public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Gerd Hoffmann" <kraxel@redhat.com>
To: devel@edk2.groups.io
Cc: "Pawel Polawski" <ppolawsk@redhat.com>,
	"Jian J Wang" <jian.j.wang@intel.com>,
	"Oliver Steffen" <osteffen@redhat.com>,
	"Min Xu" <min.m.xu@intel.com>,
	"Marvin Häuser" <mhaeuser@posteo.de>,
	"Jiewen Yao" <jiewen.yao@intel.com>,
	jmaloy@redhat.com
Subject: Re: [PATCH v2 1/1] SecurityPkg/DxeImageVerificationLib: Check result of GetEfiGlobalVariable2
Date: Mon, 20 Mar 2023 11:02:08 +0100	[thread overview]
Message-ID: <20230320100208.xhoz7smo5fkhal26@sirius.home.kraxel.org> (raw)
In-Reply-To: <20230303103553.804781-1-kraxel@redhat.com>

On Fri, Mar 03, 2023 at 11:35:53AM +0100, Gerd Hoffmann wrote:
> Call gRT->GetVariable() directly to read the SecureBoot variable.  It is
> one byte in size so we can easily place it on the stack instead of
> having GetEfiGlobalVariable2() allocate it for us, which avoids a few
> possible error cases.
> 
> Skip secure boot checks if (and only if):
> 
>  (a) the SecureBoot variable is not present (EFI_NOT_FOUND) according to
>      the return value, or
>  (b) the SecureBoot variable was read successfully and is set to
>      SECURE_BOOT_MODE_DISABLE.
> 
> Previously the code skipped the secure boot checks on *any*
> gRT->GetVariable() error (GetEfiGlobalVariable2 sets the variable
> value to NULL in that case) and also on memory allocation failures.
> 
> Fixes: CVE-2019-14560
> Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=2167
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Ping.  Any comments on this patch?

take care,
  Gerd


  reply	other threads:[~2023-03-20 10:02 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-03-03 10:35 [PATCH v2 1/1] SecurityPkg/DxeImageVerificationLib: Check result of GetEfiGlobalVariable2 Gerd Hoffmann
2023-03-20 10:02 ` Gerd Hoffmann [this message]
2023-03-20 12:08   ` Min Xu
2023-03-20 13:20   ` [edk2-devel] " Yao, Jiewen
2023-03-20 15:00     ` Gerd Hoffmann
2023-03-21  2:28       ` Yao, Jiewen
2023-03-21  6:24         ` Yao, Jiewen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230320100208.xhoz7smo5fkhal26@sirius.home.kraxel.org \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox