From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "jejb@linux.ibm.com" <jejb@linux.ibm.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>,
"Xu, Min M" <min.m.xu@intel.com>,
"devel@edk2.groups.io" <devel@edk2.groups.io>,
Ard Biesheuvel <ardb+tianocore@kernel.org>,
"Justen, Jordan L" <jordan.l.justen@intel.com>,
Brijesh Singh <brijesh.singh@amd.com>,
Erdem Aktas <erdemaktas@google.com>,
Tom Lendacky <thomas.lendacky@amd.com>
Subject: Re: [PATCH V3 15/29] OvmfPkg: Update SecEntry.nasm to support Tdx
Date: Tue, 23 Nov 2021 14:36:47 +0000 [thread overview]
Message-ID: <1D6AF5B4-87BD-4773-A5C7-4779016A0673@intel.com> (raw)
In-Reply-To: <a993c0c660ab6b61075093ece8225fbd7c3d24e8.camel@linux.ibm.com>
> This strict isolation between DXE and PEI means that once we're in DXE,
> any bugs in PEI can't be exploited to attack the DXE environment.
[jiewen] I would disagree the statement above.
There is not strict isolation. Actually no isolation at all.
The DXE is loaded by PEI.
A bug in PEI has global impact and it can definitely be used to attack the DXE.
thank you!
Yao, Jiewen
> 在 2021年11月23日,下午10:27,James Bottomley <jejb@linux.ibm.com> 写道:
>
> On Tue, 2021-11-23 at 13:07 +0000, Yao, Jiewen wrote:
>> Comment below only:
>>
>>> I am persuaded to let config-a adopt the OVMF way, because the
>>> threat model of config-A is same as the normal OVMF.
>>> But config-B is NOT.
>>> Different threat model drives different solution.
>>> I completely don't understand why they must be same.
>>
>> I don't understand why you want separate them. Improving OvmfPkg
>> security is good for both OVMF and TDVF. For TDVF it is clearly much
>> more important due to the different threat model, but it is good for
>> OVMF too. Likewise edk2 in general.
>>
>> [Jiewen] My answer is very clear as I mentioned multiple times.
>> The threat model is different.
>> IMHO, talking about "Improving OvmfPkg security" without a clear
>> threat model is *meaningless*.
>> All mitigation must be based upon threat mode and security objective.
>> Otherwise, what you are doing might be either unnecessary or
>> insufficient.
>
> Can we take a step back and look at the bigger picture. The way EFI is
> supposed to operate, according to the architecture model:
>
> https://uefi.org/sites/default/files/resources/PI_Spec_1_7_final_Jan_2019.pdf
> (Figure 1 and Table 4)
>
> is that SEC is supposed to be as small and compact as possible, so it
> could be ROM installed without worrying about upgrade issues. It's job
> is only to get the CPU initialized to the point it can run PEI, measure
> PEI and transfer control. Security depends on the smallness of SEC
> because if it's rom installed (as a root of trust ought to be) it can't
> be upgraded to fix a bug.
>
> PEI is supposed to initialize the hardware: set up the CPU, memory
> Application Processors and board configuration so we're in a known
> state with described features for DXE. It then measures DXE (only if
> SEC didn't measure it) and hands off to DXE. PEI code is designed not
> to interact with anything except setup to minimize external
> exploitation of internal bugs.
>
> DXE is supposed to contain only runtime code, including device drivers.
>
> The security point here is that the job of PEI is over as soon as it
> hands off to DXE, so at that point all the PEI code could be discarded
> (it usually isn't, but it could be).
>
> This strict isolation between DXE and PEI means that once we're in DXE,
> any bugs in PEI can't be exploited to attack the DXE environment. This
> allows us to minimize DXE which is where most of the main risk of
> configuration based exploitation is.
>
> In this security model, you increase security by moving as much code as
> you can from DXE to PEI because the true attack surface is DXE.
>
> To a lot of us, cutting out PEI, which requires redistributing code
> into DXE sounds like an increase not a reduction in the attack surface
> of the code. You can argue that OVMF doesn't obey the model above and
> has a lot of initialization code in DXE anyway, but then the correct
> route would be to fix our PEI/DXE separation to recover the security
> properties.
>
>>> If you force me to add PEI to config-B. Finally, that causes TDVF
>>> config-B is compromised due to an issue in PEI.
>>> Who will take the responsibility? Will you or RedHat take that?
>>
>> Bugs happen. There could also be bugs in the additional SEC code you
>> need for platform setup in a non-PEI configuration ...
>>
>> [Jiewen] I agree. That is why we need smaller code.
>> We can just focus on review that small portion of code what we have
>> written for TDVF, instead of the whole PEI.
>> We have process to review and maintain the extra TDVF code.
>
> This depends ... if you agree with the security model outlined above,
> bugs in PEI are less of a problem because they can't be exploited. Or
> do you not agree with this security model?
>
> Security isn't about total bug elimination, it's about exploit
> elimination. You fix a security vulnerability either by fixing the bug
> that can be exploited or removing the ability to exploit it. This is
> the reason for technologies like NX ... they don't stop people
> exploiting bugs to write code to the stack, but they do mean that once
> you have the code on the stack you can no-longer execute it and the
> attackers have to move on to other means of gaining control.
>
> The great thing about exploit elimination vs bug elimination is the
> former can usually be done on a whole class of bugs and the latter
> requires a whack-a-mole per bug type approach.
>
> James
>
>
next prev parent reply other threads:[~2021-11-23 14:36 UTC|newest]
Thread overview: 107+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-01 13:15 [PATCH V3 00/29] Enable Intel TDX in OvmfPkg (Config-A) Min Xu
2021-11-01 13:15 ` [PATCH V3 01/29] MdePkg: Add Tdx.h Min Xu
2021-11-01 13:15 ` [PATCH V3 02/29] MdePkg: Add TdxLib to wrap Tdx operations Min Xu
2021-11-02 14:06 ` Gerd Hoffmann
2021-11-10 4:58 ` [edk2-devel] " Min Xu
2021-11-10 10:38 ` Erdem Aktas
2021-11-12 2:38 ` Min Xu
2021-11-12 2:42 ` Yao, Jiewen
2021-11-12 5:29 ` Min Xu
2021-11-12 5:33 ` Yao, Jiewen
2021-11-01 13:15 ` [PATCH V3 03/29] UefiCpuPkg: Extend VmgExitLibNull to handle #VE exception Min Xu
2021-11-02 14:11 ` Gerd Hoffmann
2021-11-01 13:15 ` [PATCH V3 04/29] OvmfPkg: Extend VmgExitLib " Min Xu
2021-11-02 14:23 ` Gerd Hoffmann
2021-11-10 6:46 ` Min Xu
2021-11-17 0:32 ` Erdem Aktas
2021-11-01 13:15 ` [PATCH V3 05/29] UefiCpuPkg/CpuExceptionHandler: Add base support for the " Min Xu
2021-11-02 14:24 ` Gerd Hoffmann
2021-11-01 13:15 ` [PATCH V3 06/29] MdePkg: Add helper functions for Tdx guest in BaseIoLibIntrinsic Min Xu
2021-11-01 13:15 ` [PATCH V3 07/29] MdePkg: Support mmio " Min Xu
2021-11-01 13:15 ` [PATCH V3 08/29] MdePkg: Support IoFifo " Min Xu
2021-11-01 13:15 ` [PATCH V3 09/29] MdePkg: Support IoRead/IoWrite " Min Xu
2021-11-01 13:15 ` [PATCH V3 10/29] UefiPayloadPkg: PreparePrepare UefiPayloadPkg to use TdxLib Min Xu
2021-11-01 15:31 ` Guo Dong
2021-11-01 15:58 ` Ma, Maurice
2021-11-02 0:07 ` Min Xu
2021-11-02 14:32 ` Gerd Hoffmann
2021-11-01 13:16 ` [PATCH V3 11/29] UefiCpuPkg: Support TDX in BaseXApicX2ApicLib Min Xu
2021-11-02 14:33 ` Gerd Hoffmann
2021-11-01 13:16 ` [PATCH V3 12/29] UefiCpuPkg: Define ConfidentialComputingGuestAttr Min Xu
2021-11-02 14:36 ` Gerd Hoffmann
2021-11-03 8:32 ` [edk2-devel] " Min Xu
2021-11-01 13:16 ` [PATCH V3 13/29] MdePkg: Add macro to check SEV/TDX guest Min Xu
2021-11-02 14:36 ` Gerd Hoffmann
2021-11-01 13:16 ` [PATCH V3 14/29] UefiCpuPkg: Enable Tdx support in MpInitLib Min Xu
2021-11-03 6:09 ` Gerd Hoffmann
2021-11-03 12:57 ` Min Xu
2021-11-04 8:10 ` Gerd Hoffmann
2021-11-04 15:21 ` Lendacky, Thomas
2021-11-04 23:24 ` Min Xu
2021-11-05 6:46 ` [edk2-devel] " Gerd Hoffmann
2021-11-05 6:53 ` Min Xu
2021-11-09 2:44 ` Min Xu
2021-11-01 13:16 ` [PATCH V3 15/29] OvmfPkg: Update SecEntry.nasm to support Tdx Min Xu
2021-11-03 6:30 ` Gerd Hoffmann
2021-11-16 12:11 ` Min Xu
2021-11-17 15:19 ` Gerd Hoffmann
2021-11-18 9:59 ` Yao, Jiewen
2021-11-19 15:11 ` Gerd Hoffmann
2021-11-20 3:18 ` Yao, Jiewen
2021-11-23 12:38 ` Gerd Hoffmann
2021-11-23 13:07 ` Yao, Jiewen
2021-11-23 14:26 ` James Bottomley
2021-11-23 14:36 ` Yao, Jiewen [this message]
2021-11-23 14:51 ` James Bottomley
2021-11-23 15:10 ` Yao, Jiewen
2021-11-23 15:37 ` [edk2-devel] " James Bottomley
2021-11-24 3:15 ` Yao, Jiewen
2021-11-24 8:12 ` Gerd Hoffmann
2021-11-24 11:08 ` Yao, Jiewen
2021-11-24 13:35 ` James Bottomley
2021-11-24 14:03 ` Yao, Jiewen
2021-11-24 14:07 ` James Bottomley
2021-11-24 14:59 ` Yao, Jiewen
2021-11-25 8:32 ` Gerd Hoffmann
2021-11-26 6:29 ` Yao, Jiewen
2021-12-01 13:55 ` Gerd Hoffmann
2021-12-02 13:22 ` Yao, Jiewen
2021-12-06 14:57 ` Gerd Hoffmann
2021-12-07 2:28 ` Yao, Jiewen
2021-12-07 8:04 ` Gerd Hoffmann
2021-12-08 5:13 ` Min Xu
[not found] ` <16BA8381113E7B1B.22735@groups.io>
2021-11-24 15:30 ` Yao, Jiewen
[not found] ` <16BA5D1709524394.9880@groups.io>
2021-11-24 3:21 ` Yao, Jiewen
2021-11-01 13:16 ` [PATCH V3 16/29] OvmfPkg: Add IntelTdx.h in OvmfPkg/Include/IndustryStandard Min Xu
2021-11-01 13:16 ` [PATCH V3 17/29] OvmfPkg: Add TdxMailboxLib Min Xu
2021-11-01 13:16 ` [PATCH V3 18/29] MdePkg: Add EFI_RESOURCE_ATTRIBUTE_ENCRYPTED in PiHob.h Min Xu
2021-11-01 13:16 ` [PATCH V3 19/29] OvmfPkg: Enable Tdx in SecMain.c Min Xu
2021-11-01 13:16 ` [PATCH V3 20/29] OvmfPkg: Check Tdx in QemuFwCfgPei to avoid DMA operation Min Xu
2021-11-03 6:50 ` Gerd Hoffmann
2021-11-03 13:07 ` Min Xu
2021-11-03 13:35 ` Min Xu
2021-11-04 14:36 ` Brijesh Singh
2021-11-01 13:16 ` [PATCH V3 21/29] MdeModulePkg: EFER should not be changed in TDX Min Xu
2021-11-03 6:51 ` Gerd Hoffmann
2021-11-01 13:16 ` [PATCH V3 22/29] MdeModulePkg: Set shared bit in Mmio region for Tdx guest Min Xu
2021-11-03 6:57 ` Gerd Hoffmann
2021-11-04 7:03 ` [edk2-devel] " Min Xu
2021-11-01 13:16 ` [PATCH V3 23/29] UefiCpuPkg: Update AddressEncMask in CpuPageTable Min Xu
2021-11-03 7:00 ` Gerd Hoffmann
2021-11-22 3:09 ` [edk2-devel] " Ni, Ray
2021-12-07 3:50 ` Min Xu
2021-12-07 7:15 ` Gerd Hoffmann
2021-11-01 13:16 ` [PATCH V3 24/29] OvmfPkg: Update PlatformPei to support TDX Min Xu
2021-11-01 13:16 ` [PATCH V3 25/29] OvmfPkg: Update AcpiPlatformDxe to alter MADT table Min Xu
2021-11-01 13:16 ` [PATCH V3 26/29] OvmfPkg: Add TdxDxe driver Min Xu
2021-11-01 13:16 ` [PATCH V3 27/29] OvmfPkg/BaseMemEncryptTdxLib: Add TDX helper library Min Xu
2021-11-03 7:10 ` Gerd Hoffmann
2021-12-08 8:37 ` [edk2-devel] " Min Xu
2021-11-01 13:16 ` [PATCH V3 28/29] OvmfPkg/QemuFwCfgLib: Support Tdx in QemuFwCfgDxe Min Xu
2021-11-03 7:12 ` Gerd Hoffmann
2021-12-13 2:06 ` Min Xu
2021-11-01 13:16 ` [PATCH V3 29/29] OvmfPkg: Update IoMmuDxe to support TDX Min Xu
2021-11-03 7:17 ` Gerd Hoffmann
2021-12-13 2:39 ` [edk2-devel] " Min Xu
2021-12-13 6:42 ` Gerd Hoffmann
2021-12-13 7:33 ` Min Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1D6AF5B4-87BD-4773-A5C7-4779016A0673@intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox