From bf88198555ce964377a56176de8e5e9b45e43e25 Mon Sep 17 00:00:00 2001 From: Laszlo Ersek Date: Sat, 6 Jun 2020 01:16:09 +0200 Subject: OvmfPkg/X86QemuLoadImageLib: handle EFI_ACCESS_DENIED from LoadImage() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: - new patch - the patch is being upstreamed; it's not a backport because the rebase deadline is close - upstream references: - https://bugzilla.tianocore.org/show_bug.cgi?id=2785 - http://mid.mail-archive.com/20200605235242.32442-1-lersek@redhat.com - https://edk2.groups.io/g/devel/message/60825 - https://www.redhat.com/archives/edk2-devel-archive/2020-June/msg00344.html [downstream note ends, upstream commit message starts] When an image fails Secure Boot validation, LoadImage() returns EFI_SECURITY_VIOLATION if the platform policy is DEFER_EXECUTE_ON_SECURITY_VIOLATION. If the platform policy is DENY_EXECUTE_ON_SECURITY_VIOLATION, then LoadImage() returns EFI_ACCESS_DENIED (and the image does not remain loaded). (Before , this difference would be masked, as DxeImageVerificationLib would incorrectly return EFI_SECURITY_VIOLATION for DENY_EXECUTE_ON_SECURITY_VIOLATION as well.) In X86QemuLoadImageLib, proceed to the legacy Linux/x86 Boot Protocol upon seeing EFI_ACCESS_DENIED too. Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Philippe Mathieu-Daudé Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2785 Signed-off-by: Laszlo Ersek --- .../X86QemuLoadImageLib/X86QemuLoadImageLib.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c index ef753be7ea..931553c0c1 100644 --- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c +++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c @@ -320,15 +320,21 @@ QemuLoadKernelImage ( case EFI_SECURITY_VIOLATION: // - // We are running with UEFI secure boot enabled, and the image failed to - // authenticate. For compatibility reasons, we fall back to the legacy - // loader in this case. Since the image has been loaded, we need to unload - // it before proceeding + // Since the image has been loaded, we need to unload it before proceeding + // to the EFI_ACCESS_DENIED case below. // gBS->UnloadImage (KernelImageHandle); // // Fall through // + case EFI_ACCESS_DENIED: + // + // We are running with UEFI secure boot enabled, and the image failed to + // authenticate. For compatibility reasons, we fall back to the legacy + // loader in this case. + // + // Fall through + // case EFI_UNSUPPORTED: // // The image is not natively supported or cross-type supported. Let's try -- 2.18.1