[DRAFT][WIP] SecurityPkg: DxeImageValidationLib rewrite

[Javagedes]

Description

This is a complete rewrite of DxeImageValidationLib.

Please review the Scenario scoped tests found in GoogleTest/DxeImageVerificationLibGoogleTest.cpp.

Notable differences from original implementation:

1. Policy management has been simplified (almost completely removed). Policy now dictates that if the image comes from an FV, it should be ALWAYS_EXECUTE. Anything else is set to DENY_EXECUTE_ON_SECURITY_VIOLATION and must go through the handler. There are no longer PCDs to configure Policy for certain scenarios.
2. PE image parsing is delegated to PeCoffLib.
3. Hashing is delegated to BaseCryptLib.
4. AuditMode has been removed. Secureboot is either enabled or disabled and that logic comes from the existing SecureBootVariableLib.
5. Multi-signed images only require one signer to fully validate. The previous implementation requires all signers fully validate.
6. Added X509 cert hash support in the DB
7. Global data, including digests, have been removed. A Cache system has been created to reduce duplicate hashing.
8. Functionality has been compartmentalized into small testable functions that do not rely on global state
9. Test coverage is around 95%

TODOS

1. Write action to Image Execution Information Table when denying image
2. Write to PCR7 when allowing image that is validated via signer
3. Implement IsSignedImageRevoked

[mu-automation]

⏳ QEMU Validation In Progress

A new QEMU validation run has started. Results from any previous run(s) are now outdated.

Note: Previous results are available in this comment's edit history.

Workflow run: https://github.com/microsoft/mu_basecore/actions/runs/27289352428

This comment was automatically generated by the Mu QEMU PR Validation workflow.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 0% with 38 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (release/202511@a3a9cc8). Learn more about missing BASE report.

Files with missing lines	Patch %	Lines
MdePkg/Library/BasePeCoffLib/BasePeCoff.c	0.00%	38 Missing ⚠️

Additional details and impacted files

@@                Coverage Diff                @@
##             release/202511    #1809   +/-   ##
=================================================
  Coverage                  ?    1.10%           
=================================================
  Files                     ?     1477           
  Lines                     ?   377980           
  Branches                  ?     4863           
=================================================
  Hits                      ?     4160           
  Misses                    ?   372901           
  Partials                  ?      919           

Flag	Coverage Δ
FmpDevicePkg	9.53% <ø> (?)
MdeModulePkg	0.26% <ø> (?)
MdePkg	3.30% <0.00%> (?)
NetworkPkg	0.55% <ø> (?)
PolicyServicePkg	30.42% <ø> (?)
UefiCpuPkg	3.00% <ø> (?)
UnitTestFrameworkPkg	11.70% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[makubacki]

I wasn't sure about adding the AI skills to this repo. But in any case, it shouldn't be included in this PR.

[jyao1]

I checked the code with AI.

It seems the code does not handle 2 cases:

1. intermediate cert in DBX.
   Thinking of a case that: Chain leaf→intermediate→root, db trusts root, dbx lists the intermediate:
   I think the expectation is to revoke the image, right? But it seems allow.
   Is there a test to cover that?

2. signed image hash in DBX
   It seems the code only check unsigned image hash in DBX, not signed image hash.
   Is there a test to cover that?

I have not got chance to review all the code yet. Maybe I am wrong.

But I feel we have better have a test to cover that.