1. Change default PCD in SecurityPkg to 4 (DENY_EXECUTE) in DEC file.

2. ASSERT if PCD value is set to 5 (QUERY_USER_ON_SECURITY_VIOLATION).
3. Update override PCD setting from 5 to 4 in platform DSC file.
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Ni Ruiyu <ruiyu.ni@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@14607 6f19259b-4bc3-4df7-8a09-765794883524

diff --git a/Nt32Pkg/Nt32Pkg.dsc b/Nt32Pkg/Nt32Pkg.dsc
index 424f72fc7fb91c0b5e4c9a75dd8ea0486b0bbe67..6656e11a5a07d91ba856d860ed9e2f5470aa45dc 100644 (file)
--- a/Nt32Pkg/Nt32Pkg.dsc
+++ b/Nt32Pkg/Nt32Pkg.dsc
@@ -226,9 +226,9 @@
 \r
 !if $(SECURE_BOOT_ENABLE) == TRUE\r
   # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot\r
 \r
 !if $(SECURE_BOOT_ENABLE) == TRUE\r
   # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot\r

-  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x05\r
-  gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x05\r
-  gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x05\r
+  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04\r
+  gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04\r
+  gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04\r

 !endif\r
 \r
 ################################################################################\r
 !endif\r
 \r
 ################################################################################\r

diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 8eb45b3a0a89dde5303a42f81b3413f1e756ec1a..41c104c6f6cf78922c622b59f86607e2b1b42258 100644 (file)
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -303,9 +303,9 @@
 \r
 !if $(SECURE_BOOT_ENABLE) == TRUE\r
   # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot\r
 \r
 !if $(SECURE_BOOT_ENABLE) == TRUE\r
   # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot\r

-  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x05\r
-  gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x05\r
-  gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x05\r
+  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04\r
+  gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04\r
+  gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04\r

 !endif\r
 \r
   # IRQs 5, 9, 10, 11 are level-triggered\r
 !endif\r
 \r
   # IRQs 5, 9, 10, 11 are level-triggered\r

diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 6373ecfebeae30ec9e542f815bd81dffc914eba4..2c7b4573327ad56a62118a3911c46b878c79d570 100644 (file)
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -309,9 +309,9 @@
 [PcdsFixedAtBuild.X64]\r
 !if $(SECURE_BOOT_ENABLE) == TRUE\r
   # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot\r
 [PcdsFixedAtBuild.X64]\r
 !if $(SECURE_BOOT_ENABLE) == TRUE\r
   # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot\r

-  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x05\r
-  gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x05\r
-  gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x05\r
+  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04\r
+  gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04\r
+  gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04\r

 !endif\r
 \r
   # IRQs 5, 9, 10, 11 are level-triggered\r
 !endif\r
 \r
   # IRQs 5, 9, 10, 11 are level-triggered\r

diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 2530a489df478f416df34249c3a161399b920b68..9fc0183d34bbe5dd90589bb3015c3addaec037a4 100644 (file)
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -308,9 +308,9 @@
 \r
 !if $(SECURE_BOOT_ENABLE) == TRUE\r
   # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot\r
 \r
 !if $(SECURE_BOOT_ENABLE) == TRUE\r
   # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot\r

-  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x05\r
-  gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x05\r
-  gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x05\r
+  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04\r
+  gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04\r
+  gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04\r

 !endif\r
 \r
   # IRQs 5, 9, 10, 11 are level-triggered\r
 !endif\r
 \r
   # IRQs 5, 9, 10, 11 are level-triggered\r

diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index 9e4bf8681b959a12bbe5906c4647e534a67eceaa..2458ee2ae1c586f6f919c6ccc1dac89e7be308a8 100644 (file)
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1086,6 +1086,14 @@ DxeImageVerificationHandler (
     return EFI_ACCESS_DENIED;\r
   }\r
 \r
     return EFI_ACCESS_DENIED;\r
   }\r
 \r

+  //\r
+  // The policy QUERY_USER_ON_SECURITY_VIOLATION violates the UEFI spec and has been removed.\r
+  //\r
+  ASSERT (Policy != QUERY_USER_ON_SECURITY_VIOLATION);\r
+  if (Policy == QUERY_USER_ON_SECURITY_VIOLATION) {\r
+    CpuDeadLoop ();\r
+  }\r
+\r

   GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOID**)&SecureBoot, NULL);\r
   //\r
   // Skip verification if SecureBoot variable doesn't exist.\r
   GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOID**)&SecureBoot, NULL);\r
   //\r
   // Skip verification if SecureBoot variable doesn't exist.\r

diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index 4c3129a8aef43d6057b86d4d71871a29eca11190..610682717e1901e2fdfe7d6ec72cec8846ec17eb 100644 (file)
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -87,7 +87,8 @@
   #  DEFER_EXECUTE_ON_SECURITY_VIOLATION    0x00000003\r
   #  DENY_EXECUTE_ON_SECURITY_VIOLATION     0x00000004\r
   #  QUERY_USER_ON_SECURITY_VIOLATION       0x00000005 \r
   #  DEFER_EXECUTE_ON_SECURITY_VIOLATION    0x00000003\r
   #  DENY_EXECUTE_ON_SECURITY_VIOLATION     0x00000004\r
   #  QUERY_USER_ON_SECURITY_VIOLATION       0x00000005 \r

-  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00|UINT32|0x00000001\r
+  #  NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION since it violates the UEFI specification and has been removed.\r
+  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04|UINT32|0x00000001\r

   \r
   ## Pcd for removable media.\r
   #  Removable media include CD-ROM, Floppy, USB and network.\r
   \r
   ## Pcd for removable media.\r
   #  Removable media include CD-ROM, Floppy, USB and network.\r


@@ -98,7 +99,8 @@
   #  DEFER_EXECUTE_ON_SECURITY_VIOLATION    0x00000003\r
   #  DENY_EXECUTE_ON_SECURITY_VIOLATION     0x00000004\r
   #  QUERY_USER_ON_SECURITY_VIOLATION       0x00000005\r
   #  DEFER_EXECUTE_ON_SECURITY_VIOLATION    0x00000003\r
   #  DENY_EXECUTE_ON_SECURITY_VIOLATION     0x00000004\r
   #  QUERY_USER_ON_SECURITY_VIOLATION       0x00000005\r

-  gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x05|UINT32|0x00000002\r
+  #  NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION since it violates the UEFI specification and has been removed.\r
+  gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04|UINT32|0x00000002\r

   \r
   ## Pcd for fixed media.\r
   #  Fixed media include hard disk.\r
   \r
   ## Pcd for fixed media.\r
   #  Fixed media include hard disk.\r


@@ -109,7 +111,8 @@
   #  DEFER_EXECUTE_ON_SECURITY_VIOLATION    0x00000003\r
   #  DENY_EXECUTE_ON_SECURITY_VIOLATION     0x00000004\r
   #  QUERY_USER_ON_SECURITY_VIOLATION       0x00000005  \r
   #  DEFER_EXECUTE_ON_SECURITY_VIOLATION    0x00000003\r
   #  DENY_EXECUTE_ON_SECURITY_VIOLATION     0x00000004\r
   #  QUERY_USER_ON_SECURITY_VIOLATION       0x00000005  \r

-  gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x05|UINT32|0x00000003\r
+  #  NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION since it violates the UEFI specification and has been removed.\r
+  gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04|UINT32|0x00000003\r

   \r
   ## Defer Image Load policy settings.\r
   #  The policy is bitwise. \r
   \r
   ## Defer Image Load policy settings.\r
   #  The policy is bitwise. \r