From: "Dov Murik" <dovmurik@linux.ibm.com>
To: devel@edk2.groups.io
Cc: Dov Murik <dovmurik@linux.ibm.com>,
Ard Biesheuvel <ardb+tianocore@kernel.org>,
Jordan Justen <jordan.l.justen@intel.com>,
Gerd Hoffmann <kraxel@redhat.com>,
Brijesh Singh <brijesh.singh@amd.com>,
Erdem Aktas <erdemaktas@google.com>,
James Bottomley <jejb@linux.ibm.com>,
Jiewen Yao <jiewen.yao@intel.com>, Min Xu <min.m.xu@intel.com>,
Tom Lendacky <thomas.lendacky@amd.com>,
Tobin Feldman-Fitzthum <tobin@linux.ibm.com>
Subject: [PATCH] OvmfPkg/AmdSev: Erase secret area content on ExitBootServices
Date: Tue, 2 Nov 2021 08:25:06 +0000
Message-ID: <20211102082506.366921-1-dovmurik@linux.ibm.com>
The confidential computing secrets area is marked as EfiBootServicesData
region, which means it is released for the OS use when the OS EFI stub
calls ExitBootServices. However, its content is not erased, and
therefore the OS might unintentionally reuse this sensitive memory area
and expose the injected secrets.
Erase the content of the secret area on ExitBootServices so that the
memory released to the OS contains zeros. If the OS needs to keep the
secrets for its own use, it must copy the secrets area to another memory
area before calling ExitBootServices (for example in efi/libstub in
Linux).
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Tobin Feldman-Fitzthum <tobin@linux.ibm.com>
Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
---
Code is in: https://github.com/confidential-containers-demo/edk2/tree/erase-secret-area
---
OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf | 2 +
OvmfPkg/AmdSev/SecretDxe/SecretDxe.c | 47 ++++++++++++++++++--
2 files changed, 45 insertions(+), 4 deletions(-)
diff --git a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf
index 40bda7ff846c..ff831afaeb66 100644
--- a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf
+++ b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf
@@ -23,6 +23,8 @@ [Packages]
MdePkg/MdePkg.dec
[LibraryClasses]
+ BaseMemoryLib
+ DebugLib
UefiBootServicesTableLib
UefiDriverEntryPoint
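Review bot: the two added library classes match exactly what the .c side now needs (ZeroMem from BaseMemoryLib, ASSERT from DebugLib) and keep the [LibraryClasses] list alphabetical; no further change needed in this hunk.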
diff --git a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c
index 934ad207632b..085759f0e523 100644
--- a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c
+++ b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c
@@ -5,6 +5,8 @@
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include <PiDxe.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
#include <Library/UefiBootServicesTableLib.h>
#include <Guid/ConfidentialComputingSecret.h>
@@ -13,6 +15,35 @@ STATIC CONFIDENTIAL_COMPUTING_SECRET_LOCATION mSecretDxeTable = {
FixedPcdGet32 (PcdSevLaunchSecretSize),
};
+STATIC EFI_EVENT mSecretDxeExitBootEvent;
+
+/**
+ ExitBootServices event notification function for the secret table.
+
+ This function erases the content of the secret area so the secrets don't leak
+ via released BootServices memory. If the OS wants to keep the secrets for
+ its own use, it must copy the secrets area to another memory area before
+ calling ExitBootServices (for example in efi/libstub in Linux).
+
+ @param[in] Event The ExitBoot event that has been signaled.
+
+ @param[in] Context Unused.
+**/
+STATIC
+VOID
+EFIAPI
+SecretDxeExitBoot (
+ IN EFI_EVENT Event,
+ IN VOID *Context
+ )
+{
+ ASSERT(mSecretDxeTable.Base != 0);
+ ASSERT(mSecretDxeTable.Size > 0);
+
+ ZeroMem ((VOID *) ((UINTN) mSecretDxeTable.Base), mSecretDxeTable.Size);
+}
+
+
EFI_STATUS
EFIAPI
InitializeSecretDxe(
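Review bot: the edk2 coding style puts a space between a function name and its opening parenthesis, so `ASSERT(mSecretDxeTable.Base != 0);` and `ASSERT(mSecretDxeTable.Size > 0);` should read `ASSERT (mSecretDxeTable.Base != 0);` and `ASSERT (mSecretDxeTable.Size > 0);` (the ZeroMem call below them already follows this), and one of the two blank lines before `EFI_STATUS` should go. On the logic: Base and Size come from FixedPcd values, so the ASSERTs only catch a build-time misconfiguration, and in a RELEASE build they compile out and a zero Base would reach ZeroMem unchecked; if that case is worth guarding at all, an explicit `if` that skips the erase is safer than relying on ASSERT.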
@@ -20,8 +51,16 @@ InitializeSecretDxe(
IN EFI_SYSTEM_TABLE *SystemTable
)
{
- return gBS->InstallConfigurationTable (
- &gConfidentialComputingSecretGuid,
- &mSecretDxeTable
- );
+ EFI_STATUS Status;
+
+ Status = gBS->InstallConfigurationTable (
+ &gConfidentialComputingSecretGuid,
+ &mSecretDxeTable
+ );
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+
+ return gBS->CreateEvent (EVT_SIGNAL_EXIT_BOOT_SERVICES, TPL_CALLBACK,
+ SecretDxeExitBoot, NULL, &mSecretDxeExitBootEvent);
}
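Review bot: if CreateEvent fails, the configuration table has already been installed, so the entry point returns an error (and the driver is unloaded) while the secrets table stays published with no erase registered, which is the exact leak the patch sets out to close. Consider creating the event first and installing the table only on success, so a failure leaves nothing behind; at minimum log the failure with DEBUG now that DebugLib is linked. Style: the multi-line `return gBS->CreateEvent (EVT_SIGNAL_EXIT_BOOT_SERVICES, TPL_CALLBACK,` call should put one argument per line, as the InstallConfigurationTable call just above it does.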
--
2.25.1
Thread overview: 3+ messages
2021-11-02 8:25 Dov Murik [this message]
2021-11-02 10:05 ` [PATCH] OvmfPkg/AmdSev: Erase secret area content on ExitBootServices Gerd Hoffmann
2021-11-18 11:40 ` Dov Murik