From: "Yao, Jiewen"
To: Nhi Pham, devel@edk2.groups.io, "Wang, Jian J", "Xu, Min M"
CC: patches@amperecomputing.com
Subject: Re: [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action
Date: Thu, 27 Apr 2023 08:19:39 +0000
Message-ID:
References: <20230412092149.138221-1-nhi@os.amperecomputing.com>
In-Reply-To: <20230412092149.138221-1-nhi@os.amperecomputing.com>

Thanks Nhi, for providing the fix.

The UEFI specification (https://uefi.org/specs/UEFI/2.10/32_Secure_Boot_and_Driver_Signing.html) defines the error codes below.

  #define EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED     0x00000001
  #define EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED     0x00000002
  #define EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND  0x00000003
  #define EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND      0x00000004

1) EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED means
   An image certificate is in the forbidden database, or
   A digest of an image certificate is in the forbidden database, or
   The image signature check failed.

However, the code only contains the forbidden database check below:

  if (IsForbiddenByDbx (AuthData, AuthDataSize)) {
    Action     = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED;
    IsVerified = FALSE;
    break;
  }

The image signature check failure misses the Action. (remaining issue?)

2) EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED means
   An image certificate is in the authorized database, or
   The image digest is in the authorized database.

However, I cannot find the code that sets this value. (remaining issue?)

3) EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND means
   The image certificate is not found in the authorized database, and
   The image digest is not in the authorized database.

It is fixed in this patch. Thank you!

4) EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND means
   The image has at least one certificate, and
   The image digest is in the forbidden database.

The code is there.

Would you please double check whether we have the remaining issues in 1) and 2)?

> -----Original Message-----
> From: Nhi Pham > Sent: Wednesday, April 12, 2023 5:22 PM > To: devel@edk2.groups.io; Yao, Jiewen ; Wang, > Jian J ; Xu, Min M > Cc: patches@amperecomputing.com; Nhi Pham > > Subject: [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add > AUTH_SIG_NOT_FOUND Action >=20 > Add the AUTH_SIG_NOT_FOUND Action to the Image Execution Info Table > when the Image is signed but signature is not allowed by DB and the > hash of image is not found in DB/DBX. >=20 > This is documented in the UEFI spec 2.10, table 32.5. >=20 > This issue is found by the SIE SCT with the error message as follows: > SecureBoot - TestImage1.bin in Image Execution Info Table with > SIG_NOT_FOUND. --FAILURE > B3A670AA-0FBA-48CA-9D01-0EE9700965A9 > SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/ > ImageLoadingBBTest.c:1079:Status Success >=20 > Signed-off-by: Nhi Pham > --- > SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | = 1 > + > 1 file changed, 1 insertion(+) >=20 > diff --git > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > index b3d40c21e975..5d8dbd546879 100644 > --- > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > +++ > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > @@ -1993,6 +1993,7 @@ DxeImageVerificationHandler ( > if (!EFI_ERROR (DbStatus) && IsFound) { >=20 > IsVerified =3D TRUE; >=20 > } else { >=20 > + Action =3D EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND; >=20 > DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed bu= t > signature is not allowed by DB and %s hash of image is not found in > DB/DBX.\n", mHashTypeStr)); >=20 > } >=20 > } >=20 > -- > 2.25.1
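Review bot: the new `Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND` in the `else` branch is reached in two distinct situations, because the guarding condition is `!EFI_ERROR (DbStatus) && IsFound`: the db lookup succeeded and the hash was absent, and the lookup itself failed (`EFI_ERROR (DbStatus)`). In the second case a failed read of db is recorded in the Image Execution Info Table as "signature not found", which is a different fact from "looked up and absent", and the DEBUG string in the same branch only describes the absent case. Consider splitting the two outcomes so that only the successful-lookup-but-absent path records SIG_NOT_FOUND, or state in the commit message that treating a db read error as SIG_NOT_FOUND is intended.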
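As an added example (not edk2 code and not from this thread), the following C model applies the four Action values Jiewen enumerates above to the outcomes of the db/dbx lookups and the signature check, so all four spec cases, including the SIG_NOT_FOUND case this patch addresses, can be exercised side by side. The `CHECK_*` flag bits and the functions `ClassifyImageExecution`, `IsExecutionAllowed` and `ActionName` are hypothetical names introduced here; the precedence order (deny conditions first, then allow, then the residual NOT_FOUND) is this example's own choice and not a statement of how DxeImageVerificationLib orders its checks.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Action values of an EFI_IMAGE_EXECUTION_INFO entry, UEFI 2.10 section 32
 * (the four codes quoted in the mail above). */
#define EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED     0x00000001
#define EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED     0x00000002
#define EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND  0x00000003
#define EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND      0x00000004

/* Hypothetical flag bits (not an edk2 API): each bit records the outcome of
 * one db/dbx lookup or of the signature check for a single signed image. */
#define CHECK_HAS_CERT           (1u << 0)  /* image carries at least one signer certificate */
#define CHECK_CERT_IN_DBX        (1u << 1)  /* signer certificate is listed in dbx */
#define CHECK_CERT_DIGEST_IN_DBX (1u << 2)  /* digest of the signer certificate is listed in dbx */
#define CHECK_SIG_VERIFY_FAILED  (1u << 3)  /* PKCS#7 signature did not verify */
#define CHECK_CERT_IN_DB         (1u << 4)  /* signer certificate is listed in db */
#define CHECK_IMAGE_HASH_IN_DB   (1u << 5)  /* image hash is listed in db */
#define CHECK_IMAGE_HASH_IN_DBX  (1u << 6)  /* image hash is listed in dbx */

/*
 * Map the lookup outcomes to the Action the spec requires. The precedence
 * (deny conditions before allow conditions, then the residual NOT_FOUND) is
 * this example's own ordering, chosen so that a forbidden certificate or hash
 * can never be masked by a later allow-list hit. *Verified (optional)
 * reports whether the image may be executed.
 */
uint32_t ClassifyImageExecution(uint32_t Flags, bool *Verified)
{
  uint32_t Action;
  bool     Allowed = false;

  if (Flags & (CHECK_CERT_IN_DBX | CHECK_CERT_DIGEST_IN_DBX | CHECK_SIG_VERIFY_FAILED)) {
    /* 1) certificate (or its digest) forbidden, or the signature itself is bad */
    Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED;
  } else if ((Flags & CHECK_HAS_CERT) && (Flags & CHECK_IMAGE_HASH_IN_DBX)) {
    /* 4) signed image whose hash is explicitly forbidden */
    Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND;
  } else if (Flags & (CHECK_CERT_IN_DB | CHECK_IMAGE_HASH_IN_DB)) {
    /* 2) certificate or image hash authorized */
    Action  = EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED;
    Allowed = true;
  } else {
    /* 3) neither certificate nor image hash known to db: the case the patch fixes */
    Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND;
  }

  if (Verified != NULL) {
    *Verified = Allowed;
  }
  return Action;
}

/* Convenience wrapper: only the execute/deny decision. */
bool IsExecutionAllowed(uint32_t Flags)
{
  bool Verified;
  (void)ClassifyImageExecution(Flags, &Verified);
  return Verified;
}

const char *ActionName(uint32_t Action)
{
  switch (Action) {
    case EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED:    return "AUTH_SIG_FAILED";
    case EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED:    return "AUTH_SIG_PASSED";
    case EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND: return "AUTH_SIG_NOT_FOUND";
    case EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND:     return "AUTH_SIG_FOUND";
    default:                                     return "UNKNOWN";
  }
}

int main(void)
{
  /* Constructed scenarios, including the SCT case from the patch: signed,
   * signature not allowed by db, hash in neither db nor dbx. */
  struct { const char *Name; uint32_t Flags; } Cases[] = {
    { "signer in db",                 CHECK_HAS_CERT | CHECK_CERT_IN_DB },
    { "signature broken",             CHECK_HAS_CERT | CHECK_SIG_VERIFY_FAILED },
    { "signer in db but hash in dbx", CHECK_HAS_CERT | CHECK_CERT_IN_DB | CHECK_IMAGE_HASH_IN_DBX },
    { "unknown signer, unknown hash", CHECK_HAS_CERT },
  };

  for (size_t i = 0; i < sizeof(Cases) / sizeof(Cases[0]); i++) {
    bool     Verified;
    uint32_t Action = ClassifyImageExecution(Cases[i].Flags, &Verified);
    printf("%-30s -> %-18s (0x%08" PRIx32 ") execute=%s\n",
           Cases[i].Name, ActionName(Action), Action, Verified ? "yes" : "no");
  }
  return 0;
}
```

Running the block prints one line per scenario; the "unknown signer, unknown hash" case yields AUTH_SIG_NOT_FOUND (0x00000003), which is the value the patch makes DxeImageVerificationLib record for the SCT image.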