Add DEBUG messages in DxeImageerificationLib to help debug
Secure Boot image verification failures
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Samer El-Haj-Mahmoud <el...@hpe.com>
---
.../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git
a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index 4b4d3bf..888cd04 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -13,6 +13,7 @@
untrusted PE/COFF image and validate its data structure within this image
buffer before use.
Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD
License
which accompanies this distribution. The full text of the license may be
found at
@@ -2259,6 +2260,7 @@ DxeImageVerificationHandler (
//
// The information can't be got from the invalid PeImage
//
+ DEBUG ((DEBUG_ERROR, "PeImage invald. Cannot retrieve image
information.\n"));
goto Done;
}
@@ -2282,6 +2284,7 @@ DxeImageVerificationHandler (
//
// It is not a valid Pe/Coff file.
//
+ DEBUG ((DEBUG_ERROR, "Not a valid PE/COFF image.\n"));
goto Done;
}
@@ -2327,6 +2330,7 @@ DxeImageVerificationHandler (
// and not be reflected in the security data base "dbx".
//
if (!HashPeImage (HASHALG_SHA256)) {
+ DEBUG ((DEBUG_ERROR, "Failed to hash this image.\n"));
goto Done;
}
@@ -2334,6 +2338,7 @@ DxeImageVerificationHandler (
//
// Image Hash is in forbidden database (DBX).
//
+ DEBUG ((DEBUG_ERROR, "Image is not signed and hash is in DBX.\n"));
goto Done;
}
@@ -2347,6 +2352,7 @@ DxeImageVerificationHandler (
//
// Image Hash is not found in both forbidden and allowed database.
//
+ DEBUG ((DEBUG_ERROR, "Image is not signed and hash is not found in
DB/DBX.\n"));
goto Done;
}
@@ -2409,6 +2415,7 @@ DxeImageVerificationHandler (
if (IsForbiddenByDbx (AuthData, AuthDataSize, FALSE, NULL, NULL)) {
Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED;
VerifyStatus = EFI_ACCESS_DENIED;
+ DEBUG ((DEBUG_ERROR, "Image is signed but digital signature is in
DBX.\n"));
break;
}
@@ -2426,11 +2433,13 @@ DxeImageVerificationHandler (
//
if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE1,
mImageDigest, &mCertType, mImageDigestSize)) {
Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND;
+ DEBUG ((DEBUG_ERROR, "Image is signed but digital signature failed
validation and hash is in DBX.\n"));
VerifyStatus = EFI_ACCESS_DENIED;
break;
} else if (EFI_ERROR (VerifyStatus)) {
if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE,
mImageDigest, &mCertType, mImageDigestSize)) {
VerifyStatus = EFI_SUCCESS;
+ DEBUG ((DEBUG_ERROR, "Image is signed but digital signature failed
validation and hash is not found in DB/DBX.\n"));
}
}
}
--
2.6.3.windows.1
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
