Sure. This patch is merged https://github.com/tianocore/edk2/pull/4321.
Thanks for the contribution. Look forward to your investigation result.

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Nhi Pham via groups.io
> Sent: Friday, April 28, 2023 11:14 AM
> To: Yao, Jiewen <jiewen....@intel.com>; Nhi Pham <n...@os.amperecomputing.com>; devel@edk2.groups.io; Wang, Jian J <jian.j.w...@intel.com>; Xu, Min M <min.m...@intel.com>
> Cc: patc...@amperecomputing.com
> Subject: Re: [edk2-devel] [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action
>
> Thanks Yao Jiewen for reviewing. I will make further investigation for other cases based on your findings.
>
> In the meantime, could you help merge my patch?
>
> -Nhi
>
> On 4/27/2023 3:19 PM, Yao, Jiewen wrote:
> > Thanks Nhi, for providing the fix.
> >
> > The UEFI specification (https://uefi.org/specs/UEFI/2.10/32_Secure_Boot_and_Driver_Signing.html) defines the error codes below.
> >
> > #define EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED 0x00000001
> > #define EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED 0x00000002
> > #define EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND 0x00000003
> > #define EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND 0x00000004
> >
> > 1) EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED means
> > An image certificate is in the forbidden database, or
> > A digest of an image certificate is in the forbidden database, or
> > The image signature check failed.
> >
> > However, the code only contains below as forbidden database check:
> >
> > if (IsForbiddenByDbx (AuthData, AuthDataSize)) {
> >   Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED;
> >   IsVerified = FALSE;
> >   break;
> > }
> >
> > The image signature check fail missed the Action. (remaining issue ?)
> >
> > 2) EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED means
> > An image certificate is in the authorized database. (or)
> > The image digest is in the authorized database.
> >
> > However, I cannot find the code to set the value in the code. (remaining issue ?)
> >
> > 3) EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND means
> > the image certificate is not found in the authorized database, and
> > the image digest is not in the authorized database.
> >
> > It is fixed in this patch. Thank you!
> >
> > 4) EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND means
> > The image has at least one certificate, and the image digest is in the forbidden database.
> >
> > The code is there.
> >
> >
> > Would you please double check, if we have the remaining issue in 1) and 2)?
> >
> >
> >> -----Original Message-----
> >> From: Nhi Pham <n...@os.amperecomputing.com>
> >> Sent: Wednesday, April 12, 2023 5:22 PM
> >> To: devel@edk2.groups.io; Yao, Jiewen <jiewen....@intel.com>; Wang, Jian J <jian.j.w...@intel.com>; Xu, Min M <min.m...@intel.com>
> >> Cc: patc...@amperecomputing.com; Nhi Pham <n...@os.amperecomputing.com>
> >> Subject: [PATCH 1/1] SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action
> >>
> >> Add the AUTH_SIG_NOT_FOUND Action to the Image Execution Info Table when the Image is signed but signature is not allowed by DB and the hash of image is not found in DB/DBX.
> >>
> >> This is documented in the UEFI spec 2.10, table 32.5.
> >>
> >> This issue is found by the SIE SCT with the error message as follows:
> >> SecureBoot - TestImage1.bin in Image Execution Info Table with SIG_NOT_FOUND. --FAILURE
> >> B3A670AA-0FBA-48CA-9D01-0EE9700965A9
> >> SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/ImageLoadingBBTest.c:1079:Status Success
> >>
> >> Signed-off-by: Nhi Pham <n...@os.amperecomputing.com>
> >> ---
> >>  SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 1 +
> >>  1 file changed, 1 insertion(+)
> >> > >> diff --git > >> > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > >> > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > >> index b3d40c21e975..5d8dbd546879 100644 > >> --- > >> > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > >> +++ > >> > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > >> @@ -1993,6 +1993,7 @@ DxeImageVerificationHandler ( > >> if (!EFI_ERROR (DbStatus) && IsFound) { > >> > >> IsVerified = TRUE; > >> > >> } else { > >> > >> + Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND; > >> > >> DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed > but > >> signature is not allowed by DB and %s hash of image is not found in > >> DB/DBX.\n", mHashTypeStr)); > >> > >> } > >> > >> } > >> > >> -- > >> 2.25.1 > > > >
View/Reply Online (#103774): https://edk2.groups.io/g/devel/message/103774
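Review bot: the new `Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND;` sits in the `else` of `if (!EFI_ERROR (DbStatus) && IsFound)`, so it is also recorded when the db lookup itself returned an error rather than a clean "not found"; the DEBUG line right below it only describes the latter. Consider splitting the two conditions so a failed read of db is not reported to the OS as a definitive "digest not in db", or at least documenting in the comment that a lookup error is deliberately treated as not found. Separately, as the thread notes, this hunk fixes only case 3 of the spec table: the paths that should set EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED (certificate or digest found in db) and EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED on a failed signature check are still not visible here, so a follow-up is needed for the table to be complete.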
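The thread walks through which verification outcome the UEFI 2.10 table maps to each Action value, and which of those mappings edk2 did or did not set. The following is an added example, not code from edk2 or from anyone in the thread, that puts the four spec definitions quoted above into one decision function so the precedence can be tested case by case. `ClassifyImageAction`, its boolean inputs, and the evaluation order (forbidden-database hits before authorized-database hits) are assumptions made for the example; only the four `#define` values and their spec meanings come from the thread.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Action values for the Image Execution Info Table, as quoted from UEFI 2.10
   in the thread above. */
#define EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED     0x00000001
#define EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED     0x00000002
#define EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND  0x00000003
#define EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND      0x00000004

/*
 * ClassifyImageAction: hypothetical helper (not an edk2 function) that maps
 * the facts a verifier has established about one signed image to the Action
 * value the spec text assigns to that situation.
 *
 * The inputs are constructed booleans standing in for the real db/dbx lookups
 * and the Authenticode check:
 *   HasCertificate - the image carries at least one signer certificate
 *   CertInDbx      - a signer certificate, or its digest, is in dbx
 *   DigestInDbx    - the image digest itself is in dbx
 *   SignatureValid - the signature verifies against the signer certificate
 *   CertInDb       - a signer certificate is in db
 *   DigestInDb     - the image digest itself is in db
 *
 * Ordering assumption (not stated in the thread): forbidden-database hits are
 * checked before any authorized-database hit, so an image present in both db
 * and dbx is reported as FOUND/FAILED, never as PASSED.
 */
uint32_t
ClassifyImageAction (
  bool  HasCertificate,
  bool  CertInDbx,
  bool  DigestInDbx,
  bool  SignatureValid,
  bool  CertInDb,
  bool  DigestInDb
  )
{
  /* 4) SIG_FOUND: at least one certificate, and the image digest is in dbx. */
  if (HasCertificate && DigestInDbx) {
    return EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND;
  }

  /* 1) SIG_FAILED: certificate (or its digest) in dbx, or signature check failed. */
  if (CertInDbx || !SignatureValid) {
    return EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED;
  }

  /* 2) SIG_PASSED: certificate in db, or image digest in db. */
  if (CertInDb || DigestInDb) {
    return EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED;
  }

  /* 3) SIG_NOT_FOUND: neither certificate nor digest in db (the case the patch adds). */
  return EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND;
}

/* Readable name for logging. */
static const char *
ActionName (
  uint32_t  Action
  )
{
  switch (Action) {
    case EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED:    return "AUTH_SIG_FAILED";
    case EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED:    return "AUTH_SIG_PASSED";
    case EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND: return "AUTH_SIG_NOT_FOUND";
    case EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND:     return "AUTH_SIG_FOUND";
    default:                                     return "UNKNOWN";
  }
}

int
main (
  void
  )
{
  /* Constructed scenarios: one per spec case, plus the one the SCT test hit. */
  struct {
    const char  *Name;
    bool        Facts[6];
  } Cases[] = {
    { "signed, cert in db",                  { true, false, false, true,  true,  false } },
    { "signed, only digest in db",           { true, false, false, true,  false, true  } },
    { "signed, cert in dbx",                 { true, true,  false, true,  false, false } },
    { "signed, bad signature",               { true, false, false, false, true,  false } },
    { "signed, digest in dbx",               { true, false, true,  true,  false, false } },
    { "signed, not in db or dbx (SCT case)", { true, false, false, true,  false, false } },
  };

  for (size_t i = 0; i < sizeof (Cases) / sizeof (Cases[0]); i++) {
    bool      *f     = Cases[i].Facts;
    uint32_t  Action = ClassifyImageAction (f[0], f[1], f[2], f[3], f[4], f[5]);
    printf ("%-38s -> 0x%08x %s\n", Cases[i].Name, Action, ActionName (Action));
  }

  return 0;
}
```

The last scenario is the SCT failure from the commit message: a signed image whose certificate is not in db and whose digest is in neither db nor dbx must be reported as `AUTH_SIG_NOT_FOUND`, which is what the merged one-line change records. The "cert in db" and "bad signature" rows exercise the two mappings (`PASSED` and `FAILED` on a signature-check failure) that the thread flags as still unset in the library.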