From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [edk2-devel] [PATCH 1/1] SecurityPkg: Fix incorrect return value in documentation
To: devel@edk2.groups.io, philmd@redhat.com
Cc: Jiewen Yao, Jian J Wang, Chao Zhang
References: <20200204222624.7478-1-philmd@redhat.com>
From: "Laszlo Ersek"
Date: Wed, 5 Feb 2020 00:28:05 +0100
In-Reply-To: <20200204222624.7478-1-philmd@redhat.com>

Hi Phil,

On 02/04/20 23:26, Philippe Mathieu-Daudé wrote:
> The DxeTpmMeasureBootHandler and DxeTpm2MeasureBootHandler handlers
> are SECURITY2_FILE_AUTHENTICATION_HANDLER prototype. This prototype
> can not return EFI_INVALID_PARAMETER.
>
> The prototype documentation states it returns EFI_ACCESS_DENIED if:
>
> "The file specified by File and FileBuffer did not authenticate,
> and the platform policy dictates that the DXE Foundation may not
> use File."
>
> Note in practice both functions return EFI_SECURITY_VIOLATION:
>
> "The file specified by DevicePath and FileBuffer did not
> authenticate, and the platform policy dictates that the file
> should be placed in the untrusted state. The image has been
> added to the file execution table."
>
> Noticed while reviewing commit 6d57592740cdd0b6868baeef7929d6e6fef.
>
> Cc: Jiewen Yao
> Cc: Jian J Wang
> Cc: Chao Zhang
> Signed-off-by: Philippe Mathieu-Daude
> ---
> .../Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c | 2 +-
> SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBoot= Lib.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c > index 04b9b0d7fbf3..0c07f65c6835 100644 > --- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c > +++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
> @@ -384,7 +384,7 @@ Finish: > and other exception operations. The File parameter allows for possibl= e logging > within the SAP of the driver. > =20 > - If File is NULL, then EFI_INVALID_PARAMETER is returned. > + If File is NULL, then EFI_ACCESS_DENIED is returned. > =20 > If the file specified by File with an authentication status specified = by > AuthenticationStatus is safe for the DXE Core to use, then EFI_SUCCESS= is returned.

I've tried seeing where this code actually returns EFI_INVALID_PARAMETER,
but I can't find it. If File is NULL in DxeTpm2MeasureBootHandler(), then
first we seem to do:

  OrigDevicePathNode = DuplicateDevicePath (File);

which I believe will produce a NULL. Then we seem to pass this NULL
around a little bit, so I think there's a fair chance of crashing there.

I wonder if this code should be fixed, to check "File" in the first
place, and then return EFI_ACCESS_DENIED.

There are also some other places in the function that could apparently
return a wide array of error codes -- FvbProtocol->GetPhysicalAddress()
(EFI_UNSUPPORTED?), PeCoffLoaderGetImageInfo(), etc.

I do agree this patch is an improvement, however; at least it says what
*should* be returned. So with that in mind:

Acked-by: Laszlo Ersek

Thanks
Laszlo

> diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLi= b.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c > index 1f2eed29a1df..0dccbb66eb26 100644 > --- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c > +++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
> @@ -678,7 +678,7 @@ Finish: > and other exception operations. The File parameter allows for possibl= e logging > within the SAP of the driver. > =20 > - If File is NULL, then EFI_INVALID_PARAMETER is returned. > + If File is NULL, then EFI_ACCESS_DENIED is returned. > =20 > If the file specified by File with an authentication status specified = by > AuthenticationStatus is safe for the DXE Core to use, then EFI_SUCCESS= is returned. >=20
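
Review bot: the new comment line "If File is NULL, then EFI_ACCESS_DENIED is returned." in DxeTpm2MeasureBootLib.c (hunk at -384) states a guarantee that nothing in this patch implements: the diffstat shows one changed line per file, and both are comment lines. Either add an explicit guard at the top of DxeTpm2MeasureBootHandler(), for example `if (File == NULL) { return EFI_ACCESS_DENIED; }`, before File reaches DuplicateDevicePath(), or word the comment as what the SECURITY2_FILE_AUTHENTICATION_HANDLER prototype requires rather than what the function does today.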
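
Review bot: in DxeTpmMeasureBootLib.c (hunk at -678) the comment now names EFI_ACCESS_DENIED for a NULL File, while the commit message says both handlers in practice return EFI_SECURITY_VIOLATION for a file that fails to authenticate; the comment block should state which status a caller gets in each case so the two outcomes are not conflated. As only the comment changes in this hunk, a matching File == NULL check in DxeTpmMeasureBootHandler() should land with it or in a follow-up.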