From: "Laszlo Ersek" <lersek@redhat.com>
To: devel@edk2.groups.io, guomin.jiang@intel.com
Cc: Jian J Wang <jian.j.wang@intel.com>, Hao A Wu <hao.a.wu@intel.com>
Subject: Re: [edk2-devel] [PATCH v8 1/9] MdeModulePkg: Add new PCD to control the evacuate temporary memory feature (CVE-2019-11098)
Date: Mon, 27 Jul 2020 10:56:06 +0200 [thread overview]
Message-ID: <0dcdedc9-ad2b-1473-bb86-2ae58453cc64@redhat.com> (raw)
In-Reply-To: <20200724095446.598-2-guomin.jiang@intel.com>
On 07/24/20 11:54, Guomin Jiang wrote:
> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614
>
> The security researcher found that we can get control after NEM disable.
>
> The reason is that the flash content reside in NEM at startup and the
> code will get the content from flash directly after disable NEM.
>
> To avoid this vulnerability, the feature will copy the PEIMs from
> temporary memory to permanent memory and only execute the code in
> permanent memory.
>
> The vulnerability is exist in physical platform and haven't report in
> virtual platform, so the virtual can disable the feature currently.
>
> When enable the PcdMigrateTemporaryRamFirmwareVolumes, always shadow
> all PEIMs no matter the condition of PcdShadowPeimOnBoot or
> PcdShadowPeimOnS3Boot.
>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Hao A Wu <hao.a.wu@intel.com>
> Signed-off-by: Guomin Jiang <guomin.jiang@intel.com>
> ---
> MdeModulePkg/MdeModulePkg.dec | 9 +++++++++
> MdeModulePkg/MdeModulePkg.uni | 6 ++++++
> 2 files changed, 15 insertions(+)
>
> diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
> index 843e963ad34b..45874e9c8236 100644
> --- a/MdeModulePkg/MdeModulePkg.dec
> +++ b/MdeModulePkg/MdeModulePkg.dec
> @@ -1220,6 +1220,15 @@ [PcdsFixedAtBuild, PcdsPatchableInModule]
> # @Prompt Shadow Peim and PeiCore on boot
> gEfiMdeModulePkgTokenSpaceGuid.PcdShadowPeimOnBoot|TRUE|BOOLEAN|0x30001029
>
> + ## Enable the feature that evacuate temporary memory to permanent memory or not<BR><BR>
> + # Set FALSE as default, if the developer need this feature to avoid this vulnerability, please
> + # enable it to shadow all PEIMs no matter the behavior controled by PcdShadowPeimOnBoot or
> + # PcdShadowPeimOnS3Boot<BR>
> + # TRUE - Evacuate temporary memory, the actions include copy memory, convert PPI pointers and so on.<BR>
> + # FALSE - Do nothing, for example, no copy memory, no convert PPI pointers and so on.<BR>
> + # @Prompt Evacuate temporary memory to permanent memory
> + gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes|FALSE|BOOLEAN|0x3000102A
> +
> ## The mask is used to control memory profile behavior.<BR><BR>
> # BIT0 - Enable UEFI memory profile.<BR>
> # BIT1 - Enable SMRAM profile.<BR>
> diff --git a/MdeModulePkg/MdeModulePkg.uni b/MdeModulePkg/MdeModulePkg.uni
> index 2007e0596c4f..5235dee561ad 100644
> --- a/MdeModulePkg/MdeModulePkg.uni
> +++ b/MdeModulePkg/MdeModulePkg.uni
> @@ -214,6 +214,12 @@
> "TRUE - Shadow PEIM on S3 boot path after memory is ready.<BR>\n"
> "FALSE - Not shadow PEIM on S3 boot path after memory is ready.<BR>"
>
> +#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdMigrateTemporaryRamFirmwareVolumes_HELP #language en-US "Enable the feature that evacuate temporary memory to permanent memory or not.<BR><BR>\n"
> + "It will allocate page to save the temporary PEIMs resided in NEM(or CAR) to the permanent memory and change all pointers pointed to the NEM(or CAR) to permanent memory.<BR><BR>\n"
> + "After then, there are no pointer pointed to NEM(or CAR) and TOCTOU volnerability can be avoid.<BR><BR>\n"
> +
> +#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdMigrateTemporaryRamFirmwareVolumes_PROMPT #language en-US "Enable the feature that evacuate temporary memory to permanent memory or not"
> +
> #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiDefaultOemId_PROMPT #language en-US "Default OEM ID for ACPI table creation"
>
> #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiDefaultOemId_HELP #language en-US "Default OEM ID for ACPI table creation, its length must be 0x6 bytes to follow ACPI specification."
>
Acked-by: Laszlo Ersek <lersek@redhat.com>
next prev parent reply other threads:[~2020-07-27 8:56 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-24 9:54 [PATCH v8 0/9] Add new feature that evacuate temporary to permanent memory (CVE-2019-11098) Guomin Jiang
2020-07-24 9:54 ` [PATCH v8 1/9] MdeModulePkg: Add new PCD to control the evacuate temporary memory feature (CVE-2019-11098) Guomin Jiang
2020-07-27 8:56 ` Laszlo Ersek [this message]
2020-07-24 9:54 ` [PATCH v8 2/9] MdeModulePkg/PeiCore: Enable T-RAM evacuation in PeiCore (CVE-2019-11098) Guomin Jiang
2020-07-27 9:18 ` [edk2-devel] " Laszlo Ersek
2020-07-24 9:54 ` [PATCH v8 3/9] UefiCpuPkg/CpuMpPei: Add GDT migration support (CVE-2019-11098) Guomin Jiang
2020-07-24 9:54 ` [PATCH v8 4/9] UefiCpuPkg/SecMigrationPei: Add initial PEIM (CVE-2019-11098) Guomin Jiang
2020-07-24 9:54 ` [PATCH v8 5/9] MdeModulePkg/Core: Create Migrated FV Info Hob for calculating hash (CVE-2019-11098) Guomin Jiang
2020-07-24 9:54 ` [PATCH v8 6/9] SecurityPkg/Tcg2Pei: Use " Guomin Jiang
2020-07-24 9:54 ` [PATCH v8 7/9] UefiCpuPkg/CpuMpPei: Enable paging and set NP flag to avoid TOCTOU (CVE-2019-11098) Guomin Jiang
2020-07-24 9:54 ` [PATCH v8 8/9] UefiCpuPkg: Correct some typos Guomin Jiang
2020-07-24 9:54 ` [PATCH v8 9/9] SecurityPkg/TcgPei: Use Migrated FV Info Hob for calculating hash (CVE-2019-11098) Guomin Jiang
2020-07-27 3:54 ` [edk2-devel] [PATCH v8 0/9] Add new feature that evacuate temporary to permanent memory (CVE-2019-11098) Liming Gao
[not found] ` <16257FBE49F7E3E5.11956@groups.io>
2020-07-28 1:25 ` Liming Gao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0dcdedc9-ad2b-1473-bb86-2ae58453cc64@redhat.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox