From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=192.55.52.151; helo=mga17.intel.com; envelope-from=jiewen.yao@intel.com; receiver=edk2-devel@lists.01.org Received: from mga17.intel.com (mga17.intel.com [192.55.52.151]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id C2D8C21B02822 for ; Thu, 21 Feb 2019 20:16:15 -0800 (PST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga007.jf.intel.com ([10.7.209.58]) by fmsmga107.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 21 Feb 2019 20:16:15 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.58,398,1544515200"; d="scan'208";a="116876451" Received: from jyao1-mobl2.ccr.corp.intel.com ([10.239.192.59]) by orsmga007.jf.intel.com with ESMTP; 21 Feb 2019 20:16:14 -0800 From: Jiewen Yao To: edk2-devel@lists.01.org Cc: Michael D Kinney , Liming Gao , Eric Dong , Ray Ni , Laszlo Ersek , Yao Jiewen Date: Fri, 22 Feb 2019 12:15:56 +0800 Message-Id: <20190222041558.25312-2-jiewen.yao@intel.com> X-Mailer: git-send-email 2.19.2.windows.1 In-Reply-To: <20190222041558.25312-1-jiewen.yao@intel.com> References: <20190222041558.25312-1-jiewen.yao@intel.com> MIME-Version: 1.0 Subject: [PATCH 1/3] MdePkg/BaseLib: Add Shadow Stack Support for X86. X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 22 Feb 2019 04:16:16 -0000 Content-Transfer-Encoding: 8bit REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1521 This patch adds SSP - shadow stack pointer to JumpBuffer. It will be used for the platform that enabled CET/ShadowStack. Cc: Michael D Kinney Cc: Liming Gao Cc: Eric Dong Cc: Ray Ni Cc: Laszlo Ersek Contributed-under: TianoCore Contribution Agreement 1.1 
Signed-off-by: Yao Jiewen
---
MdePkg/Include/Library/BaseLib.h | 2 ++
MdePkg/Library/BaseLib/Ia32/LongJump.nasm | 18 +++++++++++++++++-
MdePkg/Library/BaseLib/Ia32/SetJump.nasm | 17 ++++++++++++++++-
MdePkg/Library/BaseLib/X64/LongJump.nasm | 20 +++++++++++++++++++-
MdePkg/Library/BaseLib/X64/SetJump.nasm | 17 ++++++++++++++++-
5 files changed, 70 insertions(+), 4 deletions(-)
diff --git a/MdePkg/Include/Library/BaseLib.h b/MdePkg/Include/Library/BaseLib.h
index 9c42f82a7d..616ba2e95b 100644
--- a/MdePkg/Include/Library/BaseLib.h
+++ b/MdePkg/Include/Library/BaseLib.h
@@ -31,6 +31,7 @@ typedef struct {
 UINT32 Ebp;
 UINT32 Esp;
 UINT32 Eip;
+ UINT32 Ssp;
 } BASE_LIBRARY_JUMP_BUFFER;

 #define BASE_LIBRARY_JUMP_BUFFER_ALIGNMENT 4
@@ -54,6 +55,7 @@ typedef struct {
 UINT64 Rip;
 UINT64 MxCsr;
 UINT8 XmmBuffer[160]; ///< XMM6-XMM15.
+ UINT64 Ssp;
 } BASE_LIBRARY_JUMP_BUFFER;

 #define BASE_LIBRARY_JUMP_BUFFER_ALIGNMENT 8
diff --git a/MdePkg/Library/BaseLib/Ia32/LongJump.nasm b/MdePkg/Library/BaseLib/Ia32/LongJump.nasm
index 7ef03462ee..e0f98c195e 100644
--- a/MdePkg/Library/BaseLib/Ia32/LongJump.nasm
+++ b/MdePkg/Library/BaseLib/Ia32/LongJump.nasm
@@ -1,6 +1,6 @@
 ;------------------------------------------------------------------------------
 ;
-; Copyright (c) 2006, Intel Corporation. All rights reserved.
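Review bot: The new `Ssp` members carry no comment, although the assembly in this series addresses them through hard-coded offsets (24 in the Ia32 files, 0xF8 in the X64 files) and SetJump stores 0 there whenever CET was not enabled, so the contract is only discoverable by reading the .nasm sources. I would document both, e.g. `UINT64 Ssp; ///< Shadow stack pointer; 0 if CET was not enabled at SetJump time. Offset is hard-coded in X64/SetJump.nasm and X64/LongJump.nasm.` and the IA32 counterpart naming offset 24. A compile-time check that `OFFSET_OF (BASE_LIBRARY_JUMP_BUFFER, Ssp)` equals the value the assembly uses would keep the two sides from drifting. Both typedefs start above their hunks.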
+; Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
 ; This program and the accompanying materials
 ; are licensed and made available under the terms and conditions of the BSD License
 ; which accompanies this distribution. The full text of the license may be found at
@@ -31,6 +31,22 @@
 ;------------------------------------------------------------------------------
 global ASM_PFX(InternalLongJump)
 ASM_PFX(InternalLongJump):
+
+ mov eax, cr4
+ bt eax, 23 ; check if CET is enabled
+ jnc CetDone
+
+ mov edx, [esp + 4] ; edx = JumpBuffer
+ mov edx, [edx + 24] ; edx = target SSP
+ DB 0xF3, 0x0F, 0x1E, 0xC8 ; READSSP EAX
+ sub edx, eax ; eax = delta
+ mov eax, edx ; eax = delta
+
+ shr eax, 2 ; eax = delta/sizeof(UINT32)
+ DB 0xF3, 0x0F, 0xAE, 0xE8 ; INCSSP EAX
+
+CetDone:
+
+
 pop eax ; skip return address
 pop edx ; edx <- JumpBuffer
 pop eax ; eax <- Value
diff --git a/MdePkg/Library/BaseLib/Ia32/SetJump.nasm b/MdePkg/Library/BaseLib/Ia32/SetJump.nasm
index 6d3a5a25bb..51e0d5351c 100644
--- a/MdePkg/Library/BaseLib/Ia32/SetJump.nasm
+++ b/MdePkg/Library/BaseLib/Ia32/SetJump.nasm
@@ -1,6 +1,6 @@
 ;------------------------------------------------------------------------------
 ;
-; Copyright (c) 2006, Intel Corporation. All rights reserved.
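Review bot: The `bt eax, 23` / `jnc CetDone` guard only proves CR4.CET is set, not that supervisor shadow stacks are enabled (IA32_S_CET.SH_STK_EN); as I read the ISA, RDSSP executes as a NOP in that state while INCSSP raises #UD, so a platform with CET on but shadow stacks off would fault here, and the same guard is repeated in the Ia32/SetJump, X64/LongJump and X64/SetJump hunks. INCSSPD also takes its count from bits 7:0 of EAX only, so a `delta/4` above 255 leaves the shadow stack short of the target and the caller's later returns take #CP; below is one way to confirm SH_STK_EN first and chunk the increment. The comment on `sub edx, eax` should read `; edx = delta`. InternalLongJump continues below the hunk.
```asm
    bt      eax, 23                     ; CR4.CET set?
    jnc     CetDone
    mov     ecx, 0x6A2                  ; IA32_S_CET
    rdmsr
    bt      eax, 0                      ; SH_STK_EN: supervisor shadow stack really enabled?
    jnc     CetDone

    ; … unchanged: load target SSP, READSSP, delta into eax …
    shr     eax, 2                      ; eax = delta/sizeof(UINT32) = slots to pop
CetIncSsp:
    mov     ecx, eax                    ; ecx = slots still to pop
    cmp     eax, 0xFF
    jbe     CetIncSspChunk
    mov     eax, 0xFF                   ; INCSSP honours only bits 7:0 of its operand
CetIncSspChunk:
    sub     ecx, eax                    ; ecx = slots left after this INCSSP
    DB      0xF3, 0x0F, 0xAE, 0xE8      ; INCSSP EAX
    mov     eax, ecx
    test    eax, eax
    jnz     CetIncSsp

CetDone:
    ; … unchanged: pop eax / pop edx / pop eax …
```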
+; Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
 ; This program and the accompanying materials
 ; are licensed and made available under the terms and conditions of the BSD License
 ; which accompanies this distribution. The full text of the license may be found at
@@ -37,6 +37,21 @@ ASM_PFX(SetJump):
 pop ecx
 pop ecx ; ecx <- return address
 mov edx, [esp]
+
+ xor eax, eax
+ mov [edx + 24], eax ; save 0 to SSP
+
+ mov eax, cr4
+ bt eax, 23 ; check if CET is enabled
+ jnc CetDone
+
+ mov eax, 1
+ DB 0xF3, 0x0F, 0xAE, 0xE8 ; INCSSP EAX to read original SSP
+ DB 0xF3, 0x0F, 0x1E, 0xC8 ; READSSP EAX
+ mov [edx + 0x24], eax ; save SSP
+
+CetDone:
+
 mov [edx], ebx
 mov [edx + 4], esi
 mov [edx + 8], edi
diff --git a/MdePkg/Library/BaseLib/X64/LongJump.nasm b/MdePkg/Library/BaseLib/X64/LongJump.nasm
index 3bac27469e..5f3f07da07 100644
--- a/MdePkg/Library/BaseLib/X64/LongJump.nasm
+++ b/MdePkg/Library/BaseLib/X64/LongJump.nasm
@@ -1,6 +1,6 @@
 ;------------------------------------------------------------------------------
 ;
-; Copyright (c) 2006, Intel Corporation. All rights reserved.
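Review bot: The two stores to the SSP slot disagree: `mov [edx + 24], eax ; save 0 to SSP` uses offset 24 (what Ia32/LongJump.nasm reads, and the seventh UINT32 after Ebx/Esi/Edi/Ebp/Esp/Eip), but the CET path writes the real value with `mov [edx + 0x24], eax`, i.e. offset 36, beyond the 28-byte IA32 BASE_LIBRARY_JUMP_BUFFER, so the field always reads back as 0 and 4 bytes past the caller's buffer are clobbered; it should be `mov [edx + 24], eax ; save SSP`. The INCSSP comment is also misleading, since the instruction reads nothing: it drops the shadow-stack slot pushed by the call to SetJump so that the SSP captured next matches the caller's frame (presumably because SetJump leaves through the return address already popped into ecx rather than `ret`, outside this hunk); I would write `; INCSSP EAX: drop this call's shadow-stack slot so READSSP sees the caller's SSP` here and in X64/SetJump.nasm. Note that eax is preloaded with 1, so if READSSP executes as a NOP (CR4.CET set but shadow stacks not enabled) a 1 rather than 0 is stored. SetJump begins above the hunk.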
+; Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
 ; This program and the accompanying materials
 ; are licensed and made available under the terms and conditions of the BSD License
 ; which accompanies this distribution. The full text of the license may be found at
@@ -32,6 +32,24 @@
 ;------------------------------------------------------------------------------
 global ASM_PFX(InternalLongJump)
 ASM_PFX(InternalLongJump):
+
+ mov rax, cr4
+ bt eax, 23 ; check if CET is enabled
+ jnc CetDone
+
+ push rdx ; save rdx
+
+ mov rdx, [rcx + 0xF8] ; rdx = target SSP
+ DB 0xF3, 0x48, 0x0F, 0x1E, 0xC8 ; READSSP RAX
+ sub rdx, rax ; rdx = delta
+ mov rax, rdx ; rax = delta
+
+ shr rax, 3 ; rax = delta/sizeof(UINT64)
+ DB 0xF3, 0x48, 0x0F, 0xAE, 0xE8 ; INCSSP RAX
+
+ pop rdx ; restore rdx
+CetDone:
+
+
 mov rbx, [rcx]
 mov rsp, [rcx + 8]
 mov rbp, [rcx + 0x10]
diff --git a/MdePkg/Library/BaseLib/X64/SetJump.nasm b/MdePkg/Library/BaseLib/X64/SetJump.nasm
index b1d0ff7121..6ec6a3f39e 100644
--- a/MdePkg/Library/BaseLib/X64/SetJump.nasm
+++ b/MdePkg/Library/BaseLib/X64/SetJump.nasm
@@ -1,6 +1,6 @@
 ;------------------------------------------------------------------------------
 ;
-; Copyright (c) 2006, Intel Corporation. All rights reserved.
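Review bot: The unwind has no guard for a buffer whose Ssp is 0, which is exactly what X64/SetJump.nasm stores when CET was not enabled at SetJump time; if shadow stacks are enabled by the time LongJump runs, `sub rdx, rax` yields a huge delta and `INCSSP RAX` pops a truncated, meaningless number of slots the caller still needs. I would read the target SSP before the `push rdx` and skip the adjustment when it is zero: `mov rax, [rcx + 0xF8]` / `test rax, rax` / `jz CetDone`. The Ia32/LongJump.nasm hunk has the same gap. InternalLongJump continues below the hunk.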
+; Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
 ; This program and the accompanying materials
 ; are licensed and made available under the terms and conditions of the BSD License
 ; which accompanies this distribution. The full text of the license may be found at
@@ -39,6 +39,21 @@ ASM_PFX(SetJump):
 add rsp, 0x20
 pop rcx
 pop rdx
+
+ xor rax, rax
+ mov [rcx + 0xF8], rax ; save 0 to SSP
+
+ mov rax, cr4
+ bt eax, 23 ; check if CET is enabled
+ jnc CetDone
+
+ mov rax, 1
+ DB 0xF3, 0x48, 0x0F, 0xAE, 0xE8 ; INCSSP RAX to read original SSP
+ DB 0xF3, 0x48, 0x0F, 0x1E, 0xC8 ; READSSP RAX
+ mov [rcx + 0xF8], rax ; save SSP
+
+CetDone:
+
+
 mov [rcx], rbx
 mov [rcx + 8], rsp
 mov [rcx + 0x10], rbp
-- 
2.19.2.windows.1
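Review bot: Please double-check that 0xF8 is `OFFSET_OF (BASE_LIBRARY_JUMP_BUFFER, Ssp)`: the header hunk puts Ssp right after MxCsr and the 160-byte XmmBuffer, and if the members ahead of MxCsr are the eight UINT64s Rbx…Rip (not visible in the hunk) that places Ssp at 0x48 + 0xA0 = 0xE8 with the structure ending at 0xF0, in which case both stores here and the load in X64/LongJump.nasm touch 8 bytes past the caller's buffer while the real field stays 0. A named offset shared by all three accesses, e.g. `%define JUMP_BUFFER_SSP 0xE8` (value to be confirmed against the header), plus a C-side static check would make such drift visible. SetJump begins above the hunk.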