From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>,
"Yao, Jiewen" <jiewen.yao@intel.com>,
Gerd Hoffmann <kraxel@redhat.com>
Cc: "Justen, Jordan L" <jordan.l.justen@intel.com>,
Ard Biesheuvel <ardb+tianocore@kernel.org>,
Oliver Steffen <osteffen@redhat.com>,
"Pawel Polawski" <ppolawsk@redhat.com>
Subject: Re: [edk2-devel] [PATCH 1/1] OvmfPkg/QemuFlashFvbServicesRuntimeDxe: add security warning
Date: Sat, 17 Dec 2022 03:14:48 +0000 [thread overview]
Message-ID: <MW4PR11MB58723C3F71C4D5A1AED93FB48CE79@MW4PR11MB5872.namprd11.prod.outlook.com> (raw)
In-Reply-To: <173175F495CB0C1B.6312@groups.io>
Sorry, fix typo:
2. With reason above, I feel that adding comment in the code might not be the best idea, because it is so simple that it will easily introduce misunderstanding and confusing.
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Yao,
> Jiewen
> Sent: Saturday, December 17, 2022 11:10 AM
> To: Gerd Hoffmann <kraxel@redhat.com>; devel@edk2.groups.io
> Cc: Justen, Jordan L <jordan.l.justen@intel.com>; Ard Biesheuvel
> <ardb+tianocore@kernel.org>; Oliver Steffen <osteffen@redhat.com>; Pawel
> Polawski <ppolawsk@redhat.com>
> Subject: Re: [edk2-devel] [PATCH 1/1]
> OvmfPkg/QemuFlashFvbServicesRuntimeDxe: add security warning
>
> Hi Gerd
> I would like to clarify a couple of things:
>
> 1) "Using these builds with writable flash is not secure."
>
> Whenever we say "secure" or "not secure", we need align the threat model
> at first.
> What component is trusted? Which is not trusted? Who is adversary? With
> which capability? Under which attack scenario?
>
> Sometimes, we also say: "UEFI secure boot is not secure", because it cannot
> resist the offline hardware attack the flash chip.
> We only say "UEFI secure boot can resist the system software attack."
>
> Also many time, we need debate if DOS attack is in scope or not.
>
> If we are going to say something like that, we need a full description. Just
> saying: "not secure" is not enough.
>
> 2) With reason above, I feel that adding comment in the code might not be
> the best idea, because it is too simple to introduce misunderstanding and
> confusing.
> Can we add better description in readme? Such as
> https://github.com/tianocore/edk2/blob/master/OvmfPkg/README
>
> 3) What is definition of "stateless secure boot configuration" ?
> What does you mean "stateless"? Do you mean "SMM_REQUIRE=FALSE" or
> something else?
> Then why not call it as simple as "secure boot without SMM" ?
> I don't understand how "SMM_REQUIRE=FALSE" will contribute "stateless".
>
> I hope we can clarify the terminology if we choose 2).
>
> 4) What is the purpose of "Log a warning" ?
> Is that to tell people, DON'T DO IT?
> Or is that to tell people, you may play with it by yourself, but don't use it a
> production?
> Or something else?
>
> I think we need give a clear answer after we clarify the threat model.
> Otherwise, a WARNING just adds confusing, IMHO.
>
> Thank you
> Yao Jiewen
>
>
> > -----Original Message-----
> > From: Gerd Hoffmann <kraxel@redhat.com>
> > Sent: Friday, December 16, 2022 6:12 PM
> > To: devel@edk2.groups.io
> > Cc: Justen, Jordan L <jordan.l.justen@intel.com>; Gerd Hoffmann
> > <kraxel@redhat.com>; Ard Biesheuvel <ardb+tianocore@kernel.org>;
> Oliver
> > Steffen <osteffen@redhat.com>; Pawel Polawski <ppolawsk@redhat.com>;
> > Yao, Jiewen <jiewen.yao@intel.com>
> > Subject: [PATCH 1/1] OvmfPkg/QemuFlashFvbServicesRuntimeDxe: add
> > security warning
> >
> > OVMF builds in stateless secure boot configuration
> > (SECURE_BOOT_ENABLE=TRUE + SMM_REQUIRE=FALSE) are expected to
> use
> > the
> > emulated variable store (EmuVariableFvbRuntimeDxe) with the store being
> > re-initialized on each reset (see PlatformInitEmuVariableNvStore())
> >
> > Using these builds with writable flash is not secure. Log a warning
> > message saying so in case we find such a configuration.
> >
> > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> > ---
> > OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c | 5
> +++++
> > 1 file changed, 5 insertions(+)
> >
> > diff --git
> a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c
> > b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c
> > index 61e1f2e196e5..ab7154685424 100644
> > --- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c
> > +++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c
> > @@ -57,6 +57,11 @@ InstallProtocolInterfaces (
> > NULL
> > );
> > ASSERT_EFI_ERROR (Status);
> > + #ifdef SECURE_BOOT_FEATURE_ENABLED
> > + DEBUG ((DEBUG_WARN, "This build is configured for stateless secure
> > boot.\n"));
> > + DEBUG ((DEBUG_WARN, "Using this build with writable flash is NOT
> > secure.\n"));
> > + // should we ASSERT(0) here?
> > + #endif
> > } else if (IsDevicePathEnd (FvbDevice->DevicePath)) {
> > //
> > // Device already exists, so reinstall the FVB protocol
> > --
> > 2.38.1
>
>
>
>
>
prev parent reply other threads:[~2022-12-17 3:14 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-16 10:11 [PATCH 1/1] OvmfPkg/QemuFlashFvbServicesRuntimeDxe: add security warning Gerd Hoffmann
2022-12-17 3:10 ` Yao, Jiewen
2022-12-19 8:53 ` Gerd Hoffmann
2022-12-19 14:47 ` [edk2-devel] " Yao, Jiewen
2022-12-20 7:18 ` Gerd Hoffmann
2022-12-21 6:25 ` Yao, Jiewen
[not found] ` <173175F495CB0C1B.6312@groups.io>
2022-12-17 3:14 ` Yao, Jiewen [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=MW4PR11MB58723C3F71C4D5A1AED93FB48CE79@MW4PR11MB5872.namprd11.prod.outlook.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox