* [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Set Action for failed unsigned image
@ 2021-10-12 16:57 Joseph Hemann
2021-10-26 21:08 ` [edk2-devel] " Samer El-Haj-Mahmoud
0 siblings, 1 reply; 3+ messages in thread
From: Joseph Hemann @ 2021-10-12 16:57 UTC (permalink / raw)
To: devel; +Cc: nd, Joseph Hemann, Jiewen Yao, Jian J Wang, Min Xu, Joseph Hemann
If the image is not signed and the hash of image is not found
in DB/DBX, then the EFI_IMAGE_INFO_ACTION of the load of said
image should be set to,
EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND, rather then being left
unset as EFI_IMAGE_EXECUTION_AUTH_UNTESTED.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Signed-off-by: Joseph Hemann <Joseph.Hemann@arm.com>
Change-Id: Ia432ebf4ec811e36d67b80bc438a6aff60bc9b67
---
.../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index 0a804af2162f..e5fae732bb1f 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1848,6 +1848,7 @@ DxeImageVerificationHandler (
//
// Image Hash is not found in both forbidden and allowed database.
//
+ Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND;
DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed and %s hash of image is not found in DB/DBX.\n", mHashTypeStr));
goto Failed;
}
--
2.17.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Set Action for failed unsigned image
2021-10-12 16:57 [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Set Action for failed unsigned image Joseph Hemann
@ 2021-10-26 21:08 ` Samer El-Haj-Mahmoud
2021-10-27 0:32 ` Yao, Jiewen
0 siblings, 1 reply; 3+ messages in thread
From: Samer El-Haj-Mahmoud @ 2021-10-26 21:08 UTC (permalink / raw)
To: devel@edk2.groups.io, Joseph Hemann
Cc: nd, Jiewen Yao, Jian J Wang, Min Xu, Samer El-Haj-Mahmoud
Hi Jiewen, Jian, and Min,
Can you please review this patch? We have a corresponding UEFI Spec "code first" ECR (https://bugzilla.tianocore.org/show_bug.cgi?id=3561), and need to clarify a couple of cases in the code.
Thanks,
--Samer
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Joseph
> Hemann via groups.io
> Sent: Tuesday, October 12, 2021 12:57 PM
> To: devel@edk2.groups.io
> Cc: nd <nd@arm.com>; Joseph Hemann <Joseph.Hemann@arm.com>; Jiewen
> Yao <jiewen.yao@intel.com>; Jian J Wang <jian.j.wang@intel.com>; Min Xu
> <min.m.xu@intel.com>; Joseph Hemann <Joseph.Hemann@arm.com>
> Subject: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Set
> Action for failed unsigned image
>
> If the image is not signed and the hash of image is not found
> in DB/DBX, then the EFI_IMAGE_INFO_ACTION of the load of said
> image should be set to,
> EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND, rather then being left
> unset as EFI_IMAGE_EXECUTION_AUTH_UNTESTED.
>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Min Xu <min.m.xu@intel.com>
>
> Signed-off-by: Joseph Hemann <Joseph.Hemann@arm.com>
> Change-Id: Ia432ebf4ec811e36d67b80bc438a6aff60bc9b67
> ---
> .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git
> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index 0a804af2162f..e5fae732bb1f 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> @@ -1848,6 +1848,7 @@ DxeImageVerificationHandler (
> //
> // Image Hash is not found in both forbidden and allowed database.
> //
> + Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND;
> DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed and %s
> hash of image is not found in DB/DBX.\n", mHashTypeStr));
> goto Failed;
> }
> --
> 2.17.1
>
>
>
>
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Set Action for failed unsigned image
2021-10-26 21:08 ` [edk2-devel] " Samer El-Haj-Mahmoud
@ 2021-10-27 0:32 ` Yao, Jiewen
0 siblings, 0 replies; 3+ messages in thread
From: Yao, Jiewen @ 2021-10-27 0:32 UTC (permalink / raw)
To: Samer El-Haj-Mahmoud, devel@edk2.groups.io, Joseph Hemann
Cc: nd, Wang, Jian J, Xu, Min M
Hi Samer
Thanks for the patch.
I overlook this one when I check the title, it is quite similar to previous one. The only difference is signed v.s. unsigned.
It seems make sense. But I have same feedback as previous one.
Would you please:
1) Fila a Bugzilla - https://bugzilla.tianocore.org/ for the issue.
The CodeFirst is only for doc, not for code.
If you need submit v2, I highly recommend you bind those two in one patch set. (Still 2 patches, but in one set.)
Thank you
Yao Jiewen
> -----Original Message-----
> From: Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>
> Sent: Wednesday, October 27, 2021 5:09 AM
> To: devel@edk2.groups.io; Joseph Hemann <Joseph.Hemann@arm.com>
> Cc: nd <nd@arm.com>; Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Samer El-Haj-
> Mahmoud <Samer.El-Haj-Mahmoud@arm.com>
> Subject: RE: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Set
> Action for failed unsigned image
>
> Hi Jiewen, Jian, and Min,
>
> Can you please review this patch? We have a corresponding UEFI Spec "code
> first" ECR (https://bugzilla.tianocore.org/show_bug.cgi?id=3561), and need to
> clarify a couple of cases in the code.
>
> Thanks,
> --Samer
>
> > -----Original Message-----
> > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Joseph
> > Hemann via groups.io
> > Sent: Tuesday, October 12, 2021 12:57 PM
> > To: devel@edk2.groups.io
> > Cc: nd <nd@arm.com>; Joseph Hemann <Joseph.Hemann@arm.com>; Jiewen
> > Yao <jiewen.yao@intel.com>; Jian J Wang <jian.j.wang@intel.com>; Min Xu
> > <min.m.xu@intel.com>; Joseph Hemann <Joseph.Hemann@arm.com>
> > Subject: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Set
> > Action for failed unsigned image
> >
> > If the image is not signed and the hash of image is not found
> > in DB/DBX, then the EFI_IMAGE_INFO_ACTION of the load of said
> > image should be set to,
> > EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND, rather then being left
> > unset as EFI_IMAGE_EXECUTION_AUTH_UNTESTED.
> >
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > Cc: Jian J Wang <jian.j.wang@intel.com>
> > Cc: Min Xu <min.m.xu@intel.com>
> >
> > Signed-off-by: Joseph Hemann <Joseph.Hemann@arm.com>
> > Change-Id: Ia432ebf4ec811e36d67b80bc438a6aff60bc9b67
> > ---
> > .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git
> > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> > index 0a804af2162f..e5fae732bb1f 100644
> > --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> > @@ -1848,6 +1848,7 @@ DxeImageVerificationHandler (
> > //
> > // Image Hash is not found in both forbidden and allowed database.
> > //
> > + Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND;
> > DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed
> and %s
> > hash of image is not found in DB/DBX.\n", mHashTypeStr));
> > goto Failed;
> > }
> > --
> > 2.17.1
> >
> >
> >
> >
> >
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-10-27 0:32 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-10-12 16:57 [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Set Action for failed unsigned image Joseph Hemann
2021-10-26 21:08 ` [edk2-devel] " Samer El-Haj-Mahmoud
2021-10-27 0:32 ` Yao, Jiewen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox