Subject: Re: [edk2-devel] [PATCH v5 4/9] UefiCpuPkg/SecMigrationPei: Add initial PEIM (CVE-2019-11098)
To: devel@edk2.groups.io, guomin.jiang@intel.com
Cc: Michael Kubacki, Eric Dong, Ray Ni, Rahul Kumar, Debkumar De, Harry Han, Catharine West
References:
<20200709015645.336-1-guomin.jiang@intel.com> <20200709015645.336-5-guomin.jiang@intel.com>
From: "Laszlo Ersek"
Message-ID: <160e3737-b813-1217-e11e-bfaf8144f304@redhat.com>
Date: Thu, 9 Jul 2020 13:01:26 +0200
In-Reply-To: <20200709015645.336-5-guomin.jiang@intel.com>

On 07/09/20 03:56, Guomin Jiang wrote:
> From: Michael Kubacki
>
> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614
>
> Adds a PEIM that republishes structures produced in SEC. This
> is done because SEC modules may not be shadowed in some platforms
> due to space constraints or special alignment requirements. The
> SecMigrationPei module locates interfaces that may be published in
> SEC and reinstalls the interface with permanent memory addresses.
>
> This is important if pre-memory address access is forbidden after
> memory initialization and data such as a PPI descriptor, PPI GUID,
> or PPI interface reside in pre-memory.
> > Cc: Eric Dong > Cc: Ray Ni > Cc: Laszlo Ersek > Cc: Rahul Kumar > Cc: Debkumar De > Cc: Harry Han > Cc: Catharine West > Signed-off-by: Michael Kubacki > Acked-by: Laszlo Ersek > --- > UefiCpuPkg/UefiCpuPkg.dec | 4 + > UefiCpuPkg/UefiCpuPkg.dsc | 1 + > UefiCpuPkg/SecCore/SecCore.inf | 2 + > .../SecMigrationPei/SecMigrationPei.inf | 67 +++ > UefiCpuPkg/Include/Ppi/RepublishSecPpi.h | 54 +++ > UefiCpuPkg/SecCore/SecMain.h | 1 + > UefiCpuPkg/SecMigrationPei/SecMigrationPei.h | 154 +++++++ > UefiCpuPkg/SecCore/SecMain.c | 26 +- > UefiCpuPkg/SecMigrationPei/SecMigrationPei.c | 381 ++++++++++++++++++ > .../SecMigrationPei/SecMigrationPei.uni | 13 + > 10 files changed, 701 insertions(+), 2 deletions(-) > create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf > create mode 100644 UefiCpuPkg/Include/Ppi/RepublishSecPpi.h > create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.h > create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.c > create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.uni > +/** > + This function is the entry point which installs an instance of REPUBLISH_SEC_PPI_PPI. > + > + It install the RepublishSecPpi depent on PcdMigrateTemporaryRamFirmwareVolumes, install > + the PPI when the PcdMigrateTemporaryRamFirmwareVolumes enabled. > + > + @param[in] FileHandle Pointer to image file handle. > + @param[in] PeiServices Pointer to PEI Services Table > + > + @retval EFI_ABORTED Disable evacuate temporary memory feature by disable > + PcdMigrateTemporaryRamFirmwareVolumes. > + EFI_SUCCESS An instance of REPUBLISH_SEC_PPI_PPI was installed successfully. I think "@retval" should be used in front of every single return value, that is, EFI_SUCCESS as well. But, please do not resubmit the series just because of this remark; it's not important enough. If you need to post a v6 for another reason, then please consider adding the "@retval" word here. My Acked-by stands with or without "@retval". Thanks! 
Laszlo > + @retval Others An error occurred installing and instance of REPUBLISH_SEC_PPI_PPI. > + > +**/ > +EFI_STATUS > +EFIAPI > +SecMigrationPeiInitialize ( > + IN EFI_PEI_FILE_HANDLE FileHandle, > + IN CONST EFI_PEI_SERVICES **PeiServices > + ) > +{ > + EFI_STATUS Status; > + > + Status = EFI_ABORTED; > + > + if (PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)) { > + Status = PeiServicesInstallPpi (&mEdkiiRepublishSecPpiDescriptor); > + ASSERT_EFI_ERROR (Status); > + } > + > + return Status; > +}
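
Review bot: In SecMigrationPeiInitialize, a failed PeiServicesInstallPpi (&mEdkiiRepublishSecPpiDescriptor) is only caught by ASSERT_EFI_ERROR (Status), which is compiled out when asserts are disabled, so in such builds the error is returned with no trace that the republish PPI is missing. Since the commit message ties this PPI to moving SEC-produced PPI data out of pre-memory, I would add a DEBUG ((DEBUG_ERROR, ...)) line on the failure path. Separately, the function comment should say whether returning EFI_ABORTED when PcdMigrateTemporaryRamFirmwareVolumes is FALSE is a normal, expected outcome, and it has a few typos worth fixing if the series is respun: "It install ... depent on" and "installing and instance".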