Subject: Re: [edk2-devel] [PATCH v8 1/9] MdeModulePkg: Add new PCD to control the evacuate temporary memory feature (CVE-2019-11098)
From: "Laszlo Ersek"
To: devel@edk2.groups.io, guomin.jiang@intel.com
Cc: Jian J Wang, Hao A Wu
Date: Mon, 27 Jul 2020 10:56:06 +0200
Message-ID: <0dcdedc9-ad2b-1473-bb86-2ae58453cc64@redhat.com>
In-Reply-To: <20200724095446.598-2-guomin.jiang@intel.com>
References: <20200724095446.598-1-guomin.jiang@intel.com> <20200724095446.598-2-guomin.jiang@intel.com>

On 07/24/20 11:54, Guomin Jiang wrote:
> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614
>
> The security researcher found that we can get control after NEM is disabled.
>
> The reason is that the flash content resides in NEM at startup and the
> code will get the content from flash directly after disabling NEM.
>
> To avoid this vulnerability, the feature will copy the PEIMs from
> temporary memory to permanent memory and only execute the code in
> permanent memory.
>
> The vulnerability exists in physical platforms and hasn't been reported in
> virtual platforms, so the virtual platforms can disable the feature currently.
>
> When PcdMigrateTemporaryRamFirmwareVolumes is enabled, always shadow
> all PEIMs regardless of the condition of PcdShadowPeimOnBoot or
> PcdShadowPeimOnS3Boot.
>
> Cc: Jian J Wang
> Cc: Hao A Wu
> Signed-off-by: Guomin Jiang
> ---
>  MdeModulePkg/MdeModulePkg.dec | 9 +++++++++
>  MdeModulePkg/MdeModulePkg.uni | 6 ++++++
>  2 files changed, 15 insertions(+)
>
> diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
> index 843e963ad34b..45874e9c8236 100644
> --- a/MdeModulePkg/MdeModulePkg.dec
> +++ b/MdeModulePkg/MdeModulePkg.dec
> @@ -1220,6 +1220,15 @@ [PcdsFixedAtBuild, PcdsPatchableInModule]
>    # @Prompt Shadow Peim and PeiCore on boot
>    gEfiMdeModulePkgTokenSpaceGuid.PcdShadowPeimOnBoot|TRUE|BOOLEAN|0x30001029
>
> +  ## Enable the feature that evacuate temporary memory to permanent memory or not
> +  #  Set FALSE as default, if the developer need this feature to avoid this vulnerability, please
> +  #  enable it to shadow all PEIMs no matter the behavior controled by PcdShadowPeimOnBoot or
> +  #  PcdShadowPeimOnS3Boot
> +  #  TRUE  - Evacuate temporary memory, the actions include copy memory, convert PPI pointers and so on.
> +  #  FALSE - Do nothing, for example, no copy memory, no convert PPI pointers and so on.
> +  # @Prompt Evacuate temporary memory to permanent memory
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes|FALSE|BOOLEAN|0x3000102A
> +
>    ## The mask is used to control memory profile behavior.
>    #  BIT0 - Enable UEFI memory profile.
>    #  BIT1 - Enable SMRAM profile.
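Review bot: the comment block on the new PcdMigrateTemporaryRamFirmwareVolumes entry has spelling and grammar slips that will be carried into generated documentation: "controled" should be "controlled", "Enable the feature that evacuate" should read "evacuates", and "if the developer need this feature" should be "needs". The TRUE/FALSE descriptions also trail off into "and so on"; since the commit message states that enabling this PCD forces shadowing of all PEIMs regardless of PcdShadowPeimOnBoot and PcdShadowPeimOnS3Boot, stating that precedence explicitly on the TRUE line, and naming what "this vulnerability" refers to (the TOCTOU on NEM/CAR-resident flash content, CVE-2019-11098 per the subject), would make the .dec self-explanatory for platform integrators deciding whether to turn it on.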
> diff --git a/MdeModulePkg/MdeModulePkg.uni b/MdeModulePkg/MdeModulePkg.uni
> index 2007e0596c4f..5235dee561ad 100644
> --- a/MdeModulePkg/MdeModulePkg.uni
> +++ b/MdeModulePkg/MdeModulePkg.uni
> @@ -214,6 +214,12 @@
>                                                                                          "TRUE - Shadow PEIM on S3 boot path after memory is ready.\n"
>                                                                                          "FALSE - Not shadow PEIM on S3 boot path after memory is ready."
>
> +#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdMigrateTemporaryRamFirmwareVolumes_HELP  #language en-US "Enable the feature that evacuate temporary memory to permanent memory or not.\n"
> +                                                                                        "It will allocate page to save the temporary PEIMs resided in NEM(or CAR) to the permanent memory and change all pointers pointed to the NEM(or CAR) to permanent memory.\n"
> +                                                                                        "After then, there are no pointer pointed to NEM(or CAR) and TOCTOU volnerability can be avoid.\n"
> +
> +#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdMigrateTemporaryRamFirmwareVolumes_PROMPT  #language en-US "Enable the feature that evacuate temporary memory to permanent memory or not"
> +
>  #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiDefaultOemId_PROMPT  #language en-US "Default OEM ID for ACPI table creation"
>
>  #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiDefaultOemId_HELP  #language en-US "Default OEM ID for ACPI table creation, its length must be 0x6 bytes to follow ACPI specification."

Acked-by: Laszlo Ersek
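Review bot: the new _HELP string carries typos that will ship verbatim in the setup UI: "volnerability" should be "vulnerability", "can be avoid" should be "can be avoided", "After then" should be "After that", "allocate page" should be "allocate pages", and "no pointer pointed to" should be "no pointers pointing to". Style point: the neighbouring PcdShadowPeimOnS3Boot help text enumerates "TRUE - ...\n" / "FALSE - ..." lines, and the .dec comment for this same PCD does too, but this _HELP string omits that enumeration; adding matching TRUE/FALSE lines keeps the .uni and .dec descriptions in sync. Likewise the _PROMPT string ("Enable the feature that evacuate temporary memory to permanent memory or not") does not match the .dec @Prompt ("Evacuate temporary memory to permanent memory"); the two should be reconciled so the option reads the same everywhere.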