From: "Nhi Pham"
Date: Fri, 28 Apr 2023 10:14:07 +0700
Subject: Re: [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action
To: "Yao, Jiewen", Nhi Pham, "devel@edk2.groups.io", "Wang, Jian J", "Xu, Min M"
Cc: "patches@amperecomputing.com"
Message-ID: <98293b9e-e9a5-8ddf-e7f4-6121d68961ce@amperemail.onmicrosoft.com>
References: <20230412092149.138221-1-nhi@os.amperecomputing.com>

Thanks Yao Jiewen for reviewing. I will make further investigation for other cases based on your findings.

In the meantime, could you help merge my patch?

-Nhi

On 4/27/2023 3:19 PM, Yao, Jiewen wrote:
> Thanks Nhi, for providing the fix.
>
> The UEFI specification (https://uefi.org/specs/UEFI/2.10/32_Secure_Boot_and_Driver_Signing.html) defines the error codes below.
>
> #define EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED 0x00000001
> #define EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED 0x00000002
> #define EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND 0x00000003
> #define EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND 0x00000004
>
> 1) EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED means
> An image certificate is in the forbidden database, or
> A digest of an image certificate is in the forbidden database, or
> The image signature check failed.
>
> However, the code only contains the below as the forbidden database check:
>
> if (IsForbiddenByDbx (AuthData, AuthDataSize)) {
>   Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED;
>   IsVerified = FALSE;
>   break;
> }
>
> The image signature check failure missed the Action. (remaining issue ?)
>
> 2) EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED means
> An image certificate is in the authorized database. (or)
> The image digest is in the authorized database.
>
> However, I cannot find the code to set the value in the code. (remaining issue ?)
>
> 3) EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND means
> the image certificate is not found in the authorized database, and
> the image digest is not in the authorized database.
>
> It is fixed in this patch. Thank you!
>
> 4) EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND means
> The image has at least one certificate, and the image digest is in the forbidden database.
>
> The code is there.
>
>
> Would you please double check if we have the remaining issues in 1) and 2)?
>
>
>
>
>> -----Original Message-----
>> From: Nhi Pham
>> Sent: Wednesday, April 12, 2023 5:22 PM
>> To: devel@edk2.groups.io; Yao, Jiewen; Wang, Jian J; Xu, Min M
>> Cc: patches@amperecomputing.com; Nhi Pham
>>
>> Subject: [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add
>> AUTH_SIG_NOT_FOUND Action
>>
>> Add the AUTH_SIG_NOT_FOUND Action to the Image Execution Info Table
>> when the Image is signed but signature is not allowed by DB and the
>> hash of image is not found in DB/DBX.
>>
>> This is documented in the UEFI spec 2.10, table 32.5.
>>
>> This issue is found by the SIE SCT with the error message as follows:
>> SecureBoot - TestImage1.bin in Image Execution Info Table with
>> SIG_NOT_FOUND. --FAILURE
>> B3A670AA-0FBA-48CA-9D01-0EE9700965A9
>> SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/
>> ImageLoadingBBTest.c:1079:Status Success
>>
>> Signed-off-by: Nhi Pham
>> ---
>> SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 1 +
>> 1 file changed, 1 insertion(+)
>> >> diff --git >> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c >> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c >> index b3d40c21e975..5d8dbd546879 100644 >> --- >> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c >> +++ >> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c >> @@ -1993,6 +1993,7 @@ DxeImageVerificationHandler ( >> if (!EFI_ERROR (DbStatus) && IsFound) { >> >> IsVerified = TRUE; >> >> } else { >> >> + Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND; >> >> DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but >> signature is not allowed by DB and %s hash of image is not found in >> DB/DBX.\n", mHashTypeStr)); >> >> } >> >> } >> >> -- >> 2.25.1
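Review bot: the if branch directly above the added line still leaves Action unset when the image hash is found in DB (it only sets IsVerified = TRUE;), although the spec's EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED covers exactly that outcome; setting Action = EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED; next to IsVerified = TRUE; would record both results of this DB lookup and address item 2) raised in the review. Note also that the new else-branch assignment is reached when DbStatus is an error as well as on a genuine miss, so a lookup failure is now reported as SIG_NOT_FOUND; if that is intended, a short comment beside the DEBUG message would make it explicit.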
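The four Action values quoted in the review, encoded as a decision over the individual database checks. This is an added illustration, not edk2 code: the struct fields and the function names are hypothetical, only signed images are classified, and the precedence of forbidden-database hits over authorized-database hits is an assumption rather than something the thread states.

```c
/* Added illustration (not edk2 code): map the outcome of the db/dbx checks
 * on one signed image to the UEFI 2.10 EFI_IMAGE_EXECUTION_AUTH_* Action.
 * Assumed: forbidden-database hits take precedence over authorized hits. */
#include <stdbool.h>
#include <stdint.h>

#define EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED     0x00000001
#define EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED     0x00000002
#define EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND  0x00000003
#define EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND      0x00000004

/* Results of the individual checks; hypothetical names, not edk2 variables. */
typedef struct {
  bool CertInDbx;         /* signer certificate, or its digest, is in dbx */
  bool SigCheckFailed;    /* a signature is present but does not verify   */
  bool CertInDb;          /* signer certificate chains to an entry in db  */
  bool ImageDigestInDb;   /* image hash is listed in db                   */
  bool ImageDigestInDbx;  /* image hash is listed in dbx                  */
} IMAGE_CHECK_RESULT;

uint32_t ClassifyImageAction (const IMAGE_CHECK_RESULT *R)
{
  /* 1) Forbidden certificate or failed signature check: SIG_FAILED. */
  if (R->CertInDbx || R->SigCheckFailed) {
    return EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED;
  }
  /* 4) Signed image whose own hash is in dbx: SIG_FOUND. */
  if (R->ImageDigestInDbx) {
    return EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND;
  }
  /* 2) Certificate or image hash in db: SIG_PASSED. */
  if (R->CertInDb || R->ImageDigestInDb) {
    return EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED;
  }
  /* 3) Neither certificate nor hash in db: SIG_NOT_FOUND, the case the patch sets. */
  return EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND;
}

/* Under the policy modelled here an image runs only when its Action is SIG_PASSED;
 * every other Action is still recorded in the Image Execution Info Table. */
bool ImageMayExecute (const IMAGE_CHECK_RESULT *R)
{
  return ClassifyImageAction (R) == EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED;
}
```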