Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action

["Yao, Jiewen" <jiewen.yao@intel.com>]

Sure. This patch is merged https://github.com/tianocore/edk2/pull/4321.

Thanks for the contribution.
Look forward to your investigation result.


> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Nhi
> Pham via groups.io
> Sent: Friday, April 28, 2023 11:14 AM
> To: Yao, Jiewen <jiewen.yao@intel.com>; Nhi Pham
> <nhi@os.amperecomputing.com>; devel@edk2.groups.io; Wang, Jian J
> <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>
> Cc: patches@amperecomputing.com
> Subject: Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib:
> Add AUTH_SIG_NOT_FOUND Action
> 
> Thanks Yao Jiewen for reviewing. I will make further investigation for
> other cases based on your findings.
> 
> In the meantime, could you help merge my patch?
> 
> -Nhi
> 
> On 4/27/2023 3:19 PM, Yao, Jiewen wrote:
> > Thanks Nhi, to provide the fix.
> >
> > The UEFI specification
> (https://uefi.org/specs/UEFI/2.10/32_Secure_Boot_and_Driver_Signing.html)
> defines below error code.
> >
> > #define EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED     0x00000001
> > #define EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED     0x00000002
> > #define EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND  0x00000003
> > #define EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND      0x00000004
> >
> > 1) EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED means
> > An image certificate is in the forbidden database, or
> > A digest of an image certifcate is in the forbidden database, or
> > The image signature check failed.
> >
> > However, the code only contains below as forbidden database check:
> >
> >      if (IsForbiddenByDbx (AuthData, AuthDataSize)) {
> >        Action     = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED;
> >        IsVerified = FALSE;
> >        break;
> >      }
> >
> > The image signature check fail missed the Action. (remaining issue ?)
> >
> > 2) EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED means
> > An image certifcate is in authroized database. (or)
> > The image digest is in the authorized database.
> >
> > However, I cannot find the code to set the value in the code. (remaining
> issue ?)
> >
> > 3) EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND means
> > the image certificate is not found in the authorized database, and
> > the image digest is not in the authorized database.
> >
> > It is fixed in this patch. Thank you!
> >
> > 4) EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND means
> > The image has at least one certificate, and the image digest is in the
> forbidden database.
> >
> > The code is there.
> >
> >
> > Would you please double check, if we have the remaining issue in 1) and 2)?
> >
> >
> >
> >
> >> -----Original Message-----
> >> From: Nhi Pham <nhi@os.amperecomputing.com>
> >> Sent: Wednesday, April 12, 2023 5:22 PM
> >> To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>; Wang,
> >> Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>
> >> Cc: patches@amperecomputing.com; Nhi Pham
> >> <nhi@os.amperecomputing.com>
> >> Subject: [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add
> >> AUTH_SIG_NOT_FOUND Action
> >>
> >> Add the AUTH_SIG_NOT_FOUND Action to the Image Execution Info
> Table
> >> when the Image is signed but signature is not allowed by DB and the
> >> hash of image is not found in DB/DBX.
> >>
> >> This is documented in the UEFI spec 2.10, table 32.5.
> >>
> >> This issue is found by the SIE SCT with the error message as follows:
> >> SecureBoot - TestImage1.bin in Image Execution Info Table with
> >> SIG_NOT_FOUND. --FAILURE
> >> B3A670AA-0FBA-48CA-9D01-0EE9700965A9
> >> SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/
> >> ImageLoadingBBTest.c:1079:Status Success
> >>
> >> Signed-off-by: Nhi Pham <nhi@os.amperecomputing.com>
> >> ---
> >>   SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> | 1
> >> +
> >>   1 file changed, 1 insertion(+)
> >>
> >> diff --git
> >>
> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> >>
> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> >> index b3d40c21e975..5d8dbd546879 100644
> >> ---
> >>
> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> >> +++
> >>
> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> >> @@ -1993,6 +1993,7 @@ DxeImageVerificationHandler (
> >>         if (!EFI_ERROR (DbStatus) && IsFound) {
> >>
> >>           IsVerified = TRUE;
> >>
> >>         } else {
> >>
> >> +        Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND;
> >>
> >>           DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed
> but
> >> signature is not allowed by DB and %s hash of image is not found in
> >> DB/DBX.\n", mHashTypeStr));
> >>
> >>         }
> >>
> >>       }
> >>
> >> --
> >> 2.25.1
> 
> 
> 
>