From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=134.134.136.65; helo=mga03.intel.com; envelope-from=hao.a.wu@intel.com; receiver=edk2-devel@lists.01.org Received: from mga03.intel.com (mga03.intel.com [134.134.136.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id E6B6E210D83E0 for ; Thu, 9 Aug 2018 18:44:05 -0700 (PDT) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga002.fm.intel.com ([10.253.24.26]) by orsmga103.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 09 Aug 2018 18:44:06 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.53,217,1531810800"; d="scan'208";a="75363399" Received: from shwdeopenpsi014.ccr.corp.intel.com ([10.239.9.19]) by fmsmga002.fm.intel.com with ESMTP; 09 Aug 2018 18:44:01 -0700 
From: Hao Wu To: edk2-devel@lists.01.org Cc: Hao Wu , Jiewen Yao , Eric Dong , Laszlo Ersek Date: Fri, 10 Aug 2018 09:43:48 +0800 Message-Id: <20180810014348.32036-3-hao.a.wu@intel.com> X-Mailer: git-send-email 2.12.0.windows.1 In-Reply-To: <20180810014348.32036-1-hao.a.wu@intel.com> References: <20180810014348.32036-1-hao.a.wu@intel.com> Subject: [PATCH 2/2] UefiCpuPkg/PiSmmCpuDxeSmm: Add RSB stuffing before rsm instruction X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Aug 2018 01:44:06 -0000 System Management Interrupt (SMI) handlers can leave the Return Stack Buffer (RSB) in a state that application program or operating-system does not expect. In order to avoid RSB underflow on return from SMI, this commit will add RSB stuffing logic before instruction 'rsm'. After the stuffing, RSB entries will contain a trap like: @SpecTrap: pause lfence jmp @SpecTrap to keep the speculative execution within control. Cc: Jiewen Yao Cc: Eric Dong Cc: Laszlo Ersek Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Hao Wu --- UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.nasm | 20 +++++++++++++++++++ UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.nasm | 21 ++++++++++++++++++++ UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm | 20 +++++++++++++++++++ UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.nasm | 20 +++++++++++++++++++ 4 files changed, 81 insertions(+) diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.nasm b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.nasm index 509e7a0a66..e5875353a1 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.nasm +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.nasm @@ -37,6 +37,8 @@ %define PROTECT_MODE_DS 0x20 %define TSS_SEGMENT 0x40 +%define RSB_STUFF_ENTRIES 0x20 + extern ASM_PFX(SmiRendezvous) extern ASM_PFX(FeaturePcdGet (PcdCpuSmmStackGuard)) extern ASM_PFX(CpuSmmDebugEntry) 
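Review bot: `%define RSB_STUFF_ENTRIES 0x20` is added without a comment saying what the number sizes, and the same define is repeated verbatim in the Ia32/SmmInit.nasm, X64/SmiEntry.nasm and X64/SmmInit.nasm hunks. The value is a hardware property (how many return predictions have to be overwritten before `rsm`), so a one-line note such as `%define RSB_STUFF_ENTRIES 0x20 ; return addresses pushed to overwrite the RSB before rsm; should cover the RSB depth of every supported core` would tell the next maintainer why it is 0x20 and when it has to change. Keeping a single definition in a shared include rather than four copies would also stop the four from drifting apart.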
@@ -204,6 +206,24 @@ ASM_PFX(SmiHandler): wrmsr .7: + mov eax, RSB_STUFF_ENTRIES / 2 +@Unroll1: + call @Unroll2 +@SpecTrap1: + pause + lfence + jmp @SpecTrap1 +@Unroll2: + call @StuffLoop +@SpecTrap2: + pause + lfence + jmp @SpecTrap2 +@StuffLoop: + dec eax + jnz @Unroll1 + add esp, RSB_STUFF_ENTRIES * 4 ; Restore the stack pointer + rsm ASM_PFX(gcSmiHandlerSize): DW $ - _SmiEntryPoint diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.nasm b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.nasm index 5ff3cd2e73..fd559d25cd 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.nasm +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.nasm @@ -33,6 +33,8 @@ global ASM_PFX(gcSmmInitTemplate) %define PROTECT_MODE_CS 0x8 %define PROTECT_MODE_DS 0x20 +%define RSB_STUFF_ENTRIES 0x20 + SECTION .text ASM_PFX(gcSmiInitGdtr): @@ -75,6 +77,25 @@ BITS 32 mov esp, strict dword 0 ; source operand will be patched ASM_PFX(gPatchSmmInitStack): call ASM_PFX(SmmInitHandler) + + mov eax, RSB_STUFF_ENTRIES / 2 +@Unroll1: + call @Unroll2 +@SpecTrap1: + pause + lfence + jmp @SpecTrap1 +@Unroll2: + call @StuffLoop +@SpecTrap2: + pause + lfence + jmp @SpecTrap2 +@StuffLoop: + dec eax + jnz @Unroll1 + add esp, RSB_STUFF_ENTRIES * 4 ; Restore the stack pointer + rsm BITS 16 diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm index 97c7b01d0d..b955fa1cf1 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm @@ -48,6 +48,8 @@ %define TSS_SEGMENT 0x40 %define GDT_SIZE 0x50 +%define RSB_STUFF_ENTRIES 0x20 + extern ASM_PFX(SmiRendezvous) extern ASM_PFX(gSmiHandlerIdtr) extern ASM_PFX(CpuSmmDebugEntry) 
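Review bot: The stuffing sequence inserted at `.7:` carries no comment explaining what it does or why it must sit immediately before `rsm`, and the identical block is pasted into the Ia32/SmmInit.nasm hunk and, with rax/rsp, into the X64/SmiEntry.nasm and X64/SmmInit.nasm hunks. A header such as `; Fill the RSB with RSB_STUFF_ENTRIES return addresses that point at the pause/lfence traps below, so a mispredicted return after rsm lands in a harmless spin; consumes RSB_STUFF_ENTRIES * 4 bytes of stack, released by the add before rsm` would make both the intent and the stack-headroom requirement explicit. The labels `@Unroll1`, `@SpecTrap1` and so on appear to be ordinary file-scope NASM labels (no leading `.`), so the block cannot be instantiated a second time in the same file; a `%macro` in a shared include using `%%`-prefixed macro-local labels, parameterised only by the counter register and the per-entry stack stride, would remove both the duplication and that restriction. SmiHandler itself begins before this hunk.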
@@ -217,6 +219,24 @@ _SmiHandler: wrmsr .1: + mov rax, RSB_STUFF_ENTRIES / 2 +@Unroll1: + call @Unroll2 +@SpecTrap1: + pause + lfence + jmp @SpecTrap1 +@Unroll2: + call @StuffLoop +@SpecTrap2: + pause + lfence + jmp @SpecTrap2 +@StuffLoop: + dec rax + jnz @Unroll1 + add rsp, RSB_STUFF_ENTRIES * 8 ; Restore the stack pointer + rsm ASM_PFX(gcSmiHandlerSize) DW $ - _SmiEntryPoint diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.nasm b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.nasm index 0b0c3f28e5..bff14e809b 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.nasm +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.nasm @@ -34,6 +34,8 @@ global ASM_PFX(gPatchSmmRelocationOriginalAddressPtr32) %define LONG_MODE_CS 0x38 +%define RSB_STUFF_ENTRIES 0x20 + DEFAULT REL SECTION .text @@ -101,6 +103,24 @@ ASM_PFX(gPatchSmmInitStack): movdqa xmm4, [rsp + 0x40] movdqa xmm5, [rsp + 0x50] + mov rax, RSB_STUFF_ENTRIES / 2 +@Unroll1: + call @Unroll2 +@SpecTrap1: + pause + lfence + jmp @SpecTrap1 +@Unroll2: + call @StuffLoop +@SpecTrap2: + pause + lfence + jmp @SpecTrap2 +@StuffLoop: + dec rax + jnz @Unroll1 + add rsp, RSB_STUFF_ENTRIES * 8 ; Restore the stack pointer + rsm BITS 16 -- 2.12.0.windows.1
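Review bot: The trailing comment on `add rsp, RSB_STUFF_ENTRIES * 8 ; Restore the stack pointer` restates the mnemonic rather than the invariant; `; discard the RSB_STUFF_ENTRIES return addresses pushed by the call chain above` says what the constant stands for, and the same wording applies to the X64/SmmInit.nasm hunk and the two Ia32 hunks. On the 64-bit side `mov rax, RSB_STUFF_ENTRIES / 2` can be written `mov eax, RSB_STUFF_ENTRIES / 2`: the immediate fits in 32 bits, the 32-bit write zero-extends into rax, and the encoding is shorter, so `dec rax` / `jnz @Unroll1` behave exactly as before. _SmiHandler starts before this hunk.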