On Sun, 2023-10-29 at 15:42 +, Yao, Jiewen wrote:
> > I'd say that's pretty close. A reviewer role is a request for
> > keeping
> > the reviewer in the loop.
>
> [Jiewen] I am disappointed by that.
> To me, that is NOT a real reviewer. See the description below of what
> "code review" is.
> https:
On Thu, 2023-05-04 at 17:08 +0200, Gerd Hoffmann wrote:
> On Thu, May 04, 2023 at 10:16:05AM -0400, James Bottomley wrote:
> > On Thu, 2023-05-04 at 15:32 +0200, Gerd Hoffmann wrote:
> > > Use PlatformBootManagerLib with PcdBootRestrictToFirmware
> > > set to TRUE inste
On Thu, 2023-05-04 at 15:32 +0200, Gerd Hoffmann wrote:
> Use PlatformBootManagerLib with PcdBootRestrictToFirmware
> set to TRUE instead.
>
> Signed-off-by: Gerd Hoffmann
> ---
> OvmfPkg/AmdSev/AmdSevX64.dsc | 10 --
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/Ov
The fixes since 0.9.4 are
Andreas Schwab (1):
sbsigntool: add support for RISC-V 64-bit PE/COFF images
Daniel Axtens (1):
sbvarsign: do not include PKCS#7 attributes
James Bottomley (1):
Add support for openssl-3
Jeremi Piotrowski (1):
Fix openssl-3.0 issue
On Wed, 2022-12-07 at 17:04 +0100, Ard Biesheuvel wrote:
> On Wed, 7 Dec 2022 at 17:02, Gerd Hoffmann wrote:
> >
> > On Wed, Dec 07, 2022 at 09:14:39AM -0500, James Bottomley wrote:
> > > On Wed, 2022-12-07 at 15:09 +0100, Ard Biesheuvel wrote:
> > > > So
On Wed, 2022-12-07 at 15:09 +0100, Ard Biesheuvel wrote:
> So at some point, these drivers will be removed rather than kept
> alive by the core team unless someone steps up.
How important is keeping them alive? I can volunteer to "maintain"
them which I anticipate won't be much effort (plus I'm u
[pjones added because he's done a huge amount of work to get shim to
measure stuff correctly]
On Tue, 2022-09-20 at 13:24 +, Lu, Ken wrote:
> > > Hi Ard, I think it is better to let the creator measure instead of
> > > the consumer measuring
> > like today's implementation in grub[1]. The creator here me
On Tue, 2022-07-26 at 10:09 -0300, Rafael Machado wrote:
> Hey everyone
>
> I have a question for the experts.
>
> Suppose I have a BIOS feature that can be set from the OS via some OS
> application (.exe) that calls the runtime services set variable ().
>
> To set this feature I have a UEFI var
On Tue, 2022-05-10 at 12:40 +0200, Gerd Hoffmann wrote:
> On Mon, May 09, 2022 at 09:41:02AM -0400, James Bottomley wrote:
> > On Mon, 2022-05-09 at 12:03 +, Yao, Jiewen wrote:
> > > It is possible to switch to other crypt lib.
> > >
> > > For example, th
On Mon, 2022-05-09 at 12:03 +, Yao, Jiewen wrote:
> It is possible to switch to other crypt lib.
>
> For example, the *mbedtls* version POC can be found at
> https://github.com/jyao1/edk2/tree/DeviceSecurity/CryptoMbedTlsPkg
> The advantage is: the size is much smaller.
> The disadvantage is:
On Mon, 2022-05-09 at 13:27 +0200, Gerd Hoffmann wrote:
[...]
> > 1) Please keep up the good work to enable OPENSSL3.0 in your personal
> > branch.
> > 2) If you have some way to control the size, then do it. If there
> > is not much size difference by default, then you can submit to EDKII
> > directly
On Wed, 2022-04-20 at 10:16 +0200, Gerd Hoffmann wrote:
> Hi,
>
> > > Yes for validation (aka sanity-checking the fields, etc).
> > > But for measurement I don't see why the ordering matters.
> > > Whenever you do that before or after consuming the TdHob
> > > should not make a difference.
> >
There are 2 versions of
> the TdProbeLib. Null instance of TdProbe always returns TD_PROBE_NON.
> Its OvmfPkg version checks the Ovmf work area to determine the Td
> guest type.
I tested this out with the TPM code: it restores pretty much all of the
lost performance, thanks!
Tested-by: Jam
I'm using a SEC phase which has a TPM driver to experiment with sorting
out measured boot, which is how I noticed (usually SEC doesn't do MMIO).
What I'm seeing is after commit b6b2de884864 ("MdePkg: Support mmio
for Tdx guest in BaseIoLibIntrinsic") we get a massive slowdown of
about 100x in TPM
I've identified a serious performance regression in recent edk2, so
I've been trying to identify it by bisection, but it seems that the TDX
patches have broken bisection in edk2. You can see this by trying to
checkout b6b2de884864 and build it. It will give you
Active Platform = /home/j
When I do a measured boot of OVMF, I get a load of records including
the two EV_EFI_PLATFORM_FIRMWARE_BLOB events, which, according to the
code in Tcg2Pei.c are supposed to be measuring PEIFV and DXEFV from the
uncompressed MEMFD. However, when I compare the hashes against the
build artifacts, the
On Wed, 2021-11-24 at 14:03 +, Yao, Jiewen wrote:
> James
> I am sorry that it is hard for me to understand your point.
>
> To be honest, I am not sure what is objective on the discussion.
> Are you questioning the general threat model analysis on UEFI PI
> architecture?
The object is for me to
On Wed, 2021-11-24 at 11:08 +, Yao, Jiewen wrote:
> > -Original Message-
> > From: Gerd Hoffmann
[...]
> > There isn't much external input to process in PEI phase. Virtual
> > machines are a bit different than physical machines. They need to
> > process some input from the host here
On Tue, 2021-11-23 at 15:10 +, Yao, Jiewen wrote:
> I would say the PEI owns the system and all memory (including the
> DXE).
>
> A bug in PEI may override the loaded DXE memory or the whole system.
That's not the correct way to analyse the security properties. From
the security point of vi
On Tue, 2021-11-23 at 14:36 +, Yao, Jiewen wrote:
> > This strict isolation between DXE and PEI means that once we're in
> > DXE, any bugs in PEI can't be exploited to attack the DXE
> > environment.
>
> [jiewen] I would disagree the statement above.
> There is not strict isolation. Actuall
On Tue, 2021-11-23 at 13:07 +, Yao, Jiewen wrote:
> Comment below only:
>
> > I am persuaded to let config-a adopt the OVMF way, because the
> > threat model of config-A is same as the normal OVMF.
> > But config-B is NOT.
> > Different threat model drives different solution.
> > I completely
On Fri, 2021-11-12 at 01:27 +, Ni, Ray wrote:
[...]
> > +
> > + return (CurrentAttr == Attr);
>
> 2. I guess a "BOOLEAN" type cast is needed.
It shouldn't. Unless there's a major screw up in the way BOOLEAN works
in the UEFI API, all logic operations should already be of type BOOLEAN
and if
On Fri, 2021-10-22 at 11:48 -0400, Stefan Berger wrote:
> On 10/22/21 11:01 AM, James Bottomley wrote:
> > On Fri, 2021-10-22 at 10:52 -0400, Stefan Berger wrote:
> >
> > > along with the quote on the sha1 bank.
> > The validator shouldn't accept that quot
On Fri, 2021-10-22 at 10:52 -0400, Stefan Berger wrote:
> On 10/22/21 10:17 AM, James Bottomley wrote:
> > On Fri, 2021-10-22 at 09:13 -0400, Stefan Berger wrote:
> > > On 10/22/21 8:40 AM, James Bottomley wrote:
> > >
> > > > On Fri, 2021-10-22 at 07:57 -
On Fri, 2021-10-22 at 09:13 -0400, Stefan Berger wrote:
> On 10/22/21 8:40 AM, James Bottomley wrote:
>
> > On Fri, 2021-10-22 at 07:57 -0400, Stefan Berger wrote:
> > > On 10/22/21 7:49 AM, James Bottomley wrote:
> > > > On Fri, 2021-10-22 at
On Fri, 2021-10-22 at 07:57 -0400, Stefan Berger wrote:
> On 10/22/21 7:49 AM, James Bottomley wrote:
> > On Fri, 2021-10-22 at 06:50 -0400, Stefan Berger wrote:
> > [...]
> > > I see this also but when I get into Linux and run tpm2_pcrread I
> > > see the SHA1 ba
On Fri, 2021-10-22 at 06:50 -0400, Stefan Berger wrote:
[...]
> I see this also but when I get into Linux and run tpm2_pcrread I see
> the SHA1 bank active but not having received any PCR extensions from
> the firmware, which is not supposed to happen.
That's not entirely correct: the TCG firmware
On Sat, 2021-09-18 at 06:30 -0500, Brijesh Singh wrote:
> On 9/18/21 12:16 AM, Xu, Min M wrote:
[...]
> > I usually do the development in windows and build the OVMF image
> > with VS2019.
> > If the new feature works, then I cherry-pick the patch-sets to code
> > base in ubuntu 18.04 and build/test
On Mon, 2021-09-13 at 19:31 +, Marvin Häuser wrote:
> Hey Pedro,
>
> Same point as before really, why would an attacker have access to
> your SSH key but not your GPG key? This scenario leaves out the
> possibility of an HTTPS over SSH attack, in which case as a security-
> aware person you use
On Sat, 2021-09-11 at 19:25 +0100, Pedro Falcato wrote:
> Hi everyone,
>
> Yesterday, when pushing my first commits to edk2-platforms (as the
> Ext4Pkg maintainer), I noticed that my commits (see 7872c98 and
> 71f3343) stick out like a sore thumb, as I have GPG signing on my
> commits on by defaul
On Wed, 2021-09-01 at 08:59 +, Yao, Jiewen wrote:
> Hi Min
> I agree with Gerd and Ard in this case.
>
> It is NOT so obvious that the FTW is produced then consumed in the
> code. What if the attacker prepares some special configuration to
> trigger the FTW process at the first boot, the code
On Wed, 2021-08-11 at 09:04 +1000, Christoph Willing wrote:
> On 11/8/21 12:26 am, James Bottomley wrote:
> [...]
> > In the working kernel dmesg Gerd requested, what does it mount as
> > root? sda? In which case what does the kernel say about where it
> > got sda from?
>
On Tue, 2021-08-10 at 10:10 +1000, Christoph Willing wrote:
> On 10/8/21 12:52 am, James Bottomley wrote:
> > On Mon, 2021-08-09 at 22:53 +1000, Christoph Willing wrote:
> > > With soft feature freeze started, I wonder if this patch could be
> > > reviewed and pushed f
On Mon, 2021-08-09 at 12:37 -0400, Stefan Berger wrote:
> This series imports code from the edk2-platforms project related to
> changing the password of the TPM2 platform hierarchy and uses it to
> disable the TPM2 platform hierarchy in Ovmf. It addresses the Ovmf
> aspects of the following bugs:
>
On Mon, 2021-08-09 at 22:53 +1000, Christoph Willing wrote:
> With soft feature freeze started, I wonder if this patch could be
> reviewed and pushed for edk2-stable202108 tag? I think it has
> languished because I didn't initially Cc appropriately - pls add
> others as necessary.
>
> This patch i
On Mon, 2021-07-26 at 00:55 +, Yao, Jiewen wrote:
> Hi James
> "However, this ran into problems when it was decided AmdSev shouldn't
> have its own Library."
>
> I am not clear on the history. Would you please clarify why AmdSev
> should not have its own library?
The history predates me. It
On Sun, 2021-07-25 at 10:52 +0300, Dov Murik wrote:
> And I do have one question:
> > May I know what is criteria to put a SEV module to OvmfPkg\AmdSev
> > or OvmfPkg directly?
> >
> > My original understanding is:
> > If a module is required by OvmfPkg{Ia32,Ia32X64,X64}.{dsc,fdf},
> > then it sho
c: Ashish Kalra
> Cc: Brijesh Singh
> Cc: Erdem Aktas
> Cc: James Bottomley
> Cc: Jiewen Yao
> Cc: Min Xu
> Cc: Tom Lendacky
> Cc: Tobin Feldman-Fitzthum
> Signed-off-by: Dov Murik
> ---
> OvmfPkg/AmdSev/AmdSevX64.dsc | 16 +++-
> OvmfPkg/Am
On Thu, 2021-06-24 at 00:24 +, Min Xu wrote:
> On 06/22/2021 9:39 PM, Laszlo wrote:
> > I should clarify: the relevant part of my preference is not that
> > "IntelTdx.dsc"
> > contain the *complete* TDVF feature set. The relevant part (for me)
> > is that
> > "OvmfPkgX64.dsc" *not* be over-comp
On Thu, 2021-06-10 at 21:38 -0400, James Bottomley wrote:
> On Fri, 2021-06-11 at 01:36 +, Yao, Jiewen wrote:
> > Hi James.
> > I attached the invitation and copied all content below:
> >
> > ==
> > ## TOPIC
> >
>
On Fri, 2021-06-11 at 01:36 +, Yao, Jiewen wrote:
> Hi James.
> I attached the invitation and copied all content below:
>
> ==
> ## TOPIC
>
> 1. NA
>
> For more info, see here: https://www.tianocore.org/design-meeting/
>
> ---
> ## Microsoft Teams meeting
>
On Thu, 2021-06-10 at 22:30 +, Xu, Min M wrote:
> Hi, All
> Thanks much for the valuable comments and discussion about the
> design.
> We have updated the slides (v0.9) at the link below. If some comments or
> concerns are not answered/addressed in the new slides, please don't
> hesitate to tell us
On Wed, 2021-06-09 at 17:47 +0200, Paolo Bonzini wrote:
> On 09/06/21 16:28, James Bottomley wrote:
> > That would cut across the ApEntrypoint and the guidedStructureEnd.
> > However, nothing says anything in the reset vector guided structure
> > has to be data ... so it could
On Wed, 2021-06-09 at 13:00 +0200, Laszlo Ersek wrote:
> On 06/09/21 02:58, Xu, Min M wrote:
> > On 06/09/2021 3:33 AM, Laszlo wrote:
> > > On 06/08/21 18:01, James Bottomley wrote:
> > > > On your slide 13 Question: "Open: How will the QEMU find the
> > >
On Wed, 2021-06-09 at 02:01 +, Xu, Min M wrote:
> On 06/09/2021 12:01 AM, James Bottomley wrote:
[...]
> > On slide 19, the mucking with the reset vector really worries me
> > because we don't have that much space to play with. Given that
> > you're starting in
On Thu, 2021-06-03 at 13:51 +, Yao, Jiewen wrote:
> Hi, All
> We plan to do a design review for TDVF in OVMF package.
>
>
> The TDVF Design slides for the TianoCore Design Review Meeting (Jun 11)
> are now available at the link below:
> https://edk2.groups.io/g/devel/files/Designs/2021/0611.
>
> The
On Fri, 2021-06-04 at 15:52 +0100, Michael Brown wrote:
> On 04/06/2021 11:43, Michael Brown wrote:
> > On 04/06/2021 11:11, Laszlo Ersek wrote:
> > > And, to reiterate, just because Confidential Computing is the
> > > new hot thing, the use cases for OvmfPkgIa32, OvmfPkgIa32X64,
> > > OvmfPkgX64 d
On Tue, 2021-06-01 at 14:11 +0200, Laszlo Ersek wrote:
> Ard,
>
> I'll have a specific question for you below; please feel free to jump
> forward (search for your name). Thanks.
>
> Dov, my comments below:
>
> On 05/25/21 07:31, Dov Murik wrote:
> > Booting with SEV prevented the loading of kern
On Tue, 2021-05-25 at 15:33 -0500, Tom Lendacky wrote:
> On 5/25/21 3:08 PM, Dov Murik wrote:
> > Hi Brijesh,
> >
> > On 25/05/2021 18:48, Brijesh Singh wrote:
> > > On 5/25/21 12:31 AM, Dov Murik wrote:
> > > > Booting with SEV prevented the loading of kernel, initrd, and
> > > > kernel command-l
On Thu, 2021-05-06 at 13:57 +0300, Dov Murik wrote:
>
> On 05/05/2021 22:33, Laszlo Ersek wrote:
> > On 05/05/21 15:11, Brijesh Singh wrote:
> > > On 5/5/21 1:42 AM, Dov Murik wrote:
[...]
> > > > Would it make sense to always use EfiACPIMemoryNVS for the
> > > > injected secret area, even for reg
On Wed, 2021-05-05 at 21:33 +0200, Laszlo Ersek wrote:
> On 05/05/21 15:11, Brijesh Singh wrote:
> > On 5/5/21 1:42 AM, Dov Murik wrote:
[...]
> > > Would it make sense to always use EfiACPIMemoryNVS for the
> > > injected secret area, even for regular SEV (non-SNP)?
> >
> > Ideally yes. Maybe Jam
On Wed, 2021-04-28 at 10:19 -0700, James Bottomley wrote:
> On Wed, 2021-04-28 at 16:56 +0200, Thore Sommer wrote:
> > TPM2 @ 0x
> > : 54 50 4D 32 4C 00 00 00 04 7F 42 4F 43 48 53
> > 20 TPM2L.BOCHS
> > 0010: 42 58 50 43 54 50 4D 32
On Wed, 2021-04-28 at 16:56 +0200, Thore Sommer wrote:
> TPM2 @ 0x
> : 54 50 4D 32 4C 00 00 00 04 7F 42 4F 43 48 53 20 TPM2L.BOCHS
> 0010: 42 58 50 43 54 50 4D 32 01 00 00 00 42 58 50 43 BXPCTPM2BXPC
> 0020: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
On Tue, 2021-04-27 at 09:00 -0500, Lendacky, Thomas wrote:
> On 4/27/21 2:40 AM, Thore Sommer via groups.io wrote:
> > > I don't confirm this. I have Linux version 5.12.0-rc5+ installed
> > > and I
> > > see the attached in my binary_bios_measurements (I've run it
> > > through
> > > tpm2-eventlog
On Mon, 2021-04-26 at 21:56 +0200, Thore Sommer wrote:
> Dear Maintainers,
>
> during my testing with OVMF and swtpm I found out that kernel
> versions newer than 5.8 don't show any information in
> "/sys/kernel/security/tpm0/binary_bios_measurements" if swtpm
> emulates a TPM 2.0 device. The fil
On Mon, 2021-04-12 at 11:54 +, Yao, Jiewen wrote:
> I totally agree with you that from a security perspective, the best
> idea is to isolate AMD SEV/Intel TDX from standard OVMF.
There's a big difference between building tuned binaries and separating
the subsystems entirely. Ideally we don't want
On Wed, 2021-04-07 at 17:02 +0200, Laszlo Ersek wrote:
> On 04/07/21 02:44, James Bottomley wrote:
> > On Wed, 2021-04-07 at 00:21 +, Xu, Min M wrote:
> > > Hi, Laszlo
> > >
> > > For Intel TDX supported guest, all processors start in 32-bit
> > >
On Wed, 2021-04-07 at 00:21 +, Xu, Min M wrote:
> Hi, Laszlo
>
> For Intel TDX supported guest, all processors start in 32-bit
> protected
> mode, while for Non-Td guest, it starts in 16-bit real mode. To make
> the
> ResetVector work on both Td-guest and Non-Td guest, ResetVector are
> update
On Tue, 2021-04-06 at 14:16 +0200, Laszlo Ersek wrote:
> On 04/06/21 10:11, Xu, Min M wrote:
> > Hi, Singh
> > I have a concern about the sevSnpBlock in ResetVectorVtf0.asm.
> > Actually
> > SEV has inserted 3 blocks in ResetVectorVtf0.asm and the total
> > bytes are
> > (26 + 22 + 20 = 68 bytes).
> >
> > Generalize the current OVMF SEV subsystem entry, so that we can use
> > it for Intel TDX in the future, ensuring proper patch circulation
> > for reviews.
> >
> > Cc: Andrew Fish
> > Cc: Ard Biesheuvel
> > Cc: Brijesh Singh
> > C
On Wed, 2021-03-10 at 15:20 +0100, Laszlo Ersek wrote:
[...]
> (2) Reviewing this patch makes me realize we've missed some
> "Maintainers.txt" updates in the past, in relation to SEV and/or
> confidential computing.
>
> Namely, we did not designate any reviewers for the following
> pathnames:
>
The fixes since 0.9.3 are
AKASHI Takahiro (1):
sbsign: allow for adding intermediate certificates
James Bottomley (8):
sbverify: fix verification with intermediate certificates
Tests: Add intermediate certificate tests to the sign-verify cases
On Fri, 2020-01-10 at 11:58 +0100, Laszlo Ersek wrote:
> On 01/09/20 19:24, James Bottomley wrote:
> > The fixes since 0.9.2 are
> >
> >James Bottomley (1):
> > README: update git location and add mailing list
> > information
On Fri, 2020-01-10 at 11:55 +0100, Laszlo Ersek wrote:
> Right, that's my understanding too -- fully open lists are not
> supported on groups.io (and at least in the edk2 community, most
> participants don't like fully open posting -- I happen to be a fan of
> open posting, FWIW). Worse, for non-su
The fixes since 0.9.2 are
James Bottomley (1):
README: update git location and add mailing list information
Laszlo Ersek (1):
sbvarsign: fix "EFI_VARIABLE_AUTHENTICATION_2.TimeStamp.Year"
assignment
Steve McIntyre (1):
Fix PE/COF
On Thu, 2020-01-09 at 18:17 +0100, Laszlo Ersek wrote:
> Hello James,
>
> On 01/08/20 20:13, James Bottomley wrote:
> > On Wed, 2020-01-08 at 12:24 +0100, Laszlo Ersek wrote:
> > > I don't know where sbsigntools development occurs (mailing list,
> > > bug
>
On Wed, 2020-01-08 at 12:24 +0100, Laszlo Ersek wrote:
> (+James)
>
> On 01/07/20 19:13, Eugene Khoruzhenko wrote:
> > I think I may have found the problem. I can write the
> > file_name.signed created by your scripts in NT32 emulated
> > environment and in EDKII on Minnow board that I build mysel