From: Jiewen Yao <jiewen.yao@intel.com>
To: edk2-devel@lists.01.org
Cc: Michael D Kinney <michael.d.kinney@intel.com>,
Liming Gao <liming.gao@intel.com>,
Eric Dong <eric.dong@intel.com>, Ray Ni <ray.ni@intel.com>,
Laszlo Ersek <lersek@redhat.com>,
Yao Jiewen <jiewen.yao@intel.com>
Subject: [PATCH 1/3] MdePkg/BaseLib: Add Shadow Stack Support for X86.
Date: Fri, 22 Feb 2019 12:15:56 +0800 [thread overview]
Message-ID: <20190222041558.25312-2-jiewen.yao@intel.com> (raw)
In-Reply-To: <20190222041558.25312-1-jiewen.yao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1521
This patch adds SSP - shadow stack pointer to JumpBuffer.
It will be used for the platform that enabled CET/ShadowStack.
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Yao Jiewen <jiewen.yao@intel.com>
---
MdePkg/Include/Library/BaseLib.h | 2 ++
MdePkg/Library/BaseLib/Ia32/LongJump.nasm | 18 +++++++++++++++++-
MdePkg/Library/BaseLib/Ia32/SetJump.nasm | 17 ++++++++++++++++-
MdePkg/Library/BaseLib/X64/LongJump.nasm | 20 +++++++++++++++++++-
MdePkg/Library/BaseLib/X64/SetJump.nasm | 17 ++++++++++++++++-
5 files changed, 70 insertions(+), 4 deletions(-)
diff --git a/MdePkg/Include/Library/BaseLib.h b/MdePkg/Include/Library/BaseLib.h
index 9c42f82a7d..616ba2e95b 100644
--- a/MdePkg/Include/Library/BaseLib.h
+++ b/MdePkg/Include/Library/BaseLib.h
@@ -31,6 +31,7 @@ typedef struct {
UINT32 Ebp;
UINT32 Esp;
UINT32 Eip;
+ UINT32 Ssp;
} BASE_LIBRARY_JUMP_BUFFER;
#define BASE_LIBRARY_JUMP_BUFFER_ALIGNMENT 4
@@ -54,6 +55,7 @@ typedef struct {
UINT64 Rip;
UINT64 MxCsr;
UINT8 XmmBuffer[160]; ///< XMM6-XMM15.
+ UINT64 Ssp;
} BASE_LIBRARY_JUMP_BUFFER;
#define BASE_LIBRARY_JUMP_BUFFER_ALIGNMENT 8
diff --git a/MdePkg/Library/BaseLib/Ia32/LongJump.nasm b/MdePkg/Library/BaseLib/Ia32/LongJump.nasm
index 7ef03462ee..e0f98c195e 100644
--- a/MdePkg/Library/BaseLib/Ia32/LongJump.nasm
+++ b/MdePkg/Library/BaseLib/Ia32/LongJump.nasm
@@ -1,6 +1,6 @@
;------------------------------------------------------------------------------
;
-; Copyright (c) 2006, Intel Corporation. All rights reserved.<BR>
+; Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>
; This program and the accompanying materials
; are licensed and made available under the terms and conditions of the BSD License
; which accompanies this distribution. The full text of the license may be found at
@@ -31,6 +31,22 @@
;------------------------------------------------------------------------------
global ASM_PFX(InternalLongJump)
ASM_PFX(InternalLongJump):
+
+ mov eax, cr4
+ bt eax, 23 ; check if CET is enabled
+ jnc CetDone
+
+ mov edx, [esp + 4] ; edx = JumpBuffer
+ mov edx, [edx + 24] ; edx = target SSP
+ DB 0xF3, 0x0F, 0x1E, 0xC8 ; READSSP EAX
+ sub edx, eax ; eax = delta
+ mov eax, edx ; eax = delta
+
+ shr eax, 2 ; eax = delta/sizeof(UINT32)
+ DB 0xF3, 0x0F, 0xAE, 0xE8 ; INCSSP EAX
+
+CetDone:
+
pop eax ; skip return address
pop edx ; edx <- JumpBuffer
pop eax ; eax <- Value
diff --git a/MdePkg/Library/BaseLib/Ia32/SetJump.nasm b/MdePkg/Library/BaseLib/Ia32/SetJump.nasm
index 6d3a5a25bb..51e0d5351c 100644
--- a/MdePkg/Library/BaseLib/Ia32/SetJump.nasm
+++ b/MdePkg/Library/BaseLib/Ia32/SetJump.nasm
@@ -1,6 +1,6 @@
;------------------------------------------------------------------------------
;
-; Copyright (c) 2006, Intel Corporation. All rights reserved.<BR>
+; Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>
; This program and the accompanying materials
; are licensed and made available under the terms and conditions of the BSD License
; which accompanies this distribution. The full text of the license may be found at
@@ -37,6 +37,21 @@ ASM_PFX(SetJump):
pop ecx
pop ecx ; ecx <- return address
mov edx, [esp]
+
+ xor eax, eax
+ mov [edx + 24], eax ; save 0 to SSP
+
+ mov eax, cr4
+ bt eax, 23 ; check if CET is enabled
+ jnc CetDone
+
+ mov eax, 1
+ DB 0xF3, 0x0F, 0xAE, 0xE8 ; INCSSP EAX to read original SSP
+ DB 0xF3, 0x0F, 0x1E, 0xC8 ; READSSP EAX
+ mov [edx + 0x24], eax ; save SSP
+
+CetDone:
+
mov [edx], ebx
mov [edx + 4], esi
mov [edx + 8], edi
diff --git a/MdePkg/Library/BaseLib/X64/LongJump.nasm b/MdePkg/Library/BaseLib/X64/LongJump.nasm
index 3bac27469e..5f3f07da07 100644
--- a/MdePkg/Library/BaseLib/X64/LongJump.nasm
+++ b/MdePkg/Library/BaseLib/X64/LongJump.nasm
@@ -1,6 +1,6 @@
;------------------------------------------------------------------------------
;
-; Copyright (c) 2006, Intel Corporation. All rights reserved.<BR>
+; Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>
; This program and the accompanying materials
; are licensed and made available under the terms and conditions of the BSD License
; which accompanies this distribution. The full text of the license may be found at
@@ -32,6 +32,24 @@
;------------------------------------------------------------------------------
global ASM_PFX(InternalLongJump)
ASM_PFX(InternalLongJump):
+
+ mov rax, cr4
+ bt eax, 23 ; check if CET is enabled
+ jnc CetDone
+
+ push rdx ; save rdx
+
+ mov rdx, [rcx + 0xF8] ; rdx = target SSP
+ DB 0xF3, 0x48, 0x0F, 0x1E, 0xC8 ; READSSP RAX
+ sub rdx, rax ; rdx = delta
+ mov rax, rdx ; rax = delta
+
+ shr rax, 3 ; rax = delta/sizeof(UINT64)
+ DB 0xF3, 0x48, 0x0F, 0xAE, 0xE8 ; INCSSP RAX
+
+ pop rdx ; restore rdx
+CetDone:
+
mov rbx, [rcx]
mov rsp, [rcx + 8]
mov rbp, [rcx + 0x10]
diff --git a/MdePkg/Library/BaseLib/X64/SetJump.nasm b/MdePkg/Library/BaseLib/X64/SetJump.nasm
index b1d0ff7121..6ec6a3f39e 100644
--- a/MdePkg/Library/BaseLib/X64/SetJump.nasm
+++ b/MdePkg/Library/BaseLib/X64/SetJump.nasm
@@ -1,6 +1,6 @@
;------------------------------------------------------------------------------
;
-; Copyright (c) 2006, Intel Corporation. All rights reserved.<BR>
+; Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>
; This program and the accompanying materials
; are licensed and made available under the terms and conditions of the BSD License
; which accompanies this distribution. The full text of the license may be found at
@@ -39,6 +39,21 @@ ASM_PFX(SetJump):
add rsp, 0x20
pop rcx
pop rdx
+
+ xor rax, rax
+ mov [rcx + 0xF8], rax ; save 0 to SSP
+
+ mov rax, cr4
+ bt eax, 23 ; check if CET is enabled
+ jnc CetDone
+
+ mov rax, 1
+ DB 0xF3, 0x48, 0x0F, 0xAE, 0xE8 ; INCSSP RAX to read original SSP
+ DB 0xF3, 0x48, 0x0F, 0x1E, 0xC8 ; READSSP RAX
+ mov [rcx + 0xF8], rax ; save SSP
+
+CetDone:
+
mov [rcx], rbx
mov [rcx + 8], rsp
mov [rcx + 0x10], rbp
--
2.19.2.windows.1
next prev parent reply other threads:[~2019-02-22 4:16 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-22 4:15 [PATCH 0/3] Add SMM CET support Jiewen Yao
2019-02-22 4:15 ` Jiewen Yao [this message]
2019-02-22 4:15 ` [PATCH 2/3] UefiCpuPkg/ExceptionLib: Add " Jiewen Yao
2019-02-22 4:15 ` [PATCH 3/3] UefiCpuPkg/PiSmmCpu: Add Shadow Stack Support for X86 SMM Jiewen Yao
2019-02-22 7:06 ` [PATCH 0/3] Add SMM CET support Gao, Liming
2019-02-22 9:06 ` Laszlo Ersek
2019-02-22 11:02 ` Yao, Jiewen
2019-02-22 12:00 ` Laszlo Ersek
2019-02-22 12:11 ` Yao, Jiewen
2019-02-22 13:32 ` Yao, Jiewen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190222041558.25312-2-jiewen.yao@intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox