From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: devel@edk2.groups.io, kraxel@redhat.com
Cc: Pawel Polawski; Wang, Jian J; Oliver Steffen; Xu, Min M; Marvin Häuser; jmaloy@redhat.com
Subject: Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/DxeImageVerificationLib: Check result of GetEfiGlobalVariable2
Date: Mon, 20 Mar 2023 13:20:29 +0000
References: <20230303103553.804781-1-kraxel@redhat.com> <20230320100208.xhoz7smo5fkhal26@sirius.home.kraxel.org>
In-Reply-To: <20230320100208.xhoz7smo5fkhal26@sirius.home.kraxel.org>

Would you please share with us what test has been done for this patch?
Thank you
Yao, Jiewen

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Gerd Hoffmann
> Sent: Monday, March 20, 2023 6:02 PM
> To: devel@edk2.groups.io
> Cc: Pawel Polawski; Wang, Jian J; Oliver Steffen; Xu, Min M; Marvin Häuser; Yao, Jiewen; jmaloy@redhat.com
> Subject: Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/DxeImageVerificationLib: Check result of GetEfiGlobalVariable2
>
> On Fri, Mar 03, 2023 at 11:35:53AM +0100, Gerd Hoffmann wrote:
> > Call gRT->GetVariable() directly to read the SecureBoot variable. It is
> > one byte in size so we can easily place it on the stack instead of
> > having GetEfiGlobalVariable2() allocate it for us, which avoids a few
> > possible error cases.
> >
> > Skip secure boot checks if (and only if):
> >
> > (a) the SecureBoot variable is not present (EFI_NOT_FOUND) according to
> > the return value, or
> > (b) the SecureBoot variable was read successfully and is set to
> > SECURE_BOOT_MODE_DISABLE.
> >
> > Previously the code skipped the secure boot checks on *any*
> > gRT->GetVariable() error (GetEfiGlobalVariable2 sets the variable
> > value to NULL in that case) and also on memory allocation failures.
> >
> > Fixes: CVE-2019-14560
> > Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=2167
> > Signed-off-by: Gerd Hoffmann
>
> Ping. Any comments on this patch?
>
> take care,
> Gerd
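The decision rule Gerd's commit message describes, written out as an added illustration that is not part of this thread and is not the edk2 patch itself. It puts the old "skip on any failure" policy beside the new "skip only on EFI_NOT_FOUND or an explicit SECURE_BOOT_MODE_DISABLE" policy and runs both over the same constructed scenarios, so the difference (a read error or allocation failure no longer disables image verification) is visible. Everything here is a stand-in: the EFI_STATUS type and status values, the MOCK_SECURE_BOOT_VAR store, MockGetVariable in place of gRT->GetVariable, and the two SkipChecks_* functions are constructed for this example; only EFI_NOT_FOUND and SECURE_BOOT_MODE_DISABLE are names taken from the commit message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the UEFI types used below (not edk2's headers). */
typedef uint64_t EFI_STATUS;
#define EFI_ERROR_BIT         (1ULL << 63)
#define EFI_SUCCESS           0ULL
#define EFI_BUFFER_TOO_SMALL  (EFI_ERROR_BIT | 5)
#define EFI_DEVICE_ERROR      (EFI_ERROR_BIT | 7)
#define EFI_NOT_FOUND         (EFI_ERROR_BIT | 14)
#define EFI_ERROR(s)          (((s) & EFI_ERROR_BIT) != 0)

#define SECURE_BOOT_MODE_ENABLE   1
#define SECURE_BOOT_MODE_DISABLE  0

/* Constructed variable store: how one call to gRT->GetVariable("SecureBoot")
 * behaves in a given scenario. */
typedef struct {
  EFI_STATUS Status;  /* status the runtime service returns */
  uint8_t    Value;   /* byte written to the caller's buffer on success */
} MOCK_SECURE_BOOT_VAR;

/* Constructed scenarios. */
static const MOCK_SECURE_BOOT_VAR kVarAbsent      = { EFI_NOT_FOUND,    0 };
static const MOCK_SECURE_BOOT_VAR kVarEnabled     = { EFI_SUCCESS,      SECURE_BOOT_MODE_ENABLE };
static const MOCK_SECURE_BOOT_VAR kVarDisabled    = { EFI_SUCCESS,      SECURE_BOOT_MODE_DISABLE };
static const MOCK_SECURE_BOOT_VAR kVarDeviceError = { EFI_DEVICE_ERROR, 0 };

/* Stand-in for gRT->GetVariable, restricted to the one-byte SecureBoot variable. */
static EFI_STATUS MockGetVariable(const MOCK_SECURE_BOOT_VAR *Var, uint8_t *Buffer, size_t *Size) {
  if (Var->Status != EFI_SUCCESS) return Var->Status;
  if (*Size < 1) { *Size = 1; return EFI_BUFFER_TOO_SMALL; }
  *Size = 1;
  *Buffer = Var->Value;
  return EFI_SUCCESS;
}

/* Old policy: GetEfiGlobalVariable2() hands back NULL on any failure, including
 * allocation failure, so "absent", "read error" and "out of memory" all look alike
 * and all lead to the checks being skipped. */
static bool SkipChecks_OldPolicy(const MOCK_SECURE_BOOT_VAR *Var, bool AllocFails) {
  uint8_t  Value;
  size_t   Size = sizeof(Value);
  uint8_t *SecureBoot = NULL;
  if (!AllocFails && MockGetVariable(Var, &Value, &Size) == EFI_SUCCESS) {
    SecureBoot = &Value;
  }
  return (SecureBoot == NULL) || (*SecureBoot == SECURE_BOOT_MODE_DISABLE);
}

/* New policy from the commit message: read the byte into a stack buffer, skip the
 * checks only when the variable is genuinely absent (EFI_NOT_FOUND) or was read
 * successfully and says DISABLE; every other error keeps verification on. */
static bool SkipChecks_NewPolicy(const MOCK_SECURE_BOOT_VAR *Var) {
  uint8_t    SecureBoot;
  size_t     Size = sizeof(SecureBoot);
  EFI_STATUS Status = MockGetVariable(Var, &SecureBoot, &Size);
  if (Status == EFI_NOT_FOUND) return true;
  if (!EFI_ERROR(Status) && SecureBoot == SECURE_BOOT_MODE_DISABLE) return true;
  return false;  /* fail closed */
}

int main(void) {
  const struct { const char *Name; const MOCK_SECURE_BOOT_VAR *Var; } Cases[] = {
    { "absent (EFI_NOT_FOUND)",           &kVarAbsent },
    { "enabled",                          &kVarEnabled },
    { "disabled",                         &kVarDisabled },
    { "read error (EFI_DEVICE_ERROR)",    &kVarDeviceError },
  };
  printf("%-34s %-10s %-10s\n", "scenario", "old skips", "new skips");
  for (size_t i = 0; i < sizeof(Cases) / sizeof(Cases[0]); i++) {
    printf("%-34s %-10s %-10s\n", Cases[i].Name,
           SkipChecks_OldPolicy(Cases[i].Var, false) ? "yes" : "no",
           SkipChecks_NewPolicy(Cases[i].Var) ? "yes" : "no");
  }
  /* The new policy never allocates, so the allocation-failure case cannot occur there. */
  printf("%-34s %-10s %-10s\n", "enabled + allocation failure",
         SkipChecks_OldPolicy(&kVarEnabled, true) ? "yes" : "no", "n/a");
  return 0;
}
```

The two rows that differ are the read-error row and the allocation-failure row: the old policy answers "yes" (verification skipped) for both, the new policy answers "no". Those are exactly the cases the commit message calls out, and they are why the fix matters: a transient variable-service failure must not silently turn Secure Boot off.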