public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Ard Biesheuvel" <ard.biesheuvel@arm.com>
To: Laszlo Ersek <lersek@redhat.com>,
	edk2-devel-groups-io <devel@edk2.groups.io>
Cc: "Jordan Justen" <jordan.l.justen@intel.com>,
	"Philippe Mathieu-Daudé" <philmd@redhat.com>
Subject: Re: [PATCH] OvmfPkg/X86QemuLoadImageLib: handle EFI_ACCESS_DENIED from LoadImage()
Date: Mon, 8 Jun 2020 10:15:00 +0200	[thread overview]
Message-ID: <3a51e349-44f8-617c-6782-9a56413f2c6e@arm.com> (raw)
In-Reply-To: <20200605235242.32442-1-lersek@redhat.com>

On 6/6/20 1:52 AM, Laszlo Ersek wrote:
> When an image fails Secure Boot validation, LoadImage() returns
> EFI_SECURITY_VIOLATION if the platform policy is
> DEFER_EXECUTE_ON_SECURITY_VIOLATION.
> 
> If the platform policy is DENY_EXECUTE_ON_SECURITY_VIOLATION, then
> LoadImage() returns EFI_ACCESS_DENIED (and the image does not remain
> loaded).
> 
> (Before <https://bugzilla.tianocore.org/show_bug.cgi?id=2129>, this
> difference would be masked, as DxeImageVerificationLib would incorrectly
> return EFI_SECURITY_VIOLATION for DENY_EXECUTE_ON_SECURITY_VIOLATION as
> well.)
> 
> In X86QemuLoadImageLib, proceed to the legacy Linux/x86 Boot Protocol upon
> seeing EFI_ACCESS_DENIED too.
> 
> Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2785
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>

Reviewed-by: Ard Biesheuvel <ard.biesheuvel@arm.com>

> ---
> 
> Notes:
>      Repo:   https://pagure.io/lersek/edk2.git
>      Branch: x86_qlil_access_denied
> 
>   OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c | 14 ++++++++++----
>   1 file changed, 10 insertions(+), 4 deletions(-)
> 
> diff --git a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
> index ef753be7ea90..931553c0c1fb 100644
> --- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
> +++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
> @@ -319,13 +319,19 @@ QemuLoadKernelImage (
>       return EFI_NOT_FOUND;
>   
>     case EFI_SECURITY_VIOLATION:
> +    //
> +    // Since the image has been loaded, we need to unload it before proceeding
> +    // to the EFI_ACCESS_DENIED case below.
> +    //
> +    gBS->UnloadImage (KernelImageHandle);
> +    //
> +    // Fall through
> +    //
> +  case EFI_ACCESS_DENIED:
>       //
>       // We are running with UEFI secure boot enabled, and the image failed to
>       // authenticate. For compatibility reasons, we fall back to the legacy
> -    // loader in this case. Since the image has been loaded, we need to unload
> -    // it before proceeding
> -    //
> -    gBS->UnloadImage (KernelImageHandle);
> +    // loader in this case.
>       //
>       // Fall through
>       //
> 


  parent reply	other threads:[~2020-06-08  8:15 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-06-05 23:52 [PATCH] OvmfPkg/X86QemuLoadImageLib: handle EFI_ACCESS_DENIED from LoadImage() Laszlo Ersek
2020-06-07 22:09 ` Philippe Mathieu-Daudé
2020-06-08  8:15 ` Ard Biesheuvel [this message]
2020-06-09 20:20 ` [edk2-devel] " Laszlo Ersek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3a51e349-44f8-617c-6782-9a56413f2c6e@arm.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox