* [PATCH v1 0/1][UDK branches][CVE-2017-5715] Stuff RSB before RSM @ 2018-11-16 1:37 Hao Wu 2018-11-16 1:37 ` [PATCH v1 1/1] UefiCpuPkg: [CVE-2017-5715] " Hao Wu 0 siblings, 1 reply; 3+ messages in thread From: Hao Wu @ 2018-11-16 1:37 UTC (permalink / raw) To: edk2-devel; +Cc: Hao Wu, Jiewen Yao, Laszlo Ersek, Michael D Kinney, Eric Dong The series aims to mitigate the Branch Target Injection (CVE-2017-5715) issues for 'RSM' instructions. Moreover, this series focuses on the UDK branches where .NASM file is not added for a module. Patch 1/1 will be applied on the below UDK branches: UDK2015 A more detailed explanation of the purpose of commit is under the 'Branch target injection mitigation' section of the below link: https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Eric Dong <eric.dong@intel.com> Hao Wu (1): UefiCpuPkg: [CVE-2017-5715] Stuff RSB before RSM UefiCpuPkg/Include/StuffRsbAsm.inc | 60 ++++++++++++++++++++ UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.asm | 5 +- UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.asm | 5 +- UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.asm | 5 +- UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.asm | 5 +- 5 files changed, 76 insertions(+), 4 deletions(-) create mode 100644 UefiCpuPkg/Include/StuffRsbAsm.inc -- 2.12.0.windows.1 ^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH v1 1/1] UefiCpuPkg: [CVE-2017-5715] Stuff RSB before RSM 2018-11-16 1:37 [PATCH v1 0/1][UDK branches][CVE-2017-5715] Stuff RSB before RSM Hao Wu @ 2018-11-16 1:37 ` Hao Wu 2018-11-19 2:00 ` Dong, Eric 0 siblings, 1 reply; 3+ messages in thread From: Hao Wu @ 2018-11-16 1:37 UTC (permalink / raw) To: edk2-devel; +Cc: Hao Wu, Jiewen Yao, Laszlo Ersek, Michael D Kinney, Eric Dong REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1093 Return Stack Buffer (RSB) is used to predict the target of RET instructions. When the RSB underflows, some processors may fall back to using branch predictors. This might impact software using the retpoline mitigation strategy on those processors. This commit will add RSB stuffing logic before returning from SMM (the RSM instruction) to avoid interfering with non-SMM usage of the retpoline technique. After the stuffing, RSB entries will contain a trap like: SpecTrap: pause lfence jmp SpecTrap A more detailed explanation of the purpose of commit is under the 'Branch target injection mitigation' section of the below link: https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation This commit introduces a .INC file that contains the RSB logic and it can be included by .ASM files. This file is placed at directory 'UefiCpuPkg/Include/'. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Eric Dong <eric.dong@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Hao Wu <hao.a.wu@intel.com> --- UefiCpuPkg/Include/StuffRsbAsm.inc | 60 ++++++++++++++++++++ UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.asm | 5 +- UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.asm | 5 +- UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.asm | 5 +- UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.asm | 5 +- 5 files changed, 76 insertions(+), 4 deletions(-) diff --git a/UefiCpuPkg/Include/StuffRsbAsm.inc b/UefiCpuPkg/Include/StuffRsbAsm.inc new file mode 100644 index 0000000000..daaaaf36ad --- /dev/null +++ b/UefiCpuPkg/Include/StuffRsbAsm.inc @@ -0,0 +1,60 @@ +;------------------------------------------------------------------------------ ; +; Copyright (c) 2018, Intel Corporation. All rights reserved.<BR> +; This program and the accompanying materials +; are licensed and made available under the terms and conditions of the BSD License +; which accompanies this distribution. The full text of the license may be found at +; http://opensource.org/licenses/bsd-license.php. +; +; THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +; WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. +; +; Module Name: +; +; StuffRsbAsm.inc +; +; Abstract: +; +; This file provides macro definitions for stuffing the Return Stack Buffer (RSB) +; for .ASM files. +; +;------------------------------------------------------------------------------- + +RSB_STUFF_ENTRIES Equ 20h + +; +; parameters: +; @param 1: register to use as counter (e.g. IA32:eax, X64:rax) +; @param 2: stack pointer to restore (IA32:esp, X64:rsp) +; @param 3: the size of a stack frame (IA32:4, X64:8) +; +StuffRsb MACRO Reg, StackPointer, Size + local Unroll1, Unroll2, SpecTrap1, SpecTrap2, StuffLoop + mov Reg, RSB_STUFF_ENTRIES / 2 +Unroll1: + call Unroll2 +SpecTrap1: + pause + lfence + jmp SpecTrap1 +Unroll2: + call StuffLoop +SpecTrap2: + pause + lfence + jmp SpecTrap2 +StuffLoop: + dec Reg + jnz Unroll1 + add StackPointer, RSB_STUFF_ENTRIES * Size ; Restore the stack pointer + ENDM + +; +; RSB stuffing macros for IA32 and X64 +; +StuffRsb32 MACRO + StuffRsb eax, esp, 4 + ENDM + +StuffRsb64 MACRO + StuffRsb rax, rsp, 8 + ENDM diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.asm b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.asm index ac1a9b48dd..ea906d6434 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.asm +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.asm @@ -1,5 +1,5 @@ ;------------------------------------------------------------------------------ ; -; Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR> +; Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR> ; This program and the accompanying materials ; are licensed and made available under the terms and conditions of the BSD License ; which accompanies this distribution. The full text of the license may be found at @@ -22,6 +22,8 @@ .model flat,C .xmm +INCLUDE StuffRsbAsm.inc + DSC_OFFSET EQU 0fb00h DSC_GDTPTR EQU 30h DSC_GDTSIZ EQU 38h @@ -169,6 +171,7 @@ _SmiHandler PROC call eax pop ecx + StuffRsb32 rsm _SmiHandler ENDP diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.asm b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.asm index 9ba2aebe69..a606bde749 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.asm +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.asm @@ -1,5 +1,5 @@ ;------------------------------------------------------------------------------ ; -; Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR> +; Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR> ; This program and the accompanying materials ; are licensed and made available under the terms and conditions of the BSD License ; which accompanies this distribution. The full text of the license may be found at @@ -22,6 +22,8 @@ .xmm .model flat,C +INCLUDE StuffRsbAsm.inc + SmmInitHandler PROTO C EXTERNDEF C gSmmCr0:DWORD @@ -70,6 +72,7 @@ gSmmJmpAddr LABEL QWORD DB 0bch ; mov esp, imm32 gSmmInitStack DD ? call SmmInitHandler + StuffRsb32 rsm SmmStartup ENDP diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.asm b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.asm index 094cf2c3da..a4063cb0dc 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.asm +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.asm @@ -1,5 +1,5 @@ ;------------------------------------------------------------------------------ ; -; Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR> +; Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR> ; This program and the accompanying materials ; are licensed and made available under the terms and conditions of the BSD License ; which accompanies this distribution. The full text of the license may be found at @@ -18,6 +18,8 @@ ; ;------------------------------------------------------------------------------- +INCLUDE StuffRsbAsm.inc + ; ; Variables referenced by C code ; @@ -189,6 +191,7 @@ _SmiHandler: DB 48h ; FXRSTOR64 fxrstor [rsp] + StuffRsb64 rsm gcSmiHandlerSize DW $ - _SmiEntryPoint diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.asm b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.asm index 9182f0293a..2301a208d6 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.asm +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.asm @@ -1,5 +1,5 @@ ;------------------------------------------------------------------------------ ; -; Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR> +; Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR> ; This program and the accompanying materials ; are licensed and made available under the terms and conditions of the BSD License ; which accompanies this distribution. The full text of the license may be found at @@ -18,6 +18,8 @@ ; ;------------------------------------------------------------------------------- +INCLUDE StuffRsbAsm.inc + EXTERNDEF SmmInitHandler:PROC EXTERNDEF gSmmCr0:DWORD EXTERNDEF gSmmCr3:DWORD @@ -88,6 +90,7 @@ gSmmInitStack DQ ? movdqa xmm4, [rsp + 40h] movdqa xmm5, [rsp + 50h] + StuffRsb64 rsm SmmStartup ENDP -- 2.12.0.windows.1 ^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH v1 1/1] UefiCpuPkg: [CVE-2017-5715] Stuff RSB before RSM 2018-11-16 1:37 ` [PATCH v1 1/1] UefiCpuPkg: [CVE-2017-5715] " Hao Wu @ 2018-11-19 2:00 ` Dong, Eric 0 siblings, 0 replies; 3+ messages in thread From: Dong, Eric @ 2018-11-19 2:00 UTC (permalink / raw) To: Wu, Hao A, edk2-devel@lists.01.org Cc: Yao, Jiewen, Laszlo Ersek, Kinney, Michael D Reviewed-by: Eric Dong <eric.dong@intel.com> > -----Original Message----- > From: Wu, Hao A > Sent: Friday, November 16, 2018 9:37 AM > To: edk2-devel@lists.01.org > Cc: Wu, Hao A <hao.a.wu@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; > Laszlo Ersek <lersek@redhat.com>; Kinney, Michael D > <michael.d.kinney@intel.com>; Dong, Eric <eric.dong@intel.com> > Subject: [PATCH v1 1/1] UefiCpuPkg: [CVE-2017-5715] Stuff RSB before RSM > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1093 > > Return Stack Buffer (RSB) is used to predict the target of RET > instructions. When the RSB underflows, some processors may fall back to > using branch predictors. This might impact software using the retpoline > mitigation strategy on those processors. > > This commit will add RSB stuffing logic before returning from SMM (the RSM > instruction) to avoid interfering with non-SMM usage of the retpoline > technique. > > After the stuffing, RSB entries will contain a trap like: > > SpecTrap: > pause > lfence > jmp SpecTrap > > A more detailed explanation of the purpose of commit is under the > 'Branch target injection mitigation' section of the below link: > https://software.intel.com/security-software-guidance/insights/host- > firmware-speculative-execution-side-channel-mitigation > > This commit introduces a .INC file that contains the RSB logic and it can > be included by .ASM files. This file is placed at directory > 'UefiCpuPkg/Include/'. > > Cc: Jiewen Yao <jiewen.yao@intel.com> > Cc: Laszlo Ersek <lersek@redhat.com> > Cc: Michael D Kinney <michael.d.kinney@intel.com> > Cc: Eric Dong <eric.dong@intel.com> > Contributed-under: TianoCore Contribution Agreement 1.1 > Signed-off-by: Hao Wu <hao.a.wu@intel.com> > --- > UefiCpuPkg/Include/StuffRsbAsm.inc | 60 ++++++++++++++++++++ > UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.asm | 5 +- > UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.asm | 5 +- > UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.asm | 5 +- > UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.asm | 5 +- > 5 files changed, 76 insertions(+), 4 deletions(-) > > diff --git a/UefiCpuPkg/Include/StuffRsbAsm.inc > b/UefiCpuPkg/Include/StuffRsbAsm.inc > new file mode 100644 > index 0000000000..daaaaf36ad > --- /dev/null > +++ b/UefiCpuPkg/Include/StuffRsbAsm.inc > @@ -0,0 +1,60 @@ > +;------------------------------------------------------------------------------ ; > +; Copyright (c) 2018, Intel Corporation. All rights reserved.<BR> > +; This program and the accompanying materials > +; are licensed and made available under the terms and conditions of the BSD > License > +; which accompanies this distribution. The full text of the license may be > found at > +; http://opensource.org/licenses/bsd-license.php. > +; > +; THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" > BASIS, > +; WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER > EXPRESS OR IMPLIED. > +; > +; Module Name: > +; > +; StuffRsbAsm.inc > +; > +; Abstract: > +; > +; This file provides macro definitions for stuffing the Return Stack Buffer > (RSB) > +; for .ASM files. > +; > +;------------------------------------------------------------------------------- > + > +RSB_STUFF_ENTRIES Equ 20h > + > +; > +; parameters: > +; @param 1: register to use as counter (e.g. IA32:eax, X64:rax) > +; @param 2: stack pointer to restore (IA32:esp, X64:rsp) > +; @param 3: the size of a stack frame (IA32:4, X64:8) > +; > +StuffRsb MACRO Reg, StackPointer, Size > + local Unroll1, Unroll2, SpecTrap1, SpecTrap2, StuffLoop > + mov Reg, RSB_STUFF_ENTRIES / 2 > +Unroll1: > + call Unroll2 > +SpecTrap1: > + pause > + lfence > + jmp SpecTrap1 > +Unroll2: > + call StuffLoop > +SpecTrap2: > + pause > + lfence > + jmp SpecTrap2 > +StuffLoop: > + dec Reg > + jnz Unroll1 > + add StackPointer, RSB_STUFF_ENTRIES * Size ; Restore the stack > pointer > + ENDM > + > +; > +; RSB stuffing macros for IA32 and X64 > +; > +StuffRsb32 MACRO > + StuffRsb eax, esp, 4 > + ENDM > + > +StuffRsb64 MACRO > + StuffRsb rax, rsp, 8 > + ENDM > diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.asm > b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.asm > index ac1a9b48dd..ea906d6434 100644 > --- a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.asm > +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.asm > @@ -1,5 +1,5 @@ > ;------------------------------------------------------------------------------ ; > -; Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR> > +; Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR> > ; This program and the accompanying materials > ; are licensed and made available under the terms and conditions of the BSD > License > ; which accompanies this distribution. The full text of the license may be > found at > @@ -22,6 +22,8 @@ > .model flat,C > .xmm > > +INCLUDE StuffRsbAsm.inc > + > DSC_OFFSET EQU 0fb00h > DSC_GDTPTR EQU 30h > DSC_GDTSIZ EQU 38h > @@ -169,6 +171,7 @@ _SmiHandler PROC > call eax > pop ecx > > + StuffRsb32 > rsm > _SmiHandler ENDP > > diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.asm > b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.asm > index 9ba2aebe69..a606bde749 100644 > --- a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.asm > +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.asm > @@ -1,5 +1,5 @@ > ;------------------------------------------------------------------------------ ; > -; Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR> > +; Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR> > ; This program and the accompanying materials > ; are licensed and made available under the terms and conditions of the BSD > License > ; which accompanies this distribution. The full text of the license may be > found at > @@ -22,6 +22,8 @@ > .xmm > .model flat,C > > +INCLUDE StuffRsbAsm.inc > + > SmmInitHandler PROTO C > > EXTERNDEF C gSmmCr0:DWORD > @@ -70,6 +72,7 @@ gSmmJmpAddr LABEL QWORD > DB 0bch ; mov esp, imm32 > gSmmInitStack DD ? > call SmmInitHandler > + StuffRsb32 > rsm > SmmStartup ENDP > > diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.asm > b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.asm > index 094cf2c3da..a4063cb0dc 100644 > --- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.asm > +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.asm > @@ -1,5 +1,5 @@ > ;------------------------------------------------------------------------------ ; > -; Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR> > +; Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR> > ; This program and the accompanying materials > ; are licensed and made available under the terms and conditions of the BSD > License > ; which accompanies this distribution. The full text of the license may be > found at > @@ -18,6 +18,8 @@ > ; > ;------------------------------------------------------------------------------- > > +INCLUDE StuffRsbAsm.inc > + > ; > ; Variables referenced by C code > ; > @@ -189,6 +191,7 @@ _SmiHandler: > DB 48h ; FXRSTOR64 > fxrstor [rsp] > > + StuffRsb64 > rsm > > gcSmiHandlerSize DW $ - _SmiEntryPoint > diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.asm > b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.asm > index 9182f0293a..2301a208d6 100644 > --- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.asm > +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.asm > @@ -1,5 +1,5 @@ > ;------------------------------------------------------------------------------ ; > -; Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR> > +; Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR> > ; This program and the accompanying materials > ; are licensed and made available under the terms and conditions of the BSD > License > ; which accompanies this distribution. The full text of the license may be > found at > @@ -18,6 +18,8 @@ > ; > ;------------------------------------------------------------------------------- > > +INCLUDE StuffRsbAsm.inc > + > EXTERNDEF SmmInitHandler:PROC > EXTERNDEF gSmmCr0:DWORD > EXTERNDEF gSmmCr3:DWORD > @@ -88,6 +90,7 @@ gSmmInitStack DQ ? > movdqa xmm4, [rsp + 40h] > movdqa xmm5, [rsp + 50h] > > + StuffRsb64 > rsm > SmmStartup ENDP > > -- > 2.12.0.windows.1 ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-11-19 2:00 UTC | newest] Thread overview: 3+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2018-11-16 1:37 [PATCH v1 0/1][UDK branches][CVE-2017-5715] Stuff RSB before RSM Hao Wu 2018-11-16 1:37 ` [PATCH v1 1/1] UefiCpuPkg: [CVE-2017-5715] " Hao Wu 2018-11-19 2:00 ` Dong, Eric
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox