From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) by mx.groups.io with SMTP id smtpd.web10.469.1671246892289000188 for ; Fri, 16 Dec 2022 19:14:52 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=YfwO1tC7; spf=pass (domain: intel.com, ip: 134.134.136.20, mailfrom: jiewen.yao@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1671246892; x=1702782892; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=0jw30F26ytNaep8cfaxxfVu66bk+5c84Hypq9WwJ+30=; b=YfwO1tC7vFPPwPjSlTLkq4wRW/8ag12JGTGy2C9soyxpoS+y6j3SBbbo sK2T04KXXhU8QNMlUhsWYSiyAfjdvXElqDIg/43dlFT5MtwW5T2L70H2g ODuRMMiecrS5kWvaEMSemnrGLiyyDPivbQnwYUQm7MTVBWJDSXkpqrhFh qTir/hXLpiLZG3NNMUq11ZHKz/+cwT2HUaSIpuN+wNJyZTW0XME6T3F2o /0FrmKUk2jGjBRzN23FXhRSZhiGHMGjKMK2FR07FA1nOOSfzYKVia1uUR FSrCk5SgPLXtj8Cnlu4Pr+D8HwTuduLZxAvWVWmcrCvFUsunAaLNy2UT9 A==; X-IronPort-AV: E=McAfee;i="6500,9779,10563"; a="306774724" X-IronPort-AV: E=Sophos;i="5.96,252,1665471600"; d="scan'208";a="306774724" Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by orsmga101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 16 Dec 2022 19:14:51 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6500,9779,10563"; a="792294365" X-IronPort-AV: E=Sophos;i="5.96,252,1665471600"; d="scan'208";a="792294365" Received: from fmsmsx603.amr.corp.intel.com ([10.18.126.83]) by fmsmga001.fm.intel.com with ESMTP; 16 Dec 2022 19:14:51 -0800 Received: from fmsmsx610.amr.corp.intel.com (10.18.126.90) by fmsmsx603.amr.corp.intel.com (10.18.126.83) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.16; Fri, 16 Dec 2022 19:14:50 -0800 Received: from fmsmsx610.amr.corp.intel.com (10.18.126.90) by fmsmsx610.amr.corp.intel.com (10.18.126.90) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.16; Fri, 16 Dec 2022 19:14:50 -0800 Received: from FMSEDG603.ED.cps.intel.com (10.1.192.133) by fmsmsx610.amr.corp.intel.com (10.18.126.90) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.16 via Frontend Transport; Fri, 16 Dec 2022 19:14:50 -0800 Received: from NAM04-MW2-obe.outbound.protection.outlook.com (104.47.73.169) by edgegateway.intel.com (192.55.55.68) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.16; Fri, 16 Dec 2022 19:14:50 -0800 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=GFoj5OLc0N6HML0fZNTgC7DZl/I+CkkZrP9t+nf3PpkXlVzQ/AMKCCqodcRtV5iBa8d99+bgUPqKnE3e5q8/0YXd1APTF0/fGxzWAsgw6LfNWzyBisNtDbWQrp2Baax+Op5cO71bnMTWmy5UIRSDKdbVFtaR7hFww/2T306Yz2D1nPI4dhipjEdRPCi1ZrUFtH5rL+at8um+zzGP7JhfkeJK53vQ9MqPHawxoXfTOq2P07EuoPndCap8Cfa//5aYwF3LaFHPBUqx7aaMr9N+p+htS9xdgEqEMR5p/rtac0t03L9h2lhQn1aFBDpp3QsEDsky8Zc8PKXBJ/wZ23YEDg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=k7F+0yC7vtRSy2dfzOyRGwcE/X5G5Bu6GyBPJQkcg8s=; b=FrTrdOFSYM7ug3O1wSQGFY5ZfoVqSZhPhI4r28dQrGup28dq55nYEEsJGVr0K8T3cHnkfZmwkBb8+c0Ilnhv+XRaeKA2JxzpMXtwRIzolR/UkwgCQdLzVRxK03xBsJcwKYMopFlw4aTT18xdmCxgr5D85mPUHnNj237Rw1C5bsovF0cgHtW+kfknQxMS9f53CnUt+Z7Yt/Ramd+ZpK22o1ZcG0rpr9eteNhy+vMRlAcTwf7jylnXIRuWhDlO1Xe55XpJQXgx8GG2xKUqr7TRfcJ2ekdvaT4UEALjwb9R25V3j75gP3V90Hr6UhevHh8rqaX37Vn9LBNm9U09uTMTsA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none Received: from MW4PR11MB5872.namprd11.prod.outlook.com (2603:10b6:303:169::14) by CY5PR11MB6284.namprd11.prod.outlook.com (2603:10b6:930:20::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5880.19; Sat, 17 Dec 2022 03:14:48 +0000 Received: from MW4PR11MB5872.namprd11.prod.outlook.com ([fe80::5f56:1bdc:2eae:c041]) by MW4PR11MB5872.namprd11.prod.outlook.com ([fe80::5f56:1bdc:2eae:c041%7]) with mapi id 15.20.5924.012; Sat, 17 Dec 2022 03:14:48 +0000 From: "Yao, Jiewen" To: "devel@edk2.groups.io" , "Yao, Jiewen" , Gerd Hoffmann CC: "Justen, Jordan L" , Ard Biesheuvel , Oliver Steffen , "Pawel Polawski" Subject: Re: [edk2-devel] [PATCH 1/1] OvmfPkg/QemuFlashFvbServicesRuntimeDxe: add security warning Thread-Topic: [edk2-devel] [PATCH 1/1] OvmfPkg/QemuFlashFvbServicesRuntimeDxe: add security warning Thread-Index: AQHZETbWM5zr0lwsBkqfXhaXhHkp1K5xYs9QgAAFw8A= Date: Sat, 17 Dec 2022 03:14:48 +0000 Message-ID: References: <20221216101134.2201546-1-kraxel@redhat.com> <173175F495CB0C1B.6312@groups.io> In-Reply-To: <173175F495CB0C1B.6312@groups.io> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=intel.com; x-ms-publictraffictype: Email x-ms-traffictypediagnostic: MW4PR11MB5872:EE_|CY5PR11MB6284:EE_ x-ms-office365-filtering-correlation-id: 089261f8-4589-44bf-743f-08dadfdcdaea x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: 9dlRj1w1lkPneZz8sG2dAsEIQ5SZGzHuEJQNuhpKi182Qf+1w8/LffwWvDNKoW9mVFy55Gd9J3FqK6NBQiYCcLghU4xjPOEqqLSpuED3VBuYvfouEPk5CzJkANOtOmXvcWeDAe2NOQylnQaDK7yB1HckgeSYEC8Qa+xi6C1zSkWl3I/vI6Zkt8UkkPe1WwioM04owPvMtzv5qI0SR9rgVlKp43eyqBPAHySoHDKjlEucIQCy64aVwuO4QJLzs/s9VAX/GoazKrREPmIbWNn9e/o5mo6OhYd0NIwqDfJIgyX89jwkdgbbx6mAl8KAQmA4yYsx3NZdHa3vUJnP0neE400k4JLVWOCjShE7bhIDC+ukRrRIk64zFYWPUqw5bDjGkgGdqb9FkYevbHhsAeSEF27HnKIRYGV2d2t4gXJNbCqp0U5vo8JAmfSyqvi314H/wqpuRpytMnofQJGDCsYVhMP+JvKjQRFTHit0vtnns/f5M4MfPkTQgoyGD9gbx9GbqBvF3F6KbhRAbEMn+VKTZgWvfGlDRA2pJaMCuDxVJ90pCgrW0wJdsll60DGVsx1zufN42HgNtVms2F3kaa2FRgbqTEhGGuiQDY7ZhwSVcQKyhoS3E/VuYJm43NWiQ48kx6W8qXWfCI5SF59YeALmx7eXTwE5oIrMWlbI6qwwmR6/4kfWujzYrVwHADzEvBnT0O1PTVXP5WmHi7ZVTUR22TPLsjwnXasGwhqB0QWmiGgbk/abLpR0w4fRwzwCHCprZXuhIPgMfFsyHxB9yyyLsj1cfk5zYjAY8O+yUACfgX0= x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:MW4PR11MB5872.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230022)(39860400002)(376002)(396003)(346002)(136003)(366004)(451199015)(38070700005)(55016003)(122000001)(38100700002)(186003)(15650500001)(82960400001)(2906002)(66899015)(8676002)(5660300002)(66556008)(71200400001)(966005)(66446008)(4326008)(26005)(66476007)(86362001)(33656002)(64756008)(9686003)(52536014)(8936002)(41300700001)(110136005)(83380400001)(54906003)(7696005)(478600001)(76116006)(6506007)(66946007)(316002)(53546011)(213903007);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?UYVEhNDSMFrdcW2gKBvgw2BbXbIsbMbQyvAtq7uUx9d8G+1f9w5Q2A1LP6xl?= =?us-ascii?Q?JhWbSLeZeZKJdWvo5ZVhfT/KJ5q9weLKsI0K2YIgy7nhUDk1wxIgdWp2UrZQ?= =?us-ascii?Q?8s9CxKulPB6OBi0+aV016SzM5ljvsQHNldefIHMCNz11PcbyZ49J7qcir5P8?= =?us-ascii?Q?AJw5qeOZDPVERtWWdGTPtYbMqjB5GGmD+/SpjL4KPy3P+65lI/sF837jnNKF?= =?us-ascii?Q?PgOsv2U4k6v/cNYrY9A+StBpRWUYOkFFYUAdjEm073NRboxKFr4gTHbRfKcM?= =?us-ascii?Q?UG3cUD0QmMDDdUorZqz9i+XO9J0E2Ul2U7F/6FJg3fsKQh2vCak5DZG43Z6H?= =?us-ascii?Q?+GDeX4nZwtAQsBo/Kx1rC4ItFIm+wm4zBz4GArs5SRs0uKdMTuZymi5RIqvB?= =?us-ascii?Q?qK7+veW2lYbaPLgZixFz6nOgRYQ6hPrNuBgLMGJjv2X/IBrSMh5itZmjqfKc?= =?us-ascii?Q?ZTnRtd6M3KFTz05QqtilM7/2SkMeJm+KuzWQ+wIZsZpk6ag3Bla7qpdfDNR0?= =?us-ascii?Q?xqOvQNpM4se7b1Xac6TedKTCiqr7ifp+6Bi7k6KfwE8OOkDTAeDPtI2rYWah?= =?us-ascii?Q?o974UmryGNElP0vh5/QHlIi/SvELfoiW1HwuiOVt+7WfR9aun5ftetiw+cEo?= =?us-ascii?Q?8Sdayrqq4dDKKGj30c5JX62XXR09SSUY2UAn2jdXbCR/te7oaBUs0WgTyuqI?= =?us-ascii?Q?mrDop/etXmtQZ69CQyaMoprWHSMCYtkmOQmAahr3Z5qY9fKQBKPtAJqVV8aW?= =?us-ascii?Q?pW8hB5TH58U9KOWDqbr1FZclzU4FNO1MBl/dVkLvlFl7rSv4FyKg+mghAmtt?= =?us-ascii?Q?msQPBJywFXM9Nv0ukilTKX5dku8sXzvHfCBoki0AMPA4vcpP9Pz9gffOIpTa?= =?us-ascii?Q?2+LjELU7syUfNDRQ04aNq5G1wjvuQC/tIOTXs3XrDvJAd7XqZpLqS2NBTgje?= =?us-ascii?Q?4+UJ3uC/OYMgjgv2MGyHNtRJhfbqGskSuqFdX4q/ApDHkXNJhr12osiXpeFk?= =?us-ascii?Q?7DLgJbM02hrudIGrDLbh+VVobUpXffNjkYbOs6crioaIPBWGNrzu/rEeaDmk?= =?us-ascii?Q?7shfqpXqGFlnN3qakx2C6CksQ9SUGFsszimzhi4xeLgOfemGBGAhcvyN2Qhk?= =?us-ascii?Q?O8Rj0wpnfQy0bANG87LKp5f09avyBVxqDa3WWFPUkzu05QUXC43NAHh78dtl?= =?us-ascii?Q?JwhzJ8f4xC+6qWPJWR78eTUbOI4xuj8OY9JDQpDWKqBOW+tHcmxnZDBNQbty?= =?us-ascii?Q?tOclTvDAEH6oetFvrwFGOFtfOrF2GcR9R3PlvasES01tlmSucMsWEbCqkUuJ?= =?us-ascii?Q?N9F/wuSXQ8UR82ppuIu0jKdx6ghxVAnqHzwS6+i5BUYkJpAAz+lR+iae/4yH?= =?us-ascii?Q?xF3AkYD6AbHa04reUF3yxJxD8de9spUeO74WeL7px8oa0MwVw62LmPC0m2EC?= =?us-ascii?Q?n7D8XuksE0AeTbPZPpvXIaWD5YAjDXfMMwXsjZdFhqMhSDY9iS9E+awfH0jZ?= =?us-ascii?Q?tu7JzHsJiVGlRISCoJF2U9CHXYC15/JiCEVZQ0HdzcQE5KrGDlTXbSvmkDkO?= =?us-ascii?Q?MKVmopEKH+dCQhPt0qankP3PLv4dzG+l7TXqKIen?= MIME-Version: 1.0 X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: MW4PR11MB5872.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 089261f8-4589-44bf-743f-08dadfdcdaea X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Dec 2022 03:14:48.4475 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: Md/WOz7cJywGkHBRAXcGbQHsXV4RFHcW/oNeSWRDWdvE0f1GVdvcxi6FrsEQ0T9xA+ot9f34wPnZzlfyup1Xaw== X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY5PR11MB6284 Return-Path: jiewen.yao@intel.com X-OriginatorOrg: intel.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sorry, fix typo: 2. With reason above, I feel that adding comment in the code might not be t= he best idea, because it is so simple that it will easily introduce misunde= rstanding and confusing. > -----Original Message----- > From: devel@edk2.groups.io On Behalf Of Yao, > Jiewen > Sent: Saturday, December 17, 2022 11:10 AM > To: Gerd Hoffmann ; devel@edk2.groups.io > Cc: Justen, Jordan L ; Ard Biesheuvel > ; Oliver Steffen ; Pawel > Polawski > Subject: Re: [edk2-devel] [PATCH 1/1] > OvmfPkg/QemuFlashFvbServicesRuntimeDxe: add security warning >=20 > Hi Gerd > I would like to clarify a couple of things: >=20 > 1) "Using these builds with writable flash is not secure." >=20 > Whenever we say "secure" or "not secure", we need align the threat model > at first. > What component is trusted? Which is not trusted? Who is adversary? With > which capability? Under which attack scenario? >=20 > Sometimes, we also say: "UEFI secure boot is not secure", because it cann= ot > resist the offline hardware attack the flash chip. > We only say "UEFI secure boot can resist the system software attack." >=20 > Also many time, we need debate if DOS attack is in scope or not. >=20 > If we are going to say something like that, we need a full description. J= ust > saying: "not secure" is not enough. >=20 > 2) With reason above, I feel that adding comment in the code might not be > the best idea, because it is too simple to introduce misunderstanding and > confusing. > Can we add better description in readme? Such as > https://github.com/tianocore/edk2/blob/master/OvmfPkg/README >=20 > 3) What is definition of "stateless secure boot configuration" ? > What does you mean "stateless"? Do you mean "SMM_REQUIRE=3DFALSE" or > something else? > Then why not call it as simple as "secure boot without SMM" ? > I don't understand how "SMM_REQUIRE=3DFALSE" will contribute "stateless". >=20 > I hope we can clarify the terminology if we choose 2). >=20 > 4) What is the purpose of "Log a warning" ? > Is that to tell people, DON'T DO IT? > Or is that to tell people, you may play with it by yourself, but don't us= e it a > production? > Or something else? >=20 > I think we need give a clear answer after we clarify the threat model. > Otherwise, a WARNING just adds confusing, IMHO. >=20 > Thank you > Yao Jiewen >=20 >=20 > > -----Original Message----- > > From: Gerd Hoffmann > > Sent: Friday, December 16, 2022 6:12 PM > > To: devel@edk2.groups.io > > Cc: Justen, Jordan L ; Gerd Hoffmann > > ; Ard Biesheuvel ; > Oliver > > Steffen ; Pawel Polawski ; > > Yao, Jiewen > > Subject: [PATCH 1/1] OvmfPkg/QemuFlashFvbServicesRuntimeDxe: add > > security warning > > > > OVMF builds in stateless secure boot configuration > > (SECURE_BOOT_ENABLE=3DTRUE + SMM_REQUIRE=3DFALSE) are expected to > use > > the > > emulated variable store (EmuVariableFvbRuntimeDxe) with the store being > > re-initialized on each reset (see PlatformInitEmuVariableNvStore()) > > > > Using these builds with writable flash is not secure. Log a warning > > message saying so in case we find such a configuration. > > > > Signed-off-by: Gerd Hoffmann > > --- > > OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c | 5 > +++++ > > 1 file changed, 5 insertions(+) > > > > diff --git > a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c > > b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c > > index 61e1f2e196e5..ab7154685424 100644 > > --- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c > > +++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c > > @@ -57,6 +57,11 @@ InstallProtocolInterfaces ( > > NULL > > ); > > ASSERT_EFI_ERROR (Status); > > + #ifdef SECURE_BOOT_FEATURE_ENABLED > > + DEBUG ((DEBUG_WARN, "This build is configured for stateless secure > > boot.\n")); > > + DEBUG ((DEBUG_WARN, "Using this build with writable flash is NOT > > secure.\n")); > > + // should we ASSERT(0) here? > > + #endif > > } else if (IsDevicePathEnd (FvbDevice->DevicePath)) { > > // > > // Device already exists, so reinstall the FVB protocol > > -- > > 2.38.1 >=20 >=20 >=20 >=20 >=20