Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/DxeImageVerificationLib: Check result of GetEfiGlobalVariable2

public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed

From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "kraxel@redhat.com" <kraxel@redhat.com>,
	"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: "Pawel Polawski" <ppolawsk@redhat.com>,
	"Wang, Jian J" <jian.j.wang@intel.com>,
	"Oliver Steffen" <osteffen@redhat.com>,
	"Xu, Min M" <min.m.xu@intel.com>,
	"Marvin Häuser" <mhaeuser@posteo.de>,
	"jmaloy@redhat.com" <jmaloy@redhat.com>
Subject: Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/DxeImageVerificationLib: Check result of GetEfiGlobalVariable2
Date: Tue, 21 Mar 2023 02:28:56 +0000	[thread overview]
Message-ID: <MW4PR11MB58723373E0589DFA29B2C1898C819@MW4PR11MB5872.namprd11.prod.outlook.com> (raw)
In-Reply-To: <20230320150013.ykcaxygkburz4m2s@sirius.home.kraxel.org>

Sounds good. Thanks.

Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>

> -----Original Message-----
> From: kraxel@redhat.com <kraxel@redhat.com>
> Sent: Monday, March 20, 2023 11:00 PM
> To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>
> Cc: Pawel Polawski <ppolawsk@redhat.com>; Wang, Jian J
> <jian.j.wang@intel.com>; Oliver Steffen <osteffen@redhat.com>; Xu, Min M
> <min.m.xu@intel.com>; Marvin Häuser <mhaeuser@posteo.de>;
> jmaloy@redhat.com
> Subject: Re: [edk2-devel] [PATCH v2 1/1]
> SecurityPkg/DxeImageVerificationLib: Check result of GetEfiGlobalVariable2
> 
> On Mon, Mar 20, 2023 at 01:20:29PM +0000, Yao, Jiewen wrote:
> > Would you please share with us what test has been done for this patch?
> 
> Usual regression testing, including booting images with and without
> secure boot.  Additionally checked images with the wrong signature
> are rejected (try boot grub.efi directly instead of using the
> shim.efi -> grub.efi chain).
> 
> take care,
>   Gerd
> 
> >
> > Thank you
> > Yao, Jiewen
> >
> > > -----Original Message-----
> > > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Gerd
> > > Hoffmann
> > > Sent: Monday, March 20, 2023 6:02 PM
> > > To: devel@edk2.groups.io
> > > Cc: Pawel Polawski <ppolawsk@redhat.com>; Wang, Jian J
> > > <jian.j.wang@intel.com>; Oliver Steffen <osteffen@redhat.com>; Xu,
> Min M
> > > <min.m.xu@intel.com>; Marvin Häuser <mhaeuser@posteo.de>; Yao,
> > > Jiewen <jiewen.yao@intel.com>; jmaloy@redhat.com
> > > Subject: Re: [edk2-devel] [PATCH v2 1/1]
> > > SecurityPkg/DxeImageVerificationLib: Check result of
> GetEfiGlobalVariable2
> > >
> > > On Fri, Mar 03, 2023 at 11:35:53AM +0100, Gerd Hoffmann wrote:
> > > > Call gRT->GetVariable() directly to read the SecureBoot variable.  It is
> > > > one byte in size so we can easily place it on the stack instead of
> > > > having GetEfiGlobalVariable2() allocate it for us, which avoids a few
> > > > possible error cases.
> > > >
> > > > Skip secure boot checks if (and only if):
> > > >
> > > >  (a) the SecureBoot variable is not present (EFI_NOT_FOUND) according
> to
> > > >      the return value, or
> > > >  (b) the SecureBoot variable was read successfully and is set to
> > > >      SECURE_BOOT_MODE_DISABLE.
> > > >
> > > > Previously the code skipped the secure boot checks on *any*
> > > > gRT->GetVariable() error (GetEfiGlobalVariable2 sets the variable
> > > > value to NULL in that case) and also on memory allocation failures.
> > > >
> > > > Fixes: CVE-2019-14560
> > > > Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=2167
> > > > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> > >
> > > Ping.  Any comments on this patch?
> > >
> > > take care,
> > >   Gerd
> > >
> > >
> > >
> > >
> > >
> >
> >
> >
> > 
> >
> >
> 
> --

next prev parent reply	other threads:[~2023-03-21  2:29 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-03-03 10:35 [PATCH v2 1/1] SecurityPkg/DxeImageVerificationLib: Check result of GetEfiGlobalVariable2 Gerd Hoffmann
2023-03-20 10:02 ` Gerd Hoffmann
2023-03-20 12:08   ` Min Xu
2023-03-20 13:20   ` [edk2-devel] " Yao, Jiewen
2023-03-20 15:00     ` Gerd Hoffmann
2023-03-21  2:28       ` Yao, Jiewen [this message]
2023-03-21  6:24         ` Yao, Jiewen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=MW4PR11MB58723373E0589DFA29B2C1898C819@MW4PR11MB5872.namprd11.prod.outlook.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox