From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from us-smtp-delivery-1.mimecast.com (us-smtp-delivery-1.mimecast.com [205.139.110.61])
 by mx.groups.io with SMTP id smtpd.web12.9448.1593780502317769774
 for <devel@edk2.groups.io>;
 Fri, 03 Jul 2020 05:48:23 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=VaFR6zvN;
 spf=pass (domain: redhat.com, ip: 205.139.110.61, mailfrom: lersek@redhat.com)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1593780501;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=bO8K9Dg1weU0yBeLH32O/iW6VarlDVZkjCdQlosNcmk=;
	b=VaFR6zvN9LTZiGESy5pwjCXnfFhtSJRrCS4RNc3NHUJYQElYIewoW+tVFvV4ToFg9UO//y
	zjupc/UiP62adBbOhtwvWz4weqeFCVl04ts8tBN14CNQ/5poue3hxGS+1TFY+Ymv7HBVdl
	scJZa5UFqa6h5OywnjT7WHItR+57mJE=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-190-jFwO4ym9PcG0BYjm0CNgdg-1; Fri, 03 Jul 2020 08:48:13 -0400
X-MC-Unique: jFwO4ym9PcG0BYjm0CNgdg-1
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx01.redhat.com (Postfix) with ESMTPS id CDC12107ACCA;
	Fri,  3 Jul 2020 12:48:09 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-114-238.ams2.redhat.com [10.36.114.238])
	by smtp.corp.redhat.com (Postfix) with ESMTP id A4B8C5BAD5;
	Fri,  3 Jul 2020 12:48:07 +0000 (UTC)
Subject: Re: [edk2-devel] [PATCH v2 7/9] MdeModulePkg/Core: Add switch to enable or disable TOCTOU feature (CVE-2019-11098)
To: devel@edk2.groups.io, guomin.jiang@intel.com
Cc: Jian J Wang <jian.j.wang@intel.com>, Hao A Wu <hao.a.wu@intel.com>,
 Dandan Bi <dandan.bi@intel.com>, Liming Gao <liming.gao@intel.com>,
 Debkumar De <debkumar.de@intel.com>, Harry Han <harry.han@intel.com>,
 Catharine West <catharine.west@intel.com>
References: <20200702051525.1102-1-guomin.jiang@intel.com>
 <20200702051525.1102-8-guomin.jiang@intel.com>
From: "Laszlo Ersek" <lersek@redhat.com>
Message-ID: <333f71a6-f302-f4c4-03c1-b52a1c9a79a6@redhat.com>
Date: Fri, 3 Jul 2020 14:48:06 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Firefox/52.0 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <20200702051525.1102-8-guomin.jiang@intel.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15
Authentication-Results: relay.mimecast.com;
	auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=lersek@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Language: en-US
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

On 07/02/20 07:15, Guomin Jiang wrote:
> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614
> 
> Add total switch to enable or disable TOCTOU feature, the vulnerability is
> critical, so the switch is on normally but if you can disable it according
> to your needs.
> 
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Hao A Wu <hao.a.wu@intel.com>
> Cc: Dandan Bi <dandan.bi@intel.com>
> Cc: Liming Gao <liming.gao@intel.com>
> Cc: Debkumar De <debkumar.de@intel.com>
> Cc: Harry Han <harry.han@intel.com>
> Cc: Catharine West <catharine.west@intel.com>
> Signed-off-by: Guomin Jiang <guomin.jiang@intel.com>
> ---
>  MdeModulePkg/Core/Pei/PeiMain.inf       | 1 +
>  MdeModulePkg/Core/Pei/PeiMain/PeiMain.c | 5 +++--
>  MdeModulePkg/MdeModulePkg.dec           | 5 +++++
>  3 files changed, 9 insertions(+), 2 deletions(-)

(1) The subject line of the patch is wrong. The expression "TOCTOU
feature" makes no sense.

Instead, the patch adds a PCD for controlling the "temporary RAM
evacuation" feature that is implemented in patch#1 in this series.

Please fix both the subject line, and the commit message -- as both
contain the wrong expression "TOCTOU feature".

> 
> diff --git a/MdeModulePkg/Core/Pei/PeiMain.inf b/MdeModulePkg/Core/Pei/PeiMain.inf
> index c80d16b4efa6..0cf357371a16 100644
> --- a/MdeModulePkg/Core/Pei/PeiMain.inf
> +++ b/MdeModulePkg/Core/Pei/PeiMain.inf
> @@ -111,6 +111,7 @@ [Pcd]
>    gEfiMdeModulePkgTokenSpaceGuid.PcdShadowPeimOnS3Boot                      ## CONSUMES
>    gEfiMdeModulePkgTokenSpaceGuid.PcdShadowPeimOnBoot                        ## CONSUMES
>    gEfiMdeModulePkgTokenSpaceGuid.PcdInitValueInTempStack                    ## CONSUMES
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes      ## CONSUMES
>  
>  # [BootMode]
>  # S3_RESUME             ## SOMETIMES_CONSUMES
> diff --git a/MdeModulePkg/Core/Pei/PeiMain/PeiMain.c b/MdeModulePkg/Core/Pei/PeiMain/PeiMain.c
> index 802cd239e2eb..bc78c3f8ad59 100644
> --- a/MdeModulePkg/Core/Pei/PeiMain/PeiMain.c
> +++ b/MdeModulePkg/Core/Pei/PeiMain/PeiMain.c
> @@ -419,8 +419,9 @@ PeiCore (
>      }
>    } else {
>      if (
> -      (!(PrivateData.HobList.HandoffInformationTable->BootMode == BOOT_ON_S3_RESUME) && PcdGetBool (PcdShadowPeimOnBoot)) ||
> -      ((PrivateData.HobList.HandoffInformationTable->BootMode == BOOT_ON_S3_RESUME) && PcdGetBool (PcdShadowPeimOnS3Boot))
> +      ((!(PrivateData.HobList.HandoffInformationTable->BootMode == BOOT_ON_S3_RESUME) && PcdGetBool (PcdShadowPeimOnBoot)) ||
> +      ((PrivateData.HobList.HandoffInformationTable->BootMode == BOOT_ON_S3_RESUME) && PcdGetBool (PcdShadowPeimOnS3Boot))) &&
> +      PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)

(2) The indentation of the new code is wrong. Before the patch, we have

      (A) ||
      (B)

After the patch, we have

      ((A) ||
      (B)) &&
      C

The indentation of the line with "B" is wrong. It should be:

      ((A) ||
       (B)) &&
      C

But, anyway, I've suggested under patch#1 a different way for expressing
the same condition. So ultimately, in this patch, we should produce:

  BOOLEAN Shadow;

  Shadow = FALSE;

  if (PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)) {
    if (PrivateData.HobList.HandoffInformationTable->BootMode ==
        BOOT_ON_S3_RESUME) {
      Shadow = PcdGetBool (PcdShadowPeimOnS3Boot);
    } else {
      Shadow = PcdGetBool (PcdShadowPeimOnBoot);
    }
  }

  if (Shadow) {
    //
    // ...
    //
  }

>        ) {
>        DEBUG ((DEBUG_VERBOSE, "PPI lists before temporary RAM evacuation:\n"));
>        DumpPpiList (&PrivateData);
> diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
> index 5e25cbe98ada..0a5a167f3e8b 100644
> --- a/MdeModulePkg/MdeModulePkg.dec
> +++ b/MdeModulePkg/MdeModulePkg.dec
> @@ -1223,6 +1223,11 @@ [PcdsFixedAtBuild, PcdsPatchableInModule]
>    # @Prompt Shadow Peim and PeiCore on boot
>    gEfiMdeModulePkgTokenSpaceGuid.PcdShadowPeimOnBoot|TRUE|BOOLEAN|0x30001029
>  
> +  ## Indicate if to evacuate from temporary to permanent memory.
> +  # TRUE - Evacuate from temporary memory

(3) Please drop the word "from".

> +  # FALSE - Keep the original behavior

(4) You mean "original" as "before patch#1". Because, if the PCD is set
to FALSE, then the feature introduced in patch#1 is disabled.

But the word "original" lacks context when someone looks at the DEC
file, later.

Please explain unambiguously what happens when the PCD is set to FALSE.

> +  gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes|TRUE|BOOLEAN|0x3000102A
> +
>    ## The mask is used to control memory profile behavior.<BR><BR>
>    #  BIT0 - Enable UEFI memory profile.<BR>
>    #  BIT1 - Enable SMRAM profile.<BR>
> 

Thanks
Laszlo