OvmfPkg/PlatformBmPrintScLib: hint at Secure Boot verification

The UEFI spec 2.11 documents EFI_SECURITY_VIOLATION for both
gBS->LoadImage() and gBS->StartImage() as

> [Image was loaded and an ImageHandle was created with a valid
> EFI_LOADED_IMAGE_PROTOCOL. However,] the current platform policy
> specifies that the image should not be started.

Additionally, the spec documents EFI_ACCESS_DENIED for gBS->LoadImage() as

> Image was not loaded because the platform policy prohibits the image
> from being loaded. NULL is returned in ImageHandle.

When image loading/starting fails under the above conditions (according to
the status code being reported), print a hint about Secure Boot. This
should help users diagnose and fix their Secure Boot configuration.

Updates: 77874ce
Fixes: #10901
Signed-off-by: Laszlo Ersek <[email protected]>

Author: lersek

OvmfPkg/Library/PlatformBmPrintScLib/StatusCodeHandler.c

@@ -214,14 +214,20 @@ HandleStatusCode (
       DevPathString
       );
   } else {
+    EFI_STATUS  ReturnStatus;
+
+    ReturnStatus = ((EFI_RETURN_STATUS_EXTENDED_DATA *)Data)->ReturnStatus;
     Print (
-      L"%a: failed to %a %s \"%s\" from %s: %r\n",
+      L"%a: failed to %a %s \"%s\" from %s: %r%a\n",
       gEfiCallerBaseName,
       Value == mLoadFail ? "load" : "start",
       BootOptionName,
       BmBootOption.Description,
       DevPathString,
-      ((EFI_RETURN_STATUS_EXTENDED_DATA *)Data)->ReturnStatus
+      ReturnStatus,
+      ((ReturnStatus == EFI_SECURITY_VIOLATION ||
+        (Value == mLoadFail && ReturnStatus == EFI_ACCESS_DENIED)) ?
+       " -- rejected probably by Secure Boot" : "")
       );
   }