From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mga07.intel.com (mga07.intel.com [134.134.136.100])
 by mx.groups.io with SMTP id smtpd.web11.3834.1630473503176574243
 for <devel@edk2.groups.io>;
 Tue, 31 Aug 2021 22:18:23 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@intel.onmicrosoft.com header.s=selector2-intel-onmicrosoft-com header.b=WmXMUegM;
 spf=pass (domain: intel.com, ip: 134.134.136.100, mailfrom: min.m.xu@intel.com)
X-IronPort-AV: E=McAfee;i="6200,9189,10093"; a="282344176"
X-IronPort-AV: E=Sophos;i="5.84,368,1620716400"; 
   d="scan'208";a="282344176"
Received: from fmsmga002.fm.intel.com ([10.253.24.26])
  by orsmga105.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 31 Aug 2021 22:18:17 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.84,368,1620716400"; 
   d="scan'208";a="541382481"
Received: from orsmsx602.amr.corp.intel.com ([10.22.229.15])
  by fmsmga002.fm.intel.com with ESMTP; 31 Aug 2021 22:18:17 -0700
Received: from orsmsx610.amr.corp.intel.com (10.22.229.23) by
 ORSMSX602.amr.corp.intel.com (10.22.229.15) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2242.12; Tue, 31 Aug 2021 22:18:16 -0700
Received: from orsmsx603.amr.corp.intel.com (10.22.229.16) by
 ORSMSX610.amr.corp.intel.com (10.22.229.23) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2242.10; Tue, 31 Aug 2021 22:18:16 -0700
Received: from ORSEDG601.ED.cps.intel.com (10.7.248.6) by
 orsmsx603.amr.corp.intel.com (10.22.229.16) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2242.12 via Frontend Transport; Tue, 31 Aug 2021 22:18:16 -0700
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (104.47.66.43) by
 edgegateway.intel.com (134.134.137.102) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.1.2242.10; Tue, 31 Aug 2021 22:18:13 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=jX8pV4nUsLE9x+VB2TO9MvOyo6cf07JgfrtAmefG1OMp99qYNzvpX+uzZFXDzTGpG9OgZOKeIxSS+ZuTOfgz2T3ud91jyj96Popx9K/aUkHs9DxPkqkDhsqztfBjmmNIYEQ1c4FPbs4fMjjfNKbSz7bes5+soNuH+kqn1c5XwNH3ffIDfwKnts5esRKkHhlzPAiXBw+tOYxpjyQrpjC0ci8OhmGD63a9XZwm9pDwvQrWnQnitHVLplEpSS52ZVPvxL95ECKHw/UBm0vhMsqeRbUFR/lm2EjJTTuo5sS1OYYQ6LoDv8Iw1+S4kTBeTxuL5FjT58FZkliRdrc9AfJ2Sw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=eFxd3w62UAymndNILtcAoZlFJs7pzpNWPn9ebzg8ImY=;
 b=GzQpn47mO2mFIm9DG2qRlW35lAPIcVmqLwGPEdarmL12kM4IIJOb+vTmIdqk+PZoZ+WhXTSHJgQ3nhqwE2JiY9mrJzogp+8QlpGn4Ha3r4Hj8gDvP5xLtWe9pQNhDqcWRapBWLyfiLZ4fc4z7xzLjPGEgPVrBCNAY7W8neKRm8jwod+jSOGd/vHqYlHXUtQLwr0LSZzAonNbMQtxFiXvYJilOjCdwnV2Bvr0C/zZ9QChw1mHTOfZCAudc20WTZvKJNajR0xDxJFwOuxWSdDoHmnQDau+Gx/3H1PMrbuPb4nS146EZ5a+vAAjxndOvQArfX77umxD39ltz1s4Xmk2vQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com;
 dkim=pass header.d=intel.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel.onmicrosoft.com;
 s=selector2-intel-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=eFxd3w62UAymndNILtcAoZlFJs7pzpNWPn9ebzg8ImY=;
 b=WmXMUegM72clMxzLYX6/OAf7gvgAKsPUdi60cbVlKLg2xop5XBXGi5RFl+3d80neu6Lg+AqscrjCqsLP/SS62dxquAm8+Suo93+k58lHuXIwtwHJDPUAIU09iLIxQmtZdKQ4VeaVmBnCBatdrA0o6s8R7HkR6TT0sP6xkW8TczA=
Received: from PH0PR11MB5064.namprd11.prod.outlook.com (2603:10b6:510:3b::15)
 by PH0PR11MB5030.namprd11.prod.outlook.com (2603:10b6:510:41::5) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4457.23; Wed, 1 Sep
 2021 05:18:11 +0000
Received: from PH0PR11MB5064.namprd11.prod.outlook.com
 ([fe80::c93:200e:5aeb:e11b]) by PH0PR11MB5064.namprd11.prod.outlook.com
 ([fe80::c93:200e:5aeb:e11b%3]) with mapi id 15.20.4415.029; Wed, 1 Sep 2021
 05:18:11 +0000
From: "Min Xu" <min.m.xu@intel.com>
To: "kraxel@redhat.com" <kraxel@redhat.com>
CC: "devel@edk2.groups.io" <devel@edk2.groups.io>, Ard Biesheuvel
	<ardb+tianocore@kernel.org>, "Justen, Jordan L" <jordan.l.justen@intel.com>,
	Brijesh Singh <brijesh.singh@amd.com>, Erdem Aktas <erdemaktas@google.com>,
	James Bottomley <jejb@linux.ibm.com>, "Yao, Jiewen" <jiewen.yao@intel.com>,
	Tom Lendacky <thomas.lendacky@amd.com>
Subject: Re: [edk2-devel] [PATCH V5 1/2] OvmfPkg: Introduce Tdx BFV/CFV PCDs and PcdOvmfImageSizeInKb
Thread-Topic: [edk2-devel] [PATCH V5 1/2] OvmfPkg: Introduce Tdx BFV/CFV PCDs
 and PcdOvmfImageSizeInKb
Thread-Index: AQHXnUe4YoRICQS34UKQwQm3+qtkS6uLn8GAgAFQ3+CAACKSgIAADl7wgABHwgCAATb40A==
Date: Wed, 1 Sep 2021 05:18:11 +0000
Message-ID: <PH0PR11MB5064085212FC5261798E3DDAC5CD9@PH0PR11MB5064.namprd11.prod.outlook.com>
References: <cover.1630289827.git.min.m.xu@intel.com>
 <77440edd1e175207dffcaaa052ce26ae71e6c66c.1630289827.git.min.m.xu@intel.com>
 <20210830070339.u47qq3g7hb4rq3xc@sirius.home.kraxel.org>
 <PH0PR11MB5064F555390C7DD73AD18531C5CC9@PH0PR11MB5064.namprd11.prod.outlook.com>
 <20210831051305.dhqvsh4jzqekmjly@sirius.home.kraxel.org>
 <PH0PR11MB50643C9748387A171F38F439C5CC9@PH0PR11MB5064.namprd11.prod.outlook.com>
 <20210831102120.kh2b6boorxets75j@sirius.home.kraxel.org>
In-Reply-To: <20210831102120.kh2b6boorxets75j@sirius.home.kraxel.org>
Accept-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
dlp-product: dlpe-windows
dlp-reaction: no-action
dlp-version: 11.5.1.3
authentication-results: redhat.com; dkim=none (message not signed)
 header.d=none;redhat.com; dmarc=none action=none header.from=intel.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 18972c79-7a15-457d-2e84-08d96d07e450
x-ms-traffictypediagnostic: PH0PR11MB5030:
x-ld-processed: 46c98d88-e344-4ed4-8496-4ed7712e255d,ExtAddr
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <PH0PR11MB503099762E56A6BFA26E2BEEC5CD9@PH0PR11MB5030.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:6790;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: xE9ZPeDnJTvfnLhBzVBCHHS7o6YRnw36I/uMRGoZFqU7wLGyRx7qh3e/gHq4a1vnbpW1je+KydEz0ry2S+DR4PihZmtZj3H3+nogR+YeeqvM5JSb6ZnA0vt82e1zNp8/zjnKnpCG2X74qWBhCGtcP5P/2PimK0h5RKtr7g8FzAMzGgoqu7/oJSgCxsWeWYpfvbNIrDs05OTp47UDt8M07HTYQxvtwNmGclHyvn5e5AWSLqMx5zj7uLJ9Mg0+SYVmuDRdFTOazbneux3SI276jMXBECMpYFgUIdcUZR0/JozBfNIhZK7FskOzx70TZWxGfWWGCjoiXgPIj21wOjJ8MjFQ9TymFRZI4PFNf5O8gORI0F2LMesXyhWD2futMmLuLDD8pUb2EAyJf0DIJ18jU3qM/cHcmn4XVEhoJKDMfA6EzE1hwakYQ++3ukvG7fVn6ZPNnsIPu1T+kd8qbgJ6e6nnRLMYNuFnVL/O9f8uExzS8MtOxoBjJYp057Kd+2f3A1SDnNXYNV6qYum0OqZK65sG2W+YVpNXrTUIMmKR8HDaaR8ylvO5qUXngfe7nzcmNRPoFMOgurXSjrSGq63zMZvY7I2zPyMq/xWQG+Ppt8BvOTUIuymRFqBsC3keVCn1xFf8VIPPgVbU1r5a+PkmU44CZ3ghTvAUFFHnrRPvhvRdin8kc/B0GfZrQ1gEYoK/6GeCTi2U43B/RS06Gy553g==
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PH0PR11MB5064.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(6029001)(4636009)(39860400002)(366004)(396003)(136003)(376002)(346002)(6916009)(9686003)(186003)(26005)(86362001)(8936002)(7696005)(5660300002)(4326008)(8676002)(316002)(66556008)(66476007)(76116006)(2906002)(66446008)(33656002)(71200400001)(478600001)(83380400001)(122000001)(52536014)(66946007)(64756008)(54906003)(38100700002)(6506007)(55016002)(38070700005);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?fM0rw94KVpOV/gerKdD4xipPcDRKrXNZ2ZRu++xTKlmnS16YZmOAmg2TPXc1?=
 =?us-ascii?Q?0wVYaf2u9WAC8ZbxG2rqeRGidgy7ipetBpWg0lCoW9KYCnJMSOuN/o4VDjH0?=
 =?us-ascii?Q?riytHEqCqrCzXDC1VwkCepdTmN3VOe8lv3PV92yawhHcKZwIAKIinCqQBIxG?=
 =?us-ascii?Q?Aq+6vLvlNdXxEHm1ruebkZU0G6q7L11Sg8oQl6uvW06KcpCDNS2MURK5cZ9B?=
 =?us-ascii?Q?1gaxhoQm4xs4EicpNfXtKOtrRsc89Y8F+qJi6sGD9IX3+JwpBLYyeKtkByWn?=
 =?us-ascii?Q?L/h6jOiEQSXm8GrVj809w9OSPVOJ5FjVCPu+4iFmP5emo/UIkqE7YMJk55Ca?=
 =?us-ascii?Q?X6kpNowDXmWvfnT20IFXCZZOJra6hPdpiLGEnQlBzLIxgyADOrgn8FZhbFtM?=
 =?us-ascii?Q?bEVj3LnEMmVg/V5c4AxfFh/eghHn4rDYr6ahHYnbdD3Ac3DsVgw9BU5RokcL?=
 =?us-ascii?Q?NcvMwPjOJJFk5VIbCcueU9n7QiJd0jGSHiKFmuwGrbxaXPWnkAGwDLNXIUpF?=
 =?us-ascii?Q?S4eTdnyqQYPjZhH5wWOdNlZ9xd/Vzc4FIkpUPJXh0yhs/EufZuDUE4BZTDjT?=
 =?us-ascii?Q?ny2vbCdE5zSl/X6Nlvgxao+VaCBOtQNZGe1s1nCeAcEPiVkp/vJaudxdJX7Y?=
 =?us-ascii?Q?TbEsoTlnktQTvPwzB9E0kTFYmdOIuEv+voV4/GSRx8QhQKkIRhiN9Pzvaqi6?=
 =?us-ascii?Q?oc8Q5viGh2pXVBOwK40JTbWsL599zl67T1Hl0NfIkfatLN7TjUCiAggKa/Og?=
 =?us-ascii?Q?YMa03C6Aoayi0Su1xmhQJF/SB42KMSpeFKKHvh167/tFnT4V3u/L4QWzrkwX?=
 =?us-ascii?Q?k43Kygl4OQNoGj/+0c6DhsPwaF3DbV+K6bygl2tOP2BZtYghFhTl0jw1gvzl?=
 =?us-ascii?Q?++AvM1YHYgbgEsowbQ9J6sAK1jznO8MC4h7m4UQktaXo5s+WzngFJWftotDw?=
 =?us-ascii?Q?Ycx+ICujX3On0fPpq+DdUhHC4YNtMsTgWJfFX7nH5FrkLiYADr9y0mwTZ4uF?=
 =?us-ascii?Q?J7q4v7TKm3moFt+tEmDcxYWE2TOM3gHwud6miKjsajXedB+JgXVxZanCgJGp?=
 =?us-ascii?Q?A40chN7sKHfWEPlM07nBnN6SCx0rdHmexS8urgeYEUHDHcpTjx4IDJ0b9XVV?=
 =?us-ascii?Q?EYGxHn4OF3NQtTtS2Gppb1wXIix1U8R2Hl93DTIcNneTlBSZZD8oVlZI9oKC?=
 =?us-ascii?Q?E5y12zlhbTeu66MKoR83RISAWDG/E3eRkWM4cX1gSYWJrnlkDEsqkiNtqFaR?=
 =?us-ascii?Q?7o6VAOwmUf7wT34uf9T1IiZjxe06chXntYBe/AghbGGhDap/2qQOt1MwUp2/?=
 =?us-ascii?Q?hq1MIIgZaRplKGNNFwseXVjg?=
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PH0PR11MB5064.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 18972c79-7a15-457d-2e84-08d96d07e450
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Sep 2021 05:18:11.0761
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: givSjAKVi7097t4rqYorb9U8VK7848K2EakZl8nuoFOfXDk+jnAF5su0KBzNx8Oa42gDgLnaz3H0nE7BMbr6SA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR11MB5030
Return-Path: min.m.xu@intel.com
X-OriginatorOrg: intel.com
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

On August 31, 2021 6:21 PM, Gerd Hoffmann wrote:
> On Tue, Aug 31, 2021 at 06:17:29AM +0000, Xu, Min M wrote:
> > On August 31, 2021 1:13 PM, Gerd Hoffmann wrote:
> > >   Hi,
> > >
> > > > > From a security point of view I don't think it is a good idea to
> > > > > hard code any assumptions about the layout of the vars volume.
> > > > Do you mean I cannot assume the layout of VarStore?
> > > > At least in Ovmf the VarStore.fdf.inc defines the layout of
> > > > VarStore like
> > > below.
> > >
> > > What prevents an attacker from creating a varstore with a different l=
ayout?
> > > Place the variables at the end of the file, which isn't measured
> > > (because you assume it is the spare part), then being able to change
> > > variables without the guest noticing?
> > If the VarStore does not follow the layout defined in
> > VarStore.fdf.inc, do you mean the current Variable mechanism still
> > works? From the code of InitNonVolatileVariableStore(), the first varia=
ble is
> right after the VarStoreHeader.
> > See GetStartPointer().
>=20
> I didn't fully investigate what kind of attacks one can do.  I'm pretty s=
ure simply
> making the variable store larger and the spare smaller works, so parts of=
 the
> variable store are outside the area you are measuring.  Not fully sure wh=
enever
> one can actually reorder the sections to move the varstore completely int=
o the
> unmeasured area.  Or play out other attacks with the same effect, like bl=
oating
> some header struct.
>=20
> Simply measuring everything (including the spare) will stop all that.
> Changes wouldn't go unnoticed, period.  No ifs and buts.  So I'm wonderin=
g why
> you not doing that?  Performance?  Wouldn't be the first time a performan=
ce
> optimization pokes a hole into a security concept ...
>=20
The measurement value of the CFV (provisioned configuration data) is extend=
ed to
RTMR registers (similar to TPM PCRs). At the same time it is recorded in th=
e TD Event
log.=20
These information will be used by the Attestation server (This is the so-ca=
lled Attestation).
In other words there is a known *good* CFV measurement value. Any changes t=
o
the CFV, for example the layout, the order of the variables, the content of=
 the variables
will produce a *bad* CFV measurement. Then in the later Attestation phase t=
hose
changes will be detected.

Thanks!
Min