On 05/21/13 21:37, Thomas Rognon wrote:
> I made a test driver called TestDxe.efi that just prints "hello world"
> and used the efirom tool to make a rom image from the efi image.  In the
> shell I executed "loadpcirom TestDxe.rom" and it printed "LoadPciRom:
> Load image #0 error - Security Violation".
> 
> I looked through the shell code and it loops through all the images in
> the rom and calls LoadImage and StartImage.  The only place I can see
> that it would return EFI_SECURITY_VIOLATION is in LoadImage.  However,
> doing "load TestDxe.efi" works just fine.
> 
> What am I not understanding?

I'm likely misattributing this behavior, but: you can assign different
verification policies to image origins. See the following PCDs in
SecurityPkg/SecurityPkg.dec:
- gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy
- gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy
- gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy

The possible values (ALWAYS_EXECUTE, NEVER_EXECUTE,
QUERY_USER_ON_SECURITY_VIOLATION, etc) are also listed there.

I guess that your .dsc file assigns something strict to
PcdOptionRomImageVerificationPolicy, and something lenient to
PcdFixedMediaImageVerificationPolicy.

The policies set in the PCDs are enforced in
DxeImageVerificationHandler(), file
"SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c".

The LoadImage() arguments (esp. SourceBuffer) are different between
- LoadDriver() [ShellPkg/Library/UefiShellLevel2CommandsLib/Load.c] and
- LoadEfiDriversFromRomImage()
[ShellPkg/Library/UefiShellDebug1CommandsLib/LoadPciRom.c].

The latter seems to run the (possibly decompressed) image from memory
actually, even though the containing ROM was loaded from a file... It's
a long shot but perhaps worth looking into.

Laszlo
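
The per-origin policy dispatch that the reply above attributes to DxeImageVerificationHandler(), as a small C model added here for illustration. This is not code from SecurityPkg or ShellPkg: the policy names and the origin-to-PCD mapping follow the reply, while the numeric values, the "Done" handling of each policy (the real handler distinguishes more error codes than this model does) and the sample .dsc configuration are assumptions of this model. The origin classification itself (which is what the reply's second guess about SourceBuffer concerns) is taken as an input here.

```c
/*
 * Model of per-origin UEFI image verification policy, written for this
 * page; NOT the SecurityPkg implementation. Policy names are the ones
 * listed in SecurityPkg.dec; numeric values and result handling are
 * simplified assumptions.
 */
#include <stdbool.h>
#include <stdio.h>

/* Policy values as named in SecurityPkg.dec (numeric values assumed). */
enum verify_policy {
    ALWAYS_EXECUTE                      = 0x00,
    NEVER_EXECUTE                       = 0x01,
    ALLOW_EXECUTE_ON_SECURITY_VIOLATION = 0x02,
    DEFER_EXECUTE_ON_SECURITY_VIOLATION = 0x03,
    DENY_EXECUTE_ON_SECURITY_VIOLATION  = 0x04,
    QUERY_USER_ON_SECURITY_VIOLATION    = 0x05,
};

/* Where the handler believes the image came from. */
enum image_origin {
    IMAGE_FROM_FV,
    IMAGE_FROM_OPTION_ROM,
    IMAGE_FROM_REMOVABLE_MEDIA,
    IMAGE_FROM_FIXED_MEDIA,
    IMAGE_UNKNOWN,
};

/* The three PCDs named in the reply, as one platform configuration. */
struct platform_pcds {
    enum verify_policy option_rom;      /* PcdOptionRomImageVerificationPolicy */
    enum verify_policy removable_media; /* PcdRemovableMediaImageVerificationPolicy */
    enum verify_policy fixed_media;     /* PcdFixedMediaImageVerificationPolicy */
};

/* Outcome of a LoadImage() attempt in this model. */
enum load_result {
    LOAD_OK,                 /* image may be started */
    LOAD_SECURITY_VIOLATION, /* refused or deferred: "Security Violation" */
    LOAD_ASK_USER,           /* platform must prompt before deciding */
};

/* Select the policy that governs an image of the given origin. */
enum verify_policy policy_for_origin(const struct platform_pcds *p, enum image_origin o)
{
    switch (o) {
    case IMAGE_FROM_FV:              return ALWAYS_EXECUTE; /* firmware volume is trusted */
    case IMAGE_FROM_OPTION_ROM:      return p->option_rom;
    case IMAGE_FROM_REMOVABLE_MEDIA: return p->removable_media;
    case IMAGE_FROM_FIXED_MEDIA:     return p->fixed_media;
    default:                         return DENY_EXECUTE_ON_SECURITY_VIOLATION; /* unknown: strict */
    }
}

/* Combine the selected policy with the signature check result. */
enum load_result apply_policy(enum verify_policy pol, bool signature_ok)
{
    if (pol == ALWAYS_EXECUTE) return LOAD_OK;                 /* no check at all */
    if (pol == NEVER_EXECUTE)  return LOAD_SECURITY_VIOLATION; /* signature irrelevant */
    if (signature_ok)          return LOAD_OK;                 /* verified: every other policy allows */
    switch (pol) {
    case ALLOW_EXECUTE_ON_SECURITY_VIOLATION: return LOAD_OK;
    case QUERY_USER_ON_SECURITY_VIOLATION:    return LOAD_ASK_USER;
    case DEFER_EXECUTE_ON_SECURITY_VIOLATION: /* fallthrough: both surface as a violation here */
    case DENY_EXECUTE_ON_SECURITY_VIOLATION:
    default:                                  return LOAD_SECURITY_VIOLATION;
    }
}

enum load_result try_load(const struct platform_pcds *p, enum image_origin o, bool signature_ok)
{
    return apply_policy(policy_for_origin(p, o), signature_ok);
}

/* Hypothetical .dsc from the reply: strict for option ROMs, lenient for fixed media. */
struct platform_pcds example_pcds(void)
{
    struct platform_pcds p = {
        .option_rom      = DENY_EXECUTE_ON_SECURITY_VIOLATION,
        .removable_media = DENY_EXECUTE_ON_SECURITY_VIOLATION,
        .fixed_media     = ALLOW_EXECUTE_ON_SECURITY_VIOLATION,
    };
    return p;
}

static const char *result_name(enum load_result r)
{
    return r == LOAD_OK ? "ok" : r == LOAD_ASK_USER ? "ask user" : "Security Violation";
}

int main(void)
{
    struct platform_pcds pcds = example_pcds();
    bool unsigned_image = false; /* an unsigned hello-world driver */
    printf("load TestDxe.efi      (fixed media): %s\n",
           result_name(try_load(&pcds, IMAGE_FROM_FIXED_MEDIA, unsigned_image)));
    printf("loadpcirom TestDxe.rom (option ROM): %s\n",
           result_name(try_load(&pcds, IMAGE_FROM_OPTION_ROM, unsigned_image)));
    return 0;
}
```

With this configuration the same unsigned binary loads from a file but is refused when presented as an option ROM image, which is the asymmetry the reply speculates about; signing the image, or setting the option ROM PCD to a lenient value in the .dsc, changes only the second line.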

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/edk2-devel