[PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action

[PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action

[Nhi Pham]

Add the AUTH_SIG_NOT_FOUND Action to the Image Execution Info Table
when the Image is signed but signature is not allowed by DB and the
hash of image is not found in DB/DBX.

This is documented in the UEFI spec 2.10, table 32.5.

This issue is found by the SIE SCT with the error message as follows:
SecureBoot - TestImage1.bin in Image Execution Info Table with
SIG_NOT_FOUND. --FAILURE
B3A670AA-0FBA-48CA-9D01-0EE9700965A9
SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/
ImageLoadingBBTest.c:1079:Status Success

Signed-off-by: Nhi Pham <nhi@os.amperecomputing.com>
---
 SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index b3d40c21e975..5d8dbd546879 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1993,6 +1993,7 @@ DxeImageVerificationHandler (
       if (!EFI_ERROR (DbStatus) && IsFound) {
         IsVerified = TRUE;
       } else {
+        Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND;
         DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature is not allowed by DB and %s hash of image is not found in DB/DBX.\n", mHashTypeStr));
       }
     }
-- 
2.25.1

Re: [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action

[Nhi Pham]

Hi,

Ping for reviewing.

Let me know if I need anything for this patch.

Thanks,

Nhi

On 4/12/2023 4:21 PM, Nhi Pham wrote:
> Add the AUTH_SIG_NOT_FOUND Action to the Image Execution Info Table
> when the Image is signed but signature is not allowed by DB and the
> hash of image is not found in DB/DBX.
>
> This is documented in the UEFI spec 2.10, table 32.5.
>
> This issue is found by the SIE SCT with the error message as follows:
> SecureBoot - TestImage1.bin in Image Execution Info Table with
> SIG_NOT_FOUND. --FAILURE
> B3A670AA-0FBA-48CA-9D01-0EE9700965A9
> SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/
> ImageLoadingBBTest.c:1079:Status Success
>
> Signed-off-by: Nhi Pham <nhi@os.amperecomputing.com>
> ---
>   SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 1 +
>   1 file changed, 1 insertion(+)
>
> diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index b3d40c21e975..5d8dbd546879 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> @@ -1993,6 +1993,7 @@ DxeImageVerificationHandler (
>         if (!EFI_ERROR (DbStatus) && IsFound) {
>
>           IsVerified = TRUE;
>
>         } else {
>
> +        Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND;
>
>           DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature is not allowed by DB and %s hash of image is not found in DB/DBX.\n", mHashTypeStr));
>
>         }
>
>       }
>

Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action

[Min Xu]

On Friday, April 14, 2023 1:18 PM, Nhi Pham wrote:
> Hi,
> 
> Ping for reviewing.
> 
> Let me know if I need anything for this patch.
Do you test the change and what's the test result? Can you provide the validation result?

Thanks
Min

Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action

[Nhi Pham]

Hi Min,

This SEI test passes:

SecureBoot - TestImage2.bin in Image Execution Info Table with 
SIG_NOT_FOUND. -- PASS
00C3C2F2-39D5-4D35-B7E7-587CA0F3CB75
SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/ImageLoadingBBTest.c:1103:Status 
- Success

The test image binary is different to the one in the commit message due 
to some bug fixes in the SEI test suite. The right test case to catch 
this bug is 00C3C2F2-39D5-4D35-B7E7-587CA0F3CB75

You can check the test code at 
https://github.com/ARM-software/bbr-acs/blob/main/bbsr/sct-tests/SecureBoot/BlackBoxTest/ImageLoadingBBTest.c

Thanks,

Nhi

On 4/19/2023 6:20 AM, Xu, Min M wrote:
> On Friday, April 14, 2023 1:18 PM, Nhi Pham wrote:
>> Hi,
>>
>> Ping for reviewing.
>>
>> Let me know if I need anything for this patch.
> Do you test the change and what's the test result? Can you provide the validation result?
>
> Thanks
> Min

Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action

[Min Xu]

It's good to me.
Reviewed-by: Min Xu <min.m.xu@intel.com>

Thanks

> -----Original Message-----
> From: Nhi Pham <nhi@amperemail.onmicrosoft.com>
> Sent: Thursday, April 20, 2023 11:49 AM
> To: Xu, Min M <min.m.xu@intel.com>; devel@edk2.groups.io;
> nhi@os.amperecomputing.com; Yao, Jiewen <jiewen.yao@intel.com>; Wang,
> Jian J <jian.j.wang@intel.com>
> Cc: patches@amperecomputing.com
> Subject: Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib:
> Add AUTH_SIG_NOT_FOUND Action
> 
> Hi Min,
> 
> This SEI test passes:
> 
> SecureBoot - TestImage2.bin in Image Execution Info Table with
> SIG_NOT_FOUND. -- PASS
> 00C3C2F2-39D5-4D35-B7E7-587CA0F3CB75
> SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/ImageLoa
> dingBBTest.c:1103:Status
> - Success
> 
> The test image binary is different to the one in the commit message due to some
> bug fixes in the SEI test suite. The right test case to catch this bug is 00C3C2F2-
> 39D5-4D35-B7E7-587CA0F3CB75
> 
> You can check the test code at
> https://github.com/ARM-software/bbr-acs/blob/main/bbsr/sct-
> tests/SecureBoot/BlackBoxTest/ImageLoadingBBTest.c
> 
> Thanks,
> 
> Nhi
> 
> On 4/19/2023 6:20 AM, Xu, Min M wrote:
> > On Friday, April 14, 2023 1:18 PM, Nhi Pham wrote:
> >> Hi,
> >>
> >> Ping for reviewing.
> >>
> >> Let me know if I need anything for this patch.
> > Do you test the change and what's the test result? Can you provide the
> validation result?
> >
> > Thanks
> > Min

Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action

[Nhi Pham]

Thanks Min.

Could you help merge this patch to edk2?

Regards,

Nhi

On 4/26/2023 2:54 PM, Xu, Min M wrote:
> It's good to me.
> Reviewed-by: Min Xu <min.m.xu@intel.com>
>
> Thanks
>
>> -----Original Message-----
>> From: Nhi Pham <nhi@amperemail.onmicrosoft.com>
>> Sent: Thursday, April 20, 2023 11:49 AM
>> To: Xu, Min M <min.m.xu@intel.com>; devel@edk2.groups.io;
>> nhi@os.amperecomputing.com; Yao, Jiewen <jiewen.yao@intel.com>; Wang,
>> Jian J <jian.j.wang@intel.com>
>> Cc: patches@amperecomputing.com
>> Subject: Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib:
>> Add AUTH_SIG_NOT_FOUND Action
>>
>> Hi Min,
>>
>> This SEI test passes:
>>
>> SecureBoot - TestImage2.bin in Image Execution Info Table with
>> SIG_NOT_FOUND. -- PASS
>> 00C3C2F2-39D5-4D35-B7E7-587CA0F3CB75
>> SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/ImageLoa
>> dingBBTest.c:1103:Status
>> - Success
>>
>> The test image binary is different to the one in the commit message due to some
>> bug fixes in the SEI test suite. The right test case to catch this bug is 00C3C2F2-
>> 39D5-4D35-B7E7-587CA0F3CB75
>>
>> You can check the test code at
>> https://github.com/ARM-software/bbr-acs/blob/main/bbsr/sct-
>> tests/SecureBoot/BlackBoxTest/ImageLoadingBBTest.c
>>
>> Thanks,
>>
>> Nhi
>>
>> On 4/19/2023 6:20 AM, Xu, Min M wrote:
>>> On Friday, April 14, 2023 1:18 PM, Nhi Pham wrote:
>>>> Hi,
>>>>
>>>> Ping for reviewing.
>>>>
>>>> Let me know if I need anything for this patch.
>>> Do you test the change and what's the test result? Can you provide the
>> validation result?
>>> Thanks
>>> Min

Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action

[Min Xu]

Hi, Nhi Pham
Yao, Jiewen and Wang, Jian are the maintainers of SecurityPkg.

They can help to merge the patch if they have no concerns about the patch.

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Nhi Pham
> via groups.io
> Sent: Thursday, April 27, 2023 1:38 PM
> To: Xu, Min M <min.m.xu@intel.com>; devel@edk2.groups.io;
> nhi@os.amperecomputing.com; Yao, Jiewen <jiewen.yao@intel.com>; Wang,
> Jian J <jian.j.wang@intel.com>; Gao, Liming <gaoliming@byosoft.com.cn>
> Cc: patches@amperecomputing.com
> Subject: Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib:
> Add AUTH_SIG_NOT_FOUND Action
> 
> Thanks Min.
> 
> Could you help merge this patch to edk2?
> 
> Regards,
> 
> Nhi
> 
> On 4/26/2023 2:54 PM, Xu, Min M wrote:
> > It's good to me.
> > Reviewed-by: Min Xu <min.m.xu@intel.com>
> >
> > Thanks
> >
> >> -----Original Message-----
> >> From: Nhi Pham <nhi@amperemail.onmicrosoft.com>
> >> Sent: Thursday, April 20, 2023 11:49 AM
> >> To: Xu, Min M <min.m.xu@intel.com>; devel@edk2.groups.io;
> >> nhi@os.amperecomputing.com; Yao, Jiewen <jiewen.yao@intel.com>;
> Wang,
> >> Jian J <jian.j.wang@intel.com>
> >> Cc: patches@amperecomputing.com
> >> Subject: Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib:
> >> Add AUTH_SIG_NOT_FOUND Action
> >>
> >> Hi Min,
> >>
> >> This SEI test passes:
> >>
> >> SecureBoot - TestImage2.bin in Image Execution Info Table with
> >> SIG_NOT_FOUND. -- PASS
> >> 00C3C2F2-39D5-4D35-B7E7-587CA0F3CB75
> >>
> SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/Imag
> >> eLoa
> >> dingBBTest.c:1103:Status
> >> - Success
> >>
> >> The test image binary is different to the one in the commit message
> >> due to some bug fixes in the SEI test suite. The right test case to
> >> catch this bug is 00C3C2F2-
> >> 39D5-4D35-B7E7-587CA0F3CB75
> >>
> >> You can check the test code at
> >> https://github.com/ARM-software/bbr-acs/blob/main/bbsr/sct-
> >> tests/SecureBoot/BlackBoxTest/ImageLoadingBBTest.c
> >>
> >> Thanks,
> >>
> >> Nhi
> >>
> >> On 4/19/2023 6:20 AM, Xu, Min M wrote:
> >>> On Friday, April 14, 2023 1:18 PM, Nhi Pham wrote:
> >>>> Hi,
> >>>>
> >>>> Ping for reviewing.
> >>>>
> >>>> Let me know if I need anything for this patch.
> >>> Do you test the change and what's the test result? Can you provide
> >>> the
> >> validation result?
> >>> Thanks
> >>> Min
> 
> 
> 
> 

Re: [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action

[Yao, Jiewen]

Thanks Nhi, to provide the fix.

The UEFI specification (https://uefi.org/specs/UEFI/2.10/32_Secure_Boot_and_Driver_Signing.html) defines below error code.

#define EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED     0x00000001
#define EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED     0x00000002
#define EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND  0x00000003
#define EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND      0x00000004

1) EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED means 
An image certificate is in the forbidden database, or
A digest of an image certifcate is in the forbidden database, or
The image signature check failed.

However, the code only contains below as forbidden database check:

    if (IsForbiddenByDbx (AuthData, AuthDataSize)) {
      Action     = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED;
      IsVerified = FALSE;
      break;
    }

The image signature check fail missed the Action. (remaining issue ?)

2) EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED means
An image certifcate is in authroized database. (or)
The image digest is in the authorized database.

However, I cannot find the code to set the value in the code. (remaining issue ?)

3) EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND means
the image certificate is not found in the authorized database, and
the image digest is not in the authorized database.

It is fixed in this patch. Thank you!

4) EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND means 
The image has at least one certificate, and the image digest is in the forbidden database.

The code is there.


Would you please double check, if we have the remaining issue in 1) and 2)?




