[edk2-devel] [PATCH] OvmfPkg/X86QemuLoadImageLib: handle EFI_ACCESS_DENIED from LoadImage()

Laszlo Ersek posted 1 patch 3 years, 9 months ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/edk2 tags/patchew/20200605235242.32442-1-lersek@redhat.com
OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
[edk2-devel] [PATCH] OvmfPkg/X86QemuLoadImageLib: handle EFI_ACCESS_DENIED from LoadImage()
Posted by Laszlo Ersek 3 years, 9 months ago
When an image fails Secure Boot validation, LoadImage() returns
EFI_SECURITY_VIOLATION if the platform policy is
DEFER_EXECUTE_ON_SECURITY_VIOLATION.

If the platform policy is DENY_EXECUTE_ON_SECURITY_VIOLATION, then
LoadImage() returns EFI_ACCESS_DENIED (and the image does not remain
loaded).

(Before <https://bugzilla.tianocore.org/show_bug.cgi?id=2129>, this
difference would be masked, as DxeImageVerificationLib would incorrectly
return EFI_SECURITY_VIOLATION for DENY_EXECUTE_ON_SECURITY_VIOLATION as
well.)

In X86QemuLoadImageLib, proceed to the legacy Linux/x86 Boot Protocol upon
seeing EFI_ACCESS_DENIED too.

Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2785
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---

Notes:
    Repo:   https://pagure.io/lersek/edk2.git
    Branch: x86_qlil_access_denied

 OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
index ef753be7ea90..931553c0c1fb 100644
--- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
+++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
@@ -319,13 +319,19 @@ QemuLoadKernelImage (
     return EFI_NOT_FOUND;
 
   case EFI_SECURITY_VIOLATION:
+    //
+    // Since the image has been loaded, we need to unload it before proceeding
+    // to the EFI_ACCESS_DENIED case below.
+    //
+    gBS->UnloadImage (KernelImageHandle);
+    //
+    // Fall through
+    //
+  case EFI_ACCESS_DENIED:
     //
     // We are running with UEFI secure boot enabled, and the image failed to
     // authenticate. For compatibility reasons, we fall back to the legacy
-    // loader in this case. Since the image has been loaded, we need to unload
-    // it before proceeding
-    //
-    gBS->UnloadImage (KernelImageHandle);
+    // loader in this case.
     //
     // Fall through
     //
-- 
2.19.1.3.g30247aa5d201


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#60825): https://edk2.groups.io/g/devel/message/60825
Mute This Topic: https://groups.io/mt/74705045/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH] OvmfPkg/X86QemuLoadImageLib: handle EFI_ACCESS_DENIED from LoadImage()
Posted by Philippe Mathieu-Daudé 3 years, 9 months ago
On 6/6/20 1:52 AM, Laszlo Ersek wrote:
> When an image fails Secure Boot validation, LoadImage() returns
> EFI_SECURITY_VIOLATION if the platform policy is
> DEFER_EXECUTE_ON_SECURITY_VIOLATION.
> 
> If the platform policy is DENY_EXECUTE_ON_SECURITY_VIOLATION, then
> LoadImage() returns EFI_ACCESS_DENIED (and the image does not remain
> loaded).
> 
> (Before <https://bugzilla.tianocore.org/show_bug.cgi?id=2129>, this
> difference would be masked, as DxeImageVerificationLib would incorrectly
> return EFI_SECURITY_VIOLATION for DENY_EXECUTE_ON_SECURITY_VIOLATION as
> well.)
> 
> In X86QemuLoadImageLib, proceed to the legacy Linux/x86 Boot Protocol upon
> seeing EFI_ACCESS_DENIED too.
> 
> Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2785
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
> ---
> 
> Notes:
>     Repo:   https://pagure.io/lersek/edk2.git
>     Branch: x86_qlil_access_denied
> 
>  OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c | 14 ++++++++++----
>  1 file changed, 10 insertions(+), 4 deletions(-)
> 
> diff --git a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
> index ef753be7ea90..931553c0c1fb 100644
> --- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
> +++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
> @@ -319,13 +319,19 @@ QemuLoadKernelImage (
>      return EFI_NOT_FOUND;
>  
>    case EFI_SECURITY_VIOLATION:
> +    //
> +    // Since the image has been loaded, we need to unload it before proceeding
> +    // to the EFI_ACCESS_DENIED case below.
> +    //
> +    gBS->UnloadImage (KernelImageHandle);
> +    //
> +    // Fall through

Nice catch.

Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>

> +    //
> +  case EFI_ACCESS_DENIED:
>      //
>      // We are running with UEFI secure boot enabled, and the image failed to
>      // authenticate. For compatibility reasons, we fall back to the legacy
> -    // loader in this case. Since the image has been loaded, we need to unload
> -    // it before proceeding
> -    //
> -    gBS->UnloadImage (KernelImageHandle);
> +    // loader in this case.
>      //
>      // Fall through
>      //
> 


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#60843): https://edk2.groups.io/g/devel/message/60843
Mute This Topic: https://groups.io/mt/74705045/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH] OvmfPkg/X86QemuLoadImageLib: handle EFI_ACCESS_DENIED from LoadImage()
Posted by Ard Biesheuvel 3 years, 9 months ago
On 6/6/20 1:52 AM, Laszlo Ersek wrote:
> When an image fails Secure Boot validation, LoadImage() returns
> EFI_SECURITY_VIOLATION if the platform policy is
> DEFER_EXECUTE_ON_SECURITY_VIOLATION.
> 
> If the platform policy is DENY_EXECUTE_ON_SECURITY_VIOLATION, then
> LoadImage() returns EFI_ACCESS_DENIED (and the image does not remain
> loaded).
> 
> (Before <https://bugzilla.tianocore.org/show_bug.cgi?id=2129>, this
> difference would be masked, as DxeImageVerificationLib would incorrectly
> return EFI_SECURITY_VIOLATION for DENY_EXECUTE_ON_SECURITY_VIOLATION as
> well.)
> 
> In X86QemuLoadImageLib, proceed to the legacy Linux/x86 Boot Protocol upon
> seeing EFI_ACCESS_DENIED too.
> 
> Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2785
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>

Reviewed-by: Ard Biesheuvel <ard.biesheuvel@arm.com>

> ---
> 
> Notes:
>      Repo:   https://pagure.io/lersek/edk2.git
>      Branch: x86_qlil_access_denied
> 
>   OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c | 14 ++++++++++----
>   1 file changed, 10 insertions(+), 4 deletions(-)
> 
> diff --git a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
> index ef753be7ea90..931553c0c1fb 100644
> --- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
> +++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
> @@ -319,13 +319,19 @@ QemuLoadKernelImage (
>       return EFI_NOT_FOUND;
>   
>     case EFI_SECURITY_VIOLATION:
> +    //
> +    // Since the image has been loaded, we need to unload it before proceeding
> +    // to the EFI_ACCESS_DENIED case below.
> +    //
> +    gBS->UnloadImage (KernelImageHandle);
> +    //
> +    // Fall through
> +    //
> +  case EFI_ACCESS_DENIED:
>       //
>       // We are running with UEFI secure boot enabled, and the image failed to
>       // authenticate. For compatibility reasons, we fall back to the legacy
> -    // loader in this case. Since the image has been loaded, we need to unload
> -    // it before proceeding
> -    //
> -    gBS->UnloadImage (KernelImageHandle);
> +    // loader in this case.
>       //
>       // Fall through
>       //
> 


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#60854): https://edk2.groups.io/g/devel/message/60854
Mute This Topic: https://groups.io/mt/74705045/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH] OvmfPkg/X86QemuLoadImageLib: handle EFI_ACCESS_DENIED from LoadImage()
Posted by Laszlo Ersek 3 years, 9 months ago
On 06/06/20 01:52, Laszlo Ersek wrote:
> When an image fails Secure Boot validation, LoadImage() returns
> EFI_SECURITY_VIOLATION if the platform policy is
> DEFER_EXECUTE_ON_SECURITY_VIOLATION.
> 
> If the platform policy is DENY_EXECUTE_ON_SECURITY_VIOLATION, then
> LoadImage() returns EFI_ACCESS_DENIED (and the image does not remain
> loaded).
> 
> (Before <https://bugzilla.tianocore.org/show_bug.cgi?id=2129>, this
> difference would be masked, as DxeImageVerificationLib would incorrectly
> return EFI_SECURITY_VIOLATION for DENY_EXECUTE_ON_SECURITY_VIOLATION as
> well.)
> 
> In X86QemuLoadImageLib, proceed to the legacy Linux/x86 Boot Protocol upon
> seeing EFI_ACCESS_DENIED too.
> 
> Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2785
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
> ---
> 
> Notes:
>     Repo:   https://pagure.io/lersek/edk2.git
>     Branch: x86_qlil_access_denied
> 
>  OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c | 14 ++++++++++----
>  1 file changed, 10 insertions(+), 4 deletions(-)
> 
> diff --git a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
> index ef753be7ea90..931553c0c1fb 100644
> --- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
> +++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
> @@ -319,13 +319,19 @@ QemuLoadKernelImage (
>      return EFI_NOT_FOUND;
>  
>    case EFI_SECURITY_VIOLATION:
> +    //
> +    // Since the image has been loaded, we need to unload it before proceeding
> +    // to the EFI_ACCESS_DENIED case below.
> +    //
> +    gBS->UnloadImage (KernelImageHandle);
> +    //
> +    // Fall through
> +    //
> +  case EFI_ACCESS_DENIED:
>      //
>      // We are running with UEFI secure boot enabled, and the image failed to
>      // authenticate. For compatibility reasons, we fall back to the legacy
> -    // loader in this case. Since the image has been loaded, we need to unload
> -    // it before proceeding
> -    //
> -    gBS->UnloadImage (KernelImageHandle);
> +    // loader in this case.
>      //
>      // Fall through
>      //
> 

Merged as commit dafce295e6f4 via
<https://github.com/tianocore/edk2/pull/671>.

Thanks!
Laszlo


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#60984): https://edk2.groups.io/g/devel/message/60984
Mute This Topic: https://groups.io/mt/74705045/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-