Update DEC file and DxeImageVerificationLib to note user that ALLOW_EXECUTE_ON_SECURITY_VIOLATION is no longer supported.

Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Dong, Guo <guo.dong@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@14923 6f19259b-4bc3-4df7-8a09-765794883524

2 files changed, 10 insertions, 6 deletions

diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index 8860daeafa..2210c95f5a 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1108,10 +1108,11 @@ DxeImageVerificationHandler (
   }

 

   //

-  // The policy QUERY_USER_ON_SECURITY_VIOLATION violates the UEFI spec and has been removed.

+  // The policy QUERY_USER_ON_SECURITY_VIOLATION and ALLOW_EXECUTE_ON_SECURITY_VIOLATION 

+  // violates the UEFI spec and has been removed.

   //

-  ASSERT (Policy != QUERY_USER_ON_SECURITY_VIOLATION);

-  if (Policy == QUERY_USER_ON_SECURITY_VIOLATION) {

+  ASSERT (Policy != QUERY_USER_ON_SECURITY_VIOLATION && Policy != ALLOW_EXECUTE_ON_SECURITY_VIOLATION);

+  if (Policy == QUERY_USER_ON_SECURITY_VIOLATION || Policy == ALLOW_EXECUTE_ON_SECURITY_VIOLATION) {

     CpuDeadLoop ();

   }

 

diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index c07435e4b1..8cf9b39f73 100644
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -114,7 +114,8 @@
   #  DEFER_EXECUTE_ON_SECURITY_VIOLATION    0x00000003

   #  DENY_EXECUTE_ON_SECURITY_VIOLATION     0x00000004

   #  QUERY_USER_ON_SECURITY_VIOLATION       0x00000005 

-  #  NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION since it violates the UEFI specification and has been removed.

+  #  NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION and ALLOW_EXECUTE_ON_SECURITY_VIOLATION since

+  #  it violates the UEFI specification and has been removed.

   gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04|UINT32|0x00000001

   

   ## Pcd for removable media.

@@ -126,7 +127,8 @@
   #  DEFER_EXECUTE_ON_SECURITY_VIOLATION    0x00000003

   #  DENY_EXECUTE_ON_SECURITY_VIOLATION     0x00000004

   #  QUERY_USER_ON_SECURITY_VIOLATION       0x00000005

-  #  NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION since it violates the UEFI specification and has been removed.

+  #  NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION and ALLOW_EXECUTE_ON_SECURITY_VIOLATION since

+  #  it violates the UEFI specification and has been removed.

   gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04|UINT32|0x00000002

   

   ## Pcd for fixed media.

@@ -138,7 +140,8 @@
   #  DEFER_EXECUTE_ON_SECURITY_VIOLATION    0x00000003

   #  DENY_EXECUTE_ON_SECURITY_VIOLATION     0x00000004

   #  QUERY_USER_ON_SECURITY_VIOLATION       0x00000005  

-  #  NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION since it violates the UEFI specification and has been removed.

+  #  NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION and ALLOW_EXECUTE_ON_SECURITY_VIOLATION since

+  #  it violates the UEFI specification and has been removed.

   gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04|UINT32|0x00000003

   

   ## Defer Image Load policy settings.