From: "Ni, Ray"
To: "Yao, Jiewen", "edk2-devel@lists.01.org"
CC: "Dong, Eric", Laszlo Ersek
Subject: Re: [PATCH V2 1/3] MdePkg/BaseLib: Add Shadow Stack Support for X86.
Date: Fri, 22 Feb 2019 12:54:34 +0000
Message-ID: <734D49CCEBEEF84792F5B80ED585239D5C02D0D3@SHSMSX104.ccr.corp.intel.com>
In-Reply-To: <20190222105940.32236-2-jiewen.yao@intel.com>

Reviewed-by: Ray Ni

> -----Original Message-----
> From: Yao, Jiewen > Sent: Friday, February 22, 2019 7:00 PM > To: edk2-devel@lists.01.org > Cc: Dong, Eric ; Ni, Ray ; Laszlo = Ersek > ; Yao, Jiewen > Subject: [PATCH V2 1/3] MdePkg/BaseLib: Add Shadow Stack Support for X86. >=20 > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1521 >=20 > This patch adds SSP - shadow stack pointer to JumpBuffer. > It will be used for the platform that enabled CET/ShadowStack. >=20 > We add gEfiMdePkgTokenSpaceGuid.PcdControlFlowEnforcementPropertyMask > to control the global enable/disable. >=20 > Cc: Eric Dong > Cc: Ray Ni > Cc: Laszlo Ersek > Contributed-under: TianoCore Contribution Agreement 1.1 > Signed-off-by: Yao Jiewen > --- > MdePkg/Include/Library/BaseLib.h | 2 ++ > MdePkg/Library/BaseLib/BaseLib.inf | 3 ++- > MdePkg/Library/BaseLib/Ia32/LongJump.c | 28 +++++++++++++++++++- > MdePkg/Library/BaseLib/Ia32/LongJump.nasm | 23 +++++++++++++++- > MdePkg/Library/BaseLib/Ia32/SetJump.c | 28 +++++++++++++++++++- > MdePkg/Library/BaseLib/Ia32/SetJump.nasm | 21 ++++++++++++++- > MdePkg/Library/BaseLib/X64/LongJump.nasm | 25 ++++++++++++++++- > MdePkg/Library/BaseLib/X64/SetJump.nasm | 21 ++++++++++++++- > MdePkg/MdePkg.dec | 7 +++++ > 9 files changed, 151 insertions(+), 7 deletions(-) >=20 > diff --git a/MdePkg/Include/Library/BaseLib.h > b/MdePkg/Include/Library/BaseLib.h > index 9c42f82a7d..616ba2e95b 100644 > --- a/MdePkg/Include/Library/BaseLib.h > +++ b/MdePkg/Include/Library/BaseLib.h > @@ -31,6 +31,7 @@ typedef struct { > UINT32 Ebp; > UINT32 Esp; > UINT32 Eip; > + UINT32 Ssp; > } BASE_LIBRARY_JUMP_BUFFER; >=20 > #define BASE_LIBRARY_JUMP_BUFFER_ALIGNMENT 4 @@ -54,6 +55,7 @@ > typedef struct { > UINT64 Rip; > UINT64 MxCsr; > UINT8 XmmBuffer[160]; ///< XMM6-XMM15. > + UINT64 Ssp; > } BASE_LIBRARY_JUMP_BUFFER; >=20 > #define BASE_LIBRARY_JUMP_BUFFER_ALIGNMENT 8 diff --git > a/MdePkg/Library/BaseLib/BaseLib.inf b/MdePkg/Library/BaseLib/BaseLib.inf > index f25a067a23..a0d6c372f9 100644 
> --- a/MdePkg/Library/BaseLib/BaseLib.inf > +++ b/MdePkg/Library/BaseLib/BaseLib.inf > @@ -1,7 +1,7 @@ > ## @file > # Base Library implementation. > # > -# Copyright (c) 2007 - 2018, Intel Corporation. All rights reserved. > +# Copyright (c) 2007 - 2019, Intel Corporation. All rights > +reserved.
> # Portions copyright (c) 2008 - 2009, Apple Inc. All rights reserved. # > Portions copyright (c) 2011 - 2013, ARM Ltd. All rights reserved.
# = @@ - > 620,6 +620,7 @@ > gEfiMdePkgTokenSpaceGuid.PcdMaximumLinkedListLength ## > SOMETIMES_CONSUMES > gEfiMdePkgTokenSpaceGuid.PcdMaximumAsciiStringLength ## > SOMETIMES_CONSUMES > gEfiMdePkgTokenSpaceGuid.PcdMaximumUnicodeStringLength ## > SOMETIMES_CONSUMES > + gEfiMdePkgTokenSpaceGuid.PcdControlFlowEnforcementPropertyMask ## > SOMETIMES_CONSUMES >=20 > [FeaturePcd] > gEfiMdePkgTokenSpaceGuid.PcdVerifyNodeInList ## CONSUMES diff --git > a/MdePkg/Library/BaseLib/Ia32/LongJump.c > b/MdePkg/Library/BaseLib/Ia32/LongJump.c > index 73973a9cce..2c1feb8373 100644 > --- a/MdePkg/Library/BaseLib/Ia32/LongJump.c > +++ b/MdePkg/Library/BaseLib/Ia32/LongJump.c > @@ -1,7 +1,7 @@ > /** @file > Implementation of _LongJump() on IA-32. >=20 > - Copyright (c) 2006 - 2008, Intel Corporation. All rights reserved.
> + Copyright (c) 2006 - 2019, Intel Corporation. All rights > + reserved.
> This program and the accompanying materials > are licensed and made available under the terms and conditions of the = BSD > License > which accompanies this distribution. The full text of the license may= be found > at @@ -36,6 +36,32 @@ InternalLongJump ( > ) > { > _asm { > + mov eax, [PcdGet32 (PcdControlFlowEnforcementPropertyMask)] > + test eax, eax > + jz CetDone > + _emit 0x0F > + _emit 0x20 > + _emit 0xE0 ; mov eax, cr4 > + bt eax, 23 ; check if CET is enabled > + jnc CetDone > + > + mov edx, [esp + 4] ; edx =3D JumpBuffer > + mov edx, [edx + 24] ; edx =3D target SSP > + _emit 0xF3 > + _emit 0x0F > + _emit 0x1E > + _emit 0xC8 ; READSSP EAX > + sub edx, eax ; edx =3D delta > + mov eax, edx ; eax =3D delta > + > + shr eax, 2 ; eax =3D delta/sizeof(UINT32) > + _emit 0xF3 > + _emit 0x0F > + _emit 0xAE > + _emit 0xE8 ; INCSSP EAX > + > +CetDone: > + > pop eax ; skip return address > pop edx ; edx <- JumpBuffer > pop eax ; eax <- Value > diff --git a/MdePkg/Library/BaseLib/Ia32/LongJump.nasm > b/MdePkg/Library/BaseLib/Ia32/LongJump.nasm > index 7ef03462ee..1e806fb635 100644 > --- a/MdePkg/Library/BaseLib/Ia32/LongJump.nasm > +++ b/MdePkg/Library/BaseLib/Ia32/LongJump.nasm > @@ -1,6 +1,6 @@ > ;-----------------------------------------------------------------------= ------- > ; > -; Copyright (c) 2006, Intel Corporation. All rights reserved.
> +; Copyright (c) 2006 - 2019, Intel Corporation. All rights > +reserved.
> ; This program and the accompanying materials ; are licensed and made > available under the terms and conditions of the BSD License ; which > accompanies this distribution. The full text of the license may be found= at @@ - > 21,6 +21,8 @@ >=20 > SECTION .text >=20 > +extern ASM_PFX(PcdGet32 (PcdControlFlowEnforcementPropertyMask)) > + > ;-----------------------------------------------------------------------= ------- > ; VOID > ; EFIAPI > @@ -31,6 +33,25 @@ > ;-----------------------------------------------------------------------= ------- > global ASM_PFX(InternalLongJump) > ASM_PFX(InternalLongJump): > + > + mov eax, [ASM_PFX(PcdGet32 > (PcdControlFlowEnforcementPropertyMask))] > + test eax, eax > + jz CetDone > + mov eax, cr4 > + bt eax, 23 ; check if CET is enabled > + jnc CetDone > + > + mov edx, [esp + 4] ; edx =3D JumpBuffer > + mov edx, [edx + 24] ; edx =3D target SSP > + DB 0xF3, 0x0F, 0x1E, 0xC8 ; READSSP EAX > + sub edx, eax ; edx =3D delta > + mov eax, edx ; eax =3D delta > + > + shr eax, 2 ; eax =3D delta/sizeof(UINT32) > + DB 0xF3, 0x0F, 0xAE, 0xE8 ; INCSSP EAX > + > +CetDone: > + > pop eax ; skip return address > pop edx ; edx <- JumpBuffer > pop eax ; eax <- Value > diff --git a/MdePkg/Library/BaseLib/Ia32/SetJump.c > b/MdePkg/Library/BaseLib/Ia32/SetJump.c > index 652d45d53b..d608fd9ccb 100644 > --- a/MdePkg/Library/BaseLib/Ia32/SetJump.c > +++ b/MdePkg/Library/BaseLib/Ia32/SetJump.c > @@ -1,7 +1,7 @@ > /** @file > Implementation of SetJump() on IA-32. >=20 > - Copyright (c) 2006 - 2008, Intel Corporation. All rights reserved.
> + Copyright (c) 2006 - 2019, Intel Corporation. All rights > + reserved.
> This program and the accompanying materials > are licensed and made available under the terms and conditions of the = BSD > License > which accompanies this distribution. The full text of the license may= be found > at @@ -62,6 +62,32 @@ SetJump ( > pop ecx > pop ecx > mov edx, [esp] > + > + xor eax, eax > + mov [edx + 24], eax ; save 0 to SSP > + > + mov eax, [PcdGet32 (PcdControlFlowEnforcementPropertyMask)] > + test eax, eax > + jz CetDone > + _emit 0x0F > + _emit 0x20 > + _emit 0xE0 ; mov eax, cr4 > + bt eax, 23 ; check if CET is enabled > + jnc CetDone > + > + mov eax, 1 > + _emit 0xF3 > + _emit 0x0F > + _emit 0xAE > + _emit 0xE8 ; INCSSP EAX to read original SSP > + _emit 0xF3 > + _emit 0x0F > + _emit 0x1E > + _emit 0xC8 ; READSSP EAX > + mov [edx + 0x24], eax ; save SSP > + > +CetDone: > + > mov [edx], ebx > mov [edx + 4], esi > mov [edx + 8], edi > diff --git a/MdePkg/Library/BaseLib/Ia32/SetJump.nasm > b/MdePkg/Library/BaseLib/Ia32/SetJump.nasm > index 6d3a5a25bb..95d7247050 100644 > --- a/MdePkg/Library/BaseLib/Ia32/SetJump.nasm > +++ b/MdePkg/Library/BaseLib/Ia32/SetJump.nasm > @@ -1,6 +1,6 @@ > ;-----------------------------------------------------------------------= ------- > ; > -; Copyright (c) 2006, Intel Corporation. All rights reserved.
> +; Copyright (c) 2006 - 2019, Intel Corporation. All rights > +reserved.
> ; This program and the accompanying materials ; are licensed and made > available under the terms and conditions of the BSD License ; which > accompanies this distribution. The full text of the license may be found= at @@ - > 22,6 +22,7 @@ > SECTION .text >=20 > extern ASM_PFX(InternalAssertJumpBuffer) > +extern ASM_PFX(PcdGet32 (PcdControlFlowEnforcementPropertyMask)) >=20 > ;-----------------------------------------------------------------------= ------- > ; UINTN > @@ -37,6 +38,24 @@ ASM_PFX(SetJump): > pop ecx > pop ecx ; ecx <- return address > mov edx, [esp] > + > + xor eax, eax > + mov [edx + 24], eax ; save 0 to SSP > + > + mov eax, [ASM_PFX(PcdGet32 > (PcdControlFlowEnforcementPropertyMask))] > + test eax, eax > + jz CetDone > + mov eax, cr4 > + bt eax, 23 ; check if CET is enabled > + jnc CetDone > + > + mov eax, 1 > + DB 0xF3, 0x0F, 0xAE, 0xE8 ; INCSSP EAX to read original SSP > + DB 0xF3, 0x0F, 0x1E, 0xC8 ; READSSP EAX > + mov [edx + 0x24], eax ; save SSP > + > +CetDone: > + > mov [edx], ebx > mov [edx + 4], esi > mov [edx + 8], edi > diff --git a/MdePkg/Library/BaseLib/X64/LongJump.nasm > b/MdePkg/Library/BaseLib/X64/LongJump.nasm > index 3bac27469e..87a54a59f7 100644 > --- a/MdePkg/Library/BaseLib/X64/LongJump.nasm > +++ b/MdePkg/Library/BaseLib/X64/LongJump.nasm > @@ -1,6 +1,6 @@ > ;-----------------------------------------------------------------------= ------- > ; > -; Copyright (c) 2006, Intel Corporation. All rights reserved.
> +; Copyright (c) 2006 - 2019, Intel Corporation. All rights > +reserved.
> ; This program and the accompanying materials ; are licensed and made > available under the terms and conditions of the BSD License ; which > accompanies this distribution. The full text of the license may be found= at @@ - > 22,6 +22,8 @@ > DEFAULT REL > SECTION .text >=20 > +extern ASM_PFX(PcdGet32 (PcdControlFlowEnforcementPropertyMask)) > + > ;-----------------------------------------------------------------------= ------- > ; VOID > ; EFIAPI > @@ -32,6 +34,27 @@ > ;-----------------------------------------------------------------------= ------- > global ASM_PFX(InternalLongJump) > ASM_PFX(InternalLongJump): > + > + mov eax, [ASM_PFX(PcdGet32 > (PcdControlFlowEnforcementPropertyMask))] > + test eax, eax > + jz CetDone > + mov rax, cr4 > + bt eax, 23 ; check if CET is enabled > + jnc CetDone > + > + push rdx ; save rdx > + > + mov rdx, [rcx + 0xF8] ; rdx =3D target SSP > + DB 0xF3, 0x48, 0x0F, 0x1E, 0xC8 ; READSSP RAX > + sub rdx, rax ; rdx =3D delta > + mov rax, rdx ; rax =3D delta > + > + shr rax, 3 ; rax =3D delta/sizeof(UINT64) > + DB 0xF3, 0x48, 0x0F, 0xAE, 0xE8 ; INCSSP RAX > + > + pop rdx ; restore rdx > +CetDone: > + > mov rbx, [rcx] > mov rsp, [rcx + 8] > mov rbp, [rcx + 0x10] > diff --git a/MdePkg/Library/BaseLib/X64/SetJump.nasm > b/MdePkg/Library/BaseLib/X64/SetJump.nasm > index b1d0ff7121..b478327b95 100644 > --- a/MdePkg/Library/BaseLib/X64/SetJump.nasm > +++ b/MdePkg/Library/BaseLib/X64/SetJump.nasm > @@ -1,6 +1,6 @@ > ;-----------------------------------------------------------------------= ------- > ; > -; Copyright (c) 2006, Intel Corporation. All rights reserved.
> +; Copyright (c) 2006 - 2019, Intel Corporation. All rights > +reserved.
> ; This program and the accompanying materials ; are licensed and made > available under the terms and conditions of the BSD License ; which > accompanies this distribution. The full text of the license may be found= at @@ - > 23,6 +23,7 @@ > SECTION .text >=20 > extern ASM_PFX(InternalAssertJumpBuffer) > +extern ASM_PFX(PcdGet32 (PcdControlFlowEnforcementPropertyMask)) >=20 > ;-----------------------------------------------------------------------= ------- > ; UINTN > @@ -39,6 +40,24 @@ ASM_PFX(SetJump): > add rsp, 0x20 > pop rcx > pop rdx > + > + xor rax, rax > + mov [rcx + 0xF8], rax ; save 0 to SSP > + > + mov eax, [ASM_PFX(PcdGet32 > (PcdControlFlowEnforcementPropertyMask))] > + test eax, eax > + jz CetDone > + mov rax, cr4 > + bt eax, 23 ; check if CET is enabled > + jnc CetDone > + > + mov rax, 1 > + DB 0xF3, 0x48, 0x0F, 0xAE, 0xE8 ; INCSSP RAX to read original S= SP > + DB 0xF3, 0x48, 0x0F, 0x1E, 0xC8 ; READSSP RAX > + mov [rcx + 0xF8], rax ; save SSP > + > +CetDone: > + > mov [rcx], rbx > mov [rcx + 8], rsp > mov [rcx + 0x10], rbp > diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec index > c859b4a511..69a9575a04 100644 > --- a/MdePkg/MdePkg.dec > +++ b/MdePkg/MdePkg.dec > @@ -2087,6 +2087,13 @@ > # @Prompt Fixed Debug Message Print Level. >=20 > gEfiMdePkgTokenSpaceGuid.PcdFixedDebugPrintErrorLevel|0xFFFFFFFF|UINT32 > |0x30001016 >=20 > + ## Indicates the control flow enforcement enabling state. > + # If enabled, it uses control flow enforcement technology to prevent = ROP or > JOP.

> + # BIT0 - SMM CET Shadow Stack is enabled.
> + # Other - reserved > + # @Prompt Enable control flow enforcement. > + > + > gEfiMdePkgTokenSpaceGuid.PcdControlFlowEnforcementPropertyMask|0x0|UI > N > + T32|0x30001017 > + > [PcdsFixedAtBuild,PcdsPatchableInModule] > ## Indicates the maximum length of unicode string used in the followin= g > # BaseLib functions: StrLen(), StrSize(), StrCmp(), StrnCmp(), StrCpy= (), > StrnCpy()

> -- > 2.19.2.windows.1
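Review bot: In the MdePkg/Include/Library/BaseLib.h hunks the new `Ssp` members carry no Doxygen comment, while the neighbouring `UINT8 XmmBuffer[160]; ///< XMM6-XMM15.` does; add something like `UINT64 Ssp; ///< Shadow stack pointer, 0 when CET is disabled` so a reader of the header knows why the field is zero on non-CET platforms (SetJump stores 0 before the CR4 check). Growing the structure also changes sizeof(BASE_LIBRARY_JUMP_BUFFER), so anything that embeds or allocates the buffer must be rebuilt against the new header.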
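Review bot: In the MdePkg/Library/BaseLib/BaseLib.inf hunk, `PcdControlFlowEnforcementPropertyMask` is tagged `## SOMETIMES_CONSUMES`, but every SetJump() and InternalLongJump() call reads it unconditionally before the CR4 test, so `## CONSUMES` describes the usage accurately.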
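Review bot: In the Ia32/LongJump.c hunk (`@@ -36,6 +36,32 @@`) the whole delta is turned into a slot count with `shr eax, 2` and fed to a single `INCSSP EAX`, but INCSSPD only uses bits 7:0 of its operand, so a LongJump that unwinds more than 255 shadow-stack entries leaves SSP short of the saved value, the shadow stack and the data stack fall out of step, and the next RET faults with #CP instead of returning; either loop in steps of at most 255 or document the limit. The same conversion appears in Ia32/LongJump.nasm and, with `shr rax, 3` and INCSSPQ, in X64/LongJump.nasm. There is also no check that the target SSP lies above the current one: if the buffer still holds the 0 written at the top of SetJump (for example because the CR4.CET check gave a different answer at SetJump and LongJump time), `sub edx, eax` wraps and the INCSSP count is meaningless.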
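Review bot: In the Ia32/SetJump.c hunk the SSP slot is cleared with `mov [edx + 24], eax ; save 0 to SSP`, but the live value is written with `mov [edx + 0x24], eax ; save SSP`; 0x24 is 36, not 24, so the store lands past the end of the seven-UINT32 IA-32 BASE_LIBRARY_JUMP_BUFFER (Ebx, Esi, Edi, Ebp, Esp, Eip, Ssp = 28 bytes) and LongJump, which reads `[edx + 24]`, always sees the 0. Change the store to `mov [edx + 24], eax`.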
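Review bot: The Ia32/SetJump.nasm hunk has the same offset mismatch as Ia32/SetJump.c: `mov [edx + 0x24], eax ; save SSP` writes outside the 28-byte buffer while the zeroing and Ia32/LongJump.nasm both use `[edx + 24]`; it should be `mov [edx + 24], eax`. The X64 variants are consistent (`[rcx + 0xF8]` for both the clear and the store).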
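Review bot: In the MdePkg/MdePkg.dec hunk the PCD help text says only `BIT0 - SMM CET Shadow Stack is enabled` and `Other - reserved`, yet BaseLib enables its shadow-stack path with `test eax, eax`, i.e. on any nonzero mask, so setting a "reserved" bit would switch the SetJump/LongJump SSP handling on. Either state in the help text that BaseLib honours the mask as a whole, or test BIT0 explicitly (`test eax, 1`) in the four assembly files.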
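As an added illustration, not code from the patch or from edk2, here is a C model of the shadow-stack bookkeeping that SetJump()/InternalLongJump() perform in this patch, using the IA-32 4-byte slot size; IncSspD() follows the architectural rule that INCSSPD uses only bits 7:0 of its count operand, and ModelLongJumpLoopedIncSsp() is an assumed alternative, not something the patch contains.

```c
#include <stdint.h>

/* Constructed model of the SSP bookkeeping the patch adds to SetJump()
 * and InternalLongJump() on IA-32; no real CET instruction is executed. */

#define SSP_SLOT 4u  /* IA-32 shadow stack holds 4-byte return addresses */

typedef struct {
  uint32_t Ssp;      /* mirrors the new BASE_LIBRARY_JUMP_BUFFER.Ssp field */
} SspJumpBuffer;

/* INCSSPD semantics: SSP advances by 4 * (count & 0xFF); the architecture
 * ignores bits above 7 of the count operand. */
static uint32_t IncSspD(uint32_t Ssp, uint32_t Count)
{
  return Ssp + SSP_SLOT * (Count & 0xFFu);
}

/* SetJump(): the CALL into SetJump pushed one shadow-stack slot, so the
 * patch does INCSSP 1 and then READSSP to record the caller's SSP. */
static void ModelSetJump(SspJumpBuffer *Jb, uint32_t SspInsideSetJump)
{
  Jb->Ssp = IncSspD(SspInsideSetJump, 1);
}

/* InternalLongJump() as written in the patch: delta / 4 in one INCSSP. */
static uint32_t ModelLongJumpSingleIncSsp(const SspJumpBuffer *Jb, uint32_t CurSsp)
{
  uint32_t Delta = Jb->Ssp - CurSsp;         /* sub edx, eax            */
  return IncSspD(CurSsp, Delta / SSP_SLOT);  /* shr eax, 2 ; INCSSP EAX */
}

/* Assumed alternative: pop at most 255 slots per INCSSP until the saved
 * SSP is reached, so deep unwinds are handled too. */
static uint32_t ModelLongJumpLoopedIncSsp(const SspJumpBuffer *Jb, uint32_t CurSsp)
{
  uint32_t Remaining = (Jb->Ssp - CurSsp) / SSP_SLOT;
  while (Remaining != 0) {
    uint32_t Step = Remaining > 0xFFu ? 0xFFu : Remaining;
    CurSsp = IncSspD(CurSsp, Step);
    Remaining -= Step;
  }
  return CurSsp;
}
```

With ten frames between SetJump and LongJump both variants restore the saved SSP; with 300 frames only the looped variant does, because 300 & 0xFF is 44.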