Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129
Repo: https://github.com/lersek/edk2.git
Branch: deny_execute_2129

The DxeImageVerificationHandler() function does not handle the DENY_EXECUTE_ON_SECURITY_VIOLATION policy correctly. When an image is rejected, and the platform sets this policy for the corresponding image source, the function should return EFI_ACCESS_DENIED. Instead, the function currently returns EFI_SECURITY_VIOLATION. The consequence is that gBS->LoadImage() will keep the image loaded (in untrusted state), rather than unloading it immediately.

If the platform sets the DENY_EXECUTE_ON_SECURITY_VIOLATION policy for all image sources, then the platform may not expect EFI_SECURITY_VIOLATION at all. Then, rejected images may linger in RAM, in untrusted state, and may be leaked forever.

This series refactors the DxeImageVerificationHandler() function, simplifying the control flow. The series also improves the conformance of the return values to the SECURITY2_FILE_AUTHENTICATION_HANDLER prototype. The last two patches are actual bugfixes, with the last one fixing the problem laid out above.

The patches in this posting have been formatted with "--function-context", for easier review.

Cc: Chao Zhang <chao.b.zh...@intel.com>
Cc: Jian J Wang <jian.j.w...@intel.com>
Cc: Jiewen Yao <jiewen....@intel.com>

Thanks,
Laszlo

Laszlo Ersek (11):
  SecurityPkg/DxeImageVerificationHandler: simplify "VerifyStatus"
  SecurityPkg/DxeImageVerificationHandler: remove "else" after return/break
  SecurityPkg/DxeImageVerificationHandler: keep PE/COFF info status internal
  SecurityPkg/DxeImageVerificationHandler: narrow down PE/COFF hash status
  SecurityPkg/DxeImageVerificationHandler: fix retval on memalloc failure
  SecurityPkg/DxeImageVerificationHandler: remove superfluous Status setting
  SecurityPkg/DxeImageVerificationHandler: unnest AddImageExeInfo() call
  SecurityPkg/DxeImageVerificationHandler: eliminate "Status" variable
  SecurityPkg/DxeImageVerificationHandler: fix retval for (FileBuffer==NULL)
  SecurityPkg/DxeImageVerificationHandler: fix imgexec info on memalloc fail
  SecurityPkg/DxeImageVerificationHandler: fix "defer" vs. "deny" policies

 SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 118 ++++++++++----------
 1 file changed, 59 insertions(+), 59 deletions(-)

-- 
2.19.1.3.g30247aa5d201
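
An added illustration, not part of the original posting and not edk2 code: a stand-alone C model of the leak described in the cover letter, comparing the return value before and after the series on a platform that sets the "deny" policy. The types, function names and the "careful caller" are assumptions made for the model; only the status and policy names come from the message.

```c
#include <stdio.h>

/* Simplified model, not edk2 code. ST_* stand for EFI_SUCCESS,
   EFI_SECURITY_VIOLATION and EFI_ACCESS_DENIED; POLICY_* stand for the
   DEFER_/DENY_EXECUTE_ON_SECURITY_VIOLATION policies. */
typedef enum { ST_SUCCESS, ST_SECURITY_VIOLATION, ST_ACCESS_DENIED } status_t;
typedef enum { POLICY_DEFER, POLICY_DENY } policy_t;

/* Behaviour described as the bug: a rejected image yields
   EFI_SECURITY_VIOLATION whichever of the two policies is set. */
static status_t verify_before(policy_t p, int trusted) {
    (void)p;
    return trusted ? ST_SUCCESS : ST_SECURITY_VIOLATION;
}

/* Behaviour the series aims for: "deny" maps to EFI_ACCESS_DENIED. */
static status_t verify_after(policy_t p, int trusted) {
    if (trusted) return ST_SUCCESS;
    return p == POLICY_DENY ? ST_ACCESS_DENIED : ST_SECURITY_VIOLATION;
}

static int resident;  /* images currently held in (modelled) RAM */
/* Model of gBS->LoadImage(): on SECURITY_VIOLATION the image stays loaded
   and a handle is returned; on ACCESS_DENIED it is unloaded immediately. */
static status_t load_image(status_t (*verify)(policy_t, int),
                           policy_t p, int trusted, int *handle) {
    status_t st = verify(p, trusted);
    *handle = 0;
    if (st != ST_ACCESS_DENIED) { resident++; *handle = resident; }
    return st;
}
static void unload_image(int *handle) { if (*handle) { resident--; *handle = 0; } }

/* Caller on a deny-everywhere platform. A naive caller treats every error
   alike and drops the handle; a careful one unloads on SECURITY_VIOLATION. */
static int lingering_after_boot(status_t (*verify)(policy_t, int), int careful) {
    int handle, i;
    resident = 0;
    for (i = 0; i < 3; i++) {                 /* three rejected images */
        status_t st = load_image(verify, POLICY_DENY, 0, &handle);
        if (st == ST_SECURITY_VIOLATION && careful) unload_image(&handle);
    }
    return resident;
}

int main(void) {
    printf("lingering: before/naive=%d before/careful=%d after/naive=%d\n",
           lingering_after_boot(verify_before, 0),
           lingering_after_boot(verify_before, 1),
           lingering_after_boot(verify_after, 0));
    return 0;
}
```

In the model, the pre-series return value leaves all three rejected images resident unless the caller explicitly unloads on EFI_SECURITY_VIOLATION, while the post-series return value leaves none.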