On Tue, 8 Jan 2019 at 02:11, Laszlo Ersek <ler...@redhat.com> wrote: > > On 01/07/19 20:37, Ard Biesheuvel wrote: > > On Mon, 7 Jan 2019 at 20:21, Achin Gupta <achin.gu...@arm.com> wrote: > > >> Could you please explain the need for End of DXE signalling and > >> the traditional SMM IPL. It is not obvious to me :o( > >> > > > > The point is that there are PI specified events that we are currently > > not signalling in standalone MM, so in that sense, we are not > > implementing the PI spec fully. > > > > Note that EndOfDxe is security sensitive - it is used as a trigger to > > lock down and/or secure stuff, and if it never get signalled, > > standalone MM drivers may falsely assume that the context is more > > secure than it is. > > Yes, see PI 1.6, Vol2 ("DXE"), 18.104.22.168 "End of DXE Event". > > (I won't quote the spec here, as I could quote the entire section; all > of it is relevant here.) > > In my interpretation anyway, the MM infrastructure basically "trusts" > DXE until End-of-DXE is signaled. See also: > - 5.6 "DXE MM Ready to Lock Protocol", > - 4.6 "MM Ready to Lock Protocol", > in Vol4. > > The kind of "early distrust" that Achin describes up-thread may be > well-founded, and it might obviate the above event groups. I'm not sure.
I disagree. The whole point of standalone MM is to have parity with x86 in terms of having a separate execution context where platform specific services can reside. Even though DXE_SMM_DRIVER and MM_STANDALONE modules are dispatched in different ways, they should be able to be built from a shared source, and not signalling the EndOfDxe event is highly likely to cause more problems that it solves. And actually, I think it is a valid security model to distinguish between before and after EndOfDxe, since EndOfDxe will be signalled before loading any third-party drivers, and so whatever has executed up to that point can be held to higher standards in terms of trust. > The concept is novel to me (after having struggled for months in ~2015 > to wrap my brain around traditional SMM in the first place), so I'm > having trouble at reasoning about standalone MM. > I think that applies to all of us :-) _______________________________________________ edk2-devel mailing list email@example.com https://lists.01.org/mailman/listinfo/edk2-devel