Re: [edk2-devel] [PATCH V3 15/29] OvmfPkg: Update SecEntry.nasm to support Tdx

["James Bottomley" <jejb@linux.ibm.com>]

On Wed, 2021-11-24 at 11:08 +0000, Yao, Jiewen wrote:
> > -----Original Message-----
> > From: Gerd Hoffmann <kraxel@redhat.com>
[...]
> > There isn't much external input to process in PEI phase.  Virtual
> > machines are a bit different than physical machines.  They need to
> > process some input from the host here which describes the virtual
> > hardware so they can initialize it properly.  For example parse the
> > etc/e820 fw_cfg file to figure how much memory is installed (or
> > parse the td hob in case tdx is used).
> > 
> > That platform-specific code for virtual machine initialization must
> > do careful sanity checking when you don't want trust the VMM of
> > course. Whenever that code lives in SEC or PEI doesn't change the
> > picture much though.

I don't disagree on this because we don't have a rom root of trust in
OVMF ... however it matters for most of the rest of edk2

> [Jiewen] I am not sure what information you are trying to convey.
> I never said that TDVF don’t need check the input after remove PEI.
> The check is always needed, no matter in PEI or SEC. I totally agree.
> 
> However, what I want to say is PEI has much more unnecessary code
> than SEC.
> You never know the quality of the those unnecessary code. Maybe it
> has a security bug, but it is just not triggered.
> For example, can you guarantee PEI code has not bug? Or DXE IPL has
> not bug?

Code removal to thin down the image is orthogonal to the location of
that code ... I don't think anyone objected to securing the path
through PEI by reducing unnecessary code; the doubt is that the
elimination of PEI somehow improves security.

> 
> What I did is a process of risk management - if PEI is removed, I
> don’t need care the risk brought by PEI.

Well, as I said above, you can remove the unnecessary code in PEI (and
SEC and DXE).  However, once you've done that, you don't eliminate risk
by removing PEI because all you do is move the necessary code that was
in PEI to somewhere else.  If you move it to SEC, I agree with Gerd
that it doesn't alter the security position much because SEC is a low
exposure domain like PEI.  If you move it to DXE it actually decreases
your security measurably because DXE is a high exposure security
domain.

> Unless you can prove that the risk of PEI is zero, then the risk is
> there.

But you don't make it zero by eliminating PEI, you simply move the risk
elsewhere because the necessary code still has to execute.

> > > 2. "bugs in PEI code can't be used to exploit the system when it
> > > has transitioned to the DXE domain."
> > > [Jiewen] I disagree. A bug in PEI code may already modify the
> > > HOB, while the HOB is an architecture data input for DXE.
> > > If DXE relies on some malicious data from PEI, DXE might be
> > > exploited later.
> > 
> > Attacking PEI is harder though because the external input it
> > processes is limited when compared to DXE.
> > 
> > Once you are transitioned to DXE you can't call into PEI Modules
> > any more.
> > 
> > So, how would an attacker trick PEI code into modifying HOBs (or
> > carrying out other actions under attackers control)?
> 
> [Jiewen] I would disagree " Attacking PEI is harder though because
> the external input it processes is limited when compared to DXE " 
> First, the number of extern input != the difficulty of the attack.
> Second, the number of extern input != the severity of the
> consequence.

Attacking PEI is harder than attacking DXE because of the limited
exposure to external influences. It doesn't mean it can't be done but
it does mean exploiting the same code can be harder or impossible in
PEI compared to DXE.

The key point is there are some classes of bug that can't be exploited
in PEI because of the limited exposure.  These bugs can be exploited in
DXE because of the wider exposure.  This is why moving code from DXE to
PEI increases the risk.

> On how to trick PEI, if you search the public UEFI BIOS attack
> history in the web, you can find example.
> The attack simply used an integer overflow, to cause buffer overflow.
> And the buffer overflow can be used to inject shellcode, then gain
> the execution privilege.
> Finally, it can control the whole system.
> 
> Modifying HOB is not a difficult task, as long as there is proper
> vulnerability, being used to gain a memory write.
> 
> In security world, we always say: Even if you cannot do it, you
> cannot assume other people cannot do it.
> Unless you can prove it cannot be done. Otherwise, anything might be
> possible.
> 
> That is why people are in favor of crypto notation and formal
> verification to prove something is correct.

There are many ways of improving security.  Formal verification has its
place, but grows exponentially harder with the complexity of the
system.  Separation into multiple security domains is also a common
technique (which also facilitates formal verification because it
reduces the state space).  What I worry about is that elimination of
one of the UEFI security domains causes code to move to places that
makes it more exploitable.

James