Re: WSMT bits

["Laszlo Ersek" <lersek@redhat.com>]

Hi again Jiewen,

On 03/10/20 10:36, Laszlo Ersek wrote:
> Hi Jiewen,
> 
> reading the following chapter:
> 
>   https://edk2-docs.gitbooks.io/a-tour-beyond-bios-memory-protection-in-uefi-bios/content/memory-protection-in-SMM.html
> 
> I'm having trouble associating the protection features implemented in
> edk2 with the various bits in the WSMT (per
> "MdePkg/Include/IndustryStandard/WindowsSmmSecurityMitigationTable.h").
> 
> For example, it seems like the bits a platform sets in the WSMT *might*
> depend on "PcdCpuSmmRestrictedMemoryAccess".
> 
> Can someone clarify these please?
> 
> 
> FWIW, in the edk2-platforms tree, the
> "Platform/Intel/Vlv2TbltDevicePkg/AcpiPlatform/AcpiPlatform.c" source
> file sets EFI_WSMT_PROTECTION_FLAGS_FIXED_COMM_BUFFERS and
> EFI_WSMT_PROTECTION_FLAGS_COMM_BUFFER_NESTED_PTR_PROTECTION. It does not
> set EFI_WSMT_PROTECTION_FLAGS_SYSTEM_RESOURCE_PROTECTION.
> 
> Is this bitmask (from Vlv2TbltDevicePkg) the general pattern that other
> edk2 platforms with SMM support should expose too, as a starting point?

I have now read another whitepaper from you:

  A Tour Beyond BIOS
  Secure SMM Communication in the EFI Developer Kit II

It's a great whitepaper, it answers all my questions. Based on it, I
think that OVMF should enable all three bits in the WSMT:

(1) BIT0 -- FIXED_COMM_BUFFERS:

(1.1) OVMF uses the standard edk2 SMM infrastructure. Drivers in that
infrastructure verify that the communication buffers that they receive
are in permitted regions (no overlap with SMRAM, and resident in
permitted memory types), via SmmIsBufferOutsideSmmValid().

(1.2) OVMF contains only one custom SMI handler (which is for CPU
hotplug). This handler does use normal RAM for a bit of communication
with hot-added CPUs, but the RAM used for this purpose is allocated as
reserved memory, and before End-of-Dxe.

Furthermore, TOC-TOU is actively considered and mitigated, as the
"communication area" is a single byte (a boolean flag), and the design
considers the OS actively attacking that byte.

(2) BIT1 -- COMM_BUFFER_NESTED_PTR_PROTECTION:

OVMF uses the standard edk2 SMM infra, which validates the targets of
nested pointers.

The custom SMI handler (for CPU hotplug) does not process pointers that
arrive from an untrusted context.

(3) BIT2 -- SYSTEM_RESOURCE_PROTECTION:

This bit is defined somewhat unclearly, but OVMF does lock both TSEG,
and the QEMU-specific "SMRAM at default SMBASE", at SmmReadyToLock. See
e.g. commit 9108fc17b09c ("OvmfPkg/SmmAccess: close and lock SMRAM at
default SMBASE", 2020-02-05).

So I think OVMF should install the WSMT, and set all three bits.


However, there's a catch, for (1) FIXED_COMM_BUFFERS:

(1.3) While OVMF produces a Memory Type Information HOB, it is not
*adaptive*.

I'm not sure what the whitepaper suggests:

(1.3.1) that the HOB exist (because then released / unused BINs will
never become usable memory in the final memory map),

(1.3.2) or that BINs should actually accommodate all the allocations (so
that no runtime memory is reallocated *ever*).

Because, in the non-adaptive approach (1.3.1), what happens if there is
a RuntimeData reallocation after End-of-Dxe, but even the *previous*
allocation (that's now getting released) used to live outside of a BIN?

Unfortunately, enabling the adaptive Memory Type Information (1.3.2) for
OVMF is challenging, due to
<https://bugzilla.tianocore.org/show_bug.cgi?id=1086>. OVMF can be
booted with 128 MiB RAM and 1 TiB RAM just the same, and so a platform
PEIM cannot tell, in advance, what is a valid Memory Type Information
variable that the DXE core will accept, vs. an invalid Memory Type
Information variable that the DXE core will reject (and hang upon, due
to BIN priming failure).

Thanks
Laszlo