> -----Original Message-----
> From: Nhi Pham <nhi@os.amperecomputing.com>
> Sent: Wednesday, April 12, 2023 5:22 PM
> To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>; Wang,
> Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>
> Cc: patches@amperecomputing.com; Nhi Pham
> <nhi@os.amperecomputing.com>
> Subject: [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add
> AUTH_SIG_NOT_FOUND Action
> 
> Add the AUTH_SIG_NOT_FOUND Action to the Image Execution Info Table
> when the Image is signed but signature is not allowed by DB and the
> hash of image is not found in DB/DBX.
> 
> This is documented in the UEFI spec 2.10, table 32.5.
> 
> This issue is found by the SIE SCT with the error message as follows:
> SecureBoot - TestImage1.bin in Image Execution Info Table with
> SIG_NOT_FOUND. --FAILURE
> B3A670AA-0FBA-48CA-9D01-0EE9700965A9
> SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/
> ImageLoadingBBTest.c:1079:Status Success
> 
> Signed-off-by: Nhi Pham <nhi@os.amperecomputing.com>
> ---
>  SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 1
> +
>  1 file changed, 1 insertion(+)
> 
> diff --git
> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index b3d40c21e975..5d8dbd546879 100644
> ---
> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++
> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> @@ -1993,6 +1993,7 @@ DxeImageVerificationHandler (
>        if (!EFI_ERROR (DbStatus) && IsFound) {
> 
>          IsVerified = TRUE;
> 
>        } else {
> 
> +        Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND;
> 
>          DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but
> signature is not allowed by DB and %s hash of image is not found in
> DB/DBX.\n", mHashTypeStr));
> 
>        }
> 
>      }
> 
> --
> 2.25.1

Re: [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action

[Nhi Pham]

Thanks Yao Jiewen for reviewing. I will make further investigation for 
other cases based on your findings.

In the meantime, could you help merge my patch?

-Nhi

On 4/27/2023 3:19 PM, Yao, Jiewen wrote:
> Thanks Nhi, to provide the fix.
>
> The UEFI specification (https://uefi.org/specs/UEFI/2.10/32_Secure_Boot_and_Driver_Signing.html) defines below error code.
>
> #define EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED     0x00000001
> #define EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED     0x00000002
> #define EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND  0x00000003
> #define EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND      0x00000004
>
> 1) EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED means
> An image certificate is in the forbidden database, or
> A digest of an image certifcate is in the forbidden database, or
> The image signature check failed.
>
> However, the code only contains below as forbidden database check:
>
>      if (IsForbiddenByDbx (AuthData, AuthDataSize)) {
>        Action     = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED;
>        IsVerified = FALSE;
>        break;
>      }
>
> The image signature check fail missed the Action. (remaining issue ?)
>
> 2) EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED means
> An image certifcate is in authroized database. (or)
> The image digest is in the authorized database.
>
> However, I cannot find the code to set the value in the code. (remaining issue ?)
>
> 3) EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND means
> the image certificate is not found in the authorized database, and
> the image digest is not in the authorized database.
>
> It is fixed in this patch. Thank you!
>
> 4) EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND means
> The image has at least one certificate, and the image digest is in the forbidden database.
>
> The code is there.
>
>
> Would you please double check, if we have the remaining issue in 1) and 2)?
>
>
>
>
>> -----Original Message-----
>> From: Nhi Pham <nhi@os.amperecomputing.com>
>> Sent: Wednesday, April 12, 2023 5:22 PM
>> To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>; Wang,
>> Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>
>> Cc: patches@amperecomputing.com; Nhi Pham
>> <nhi@os.amperecomputing.com>
>> Subject: [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add
>> AUTH_SIG_NOT_FOUND Action
>>
>> Add the AUTH_SIG_NOT_FOUND Action to the Image Execution Info Table
>> when the Image is signed but signature is not allowed by DB and the
>> hash of image is not found in DB/DBX.
>>
>> This is documented in the UEFI spec 2.10, table 32.5.
>>
>> This issue is found by the SIE SCT with the error message as follows:
>> SecureBoot - TestImage1.bin in Image Execution Info Table with
>> SIG_NOT_FOUND. --FAILURE
>> B3A670AA-0FBA-48CA-9D01-0EE9700965A9
>> SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/
>> ImageLoadingBBTest.c:1079:Status Success
>>
>> Signed-off-by: Nhi Pham <nhi@os.amperecomputing.com>
>> ---
>>   SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 1
>> +
>>   1 file changed, 1 insertion(+)
>>
>> diff --git
>> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
>> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
>> index b3d40c21e975..5d8dbd546879 100644
>> ---
>> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
>> +++
>> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
>> @@ -1993,6 +1993,7 @@ DxeImageVerificationHandler (
>>         if (!EFI_ERROR (DbStatus) && IsFound) {
>>
>>           IsVerified = TRUE;
>>
>>         } else {
>>
>> +        Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND;
>>
>>           DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but
>> signature is not allowed by DB and %s hash of image is not found in
>> DB/DBX.\n", mHashTypeStr));
>>
>>         }
>>
>>       }
>>
>> --
>> 2.25.1

Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action

[Yao, Jiewen]

Sure. This patch is merged https://github.com/tianocore/edk2/pull/4321.

Thanks for the contribution.
Look forward to your investigation result.


> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Nhi
> Pham via groups.io
> Sent: Friday, April 28, 2023 11:14 AM
> To: Yao, Jiewen <jiewen.yao@intel.com>; Nhi Pham
> <nhi@os.amperecomputing.com>; devel@edk2.groups.io; Wang, Jian J
> <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>
> Cc: patches@amperecomputing.com
> Subject: Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib:
> Add AUTH_SIG_NOT_FOUND Action
> 
> Thanks Yao Jiewen for reviewing. I will make further investigation for
> other cases based on your findings.
> 
> In the meantime, could you help merge my patch?
> 
> -Nhi
> 
> On 4/27/2023 3:19 PM, Yao, Jiewen wrote:
> > Thanks Nhi, to provide the fix.
> >
> > The UEFI specification
> (https://uefi.org/specs/UEFI/2.10/32_Secure_Boot_and_Driver_Signing.html)
> defines below error code.
> >
> > #define EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED     0x00000001
> > #define EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED     0x00000002
> > #define EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND  0x00000003
> > #define EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND      0x00000004
> >
> > 1) EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED means
> > An image certificate is in the forbidden database, or
> > A digest of an image certifcate is in the forbidden database, or
> > The image signature check failed.
> >
> > However, the code only contains below as forbidden database check:
> >
> >      if (IsForbiddenByDbx (AuthData, AuthDataSize)) {
> >        Action     = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED;
> >        IsVerified = FALSE;
> >        break;
> >      }
> >
> > The image signature check fail missed the Action. (remaining issue ?)
> >
> > 2) EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED means
> > An image certifcate is in authroized database. (or)
> > The image digest is in the authorized database.
> >
> > However, I cannot find the code to set the value in the code. (remaining
> issue ?)
> >
> > 3) EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND means
> > the image certificate is not found in the authorized database, and
> > the image digest is not in the authorized database.
> >
> > It is fixed in this patch. Thank you!
> >
> > 4) EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND means
> > The image has at least one certificate, and the image digest is in the
> forbidden database.
> >
> > The code is there.
> >
> >
> > Would you please double check, if we have the remaining issue in 1) and 2)?
> >
> >
> >
> >
> >> -----Original Message-----
> >> From: Nhi Pham <nhi@os.amperecomputing.com>
> >> Sent: Wednesday, April 12, 2023 5:22 PM
> >> To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>; Wang,
> >> Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>
> >> Cc: patches@amperecomputing.com; Nhi Pham
> >> <nhi@os.amperecomputing.com>
> >> Subject: [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add
> >> AUTH_SIG_NOT_FOUND Action
> >>
> >> Add the AUTH_SIG_NOT_FOUND Action to the Image Execution Info
> Table
> >> when the Image is signed but signature is not allowed by DB and the
> >> hash of image is not found in DB/DBX.
> >>
> >> This is documented in the UEFI spec 2.10, table 32.5.
> >>
> >> This issue is found by the SIE SCT with the error message as follows:
> >> SecureBoot - TestImage1.bin in Image Execution Info Table with
> >> SIG_NOT_FOUND. --FAILURE
> >> B3A670AA-0FBA-48CA-9D01-0EE9700965A9
> >> SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/
> >> ImageLoadingBBTest.c:1079:Status Success
> >>
> >> Signed-off-by: Nhi Pham <nhi@os.amperecomputing.com>
> >> ---
> >>   SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> | 1
> >> +
> >>   1 file changed, 1 insertion(+)
> >>
> >> diff --git
> >>
> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> >>
> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> >> index b3d40c21e975..5d8dbd546879 100644
> >> ---
> >>
> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> >> +++
> >>
> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> >> @@ -1993,6 +1993,7 @@ DxeImageVerificationHandler (
> >>         if (!EFI_ERROR (DbStatus) && IsFound) {
> >>
> >>           IsVerified = TRUE;
> >>
> >>         } else {
> >>
> >> +        Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND;
> >>
> >>           DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed
> but
> >> signature is not allowed by DB and %s hash of image is not found in
> >> DB/DBX.\n", mHashTypeStr));
> >>
> >>         }
> >>
> >>       }
> >>
> >> --
> >> 2.25.1
> 
> 
> 
>