diff --git a/README.md b/README.md index 4e87a6cde6f1fe8eac6dca8b38e13a806d440b57..37baf90a981801b2c2460544bd2a52f539e0dc7b 100644 --- a/README.md +++ b/README.md @@ -353,6 +353,10 @@ the result of some tests with the following ones: `KNOWN SIZE LIMITATION` Genuine limitations, we know about them; they are due to secure storage size limitations and they do not prevent Secure Boot. + + `KNOWN ACS LIMITATION` Genuine bugs, which are fixed in a more recent + version of the ACS or which must ultimately be fixed + and which we know about. ------------------------------------------------------------------------------- [BBSR]: https://developer.arm.com/documentation/den0107/b/?lang=en diff --git a/SIE.yaml b/SIE.yaml index ead4e2fa61fd905332053a96bbd3098e3f0b6ab8..c791e7be2e4d0042711294e35e037374f9e88889 100644 --- a/SIE.yaml +++ b/SIE.yaml 
@@ -185,3 +185,71 @@ sub set: ImageLoading update: result: KNOWN ACS LIMITATION + +############################################################################### +# Known ACS limitations # +############################################################################### + +# We force the following tests result as `KNOWN ACS LIMITATION'. They are +# genuine bugs, which are fixed in a more recent version of the ACS or which +# must ultimately be fixed and which we know about. + +- rule: Force unsigned authenticated variable update failure with ACS-IR + v23.09_2.1.0 as known ACS limitation + The SIE SCT sends a random, very large, blob which FW handles differently to + an invalid key and returns INVALID_PARAMETER, while the SIE SCT expects only + SECURITY_VIOLATION. + criteria: + descr: Secure Boot Test + device path: No device path + group: RuntimeServicesTest + guid: D2073163-EDB0-4D6B-BA8F-5C6116C1592C + log: Status - Invalid Parameter + name: SecureBoot - Verify unsigned KEK update + result: FAILURE + revision: '0x00010000' + set guid: 495CB6D7-0817-4015-A479-0DB4C2308626 + sub set: VariableUpdates + test set: SecureBootTest + update: + result: KNOWN ACS LIMITATION + +- rule: Force unsigned authenticated variable update failure (2) with ACS-IR + v23.09_2.1.0 as known ACS limitation + The SIE SCT sends a random, very large, blob which FW handles differently to + an invalid key and returns INVALID_PARAMETER, while the SIE SCT expects only + SECURITY_VIOLATION. 
+ criteria: + descr: Secure Boot Test + device path: No device path + group: RuntimeServicesTest + guid: 25AD4F9B-6533-4A96-9447-FEED03EEC3E2 + log: Status - Invalid Parameter + name: SecureBoot - Verify unsigned db update + result: FAILURE + revision: '0x00010000' + set guid: 495CB6D7-0817-4015-A479-0DB4C2308626 + sub set: VariableUpdates + test set: SecureBootTest + update: + result: KNOWN ACS LIMITATION + +- rule: Force unsigned authenticated variable update failure (3) with ACS-IR + v23.09_2.1.0 as known ACS limitation + The SIE SCT sends a random, very large, blob which FW handles differently to + an invalid key and returns INVALID_PARAMETER, while the SIE SCT expects only + SECURITY_VIOLATION. + criteria: + descr: Secure Boot Test + device path: No device path + group: RuntimeServicesTest + guid: 70FEBF5B-27D6-44AE-AB43-059DDD8B2947 + log: Status - Invalid Parameter + name: SecureBoot - Verify unsigned dbx update + result: FAILURE + revision: '0x00010000' + set guid: 495CB6D7-0817-4015-A479-0DB4C2308626 + sub set: VariableUpdates + test set: SecureBootTest + update: + result: KNOWN ACS LIMITATION diff --git a/schemas/common-schema.yaml b/schemas/common-schema.yaml index 8dbef1f389d5ca33707312f3328179b909cbbeab..fe900cda838a3abc34955f9abf995da0cbdf1473 100644 --- a/schemas/common-schema.yaml +++ b/schemas/common-schema.yaml @@ -28,6 +28,7 @@ $defs: - SBBR UEFI System Environment and Configuration Tests - SBBRRuntimeServices Tests - SbbrBootServices Tests + - Secure Boot Test - Simple Input Protocol Test - Simple Network Protocol Test - Simple Text Input Ex Protocol Test @@ -285,6 +286,7 @@ $defs: - SbbrBootServices - SbbrEfiSpecVerLvl - SbbrSysEnvConfig + - SecureBootTest - SimpleFileSystemProtocolTest - SimpleInputProtocolTest - SimpleNetworkProtocolTest
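Review bot: The new `KNOWN ACS LIMITATION` entry in the README.md hunk says "Genuine bugs" without saying whose bugs they are. The SIE.yaml rule text in this same patch describes a mismatch in what the SCT expects (only SECURITY_VIOLATION, while the FW returns INVALID_PARAMETER), so the entry should state that the defect is in the ACS test suite rather than in the firmware. The neighbouring `KNOWN SIZE LIMITATION` entry says its cases "do not prevent Secure Boot"; an equivalent sentence here would tell a reader whether a result carrying this label still means the unsigned update was rejected.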
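Review bot: In the three rules added to SIE.yaml, the affected release (`ACS-IR v23.09_2.1.0`) appears only in the `rule:` text, and nothing in `criteria:` is visibly tied to it, so the override looks like it will keep applying with a later ACS in which the test is fixed. These tests check that unsigned KEK, db and dbx updates are rejected, so a stale override is worth avoiding: if `revision: '0x00010000'` does not already single out the affected test release, please add a criterion that does, or say in the section comment when the rules are to be removed. The `log: Status - Invalid Parameter` criterion is what keeps a failure with any other status from being relabelled, so it should stay in all three rules. Two smaller points: the context at the top of the hunk shows an existing rule that already sets `result: KNOWN ACS LIMITATION` above the new section banner, so the banner would be better placed before it; and the rationale paragraph is folded into each `rule:` value and repeated verbatim three times, where a single comment above the three rules would keep the rule names short.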
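Review bot: The two schemas/common-schema.yaml hunks cover only the `descr` and `test set` values (`Secure Boot Test`, `SecureBootTest`), while the new SIE.yaml rules also introduce `sub set: VariableUpdates`. If the schema enumerates sub set values the same way, that value needs adding too; please confirm that SIE.yaml validates against the schema with the three new rules in place.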