From d226811a6644c1746c0c92dbba3f85b7b4b6b476 Mon Sep 17 00:00:00 2001 From: Nhi Pham Date: Wed, 12 Apr 2023 17:21:49 +0800 Subject: SecurityPkg/DxeImageVerificationLib: Add AUTH_SIG_NOT_FOUND Action Add the AUTH_SIG_NOT_FOUND Action to the Image Execution Info Table when the Image is signed but signature is not allowed by DB and the hash of image is not found in DB/DBX. This is documented in the UEFI spec 2.10, table 32.5. This issue is found by the SIE SCT with the error message as follows: SecureBoot - TestImage1.bin in Image Execution Info Table with SIG_NOT_FOUND. --FAILURE B3A670AA-0FBA-48CA-9D01-0EE9700965A9 SctPkg/TestCase/UEFI/EFI/RuntimeServices/SecureBoot/BlackBoxTest/ ImageLoadingBBTest.c:1079:Status Success Signed-off-by: Nhi Pham Reviewed-by: Min Xu Reviewed-by: Jiewen Yao --- SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 1 + 1 file changed, 1 insertion(+) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c index b3d40c21e9..5d8dbd5468 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -1993,6 +1993,7 @@ DxeImageVerificationHandler ( if (!EFI_ERROR (DbStatus) && IsFound) { IsVerified = TRUE; } else { + Action = EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND; DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature is not allowed by DB and %s hash of image is not found in DB/DBX.\n", mHashTypeStr)); } } -- cgit v1.2.3