Subject: Re: [edk2-devel] [PATCH] ArmVirtPkg/PlatformBootManagerLib: unload image on EFI_SECURITY_VIOLATION
To: devel@edk2.groups.io, philmd@redhat.com
Cc: Ard Biesheuvel, Dandan Bi, Leif Lindholm
References: <20190903163801.28652-1-lersek@redhat.com>
From: "Laszlo Ersek" <lersek@redhat.com>
Message-ID: <40365990-3f52-98f3-d9da-d46c9f38d184@redhat.com>
Date: Thu, 5 Sep 2019 19:26:13 +0200

On 09/04/19 16:16, Philippe Mathieu-Daudé wrote:
> On 9/3/19 6:38 PM, Laszlo Ersek wrote:
>> The LoadImage() boot service is a bit unusual in that it allocates
>> resources in a particular failure case; namely, it produces a valid
>> "ImageHandle" when it returns EFI_SECURITY_VIOLATION. This is supposed to
>> happen e.g. when Secure Boot verification fails for the image, but the
>> platform policy for the particular image origin (such as "fixed media" or
>> "removable media") is DEFER_EXECUTE_ON_SECURITY_VIOLATION. The return code
>> allows platform logic to selectively override the verification failure,
>> and launch the image nonetheless.
>>
>> ArmVirtPkg/PlatformBootManagerLib does not override EFI_SECURITY_VIOLATION
>> for the kernel image loaded from fw_cfg -- any LoadImage() error is
>> considered fatal. When we simply treat EFI_SECURITY_VIOLATION like any
>> other LoadImage() error, we leak the resources associated with
>> "KernelImageHandle". From a resource usage perspective,
>> EFI_SECURITY_VIOLATION must be considered "success", and rolled back.
>>
>> Implement this rollback, without breaking the proper "nesting" of error
>> handling jumps and labels.
>>
>> Cc: Ard Biesheuvel
>> Cc: Dandan Bi
>> Cc: Leif Lindholm
>> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1992
>> Fixes: 23d04b58e27b382bbd3f9b16ba9adb1cb203dad5
>> Signed-off-by: Laszlo Ersek
>
> Reviewed-by: Philippe Mathieu-Daude

Thank you all, pushed as commit ae9f12058d71.

Laszlo
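The resource-leak pattern the commit message describes, and the rollback it calls for, shown side by side as an added example. This is not code from the thread or from the edk2 patch: `MockLoadImage`, `MockUnloadImage`, `MockBuildDevicePath`, `MockFreePool`, the `LoadOutcome` knob and the live-object counters are constructed stand-ins for `gBS->LoadImage()`, `gBS->UnloadImage()` and the surrounding allocations, so the block runs without an EDK2 tree. The mock reproduces the UEFI behaviour the message relies on: under a deferred-execution policy, `LoadImage()` returns `EFI_SECURITY_VIOLATION` together with a valid image handle, and the UEFI rollback for a loaded-but-not-started image is `UnloadImage()`.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the few UEFI definitions the example needs. They are
 * constructed here (the real ones live in edk2's MdePkg); the status
 * values follow the UEFI specification's error-bit encoding. */
typedef uintptr_t EFI_STATUS;
typedef void      *EFI_HANDLE;
#define EFI_HIGH_BIT           ((EFI_STATUS)1 << (sizeof (EFI_STATUS) * 8 - 1))
#define EFI_SUCCESS            ((EFI_STATUS)0)
#define EFI_LOAD_ERROR         (EFI_HIGH_BIT | 1)
#define EFI_INVALID_PARAMETER  (EFI_HIGH_BIT | 2)
#define EFI_SECURITY_VIOLATION (EFI_HIGH_BIT | 26)
#define EFI_ERROR(Status)      (((intptr_t)(Status)) < 0)

/* What the mock LoadImage() does on its next call (constructed knob). */
typedef enum {
  LOAD_OK,                 /* image verified and loaded */
  LOAD_SECURITY_VIOLATION, /* verification failed, policy is DEFER_EXECUTE_ON_SECURITY_VIOLATION */
  LOAD_HARD_ERROR          /* e.g. unparseable image: no handle is produced */
} LoadOutcome;

/* Mock boot-service bookkeeping: live image handles and live device paths. */
static int       gLiveImages;
static int       gLiveDevicePaths;
static uintptr_t gNextHandle = 0x1000;

void ResetMockState (void) { gLiveImages = 0; gLiveDevicePaths = 0; }
int  LiveImages (void)      { return gLiveImages; }
int  LiveDevicePaths (void) { return gLiveDevicePaths; }

/* Mock of gBS->LoadImage(): with a deferred-execution policy the image is
 * loaded and a valid handle is returned even though the status is an error. */
static EFI_STATUS MockLoadImage (LoadOutcome Outcome, EFI_HANDLE *ImageHandle)
{
  if (Outcome == LOAD_HARD_ERROR) {
    *ImageHandle = NULL;                 /* nothing allocated, nothing to roll back */
    return EFI_LOAD_ERROR;
  }
  gLiveImages++;
  *ImageHandle = (EFI_HANDLE)(gNextHandle++);
  return (Outcome == LOAD_OK) ? EFI_SUCCESS : EFI_SECURITY_VIOLATION;
}

/* Mock of gBS->UnloadImage(): releases one live image. */
static EFI_STATUS MockUnloadImage (EFI_HANDLE ImageHandle)
{
  if (ImageHandle == NULL) {
    return EFI_INVALID_PARAMETER;
  }
  gLiveImages--;
  return EFI_SUCCESS;
}

/* Mock of the device-path allocation that precedes LoadImage() in the real
 * code, and of the matching FreePool(). */
static void *MockBuildDevicePath (void) { gLiveDevicePaths++; return &gLiveDevicePaths; }
static void  MockFreePool (void *Buffer) { (void)Buffer; gLiveDevicePaths--; }

/* The pattern the patch replaces: every LoadImage() error takes the same
 * exit, so the handle that accompanies EFI_SECURITY_VIOLATION is never
 * released. */
EFI_STATUS TryLoadKernelLeaky (LoadOutcome Outcome)
{
  EFI_STATUS Status;
  void       *KernelDevicePath;
  EFI_HANDLE KernelImageHandle;

  KernelDevicePath = MockBuildDevicePath ();
  Status = MockLoadImage (Outcome, &KernelImageHandle);
  if (EFI_ERROR (Status)) {
    goto FreeKernelDevicePath;           /* BUG: leaks KernelImageHandle on EFI_SECURITY_VIOLATION */
  }
  MockUnloadImage (KernelImageHandle);   /* stands in for running and releasing the image */

FreeKernelDevicePath:
  MockFreePool (KernelDevicePath);
  return Status;
}

/* The fixed pattern: EFI_SECURITY_VIOLATION counts as "success" for resource
 * purposes, so the image is rolled back with UnloadImage() before the common
 * error exit. The goto/label nesting (image inside device path) is unchanged. */
EFI_STATUS TryLoadKernelFixed (LoadOutcome Outcome)
{
  EFI_STATUS Status;
  void       *KernelDevicePath;
  EFI_HANDLE KernelImageHandle;

  KernelDevicePath = MockBuildDevicePath ();
  Status = MockLoadImage (Outcome, &KernelImageHandle);
  if (Status == EFI_SECURITY_VIOLATION) {
    MockUnloadImage (KernelImageHandle); /* this platform does not override the verdict */
  }
  if (EFI_ERROR (Status)) {
    goto FreeKernelDevicePath;
  }
  MockUnloadImage (KernelImageHandle);   /* stands in for running and releasing the image */

FreeKernelDevicePath:
  MockFreePool (KernelDevicePath);
  return Status;
}

int main (void)
{
  ResetMockState ();
  TryLoadKernelLeaky (LOAD_SECURITY_VIOLATION);
  printf ("leaky: live images after EFI_SECURITY_VIOLATION = %d\n", LiveImages ());
  ResetMockState ();
  TryLoadKernelFixed (LOAD_SECURITY_VIOLATION);
  printf ("fixed: live images after EFI_SECURITY_VIOLATION = %d\n", LiveImages ());
  return 0;
}
```

The check worth carrying into real code review is the asymmetry: a hard `LoadImage()` failure leaves nothing to release, while `EFI_SECURITY_VIOLATION` leaves a fully loaded image behind, so an `EFI_ERROR()` test alone cannot tell the two apart and the explicit equality test has to come first.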