From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-1.mimecast.com (us-smtp-delivery-1.mimecast.com [205.139.110.61]) by mx.groups.io with SMTP id smtpd.web09.339.1580490047611609639 for ; Fri, 31 Jan 2020 09:00:47 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Am3r+moh; spf=pass (domain: redhat.com, ip: 205.139.110.61, mailfrom: lersek@redhat.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1580490046; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=h+wlLGcQRjalcom9eSKzRWLl/QDriXyaZmDAS37vs30=; b=Am3r+mohzOGic6DtWHsI2daakkx5JqrPvs6+IzPJCIXupI6zyC3j/50/9InMOCSY81c9lF LGvwGFt+6FfmhK3K/EOkkas6X9YOFYMAgi6uIYUtnH8ybxYixtbcm2/LmUpCd4TAYfBjZx n21OFbYOnyJR3J3AjU4Hf079h+4wmnk= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-278-lQzWYh_LNa6HLFnXNwsJ6g-1; Fri, 31 Jan 2020 12:00:42 -0500 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 747C213E2; Fri, 31 Jan 2020 17:00:41 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-99.ams2.redhat.com [10.36.116.99]) by smtp.corp.redhat.com (Postfix) with ESMTP id 40E8887B07; Fri, 31 Jan 2020 17:00:40 +0000 (UTC) Subject: Re: [edk2-devel] [PATCH 00/11] SecurityPkg/DxeImageVerificationHandler: fix retval for "deny" policy To: "Kinney, Michael D" , "devel@edk2.groups.io" Cc: "Zhang, Chao B" , "Wang, Jian J" , "Yao, Jiewen" References: <20200116190705.18816-1-lersek@redhat.com> <45017d12-10e1-8a9b-2997-c8fa42fc1049@redhat.com> From: "Laszlo Ersek" Message-ID: <75ea6a41-96e3-4526-1158-6e3cd83c2767@redhat.com> Date: Fri, 31 Jan 2020 18:00:39 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-MC-Unique: lQzWYh_LNa6HLFnXNwsJ6g-1 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit On 01/31/20 17:31, Kinney, Michael D wrote: > Laszlo, > > I think a new BZ is a good idea. I am sure there is more > history here and more discussion required on this invalid > policy PCD setting case. > > I would also like to see a DEBUG() message or even better > a REPORT_STATUS_CODE() for an invalid policy PCD setting > and I would like platform policy to decide if the platform > should deadloop or continue with EFI_ACCESS_DENIED. By > putting the deadloop in this function, it takes away the > option for the platform to make that decision. > > I also find ASSERT(FALSE) harder to triage. I prefer the > debug log to provide some indication of the cause of the > assert. Then I can go look up the file/line number for > more context. OK. I'll abandon the patch, and only open a BZ with this information. It's best if the SecurityPkg reviewers evaluate it carefully. Thanks! Laszlo