From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: Konstantin Kostiuk <kkostiuk@redhat.com>
Cc: "devel@edk2.groups.io" <devel@edk2.groups.io>,
Yan Vugenfirer <yvugenfi@redhat.com>,
Ard Biesheuvel <ardb+tianocore@kernel.org>,
"Gerd Hoffmann" <kraxel@redhat.com>
Subject: Re: [edk2-devel] [PATCH 1/2] OvmfPkg: Add VirtHstiDxe driver
Date: Thu, 14 Mar 2024 12:05:28 +0000 [thread overview]
Message-ID: <MW4PR11MB58725DFAE7F731F4217232718C292@MW4PR11MB5872.namprd11.prod.outlook.com> (raw)
In-Reply-To: <CAPMcbCqGiuejoXjAY8HFRGUhEMf3gBMPxEOwE-18+ww-qZjXvQ@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 9110 bytes --]
I agree that not all bits make sense to virtual machine.
However, I do see some bits should be there if we really want to add HSTI to report security propery.
Please take a look at the HSTI spec - https://learn.microsoft.com/en-us/windows-hardware/test/hlk/testref/hardware-security-testability-specification
For example:
Do you use RSA 2048 and SHA256 only (or higher but not lower than this)
Compatibility Support Modules (CSM)
Firmware Code must be present in protected storage
Secure firmware update process
Do you have backdoors to override SecureBoot
Protection from internal and external DMA
Another question: I notice you report platform as “Intel(R) 9-Series v1”.
Is that right configuration for current OVMF?
I think there is some configuration detection, such as https://github.com/tianocore/edk2/blob/master/OvmfPkg/PlatformPei/Platform.c.
All in all, I don’t think it is a right way to provide an *empty* one just to pass the SVVP.
That totally looses the value to having HSTI in the SVVP program.
I recommend we provide a real HSTI based on the OVMF threat model (without and with configuration computing) and current real implementation.
Thank you
Yao, Jiewen
From: Konstantin Kostiuk <kkostiuk@redhat.com>
Sent: Thursday, March 14, 2024 7:43 PM
To: Yao, Jiewen <jiewen.yao@intel.com>
Cc: devel@edk2.groups.io; Yan Vugenfirer <yvugenfi@redhat.com>; Ard Biesheuvel <ardb+tianocore@kernel.org>; Gerd Hoffmann <kraxel@redhat.com>
Subject: Re: [PATCH 1/2] OvmfPkg: Add VirtHstiDxe driver
On Thu, Mar 14, 2024 at 12:28 PM Yao, Jiewen <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>> wrote:
Question: What is the value to provide an *empty* HSTI table?
IMHO, If the goal is to perform some security check, I think we need provide a *real* HSTI table.
HSTI is very vendor-specific and depends on features that a vendor supports. Looking at
the HSTI spec a lot of the bits don't make sense for virtual machines. Some feature depends on
hardware configuration and this check is a dummy in a virtual environment.
So, the main goal is to pass Microsoft SVVP with OVMF+QEMU.
Best Regards,
Konstantin Kostiuk.
Thank you
Yao, Jiewen
> -----Original Message-----
> From: Konstantin Kostiuk <kkostiuk@redhat.com<mailto:kkostiuk@redhat.com>>
> Sent: Thursday, March 14, 2024 6:25 PM
> To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>
> Cc: Yan Vugenfirer <yvugenfi@redhat.com<mailto:yvugenfi@redhat.com>>; Ard Biesheuvel
> <ardb+tianocore@kernel.org<mailto:ardb%2Btianocore@kernel.org>>; Yao, Jiewen <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>; Gerd
> Hoffmann <kraxel@redhat.com<mailto:kraxel@redhat.com>>
> Subject: [PATCH 1/2] OvmfPkg: Add VirtHstiDxe driver
>
> The driver provides empty HSTI table.
>
> Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com<mailto:kkostiuk@redhat.com>>
> ---
> OvmfPkg/VirtHstiDxe/VirtHstiDxe.c | 75 +++++++++++++++++++++++++++++
> OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf | 64 ++++++++++++++++++++++++
> 2 files changed, 139 insertions(+)
> create mode 100644 OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
> create mode 100644 OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
>
> diff --git a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
> b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
> new file mode 100644
> index 0000000000..b9ed189f33
> --- /dev/null
> +++ b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
> @@ -0,0 +1,75 @@
> +/** @file
>
> + This file contains DXE driver for publishing empty HSTI table
>
> +
>
> +Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>
>
> +Copyright (c) 2024, Red Hat. Inc
>
> +
>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +
>
> +**/
>
> +
>
> +#include <PiDxe.h>
>
> +#include <Library/BaseLib.h>
>
> +#include <Library/DebugLib.h>
>
> +#include <Library/BaseMemoryLib.h>
>
> +#include <Library/MemoryAllocationLib.h>
>
> +#include <Library/UefiBootServicesTableLib.h>
>
> +#include <Library/UefiLib.h>
>
> +#include <IndustryStandard/Hsti.h>
>
> +#include <Library/HstiLib.h>
>
> +
>
> +#define HSTI_PLATFORM_NAME L"Intel(R) 9-Series v1"
>
> +#define HSTI_SECURITY_FEATURE_SIZE 1
>
> +
>
> +ADAPTER_INFO_PLATFORM_SECURITY mHstiBase = {
>
> + PLATFORM_SECURITY_VERSION_VNEXTCS,
>
> + PLATFORM_SECURITY_ROLE_PLATFORM_REFERENCE,
>
> + { HSTI_PLATFORM_NAME },
>
> + HSTI_SECURITY_FEATURE_SIZE,
>
> +};
>
> +
>
> +/**
>
> + The driver's entry point.
>
> +
>
> + @param[in] ImageHandle The firmware allocated handle for the EFI image.
>
> + @param[in] SystemTable A pointer to the EFI System Table.
>
> +
>
> + @retval EFI_SUCCESS The entry point is executed successfully.
>
> + @retval other Some error occurs when executing this entry point.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +VirtHstiDxeEntrypoint (
>
> + IN EFI_HANDLE ImageHandle,
>
> + IN EFI_SYSTEM_TABLE *SystemTable
>
> + )
>
> +{
>
> + EFI_STATUS Status;
>
> +
>
> + // Allocate memory for HSTI struct
>
> + // 3 * sizeof (UINT8) * HSTI_SECURITY_FEATURE_SIZE is for the 3 arrays
>
> + // UINT8 SecurityFeaturesRequired[];
>
> + // UINT8 SecurityFeaturesImplemented[];
>
> + // UINT8 SecurityFeaturesVerified[];
>
> + // sizeof (CHAR16) is for the NULL terminator of ErrorString
>
> + // CHAR16 ErrorString[]
>
> + UINTN HstiSize = sizeof (ADAPTER_INFO_PLATFORM_SECURITY) +
>
> + 3 * sizeof (UINT8) * HSTI_SECURITY_FEATURE_SIZE +
>
> + sizeof (CHAR16);
>
> + VOID *HstiStruct = AllocateZeroPool (HstiSize);
>
> +
>
> + if (HstiStruct == NULL) {
>
> + return EFI_OUT_OF_RESOURCES;
>
> + }
>
> +
>
> + CopyMem (HstiStruct, &mHstiBase, sizeof
> (ADAPTER_INFO_PLATFORM_SECURITY));
>
> +
>
> + Status = HstiLibSetTable (HstiStruct, HstiSize);
>
> + if (EFI_ERROR (Status)) {
>
> + if (Status != EFI_ALREADY_STARTED) {
>
> + ASSERT_EFI_ERROR (Status);
>
> + }
>
> + }
>
> +
>
> + return EFI_SUCCESS;
>
> +}
>
> diff --git a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
> b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
> new file mode 100644
> index 0000000000..270aa60026
> --- /dev/null
> +++ b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
> @@ -0,0 +1,64 @@
> +## @file
>
> +# Component description file for Virt Hsti Driver
>
> +#
>
> +# Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>
>
> +# Copyright (c) Microsoft Corporation.<BR>
>
> +# Copyright (c) 2024, Red Hat. Inc
>
> +#
>
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +#
>
> +##
>
> +
>
> +[Defines]
>
> + INF_VERSION = 0x00010005
>
> + BASE_NAME = VirtHstiDxe
>
> + FILE_GUID = 60740CF3-D428-4500-80E6-04A5798241ED
>
> + MODULE_TYPE = DXE_DRIVER
>
> + VERSION_STRING = 1.0
>
> + ENTRY_POINT = VirtHstiDxeEntrypoint
>
> +
>
> +################################################################
> ################
>
> +#
>
> +# Sources Section - list of files that are required for the build to succeed.
>
> +#
>
> +################################################################
> ################
>
> +
>
> +[Sources]
>
> + VirtHstiDxe.c
>
> +
>
> +################################################################
> ################
>
> +#
>
> +# Package Dependency Section - list of Package files that are required for
>
> +# this module.
>
> +#
>
> +################################################################
> ################
>
> +
>
> +[Packages]
>
> + MdePkg/MdePkg.dec
>
> +
>
> +################################################################
> ################
>
> +#
>
> +# Library Class Section - list of Library Classes that are required for
>
> +# this module.
>
> +#
>
> +################################################################
> ################
>
> +
>
> +[LibraryClasses]
>
> + UefiDriverEntryPoint
>
> + UefiLib
>
> + BaseLib
>
> + BaseMemoryLib
>
> + MemoryAllocationLib
>
> + DebugLib
>
> + HstiLib
>
> + UefiBootServicesTableLib
>
> +
>
> +################################################################
> ################
>
> +#
>
> +# Protocol C Name Section - list of Protocol and Protocol Notify C Names
>
> +# that this module uses or produces.
>
> +#
>
> +################################################################
> ################
>
> +
>
> +[Depex]
>
> + TRUE
>
> --
> 2.44.0
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#116750): https://edk2.groups.io/g/devel/message/116750
Mute This Topic: https://groups.io/mt/104923813/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-
[-- Attachment #2: Type: text/html, Size: 17792 bytes --]
next prev parent reply other threads:[~2024-03-14 12:05 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-14 10:24 [edk2-devel] [PATCH 0/2] OvmfPkg: Implement minimal HSTI driver Konstantin Kostiuk
2024-03-14 10:24 ` [edk2-devel] [PATCH 1/2] OvmfPkg: Add VirtHstiDxe driver Konstantin Kostiuk
2024-03-14 10:27 ` Yao, Jiewen
2024-03-14 11:43 ` Konstantin Kostiuk
2024-03-14 12:05 ` Yao, Jiewen [this message]
2024-03-15 11:29 ` Gerd Hoffmann
2024-03-14 10:24 ` [edk2-devel] [PATCH 2/2] OvmfPkg: Add VirtHstiDxe to OVMF firmware build Konstantin Kostiuk
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=MW4PR11MB58725DFAE7F731F4217232718C292@MW4PR11MB5872.namprd11.prod.outlook.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox