From 68fc0c7319d9c72e2f2e7fffdf9e1e8fb1e272d1 Mon Sep 17 00:00:00 2001 From: Fu Siyuan Date: Mon, 2 Dec 2013 07:52:35 +0000 Subject: [PATCH] Update DEC file and DxeImageVerificationLib to note user that ALLOW_EXECUTE_ON_SECURITY_VIOLATION is no longer supported. Signed-off-by: Fu Siyuan Reviewed-by: Dong, Guo git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@14923 6f19259b-4bc3-4df7-8a09-765794883524 --- .../DxeImageVerificationLib/DxeImageVerificationLib.c | 7 ++++--- SecurityPkg/SecurityPkg.dec | 9 ++++++--- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c index 8860daeafa..2210c95f5a 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -1108,10 +1108,11 @@ DxeImageVerificationHandler ( } // - // The policy QUERY_USER_ON_SECURITY_VIOLATION violates the UEFI spec and has been removed. + // The policy QUERY_USER_ON_SECURITY_VIOLATION and ALLOW_EXECUTE_ON_SECURITY_VIOLATION + // violates the UEFI spec and has been removed. // - ASSERT (Policy != QUERY_USER_ON_SECURITY_VIOLATION); - if (Policy == QUERY_USER_ON_SECURITY_VIOLATION) { + ASSERT (Policy != QUERY_USER_ON_SECURITY_VIOLATION && Policy != ALLOW_EXECUTE_ON_SECURITY_VIOLATION); + if (Policy == QUERY_USER_ON_SECURITY_VIOLATION || Policy == ALLOW_EXECUTE_ON_SECURITY_VIOLATION) { CpuDeadLoop (); } diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index c07435e4b1..8cf9b39f73 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -114,7 +114,8 @@ # DEFER_EXECUTE_ON_SECURITY_VIOLATION 0x00000003 # DENY_EXECUTE_ON_SECURITY_VIOLATION 0x00000004 # QUERY_USER_ON_SECURITY_VIOLATION 0x00000005 - # NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION since it violates the UEFI specification and has been removed. + # NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION and ALLOW_EXECUTE_ON_SECURITY_VIOLATION since + # it violates the UEFI specification and has been removed. gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04|UINT32|0x00000001 ## Pcd for removable media. @@ -126,7 +127,8 @@ # DEFER_EXECUTE_ON_SECURITY_VIOLATION 0x00000003 # DENY_EXECUTE_ON_SECURITY_VIOLATION 0x00000004 # QUERY_USER_ON_SECURITY_VIOLATION 0x00000005 - # NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION since it violates the UEFI specification and has been removed. + # NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION and ALLOW_EXECUTE_ON_SECURITY_VIOLATION since + # it violates the UEFI specification and has been removed. gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04|UINT32|0x00000002 ## Pcd for fixed media. @@ -138,7 +140,8 @@ # DEFER_EXECUTE_ON_SECURITY_VIOLATION 0x00000003 # DENY_EXECUTE_ON_SECURITY_VIOLATION 0x00000004 # QUERY_USER_ON_SECURITY_VIOLATION 0x00000005 - # NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION since it violates the UEFI specification and has been removed. + # NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION and ALLOW_EXECUTE_ON_SECURITY_VIOLATION since + # it violates the UEFI specification and has been removed. gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04|UINT32|0x00000003 ## Defer Image Load policy settings.