> -----Original Message-----
> From: Ard Biesheuvel <a...@kernel.org>
> Sent: Tuesday, July 18, 2023 12:26 AM
> To: Pedro Falcato <pedro.falc...@gmail.com>
> Cc: devel@edk2.groups.io; t...@taylorbeebe.com; Wang, Jian J
> <jian.j.w...@intel.com>; Gao, Liming <gaolim...@byosoft.com.cn>; Bi,
> Dandan <dandan...@intel.com>; Ard Biesheuvel
> <ardb+tianoc...@kernel.org>; Yao, Jiewen <jiewen....@intel.com>; Justen,
> Jordan L <jordan.l.jus...@intel.com>; Gerd Hoffmann <kra...@redhat.com>;
> Leif Lindholm <quic_llind...@quicinc.com>; Sami Mujawar
> <sami.muja...@arm.com>; Andrew Fish <af...@apple.com>; Ni, Ray
> <ray...@intel.com>; Dong, Eric <eric.d...@intel.com>; Kumar, Rahul R
> <rahul.r.ku...@intel.com>; Dong, Guo <guo.d...@intel.com>; Rhodes, Sean
> <sean@starlabs.systems>; Lu, James <james...@intel.com>; Guo, Gua
> <gua....@intel.com>
> Subject: Re: [edk2-devel] [PATCH 00/14] Implement Dynamic Memory
> Protections
>
> On Mon, 17 Jul 2023 at 18:15, Pedro Falcato <pedro.falc...@gmail.com> wrote:
> >
> > On Wed, Jul 12, 2023 at 12:53 AM Taylor Beebe <t...@taylorbeebe.com> wrote:
> > >
> > > In the past, memory protection settings were configured via FixedAtBuild PCDs,
> > > which resulted in a build-time configuration of memory mitigations. This
> > > approach limited the flexibility of applying mitigations to the
> > > system and made it difficult to update or adjust the settings post-build.
> >
> > How do you mitigate the possibility of an attack overwriting the
> > dynamic configuration data (the HOBs)?
> > It seems most dangerous to me to publish this sort of
> > security-sensitive configuration knobs dynamically such that an
> > attacker can change them.
> >
>
> That is a very good point. One of the things I have on my TODO list
> for the memory attributes PEI work is to remap HOB memory read-only
> before entering DXE. They are conceptually read-only anyway when PEI
> completes, so they should never be modified afterwards.
DXE Core migrates the HOB to a new location. So the protection needs to be re-done after that.
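The point made in this exchange, as an added host-side model that is not EDK2 code and not from the thread: a settings HOB is locked read-only with mprotect (the "remap HOB memory read-only before entering DXE" step), then relocated by a plain copy the way DXE Core migrates the HOB list, and the copy is writable until the protection is reapplied. The SETTINGS_HOB layout, its field names and the signature value are constructed stand-ins, not the real HOB format.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/* Constructed stand-in for a memory-protection settings HOB; not the real EDK2 layout. */
typedef struct { uint32_t signature, nx_for_data, null_detection; } SETTINGS_HOB;
static sigjmp_buf probe_env;
static void on_segv(int sig) { (void)sig; siglongjmp(probe_env, 1); }
/* Returns 1 if a store to *p faults (page is read-only), 0 if the store lands. */
static int write_faults(volatile uint32_t *p) {
    struct sigaction sa, old;
    volatile int faulted = 1;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(probe_env, 1) == 0) { *p = *p; faulted = 0; }
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}
static size_t page_size(void) { return (size_t)sysconf(_SC_PAGESIZE); }
static SETTINGS_HOB *alloc_hob_page(void) {
    void *p = mmap(NULL, page_size(), PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : (SETTINGS_HOB *)p;
}
/* The "remap HOB memory read-only before entering DXE" step: lock the HOB's page. */
static int lock_hob(SETTINGS_HOB *hob) { return mprotect(hob, page_size(), PROT_READ); }
/* Model of DXE Core relocating the HOB list: a plain copy into fresh, writable memory. */
static SETTINGS_HOB *dxe_migrate_hobs(const SETTINGS_HOB *old) {
    SETTINGS_HOB *copy = alloc_hob_page();
    if (copy) memcpy(copy, old, sizeof *copy);
    return copy;
}
/* Bitmask: 1 = original HOB is RO after the PEI lock, 2 = migrated copy is RO
   before re-locking, 4 = migrated copy is RO after re-locking. -1 on mmap failure. */
static int handoff_demo(void) {
    SETTINGS_HOB *pei = alloc_hob_page();
    if (!pei) return -1;
    pei->signature = 0x4D504F48; pei->nx_for_data = 1; pei->null_detection = 1;
    int r = 0;
    if (lock_hob(pei) == 0 && write_faults(&pei->nx_for_data)) r |= 1;
    SETTINGS_HOB *dxe = dxe_migrate_hobs(pei);
    if (!dxe) return -1;
    if (write_faults(&dxe->nx_for_data)) r |= 2; /* stays clear: RO did not follow the copy */
    if (lock_hob(dxe) == 0 && write_faults(&dxe->nx_for_data)) r |= 4;
    return r; /* returns 5: locked, writable again after migration, locked after re-lock */
}
```

A result of 5 rather than 7 is the migration gap the reply describes: the read-only mapping belongs to the old page, so whatever locks the HOBs in PEI has to be repeated on the relocated list inside DXE.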