Date: Fri, 15 Mar 2024 12:29:15 +0100
From: "Gerd Hoffmann"
To: devel@edk2.groups.io, jiewen.yao@intel.com
Cc: Konstantin Kostiuk, Yan Vugenfirer, Ard Biesheuvel
Subject: Re: [edk2-devel] [PATCH 1/2] OvmfPkg: Add VirtHstiDxe driver
Message-ID: <2va566btnwe6p76yhyici7imo4qqrp3rjfempvzgubw56azjxn@3kq7bf5ctl5w>
References: <20240314102447.24313-1-kkostiuk@redhat.com> <20240314102447.24313-2-kkostiuk@redhat.com>

On Thu, Mar 14, 2024 at 12:05:28PM +0000, Yao, Jiewen wrote:

> I agree that not all bits make sense to virtual machine.
> However, I do see some bits should be there if we really want to add HSTI to report security property.

Setting the bits which are obviously correct makes sense indeed.
> Please take a look at the HSTI spec - https://learn.microsoft.com/en-us/windows-hardware/test/hlk/testref/hardware-security-testability-specification
> For example:
> Do you use RSA 2048 and SHA256 only (or higher but not lower than this)

Hmm. That single line (and the spec doesn't have more) is not very helpful.

Consider this corner case: The virtual TPM supported by qemu has banks for sha1, sha256, sha384 and sha512. The default configuration created by libvirt enables only the sha256 bank. But it's possible to go into the firmware setup and turn on the sha1 bank too. How should the HSTI driver handle that?

> Compatibility Support Modules (CSM)

That one is easy, CSM support is gone, we can set it.

> Firmware Code must be present in protected storage

Typically this is the case (ROM or read-only flash), although qemu does not enforce that the code flash is actually read-only, it can be configured in writable mode. Hmm.

> Secure firmware update process

IMHO doesn't apply to virtual machines. Firmware updates are usually handled by updating the images on the host machine, that is very different from a physical machine. All the questions about key handling do not make any sense.

> Do you have backdoors to override SecureBoot

No (you can only turn it off altogether). I think we can set this (in secure boot enabled builds). Use "FeaturePcdGet (PcdSecureBootSupported)" to figure out whether a given build supports secure boot or not.

> Protection from internal and external DMA

I don't think qemu supports DMA access to NV (aka flash) storage. Is that good enough to set that bit?

> Another question: I notice you report platform as “Intel(R) 9-Series v1”.
> Is that right configuration for current OVMF?

Probably refers to q35 (aka INTEL_Q35_MCH_DEVICE_ID).

> I think there is some configuration detection, such as https://github.com/tianocore/edk2/blob/master/OvmfPkg/PlatformPei/Platform.c.
Looking at PlatformInfoHob->HostBridgeDevId and setting the name accordingly makes sense indeed.

take care,
  Gerd

View/Reply Online (#116813): https://edk2.groups.io/g/devel/message/116813
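As an added illustration (not code from the VirtHstiDxe patch or from anyone in this thread), plain C that models the per-bit decisions Gerd walks through above: a bit is only claimed when the VM configuration actually makes it true. The bit positions, the vm_state fields and the host-bridge device-ID values are assumptions for the example, not the HSTI spec's or OVMF's definitions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* One bit per HSTI check discussed in the thread (positions are assumed). */
#define HSTI_NO_CSM            (1u << 0)  /* CSM support is gone: always true */
#define HSTI_HASH_SHA256_ONLY  (1u << 1)  /* no PCR bank weaker than SHA-256 active */
#define HSTI_FW_PROTECTED      (1u << 2)  /* code flash is really read-only */
#define HSTI_NO_SB_BACKDOOR    (1u << 3)  /* only in Secure-Boot-capable builds */
#define HSTI_SECURE_FW_UPDATE  (1u << 4)  /* host-side image update: never claimed */
/* The DMA-protection bit is left out: the thread leaves that question open. */

#define HOST_BRIDGE_Q35    0x29C0  /* assumed value for INTEL_Q35_MCH_DEVICE_ID */
#define HOST_BRIDGE_I440FX 0x1237  /* assumed value for the i440FX host bridge */

/* Inputs the driver would gather from the platform (field names assumed). */
struct vm_state {
  uint16_t host_bridge_dev_id;   /* PlatformInfoHob->HostBridgeDevId */
  bool     secure_boot_build;    /* FeaturePcdGet (PcdSecureBootSupported) */
  bool     code_flash_writable;  /* qemu pflash configured writable */
  bool     sha1_bank_active;     /* SHA-1 PCR bank enabled in firmware setup */
};

/* Return only the feature bits that hold for this concrete configuration. */
uint32_t hsti_implemented_bits(const struct vm_state *s) {
  uint32_t bits = HSTI_NO_CSM;
  if (!s->sha1_bank_active)    bits |= HSTI_HASH_SHA256_ONLY;
  if (!s->code_flash_writable) bits |= HSTI_FW_PROTECTED;
  if (s->secure_boot_build)    bits |= HSTI_NO_SB_BACKDOOR;
  /* HSTI_SECURE_FW_UPDATE is deliberately never set for a VM. */
  return bits;
}

/* Derive the platform name from the detected host bridge, not a constant. */
const char *hsti_platform_name(uint16_t host_bridge_dev_id) {
  switch (host_bridge_dev_id) {
  case HOST_BRIDGE_Q35:    return "Intel(R) 9-Series v1";
  case HOST_BRIDGE_I440FX: return "Intel(R) 440FX";
  default:                 return "unknown host bridge";
  }
}
```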