From: "Min Xu" <min.m.xu@intel.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>,
"kraxel@redhat.com" <kraxel@redhat.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>,
"Justen, Jordan L" <jordan.l.justen@intel.com>,
Brijesh Singh <brijesh.singh@amd.com>,
"Erdem Aktas" <erdemaktas@google.com>,
James Bottomley <jejb@linux.ibm.com>,
"Yao, Jiewen" <jiewen.yao@intel.com>,
Tom Lendacky <thomas.lendacky@amd.com>
Subject: Re: [edk2-devel] [PATCH V5 1/2] OvmfPkg: Introduce Tdx BFV/CFV PCDs and PcdOvmfImageSizeInKb
Date: Tue, 31 Aug 2021 06:17:29 +0000 [thread overview]
Message-ID: <PH0PR11MB50643C9748387A171F38F439C5CC9@PH0PR11MB5064.namprd11.prod.outlook.com> (raw)
In-Reply-To: <20210831051305.dhqvsh4jzqekmjly@sirius.home.kraxel.org>
On August 31, 2021 1:13 PM, Gerd Hoffmann wrote:
> Hi,
>
> > > From a security point of view I don't think it is a good idea to
> > > hard code any assumptions about the layout of the vars volume.
> > Do you mean I cannot assume the layout of VarStore?
> > At least in Ovmf the VarStore.fdf.inc defines the layout of VarStore like
> below.
>
> What prevents an attacker from creating a varstore with a different layout?
> Place the variables at the end of the file, which isn't measured (because you
> assume it is the spare part), then being able to change variables without the
> guest noticing?
If the VarStore does not follow the layout defined in VarStore.fdf.inc, do you mean
the current Variable mechanism still works? From the code of
InitNonVolatileVariableStore(), the first variable is right after the VarStoreHeader.
See GetStartPointer().
>
> take care,
> Gerd
>
>
>
>
>
next prev parent reply other threads:[~2021-08-31 6:17 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-30 2:35 [PATCH V5 0/2] Add Intel TDX support in OvmfPkg/ResetVector Min Xu
2021-08-30 2:35 ` [PATCH V5 1/2] OvmfPkg: Introduce Tdx BFV/CFV PCDs and PcdOvmfImageSizeInKb Min Xu
2021-08-30 7:03 ` Gerd Hoffmann
2021-08-31 3:29 ` [edk2-devel] " Min Xu
2021-08-31 5:13 ` Gerd Hoffmann
2021-08-31 6:17 ` Min Xu [this message]
2021-08-31 10:21 ` Gerd Hoffmann
2021-09-01 5:18 ` Min Xu
2021-09-01 6:10 ` Gerd Hoffmann
2021-09-01 6:57 ` Ard Biesheuvel
2021-09-01 7:19 ` Min Xu
2021-09-01 7:44 ` Gerd Hoffmann
2021-09-01 8:59 ` Yao, Jiewen
2021-09-01 16:53 ` James Bottomley
2021-09-01 19:19 ` Andrew Fish
2021-09-10 17:03 ` Erdem Aktas
2021-08-30 2:35 ` [PATCH V5 2/2] OvmfPkg/ResetVector: Enable Intel TDX in ResetVector of Ovmf Min Xu
2021-08-30 7:40 ` Gerd Hoffmann
2021-08-31 3:09 ` [edk2-devel] " Min Xu
2021-08-31 5:35 ` Gerd Hoffmann
2021-09-02 0:05 ` Min Xu
2021-09-02 7:18 ` Gerd Hoffmann
2021-09-02 7:49 ` Min Xu
2021-09-03 3:03 ` Yao, Jiewen
2021-09-03 5:39 ` Gerd Hoffmann
2021-09-09 13:54 ` Min Xu
2021-09-10 8:19 ` Gerd Hoffmann
2021-09-14 3:54 ` Yao, Jiewen
2021-09-11 1:17 ` Erdem Aktas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=PH0PR11MB50643C9748387A171F38F439C5CC9@PH0PR11MB5064.namprd11.prod.outlook.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox