From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <hao.a.wu@intel.com>
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=134.134.136.65; helo=mga03.intel.com;
 envelope-from=hao.a.wu@intel.com; receiver=edk2-devel@lists.01.org 
Received: from mga03.intel.com (mga03.intel.com [134.134.136.65])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 5D94F21106FA6
 for <edk2-devel@lists.01.org>; Fri, 28 Sep 2018 23:57:43 -0700 (PDT)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga001.jf.intel.com ([10.7.209.18])
 by orsmga103.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
 28 Sep 2018 23:57:43 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.54,318,1534834800"; d="scan'208";a="94950099"
Received: from shwdeopenpsi014.ccr.corp.intel.com ([10.239.9.19])
 by orsmga001.jf.intel.com with ESMTP; 28 Sep 2018 23:57:37 -0700
From: Hao Wu <hao.a.wu@intel.com>
To: edk2-devel@lists.01.org
Cc: Hao Wu <hao.a.wu@intel.com>, Ard Biesheuvel <ard.biesheuvel@linaro.org>,
 Leif Lindholm <leif.lindholm@linaro.org>, Laszlo Ersek <lersek@redhat.com>,
 Jiewen Yao <jiewen.yao@intel.com>,
 Michael D Kinney <michael.d.kinney@intel.com>
Date: Sat, 29 Sep 2018 14:57:31 +0800
Message-Id: <20180929065736.12796-1-hao.a.wu@intel.com>
X-Mailer: git-send-email 2.12.0.windows.1
Subject: [PATCH v3 0/5] [CVE-2017-5753] Bounds Check Bypass issue in SMI handlers
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Sep 2018 06:57:44 -0000

V3 changes:
A. Fix wrong file (should be LoadFenceSmm.c) gets listed in
   MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf

B. Rename the newly introduced internal function from 'VariableLoadFence'
   to 'MemoryLoadFence' within
   MdeModulePkg/Universal/Variable/RuntimeDxe/

C. Remove extra empty line before EOF for files:
   MdePkg/Library/BaseLib/Ia32/Lfence.nasm
   MdePkg/Library/BaseLib/X64/Lfence.nasm

D. Remove dummy message within commit log messages

Since A. has functional impact. Thus send V3 of the series.


V2 history:
A. Rename the newly introduced BaseLib API to 'AsmLfence', and makes it
   IA32/X64 specific.

B. Add brief comments before calls of the AsmLfence() to state the
   purpose.

C. Refine the patch for Variable/RuntimeDxe driver and make the change
   focus on the SMM code.

V1 history:
The series aims to mitigate the Bounds Check Bypass (CVE-2017-5753) issues
within SMI handlers.

A more detailed explanation of the purpose of the series is under the
'Bounds check bypass mitigation' section of the below link:
https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation

And the document at:
https://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>

Hao Wu (5):
  MdePkg/BaseLib: Add new AsmLfence API
  MdeModulePkg/FaultTolerantWrite:[CVE-2017-5753]Fix bounds check bypass
  MdeModulePkg/SmmLockBox: [CVE-2017-5753] Fix bounds check bypass
  MdeModulePkg/Variable: [CVE-2017-5753] Fix bounds check bypass
  UefiCpuPkg/PiSmmCpuDxeSmm: [CVE-2017-5753] Fix bounds check bypass

 MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c   |  7 ++++
 MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.inf |  1 +
 MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c                 | 10 ++++++
 MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceDxe.c              | 31 ++++++++++++++++
 MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceSmm.c              | 30 ++++++++++++++++
 MdeModulePkg/Universal/Variable/RuntimeDxe/PrivilegePolymorphic.h      | 13 ++++++-
 MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c                  |  6 ++++
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf      |  1 +
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c               | 18 ++++++++++
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf             |  1 +
 MdePkg/Include/Library/BaseLib.h                                       | 13 +++++++
 MdePkg/Library/BaseLib/BaseLib.inf                                     |  2 ++
 MdePkg/Library/BaseLib/Ia32/Lfence.nasm                                | 36 +++++++++++++++++++
 MdePkg/Library/BaseLib/X64/Lfence.nasm                                 | 37 ++++++++++++++++++++
 UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c                             |  5 +++
 15 files changed, 210 insertions(+), 1 deletion(-)
 create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceDxe.c
 create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceSmm.c
 create mode 100644 MdePkg/Library/BaseLib/Ia32/Lfence.nasm
 create mode 100644 MdePkg/Library/BaseLib/X64/Lfence.nasm

-- 
2.12.0.windows.1