Revision: 14607
http://sourceforge.net/p/edk2/code/14607
Author: sfu5
Date: 2013-08-28 09:06:40 +0000 (Wed, 28 Aug 2013)
Log Message:
-----------
1. Change default PCD in SecurityPkg to 4 (DENY_EXECUTE) in DEC file.
2. ASSERT if PCD value is set to 5 (QUERY_USER_ON_SECURITY_VIOLATION).
3. Update override PCD setting from 5 to 4 in platform DSC file.
Signed-off-by: Fu Siyuan <[email protected]>
Reviewed-by: Ni Ruiyu <[email protected]>
Reviewed-by: Ye Ting <[email protected]>
Modified Paths:
--------------
trunk/edk2/Nt32Pkg/Nt32Pkg.dsc
trunk/edk2/OvmfPkg/OvmfPkgIa32.dsc
trunk/edk2/OvmfPkg/OvmfPkgIa32X64.dsc
trunk/edk2/OvmfPkg/OvmfPkgX64.dsc
trunk/edk2/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
trunk/edk2/SecurityPkg/SecurityPkg.dec
Modified: trunk/edk2/Nt32Pkg/Nt32Pkg.dsc
===================================================================
--- trunk/edk2/Nt32Pkg/Nt32Pkg.dsc 2013-08-27 09:17:20 UTC (rev 14606)
+++ trunk/edk2/Nt32Pkg/Nt32Pkg.dsc 2013-08-28 09:06:40 UTC (rev 14607)
@@ -226,9 +226,9 @@
!if $(SECURE_BOOT_ENABLE) == TRUE
# override the default values from SecurityPkg to ensure images from all
sources are verified in secure boot
- gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x05
- gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x05
- gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x05
+ gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04
+ gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04
+ gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04
!endif
################################################################################
Modified: trunk/edk2/OvmfPkg/OvmfPkgIa32.dsc
===================================================================
--- trunk/edk2/OvmfPkg/OvmfPkgIa32.dsc 2013-08-27 09:17:20 UTC (rev 14606)
+++ trunk/edk2/OvmfPkg/OvmfPkgIa32.dsc 2013-08-28 09:06:40 UTC (rev 14607)
@@ -303,9 +303,9 @@
!if $(SECURE_BOOT_ENABLE) == TRUE
# override the default values from SecurityPkg to ensure images from all
sources are verified in secure boot
- gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x05
- gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x05
- gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x05
+ gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04
+ gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04
+ gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04
!endif
# IRQs 5, 9, 10, 11 are level-triggered
Modified: trunk/edk2/OvmfPkg/OvmfPkgIa32X64.dsc
===================================================================
--- trunk/edk2/OvmfPkg/OvmfPkgIa32X64.dsc 2013-08-27 09:17:20 UTC (rev
14606)
+++ trunk/edk2/OvmfPkg/OvmfPkgIa32X64.dsc 2013-08-28 09:06:40 UTC (rev
14607)
@@ -309,9 +309,9 @@
[PcdsFixedAtBuild.X64]
!if $(SECURE_BOOT_ENABLE) == TRUE
# override the default values from SecurityPkg to ensure images from all
sources are verified in secure boot
- gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x05
- gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x05
- gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x05
+ gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04
+ gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04
+ gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04
!endif
# IRQs 5, 9, 10, 11 are level-triggered
Modified: trunk/edk2/OvmfPkg/OvmfPkgX64.dsc
===================================================================
--- trunk/edk2/OvmfPkg/OvmfPkgX64.dsc 2013-08-27 09:17:20 UTC (rev 14606)
+++ trunk/edk2/OvmfPkg/OvmfPkgX64.dsc 2013-08-28 09:06:40 UTC (rev 14607)
@@ -308,9 +308,9 @@
!if $(SECURE_BOOT_ENABLE) == TRUE
# override the default values from SecurityPkg to ensure images from all
sources are verified in secure boot
- gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x05
- gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x05
- gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x05
+ gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04
+ gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04
+ gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04
!endif
# IRQs 5, 9, 10, 11 are level-triggered
Modified:
trunk/edk2/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
===================================================================
---
trunk/edk2/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
2013-08-27 09:17:20 UTC (rev 14606)
+++
trunk/edk2/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
2013-08-28 09:06:40 UTC (rev 14607)
@@ -1086,6 +1086,14 @@
return EFI_ACCESS_DENIED;
}
+ //
+ // The policy QUERY_USER_ON_SECURITY_VIOLATION violates the UEFI spec and
has been removed.
+ //
+ ASSERT (Policy != QUERY_USER_ON_SECURITY_VIOLATION);
+ if (Policy == QUERY_USER_ON_SECURITY_VIOLATION) {
+ CpuDeadLoop ();
+ }
+
GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOID**)&SecureBoot, NULL);
//
// Skip verification if SecureBoot variable doesn't exist.
Modified: trunk/edk2/SecurityPkg/SecurityPkg.dec
===================================================================
--- trunk/edk2/SecurityPkg/SecurityPkg.dec 2013-08-27 09:17:20 UTC (rev
14606)
+++ trunk/edk2/SecurityPkg/SecurityPkg.dec 2013-08-28 09:06:40 UTC (rev
14607)
@@ -87,7 +87,8 @@
# DEFER_EXECUTE_ON_SECURITY_VIOLATION 0x00000003
# DENY_EXECUTE_ON_SECURITY_VIOLATION 0x00000004
# QUERY_USER_ON_SECURITY_VIOLATION 0x00000005
-
gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00|UINT32|0x00000001
+ # NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION since it violates the
UEFI specification and has been removed.
+
gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04|UINT32|0x00000001
## Pcd for removable media.
# Removable media include CD-ROM, Floppy, USB and network.
@@ -98,7 +99,8 @@
# DEFER_EXECUTE_ON_SECURITY_VIOLATION 0x00000003
# DENY_EXECUTE_ON_SECURITY_VIOLATION 0x00000004
# QUERY_USER_ON_SECURITY_VIOLATION 0x00000005
-
gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x05|UINT32|0x00000002
+ # NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION since it violates the
UEFI specification and has been removed.
+
gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04|UINT32|0x00000002
## Pcd for fixed media.
# Fixed media include hard disk.
@@ -109,7 +111,8 @@
# DEFER_EXECUTE_ON_SECURITY_VIOLATION 0x00000003
# DENY_EXECUTE_ON_SECURITY_VIOLATION 0x00000004
# QUERY_USER_ON_SECURITY_VIOLATION 0x00000005
-
gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x05|UINT32|0x00000003
+ # NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION since it violates the
UEFI specification and has been removed.
+
gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04|UINT32|0x00000003
## Defer Image Load policy settings.
# The policy is bitwise.
This was sent by the SourceForge.net collaborative development platform, the
world's largest Open Source development site.
------------------------------------------------------------------------------
Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more!
Discover the easy way to master current and previous Microsoft technologies
and advance your career. Get an incredible 1,500+ hours of step-by-step
tutorial videos with LearnDevNow. Subscribe today and save!
http://pubads.g.doubleclick.net/gampad/clk?id=58040911&iu=/4140/ostg.clktrk
_______________________________________________
edk2-commits mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/edk2-commits
