From: "Min Xu" <min.m.xu@intel.com>
To: Gerd Hoffmann <kraxel@redhat.com>,
"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: "Pawel Polawski" <ppolawsk@redhat.com>,
"Wang, Jian J" <jian.j.wang@intel.com>,
"Oliver Steffen" <osteffen@redhat.com>,
"Marvin Häuser" <mhaeuser@posteo.de>,
"Yao, Jiewen" <jiewen.yao@intel.com>,
"jmaloy@redhat.com" <jmaloy@redhat.com>
Subject: Re: [PATCH v2 1/1] SecurityPkg/DxeImageVerificationLib: Check result of GetEfiGlobalVariable2
Date: Mon, 20 Mar 2023 12:08:38 +0000 [thread overview]
Message-ID: <PH0PR11MB506444AFF8ABB617BA3F944EC5809@PH0PR11MB5064.namprd11.prod.outlook.com> (raw)
In-Reply-To: <20230320100208.xhoz7smo5fkhal26@sirius.home.kraxel.org>
It's good to me.
Reviewed-by: Min Xu <min.m.xu@intel.com>
Thanks
> -----Original Message-----
> From: Gerd Hoffmann <kraxel@redhat.com>
> Sent: Monday, March 20, 2023 6:02 PM
> To: devel@edk2.groups.io
> Cc: Pawel Polawski <ppolawsk@redhat.com>; Wang, Jian J
> <jian.j.wang@intel.com>; Oliver Steffen <osteffen@redhat.com>; Xu, Min M
> <min.m.xu@intel.com>; Marvin Häuser <mhaeuser@posteo.de>; Yao, Jiewen
> <jiewen.yao@intel.com>; jmaloy@redhat.com
> Subject: Re: [PATCH v2 1/1] SecurityPkg/DxeImageVerificationLib: Check
> result of GetEfiGlobalVariable2
>
> On Fri, Mar 03, 2023 at 11:35:53AM +0100, Gerd Hoffmann wrote:
> > Call gRT->GetVariable() directly to read the SecureBoot variable. It
> > is one byte in size so we can easily place it on the stack instead of
> > having GetEfiGlobalVariable2() allocate it for us, which avoids a few
> > possible error cases.
> >
> > Skip secure boot checks if (and only if):
> >
> > (a) the SecureBoot variable is not present (EFI_NOT_FOUND) according to
> > the return value, or
> > (b) the SecureBoot variable was read successfully and is set to
> > SECURE_BOOT_MODE_DISABLE.
> >
> > Previously the code skipped the secure boot checks on *any*
> > gRT->GetVariable() error (GetEfiGlobalVariable2 sets the variable
> > value to NULL in that case) and also on memory allocation failures.
> >
> > Fixes: CVE-2019-14560
> > Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=2167
> > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
>
> Ping. Any comments on this patch?
>
> take care,
> Gerd
next prev parent reply other threads:[~2023-03-20 12:08 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-03 10:35 [PATCH v2 1/1] SecurityPkg/DxeImageVerificationLib: Check result of GetEfiGlobalVariable2 Gerd Hoffmann
2023-03-20 10:02 ` Gerd Hoffmann
2023-03-20 12:08 ` Min Xu [this message]
2023-03-20 13:20 ` [edk2-devel] " Yao, Jiewen
2023-03-20 15:00 ` Gerd Hoffmann
2023-03-21 2:28 ` Yao, Jiewen
2023-03-21 6:24 ` Yao, Jiewen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=PH0PR11MB506444AFF8ABB617BA3F944EC5809@PH0PR11MB5064.namprd11.prod.outlook.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox