tillitis / tillitis-key1

Board designs, FPGA verilog, firmware for TKey, the flexible and open USB security key 🔑
https://www.tillitis.se

Idea: ability (but not enforced) to clear (or R/W) CDI #186

Open cobratbq opened 3 months ago

cobratbq commented 3 months ago

I'm posting this idea from a software-development perspective. I may ask something that's hard to achieve or just an exceptional case.

Would it be possible to allow writing to the CDI addresses from the loaded program-binary? That would allow initialization to do the necessary processing, then afterwards clear the CDI. (An alternative would be to allow clearing the MMIO address pointers, although strictly speaking this introduces obscurity rather than security.)

The threat I'm thinking of is when an attacker manages to manipulate a pointer address such that the CDI is addressed rather than any other arbitrary piece of memory. I can compute values on-the-fly and securely wipe them, but the CDI remains available.

I suspect one can argue for and against this idea. I suspect it depends on the way a program is developed whether this feature is useful.

dehanj commented 3 months ago

It is possible to make the CDI writable in app-mode. It is also quite easy hardware-wise. What we do today is to simply check if we are in fw-mode or in app-mode. If we are in app-mode we remove the write_enable for the CDI, so it becomes read-only.

We have discussed this internally as well, to keep the CDI writable, but we have not landed on any decision. You bring up a good point, to have it writable simply for the reason of removing access to sensitive data, once the app has used it for whatever its purpose is.

cobratbq commented 3 months ago

To make explicit what has not been said: CDI is intended to be the root of any number of derived secrets. It enables programs to become deterministically unpredictable. To erase/replace CDI after deriving secrets ("branches" in this tree), we cut off the source/root. This prevents extracting the CDI and recreating the device's execution in software.

secworks commented 3 months ago

We could allow an app to mark the CDI as read, used - which would then block any further read access from app mode. We could also trigger a wipe, zeroisation too, to ensure that the CDI is not present in the FPGA at all.

secworks commented 2 months ago

Draft PR https://github.com/tillitis/tillitis-key1/pull/204 adds the ability for device apps to lock down access to the CDI. The PR adds a new API address, ADDR_CDI_DONE. When written to, it will enforce that any future reads of the CDI return an all-zero value. The device must be reset to enable CDI reads again.
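
The derive-then-lock start-up pattern discussed in this thread, as an added example that is not part of the thread, the PR or the TKey code base: a C software model of the behaviour described above (CDI read-only in app-mode, reads returning zero after a write to ADDR_CDI_DONE until reset) and an app init routine that uses it. The 8-word CDI size, the struct and function names, and the `demo_mix` stand-in derivation are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CDI_WORDS 8 /* assumption: CDI modelled as 8 x 32-bit words */

/* Software model of the register behaviour described in the thread (not TKey RTL). */
struct cdi_model {
    uint32_t cdi[CDI_WORDS];
    int app_mode; /* 0 = fw-mode, 1 = app-mode */
    int locked;   /* latched by a write to the modelled ADDR_CDI_DONE */
};
struct cdi_model dev;        /* constructed device instance for the demo */
uint32_t app_key[CDI_WORDS]; /* derived secret the app keeps after init */

/* Reset: back to fw-mode with the lock cleared; firmware then loads the CDI again. */
void model_reset(struct cdi_model *m) { memset(m, 0, sizeof *m); }

/* Writes are honoured only in fw-mode (write_enable is removed in app-mode). */
int cdi_write(struct cdi_model *m, unsigned i, uint32_t v) {
    if (i >= CDI_WORDS || m->app_mode) return -1;
    m->cdi[i] = v;
    return 0;
}

/* Once locked, every CDI read returns zero until the next reset. */
uint32_t cdi_read(const struct cdi_model *m, unsigned i) {
    return (i < CDI_WORDS && !m->locked) ? m->cdi[i] : 0;
}

/* Models an app write to ADDR_CDI_DONE. */
void write_cdi_done(struct cdi_model *m) { m->locked = 1; }

/* Wipe through a volatile pointer so the stores are not optimised away. */
static void wipe(void *p, size_t n) { volatile uint8_t *b = p; while (n--) *b++ = 0; }

/* Stand-in for a real KDF such as a keyed hash; NOT cryptographically sound. */
static uint32_t demo_mix(uint32_t x, unsigned i) {
    return (x ^ (0x9E3779B9u * (i + 1))) * 0x85EBCA6Bu;
}

/* App start-up pattern: read CDI once, derive, lock the source, wipe the copy. */
void app_init(struct cdi_model *m, uint32_t out[CDI_WORDS]) {
    uint32_t local[CDI_WORDS];
    for (unsigned i = 0; i < CDI_WORDS; i++) local[i] = cdi_read(m, i);
    for (unsigned i = 0; i < CDI_WORDS; i++) out[i] = demo_mix(local[i], i);
    write_cdi_done(m);
    wipe(local, sizeof local);
}
```

After `app_init` returns, a stray pointer that lands on the modelled CDI reads zeros, while the derived key remains the only secret the app has to protect in RAM.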