]> git.proxmox.com Git - mirror_edk2.git/commit - SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
projects / mirror_edk2.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: adc6898) | patch
SecurityPkg/DxeImageVerificationLib: Differentiate error/search result (1) (CVE-2019...
authorJian J Wang <jian.j.wang@intel.com>
Mon, 16 Sep 2019 08:52:58 +0000 (16:52 +0800)
committermergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Wed, 19 Feb 2020 14:08:23 +0000 (14:08 +0000)
commita83dbf008cc73406cbdc0d5ac3164cc19fff6683
tree76b7e87a2e6c94c1b77679b254ab24fd61afd880tree
parentadc6898366298d1f64b91785e50095527f682758commit | diff
SecurityPkg/DxeImageVerificationLib: Differentiate error/search result (1) (CVE-2019-14575)

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608

To avoid false-negative issue in check hash against dbx, both error
condition (as return value) and check result (as out parameter) of
IsCertHashFoundInDatabase() are added. So the caller of this function
will know exactly if a failure is caused by a black list hit or
other error happening, and enforce a more secure operation to prevent
secure boot from being bypassed. For a white list check (db), there's
no such necessity.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c diff | blob | blame | history
EFI Development Kit II mirror for PVE