From: "Guomin Jiang" <guomin.jiang@intel.com>
To: devel@edk2.groups.io
Cc: Jian J Wang <jian.j.wang@intel.com>,
Hao A Wu <hao.a.wu@intel.com>, Dandan Bi <dandan.bi@intel.com>,
Liming Gao <liming.gao@intel.com>,
Debkumar De <debkumar.de@intel.com>,
Harry Han <harry.han@intel.com>,
Catharine West <catharine.west@intel.com>,
Eric Dong <eric.dong@intel.com>, Ray Ni <ray.ni@intel.com>,
Jordan Justen <jordan.l.justen@intel.com>,
Andrew Fish <afish@apple.com>, Laszlo Ersek <lersek@redhat.com>,
Ard Biesheuvel <ard.biesheuvel@arm.com>,
Anthony Perard <anthony.perard@citrix.com>,
Julien Grall <julien@xen.org>, Leif Lindholm <leif@nuviainc.com>,
Rahul Kumar <rahul1.kumar@intel.com>,
Jiewen Yao <jiewen.yao@intel.com>,
Chao Zhang <chao.b.zhang@intel.com>,
Qi Zhang <qi1.zhang@intel.com>,
Micheal Kubacki <michael.kubacki@outlook.com>
Subject: [PATCH v3 00/11] Add new feature that evacuate temporary to permanent memory (CVE-2019-11098)
Date: Wed, 8 Jul 2020 10:45:57 +0800 [thread overview]
Message-ID: <20200708024608.915-1-guomin.jiang@intel.com> (raw)
The TOCTOU vulnerability allow that the physical present person to replace the code with the normal BootGuard check and PCR0 value.
The issue occur when BootGuard measure IBB and access flash code after NEM disable.
the reason why we access the flash code is that we have some pointer to flash.
To avoid this vulnerability, we need to convert those pointers, the patch series do this work and make sure that no code will access flash address.
v2:
Create gEdkiiMigratedFvInfoGuid HOB and add PcdMigrateTemporaryRamFirmwareVolumes to control whole feature.
v3:
Remove changes which is not related with the feature and disable the feature in virtual platform.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Debkumar De <debkumar.de@intel.com>
Cc: Harry Han <harry.han@intel.com>
Cc: Catharine West <catharine.west@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Andrew Fish <afish@apple.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Julien Grall <julien@xen.org>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Qi Zhang <qi1.zhang@intel.com>
Cc: Micheal Kubacki <michael.kubacki@outlook.com>
Guomin Jiang (8):
MdeModulePkg: Add new PCD to control the evacuate temporary memory
feature (CVE-2019-11098)
ArmVirtPkg: Disable PcdMigrateTemporaryRamFirmwareVolumes
EmulatorPkg: Disable PcdMigrateTemporaryRamFirmwareVolumes
OvmfPkg: Disable PcdMigrateTemporaryRamFirmwareVolumes
MdeModulePkg/Core: Create Migrated FV Info Hob for calculating hash
(CVE-2019-11098)
SecurityPkg/Tcg2Pei: Use Migrated FV Info Hob for calculating hash
(CVE-2019-11098)
UefiCpuPkg/CpuMpPei: Enable paging and set NP flag to avoid TOCTOU
(CVE-2019-11098)
UefiCpuPkg: Correct some typos.
Michael Kubacki (3):
MdeModulePkg/PeiCore: Enable T-RAM evacuation in PeiCore
(CVE-2019-11098)
UefiCpuPkg/CpuMpPei: Add GDT and IDT migration support
(CVE-2019-11098)
UefiCpuPkg/SecMigrationPei: Add initial PEIM (CVE-2019-11098)
MdeModulePkg/MdeModulePkg.dec | 8 +
UefiCpuPkg/UefiCpuPkg.dec | 4 +
ArmVirtPkg/ArmVirt.dsc.inc | 2 +
EmulatorPkg/EmulatorPkg.dsc | 2 +
OvmfPkg/OvmfPkgIa32.dsc | 2 +
OvmfPkg/OvmfPkgIa32X64.dsc | 2 +
OvmfPkg/OvmfPkgX64.dsc | 2 +
OvmfPkg/OvmfXen.dsc | 2 +
UefiCpuPkg/UefiCpuPkg.dsc | 1 +
MdeModulePkg/Core/Pei/PeiMain.inf | 3 +
SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf | 1 +
UefiCpuPkg/CpuMpPei/CpuMpPei.inf | 4 +
UefiCpuPkg/SecCore/SecCore.inf | 2 +
.../SecMigrationPei/SecMigrationPei.inf | 67 +++
MdeModulePkg/Core/Pei/PeiMain.h | 169 +++++++
MdeModulePkg/Include/Guid/MigratedFvInfo.h | 22 +
UefiCpuPkg/CpuMpPei/CpuMpPei.h | 12 +
UefiCpuPkg/Include/Ppi/RepublishSecPpi.h | 54 +++
UefiCpuPkg/SecCore/SecMain.h | 1 +
UefiCpuPkg/SecMigrationPei/SecMigrationPei.h | 154 +++++++
MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c | 430 ++++++++++++++++++
MdeModulePkg/Core/Pei/Image/Image.c | 115 +++++
MdeModulePkg/Core/Pei/Memory/MemoryServices.c | 82 ++++
MdeModulePkg/Core/Pei/PeiMain/PeiMain.c | 22 +
MdeModulePkg/Core/Pei/Ppi/Ppi.c | 287 ++++++++++++
SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c | 31 +-
UefiCpuPkg/CpuMpPei/CpuMpPei.c | 37 ++
UefiCpuPkg/CpuMpPei/CpuPaging.c | 37 +-
.../Ia32/ArchExceptionHandler.c | 4 +-
.../SecPeiCpuException.c | 2 +-
UefiCpuPkg/SecCore/SecMain.c | 26 +-
UefiCpuPkg/SecMigrationPei/SecMigrationPei.c | 378 +++++++++++++++
MdeModulePkg/MdeModulePkg.uni | 6 +
.../SecMigrationPei/SecMigrationPei.uni | 13 +
34 files changed, 1970 insertions(+), 14 deletions(-)
create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf
create mode 100644 MdeModulePkg/Include/Guid/MigratedFvInfo.h
create mode 100644 UefiCpuPkg/Include/Ppi/RepublishSecPpi.h
create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.h
create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.c
create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.uni
--
2.25.1.windows.1
next reply other threads:[~2020-07-08 2:46 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-08 2:45 Guomin Jiang [this message]
2020-07-08 2:45 ` [PATCH v3 01/11] MdeModulePkg: Add new PCD to control the evacuate temporary memory feature (CVE-2019-11098) Guomin Jiang
2020-07-08 2:45 ` [PATCH v3 02/11] ArmVirtPkg: Disable PcdMigrateTemporaryRamFirmwareVolumes Guomin Jiang
2020-07-08 2:46 ` [PATCH v3 03/11] EmulatorPkg: " Guomin Jiang
2020-07-08 2:46 ` [PATCH v3 04/11] OvmfPkg: " Guomin Jiang
2020-07-08 2:46 ` [PATCH v3 05/11] MdeModulePkg/PeiCore: Enable T-RAM evacuation in PeiCore (CVE-2019-11098) Guomin Jiang
2020-07-08 2:46 ` [PATCH v3 06/11] UefiCpuPkg/CpuMpPei: Add GDT and IDT migration support (CVE-2019-11098) Guomin Jiang
2020-07-08 2:46 ` [PATCH v3 07/11] UefiCpuPkg/SecMigrationPei: Add initial PEIM (CVE-2019-11098) Guomin Jiang
2020-07-08 2:46 ` [PATCH v3 08/11] MdeModulePkg/Core: Create Migrated FV Info Hob for calculating hash (CVE-2019-11098) Guomin Jiang
2020-07-08 2:46 ` [PATCH v3 09/11] SecurityPkg/Tcg2Pei: Use " Guomin Jiang
2020-07-08 2:46 ` [PATCH v3 10/11] UefiCpuPkg/CpuMpPei: Enable paging and set NP flag to avoid TOCTOU (CVE-2019-11098) Guomin Jiang
2020-07-08 2:46 ` [PATCH v3 11/11] UefiCpuPkg: Correct some typos Guomin Jiang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200708024608.915-1-guomin.jiang@intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox