From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from us-smtp-delivery-1.mimecast.com (us-smtp-delivery-1.mimecast.com [205.139.110.61])
 by mx.groups.io with SMTP id smtpd.web11.493.1591734060949717452
 for <devel@edk2.groups.io>;
 Tue, 09 Jun 2020 13:21:01 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Lhrqt2S2;
 spf=pass (domain: redhat.com, ip: 205.139.110.61, mailfrom: lersek@redhat.com)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1591734060;
	h=from:from:reply-to:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=UdGcBe9O+JIK/Ea69X5wcD8iLTRnj2rajs7ZotPFYz8=;
	b=Lhrqt2S2lAPzHvT+ehH6jF6o9CCihDhAyGyYBrP9ALaBtaiDJsTcUDZMGT8P4Pv4sB/XhI
	989267xkkYjhK/rsud6maYyB+gwgY48/1pZkEJQVdwB6vX6oA5QzdTs7p3u3rjBnB5LAlB
	Tmmmss4jxlhKHXoWq11wvvxfqfXoN1A=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-336-NX0OwMvGPcmJxcmCQXG0Gg-1; Tue, 09 Jun 2020 16:20:52 -0400
X-MC-Unique: NX0OwMvGPcmJxcmCQXG0Gg-1
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 982E31800D42;
	Tue,  9 Jun 2020 20:20:51 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-112-194.ams2.redhat.com [10.36.112.194])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 5D1BE5D9E5;
	Tue,  9 Jun 2020 20:20:50 +0000 (UTC)
Subject: Re: [edk2-devel] [PATCH] OvmfPkg/X86QemuLoadImageLib: handle EFI_ACCESS_DENIED from LoadImage()
From: "Laszlo Ersek" <lersek@redhat.com>
To: edk2-devel-groups-io <devel@edk2.groups.io>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>,
 Jordan Justen <jordan.l.justen@intel.com>,
 =?UTF-8?Q?Philippe_Mathieu-Daud=c3=a9?= <philmd@redhat.com>
Reply-To: devel@edk2.groups.io, lersek@redhat.com
References: <20200605235242.32442-1-lersek@redhat.com>
Message-ID: <51749156-6672-90ae-6543-0a20390b5360@redhat.com>
Date: Tue, 9 Jun 2020 22:20:49 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <20200605235242.32442-1-lersek@redhat.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Language: en-US
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

On 06/06/20 01:52, Laszlo Ersek wrote:
> When an image fails Secure Boot validation, LoadImage() returns
> EFI_SECURITY_VIOLATION if the platform policy is
> DEFER_EXECUTE_ON_SECURITY_VIOLATION.
> 
> If the platform policy is DENY_EXECUTE_ON_SECURITY_VIOLATION, then
> LoadImage() returns EFI_ACCESS_DENIED (and the image does not remain
> loaded).
> 
> (Before <https://bugzilla.tianocore.org/show_bug.cgi?id=2129>, this
> difference would be masked, as DxeImageVerificationLib would incorrectly
> return EFI_SECURITY_VIOLATION for DENY_EXECUTE_ON_SECURITY_VIOLATION as
> well.)
> 
> In X86QemuLoadImageLib, proceed to the legacy Linux/x86 Boot Protocol upon
> seeing EFI_ACCESS_DENIED too.
> 
> Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2785
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
> ---
> 
> Notes:
>     Repo:   https://pagure.io/lersek/edk2.git
>     Branch: x86_qlil_access_denied
> 
>  OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c | 14 ++++++++++----
>  1 file changed, 10 insertions(+), 4 deletions(-)
> 
> diff --git a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
> index ef753be7ea90..931553c0c1fb 100644
> --- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
> +++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
> @@ -319,13 +319,19 @@ QemuLoadKernelImage (
>      return EFI_NOT_FOUND;
>  
>    case EFI_SECURITY_VIOLATION:
> +    //
> +    // Since the image has been loaded, we need to unload it before proceeding
> +    // to the EFI_ACCESS_DENIED case below.
> +    //
> +    gBS->UnloadImage (KernelImageHandle);
> +    //
> +    // Fall through
> +    //
> +  case EFI_ACCESS_DENIED:
>      //
>      // We are running with UEFI secure boot enabled, and the image failed to
>      // authenticate. For compatibility reasons, we fall back to the legacy
> -    // loader in this case. Since the image has been loaded, we need to unload
> -    // it before proceeding
> -    //
> -    gBS->UnloadImage (KernelImageHandle);
> +    // loader in this case.
>      //
>      // Fall through
>      //
> 

Merged as commit dafce295e6f4 via
<https://github.com/tianocore/edk2/pull/671>.

Thanks!
Laszlo