Re: [edk2-devel] [PATCH V3 15/29] OvmfPkg: Update SecEntry.nasm to support Tdx

["Yao, Jiewen" <jiewen.yao@intel.com>]

James
I am sorry that it is hard for me to understand your point.

To be honest, I am not sure what is objective on the discussion.
Are you question the general threat model analysis on UEFI PI architecture?
Or are you trying to persuade me we should include PEI in TDVF, because you think it is safer to add code in PEI ?
Or something else?

Please enlighten me that.


Thank you
Yao Jiewen

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of James
> Bottomley
> Sent: Wednesday, November 24, 2021 9:35 PM
> To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>; Gerd
> Hoffmann <kraxel@redhat.com>
> Cc: Xu, Min M <min.m.xu@intel.com>; Ard Biesheuvel
> <ardb+tianocore@kernel.org>; Justen, Jordan L <jordan.l.justen@intel.com>;
> Brijesh Singh <brijesh.singh@amd.com>; Erdem Aktas
> <erdemaktas@google.com>; Tom Lendacky <thomas.lendacky@amd.com>
> Subject: Re: [edk2-devel] [PATCH V3 15/29] OvmfPkg: Update SecEntry.nasm to
> support Tdx
> 
> On Wed, 2021-11-24 at 11:08 +0000, Yao, Jiewen wrote:
> > > -----Original Message-----
> > > From: Gerd Hoffmann <kraxel@redhat.com>
> [...]
> > > There isn't much external input to process in PEI phase.  Virtual
> > > machines are a bit different than physical machines.  They need to
> > > process some input from the host here which describes the virtual
> > > hardware so they can initialize it properly.  For example parse the
> > > etc/e820 fw_cfg file to figure how much memory is installed (or
> > > parse the td hob in case tdx is used).
> > >
> > > That platform-specific code for virtual machine initialization must
> > > do careful sanity checking when you don't want trust the VMM of
> > > course. Whenever that code lives in SEC or PEI doesn't change the
> > > picture much though.
> 
> I don't disagree on this because we don't have a rom root of trust in
> OVMF ... however it matters for most of the rest of edk2
> 
> > [Jiewen] I am not sure what information you are trying to convey.
> > I never said that TDVF don’t need check the input after remove PEI.
> > The check is always needed, no matter in PEI or SEC. I totally agree.
> >
> > However, what I want to say is PEI has much more unnecessary code
> > than SEC.
> > You never know the quality of the those unnecessary code. Maybe it
> > has a security bug, but it is just not triggered.
> > For example, can you guarantee PEI code has not bug? Or DXE IPL has
> > not bug?
> 
> Code removal to thin down the image is orthogonal to the location of
> that code ... I don't think anyone objected to securing the path
> through PEI by reducing unnecessary code; the doubt is that the
> elimination of PEI somehow improves security.
> 
> >
> > What I did is a process of risk management - if PEI is removed, I
> > don’t need care the risk brought by PEI.
> 
> Well, as I said above, you can remove the unnecessary code in PEI (and
> SEC and DXE).  However, once you've done that, you don't eliminate risk
> by removing PEI because all you do is move the necessary code that was
> in PEI to somewhere else.  If you move it to SEC, I agree with Gerd
> that it doesn't alter the security position much because SEC is a low
> exposure domain like PEI.  If you move it to DXE it actually decreases
> your security measurably because DXE is a high exposure security
> domain.
> 
> > Unless you can prove that the risk of PEI is zero, then the risk is
> > there.
> 
> But you don't make it zero by eliminating PEI, you simply move the risk
> elsewhere because the necessary code still has to execute.
> 
> > > > 2. "bugs in PEI code can't be used to exploit the system when it
> > > > has transitioned to the DXE domain."
> > > > [Jiewen] I disagree. A bug in PEI code may already modify the
> > > > HOB, while the HOB is an architecture data input for DXE.
> > > > If DXE relies on some malicious data from PEI, DXE might be
> > > > exploited later.
> > >
> > > Attacking PEI is harder though because the external input it
> > > processes is limited when compared to DXE.
> > >
> > > Once you are transitioned to DXE you can't call into PEI Modules
> > > any more.
> > >
> > > So, how would an attacker trick PEI code into modifying HOBs (or
> > > carrying out other actions under attackers control)?
> >
> > [Jiewen] I would disagree " Attacking PEI is harder though because
> > the external input it processes is limited when compared to DXE "
> > First, the number of extern input != the difficulty of the attack.
> > Second, the number of extern input != the severity of the
> > consequence.
> 
> Attacking PEI is harder than attacking DXE because of the limited
> exposure to external influences. It doesn't mean it can't be done but
> it does mean exploiting the same code can be harder or impossible in
> PEI compared to DXE.
> 
> The key point is there are some classes of bug that can't be exploited
> in PEI because of the limited exposure.  These bugs can be exploited in
> DXE because of the wider exposure.  This is why moving code from DXE to
> PEI increases the risk.
> 
> > On how to trick PEI, if you search the public UEFI BIOS attack
> > history in the web, you can find example.
> > The attack simply used an integer overflow, to cause buffer overflow.
> > And the buffer overflow can be used to inject shellcode, then gain
> > the execution privilege.
> > Finally, it can control the whole system.
> >
> > Modifying HOB is not a difficult task, as long as there is proper
> > vulnerability, being used to gain a memory write.
> >
> > In security world, we always say: Even if you cannot do it, you
> > cannot assume other people cannot do it.
> > Unless you can prove it cannot be done. Otherwise, anything might be
> > possible.
> >
> > That is why people are in favor of crypto notation and formal
> > verification to prove something is correct.
> 
> There are many ways of improving security.  Formal verification has its
> place, but grows exponentially harder with the complexity of the
> system.  Separation into multiple security domains is also a common
> technique (which also facilitates formal verification because it
> reduces the state space).  What I worry about is that elimination of
> one of the UEFI security domains causes code to move to places that
> makes it more exploitable.
> 
> James
> 
> 
> 
> 
> 
>