Intel STM/PPAM support #132

Open
miczyg1 opened this issue Jun 8, 2022 · 13 comments

@miczyg1
Contributor

miczyg1 commented Jun 8, 2022

The problem you're addressing (if any)
Currently Dasharo firmware does not support Intel PPAM.

Describe the solution you'd like
Implement PPAM support.

Where is the value to a user, and who might that user be?
Better security, DRTM compatibility for Microsoft Secured Core PC.

Describe alternatives you've considered
Integrate STM instead of PPAM

Additional context
None

@miczyg1 miczyg1 added the enhancement New feature or request label Jun 9, 2022
@bdelgado1995

bdelgado1995 commented Dec 9, 2022

coreboot supports the STM which is a useful mechanism to run SMI handlers in a virtual machine. Enabling this feature could help protect against runtime SMM vulnerabilities.

Note: I work at Intel and previously worked on the STM project but am now working in other areas.

@pietrushnic

@bdelgado1995 yes, we know about STM and even met the creator of the code a couple of times. He was interested in our work related to the TrenchBoot project. AFAIK STM is a hardware-specific feature and was tested only on Skylake. I guess it is not just a matter of enabling that feature and it works, since it is highly hardware dependent. @miczyg1 please correct me if I'm wrong. Also STM is probably a way more complex concept than PPAM IIUC.

@miczyg1
Contributor Author

miczyg1 commented Dec 12, 2022

> I guess it is not just a matter of enabling that feature and it works, since it is highly hardware dependent

It is not that much hardware dependent... Although some glue would be needed to support different microarchitectures. STM is also typically paired with TXT.

Secondly, any OS you would like to run on an STM-enabled machine needs to know that STM is out there.
Thirdly, any OS you would like to run on an STM-enabled machine must have some interface to STM implemented.

For those two reasons STM did not meet wide adoption. Also STM introduces a performance penalty.

STM/PPAM makes a lot of sense with proprietary BIOSes, where SMM is an unknown black hole. With coreboot we have fully open and auditable SMM code, where STM would not add that much more security (except protection from existing, not-yet-discovered vulnerabilities).

@bdelgado1995

Good points.

There are some community-written STM launchers for Xen and Linux.

For performance, there is some performance impact when there is an SMI. Some systems can go a long period of time without SMIs, in which case there is no perf impact, and others have them a few times a second, so each SMI would take a little longer. Linking to a paper our team wrote that gives some coverage of this.

I agree it makes sense to consider the particular SMI handlers in use and make a determination about ROI.
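Two practical checks follow from the points above: an OS first has to find out whether an STM is loaded at all (the "OS needs to know that STM is out there" point), and the cost of an STM is paid per SMI, so the SMI rate of the box decides the ROI. The program below is an added example, not code from this thread, from Dasharo or from coreboot's STM port. It decodes IA32_SMM_MONITOR_CTL (MSR 0x9B: bit 0 valid, bit 2 VMXOFF-does-not-unblock-SMI, bits 31:12 MSEG base) and the 32-byte architectural MSEG header, both as laid out in the Intel SDM's dual-monitor treatment chapter, and checks the header revision against IA32_VMX_MISC[63:32]. It assumes Linux with the `msr` module loaded (`/dev/cpu/N/msr`, root needed) for the live part and uses MSR_SMI_COUNT (0x34) to sample the SMI rate; the MSR value and MSEG bytes used as samples are constructed, and the STM specification's additional software header that follows the architectural one is not parsed here.

```c
/* Added example: decode IA32_SMM_MONITOR_CTL and the MSEG header an STM
 * lives behind, then optionally read the live MSRs on cpu0 via /dev/cpu/0/msr.
 * Layouts follow Intel SDM Vol. 3, "Dual-Monitor Treatment of SMIs and SMM".
 * All sample values are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

#define IA32_SMM_MONITOR_CTL 0x9BU   /* valid bit, VMXOFF control, MSEG base */
#define IA32_VMX_MISC        0x485U  /* bits 63:32: MSEG revision ID the CPU expects */
#define MSR_SMI_COUNT        0x34U   /* SMIs since reset (Nehalem and later) */

struct smm_monitor_ctl {
    int valid;               /* bit 0: dual-monitor treatment is enabled */
    int block_smi_on_vmxoff; /* bit 2: VMXOFF does not unblock SMIs */
    uint64_t mseg_base;      /* bits 31:12: 4 KiB-aligned physical base of MSEG */
};

/* Architectural MSEG header: eight little-endian 32-bit fields at MSEG+0. */
struct mseg_header {
    uint32_t revision_id;      /* compared against IA32_VMX_MISC[63:32] on VMCALL */
    uint32_t features;         /* bit 0: STM runs in IA-32e (64-bit) mode */
    uint32_t gdtr_limit;
    uint32_t gdtr_base_offset; /* offsets are relative to the MSEG base */
    uint32_t cs_selector;
    uint32_t eip_offset;
    uint32_t esp_offset;
    uint32_t cr3_offset;
};

struct smm_monitor_ctl decode_smm_monitor_ctl(uint64_t msr)
{
    struct smm_monitor_ctl c;
    c.valid = (int)(msr & 1U);
    c.block_smi_on_vmxoff = (int)((msr >> 2) & 1U);
    c.mseg_base = msr & 0xFFFFF000ULL;
    return c;
}

/* Parse a raw MSEG header; returns 0 if the buffer is too short. */
int parse_mseg_header(const uint8_t *buf, size_t len, struct mseg_header *out)
{
    if (buf == NULL || out == NULL || len < sizeof(*out))
        return 0;
    memcpy(out, buf, sizeof(*out)); /* x86 is little-endian, so a copy suffices */
    return 1;
}

/* 1 if this header carries the revision the CPU will accept. */
int mseg_revision_ok(const struct mseg_header *h, uint64_t vmx_misc)
{
    return h->revision_id == (uint32_t)(vmx_misc >> 32);
}

/* Read one MSR through the Linux msr driver (modprobe msr; root required). */
int read_msr(int cpu, uint32_t reg, uint64_t *val)
{
    char path[64];
    snprintf(path, sizeof(path), "/dev/cpu/%d/msr", cpu);
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = pread(fd, val, sizeof(*val), (off_t)reg);
    close(fd);
    return n == (ssize_t)sizeof(*val) ? 0 : -1;
}

/* Constructed MSEG header: revision 0, IA-32e feature, GDTR limit 0x1F,
 * GDTR at +0x1000, CS 0x08, EIP +0x2000, ESP +0x8000, CR3 +0x3000. */
const uint8_t sample_mseg[32] = {
    0x00, 0x00, 0x00, 0x00,  0x01, 0x00, 0x00, 0x00,
    0x1F, 0x00, 0x00, 0x00,  0x00, 0x10, 0x00, 0x00,
    0x08, 0x00, 0x00, 0x00,  0x00, 0x20, 0x00, 0x00,
    0x00, 0x80, 0x00, 0x00,  0x00, 0x30, 0x00, 0x00,
};

int main(void)
{
    struct smm_monitor_ctl c = decode_smm_monitor_ctl(0x7F000005ULL); /* constructed */
    struct mseg_header h;
    uint64_t ctl, misc, smi0, smi1;

    printf("sample MSR: valid=%d block_smi_on_vmxoff=%d mseg_base=0x%llx\n",
           c.valid, c.block_smi_on_vmxoff, (unsigned long long)c.mseg_base);
    if (parse_mseg_header(sample_mseg, sizeof(sample_mseg), &h))
        printf("sample MSEG: rev=%u ia32e=%u eip=+0x%x cr3=+0x%x rev_ok=%d\n",
               h.revision_id, h.features & 1U, h.eip_offset, h.cr3_offset,
               mseg_revision_ok(&h, 0));

    /* Live check: an STM is configured only if the valid bit is set. */
    if (read_msr(0, IA32_SMM_MONITOR_CTL, &ctl) == 0 &&
        read_msr(0, IA32_VMX_MISC, &misc) == 0) {
        c = decode_smm_monitor_ctl(ctl);
        printf("cpu0: STM %s, MSEG base 0x%llx, CPU expects MSEG rev %u\n",
               c.valid ? "configured" : "not configured",
               (unsigned long long)c.mseg_base, (uint32_t)(misc >> 32));
    } else {
        puts("live MSR read skipped (needs root and the msr module)");
    }

    /* SMI rate over one second: each SMI is where an STM adds latency. */
    if (read_msr(0, MSR_SMI_COUNT, &smi0) == 0) {
        sleep(1);
        if (read_msr(0, MSR_SMI_COUNT, &smi1) == 0)
            printf("cpu0: %llu SMIs in the last second\n",
                   (unsigned long long)(smi1 - smi0));
    }
    return 0;
}
```

Build with `gcc -O2 -o stmcheck stmcheck.c` and run as root after `modprobe msr`; without root it still decodes the constructed samples. A valid bit of 0 on a coreboot/Dasharo build simply means no STM was loaded into MSEG, which is the current state this issue is about.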

@miczyg1
Contributor Author

miczyg1 commented Dec 14, 2022

> Good points.

> There are some community-written STM launchers for Xen and Linux.

Thank you for these pointers, these will definitely help with STM testing.

@pietrushnic

As explained by @bdelgado1995 during vPub, we would have to talk with an Intel business rep to understand how PPAM can be integrated by ISV/IBV/OSFV. It may not be that easy, so we should more likely focus on STM integration. So the question is whether we open a new issue or agree it is part of this issue?

We should place STM support on the roadmap of Dasharo releases and consider it to be presented at DUG#2.

@miczyg1 miczyg1 changed the title Intel PPAM support Intel STM/PPAM support Mar 20, 2023
@miczyg1
Contributor Author

miczyg1 commented Mar 20, 2023

Added STM as an alternative to the description

@bdelgado1995

If you would like to talk with an Intel business rep on the Intel System Resources Defense/PPAM, I can do some checking and see who could provide more info. Happy to try to get more info so you can get a sense of all of the options.

@pietrushnic

@bdelgado1995, could you please set up a call for TrenchBoot Committee (Daniel P. Smith - Apertus Solutions, Rich Persaud - OpenXT, Ross Philipson - Oracle, and me)?

@bdelgado1995

Yes. I'll do some checking. May take a little time to find the right contact, will update when I have info.

@bdelgado1995

Building - Z690A - STM - 2024.md
savedStmConfig.txt

I have put together an experimental setup guide for the STM build/load/launch in the Markdown file. I have also attached the .config file used (called savedStmConfig.txt).

It would be excellent if the Dasharo devs could try this out and also streamline the installation.
For everyone else, please use at your own risk, this is experimental and you may need to recover your system with MSI FlashBack/hardware reflasher if things go awry.

If there are tweaks/suggestions/questions for the guide, feel free to let me know and I can update it accordingly.

@pietrushnic

@BeataZdunczyk @macpijan, please let me know what budget will be needed here to consider this feature.

@pietrushnic

@BeataZdunczyk @macpijan I would appreciate your attention here. @filipleple, maybe it makes sense to add this for Dell OptiPlex's upcoming release?
