[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] docs: UEFI Secure Boot security policy

To: Demi Marie Obenour <demiobenour@xxxxxxxxx>
From: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
Date: Thu, 12 Jun 2025 22:29:12 +0200
Cc: Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, Trammell Hudson <hudson@xxxxxxxx>, Ross Lagerwall <ross.lagerwall@xxxxxxxxx>, Frediano Ziglio <frediano.ziglio@xxxxxxxxx>, Gerald Elder-Vass <gerald.elder-vass@xxxxxxxxx>, Kevin Lampis <kevin.lampis@xxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
Delivery-date: Thu, 12 Jun 2025 20:29:38 +0000
Feedback-id: i1568416f:Fastmail
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Thu, Jun 12, 2025 at 11:22:39AM -0400, Demi Marie Obenour wrote:
> On 6/12/25 06:06, Jan Beulich wrote:
> > On 12.06.2025 01:58, Andrew Cooper wrote:
> >> 2) Pre-boot DMA Protection.  Microsoft consider this a platform feature
> >> requiring OEM enablement, and do not consider its absence to be a Secure 
> >> Boot
> >> vulnerability.  But, it is less clear what the policy ought to be for Xen
> >> booting on a capable system and failing to do a correct live-handover of 
> >> the
> >> IOMMU across ExitBootServices().
> > 
> > Shouldn't this be another TODO item at the bottom? We don't support yet 
> > taking
> > over when the IOMMUs are already enabled, do we?
> 
> Dasharo supports leaving the IOMMU enabled when transferring to the OS, and
> this message was sent from a Qubes OS box booted in this configuration.

"Not explode" doesn't mean it "works" or is "supported". For example
there is no guarantee that IOMMU don't get disabled in the process
opening a window for an attack. (and I do know this issue is the case)

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

Attachment: signature.asc
Description: PGP signature

References:
- [PATCH] docs: UEFI Secure Boot security policy
  - From: Andrew Cooper
- Re: [PATCH] docs: UEFI Secure Boot security policy
  - From: Jan Beulich
- Re: [PATCH] docs: UEFI Secure Boot security policy
  - From: Demi Marie Obenour

Prev by Date: Re: [PATCH] x86: Fix build warnings about export.h
Next by Date: Re: [PATCH 2/4] xsm/silo: Support hwdom/control domains
Previous by thread: Re: [PATCH] docs: UEFI Secure Boot security policy
Next by thread: Re: [PATCH] docs: UEFI Secure Boot security policy
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.