From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from a7-17.smtp-out.eu-west-1.amazonses.com (a7-17.smtp-out.eu-west-1.amazonses.com [54.240.7.17]) by mx.groups.io with SMTP id smtpd.web11.3366.1683581497258962621 for ; Mon, 08 May 2023 14:31:37 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@ipxe.org header.s=cphpx6z2rfcgehlykjjh3gknqe3hsoe2 header.b=LKw+e7QA; spf=pass (domain: eu-west-1.amazonses.com, ip: 54.240.7.17, mailfrom: 01020187fd46e7d4-9dba3e15-efcc-4ea7-87ba-2391a3f372d5-000000@eu-west-1.amazonses.com) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=cphpx6z2rfcgehlykjjh3gknqe3hsoe2; d=ipxe.org; t=1683581495; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:MIME-Version:Content-Transfer-Encoding; bh=Ez8ujir+XBUUOWDCLbEi9+zgYe2drLDIWqSd/sgA+EU=; b=LKw+e7QAbqMJgj/OJdARvhNxszjXiJ34Li2Rb1dlAhlnTPKwzVg41kLdvo11h+O4 yZHaaVH8WsQoDssFahyC97IGhlvYjKKdxfGZqLTxkZjvfLo4gTV3I1DvgO9W1xPD/Fb M0zf2surj63IpNz8MSynRZZW0Z7GHkh5/Nj6FmLhNVfyZCs9c7VVoBBwDnna7W5zwFe hvpItNQTtxPxzV9Px+ie68n+Q/zbBkpSDXDa1jMMozx6L0WXhgekrpV7OylNDcB35lI MUvyNeWTyqMljluO6F8UvRkzsUld80hum4ySDWc3Vlp77DMDURYgGWPGBKc27ElsJmd pH+S9+9+Bg== DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=shh3fegwg5fppqsuzphvschd53n6ihuv; d=amazonses.com; t=1683581495; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:MIME-Version:Content-Transfer-Encoding:Feedback-ID; bh=Ez8ujir+XBUUOWDCLbEi9+zgYe2drLDIWqSd/sgA+EU=; b=BeJffm3LTk3J0SL/JvuA+KHaHo3MpiV/bxnRXg2KiS65I9381/pe7dpgImI9MZZN JSXEVHhSDZ3Pr/lHHam9MEpje+VtV5K2+QdyCBPW4BO1uixS5XF2NXTwozGI+6vPyjz h4oMjhfcBW7/dv+yS/bxef5HbJoNbpe9YwfsEshM= From: "Michael Brown" To: devel@edk2.groups.io Cc: Michael Brown , Gerd Hoffmann , Laszlo Ersek Subject: [PATCH 2/2] OvmfPkg: Relax assertion that interrupts do not occur at TPL_HIGH_LEVEL Date: Mon, 8 May 2023 21:31:35 +0000 Message-ID: <01020187fd46e7d4-9dba3e15-efcc-4ea7-87ba-2391a3f372d5-000000@eu-west-1.amazonses.com> X-Mailer: git-send-email 2.39.0 In-Reply-To: <20230508213100.3949708-1-mcb30@ipxe.org> References: <476bbc17-6484-9afd-9be9-08de14d1d72e@redhat.com> <20230508213100.3949708-1-mcb30@ipxe.org> MIME-Version: 1.0 X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,BAYES_00, URIBL_DBL_BLOCKED_OPENDNS,URIBL_ZEN_BLOCKED_OPENDNS autolearn=ham autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on blyat.fensystems.co.uk Feedback-ID: 1.eu-west-1.fspj4M/5bzJ9NLRzJP0PaxRwxrpZqiDQJ1IF94CF2TA=:AmazonSES X-SES-Outgoing: 2023.05.08-54.240.7.17 Content-Transfer-Encoding: 8bit At TPL_HIGH_LEVEL, CPU interrupts are disabled (as per the UEFI specification) and so we should never encounter a situation in which an interrupt occurs at TPL_HIGH_LEVEL. The specification also restricts usage of TPL_HIGH_LEVEL to the firmware itself. However, nothing prevents a rogue UEFI application from illegally calling gBS->RaiseTPL(TPL_HIGH_LEVEL) and then deliberately violating the invariant by enabling interrupts via the STI or equivalent instruction. Some versions of the Microsoft Windows bootloader are known to do this. NestedInterruptTplLib maintains the invariant that interrupts are disabled at TPL_HIGH_LEVEL (even when performing the dark art of deliberately manipulating the stack so that IRET will return with interrupts still disabled), but does not itself rely on external code maintaining this invariant. Relax the assertion that the interrupted TPL is below TPL_HIGH_LEVEL to an error message, to allow rogue UEFI applications such as the Microsoft Windows bootloader to continue to function. Debugged-by: Gerd Hoffmann Debugged-by: Laszlo Ersek Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2189136 Signed-off-by: Michael Brown --- OvmfPkg/Library/NestedInterruptTplLib/Tpl.c | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/OvmfPkg/Library/NestedInterruptTplLib/Tpl.c b/OvmfPkg/Library/NestedInterruptTplLib/Tpl.c index e921a09c5599..a91f2d3cb8c7 100644 --- a/OvmfPkg/Library/NestedInterruptTplLib/Tpl.c +++ b/OvmfPkg/Library/NestedInterruptTplLib/Tpl.c @@ -34,12 +34,27 @@ NestedInterruptRaiseTPL ( // // Raise TPL and assert that we were called from within an interrupt - // handler (i.e. with TPL below TPL_HIGH_LEVEL but with interrupts - // disabled). + // handler (i.e. with interrupts already disabled before raising the + // TPL). // ASSERT (GetInterruptState () == FALSE); InterruptedTPL = gBS->RaiseTPL (TPL_HIGH_LEVEL); - ASSERT (InterruptedTPL < TPL_HIGH_LEVEL); + + // + // At TPL_HIGH_LEVEL, CPU interrupts are disabled (as per the UEFI + // specification) and so we should never encounter a situation in + // which InterruptedTPL==TPL_HIGH_LEVEL. The specification also + // restricts usage of TPL_HIGH_LEVEL to the firmware itself. + // + // However, nothing prevents a rogue UEFI application from illegally + // calling gBS->RaiseTPL(TPL_HIGH_LEVEL) and then deliberately + // violating the invariant by enabling interrupts via the STI or + // equivalent instruction. Some versions of the Microsoft Windows + // bootloader are known to do this. + // + if (InterruptedTPL >= TPL_HIGH_LEVEL) { + DEBUG ((DEBUG_ERROR, "Illegal interrupt at TPL_HIGH_LEVEL!\n")); + } return InterruptedTPL; } -- 2.39.0