From: "Zmuda, Wojciech"
To: "edk2-devel@lists.01.org"
Date: Mon, 16 Oct 2017 16:57:53 +0000
Subject: SecurityPkg: untrusted OptionRom is loaded despite DENY_EXECUTE_ON_SECURITY_VIOLATION set.

Hello,

I'd like to ask you for help with understanding the Secure Boot policy mechanism, specifically DENY_EXECUTE_ON_SECURITY_VIOLATION for PcdOptionRomImageVerificationPolicy. The OptionROM in my setup is loaded while, in my opinion, it should be rejected.

I'm testing the following scenario: Secure Boot is enabled with my own PK and KEK enrolled, but with no db, to make sure nothing unsigned or signed by somebody else but me can be executed. A PCIe card with OptionROM (some EBC code) is installed. gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy is set to 0x04 in my platform's package. What I expect is the OptionROM execution being denied, as it is not signed by my certificate. What I observe, on the other hand, is a message on the console that no EBC interpreter is found, which suggests that the OptionROM is loaded, it just fails at the execution of EBC. The same message is printed when Secure Boot is disabled.

I tried to understand the code by stepping through it in the DS-5.
The following part of SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c seems suspicious to me:

    SecurityStatus = gSecurity->FileAuthenticationState (
                                  gSecurity,
                                  AuthenticationStatus,
                                  OriginalFilePath
                                  );
  }

  //
  // Check Security Status.
  //
  if (EFI_ERROR (SecurityStatus) && SecurityStatus != EFI_SECURITY_VIOLATION) {
    if (SecurityStatus == EFI_ACCESS_DENIED) {
      //
      // Image was not loaded because the platform policy prohibits the image from being loaded.
      // It's the only place we could meet EFI_ACCESS_DENIED.
      //
      *ImageHandle = NULL;
    }
    Status = SecurityStatus;
    Image = NULL;
    goto Done;
  }

The return code of gSecurity->FileAuthenticationState () (which is implemented in MdeModulePkg/Core/Dxe/Image/Image.c:DxeImageVerificationHandler ()) is EFI_SECURITY_VIOLATION. Such a return code skips this if-statement, which prevents the image from being loaded. According to the comment in the if-statement, for the policy to be respected, gSecurity->FileAuthenticationState () should return EFI_ACCESS_DENIED.

That being said, I stepped through DxeImageVerificationHandler (). The PCD with OptionROM policy is checked correctly. The function handles ALWAYS_EXECUTE and NEVER_EXECUTE policies properly and hangs on QUERY_USER_ and ALLOW_EXECUTE_ON_SECURITY_VIOLATION. This seems fine; however, there is no code handling the DENY_EXECUTE_ON_SECURITY_VIOLATION (0x04) case.
Stepping through this function shows that the image to be loaded cannot be found in the db (correct, as there's no db). Then, the function jumps to its very end and returns EFI_SECURITY_VIOLATION, which skips the aforementioned if-statement:

Done:
  if (Status != EFI_SUCCESS) {
    //
    // Policy decides to defer or reject the image; add its information in image executable information table.
    //
    NameStr = ConvertDevicePathToText (File, FALSE, TRUE);
    AddImageExeInfo (Action, NameStr, File, SignatureList, SignatureListSize);
    if (NameStr != NULL) {
      DEBUG((EFI_D_INFO, "The image doesn't pass verification: %s\n", NameStr));
      FreePool(NameStr);
    }
    Status = EFI_SECURITY_VIOLATION;
  }

  if (SignatureList != NULL) {
    FreePool (SignatureList);
  }

  return Status;
}

Is there anything I'm doing wrong trying to prevent untrusted OptionROM execution? If my understanding is correct, my case should make DxeImageVerificationHandler () return EFI_ACCESS_DENIED here. For example, in the snippet above, Status should be set to EFI_ACCESS_DENIED if Policy == DENY_EXECUTE_ON_SECURITY_VIOLATION.

Thank you all for your time,
Wojciech Zmuda
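
Added example, not part of the original message and not EDK II source: a simplified C model of the two quoted checks, showing which status value gets past the caller's test when the policy is 0x04. The handler functions and the in_db flag are hypothetical reductions; the status encodings are the 64-bit UEFI values, and the 0x03 policy is included only as a contrast case.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* UEFI status encoding for a 64-bit build: error codes have the top bit set. */
typedef uint64_t efi_status;
#define EFI_ERR_BIT            0x8000000000000000ULL
#define EFI_SUCCESS            0ULL
#define EFI_ACCESS_DENIED      (EFI_ERR_BIT | 15)
#define EFI_SECURITY_VIOLATION (EFI_ERR_BIT | 26)
#define EFI_ERROR(s)           (((s) & EFI_ERR_BIT) != 0)

/* Policy values; 0x04 is the one set in the message. */
#define DEFER_EXECUTE_ON_SECURITY_VIOLATION 0x03u
#define DENY_EXECUTE_ON_SECURITY_VIOLATION  0x04u

typedef efi_status (*handler_fn)(uint32_t policy, bool in_db);

/* Hypothetical reduction of the quoted "Done:" path: every failure
   leaves as EFI_SECURITY_VIOLATION, whatever the policy. */
efi_status handler_as_quoted(uint32_t policy, bool in_db) {
    (void)policy;
    return in_db ? EFI_SUCCESS : EFI_SECURITY_VIOLATION;
}

/* Hypothetical reduction of the change the message suggests. */
efi_status handler_as_suggested(uint32_t policy, bool in_db) {
    if (in_db) return EFI_SUCCESS;
    return policy == DENY_EXECUTE_ON_SECURITY_VIOLATION
               ? EFI_ACCESS_DENIED : EFI_SECURITY_VIOLATION;
}

/* The quoted caller check: true when the load is abandoned (goto Done). */
bool loader_abandons(efi_status s) {
    return EFI_ERROR(s) && s != EFI_SECURITY_VIOLATION;
}

/* Regression check: does an image absent from db get past the caller check? */
bool unverified_image_passes(handler_fn h, uint32_t policy) {
    return !loader_abandons(h(policy, false));
}

int main(void) {
    printf("DENY, quoted handler:    passes=%d\n",
           unverified_image_passes(handler_as_quoted, DENY_EXECUTE_ON_SECURITY_VIOLATION));
    printf("DENY, suggested handler: passes=%d\n",
           unverified_image_passes(handler_as_suggested, DENY_EXECUTE_ON_SECURITY_VIOLATION));
    return 0;
}
```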