1. Change default PCD in SecurityPkg to 4 (DENY_EXECUTE) in DEC file.

[mirror_edk2.git] / SecurityPkg / Library / DxeImageVerificationLib / DxeImageVerificationLib.c

diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index 9e4bf8681b959a12bbe5906c4647e534a67eceaa..2458ee2ae1c586f6f919c6ccc1dac89e7be308a8 100644 (file)
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1086,6 +1086,14 @@ DxeImageVerificationHandler (
     return EFI_ACCESS_DENIED;\r
   }\r
 \r
+  //\r
+  // The policy QUERY_USER_ON_SECURITY_VIOLATION violates the UEFI spec and has been removed.\r
+  //\r
+  ASSERT (Policy != QUERY_USER_ON_SECURITY_VIOLATION);\r
+  if (Policy == QUERY_USER_ON_SECURITY_VIOLATION) {\r
+    CpuDeadLoop ();\r
+  }\r
+\r
   GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOID**)&SecureBoot, NULL);\r
   //\r
   // Skip verification if SecureBoot variable doesn't exist.\r