Subject: Re: [edk2-devel] [PATCH 00/11] SecurityPkg/DxeImageVerificationHandler: fix retval for "deny" policy
From: "Laszlo Ersek"
To: "Kinney, Michael D", "devel@edk2.groups.io"
Cc: "Zhang, Chao B", "Wang, Jian J", "Yao, Jiewen"
References: <20200116190705.18816-1-lersek@redhat.com> <45017d12-10e1-8a9b-2997-c8fa42fc1049@redhat.com>
Message-ID: <7e45e0d5-31dd-8d7e-338f-545d17572aa2@redhat.com>
Date: Fri, 31 Jan 2020 11:01:41 +0100

On 01/31/20 10:28, Laszlo Ersek wrote:
> Hi Mike,
>
> On 01/31/20 09:12, Laszlo Ersek wrote:
>
>> So let me push this series as-is for TianoCore#2129, with your R-b
>> applied.
>
> My pull request (with the "push" label set) seems to have stalled. The
> checks have passed (twice -- I closed and reopened the PR once, to
> re-trigger mergify), but the branch is not being merged.
>
> https://github.com/tianocore/edk2/pull/324

BTW, here are the changes between the posted & reviewed series, and the
pull request:

- I had to replace an EFI_D_INFO macro with DEBUG_INFO, due to checkpatch
  complaints. (The macro is not introduced anew, it is touched only by
  un-indenting.)

- Normal administrativa (picked up R-b tags and Message-Id's, and noted
  Mike substituting for the SecurityPkg reviewers during the CNY
  holidays)

See the git-range-diff output after my sig.

Thanks,
Laszlo

1: 71155b00b2b7 ! 1: 4c8cd26ce423 SecurityPkg/DxeImageVerificationHandler: simplify "VerifyStatus" @@ -19,6 +19,11 @@ Cc: Jiewen Yao Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129 Signed-off-by: Laszlo Ersek + Message-Id: <20200116190705.18816-2-lersek@redhat.com> + Reviewed-by: Michael D Kinney + [lersek@redhat.com: push with Mike's R-b due to Chinese New Year + Holiday: ; msgid + ] 
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c 2: 9ad18d2e3adb ! 2: f04114b6d6b2 SecurityPkg/DxeImageVerificationHandler: remove "else" after return/break @@ -45,6 +45,11 @@ Cc: Jiewen Yao Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129 Signed-off-by: Laszlo Ersek + Message-Id: <20200116190705.18816-3-lersek@redhat.com> + Reviewed-by: Michael D Kinney + [lersek@redhat.com: push with Mike's R-b due to Chinese New Year + Holiday: ; msgid + ] diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c 3: e211153f9a32 ! 3: da0e0dfc67c4 SecurityPkg/DxeImageVerificationHandler: keep PE/COFF info status internal @@ -35,6 +35,11 @@ Cc: Jiewen Yao Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129 Signed-off-by: Laszlo Ersek + Message-Id: <20200116190705.18816-4-lersek@redhat.com> + Reviewed-by: Michael D Kinney + [lersek@redhat.com: push with Mike's R-b due to Chinese New Year + Holiday: ; msgid + ] diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c 4: 3ad36b80defa ! 4: d930abc95422 SecurityPkg/DxeImageVerificationHandler: narrow down PE/COFF hash status @@ -26,6 +26,11 @@ Cc: Jiewen Yao Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129 Signed-off-by: Laszlo Ersek + Message-Id: <20200116190705.18816-5-lersek@redhat.com> + Reviewed-by: Michael D Kinney + [lersek@redhat.com: push with Mike's R-b due to Chinese New Year + Holiday: ; msgid + ] 
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c 5: 379ac43e909b ! 5: 91b24a413440 SecurityPkg/DxeImageVerificationHandler: fix retval on memalloc failure @@ -21,6 +21,11 @@ Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129 Fixes: 570b3d1a7278df29878da87990e8366bd42d0ec5 Signed-off-by: Laszlo Ersek + Message-Id: <20200116190705.18816-6-lersek@redhat.com> + Reviewed-by: Michael D Kinney + [lersek@redhat.com: push with Mike's R-b due to Chinese New Year + Holiday: ; msgid + ] diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c 6: c53a99ceb9f2 ! 6: 937d1c73965e SecurityPkg/DxeImageVerificationHandler: remove superfluous Status setting @@ -13,6 +13,11 @@ Cc: Jiewen Yao Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129 Signed-off-by: Laszlo Ersek + Message-Id: <20200116190705.18816-7-lersek@redhat.com> + Reviewed-by: Michael D Kinney + [lersek@redhat.com: push with Mike's R-b due to Chinese New Year + Holiday: ; msgid + ] diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c 7: c259648bbb30 ! 7: be0040ffa6cf SecurityPkg/DxeImageVerificationHandler: unnest AddImageExeInfo() call @@ -20,6 +20,12 @@ Cc: Jiewen Yao Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129 
Signed-off-by: Laszlo Ersek + Message-Id: <20200116190705.18816-8-lersek@redhat.com> + Reviewed-by: Michael D Kinney + [lersek@redhat.com: replace EFI_D_INFO w/ DEBUG_INFO for PatchCheck.py] + [lersek@redhat.com: push with Mike's R-b due to Chinese New Year + Holiday: ; msgid + ] diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -101,7 +107,7 @@ + NameStr = ConvertDevicePathToText (File, FALSE, TRUE); + AddImageExeInfo (Action, NameStr, File, SignatureList, SignatureListSize); + if (NameStr != NULL) { -+ DEBUG((EFI_D_INFO, "The image doesn't pass verification: %s\n", NameStr)); ++ DEBUG ((DEBUG_INFO, "The image doesn't pass verification: %s\n", NameStr)); + FreePool(NameStr); } + Status = EFI_SECURITY_VIOLATION; 8: ca43b52bbd96 ! 8: feffd6bfd886 SecurityPkg/DxeImageVerificationHandler: eliminate "Status" variable @@ -17,6 +17,11 @@ Cc: Jiewen Yao Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129 Signed-off-by: Laszlo Ersek + Message-Id: <20200116190705.18816-9-lersek@redhat.com> + Reviewed-by: Michael D Kinney + [lersek@redhat.com: push with Mike's R-b due to Chinese New Year + Holiday: ; msgid + ] diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -38,7 +43,7 @@ @@ - DEBUG((EFI_D_INFO, "The image doesn't pass verification: %s\n", NameStr)); + DEBUG ((DEBUG_INFO, "The image doesn't pass verification: %s\n", NameStr)); FreePool(NameStr); } - Status = EFI_SECURITY_VIOLATION; 9: 22edc076c210 ! 9: 116742d3de8f SecurityPkg/DxeImageVerificationHandler: fix retval for (FileBuffer==NULL) 
@@ -21,6 +21,11 @@ Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129 Fixes: 570b3d1a7278df29878da87990e8366bd42d0ec5 Signed-off-by: Laszlo Ersek + Message-Id: <20200116190705.18816-10-lersek@redhat.com> + Reviewed-by: Michael D Kinney + [lersek@redhat.com: push with Mike's R-b due to Chinese New Year + Holiday: ; msgid + ] diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c 10: e0b5e3b25eff ! 10: b73c1a576b78 SecurityPkg/DxeImageVerificationHandler: fix imgexec info on memalloc fail @@ -28,6 +28,11 @@ Cc: Jiewen Yao Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129 Signed-off-by: Laszlo Ersek + Message-Id: <20200116190705.18816-11-lersek@redhat.com> + Reviewed-by: Michael D Kinney + [lersek@redhat.com: push with Mike's R-b due to Chinese New Year + Holiday: ; msgid + ] diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c 11: 60363427926f ! 11: 1493b3ebadca SecurityPkg/DxeImageVerificationHandler: fix "defer" vs. "deny" policies @@ -37,6 +37,11 @@ Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129 Fixes: 5db28a6753d307cdfb1cfdeb2f63739a9f959837 Signed-off-by: Laszlo Ersek + Message-Id: <20200116190705.18816-12-lersek@redhat.com> + Reviewed-by: Michael D Kinney + [lersek@redhat.com: push with Mike's R-b due to Chinese New Year + Holiday: ; msgid + ] diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
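
Review bot: In patch 7's hunk (unnest AddImageExeInfo() call), the "The image doesn't pass verification" DEBUG message sits inside `if (NameStr != NULL)`, so when ConvertDevicePathToText() yields NULL the rejection still goes to AddImageExeInfo() but nothing is logged. Consider emitting a DEBUG_INFO line unconditionally (omitting the name when it is unavailable) and keeping only the FreePool() call under the NULL check. As a style point on the same lines: the reworked call now reads `DEBUG ((DEBUG_INFO, ...`, while `FreePool(NameStr);` directly below it still has no space before the parenthesis.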