From: "Nhi Pham"
To: devel@edk2.groups.io, jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com
Cc: patches@amperecomputing.com, Nhi Pham
Subject: [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action
Date: Wed, 12 Apr 2023 16:21:49 +0700
Message-Id: <20230412092149.138221-1-nhi@os.amperecomputing.com>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain

Add the AUTH_SIG_NOT_FOUND Action to the Image Execution Info Table
when the Image is signed but signature is not allowed by DB and the
hash of image is not found in DB/DBX.

This is documented in the UEFI spec 2.10, table 32.5.

This issue is found by the SIE SCT with the error message as follows:
SecureBoot - TestImage1.bin in Image Execution Info Table with SIG_NOT_FOUND.
--FAILURE
B3A670AA-0FBA-48CA-9D01-0EE9700965A9
SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/
ImageLoadingBBTest.c:1079:Status Success

Signed-off-by: Nhi Pham
--- SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 1 + 1 file changed, 1 insertion(+) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati= onLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL= ib.c index b3d40c21e975..5d8dbd546879 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -1993,6 +1993,7 @@ DxeImageVerificationHandler ( if (!EFI_ERROR (DbStatus) && IsFound) {=0D IsVerified =3D TRUE;=0D } else {=0D + Action =3D EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND;=0D DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but = signature is not allowed by DB and %s hash of image is not found in DB/DBX.= \n", mHashTypeStr));=0D }=0D }=0D --=20 2.25.1
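
Review bot: The added `Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND;` sits in the `else` of `if (!EFI_ERROR (DbStatus) && IsFound)`, so it is also taken when `DbStatus` is an error, not only when the image hash is absent from DB. If a failed database lookup should not be recorded as "signature not found", set the new action only for `!EFI_ERROR (DbStatus) && !IsFound`, or add a comment saying that both cases are meant to map to it. The hunk does not show whether `Action` is reassigned on a later path where `IsVerified` becomes TRUE, so please confirm the value cannot end up in an Image Execution Info Table record for an image that is ultimately accepted. A one-line comment above the assignment citing the UEFI 2.10 table named in the commit message would also help readers of this branch.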