From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mga06.intel.com (mga06.intel.com [])
 by mx.groups.io with SMTP id smtpd.web10.360.1593666932487247443
 for <devel@edk2.groups.io>;
 Wed, 01 Jul 2020 22:15:48 -0700
Authentication-Results: mx.groups.io;
 dkim=missing; spf=fail (domain: intel.com, ip: <nil>, mailfrom: guomin.jiang@intel.com)
IronPort-SDR: DM5z7EP4pVzxLTyLBfKgwxgj/s6z0UWKsF6Xyc6qyMZown+U9wlJTQkalDaek3a0H5mW494SI/
 kcE9UU54MISw==
X-IronPort-AV: E=McAfee;i="6000,8403,9669"; a="208319080"
X-IronPort-AV: E=Sophos;i="5.75,302,1589266800"; 
   d="scan'208";a="208319080"
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga005.jf.intel.com ([10.7.209.41])
  by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 01 Jul 2020 22:15:47 -0700
IronPort-SDR: dXU6S+XJImh3lH2gcuuHgLQTvAX8gDZJpoMu/E81lAUXJSrA86XpkB6q5aGeL3yfIw1s87EV5J
 yg/Mw3ek9u8Q==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.75,302,1589266800"; 
   d="scan'208";a="455385040"
Received: from guominji-mobl.ccr.corp.intel.com ([10.238.4.95])
  by orsmga005.jf.intel.com with ESMTP; 01 Jul 2020 22:15:45 -0700
From: "Guomin Jiang" <guomin.jiang@intel.com>
To: devel@edk2.groups.io
Cc: Jian J Wang <jian.j.wang@intel.com>,
	Hao A Wu <hao.a.wu@intel.com>,
	Dandan Bi <dandan.bi@intel.com>,
	Liming Gao <liming.gao@intel.com>,
	Debkumar De <debkumar.de@intel.com>,
	Harry Han <harry.han@intel.com>,
	Catharine West <catharine.west@intel.com>
Subject: [PATCH v2 7/9] MdeModulePkg/Core: Add switch to enable or disable TOCTOU feature (CVE-2019-11098)
Date: Thu,  2 Jul 2020 13:15:23 +0800
Message-Id: <20200702051525.1102-8-guomin.jiang@intel.com>
X-Mailer: git-send-email 2.25.1.windows.1
In-Reply-To: <20200702051525.1102-1-guomin.jiang@intel.com>
References: <20200702051525.1102-1-guomin.jiang@intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614

Add total switch to enable or disable TOCTOU feature, the vulnerability is
critical, so the switch is on normally but if you can disable it according
to your needs.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Debkumar De <debkumar.de@intel.com>
Cc: Harry Han <harry.han@intel.com>
Cc: Catharine West <catharine.west@intel.com>
Signed-off-by: Guomin Jiang <guomin.jiang@intel.com>
---
 MdeModulePkg/Core/Pei/PeiMain.inf       | 1 +
 MdeModulePkg/Core/Pei/PeiMain/PeiMain.c | 5 +++--
 MdeModulePkg/MdeModulePkg.dec           | 5 +++++
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/MdeModulePkg/Core/Pei/PeiMain.inf b/MdeModulePkg/Core/Pei/PeiMain.inf
index c80d16b4efa6..0cf357371a16 100644
--- a/MdeModulePkg/Core/Pei/PeiMain.inf
+++ b/MdeModulePkg/Core/Pei/PeiMain.inf
@@ -111,6 +111,7 @@ [Pcd]
   gEfiMdeModulePkgTokenSpaceGuid.PcdShadowPeimOnS3Boot                      ## CONSUMES
   gEfiMdeModulePkgTokenSpaceGuid.PcdShadowPeimOnBoot                        ## CONSUMES
   gEfiMdeModulePkgTokenSpaceGuid.PcdInitValueInTempStack                    ## CONSUMES
+  gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes      ## CONSUMES
 
 # [BootMode]
 # S3_RESUME             ## SOMETIMES_CONSUMES
diff --git a/MdeModulePkg/Core/Pei/PeiMain/PeiMain.c b/MdeModulePkg/Core/Pei/PeiMain/PeiMain.c
index 802cd239e2eb..bc78c3f8ad59 100644
--- a/MdeModulePkg/Core/Pei/PeiMain/PeiMain.c
+++ b/MdeModulePkg/Core/Pei/PeiMain/PeiMain.c
@@ -419,8 +419,9 @@ PeiCore (
     }
   } else {
     if (
-      (!(PrivateData.HobList.HandoffInformationTable->BootMode == BOOT_ON_S3_RESUME) && PcdGetBool (PcdShadowPeimOnBoot)) ||
-      ((PrivateData.HobList.HandoffInformationTable->BootMode == BOOT_ON_S3_RESUME) && PcdGetBool (PcdShadowPeimOnS3Boot))
+      ((!(PrivateData.HobList.HandoffInformationTable->BootMode == BOOT_ON_S3_RESUME) && PcdGetBool (PcdShadowPeimOnBoot)) ||
+      ((PrivateData.HobList.HandoffInformationTable->BootMode == BOOT_ON_S3_RESUME) && PcdGetBool (PcdShadowPeimOnS3Boot))) &&
+      PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)
       ) {
       DEBUG ((DEBUG_VERBOSE, "PPI lists before temporary RAM evacuation:\n"));
       DumpPpiList (&PrivateData);
diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
index 5e25cbe98ada..0a5a167f3e8b 100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
@@ -1223,6 +1223,11 @@ [PcdsFixedAtBuild, PcdsPatchableInModule]
   # @Prompt Shadow Peim and PeiCore on boot
   gEfiMdeModulePkgTokenSpaceGuid.PcdShadowPeimOnBoot|TRUE|BOOLEAN|0x30001029
 
+  ## Indicate if to evacuate from temporary to permanent memory.
+  # TRUE - Evacuate from temporary memory
+  # FALSE - Keep the original behavior
+  gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes|TRUE|BOOLEAN|0x3000102A
+
   ## The mask is used to control memory profile behavior.<BR><BR>
   #  BIT0 - Enable UEFI memory profile.<BR>
   #  BIT1 - Enable SMRAM profile.<BR>
-- 
2.25.1.windows.1