public inbox for devel@edk2.groups.io
From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: Nhi Pham <nhi@os.amperecomputing.com>,
	"devel@edk2.groups.io" <devel@edk2.groups.io>,
	"Wang, Jian J" <jian.j.wang@intel.com>,
	"Xu, Min M" <min.m.xu@intel.com>
Cc: "patches@amperecomputing.com" <patches@amperecomputing.com>
Subject: Re: [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action
Date: Thu, 27 Apr 2023 08:19:39 +0000
Message-ID: <MW4PR11MB58720A22A7FB427736C491B68C6A9@MW4PR11MB5872.namprd11.prod.outlook.com>
In-Reply-To: <20230412092149.138221-1-nhi@os.amperecomputing.com>

Thanks Nhi, for providing the fix.

The UEFI specification (https://uefi.org/specs/UEFI/2.10/32_Secure_Boot_and_Driver_Signing.html) defines the error codes below.

#define EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED     0x00000001
#define EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED     0x00000002
#define EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND  0x00000003
#define EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND      0x00000004

1) EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED means 
An image certificate is in the forbidden database, or
A digest of an image certificate is in the forbidden database, or
The image signature check failed.

However, the code only contains below as forbidden database check:

    if (IsForbiddenByDbx (AuthData, AuthDataSize)) {
      Action     = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED;
      IsVerified = FALSE;
      break;
    }

The image signature check failure misses the Action. (remaining issue ?)

2) EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED means
An image certificate is in the authorized database, or
The image digest is in the authorized database.

However, I cannot find the code to set the value in the code. (remaining issue ?)

3) EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND means
the image certificate is not found in the authorized database, and
the image digest is not in the authorized database.

It is fixed in this patch. Thank you!

4) EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND means 
The image has at least one certificate, and the image digest is in the forbidden database.

The code is there.


Would you please double check if we have the remaining issues in 1) and 2)?

> -----Original Message-----
> From: Nhi Pham <nhi@os.amperecomputing.com>
> Sent: Wednesday, April 12, 2023 5:22 PM
> To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>; Wang,
> Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>
> Cc: patches@amperecomputing.com; Nhi Pham
> <nhi@os.amperecomputing.com>
> Subject: [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add
> AUTH_SIG_NOT_FOUND Action
> 
> Add the AUTH_SIG_NOT_FOUND Action to the Image Execution Info Table
> when the Image is signed but signature is not allowed by DB and the
> hash of image is not found in DB/DBX.
> 
> This is documented in the UEFI spec 2.10, table 32.5.
> 
> This issue is found by the SIE SCT with the error message as follows:
> SecureBoot - TestImage1.bin in Image Execution Info Table with
> SIG_NOT_FOUND. --FAILURE
> B3A670AA-0FBA-48CA-9D01-0EE9700965A9
> SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/
> ImageLoadingBBTest.c:1079:Status Success
> 
> Signed-off-by: Nhi Pham <nhi@os.amperecomputing.com>
> ---
>  SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 1
> +
>  1 file changed, 1 insertion(+)
> 
> diff --git
> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index b3d40c21e975..5d8dbd546879 100644
> ---
> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++
> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> @@ -1993,6 +1993,7 @@ DxeImageVerificationHandler (
>        if (!EFI_ERROR (DbStatus) && IsFound) {
> 
>          IsVerified = TRUE;
> 
>        } else {
> 
> +        Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND;
> 
>          DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but
> signature is not allowed by DB and %s hash of image is not found in
> DB/DBX.\n", mHashTypeStr));
> 
>        }
> 
>      }
> 
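Review bot: the else branch now records EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND, but the matching if branch directly above it (`IsVerified = TRUE;`) still leaves Action untouched, so the "image digest is in the authorized database" outcome, which the spec text quoted in the reply maps to EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED, is never written to the Image Execution Info Table. Consider adding `Action = EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED;` next to `IsVerified = TRUE;` so both outcomes of this db lookup are recorded, or state in the commit message that the PASSED action is intentionally left for a follow-up patch.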
> --
> 2.25.1
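The four action codes discussed in the reply, as an added example that is not edk2 code and not part of this thread: a small C model that takes the outcome of the certificate and digest lookups for a signed image and returns both the verdict and the Action value the Image Execution Info Table should carry, including the SIG_NOT_FOUND case the patch fixes and the SIG_PASSED case the reply says is never set. The SigDb type, the gDb/gDbx sample databases, the string labels and ClassifyImage are all constructed for this example; the order of the checks (forbidden before authorized, certificate before digest) is an assumption taken from the bullet order in the reply, not a statement about how DxeImageVerificationLib is ordered internally.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Action codes as quoted from the UEFI 2.10 specification in the reply. */
#define EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED     0x00000001
#define EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED     0x00000002
#define EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND  0x00000003
#define EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND      0x00000004

/* Hypothetical model of a signature database (not the edk2 EFI_SIGNATURE_LIST
   layout): each entry is a label standing in for a certificate or a digest. */
#define MAX_ENTRIES 8
typedef struct {
  const char *Entries[MAX_ENTRIES];
  int         Count;
} SigDb;

/* Constructed sample databases: db authorizes one CA and one tool digest,
   dbx revokes one CA and one known-bad digest. */
const SigDb gDb  = { { "cert:vendor-ca",  "sha256:aaaa-allowed-tool" }, 2 };
const SigDb gDbx = { { "cert:revoked-ca", "sha256:bbbb-known-bad"    }, 2 };

static bool DbContains (const SigDb *Db, const char *Entry)
{
  for (int i = 0; i < Db->Count; i++) {
    if (strcmp (Db->Entries[i], Entry) == 0) {
      return true;
    }
  }
  return false;
}

/* What the verification handler hands to the Image Execution Info Table:
   the verdict and the Action code that explains it. */
typedef struct {
  bool     IsVerified;
  uint32_t Action;
} VerifyResult;

/* Classify a signed image.  Check order (an assumption, see lead-in):
   forbidden entries before authorized ones, certificate before digest, so a
   revoked certificate is never rescued by an allowed digest. */
VerifyResult ClassifyImage (const SigDb *Db, const SigDb *Dbx,
                            const char *SignerCert, bool SignatureValid,
                            const char *ImageDigest)
{
  VerifyResult R = { false, EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND };

  /* 1) certificate in dbx, or the signature itself fails -> SIG_FAILED */
  if (DbContains (Dbx, SignerCert) || !SignatureValid) {
    R.Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED;
    return R;
  }
  /* 2) certificate in db -> SIG_PASSED */
  if (DbContains (Db, SignerCert)) {
    R.IsVerified = true;
    R.Action     = EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED;
    return R;
  }
  /* 4) image is signed and its digest is in dbx -> SIG_FOUND */
  if (DbContains (Dbx, ImageDigest)) {
    R.Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND;
    return R;
  }
  /* 2) image digest in db -> SIG_PASSED */
  if (DbContains (Db, ImageDigest)) {
    R.IsVerified = true;
    R.Action     = EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED;
    return R;
  }
  /* 3) neither certificate nor digest is authorized -> SIG_NOT_FOUND,
        which is the case the patch adds to the table. */
  return R;
}

int main (void)
{
  VerifyResult R = ClassifyImage (&gDb, &gDbx, "cert:unknown-ca", true,
                                  "sha256:cccc-unlisted");
  printf ("unknown signer, unlisted digest: verified=%d action=0x%08" PRIx32 "\n",
          (int)R.IsVerified, R.Action);
  return 0;
}
```

The revoked-CA-with-allowed-digest case is the one worth running: it shows why the dbx lookup has to happen before any db lookup, and why an entry in the table must carry the Action and not just the verdict, since SIG_FAILED and SIG_NOT_FOUND both reject the image but mean different things to whoever audits the table.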


Thread overview: 10+ messages
2023-04-12  9:21 [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action Nhi Pham
2023-04-14  5:18 ` Nhi Pham
2023-04-18 23:20   ` [edk2-devel] " Min Xu
2023-04-20  3:48     ` Nhi Pham
2023-04-26  7:54       ` Min Xu
2023-04-27  5:38         ` Nhi Pham
2023-04-27  5:46           ` Min Xu
2023-04-27  8:19 ` Yao, Jiewen [this message]
2023-04-28  3:14   ` Nhi Pham
2023-04-28 11:08     ` [edk2-devel] " Yao, Jiewen
