public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Gerd Hoffmann" <kraxel@redhat.com>
To: devel@edk2.groups.io, jiewen.yao@intel.com
Cc: Konstantin Kostiuk <kkostiuk@redhat.com>,
	 Yan Vugenfirer <yvugenfi@redhat.com>,
	Ard Biesheuvel <ardb+tianocore@kernel.org>
Subject: Re: [edk2-devel] [PATCH 1/2] OvmfPkg: Add VirtHstiDxe driver
Date: Fri, 15 Mar 2024 12:29:15 +0100	[thread overview]
Message-ID: <2va566btnwe6p76yhyici7imo4qqrp3rjfempvzgubw56azjxn@3kq7bf5ctl5w> (raw)
In-Reply-To: <MW4PR11MB58725DFAE7F731F4217232718C292@MW4PR11MB5872.namprd11.prod.outlook.com>

On Thu, Mar 14, 2024 at 12:05:28PM +0000, Yao, Jiewen wrote:
> I agree that not all bits make sense to virtual machine.
> However, I do see some bits should be there if we really want to add HSTI to report security propery.

Setting the bits which are obviously correct makes sense indeed.

> Please take a look at the HSTI spec - https://learn.microsoft.com/en-us/windows-hardware/test/hlk/testref/hardware-security-testability-specification
> For example:
> Do you use RSA 2048 and SHA256 only (or higher but not lower than this)

Hmm.  That single line (and the spec doesn't have more) is not very
helpful.  Consider this corner case:

The virtual TPM supported by qemu has banks for sha1, sha256, sha384 and
sha512.  The default configuration created by libvirt enables only the
sha256 bank.  But it's possible to go into the firmware setup and turn
on the sha1 bank too.

How should the HSTI driver handle that?

> Compatibility Support Modules (CSM)

That one is easy, CSM support is gone, we can set it.

> Firmware Code must be present in protected storage

Typically this is the case (ROM or read-only flash), although qemu
does not enforce that the code flash is actually read-only, it can
be configured in writable mode.

Hmm.

> Secure firmware update process

IMHO doesn't apply to virtual machines.  Firmware updates are usually
handled by updating the images on the host machine, that is very
different from a physical machine.  All the questions about key handling
do not make any sense.

> Do you have backdoors to override SecureBoot

No (you can only turn it off altogether).  I think we can set this (in
secure boot enabled builds).

Use "FeaturePcdGet (PcdSecureBootSupported)" to figure whenever a given
build supports secure boot or not.

> Protection from internal and external DMA

I don't think qemu supports DMA access to NV (aka flash) storage.
Is that good enough to set that bit?

> Another question: I notice you report platform as “Intel(R) 9-Series v1”.
> Is that right configuration for current OVMF?

Probably refers to q35 (aka INTEL_Q35_MCH_DEVICE_ID).

> I think there is some configuration detection, such as https://github.com/tianocore/edk2/blob/master/OvmfPkg/PlatformPei/Platform.c.

Looking at PlatformInfoHob->HostBridgeDevId and setting the name
accordingly makes sense indeed.

take care,
  Gerd



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#116813): https://edk2.groups.io/g/devel/message/116813
Mute This Topic: https://groups.io/mt/104923813/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



  reply	other threads:[~2024-03-15 11:29 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-03-14 10:24 [edk2-devel] [PATCH 0/2] OvmfPkg: Implement minimal HSTI driver Konstantin Kostiuk
2024-03-14 10:24 ` [edk2-devel] [PATCH 1/2] OvmfPkg: Add VirtHstiDxe driver Konstantin Kostiuk
2024-03-14 10:27   ` Yao, Jiewen
2024-03-14 11:43     ` Konstantin Kostiuk
2024-03-14 12:05       ` Yao, Jiewen
2024-03-15 11:29         ` Gerd Hoffmann [this message]
2024-03-14 10:24 ` [edk2-devel] [PATCH 2/2] OvmfPkg: Add VirtHstiDxe to OVMF firmware build Konstantin Kostiuk

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2va566btnwe6p76yhyici7imo4qqrp3rjfempvzgubw56azjxn@3kq7bf5ctl5w \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox