From Fedora Project Wiki
(Submitting Change to FESCo)
 
(15 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{admon/important | Comments and Explanations | The page source contains comments providing guidance to fill out each section. They are invisible when viewing this page. To read it, choose the "view source" link.<br/> '''Copy the source to a ''new page'' before making changes!  DO NOT EDIT THIS TEMPLATE FOR YOUR CHANGE PROPOSAL.'''}}
{{admon/tip | Guidance | For details on how to fill out this form, see the [https://docs.fedoraproject.org/en-US/program_management/changes_guide/ documentation].}}
{{admon/tip | Report issues | To report an issue with this template, file an issue in the [https://pagure.io/fedora-pgm/pgm_docs pgm_docs repo].}}
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->
= Improve edk2 security <!-- The name of your change proposal --> =
= Improve edk2 security <!-- The name of your change proposal --> =


Line 27: Line 19:


== Current status ==
== Current status ==
[[Category:ChangePageIncomplete]]
[[Category:ChangeReadyForFesco]]
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
Line 45: Line 37:
ON_QA -> change is fully code complete
ON_QA -> change is fully code complete
-->
-->
* [<link to devel-announce post will be added by Wrangler> Announced]
* [https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org/thread/34RLLLEJOL6DNQHNQSWNAYFW447DF5QA/ Announced]
* [<will be assigned by the Wrangler> Discussion thread]
* [https://discussion.fedoraproject.org/t/f42-change-proposal-improve-edk2-security-self-contained/142517 Discussion thread]
* FESCo issue: <will be assigned by the Wrangler>
* FESCo issue: [https://pagure.io/fesco/issue/3357 #3357]
* Tracker bug: <will be assigned by the Wrangler>
* Tracker bug: <will be assigned by the Wrangler>
* Release notes tracker: <will be assigned by the Wrangler>
* Release notes tracker: <will be assigned by the Wrangler>
Line 66: Line 58:
     PcdNullPointerDetectionPropertyMask = 0x03
     PcdNullPointerDetectionPropertyMask = 0x03


This will also catch NULL pointer dereferences.
This will catch NULL pointer dereferences.


=== edk2 documentation ===
=== edk2 documentation ===
Line 76: Line 68:
The big linux NX mess (https://www.kraxel.org/blog/2023/12/uefi-nx-linux-boot/) was finally sorted roughly one year ago, so linux kernels and boot loaders released in 2024 should work without any problems with the new firmware builds.  Given we had security updates due to a bug in shim versions older than 15.8 all linux distros which are supplied with (security) updates still should have package updates released for shim + grub in 2024.  So fully updated linux installs should continue to work fine even with the NX bar raised.  Same applies to fully updated windows installs.
The big linux NX mess (https://www.kraxel.org/blog/2023/12/uefi-nx-linux-boot/) was finally sorted roughly one year ago, so linux kernels and boot loaders released in 2024 should work without any problems with the new firmware builds.  Given we had security updates due to a bug in shim versions older than 15.8 all linux distros which are supplied with (security) updates still should have package updates released for shim + grub in 2024.  So fully updated linux installs should continue to work fine even with the NX bar raised.  Same applies to fully updated windows installs.


The changes will be applied to the edk2 builds which have secure boot support turned on, using secure boot on a system which is not fully updated is not very useful from a security point of view.
The changes will be applied to the edk2 builds which have secure boot support enabled.  Using secure boot on a system which is not fully updated is not very useful from a security point of view.


=== compatibility ===
Trying to run outdated boot loaders which are not NX clean might lead to page faults like this:


The edk2 builds without secure boot support will NOT be changed and will continue to use the less strict configuration for better compatibility with old guests.  So if there is a need to run outdated guests this is possible by picking these firmware builds.  The libvirt xml for this is:
  !!!! X64 Exception Type - 0E(#PF - Page-Fault)  CPU Apic ID - 00000000 !!!!
 
=== backward compatibility ===
 
The edk2 builds without secure boot support will NOT be changed and will continue to use the less strict configuration which is used in fedora 41 and older for better compatibility with old guests.  So if there is a need to run outdated guests this is possible by picking these firmware builds.  The libvirt xml for this is:


   <os firmware='efi'>
   <os firmware='efi'>
Line 93: Line 89:


== Benefit to Fedora ==
== Benefit to Fedora ==
Improves security of UEFI virtual machines.
<!-- What is the benefit to the distribution?  Will the software we generate be improved? How will the process of creating Fedora releases be improved?
<!-- What is the benefit to the distribution?  Will the software we generate be improved? How will the process of creating Fedora releases be improved?
    
    
Line 123: Line 120:
== Scope ==
== Scope ==
* Proposal owners:
* Proposal owners:
** Update edk2 build configuration accordingly.
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->


Line 142: Line 140:


== Upgrade/compatibility impact ==
== Upgrade/compatibility impact ==
<!-- What happens to systems that have had a previous versions of Fedora installed and are updated to the version containing this change? Will anything require manual configuration or data migration? Will any existing functionality be no longer supported? -->
For the most part this should be an unnoticed change.


<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
Running outdated guests might require a VM config update, see
https://fedoraproject.org/wiki/Changes/Edk2Security#backward_compatibility


== Early Testing (Optional) ==
== Early Testing (Optional) ==
Line 152: Line 151:


== How To Test ==
== How To Test ==
<!-- This does not need to be a full-fledged document. Describe the dimensions of tests that this change implementation is expected to pass when it is done.  This can be based off of the above section if early testing has been completed. If it needs to be tested with different hardware or software configurations, indicate them.  The more specific you can be, the better the community testing can be.
Test builds are available from https://copr.fedorainfracloud.org/coprs/kraxel/edk2.testbuilds/
 
Remember that you are writing this how to for interested testers to use to check out your change implementation - documenting what you do for testing is OK, but it's much better to document what *I* can do to test your change.
 
A good "how to test" should answer these four questions:
 
0. What special hardware / data / etc. is needed (if any)?
1. How do I prepare my system to test this change? What packages
need to be installed, config files edited, etc.?
2. What specific actions do I perform to check that the change is
working like it's supposed to?
3. What are the expected results of those actions?
-->
 
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->


== User Experience ==
== User Experience ==

Latest revision as of 22:53, 26 January 2025

Improve edk2 security

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

Turn on a few security-related build time options to improve edk2 security.

Owner

Current status

Detailed Description

Turn on strict NX checking

   PcdDxeNxMemoryProtectionPolicy = 0xC000000000007FD5
   PcdSetNxForStack               = TRUE
   PcdImageProtectionPolicy       = 0x03

This will partly enforce the NX requirements for secure boot binaries which are in place since 2022, see https://techcommunity.microsoft.com/blog/hardwaredevcenter/updated-uefi-signing-requirements/1062916

Unmap zero page

   PcdNullPointerDetectionPropertyMask = 0x03

This will catch NULL pointer dereferences.

edk2 documentation

Detailed description of these PCDs (aka edk2 config options) is here: https://github.com/tianocore/edk2/blob/master/MdeModulePkg/MdeModulePkg.dec

some background information

The big linux NX mess (https://www.kraxel.org/blog/2023/12/uefi-nx-linux-boot/) was finally sorted roughly one year ago, so linux kernels and boot loaders released in 2024 should work without any problems with the new firmware builds. Given we had security updates due to a bug in shim versions older than 15.8 all linux distros which are supplied with (security) updates still should have package updates released for shim + grub in 2024. So fully updated linux installs should continue to work fine even with the NX bar raised. Same applies to fully updated windows installs.

The changes will be applied to the edk2 builds which have secure boot support enabled. Using secure boot on a system which is not fully updated is not very useful from a security point of view.

Trying to run outdated boot loaders which are not NX clean might lead to page faults like this:

 !!!! X64 Exception Type - 0E(#PF - Page-Fault)  CPU Apic ID - 00000000 !!!!

backward compatibility

The edk2 builds without secure boot support will NOT be changed and will continue to use the less strict configuration which is used in fedora 41 and older for better compatibility with old guests. So if there is a need to run outdated guests this is possible by picking these firmware builds. The libvirt xml for this is:

 <os firmware='efi'>
   <type arch='x86_64' machine='q35'>hvm</type>
   <firmware>
     <feature enabled='no' name='secure-boot'/>
   </firmware>
 </os>

Feedback

Benefit to Fedora

Improves security of UEFI virtual machines.

Scope

  • Proposal owners:
    • Update edk2 build configuration accordingly.
  • Other developers:
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with the Fedora Strategy:

Upgrade/compatibility impact

For the most part this should be an unnoticed change.

Running outdated guests might require a VM config update, see https://fedoraproject.org/wiki/Changes/Edk2Security#backward_compatibility

Early Testing (Optional)

Do you require 'QA Blueprint' support? Y/N

How To Test

Test builds are available from https://copr.fedorainfracloud.org/coprs/kraxel/edk2.testbuilds/

User Experience

Dependencies

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No


Documentation

N/A (not a System Wide Change)

Release Notes