* [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action
@ 2023-04-12 9:21 Nhi Pham
2023-04-14 5:18 ` Nhi Pham
2023-04-27 8:19 ` Yao, Jiewen
0 siblings, 2 replies; 10+ messages in thread
From: Nhi Pham @ 2023-04-12 9:21 UTC (permalink / raw)
To: devel, jiewen.yao, jian.j.wang, min.m.xu; +Cc: patches, Nhi Pham
Add the AUTH_SIG_NOT_FOUND Action to the Image Execution Info Table
when the Image is signed but signature is not allowed by DB and the
hash of image is not found in DB/DBX.
This is documented in the UEFI spec 2.10, table 32.5.
This issue is found by the SIE SCT with the error message as follows:
SecureBoot - TestImage1.bin in Image Execution Info Table with
SIG_NOT_FOUND. --FAILURE
B3A670AA-0FBA-48CA-9D01-0EE9700965A9
SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/
ImageLoadingBBTest.c:1079:Status Success
Signed-off-by: Nhi Pham <nhi@os.amperecomputing.com>
---
SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index b3d40c21e975..5d8dbd546879 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1993,6 +1993,7 @@ DxeImageVerificationHandler (
if (!EFI_ERROR (DbStatus) && IsFound) {
IsVerified = TRUE;
} else {
+ Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND;
DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature is not allowed by DB and %s hash of image is not found in DB/DBX.\n", mHashTypeStr));
}
}
--
2.25.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action
2023-04-12 9:21 [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action Nhi Pham
@ 2023-04-14 5:18 ` Nhi Pham
2023-04-18 23:20 ` [edk2-devel] " Min Xu
2023-04-27 8:19 ` Yao, Jiewen
1 sibling, 1 reply; 10+ messages in thread
From: Nhi Pham @ 2023-04-14 5:18 UTC (permalink / raw)
To: Nhi Pham, devel, jiewen.yao, jian.j.wang, min.m.xu; +Cc: patches
Hi,
Ping for reviewing.
Let me know if I need anything for this patch.
Thanks,
Nhi
On 4/12/2023 4:21 PM, Nhi Pham wrote:
> Add the AUTH_SIG_NOT_FOUND Action to the Image Execution Info Table
> when the Image is signed but signature is not allowed by DB and the
> hash of image is not found in DB/DBX.
>
> This is documented in the UEFI spec 2.10, table 32.5.
>
> This issue is found by the SIE SCT with the error message as follows:
> SecureBoot - TestImage1.bin in Image Execution Info Table with
> SIG_NOT_FOUND. --FAILURE
> B3A670AA-0FBA-48CA-9D01-0EE9700965A9
> SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/
> ImageLoadingBBTest.c:1079:Status Success
>
> Signed-off-by: Nhi Pham <nhi@os.amperecomputing.com>
> ---
> SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index b3d40c21e975..5d8dbd546879 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> @@ -1993,6 +1993,7 @@ DxeImageVerificationHandler (
> if (!EFI_ERROR (DbStatus) && IsFound) {
>
> IsVerified = TRUE;
>
> } else {
>
> + Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND;
>
> DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature is not allowed by DB and %s hash of image is not found in DB/DBX.\n", mHashTypeStr));
>
> }
>
> }
>
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action
2023-04-14 5:18 ` Nhi Pham
@ 2023-04-18 23:20 ` Min Xu
2023-04-20 3:48 ` Nhi Pham
0 siblings, 1 reply; 10+ messages in thread
From: Min Xu @ 2023-04-18 23:20 UTC (permalink / raw)
To: devel@edk2.groups.io, nhi@os.amperecomputing.com, Yao, Jiewen,
Wang, Jian J
Cc: patches@amperecomputing.com
On Friday, April 14, 2023 1:18 PM, Nhi Pham wrote:
> Hi,
>
> Ping for reviewing.
>
> Let me know if I need anything for this patch.
Do you test the change and what's the test result? Can you provide the validation result?
Thanks
Min
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action
2023-04-18 23:20 ` [edk2-devel] " Min Xu
@ 2023-04-20 3:48 ` Nhi Pham
2023-04-26 7:54 ` Min Xu
0 siblings, 1 reply; 10+ messages in thread
From: Nhi Pham @ 2023-04-20 3:48 UTC (permalink / raw)
To: Xu, Min M, devel@edk2.groups.io, nhi@os.amperecomputing.com,
Yao, Jiewen, Wang, Jian J
Cc: patches@amperecomputing.com
Hi Min,
This SEI test passes:
SecureBoot - TestImage2.bin in Image Execution Info Table with
SIG_NOT_FOUND. -- PASS
00C3C2F2-39D5-4D35-B7E7-587CA0F3CB75
SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/ImageLoadingBBTest.c:1103:Status
- Success
The test image binary is different to the one in the commit message due
to some bug fixes in the SEI test suite. The right test case to catch
this bug is 00C3C2F2-39D5-4D35-B7E7-587CA0F3CB75
You can check the test code at
https://github.com/ARM-software/bbr-acs/blob/main/bbsr/sct-tests/SecureBoot/BlackBoxTest/ImageLoadingBBTest.c
Thanks,
Nhi
On 4/19/2023 6:20 AM, Xu, Min M wrote:
> On Friday, April 14, 2023 1:18 PM, Nhi Pham wrote:
>> Hi,
>>
>> Ping for reviewing.
>>
>> Let me know if I need anything for this patch.
> Do you test the change and what's the test result? Can you provide the validation result?
>
> Thanks
> Min
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action
2023-04-20 3:48 ` Nhi Pham
@ 2023-04-26 7:54 ` Min Xu
2023-04-27 5:38 ` Nhi Pham
0 siblings, 1 reply; 10+ messages in thread
From: Min Xu @ 2023-04-26 7:54 UTC (permalink / raw)
To: Nhi Pham, devel@edk2.groups.io, nhi@os.amperecomputing.com,
Yao, Jiewen, Wang, Jian J
Cc: patches@amperecomputing.com
It's good to me.
Reviewed-by: Min Xu <min.m.xu@intel.com>
Thanks
> -----Original Message-----
> From: Nhi Pham <nhi@amperemail.onmicrosoft.com>
> Sent: Thursday, April 20, 2023 11:49 AM
> To: Xu, Min M <min.m.xu@intel.com>; devel@edk2.groups.io;
> nhi@os.amperecomputing.com; Yao, Jiewen <jiewen.yao@intel.com>; Wang,
> Jian J <jian.j.wang@intel.com>
> Cc: patches@amperecomputing.com
> Subject: Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib:
> Add AUTH_SIG_NOT_FOUND Action
>
> Hi Min,
>
> This SEI test passes:
>
> SecureBoot - TestImage2.bin in Image Execution Info Table with
> SIG_NOT_FOUND. -- PASS
> 00C3C2F2-39D5-4D35-B7E7-587CA0F3CB75
> SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/ImageLoa
> dingBBTest.c:1103:Status
> - Success
>
> The test image binary is different to the one in the commit message due to some
> bug fixes in the SEI test suite. The right test case to catch this bug is 00C3C2F2-
> 39D5-4D35-B7E7-587CA0F3CB75
>
> You can check the test code at
> https://github.com/ARM-software/bbr-acs/blob/main/bbsr/sct-
> tests/SecureBoot/BlackBoxTest/ImageLoadingBBTest.c
>
> Thanks,
>
> Nhi
>
> On 4/19/2023 6:20 AM, Xu, Min M wrote:
> > On Friday, April 14, 2023 1:18 PM, Nhi Pham wrote:
> >> Hi,
> >>
> >> Ping for reviewing.
> >>
> >> Let me know if I need anything for this patch.
> > Do you test the change and what's the test result? Can you provide the
> validation result?
> >
> > Thanks
> > Min
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action
2023-04-26 7:54 ` Min Xu
@ 2023-04-27 5:38 ` Nhi Pham
2023-04-27 5:46 ` Min Xu
0 siblings, 1 reply; 10+ messages in thread
From: Nhi Pham @ 2023-04-27 5:38 UTC (permalink / raw)
To: Xu, Min M, devel@edk2.groups.io, nhi@os.amperecomputing.com,
Yao, Jiewen, Wang, Jian J, gaoliming
Cc: patches@amperecomputing.com
Thanks Min.
Could you help merge this patch to edk2?
Regards,
Nhi
On 4/26/2023 2:54 PM, Xu, Min M wrote:
> It's good to me.
> Reviewed-by: Min Xu <min.m.xu@intel.com>
>
> Thanks
>
>> -----Original Message-----
>> From: Nhi Pham <nhi@amperemail.onmicrosoft.com>
>> Sent: Thursday, April 20, 2023 11:49 AM
>> To: Xu, Min M <min.m.xu@intel.com>; devel@edk2.groups.io;
>> nhi@os.amperecomputing.com; Yao, Jiewen <jiewen.yao@intel.com>; Wang,
>> Jian J <jian.j.wang@intel.com>
>> Cc: patches@amperecomputing.com
>> Subject: Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib:
>> Add AUTH_SIG_NOT_FOUND Action
>>
>> Hi Min,
>>
>> This SEI test passes:
>>
>> SecureBoot - TestImage2.bin in Image Execution Info Table with
>> SIG_NOT_FOUND. -- PASS
>> 00C3C2F2-39D5-4D35-B7E7-587CA0F3CB75
>> SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/ImageLoa
>> dingBBTest.c:1103:Status
>> - Success
>>
>> The test image binary is different to the one in the commit message due to some
>> bug fixes in the SEI test suite. The right test case to catch this bug is 00C3C2F2-
>> 39D5-4D35-B7E7-587CA0F3CB75
>>
>> You can check the test code at
>> https://github.com/ARM-software/bbr-acs/blob/main/bbsr/sct-
>> tests/SecureBoot/BlackBoxTest/ImageLoadingBBTest.c
>>
>> Thanks,
>>
>> Nhi
>>
>> On 4/19/2023 6:20 AM, Xu, Min M wrote:
>>> On Friday, April 14, 2023 1:18 PM, Nhi Pham wrote:
>>>> Hi,
>>>>
>>>> Ping for reviewing.
>>>>
>>>> Let me know if I need anything for this patch.
>>> Do you test the change and what's the test result? Can you provide the
>> validation result?
>>> Thanks
>>> Min
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action
2023-04-27 5:38 ` Nhi Pham
@ 2023-04-27 5:46 ` Min Xu
0 siblings, 0 replies; 10+ messages in thread
From: Min Xu @ 2023-04-27 5:46 UTC (permalink / raw)
To: devel@edk2.groups.io, nhi@os.amperecomputing.com, Yao, Jiewen,
Wang, Jian J, Gao, Liming
Cc: patches@amperecomputing.com
Hi, Nhi Pham
Yao, Jiewen and Wang, Jian are the maintainers of SecurityPkg.
They can help to merge the patch if they have no concerns about the patch.
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Nhi Pham
> via groups.io
> Sent: Thursday, April 27, 2023 1:38 PM
> To: Xu, Min M <min.m.xu@intel.com>; devel@edk2.groups.io;
> nhi@os.amperecomputing.com; Yao, Jiewen <jiewen.yao@intel.com>; Wang,
> Jian J <jian.j.wang@intel.com>; Gao, Liming <gaoliming@byosoft.com.cn>
> Cc: patches@amperecomputing.com
> Subject: Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib:
> Add AUTH_SIG_NOT_FOUND Action
>
> Thanks Min.
>
> Could you help merge this patch to edk2?
>
> Regards,
>
> Nhi
>
> On 4/26/2023 2:54 PM, Xu, Min M wrote:
> > It's good to me.
> > Reviewed-by: Min Xu <min.m.xu@intel.com>
> >
> > Thanks
> >
> >> -----Original Message-----
> >> From: Nhi Pham <nhi@amperemail.onmicrosoft.com>
> >> Sent: Thursday, April 20, 2023 11:49 AM
> >> To: Xu, Min M <min.m.xu@intel.com>; devel@edk2.groups.io;
> >> nhi@os.amperecomputing.com; Yao, Jiewen <jiewen.yao@intel.com>;
> Wang,
> >> Jian J <jian.j.wang@intel.com>
> >> Cc: patches@amperecomputing.com
> >> Subject: Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib:
> >> Add AUTH_SIG_NOT_FOUND Action
> >>
> >> Hi Min,
> >>
> >> This SEI test passes:
> >>
> >> SecureBoot - TestImage2.bin in Image Execution Info Table with
> >> SIG_NOT_FOUND. -- PASS
> >> 00C3C2F2-39D5-4D35-B7E7-587CA0F3CB75
> >>
> SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/Imag
> >> eLoa
> >> dingBBTest.c:1103:Status
> >> - Success
> >>
> >> The test image binary is different to the one in the commit message
> >> due to some bug fixes in the SEI test suite. The right test case to
> >> catch this bug is 00C3C2F2-
> >> 39D5-4D35-B7E7-587CA0F3CB75
> >>
> >> You can check the test code at
> >> https://github.com/ARM-software/bbr-acs/blob/main/bbsr/sct-
> >> tests/SecureBoot/BlackBoxTest/ImageLoadingBBTest.c
> >>
> >> Thanks,
> >>
> >> Nhi
> >>
> >> On 4/19/2023 6:20 AM, Xu, Min M wrote:
> >>> On Friday, April 14, 2023 1:18 PM, Nhi Pham wrote:
> >>>> Hi,
> >>>>
> >>>> Ping for reviewing.
> >>>>
> >>>> Let me know if I need anything for this patch.
> >>> Do you test the change and what's the test result? Can you provide
> >>> the
> >> validation result?
> >>> Thanks
> >>> Min
>
>
>
>
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action
2023-04-12 9:21 [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action Nhi Pham
2023-04-14 5:18 ` Nhi Pham
@ 2023-04-27 8:19 ` Yao, Jiewen
2023-04-28 3:14 ` Nhi Pham
1 sibling, 1 reply; 10+ messages in thread
From: Yao, Jiewen @ 2023-04-27 8:19 UTC (permalink / raw)
To: Nhi Pham, devel@edk2.groups.io, Wang, Jian J, Xu, Min M
Cc: patches@amperecomputing.com
Thanks Nhi, to provide the fix.
The UEFI specification (https://uefi.org/specs/UEFI/2.10/32_Secure_Boot_and_Driver_Signing.html) defines below error code.
#define EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED 0x00000001
#define EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED 0x00000002
#define EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND 0x00000003
#define EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND 0x00000004
1) EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED means
An image certificate is in the forbidden database, or
A digest of an image certifcate is in the forbidden database, or
The image signature check failed.
However, the code only contains below as forbidden database check:
if (IsForbiddenByDbx (AuthData, AuthDataSize)) {
Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED;
IsVerified = FALSE;
break;
}
The image signature check fail missed the Action. (remaining issue ?)
2) EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED means
An image certifcate is in authroized database. (or)
The image digest is in the authorized database.
However, I cannot find the code to set the value in the code. (remaining issue ?)
3) EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND means
the image certificate is not found in the authorized database, and
the image digest is not in the authorized database.
It is fixed in this patch. Thank you!
4) EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND means
The image has at least one certificate, and the image digest is in the forbidden database.
The code is there.
Would you please double check, if we have the remaining issue in 1) and 2)?
> -----Original Message-----
> From: Nhi Pham <nhi@os.amperecomputing.com>
> Sent: Wednesday, April 12, 2023 5:22 PM
> To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>; Wang,
> Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>
> Cc: patches@amperecomputing.com; Nhi Pham
> <nhi@os.amperecomputing.com>
> Subject: [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add
> AUTH_SIG_NOT_FOUND Action
>
> Add the AUTH_SIG_NOT_FOUND Action to the Image Execution Info Table
> when the Image is signed but signature is not allowed by DB and the
> hash of image is not found in DB/DBX.
>
> This is documented in the UEFI spec 2.10, table 32.5.
>
> This issue is found by the SIE SCT with the error message as follows:
> SecureBoot - TestImage1.bin in Image Execution Info Table with
> SIG_NOT_FOUND. --FAILURE
> B3A670AA-0FBA-48CA-9D01-0EE9700965A9
> SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/
> ImageLoadingBBTest.c:1079:Status Success
>
> Signed-off-by: Nhi Pham <nhi@os.amperecomputing.com>
> ---
> SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 1
> +
> 1 file changed, 1 insertion(+)
>
> diff --git
> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index b3d40c21e975..5d8dbd546879 100644
> ---
> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++
> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> @@ -1993,6 +1993,7 @@ DxeImageVerificationHandler (
> if (!EFI_ERROR (DbStatus) && IsFound) {
>
> IsVerified = TRUE;
>
> } else {
>
> + Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND;
>
> DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but
> signature is not allowed by DB and %s hash of image is not found in
> DB/DBX.\n", mHashTypeStr));
>
> }
>
> }
>
> --
> 2.25.1
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action
2023-04-27 8:19 ` Yao, Jiewen
@ 2023-04-28 3:14 ` Nhi Pham
2023-04-28 11:08 ` [edk2-devel] " Yao, Jiewen
0 siblings, 1 reply; 10+ messages in thread
From: Nhi Pham @ 2023-04-28 3:14 UTC (permalink / raw)
To: Yao, Jiewen, Nhi Pham, devel@edk2.groups.io, Wang, Jian J,
Xu, Min M
Cc: patches@amperecomputing.com
Thanks Yao Jiewen for reviewing. I will make further investigation for
other cases based on your findings.
