In the DxeImageVerificationHandler() function, the "VerifyStatus" variable
can only contain one of two values: EFI_SUCCESS and EFI_ACCESS_DENIED.
Furthermore, the variable is only consumed with EFI_ERROR().
Therefore, using the EFI_STATUS type for the variable is unnecessary.
Worse, given the complex meanings of the function's return values, using
EFI_STATUS for "VerifyStatus" is actively confusing.
Rename the variable to "IsVerified", and make it a simple BOOLEAN.
This patch is a no-op, regarding behavior.
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <
20200116190705.18816-2-lersek@redhat.com>
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
[lersek@redhat.com: push with Mike's R-b due to Chinese New Year
Holiday: <https://edk2.groups.io/g/devel/message/53429>; msgid
<
d3fbb76dabed4e1987c512c328c82810@intel.com>]
{\r
EFI_STATUS Status;\r
EFI_IMAGE_DOS_HEADER *DosHdr;\r
{\r
EFI_STATUS Status;\r
EFI_IMAGE_DOS_HEADER *DosHdr;\r
- EFI_STATUS VerifyStatus;\r
EFI_SIGNATURE_LIST *SignatureList;\r
UINTN SignatureListSize;\r
EFI_SIGNATURE_DATA *Signature;\r
EFI_SIGNATURE_LIST *SignatureList;\r
UINTN SignatureListSize;\r
EFI_SIGNATURE_DATA *Signature;\r
PkcsCertData = NULL;\r
Action = EFI_IMAGE_EXECUTION_AUTH_UNTESTED;\r
Status = EFI_ACCESS_DENIED;\r
PkcsCertData = NULL;\r
Action = EFI_IMAGE_EXECUTION_AUTH_UNTESTED;\r
Status = EFI_ACCESS_DENIED;\r
- VerifyStatus = EFI_ACCESS_DENIED;\r
//\r
if (IsForbiddenByDbx (AuthData, AuthDataSize)) {\r
Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED;\r
//\r
if (IsForbiddenByDbx (AuthData, AuthDataSize)) {\r
Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED;\r
- VerifyStatus = EFI_ACCESS_DENIED;\r
break;\r
}\r
\r
//\r
// Check the digital signature against the valid certificate in allowed database (db).\r
//\r
break;\r
}\r
\r
//\r
// Check the digital signature against the valid certificate in allowed database (db).\r
//\r
- if (EFI_ERROR (VerifyStatus)) {\r
if (IsAllowedByDb (AuthData, AuthDataSize)) {\r
if (IsAllowedByDb (AuthData, AuthDataSize)) {\r
- VerifyStatus = EFI_SUCCESS;\r
if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE1, mImageDigest, &mCertType, mImageDigestSize)) {\r
Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND;\r
DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but %s hash of image is found in DBX.\n", mHashTypeStr));\r
if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE1, mImageDigest, &mCertType, mImageDigestSize)) {\r
Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND;\r
DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but %s hash of image is found in DBX.\n", mHashTypeStr));\r
- VerifyStatus = EFI_ACCESS_DENIED;\r
- } else if (EFI_ERROR (VerifyStatus)) {\r
+ } else if (!IsVerified) {\r
if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE, mImageDigest, &mCertType, mImageDigestSize)) {\r
if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE, mImageDigest, &mCertType, mImageDigestSize)) {\r
- VerifyStatus = EFI_SUCCESS;\r
} else {\r
DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature is not allowed by DB and %s hash of image is not found in DB/DBX.\n", mHashTypeStr));\r
}\r
} else {\r
DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature is not allowed by DB and %s hash of image is not found in DB/DBX.\n", mHashTypeStr));\r
}\r
//\r
// The Size in Certificate Table or the attribute certificate table is corrupted.\r
//\r
//\r
// The Size in Certificate Table or the attribute certificate table is corrupted.\r
//\r
- VerifyStatus = EFI_ACCESS_DENIED;\r
- if (!EFI_ERROR (VerifyStatus)) {\r
return EFI_SUCCESS;\r
} else {\r
Status = EFI_ACCESS_DENIED;\r
return EFI_SUCCESS;\r
} else {\r
Status = EFI_ACCESS_DENIED;\r