Latest revision as of 22:53, 26 January 2025

Improve edk2 security

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

Turn on a few security-related build time options to improve edk2 security.

Owner

Name: Gerd Hoffmann
Email: kraxel@redhat.com

Current status

Targeted release: Fedora Linux 42
Last updated: 2025-01-26
Announced
Discussion thread
FESCo issue: #3357
Tracker bug: <will be assigned by the Wrangler>
Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

Turn on strict NX checking

   PcdDxeNxMemoryProtectionPolicy = 0xC000000000007FD5
   PcdSetNxForStack               = TRUE
   PcdImageProtectionPolicy       = 0x03

This will partly enforce the NX requirements for secure boot binaries which are in place since 2022, see https://techcommunity.microsoft.com/blog/hardwaredevcenter/updated-uefi-signing-requirements/1062916

Unmap zero page

   PcdNullPointerDetectionPropertyMask = 0x03

This will catch NULL pointer dereferences.

edk2 documentation

Detailed description of these PCDs (aka edk2 config options) is here: https://github.com/tianocore/edk2/blob/master/MdeModulePkg/MdeModulePkg.dec

some background information

The big linux NX mess (https://www.kraxel.org/blog/2023/12/uefi-nx-linux-boot/) was finally sorted roughly one year ago, so linux kernels and boot loaders released in 2024 should work without any problems with the new firmware builds. Given we had security updates due to a bug in shim versions older than 15.8 all linux distros which are supplied with (security) updates still should have package updates released for shim + grub in 2024. So fully updated linux installs should continue to work fine even with the NX bar raised. Same applies to fully updated windows installs.

The changes will be applied to the edk2 builds which have secure boot support enabled. Using secure boot on a system which is not fully updated is not very useful from a security point of view.

Trying to run outdated boot loaders which are not NX clean might lead to page faults like this:

 !!!! X64 Exception Type - 0E(#PF - Page-Fault)  CPU Apic ID - 00000000 !!!!

backward compatibility

The edk2 builds without secure boot support will NOT be changed and will continue to use the less strict configuration which is used in fedora 41 and older for better compatibility with old guests. So if there is a need to run outdated guests this is possible by picking these firmware builds. The libvirt xml for this is:

 <os firmware='efi'>
   <type arch='x86_64' machine='q35'>hvm</type>
   <firmware>
     <feature enabled='no' name='secure-boot'/>
   </firmware>
 </os>

Feedback

Benefit to Fedora

Improves security of UEFI virtual machines.

Scope

Proposal owners:
- Update edk2 build configuration accordingly.

Other developers:

Release engineering: #Releng issue number

Policies and guidelines: N/A (not needed for this Change)

Trademark approval: N/A (not needed for this Change)

Alignment with the Fedora Strategy:

Upgrade/compatibility impact

For the most part this should be an unnoticed change.

Running outdated guests might require a VM config update, see https://fedoraproject.org/wiki/Changes/Edk2Security#backward_compatibility

Early Testing (Optional)

Do you require 'QA Blueprint' support? Y/N

How To Test

Test builds are available from https://copr.fedorainfracloud.org/coprs/kraxel/edk2.testbuilds/

User Experience

Dependencies

Contingency Plan

Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
Contingency deadline: N/A (not a System Wide Change)
Blocks release? N/A (not a System Wide Change), Yes/No

Documentation

N/A (not a System Wide Change)

Release Notes

@@ Line 1: / Line 1: @@
-{{admon/important | Comments and Explanations | The page source contains comments providing guidance to fill out each section. They are invisible when viewing this page. To read it, choose the "view source" link.<br/> '''Copy the source to a ''new page'' before making changes!  DO NOT EDIT THIS TEMPLATE FOR YOUR CHANGE PROPOSAL.'''}}
-{{admon/tip | Guidance | For details on how to fill out this form, see the [https://docs.fedoraproject.org/en-US/program_management/changes_guide/ documentation].}}
-{{admon/tip | Report issues | To report an issue with this template, file an issue in the [https://pagure.io/fedora-pgm/pgm_docs pgm_docs repo].}}
-<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->
 = Improve edk2 security <!-- The name of your change proposal --> =
@@ Line 19: / Line 11: @@
 This should link to your home wiki page so we know who you are.
 -->
-* Name: [[User:FASAccountName| Your Name]]
+* Name: [[User:kraxel| Gerd Hoffmann]]
 <!-- Include you email address that you can be reached should people want to contact you about helping with your change, status is requested, or technical issues need to be resolved. If the change proposal is owned by a SIG, please also add a primary contact person. -->
-* Email: <your email address so we can contact you, invite you to meetings, etc. Please provide your Bugzilla email address if it is different from your email in FAS>
+* Email: kraxel@redhat.com
 <!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
 * FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address>
 -->
 == Current status ==
-[[Category:ChangePageIncomplete]]
+[[Category:ChangeReadyForFesco]]
 <!-- When your change proposal page is completed and ready for review and announcement -->
 <!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
@@ Line 38: / Line 29: @@
 <!-- [[Category:SystemWideChange]] -->
-* Targeted release: [https://docs.fedoraproject.org/en-US/releases/f<VERSION>/ Fedora Linux <VERSION>]
+* Targeted release: [https://docs.fedoraproject.org/en-US/releases/f42/ Fedora Linux 42]
 * Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}
 <!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page
@@ Line 46: / Line 37: @@
 ON_QA -> change is fully code complete
 -->
-* [<link to devel-announce post will be added by Wrangler> Announced]
+* [https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org/thread/34RLLLEJOL6DNQHNQSWNAYFW447DF5QA/ Announced]
-* [<will be assigned by the Wrangler> Discussion thread]
+* [https://discussion.fedoraproject.org/t/f42-change-proposal-improve-edk2-security-self-contained/142517 Discussion thread]
-* FESCo issue: <will be assigned by the Wrangler>
+* FESCo issue: [https://pagure.io/fesco/issue/3357 #3357]
 * Tracker bug: <will be assigned by the Wrangler>
 * Release notes tracker: <will be assigned by the Wrangler>
 == Detailed Description ==
-<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
+=== Turn on strict NX checking ===
+    PcdDxeNxMemoryProtectionPolicy = 0xC000000000007FD5
+    PcdSetNxForStack               = TRUE
+    PcdImageProtectionPolicy       = 0x03
+This will partly enforce the NX requirements for secure boot binaries which are in place since 2022, see
+https://techcommunity.microsoft.com/blog/hardwaredevcenter/updated-uefi-signing-requirements/1062916
+=== Unmap zero page ===
+    PcdNullPointerDetectionPropertyMask = 0x03
+This will catch NULL pointer dereferences.
+=== edk2 documentation ===
+Detailed description of these PCDs (aka edk2 config options) is here: https://github.com/tianocore/edk2/blob/master/MdeModulePkg/MdeModulePkg.dec
+=== some background information ===
+The big linux NX mess (https://www.kraxel.org/blog/2023/12/uefi-nx-linux-boot/) was finally sorted roughly one year ago, so linux kernels and boot loaders released in 2024 should work without any problems with the new firmware builds.  Given we had security updates due to a bug in shim versions older than 15.8 all linux distros which are supplied with (security) updates still should have package updates released for shim + grub in 2024.  So fully updated linux installs should continue to work fine even with the NX bar raised.  Same applies to fully updated windows installs.
+The changes will be applied to the edk2 builds which have secure boot support enabled.  Using secure boot on a system which is not fully updated is not very useful from a security point of view.
+Trying to run outdated boot loaders which are not NX clean might lead to page faults like this:
+  !!!! X64 Exception Type - 0E(#PF - Page-Fault)  CPU Apic ID - 00000000 !!!!
+=== backward compatibility ===
+The edk2 builds without secure boot support will NOT be changed and will continue to use the less strict configuration which is used in fedora 41 and older for better compatibility with old guests.  So if there is a need to run outdated guests this is possible by picking these firmware builds.  The libvirt xml for this is:
+  <os firmware='efi'>
+    <type arch='x86_64' machine='q35'>hvm</type>
+    <firmware>
+      <feature enabled='no' name='secure-boot'/>
+    </firmware>
+  </os>
 == Feedback ==
@@ Line 59: / Line 89: @@
 == Benefit to Fedora ==
+Improves security of UEFI virtual machines.
 <!-- What is the benefit to the distribution?  Will the software we generate be improved? How will the process of creating Fedora releases be improved?
@@ Line 89: / Line 120: @@
 == Scope ==
 * Proposal owners:
+** Update edk2 build configuration accordingly.
 <!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
@@ Line 108: / Line 140: @@
 == Upgrade/compatibility impact ==
-<!-- What happens to systems that have had a previous versions of Fedora installed and are updated to the version containing this change? Will anything require manual configuration or data migration? Will any existing functionality be no longer supported? -->
+For the most part this should be an unnoticed change.
-<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
+Running outdated guests might require a VM config update, see
+https://fedoraproject.org/wiki/Changes/Edk2Security#backward_compatibility
 == Early Testing (Optional) ==
@@ Line 118: / Line 151: @@
 == How To Test ==
-<!-- This does not need to be a full-fledged document. Describe the dimensions of tests that this change implementation is expected to pass when it is done.  This can be based off of the above section if early testing has been completed. If it needs to be tested with different hardware or software configurations, indicate them.  The more specific you can be, the better the community testing can be.
+Test builds are available from https://copr.fedorainfracloud.org/coprs/kraxel/edk2.testbuilds/
-Remember that you are writing this how to for interested testers to use to check out your change implementation - documenting what you do for testing is OK, but it's much better to document what *I* can do to test your change.
-A good "how to test" should answer these four questions:
-. What special hardware / data / etc. is needed (if any)?
-. How do I prepare my system to test this change? What packages
-need to be installed, config files edited, etc.?
-. What specific actions do I perform to check that the change is
-working like it's supposed to?
-. What are the expected results of those actions?
--->
-<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 == User Experience ==

Search

Changes/Edk2Security: Difference between revisions