Inlined

> -----Original Message-----
> From: Gerd Hoffmann <kra...@redhat.com>
> Sent: Tuesday, April 19, 2022 8:49 PM
> To: devel@edk2.groups.io; Xu, Min M <min.m...@intel.com>
> Cc: Ard Biesheuvel <ardb+tianoc...@kernel.org>; Yao, Jiewen
> <jiewen....@intel.com>; Justen, Jordan L <jordan.l.jus...@intel.com>; Brijesh
> Singh <brijesh.si...@amd.com>; Aktas, Erdem <erdemak...@google.com>;
> James Bottomley <j...@linux.ibm.com>; Tom Lendacky
> <thomas.lenda...@amd.com>
> Subject: Re: [edk2-devel] [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td
> HobList and Configuration FV
> 
> On Tue, Apr 19, 2022 at 11:12:39AM +0000, Min Xu wrote:
> > On April 19, 2022 2:59 PM, Gerd Hoffmann wrote:
> > > On Mon, Apr 18, 2022 at 07:59:56AM +0800, Min Xu wrote:
> > > > RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3853
> > > >
> > > > TdHobList and Configuration FV are external data provided by Host VMM.
> > > > These are not trusted in Td guest. So they should be validated,
> > > > measured and extended to Td RTMR registers. In the meantime 2
> > > > EFI_CC_EVENT_HOB are created. These 2 GUIDed HOBs carry the hash
> > > > value of TdHobList and Configuration FV. In DXE phase EFI_CC_EVENT
> > > > can be created based on these 2 GUIDed HOBs.
> > >
> > > Why is this done in the SEC phase?
> > TdHobList is consumed in SEC phase. So before it is consumed, it should be
> > validated, measured.
> 
> Yes for validation (aka sanity-checking the fields, etc).
> But for measurement I don't see why the ordering matters.
> Whether you do that before or after consuming the TdHob
> should not make a difference.

[Jiewen] I disagree. The order matters from a security perspective.
If you use it, there is a risk that the buggy code will compromise the system
before you have a chance to measure it.
There were already known attacks: the measurement was in the wrong place, which
allowed the attack to forge the measurement.

The best practice is always: measure then use.

> 
> > CFV contains the information provisioned by host VMM, for example, the
> > secure boot parameters. These external data should be validated and
> > measured as well.
> 
> Same argument here.
> 
> You pull a bunch of stuff into SEC (sha384, ...), and I'm wondering
> whether it would be better to move measurement to DXE instead where
> you just don't need that kind of changes.
> 
> take care,
>   Gerd
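
An added illustration of the ordering point argued in this message (not code from the patch or from anyone in the thread): a Python model in which the consumer rewrites the buffer while using it, so a measurement taken afterwards no longer reflects what the host supplied. The extend rule, the `key=value;` entry format, `consume` and the sample blobs are simplified assumptions constructed for this example.

```python
import hashlib

RTMR_SIZE = 48  # SHA-384 digest length in bytes


def extend(rtmr: bytes, data: bytes) -> bytes:
    """Model of a measurement-register extend: new = SHA384(old || SHA384(data))."""
    return hashlib.sha384(rtmr + hashlib.sha384(data).digest()).digest()


# Hypothetical entry prefixes the consumer understands (assumption).
KNOWN = (b"mem=", b"cpu=")


def consume(buf: bytearray) -> None:
    """Hypothetical lenient consumer: silently drops unknown entries in place."""
    kept = [e for e in bytes(buf).split(b";") if e.startswith(KNOWN)]
    buf[:] = b";".join(kept)


def measure_then_use(blob: bytes) -> bytes:
    buf = bytearray(blob)
    rtmr = extend(bytes(RTMR_SIZE), bytes(buf))  # measure the bytes as received
    consume(buf)
    return rtmr


def use_then_measure(blob: bytes) -> bytes:
    buf = bytearray(blob)
    consume(buf)  # buffer is modified before it is measured
    return extend(bytes(RTMR_SIZE), bytes(buf))


# Constructed sample inputs: what the verifier expects vs. what was supplied.
EXPECTED = b"mem=4G;cpu=2"
SUPPLIED = b"mem=4G;cpu=2;unexpected=1"

if __name__ == "__main__":
    for name, fn in (("measure-then-use", measure_then_use),
                     ("use-then-measure", use_then_measure)):
        same = fn(EXPECTED) == fn(SUPPLIED)
        print(f"{name}: unexpected input "
              f"{'NOT visible' if same else 'visible'} in the register")
```

With measure-then-use the register value differs between the two inputs, so a verifier comparing against the expected value notices the change; with use-then-measure both inputs yield the same register value.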


