Discussion from: http://mid.mail-archive.com/210c74c8-5ced-94cd-2025-29f94c71fdf2@amd.com

On 10/01/17 02:09, Brijesh Singh wrote:
| On 9/29/17 4:58 PM, Laszlo Ersek wrote:
|| The expansion ROMs (containing UEFI drivers) of emulated PCI devices,
|| and the same of assigned physical PCI devices, constitute another
|| channel through which code enters the guest from the outside (i.e., from
|| the Cloud Provider). The ROM BARs from which the guest firmware reads
|| the UEFI binaries are not guest RAM, they are MMIO. (For execution, the
|| drivers are copied into encrypted guest RAM.)
||
|| If the guest has Secure Boot enabled, then the oproms are verified[*]
|| (and not launched if verification fails), but this is slightly different
|| from what I understand under audit-by-GO. It means the GO wouldn't get a
|| measurement of the oproms for one-by-one clearing, when about to
|| green-light a guest startup. Instead the GO would ensure that Secure
|| Boot be enabled with the right certificates (and/or executable hashes)
|| enrolled off the bat, and then implicitly trust all oprom drivers
|| accepted by those certs / hashes. It's another layer of indirection.
||
|| This is likely nothing new qualitatively, but "the devil is in the
|| details", so I thought it was worth raising.
||
|| [*] For edk2 / OvmfPkg specifics, I'll mention
||
|| gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy
||
|| The SecurityPkg default is 0x04 ("Deny execution when there is security
|| violation"). However, OVMF sets it to 0x00 ("Always trust the image").
|| Please see the following commit for the reasons:
||
|| https://github.com/tianocore/edk2/commit/1fea9ddb4e3fd
||
|| Brijesh, for SEV guests, we likely want to flip this PCD to 0x04, in the
|| AmdSevInitialize() function, in "OvmfPkg/PlatformPei/AmdSev.c". For that
|| we'll also have to change the PCD from fixed-at-build to dynamic, but
|| that in turn will require a change to "SecurityPkg.dec" itself
|| (currently it only allows fixed-at-build or patchable, not dynamic). Do
|| you want me to file a BZ in the TianoCore tracker for this, and assign
|| it to you? If you don't have time for writing the patch, I'm glad to do
|| it too, but then the review could be slower; both other OvmfPkg
|| co-maintainers are busy with other things.
|
| Very good point Laszlo. Please submit the BZ and assign it to me - thank
| you. We will take a look at implementing the required support.
v1 series from Brijesh at: https://lists.01.org/pipermail/edk2-devel/2017-October/015655.html
  [edk2] [PATCH 1/2] SecurityPkg: make PcdOptionRomImageVerificationPolicy dynamic
  [edk2] [PATCH 2/2] OvmfPkg/PlatformPei: DENY_EXECUTE_ON_SECURITY_VIOLATION when SEV is active
v2 from Brijesh: https://lists.01.org/pipermail/edk2-devel/2017-October/015662.html
Fixed in commit range 65c77f02104c..6041ac65ae87.
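The following stand-alone C program is an added illustration of the two points made in the thread above; it is not edk2 or OVMF code. It models (a) the PlatformPei step that switches PcdOptionRomImageVerificationPolicy from OVMF's build default 0x00 to 0x04 when SEV is active, and (b) the option-ROM execution decision that SecurityPkg takes under each policy. The PCD "store", the PCD_FIXED_AT_BUILD / PCD_DYNAMIC kinds, the function names (PcdSet32, AmdSevApplyOptionRomPolicy, OptionRomMayExecute, OptionRomStartsUnder), the SevActive flag standing in for real SEV detection, and the two sample ROM names are all assumptions made for this example. Real edk2 rejects a PcdSet on a fixed-at-build PCD at build time; the model turns that into a runtime refusal so the consequence of leaving the PCD fixed-at-build (the policy silently stays at 0x00) can be exercised.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The two policy values the thread names for
 * gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy. */
#define ALWAYS_EXECUTE                      0x00u  /* OVMF's build default */
#define DENY_EXECUTE_ON_SECURITY_VIOLATION  0x04u  /* SecurityPkg's default */

/* Assumed model of a PCD.  In edk2 a PcdSet on a fixed-at-build PCD fails at
 * build time; here the restriction is modelled as a runtime refusal. */
enum PcdKind { PCD_FIXED_AT_BUILD, PCD_DYNAMIC };

struct Pcd32 {
    enum PcdKind Kind;
    uint32_t     Value;
};

/* Returns true if the value was stored, false if the PCD is not dynamic. */
bool PcdSet32(struct Pcd32 *Pcd, uint32_t Value)
{
    if (Pcd->Kind != PCD_DYNAMIC) {
        return false;
    }
    Pcd->Value = Value;
    return true;
}

/* Model of the PlatformPei step proposed in the thread: when SEV is active,
 * switch the option-ROM policy to deny-on-violation.  SevActive stands in
 * for the platform's own SEV detection (assumption).  Returns true if the
 * policy was applied or did not need changing. */
bool AmdSevApplyOptionRomPolicy(struct Pcd32 *Policy, bool SevActive)
{
    if (!SevActive) {
        return true;           /* non-SEV guests keep the build default */
    }
    return PcdSet32(Policy, DENY_EXECUTE_ON_SECURITY_VIOLATION);
}

/* Model of the decision taken when an option ROM read from a PCI ROM BAR is
 * about to be started.  SignatureAccepted is the outcome of the Secure Boot
 * check against the enrolled certificates / hashes. */
bool OptionRomMayExecute(uint32_t Policy, bool SignatureAccepted)
{
    switch (Policy) {
    case ALWAYS_EXECUTE:
        return true;           /* verification outcome is ignored */
    case DENY_EXECUTE_ON_SECURITY_VIOLATION:
        return SignatureAccepted;
    default:
        return false;          /* other SecurityPkg policies are not modelled */
    }
}

/* Runs the whole path for one ROM: build default 0x00, PlatformPei step,
 * then the execution decision.  Returns whether the ROM would start. */
bool OptionRomStartsUnder(enum PcdKind Kind, bool SevActive, bool SignatureAccepted)
{
    struct Pcd32 Policy = { Kind, ALWAYS_EXECUTE };
    AmdSevApplyOptionRomPolicy(&Policy, SevActive);
    return OptionRomMayExecute(Policy.Value, SignatureAccepted);
}

int main(void)
{
    /* Constructed sample: one ROM that passes Secure Boot, one that fails. */
    struct { const char *Name; bool SignatureAccepted; } Roms[] = {
        { "signed-rom.efi (constructed)",   true  },
        { "unsigned-rom.efi (constructed)", false },
    };
    enum PcdKind Kinds[] = { PCD_FIXED_AT_BUILD, PCD_DYNAMIC };

    for (size_t k = 0; k < 2; k++) {
        for (size_t r = 0; r < 2; r++) {
            bool Starts = OptionRomStartsUnder(Kinds[k], true, Roms[r].SignatureAccepted);
            printf("SEV guest, PCD %s: %-32s -> %s\n",
                   Kinds[k] == PCD_DYNAMIC ? "dynamic       " : "fixed-at-build",
                   Roms[r].Name, Starts ? "executes" : "denied");
        }
    }
    return 0;
}
```

With the PCD left fixed-at-build the SEV branch cannot take effect and the unsigned ROM still executes under policy 0x00; once the PCD is dynamic, the same ROM is denied while the signed one runs. In real edk2 the corresponding change is to list the PCD in SecurityPkg.dec under a section that permits dynamic PCDs and to give it a dynamic default in the OVMF DSC, which is what the v1/v2 series linked above does.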