From: "Nhi Pham"
Date: Fri, 14 Apr 2023 12:18:10 +0700
Subject: Re: [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action
To: Nhi Pham, devel@edk2.groups.io, jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com
Cc: patches@amperecomputing.com
References: <20230412092149.138221-1-nhi@os.amperecomputing.com>
In-Reply-To: <20230412092149.138221-1-nhi@os.amperecomputing.com>

Hi,

Ping for reviewing. Let me know if I need anything for this patch.

Thanks,
Nhi

On 4/12/2023 4:21 PM, Nhi Pham wrote:
> Add the AUTH_SIG_NOT_FOUND Action to the Image Execution Info Table
> when the Image is signed but signature is not allowed by DB and the
> hash of image is not found in DB/DBX.
>
> This is documented in the UEFI spec 2.10, table 32.5.
>
> This issue is found by the SIE SCT with the error message as follows:
> SecureBoot - TestImage1.bin in Image Execution Info Table with
> SIG_NOT_FOUND. --FAILURE
> B3A670AA-0FBA-48CA-9D01-0EE9700965A9
> SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/
> ImageLoadingBBTest.c:1079:Status Success
>
> Signed-off-by: Nhi Pham
> ---
> SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index b3d40c21e975..5d8dbd546879 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> @@ -1993,6 +1993,7 @@ DxeImageVerificationHandler ( > if (!EFI_ERROR (DbStatus) && IsFound) { > > IsVerified = TRUE; > > } else { > > + Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND; > > DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature is not allowed by DB and %s hash of image is not found in DB/DBX.\n", mHashTypeStr)); > > } > > } >
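
Review bot: The new assignment in the else branch of DxeImageVerificationHandler records EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND for both ways the condition "!EFI_ERROR (DbStatus) && IsFound" can fail, so a DB lookup that returned an error is logged in the Image Execution Info Table the same way as a hash that is simply absent. If only the absent-hash case is meant to be reported as SIG_NOT_FOUND, split the branch on EFI_ERROR (DbStatus); if treating a lookup error as not-found is intended, a one-line comment above the assignment saying so would help. The hunk does not show what Action holds on entry to this branch, so please also confirm that no more specific value set earlier in the function is overwritten here.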