* [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action @ 2023-04-12 9:21 Nhi Pham 2023-04-14 5:18 ` Nhi Pham 2023-04-27 8:19 ` Yao, Jiewen 0 siblings, 2 replies; 10+ messages in thread From: Nhi Pham @ 2023-04-12 9:21 UTC (permalink / raw) To: devel, jiewen.yao, jian.j.wang, min.m.xu; +Cc: patches, Nhi Pham Add the AUTH_SIG_NOT_FOUND Action to the Image Execution Info Table when the Image is signed but signature is not allowed by DB and the hash of image is not found in DB/DBX. This is documented in the UEFI spec 2.10, table 32.5. This issue is found by the SIE SCT with the error message as follows: SecureBoot - TestImage1.bin in Image Execution Info Table with SIG_NOT_FOUND. --FAILURE B3A670AA-0FBA-48CA-9D01-0EE9700965A9 SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/ ImageLoadingBBTest.c:1079:Status Success Signed-off-by: Nhi Pham <nhi@os.amperecomputing.com> --- SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 1 + 1 file changed, 1 insertion(+) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c index b3d40c21e975..5d8dbd546879 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -1993,6 +1993,7 @@ DxeImageVerificationHandler ( if (!EFI_ERROR (DbStatus) && IsFound) { IsVerified = TRUE; } else { + Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND; DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature is not allowed by DB and %s hash of image is not found in DB/DBX.\n", mHashTypeStr)); } } -- 2.25.1 ^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action 2023-04-12 9:21 [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action Nhi Pham @ 2023-04-14 5:18 ` Nhi Pham 2023-04-18 23:20 ` [edk2-devel] " Min Xu 2023-04-27 8:19 ` Yao, Jiewen 1 sibling, 1 reply; 10+ messages in thread From: Nhi Pham @ 2023-04-14 5:18 UTC (permalink / raw) To: Nhi Pham, devel, jiewen.yao, jian.j.wang, min.m.xu; +Cc: patches Hi, Ping for reviewing. Let me know if I need anything for this patch. Thanks, Nhi On 4/12/2023 4:21 PM, Nhi Pham wrote: > Add the AUTH_SIG_NOT_FOUND Action to the Image Execution Info Table > when the Image is signed but signature is not allowed by DB and the > hash of image is not found in DB/DBX. > > This is documented in the UEFI spec 2.10, table 32.5. > > This issue is found by the SIE SCT with the error message as follows: > SecureBoot - TestImage1.bin in Image Execution Info Table with > SIG_NOT_FOUND. --FAILURE > B3A670AA-0FBA-48CA-9D01-0EE9700965A9 > SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/ > ImageLoadingBBTest.c:1079:Status Success > > Signed-off-by: Nhi Pham <nhi@os.amperecomputing.com> > --- > SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > index b3d40c21e975..5d8dbd546879 100644 > --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > @@ -1993,6 +1993,7 @@ DxeImageVerificationHandler ( > if (!EFI_ERROR (DbStatus) && IsFound) { > > IsVerified = TRUE; > > } else { > > + Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND; > > DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature is not allowed by DB and %s hash of image is not found in DB/DBX.\n", mHashTypeStr)); > > } > > } > ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action 2023-04-14 5:18 ` Nhi Pham @ 2023-04-18 23:20 ` Min Xu 2023-04-20 3:48 ` Nhi Pham 0 siblings, 1 reply; 10+ messages in thread From: Min Xu @ 2023-04-18 23:20 UTC (permalink / raw) To: devel@edk2.groups.io, nhi@os.amperecomputing.com, Yao, Jiewen, Wang, Jian J Cc: patches@amperecomputing.com On Friday, April 14, 2023 1:18 PM, Nhi Pham wrote: > Hi, > > Ping for reviewing. > > Let me know if I need anything for this patch. Do you test the change and what's the test result? Can you provide the validation result? Thanks Min ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action 2023-04-18 23:20 ` [edk2-devel] " Min Xu @ 2023-04-20 3:48 ` Nhi Pham 2023-04-26 7:54 ` Min Xu 0 siblings, 1 reply; 10+ messages in thread From: Nhi Pham @ 2023-04-20 3:48 UTC (permalink / raw) To: Xu, Min M, devel@edk2.groups.io, nhi@os.amperecomputing.com, Yao, Jiewen, Wang, Jian J Cc: patches@amperecomputing.com Hi Min, This SEI test passes: SecureBoot - TestImage2.bin in Image Execution Info Table with