1. Patchew
  2. Xen
  3. [PATCH 0/3] efi: Shim LoadImage improvements
  4. View patch

[PATCH 3/3] efi: Limit Shim's Verify success to EFI_SUCCESS

Gerald Elder-Vass posted 3 patches 5 months ago
[PATCH 3/3] efi: Limit Shim's Verify success to EFI_SUCCESS
Posted by Gerald Elder-Vass 5 months ago 
Commit 59a1d6d3ea1e replaced the Verify status check with
!EFI_ERROR(...), this changed the behaviour to consider any warnings
(EFI_WARN_) to be considered a successful verification.

This commit reverts that behaviour change.

Signed-off-by: Gerald Elder-Vass <gerald.elder-vass@cloud.com>
---
CC: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
CC: "Daniel P. Smith" <dpsmith@apertussolutions.com>
CC: Jan Beulich <jbeulich@suse.com>
CC: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Anthony PERARD <anthony.perard@vates.tech>
CC: Michal Orzel <michal.orzel@amd.com>
CC: Julien Grall <julien@xen.org>
CC: "Roger Pau Monné" <roger.pau@citrix.com>
CC: Stefano Stabellini <sstabellini@kernel.org>
---
 xen/common/efi/boot.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xen/common/efi/boot.c b/xen/common/efi/boot.c
index ca162db0d8d3..36e1e2cf9d4a 100644
--- a/xen/common/efi/boot.c
+++ b/xen/common/efi/boot.c
@@ -1090,7 +1090,7 @@ static void __init efi_verify_kernel(EFI_HANDLE ImageHandle)
     if ( !verified &&
          !EFI_ERROR(efi_bs->LocateProtocol(&shim_lock_guid, NULL,
                                            (void **)&shim_lock)) &&
-         !EFI_ERROR(shim_lock->Verify(kernel.ptr, kernel.size)) )
+         shim_lock->Verify(kernel.ptr, kernel.size) == EFI_SUCCESS )
         verified = true;
 
     if ( !verified )
-- 
2.47.3
Re: [PATCH 3/3] efi: Limit Shim's Verify success to EFI_SUCCESS
Posted by Jan Beulich 5 months ago 
On 11.09.2025 10:24, Gerald Elder-Vass wrote:
> Commit 59a1d6d3ea1e replaced the Verify status check with
> !EFI_ERROR(...), this changed the behaviour to consider any warnings
> (EFI_WARN_) to be considered a successful verification.
> 
> This commit reverts that behaviour change.

Reported-by: Jan Beulich <jbeulich@suse.com>
Fixes: ...

> Signed-off-by: Gerald Elder-Vass <gerald.elder-vass@cloud.com>

Reviewed-by: Jan Beulich <jbeulich@suse.com>
Re: [PATCH 3/3] efi: Limit Shim's Verify success to EFI_SUCCESS
Posted by Marek Marczykowski-Górecki 4 months, 2 weeks ago 
On Thu, Sep 11, 2025 at 10:35:51AM +0200, Jan Beulich wrote:
> On 11.09.2025 10:24, Gerald Elder-Vass wrote:
> > Commit 59a1d6d3ea1e replaced the Verify status check with
> > !EFI_ERROR(...), this changed the behaviour to consider any warnings
> > (EFI_WARN_) to be considered a successful verification.
> > 
> > This commit reverts that behaviour change.
> 
> Reported-by: Jan Beulich <jbeulich@suse.com>
> Fixes: ...
> 
> > Signed-off-by: Gerald Elder-Vass <gerald.elder-vass@cloud.com>
> 
> Reviewed-by: Jan Beulich <jbeulich@suse.com>

Acked-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.