On 2016-04-27 12:20:46, Laszlo Ersek wrote:
> The first patch (for MdeModulePkg) fixes a bug that is exposed
> (triggered) by the third patch.
> 
> The second and third patches fix a security vulnerability in OVMF that I
> reported to the UEFI SRT more than three weeks ago:
> 
>   To: secur...@uefi.org, secal...@redhat.com [...]
>   From: Laszlo Ersek <ler...@redhat.com>
>   Subject: OVMF PlatformBds allows circumvention of SMM
>   Message-ID: <5701256d.8010...@redhat.com>
>   Date: Sun, 3 Apr 2016 16:15:09 +0200
> 
> I have not received any response thus far.
> 
> As can be seen above, I also reported the issue to the Red Hat SRT.
> While I received acknowledgement about my report, there has been no
> technical feedback either.
> 
> Now, this issue has very low impact in my opinion:
> 
> - Configurations (that is, (host kernel, QEMU, OVMF firmware) triplets)
>   on which the issue being fixed is *actually* a vulnerability count as
>   "very recent" and "sporadic" at best. I'm not aware of any deployments
>   where such a configuration is put to use in a production environment.
> 
> - If Secure Boot is enabled, then the attacker's job is much harder: he
>   cannot install just any UEFI driver in DriverOrder (see the second
>   patch for more explanation), he must instead exploit a bug in an
>   already signed UEFI driver, before that driver is blacklisted in DBX.
> 
> Independently, Ray's work for porting OvmfPkg to MdeModulePkg/BDS
> includes a patch, namely
> 
>   [edk2] [Patch v3 11/23] OvmfPkg/PlatformBds: Initialize console
>                           variables in *BeforeConsole()
>   http://thread.gmane.org/gmane.comp.bios.edk2.devel/10859/focus=11039
> 
> that needs to connect the PCI root bridges on the call stack of
> PlatformBdsInit(), not the current PlatformBdsPolicyBehavior(). Since
> patch #2 in this series implements a superset of that requirement, and
> given the low impact of the security issue (and the unresponsiveness of
> the USRT), it makes sense for me to post this small series first, and
> for Ray to rebase his work on top second.
> 
> I tested these changes in OVMF, with
> 
>   { S3 enabled, S3 disabled } x { SMM enabled, SMM disabled },
> 
> using Fedora guests.
> 
> Public branch: <https://github.com/lersek/edk2/commits/lockdown_smm>.
> 
> Cc: Feng Tian <feng.t...@intel.com>
> Cc: Jiewen Yao <jiewen....@intel.com>
> Cc: Jordan Justen <jordan.l.jus...@intel.com>
> Cc: Ruiyu Ni <ruiyu...@intel.com>
> Cc: Star Zeng <star.z...@intel.com>
> 
> Thanks
> Laszlo
> 
> Laszlo Ersek (3):
>   MdeModulePkg: PiDxeS3BootScriptLib: honor PcdAcpiS3Enable
>   OvmfPkg: PlatformBdsLib: lock down SMM in PlatformBdsInit()
>   OvmfPkg: PlatformBdsLib: lock down SMM regardless of S3

2 & 3 Reviewed-by: Jordan Justen <jordan.l.jus...@intel.com>

> 
>  MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf |  1 +
>  MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c       |  4 +
>  OvmfPkg/Library/PlatformBdsLib/BdsPlatform.c                     | 89 ++++++++++++--------
>  3 files changed, 58 insertions(+), 36 deletions(-)
> 
> -- 
> 1.8.3.1
> 
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
