public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
* [PATCH 1/2] SecurityPkg: make PcdOptionRomImageVerificationPolicy dynamic
@ 2017-10-05 18:48 Brijesh Singh
  2017-10-05 18:48 ` [PATCH 2/2] OvmfPkg/PlatformPei: DENY_EXECUTE_ON_SECURITY_VIOLATION when SEV is active Brijesh Singh
  0 siblings, 1 reply; 4+ messages in thread
From: Brijesh Singh @ 2017-10-05 18:48 UTC (permalink / raw)
  To: edk2-devel
  Cc: Brijesh Singh, Chao Zhang, Jordan Justen, Laszlo Ersek,
	Tom Lendacky

By default the image verification policy for option ROM images is 0x4
(DENY_EXECUTE_ON_SECURITY_VIOLATION) but the following OvmfPkg commit:

1fea9ddb4e3f OvmfPkg: execute option ROM images regardless of Secure Boot

set it to 0x0 (ALWAYS_EXECUTE). This is fine because typically option
ROMs comes from host-side and most of the time cloud provider (i.e
hypervisor) have full access over a guest anyway. But when secure boot
is enabled, we would like to deny the execution of option ROM when
SEV is active. Having a dynamic Pcd will give us flexibility to set the
security policy at the runtime.

Fixes: https://bugzilla.tianocore.org/show_bug.cgi?id=728
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
---
 SecurityPkg/SecurityPkg.dec | 24 ++++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index 01bff01ed50a..4e32d172d7d9 100644
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -230,18 +230,6 @@
 #
 
 [PcdsFixedAtBuild, PcdsPatchableInModule]
-  ## Image verification policy for OptionRom. Only following values are valid:<BR><BR>
-  #  NOTE: Do NOT use 0x5 and 0x2 since it violates the UEFI specification and has been removed.<BR>
-  #  0x00000000      Always trust the image.<BR>
-  #  0x00000001      Never trust the image.<BR>
-  #  0x00000002      Allow execution when there is security violation.<BR>
-  #  0x00000003      Defer execution when there is security violation.<BR>
-  #  0x00000004      Deny execution when there is security violation.<BR>
-  #  0x00000005      Query user when there is security violation.<BR>
-  # @Prompt Set policy for the image from OptionRom.
-  # @ValidRange 0x80000001 | 0x00000000 - 0x00000005
-  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04|UINT32|0x00000001
-
   ## Image verification policy for removable media which includes CD-ROM, Floppy, USB and network.
   #  Only following values are valid:<BR><BR>
   #  NOTE: Do NOT use 0x5 and 0x2 since it violates the UEFI specification and has been removed.<BR>
@@ -304,6 +292,18 @@
   gEfiSecurityPkgTokenSpaceGuid.PcdStatusCodeSubClassTpmDevice|0x010D0000|UINT32|0x00000007
 
 [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
+  ## Image verification policy for OptionRom. Only following values are valid:<BR><BR>
+  #  NOTE: Do NOT use 0x5 and 0x2 since it violates the UEFI specification and has been removed.<BR>
+  #  0x00000000      Always trust the image.<BR>
+  #  0x00000001      Never trust the image.<BR>
+  #  0x00000002      Allow execution when there is security violation.<BR>
+  #  0x00000003      Defer execution when there is security violation.<BR>
+  #  0x00000004      Deny execution when there is security violation.<BR>
+  #  0x00000005      Query user when there is security violation.<BR>
+  # @Prompt Set policy for the image from OptionRom.
+  # @ValidRange 0x80000001 | 0x00000000 - 0x00000005
+  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04|UINT32|0x00000001
+
   ## Indicates the presence or absence of the platform operator during firmware booting.
   #  If platform operator is not physical presence during boot. TPM will be locked and the TPM commands 
   #  that required operator physical presence can not run.<BR><BR>
-- 
2.9.5



^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [PATCH 2/2] OvmfPkg/PlatformPei: DENY_EXECUTE_ON_SECURITY_VIOLATION when SEV is active
  2017-10-05 18:48 [PATCH 1/2] SecurityPkg: make PcdOptionRomImageVerificationPolicy dynamic Brijesh Singh
@ 2017-10-05 18:48 ` Brijesh Singh
  2017-10-05 19:46   ` Laszlo Ersek
  0 siblings, 1 reply; 4+ messages in thread
From: Brijesh Singh @ 2017-10-05 18:48 UTC (permalink / raw)
  To: edk2-devel
  Cc: Brijesh Singh, Chao Zhang, Jordan Justen, Laszlo Ersek,
	Tom Lendacky

The following commit:

1fea9ddb4e3f OvmfPkg: execute option ROM images regardless of Secure Boot

sets the OptionRomImageVerificationPolicy to ALWAYS_EXECUTE the expansion
ROMs attached to the emulated PCI devices. A expansion ROM constitute
another channel through which a cloud provider (i.e hypervisor) can
inject a code in guest boot flow to compromise it.

When SEV is enabled, the bios code has been verified by the guest owner
via the SEV guest launch sequence before its executed. When secure boot,
is enabled, lets make sure that we do not allow guest bios to execute a
code which is not signed by the guest owner.

Fixes: https://bugzilla.tianocore.org/show_bug.cgi?id=728
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
---
 OvmfPkg/OvmfPkgIa32X64.dsc          | 9 +++++----
 OvmfPkg/OvmfPkgX64.dsc              | 9 +++++----
 OvmfPkg/PlatformPei/PlatformPei.inf | 2 ++
 OvmfPkg/PlatformPei/AmdSev.c        | 7 +++++++
 4 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 7f9220ccb90a..4bcbddb95768 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -489,10 +489,6 @@
   gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackSize|0x4000
 !endif
 
-!if $(SECURE_BOOT_ENABLE) == TRUE
-  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
-!endif
-
   # IRQs 5, 9, 10, 11 are level-triggered
   gPcAtChipsetPkgTokenSpaceGuid.Pcd8259LegacyModeEdgeLevel|0x0E20
 
@@ -552,6 +548,11 @@
   gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmApSyncTimeout|100000
 !endif
 
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
+!endif
+
+
 ################################################################################
 #
 # Components Section - list of all EDK II Modules needed by this Platform.
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 36c60fc19c40..e52a3bd4db9b 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -488,10 +488,6 @@
   gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackSize|0x4000
 !endif
 
-!if $(SECURE_BOOT_ENABLE) == TRUE
-  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
-!endif
-
   # IRQs 5, 9, 10, 11 are level-triggered
   gPcAtChipsetPkgTokenSpaceGuid.Pcd8259LegacyModeEdgeLevel|0x0E20
 
@@ -551,6 +547,11 @@
   gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmApSyncTimeout|100000
 !endif
 
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
+!endif
+
+
 ################################################################################
 #
 # Components Section - list of all EDK II Modules needed by this Platform.
diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf
index 16a8db7b0bd2..de7434d93dc0 100644
--- a/OvmfPkg/PlatformPei/PlatformPei.inf
+++ b/OvmfPkg/PlatformPei/PlatformPei.inf
@@ -41,6 +41,7 @@
   IntelFrameworkModulePkg/IntelFrameworkModulePkg.dec
   MdePkg/MdePkg.dec
   MdeModulePkg/MdeModulePkg.dec
+  SecurityPkg/SecurityPkg.dec
   UefiCpuPkg/UefiCpuPkg.dec
   OvmfPkg/OvmfPkg.dec
 
@@ -96,6 +97,7 @@
   gEfiMdeModulePkgTokenSpaceGuid.PcdPropertiesTableEnable
   gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable
   gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask
+  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy
   gUefiCpuPkgTokenSpaceGuid.PcdCpuLocalApicBaseAddress
   gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber
   gUefiCpuPkgTokenSpaceGuid.PcdCpuApInitTimeOutInMicroSeconds
diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c
index 26f7c3fdbb13..1539e5b5cdce 100644
--- a/OvmfPkg/PlatformPei/AmdSev.c
+++ b/OvmfPkg/PlatformPei/AmdSev.c
@@ -59,4 +59,11 @@ AmdSevInitialize (
   ASSERT_RETURN_ERROR (PcdStatus);
 
   DEBUG ((DEBUG_INFO, "SEV is enabled (mask 0x%lx)\n", EncryptionMask));
+
+  //
+  // Set Pcd to Deny the execution of option ROM when security
+  // violation.
+  //
+  PcdStatus = PcdSet32S (PcdOptionRomImageVerificationPolicy, 0x4);
+  ASSERT_RETURN_ERROR (PcdStatus);
 }
-- 
2.9.5



^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH 2/2] OvmfPkg/PlatformPei: DENY_EXECUTE_ON_SECURITY_VIOLATION when SEV is active
  2017-10-05 18:48 ` [PATCH 2/2] OvmfPkg/PlatformPei: DENY_EXECUTE_ON_SECURITY_VIOLATION when SEV is active Brijesh Singh
@ 2017-10-05 19:46   ` Laszlo Ersek
  2017-10-05 19:52     ` Brijesh Singh
  0 siblings, 1 reply; 4+ messages in thread
From: Laszlo Ersek @ 2017-10-05 19:46 UTC (permalink / raw)
  To: Brijesh Singh, edk2-devel; +Cc: Jordan Justen, Tom Lendacky, Chao Zhang

Hi Brijesh,

I've got three comments:

On 10/05/17 20:48, Brijesh Singh wrote:
> The following commit:
> 
> 1fea9ddb4e3f OvmfPkg: execute option ROM images regardless of Secure Boot
> 
> sets the OptionRomImageVerificationPolicy to ALWAYS_EXECUTE the expansion
> ROMs attached to the emulated PCI devices. A expansion ROM constitute
> another channel through which a cloud provider (i.e hypervisor) can
> inject a code in guest boot flow to compromise it.
> 
> When SEV is enabled, the bios code has been verified by the guest owner
> via the SEV guest launch sequence before its executed. When secure boot,
> is enabled, lets make sure that we do not allow guest bios to execute a
> code which is not signed by the guest owner.
> 
> Fixes: https://bugzilla.tianocore.org/show_bug.cgi?id=728
> Cc: Chao Zhang <chao.b.zhang@intel.com>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Tom Lendacky <thomas.lendacky@amd.com>
> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
> ---
>  OvmfPkg/OvmfPkgIa32X64.dsc          | 9 +++++----
>  OvmfPkg/OvmfPkgX64.dsc              | 9 +++++----
>  OvmfPkg/PlatformPei/PlatformPei.inf | 2 ++
>  OvmfPkg/PlatformPei/AmdSev.c        | 7 +++++++
>  4 files changed, 19 insertions(+), 8 deletions(-)
> 
> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
> index 7f9220ccb90a..4bcbddb95768 100644
> --- a/OvmfPkg/OvmfPkgIa32X64.dsc
> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
> @@ -489,10 +489,6 @@
>    gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackSize|0x4000
>  !endif
>  
> -!if $(SECURE_BOOT_ENABLE) == TRUE
> -  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
> -!endif
> -
>    # IRQs 5, 9, 10, 11 are level-triggered
>    gPcAtChipsetPkgTokenSpaceGuid.Pcd8259LegacyModeEdgeLevel|0x0E20
>  
> @@ -552,6 +548,11 @@
>    gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmApSyncTimeout|100000
>  !endif
>  
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> +  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
> +!endif
> +
> +
>  ################################################################################
>  #
>  # Components Section - list of all EDK II Modules needed by this Platform.

(1) It's hard to see what section of the DSC file the lines are moved
from, and to what section.

Git can be configured so that it display the section names in the diff
hunk header (following the "@@" marks). Please refer to the following:

https://github.com/tianocore/tianocore.github.io/wiki/Laszlo's-unkempt-git-guide-for-edk2-contributors-and-maintainers#contrib-05

https://github.com/tianocore/tianocore.github.io/wiki/Laszlo's-unkempt-git-guide-for-edk2-contributors-and-maintainers#contrib-09

In particular, see the "diff.ini.xfuncname" config option, and the
matching "diff=ini" attributes.

(This remark does not affect the patch, only how it is formatted.
Showing the DSC section names in the diff hunk headers helps quite a bit
with review.)


> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
> index 36c60fc19c40..e52a3bd4db9b 100644
> --- a/OvmfPkg/OvmfPkgX64.dsc
> +++ b/OvmfPkg/OvmfPkgX64.dsc
> @@ -488,10 +488,6 @@
>    gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackSize|0x4000
>  !endif
>  
> -!if $(SECURE_BOOT_ENABLE) == TRUE
> -  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
> -!endif
> -
>    # IRQs 5, 9, 10, 11 are level-triggered
>    gPcAtChipsetPkgTokenSpaceGuid.Pcd8259LegacyModeEdgeLevel|0x0E20
>  
> @@ -551,6 +547,11 @@
>    gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmApSyncTimeout|100000
>  !endif
>  
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> +  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
> +!endif
> +
> +
>  ################################################################################
>  #
>  # Components Section - list of all EDK II Modules needed by this Platform.

(2) Please apply the same code movement to "OvmfPkg/OvmfPkgIa32.dsc".

As written, the PcdSet32S() macro invocation in PlatformPei below will
not even compile for OvmfPkgIa32. Namely, the PCD will remain
fixed-at-build, and because of that, the replacement text of the
PcdSet32S() macro, i.e.

  _PCD_SET_MODE_32_S_##TokenName    ((Value))

from

  MdePkg/Include/Library/PcdLib.h

will not have any *further* replacement text, from "AutoGen.h".


> diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf
> index 16a8db7b0bd2..de7434d93dc0 100644
> --- a/OvmfPkg/PlatformPei/PlatformPei.inf
> +++ b/OvmfPkg/PlatformPei/PlatformPei.inf
> @@ -41,6 +41,7 @@
>    IntelFrameworkModulePkg/IntelFrameworkModulePkg.dec
>    MdePkg/MdePkg.dec
>    MdeModulePkg/MdeModulePkg.dec
> +  SecurityPkg/SecurityPkg.dec
>    UefiCpuPkg/UefiCpuPkg.dec
>    OvmfPkg/OvmfPkg.dec
>  
> @@ -96,6 +97,7 @@
>    gEfiMdeModulePkgTokenSpaceGuid.PcdPropertiesTableEnable
>    gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable
>    gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask
> +  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy
>    gUefiCpuPkgTokenSpaceGuid.PcdCpuLocalApicBaseAddress
>    gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber
>    gUefiCpuPkgTokenSpaceGuid.PcdCpuApInitTimeOutInMicroSeconds
> diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c
> index 26f7c3fdbb13..1539e5b5cdce 100644
> --- a/OvmfPkg/PlatformPei/AmdSev.c
> +++ b/OvmfPkg/PlatformPei/AmdSev.c
> @@ -59,4 +59,11 @@ AmdSevInitialize (
>    ASSERT_RETURN_ERROR (PcdStatus);
>  
>    DEBUG ((DEBUG_INFO, "SEV is enabled (mask 0x%lx)\n", EncryptionMask));
> +
> +  //
> +  // Set Pcd to Deny the execution of option ROM when security
> +  // violation.
> +  //
> +  PcdStatus = PcdSet32S (PcdOptionRomImageVerificationPolicy, 0x4);
> +  ASSERT_RETURN_ERROR (PcdStatus);
>  }
> 

(3) I find it sub-optimal that the

  DENY_EXECUTE_ON_SECURITY_VIOLATION

macro, from

  SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.h

is internal to that library instance, and isn't exposed in some library
class header.

Anyway, I guess we can't do much about it here, and at least
SecurityPkg.dec spells out the meanings of the values. So this hunk
looks fine to me.

Thanks!
Laszlo


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH 2/2] OvmfPkg/PlatformPei: DENY_EXECUTE_ON_SECURITY_VIOLATION when SEV is active
  2017-10-05 19:46   ` Laszlo Ersek
@ 2017-10-05 19:52     ` Brijesh Singh
  0 siblings, 0 replies; 4+ messages in thread
From: Brijesh Singh @ 2017-10-05 19:52 UTC (permalink / raw)
  To: Laszlo Ersek, edk2-devel
  Cc: brijesh.singh, Jordan Justen, Tom Lendacky, Chao Zhang

Hi Laszlo,

On 10/05/2017 02:46 PM, Laszlo Ersek wrote:

....>>   ################################################################################
>>   #
>>   # Components Section - list of all EDK II Modules needed by this Platform.
> 
> (1) It's hard to see what section of the DSC file the lines are moved
> from, and to what section.
> 
> Git can be configured so that it display the section names in the diff
> hunk header (following the "@@" marks). Please refer to the following:
> 
> https://github.com/tianocore/tianocore.github.io/wiki/Laszlo's-unkempt-git-guide-for-edk2-contributors-and-maintainers#contrib-05
> 
> https://github.com/tianocore/tianocore.github.io/wiki/Laszlo's-unkempt-git-guide-for-edk2-contributors-and-maintainers#contrib-09
> 
> In particular, see the "diff.ini.xfuncname" config option, and the
> matching "diff=ini" attributes.
> 
> (This remark does not affect the patch, only how it is formatted.
> Showing the DSC section names in the diff hunk headers helps quite a bit
> with review.)
> 

I recently changed by build box and I did carried over my previous gitconfig
setting so that it generate the correct formating per your week but I might
have missed something in the process. I will fix it. sorry about that.


> 
> 
> (2) Please apply the same code movement to "OvmfPkg/OvmfPkgIa32.dsc".
> 
> As written, the PcdSet32S() macro invocation in PlatformPei below will
> not even compile for OvmfPkgIa32. Namely, the PCD will remain
> fixed-at-build, and because of that, the replacement text of the
> PcdSet32S() macro, i.e.
> 
>    _PCD_SET_MODE_32_S_##TokenName    ((Value))
> 
> from
> 
>    MdePkg/Include/Library/PcdLib.h
> 
> will not have any *further* replacement text, from "AutoGen.h".
> 

Ah good catch. I will fix in v2.

>>
> 
> (3) I find it sub-optimal that the
> 
>    DENY_EXECUTE_ON_SECURITY_VIOLATION
> 
> macro, from
> 
>    SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.h
> 
> is internal to that library instance, and isn't exposed in some library
> class header.
> 

Yep, I had similar concern but as you said SecurityPkg.dec spells out
very well hence I did not bother to move the header file from internal
to somewhere its accessible by other modules.


> Anyway, I guess we can't do much about it here, and at least
> SecurityPkg.dec spells out the meanings of the values. So this hunk
> looks fine to me.
> 




^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2017-10-05 19:49 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-10-05 18:48 [PATCH 1/2] SecurityPkg: make PcdOptionRomImageVerificationPolicy dynamic Brijesh Singh
2017-10-05 18:48 ` [PATCH 2/2] OvmfPkg/PlatformPei: DENY_EXECUTE_ON_SECURITY_VIOLATION when SEV is active Brijesh Singh
2017-10-05 19:46   ` Laszlo Ersek
2017-10-05 19:52     ` Brijesh Singh

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox