public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Michael D Kinney" <michael.d.kinney@intel.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>,
	"lersek@redhat.com" <lersek@redhat.com>,
	"Kinney, Michael D" <michael.d.kinney@intel.com>
Cc: "Zhang, Chao B" <chao.b.zhang@intel.com>,
	"Wang, Jian J" <jian.j.wang@intel.com>,
	"Yao, Jiewen" <jiewen.yao@intel.com>
Subject: Re: [edk2-devel] [PATCH 00/11] SecurityPkg/DxeImageVerificationHandler: fix retval for "deny" policy
Date: Fri, 31 Jan 2020 02:59:34 +0000	[thread overview]
Message-ID: <E92EE9817A31E24EB0585FDF735412F5B9E81C62@ORSMSX113.amr.corp.intel.com> (raw)
In-Reply-To: <20200116190705.18816-1-lersek@redhat.com>

Hi Laszlo,

I have reviewed this patch series.  All the patches look
good.  The detailed description of each change made it 
easy to review.

Series Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>

I have one question about that is not directly related to
this logic change.

I see this logic that checks for invalid policy settings and
ASSERT()s and halts in a deadloop if either of 2 specific values
are used that have been removed from the UEFI Spec.

  //
  // The policy QUERY_USER_ON_SECURITY_VIOLATION and ALLOW_EXECUTE_ON_SECURITY_VIOLATION
  // violates the UEFI spec and has been removed.
  //
  ASSERT (Policy != QUERY_USER_ON_SECURITY_VIOLATION && Policy != ALLOW_EXECUTE_ON_SECURITY_VIOLATION);
  if (Policy == QUERY_USER_ON_SECURITY_VIOLATION || Policy == ALLOW_EXECUTE_ON_SECURITY_VIOLATION) {
    CpuDeadLoop ();
  }

There are 3 conditions where the Policy comes from a PCD.

  //
  // Check the image type and get policy setting.
  //
  switch (GetImageType (File)) {

  case IMAGE_FROM_FV:
    Policy = ALWAYS_EXECUTE;
    break;

  case IMAGE_FROM_OPTION_ROM:
    Policy = PcdGet32 (PcdOptionRomImageVerificationPolicy);
    break;

  case IMAGE_FROM_REMOVABLE_MEDIA:
    Policy = PcdGet32 (PcdRemovableMediaImageVerificationPolicy);
    break;

  case IMAGE_FROM_FIXED_MEDIA:
    Policy = PcdGet32 (PcdFixedMediaImageVerificationPolicy);
    break;

  default:
    Policy = DENY_EXECUTE_ON_SECURITY_VIOLATION;
    break;
  }

However, there are no checks in this function to verify that 
Policy is set to one of the allowed values.  This means
an invalid PCD value will fall through to the EFI_ACCESS_DENIED
case.  Is this the expected behavior for an invalid PCD setting?
If so, then why is there a check for the retired values from
the UEFI Spec and a deadloop performed.  That seems inconsistent
and not a good idea to deadloop if we do not have to.  Would
it be better to return EFI_ACCESS_DENIED for these 2 retired
Policy values as well?

I am ok if you consider this to be a different issue. 

Thanks,

Mike

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On
> Behalf Of Laszlo Ersek
> Sent: Thursday, January 16, 2020 11:07 AM
> To: edk2-devel-groups-io <devel@edk2.groups.io>
> Cc: Zhang, Chao B <chao.b.zhang@intel.com>; Wang, Jian
> J <jian.j.wang@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>
> Subject: [edk2-devel] [PATCH 00/11]
> SecurityPkg/DxeImageVerificationHandler: fix retval for
> "deny" policy
> 
> Ref:
> https://bugzilla.tianocore.org/show_bug.cgi?id=2129
> Repo:   https://github.com/lersek/edk2.git
> Branch: deny_execute_2129
> 
> The DxeImageVerificationHandler() function does not
> handle the
> DENY_EXECUTE_ON_SECURITY_VIOLATION policy correctly.
> When an image is
> rejected, and the platform sets this policy for the
> corresponding image
> source, the function should return EFI_ACCESS_DENIED.
> Instead, the
> function currently returns EFI_SECURITY_VIOLATION. The
> consequence is
> that gBS->LoadImage() will keep the image loaded (in
> untrusted state),
> rather than unloading it immediately. If the platform
> sets the
> DENY_EXECUTE_ON_SECURITY_VIOLATION policy for all image
> sources, then
> the platform may not expect EFI_SECURITY_VIOLATION at
> all. Then,
> rejected images may linger in RAM, in untrusted state,
> and may be leaked
> forever.
> 
> This series refactors the DxeImageVerificationHandler()
> function,
> simplifying the control flow. The series also improves
> the conformance
> of the return values to the
> SECURITY2_FILE_AUTHENTICATION_HANDLER
> prototype. The last two patches are actual bugfixes,
> with the last one
> fixing the problem laid out above.
> 
> The patches in this posting have been formatted with
> "--function-context", for easier review.
> 
> Cc: Chao Zhang <chao.b.zhang@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> 
> Thanks,
> Laszlo
> 
> Laszlo Ersek (11):
>   SecurityPkg/DxeImageVerificationHandler: simplify
> "VerifyStatus"
>   SecurityPkg/DxeImageVerificationHandler: remove
> "else" after
>     return/break
>   SecurityPkg/DxeImageVerificationHandler: keep PE/COFF
> info status
>     internal
>   SecurityPkg/DxeImageVerificationHandler: narrow down
> PE/COFF hash
>     status
>   SecurityPkg/DxeImageVerificationHandler: fix retval
> on memalloc
>     failure
>   SecurityPkg/DxeImageVerificationHandler: remove
> superfluous Status
>     setting
>   SecurityPkg/DxeImageVerificationHandler: unnest
> AddImageExeInfo() call
>   SecurityPkg/DxeImageVerificationHandler: eliminate
> "Status" variable
>   SecurityPkg/DxeImageVerificationHandler: fix retval
> for
>     (FileBuffer==NULL)
>   SecurityPkg/DxeImageVerificationHandler: fix imgexec
> info on memalloc
>     fail
>   SecurityPkg/DxeImageVerificationHandler: fix "defer"
> vs. "deny"
>     policies
> 
> 
> SecurityPkg/Library/DxeImageVerificationLib/DxeImageVer
> ificationLib.c | 118 ++++++++++----------
>  1 file changed, 59 insertions(+), 59 deletions(-)
> 
> --
> 2.19.1.3.g30247aa5d201
> 
> 
> 


  parent reply	other threads:[~2020-01-31  2:59 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-01-16 19:06 [PATCH 00/11] SecurityPkg/DxeImageVerificationHandler: fix retval for "deny" policy Laszlo Ersek
2020-01-16 19:06 ` [PATCH 01/11] SecurityPkg/DxeImageVerificationHandler: simplify "VerifyStatus" Laszlo Ersek
2020-01-16 19:06 ` [PATCH 02/11] SecurityPkg/DxeImageVerificationHandler: remove "else" after return/break Laszlo Ersek
2020-01-16 19:06 ` [PATCH 03/11] SecurityPkg/DxeImageVerificationHandler: keep PE/COFF info status internal Laszlo Ersek
2020-01-16 19:06 ` [PATCH 04/11] SecurityPkg/DxeImageVerificationHandler: narrow down PE/COFF hash status Laszlo Ersek
2020-01-16 19:06 ` [PATCH 05/11] SecurityPkg/DxeImageVerificationHandler: fix retval on memalloc failure Laszlo Ersek
2020-01-16 19:07 ` [PATCH 06/11] SecurityPkg/DxeImageVerificationHandler: remove superfluous Status setting Laszlo Ersek
2020-01-16 19:07 ` [PATCH 07/11] SecurityPkg/DxeImageVerificationHandler: unnest AddImageExeInfo() call Laszlo Ersek
2020-01-16 19:07 ` [PATCH 08/11] SecurityPkg/DxeImageVerificationHandler: eliminate "Status" variable Laszlo Ersek
2020-01-16 19:07 ` [PATCH 09/11] SecurityPkg/DxeImageVerificationHandler: fix retval for (FileBuffer==NULL) Laszlo Ersek
2020-01-16 19:07 ` [PATCH 10/11] SecurityPkg/DxeImageVerificationHandler: fix imgexec info on memalloc fail Laszlo Ersek
2020-01-16 19:07 ` [PATCH 11/11] SecurityPkg/DxeImageVerificationHandler: fix "defer" vs. "deny" policies Laszlo Ersek
2020-01-31  2:59 ` Michael D Kinney [this message]
2020-01-31  8:12   ` [edk2-devel] [PATCH 00/11] SecurityPkg/DxeImageVerificationHandler: fix retval for "deny" policy Laszlo Ersek
2020-01-31  9:28     ` Laszlo Ersek
2020-01-31 10:01       ` Laszlo Ersek
2020-01-31 10:07       ` Laszlo Ersek
2020-01-31 16:52       ` Michael D Kinney
2020-01-31 16:59         ` Laszlo Ersek
2020-01-31 17:28           ` Michael D Kinney
2020-01-31 20:19             ` Laszlo Ersek
2020-02-05 13:02               ` setting the push label at once, when opening a PR [was: SecurityPkg/DxeImageVerificationHandler: fix retval for "deny" policy] Laszlo Ersek
2020-02-05 16:16                 ` Michael D Kinney
2020-02-05 20:01                   ` Laszlo Ersek
2020-01-31 16:31     ` [edk2-devel] [PATCH 00/11] SecurityPkg/DxeImageVerificationHandler: fix retval for "deny" policy Michael D Kinney
2020-01-31 17:00       ` Laszlo Ersek
2020-01-31 17:12         ` Laszlo Ersek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=E92EE9817A31E24EB0585FDF735412F5B9E81C62@ORSMSX113.amr.corp.intel.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox