public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "jejb@linux.ibm.com" <jejb@linux.ibm.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>,
	"Xu, Min M" <min.m.xu@intel.com>,
	"devel@edk2.groups.io" <devel@edk2.groups.io>,
	Ard Biesheuvel <ardb+tianocore@kernel.org>,
	"Justen, Jordan L" <jordan.l.justen@intel.com>,
	Brijesh Singh <brijesh.singh@amd.com>,
	Erdem Aktas <erdemaktas@google.com>,
	Tom Lendacky <thomas.lendacky@amd.com>
Subject: Re: [PATCH V3 15/29] OvmfPkg: Update SecEntry.nasm to support Tdx
Date: Tue, 23 Nov 2021 14:36:47 +0000	[thread overview]
Message-ID: <1D6AF5B4-87BD-4773-A5C7-4779016A0673@intel.com> (raw)
In-Reply-To: <a993c0c660ab6b61075093ece8225fbd7c3d24e8.camel@linux.ibm.com>

> This strict isolation between DXE and PEI means that once we're in DXE,
> any bugs in PEI can't be exploited to attack the DXE environment.  

[jiewen] I would disagree the statement above. 
There is not strict isolation. Actually no isolation at all.
The DXE is loaded by PEI. 
A bug in PEI has global impact and it can definitely be used to attack the DXE.

thank you!
Yao, Jiewen


> 在 2021年11月23日,下午10:27,James Bottomley <jejb@linux.ibm.com> 写道:
> 
> On Tue, 2021-11-23 at 13:07 +0000, Yao, Jiewen wrote:
>> Comment below only:
>> 
>>> I am persuaded to let config-a adopt the OVMF way, because the
>>> threat model of config-A is same as the normal OVMF.
>>> But config-B is NOT.
>>> Different threat model drives different solution.
>>> I completely don't understand why they must be same.
>> 
>> I don't understand why you want separate them.  Improving OvmfPkg
>> security is good for both OVMF and TDVF.  For TDVF it is clearly much
>> more important due to the different threat model, but it is good for
>> OVMF too.  Likewise edk2 in general.
>> 
>> [Jiewen] My answer is very clear as I mentioned multiple times.
>> The threat model is different.
>> IMHO, talking about "Improving OvmfPkg security" without a clear
>> threat model is *meaningless*.
>> All mitigation must be based upon threat mode and security objective.
>> Otherwise, what you are doing might be either unnecessary or
>> insufficient.
> 
> Can we take a step back and look at the bigger picture.  The way EFI is
> supposed to operate, according to the architecture model:
> 
> https://uefi.org/sites/default/files/resources/PI_Spec_1_7_final_Jan_2019.pdf
> (Figure 1 and Table 4)
> 
> is that SEC is supposed to be as small and compact as possible, so it
> could be ROM installed without worrying about upgrade issues.  It's job
> is only to get the CPU initialized to the point it can run PEI, measure
> PEI and transfer control.  Security depends on the smallness of SEC
> because if it's rom installed (as a root of trust ought to be) it can't
> be upgraded to fix a bug.
> 
> PEI is supposed to initialize the hardware: set up the CPU, memory
> Application Processors and board configuration so we're in a known
> state with described features for DXE.  It then measures DXE (only if
> SEC didn't measure it) and hands off to DXE.  PEI code is designed not
> to interact with anything except setup to minimize external
> exploitation of internal bugs.
> 
> DXE is supposed to contain only runtime code, including device drivers.
> 
> The security point here is that the job of PEI is over as soon as it
> hands off to DXE, so at that point all the PEI code could be discarded
> (it usually isn't, but it could be).
> 
> This strict isolation between DXE and PEI means that once we're in DXE,
> any bugs in PEI can't be exploited to attack the DXE environment.  This
> allows us to minimize DXE which is where most of the main risk of
> configuration based exploitation is.
> 
> In this security model, you increase security by moving as much code as
> you can from DXE to PEI because the true attack surface is DXE.
> 
> To a lot of us, cutting out PEI, which requires redistributing code
> into DXE sounds like an increase not a reduction in the attack surface
> of the code.  You can argue that OVMF doesn't obey the model above and
> has a lot of initialization code in DXE anyway, but then the correct
> route would be to fix our PEI/DXE separation to recover the security
> properties.
> 
>>> If you force me to add PEI to config-B. Finally, that causes TDVF
>>> config-B is compromised due to an issue in PEI.
>>> Who will take the responsibility?  Will you or RedHat take that?
>> 
>> Bugs happen.  There could also be bugs in the additional SEC code you
>> need for platform setup in a non-PEI configuration ...
>> 
>> [Jiewen] I agree. That is why we need smaller code.
>> We can just focus on review that small portion of code what we have
>> written for TDVF, instead of the whole PEI.
>> We have process to review and maintain the extra TDVF code.
> 
> This depends ... if you agree with the security model outlined above,
> bugs in PEI are less of a problem because they can't be exploited.  Or
> do you not agree with this security model?
> 
> Security isn't about total bug elimination, it's about exploit
> elimination.  You fix a security vulnerability either by fixing the bug
> that can be exploited or removing the ability to exploit it.  This is
> the reason for technologies like NX ... they don't stop people
> exploiting bugs to write code to the stack, but they do mean that once
> you have the code on the stack you can no-longer execute it and the
> attackers have to move on to other means of gaining control.
> 
> The great thing about exploit elimination vs bug elimination is the
> former can usually be done on a whole class of bugs and the latter
> requires a whack-a-mole per bug type approach.
> 
> James
> 
> 

  reply	other threads:[~2021-11-23 14:36 UTC|newest]

