Update DEC file and DxeImageVerificationLib to note user that ALLOW_EXECUTE_ON_SECURI...

Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Dong, Guo <guo.dong@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@14923 6f19259b-4bc3-4df7-8a09-765794883524

diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index 8860daeafac4781a5d0ccfcb6bf873d23df333af..2210c95f5aaec0a8cefae1f94efbf7ca941150af 100644 (file)
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1108,10 +1108,11 @@ DxeImageVerificationHandler (
   }\r
 \r
   //\r
-  // The policy QUERY_USER_ON_SECURITY_VIOLATION violates the UEFI spec and has been removed.\r
+  // The policy QUERY_USER_ON_SECURITY_VIOLATION and ALLOW_EXECUTE_ON_SECURITY_VIOLATION \r
+  // violates the UEFI spec and has been removed.\r
   //\r
-  ASSERT (Policy != QUERY_USER_ON_SECURITY_VIOLATION);\r
-  if (Policy == QUERY_USER_ON_SECURITY_VIOLATION) {\r
+  ASSERT (Policy != QUERY_USER_ON_SECURITY_VIOLATION && Policy != ALLOW_EXECUTE_ON_SECURITY_VIOLATION);\r
+  if (Policy == QUERY_USER_ON_SECURITY_VIOLATION || Policy == ALLOW_EXECUTE_ON_SECURITY_VIOLATION) {\r
     CpuDeadLoop ();\r
   }\r
 \r

diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index c07435e4b1c33d317a64b2878fc6fda0e1f3bda4..8cf9b39f73346f0c83b7e13161b1e978c856e810 100644 (file)
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -114,7 +114,8 @@
   #  DEFER_EXECUTE_ON_SECURITY_VIOLATION    0x00000003\r
   #  DENY_EXECUTE_ON_SECURITY_VIOLATION     0x00000004\r
   #  QUERY_USER_ON_SECURITY_VIOLATION       0x00000005 \r
-  #  NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION since it violates the UEFI specification and has been removed.\r
+  #  NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION and ALLOW_EXECUTE_ON_SECURITY_VIOLATION since\r
+  #  it violates the UEFI specification and has been removed.\r
   gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04|UINT32|0x00000001\r
   \r
   ## Pcd for removable media.\r
@@ -126,7 +127,8 @@
   #  DEFER_EXECUTE_ON_SECURITY_VIOLATION    0x00000003\r
   #  DENY_EXECUTE_ON_SECURITY_VIOLATION     0x00000004\r
   #  QUERY_USER_ON_SECURITY_VIOLATION       0x00000005\r
-  #  NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION since it violates the UEFI specification and has been removed.\r
+  #  NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION and ALLOW_EXECUTE_ON_SECURITY_VIOLATION since\r
+  #  it violates the UEFI specification and has been removed.\r
   gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04|UINT32|0x00000002\r
   \r
   ## Pcd for fixed media.\r
@@ -138,7 +140,8 @@
   #  DEFER_EXECUTE_ON_SECURITY_VIOLATION    0x00000003\r
   #  DENY_EXECUTE_ON_SECURITY_VIOLATION     0x00000004\r
   #  QUERY_USER_ON_SECURITY_VIOLATION       0x00000005  \r
-  #  NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION since it violates the UEFI specification and has been removed.\r
+  #  NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION and ALLOW_EXECUTE_ON_SECURITY_VIOLATION since\r
+  #  it violates the UEFI specification and has been removed.\r
   gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04|UINT32|0x00000003\r
   \r
   ## Defer Image Load policy settings.\r