In the meantime, could you help merge my patch?
-Nhi
On 4/27/2023 3:19 PM, Yao, Jiewen wrote:
> Thanks Nhi, to provide the fix.
>
> The UEFI specification (https://uefi.org/specs/UEFI/2.10/32_Secure_Boot_and_Driver_Signing.html) defines below error code.
>
> #define EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED 0x00000001
> #define EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED 0x00000002
> #define EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND 0x00000003
> #define EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND 0x00000004
>
> 1) EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED means
> An image certificate is in the forbidden database, or
> A digest of an image certifcate is in the forbidden database, or
> The image signature check failed.
>
> However, the code only contains below as forbidden database check:
>
> if (IsForbiddenByDbx (AuthData, AuthDataSize)) {
> Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED;
> IsVerified = FALSE;
> break;
> }
>
> The image signature check fail missed the Action. (remaining issue ?)
>
> 2) EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED means
> An image certifcate is in authroized database. (or)
> The image digest is in the authorized database.
>
> However, I cannot find the code to set the value in the code. (remaining issue ?)
>
> 3) EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND means
> the image certificate is not found in the authorized database, and
> the image digest is not in the authorized database.
>
> It is fixed in this patch. Thank you!
>
> 4) EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND means
> The image has at least one certificate, and the image digest is in the forbidden database.
>
> The code is there.
>
>
> Would you please double check, if we have the remaining issue in 1) and 2)?
>
>
>
>
>> -----Original Message-----
>> From: Nhi Pham <nhi@os.amperecomputing.com>
>> Sent: Wednesday, April 12, 2023 5:22 PM
>> To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>; Wang,
>> Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>
>> Cc: patches@amperecomputing.com; Nhi Pham
>> <nhi@os.amperecomputing.com>
>> Subject: [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add
>> AUTH_SIG_NOT_FOUND Action
>>
>> Add the AUTH_SIG_NOT_FOUND Action to the Image Execution Info Table
>> when the Image is signed but signature is not allowed by DB and the
>> hash of image is not found in DB/DBX.
>>
>> This is documented in the UEFI spec 2.10, table 32.5.
>>
>> This issue is found by the SIE SCT with the error message as follows:
>> SecureBoot - TestImage1.bin in Image Execution Info Table with
>> SIG_NOT_FOUND. --FAILURE
>> B3A670AA-0FBA-48CA-9D01-0EE9700965A9
>> SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/
>> ImageLoadingBBTest.c:1079:Status Success
>>
>> Signed-off-by: Nhi Pham <nhi@os.amperecomputing.com>
>> ---
>> SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 1
>> +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git
>> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
>> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
>> index b3d40c21e975..5d8dbd546879 100644
>> ---
>> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
>> +++
>> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
>> @@ -1993,6 +1993,7 @@ DxeImageVerificationHandler (
>> if (!EFI_ERROR (DbStatus) && IsFound) {
>>
>> IsVerified = TRUE;
>>
>> } else {
>>
>> + Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND;
>>
>> DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but
>> signature is not allowed by DB and %s hash of image is not found in
>> DB/DBX.\n", mHashTypeStr));
>>
>> }
>>
>> }
>>
>> --
>> 2.25.1
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action
2023-04-28 3:14 ` Nhi Pham
@ 2023-04-28 11:08 ` Yao, Jiewen
0 siblings, 0 replies; 10+ messages in thread
From: Yao, Jiewen @ 2023-04-28 11:08 UTC (permalink / raw)
To: devel@edk2.groups.io, nhi@os.amperecomputing.com, Wang, Jian J,
Xu, Min M
Cc: patches@amperecomputing.com
Sure. This patch is merged https://github.com/tianocore/edk2/pull/4321.
Thanks for the contribution.
Look forward to your investigation result.
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Nhi
> Pham via groups.io
> Sent: Friday, April 28, 2023 11:14 AM
> To: Yao, Jiewen <jiewen.yao@intel.com>; Nhi Pham
> <nhi@os.amperecomputing.com>; devel@edk2.groups.io; Wang, Jian J
> <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>
> Cc: patches@amperecomputing.com
> Subject: Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib:
> Add AUTH_SIG_NOT_FOUND Action
>
> Thanks Yao Jiewen for reviewing. I will make further investigation for
> other cases based on your findings.
