From: "Guomin Jiang"
To: "devel@edk2.groups.io", "Jiang, Guomin"
CC: "Yao, Jiewen", "Wang, Jian J", "Zhang, Chao B"
Subject: Re: [edk2-devel] [PATCH] SecurityPkg/MeasureBootLib: Return EFI_ACCESS_DENIED after image check fail
Date: Wed, 8 Apr 2020 05:30:54 +0000
References: <16018CE9AA0B23BF.12919@groups.io>
In-Reply-To: <16018CE9AA0B23BF.12919@groups.io>
Hi Jiewen, Jiang, Chao,

Could you help review the change?

Best Regards
Guomin

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Guomin Jiang
> Sent: Wednesday, April 1, 2020 9:11 AM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen; Wang, Jian J; Zhang, Chao B
> Subject: [edk2-devel] [PATCH] SecurityPkg/MeasureBootLib: Return EFI_ACCESS_DENIED after image check fail
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2652
>
> If the File is checked at the beginning of the function, it will only allow the File to be present and forbid images from a buffer.
> It is possible that the image comes from a memory buffer, so make it able to run and check the File after it.
> It is an improvement for 4b026f0d5af36faf3a3629a3ad49c51b5b3be12f.
>
> Cc: Jiewen Yao
> Cc: Jian J Wang
> Cc: Chao Zhang
> Signed-off-by: Guomin Jiang
> ---
>  .../DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c | 14 +++++++-------
>  .../DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c   | 14 +++++++-------
>  2 files changed, 14 insertions(+), 14 deletions(-)
>
> diff --git > a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib. > c > b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib. > c > index f0e95e5ec0..fdb4758cbe 100644 > --- > a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib. > c > +++ > b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib. > c > @@ -435,13 +435,6 @@ DxeTpm2MeasureBootHandler ( > EFI_PHYSICAL_ADDRESS FvAddress; UINT32 = Index; - > //- // Check for invalid parameters.- //- if (File =3D=3D NULL) {- = return > EFI_ACCESS_DENIED;- }- Status =3D gBS->LocateProtocol > (&gEfiTcg2ProtocolGuid, NULL, (VOID **) &Tcg2Protocol); if (EFI_ERROR > (Status)) { //@@ -615,6 +608,13 @@ DxeTpm2MeasureBootHandler ( > // Status =3D PeCoffLoaderGetImageInfo (&ImageContext); if (EFI_ER= ROR > (Status)) {+ //+ // Check for invalid parameters.+ //+ if (Fi= le =3D=3D NULL) {+ > Status =3D EFI_ACCESS_DENIED;+ }+ // // The information can't = be got > from the invalid PeImage //diff --git > a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c > b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c > index d499371e7a..20f7d94d6b 100644 > --- > a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c > +++ > b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c 
> @@ -732,13 +732,6 @@ DxeTpmMeasureBootHandler ( > EFI_PHYSICAL_ADDRESS FvAddress; UINT32 = Index; - > //- // Check for invalid parameters.- //- if (File =3D=3D NULL) {- = return > EFI_ACCESS_DENIED;- }- Status =3D gBS->LocateProtocol > (&gEfiTcgProtocolGuid, NULL, (VOID **) &TcgProtocol); if (EFI_ERROR > (Status)) { //@@ -912,6 +905,13 @@ DxeTpmMeasureBootHandler ( > // Status =3D PeCoffLoaderGetImageInfo (&ImageContext); if (EFI_ER= ROR > (Status)) {+ //+ // Check for invalid parameters.+ //+ if (Fi= le =3D=3D NULL) {+ > return EFI_ACCESS_DENIED;+ }+ // // The information can't be g= ot from > the invalid PeImage //-- > 2.25.1.windows.1
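Review bot: with the early `if (File == NULL) return EFI_ACCESS_DENIED;` removed in the DxeTpm2MeasureBootLib.c hunk at @@ -435,13 +435,6 @@ (and likewise in DxeTpmMeasureBootLib.c at @@ -732,13 +732,6 @@), File may now be NULL for the whole stretch of the handler between the LocateProtocol call and the later PeCoffLoaderGetImageInfo call where the replacement check lives. The hunks do not show that intervening code, so please confirm in the commit message that nothing in between dereferences File before the new check runs; the buffer-image case this patch is meant to allow is exactly the one that now takes that path.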
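Review bot: in the DxeTpm2MeasureBootLib.c hunk at @@ -615,6 +608,13 @@, the new block only sets `Status = EFI_ACCESS_DENIED;` when `File == NULL`, so when a caller does pass a File and PeCoffLoaderGetImageInfo fails, the handler still propagates the PeCoff error code rather than EFI_ACCESS_DENIED, although the subject line says EFI_ACCESS_DENIED is returned after the image check fails. Either say in the commit message that the access-denied result is limited to the buffer (File == NULL) case, or drop the File condition so that any invalid image yields EFI_ACCESS_DENIED. The retained comment "Check for invalid parameters" also no longer describes what this code does now that it runs only after the image has failed to parse; reword it to say why a NULL File on the failure path is refused.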
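Review bot: in the DxeTpmMeasureBootLib.c hunk at @@ -912,6 +905,13 @@, the new block does `return EFI_ACCESS_DENIED;` whereas the otherwise identical block added to DxeTpm2MeasureBootLib.c assigns `Status = EFI_ACCESS_DENIED;` and falls through to the existing invalid-PeImage handling that the context lines show follows it. The two libraries should handle this case the same way, and the assignment form is the safer one because an immediate return from inside this branch skips whatever the function does after the "The information can't be got from the invalid PeImage" comment; please change this one to `Status = EFI_ACCESS_DENIED;`, or state in the commit message why the two handlers differ on purpose.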