From db44ea6c4e093c1a53d752bb21b9eba8ad8fdaa9 Mon Sep 17 00:00:00 2001
From: Fu Siyuan <siyuan.fu@intel.com>
Date: Wed, 28 Aug 2013 09:06:40 +0000
Subject: 1. Change default PCD in SecurityPkg to 4 (DENY_EXECUTE) in DEC file.
 2. ASSERT if PCD value is set to 5 (QUERY_USER_ON_SECURITY_VIOLATION). 3.
 Update override PCD setting from 5 to 4 in platform DSC file. Signed-off-by:
 Fu Siyuan <siyuan.fu@intel.com> Reviewed-by: Ni Ruiyu <ruiyu.ni@intel.com>
 Reviewed-by: Ye Ting <ting.ye@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@14607 6f19259b-4bc3-4df7-8a09-765794883524
---
 .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c     | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'SecurityPkg/Library/DxeImageVerificationLib')

diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index 9e4bf8681b..2458ee2ae1 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1086,6 +1086,14 @@ DxeImageVerificationHandler (
     return EFI_ACCESS_DENIED;
   }
 
+  //
+  // The policy QUERY_USER_ON_SECURITY_VIOLATION violates the UEFI spec and has been removed.
+  //
+  ASSERT (Policy != QUERY_USER_ON_SECURITY_VIOLATION);
+  if (Policy == QUERY_USER_ON_SECURITY_VIOLATION) {
+    CpuDeadLoop ();
+  }
+
   GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOID**)&SecureBoot, NULL);
   //
   // Skip verification if SecureBoot variable doesn't exist.
-- 
cgit v1.2.3