Thanks Yao Jiewen for reviewing. I will make further investigation for
other cases based on your findings.
In the meantime, could you help merge my patch?
-Nhi
On 4/27/2023 3:19 PM, Yao, Jiewen wrote:
Thanks Nhi, to provide the fix.
The UEFI specification
(https://uefi.org/specs/UEFI/2.10/32_Secure_Boot_and_Driver_Signing.html)
defines below error code.
#define EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED 0x00000001
#define EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED 0x00000002
#define EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND 0x00000003
#define EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND 0x00000004
1) EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED means
An image certificate is in the forbidden database, or
A digest of an image certifcate is in the forbidden database, or
The image signature check failed.
However, the code only contains below as forbidden database check:
if (IsForbiddenByDbx (AuthData, AuthDataSize)) {
Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED;
IsVerified = FALSE;
break;
}
The image signature check fail missed the Action. (remaining issue ?)
2) EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED means
An image certifcate is in authroized database. (or)
The image digest is in the authorized database.
However, I cannot find the code to set the value in the code. (remaining issue
?)
3) EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND means
the image certificate is not found in the authorized database, and
the image digest is not in the authorized database.
It is fixed in this patch. Thank you!
4) EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND means
The image has at least one certificate, and the image digest is in the
forbidden database.
The code is there.
Would you please double check, if we have the remaining issue in 1) and 2)?
-----Original Message-----
From: Nhi Pham <n...@os.amperecomputing.com>
Sent: Wednesday, April 12, 2023 5:22 PM
To: devel@edk2.groups.io; Yao, Jiewen <jiewen....@intel.com>; Wang,
Jian J <jian.j.w...@intel.com>; Xu, Min M <min.m...@intel.com>
Cc: patc...@amperecomputing.com; Nhi Pham
<n...@os.amperecomputing.com>
Subject: [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add
AUTH_SIG_NOT_FOUND Action
Add the AUTH_SIG_NOT_FOUND Action to the Image Execution Info Table
when the Image is signed but signature is not allowed by DB and the
hash of image is not found in DB/DBX.
This is documented in the UEFI spec 2.10, table 32.5.
This issue is found by the SIE SCT with the error message as follows:
SecureBoot - TestImage1.bin in Image Execution Info Table with
SIG_NOT_FOUND. --FAILURE
B3A670AA-0FBA-48CA-9D01-0EE9700965A9
SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/
ImageLoadingBBTest.c:1079:Status Success
Signed-off-by: Nhi Pham <n...@os.amperecomputing.com>
---
SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 1
+
1 file changed, 1 insertion(+)
diff --git
a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index b3d40c21e975..5d8dbd546879 100644
---
a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++
b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1993,6 +1993,7 @@ DxeImageVerificationHandler (
if (!EFI_ERROR (DbStatus) && IsFound) {
IsVerified = TRUE;
} else {
+ Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND;
DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but
signature is not allowed by DB and %s hash of image is not found in
DB/DBX.\n", mHashTypeStr));
}
}
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#103735): https://edk2.groups.io/g/devel/message/103735
Mute This Topic: https://groups.io/mt/98215665/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
