public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: Laszlo Ersek <lersek@redhat.com>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Achin Gupta <Achin.Gupta@arm.com>,
	Jagadeesh Ujja <Jagadeesh.Ujja@arm.com>,
	"Gao, Liming" <liming.gao@intel.com>,
	"Kinney, Michael D" <michael.d.kinney@intel.com>,
	"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>,
	"Zhang, Chao B" <chao.b.zhang@intel.com>,
	Leif Lindholm <leif.lindholm@linaro.org>,
	Supreeth Venkatesh <Supreeth.Venkatesh@arm.com>,
	Jian J Wang <jian.j.wang@intel.com>, nd <nd@arm.com>
Subject: Re: [PATCH v2 04/11] MdePkg/Include: Add StandaloneMmServicesTableLib library
Date: Tue, 8 Jan 2019 17:52:25 +0100	[thread overview]
Message-ID: <c53c18bf-4ca3-113c-8242-b0f1680b3cc1@redhat.com> (raw)
In-Reply-To: <CAKv+Gu_cnysyMBrb4BeuRUxMwi3PXD4Eir1Q3w8w76=a-qdvjQ@mail.gmail.com>

On 01/08/19 14:27, Ard Biesheuvel wrote:
> On Tue, 8 Jan 2019 at 02:11, Laszlo Ersek <lersek@redhat.com> wrote:
>>
>> On 01/07/19 20:37, Ard Biesheuvel wrote:
>>> On Mon, 7 Jan 2019 at 20:21, Achin Gupta <Achin.Gupta@arm.com> wrote:
>>
>>>> Could you please explain the need for End of DXE signalling and
>>>> the traditional SMM IPL. It is not obvious to me :o(
>>>>
>>>
>>> The point is that there are PI specified events that we are currently
>>> not signalling in standalone MM, so in that sense, we are not
>>> implementing the PI spec fully.
>>>
>>> Note that EndOfDxe is security sensitive - it is used as a trigger to
>>> lock down and/or secure stuff, and if it never get signalled,
>>> standalone MM drivers may falsely assume that the context is more
>>> secure than it is.
>>
>> Yes, see PI 1.6, Vol2 ("DXE"), 5.1.2.1 "End of DXE Event".
>>
>> (I won't quote the spec here, as I could quote the entire section; all
>> of it is relevant here.)
>>
>> In my interpretation anyway, the MM infrastructure basically "trusts"
>> DXE until End-of-DXE is signaled. See also:
>> - 5.6 "DXE MM Ready to Lock Protocol",
>> - 4.6 "MM Ready to Lock Protocol",
>> in Vol4.
>>
>> The kind of "early distrust" that Achin describes up-thread may be
>> well-founded, and it might obviate the above event groups. I'm not sure.
> 
> I disagree. The whole point of standalone MM is to have parity with
> x86 in terms of having a separate execution context where platform
> specific services can reside. Even though DXE_SMM_DRIVER and
> MM_STANDALONE modules are dispatched in different ways, they should be
> able to be built from a shared source, and not signalling the EndOfDxe
> event is highly likely to cause more problems that it solves.
> 
> And actually, I think it is a valid security model to distinguish
> between before and after EndOfDxe, since EndOfDxe will be signalled
> before loading any third-party drivers, and so whatever has executed
> up to that point can be held to higher standards in terms of trust.

What you describe is absolutely *easier* to understand and to agree
with, so I'm naturally drawn to it.

I'm just pointing out -- sort of reasoning against myself! -- that Achin
wrote up-thread,

> The idea behind MM Standalone mode was to sandbox MM code in self
> sufficient execution context. This was a step to avoid some of the
> vulnerabilities in traditional SMM due to code and data sharing with
> DXE.

Through this, Achin seemed to imply that some SMM vulnerabilities had
occurred due to SMM being *capable* of reading *any* RAM (and MMIO too)
outside of SMRAM ("data sharing"); hence invalid pointer dereferences
(even just reads) could lead to really bad problems.

Then, I tried to fill the term "sandbox" with meaning -- i.e. MM would
be prevented from reading any DXE data (anything outside of MMRAM). This
looked sort of consistent with the extra restriction that standalone MM
code couldn't consume UEFI protocols even at init time.

And then I extrapolated: if MM can't trust DXE *at all*, then MM needs
no notification that, due to BDS reaching a specific point, MM can trust
DXE even *less* than before. There is no "less" than "not at all".

In short, I agree with you, I'm just trying to comprehend the "threat
model" (is that the right term?) behind Achin's story (AIUI).

Thanks!
Laszlo

>> The concept is novel to me (after having struggled for months in ~2015
>> to wrap my brain around traditional SMM in the first place), so I'm
>> having trouble at reasoning about standalone MM.
>>
> 
> I think that applies to all of us :-)
> 



  reply	other threads:[~2019-01-08 16:52 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-01-02 13:13 [PATCH v2 00/11] Extend secure variable service to be usable from Standalone MM Jagadeesh Ujja
2019-01-02 13:13 ` [PATCH v2 01/11] StandaloneMmPkg: Remove MM_STANDALONE LIBRARY_CLASS from StandaloneMmCoreHobLib Jagadeesh Ujja
2019-01-02 13:13 ` [PATCH v2 02/11] StandaloneMmPkg: Adding the library packages used by MM_STANDALONE drivers Jagadeesh Ujja
2019-01-02 13:13 ` [PATCH v2 03/11] MdeModulePkg: Add a PCD to indicate Standalone MM supports secure variable Jagadeesh Ujja
2019-01-02 13:13 ` [PATCH v2 04/11] MdePkg/Include: Add StandaloneMmServicesTableLib library Jagadeesh Ujja
2019-01-03 11:03   ` Ard Biesheuvel
2019-01-03 16:14     ` Laszlo Ersek
2019-01-04 11:57       ` Ard Biesheuvel
2019-01-07 15:28         ` Laszlo Ersek
2019-01-07 17:33           ` Ard Biesheuvel
2019-01-07 18:50             ` Achin Gupta
2019-01-07 18:55               ` Ard Biesheuvel
2019-01-07 19:21                 ` Achin Gupta
2019-01-07 19:37                   ` Ard Biesheuvel
2019-01-08  1:11                     ` Laszlo Ersek
2019-01-08 13:27                       ` Ard Biesheuvel
2019-01-08 16:52                         ` Laszlo Ersek [this message]
2019-01-13 12:42                     ` Cohen, Eugene
2019-01-14 18:51                       ` Ard Biesheuvel
2019-01-02 13:13 ` [PATCH v2 05/11] MdeModulePkg/FaultTolerantWriteDxe: allow reusability as a MM driver Jagadeesh Ujja
2019-01-02 17:15   ` Ard Biesheuvel
2019-01-02 13:13 ` [PATCH v2 06/11] MdeModulePkg/Variable/RuntimeDxe: adapt for usability with MM Standalone Jagadeesh Ujja
2019-01-02 13:13 ` [PATCH v2 07/11] MdeModulePkg/Variable/RuntimeDxe: adapt as a MM Standalone driver Jagadeesh Ujja
2019-01-02 13:13 ` [PATCH v2 08/11] MdeModulePkg/VarCheckLib: allow MM_STANDALONE drivers to use this library Jagadeesh Ujja
2019-01-04 10:36   ` Ard Biesheuvel
2019-01-02 13:13 ` [PATCH v2 09/11] ArmPlatformPkg/NorFlashDxe: allow reusability as a MM driver Jagadeesh Ujja
2019-01-02 13:13 ` [PATCH v2 10/11] SecurityPkg/AuthVariableLib: allow MM_STANDALONE drivers to use this library Jagadeesh Ujja
2019-01-03  1:14   ` Zhang, Chao B
2019-01-03  6:15     ` Jagadeesh Ujja
2019-01-04 10:41       ` Ard Biesheuvel
2019-01-02 13:13 ` [PATCH v2 11/11] CryptoPkg/BaseCryptLib: " Jagadeesh Ujja
2019-01-04 10:35   ` Ard Biesheuvel

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=c53c18bf-4ca3-113c-8242-b0f1680b3cc1@redhat.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox