From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mga12.intel.com (mga12.intel.com [])
 by mx.groups.io with SMTP id smtpd.web12.2682.1594259811903593619
 for <devel@edk2.groups.io>;
 Wed, 08 Jul 2020 18:56:52 -0700
Authentication-Results: mx.groups.io;
 dkim=missing; spf=fail (domain: intel.com, ip: <nil>, mailfrom: guomin.jiang@intel.com)
IronPort-SDR: ZIMBorCHIoaJUpdzeK+z18He2nlDAUyPpcp3B10MsIAq9nZLl4A3IGRZRJZN0y33V4sjuq6Z2G
 tnSQkXxd92pQ==
X-IronPort-AV: E=McAfee;i="6000,8403,9676"; a="127511717"
X-IronPort-AV: E=Sophos;i="5.75,330,1589266800"; 
   d="scan'208";a="127511717"
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from fmsmga006.fm.intel.com ([10.253.24.20])
  by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 08 Jul 2020 18:56:52 -0700
IronPort-SDR: j4UhZ/ZARQRROaaXGWfSL10FjUA5dyX9ZoJG7rq1oJ3s+SYtS7GT+Arq0rYH0zry4DfbUeJs+R
 IhcsqeViruww==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.75,330,1589266800"; 
   d="scan'208";a="483615273"
Received: from guominji-mobl.ccr.corp.intel.com ([10.238.4.95])
  by fmsmga006.fm.intel.com with ESMTP; 08 Jul 2020 18:56:51 -0700
From: "Guomin Jiang" <guomin.jiang@intel.com>
To: devel@edk2.groups.io
Cc: Jian J Wang <jian.j.wang@intel.com>,
	Hao A Wu <hao.a.wu@intel.com>,
	Laszlo Ersek <lersek@redhat.com>
Subject: [PATCH v5 1/9] MdeModulePkg: Add new PCD to control the evacuate temporary memory feature (CVE-2019-11098)
Date: Thu,  9 Jul 2020 09:56:37 +0800
Message-Id: <20200709015645.336-2-guomin.jiang@intel.com>
X-Mailer: git-send-email 2.25.1.windows.1
In-Reply-To: <20200709015645.336-1-guomin.jiang@intel.com>
References: <20200709015645.336-1-guomin.jiang@intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614

The security researcher found that we can get control after NEM disable.

The reason is that the flash content reside in NEM at startup and the
code will get the content from flash directly after disable NEM.

To avoid this vulnerability, the feature will copy the PEIMs from
temporary memory to permanent memory and only execute the code in
permanent memory.

The vulnerability is exist in physical platform and haven't report in
virtual platform, so the virtual can disable the feature currently.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Signed-off-by: Guomin Jiang <guomin.jiang@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
---
 MdeModulePkg/MdeModulePkg.dec | 7 +++++++
 MdeModulePkg/MdeModulePkg.uni | 6 ++++++
 2 files changed, 13 insertions(+)

diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
index 843e963ad34b..16db17d0a873 100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
@@ -1220,6 +1220,13 @@ [PcdsFixedAtBuild, PcdsPatchableInModule]
   # @Prompt Shadow Peim and PeiCore on boot
   gEfiMdeModulePkgTokenSpaceGuid.PcdShadowPeimOnBoot|TRUE|BOOLEAN|0x30001029
 
+  ## Enable the feature that evacuate temporary memory to permanent memory or not
+  #  Set FALSE as default, if the developer need this feature to avoid this vulnerability, please
+  #  enable it in dsc file.
+  # TRUE - Evacuate temporary memory, the actions include copy memory, convert PPI pointers and so on.
+  # FALSE - Do nothing, for example, no copy memory, no convert PPI pointers and so on.
+  gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes|FALSE|BOOLEAN|0x3000102A
+
   ## The mask is used to control memory profile behavior.<BR><BR>
   #  BIT0 - Enable UEFI memory profile.<BR>
   #  BIT1 - Enable SMRAM profile.<BR>
diff --git a/MdeModulePkg/MdeModulePkg.uni b/MdeModulePkg/MdeModulePkg.uni
index 2007e0596c4f..5235dee561ad 100644
--- a/MdeModulePkg/MdeModulePkg.uni
+++ b/MdeModulePkg/MdeModulePkg.uni
@@ -214,6 +214,12 @@
                                                                                        "TRUE  - Shadow PEIM on S3 boot path after memory is ready.<BR>\n"
                                                                                        "FALSE - Not shadow PEIM on S3 boot path after memory is ready.<BR>"
 
+#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdMigrateTemporaryRamFirmwareVolumes_HELP #language en-US "Enable the feature that evacuate temporary memory to permanent memory or not.<BR><BR>\n"
+                                                                                                      "It will allocate page to save the temporary PEIMs resided in NEM(or CAR) to the permanent memory and change all pointers pointed to the NEM(or CAR) to permanent memory.<BR><BR>\n"
+                                                                                                      "After then, there are no pointer pointed to NEM(or CAR) and TOCTOU volnerability can be avoid.<BR><BR>\n"
+
+#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdMigrateTemporaryRamFirmwareVolumes_PROMPT #language en-US "Enable the feature that evacuate temporary memory to permanent memory or not"
+
 #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiDefaultOemId_PROMPT  #language en-US "Default OEM ID for ACPI table creation"
 
 #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiDefaultOemId_HELP  #language en-US "Default OEM ID for ACPI table creation, its length must be 0x6 bytes to follow ACPI specification."
-- 
2.25.1.windows.1