render / rpms / edk2

Forked from rpms/edk2 5 months ago
Clone
Source Code
GIT

Blame SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-unnest-AddIm.patch

c8 c8-beta c8s c8s-sig-hyperscale c9 c9-beta edk2-hyperscale
  1.   63d87e251caa5ac03942a02b780495b62f2ff767
  2.   SOURCES
  3.   edk2-SecurityPkg-DxeImageVerificationHandler-unnest-AddIm.patch
Blob History Raw
63d87e 
From 3e06fe42d63856e48c6457dbb7e816b82416c9ca Mon Sep 17 00:00:00 2001
63d87e 
From: Laszlo Ersek <lersek@redhat.com>
63d87e 
Date: Fri, 31 Jan 2020 12:42:44 +0100
63d87e 
Subject: [PATCH 08/12] SecurityPkg/DxeImageVerificationHandler: unnest
63d87e 
 AddImageExeInfo() call
63d87e 
MIME-Version: 1.0
63d87e 
Content-Type: text/plain; charset=UTF-8
63d87e 
Content-Transfer-Encoding: 8bit
63d87e
63d87e 
RH-Author: Laszlo Ersek <lersek@redhat.com>
63d87e 
Message-id: <20200131124248.22369-9-lersek@redhat.com>
63d87e 
Patchwork-id: 93610
63d87e 
O-Subject: [RHEL-8.2.0 edk2 PATCH 08/12] SecurityPkg/DxeImageVerificationHandler: unnest AddImageExeInfo() call
63d87e 
Bugzilla: 1751993
63d87e 
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
63d87e 
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
63d87e
63d87e 
Before the "Done" label at the end of DxeImageVerificationHandler(), we
63d87e 
now have a single access to "Status": we set "Status" to EFI_ACCESS_DENIED
63d87e 
at the top of the function. Therefore, the (Status != EFI_SUCCESS)
63d87e 
condition is always true under the "Done" label.
63d87e
63d87e 
Accordingly, unnest the AddImageExeInfo() call dependent on that
63d87e 
condition, remove the condition, and also rename the "Done" label to
63d87e 
"Failed".
63d87e
63d87e 
Functionally, this patch is a no-op. It's easier to review with:
63d87e
63d87e 
  git show -b -W
63d87e
63d87e 
Cc: Chao Zhang <chao.b.zhang@intel.com>
63d87e 
Cc: Jian J Wang <jian.j.wang@intel.com>
63d87e 
Cc: Jiewen Yao <jiewen.yao@intel.com>
63d87e 
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129
63d87e 
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
63d87e 
Message-Id: <20200116190705.18816-8-lersek@redhat.com>
63d87e 
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
63d87e 
[lersek@redhat.com: replace EFI_D_INFO w/ DEBUG_INFO for PatchCheck.py]
63d87e 
[lersek@redhat.com: push with Mike's R-b due to Chinese New Year
63d87e 
 Holiday: <https://edk2.groups.io/g/devel/message/53429>; msgid
63d87e 
 <d3fbb76dabed4e1987c512c328c82810@intel.com>]
63d87e 
(cherry picked from commit c602e97446a8e818bf09182f5dc9f3fa409ece95)
63d87e
63d87e 
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
63d87e 
---
63d87e 
 .../DxeImageVerificationLib.c                      | 34 ++++++++++------------
63d87e 
 1 file changed, 16 insertions(+), 18 deletions(-)
63d87e
63d87e 
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
63d87e 
index 6ccce1f..51968bd 100644
63d87e 
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
63d87e 
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
63d87e 
@@ -1676,7 +1676,7 @@ DxeImageVerificationHandler (
63d87e 
     // The information can't be got from the invalid PeImage
63d87e 
     //
63d87e 
     DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: PeImage invalid. Cannot retrieve image information.\n"));
63d87e 
-    goto Done;
63d87e 
+    goto Failed;
63d87e 
   }
63d87e
63d87e 
   DosHdr = (EFI_IMAGE_DOS_HEADER *) mImageBase;
63d87e 
@@ -1698,7 +1698,7 @@ DxeImageVerificationHandler (
63d87e 
     // It is not a valid Pe/Coff file.
63d87e 
     //
63d87e 
     DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Not a valid PE/COFF image.\n"));
63d87e 
-    goto Done;
63d87e 
+    goto Failed;
63d87e 
   }
63d87e
63d87e 
   if (mNtHeader.Pe32->OptionalHeader.Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
63d87e 
@@ -1729,7 +1729,7 @@ DxeImageVerificationHandler (
63d87e 
     //
63d87e 
     if (!HashPeImage (HASHALG_SHA256)) {
63d87e 
       DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Failed to hash this image using %s.\n", mHashTypeStr));
63d87e 
-      goto Done;
63d87e 
+      goto Failed;
63d87e 
     }
63d87e
63d87e 
     if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE1, mImageDigest, &mCertType, mImageDigestSize)) {
63d87e 
@@ -1737,7 +1737,7 @@ DxeImageVerificationHandler (
63d87e 
       // Image Hash is in forbidden database (DBX).
63d87e 
       //
63d87e 
       DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed and %s hash of image is forbidden by DBX.\n", mHashTypeStr));
63d87e 
-      goto Done;
63d87e 
+      goto Failed;
63d87e 
     }
63d87e
63d87e 
     if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE, mImageDigest, &mCertType, mImageDigestSize)) {
63d87e 
@@ -1751,7 +1751,7 @@ DxeImageVerificationHandler (
63d87e 
     // Image Hash is not found in both forbidden and allowed database.
63d87e 
     //
63d87e 
     DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed and %s hash of image is not found in DB/DBX.\n", mHashTypeStr));
63d87e 
-    goto Done;
63d87e 
+    goto Failed;
63d87e 
   }
63d87e
63d87e 
   //
63d87e 
@@ -1860,7 +1860,7 @@ DxeImageVerificationHandler (
63d87e 
     SignatureListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + mImageDigestSize;
63d87e 
     SignatureList     = (EFI_SIGNATURE_LIST *) AllocateZeroPool (SignatureListSize);
63d87e 
     if (SignatureList == NULL) {
63d87e 
-      goto Done;
63d87e 
+      goto Failed;
63d87e 
     }
63d87e 
     SignatureList->SignatureHeaderSize  = 0;
63d87e 
     SignatureList->SignatureListSize    = (UINT32) SignatureListSize;
63d87e 
@@ -1870,19 +1870,17 @@ DxeImageVerificationHandler (
63d87e 
     CopyMem (Signature->SignatureData, mImageDigest, mImageDigestSize);
63d87e 
   }
63d87e
63d87e 
-Done:
63d87e 
-  if (Status != EFI_SUCCESS) {
63d87e 
-    //
63d87e 
-    // Policy decides to defer or reject the image; add its information in image executable information table.
63d87e 
-    //
63d87e 
-    NameStr = ConvertDevicePathToText (File, FALSE, TRUE);
63d87e 
-    AddImageExeInfo (Action, NameStr, File, SignatureList, SignatureListSize);
63d87e 
-    if (NameStr != NULL) {
63d87e 
-      DEBUG((EFI_D_INFO, "The image doesn't pass verification: %s\n", NameStr));
63d87e 
-      FreePool(NameStr);
63d87e 
-    }
63d87e 
-    Status = EFI_SECURITY_VIOLATION;
63d87e 
+Failed:
63d87e 
+  //
63d87e 
+  // Policy decides to defer or reject the image; add its information in image executable information table.
63d87e 
+  //
63d87e 
+  NameStr = ConvertDevicePathToText (File, FALSE, TRUE);
63d87e 
+  AddImageExeInfo (Action, NameStr, File, SignatureList, SignatureListSize);
63d87e 
+  if (NameStr != NULL) {
63d87e 
+    DEBUG ((DEBUG_INFO, "The image doesn't pass verification: %s\n", NameStr));
63d87e 
+    FreePool(NameStr);
63d87e 
   }
63d87e 
+  Status = EFI_SECURITY_VIOLATION;
63d87e
63d87e 
   if (SignatureList != NULL) {
63d87e 
     FreePool (SignatureList);
63d87e 
--
63d87e 
1.8.3.1
63d87e

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation