From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.25483.1591604111505265726 for ; Mon, 08 Jun 2020 01:15:11 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ard.biesheuvel@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id E80E61F1; Mon, 8 Jun 2020 01:15:09 -0700 (PDT) Received: from [192.168.1.69] (unknown [172.31.20.19]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 4813C3F6CF; Mon, 8 Jun 2020 01:15:05 -0700 (PDT) Subject: Re: [PATCH] OvmfPkg/X86QemuLoadImageLib: handle EFI_ACCESS_DENIED from LoadImage() To: Laszlo Ersek , edk2-devel-groups-io Cc: Jordan Justen , =?UTF-8?Q?Philippe_Mathieu-Daud=c3=a9?= References: <20200605235242.32442-1-lersek@redhat.com> From: "Ard Biesheuvel" Message-ID: <3a51e349-44f8-617c-6782-9a56413f2c6e@arm.com> Date: Mon, 8 Jun 2020 10:15:00 +0200 User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:68.0) Gecko/20100101 Thunderbird/68.8.1 MIME-Version: 1.0 In-Reply-To: <20200605235242.32442-1-lersek@redhat.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: quoted-printable On 6/6/20 1:52 AM, Laszlo Ersek wrote: > When an image fails Secure Boot validation, LoadImage() returns > EFI_SECURITY_VIOLATION if the platform policy is > DEFER_EXECUTE_ON_SECURITY_VIOLATION. >=20 > If the platform policy is DENY_EXECUTE_ON_SECURITY_VIOLATION, then > LoadImage() returns EFI_ACCESS_DENIED (and the image does not remain > loaded). >=20 > (Before , this > difference would be masked, as DxeImageVerificationLib would incorrectl= y > return EFI_SECURITY_VIOLATION for DENY_EXECUTE_ON_SECURITY_VIOLATION as > well.) >=20 > In X86QemuLoadImageLib, proceed to the legacy Linux/x86 Boot Protocol u= pon > seeing EFI_ACCESS_DENIED too. >=20 > Cc: Ard Biesheuvel > Cc: Jordan Justen > Cc: Philippe Mathieu-Daud=C3=A9 > Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D2785 > Signed-off-by: Laszlo Ersek Reviewed-by: Ard Biesheuvel > --- >=20 > Notes: > Repo: https://pagure.io/lersek/edk2.git > Branch: x86_qlil_access_denied >=20 > OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c | 14 ++++++= ++++---- > 1 file changed, 10 insertions(+), 4 deletions(-) >=20 > diff --git a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c = b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c > index ef753be7ea90..931553c0c1fb 100644 > --- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c > +++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c > @@ -319,13 +319,19 @@ QemuLoadKernelImage ( > return EFI_NOT_FOUND; > =20 > case EFI_SECURITY_VIOLATION: > + // > + // Since the image has been loaded, we need to unload it before pr= oceeding > + // to the EFI_ACCESS_DENIED case below. > + // > + gBS->UnloadImage (KernelImageHandle); > + // > + // Fall through > + // > + case EFI_ACCESS_DENIED: > // > // We are running with UEFI secure boot enabled, and the image fa= iled to > // authenticate. For compatibility reasons, we fall back to the l= egacy > - // loader in this case. Since the image has been loaded, we need t= o unload > - // it before proceeding > - // > - gBS->UnloadImage (KernelImageHandle); > + // loader in this case. > // > // Fall through > // >=20