Security Advisory
Search…
Security Advisory
1.0.0
Security Advisory
1. Insecure Default Secure Boot Policy for Option ROMs
2. Incorrect PKCS#1v1.5 Padding Verification for RSA Signature Check
3. UEFI Variable “Reinstallation”
4. Overwrite from Performance Data Variable
5. CommBuffer SMM Overwrite/Exposure
6. TOCTOU Issue with CommBuffer
7. SMRAM Overwrite in Fault Tolerant Write SMI Handler
8. SMRAM Overwrite in SmmVariableHandler
9. Integer/Heap Overflow in SetVariable
10. Heap Overflow in UpdateVariable
11. Overwrite from FirmwarePerformance Variable
12. Integer/Buffer Overflow in TpmDxe Driver
13. Protection of PhysicalPresence Variable
14. Boot Failure Related to UEFI Variable Usage
15. Buffer Overflows in Capsule Update
16. Boot Failure Related to TPM Measurements
17. Buffer Overflow in Variable Reclaim
18. Overflow in Processing of AuthVarKeyDatabase
19. Counter Based Authenticated Variable Issue
20. Honoring Memory Only Reset Control and correct MOR spec imlementation
21. TCG PP S4 issue
22. BIOS Password
23. OPAL driver has PP issue on BlockSid
24. OPAL driver has PSID issue
25. DHCP misses boundary check for network packet
26. SmmCore comm buffer check has TOCTOU issue
27. UEFI Variable Deletion/Corruption
28. EDK II Untested memory not covered by SMM page protection
29. Unauthenticated Firmware Chain-of-Trust Bypass
30. EDK II Authenticated Variable Bypass
31. EDK II TianoCompress Bounds Checking Issues
32. DNS Packet Size Check
33. Opal BlockSid Setting Disabled after S3
34. PartitionDxe and Udf Buffer Overflow
35. Stack Overflow on Corrupted BMP
36. Buffer Overflow in BlockIo service for RAM disk
37. XHCI stack local stack overflow
38. SW SMI Confused Deputy SmramSaveState.c
39. Unlimited FV Recursion
40. AuthVariable Timestamp Zeroing on APPEND_WRITE
41. BootGuard TOCTOU
Powered By GitBook
23. OPAL driver has PP issue on BlockSid

Description:

EDKII open source has OPAL driver at SecurityPkg\Tcg\Opal. It includes a feature named BlockSid, which is defined in TCG Physical Presence and TCG OPAL BlockSid specification. The TCG PP spec defines PP opcode to enable/disableBlockSid, which may need user confirmation. However, current EDKII OPAL driver just uses a normal variable (OPAL_EXTRA_INFO_VAR_NAME/gOpalExtraInfoVariableGuid) to store the BlockSid enable/disable. This driver does not follow TCG recommendation to use PP process to request user confirmation on BlockSid state change. Also this variable is NOT locked. It means any one can overwrite this variable and bypass BlockSid operation.

Recommendation:

We had better follow TCG PP specification, and implement TCG storage operation (96~101). So that: 1. User confirmation is needed when BlockSid state is changed. (This follows TCG PP spec) 2. This BlockSid state is still saved into variable, but the variable is locked via EDKII_VARIABLE_LOCK_PROTOCOL (This makes sure no malicious code may modify BlockSid enable/disable state.)
This is addressed by EDK2 GIT e92ddda2b547f0b952935abaf44fd72e97dbf755..4e3b05a49f454bc257252ae9090421e3c8447737, bee13c00218f3ed3118d8d87683c11b31ca04564, 01dd077315c6759c94af9af4232f8318db13cf8d.

Acknowledgments:

Reported by Yao, Jiewen [email protected].

References:

  • USRT M1620
  • TCG PC Client Platform Physical Presence Interface Specification
  • TCG Storage Feature Set: Block SID Authentication
Previous
22. BIOS Password
Next
24. OPAL driver has PSID issue
Last modified 2yr ago
Copy link
Contents
Description:
Recommendation:
Acknowledgments:
References: