Hi,

> > Yes for validation (aka sanity-checking the fields, etc).
> > But for measurement I don't see why the ordering matters.
> > Whenever you do that before or after consuming the TdHob
> > should not make a difference.
> 
> [Jiewen] I disagree. The order matters from security perspective.
> If you use it, there is a risk that buggy code will compromise the system
> before you have a chance to measure it.

Measurement will only record hashes for verification later on.
It will not prevent running possibly buggy/compromised code.

So, no matter what the order is, you'll figure the system got
compromised after the fact, when checking the hashes later, and in turn
take actions like refusing to hand out secrets to the compromised
system.

> There were already known attacks: the measurement was in the wrong place,
> which allowed the attack to forge the measurement.

Do you have a link or CVE number for me?

thanks,
  Gerd
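To make the ordering question in this exchange concrete, here is an added example; it is not OVMF/edk2 code and takes no side in the thread. The record layout (ToyHob), the FNV-1a stand-in for the SHA-384 RTMR extend, the single-register "extend" model and the deliberately buggy consumer are all constructed for illustration. The consumer rewrites its own input buffer (the kind of defect buggy parsing code can have), so measuring after consumption records the rewritten bytes, while measuring first records the bytes that were actually handed in; a verifier holding only the benign reference value then accepts or rejects accordingly.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Stand-in for the SHA-384 used to extend a TDX RTMR. Assumption: the
 * ordering argument does not depend on which hash function is used. */
static uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Constructed HOB-like record (12 bytes, no padding, so hashing the struct
 * bytes is deterministic). Field names are illustrative, not EFI_HOB_*. */
typedef struct {
    uint16_t type;
    uint16_t length;
    uint8_t  payload[8];
} ToyHob;

/* Simulated measurement register: reg = H(reg || H(record)), the shape of
 * an RTMR extend. A real implementation would also append an event log entry. */
static uint64_t extend(uint64_t reg, const ToyHob *hob)
{
    uint8_t buf[16];
    uint64_t digest = fnv1a64((const uint8_t *)hob, sizeof *hob);
    memcpy(buf, &reg, sizeof reg);
    memcpy(buf + 8, &digest, sizeof digest);
    return fnv1a64(buf, sizeof buf);
}

/* The benign record the verifier's reference value was computed from. */
static const ToyHob kBenign = { 0x0001, sizeof(ToyHob), {0, 0, 0, 0, 0, 0, 0, 0} };

/* Consumer with a deliberate bug: it "normalizes" the record in place, so
 * whatever the untrusted side put in payload[] is erased from the buffer.
 * This models buggy or attacker-influenced parsing code rewriting its input. */
static void buggy_consume(ToyHob *hob)
{
    if (hob->payload[0] != 0)
        memset(hob->payload, 0, sizeof hob->payload);   /* BUG: writes back */
}

/* Order A: record what was handed in, then let the consumer run. */
uint64_t measure_then_consume(ToyHob hob)
{
    uint64_t reg = extend(0, &hob);
    buggy_consume(&hob);
    return reg;
}

/* Order B: consumer runs first, and the (possibly rewritten) buffer is measured. */
uint64_t consume_then_measure(ToyHob hob)
{
    buggy_consume(&hob);
    return extend(0, &hob);
}

/* Remote verifier: accepts only the register value derived from kBenign. */
int verifier_accepts(uint64_t reg)
{
    return reg == extend(0, &kBenign);
}

/* Constructed tampered input: the benign record with one payload byte changed. */
static ToyHob tampered_input(void)
{
    ToyHob evil = kBenign;
    evil.payload[0] = 0xEE;
    return evil;
}

int demo_benign_measure_first(void)    { return verifier_accepts(measure_then_consume(kBenign)); }
int demo_tampered_measure_first(void)  { return verifier_accepts(measure_then_consume(tampered_input())); }
int demo_tampered_consume_first(void)  { return verifier_accepts(consume_then_measure(tampered_input())); }

int main(void)
{
    printf("benign,   measure-then-consume, verifier accepts: %d\n", demo_benign_measure_first());
    printf("tampered, measure-then-consume, verifier accepts: %d\n", demo_tampered_measure_first());
    printf("tampered, consume-then-measure, verifier accepts: %d\n", demo_tampered_consume_first());
    return 0;
}
```

With the tampered record, order A leaves the register holding the digest of the bytes the untrusted side actually supplied, so the verifier rejects; order B measures the buffer after the consumer has overwritten it, so the register equals the benign reference and the verifier accepts even though the tampered input was parsed. Neither order stops the buggy consumer from running; the difference is only in what the log later says happened.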



View/Reply Online (#89125): https://edk2.groups.io/g/devel/message/89125