public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>,
	"Johnson, Michael" <michael.johnson@intel.com>,
	"Kubacki, Michael A" <michael.a.kubacki@intel.com>
Subject: Re: [edk2-devel] [edk2-rfc] [edk2-devel] UEFI Variable SMI Reduction
Date: Sun, 8 Sep 2019 22:36:21 +0000	[thread overview]
Message-ID: <74D8A39837DF1E4DA445A8C0B3885C503F7A1613@shsmsx102.ccr.corp.intel.com> (raw)
In-Reply-To: <9DB7F8038713D946B98D79CA523B7F95E96E3CCF@ORSMSX122.amr.corp.intel.com>

[-- Attachment #1: Type: text/plain, Size: 3757 bytes --]

Hey, from security perspective, I am not clear what is difference on below 2 scenario – TPM or read-modify-write.

Whenever we return some data from SMM, we are in ring0, any program in ring0 may modify the variable content in the communication buffer.
If we assume ring0 is malicious, then the malicious code may let one AP keep looping to monitor the communication data, when BSP call get (authenticated) variable. Once communication buffer is updated and status is filled to EFI_SUCCESS, the AP may modify the communication buffer, then the BSP will return *modified* data to caller. Or an interrupt handler in BSP may also modify the communication buffer before the data is returned to caller. This race condition exists today.

I think putting cache buffer to SMM just raise the BAR, but *NOT* a security solution, because SMM communication buffer in reserved memory is same as cache buffer.

Thank you
Yao Jiewen

From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Johnson, Michael
Sent: Saturday, September 7, 2019 5:52 AM
To: Kubacki, Michael A <michael.a.kubacki@intel.com>; devel@edk2.groups.io
Subject: Re: [edk2-devel] [edk2-rfc] [edk2-devel] UEFI Variable SMI Reduction

Yes - both things I bring up are just *different* ring 0 accesses than are (easily) allowed today, so are not fundamentally new.  Generally we either trust all of ring 0 or none of it, so neither is a showstopper.

Reading back from real varstore/SMM if the variable has the auth attribute removes any interesting vectors so all that changes is a bad ring 0 agent can go through memory instead of the RT API, which is not threatening.

I have no problems if write and auth-read come from SMM and all else comes from cache.

From: Kubacki, Michael A
Sent: Friday, September 6, 2019 2:48 PM
To: Johnson, Michael <michael.johnson@intel.com<mailto:michael.johnson@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Subject: RE: [edk2-devel] [edk2-rfc] [edk2-devel] UEFI Variable SMI Reduction

My understanding is both of your points return to the issue of a ring 0 entity potentially modifying the runtime cache. As the SetVariable ( ) API is already accessible to ring 0, the variables could similarly be updated today so that should not be an issue. You have a good point for authenticated variables where the update is authenticated in SMM so the variable data should continue to be returned from SMM.

How about if the variable has the authenticated attribute set, those are sent to GetVariable ( ) in SMM? This should be relatively rare with the most common case likely being secure boot related keys.

From: Johnson, Michael <michael.johnson@intel.com<mailto:michael.johnson@intel.com>>
Sent: Thursday, September 5, 2019 1:59 PM
To: Kubacki; Kubacki, Michael A <michael.a.kubacki@intel.com<mailto:michael.a.kubacki@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Subject: Re: [edk2-devel] [edk2-rfc] [edk2-devel] UEFI Variable SMI Reduction

Your primary concern is my primary concern.  I can think of two scenarios where a runtime memory varstore would hurt.

The less severe one is that any variables measured into a TPM could appear to be modified when read back so that if/when some entity wants to verify or unseal something, they would be unable to match the TPM's PCR values and unable to verify/unseal.  This turns access to runtime EFI memory into a denial of service for TPM-based post-boot software.

The more worrying possibility is if somebody decides to use a read-modify-write pattern for some variable they have an interest in and thus end up defeating the security of the variable write method.  Today a read-modify-write is safe, but after this change it would not be.


[-- Attachment #2: Type: text/html, Size: 8263 bytes --]

  reply	other threads:[~2019-09-08 22:36 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-09-05 19:54 [edk2-rfc] [edk2-devel] UEFI Variable SMI Reduction Kubacki, Michael A
2019-09-05 20:59 ` [edk2-devel] " Johnson, Michael
2019-09-06 21:47   ` Kubacki, Michael A
2019-09-06 21:52     ` Johnson, Michael
2019-09-08 22:36       ` Yao, Jiewen [this message]
2019-09-11  2:42         ` Nate DeSimone
2019-09-11  3:31           ` Yao, Jiewen
2019-09-11 20:48             ` Kubacki, Michael A
2019-09-12 15:02             ` Nate DeSimone
2019-09-09 15:31 ` Laszlo Ersek
2019-09-09 18:03   ` Kubacki, Michael A
2019-09-11 13:16     ` Laszlo Ersek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=74D8A39837DF1E4DA445A8C0B3885C503F7A1613@shsmsx102.ccr.corp.intel.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox