[RFC] Error reporting upon SecureBoot image validation failures?


Aaron Young
 

Hello, I have a question about user error reporting during SecureBoot image validation.

From my testing with OVMF/Secureboot, when an image to be loaded fails validation (i.e. due to missing or incorrect signature), it silently fails. i.e. there is no indication given to the user via the console. All that seems to be done as a result is an entry added to the Image Execution Information Table.

I see there used to be code implemented to give an indication (e.g. QUERY_USER_ON_SECURITY_VIOLATION), but it was deemed a violation of the UEFI spec and removed.


I didn't see any code in edk2 at present which appears to consume the data in the Image Execution Information Table (though I may have missed it).

The UEFI spec (Version 2.8, Section 32.4.2) briefly discusses an "agent that executes later" can consume the table data, but is vague about what this agent can/should do.

We'd like users to be able to see image validation failures and the reason for the failure. There are currently some DEBUG output statements in the code, but this is inadequate for general user applications.

Questions:

Is there any (planned) replacement for QUERY_USER_ON_SECURITY_VIOLATION support? i.e. to give users an indication of the image validation failure?

Is there any "agent" code (as I reference above) at present to process the Image Execution Information Table - or any work planned in this area?


What I envisioned is some HII code added to the Boot Manager to display the contents of the Image Execution Information Table in a human readable manner. Does this seem reasonable?

Thanks in advance for any insight/comments/etc.

-Aaron Young

Join rfc@edk2.groups.io to automatically receive all group messages.