From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by mx.groups.io with SMTP id smtpd.web10.2988.1594176375248160105 for ; Tue, 07 Jul 2020 19:46:15 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: intel.com, ip: 134.134.136.24, mailfrom: guomin.jiang@intel.com) IronPort-SDR: VJFUnqTwOdURsnLZm1B8tae9eURg95JGvAOl7/Q5JTSDUPHrhLixeGtr+ZgPpfURKcFwdLRruN UCEc/FWWAr4A== X-IronPort-AV: E=McAfee;i="6000,8403,9675"; a="149242149" X-IronPort-AV: E=Sophos;i="5.75,326,1589266800"; d="scan'208";a="149242149" X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 07 Jul 2020 19:46:14 -0700 IronPort-SDR: zewKRHWrpE5+Zc51V0w8azGiJ0qu9jrRdO7y8qCwTwpttW8O5mYN9+4E8Lp/ZGb7DuRgNrOBrS 7PJFVwHOVckA== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.75,326,1589266800"; d="scan'208";a="483271544" Received: from guominji-mobl.ccr.corp.intel.com ([10.238.4.95]) by fmsmga006.fm.intel.com with ESMTP; 07 Jul 2020 19:46:09 -0700 From: "Guomin Jiang" To: devel@edk2.groups.io Cc: Jian J Wang , Hao A Wu , Dandan Bi , Liming Gao , Debkumar De , Harry Han , Catharine West , Eric Dong , Ray Ni , Jordan Justen , Andrew Fish , Laszlo Ersek , Ard Biesheuvel , Anthony Perard , Julien Grall , Leif Lindholm , Rahul Kumar , Jiewen Yao , Chao Zhang , Qi Zhang , Micheal Kubacki Subject: [PATCH v3 00/11] Add new feature that evacuate temporary to permanent memory (CVE-2019-11098) Date: Wed, 8 Jul 2020 10:45:57 +0800 Message-Id: <20200708024608.915-1-guomin.jiang@intel.com> X-Mailer: git-send-email 2.25.1.windows.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit The TOCTOU vulnerability allow that the physical present person to replace the code with the normal BootGuard check and PCR0 value. The issue occur when BootGuard measure IBB and access flash code after NEM disable. the reason why we access the flash code is that we have some pointer to flash. To avoid this vulnerability, we need to convert those pointers, the patch series do this work and make sure that no code will access flash address. v2: Create gEdkiiMigratedFvInfoGuid HOB and add PcdMigrateTemporaryRamFirmwareVolumes to control whole feature. v3: Remove changes which is not related with the feature and disable the feature in virtual platform. Cc: Jian J Wang Cc: Hao A Wu Cc: Dandan Bi Cc: Liming Gao Cc: Debkumar De Cc: Harry Han Cc: Catharine West Cc: Eric Dong Cc: Ray Ni Cc: Jordan Justen Cc: Andrew Fish Cc: Laszlo Ersek Cc: Ard Biesheuvel Cc: Anthony Perard Cc: Julien Grall Cc: Leif Lindholm Cc: Rahul Kumar Cc: Jiewen Yao Cc: Chao Zhang Cc: Qi Zhang Cc: Micheal Kubacki Guomin Jiang (8): MdeModulePkg: Add new PCD to control the evacuate temporary memory feature (CVE-2019-11098) ArmVirtPkg: Disable PcdMigrateTemporaryRamFirmwareVolumes EmulatorPkg: Disable PcdMigrateTemporaryRamFirmwareVolumes OvmfPkg: Disable PcdMigrateTemporaryRamFirmwareVolumes MdeModulePkg/Core: Create Migrated FV Info Hob for calculating hash (CVE-2019-11098) SecurityPkg/Tcg2Pei: Use Migrated FV Info Hob for calculating hash (CVE-2019-11098) UefiCpuPkg/CpuMpPei: Enable paging and set NP flag to avoid TOCTOU (CVE-2019-11098) UefiCpuPkg: Correct some typos. Michael Kubacki (3): MdeModulePkg/PeiCore: Enable T-RAM evacuation in PeiCore (CVE-2019-11098) UefiCpuPkg/CpuMpPei: Add GDT and IDT migration support (CVE-2019-11098) UefiCpuPkg/SecMigrationPei: Add initial PEIM (CVE-2019-11098) MdeModulePkg/MdeModulePkg.dec | 8 + UefiCpuPkg/UefiCpuPkg.dec | 4 + ArmVirtPkg/ArmVirt.dsc.inc | 2 + EmulatorPkg/EmulatorPkg.dsc | 2 + OvmfPkg/OvmfPkgIa32.dsc | 2 + OvmfPkg/OvmfPkgIa32X64.dsc | 2 + OvmfPkg/OvmfPkgX64.dsc | 2 + OvmfPkg/OvmfXen.dsc | 2 + UefiCpuPkg/UefiCpuPkg.dsc | 1 + MdeModulePkg/Core/Pei/PeiMain.inf | 3 + SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf | 1 + UefiCpuPkg/CpuMpPei/CpuMpPei.inf | 4 + UefiCpuPkg/SecCore/SecCore.inf | 2 + .../SecMigrationPei/SecMigrationPei.inf | 67 +++ MdeModulePkg/Core/Pei/PeiMain.h | 169 +++++++ MdeModulePkg/Include/Guid/MigratedFvInfo.h | 22 + UefiCpuPkg/CpuMpPei/CpuMpPei.h | 12 + UefiCpuPkg/Include/Ppi/RepublishSecPpi.h | 54 +++ UefiCpuPkg/SecCore/SecMain.h | 1 + UefiCpuPkg/SecMigrationPei/SecMigrationPei.h | 154 +++++++ MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c | 430 ++++++++++++++++++ MdeModulePkg/Core/Pei/Image/Image.c | 115 +++++ MdeModulePkg/Core/Pei/Memory/MemoryServices.c | 82 ++++ MdeModulePkg/Core/Pei/PeiMain/PeiMain.c | 22 + MdeModulePkg/Core/Pei/Ppi/Ppi.c | 287 ++++++++++++ SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c | 31 +- UefiCpuPkg/CpuMpPei/CpuMpPei.c | 37 ++ UefiCpuPkg/CpuMpPei/CpuPaging.c | 37 +- .../Ia32/ArchExceptionHandler.c | 4 +- .../SecPeiCpuException.c | 2 +- UefiCpuPkg/SecCore/SecMain.c | 26 +- UefiCpuPkg/SecMigrationPei/SecMigrationPei.c | 378 +++++++++++++++ MdeModulePkg/MdeModulePkg.uni | 6 + .../SecMigrationPei/SecMigrationPei.uni | 13 + 34 files changed, 1970 insertions(+), 14 deletions(-) create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf create mode 100644 MdeModulePkg/Include/Guid/MigratedFvInfo.h create mode 100644 UefiCpuPkg/Include/Ppi/RepublishSecPpi.h create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.h create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.c create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.uni -- 2.25.1.windows.1