Re: [edk2-devel] [edk2-rfc] [edk2-devel] UEFI Variable SMI Reduction

2019-09-12 Thread Nate DeSimone
; devel@edk2.groups.io; Johnson, Michael ; Kubacki, Michael A Subject: RE: [edk2-devel] [edk2-rfc] [edk2-devel] UEFI Variable SMI Reduction Nate I believe this SMI reduction work only handle GetVariable. VarCheckLib only handles SetVariable. VarCheckLib does not handle GetVaraible. Thank you Yao

Re: [edk2-devel] [edk2-rfc] [edk2-devel] UEFI Variable SMI Reduction

2019-09-11 Thread Kubacki, Michael A
, Michael ; Kubacki, Michael A Subject: RE: [edk2-devel] [edk2-rfc] [edk2-devel] UEFI Variable SMI Reduction Nate I believe this SMI reduction work only handle GetVariable. VarCheckLib only handles SetVariable. VarCheckLib does not handle GetVaraible. Thank you Yao Jiewen From: Desimone

Re: [edk2-devel] [edk2-rfc] [edk2-devel] UEFI Variable SMI Reduction

2019-09-10 Thread Yao, Jiewen
; Kubacki, Michael A Subject: RE: [edk2-devel] [edk2-rfc] [edk2-devel] UEFI Variable SMI Reduction Hi All, There is a security issue with regard to the way VarCheckLib works. There are plenty of usages of VarCheckLib that are intended to prevent ring0 from reading a variable after ReadyToBoot

Re: [edk2-devel] [edk2-rfc] [edk2-devel] UEFI Variable SMI Reduction

2019-09-10 Thread Nate DeSimone
, Michael ; Kubacki, Michael A Subject: Re: [edk2-devel] [edk2-rfc] [edk2-devel] UEFI Variable SMI Reduction Hey, from security perspective, I am not clear what is difference on below 2 scenario – TPM or read-modify-write. Whenever we return some data from SMM, we are in ring0, any program in ring0

Re: [edk2-devel] [edk2-rfc] [edk2-devel] UEFI Variable SMI Reduction

2019-09-08 Thread Yao, Jiewen
buffer. Thank you Yao Jiewen From: devel@edk2.groups.io On Behalf Of Johnson, Michael Sent: Saturday, September 7, 2019 5:52 AM To: Kubacki, Michael A ; devel@edk2.groups.io Subject: Re: [edk2-devel] [edk2-rfc] [edk2-devel] UEFI Variable SMI Reduction Yes - both things I bring up are just

Re: [edk2-devel] [edk2-rfc] [edk2-devel] UEFI Variable SMI Reduction

2019-09-06 Thread Johnson, Michael
: Johnson, Michael ; devel@edk2.groups.io Subject: RE: [edk2-devel] [edk2-rfc] [edk2-devel] UEFI Variable SMI Reduction My understanding is both of your points return to the issue of a ring 0 entity potentially modifying the runtime cache. As the SetVariable ( ) API is already accessible to ring 0

Re: [edk2-devel] [edk2-rfc] [edk2-devel] UEFI Variable SMI Reduction

2019-09-06 Thread Kubacki, Michael A
secure boot related keys. From: Johnson, Michael Sent: Thursday, September 5, 2019 1:59 PM To: Kubacki; Kubacki, Michael A ; devel@edk2.groups.io Subject: Re: [edk2-devel] [edk2-rfc] [edk2-devel] UEFI Variable SMI Reduction Your primary concern is my primary concern. I can think of two scenarios

Re: [edk2-devel] [edk2-rfc] [edk2-devel] UEFI Variable SMI Reduction

2019-09-05 Thread Johnson, Michael
Your primary concern is my primary concern.  I can think of two scenarios where a runtime memory varstore would hurt. The less severe one is that any variables measured into a TPM could appear to be modified when read back so that if/when some entity wants to verify or unseal something, they wo