Thread overview: 107+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-11-01 13:15 [PATCH V3 00/29] Enable Intel TDX in OvmfPkg (Config-A) Min Xu
2021-11-01 13:15 ` [PATCH V3 01/29] MdePkg: Add Tdx.h Min Xu
2021-11-01 13:15 ` [PATCH V3 02/29] MdePkg: Add TdxLib to wrap Tdx operations Min Xu
2021-11-02 14:06   ` Gerd Hoffmann
2021-11-10  4:58     ` [edk2-devel] " Min Xu
2021-11-10 10:38   ` Erdem Aktas
2021-11-12  2:38     ` Min Xu
2021-11-12  2:42       ` Yao, Jiewen
2021-11-12  5:29         ` Min Xu
2021-11-12  5:33           ` Yao, Jiewen
2021-11-01 13:15 ` [PATCH V3 03/29] UefiCpuPkg: Extend VmgExitLibNull to handle #VE exception Min Xu
2021-11-02 14:11   ` Gerd Hoffmann
2021-11-01 13:15 ` [PATCH V3 04/29] OvmfPkg: Extend VmgExitLib " Min Xu
2021-11-02 14:23   ` Gerd Hoffmann
2021-11-10  6:46     ` Min Xu
2021-11-17  0:32   ` Erdem Aktas
2021-11-01 13:15 ` [PATCH V3 05/29] UefiCpuPkg/CpuExceptionHandler: Add base support for the " Min Xu
2021-11-02 14:24   ` Gerd Hoffmann
2021-11-01 13:15 ` [PATCH V3 06/29] MdePkg: Add helper functions for Tdx guest in BaseIoLibIntrinsic Min Xu
2021-11-01 13:15 ` [PATCH V3 07/29] MdePkg: Support mmio " Min Xu
2021-11-01 13:15 ` [PATCH V3 08/29] MdePkg: Support IoFifo " Min Xu
2021-11-01 13:15 ` [PATCH V3 09/29] MdePkg: Support IoRead/IoWrite " Min Xu
2021-11-01 13:15 ` [PATCH V3 10/29] UefiPayloadPkg: PreparePrepare UefiPayloadPkg to use TdxLib Min Xu
2021-11-01 15:31   ` Guo Dong
2021-11-01 15:58   ` Ma, Maurice
2021-11-02  0:07     ` Min Xu
2021-11-02 14:32   ` Gerd Hoffmann
2021-11-01 13:16 ` [PATCH V3 11/29] UefiCpuPkg: Support TDX in BaseXApicX2ApicLib Min Xu
2021-11-02 14:33   ` Gerd Hoffmann
2021-11-01 13:16 ` [PATCH V3 12/29] UefiCpuPkg: Define ConfidentialComputingGuestAttr Min Xu
2021-11-02 14:36   ` Gerd Hoffmann
2021-11-03  8:32     ` [edk2-devel] " Min Xu
2021-11-01 13:16 ` [PATCH V3 13/29] MdePkg: Add macro to check SEV/TDX guest Min Xu
2021-11-02 14:36   ` Gerd Hoffmann
2021-11-01 13:16 ` [PATCH V3 14/29] UefiCpuPkg: Enable Tdx support in MpInitLib Min Xu
2021-11-03  6:09   ` Gerd Hoffmann
2021-11-03 12:57     ` Min Xu
2021-11-04  8:10       ` Gerd Hoffmann
2021-11-04 15:21         ` Lendacky, Thomas
2021-11-04 23:24           ` Min Xu
2021-11-05  6:46             ` [edk2-devel] " Gerd Hoffmann
2021-11-05  6:53               ` Min Xu
2021-11-09  2:44               ` Min Xu
2021-11-01 13:16 ` [PATCH V3 15/29] OvmfPkg: Update SecEntry.nasm to support Tdx Min Xu
2021-11-03  6:30   ` Gerd Hoffmann
2021-11-16 12:11     ` Min Xu
2021-11-17 15:19       ` Gerd Hoffmann
2021-11-18  9:59         ` Yao, Jiewen
2021-11-19 15:11           ` Gerd Hoffmann
2021-11-20  3:18             ` Yao, Jiewen
2021-11-23 12:38               ` Gerd Hoffmann
2021-11-23 13:07                 ` Yao, Jiewen
2021-11-23 14:26                   ` James Bottomley
2021-11-23 14:36                     ` Yao, Jiewen [this message]
2021-11-23 14:51                       ` James Bottomley
2021-11-23 15:10                         ` Yao, Jiewen
2021-11-23 15:37                           ` [edk2-devel] " James Bottomley
2021-11-24  3:15                             ` Yao, Jiewen
2021-11-24  8:12                               ` Gerd Hoffmann
2021-11-24 11:08                                 ` Yao, Jiewen
2021-11-24 13:35                                   ` James Bottomley
2021-11-24 14:03                                     ` Yao, Jiewen
2021-11-24 14:07                                       ` James Bottomley
2021-11-24 14:59                                         ` Yao, Jiewen
2021-11-25  8:32                                           ` Gerd Hoffmann
2021-11-26  6:29                                             ` Yao, Jiewen
2021-12-01 13:55                                               ` Gerd Hoffmann
2021-12-02 13:22                                                 ` Yao, Jiewen
2021-12-06 14:57                                                   ` Gerd Hoffmann
2021-12-07  2:28                                                     ` Yao, Jiewen
2021-12-07  8:04                                                       ` Gerd Hoffmann
2021-12-08  5:13                                                         ` Min Xu
     [not found]                                         ` <16BA8381113E7B1B.22735@groups.io>
2021-11-24 15:30                                           ` Yao, Jiewen
     [not found]                             ` <16BA5D1709524394.9880@groups.io>
2021-11-24  3:21                               ` Yao, Jiewen
2021-11-01 13:16 ` [PATCH V3 16/29] OvmfPkg: Add IntelTdx.h in OvmfPkg/Include/IndustryStandard Min Xu
2021-11-01 13:16 ` [PATCH V3 17/29] OvmfPkg: Add TdxMailboxLib Min Xu
2021-11-01 13:16 ` [PATCH V3 18/29] MdePkg: Add EFI_RESOURCE_ATTRIBUTE_ENCRYPTED in PiHob.h Min Xu
2021-11-01 13:16 ` [PATCH V3 19/29] OvmfPkg: Enable Tdx in SecMain.c Min Xu
2021-11-01 13:16 ` [PATCH V3 20/29] OvmfPkg: Check Tdx in QemuFwCfgPei to avoid DMA operation Min Xu
2021-11-03  6:50   ` Gerd Hoffmann
2021-11-03 13:07     ` Min Xu
2021-11-03 13:35     ` Min Xu
2021-11-04 14:36       ` Brijesh Singh
2021-11-01 13:16 ` [PATCH V3 21/29] MdeModulePkg: EFER should not be changed in TDX Min Xu
2021-11-03  6:51   ` Gerd Hoffmann
2021-11-01 13:16 ` [PATCH V3 22/29] MdeModulePkg: Set shared bit in Mmio region for Tdx guest Min Xu
2021-11-03  6:57   ` Gerd Hoffmann
2021-11-04  7:03     ` [edk2-devel] " Min Xu
2021-11-01 13:16 ` [PATCH V3 23/29] UefiCpuPkg: Update AddressEncMask in CpuPageTable Min Xu
2021-11-03  7:00   ` Gerd Hoffmann
2021-11-22  3:09     ` [edk2-devel] " Ni, Ray
2021-12-07  3:50       ` Min Xu
2021-12-07  7:15         ` Gerd Hoffmann
2021-11-01 13:16 ` [PATCH V3 24/29] OvmfPkg: Update PlatformPei to support TDX Min Xu
2021-11-01 13:16 ` [PATCH V3 25/29] OvmfPkg: Update AcpiPlatformDxe to alter MADT table Min Xu
2021-11-01 13:16 ` [PATCH V3 26/29] OvmfPkg: Add TdxDxe driver Min Xu
2021-11-01 13:16 ` [PATCH V3 27/29] OvmfPkg/BaseMemEncryptTdxLib: Add TDX helper library Min Xu
2021-11-03  7:10   ` Gerd Hoffmann
2021-12-08  8:37     ` [edk2-devel] " Min Xu
2021-11-01 13:16 ` [PATCH V3 28/29] OvmfPkg/QemuFwCfgLib: Support Tdx in QemuFwCfgDxe Min Xu
2021-11-03  7:12   ` Gerd Hoffmann
2021-12-13  2:06     ` Min Xu
2021-11-01 13:16 ` [PATCH V3 29/29] OvmfPkg: Update IoMmuDxe to support TDX Min Xu
2021-11-03  7:17   ` Gerd Hoffmann
2021-12-13  2:39     ` [edk2-devel] " Min Xu
2021-12-13  6:42       ` Gerd Hoffmann
2021-12-13  7:33         ` Min Xu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1D6AF5B4-87BD-4773-A5C7-4779016A0673@intel.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox