From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mga06.intel.com (mga06.intel.com [134.134.136.31])
 by mx.groups.io with SMTP id smtpd.web10.360.1593666932487247443
 for <devel@edk2.groups.io>;
 Wed, 01 Jul 2020 22:15:32 -0700
Authentication-Results: mx.groups.io;
 dkim=missing; spf=pass (domain: intel.com, ip: 134.134.136.31, mailfrom: guomin.jiang@intel.com)
IronPort-SDR: fOWEsO0dmCK5q2S3DKGYbyQcaTXuDtMXhEsgrv8sqimah4izJBrcOcSPT3PY+kgzb2sbX4lg5N
 9OmtknkgfGkQ==
X-IronPort-AV: E=McAfee;i="6000,8403,9669"; a="208319001"
X-IronPort-AV: E=Sophos;i="5.75,302,1589266800"; 
   d="scan'208";a="208319001"
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga005.jf.intel.com ([10.7.209.41])
  by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 01 Jul 2020 22:15:30 -0700
IronPort-SDR: APhgKM1WvYcfwy04zR8THZ5DF3a//e+vEGFy4Tr9bAUGkiVUDsrgkOg5UtnfqKXgrftfGpQmvn
 QypC9JrV0IdA==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.75,302,1589266800"; 
   d="scan'208";a="455384831"
Received: from guominji-mobl.ccr.corp.intel.com ([10.238.4.95])
  by orsmga005.jf.intel.com with ESMTP; 01 Jul 2020 22:15:26 -0700
From: "Guomin Jiang" <guomin.jiang@intel.com>
To: devel@edk2.groups.io
Cc: Jian J Wang <jian.j.wang@intel.com>,
	Hao A Wu <hao.a.wu@intel.com>,
	Dandan Bi <dandan.bi@intel.com>,
	Liming Gao <liming.gao@intel.com>,
	Debkumar De <debkumar.de@intel.com>,
	Harry Han <harry.han@intel.com>,
	Catharine West <catharine.west@intel.com>,
	Eric Dong <eric.dong@intel.com>,
	Ray Ni <ray.ni@intel.com>,
	Laszlo Ersek <lersek@redhat.com>,
	Rahul Kumar <rahul1.kumar@intel.com>,
	Jiewen Yao <jiewen.yao@intel.com>,
	Chao Zhang <chao.b.zhang@intel.com>,
	Qi Zhang <qi1.zhang@intel.com>
Subject: [PATCH v2 0/9] Migrate Pointer from flash to permanent memory (CVE-2019-11098)
Date: Thu,  2 Jul 2020 13:15:16 +0800
Message-Id: <20200702051525.1102-1-guomin.jiang@intel.com>
X-Mailer: git-send-email 2.25.1.windows.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

The TOCTOU vulnerability allow that the physical present person to replace the code with the normal BootGuard check and PCR0 value.
The issue occur when BootGuard measure IBB and access flash code after NEM disable.
the reason why we access the flash code is that we have some pointer to flash.
To avoid this vulnerability, we need to convert those pointers, the patch series do this work and make sure that no code will access flash address.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Debkumar De <debkumar.de@intel.com>
Cc: Harry Han <harry.han@intel.com>
Cc: Catharine West <catharine.west@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Qi Zhang <qi1.zhang@intel.com>

Guomin Jiang (5):
  MdeModulePkg/Core: Create Migrated FV Info Hob for calculating hash
    (CVE-2019-11098)
  SecurityPkg/Tcg2Pei: Use Migrated FV Info Hob for calculating hash
    (CVE-2019-11098)
  MdeModulePkg/Core: Add switch to enable or disable TOCTOU feature
    (CVE-2019-11098)
  UefiCpuPkg/SecMigrationPei: Add switch to control if produce PPI
    (CVE-2019-11098)
  UefiCpuPkg/CpuMpPei: Enable paging and set NP flag to avoid TOCTOU
    (CVE-2019-11098)

Jian J Wang (1):
  MdeModulePkg/DxeIplPeim: Register for shadow on S3 shadowed boot
    (CVE-2019-11098)

Michael Kubacki (3):
  MdeModulePkg/PeiCore: Enable T-RAM evacuation in PeiCore
    (CVE-2019-11098)
  UefiCpuPkg/CpuMpPei: Add GDT and IDT migration support
    (CVE-2019-11098)
  UefiCpuPkg/SecMigrationPei: Add initial PEIM (CVE-2019-11098)

 MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf       |   3 +
 MdeModulePkg/Core/DxeIplPeim/DxeLoad.c        |   2 +-
 MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c | 417 ++++++++++++++++++
 MdeModulePkg/Core/Pei/Image/Image.c           | 115 +++++
 MdeModulePkg/Core/Pei/Memory/MemoryServices.c |  82 ++++
 MdeModulePkg/Core/Pei/PeiMain.h               | 169 +++++++
 MdeModulePkg/Core/Pei/PeiMain.inf             |   3 +
 MdeModulePkg/Core/Pei/PeiMain/PeiMain.c       |  17 +
 MdeModulePkg/Core/Pei/Ppi/Ppi.c               | 287 ++++++++++++
 MdeModulePkg/Include/Guid/MigratedFvInfo.h    |  22 +
 MdeModulePkg/MdeModulePkg.dec                 |   8 +
 SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c             |  31 +-
 SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf           |   1 +
 UefiCpuPkg/CpuMpPei/CpuMpPei.c                |  40 +-
 UefiCpuPkg/CpuMpPei/CpuMpPei.h                |  13 +
 UefiCpuPkg/CpuMpPei/CpuMpPei.inf              |   3 +
 UefiCpuPkg/CpuMpPei/CpuPaging.c               |  31 +-
 UefiCpuPkg/Include/Ppi/RepublishSecPpi.h      |  54 +++
 .../Ia32/ArchExceptionHandler.c               |   4 +-
 .../SecPeiCpuException.c                      |   2 +-
 UefiCpuPkg/SecCore/SecCore.inf                |   2 +
 UefiCpuPkg/SecCore/SecMain.c                  |  26 +-
 UefiCpuPkg/SecCore/SecMain.h                  |   1 +
 UefiCpuPkg/SecMigrationPei/SecMigrationPei.c  | 374 ++++++++++++++++
 UefiCpuPkg/SecMigrationPei/SecMigrationPei.h  | 170 +++++++
 .../SecMigrationPei/SecMigrationPei.inf       |  68 +++
 .../SecMigrationPei/SecMigrationPei.uni       |  13 +
 UefiCpuPkg/UefiCpuPkg.dec                     |   4 +
 UefiCpuPkg/UefiCpuPkg.dsc                     |   1 +
 29 files changed, 1947 insertions(+), 16 deletions(-)
 create mode 100644 MdeModulePkg/Include/Guid/MigratedFvInfo.h
 create mode 100644 UefiCpuPkg/Include/Ppi/RepublishSecPpi.h
 create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.c
 create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.h
 create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf
 create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.uni

-- 
2.25.1.windows.1