From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mga06.intel.com (mga06.intel.com [])
 by mx.groups.io with SMTP id smtpd.web10.360.1593666932487247443
 for <devel@edk2.groups.io>;
 Wed, 01 Jul 2020 22:15:50 -0700
Authentication-Results: mx.groups.io;
 dkim=missing; spf=fail (domain: intel.com, ip: <nil>, mailfrom: guomin.jiang@intel.com)
IronPort-SDR: Kd2sXVXU5RRWTaDIyETNeCLNQVV3pqGV3qsoaYqC4/NrHjFNb6UZyP/ytGvMsLuAE6Zjm3qmaD
 37iVyVjd5AZw==
X-IronPort-AV: E=McAfee;i="6000,8403,9669"; a="208319093"
X-IronPort-AV: E=Sophos;i="5.75,302,1589266800"; 
   d="scan'208";a="208319093"
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga005.jf.intel.com ([10.7.209.41])
  by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 01 Jul 2020 22:15:49 -0700
IronPort-SDR: GzVJDPWPqWE23dgye/cyzfJ0twEdF8zQeHJaiWMDgXf772CJeXhVE7UzvBXX7Pw+Fx1FUhzWiL
 srAClE95hoAA==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.75,302,1589266800"; 
   d="scan'208";a="455385061"
Received: from guominji-mobl.ccr.corp.intel.com ([10.238.4.95])
  by orsmga005.jf.intel.com with ESMTP; 01 Jul 2020 22:15:48 -0700
From: "Guomin Jiang" <guomin.jiang@intel.com>
To: devel@edk2.groups.io
Cc: Eric Dong <eric.dong@intel.com>,
	Ray Ni <ray.ni@intel.com>,
	Laszlo Ersek <lersek@redhat.com>,
	Rahul Kumar <rahul1.kumar@intel.com>
Subject: [PATCH v2 8/9] UefiCpuPkg/SecMigrationPei: Add switch to control if produce PPI (CVE-2019-11098)
Date: Thu,  2 Jul 2020 13:15:24 +0800
Message-Id: <20200702051525.1102-9-guomin.jiang@intel.com>
X-Mailer: git-send-email 2.25.1.windows.1
In-Reply-To: <20200702051525.1102-1-guomin.jiang@intel.com>
References: <20200702051525.1102-1-guomin.jiang@intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614

SecMigrationPei create RepublishSecPpi, if the TOCTOU switch is off,
the Ppi is meaningless, so relate it with TOCTOU switch to avoid
producing useless PPI.

Cc: Eric Dong <eric.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Signed-off-by: Guomin Jiang <guomin.jiang@intel.com>
---
 UefiCpuPkg/SecMigrationPei/SecMigrationPei.c   | 8 +++++---
 UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf | 4 ++++
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/UefiCpuPkg/SecMigrationPei/SecMigrationPei.c b/UefiCpuPkg/SecMigrationPei/SecMigrationPei.c
index f96013b09b21..ab8066e8e0de 100644
--- a/UefiCpuPkg/SecMigrationPei/SecMigrationPei.c
+++ b/UefiCpuPkg/SecMigrationPei/SecMigrationPei.c
@@ -363,10 +363,12 @@ SecMigrationPeiInitialize (
   IN CONST EFI_PEI_SERVICES  **PeiServices
   )
 {
-  EFI_STATUS  Status;
+  EFI_STATUS  Status = EFI_SUCCESS;
 
-  Status = PeiServicesInstallPpi (&mEdkiiRepublishSecPpiDescriptor);
-  ASSERT_EFI_ERROR (Status);
+  if (PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)) {
+    Status = PeiServicesInstallPpi (&mEdkiiRepublishSecPpiDescriptor);
+    ASSERT_EFI_ERROR (Status);
+  }
 
   return Status;
 }
diff --git a/UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf b/UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf
index e29c04710941..8edbd3aa23a9 100644
--- a/UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf
+++ b/UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf
@@ -60,5 +60,9 @@ [Ppis]
   ## SOMETIMES_PRODUCES
   gEfiSecPlatformInformation2PpiGuid
 
+[Pcd]
+  ## CONSUMES
+  gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes
+
 [Depex]
   TRUE
-- 
2.25.1.windows.1