From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-1.mimecast.com (us-smtp-delivery-1.mimecast.com [207.211.31.81]) by mx.groups.io with SMTP id smtpd.web10.17608.1591567764535139352 for ; Sun, 07 Jun 2020 15:09:25 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=JnLnkUNU; spf=pass (domain: redhat.com, ip: 207.211.31.81, mailfrom: philmd@redhat.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1591567763; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:autocrypt:autocrypt; bh=XzJP/addMAJ/BgUisxAJs3AGnTy9kNyJeLVe2vXkA34=; b=JnLnkUNUrvY+6sLiwcXr1uoA5PULeLWDoiqgiT81BAd5e3QYDy8lt3S9Z/2Piq/L0IK4ZD EGEKMKEUs4YmPAZLLxlhlbY5BjlOB9i4jF2lTvwfyBnmnKumEmn9ziiinFQJ0hqa+cCBwz R9L9mVKmddMWzCDoGVBos5KEy7IVVRk= Received: from mail-wr1-f72.google.com (mail-wr1-f72.google.com [209.85.221.72]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-345-Gr2JzZXeMgya0OfHNkxgbA-1; Sun, 07 Jun 2020 18:09:17 -0400 X-MC-Unique: Gr2JzZXeMgya0OfHNkxgbA-1 Received: by mail-wr1-f72.google.com with SMTP id r5so6371867wrt.9 for ; Sun, 07 Jun 2020 15:09:16 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:autocrypt :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=XzJP/addMAJ/BgUisxAJs3AGnTy9kNyJeLVe2vXkA34=; b=Fl1mCBx9Czow6/7bTtPLVSeLzveF7FXW5ApalMxPSMRmLRM/nK+vLx8pMXeOkpe1Mw 9YdYXIIyzaiTNpc9kvPxLQVsgNxEXRWxxdnOhDEhZF/YA7MowmdqqnmTmABcvQE22Dyo 3prLJi+Iiz9crXEqmKGxSjwr+XliH7S9U6/6SFj5HwWl/flvzISqZy6cH9iD6W/EJXrS X96Bjf/woWwWPE/ArKMtHjKRNbpUYqr/nU38I+hIvm3z133lnuekRrVOrs0KboqZbA6U dF+m+5FYXZxvEmHqdDa5R/HAD1QFm+Av1kzY6hWnOGuH3WZ6tJ3iS5eeCZg3u+g47N21 d1Zg== X-Gm-Message-State: AOAM530fFK7LmMAB5dxfCreDGPGt+0Kj88BVxhdsXcDv1XUnoi9GVSJ2 iDQYomdsdUNEyO1MLWS2d+lAnIv7DKnMQyAoIqhN/90MUz20MDv1y9Nw+n8QYjOaczR3PDUB7TA nYJRGktrJXhEBHA== X-Received: by 2002:a1c:2d83:: with SMTP id t125mr5347038wmt.187.1591567755951; Sun, 07 Jun 2020 15:09:15 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxw9dU4G9eoS8e1XPndHdkmUPeUl1H7rrJtMhMgTqYJB3vx4bk1bMKc9In6mqGPGPEiaJPQdg== X-Received: by 2002:a1c:2d83:: with SMTP id t125mr5347023wmt.187.1591567755770; Sun, 07 Jun 2020 15:09:15 -0700 (PDT) Return-Path: Received: from [192.168.1.43] (181.red-88-10-103.dynamicip.rima-tde.net. [88.10.103.181]) by smtp.gmail.com with ESMTPSA id a14sm22765966wrv.20.2020.06.07.15.09.14 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 07 Jun 2020 15:09:15 -0700 (PDT) Subject: Re: [PATCH] OvmfPkg/X86QemuLoadImageLib: handle EFI_ACCESS_DENIED from LoadImage() To: Laszlo Ersek , edk2-devel-groups-io Cc: Ard Biesheuvel , Jordan Justen References: <20200605235242.32442-1-lersek@redhat.com> From: =?UTF-8?B?UGhpbGlwcGUgTWF0aGlldS1EYXVkw6k=?= Autocrypt: addr=philmd@redhat.com; keydata= mQINBDXML8YBEADXCtUkDBKQvNsQA7sDpw6YLE/1tKHwm24A1au9Hfy/OFmkpzo+MD+dYc+7 bvnqWAeGweq2SDq8zbzFZ1gJBd6+e5v1a/UrTxvwBk51yEkadrpRbi+r2bDpTJwXc/uEtYAB GvsTZMtiQVA4kRID1KCdgLa3zztPLCj5H1VZhqZsiGvXa/nMIlhvacRXdbgllPPJ72cLUkXf z1Zu4AkEKpccZaJspmLWGSzGu6UTZ7UfVeR2Hcc2KI9oZB1qthmZ1+PZyGZ/Dy+z+zklC0xl XIpQPmnfy9+/1hj1LzJ+pe3HzEodtlVA+rdttSvA6nmHKIt8Ul6b/h1DFTmUT1lN1WbAGxmg CH1O26cz5nTrzdjoqC/b8PpZiT0kO5MKKgiu5S4PRIxW2+RA4H9nq7nztNZ1Y39bDpzwE5Sp bDHzd5owmLxMLZAINtCtQuRbSOcMjZlg4zohA9TQP9krGIk+qTR+H4CV22sWldSkVtsoTaA2 qNeSJhfHQY0TyQvFbqRsSNIe2gTDzzEQ8itsmdHHE/yzhcCVvlUzXhAT6pIN0OT+cdsTTfif MIcDboys92auTuJ7U+4jWF1+WUaJ8gDL69ThAsu7mGDBbm80P3vvUZ4fQM14NkxOnuGRrJxO qjWNJ2ZUxgyHAh5TCxMLKWZoL5hpnvx3dF3Ti9HW2dsUUWICSQARAQABtDJQaGlsaXBwZSBN YXRoaWV1LURhdWTDqSAoUGhpbCkgPHBoaWxtZEByZWRoYXQuY29tPokCVQQTAQgAPwIbDwYL CQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQSJweePYB7obIZ0lcuio/1u3q3A3gUCXsfWwAUJ KtymWgAKCRCio/1u3q3A3ircD/9Vjh3aFNJ3uF3hddeoFg1H038wZr/xi8/rX27M1Vj2j9VH 0B8Olp4KUQw/hyO6kUxqkoojmzRpmzvlpZ0cUiZJo2bQIWnvScyHxFCv33kHe+YEIqoJlaQc JfKYlbCoubz+02E2A6bFD9+BvCY0LBbEj5POwyKGiDMjHKCGuzSuDRbCn0Mz4kCa7nFMF5Jv piC+JemRdiBd6102ThqgIsyGEBXuf1sy0QIVyXgaqr9O2b/0VoXpQId7yY7OJuYYxs7kQoXI 6WzSMpmuXGkmfxOgbc/L6YbzB0JOriX0iRClxu4dEUg8Bs2pNnr6huY2Ft+qb41RzCJvvMyu gS32LfN0bTZ6Qm2A8ayMtUQgnwZDSO23OKgQWZVglGliY3ezHZ6lVwC24Vjkmq/2yBSLakZE 6DZUjZzCW1nvtRK05ebyK6tofRsx8xB8pL/kcBb9nCuh70aLR+5cmE41X4O+MVJbwfP5s/RW 9BFSL3qgXuXso/3XuWTQjJJGgKhB6xXjMmb1J4q/h5IuVV4juv1Fem9sfmyrh+Wi5V1IzKI7 RPJ3KVb937eBgSENk53P0gUorwzUcO+ASEo3Z1cBKkJSPigDbeEjVfXQMzNt0oDRzpQqH2vp apo2jHnidWt8BsckuWZpxcZ9+/9obQ55DyVQHGiTN39hkETy3Emdnz1JVHTU0Q== Message-ID: <51b375be-4707-3e9d-1107-059ada520693@redhat.com> Date: Mon, 8 Jun 2020 00:09:13 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0 MIME-Version: 1.0 In-Reply-To: <20200605235242.32442-1-lersek@redhat.com> X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit On 6/6/20 1:52 AM, Laszlo Ersek wrote: > When an image fails Secure Boot validation, LoadImage() returns > EFI_SECURITY_VIOLATION if the platform policy is > DEFER_EXECUTE_ON_SECURITY_VIOLATION. > > If the platform policy is DENY_EXECUTE_ON_SECURITY_VIOLATION, then > LoadImage() returns EFI_ACCESS_DENIED (and the image does not remain > loaded). > > (Before , this > difference would be masked, as DxeImageVerificationLib would incorrectly > return EFI_SECURITY_VIOLATION for DENY_EXECUTE_ON_SECURITY_VIOLATION as > well.) > > In X86QemuLoadImageLib, proceed to the legacy Linux/x86 Boot Protocol upon > seeing EFI_ACCESS_DENIED too. > > Cc: Ard Biesheuvel > Cc: Jordan Justen > Cc: Philippe Mathieu-Daudé > Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2785 > Signed-off-by: Laszlo Ersek > --- > > Notes: > Repo: https://pagure.io/lersek/edk2.git > Branch: x86_qlil_access_denied > > OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c | 14 ++++++++++---- > 1 file changed, 10 insertions(+), 4 deletions(-) > > diff --git a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c > index ef753be7ea90..931553c0c1fb 100644 > --- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c > +++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c > @@ -319,13 +319,19 @@ QemuLoadKernelImage ( > return EFI_NOT_FOUND; > > case EFI_SECURITY_VIOLATION: > + // > + // Since the image has been loaded, we need to unload it before proceeding > + // to the EFI_ACCESS_DENIED case below. > + // > + gBS->UnloadImage (KernelImageHandle); > + // > + // Fall through Nice catch. Reviewed-by: Philippe Mathieu-Daude > + // > + case EFI_ACCESS_DENIED: > // > // We are running with UEFI secure boot enabled, and the image failed to > // authenticate. For compatibility reasons, we fall back to the legacy > - // loader in this case. Since the image has been loaded, we need to unload > - // it before proceeding > - // > - gBS->UnloadImage (KernelImageHandle); > + // loader in this case. > // > // Fall through > // >