]> git.proxmox.com Git - mirror_edk2.git/commit
projects / mirror_edk2.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 82e0b2f) | patch
OvmfPkg/X86QemuLoadImageLib: handle EFI_ACCESS_DENIED from LoadImage()
authorLaszlo Ersek <lersek@redhat.com>
Fri, 5 Jun 2020 23:52:42 +0000 (01:52 +0200)
committermergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Tue, 9 Jun 2020 20:19:04 +0000 (20:19 +0000)
commitdafce295e6f447ed8905db4e29241e2c6c2a4389
tree2b1f8e0b2015611815526308a5094ff2d052a53atree
parent82e0b2f043c17bdb3d5ada7d9fe2bc13624cef27commit | diff
OvmfPkg/X86QemuLoadImageLib: handle EFI_ACCESS_DENIED from LoadImage()

When an image fails Secure Boot validation, LoadImage() returns
EFI_SECURITY_VIOLATION if the platform policy is
DEFER_EXECUTE_ON_SECURITY_VIOLATION.

If the platform policy is DENY_EXECUTE_ON_SECURITY_VIOLATION, then
LoadImage() returns EFI_ACCESS_DENIED (and the image does not remain
loaded).

(Before <https://bugzilla.tianocore.org/show_bug.cgi?id=2129>, this
difference would be masked, as DxeImageVerificationLib would incorrectly
return EFI_SECURITY_VIOLATION for DENY_EXECUTE_ON_SECURITY_VIOLATION as
well.)

In X86QemuLoadImageLib, proceed to the legacy Linux/x86 Boot Protocol upon
seeing EFI_ACCESS_DENIED too.

Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2785
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20200605235242.32442-1-lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c diff | blob | blame | history
EFI Development Kit II mirror for PVE