[edk2-devel] [PATCH v2 07/11] OvmfPkg/QemuKernelLoaderFsDxe: call VerifyBlob after fetch from fw_cfg

Dov Murik dovmurik at linux.ibm.com
Mon Jul 19 19:54:13 UTC 2021



On 19/07/2021 18:19, Brijesh Singh wrote:
> 
> 
> On 7/19/21 7:22 AM, Dov Murik wrote:
>>> The patch itself is okay. Just curious, do we also need to add a
>>> verification for the QEMU FW cfg file?
>>>
>>
>> I don't really understand.  This patch adds the VerifyBlob() call on
>> blobs that were read by FetchBlob(), which in turn reads the contents of
>> kernel/initrd/cmdline from QEMU FW cfg (using QemuFwCfgReadBytes for
>> example).
>>
>> We currently *don't* add verification for all other FW cfg settings,
>> like number of CPUs, E820 memory entries, ... similar to what we (don't)
>> do in SEV boot with encrypted root image (in which only OVMF is
>> measured).
>>
>> What else do you think we should verify?
>>
> 
> As I understand it, your series is attempting to add more security
> checks in the SEV boot sequence; i.e. after this series is merged, we
> can verify the kernel, cmdline and initrd passed through qemu. But there
> are several other configuration parameters (such as e820, acpi) that
> get passed by the qemu and consumed by the ovmf. Are you considering
> adding checks to cover those blobs in a future series? To me it seems
> that the framework built here can be extended to cover those as well.
> 

You're right -- it can be extended.  Currently that's not the plan; the
Guest Owner should be able to verify the measurement, which, with this
patch series, is a combination of the OVMF, kernel, initrd, and cmdline.
Adding the other QEMU FW CFG values will make that even harder for the
Guest Owner.  Also, the measurement will be different if, for example,
the guest is launched with 8GB memory instead of 4GB, or with 8 vcpus
instead of 4 vcpus.  If there's an obvious attack possible via one of
those fw_cfg settings, we can think about how to extend the measurement to
cover the problematic settings (or not support them at all, if possible).


> Reviewed-by: Brijesh Singh <brijesh.singh at amd.com>
> 

Thanks!
-Dov
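The check the thread is discussing, as an added illustration that is not code from the patch series or from OVMF: the Guest Owner hashes the kernel, initrd and cmdline it expects and places the digests in guest memory that is covered by the launch measurement; after the guest fetches each blob from fw_cfg it re-hashes what it actually received and compares against that table, and a blob with no entry (anything outside the measured set) is refused. The blob names, the dict-shaped hashes table and the byte contents are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample of the three blobs QEMU would hand over via fw_cfg
# (real fw_cfg uses numeric selectors; plain names are used here for clarity).
FW_CFG = {
    "kernel": b"\x7fELF-constructed-kernel-image-bytes",
    "initrd": b"constructed-initrd-cpio-bytes",
    "cmdline": b"console=ttyS0 root=/dev/vda\0",
}

MEASURED_BLOBS = ("kernel", "initrd", "cmdline")


def build_hashes_table(blobs):
    """Guest Owner side (pre-launch): SHA-256 of each expected blob.
    Hypothetical layout: name -> raw digest; in the real flow this table
    lives in guest memory that is part of the SEV launch measurement."""
    return {name: hashlib.sha256(data).digest() for name, data in blobs.items()}


def fetch_blob(fw_cfg, name):
    """Stand-in for FetchBlob(): read the blob as the hypervisor provides it."""
    return fw_cfg.get(name)


def verify_blob(hashes_table, name, data):
    """Stand-in for VerifyBlob(): hash what was actually read and compare it
    against the measured table. A blob with no entry is not covered by the
    measurement, so it is rejected rather than trusted by default."""
    expected = hashes_table.get(name)
    if expected is None:
        return False
    actual = hashlib.sha256(data).digest()
    return hmac.compare_digest(actual, expected)  # constant-time compare


def boot_blobs_ok(hashes_table, fw_cfg):
    """Fetch and verify every measured blob; any mismatch aborts the boot."""
    for name in MEASURED_BLOBS:
        data = fetch_blob(fw_cfg, name)
        if data is None or not verify_blob(hashes_table, name, data):
            return False
    return True
```

Note that settings such as the vCPU count or memory size never enter the table, which is exactly why they can change between launches without altering the measurement the Guest Owner checks.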



View/Reply Online (#77921): https://edk2.groups.io/g/devel/message/77921