From: "Nhi Pham" <nhi@os.amperecomputing.com>
To: Nhi Pham <nhi@os.amperecomputing.com>,
devel@edk2.groups.io, jiewen.yao@intel.com,
jian.j.wang@intel.com, min.m.xu@intel.com
Cc: patches@amperecomputing.com
Subject: Re: [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action
Date: Fri, 14 Apr 2023 12:18:10 +0700 [thread overview]
Message-ID: <f0e6f92e-0ce5-7e85-e491-0db449a42ba3@amperemail.onmicrosoft.com> (raw)
In-Reply-To: <20230412092149.138221-1-nhi@os.amperecomputing.com>
Hi,
Ping for reviewing.
Let me know if I need anything for this patch.
Thanks,
Nhi
On 4/12/2023 4:21 PM, Nhi Pham wrote:
> Add the AUTH_SIG_NOT_FOUND Action to the Image Execution Info Table
> when the Image is signed but signature is not allowed by DB and the
> hash of image is not found in DB/DBX.
>
> This is documented in the UEFI spec 2.10, table 32.5.
>
> This issue is found by the SIE SCT with the error message as follows:
> SecureBoot - TestImage1.bin in Image Execution Info Table with
> SIG_NOT_FOUND. --FAILURE
> B3A670AA-0FBA-48CA-9D01-0EE9700965A9
> SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/
> ImageLoadingBBTest.c:1079:Status Success
>
> Signed-off-by: Nhi Pham <nhi@os.amperecomputing.com>
> ---
> SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index b3d40c21e975..5d8dbd546879 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> @@ -1993,6 +1993,7 @@ DxeImageVerificationHandler (
> if (!EFI_ERROR (DbStatus) && IsFound) {
>
> IsVerified = TRUE;
>
> } else {
>
> + Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND;
>
> DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature is not allowed by DB and %s hash of image is not found in DB/DBX.\n", mHashTypeStr));
>
> }
>
> }
>
next prev parent reply other threads:[~2023-04-14 5:18 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-12 9:21 [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action Nhi Pham
2023-04-14 5:18 ` Nhi Pham [this message]
2023-04-18 23:20 ` [edk2-devel] " Min Xu
2023-04-20 3:48 ` Nhi Pham
2023-04-26 7:54 ` Min Xu
2023-04-27 5:38 ` Nhi Pham
2023-04-27 5:46 ` Min Xu
2023-04-27 8:19 ` Yao, Jiewen
2023-04-28 3:14 ` Nhi Pham
2023-04-28 11:08 ` [edk2-devel] " Yao, Jiewen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f0e6f92e-0ce5-7e85-e491-0db449a42ba3@amperemail.onmicrosoft.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox