From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=209.132.183.28; helo=mx1.redhat.com; envelope-from=lersek@redhat.com; receiver=edk2-devel@lists.01.org Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id C5C1A21AE30DB for ; Tue, 25 Sep 2018 13:57:16 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 203DF5F724; Tue, 25 Sep 2018 20:57:16 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-71.rdu2.redhat.com [10.10.120.71]) by smtp.corp.redhat.com (Postfix) with ESMTP id 1A99C5E7CE; Tue, 25 Sep 2018 20:57:13 +0000 (UTC) From: Laszlo Ersek To: Hao Wu , edk2-devel@lists.01.org Cc: Eric Dong , Jiewen Yao , Liming Gao , Michael D Kinney , Star Zeng References: <20180925061259.31680-1-hao.a.wu@intel.com> Message-ID: <70117861-3590-53ec-a717-06ba41c5f22f@redhat.com> Date: Tue, 25 Sep 2018 22:57:12 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Tue, 25 Sep 2018 20:57:16 +0000 (UTC) Subject: Re: [PATCH v2 0/5] [CVE-2017-5753] Bounds Check Bypass issue in SMI handlers X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 25 Sep 2018 20:57:17 -0000 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit On 09/25/18 22:51, Laszlo Ersek wrote: > On 09/25/18 08:12, Hao Wu wrote: >> V2 changes: >> A. Rename the newly introduced BaseLib API to 'AsmLfence', and makes it >> IA32/X64 specific. >> >> B. Add brief comments before calls of the AsmLfence() to state the >> purpose. >> >> C. Refine the patch for Variable/RuntimeDxe driver and make the change >> focus on the SMM code. >> >> V1 history: >> The series aims to mitigate the Bounds Check Bypass (CVE-2017-5753) issues >> within SMI handlers. >> >> A more detailed explanation of the purpose of the series is under the >> 'Bounds check bypass mitigation' section of the below link: >> https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation >> >> And the document at: >> https://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf >> >> Cc: Ard Biesheuvel >> Cc: Leif Lindholm >> Cc: Laszlo Ersek >> Cc: Jiewen Yao >> Cc: Michael D Kinney >> Cc: Liming Gao >> Cc: Star Zeng >> Cc: Eric Dong >> >> Hao Wu (5): >> MdePkg/BaseLib: Add new AsmLfence API >> MdeModulePkg/FaultTolerantWrite:[CVE-2017-5753]Fix bounds check bypass >> MdeModulePkg/SmmLockBox: [CVE-2017-5753] Fix bounds check bypass >> MdeModulePkg/Variable: [CVE-2017-5753] Fix bounds check bypass >> UefiCpuPkg/PiSmmCpuDxeSmm: [CVE-2017-5753] Fix bounds check bypass >> >> MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c | 7 ++++ >> MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.inf | 1 + >> MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c | 10 ++++++ >> MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceDxe.c | 31 ++++++++++++++++ >> MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceSmm.c | 30 ++++++++++++++++ >> MdeModulePkg/Universal/Variable/RuntimeDxe/PrivilegePolymorphic.h | 13 ++++++- >> MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c | 6 ++++ >> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf | 1 + >> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c | 18 ++++++++++ >> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf | 1 + >> MdePkg/Include/Library/BaseLib.h | 13 +++++++ >> MdePkg/Library/BaseLib/BaseLib.inf | 2 ++ >> MdePkg/Library/BaseLib/Ia32/Lfence.nasm | 37 +++++++++++++++++++ >> MdePkg/Library/BaseLib/X64/Lfence.nasm | 38 ++++++++++++++++++++ >> UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c | 5 +++ >> 15 files changed, 212 insertions(+), 1 deletion(-) >> create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceDxe.c >> create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceSmm.c >> create mode 100644 MdePkg/Library/BaseLib/Ia32/Lfence.nasm >> create mode 100644 MdePkg/Library/BaseLib/X64/Lfence.nasm >> > > I regression-tested this series using: > > (1) roughly the Linux guest steps from > . > > > Those steps cover all of the SMM variable driver, the SMM FTW driver, > the SMM lockbox, and PiSmmCpuDxeSmm. > > (2) For briefly checking the runtime (non-SMM) variable driver, I booted > Fedora guests on X64 OVMF and AARCH64 ArmVirtQemu, and invoked > "efibootmgr -v". > > series > Regression-tested-by: Laszlo Ersek It's been a long day. I meant to describe another detail of the test environment: Because of the regression reported at , OVMF is currently unbootable. Therefore I first applied my fix from on top of current master (3cb0a311cb7e). I applied this series of yours for regression testing on top of my fix. Thanks Laszlo