>
> In the meantime, could you help merge my patch?
>
> -Nhi
>
> On 4/27/2023 3:19 PM, Yao, Jiewen wrote:
> > Thanks Nhi, to provide the fix.
> >
> > The UEFI specification
> (https://uefi.org/specs/UEFI/2.10/32_Secure_Boot_and_Driver_Signing.html)
> defines below error code.
> >
> > #define EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED 0x00000001
> > #define EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED 0x00000002
> > #define EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND 0x00000003
> > #define EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND 0x00000004
> >
> > 1) EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED means
> > An image certificate is in the forbidden database, or
> > A digest of an image certifcate is in the forbidden database, or
> > The image signature check failed.
> >
> > However, the code only contains below as forbidden database check:
> >
> > if (IsForbiddenByDbx (AuthData, AuthDataSize)) {
> > Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED;
> > IsVerified = FALSE;
> > break;
> > }
> >
> > The image signature check fail missed the Action. (remaining issue ?)
> >
> > 2) EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED means
> > An image certifcate is in authroized database. (or)
> > The image digest is in the authorized database.
> >
> > However, I cannot find the code to set the value in the code. (remaining
> issue ?)
> >
> > 3) EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND means
> > the image certificate is not found in the authorized database, and
> > the image digest is not in the authorized database.
> >
> > It is fixed in this patch. Thank you!
> >
> > 4) EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND means
> > The image has at least one certificate, and the image digest is in the
> forbidden database.
> >
> > The code is there.
> >
> >
> > Would you please double check, if we have the remaining issue in 1) and 2)?
> >
> >
> >
> >
> >> -----Original Message-----
> >> From: Nhi Pham <nhi@os.amperecomputing.com>
> >> Sent: Wednesday, April 12, 2023 5:22 PM
> >> To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>; Wang,
> >> Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>
> >> Cc: patches@amperecomputing.com; Nhi Pham
> >> <nhi@os.amperecomputing.com>
> >> Subject: [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add
> >> AUTH_SIG_NOT_FOUND Action
> >>
> >> Add the AUTH_SIG_NOT_FOUND Action to the Image Execution Info
> Table
> >> when the Image is signed but signature is not allowed by DB and the
> >> hash of image is not found in DB/DBX.
> >>
> >> This is documented in the UEFI spec 2.10, table 32.5.
> >>
> >> This issue is found by the SIE SCT with the error message as follows:
> >> SecureBoot - TestImage1.bin in Image Execution Info Table with
> >> SIG_NOT_FOUND. --FAILURE
> >> B3A670AA-0FBA-48CA-9D01-0EE9700965A9
> >> SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/
> >> ImageLoadingBBTest.c:1079:Status Success
> >>
> >> Signed-off-by: Nhi Pham <nhi@os.amperecomputing.com>
> >> ---
> >> SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> | 1
> >> +
> >> 1 file changed, 1 insertion(+)
> >>
> >> diff --git
> >>
> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> >>
> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> >> index b3d40c21e975..5d8dbd546879 100644
> >> ---
> >>
> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> >> +++
> >>
> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> >> @@ -1993,6 +1993,7 @@ DxeImageVerificationHandler (
> >> if (!EFI_ERROR (DbStatus) && IsFound) {
> >>
> >> IsVerified = TRUE;
> >>
> >> } else {
> >>
> >> + Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND;
> >>
> >> DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed
> but
> >> signature is not allowed by DB and %s hash of image is not found in
> >> DB/DBX.\n", mHashTypeStr));
> >>
> >> }
> >>
> >> }
> >>
> >> --
> >> 2.25.1
>
>
>
>
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2023-04-28 11:08 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-04-12 9:21 [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action Nhi Pham
2023-04-14 5:18 ` Nhi Pham
2023-04-18 23:20 ` [edk2-devel] " Min Xu
2023-04-20 3:48 ` Nhi Pham
2023-04-26 7:54 ` Min Xu
2023-04-27 5:38 ` Nhi Pham
2023-04-27 5:46 ` Min Xu
2023-04-27 8:19 ` Yao, Jiewen
2023-04-28 3:14 ` Nhi Pham
2023-04-28 11:08 ` [edk2-devel] " Yao, Jiewen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox