Samer:
@@ -2426,6 +2433,7 @@ DxeImageVerificationHandler (
//
if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE1,
mImageDigest, &mCertType, mImageDigestSize)) {
Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND;
+ DEBUG ((DEBUG_ERROR, "DxeImageVerificationLib: Image is signed
+ but digital signature failed validation and SHA256 hash of image is in
+ DBX.\n"));
VerifyStatus = EFI_ACCESS_DENIED;
break;
} else if (EFI_ERROR (VerifyStatus)) {
Here the hash type is not fixed as SHA256 but determined by signature of
image. So it is better to print exact HASH algorithm.
Other part are good to me.
Thanks & Best regards
Chao Zhang
-----Original Message-----
From: Samer El-Haj-Mahmoud [mailto:[email protected]]
Sent: Thursday, December 24, 2015 10:56 PM
To: [email protected]
Cc: [email protected]; Zhang, Chao B; Samer El-Haj-Mahmoud; Samer El-Haj-Mahmoud
Subject: [PATCH v2] Add DEBUG messages in DxeImageerificationLib to help debug
Secure Boot image verification failures
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Samer El-Haj-Mahmoud <[email protected]>
---
.../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git
a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index 4b4d3bf..b694e10 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLi
+++ b.c
@@ -13,6 +13,7 @@
untrusted PE/COFF image and validate its data structure within this image
buffer before use.
Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR>
This program and the accompanying materials are licensed and made available
under the terms and conditions of the BSD License which accompanies this
distribution. The full text of the license may be found at @@ -2259,6 +2260,7
@@ DxeImageVerificationHandler (
//
// The information can't be got from the invalid PeImage
//
+ DEBUG ((DEBUG_ERROR, "DxeImageVerificationLib: PeImage invalid.
+ Cannot retrieve image information.\n"));
goto Done;
}
@@ -2282,6 +2284,7 @@ DxeImageVerificationHandler (
//
// It is not a valid Pe/Coff file.
//
+ DEBUG ((DEBUG_ERROR, "DxeImageVerificationLib: Not a valid PE/COFF
+ image.\n"));
goto Done;
}
@@ -2327,6 +2330,7 @@ DxeImageVerificationHandler (
// and not be reflected in the security data base "dbx".
//
if (!HashPeImage (HASHALG_SHA256)) {
+ DEBUG ((DEBUG_ERROR, "DxeImageVerificationLib: Failed to hash
+ this image using SHA256.\n"));
goto Done;
}
@@ -2334,6 +2338,7 @@ DxeImageVerificationHandler (
//
// Image Hash is in forbidden database (DBX).
//
+ DEBUG ((DEBUG_ERROR, "DxeImageVerificationLib: Image is not
+ signed and SHA256 hash of image is in DBX.\n"));
goto Done;
}
@@ -2347,6 +2352,7 @@ DxeImageVerificationHandler (
//
// Image Hash is not found in both forbidden and allowed database.
//
+ DEBUG ((DEBUG_ERROR, "DxeImageVerificationLib: Image is not signed
+ and SHA256 hash of image is not found in DB/DBX.\n"));
goto Done;
}
@@ -2409,6 +2415,7 @@ DxeImageVerificationHandler (
if (IsForbiddenByDbx (AuthData, AuthDataSize, FALSE, NULL, NULL)) {
Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED;
VerifyStatus = EFI_ACCESS_DENIED;
+ DEBUG ((DEBUG_ERROR, "DxeImageVerificationLib: Image is signed
+ but signature is rejcected by DBX.\n"));
break;
}
@@ -2426,6 +2433,7 @@ DxeImageVerificationHandler (
//
if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE1,
mImageDigest, &mCertType, mImageDigestSize)) {
Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND;
+ DEBUG ((DEBUG_ERROR, "DxeImageVerificationLib: Image is signed
+ but digital signature failed validation and SHA256 hash of image is in
+ DBX.\n"));
VerifyStatus = EFI_ACCESS_DENIED;
break;
} else if (EFI_ERROR (VerifyStatus)) {
--
2.6.3.windows.1
_______________________________________________
edk2-devel mailing list
[email protected]
https://lists.01.org/mailman/listinfo/edk2-devel
