[Corrected the typos with a new version - proofreading is a good thing]
I'm confused about something and hope I can get some help understanding this. If we have a signed FV that is extracted in PEI it doesn't look like the AuthenticationStatus gets propagated to DXE. The HOB doesn't store authentication status and the core produces FVB with AuthenticationStatus forced to zero, even though the FV was signed and verified. This seems to mess up policy code in DXE because the AuthenticationStatus is not accurate.

MdeModulePkg\Core\Dxe\FwVolBlock\FwVolBlock.c, FwVolBlockDriverInit:

  while ((FvHob.Raw = GetNextHob (EFI_HOB_TYPE_FV, FvHob.Raw)) != NULL) {
    //
    // Produce an FVB protocol for it
    //
    ProduceFVBProtocolOnBuffer (FvHob.FirmwareVolume->BaseAddress, FvHob.FirmwareVolume->Length, NULL, 0, NULL);
    FvHob.Raw = GET_NEXT_HOB (FvHob);
  }

Note the hardcoded zero in the second-to-last argument. Is this expected? How would DXE policy code know if the FV was verified in PEI? It looks like the HOB definitions do not propagate PEI-phase Authentication status forward.

Thanks,

Eugene

-----Original Message-----
From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Cohen, Eugene
Sent: Friday, November 06, 2015 11:12 AM
To: edk2-devel@lists.01.org
Cc: Thompson, Mark L. (Boise IPG) <mark.l.thomp...@hp.com>
Subject: [edk2] Authentication status for signed FVs extracted in PEI

I'm confused about something and hope I can get some help understanding this. If we have a signed FV that is extracted in PEI it doesn't look like the AuthenticationStatus gets propagated to DXE. The HOB doesn't store authentication status and the core produces FVB with AuthenticationStatus forced to zero, even though the FV was signed and verified. This seems to mess up policy code we want to have in DXE because it is not accurate.

MdeModulePkg\Core\Dxe\FwVolBlock\FwVolBlock.c, FwVolBlockDriverInit:

  while ((FvHob.Raw = GetNextHob (EFI_HOB_TYPE_FV, FvHob.Raw)) != NULL) {
    //
    // Produce an FVB protocol for it
    //
    ProduceFVBProtocolOnBuffer (FvHob.FirmwareVolume->BaseAddress, FvHob.FirmwareVolume->Length, NULL, 0, NULL);
    FvHob.Raw = GET_NEXT_HOB (FvHob);
  }

Is this expected? How would DXE policy code know if the FV was verified in PEI?

Thanks,

Eugene
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
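A runnable model of the gap described in the message above, added here as an example; it is not code from edk2 or from the thread. The HOB list, the FV image and the "verification" step are constructed stand-ins: the FV HOB entry carries only base address and length, as EFI_HOB_FIRMWARE_VOLUME does, so the DXE consumer mirrors FwVolBlockDriverInit and reports an AuthenticationStatus of 0 regardless of what PEI found. A second, hypothetical HOB type (HOB_FV_AUTH, an assumption of this model, not a PI definition) carries the PEI verdict alongside the same base and length so a DXE policy check can act on it. The EFI_AUTH_STATUS_* bit values are the ones the PI specification defines; the FNV-1a tag stands in for real signature verification and is not a security mechanism.

```c
/* Model of how PEI-phase FV authentication status is (not) carried into DXE.
 * Added example, not edk2 code: the HOB list, FV image and "verification"
 * below are constructed stand-ins for the real data structures and crypto. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Authentication status bits as defined by the PI specification. */
#define EFI_AUTH_STATUS_PLATFORM_OVERRIDE 0x01
#define EFI_AUTH_STATUS_IMAGE_SIGNED      0x02
#define EFI_AUTH_STATUS_NOT_TESTED        0x04
#define EFI_AUTH_STATUS_TEST_FAILED       0x08

enum { HOB_FV = 1, HOB_FV_AUTH = 2 };   /* HOB_FV_AUTH is hypothetical */

typedef struct {
    int      Type;
    uint64_t BaseAddress;
    uint64_t Length;
    uint32_t AuthenticationStatus;  /* only meaningful for HOB_FV_AUTH */
} MODEL_HOB;

#define MAX_HOBS 8
static MODEL_HOB gHobList[MAX_HOBS];
static int       gHobCount;

void ResetHobList(void) { gHobCount = 0; }

/* Constructed FV image: payload followed by a 32-bit FNV-1a tag. This stands
 * in for a real signed GUIDed section; it is NOT a signature scheme. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Build a constructed FV image with a valid tag; returns total length.
 * With corrupt != 0 the payload is altered after tagging so checks fail. */
size_t BuildSampleFv(uint8_t *out, size_t cap, int corrupt) {
    static const uint8_t payload[] = "constructed FV payload";
    size_t n = sizeof payload;
    if (cap < n + 4) return 0;
    memcpy(out, payload, n);
    uint32_t tag = fnv1a(out, n);
    memcpy(out + n, &tag, 4);
    if (corrupt) out[0] ^= 0xff;
    return n + 4;
}

/* "PEI": verify the extracted FV, then publish HOBs. Returns the status the
 * verifier computed so a caller can compare it with what DXE later sees. */
uint32_t PeiExtractAndPublishFv(const uint8_t *fv, size_t len, uint64_t base) {
    uint32_t status = EFI_AUTH_STATUS_IMAGE_SIGNED;
    uint32_t tag;
    if (len < 4 || gHobCount + 2 > MAX_HOBS) return EFI_AUTH_STATUS_NOT_TESTED;
    memcpy(&tag, fv + len - 4, 4);
    if (tag != fnv1a(fv, len - 4)) status |= EFI_AUTH_STATUS_TEST_FAILED;

    /* What EFI_HOB_FIRMWARE_VOLUME carries: base and length only. */
    gHobList[gHobCount++] = (MODEL_HOB){ HOB_FV, base, len, 0 };
    /* Hypothetical extension that also records the verdict. */
    gHobList[gHobCount++] = (MODEL_HOB){ HOB_FV_AUTH, base, len, status };
    return status;
}

/* "DXE": mirror FwVolBlockDriverInit, which passes 0 for every FV HOB. */
uint32_t DxeAuthStatusFromFvHob(uint64_t base) {
    for (int i = 0; i < gHobCount; i++)
        if (gHobList[i].Type == HOB_FV && gHobList[i].BaseAddress == base)
            return 0;  /* the hard-coded zero from the thread */
    return EFI_AUTH_STATUS_NOT_TESTED;
}

/* "DXE": consume the hypothetical status-carrying HOB instead. */
uint32_t DxeAuthStatusFromAuthHob(uint64_t base) {
    for (int i = 0; i < gHobCount; i++)
        if (gHobList[i].Type == HOB_FV_AUTH && gHobList[i].BaseAddress == base)
            return gHobList[i].AuthenticationStatus;
    return EFI_AUTH_STATUS_NOT_TESTED;
}

/* Example DXE policy: dispatch only from FVs that were signed and passed. */
int DxePolicyAllowsDispatch(uint32_t status) {
    if (status & (EFI_AUTH_STATUS_TEST_FAILED | EFI_AUTH_STATUS_NOT_TESTED)) return 0;
    return (status & EFI_AUTH_STATUS_IMAGE_SIGNED) ? 1 : 0;
}

int main(void) {
    uint8_t fv[64];
    size_t len = BuildSampleFv(fv, sizeof fv, 0);
    uint32_t pei = PeiExtractAndPublishFv(fv, len, 0xFF800000ull);
    uint32_t viaFvHob = DxeAuthStatusFromFvHob(0xFF800000ull);
    uint32_t viaAuthHob = DxeAuthStatusFromAuthHob(0xFF800000ull);
    printf("PEI verdict 0x%x; DXE via FV HOB 0x%x (policy %d); via auth HOB 0x%x (policy %d)\n",
           pei, viaFvHob, DxePolicyAllowsDispatch(viaFvHob),
           viaAuthHob, DxePolicyAllowsDispatch(viaAuthHob));
    return 0;
}
```

The point the model makes is that a status of 0 is not "unknown": it decodes as "not signed, tested, no failure, no override", which is indistinguishable from a genuinely unsigned FV. A DXE policy that requires IMAGE_SIGNED therefore rejects an FV PEI already verified, and a policy written the other way round (reject only on TEST_FAILED) would accept an FV whose PEI verification actually failed, since that bit is lost too. Carrying the verdict forward in the HOB, as the hypothetical HOB_FV_AUTH entry does, removes both failure modes; the PI 1.5 specification later addressed this with EFI_HOB_TYPE_FV3 (EFI_HOB_FIRMWARE_VOLUME3), which records AuthenticationStatus and an ExtractedFv flag for exactly this case.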