path: root/BaseTools/Source/Python/AutoGen/IncludesAutoGen.py
author: Jian J Wang <jian.j.wang@intel.com>, 2019-10-10 15:02:17 +0800
committer: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>, 2020-02-19 14:08:23 +0000
commit: b1c11470598416c89c67b75c991fd0773bcbab9d
tree: 2ef03455b77ddc9f3377753ba7c7aaf609da002d /BaseTools/Source/Python/AutoGen/IncludesAutoGen.py
parent: cb30c8f25162e6d8142c6b098f14c1e4e7f125ce
SecurityPkg/DxeImageVerificationLib: Differentiate error/search result (2) (CVE-2019-14575)
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608

To avoid false-negative issue in check hash against dbx, both error condition (as return value) and check result (as out parameter) of IsSignatureFoundInDatabase() are added. So the caller of this function will know exactly if a failure is caused by a black list hit or other error happening, and enforce a more secure operation to prevent secure boot from being bypassed.

For a white list check (db), there's no such necessity.

All intermediate results inside this function will be checked and returned immediately upon any failure or error, like out-of-resource, hash calculation error or certificate retrieval failure.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Diffstat (limited to 'BaseTools/Source/Python/AutoGen/IncludesAutoGen.py')
0 files changed, 0 insertions, 0 deletions
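
The pattern the commit message describes, as an added example that is not EDK II code and not taken from this commit: a deny-list lookup that returns a single boolean next to one that returns the error condition and reports the search result through an out parameter. All function names, status codes, the `fail` switch that simulates an internal error, and the 4-byte digests are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* All names, status codes and digests below are hypothetical/constructed. */
typedef enum { ST_OK = 0, ST_OUT_OF_RESOURCES } status_t;
#define DIGEST_LEN 4
static const unsigned char deny_list[][DIGEST_LEN] = {   /* stands in for dbx */
    {0xde, 0xad, 0xbe, 0xef}, {0x01, 0x02, 0x03, 0x04},
};
const unsigned char revoked_digest[DIGEST_LEN] = {0xde, 0xad, 0xbe, 0xef};
const unsigned char clean_digest[DIGEST_LEN]   = {0xaa, 0xbb, 0xcc, 0xdd};

/* Before: one boolean. A failure inside the lookup (simulated by `fail`)
 * is reported exactly like "digest not in the deny list". */
static bool in_deny_list_old(const unsigned char *d, bool fail) {
    if (fail) return false;
    for (size_t i = 0; i < sizeof deny_list / sizeof deny_list[0]; i++)
        if (memcmp(deny_list[i], d, DIGEST_LEN) == 0) return true;
    return false;
}

/* After: the error condition is the return value, the search result is an
 * out parameter, so the caller can tell the two apart. */
static status_t in_deny_list(const unsigned char *d, bool fail, bool *is_found) {
    *is_found = false;
    if (fail) return ST_OUT_OF_RESOURCES;
    for (size_t i = 0; i < sizeof deny_list / sizeof deny_list[0]; i++)
        if (memcmp(deny_list[i], d, DIGEST_LEN) == 0) { *is_found = true; break; }
    return ST_OK;
}

/* Caller policy for the old shape: an error silently allows the image. */
bool image_allowed_old(const unsigned char *d, bool fail) {
    return !in_deny_list_old(d, fail);
}

/* Caller policy for the new shape: allow only when the lookup completed
 * and the digest was not found; any error denies (fail closed). */
bool image_allowed_new(const unsigned char *d, bool fail) {
    bool is_found;
    status_t st = in_deny_list(d, fail, &is_found);
    return st == ST_OK && !is_found;
}

int main(void) {
    printf("lookup error on revoked digest: old allowed=%d, new allowed=%d\n",
           image_allowed_old(revoked_digest, true), image_allowed_new(revoked_digest, true));
    return 0;
}
```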