public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Gerd Hoffmann" <kraxel@redhat.com>
To: "Yao, Jiewen" <jiewen.yao@intel.com>
Cc: "devel@edk2.groups.io" <devel@edk2.groups.io>,
	"Justen, Jordan L" <jordan.l.justen@intel.com>,
	Ard Biesheuvel <ardb+tianocore@kernel.org>,
	Oliver Steffen <osteffen@redhat.com>,
	Pawel Polawski <ppolawsk@redhat.com>
Subject: Re: [PATCH 1/1] OvmfPkg/QemuFlashFvbServicesRuntimeDxe: add security warning
Date: Mon, 19 Dec 2022 09:53:03 +0100	[thread overview]
Message-ID: <20221219085303.gzqitjjjex3mauve@sirius.home.kraxel.org> (raw)
In-Reply-To: <MW4PR11MB5872DA3AE2C08D7B4678C3168CE79@MW4PR11MB5872.namprd11.prod.outlook.com>

On Sat, Dec 17, 2022 at 03:10:25AM +0000, Yao, Jiewen wrote:
> Hi Gerd
> I would like to clarify a couple of things:
> 
> 1) "Using these builds with writable flash is not secure."
> 
> Whenever we say "secure" or "not secure", we need align the threat model at first.
> What component is trusted? Which is not trusted? Who is adversary? With which capability? Under which attack scenario? 

Well, the OS can write directly to flash, bypassing the firmware.  It
can update secure boot efi variables without the firmware enforcing the
usual restrictions (KEK signature being required for db/dbx updates
etc).

> If we are going to say something like that, we need a full description. Just saying: "not secure" is not enough.

We simply don't get the protection secure boot is supposed to provide.

> 3) What is definition of "stateless secure boot configuration" ?
> What does you mean "stateless"? Do you mean "SMM_REQUIRE=FALSE" or something else?

"stateless" means we don't have persistent efi variables.

> Then why not call it as simple as "secure boot without SMM" ?
> I don't understand how "SMM_REQUIRE=FALSE" will contribute "stateless".

Secure boot in OVMF in 2022-08 + older requires flash memory as efi
variables storage and SMM mode support to enforce all efi variable
updates being handled by the firmware.

Starting with 2022-11 it is also possible to use secure boot without SNN
mode and with the emulated variable store in RAM.  Min added that for
IntelTdx.  The firmware can't enforce variable update rules in that
case, but that is compensated by initializing the emulated variable
store content with a pristine copy from ROM on each boot.  So the OS can
tamper with the efi variables, but it can't attack the system that way
because any changes done are wiped on reset, before the firmware looks
at those variables again when checking efi binary signatures.  This also
means any regular efi variable updates (like setting Boot* variables on
install) are wiped on reset too.  This is where the term "stateless"
comes from.

I don't see how "secure boot without SMM" is easier to understand than
"stateless".  It also is x64-specific.  But the idea to give up variable
persistence to get secure boot support without processor support for a
separate privilege level can work on other platforms too.  ArmVirt for
example could get secure boot support that way without depending on
TrustZone.

> 4) What is the purpose of "Log a warning" ?
> Is that to tell people, DON'T DO IT?

Yes.

Maybe it's better to refuse to boot in that case, a warning in
a logfile is easily missed.

In 2022-08 and older the world is relatively simple.  We have
three possible build configurations

  (1) SECURE_BOOT_ENABLE=FALSE SMM_REQUIRE=FALSE
      Build without secure boot support.

  (2) SECURE_BOOT_ENABLE=TRUE SMM_REQUIRE=TRUE
      Build with secure boot support, secure.

  (3) SECURE_BOOT_ENABLE=TRUE SMM_REQUIRE=FALSE
      Build with secure boot support, not secure.

Linux Distributions typically provide builds for (1) and (2),
so (3) existing isn't much of a problem in practice because
people typically don't compile edk2 by themself.

In 2022-11 the (3) case is splitted into two:

  (3a) build being used with ROM (or r/o flash):
       -> this is the new "stateless secure boot" mode.
  (3b) build being used with writable flash:
       -> insecure configuration.

Now the same build can be secure or not depending on
runtime configuration.  So this patch tries to catch
(3b) with a runtime check.

take care,
  Gerd


  reply	other threads:[~2022-12-19  8:53 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-12-16 10:11 [PATCH 1/1] OvmfPkg/QemuFlashFvbServicesRuntimeDxe: add security warning Gerd Hoffmann
2022-12-17  3:10 ` Yao, Jiewen
2022-12-19  8:53   ` Gerd Hoffmann [this message]
2022-12-19 14:47     ` [edk2-devel] " Yao, Jiewen
2022-12-20  7:18       ` Gerd Hoffmann
2022-12-21  6:25         ` Yao, Jiewen
     [not found] ` <173175F495CB0C1B.6312@groups.io>
2022-12-17  3:14   ` Yao, Jiewen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20221219085303.gzqitjjjex3mauve@sirius.home.kraxel.org \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox