From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-1.mimecast.com (us-smtp-delivery-1.mimecast.com [205.139.110.61]) by mx.groups.io with SMTP id smtpd.web11.1190.1580855196009647018 for ; Tue, 04 Feb 2020 14:26:36 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=ThdkZpxb; spf=pass (domain: redhat.com, ip: 205.139.110.61, mailfrom: philmd@redhat.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1580855195; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=IlUcV3kpthV4YrdzJAr6662+8xh6Y5L3EIpiPGVhpt4=; b=ThdkZpxbHuDQTjVA7SLam74RtOtByfPwXm+kscDw2jpM2FMcOSKIWUH14ZnqJW+Esrr2EM TRZWfBIebwClR4+sFXZZ8IyBVUoNshINn8L7yO7LHrpAYVJ41K8D59oEdv3urLGWAvioYe O5SNGLSaAcug4szqq1lIzPO4oPSrhqw= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-388-5V_yxI8SPkC0NC2-Oshazg-1; Tue, 04 Feb 2020 17:26:33 -0500 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 7E806800D5C; Tue, 4 Feb 2020 22:26:32 +0000 (UTC) Received: from x1w.redhat.com (ovpn-204-152.brq.redhat.com [10.40.204.152]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 9E7EB1BC6D; Tue, 4 Feb 2020 22:26:27 +0000 (UTC) From: =?UTF-8?B?UGhpbGlwcGUgTWF0aGlldS1EYXVkw6k=?= To: devel@edk2.groups.io Cc: Philippe Mathieu-Daude , Jiewen Yao , Jian J Wang , Chao Zhang Subject: [PATCH 1/1] SecurityPkg: Fix incorrect return value in documentation Date: Tue, 4 Feb 2020 23:26:24 +0100 Message-Id: <20200204222624.7478-1-philmd@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-MC-Unique: 5V_yxI8SPkC0NC2-Oshazg-1 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable The DxeTpmMeasureBootHandler and DxeTpm2MeasureBootHandler handlers are SECURITY2_FILE_AUTHENTICATION_HANDLER prototype. This prototype can not return EFI_INVALID_PARAMETER. The prototype documentation states it returns EFI_ACCESS_DENIED if: "The file specified by File and FileBuffer did not authenticate, and the platform policy dictates that the DXE Foundation may not use File." Note in practice both functions return EFI_SECURITY_VIOLATION: "The file specified by DevicePath and FileBuffer did not authenticate, and the platform policy dictates that the file should be placed in the untrusted state. The image has been added to the file execution table." Noticed while reviewing commit 6d57592740cdd0b6868baeef7929d6e6fef. Cc: Jiewen Yao Cc: Jian J Wang Cc: Chao Zhang Signed-off-by: Philippe Mathieu-Daude --- .../Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c | 2 +- SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLi= b.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c index 04b9b0d7fbf3..0c07f65c6835 100644 --- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c +++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c @@ -384,7 +384,7 @@ Finish: and other exception operations. The File parameter allows for possible = logging within the SAP of the driver. =20 - If File is NULL, then EFI_INVALID_PARAMETER is returned. + If File is NULL, then EFI_ACCESS_DENIED is returned. =20 If the file specified by File with an authentication status specified by AuthenticationStatus is safe for the DXE Core to use, then EFI_SUCCESS i= s returned. diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.= c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c index 1f2eed29a1df..0dccbb66eb26 100644 --- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c +++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c @@ -678,7 +678,7 @@ Finish: and other exception operations. The File parameter allows for possible = logging within the SAP of the driver. =20 - If File is NULL, then EFI_INVALID_PARAMETER is returned. + If File is NULL, then EFI_ACCESS_DENIED is returned. =20 If the file specified by File with an authentication status specified by AuthenticationStatus is safe for the DXE Core to use, then EFI_SUCCESS i= s returned. --=20 2.21.1