From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from foss.arm.com (foss.arm.com [217.140.110.172])
 by mx.groups.io with SMTP id smtpd.web12.16712.1634057823445706529
 for <devel@edk2.groups.io>;
 Tue, 12 Oct 2021 09:57:03 -0700
Authentication-Results: mx.groups.io;
 dkim=missing; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: joseph.hemann@arm.com)
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14])
	by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id DE95A1FB;
	Tue, 12 Oct 2021 09:57:02 -0700 (PDT)
Received: from u203013-lin.austin.arm.com (unknown [10.118.29.243])
	by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id D5A473F694;
	Tue, 12 Oct 2021 09:57:02 -0700 (PDT)
From: "Joseph Hemann" <joseph.hemann@arm.com>
To: devel@edk2.groups.io
Cc: nd@arm.com,
	Joseph Hemann <joseph.hemann@arm.com>,
	Jiewen Yao <jiewen.yao@intel.com>,
	Jian J Wang <jian.j.wang@intel.com>,
	Min Xu <min.m.xu@intel.com>,
	Joseph Hemann <Joseph.Hemann@arm.com>
Subject: [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Set Action for failed unsigned image
Date: Tue, 12 Oct 2021 11:57:01 -0500
Message-Id: <20211012165701.52619-1-joseph.hemann@arm.com>
X-Mailer: git-send-email 2.17.1

If the image is not signed and the hash of image is not found
in DB/DBX, then the EFI_IMAGE_INFO_ACTION of the load of said
image should be set to,
EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND, rather then being left
unset as EFI_IMAGE_EXECUTION_AUTH_UNTESTED.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>

Signed-off-by: Joseph Hemann <Joseph.Hemann@arm.com>
Change-Id: Ia432ebf4ec811e36d67b80bc438a6aff60bc9b67
---
 .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c    | 1 +
 1 file changed, 1 insertion(+)

diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index 0a804af2162f..e5fae732bb1f 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1848,6 +1848,7 @@ DxeImageVerificationHandler (
     //
     // Image Hash is not found in both forbidden and allowed database.
     //
+    Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND;
     DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed and %s hash of image is not found in DB/DBX.\n", mHashTypeStr));
     goto Failed;
   }
-- 
2.17.1