git.proxmox.com Git - mirror_edk2.git/commit
ArmVirtPkg/PlatformBootManagerLib: unload image on EFI_SECURITY_VIOLATION
author Laszlo Ersek <lersek@redhat.com>
Tue, 3 Sep 2019 15:08:45 +0000 (17:08 +0200)
committer Laszlo Ersek <lersek@redhat.com>
Thu, 5 Sep 2019 17:22:43 +0000 (19:22 +0200)
commit ae9f12058d71d9c5971c3cf36191cd813ecc9554
tree 6a05eada9504db4e20e8522567dc25c6247a9657
parent 23908d0f5cc6bc04a0d19f694cd8c2a392077da0
ArmVirtPkg/PlatformBootManagerLib: unload image on EFI_SECURITY_VIOLATION

The LoadImage() boot service is a bit unusual in that it allocates
resources in a particular failure case; namely, it produces a valid
"ImageHandle" when it returns EFI_SECURITY_VIOLATION. This is supposed to
happen e.g. when Secure Boot verification fails for the image, but the
platform policy for the particular image origin (such as "fixed media" or
"removable media") is DEFER_EXECUTE_ON_SECURITY_VIOLATION. The return code
allows platform logic to selectively override the verification failure,
and launch the image nonetheless.

ArmVirtPkg/PlatformBootManagerLib does not override EFI_SECURITY_VIOLATION
for the kernel image loaded from fw_cfg -- any LoadImage() error is
considered fatal. When we simply treat EFI_SECURITY_VIOLATION like any
other LoadImage() error, we leak the resources associated with
"KernelImageHandle". From a resource usage perspective,
EFI_SECURITY_VIOLATION must be considered "success", and rolled back.

Implement this rollback, without breaking the proper "nesting" of error
handling jumps and labels.

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Leif Lindholm <leif.lindholm@linaro.org>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1992
Fixes: 23d04b58e27b382bbd3f9b16ba9adb1cb203dad5
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
ArmVirtPkg/Library/PlatformBootManagerLib/QemuKernel.c
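The LoadImage() contract the commit message describes, and the rollback it adds, as an added C illustration that is not the commit's own code or edk2 code: the mock LoadImage()/UnloadImage() pair, the status-code values and the TryBootKernel() caller are assumptions standing in for the real boot services, with no UEFI headers, so the leaky and fixed behaviour can be compared side by side.

```c
/* Added illustration, not edk2 code: a mock of the LoadImage()/UnloadImage()
 * contract from the commit message plus the rollback it adds. The status values
 * and every Mock... and TryBootKernel name are assumptions, not from the page. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
typedef uint64_t EFI_STATUS;               /* UEFI encoding: high bit set = error */
#define EFI_SUCCESS            ((EFI_STATUS)0)
#define EFI_ACCESS_DENIED      ((EFI_STATUS)(0x8000000000000000ULL | 15))
#define EFI_SECURITY_VIOLATION ((EFI_STATUS)(0x8000000000000000ULL | 26))
#define EFI_ERROR(s)           (((int64_t)(s)) < 0)
typedef enum { POLICY_ALLOW, POLICY_DENY, POLICY_DEFER } MOCK_POLICY;
typedef struct { bool Loaded; } MOCK_IMAGE;
static MOCK_IMAGE gKernelImage;            /* the one image this mock can hold */

/* Mock LoadImage(): under DEFER_EXECUTE_ON_SECURITY_VIOLATION the call fails with
 * EFI_SECURITY_VIOLATION yet still produces a valid, resource-owning handle. */
static EFI_STATUS MockLoadImage(MOCK_POLICY Policy, MOCK_IMAGE **ImageHandle) {
  if (Policy == POLICY_DENY) {             /* ordinary failure: nothing allocated */
    *ImageHandle = NULL;
    return EFI_ACCESS_DENIED;
  }
  gKernelImage.Loaded = true;
  *ImageHandle = &gKernelImage;
  return (Policy == POLICY_DEFER) ? EFI_SECURITY_VIOLATION : EFI_SUCCESS;
}
static void MockUnloadImage(MOCK_IMAGE *ImageHandle) { ImageHandle->Loaded = false; }

/* Platform logic that never overrides the violation (as ArmVirtPkg does): the error
 * stays fatal, but with Fixed set the handle is rolled back before the shared teardown. */
static EFI_STATUS TryBootKernel(MOCK_POLICY Policy, bool Fixed) {
  MOCK_IMAGE *KernelImageHandle = NULL;
  EFI_STATUS  Status = MockLoadImage(Policy, &KernelImageHandle);
  if (Fixed && Status == EFI_SECURITY_VIOLATION) {
    MockUnloadImage(KernelImageHandle);    /* resource-wise this was a success */
  }
  if (EFI_ERROR(Status)) {
    goto UninstallProtocols;               /* any LoadImage() error is fatal */
  }
  MockUnloadImage(KernelImageHandle);      /* normal teardown after StartImage() */
UninstallProtocols:
  return Status;                           /* earlier-allocated resources freed here */
}

/* True if the attempt left the mock image held: the leak the commit fixes. */
static bool KernelImageLeaked(MOCK_POLICY Policy, bool Fixed) {
  gKernelImage.Loaded = false;
  (void)TryBootKernel(Policy, Fixed);
  return gKernelImage.Loaded;
}
```

With Fixed false the DEFER case returns the error but leaves the image held, which is the leak; with Fixed true the same call path returns the same error and holds nothing.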