Subject: Re: [PATCH v2 07/11] OvmfPkg/QemuKernelLoaderFsDxe: call VerifyBlob after fetch from fw_cfg
From: "Dov Murik"
Date: Mon, 19 Jul 2021 15:22:36 +0300
To: Brijesh Singh, devel@edk2.groups.io
Cc: Tobin Feldman-Fitzthum, Jim Cadden, James Bottomley, Hubertus Franke, Laszlo Ersek, Ard Biesheuvel, Jordan Justen, Ashish Kalra, Erdem Aktas, Jiewen Yao, Min Xu, Tom Lendacky

On 18/07/2021 18:47, Brijesh Singh wrote:
>
> On 7/6/21 3:54 AM, Dov Murik wrote:
>> In QemuKernelLoaderFsDxeEntrypoint we use FetchBlob to read the content
>> of the kernel/initrd/cmdline from the QEMU fw_cfg interface. Insert a
>> call to VerifyBlob after fetching to allow BlobVerifierLib
>> implementations to add a verification step for these blobs.
>>
>> This will allow confidential computing OVMF builds to add verification
>> mechanisms for these blobs that originate from an untrusted source
>> (QEMU).
>>
>> The null implementation of BlobVerifierLib does nothing in VerifyBlob,
>> and therefore no functional change is expected.
>>
>> Cc: Laszlo Ersek
>> Cc: Ard Biesheuvel
>> Cc: Jordan Justen
>> Cc: Ashish Kalra
>> Cc: Brijesh Singh
>> Cc: Erdem Aktas
>> Cc: James Bottomley
>> Cc: Jiewen Yao
>> Cc: Min Xu
>> Cc: Tom Lendacky
>> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3457
>> Co-developed-by: James Bottomley
>> Signed-off-by: James Bottomley
>> Signed-off-by: Dov Murik
>
> The patch itself is okay. Just curious, do we also need to add a
> verification for the QEMU FW cfg file ?
>

I don't really understand. This patch adds the VerifyBlob() call on
blobs that were read by FetchBlob(), which in turn reads the contents of
kernel/initrd/cmdline from QEMU FW cfg (using QemuFwCfgReadBytes for
example).

We currently *don't* add verification for all other FW cfg settings,
like number of CPUs, E820 memory entries, ... similar to what we (don't)
do in SEV boot with encrypted root image (in which only OVMF is
measured).

What else do you think we should verify?

-Dov
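
The fetch-then-verify pattern discussed in this thread, as a stand-alone C model added here (it is not the edk2 patch or OVMF code). `load_blob`, `trust_blob`, `verify_table` and `verify_null` are hypothetical names, the digest is a non-cryptographic stand-in, and the expected-digest table is assumed to be filled from a trusted source.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in digest (64-bit FNV-1a), NOT cryptographic: it only keeps the
 * example short. A real verifier compares a cryptographic hash. */
static uint64_t digest(const void *buf, size_t len) {
    const uint8_t *p = buf;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

typedef int (*verify_fn)(const char *name, const void *buf, size_t len);

/* Models a null verifier: every blob passes, so behaviour is unchanged. */
int verify_null(const char *name, const void *buf, size_t len) {
    (void)name; (void)buf; (void)len;
    return 0;
}

/* Hypothetical trusted table of expected digests, filled by trust_blob(). */
static struct { const char *name; uint64_t want; } table[3];
static size_t table_len;

int trust_blob(const char *name, const void *buf, size_t len) {
    if (table_len == sizeof table / sizeof table[0]) return -1;
    table[table_len].name = name;
    table[table_len++].want = digest(buf, len);
    return 0;
}

/* Checking verifier: a mismatch or an unlisted blob name fails closed. */
int verify_table(const char *name, const void *buf, size_t len) {
    for (size_t i = 0; i < table_len; i++)
        if (strcmp(table[i].name, name) == 0)
            return table[i].want == digest(buf, len) ? 0 : -1;
    return -1;
}

/* Fetch-then-verify: the caller gets the buffer only if the verifier passed.
 * host_buf stands for bytes already read from the untrusted host. */
const void *load_blob(const char *name, const void *host_buf,
                      size_t len, verify_fn verify) {
    return verify(name, host_buf, len) == 0 ? host_buf : NULL;
}

int main(void) {
    /* Constructed sample data: a trusted cmdline and a modified copy. */
    const char good[] = "console=ttyS0", bad[] = "console=ttyS0 tampered";
    trust_blob("cmdline", good, sizeof good);
    return load_blob("cmdline", bad, sizeof bad, verify_table) == NULL ? 0 : 1;
}
```

Only blobs that pass through `load_blob` are covered; host-supplied values read by other paths are outside this check, which is the scope limit described in the reply above.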