Re: [PATCH 1/1] OvmfPkg/QemuFlashFvbServicesRuntimeDxe: add security warning

["Gerd Hoffmann" <kraxel@redhat.com>]

On Sat, Dec 17, 2022 at 03:10:25AM +0000, Yao, Jiewen wrote:
> Hi Gerd
> I would like to clarify a couple of things:
> 
> 1) "Using these builds with writable flash is not secure."
> 
> Whenever we say "secure" or "not secure", we need align the threat model at first.
> What component is trusted? Which is not trusted? Who is adversary? With which capability? Under which attack scenario? 

Well, the OS can write directly to flash, bypassing the firmware.  It
can update secure boot efi variables without the firmware enforcing the
usual restrictions (KEK signature being required for db/dbx updates
etc).

> If we are going to say something like that, we need a full description. Just saying: "not secure" is not enough.

We simply don't get the protection secure boot is supposed to provide.

> 3) What is definition of "stateless secure boot configuration" ?
> What does you mean "stateless"? Do you mean "SMM_REQUIRE=FALSE" or something else?

"stateless" means we don't have persistent efi variables.

> Then why not call it as simple as "secure boot without SMM" ?
> I don't understand how "SMM_REQUIRE=FALSE" will contribute "stateless".

Secure boot in OVMF in 2022-08 + older requires flash memory as efi
variables storage and SMM mode support to enforce all efi variable
updates being handled by the firmware.

Starting with 2022-11 it is also possible to use secure boot without SNN
mode and with the emulated variable store in RAM.  Min added that for
IntelTdx.  The firmware can't enforce variable update rules in that
case, but that is compensated by initializing the emulated variable
store content with a pristine copy from ROM on each boot.  So the OS can
tamper with the efi variables, but it can't attack the system that way
because any changes done are wiped on reset, before the firmware looks
at those variables again when checking efi binary signatures.  This also
means any regular efi variable updates (like setting Boot* variables on
install) are wiped on reset too.  This is where the term "stateless"
comes from.

I don't see how "secure boot without SMM" is easier to understand than
"stateless".  It also is x64-specific.  But the idea to give up variable
persistence to get secure boot support without processor support for a
separate privilege level can work on other platforms too.  ArmVirt for
example could get secure boot support that way without depending on
TrustZone.

> 4) What is the purpose of "Log a warning" ?
> Is that to tell people, DON'T DO IT?

Yes.

Maybe it's better to refuse to boot in that case, a warning in
a logfile is easily missed.

In 2022-08 and older the world is relatively simple.  We have
three possible build configurations

  (1) SECURE_BOOT_ENABLE=FALSE SMM_REQUIRE=FALSE
      Build without secure boot support.

  (2) SECURE_BOOT_ENABLE=TRUE SMM_REQUIRE=TRUE
      Build with secure boot support, secure.

  (3) SECURE_BOOT_ENABLE=TRUE SMM_REQUIRE=FALSE
      Build with secure boot support, not secure.

Linux Distributions typically provide builds for (1) and (2),
so (3) existing isn't much of a problem in practice because
people typically don't compile edk2 by themself.

In 2022-11 the (3) case is splitted into two:

  (3a) build being used with ROM (or r/o flash):
       -> this is the new "stateless secure boot" mode.
  (3b) build being used with writable flash:
       -> insecure configuration.

Now the same build can be secure or not depending on
runtime configuration.  So this patch tries to catch
(3b) with a runtime check.

take care,
  Gerd