From: "Dov Murik"
To: devel@edk2.groups.io
Cc: Dov Murik, Ard Biesheuvel, Jordan Justen, Gerd Hoffmann, Brijesh Singh, Erdem Aktas, James Bottomley, Jiewen Yao, Min Xu, Tom Lendacky, Tobin Feldman-Fitzthum
Subject: [PATCH] OvmfPkg/AmdSev: Erase secret area content on ExitBootServices
Date: Tue, 2 Nov 2021 08:25:06 +0000
Message-Id: <20211102082506.366921-1-dovmurik@linux.ibm.com>

The confidential computing secrets area is marked as EfiBootServicesData
region, which means it is released for the OS use when the OS EFI stub
calls ExitBootServices. However, its content is not erased, and
therefore the OS might unintentionally reuse this sensitive memory area
and expose the injected secrets.

Erase the content of the secret area on ExitBootServices so that the
memory released to the OS contains zeros. If the OS needs to keep the
secrets for its own use, it must copy the secrets area to another memory
area before calling ExitBootServices (for example in efi/libstub in
Linux).

Cc: Ard Biesheuvel
Cc: Jordan Justen
Cc: Gerd Hoffmann
Cc: Brijesh Singh
Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Min Xu
Cc: Tom Lendacky
Cc: Tobin Feldman-Fitzthum
Signed-off-by: Dov Murik
---

Code is in: https://github.com/confidential-containers-demo/edk2/tree/erase-secret-area

---
 OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf |  2 +
 OvmfPkg/AmdSev/SecretDxe/SecretDxe.c   | 47 ++++++++++++++++++--
 2 files changed, 45 insertions(+), 4 deletions(-)

diff --git a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf b/OvmfPkg/AmdSev/Secret= Dxe/SecretDxe.inf index 40bda7ff846c..ff831afaeb66 100644 --- a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf +++ b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf @@ -23,6 +23,8 @@ [Packages] MdePkg/MdePkg.dec=0D =0D [LibraryClasses]=0D + BaseMemoryLib=0D + DebugLib=0D UefiBootServicesTableLib=0D UefiDriverEntryPoint=0D =0D diff --git a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c b/OvmfPkg/AmdSev/SecretDx= e/SecretDxe.c index 934ad207632b..085759f0e523 100644 --- a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c +++ b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c @@ -5,6 +5,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent=0D **/=0D #include =0D +#include =0D +#include =0D #include =0D #include =0D =0D 
@@ -13,6 +15,35 @@ STATIC CONFIDENTIAL_COMPUTING_SECRET_LOCATION mSecretDxe= Table =3D { FixedPcdGet32 (PcdSevLaunchSecretSize),=0D };=0D =0D +STATIC EFI_EVENT mSecretDxeExitBootEvent;=0D +=0D +/**=0D + ExitBootServices event notification function for the secret table.=0D +=0D + This function erases the content of the secret area so the secrets don't= leak=0D + via released BootServices memory. If the OS wants to keep the secrets f= or=0D + its own use, it must copy the secrets area to another memory area before= =0D + calling ExitBootServices (for example in efi/libstub in Linux).=0D +=0D + @param[in] Event The ExitBoot event that has been signaled.=0D +=0D + @param[in] Context Unused.=0D +**/=0D +STATIC=0D +VOID=0D +EFIAPI=0D +SecretDxeExitBoot (=0D + IN EFI_EVENT Event,=0D + IN VOID *Context=0D + )=0D +{=0D + ASSERT(mSecretDxeTable.Base !=3D 0);=0D + ASSERT(mSecretDxeTable.Size > 0);=0D +=0D + ZeroMem ((VOID *) ((UINTN) mSecretDxeTable.Base), mSecretDxeTable.Size);= =0D +}=0D +=0D +=0D EFI_STATUS=0D EFIAPI=0D InitializeSecretDxe(=0D @@ -20,8 +51,16 @@ InitializeSecretDxe( IN EFI_SYSTEM_TABLE *SystemTable=0D )=0D {=0D - return gBS->InstallConfigurationTable (=0D - &gConfidentialComputingSecretGuid,=0D - &mSecretDxeTable=0D - );=0D + EFI_STATUS Status;=0D +=0D + Status =3D gBS->InstallConfigurationTable (=0D + &gConfidentialComputingSecretGuid,=0D + &mSecretDxeTable=0D + );=0D + if (EFI_ERROR (Status)) {=0D + return Status;=0D + }=0D +=0D + return gBS->CreateEvent (EVT_SIGNAL_EXIT_BOOT_SERVICES, TPL_CALLBACK,=0D + SecretDxeExitBoot, NULL, &mSecretDxeExitBootEvent);=0D }=0D --=20 2.25.1
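
Review bot: In SecretDxeExitBoot (SecretDxe.c, hunk at -13,6 +15,35), the two ASSERTs on mSecretDxeTable.Base and mSecretDxeTable.Size are the only guard in front of ZeroMem, and ASSERT expands to nothing when assertions are disabled (MDEPKG_NDEBUG or the DebugLib property mask), so the guard is missing in exactly the builds that ship. The context lines show Size coming from `FixedPcdGet32 (PcdSevLaunchSecretSize)`, a build-time value, so the check fits better in InitializeSecretDxe as a real `if` that refuses to install the table or register the callback when the area is empty, leaving the notification function as a plain ZeroMem. Style: edk2 wants a space before the parenthesis, `ASSERT (mSecretDxeTable.Base != 0);`, as the `ZeroMem (` line already has, and one blank line rather than two after the function body. The function comment states a new contract for the OS (copy the secrets before ExitBootServices); that deserves a sentence in the package documentation as well, since OS loaders that read the table after ExitBootServices will now see zeros.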
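
Review bot: In InitializeSecretDxe (SecretDxe.c, hunk at -20,8 +51,16), a CreateEvent failure is returned after InstallConfigurationTable has already succeeded, so the entry point reports an error while the gConfidentialComputingSecretGuid entry stays installed and still points at mSecretDxeTable, a STATIC inside the driver that has just reported failure. Either undo the installation on that path (call InstallConfigurationTable again with a NULL table pointer before returning Status), or create the event first and install the table only once the erase callback is registered; the second ordering also means the secret location is never advertised without the wipe being armed. Layout: the `gBS->CreateEvent (` call packs several arguments per line, while the InstallConfigurationTable call just above it uses one argument per line; match that form.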