dasharo-issues

Intel STM/PPAM support

Open miczyg1 opened this issue 3 years ago • 13 comments

The problem you're addressing (if any): Currently Dasharo firmware does not support Intel PPAM.

Describe the solution you'd like: Implement PPAM support.

Where is the value to a user, and who might that user be? Better security, DRTM compatibility for Microsoft Secured Core PC.

Describe alternatives you've considered: Integrate STM instead of PPAM

Additional context: None

miczyg1 • Jun 08 '22 14:06

coreboot supports the STM which is a useful mechanism to run SMI handlers in a virtual machine. Enabling this feature could help protect against runtime SMM vulnerabilities.

Note: I work at Intel and previously worked on the STM project but am now working in other areas.

bdelgado1995 • Dec 09 '22 22:12

@bdelgado1995 yes, we know about STM and even met the creator of the code a couple of times. He was interested in our work related to the TrenchBoot project. AFAIK STM is a hardware-specific feature and was tested only on Skylake. I guess it is not just a matter of enabling that feature and it works since it is highly hardware dependent. @miczyg1 please correct me if I'm wrong. Also, STM is probably a way more complex concept than PPAM, IIUC.

pietrushnic • Dec 11 '22 20:12

> I guess it is not just a matter of enabling that feature and it works since it is highly hardware dependent

It is not that much hardware dependent... Although some glue would be needed to support different microarchitectures. STM is also typically paired with TXT.

Secondly, any OS you would like to run on an STM-enabled machine needs to know that STM is out there. Thirdly, any OS you would like to run on an STM-enabled machine must have some interface to STM implemented.

Because of those two reasons STM did not meet wide adoption. Also STM introduces a performance penalty.

STM/PPAM makes a lot of sense with proprietary BIOSes, where SMM is an unknown black hole. With coreboot we have fully open and auditable SMM code where STM would not add that much more security (except protection from existing not-yet-discovered vulnerabilities).

miczyg1 • Dec 12 '22 10:12

Good points.

There are some community-written STM launchers for Xen and Linux.

For performance, there is some performance impact when there is an SMI. Some systems can go a long period of time without SMIs in which case there is no perf impact and others have some a few times a second so each SMI would take a little longer. Linking to a paper our team wrote that gives some coverage of this.

I agree it makes sense to consider the particular SMI handlers in use and make a determination about ROI.

bdelgado1995 • Dec 12 '22 18:12
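The ROI point above depends on how often a given board actually takes SMIs. The following is an added example, not code from this thread or from coreboot, Dasharo or the STM project: it samples the Intel `MSR_SMI_COUNT` register (0x34, not named in the thread) through the Linux `msr` driver and turns the SMI rate into a rough added-time estimate. The per-SMI cost values are hypothetical inputs; the thread gives no figure.

```python
import os
import struct
import time

MSR_SMI_COUNT = 0x34        # Intel MSR: SMIs since reset, low 32 bits (assumption: Intel CPU)
COUNTER_MASK = 0xFFFFFFFF


def read_smi_count(cpu=0):
    """Read MSR_SMI_COUNT via /dev/cpu/N/msr (needs root and `modprobe msr`)."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        raw = os.pread(fd, 8, MSR_SMI_COUNT)   # the file offset selects the MSR
    finally:
        os.close(fd)
    return struct.unpack("<Q", raw)[0] & COUNTER_MASK


def smi_rate(count_start, count_end, seconds):
    """SMIs per second between two samples, tolerating 32-bit wraparound."""
    if seconds <= 0:
        raise ValueError("interval must be positive")
    return ((count_end - count_start) & COUNTER_MASK) / seconds


def added_time_fraction(rate_per_s, extra_us_per_smi):
    """Fraction of wall time added if every SMI takes extra_us_per_smi longer.
    extra_us_per_smi must be measured on the target; it is not given in the thread."""
    return rate_per_s * extra_us_per_smi / 1_000_000


def sample(interval_s=10.0, cpu=0):
    """Measure the SMI rate on one CPU over interval_s seconds."""
    start = read_smi_count(cpu)
    time.sleep(interval_s)
    return smi_rate(start, read_smi_count(cpu), interval_s)


if __name__ == "__main__":
    try:
        rate = sample()
    except OSError as exc:
        raise SystemExit(f"cannot read MSR (need root and the msr module): {exc}")
    print(f"{rate:.2f} SMI/s")
    for extra_us in (10, 100, 1000):           # hypothetical per-SMI costs, for scale only
        frac = added_time_fraction(rate, extra_us)
        print(f"  +{extra_us} us per SMI -> {frac:.4%} of wall time")
```

A board that shows a rate near zero over a long interval sits in the "no perf impact" case described above; one with several SMIs per second is where the per-SMI cost matters.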

> Good points.
>
> There are some community-written STM launchers for Xen and Linux.

Thank you for these pointers, these will definitely help with STM testing.

miczyg1 • Dec 14 '22 10:12

As explained by @bdelgado1995 during vPub, we would have to talk with an Intel business rep to understand how PPAM can be integrated by ISV/IBV/OSFV. It may not be that easy, so we should more likely focus on STM integration. So the question is whether we open a new issue or agree it is part of this issue?

We should place STM support on the roadmap of Dasharo releases and consider it to be presented on DUG#2.

pietrushnic • Mar 20 '23 09:03

Added STM as an alternative to the description

miczyg1 • Mar 20 '23 10:03

If you would like to talk with an Intel business rep on the Intel System Resources Defense/PPAM, I can do some checking and see who could provide more info. Happy to try to get more info so you can get a sense of all of the options.

bdelgado1995 • Mar 22 '23 16:03

@bdelgado1995, could you please set up a call for TrenchBoot Committee (Daniel P. Smith - Apertus Solutions, Rich Persaud - OpenXT, Ross Philipson - Oracle, and me)?

pietrushnic • Mar 22 '23 22:03

Yes. I'll do some checking. May take a little time to find the right contact, will update when I have info.

bdelgado1995 • Mar 22 '23 23:03

Building - Z690A - STM - 2024.md savedStmConfig.txt

I have put together an experimental setup guide for the STM build/load/launch in the Markdown file. I have also attached the .config file used (called savedStmConfig.txt).

It would be excellent if the Dasharo devs could try this out and also streamline the installation. For everyone else, please use at your own risk, this is experimental and you may need to recover your system with MSI FlashBack/hardware reflasher if things go awry.

If there are tweaks/suggestions/questions for the guide, feel free to let me know and I can update it accordingly.

bdelgado1995 • Apr 29 '24 21:04

@BeataZdunczyk @macpijan, please let me know what budget will be needed here to consider this feature.

pietrushnic • Apr 30 '24 09:04

@BeataZdunczyk @macpijan I would appreciate your attention here. @filipleple, maybe it makes sense to add this for Dell OptiPlex's upcoming release?

pietrushnic • Jul 30 '24 14:07