Image

Read-only variable

Post Reply
ChuckD
Member
Posts: 11
Joined: Wed Apr 04, 2018 2:06 pm

Read-only variable

Post by ChuckD » Wed Apr 04, 2018 2:14 pm

Intel mentioned the following about mitigating UEFI attacks in 2018 spring UEFI Plugfest.
To me, seems this is way too heavy and too many rules for developers to follow... your opinion?
0.jpeg
0.jpeg (498.5 KiB) Viewed 722 times
Last edited by ChuckD on Sun Apr 08, 2018 12:58 pm, edited 2 times in total.

User avatar
BobJC
Member
Posts: 21
Joined: Wed Apr 04, 2018 2:07 pm

Re: Read-only variable

Post by BobJC » Wed Apr 04, 2018 2:33 pm

Agree. Imagine those junior developers in ODM who has full control of the BIOS code, who the hell knows what kind of vulnerbilities will be planted in the flash rom. :oops:

james.r
Member
Posts: 15
Joined: Sun Apr 08, 2018 2:11 pm

Re: Read-only variable

Post by james.r » Sun Apr 08, 2018 2:20 pm

Agree, the implementation of the mechanism is not that complicated, but to educate/ensure developers to follow it correctly is almost a mission impassible.

future
Member
Posts: 6
Joined: Sun Apr 08, 2018 11:28 am

Re: Read-only variable

Post by future » Wed Apr 11, 2018 11:18 pm

it is not good idea to lock all the variables in DXE phase, some still need be updated in bds.

thops
Junior Member
Posts: 1
Joined: Mon Apr 09, 2018 8:41 pm

Re: Read-only variable

Post by thops » Mon Apr 16, 2018 11:11 pm

The UEFI spec already has provisions for making a variable inaccessible after BDS, just don't use the EFI_VARIABLE_RUNTIME_ACCESS attribute.
This functionality is specifically about protecting a variable from 3rd party code that is run during (or after) BDS.
If your variable needs BDS write access, don't do anything differently. Nothing is "locking all variables".

Regarding the concept of complexity and junior devs at an ODM, I would hopethat most organizations employ some form of code review.
Furthermore, I would hope that ODM features are designed with security concepts in mind.
Do we need to modify this variable outside of this code? If not, lock the variable.
There is nothing too complicated, all you need to do to protect a variable is call requestToLock() after you are done modifying your variable.
Everything else is done by the variable services code.

User avatar
armstrong
Member
Posts: 23
Joined: Sun Apr 01, 2018 4:34 pm

Re: Read-only variable

Post by armstrong » Tue Apr 17, 2018 12:56 am

We should never rely on ODM/OEM to make sure they are follwing the best practice. You can see how desperate the author is while he yelling at ODM/OEM on page18 in following link.

Another approach is to think about using RequestToUnlock() instead. This might walkaround the hurdle.

http://www.uefi.org/sites/default/files ... %20SMM.pdf

matt.huang
Enthusiast
Posts: 30
Joined: Fri Apr 20, 2018 12:06 pm

Re: Read-only variable

Post by matt.huang » Fri Apr 20, 2018 12:21 pm

The way EDK2 and its vendors years before handles the variables was extremely unsafe, you can just hack the whole thing using user mode scripts, I cringed just by looking at the code. Now every silicon vendor binds their logic to make it safer (ME / PSP/ TPM / TCM or even BMCs), but still not safe enough, you can still make it through with a little bit grub knowledge, repository based data structure is always unsafe. The point is how you use it.

And don't forget we have dynamic PCDs which is abused by careless developers even more, a threat in the near future I might say.

Post Reply