* [PATCH v2 1/1] SecurityPkg/FvReportPei: Remove the ASSERT to allow neither M nor V
@ 2021-10-15 4:31 Guomin Jiang
From: Guomin Jiang @ 2021-10-15 4:31 UTC
To: devel; +Cc: Jiewen Yao, Jian J Wang
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2673
M means Measured Boot, V means Verified Boot.
FvReport does the following:
1. Do nothing if neither M nor V
2. Allocate pages to save the firmware volume and use it to install
firmware info Ppi
3. Install PreHashFv Ppi if the FV needs measurement.
4. Verify the hash if the FV needs verification
Notes:
1. The component is used to verify the FV or measure the FV
2. The copy action is just for security purposes, not the main purpose.
3. If you use this component, you don't need to copy in other components,
which results in time consumption.
Signed-off-by: Guomin Jiang <guomin.jiang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
---
SecurityPkg/FvReportPei/FvReportPei.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/SecurityPkg/FvReportPei/FvReportPei.c b/SecurityPkg/FvReportPei/FvReportPei.c
index 9f3ebd8ed174..6dce3298e3a2 100644
--- a/SecurityPkg/FvReportPei/FvReportPei.c
+++ b/SecurityPkg/FvReportPei/FvReportPei.c
@@ -150,10 +150,12 @@ VerifyHashedFv (
FvHashValue = HashValue;
for (FvIndex = 0; FvIndex < FvNumber; ++FvIndex) {
//
- // FV must be meant for verified boot and/or measured boot.
+ // Not meant for verified boot and/or measured boot?
//
- ASSERT ((FvInfo[FvIndex].Flag & HASHED_FV_FLAG_VERIFIED_BOOT) != 0 ||
- (FvInfo[FvIndex].Flag & HASHED_FV_FLAG_MEASURED_BOOT) != 0);
+ if ((FvInfo[FvIndex].Flag & HASHED_FV_FLAG_VERIFIED_BOOT) == 0 &&
+ (FvInfo[FvIndex].Flag & HASHED_FV_FLAG_MEASURED_BOOT) == 0) {
+ continue;
+ }
//
// Skip any FV not meant for current boot mode.
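Review bot: The continue that replaces the ASSERT in VerifyHashedFv skips an FV with neither HASHED_FV_FLAG_VERIFIED_BOOT nor HASHED_FV_FLAG_MEASURED_BOOT set without leaving any trace. An FvInfo entry whose Flag was cleared by mistake is then silently left unverified and unmeasured, where the removed ASSERT would have stopped a debug build. Consider a DEBUG message before the continue that reports FvIndex and FvInfo[FvIndex].Flag, so a skipped volume is visible in the boot log.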
--
2.30.0.windows.2
* Re: [PATCH v2 1/1] SecurityPkg/FvReportPei: Remove the ASSERT to allow neither M nor V
@ 2021-10-28 7:59 ` Wang, Jian J
From: Wang, Jian J @ 2021-10-28 7:59 UTC
To: Jiang, Guomin, devel@edk2.groups.io; +Cc: Yao, Jiewen
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Regards,
Jian
> -----Original Message-----
> From: Jiang, Guomin <guomin.jiang@intel.com>
> Sent: Friday, October 15, 2021 12:31 PM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>
> Subject: [PATCH v2 1/1] SecurityPkg/FvReportPei: Remove the ASSERT to allow
> neither M nor V
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2673
>
> M means Measured Boot, V means Verified Boot.
>
> FvReport does the following:
> 1. Do nothing if neither M nor V
> 2. Allocate pages to save the firmware volume and use it to install
> firmware info Ppi
> 3. Install PreHashFv Ppi if the FV needs measurement.
> 4. Verify the hash if the FV needs verification
>
> Notes:
> 1. The component is used to verify the FV or measure the FV
> 2. The copy action is just for security purposes, not the main purpose.
> 3. If you use this component, you don't need to copy in other components,
> which results in time consumption.
>
> Signed-off-by: Guomin Jiang <guomin.jiang@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> ---
> SecurityPkg/FvReportPei/FvReportPei.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/SecurityPkg/FvReportPei/FvReportPei.c
> b/SecurityPkg/FvReportPei/FvReportPei.c
> index 9f3ebd8ed174..6dce3298e3a2 100644
> --- a/SecurityPkg/FvReportPei/FvReportPei.c
> +++ b/SecurityPkg/FvReportPei/FvReportPei.c
> @@ -150,10 +150,12 @@ VerifyHashedFv (
> FvHashValue = HashValue;
> for (FvIndex = 0; FvIndex < FvNumber; ++FvIndex) {
> //
> - // FV must be meant for verified boot and/or measured boot.
> + // Not meant for verified boot and/or measured boot?
> //
> - ASSERT ((FvInfo[FvIndex].Flag & HASHED_FV_FLAG_VERIFIED_BOOT) != 0 ||
> - (FvInfo[FvIndex].Flag & HASHED_FV_FLAG_MEASURED_BOOT) != 0);
> + if ((FvInfo[FvIndex].Flag & HASHED_FV_FLAG_VERIFIED_BOOT) == 0 &&
> + (FvInfo[FvIndex].Flag & HASHED_FV_FLAG_MEASURED_BOOT) == 0) {
> + continue;
> + }
>
> //
> // Skip any FV not meant for current boot mode.
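Review bot: The new comment "Not meant for verified boot and/or measured boot?" is phrased as a question and keeps the "and/or" of the old assertion, while the condition under it is true only when both flags are clear. A statement in the same form as the next comment in the loop, for example "Skip any FV meant for neither verified boot nor measured boot.", would match what the code does.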
> --
> 2.30.0.windows.2