From: "Guomin Jiang" <guomin.jiang@intel.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>,
"Jiang, Guomin" <guomin.jiang@intel.com>
Cc: "Yao, Jiewen" <jiewen.yao@intel.com>,
"Wang, Jian J" <jian.j.wang@intel.com>,
"Zhang, Chao B" <chao.b.zhang@intel.com>
Subject: Re: [edk2-devel] [PATCH] SecurityPkg/MeasureBootLib: Return EFI_ACCESS_DENIED after image check fail
Date: Wed, 8 Apr 2020 05:30:54 +0000 [thread overview]
Message-ID: <DM6PR11MB2955C407A154DDCFD84F37A69DC00@DM6PR11MB2955.namprd11.prod.outlook.com> (raw)
In-Reply-To: <16018CE9AA0B23BF.12919@groups.io>
Hi Jiewen, Jiang, Chao,
Could you help review the change?
Best Regards
Guomin
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Guomin
> Jiang
> Sent: Wednesday, April 1, 2020 9:11 AM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> <jian.j.wang@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>
> Subject: [edk2-devel] [PATCH] SecurityPkg/MeasureBootLib: Return
> EFI_ACCESS_DENIED after image check fail
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2652
>
> If the File is checked at the beginning of the function, it will only allow
> images where File is present and forbid images from a buffer.
> It is possible that the image comes from a memory buffer, so let it run
> and check the File after that.
> It is an improvement for 4b026f0d5af36faf3a3629a3ad49c51b5b3be12f.
>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Chao Zhang <chao.b.zhang@intel.com>
> Signed-off-by: Guomin Jiang <guomin.jiang@intel.com>
> ---
> .../DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c | 14 +++++++-------
> .../DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c | 14 +++++++-------
> 2 files changed, 14 insertions(+), 14 deletions(-)
>
> diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
> index f0e95e5ec0..fdb4758cbe 100644
> --- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
> +++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
> @@ -435,13 +435,6 @@ DxeTpm2MeasureBootHandler (
> EFI_PHYSICAL_ADDRESS FvAddress; UINT32 Index; -
> //- // Check for invalid parameters.- //- if (File == NULL) {- return
> EFI_ACCESS_DENIED;- }- Status = gBS->LocateProtocol
> (&gEfiTcg2ProtocolGuid, NULL, (VOID **) &Tcg2Protocol); if (EFI_ERROR
> (Status)) { //@@ -615,6 +608,13 @@ DxeTpm2MeasureBootHandler (
> // Status = PeCoffLoaderGetImageInfo (&ImageContext); if (EFI_ERROR
> (Status)) {+ //+ // Check for invalid parameters.+ //+ if (File == NULL) {+
> Status = EFI_ACCESS_DENIED;+ }+ // // The information can't be got
> from the invalid PeImage //diff --git
> a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
> index d499371e7a..20f7d94d6b 100644
> --- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
> +++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
> @@ -732,13 +732,6 @@ DxeTpmMeasureBootHandler (
> EFI_PHYSICAL_ADDRESS FvAddress; UINT32 Index; -
> //- // Check for invalid parameters.- //- if (File == NULL) {- return
> EFI_ACCESS_DENIED;- }- Status = gBS->LocateProtocol
> (&gEfiTcgProtocolGuid, NULL, (VOID **) &TcgProtocol); if (EFI_ERROR
> (Status)) { //@@ -912,6 +905,13 @@ DxeTpmMeasureBootHandler (
> // Status = PeCoffLoaderGetImageInfo (&ImageContext); if (EFI_ERROR
> (Status)) {+ //+ // Check for invalid parameters.+ //+ if (File == NULL) {+
> return EFI_ACCESS_DENIED;+ }+ // // The information can't be got from
> the invalid PeImage //--
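Review bot: in the first DxeTpm2MeasureBootLib hunk (@@ -435,13 +435,6) and the matching DxeTpmMeasureBootLib hunk (@@ -732,13 +732,6), deleting the entry guard `if (File == NULL) { return EFI_ACCESS_DENIED; }` means everything between that point and the new check in the PeCoffLoaderGetImageInfo failure path now runs with a possibly NULL File pointer, and the diff adds no NULL handling on the success path. The code in between is not visible in this patch, so please confirm in the commit message that nothing there dereferences File unconditionally, or guard those uses; the message only states the intent (allow buffer-only images), not that the intervening code already tolerates a NULL device path.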
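Review bot: in the second DxeTpm2MeasureBootLib hunk (@@ -615,6 +608,13) the new block only assigns `Status = EFI_ACCESS_DENIED;` and then falls through into the existing "The information can't be got from the invalid PeImage" handling, so whether the caller actually sees EFI_ACCESS_DENIED depends on what that path does with Status afterwards, which this hunk does not show. The sibling DxeTpmMeasureBootLib hunk (@@ -912,6 +905,13) instead does `return EFI_ACCESS_DENIED;` at the same spot; the two libraries should behave identically, so pick one form for both. Note also that the check now fires only after PeCoffLoaderGetImageInfo has failed, so a NULL File with a valid PE image proceeds to measurement; if that is the intended behavior, say so explicitly in the commit message, since the subject line ("after image check fail") is the only place it is implied.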
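Review bot: in the second DxeTpmMeasureBootLib hunk (@@ -912,6 +905,13) the bare `return EFI_ACCESS_DENIED;` leaves the function directly from inside the PeCoffLoaderGetImageInfo error branch; if the existing error handling below that comment releases anything (the function clearly allocates, given the image context and device-path locals in scope), this early return skips it. Prefer setting Status and letting the existing error path run to its normal exit, which would also make this library match the Tpm2 variant of the same change.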
> 2.25.1.windows.1
>
>
> View/Reply Online (#56805): https://edk2.groups.io/g/devel/message/56805
Thread overview:
[not found] <16018CE9AA0B23BF.12919@groups.io>
2020-04-08 5:30 ` Guomin Jiang [this message]
2020-04-01 1:11 [PATCH] SecurityPkg/MeasureBootLib: Return EFI_ACCESS_DENIED after image check fail Guomin Jiang
2020-04-08 10:46 ` [edk2-devel] " Laszlo Ersek