From: "Yao, Jiewen"
To: Samer El-Haj-Mahmoud, "devel@edk2.groups.io", Joseph Hemann
CC: nd, "Wang, Jian J", "Xu, Min M"
Subject: Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Set Action for failed unsigned image
Date: Wed, 27 Oct 2021 00:32:42 +0000
References: <20211012165701.52619-1-joseph.hemann@arm.com>

Hi Samer

Thanks for the patch.

I overlooked this one when I checked the title; it is quite similar to the previous one. The only difference is signed vs. unsigned.

It seems to make sense. But I have the same feedback as the previous one.

Would you please:
1) File a Bugzilla - https://bugzilla.tianocore.org/ for the issue.
The CodeFirst is only for doc, not for code.

If you need to submit v2, I highly recommend you bind those two in one patch set. (Still 2 patches, but in one set.)

Thank you
Yao Jiewen

> -----Original Message-----
> From: Samer El-Haj-Mahmoud
> Sent: Wednesday, October 27, 2021 5:09 AM
> To: devel@edk2.groups.io; Joseph Hemann
> Cc: nd; Yao, Jiewen; Wang, Jian J; Xu, Min M; Samer El-Haj-Mahmoud
> Subject: RE: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Set
> Action for failed unsigned image
>
> Hi Jiewen, Jian, and Min,
>
> Can you please review this patch? We have a corresponding UEFI Spec "code
> first" ECR (https://bugzilla.tianocore.org/show_bug.cgi?id=3561), and need to
> clarify a couple of cases in the code.
>
> Thanks,
> --Samer
>
> > -----Original Message-----
> > From: devel@edk2.groups.io On Behalf Of Joseph > > Hemann via groups.io > > Sent: Tuesday, October 12, 2021 12:57 PM > > To: devel@edk2.groups.io > > Cc: nd ; Joseph Hemann ; Jiewen > > Yao ; Jian J Wang ; Min Xu > > ; Joseph Hemann > > Subject: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: = Set > > Action for failed unsigned image > > > > If the image is not signed and the hash of image is not found > > in DB/DBX, then the EFI_IMAGE_INFO_ACTION of the load of said > > image should be set to, > > EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND, rather then being left > > unset as EFI_IMAGE_EXECUTION_AUTH_UNTESTED. > > > > Cc: Jiewen Yao > > Cc: Jian J Wang > > Cc: Min Xu > > > > Signed-off-by: Joseph Hemann > > Change-Id: Ia432ebf4ec811e36d67b80bc438a6aff60bc9b67 > > --- > > .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git > > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > > index 0a804af2162f..e5fae732bb1f 100644 > > --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL= ib.c > > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL= ib.c > > @@ -1848,6 +1848,7 @@ DxeImageVerificationHandler ( > > // > > // Image Hash is not found in both forbidden and allowed database. > > // > > + Action =3D EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND; > > DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed > and %s > > hash of image is not found in DB/DBX.\n", mHashTypeStr)); > > goto Failed; > > } > > -- > > 2.17.1 > > > > > > > >=20 > >
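
Review bot: the added `Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND;` line in DxeImageVerificationHandler sits under a comment that still only says the hash was not found in either database, so nothing in the code records why this action value is chosen for an unsigned image. Consider extending that comment to say that an unsigned image whose hash is in neither DB nor DBX is reported as SIG_NOT_FOUND instead of being left at EFI_IMAGE_EXECUTION_AUTH_UNTESTED, and cite the Bugzilla entry for the change in the commit message. The assignment is followed directly by the DEBUG line and `goto Failed`, so the commit message should also say where the Failed path consumes Action, since that is not visible in this hunk. In the commit message, "rather then" should read "rather than", and the comma after "should be set to" can go.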