From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=helo; client-ip=104.47.41.79; helo=nam03-dm3-obe.outbound.protection.outlook.com; envelope-from=brijesh.singh@amd.com; receiver=edk2-devel@lists.01.org Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-dm3nam03on0079.outbound.protection.outlook.com [104.47.41.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id C84DB21CF58CE for ; Thu, 5 Oct 2017 13:13:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amdcloud.onmicrosoft.com; s=selector1-amd-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Nk9SO8BUvw9zo5gV4kuMVWSHplZkSdkY7aj6f6vHrMI=; b=LE4IxCbeLk9T4Htn2ccRscE4GZoJHhDWMLYedsqVA5jWG3qL/kzVQvmio0z9SsiPVABG8db/dLH1AgImff/s39qsVizUXppdbO4+ApH3hmkhye6fDVNeg4zOtlFx041lkSMUYxIpxueaWqNXWB/cwPPdbmX+h9Xx9CF03nq+eeI= Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=brijesh.singh@amd.com; Received: from ubuntu-010236106000.amd.com (165.204.78.1) by CY1PR12MB0150.namprd12.prod.outlook.com (10.161.173.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.77.7; Thu, 5 Oct 2017 20:16:53 +0000 From: Brijesh Singh To: edk2-devel@lists.01.org Cc: Brijesh Singh , Chao Zhang , Jordan Justen , Laszlo Ersek , Tom Lendacky Date: Thu, 5 Oct 2017 15:16:41 -0500 Message-Id: <20171005201642.122619-1-brijesh.singh@amd.com> X-Mailer: git-send-email 2.9.5 MIME-Version: 1.0 X-Originating-IP: [165.204.78.1] X-ClientProxiedBy: MWHPR21CA0065.namprd21.prod.outlook.com (10.172.93.155) To CY1PR12MB0150.namprd12.prod.outlook.com (10.161.173.20) X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 0c229f9f-d2e7-4662-d471-08d50c2e056a X-MS-Office365-Filtering-HT: Tenant X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254152)(48565401081)(2017052603199)(201703131423075)(201703031133081)(201702281549075); SRVR:CY1PR12MB0150; X-Microsoft-Exchange-Diagnostics: 1; CY1PR12MB0150; 3:fT0/4QQYlME7iLzr6Jsb1btjOc+uhbUA9ro6hDUBZ9M5zImQ79XOofsm6yEJXjWGv2pzbNZ6WqX7t78Ta+imeD/Cp4svksbbe7lsRDDFGMWduKhQORNuKjjA9WNMCDG6rhob7qWldqZNDwSA1/NllEV7DkxUFJhuZxIiX017pmdEm2AkENQBUoFF9ZU91p7tPMw2LpQaVbvgAYbYm5qXOMyt/KrO7Ri+XZq48R1BGMuFDApgXr7rtfYZ/S98nAqX; 25:DEfdaKF+mpilsi6rhVJmCLhYRDLmfSRve/MXk2fBW/OnsA9EZyHwTQxTkznIYsB8r8CEE+oIv3flTE+9ccKZuG13ltMqdlsdYaWL3HATMgJMwh1VdDvVJIuQL2w2uzh/5hwI/7T8fzJHRKXPTcdqLSwnce/sLEug2zL7Gy1dww8bhr4sjhRXXnCFAZ70Z4/xlaUMSZmLcg1ypPPmfAsKB0rJgRZCQzxH/GTjtF+07t8LMzBI1JS6ZVOoq0bsXiZ2g/NodkQkmeuA84rURRQpGuQxsvGxiApDwdStkZ/qS7Uyjf3XAgvGpG2g7WieVRrBozmJ71wde2Mr2V3Ri736BQ==; 31:nxkERMlkDE8yiKaQEjLC/PXRojp7HEGYnRLZpSx78n1tTyA1wv7HqojNnJ3rPzRAickwCl6rBHsEesJlIyEJtExirEl9Iav9YFMs+W7XpY1Ibtv371ak1oLmeffo87d1R8s5/dN6u0ztOhSYnhnZYykin3vk0RGB1V275lWiuAQiiNEIJNMx7UZwv/uxd1Da6wosWiJNhwjJ7nAVtDrh6J9YMp7lrt5OJOSnY4nQ0v4= X-MS-TrafficTypeDiagnostic: CY1PR12MB0150: X-Microsoft-Exchange-Diagnostics: 1; CY1PR12MB0150; 20:u9KUn/x0gA3IXyldDog2xoFPXvLaIh7X0CsPU9393BpsQMfTVgi9VcccoBxEdZoxoKj+46LKtZt/CvYh8GEURGzavCvvOBhq3w2AydENJeQpMLpxJKkJ00rWmsdY0ifJI63nNMiQkjzJaaL7V1isKohwbOTtrx0HNMa5HWll8GMNz4FYxpCu0YiWSJ5A2foFc94fw8AZbupHu4vnNhLvy7/w3qRxrXtzs/5zNtPbGm/RsWg/pM9Dw0MOCV9nCQAonCANP2eD4tCrcTkLkYdQ1Mh2jreL0oNeMqfvfucKyWsRDelrGGHQKFQz5RB0HAfOhiKsljsO5oHRgyWDjo2ZVOnnTE4AkdZcqQatDobGM5WMGMZzBGsmwSWaI7ZL/5TGQb6PZfWdNzCLOBzhmWDhF9/yYHKhsVmuy18gnJQOXGOLIurdvxwp21PyPJTEhL1d67wchC8+zHpGiU7K9evFHubWr7siUwtTcED14NGc9el+atRHdaN+wW4wxSQiKVna; 4:hARTNoh1VGkUvAHvsjgA+LeYWR9+aPzK5bFNambW6R1deSs2oY9UsxXpUupOTSTNDrxwmWFKe0xg1oVySPbUsD+JAFc2MTtjerygm1lH7Q/+q7cRYwAqkROPryTl+k0p+b+csdp+a9loVu8E90PKWgJQLA/znFrgWnZ/+NTKoY1viO9bxeMpVQpe25osKjx4DuHTp/T3f1qpwzFctvRRklcL26WqIIkI81V5cfxf8FrPNlHpeLYcrm7GK/tAcp/FMm5P5zXFl4CWqcCiAh/wrURE1BuJSLQNWgJhBybsGya1UOFCCNxJCj97i98kVroixA3Xcw/xBfAqMxW/YADS8kJPZDcE5tzNA2DqwT6Vrd8= X-Exchange-Antispam-Report-Test: UriScan:(192374486261705)(767451399110)(228905959029699); X-Microsoft-Antispam-PRVS: X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(2401047)(8121501046)(5005006)(93006095)(93001095)(10201501046)(3002001)(100000703101)(100105400095)(6055026)(6041248)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123555025)(20161123564025)(20161123560025)(20161123562025)(20161123558100)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:CY1PR12MB0150; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:CY1PR12MB0150; X-Forefront-PRVS: 04519BA941 X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10009020)(6009001)(376002)(346002)(39860400002)(15404003)(199003)(189002)(97736004)(81156014)(50226002)(6666003)(86362001)(106356001)(105586002)(3846002)(6116002)(33646002)(7736002)(50986999)(8936002)(189998001)(81166006)(6916009)(68736007)(8676002)(101416001)(966005)(1076002)(305945005)(53936002)(5003940100001)(48376002)(15650500001)(50466002)(2906002)(316002)(66066001)(2361001)(53416004)(54906003)(47776003)(5660300001)(16586007)(36756003)(4326008)(6486002)(6306002)(16526018)(478600001)(2351001)(25786009)(213903007)(14943795004); DIR:OUT; SFP:1101; SCL:1; SRVR:CY1PR12MB0150; H:ubuntu-010236106000.amd.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en; Received-SPF: None (protection.outlook.com: amd.com does not designate permitted sender hosts) X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1; CY1PR12MB0150; 23:qde4HfxPDbs4CQWy2Ge92gKr/ZEUIBQdtk/HkAm/L?= =?us-ascii?Q?hSc69Alh68B0ar+3ZpYFh+R63LlxC/cXxqO8N5cEc31Yf5IssiGZd5ioz0NO?= =?us-ascii?Q?iyEGpG0x/5p9Du/ts07AqNkK3LUABq0ql27pNI2E/8ZOooR7QKyMG5JpFaDx?= =?us-ascii?Q?M43a/o3mvhjW9mFs11KsZixfGhgHRPQmFR1NVy6r/CKDZgG6LzMIawXeamIo?= =?us-ascii?Q?YI0fkZKNjraTJYaCad1Ed9mQRvuY9MGM+XteaLWa1gI5/OVcMHy1nddxWdZ6?= =?us-ascii?Q?YR6sDaSTj13uAspeSSgMmfSOWwbQOiL82lZ3PDMAKBBuki3VyJZrTzNvG7gd?= =?us-ascii?Q?NYlYQZXD5SU8GJE3zygXWqUZKEaZT0HbaR8fCGCWA4rdrUA79eOu6om+toOb?= =?us-ascii?Q?kP17eC14zF1TrtDJnI4IXbVyq3pp1iZ2obGYQSg7TnyhwhGYTRjQ9RP4qHja?= =?us-ascii?Q?LQv3Ai+JDsOMyeZ3wyARo+mHNeouw78x4H6a/NoCj+v9itCBzM0JbuxnRBFf?= =?us-ascii?Q?gNgp18KWnhdxHKiaXwojNJnBbNwblhtTze+E5d1lT7od2D21UK/G6y/DQiKr?= =?us-ascii?Q?0DihEd82ySVMMwMTqT0LeUgnes0uwBhPcCYxDDZEfRpWl1dzqOp01PbuicSW?= =?us-ascii?Q?8XmpuDemT2vPg/dKBa9A3QDXEKpZirK91fI4VkQpBdCBUy8cvftKxKOa5AxG?= =?us-ascii?Q?VlQR1NYhr5BXeOpK0zLZQVfPJhLAvxfITPMdhViI9PJWW6u3m32K9TJ9sbf4?= =?us-ascii?Q?tcW59tUFa7pgnQwSNm0NW/Z5tyJys1wPDQgPcq1d9V/CT+H3xUsWZB7WyMJF?= =?us-ascii?Q?ebGO7xsWApd5INOjHeVWq7m0Ux68v4OeBbBXdlmNpfw+FFaDtuUxI3SCVqDi?= =?us-ascii?Q?byAucI6mmoW0QMwOH4HhcXLeqx3VS8WpGitctbZXve5SSQ6oVLlf18i59bBZ?= =?us-ascii?Q?Rny24I9JtW7VW5RYLU/Q68mDDGTljVOzdA5LhDNYNq4P0RAWKE8er3/Mkr9Q?= =?us-ascii?Q?Tasu1bK1JVUTMSk1qs2MJuYUiLMsHivEAINhJtBFLQ3gprHOMNAfJJG+7qRO?= =?us-ascii?Q?3rBVOj/8hGV55X06rqAysUMZBMvyhj4MdOhJrrfT0vgaWSJQB+v3oUgY15UP?= =?us-ascii?Q?55I7/4pvptSfAiQ7IJ0UzEu2z3ucGKQtP0gnrpnYbCxxkmEM9ALHc9QzsWyX?= =?us-ascii?Q?pzv1cdJ48qYSvnKRVa1tZo8767uDocIa4ubYLS2a+Y6abs+T16Q1kS3lw=3D?= =?us-ascii?Q?=3D?= X-Microsoft-Exchange-Diagnostics: 1; CY1PR12MB0150; 6:Bv3N7X2eQ7iUO/Wjpa6DKFvBqfe1suyEctvx27IhDxZv0j+xMDQjYuq8zRgC1WXREH6Sd77AftIPncjq1ncr0JRuIA21jDwfLqGlHPUr1f4RJpLvJk7yJsSPMaE5/OvadXtGeHE7llzvggpMJW+abi8pL3FfE908A2MRcbJSV2tP3YPpu8gkeZuCesTV9mkFAYWSPjrSUUR3gVMmfNA0ZRjiJnftp3ZE3m9Q3UOVSAtxUl7sfujx1iMsqtMkV0f2vm/yN49HGYHD3usencnyYWMeSDH6h0Y1H1YTfjWmaVSmtmBEug4jmo6ePzMolCS/RVqpXv90Qmvg9wZcMwofjw==; 5:XbHt5pITwjzxaH+LzSTnBl5YedLliicVXWoE/woxv8vJqTSoRDe/NmeR4p0tjxmGKSkVPUtbJyi0AAOS6fslgl8yETam8myb0ZX4//LZ2qt8k7M1oJk0UI/xBpTITsnX+bkmP1Katk1I/scQrp1dmw==; 24:jwnUpjsFraVsdsrlyWy8xrL+8Q5K/ZRpa709lU6ONtTS6nSnVKy+eP0Cpf7WifgT9aJqnVVsQCch+dYU3Z2q1g17J45DtDkQy6YELL59rl8=; 7:UHhzq84pJ+hb25AeH9rP9S/80kLT1JgbrvjWC9bOg8jw8U3Nk3NnZR8T+NN5xRnoj7369DUZHameWaxnP4VFUqXZMAbRvL8I3305wBv02adkExwgndJiMaxnMNwRg3xQkyFIGX2DN639Icm4hWFoMdSbOyGVIioxy14IR0Jp3F272KhcjexqdnUXNIP3Ifnhtbo7HHgzOCkXkL1IlTXROjTiK4EluVqRIupCB2BCq9g= SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-Microsoft-Exchange-Diagnostics: 1; CY1PR12MB0150; 20:ksO8DdHBqijyY2vViSyoIt+DPJdriieyQSCXBaLSLo2xbJyHn+7AtZIdnbcKNZ9VL1E0hHd+DTGh4zdumwjma6fpAuFBrMhZ4+dX8O3HKkuv7poZIybsItXcwNuuIQPIXN38+hYzqp2/5TAojkit4Iln2adoj9z5Gx5/KhlClWB3F1iFyUCKCKTs26cx5uzgarX674m0lNGVbevokq81ZYeeXHVBFwUOZSMERNuLl5zhHd+RGHsXEFGaqzuuMD/4 X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 05 Oct 2017 20:16:53.4365 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR12MB0150 Subject: [PATCH v2 1/2] SecurityPkg: make PcdOptionRomImageVerificationPolicy dynamic X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Oct 2017 20:13:34 -0000 Content-Type: text/plain By default the image verification policy for option ROM images is 0x4 (DENY_EXECUTE_ON_SECURITY_VIOLATION) but the following OvmfPkg commit: 1fea9ddb4e3f OvmfPkg: execute option ROM images regardless of Secure Boot set it to 0x0 (ALWAYS_EXECUTE). This is fine because typically option ROMs comes from host-side and most of the time cloud provider (i.e hypervisor) have full access over a guest anyway. But when secure boot is enabled, we would like to deny the execution of option ROM when SEV is active. Having dynamic Pcd will give us flexibility to set the security policy at the runtime. Fixes: https://bugzilla.tianocore.org/show_bug.cgi?id=728 Cc: Chao Zhang Cc: Jordan Justen Cc: Laszlo Ersek Cc: Tom Lendacky Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Brijesh Singh --- Changes since v1: * Add Contributed-under tag SecurityPkg/SecurityPkg.dec | 24 ++++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index 01bff01ed50a..4e32d172d7d9 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -230,18 +230,6 @@ [Ppis] # [PcdsFixedAtBuild, PcdsPatchableInModule] - ## Image verification policy for OptionRom. Only following values are valid:

- # NOTE: Do NOT use 0x5 and 0x2 since it violates the UEFI specification and has been removed.
- # 0x00000000 Always trust the image.
- # 0x00000001 Never trust the image.
- # 0x00000002 Allow execution when there is security violation.
- # 0x00000003 Defer execution when there is security violation.
- # 0x00000004 Deny execution when there is security violation.
- # 0x00000005 Query user when there is security violation.
- # @Prompt Set policy for the image from OptionRom. - # @ValidRange 0x80000001 | 0x00000000 - 0x00000005 - gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04|UINT32|0x00000001 - ## Image verification policy for removable media which includes CD-ROM, Floppy, USB and network. # Only following values are valid:

# NOTE: Do NOT use 0x5 and 0x2 since it violates the UEFI specification and has been removed.
@@ -304,6 +292,18 @@ [PcdsFixedAtBuild, PcdsPatchableInModule] gEfiSecurityPkgTokenSpaceGuid.PcdStatusCodeSubClassTpmDevice|0x010D0000|UINT32|0x00000007 [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx] + ## Image verification policy for OptionRom. Only following values are valid:

+ # NOTE: Do NOT use 0x5 and 0x2 since it violates the UEFI specification and has been removed.
+ # 0x00000000 Always trust the image.
+ # 0x00000001 Never trust the image.
+ # 0x00000002 Allow execution when there is security violation.
+ # 0x00000003 Defer execution when there is security violation.
+ # 0x00000004 Deny execution when there is security violation.
+ # 0x00000005 Query user when there is security violation.
+ # @Prompt Set policy for the image from OptionRom. + # @ValidRange 0x80000001 | 0x00000000 - 0x00000005 + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04|UINT32|0x00000001 + ## Indicates the presence or absence of the platform operator during firmware booting. # If platform operator is not physical presence during boot. TPM will be locked and the TPM commands # that required operator physical presence can not run.

-- 2.9.5