Date: Wed, 24 Nov 2021 09:12:04 +0100
From: "Gerd Hoffmann"
To: "Yao, Jiewen"
Cc: "jejb@linux.ibm.com", "devel@edk2.groups.io", "Xu, Min M", Ard Biesheuvel, "Justen, Jordan L", Brijesh Singh, Erdem Aktas, Tom Lendacky
Subject: Re: [edk2-devel] [PATCH V3 15/29] OvmfPkg: Update SecEntry.nasm to support Tdx
Message-ID: <20211124081204.ortxlgwgp2c5dlhw@sirius.home.kraxel.org>

Hi,

> 1. "the PEI domain has very limited exposure, it's the DXE domain that has full exposure"
> [Jiewen] I don’t understand how that is concluded, on "limited exposure", "full exposure".

exposure == "the need to process external input, which an attacker might
use to exploit bugs in edk2 by crafting input data accordingly."

There isn't much external input to process in PEI phase.

Virtual machines are a bit different than physical machines. They need
to process some input from the host here which describes the virtual
hardware so they can initialize it properly. For example parse the
etc/e820 fw_cfg file to figure out how much memory is installed (or parse
the td hob in case tdx is used).

That platform-specific code for virtual machine initialization must do
careful sanity checking when you don't want to trust the VMM of course.
Whether that code lives in SEC or PEI doesn't change the picture much
though.

> 2. "bugs in PEI code can't be used to exploit the system when it has transitioned to the DXE domain."
> [Jiewen] I disagree. A bug in PEI code may already modify the HOB, while the HOB is an architecture data input for DXE.
> If DXE relies on some malicious data from PEI, DXE might be exploited later.

Attacking PEI is harder though because the external input it processes
is limited when compared to DXE.

Once you are transitioned to DXE you can't call into PEI Modules any
more.

So, how would an attacker trick PEI code into modifying HOBs (or
carrying out other actions under attacker's control)?

take care,
  Gerd
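
Added example, not part of the message above and not edk2 code: one way to apply the sanity checking the message calls for when etc/e820 comes from a VMM that is not trusted. The 20-byte packed entry layout (u64 base, u64 length, u32 type) is the one QEMU uses for this file; the function names, MAX_ENTRIES and MAX_PHYS_ADDR are assumptions made for the illustration, and the sample map is constructed.

```c
#include <stddef.h>
#include <stdint.h>

#define E820_ENTRY_SIZE 20u           /* u64 base, u64 length, u32 type, packed */
#define E820_RAM        1u
#define MAX_ENTRIES     128u          /* assumed policy limit, not from edk2 */
#define MAX_PHYS_ADDR   (1ull << 52)  /* assumed physical address limit */

static uint64_t le(const uint8_t *p, int n) {   /* little-endian decode */
    uint64_t v = 0;
    while (n-- > 0) v = (v << 8) | p[n];
    return v;
}

/* Returns 0 and stores the RAM byte count in *total, or a negative code
 * naming the first check the host-supplied blob failed. */
int e820_validate(const uint8_t *blob, size_t size, uint64_t *total) {
    uint64_t base[MAX_ENTRIES], end[MAX_ENTRIES], sum = 0;
    size_t n = 0;
    if (size == 0 || size % E820_ENTRY_SIZE != 0) return -1;  /* truncated */
    if (size / E820_ENTRY_SIZE > MAX_ENTRIES) return -2;      /* too many */
    for (size_t off = 0; off < size; off += E820_ENTRY_SIZE) {
        uint64_t b = le(blob + off, 8), len = le(blob + off + 8, 8);
        if (len == 0 || b > MAX_PHYS_ADDR || len > MAX_PHYS_ADDR - b)
            return -3;                          /* empty, wraps or out of range */
        if (le(blob + off + 16, 4) != E820_RAM) continue;
        for (size_t i = 0; i < n; i++)
            if (b < end[i] && base[i] < b + len) return -4;   /* RAM overlap */
        base[n] = b; end[n] = b + len; n++; sum += len;
    }
    if (n == 0) return -5;                      /* no RAM described at all */
    *total = sum;
    return 0;
}

/* Constructed sample data: encode one entry at index idx. */
static void put_entry(uint8_t *blob, size_t idx, uint64_t b, uint64_t len, uint32_t type) {
    uint8_t *p = blob + idx * E820_ENTRY_SIZE;
    for (int i = 0; i < 8; i++) { p[i] = (uint8_t)(b >> 8 * i); p[8 + i] = (uint8_t)(len >> 8 * i); }
    for (int i = 0; i < 4; i++) p[16 + i] = (uint8_t)(type >> 8 * i);
}

int main(void) {
    uint8_t blob[2 * E820_ENTRY_SIZE];
    uint64_t ram = 0;
    put_entry(blob, 0, 0, 0x80000000ull, E820_RAM);            /* 2 GiB low RAM */
    put_entry(blob, 1, 0x7ff00000ull, 0x200000ull, E820_RAM);  /* overlaps it */
    return e820_validate(blob, sizeof blob, &ram) == -4 ? 0 : 1;
}
```

The checks run before any value from the blob is used to size or place memory, so a malformed map is rejected as a whole rather than partially consumed.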