On 2016/4/28 3:20, Laszlo Ersek wrote:
The first patch (for MdeModulePkg) fixes a bug that is exposed
(triggered) by the third patch.

The second and third patches fix a security vulnerability in OVMF that I
reported to the UEFI SRT more than three weeks ago:

   To: secur...@uefi.org, secal...@redhat.com [...]
   From: Laszlo Ersek <ler...@redhat.com>
   Subject: OVMF PlatformBds allows circumvention of SMM
   Message-ID: <5701256d.8010...@redhat.com>
   Date: Sun, 3 Apr 2016 16:15:09 +0200

I have not received any response thus far.

As can be seen above, I also reported the issue to the Red Hat SRT.
While I received acknowledgement about my report, there has been no
technical feedback either.

Now, this issue has very low impact in my opinion:

- Configurations (that is, (host kernel, QEMU, OVMF firmware) triplets)
   on which the issue being fixed is *actually* a vulnerability count as
   "very recent" and "sporadic" at best. I'm not aware of any deployments
   where such a configuration is put to use in a production environment.

- If Secure Boot is enabled, then the attacker's job is much harder: he
   cannot install just any UEFI driver in DriverOrder (see the second
   patch for more explanation), he must instead exploit a bug in an
   already signed UEFI driver, before that driver is blacklisted in DBX.

Independently, Ray's work for porting OvmfPkg to MdeModulePkg/BDS
includes a patch, namely

   [edk2] [Patch v3 11/23] OvmfPkg/PlatformBds: Initialize console
                           variables in *BeforeConsole()
   http://thread.gmane.org/gmane.comp.bios.edk2.devel/10859/focus=11039

that needs to connect the PCI root bridges on the call stack of
PlatformBdsInit(), not the current PlatformBdsPolicyBehavior(). Since
patch #2 in this series implements a superset of that requirement, and
given the low impact of the security issue (and the unresponsiveness of
the USRT), it makes sense for me to post this small series first, and
for Ray to rebase his work on top second.

I tested these changes in OVMF, with

   { S3 enabled, S3 disabled } x { SMM enabled, SMM disabled },

using Fedora guests.

Public branch: <https://github.com/lersek/edk2/commits/lockdown_smm>.

Cc: Feng Tian <feng.t...@intel.com>
Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Jordan Justen <jordan.l.jus...@intel.com>
Cc: Ruiyu Ni <ruiyu...@intel.com>
Cc: Star Zeng <star.z...@intel.com>

Thanks
Laszlo

Laszlo Ersek (3):
   MdeModulePkg: PiDxeS3BootScriptLib: honor PcdAcpiS3Enable
   OvmfPkg: PlatformBdsLib: lock down SMM in PlatformBdsInit()
   OvmfPkg: PlatformBdsLib: lock down SMM regardless of S3

  MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf |  1 +
  MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c       |  4 +
  OvmfPkg/Library/PlatformBdsLib/BdsPlatform.c                     | 89 ++++++++++++--------
  3 files changed, 58 insertions(+), 36 deletions(-)


Reviewed-by: Star Zeng <star.z...@intel.com> to [1/3]
And, you can have my Acked-by for other patches.

Thanks,
Star
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel