Eugene:
   Thanks for the info. You are right. The temp solution logic in 
PeiRsa2048Sha256GuidedSectionExtractLib is no longer needed since 
EFI_PEI_SECURITY2_PPI is supported by Core.
I will provide a patch to remove them. 
   For platform code, you need to make sure FVMAIN_COMPACT is processed after 
your private Security Handler is hooked when you have more than one PEI FV.



Thanks & Best regards
Chao Zhang

-----Original Message-----
From: Cohen, Eugene [mailto:eug...@hp.com] 
Sent: Monday, November 02, 2015 9:48 PM
To: Zhang, Chao B
Cc: edk2-devel@lists.01.org
Subject: RE: SecurityPkg: PeiRsa2048Sha256GuidedSectionExtractLib error handling

> What kind of FV does the RSA2048Sha256 section exist in? BFV, Other FV must 
> be processed in PEI (containing required Peim or DxeCore) or FV can be 
> processed in DXE

This is the compressed FV containing the DXE phase modules so we have FVMAIN 
inside FVMAIN_COMPRESSED inside FVMAIN_COMPRESSED_SIGNED.  We load up the 
FVMAIN_COMPRESSED_SIGNED FV in PEI.

> What is the behavior of your Authentication Failure Handler

We need to handle the authentication failure so we can recover the system (find 
something else to run that's valid).  With the authentication failure causing 
EFI_ACCESS_DENIED we never get a chance to run our handler and then we can 
never recover the system and instead we just hang.

We tested removing this statement and it does allow our handler to run so I 
think this just needs to be deleted (as implied by the comment saying 'Temp 
solution').

Do you agree?

Thanks,

Eugene

-----Original Message-----
From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Zhang, 
Chao B
Sent: Sunday, November 01, 2015 6:51 PM
To: Cohen, Eugene <eug...@hp.com>
Cc: edk2-devel@lists.01.org
Subject: Re: [edk2] SecurityPkg: PeiRsa2048Sha256GuidedSectionExtractLib error 
handling

Eugene:
May I know details about your problem?

1. What kind of FV does the RSA2048Sha256 section exist in? BFV, Other FV 
must be processed in PEI (containing required Peim or DxeCore) or FV can be 
processed in DXE

2. What is the behavior of your Authentication Failure Handler




Thanks & Best regards
Chao Zhang

From: Cohen, Eugene [mailto:eug...@hp.com]
Sent: Friday, October 30, 2015 7:45 PM
To: Zhang, Chao B
Cc: edk2-devel@lists.01.org
Subject: SecurityPkg: PeiRsa2048Sha256GuidedSectionExtractLib error handling

Dear SecurityPkg maintainer,

I'm trying to track down the best way for platform policy to handle an 
authentication failure in the PEI Rsa2048Sha256 guided section extraction 
library and ran across this curious state near the end of 
Rsa2048Sha256GuidedSectionHandler.

  //
  // Temp solution until PeiCore checks AUTH Status.
  //
  if ((*AuthenticationStatus & (EFI_AUTH_STATUS_TEST_FAILED | EFI_AUTH_STATUS_NOT_TESTED)) != 0) {
    Status = EFI_ACCESS_DENIED;
  }

From what I can tell the caller is checking AuthenticationStatus so this may 
be some development code that was not removed.

Setting the return status to EFI_ACCESS_DENIED prevents us from getting to 
platform policy code (via the EFI_PEI_SECURITY2_PPI)

   Status = ParentFvPpi->FindSectionByType (
                            ParentFvPpi,
                            EFI_SECTION_FIRMWARE_VOLUME_IMAGE,
                            ParentFvFileHandle,
                            (VOID **)&FvHeader
                            );
  }
  if (EFI_ERROR (Status)) {
    return Status;  // <--- we bail out here
  }

  // <-- this would have called the EFI_PEI_SECURITY2_PPI
  Status = VerifyPeim (PrivateData, ParentFvHandle, ParentFvFileHandle, AuthenticationStatus);
  if (Status == EFI_SECURITY_VIOLATION) {
    return Status;
  }

Because of this issue we cannot run a policy handler that we'd like to because 
we remain in the PEI core going down error paths.

I think this fix may be as simple as removing the 'Temp solution' block but 
since I'm unfamiliar with the intent I wanted to check with you what the 
intended flow is for platform code discovering and handling authentication 
errors.

Thanks,

Eugene

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
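
Added example (not part of the thread and not EDK II code): a simplified C model of the flow described above, showing that with the 'Temp solution' block enabled a failed signature check returns before the platform handler behind EFI_PEI_SECURITY2_PPI can run. The status enum and the functions section_handler, platform_security2 and process_signed_fv are hypothetical stand-ins for the real handler, Security2 callback and PeiCore caller.

```c
#include <stdint.h>
#include <stdio.h>

/* Authentication status bits as defined in the PI specification. */
#define EFI_AUTH_STATUS_IMAGE_SIGNED 0x02u
#define EFI_AUTH_STATUS_NOT_TESTED   0x04u
#define EFI_AUTH_STATUS_TEST_FAILED  0x08u

/* Stand-ins for EFI_STATUS codes (assumption: not the real encodings). */
typedef enum { ST_OK, ST_ACCESS_DENIED, ST_SECURITY_VIOLATION } status_t;
typedef struct { status_t status; int handler_ran; } result_t;

/* Model of the guided section handler; temp_block toggles the 'Temp solution'. */
static status_t section_handler(int sig_valid, int temp_block, uint32_t *auth) {
  status_t st = ST_OK;
  *auth = EFI_AUTH_STATUS_IMAGE_SIGNED;
  if (!sig_valid) *auth |= EFI_AUTH_STATUS_TEST_FAILED;
  if (temp_block &&
      (*auth & (EFI_AUTH_STATUS_TEST_FAILED | EFI_AUTH_STATUS_NOT_TESTED)) != 0)
    st = ST_ACCESS_DENIED;
  return st;
}

/* Hypothetical platform policy handler reached via EFI_PEI_SECURITY2_PPI. */
static status_t platform_security2(uint32_t auth, int *ran) {
  *ran = 1;  /* a real handler would pick a recovery image here */
  return (auth & EFI_AUTH_STATUS_TEST_FAILED) ? ST_SECURITY_VIOLATION : ST_OK;
}

/* Model of the caller flow quoted in the thread. */
result_t process_signed_fv(int sig_valid, int temp_block) {
  result_t r = { ST_OK, 0 };
  uint32_t auth = 0;
  r.status = section_handler(sig_valid, temp_block, &auth); /* FindSectionByType */
  if (r.status != ST_OK) return r;          /* "we bail out here" */
  r.status = platform_security2(auth, &r.handler_ran);      /* VerifyPeim */
  return r;
}

int main(void) {
  for (int t = 1; t >= 0; t--) {  /* invalid signature, with and without block */
    result_t r = process_signed_fv(0, t);
    printf("temp_block=%d status=%d handler_ran=%d\n", t, r.status, r.handler_ran);
  }
  return 0;
}
```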