From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <4da369dd-abbc-aec4-f7ed-b0173100bd8f@redhat.com>
Date: Tue, 7 Nov 2023 19:56:44 +0100
Subject: Re: [edk2-devel] [PATCH v4] UefiCpuPkg/PiSmmCpuDxeSmm: Fix CP Exception when CET enable
To: devel@edk2.groups.io, jiaxin.wu@intel.com
Cc: Eric Dong, Ray Ni, Zeng Star, Gerd Hoffmann, Rahul Kumar
References: <20231107012445.7808-1-jiaxin.wu@intel.com>
From: "Laszlo Ersek"
In-Reply-To: <20231107012445.7808-1-jiaxin.wu@intel.com>
Reply-To: devel@edk2.groups.io, lersek@redhat.com
Content-Type: text/plain; charset=UTF-8

On 11/7/23 02:24, Wu, Jiaxin wrote:
> Root cause:
> 1. Before DisableReadonlyPageWriteProtect() is called, the return
>    address (#1) is pushed in shadow stack.
> 2. CET is disabled.
> 3. DisableReadonlyPageWriteProtect() returns to #1.
> 4. Page table is modified.
> 5. EnableReadonlyPageWriteProtect() is called, but the return
>    address (#2) is not pushed in shadow stack.
> 6. CET is enabled.
> 7. EnableReadonlyPageWriteProtect() returns to #2.
> #CP exception happens because the actual return address (#2)
> doesn't match the return address stored in shadow stack (#1).
>
> Analysis:
> Shadow stack will stop update after CET disable (DisableCet() in
> DisableReadOnlyPageWriteProtect), but normal smi stack will be
> continue updated with the function called and return
> (DisableReadOnlyPageWriteProtect & EnableReadOnlyPageWriteProtect),
> thus leading stack mismatch after CET re-enabled (EnableCet() in
> EnableReadOnlyPageWriteProtect).
>
> According to SDM Vol 3, 6.15-Control Protection Exception:
> Normal smi stack and shadow stack must be matched when CET enable,
> otherwise CP Exception will happen, which is caused by a near RET
> instruction.
>
> CET is disabled in DisableCet(), while can be enabled in
> EnableCet(). This way won't cause the problem because they are
> implemented in a way that return address of DisableCet() is
> popped out from shadow stack (Incsspq performs a pop to increase
> the shadow stack) and EnableCet() doesn't use "RET" but "JMP" to
> return to caller. So calling EnableCet() and DisableCet() doesn't
> have the same issue as calling DisableReadonlyPageWriteProtect()
> and EnableReadonlyPageWriteProtect().
>
> With above root cause & analysis, define below 2 macros instead of
> functions for WP & CET operation:
> WRITE_UNPROTECT_RO_PAGES (Wp, Cet)
> WRITE_PROTECT_RO_PAGES (Wp, Cet)
> Because DisableCet() & EnableCet() must be in the same function
> to avoid shadow stack and normal SMI stack mismatch.
>
> Note: WRITE_UNPROTECT_RO_PAGES () must be called pair with
> WRITE_PROTECT_RO_PAGES () in same function.
>
> Cc: Eric Dong
> Cc: Ray Ni
> Cc: Zeng Star
> Cc: Gerd Hoffmann
> Cc: Rahul Kumar
> Cc: Laszlo Ersek
> Signed-off-by: Jiaxin Wu
> ---
>  UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h         | 59 +++++++++++++----
>  UefiCpuPkg/PiSmmCpuDxeSmm/SmmCpuMemoryManagement.c | 73 +++++++++-------------
>  UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c             |  7 ++-
>  3 files changed, 81 insertions(+), 58 deletions(-)

Reviewed-by: Laszlo Ersek

View/Reply Online (#110875): https://edk2.groups.io/g/devel/message/110875
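As an added illustration (not part of Laszlo's reply or of the EDK2 patch itself), the C program below models the two call sequences from the quoted root-cause analysis. The machine is reduced to a normal stack, a shadow stack and one flag standing for "shadow stacks enabled" (what DisableCet()/EnableCet() toggle); CALL, near RET and INCSSPQ follow the rules the commit message cites from the SDM. The Machine type, the helper names and the return-address constants are constructed for the model; DisableCet() and EnableCet() in the buggy scenario are collapsed to a flag change because, as the message explains, they are themselves stack-balanced.

```c
/* Software model of the CET shadow-stack / near-RET interaction described in
 * the commit message above. Added example, not EDK2 code. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define STACK_DEPTH 16

typedef struct {
    unsigned long stack[STACK_DEPTH];   /* normal stack: return addresses only */
    int sp;
    unsigned long shadow[STACK_DEPTH];  /* shadow stack */
    int ssp;
    bool cet;                           /* shadow stacks enabled (constructed flag) */
} Machine;

static void MachineInit(Machine *m, bool cet) {
    memset(m, 0, sizeof *m);
    m->cet = cet;
}

/* CALL: return address goes on the normal stack always, and on the shadow
 * stack only while shadow stacks are enabled. */
static void Call(Machine *m, unsigned long ret) {
    m->stack[m->sp++] = ret;
    if (m->cet) m->shadow[m->ssp++] = ret;
}

/* Near RET: pops the normal stack; with shadow stacks enabled it also pops the
 * shadow stack and #CP is raised when the two addresses differ.
 * Returns true when #CP would be raised. */
static bool Ret(Machine *m) {
    unsigned long ret = m->stack[--m->sp];
    if (!m->cet) return false;
    if (m->ssp == 0) return true;              /* nothing to compare against: fault */
    unsigned long sret = m->shadow[--m->ssp];
    return sret != ret;
}

/* INCSSPQ 1: discard one shadow-stack entry; the normal stack is untouched. */
static void IncSsp(Machine *m) {
    if (m->ssp > 0) m->ssp--;
}

/* Scenario A, the buggy pattern: CET is turned off inside one helper and back
 * on inside a second helper, and both helpers return with a plain RET. */
static bool ScenarioFunctionPair(void) {
    Machine m;
    MachineInit(&m, true);
    bool cp = false;

    Call(&m, 0x1000);   /* DisableReadonlyPageWriteProtect(): #1 on both stacks */
    m.cet = false;      /*   DisableCet() inside it (itself balanced, see below) */
    cp |= Ret(&m);      /*   RET to #1 with CET off: shadow stack still holds #1 */
    /* page table is modified here */
    Call(&m, 0x2000);   /* EnableReadonlyPageWriteProtect(): #2 on normal stack only */
    m.cet = true;       /*   EnableCet() inside it */
    cp |= Ret(&m);      /*   RET to #2 pops #1 from the shadow stack: mismatch, #CP */
    return cp;
}

/* DisableCet() as the message describes it: its own return address is removed
 * from the shadow stack with INCSSPQ before shadow stacks are turned off, so
 * its plain RET leaves both stacks balanced. */
static bool CallDisableCet(Machine *m, unsigned long ret) {
    Call(m, ret);
    IncSsp(m);
    m->cet = false;
    return Ret(m);      /* CET off: normal stack only, cannot fault */
}

/* EnableCet(): its return address was never pushed on the shadow stack (CET was
 * off at the CALL), so it pops the address into a register and JMPs to it. */
static void CallEnableCet(Machine *m, unsigned long ret) {
    Call(m, ret);
    m->cet = true;
    m->sp--;            /* POP + JMP: no shadow-stack pop, no comparison */
}

/* Scenario B, the macro pattern: DisableCet() and EnableCet() run in the same
 * function, so that function's own RET finds a matching shadow-stack entry. */
static bool ScenarioSameFunction(void) {
    Machine m;
    MachineInit(&m, true);
    bool cp = false;

    Call(&m, 0x3000);                   /* enter the function holding both macros */
    cp |= CallDisableCet(&m, 0x1000);   /* WRITE_UNPROTECT_RO_PAGES */
    /* page table is modified here */
    CallEnableCet(&m, 0x2000);          /* WRITE_PROTECT_RO_PAGES */
    cp |= Ret(&m);                      /* RET to 0x3000: shadow stack also holds 0x3000 */
    return cp;
}

int main(void) {
    printf("function pair: %s\n", ScenarioFunctionPair() ? "#CP raised" : "no fault");
    printf("same function: %s\n", ScenarioSameFunction() ? "#CP raised" : "no fault");
    return 0;
}
```

The model only tracks return addresses, which is all the #CP check in the SDM compares; it makes visible why the fix is a pairing constraint (both macros in one function) rather than a change to DisableCet()/EnableCet(), which are already balanced on their own.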