Re: [PATCH v2 0/5] [CVE-2017-5753] Bounds Check Bypass issue in SMI handlers

public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed

From: Laszlo Ersek <lersek@redhat.com>
To: Hao Wu <hao.a.wu@intel.com>, edk2-devel@lists.01.org
Cc: Eric Dong <eric.dong@intel.com>,
	Jiewen Yao <jiewen.yao@intel.com>,
	Liming Gao <liming.gao@intel.com>,
	Michael D Kinney <michael.d.kinney@intel.com>,
	Star Zeng <star.zeng@intel.com>
Subject: Re: [PATCH v2 0/5] [CVE-2017-5753] Bounds Check Bypass issue in SMI handlers
Date: Tue, 25 Sep 2018 22:57:12 +0200	[thread overview]
Message-ID: <70117861-3590-53ec-a717-06ba41c5f22f@redhat.com> (raw)
In-Reply-To: <fd33e9db-9987-3ff1-4c1a-612cf8acf2e8@redhat.com>

On 09/25/18 22:51, Laszlo Ersek wrote:
> On 09/25/18 08:12, Hao Wu wrote:
>> V2 changes:
>> A. Rename the newly introduced BaseLib API to 'AsmLfence', and makes it
>>    IA32/X64 specific.
>>
>> B. Add brief comments before calls of the AsmLfence() to state the
>>    purpose.
>>
>> C. Refine the patch for Variable/RuntimeDxe driver and make the change
>>    focus on the SMM code.
>>
>> V1 history:
>> The series aims to mitigate the Bounds Check Bypass (CVE-2017-5753) issues
>> within SMI handlers.
>>
>> A more detailed explanation of the purpose of the series is under the
>> 'Bounds check bypass mitigation' section of the below link:
>> https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation
>>
>> And the document at:
>> https://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf
>>
>> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
>> Cc: Leif Lindholm <leif.lindholm@linaro.org>
>> Cc: Laszlo Ersek <lersek@redhat.com>
>> Cc: Jiewen Yao <jiewen.yao@intel.com>
>> Cc: Michael D Kinney <michael.d.kinney@intel.com>
>> Cc: Liming Gao <liming.gao@intel.com>
>> Cc: Star Zeng <star.zeng@intel.com>
>> Cc: Eric Dong <eric.dong@intel.com>
>>
>> Hao Wu (5):
>>   MdePkg/BaseLib: Add new AsmLfence API
>>   MdeModulePkg/FaultTolerantWrite:[CVE-2017-5753]Fix bounds check bypass
>>   MdeModulePkg/SmmLockBox: [CVE-2017-5753] Fix bounds check bypass
>>   MdeModulePkg/Variable: [CVE-2017-5753] Fix bounds check bypass
>>   UefiCpuPkg/PiSmmCpuDxeSmm: [CVE-2017-5753] Fix bounds check bypass
>>
>>  MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c   |  7 ++++
>>  MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.inf |  1 +
>>  MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c                 | 10 ++++++
>>  MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceDxe.c              | 31 ++++++++++++++++
>>  MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceSmm.c              | 30 ++++++++++++++++
>>  MdeModulePkg/Universal/Variable/RuntimeDxe/PrivilegePolymorphic.h      | 13 ++++++-
>>  MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c                  |  6 ++++
>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf      |  1 +
>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c               | 18 ++++++++++
>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf             |  1 +
>>  MdePkg/Include/Library/BaseLib.h                                       | 13 +++++++
>>  MdePkg/Library/BaseLib/BaseLib.inf                                     |  2 ++
>>  MdePkg/Library/BaseLib/Ia32/Lfence.nasm                                | 37 +++++++++++++++++++
>>  MdePkg/Library/BaseLib/X64/Lfence.nasm                                 | 38 ++++++++++++++++++++
>>  UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c                             |  5 +++
>>  15 files changed, 212 insertions(+), 1 deletion(-)
>>  create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceDxe.c
>>  create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceSmm.c
>>  create mode 100644 MdePkg/Library/BaseLib/Ia32/Lfence.nasm
>>  create mode 100644 MdePkg/Library/BaseLib/X64/Lfence.nasm
>>
> 
> I regression-tested this series using:
> 
> (1) roughly the Linux guest steps from
> <https://github.com/tianocore/tianocore.github.io/wiki/Testing-SMM-with-QEMU,-KVM-and-libvirt#tests-to-perform-in-the-installed-guest-fedora-26-guest>.
> 
> 
> Those steps cover all of the SMM variable driver, the SMM FTW driver,
> the SMM lockbox, and PiSmmCpuDxeSmm.
> 
> (2) For briefly checking the runtime (non-SMM) variable driver, I booted
> Fedora guests on X64 OVMF and AARCH64 ArmVirtQemu, and invoked
> "efibootmgr -v".
> 
> series
> Regression-tested-by: Laszlo Ersek <lersek@redhat.com>

It's been a long day. I meant to describe another detail of the test
environment:

Because of the regression reported at
<https://bugzilla.tianocore.org/show_bug.cgi?id=1207>, OVMF is currently
unbootable. Therefore I first applied my fix from
<https://bugzilla.tianocore.org/show_bug.cgi?id=1207#c2> on top of
current master (3cb0a311cb7e). I applied this series of yours for
regression testing on top of my fix.

Thanks
Laszlo

next prev parent reply	other threads:[~2018-09-25 20:57 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-09-25  6:12 [PATCH v2 0/5] [CVE-2017-5753] Bounds Check Bypass issue in SMI handlers Hao Wu
2018-09-25  6:12 ` [PATCH v2 1/5] MdePkg/BaseLib: Add new AsmLfence API Hao Wu
2018-09-25 13:00   ` Laszlo Ersek
2018-09-26  1:13     ` Wu, Hao A
2018-09-29  2:33   ` Gao, Liming
2018-09-25  6:12 ` [PATCH v2 2/5] MdeModulePkg/FaultTolerantWrite:[CVE-2017-5753]Fix bounds check bypass Hao Wu
2018-09-29  6:11   ` Zeng, Star
2018-09-29  6:21     ` Wu, Hao A
2018-09-29  6:25       ` Zeng, Star
2018-09-25  6:12 ` [PATCH v2 3/5] MdeModulePkg/SmmLockBox: [CVE-2017-5753] Fix " Hao Wu
2018-09-29  6:11   ` Zeng, Star
2018-09-25  6:12 ` [PATCH v2 4/5] MdeModulePkg/Variable: " Hao Wu
2018-09-29  6:13   ` Zeng, Star
2018-09-25  6:12 ` [PATCH v2 5/5] UefiCpuPkg/PiSmmCpuDxeSmm: " Hao Wu
2018-09-25 12:08   ` Laszlo Ersek
2018-09-26  1:00     ` Wu, Hao A
2018-09-26  0:46   ` Dong, Eric
2018-09-25 20:51 ` [PATCH v2 0/5] [CVE-2017-5753] Bounds Check Bypass issue in SMI handlers Laszlo Ersek
2018-09-25 20:57   ` Laszlo Ersek [this message]
2018-09-26  1:17     ` Wu, Hao A
2018-09-28 13:13 ` Yao, Jiewen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=70117861-3590-53ec-a717-06ba41c5f22f@redhat.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox