Branch: refs/heads/master
Home: https://github.com/tianocore/edk2

Commit: bfb1a45eec911757e39b4ccc993604d9b1ca500d
https://github.com/tianocore/edk2/commit/bfb1a45eec911757e39b4ccc993604d9b1ca500d
Author: Doug Flick <dougfl...@microsoft.com>
Date: 2025-04-17 (Thu, 17 Apr 2025)

Changed paths:
  M SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c

Log Message:
-----------
SecurityPkg: SecureBootVariableLib: Prevent Invalid DBX

This commit adds the ability to skip setting the Dbx variable if the Default being provided is less than the size of the EFI_SIGNATURE_LIST structure. This is to prevent the setting of an invalid DBX which would cause the system to fail to boot.

Additionally, this can be used to signal that setting the DBX should leave DBX undefined for Platforms that want to let the OS be the sole servicer of the DBX.

Breakdown of the math is as follows:

1. **`sizeof(EFI_SIGNATURE_LIST)`**:
   - This is the size of the `EFI_SIGNATURE_LIST` structure itself, which includes:
     - `EFI_GUID SignatureType` (16 bytes)
     - `UINT32 SignatureListSize` (4 bytes)
     - `UINT32 SignatureHeaderSize` (4 bytes)
     - `UINT32 SignatureSize` (4 bytes)
   - Total: `16 + 4 + 4 + 4 = 28 bytes`

2. **`SignatureHeaderSize`**:
   - This is the size of the optional signature header. If no header is provided, this value is `0`.

3. **`SignatureSize`**:
   - This is the size of each `EFI_SIGNATURE_DATA` entry. For an empty list, this value is `0`.

The total size of an empty `EFI_SIGNATURE_LIST` is:

```c
sizeof(EFI_SIGNATURE_LIST) + SignatureHeaderSize
```

1. **No Signature Header**:
   - If `SignatureHeaderSize = 0`, the size is:

   ```c
   28 + 0 = 28 bytes
   ```

2. **With a Signature Header**:
   - If `SignatureHeaderSize = 16` (example size for a header), the size is:

   ```c
   28 + 16 = 44 bytes
   ```

- **Minimum Size**: `28 bytes` (if `SignatureHeaderSize = 0`).
- **Additional Size**: Add the value of `SignatureHeaderSize` if a header is included.

Signed-off-by: Doug Flick <dougfl...@microsoft.com>

Commit: eefd4fdb788f1b126719bd621449acc976b8e795
https://github.com/tianocore/edk2/commit/eefd4fdb788f1b126719bd621449acc976b8e795
Author: Doug Flick <dougfl...@microsoft.com>
Date: 2025-04-17 (Thu, 17 Apr 2025)

Changed paths:
  M SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLibUnitTest.c

Log Message:
-----------
SecurityPkg: Update SecureBootVariableLibUnitTest

Updates SecureBootVariableLibUnitTest to use a valid EFI_SIGNATURE_LIST and EFI_SIGNATURE_DATA

Signed-off-by: Doug Flick <dougfl...@microsoft.com>

Compare: https://github.com/tianocore/edk2/compare/5f5cf1c1abd2...eefd4fdb788f
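
The size rule from the first commit message, as an added example that is not part of the edk2 commits or the project's code: a stand-alone C check that treats a default smaller than the 28-byte `EFI_SIGNATURE_LIST` header as "skip" and otherwise walks the size fields of each list. The names `check_dbx_default`, `make_list` and the `DBX_*` results are hypothetical, the check goes beyond the commit's minimum-size test by also verifying each list's layout, and the sample buffer is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIG_LIST_HDR_SIZE 28u /* 16-byte GUID + three UINT32 fields */
typedef enum { DBX_SKIP, DBX_VALID, DBX_MALFORMED } dbx_check_t;

/* Little-endian UINT32 accessors that do not assume buffer alignment. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Hypothetical checker: SKIP below the 28-byte minimum, else walk every list. */
dbx_check_t check_dbx_default(const uint8_t *buf, size_t len) {
    if (buf == NULL || len < SIG_LIST_HDR_SIZE) return DBX_SKIP;
    while (len > 0) {
        if (len < SIG_LIST_HDR_SIZE) return DBX_MALFORMED; /* trailing bytes */
        uint32_t list_size = rd32(buf + 16); /* SignatureListSize */
        uint32_t hdr_size = rd32(buf + 20);  /* SignatureHeaderSize */
        uint32_t sig_size = rd32(buf + 24);  /* SignatureSize */
        if (list_size < SIG_LIST_HDR_SIZE || list_size > len) return DBX_MALFORMED;
        uint32_t body = list_size - SIG_LIST_HDR_SIZE;
        if (hdr_size > body) return DBX_MALFORMED;
        body -= hdr_size; /* what remains must be whole entries */
        if (body != 0 && (sig_size == 0 || body % sig_size != 0)) return DBX_MALFORMED;
        buf += list_size;
        len -= list_size;
    }
    return DBX_VALID;
}

static uint8_t sample[128]; /* constructed test buffer, not real DBX content */
/* Build one constructed list (zero GUID, zero payload); returns its size. */
size_t make_list(uint8_t *out, uint32_t hdr_size, uint32_t sig_size, uint32_t n) {
    uint32_t total = SIG_LIST_HDR_SIZE + hdr_size + sig_size * n;
    memset(out, 0, total);
    wr32(out + 16, total);
    wr32(out + 20, hdr_size);
    wr32(out + 24, sig_size);
    return total;
}

int main(void) {
    printf("empty list: %d\n", check_dbx_default(sample, make_list(sample, 0, 0, 0)));
    printf("27 bytes:   %d\n", check_dbx_default(sample, 27));
    return 0;
}
```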