From: Laszlo Ersek <lersek@redhat.com>
To: Jiewen Yao <jiewen.yao@intel.com>, edk2-devel@lists.01.org
Cc: Eric Dong <eric.dong@intel.com>,
Liming Gao <liming.gao@intel.com>,
Michael D Kinney <michael.d.kinney@intel.com>
Subject: Re: [PATCH V3 0/4] Add SMM CET support
Date: Fri, 22 Feb 2019 22:41:54 +0100 [thread overview]
Message-ID: <74766c1d-254b-57a8-e356-868a7b6bbb31@redhat.com> (raw)
In-Reply-To: <20190222133036.28468-1-jiewen.yao@intel.com>
Hi Jiewen,
On 02/22/19 14:30, Jiewen Yao wrote:
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1521
>
> V3:
> Add Nasm.inc to include CET related instruction as MACRO.
> This is the only place to use DB.
> Any other NASM just use the MACRO -
> SETSSBSY, READSSP_[E|R]AX, INCSSP_[E|R]AX
> =====================
>
> V2:
> Fix emulation platform issue.
> The NT32 platform cannot access CR4 register.
> So we add a global PCD to choose disable CR4 access in SetJump/LongJump.
> gEfiMdePkgTokenSpaceGuid.PcdControlFlowEnforcementPropertyMask
> =====================
(1) I think there is another difference (I don't know if it was
introduced in v2 or in v3; I only compared v1<->v3). It seems that the
LongJump / SetJump changes for IA32 MSFT were implemented in v2/v3 as well.
(2) When we introduce another bit for
PcdControlFlowEnforcementPropertyMask, we'll have to update the checks,
because currently we check the whole PCD against zero. When the next bit
is introduced, we'll have to use a bitmask (with value 1) for checking.
Anyway that can indeed be a later enhancement, just stating what I've
noticed.
(3) For the series:
Regression-tested-by: Laszlo Ersek <lersek@redhat.com>
Thanks,
Laszlo
>
> This patch series implement add CET ShadowStack support for SMM.
>
> The CET document can be found at:
> https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf
>
> Patch 1 adds SSP (ShadowStackPointer) to JUMP_BUFFER.
> Patch 2 adds Control Protection exception (CP#) dump info.
> Patch 3 adds CET ShadowStack support in SMM.
>
> For more detail please refer to each patch.
>
> I also post all update to https://github.com/jyao1/edk2/tree/CET_V2
>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Liming Gao <liming.gao@intel.com>
> Cc: Eric Dong <eric.dong@intel.com>
> Cc: Ray Ni <ray.ni@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Yao Jiewen <jiewen.yao@intel.com>
>
> Jiewen Yao (4):
> MdePkg/Include: Add Nasm.inc
> MdePkg/BaseLib: Add Shadow Stack Support for X86.
> UefiCpuPkg/ExceptionLib: Add CET support.
> UefiCpuPkg/PiSmmCpu: Add Shadow Stack Support for X86 SMM.
>
> MdePkg/Include/Ia32/Nasm.inc | 28 ++++
> MdePkg/Include/Library/BaseLib.h | 2 +
> MdePkg/Include/X64/Nasm.inc | 28 ++++
> MdePkg/Library/BaseLib/BaseLib.inf | 3 +-
> MdePkg/Library/BaseLib/Ia32/LongJump.c | 28 +++-
> MdePkg/Library/BaseLib/Ia32/LongJump.nasm | 25 +++-
> MdePkg/Library/BaseLib/Ia32/SetJump.c | 28 +++-
> MdePkg/Library/BaseLib/Ia32/SetJump.nasm | 23 +++-
> MdePkg/Library/BaseLib/X64/LongJump.nasm | 27 +++-
> MdePkg/Library/BaseLib/X64/SetJump.nasm | 23 +++-
> MdePkg/MdePkg.dec | 7 +
> .../Include/Library/SmmCpuFeaturesLib.h | 23 +++-
> .../CpuExceptionCommon.c | 7 +-
> .../CpuExceptionCommon.h | 3 +-
> .../Ia32/ArchExceptionHandler.c | 5 +-
> .../X64/ArchExceptionHandler.c | 5 +-
> UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/Cet.nasm | 39 ++++++
> UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/PageTbl.c | 38 +++++-
> UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.nasm | 99 ++++++++++++++-
> .../PiSmmCpuDxeSmm/Ia32/SmiException.nasm | 6 +-
> UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmFuncsArch.c | 57 ++++++++-
> UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c | 12 +-
> UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c | 97 ++++++++++++--
> UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h | 103 ++++++++++++++-
> UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.inf | 6 +-
> .../PiSmmCpuDxeSmm/SmmCpuMemoryManagement.c | 85 ++++++++++++-
> UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c | 18 ++-
> UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.h | 4 +-
> UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c | 4 +-
> UefiCpuPkg/PiSmmCpuDxeSmm/X64/Cet.nasm | 40 ++++++
> UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c | 39 +++++-
> UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm | 120 +++++++++++++++++-
> UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c | 58 ++++++++-
> UefiCpuPkg/UefiCpuPkg.dec | 6 +-
> 34 files changed, 1034 insertions(+), 62 deletions(-)
> create mode 100644 MdePkg/Include/Ia32/Nasm.inc
> create mode 100644 MdePkg/Include/X64/Nasm.inc
> create mode 100644 UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/Cet.nasm
> create mode 100644 UefiCpuPkg/PiSmmCpuDxeSmm/X64/Cet.nasm
>
next prev parent reply other threads:[~2019-02-22 21:41 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-22 13:30 [PATCH V3 0/4] Add SMM CET support Jiewen Yao
2019-02-22 13:30 ` [PATCH V3 1/4] MdePkg/Include: Add Nasm.inc Jiewen Yao
2019-02-22 13:30 ` [PATCH V3 2/4] MdePkg/BaseLib: Add Shadow Stack Support for X86 Jiewen Yao
2019-02-22 13:30 ` [PATCH V3 3/4] UefiCpuPkg/ExceptionLib: Add CET support Jiewen Yao
2019-02-22 13:30 ` [PATCH V3 4/4] UefiCpuPkg/PiSmmCpu: Add Shadow Stack Support for X86 SMM Jiewen Yao
2019-02-22 14:29 ` [PATCH V3 0/4] Add SMM CET support Ni, Ray
2019-02-22 21:41 ` Laszlo Ersek [this message]
2019-02-23 1:08 ` Yao, Jiewen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=74766c1d-254b-57a8-e356-868a7b6bbb31@redhat.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox