When an image fails Secure Boot validation, LoadImage() returns
EFI_SECURITY_VIOLATION if the platform policy is
DEFER_EXECUTE_ON_SECURITY_VIOLATION.
If the platform policy is DENY_EXECUTE_ON_SECURITY_VIOLATION, then
LoadImage() returns EFI_ACCESS_DENIED (and the image does not remain
loaded).
(Before <https://bugzilla.tianocore.org/show_bug.cgi?id=2129>, this
difference would be masked, as DxeImageVerificationLib would incorrectly
return EFI_SECURITY_VIOLATION for DENY_EXECUTE_ON_SECURITY_VIOLATION as
well.)
In X86QemuLoadImageLib, proceed to the legacy Linux/x86 Boot Protocol upon
seeing EFI_ACCESS_DENIED too.
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2785
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
Notes:
Repo: https://pagure.io/lersek/edk2.git
Branch: x86_qlil_access_denied
OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
index ef753be7ea90..931553c0c1fb 100644
--- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
+++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
@@ -319,13 +319,19 @@ QemuLoadKernelImage (
return EFI_NOT_FOUND;
case EFI_SECURITY_VIOLATION:
+ //
+ // Since the image has been loaded, we need to unload it before proceeding
+ // to the EFI_ACCESS_DENIED case below.
+ //
+ gBS->UnloadImage (KernelImageHandle);
+ //
+ // Fall through
+ //
+ case EFI_ACCESS_DENIED:
//
// We are running with UEFI secure boot enabled, and the image failed to
// authenticate. For compatibility reasons, we fall back to the legacy
- // loader in this case. Since the image has been loaded, we need to unload
- // it before proceeding
- //
- gBS->UnloadImage (KernelImageHandle);
+ // loader in this case.
//
// Fall through
//
--
2.19.1.3.g30247aa5d201
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#60825): https://edk2.groups.io/g/devel/message/60825
Mute This Topic: https://groups.io/mt/74705045/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
On 6/6/20 1:52 AM, Laszlo Ersek wrote: > When an image fails Secure Boot validation, LoadImage() returns > EFI_SECURITY_VIOLATION if the platform policy is > DEFER_EXECUTE_ON_SECURITY_VIOLATION. > > If the platform policy is DENY_EXECUTE_ON_SECURITY_VIOLATION, then > LoadImage() returns EFI_ACCESS_DENIED (and the image does not remain > loaded). > > (Before <https://bugzilla.tianocore.org/show_bug.cgi?id=2129>, this > difference would be masked, as DxeImageVerificationLib would incorrectly > return EFI_SECURITY_VIOLATION for DENY_EXECUTE_ON_SECURITY_VIOLATION as > well.) > > In X86QemuLoadImageLib, proceed to the legacy Linux/x86 Boot Protocol upon > seeing EFI_ACCESS_DENIED too. > > Cc: Ard Biesheuvel <ard.biesheuvel@arm.com> > Cc: Jordan Justen <jordan.l.justen@intel.com> > Cc: Philippe Mathieu-Daudé <philmd@redhat.com> > Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2785 > Signed-off-by: Laszlo Ersek <lersek@redhat.com> > --- > > Notes: > Repo: https://pagure.io/lersek/edk2.git > Branch: x86_qlil_access_denied > > OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c | 14 ++++++++++---- > 1 file changed, 10 insertions(+), 4 deletions(-) > > diff --git a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c > index ef753be7ea90..931553c0c1fb 100644 > --- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c > +++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c > @@ -319,13 +319,19 @@ QemuLoadKernelImage ( > return EFI_NOT_FOUND; > > case EFI_SECURITY_VIOLATION: > + // > + // Since the image has been loaded, we need to unload it before proceeding > + // to the EFI_ACCESS_DENIED case below. > + // > + gBS->UnloadImage (KernelImageHandle); > + // > + // Fall through Nice catch. Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com> > + // > + case EFI_ACCESS_DENIED: > // > // We are running with UEFI secure boot enabled, and the image failed to > // authenticate. For compatibility reasons, we fall back to the legacy > - // loader in this case. Since the image has been loaded, we need to unload > - // it before proceeding > - // > - gBS->UnloadImage (KernelImageHandle); > + // loader in this case. > // > // Fall through > // > -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#60843): https://edk2.groups.io/g/devel/message/60843 Mute This Topic: https://groups.io/mt/74705045/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
On 6/6/20 1:52 AM, Laszlo Ersek wrote: > When an image fails Secure Boot validation, LoadImage() returns > EFI_SECURITY_VIOLATION if the platform policy is > DEFER_EXECUTE_ON_SECURITY_VIOLATION. > > If the platform policy is DENY_EXECUTE_ON_SECURITY_VIOLATION, then > LoadImage() returns EFI_ACCESS_DENIED (and the image does not remain > loaded). > > (Before <https://bugzilla.tianocore.org/show_bug.cgi?id=2129>, this > difference would be masked, as DxeImageVerificationLib would incorrectly > return EFI_SECURITY_VIOLATION for DENY_EXECUTE_ON_SECURITY_VIOLATION as > well.) > > In X86QemuLoadImageLib, proceed to the legacy Linux/x86 Boot Protocol upon > seeing EFI_ACCESS_DENIED too. > > Cc: Ard Biesheuvel <ard.biesheuvel@arm.com> > Cc: Jordan Justen <jordan.l.justen@intel.com> > Cc: Philippe Mathieu-Daudé <philmd@redhat.com> > Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2785 > Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@arm.com> > --- > > Notes: > Repo: https://pagure.io/lersek/edk2.git > Branch: x86_qlil_access_denied > > OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c | 14 ++++++++++---- > 1 file changed, 10 insertions(+), 4 deletions(-) > > diff --git a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c > index ef753be7ea90..931553c0c1fb 100644 > --- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c > +++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c > @@ -319,13 +319,19 @@ QemuLoadKernelImage ( > return EFI_NOT_FOUND; > > case EFI_SECURITY_VIOLATION: > + // > + // Since the image has been loaded, we need to unload it before proceeding > + // to the EFI_ACCESS_DENIED case below. > + // > + gBS->UnloadImage (KernelImageHandle); > + // > + // Fall through > + // > + case EFI_ACCESS_DENIED: > // > // We are running with UEFI secure boot enabled, and the image failed to > // authenticate. For compatibility reasons, we fall back to the legacy > - // loader in this case. Since the image has been loaded, we need to unload > - // it before proceeding > - // > - gBS->UnloadImage (KernelImageHandle); > + // loader in this case. > // > // Fall through > // > -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#60854): https://edk2.groups.io/g/devel/message/60854 Mute This Topic: https://groups.io/mt/74705045/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
On 06/06/20 01:52, Laszlo Ersek wrote: > When an image fails Secure Boot validation, LoadImage() returns > EFI_SECURITY_VIOLATION if the platform policy is > DEFER_EXECUTE_ON_SECURITY_VIOLATION. > > If the platform policy is DENY_EXECUTE_ON_SECURITY_VIOLATION, then > LoadImage() returns EFI_ACCESS_DENIED (and the image does not remain > loaded). > > (Before <https://bugzilla.tianocore.org/show_bug.cgi?id=2129>, this > difference would be masked, as DxeImageVerificationLib would incorrectly > return EFI_SECURITY_VIOLATION for DENY_EXECUTE_ON_SECURITY_VIOLATION as > well.) > > In X86QemuLoadImageLib, proceed to the legacy Linux/x86 Boot Protocol upon > seeing EFI_ACCESS_DENIED too. > > Cc: Ard Biesheuvel <ard.biesheuvel@arm.com> > Cc: Jordan Justen <jordan.l.justen@intel.com> > Cc: Philippe Mathieu-Daudé <philmd@redhat.com> > Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2785 > Signed-off-by: Laszlo Ersek <lersek@redhat.com> > --- > > Notes: > Repo: https://pagure.io/lersek/edk2.git > Branch: x86_qlil_access_denied > > OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c | 14 ++++++++++---- > 1 file changed, 10 insertions(+), 4 deletions(-) > > diff --git a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c > index ef753be7ea90..931553c0c1fb 100644 > --- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c > +++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c > @@ -319,13 +319,19 @@ QemuLoadKernelImage ( > return EFI_NOT_FOUND; > > case EFI_SECURITY_VIOLATION: > + // > + // Since the image has been loaded, we need to unload it before proceeding > + // to the EFI_ACCESS_DENIED case below. > + // > + gBS->UnloadImage (KernelImageHandle); > + // > + // Fall through > + // > + case EFI_ACCESS_DENIED: > // > // We are running with UEFI secure boot enabled, and the image failed to > // authenticate. For compatibility reasons, we fall back to the legacy > - // loader in this case. Since the image has been loaded, we need to unload > - // it before proceeding > - // > - gBS->UnloadImage (KernelImageHandle); > + // loader in this case. > // > // Fall through > // > Merged as commit dafce295e6f4 via <https://github.com/tianocore/edk2/pull/671>. Thanks! Laszlo -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#60984): https://edk2.groups.io/g/devel/message/60984 Mute This Topic: https://groups.io/mt/74705045/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
© 2016 - 2024 Red Hat, Inc.