
Read-only variable

Posted: Wed Apr 04, 2018 2:14 pm
by ChuckD
Intel mentioned the following about mitigating UEFI attacks at the 2018 spring UEFI Plugfest.
To me, it seems this is way too heavy and too many rules for developers to follow... your opinion?
[attached image: 0.jpeg]

Re: Read-only variable

Posted: Wed Apr 04, 2018 2:33 pm
by BobJC
Agree. Imagine those junior developers in ODMs who have full control of the BIOS code; who the hell knows what kind of vulnerabilities will be planted in the flash ROM. :oops:

Re: Read-only variable

Posted: Sun Apr 08, 2018 2:20 pm
by james.r
Agree, the implementation of the mechanism is not that complicated, but educating developers and ensuring they follow it correctly is almost mission impossible.

Re: Read-only variable

Posted: Wed Apr 11, 2018 11:18 pm
by future
It is not a good idea to lock all the variables in the DXE phase; some still need to be updated in BDS.

Re: Read-only variable

Posted: Mon Apr 16, 2018 11:11 pm
by thops
The UEFI spec already has provisions for making a variable inaccessible after BDS, just don't use the EFI_VARIABLE_RUNTIME_ACCESS attribute.
This functionality is specifically about protecting a variable from 3rd party code that is run during (or after) BDS.
If your variable needs BDS write access, don't do anything differently. Nothing is "locking all variables".

Regarding the concept of complexity and junior devs at an ODM, I would hope that most organizations employ some form of code review.
Furthermore, I would hope that ODM features are designed with security concepts in mind.
Do we need to modify this variable outside of this code? If not, lock the variable.
There is nothing too complicated, all you need to do to protect a variable is call requestToLock() after you are done modifying your variable.
Everything else is done by the variable services code.
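The sequence thops describes, written out as an added model in C. This is not EDK2's variable services code and not code from any poster; it is a constructed in-memory store that mirrors the semantics of EDK2's EDKII_VARIABLE_LOCK_PROTOCOL.RequestToLock() (accepted before EndOfDxe, read-only after leaving DXE, writes then failing with EFI_WRITE_PROTECTED) and of the EFI_VARIABLE_RUNTIME_ACCESS attribute (a variable without it is not visible after ExitBootServices). It also covers future's point above: a variable never submitted to RequestToLock() stays writable in BDS. The variable name PlatformSecureConfig, the ReadFirstByte() helper and the single-byte payloads are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* UEFI status values: the spec's numeric codes without the high error bit. */
typedef uint32_t EFI_STATUS;
#define EFI_SUCCESS           0u
#define EFI_INVALID_PARAMETER 2u
#define EFI_BUFFER_TOO_SMALL  5u
#define EFI_WRITE_PROTECTED   8u
#define EFI_OUT_OF_RESOURCES  9u
#define EFI_NOT_FOUND         14u
#define EFI_ACCESS_DENIED     15u

/* Variable attribute bits as defined by the UEFI specification. */
#define EFI_VARIABLE_NON_VOLATILE       0x1u
#define EFI_VARIABLE_BOOTSERVICE_ACCESS 0x2u
#define EFI_VARIABLE_RUNTIME_ACCESS     0x4u

#define MAX_VARS 8
#define NAME_LEN 32
#define MAX_DATA 64

typedef struct {
  bool     used;
  char     name[NAME_LEN];
  uint32_t attributes;
  uint8_t  data[MAX_DATA];
  size_t   size;
} VARIABLE_ENTRY;

static VARIABLE_ENTRY gStore[MAX_VARS];     /* constructed in-memory variable store */
static char gLocked[MAX_VARS][NAME_LEN];     /* names handed to RequestToLock() */
static int  gLockedCount;
static bool gEndOfDxe;    /* set when the EndOfDxe event is signalled */
static bool gAtRuntime;   /* set when ExitBootServices() is called */

static VARIABLE_ENTRY *FindVariable(const char *name) {
  for (int i = 0; i < MAX_VARS; i++)
    if (gStore[i].used && strcmp(gStore[i].name, name) == 0) return &gStore[i];
  return NULL;
}

static bool IsLocked(const char *name) {
  for (int i = 0; i < gLockedCount; i++)
    if (strcmp(gLocked[i], name) == 0) return true;
  return false;
}

/* Model of EDKII_VARIABLE_LOCK_PROTOCOL.RequestToLock(): accepted only before
   EndOfDxe; the named variable becomes read-only once DXE is left. */
EFI_STATUS RequestToLock(const char *name) {
  if (gEndOfDxe) return EFI_ACCESS_DENIED;
  if (gLockedCount == MAX_VARS || strlen(name) >= NAME_LEN) return EFI_OUT_OF_RESOURCES;
  strcpy(gLocked[gLockedCount++], name);
  return EFI_SUCCESS;
}

EFI_STATUS SetVariable(const char *name, uint32_t attributes, const void *data, size_t size) {
  if (size > MAX_DATA || strlen(name) >= NAME_LEN) return EFI_INVALID_PARAMETER;
  if (gEndOfDxe && IsLocked(name)) return EFI_WRITE_PROTECTED;  /* the lock in effect */
  VARIABLE_ENTRY *v = FindVariable(name);
  if (v == NULL) {                       /* create a new entry in a free slot */
    for (int i = 0; i < MAX_VARS && v == NULL; i++)
      if (!gStore[i].used) v = &gStore[i];
    if (v == NULL) return EFI_OUT_OF_RESOURCES;
    v->used = true;
    strcpy(v->name, name);
  }
  v->attributes = attributes;
  memcpy(v->data, data, size);
  v->size = size;
  return EFI_SUCCESS;
}

/* Without EFI_VARIABLE_RUNTIME_ACCESS the variable is invisible once the OS
   runs: the lookup fails exactly as for a variable that never existed. */
EFI_STATUS GetVariable(const char *name, void *data, size_t *size) {
  VARIABLE_ENTRY *v = FindVariable(name);
  if (v == NULL) return EFI_NOT_FOUND;
  if (gAtRuntime && !(v->attributes & EFI_VARIABLE_RUNTIME_ACCESS)) return EFI_NOT_FOUND;
  if (*size < v->size) { *size = v->size; return EFI_BUFFER_TOO_SMALL; }
  memcpy(data, v->data, v->size);
  *size = v->size;
  return EFI_SUCCESS;
}

void SignalEndOfDxe(void)   { gEndOfDxe = true; }
void ExitBootServices(void) { gAtRuntime = true; }

/* Constructed helper: first data byte of a variable, or -1 if it cannot be read. */
int ReadFirstByte(const char *name) {
  uint8_t buf[MAX_DATA]; size_t n = sizeof buf;
  if (GetVariable(name, buf, &n) != EFI_SUCCESS || n == 0) return -1;
  return buf[0];
}

int main(void) {
  uint32_t bs = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS;
  SetVariable("PlatformSecureConfig", bs, (uint8_t[]){1}, 1);  /* owning DXE driver writes */
  RequestToLock("PlatformSecureConfig");                       /* ...then locks it */
  SignalEndOfDxe();
  printf("BDS write to locked variable: %s\n",
         SetVariable("PlatformSecureConfig", bs, (uint8_t[]){0}, 1) == EFI_WRITE_PROTECTED
           ? "EFI_WRITE_PROTECTED" : "allowed");
  ExitBootServices();
  printf("runtime read of boot-service-only variable: %s\n",
         ReadFirstByte("PlatformSecureConfig") < 0 ? "EFI_NOT_FOUND" : "visible");
  return 0;
}
```

The owning driver keeps write access right up to EndOfDxe, so it can finish its updates before the lock bites; anything running afterwards, whether BDS, an option ROM or a boot loader, gets EFI_WRITE_PROTECTED for that name and nothing else changes for variables that were never locked.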

Re: Read-only variable

Posted: Tue Apr 17, 2018 12:56 am
by armstrong
We should never rely on ODMs/OEMs to make sure they are following best practice. You can see how desperate the author is while he is yelling at ODMs/OEMs on page 18 in the following link.

Another approach is to think about using RequestToUnlock() instead. This might work around the hurdle.

http://www.uefi.org/sites/default/files ... %20SMM.pdf

Re: Read-only variable

Posted: Fri Apr 20, 2018 12:21 pm
by matt.huang
The way EDK2 and its vendors handled the variables years before was extremely unsafe; you could just hack the whole thing using user-mode scripts, and I cringed just by looking at the code. Now every silicon vendor binds their logic to make it safer (ME / PSP / TPM / TCM or even BMCs), but it is still not safe enough: you can still make it through with a little bit of GRUB knowledge, and a repository-based data structure is always unsafe. The point is how you use it.

And don't forget we have dynamic PCDs, which are abused by careless developers even more; a threat in the near future, I might say.