[edk2-devel] [PATCH V3 15/29] OvmfPkg: Update SecEntry.nasm to support Tdx

James Bottomley jejb at linux.ibm.com
Tue Nov 23 14:51:44 UTC 2021


On Tue, 2021-11-23 at 14:36 +0000, Yao, Jiewen wrote:
> > This strict isolation between DXE and PEI means that once we're in
> > DXE, any bugs in PEI can't be exploited to attack the DXE
> > environment.  
> 
> [jiewen] I would disagree with the statement above.
> There is not strict isolation. Actually no isolation at all.
> The DXE is loaded by PEI. 

Not in OVMF ... DXE and PEI are actually loaded by SEC.  PEI eventually
jumps to execute DXE but that's after all its own tasks are completed.

> A bug in PEI has global impact and it can definitely be used to
> attack the DXE.

Only if it can be exploited.  Moving things to PEI is mitigating the
exploitability not the bugs.  The point about exploitability and PEI is
that it doesn't read any config files, it can't execute any EFI
binaries and it has no Human Interface modules so can't be influenced
even by a physically present attacker.  No ability to influence is what
removes the ability to exploit.

James




View/Reply Online (#83949): https://edk2.groups.io/g/devel/message/83949