In case the signers' certificate stack, retrieved from the PE/COFF image's Authenticode blob, has zero elements (= there are zero signer certificates), then we should consider the image forbidden by DBX, not accepted by DBX.
Cc: Jiewen Yao <jiewen....@intel.com> Cc: Chao Zhang <chao.b.zh...@intel.com> Signed-off-by: Jian J Wang <jian.j.w...@intel.com> Reviewed-by: Laszlo Ersek <ler...@redhat.com> --- .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c index 74dbffa122..5dcd6efed5 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -1326,7 +1326,7 @@ IsForbiddenByDbx ( // UINT8 Certn[]; // Pkcs7GetSigners (AuthData, AuthDataSize, &CertBuffer, &BufferLength, &TrustedCert, &TrustedCertLength); - if ((BufferLength == 0) || (CertBuffer == NULL)) { + if ((BufferLength == 0) || (CertBuffer == NULL) || (*CertBuffer) == 0) { IsForbidden = TRUE; goto Done; } -- 2.24.0.windows.2
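Review bot: In the changed `if` in IsForbiddenByDbx, the new `(*CertBuffer) == 0` test reads the first byte of the signer buffer as the certificate count, but nothing at the check says so (only the tail of the layout comment, `UINT8 Certn[];`, is visible in this hunk); add a short comment or a named local so the intent from the commit message (zero signer certificates means forbidden) is readable where the decision is made. The dereference is safe only because `BufferLength == 0` and `CertBuffer == NULL` are tested first and `||` short-circuits, so the operand order must not be rearranged later. For consistency with the other operands, parenthesize the whole comparison: `(*CertBuffer == 0)`. Separately, the context line calls Pkcs7GetSigners without using its return value; consider checking it and treating a failure as forbidden too, rather than relying on the output parameters alone.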