From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=209.132.183.28; helo=mx1.redhat.com; envelope-from=lersek@redhat.com; receiver=edk2-devel@lists.01.org Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 21B3D21CF58DD for ; Mon, 9 Oct 2017 08:17:07 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id C67DC81E0D; Mon, 9 Oct 2017 15:20:33 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com C67DC81E0D Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=lersek@redhat.com Received: from lacos-laptop-7.usersys.redhat.com (ovpn-121-84.rdu2.redhat.com [10.10.121.84]) by smtp.corp.redhat.com (Postfix) with ESMTP id 93713675E6; Mon, 9 Oct 2017 15:20:32 +0000 (UTC) To: "Zeng, Star" , edk2-devel-01 Cc: "Yao, Jiewen" , "Dong, Eric" References: <20171003212834.25740-1-lersek@redhat.com> <20171003212834.25740-7-lersek@redhat.com> <0C09AFA07DD0434D9E2A0C6AEB0483103B97F30F@shsmsx102.ccr.corp.intel.com> From: Laszlo Ersek Message-ID: <620b6a28-2087-aecb-8818-71739f36073b@redhat.com> Date: Mon, 9 Oct 2017 17:20:31 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0 MIME-Version: 1.0 In-Reply-To: <0C09AFA07DD0434D9E2A0C6AEB0483103B97F30F@shsmsx102.ccr.corp.intel.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]); Mon, 09 Oct 2017 15:20:33 +0000 (UTC) Subject: Re: [PATCH 6/6] MdeModulePkg/Variable/RuntimeDxe: delete and lock OS-created MOR variable X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 09 Oct 2017 15:17:07 -0000 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit On 10/09/17 09:12, Zeng, Star wrote: > Laszlo, > > Do you think VariableRuntimeDxe(TcgMorLockDxe.c) also needs to delete and lock OS-created MOR variable? Maybe -- I'm not sure. If an edk2 platform uses "VariableRuntimeDxe", then it cannot securely support MorLock, that's for sure. However, the same platform might still support plain MOR. How can we determine if the platform wants to support MOR? Should we again look for the presence of the TCG / TCG2 protocols? I cannot tell if TcgMor.inf, and other modules under SecurityPkg, intend to support a "no-SMM" configuration. So I can only give you a conditional answer: (a) If an edk2 platform can *never* sensibly support plain MOR without SMM, then yes, we should delete and lock the MOR variable in "TcgMorLockDxe.c", function MorLockInit(). (b) If an edk2 platform *may* opt to support plain MOR (but not MorLock) without SMM, then we should apply the same End-of-Dxe trick as in the SMM case. This is however quite a bit of development and I suggest that we postpone it -- file a BZ about it -- until an edk2 platform actually needs this. (It looks like a quite unlikely use case though: MOR is a security feature that is not really secure without MorLock, and MorLock is insecure without SMM. So one might reason that MOR-without-SMM is useless.) (c) We can also say "we don't care", because, technically speaking, no inconsistency between the MOR and MorLock variables can be created in the "no-SMM" case (because it is never possible to create MorLock without MOR -- since creating MorLock is prevented already). So, I don't know. If Jiewen thinks that "MOR without SMM" is useless (because it is inherently insecure --> option (a)), I can append a small patch #7, in order to delete and lock MOR too, in MorLockInit() [TcgMorLockDxe.c]. Here's another idea: if the "no SMM" case requires extra thinking and regression testing (i.e. the patch would be more complex than simple MOR deletion + locking) , can we go ahead with this series for now, and file a TianoCore BZ about the "no SMM" case? (I should say in advance that I'm not volunteering to address the "no SMM" Bugzilla any time soon; I don't know much (yet) about the TCG modules in SecurityPkg, and I think I won't have time for the investigation in the next weeks.) Jiewen, what do you say? Thanks! Laszlo > -----Original Message----- > From: Laszlo Ersek [mailto:lersek@redhat.com] > Sent: Wednesday, October 4, 2017 5:29 AM > To: edk2-devel-01 > Cc: Dong, Eric ; Yao, Jiewen ; Ladi Prosek ; Zeng, Star > Subject: [PATCH 6/6] MdeModulePkg/Variable/RuntimeDxe: delete and lock OS-created MOR variable > > According to the TCG Platform Reset Attack Mitigation Specification (May 15, 2008): > >> 5 Interface for UEFI >> 5.1 UEFI Variable >> 5.1.1 The MemoryOverwriteRequestControl >> >> Start of informative comment: >> >> [...] The OS loader should not create the variable. Rather, the >> firmware is required to create it and must support the semantics described here. >> >> End of informative comment. > > However, some OS kernels create the MOR variable even if the platform firmware does not support it (see one Bugzilla reference below). This OS issue breaks the logic added in the last patch. > > Strengthen the MOR check by searching for the TCG or TCG2 protocols, as edk2's implementation of MOR depends on (one of) those protocols. > > The protocols are defined under MdePkg, thus there's no inter-package dependency issue. In addition, calling UEFI services in > MorLockInitAtEndOfDxe() is safe, due to the following order of events / > actions: > > - platform BDS signals the EndOfDxe event group, > - the SMM core installs the SmmEndOfDxe protocol, > - MorLockInitAtEndOfDxe() is invoked, and it calls UEFI services, > - some time later, platform BDS installs the DxeSmmReadyToLock protocol, > - SMM / SMRAM is locked down and UEFI services become unavailable to SMM > drivers. > > Cc: Eric Dong > Cc: Jiewen Yao > Cc: Ladi Prosek > Cc: Star Zeng > Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1498159 > Suggested-by: Jiewen Yao > Contributed-under: TianoCore Contribution Agreement 1.1 > Signed-off-by: Laszlo Ersek > --- > MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf | 3 + MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c | 81 ++++++++++++++++++-- > 2 files changed, 77 insertions(+), 7 deletions(-) > > diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf > index 404164366579..69966f0d37ee 100644 > --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf > +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf > @@ -74,6 +74,7 @@ [LibraryClasses] > SmmMemLib > AuthVariableLib > VarCheckLib > + UefiBootServicesTableLib > > [Protocols] > gEfiSmmFirmwareVolumeBlockProtocolGuid ## CONSUMES > @@ -85,6 +86,8 @@ [Protocols] > gEfiSmmVariableProtocolGuid > gEfiSmmEndOfDxeProtocolGuid ## NOTIFY > gEdkiiSmmVarCheckProtocolGuid ## PRODUCES > + gEfiTcgProtocolGuid ## SOMETIMES_CONSUMES > + gEfiTcg2ProtocolGuid ## SOMETIMES_CONSUMES > > [Guids] > ## SOMETIMES_CONSUMES ## GUID # Signature of Variable store header > diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c > index 6d14b0042f4d..0a0281e44bc1 100644 > --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c > +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c > @@ -21,6 +21,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. > #include > #include > #include > +#include > #include "Variable.h" > > typedef struct { > @@ -33,6 +34,8 @@ VARIABLE_TYPE mMorVariableType[] = { > {MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, &gEfiMemoryOverwriteRequestControlLockGuid}, > }; > > +BOOLEAN mMorPassThru = FALSE; > + > #define MOR_LOCK_DATA_UNLOCKED 0x0 > #define MOR_LOCK_DATA_LOCKED_WITHOUT_KEY 0x1 > #define MOR_LOCK_DATA_LOCKED_WITH_KEY 0x2 > @@ -364,6 +367,13 @@ SetVariableCheckHandlerMor ( > // Mor Variable > // > > + // > + // Permit deletion for passthru request. > + // > + if (((Attributes == 0) || (DataSize == 0)) && mMorPassThru) { > + return EFI_SUCCESS; > + } > + > // > // Basic Check > // > @@ -411,6 +421,8 @@ MorLockInitAtEndOfDxe ( { > UINTN MorSize; > EFI_STATUS MorStatus; > + EFI_STATUS TcgStatus; > + VOID *TcgInterface; > > if (!mMorLockInitializationRequired) { > // > @@ -438,17 +450,72 @@ MorLockInitAtEndOfDxe ( > > if (MorStatus == EFI_BUFFER_TOO_SMALL) { > // > - // The MOR variable exists; set the MOR Control Lock variable to report the > - // capability to the OS. > + // The MOR variable exists. > // > - SetMorLockVariable (0); > - return; > + // Some OSes don't follow the TCG's Platform Reset Attack Mitigation spec > + // in that the OS should never create the MOR variable, only read and write > + // it -- these OSes (unintentionally) create MOR if the platform firmware > + // does not produce it. Whether this is the case (from the last OS boot) > + // can be deduced from the absence of the TCG / TCG2 protocols, as edk2's > + // MOR implementation depends on (one of) those protocols. > + // > + TcgStatus = gBS->LocateProtocol ( > + &gEfiTcgProtocolGuid, > + NULL, // Registration > + &TcgInterface > + ); > + if (EFI_ERROR (TcgStatus)) { > + TcgStatus = gBS->LocateProtocol ( > + &gEfiTcg2ProtocolGuid, > + NULL, // Registration > + &TcgInterface > + ); > + } > + > + if (!EFI_ERROR (TcgStatus)) { > + // > + // The MOR variable originates from the platform firmware; set the MOR > + // Control Lock variable to report the locking capability to the OS. > + // > + SetMorLockVariable (0); > + return; > + } > + > + // > + // The MOR variable's origin is inexplicable; delete it. > + // > + DEBUG (( > + DEBUG_WARN, > + "%a: deleting unexpected / unsupported variable %g:%s\n", > + __FUNCTION__, > + &gEfiMemoryOverwriteControlDataGuid, > + MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME > + )); > + > + mMorPassThru = TRUE; > + VariableServiceSetVariable ( > + MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, > + &gEfiMemoryOverwriteControlDataGuid, > + 0, // Attributes > + 0, // DataSize > + NULL // Data > + ); > + mMorPassThru = FALSE; > } > > // > - // The platform does not support the MOR variable. Delete the MOR Control > - // Lock variable (should it exists for some reason) and prevent other modules > - // from creating it. > + // The MOR variable is absent; the platform firmware does not support it. > + // Lock the variable so that no other module may create it. > + // > + VariableLockRequestToLock ( > + NULL, // This > + MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, > + &gEfiMemoryOverwriteControlDataGuid > + ); > + > + // > + // Delete the MOR Control Lock variable too (should it exists for > + some // reason) and prevent other modules from creating it. > // > mMorLockPassThru = TRUE; > VariableServiceSetVariable ( > -- > 2.14.1.3.gb7cf6e02401b > > _______________________________________________ > edk2-devel mailing list > edk2-devel@lists.01.org > https://lists.01.org/mailman/listinfo/edk2-devel >