From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-1.mimecast.com (us-smtp-1.mimecast.com [205.139.110.120]) by mx.groups.io with SMTP id smtpd.web12.5166.1583922199202803849 for ; Wed, 11 Mar 2020 03:23:19 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Mg4Hr++l; spf=pass (domain: redhat.com, ip: 205.139.110.120, mailfrom: lersek@redhat.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1583922198; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=utd+uH93RQoiFAPR+lstBDhqQR/ZBq6j/cRB9ys3Kk4=; b=Mg4Hr++lFgkcXn6r+nxMI1OdX9Ng/QQnQr3K7il4F40D6ws8blGxZlxfW+q/Ikg4XM6dlg 9gZlYZzMxKl7tiMLsBxynD6vRHjDhIWrjWHTwewmxpTn98X9M1tItHJ1KQzitTKIF2zbC+ SXd5fdhUz/EZvQXyGMHDBUg7rKGrKQ8= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-364-IP9MLrHdNHaufQH4-NSHcQ-1; Wed, 11 Mar 2020 06:23:10 -0400 X-MC-Unique: IP9MLrHdNHaufQH4-NSHcQ-1 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 9B2C51B2C984; Wed, 11 Mar 2020 10:23:09 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (unknown [10.36.119.12]) by smtp.corp.redhat.com (Postfix) with ESMTP id 93F635D9C9; Wed, 11 Mar 2020 10:23:08 +0000 (UTC) Subject: Re: WSMT bits To: "Yao, Jiewen" Cc: edk2-devel-groups-io , "Ni, Ray" References: <3c32815c-3ee9-261a-b473-1be341bdfb0c@redhat.com> <74D8A39837DF1E4DA445A8C0B3885C503F97B579@shsmsx102.ccr.corp.intel.com> From: "Laszlo Ersek" Message-ID: <85cca7fb-ee64-317a-24b1-2a43e512b42d@redhat.com> Date: Wed, 11 Mar 2020 11:23:07 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <74D8A39837DF1E4DA445A8C0B3885C503F97B579@shsmsx102.ccr.corp.intel.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit On 03/11/20 03:01, Yao, Jiewen wrote: > Thanks Laszlo. I am glad that you like the whitepaper. > > Right. The platform should assert the WSMT bit, because the platform need make sure that all SMI handlers do right thing for SMM communication buffer. > Using PcdCpuSmmRestrictedMemoryAccess is a good way to ensure any violation can be caught. It is highly recommend, unless it conflicts with some other features such as heap guard debug, or server memory hotplug. Thanks for your answer! And yes, PcdCpuSmmRestrictedMemoryAccess is TRUE in OVMF. (Inheriting the DEC default.) > > I recommend we keep MemoryTypeInfo as a separate topic for https://bugzilla.tianocore.org/show_bug.cgi?id=1086 > I still think memory type information should be used - 1.3.2. Right. In the end, I posted an OvmfPkg patch series yesterday, for covering point (1.3.2) -- adaptive MemoryTypeInfo: [edk2-devel] [PATCH 0/5] OvmfPkg: improve SMM comms security with adaptive MemoryTypeInformation http://mid.mail-archive.com/20200310222739.26717-1-lersek@redhat.com https://edk2.groups.io/g/devel/message/55726 I decided that TianoCore#1086 should not be considered a blocker for this feature. My reasoning is captured here: https://bugzilla.tianocore.org/show_bug.cgi?id=386#c15 > I just do not understand well enough on your comment - " OVMF can be booted with 128 MiB RAM and 1 TiB RAM just the same, and so a platform PEIM cannot tell, in advance, what is a valid Memory Type Information variable that the DXE core will accept ..." > You are right that OVMF can boot with 128MB or 1TB. But that is all DRAM, right? > BIN size should be same, because BIN only includes Runtime/ACPI/Reserved memory. That is no reason to make them different between 128MB and 1TB. > Or do I misunderstand something? Would you please educate me why they are different? This is a great point, and I remember that both of your white papers ("Memory Map and Practices in UEFI BIOS", and "Secure SMM Communication") recommend that only Runtime/ACPI/Reserved memory be tracked by MemoryTypeInfo. That will indeed make the guest RAM size irrelevant. For now, the series that I posted, sticks with the *pre-existent* OVMF practice that boot services data/code too are tracked by MemoryTypeInfo: { EfiACPIMemoryNVS, 0x004 }, { EfiACPIReclaimMemory, 0x008 }, { EfiReservedMemoryType, 0x004 }, { EfiRuntimeServicesData, 0x024 }, { EfiRuntimeServicesCode, 0x030 }, { EfiBootServicesCode, 0x180 }, { EfiBootServicesData, 0xF00 }, { EfiMaxMemoryType, 0x000 } I didn't want to diverge from that practice at once, in the current patch series. I'd like to adopt the recommendation from the white papers -- i.e., stop tracking EfiACPIReclaimMemory, EfiBootServicesCode, and EfiBootServicesData -- as a separate work item. Actually, can you please clarify: the "Secure SMM Communication" does not recommend tracking EfiACPIReclaimMemory, but "Memory Map and Practices in UEFI BIOS" does. So what is the right thing to do, should we continue tracking EfiACPIReclaimMemory? Anyway, let me thank you very much, as I didn't make the connection myself that Runtime/ACPI/Reserved are not expected to *scale* with the guest RAM size, even if the BS and Loader memory footprint of various UEFI applications / drivers could. Cheers! Laszlo > > Thank you > Yao Jiewen > > >> -----Original Message----- >> From: Laszlo Ersek >> Sent: Tuesday, March 10, 2020 9:48 PM >> To: Yao, Jiewen >> Cc: edk2-devel-groups-io ; Ni, Ray >> Subject: Re: WSMT bits >> >> Hi again Jiewen, >> >> On 03/10/20 10:36, Laszlo Ersek wrote: >>> Hi Jiewen, >>> >>> reading the following chapter: >>> >>> https://edk2-docs.gitbooks.io/a-tour-beyond-bios-memory-protection-in- >> uefi-bios/content/memory-protection-in-SMM.html >>> >>> I'm having trouble associating the protection features implemented in >>> edk2 with the various bits in the WSMT (per >>> "MdePkg/Include/IndustryStandard/WindowsSmmSecurityMitigationTable.h"). >>> >>> For example, it seems like the bits a platform sets in the WSMT *might* >>> depend on "PcdCpuSmmRestrictedMemoryAccess". >>> >>> Can someone clarify these please? >>> >>> >>> FWIW, in the edk2-platforms tree, the >>> "Platform/Intel/Vlv2TbltDevicePkg/AcpiPlatform/AcpiPlatform.c" source >>> file sets EFI_WSMT_PROTECTION_FLAGS_FIXED_COMM_BUFFERS and >>> >> EFI_WSMT_PROTECTION_FLAGS_COMM_BUFFER_NESTED_PTR_PROTECTION. >> It does not >>> set EFI_WSMT_PROTECTION_FLAGS_SYSTEM_RESOURCE_PROTECTION. >>> >>> Is this bitmask (from Vlv2TbltDevicePkg) the general pattern that other >>> edk2 platforms with SMM support should expose too, as a starting point? >> >> I have now read another whitepaper from you: >> >> A Tour Beyond BIOS >> Secure SMM Communication in the EFI Developer Kit II >> >> It's a great whitepaper, it answers all my questions. Based on it, I >> think that OVMF should enable all three bits in the WSMT: >> >> (1) BIT0 -- FIXED_COMM_BUFFERS: >> >> (1.1) OVMF uses the standard edk2 SMM infrastructure. Drivers in that >> infrastructure verify that the communication buffers that they receive >> are in permitted regions (no overlap with SMRAM, and resident in >> permitted memory types), via SmmIsBufferOutsideSmmValid(). >> >> (1.2) OVMF contains only one custom SMI handler (which is for CPU >> hotplug). This handler does use normal RAM for a bit of communication >> with hot-added CPUs, but the RAM used for this purpose is allocated as >> reserved memory, and before End-of-Dxe. >> >> Furthermore, TOC-TOU is actively considered and mitigated, as the >> "communication area" is a single byte (a boolean flag), and the design >> considers the OS actively attacking that byte. >> >> (2) BIT1 -- COMM_BUFFER_NESTED_PTR_PROTECTION: >> >> OVMF uses the standard edk2 SMM infra, which validates the targets of >> nested pointers. >> >> The custom SMI handler (for CPU hotplug) does not process pointers that >> arrive from an untrusted context. >> >> (3) BIT2 -- SYSTEM_RESOURCE_PROTECTION: >> >> This bit is defined somewhat unclearly, but OVMF does lock both TSEG, >> and the QEMU-specific "SMRAM at default SMBASE", at SmmReadyToLock. See >> e.g. commit 9108fc17b09c ("OvmfPkg/SmmAccess: close and lock SMRAM at >> default SMBASE", 2020-02-05). >> >> So I think OVMF should install the WSMT, and set all three bits. >> >> >> However, there's a catch, for (1) FIXED_COMM_BUFFERS: >> >> (1.3) While OVMF produces a Memory Type Information HOB, it is not >> *adaptive*. >> >> I'm not sure what the whitepaper suggests: >> >> (1.3.1) that the HOB exist (because then released / unused BINs will >> never become usable memory in the final memory map), >> >> (1.3.2) or that BINs should actually accommodate all the allocations (so >> that no runtime memory is reallocated *ever*). >> >> Because, in the non-adaptive approach (1.3.1), what happens if there is >> a RuntimeData reallocation after End-of-Dxe, but even the *previous* >> allocation (that's now getting released) used to live outside of a BIN? >> >> Unfortunately, enabling the adaptive Memory Type Information (1.3.2) for >> OVMF is challenging, due to >> . OVMF can be >> booted with 128 MiB RAM and 1 TiB RAM just the same, and so a platform >> PEIM cannot tell, in advance, what is a valid Memory Type Information >> variable that the DXE core will accept, vs. an invalid Memory Type >> Information variable that the DXE core will reject (and hang upon, due >> to BIN priming failure). >> >> Thanks >> Laszlo >