Intel STM/PPAM support #132
Comments
coreboot supports the STM which is a useful mechanism to run SMI handlers in a virtual machine. Enabling this feature could help protect against runtime SMM vulnerabilities. Note: I work at Intel and previously worked on the STM project but am now working in other areas.
@bdelgado1995 yes, we know about STM and even met the creator of the code a couple of times. He was interested in our work related to the TrenchBoot project. AFAIK STM is a hardware-specific feature and was tested only on Skylake. I guess it is not just enabling that feature and it works, since it is highly hardware dependent. @miczyg1 please correct me if I'm wrong. Also STM is probably a way more complex concept than PPAM IIUC.
It is not that much hardware dependent... Although some glue would be needed to support different microarchitectures. STM is also typically paired with TXT. Secondly, any OS you would like to run on an STM-enabled machine needs to know that STM is out there. Because of those two reasons STM did not see wide adoption. Also STM introduces a performance penalty. STM/PPAM makes a lot of sense with proprietary BIOSes, where SMM is an unknown black hole. With coreboot we have fully open and auditable SMM code, where STM would not add that much more security (except protection from existing not-yet-discovered vulnerabilities).
Good points. There are some community-written STM launchers for Xen and Linux. For performance, there is some performance impact when there is an SMI. Some systems can go a long period of time without SMIs, in which case there is no perf impact, and others have SMIs a few times a second, so each SMI would take a little longer. Linking to a paper our team wrote that gives some coverage of this. I agree it makes sense to consider the particular SMI handlers in use and make a determination about ROI.
As explained by @bdelgado1995 during vPub, we would have to talk with an Intel business rep to understand how PPAM can be integrated by ISV/IBV/OSFV. It may not be that easy, so we should more likely focus on STM integration. So the question is whether we open a new issue or agree it is part of this issue? We should place STM support on the roadmap of Dasharo releases and consider it to be presented at DUG#2.
Added STM as an alternative to the description
If you would like to talk with an Intel business rep on the Intel System Resources Defense/PPAM, I can do some checking and see who could provide more info. Happy to try to get more info so you can get a sense of all of the options.
@bdelgado1995, could you please set up a call for the TrenchBoot Committee (Daniel P. Smith - Apertus Solutions, Rich Persaud - OpenXT, Ross Philipson - Oracle, and me)?
Yes. I'll do some checking. May take a little time to find the right contact, will update when I have info.
Building - Z690A - STM - 2024.md I have put together an experimental setup guide for the STM build/load/launch in the Markdown file. I have also attached the .config file used (called savedStmConfig.txt). It would be excellent if the Dasharo devs could try this out and also streamline the installation. If there are tweaks/suggestions/questions for the guide, feel free to let me know and I can update it accordingly.
@BeataZdunczyk @macpijan, please let me know what budget will be needed here to consider this feature.
@BeataZdunczyk @macpijan I would appreciate your attention here. @filipleple, maybe it makes sense to add this for Dell OptiPlex's upcoming release?
The problem you're addressing (if any)
Currently Dasharo firmware does not support Intel PPAM.
Describe the solution you'd like
Implement PPAM support.
Where is the value to a user, and who might that user be?
Better security, DRTM compatibility for Microsoft Secured Core PC.
Describe alternatives you've considered
Integrate STM instead of PPAM
Additional context
None