Re: [edk2-devel] TianoCore Community Design Meeting Minutes - Feb 21, 2020

["Wang, Sunny (HPS SW)" <sunnywang@hpe.com>]

Sorry for not making any progress since last meeting.
Sure! I will work on enhancing the variable policy to support partial protection and recovery. However, the update will be late because I need to first deal with other urgent stuff.
By the way, thanks for giving a lot of valuable comments at our offline discussion, Ray.  :)

Regards,
Sunny Wang

-----Original Message-----
From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of Ni, Ray
Sent: Wednesday, March 4, 2020 11:46 AM
To: Sean Brogan <sean.brogan@microsoft.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wang, Sunny (HPS SW) <sunnywang@hpe.com>
Cc: Ni, Ray <ray.ni@intel.com>; devel@edk2.groups.io
Subject: Re: [edk2-devel] TianoCore Community Design Meeting Minutes - Feb 21, 2020

Variable policy works well on protecting a whole variable.
But the BootOrder in Sunny's case may require a partial protection, which means portion of the variable buffer needs to be read-only.
Today's variable policy proposal doesn't take this into consideration.
If we could enhance variable policy to support partial protection, @Sunny can you please check whether it can meet your requirement?

The enhancement I think of is: Introduce two fields to the policy structure Offset and Length.
Offset (-1) indicates a whole variable protection.
Offset (>= 0) indicates a partial variable protection and the protection range starts from Offset with Length bytes.

This enhancement is also useful when some policy fields inside a big policy structure needs to be read-only.
Protecting multiple discontinuous ranges of  a variable can be achieved by adding multiple policy entries with different Offset/Length.


Thanks,
Ray

> -----Original Message-----
> From: announce@edk2.groups.io <announce@edk2.groups.io> On Behalf Of 
> Ni, Ray
> Sent: Friday, February 21, 2020 5:17 PM
> To: announce@edk2.groups.io
> Subject: [edk2-announce] TianoCore Community Design Meeting Minutes - 
> Feb 21, 2020
> 
> OPEN:
>   Today's meeting is using Zoom because of the long latency using BlueJeans.
>   The URL to join meeting is changed. Make sure to check https://edk2.groups.io/g/devel/calendar  for details.
>   We will try Zoom for next meeting as well. If everything is good, we will continue to use Zoom.
> 
> 1. Platform Libraries for Supporting UEFI Variable Resiliency (HPE)
> Presenter: Sunny Wang
> Slides:
> INVALID URI REMOVED
> devel_files_Designs_2020_0221_Platform-2520Libraries-2520for-2520Suppo
> rting-2520UEFI-2520Variable-25&d=DwIFAg&c=C5b8zRQO1miGmBeVZ2LFWg&r=Z9c
> LgEMdGZCI1_R0bW6KqOAGzCXLJUR24f8N3205AYw&m=U5okqrn3H585vxU4GwALnIBwi0s
> 0dQ0hYIDuFj2z-4Y&s=oG0quXKBZu3XD7Drm04CsF445C8kfOGOJGzeqACJxAA&e=
> 20Resiliency.pdf
> 
> Problem: Support UEFI variable resiliency to compliant to security 
> related guidelines and requirements. #page 2
> 
> Locking BootOrder causes issues in OSes which is not acceptable.
> EDKII is lack of interfaces for adding platform variable protection.
> Today's presentation is to propose a solution.
> Basic rule of how variable resiliency manages BootOrder changes: #5-#6
> - Put down untrusted changes
> - Keep trusted changes
> 
> @Mike: Where is the reference data stored?
> @Sunny: In BMC.
> 
> <Can variable policy protocol help?>
> @Mike: Would like to see a small enhancement in variable policy protocol proposed by Microsoft to meet your case.
> @Sunny: I checked the variable policy proposal by Microsoft. Using that might be complicated.
> @Sean: We (Microsoft) have looked this. Variable hook in DXE phase not 
> in SMM is a security hole. Don't like the way of managing BootOrder by 
> allowing OS to change BootOrder and reverting. Boot#### may contain critical data for OS and reverting that may cause troubles.
> @Sunny: I cannot think of solutions for OS runtime change.
> 
> <Problem discussion>
> @Mike: I would break the big problem to 3 smaller ones:
>    1. variable data corruption
>         It requires a way to detect corruption and recovery.
>    2. critical platform variables
>         It usually requires a lock mechanism and variable policy proposal is more general for this protection.
>    3. UEFI variables with multiple producers
>         How to protect them could be a topic for USWG.
> @Sean: The scope of the problem discussed in this presentation is 
> huge. Can a platform module run at a different point of time to manage the variable storage instead of using hook way?
> @Sunny: BootOrder is just one of the variables that need protection.
> 
> <Can using a separate platform module instead of hooking help?>
> @Mike: Using a separate platform module might be better because it 
> will also check the variables not changed by firmware.
> @Sean: PEI modules may access the wrong data modified by untrusted entity.
> @Ray: Is the protection based on not just the variable GUID/name, but also who requests the change?
> @Sunny: Yes. Following sides (#page 10+) will talk about protection from non-trusted entity.
> @Ray: Let's move to email discussion first. Identify the scope of the problem first.
> 
> Thanks,
> Ray
> 
>