From: "duntan"
To: devel@edk2.groups.io
Cc: Eric Dong , Ray Ni , Rahul Kumar , Gerd Hoffmann
Subject: [Patch V3 08/11] UefiCpuPkg/PiSmmCpuDxeSmm: Clear CR0.WP before modify page table
Date: Fri, 21 Apr 2023 16:36:25 +0800
Message-Id: <20230421083628.1408-9-dun.tan@intel.com>
X-Mailer: git-send-email 2.31.1.windows.1
In-Reply-To: <20230421083628.1408-1-dun.tan@intel.com>
References: <20230421083628.1408-1-dun.tan@intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Clear CR0.WP before modifying smm page table.

Currently, there is an assumption that smm page table is always RW before ReadyToLock. However, when AMD SEV is enabled, FvbServicesSmm driver calls MemEncryptSevClearMmioPageEncMask to clear AddressEncMask bit in smm page table for this range: [PcdOvmfFdBaseAddress,PcdOvmfFdBaseAddress+PcdOvmfFirmwareFdSize]

If page split happens in this process, new memory for smm page table is allocated. Then the newly allocated page table memory is marked as RO in smm page table in this FvbServicesSmm driver, which may lead to PF if smm code doesn't clear CR0.WP before modifying smm page table when ReadyToLock.

Signed-off-by: Dun Tan
Cc: Eric Dong
Cc: Ray Ni
Cc: Rahul Kumar
Cc: Gerd Hoffmann
---
 UefiCpuPkg/PiSmmCpuDxeSmm/SmmCpuMemoryManagement.c | 11 +++++++++++
 UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c             |  5 +++++
 2 files changed, 16 insertions(+)

diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/SmmCpuMemoryManagement.c b/UefiCpuPkg/PiSmmCpuDxeSmm/SmmCpuMemoryManagement.c
index eb3547247d..110a8f3d81 100644
--- a/UefiCpuPkg/PiSmmCpuDxeSmm/SmmCpuMemoryManagement.c
+++ b/UefiCpuPkg/PiSmmCpuDxeSmm/SmmCpuMemoryManagement.c
@@ -992,6 +992,8 @@ SetMemMapAttributes ( IA32_MAP_ENTRY *Map; UINTN Count; UINT64 MemoryAttribute; + BOOLEAN WpEnabled; + BOOLEAN CetEnabled; Count = 0; Map = NULL;
@@ -1028,6 +1030,8 @@ SetMemMapAttributes ( MemoryMap = NEXT_MEMORY_DESCRIPTOR (MemoryMap, DescriptorSize); } + DisableReadOnlyPageWriteProtect (&WpEnabled, &CetEnabled); + MemoryMap = MemoryMapStart; for (Index = 0; Index < MemoryMapEntryCount; Index++) { DEBUG ((DEBUG_VERBOSE, "SetAttribute: Memory Entry - 0x%lx, 0x%x\n", MemoryMap->PhysicalStart, MemoryMap->NumberOfPages)); @@ -1055,6 +1059,7 @@ SetMemMapAttributes ( MemoryMap = NEXT_MEMORY_DESCRIPTOR (MemoryMap, DescriptorSize); } + EnableReadOnlyPageWriteProtect (WpEnabled, CetEnabled); FreePool (Map); PatchSmmSaveStateMap (); @@ -1361,9 +1366,13 @@ SetUefiMemMapAttributes ( UINTN MemoryMapEntryCount; UINTN Index; EFI_MEMORY_DESCRIPTOR *Entry; + BOOLEAN WpEnabled; + BOOLEAN CetEnabled; DEBUG ((DEBUG_INFO, "SetUefiMemMapAttributes\n")); + DisableReadOnlyPageWriteProtect (&WpEnabled, &CetEnabled); + if (mUefiMemoryMap != NULL) { MemoryMapEntryCount = mUefiMemoryMapSize/mUefiDescriptorSize; MemoryMap = mUefiMemoryMap; @@ -1442,6 +1451,8 @@ SetUefiMemMapAttributes ( } } + EnableReadOnlyPageWriteProtect (WpEnabled, CetEnabled); + // // Do not free mUefiMemoryAttributesTable, it will be checked in IsSmmCommBufferForbiddenAddress(). // diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c b/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c index 1b0b6673e1..5625ba0cac 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c @@ -574,6 +574,8 @@ InitPaging ( BOOLEAN Nx; IA32_CR4 Cr4; BOOLEAN Enable5LevelPaging; + BOOLEAN WpEnabled; + BOOLEAN CetEnabled; Cr4.UintN = AsmReadCr4 (); Enable5LevelPaging = (BOOLEAN)(Cr4.Bits.LA57 == 1); @@ -620,6 +622,7 @@ InitPaging ( NumberOfPdptEntries = 4; } + DisableReadOnlyPageWriteProtect (&WpEnabled, &CetEnabled); // // Go through page table and change 2MB-page into 4KB-page. // @@ -800,6 +803,8 @@ InitPaging ( } // end for PML4 } // end for PML5 + EnableReadOnlyPageWriteProtect (WpEnabled, CetEnabled); + // // Flush TLB // -- 2.39.1.windows.1
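Review bot: In the @@ -1361,9 +1366,13 @@ hunk of SetUefiMemMapAttributes, DisableReadOnlyPageWriteProtect (&WpEnabled, &CetEnabled) is called before the `if (mUefiMemoryMap != NULL)` check, so CR0.WP is cleared (and, judging by the CetEnabled out-parameter, the CET state changed) even when there is no UEFI memory map and nothing in the page table is touched. Moving the call inside the `if` branch, next to the first page table write, keeps the window in which the SMM page table is writable as short as possible; it is also worth confirming that no early return sits between this call and the EnableReadOnlyPageWriteProtect (WpEnabled, CetEnabled) added in the @@ -1442,6 +1451,8 @@ hunk, since a return on that path would leave the protection off.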
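Review bot: In the @@ -1055,6 +1059,7 @@ hunk of SetMemMapAttributes, EnableReadOnlyPageWriteProtect (WpEnabled, CetEnabled) is placed before FreePool (Map) and PatchSmmSaveStateMap (). If PatchSmmSaveStateMap also changes page table attributes, it now runs with CR0.WP set again and can hit the same page fault the commit message describes for the RO page table pages; please either confirm it does not modify the page table or move the enable call after it, and add a one-line comment at the enable call saying why write protection must be restored before leaving the function.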
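Review bot: Style: in the @@ -620,6 +622,7 @@ hunk of InitPaging, the added `DisableReadOnlyPageWriteProtect (&WpEnabled, &CetEnabled);` runs straight into the existing `// Go through page table and change 2MB-page into 4KB-page.` comment block with no blank line, whereas the other hunks in this patch (@@ -1028 and @@ -1361) add a blank line after the call. Add the blank line here for consistency.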
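Review bot: The hunks only call DisableReadOnlyPageWriteProtect and EnableReadOnlyPageWriteProtect; neither function is declared or defined in this patch, so the commit message should name the earlier patch in this series that introduces them. The (WpEnabled, CetEnabled) pair also indicates the helper saves and restores CET state in addition to CR0.WP, which the commit message does not mention although it is the more security-relevant side effect of widening the writable window; stating both in the message makes the dependency and the effect clear to anyone bisecting.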