SIG_NOT_FOUND. -- PASS 00C3C2F2-39D5-4D35-B7E7-587CA0F3CB75 SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/ImageLoadingBBTest.c:1103:Status - Success The test image binary is different to the one in the commit message due to some bug fixes in the SEI test suite. The right test case to catch this bug is 00C3C2F2-39D5-4D35-B7E7-587CA0F3CB75 You can check the test code at https://github.com/ARM-software/bbr-acs/blob/main/bbsr/sct-tests/SecureBoot/BlackBoxTest/ImageLoadingBBTest.c Thanks, Nhi On 4/19/2023 6:20 AM, Xu, Min M wrote: > On Friday, April 14, 2023 1:18 PM, Nhi Pham wrote: >> Hi, >> >> Ping for reviewing. >> >> Let me know if I need anything for this patch. > Do you test the change and what's the test result? Can you provide the validation result? > > Thanks > Min ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action 2023-04-20 3:48 ` Nhi Pham @ 2023-04-26 7:54 ` Min Xu 2023-04-27 5:38 ` Nhi Pham 0 siblings, 1 reply; 10+ messages in thread From: Min Xu @ 2023-04-26 7:54 UTC (permalink / raw) To: Nhi Pham, devel@edk2.groups.io, nhi@os.amperecomputing.com, Yao, Jiewen, Wang, Jian J Cc: patches@amperecomputing.com It's good to me. Reviewed-by: Min Xu <min.m.xu@intel.com> Thanks > -----Original Message----- > From: Nhi Pham <nhi@amperemail.onmicrosoft.com> > Sent: Thursday, April 20, 2023 11:49 AM > To: Xu, Min M <min.m.xu@intel.com>; devel@edk2.groups.io; > nhi@os.amperecomputing.com; Yao, Jiewen <jiewen.yao@intel.com>; Wang, > Jian J <jian.j.wang@intel.com> > Cc: patches@amperecomputing.com > Subject: Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: > Add AUTH_SIG_NOT_FOUND Action > > Hi Min, > > This SEI test passes: > > SecureBoot - TestImage2.bin in Image Execution Info Table with > SIG_NOT_FOUND. -- PASS > 00C3C2F2-39D5-4D35-B7E7-587CA0F3CB75 > SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/ImageLoa > dingBBTest.c:1103:Status > - Success > > The test image binary is different to the one in the commit message due to some > bug fixes in the SEI test suite. The right test case to catch this bug is 00C3C2F2- > 39D5-4D35-B7E7-587CA0F3CB75 > > You can check the test code at > https://github.com/ARM-software/bbr-acs/blob/main/bbsr/sct- > tests/SecureBoot/BlackBoxTest/ImageLoadingBBTest.c > > Thanks, > > Nhi > > On 4/19/2023 6:20 AM, Xu, Min M wrote: > > On Friday, April 14, 2023 1:18 PM, Nhi Pham wrote: > >> Hi, > >> > >> Ping for reviewing. > >> > >> Let me know if I need anything for this patch. > > Do you test the change and what's the test result? Can you provide the > validation result? > > > > Thanks > > Min ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action 2023-04-26 7:54 ` Min Xu @ 2023-04-27 5:38 ` Nhi Pham 2023-04-27 5:46 ` Min Xu 0 siblings, 1 reply; 10+ messages in thread From: Nhi Pham @ 2023-04-27 5:38 UTC (permalink / raw) To: Xu, Min M, devel@edk2.groups.io, nhi@os.amperecomputing.com, Yao, Jiewen, Wang, Jian J, gaoliming Cc: patches@amperecomputing.com Thanks Min. Could you help merge this patch to edk2? Regards, Nhi On 4/26/2023 2:54 PM, Xu, Min M wrote: > It's good to me. > Reviewed-by: Min Xu <min.m.xu@intel.com> > > Thanks > >> -----Original Message----- >> From: Nhi Pham <nhi@amperemail.onmicrosoft.com> >> Sent: Thursday, April 20, 2023 11:49 AM >> To: Xu, Min M <min.m.xu@intel.com>; devel@edk2.groups.io; >> nhi@os.amperecomputing.com; Yao, Jiewen <jiewen.yao@intel.com>; Wang, >> Jian J <jian.j.wang@intel.com> >> Cc: patches@amperecomputing.com >> Subject: Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: >> Add AUTH_SIG_NOT_FOUND Action >> >> Hi Min, >> >> This SEI test passes: >> >> SecureBoot - TestImage2.bin in Image Execution Info Table with >> SIG_NOT_FOUND. -- PASS >> 00C3C2F2-39D5-4D35-B7E7-587CA0F3CB75 >> SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/ImageLoa >> dingBBTest.c:1103:Status >> - Success >> >> The test image binary is different to the one in the commit message due to some >> bug fixes in the SEI test suite. The right test case to catch this bug is 00C3C2F2- >> 39D5-4D35-B7E7-587CA0F3CB75 >> >> You can check the test code at >> https://github.com/ARM-software/bbr-acs/blob/main/bbsr/sct- >> tests/SecureBoot/BlackBoxTest/ImageLoadingBBTest.c >> >> Thanks, >> >> Nhi >> >> On 4/19/2023 6:20 AM, Xu, Min M wrote: >>> On Friday, April 14, 2023 1:18 PM, Nhi Pham wrote: >>>> Hi, >>>> >>>> Ping for reviewing. >>>> >>>> Let me know if I need anything for this patch. >>> Do you test the change and what's the test result? Can you provide the >> validation result? >>> Thanks >>> Min ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action 2023-04-27 5:38 ` Nhi Pham @ 2023-04-27 5:46 ` Min Xu 0 siblings, 0 replies; 10+ messages in thread From: Min Xu @ 2023-04-27 5:46 UTC (permalink / raw) To: devel@edk2.groups.io, nhi@os.amperecomputing.com, Yao, Jiewen, Wang, Jian J, Gao, Liming Cc: patches@amperecomputing.com Hi, Nhi Pham Yao, Jiewen and Wang, Jian are the maintainers of SecurityPkg. They can help to merge the patch if they have no concerns about the patch. > -----Original Message----- > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Nhi Pham > via groups.io > Sent: Thursday, April 27, 2023 1:38 PM > To: Xu, Min M <min.m.xu@intel.com>; devel@edk2.groups.io; > nhi@os.amperecomputing.com; Yao, Jiewen <jiewen.yao@intel.com>; Wang, > Jian J <jian.j.wang@intel.com>; Gao, Liming <gaoliming@byosoft.com.cn> > Cc: patches@amperecomputing.com > Subject: Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: > Add AUTH_SIG_NOT_FOUND Action > > Thanks Min. > > Could you help merge this patch to edk2? > > Regards, > > Nhi > > On 4/26/2023 2:54 PM, Xu, Min M wrote: > > It's good to me. > > Reviewed-by: Min Xu <min.m.xu@intel.com> > > > > Thanks > > > >> -----Original Message----- > >> From: Nhi Pham <nhi@amperemail.onmicrosoft.com> > >> Sent: Thursday, April 20, 2023 11:49 AM > >> To: Xu, Min M <min.m.xu@intel.com>; devel@edk2.groups.io; > >> nhi@os.amperecomputing.com; Yao, Jiewen <jiewen.yao@intel.com>; > Wang, > >> Jian J <jian.j.wang@intel.com> > >> Cc: patches@amperecomputing.com > >> Subject: Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: > >> Add AUTH_SIG_NOT_FOUND Action > >> > >> Hi Min, > >> > >> This SEI test passes: > >> > >> SecureBoot - TestImage2.bin in Image Execution Info Table with > >> SIG_NOT_FOUND. -- PASS > >> 00C3C2F2-39D5-4D35-B7E7-587CA0F3CB75 > >> > SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/Imag > >> eLoa > >> dingBBTest.c:1103:Status > >> - Success > >> > >> The test image binary is different to the one in the commit message > >> due to some bug fixes in the SEI test suite. The right test case to > >> catch this bug is 00C3C2F2- > >> 39D5-4D35-B7E7-587CA0F3CB75 > >> > >> You can check the test code at > >> https://github.com/ARM-software/bbr-acs/blob/main/bbsr/sct- > >> tests/SecureBoot/BlackBoxTest/ImageLoadingBBTest.c > >> > >> Thanks, > >> > >> Nhi > >> > >> On 4/19/2023 6:20 AM, Xu, Min M wrote: > >>> On Friday, April 14, 2023 1:18 PM, Nhi Pham wrote: > >>>> Hi, > >>>> > >>>> Ping for reviewing. > >>>> > >>>> Let me know if I need anything for this patch. > >>> Do you test the change and what's the test result? Can you provide > >>> the > >> validation result? > >>> Thanks > >>> Min > > > > ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action 2023-04-12 9:21 [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action Nhi Pham 2023-04-14 5:18 ` Nhi Pham @ 2023-04-27 8:19 ` Yao, Jiewen 2023-04-28 3:14 ` Nhi Pham 1 sibling, 1 reply; 10+ messages in thread From: Yao, Jiewen @ 2023-04-27 8:19 UTC (permalink / raw) To: Nhi Pham, devel@edk2.groups.io, Wang, Jian J, Xu, Min M Cc: patches@amperecomputing.com Thanks Nhi, to provide the fix. The UEFI specification (https://uefi.org/specs/UEFI/2.10/32_Secure_Boot_and_Driver_Signing.html) defines below error code. #define EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED 0x00000001 #define EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED 0x00000002 #define EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND 0x00000003 #define EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND 0x00000004 1) EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED means An image certificate is in the forbidden database, or A digest of an image certifcate is in the forbidden database, or The image signature check failed. However, the code only contains below as forbidden database check: if (IsForbiddenByDbx (AuthData, AuthDataSize)) { Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED; IsVerified = FALSE; break; } The image signature check fail missed the Action. (remaining issue ?) 2) EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED means An image certifcate is in authroized database. (or) The image digest is in the authorized database. However, I cannot find the code to set the value in the code. (remaining issue ?) 3) EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND means the image certificate is not found in the authorized database, and the image digest is not in the authorized database. It is fixed in this patch. Thank you! 4) EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND means The image has at least one certificate, and the image digest is in the forbidden database. The code is there. Would you please double check, if we have the remaining issue in 1) and 2)? > -----Original Message----- > From: Nhi Pham <nhi@os.amperecomputing.com> > Sent: Wednesday, April 12, 2023 5:22 PM > To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>; Wang, > Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com> > Cc: patches@amperecomputing.com; Nhi Pham > <nhi@os.amperecomputing.com> > Subject: [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add > AUTH_SIG_NOT_FOUND Action > > Add the AUTH_SIG_NOT_FOUND Action to the Image Execution Info Table > when the Image is signed but signature is not allowed by DB and the > hash of image is not found in DB/DBX. > > This is documented in the UEFI spec 2.10, table 32.5. > > This issue is found by the SIE SCT with the error message as follows: > SecureBoot - TestImage1.bin in Image Execution Info Table with > SIG_NOT_FOUND. --FAILURE > B3A670AA-0FBA-48CA-9D01-0EE9700965A9 > SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/ > ImageLoadingBBTest.c:1079:Status Success > > Signed-off-by: Nhi Pham <nhi@os.amperecomputing.com> > --- > SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 1 > + > 1 file changed, 1 insertion(+) > > diff --git > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > index b3d40c21e975..5d8dbd546879 100644 > --- > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > +++ > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > @@ -1993,6 +1993,7 @@ DxeImageVerificationHandler ( > if (!EFI_ERROR (DbStatus) && IsFound) { > > IsVerified = TRUE; > > } else { > > + Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND; > > DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but > signature is not allowed by DB and %s hash of image is not found in > DB/DBX.\n", mHashTypeStr)); > > } > > } > > -- > 2.25.1 ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action 2023-04-27 8:19 ` Yao, Jiewen @ 2023-04-28 3:14 ` Nhi Pham 2023-04-28 11:08 ` [edk2-devel] " Yao, Jiewen 0 siblings, 1 reply; 10+ messages in thread From: Nhi Pham @ 2023-04-28 3:14 UTC (permalink / raw) To: Yao, Jiewen, Nhi Pham, devel@edk2.groups.io, Wang, Jian J, Xu, Min M Cc: patches@amperecomputing.com Thanks Yao Jiewen for reviewing. I will make further investigation for other cases based on your findings. In the meantime, could you help merge my patch? -Nhi On 4/27/2023 3:19 PM, Yao, Jiewen wrote: > Thanks Nhi, to provide the fix. > > The UEFI specification (https://uefi.org/specs/UEFI/2.10/32_Secure_Boot_and_Driver_Signing.html) defines below error code. > > #define EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED 0x00000001 > #define EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED 0x00000002 > #define EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND 0x00000003 > #define EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND 0x00000004 > > 1) EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED means > An image certificate is in the forbidden database, or > A digest of an image certifcate is in the forbidden database, or > The image signature check failed. > > However, the code only contains below as forbidden database check: > > if (IsForbiddenByDbx (AuthData, AuthDataSize)) { > Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED; > IsVerified = FALSE; > break; > } > > The image signature check fail missed the Action. (remaining issue ?) > > 2) EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED means > An image certifcate is in authroized database. (or) > The image digest is in the authorized database. > > However, I cannot find the code to set the value in the code. (remaining issue ?) > > 3) EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND means > the image certificate is not found in the authorized database, and > the image digest is not in the authorized database. > > It is fixed in this patch. Thank you! > > 4) EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND means > The image has at least one certificate, and the image digest is in the forbidden database. > > The code is there. > > > Would you please double check, if we have the remaining issue in 1) and 2)? > > > > >> -----Original Message----- >> From: Nhi Pham <nhi@os.amperecomputing.com> >> Sent: Wednesday, April 12, 2023 5:22 PM >> To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>; Wang, >> Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com> >> Cc: patches@amperecomputing.com; Nhi Pham >> <nhi@os.amperecomputing.com> >> Subject: [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add >> AUTH_SIG_NOT_FOUND Action >> >> Add the AUTH_SIG_NOT_FOUND Action to the Image Execution Info Table >> when the Image is signed but signature is not allowed by DB and the >> hash of image is not found in DB/DBX. >> >> This is documented in the UEFI spec 2.10, table 32.5. >> >> This issue is found by the SIE SCT with the error message as follows: >> SecureBoot - TestImage1.bin in Image Execution Info Table with >> SIG_NOT_FOUND. --FAILURE >> B3A670AA-0FBA-48CA-9D01-0EE9700965A9 >> SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/ >> ImageLoadingBBTest.c:1079:Status Success >> >> Signed-off-by: Nhi Pham <nhi@os.amperecomputing.com> >> --- >> SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 1 >> + >> 1 file changed, 1 insertion(+) >> >> diff --git >> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c >> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c >> index b3d40c21e975..5d8dbd546879 100644 >> --- >> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c >> +++ >> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c >> @@ -1993,6 +1993,7 @@ DxeImageVerificationHandler ( >> if (!EFI_ERROR (DbStatus) && IsFound) { >> >> IsVerified = TRUE; >> >> } else { >> >> + Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND; >> >> DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but >> signature is not allowed by DB and %s hash of image is not found in >> DB/DBX.\n", mHashTypeStr)); >> >> } >> >> } >> >> -- >> 2.25.1 ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action 2023-04-28 3:14 ` Nhi Pham @ 2023-04-28 11:08 ` Yao, Jiewen 0 siblings, 0 replies; 10+ messages in thread From: Yao, Jiewen @ 2023-04-28 11:08 UTC (permalink / raw) To: devel@edk2.groups.io, nhi@os.amperecomputing.com, Wang, Jian J, Xu, Min M Cc: patches@amperecomputing.com Sure. This patch is merged https://github.com/tianocore/edk2/pull/4321. Thanks for the contribution. Look forward to your investigation result. > -----Original Message----- > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Nhi > Pham via groups.io > Sent: Friday, April 28, 2023 11:14 AM > To: Yao, Jiewen <jiewen.yao@intel.com>; Nhi Pham > <nhi@os.amperecomputing.com>; devel@edk2.groups.io; Wang, Jian J > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com> > Cc: patches@amperecomputing.com > Subject: Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: > Add AUTH_SIG_NOT_FOUND Action > > Thanks Yao Jiewen for reviewing. I will make further investigation for > other cases based on your findings. > > In the meantime, could you help merge my patch? > > -Nhi > > On 4/27/2023 3:19 PM, Yao, Jiewen wrote: > > Thanks Nhi, to provide the fix. > > > > The UEFI specification > (https://uefi.org/specs/UEFI/2.10/32_Secure_Boot_and_Driver_Signing.html) > defines below error code. > > > > #define EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED 0x00000001 > > #define EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED 0x00000002 > > #define EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND 0x00000003 > > #define EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND 0x00000004 > > > > 1) EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED means > > An image certificate is in the forbidden database, or > > A digest of an image certifcate is in the forbidden database, or > > The image signature check failed. > > > > However, the code only contains below as forbidden database check: > > > > if (IsForbiddenByDbx (AuthData, AuthDataSize)) { > > Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED; > > IsVerified = FALSE; > > break; > > } > > > > The image signature check fail missed the Action. (remaining issue ?) > > > > 2) EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED means > > An image certifcate is in authroized database. (or) > > The image digest is in the authorized database. > > > > However, I cannot find the code to set the value in the code. (remaining > issue ?) > > > > 3) EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND means > > the image certificate is not found in the authorized database, and > > the image digest is not in the authorized database. > > > > It is fixed in this patch. Thank you! > > > > 4) EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND means > > The image has at least one certificate, and the image digest is in the > forbidden database. > > > > The code is there. > > > > > > Would you please double check, if we have the remaining issue in 1) and 2)? > > > > > > > > > >> -----Original Message----- > >> From: Nhi Pham <nhi@os.amperecomputing.com> > >> Sent: Wednesday, April 12, 2023 5:22 PM > >> To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>; Wang, > >> Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com> > >> Cc: patches@amperecomputing.com; Nhi Pham > >> <nhi@os.amperecomputing.com> > >> Subject: [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add > >> AUTH_SIG_NOT_FOUND Action > >> > >> Add the AUTH_SIG_NOT_FOUND Action to the Image Execution Info > Table > >> when the Image is signed but signature is not allowed by DB and the > >> hash of image is not found in DB/DBX. > >> > >> This is documented in the UEFI spec 2.10, table 32.5. > >> > >> This issue is found by the SIE SCT with the error message as follows: > >> SecureBoot - TestImage1.bin in Image Execution Info Table with > >> SIG_NOT_FOUND. --FAILURE > >> B3A670AA-0FBA-48CA-9D01-0EE9700965A9 > >> SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/ > >> ImageLoadingBBTest.c:1079:Status Success > >> > >> Signed-off-by: Nhi Pham <nhi@os.amperecomputing.com> > >> --- > >> SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > | 1 > >> + > >> 1 file changed, 1 insertion(+) > >> > >> diff --git > >> > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > >> > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > >> index b3d40c21e975..5d8dbd546879 100644 > >> --- > >> > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > >> +++ > >> > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > >> @@ -1993,6 +1993,7 @@ DxeImageVerificationHandler ( > >> if (!EFI_ERROR (DbStatus) && IsFound) { > >> > >> IsVerified = TRUE; > >> > >> } else { > >> > >> + Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND; > >> > >> DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed > but > >> signature is not allowed by DB and %s hash of image is not found in > >> DB/DBX.\n", mHashTypeStr)); > >> > >> } > >> > >> } > >> > >> -- > >> 2.25.1 > > > > ^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2023-04-28 11:08 UTC | newest] Thread overview: 10+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2023-04-12 9:21 [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action Nhi Pham 2023-04-14 5:18 ` Nhi Pham 2023-04-18 23:20 ` [edk2-devel] " Min Xu 2023-04-20 3:48 ` Nhi Pham 2023-04-26 7:54 ` Min Xu 2023-04-27 5:38 ` Nhi Pham 2023-04-27 5:46 ` Min Xu 2023-04-27 8:19 ` Yao, Jiewen 2023-04-28 3:14 ` Nhi Pham 2023-04-28 11:08 ` [edk2-devel] " Yao, Jiewen
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox