On Tue, 8 Jan 2019 at 02:11, Laszlo Ersek <ler...@redhat.com> wrote:
> On 01/07/19 20:37, Ard Biesheuvel wrote:
> > On Mon, 7 Jan 2019 at 20:21, Achin Gupta <achin.gu...@arm.com> wrote:
> >> Could you please explain the need for End of DXE signalling and
> >> the traditional SMM IPL. It is not obvious to me :o(
> >>
> >
> > The point is that there are PI specified events that we are currently
> > not signalling in standalone MM, so in that sense, we are not
> > implementing the PI spec fully.
> >
> > Note that EndOfDxe is security sensitive - it is used as a trigger to
> > lock down and/or secure stuff, and if it never get signalled,
> > standalone MM drivers may falsely assume that the context is more
> > secure than it is.
> Yes, see PI 1.6, Vol2 ("DXE"), "End of DXE Event".
> (I won't quote the spec here, as I could quote the entire section; all
> of it is relevant here.)
> In my interpretation anyway, the MM infrastructure basically "trusts"
> DXE until End-of-DXE is signaled. See also:
> - 5.6 "DXE MM Ready to Lock Protocol",
> - 4.6 "MM Ready to Lock Protocol",
> in Vol4.
> The kind of "early distrust" that Achin describes up-thread may be
> well-founded, and it might obviate the above event groups. I'm not sure.

I disagree. The whole point of standalone MM is to have parity with
x86 in terms of having a separate execution context where platform
specific services can reside. Even though DXE_SMM_DRIVER and
MM_STANDALONE modules are dispatched in different ways, they should be
able to be built from a shared source, and not signalling the EndOfDxe
event is highly likely to cause more problems that it solves.

And actually, I think it is a valid security model to distinguish
between before and after EndOfDxe, since EndOfDxe will be signalled
before loading any third-party drivers, and so whatever has executed
up to that point can be held to higher standards in terms of trust.

> The concept is novel to me (after having struggled for months in ~2015
> to wrap my brain around traditional SMM in the first place), so I'm
> having trouble at reasoning about standalone MM.

I think that applies to all of us :-)
edk2-devel mailing list

Reply via email to