From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) by mx.groups.io with SMTP id smtpd.web12.2682.1594259811903593619 for ; Wed, 08 Jul 2020 18:56:51 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: intel.com, ip: 192.55.52.136, mailfrom: guomin.jiang@intel.com) IronPort-SDR: LzsP7JsLc7trOIOiVHfWH3EZn0YhT//ay1WYqaNA6F10UQNebzxu6ahvMfwnS6bdzrWXh+Qk+O gost5aORSkvg== X-IronPort-AV: E=McAfee;i="6000,8403,9676"; a="127511712" X-IronPort-AV: E=Sophos;i="5.75,330,1589266800"; d="scan'208";a="127511712" X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 08 Jul 2020 18:56:51 -0700 IronPort-SDR: CI9ADNHTNWW3vRec5PKQ+qG2NTuGqb5g9x0GWtAWScfXNiI5OXvMRuJJras3/0NEcO7btgTHtJ MTDXTTVpcqFg== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.75,330,1589266800"; d="scan'208";a="483615259" Received: from guominji-mobl.ccr.corp.intel.com ([10.238.4.95]) by fmsmga006.fm.intel.com with ESMTP; 08 Jul 2020 18:56:46 -0700 From: "Guomin Jiang" To: devel@edk2.groups.io Cc: Jian J Wang , Hao A Wu , Dandan Bi , Liming Gao , Debkumar De , Harry Han , Catharine West , Eric Dong , Ray Ni , Jordan Justen , Andrew Fish , Laszlo Ersek , Ard Biesheuvel , Anthony Perard , Julien Grall , Leif Lindholm , Rahul Kumar , Jiewen Yao , Chao Zhang , Qi Zhang Subject: [PATCH v5 0/9] Add new feature that evacuate temporary to permanent memory (CVE-2019-11098) Date: Thu, 9 Jul 2020 09:56:36 +0800 Message-Id: <20200709015645.336-1-guomin.jiang@intel.com> X-Mailer: git-send-email 2.25.1.windows.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit The TOCTOU vulnerability allow that the physical present person to replace the code with the normal BootGuard check and PCR0 value. The issue occur when BootGuard measure IBB and access flash code after NEM disable. the reason why we access the flash code is that we have some pointer to flash. To avoid this vulnerability, we need to convert those pointers, the patch series do this work and make sure that no code will access flash address. v2: Create gEdkiiMigratedFvInfoGuid HOB and add PcdMigrateTemporaryRamFirmwareVolumes to control whole feature. v3: Remove changes which is not related with the feature and disable the feature in virtual platform. v4: Disable the feature as default, Copy the Tcg2Pei behavior to TcgPei v5: Initialize local variable Shadow and return EFI_ABORTED when RepublishSecPpi not installed. Cc: Jian J Wang Cc: Hao A Wu Cc: Dandan Bi Cc: Liming Gao Cc: Debkumar De Cc: Harry Han Cc: Catharine West Cc: Eric Dong Cc: Ray Ni Cc: Jordan Justen Cc: Andrew Fish Cc: Laszlo Ersek Cc: Ard Biesheuvel Cc: Anthony Perard Cc: Julien Grall Cc: Leif Lindholm Cc: Rahul Kumar Cc: Jiewen Yao Cc: Chao Zhang Cc: Qi Zhang Guomin Jiang (6): MdeModulePkg: Add new PCD to control the evacuate temporary memory feature (CVE-2019-11098) MdeModulePkg/Core: Create Migrated FV Info Hob for calculating hash (CVE-2019-11098) SecurityPkg/Tcg2Pei: Use Migrated FV Info Hob for calculating hash (CVE-2019-11098) UefiCpuPkg/CpuMpPei: Enable paging and set NP flag to avoid TOCTOU (CVE-2019-11098) UefiCpuPkg: Correct some typos. SecurityPkg/TcgPei: Use Migrated FV Info Hob for calculating hash (CVE-2019-11098) Michael Kubacki (3): MdeModulePkg/PeiCore: Enable T-RAM evacuation in PeiCore (CVE-2019-11098) UefiCpuPkg/CpuMpPei: Add GDT and IDT migration support (CVE-2019-11098) UefiCpuPkg/SecMigrationPei: Add initial PEIM (CVE-2019-11098) MdeModulePkg/MdeModulePkg.dec | 10 + UefiCpuPkg/UefiCpuPkg.dec | 4 + UefiCpuPkg/UefiCpuPkg.dsc | 1 + MdeModulePkg/Core/Pei/PeiMain.inf | 3 + SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf | 1 + SecurityPkg/Tcg/TcgPei/TcgPei.inf | 1 + UefiCpuPkg/CpuMpPei/CpuMpPei.inf | 4 + UefiCpuPkg/SecCore/SecCore.inf | 2 + .../SecMigrationPei/SecMigrationPei.inf | 67 +++ MdeModulePkg/Core/Pei/PeiMain.h | 169 +++++++ MdeModulePkg/Include/Guid/MigratedFvInfo.h | 22 + UefiCpuPkg/CpuMpPei/CpuMpPei.h | 14 +- UefiCpuPkg/Include/Ppi/RepublishSecPpi.h | 54 +++ .../CpuExceptionCommon.h | 4 +- UefiCpuPkg/SecCore/SecMain.h | 1 + UefiCpuPkg/SecMigrationPei/SecMigrationPei.h | 154 +++++++ MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c | 430 ++++++++++++++++++ MdeModulePkg/Core/Pei/Image/Image.c | 115 +++++ MdeModulePkg/Core/Pei/Memory/MemoryServices.c | 82 ++++ MdeModulePkg/Core/Pei/PeiMain/PeiMain.c | 24 + MdeModulePkg/Core/Pei/Ppi/Ppi.c | 287 ++++++++++++ SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c | 31 +- SecurityPkg/Tcg/TcgPei/TcgPei.c | 29 +- UefiCpuPkg/CpuMpPei/CpuMpPei.c | 37 ++ UefiCpuPkg/CpuMpPei/CpuPaging.c | 42 +- .../Ia32/ArchExceptionHandler.c | 4 +- .../SecPeiCpuException.c | 2 +- .../X64/ArchExceptionHandler.c | 4 +- UefiCpuPkg/SecCore/SecMain.c | 26 +- UefiCpuPkg/SecMigrationPei/SecMigrationPei.c | 381 ++++++++++++++++ MdeModulePkg/MdeModulePkg.uni | 6 + .../SecMigrationPei/SecMigrationPei.uni | 13 + 32 files changed, 2003 insertions(+), 21 deletions(-) create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf create mode 100644 MdeModulePkg/Include/Guid/MigratedFvInfo.h create mode 100644 UefiCpuPkg/Include/Ppi/RepublishSecPpi.h create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.h create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.c create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.uni -- 2.25.1.windows.1