It's good to me. Reviewed-by: Min Xu <min.m...@intel.com> Thanks
> -----Original Message----- > From: Gerd Hoffmann <kra...@redhat.com> > Sent: Monday, March 20, 2023 6:02 PM > To: devel@edk2.groups.io > Cc: Pawel Polawski <ppola...@redhat.com>; Wang, Jian J > <jian.j.w...@intel.com>; Oliver Steffen <ostef...@redhat.com>; Xu, Min M > <min.m...@intel.com>; Marvin Häuser <mhaeu...@posteo.de>; Yao, Jiewen > <jiewen....@intel.com>; jma...@redhat.com > Subject: Re: [PATCH v2 1/1] SecurityPkg/DxeImageVerificationLib: Check > result of GetEfiGlobalVariable2 > > On Fri, Mar 03, 2023 at 11:35:53AM +0100, Gerd Hoffmann wrote: > > Call gRT->GetVariable() directly to read the SecureBoot variable. It > > is one byte in size so we can easily place it on the stack instead of > > having GetEfiGlobalVariable2() allocate it for us, which avoids a few > > possible error cases. > > > > Skip secure boot checks if (and only if): > > > > (a) the SecureBoot variable is not present (EFI_NOT_FOUND) according to > > the return value, or > > (b) the SecureBoot variable was read successfully and is set to > > SECURE_BOOT_MODE_DISABLE. > > > > Previously the code skipped the secure boot checks on *any* > > gRT->GetVariable() error (GetEfiGlobalVariable2 sets the variable > > value to NULL in that case) and also on memory allocation failures. > > > > Fixes: CVE-2019-14560 > > Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=2167 > > Signed-off-by: Gerd Hoffmann <kra...@redhat.com> > > Ping. Any comments on this patch? > > take care, > Gerd -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#101432): https://edk2.groups.io/g/devel/message/101432 Mute This Topic: https://groups.io/mt/97359253/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
