[PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Set Action for failed signed image

[PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Set Action for failed signed image

[Joseph Hemann]

If the image is signed but not allowed by DB and the hash of
image is not found in DB/DBX, then the EFI_IMAGE_INFO_ACTION
of the load of said image should be set to,
EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND, rather then being left
unset as EFI_IMAGE_EXECUTION_AUTH_UNTESTED.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>

Signed-off-by: Joseph Hemann <joseph.hemann@arm.com>
Change-Id: I6b2777bd7aeb57773b8876e44c2179ea7501bc8c
---
 .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c    | 1 +
 1 file changed, 1 insertion(+)

diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index c48861cd6496..0a804af2162f 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1957,6 +1957,7 @@ DxeImageVerificationHandler (
       if (!EFI_ERROR (DbStatus) && IsFound) {
         IsVerified = TRUE;
       } else {
+        Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND;
         DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature is not allowed by DB and %s hash of image is not found in DB/DBX.\n", mHashTypeStr));
       }
     }
-- 
2.17.1

Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Set Action for failed signed image

[Samer El-Haj-Mahmoud]

Hi Jiewen, Jian, and Min,

Can you please review this patch? We have a corresponding UEFI Spec "code first" ECR (https://bugzilla.tianocore.org/show_bug.cgi?id=3561), and need to clarify a couple of cases in the code.

Thanks,
--Samer


> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Joseph
> Hemann via groups.io
> Sent: Tuesday, October 12, 2021 12:59 PM
> To: devel@edk2.groups.io
> Cc: nd <nd@arm.com>; Joseph Hemann <Joseph.Hemann@arm.com>; Jiewen
> Yao <jiewen.yao@intel.com>; Jian J Wang <jian.j.wang@intel.com>; Min Xu
> <min.m.xu@intel.com>
> Subject: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Set
> Action for failed signed image
> 
> If the image is signed but not allowed by DB and the hash of
> image is not found in DB/DBX, then the EFI_IMAGE_INFO_ACTION
> of the load of said image should be set to,
> EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND, rather then being left
> unset as EFI_IMAGE_EXECUTION_AUTH_UNTESTED.
> 
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Min Xu <min.m.xu@intel.com>
> 
> Signed-off-by: Joseph Hemann <joseph.hemann@arm.com>
> Change-Id: I6b2777bd7aeb57773b8876e44c2179ea7501bc8c
> ---
>  .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c    | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git
> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index c48861cd6496..0a804af2162f 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> @@ -1957,6 +1957,7 @@ DxeImageVerificationHandler (
>        if (!EFI_ERROR (DbStatus) && IsFound) {
>          IsVerified = TRUE;
>        } else {
> +        Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND;
>          DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but
> signature is not allowed by DB and %s hash of image is not found in DB/DBX.\n",
> mHashTypeStr));
>        }
>      }
> --
> 2.17.1
> 
> 
> 
> 
>