep PE/COFF info status internal Laszlo Ersek
2020-01-16 19:06 ` [PATCH 04/11] SecurityPkg/DxeImageVerificationHandler: narrow down PE/COFF hash status Laszlo Ersek
2020-01-16 19:06 ` [PATCH 05/11] SecurityPkg/DxeImageVerificationHandler: fix retval on memalloc failure Laszlo Ersek
2020-01-16 19:07 ` [PATCH 06/11] SecurityPkg/DxeImageVerificationHandler: remove superfluous Status setting Laszlo Ersek
2020-01-16 19:07 ` [PATCH 07/11] SecurityPkg/DxeImageVerificationHandler: unnest AddImageExeInfo() call Laszlo Ersek
2020-01-16 19:07 ` [PATCH 08/11] SecurityPkg/DxeImageVerificationHandler: eliminate "Status" variable Laszlo Ersek
2020-01-16 19:07 ` [PATCH 09/11] SecurityPkg/DxeImageVerificationHandler: fix retval for (FileBuffer==NULL) Laszlo Ersek
2020-01-16 19:07 ` [PATCH 10/11] SecurityPkg/DxeImageVerificationHandler: fix imgexec info on memalloc fail Laszlo Ersek
2020-01-16 19:07 ` [PATCH 11/11] SecurityPkg/DxeImageVerificationHandler: fix "defer" vs. "deny" policies Laszlo Ersek
2020-01-31 2:59 ` [edk2-devel] [PATCH 00/11] SecurityPkg/DxeImageVerificationHandler: fix retval for "deny" policy Michael D Kinney
2020-01-31 8:12 ` Laszlo Ersek
2020-01-31 9:28 ` Laszlo Ersek
2020-01-31 10:01 ` Laszlo Ersek
2020-01-31 10:07 ` Laszlo Ersek
2020-01-31 16:52 ` Michael D Kinney
2020-01-31 16:59 ` Laszlo Ersek
2020-01-31 17:28 ` Michael D Kinney
2020-01-31 20:19 ` Laszlo Ersek
2020-02-05 13:02 ` setting the push label at once, when opening a PR [was: SecurityPkg/DxeImageVerificationHandler: fix retval for "deny" policy] Laszlo Ersek
2020-02-05 16:16 ` Michael D Kinney
2020-02-05 20:01 ` Laszlo Ersek
2020-01-31 16:31 ` [edk2-devel] [PATCH 00/11] SecurityPkg/DxeImageVerificationHandler: fix retval for "deny" policy Michael D Kinney
2020-01-31 17:00 ` Laszlo Ersek
2020-01-31 17:12 ` Laszlo Ersek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200116190705.18816-1-lersek@redhat.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox