Hi, > 1. " the PEI domain has very limited exposure, it's the DXE domain that has > full exposure " > [Jiewen] I don’t understand how that is concluded, on " limited exposure ", " > full exposure ".
exposure == "the need to process external input, which an attacker might use to exploit bugs in edk2 by crafting input data accordingly." There isn't much external input to process in PEI phase. Virtual machines are a bit different than physical machines. They need to process some input from the host here which describes the virtual hardware so they can initialize it properly. For example parse the etc/e820 fw_cfg file to figure how much memory is installed (or parse the td hob in case tdx is used). That platform-specific code for virtual machine initialization must do careful sanity checking when you don't want trust the VMM of course. Whenever that code lives in SEC or PEI doesn't change the picture much though. > 2. "bugs in PEI code can't be used to exploit the system when it has > transitioned to the DXE domain." > [Jiewen] I disagree. A bug in PEI code may already modify the HOB, while the > HOB is an architecture data input for DXE. > If DXE relies on some malicious data from PEI, DXE might be exploited later. Attacking PEI is harder though because the external input it processes is limited when compared to DXE. Once you are transitioned to DXE you can't call into PEI Modules any more. So, how would an attacker trick PEI code into modifying HOBs (or carrying out other actions under attackers control)? take care, Gerd -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#84021): https://edk2.groups.io/g/devel/message/84021 Mute This Topic: https://groups.io/mt/86739864/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
