From: Laszlo Ersek
To: Jiewen Yao, edk2-devel@lists.01.org
Cc: Eric Dong, Liming Gao, Michael D Kinney
Date: Fri, 22 Feb 2019 22:41:54 +0100
Subject: Re: [PATCH V3 0/4] Add SMM CET support
Message-ID: <74766c1d-254b-57a8-e356-868a7b6bbb31@redhat.com>
In-Reply-To: <20190222133036.28468-1-jiewen.yao@intel.com>

Hi Jiewen,

On 02/22/19 14:30, Jiewen Yao wrote:
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1521
>
> V3:
> Add Nasm.inc to include CET related instruction as MACRO.
> This is the only place to use DB.
> Any other NASM just use the MACRO -
> SETSSBSY, READSSP_[E|R]AX, INCSSP_[E|R]AX
> =====================
>
> V2:
> Fix emulation platform issue.
> The NT32 platform cannot access CR4 register.
> So we add a global PCD to choose disable CR4 access in SetJump/LongJump.
> gEfiMdePkgTokenSpaceGuid.PcdControlFlowEnforcementPropertyMask
> =====================

(1) I think there is another difference (I don't know if it was
introduced in v2 or in v3; I only compared v1<->v3). It seems that the
LongJump / SetJump changes for IA32 MSFT were implemented in v2/v3 as
well.

(2) When we introduce another bit for
PcdControlFlowEnforcementPropertyMask, we'll have to update the checks,
because currently we check the whole PCD against zero. When the next bit
is introduced, we'll have to use a bitmask (with value 1) for checking.

Anyway that can indeed be a later enhancement, just stating what I've
noticed.

(3) For the series:

Regression-tested-by: Laszlo Ersek

Thanks,
Laszlo

>
> This patch series implement add CET ShadowStack support for SMM.
>
> The CET document can be found at:
> https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf
>
> Patch 1 adds SSP (ShadowStackPointer) to JUMP_BUFFER.
> Patch 2 adds Control Protection exception (CP#) dump info.
> Patch 3 adds CET ShadowStack support in SMM.
>
> For more detail please refer to each patch.
>
> I also post all update to https://github.com/jyao1/edk2/tree/CET_V2
>
> Cc: Michael D Kinney
> Cc: Liming Gao
> Cc: Eric Dong
> Cc: Ray Ni
> Cc: Laszlo Ersek
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Yao Jiewen
>
> Jiewen Yao (4):
>   MdePkg/Include: Add Nasm.inc
>   MdePkg/BaseLib: Add Shadow Stack Support for X86.
>   UefiCpuPkg/ExceptionLib: Add CET support.
>   UefiCpuPkg/PiSmmCpu: Add Shadow Stack Support for X86 SMM.
>
>  MdePkg/Include/Ia32/Nasm.inc                  |  28 ++++
>  MdePkg/Include/Library/BaseLib.h              |   2 +
>  MdePkg/Include/X64/Nasm.inc                   |  28 ++++
>  MdePkg/Library/BaseLib/BaseLib.inf            |   3 +-
>  MdePkg/Library/BaseLib/Ia32/LongJump.c        |  28 +++-
>  MdePkg/Library/BaseLib/Ia32/LongJump.nasm     |  25 +++-
>  MdePkg/Library/BaseLib/Ia32/SetJump.c         |  28 +++-
>  MdePkg/Library/BaseLib/Ia32/SetJump.nasm      |  23 +++-
>  MdePkg/Library/BaseLib/X64/LongJump.nasm      |  27 +++-
>  MdePkg/Library/BaseLib/X64/SetJump.nasm       |  23 +++-
>  MdePkg/MdePkg.dec                             |   7 +
>  .../Include/Library/SmmCpuFeaturesLib.h       |  23 +++-
>  .../CpuExceptionCommon.c                      |   7 +-
>  .../CpuExceptionCommon.h                      |   3 +-
>  .../Ia32/ArchExceptionHandler.c               |   5 +-
>  .../X64/ArchExceptionHandler.c                |   5 +-
>  UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/Cet.nasm       |  39 ++++++
>  UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/PageTbl.c      |  38 +++++-
>  UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.nasm  |  99 ++++++++++++++-
>  .../PiSmmCpuDxeSmm/Ia32/SmiException.nasm     |   6 +-
>  UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmFuncsArch.c |  57 ++++++++-
>  UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c         |  12 +-
>  UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c    |  97 ++++++++++++--
>  UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h    | 103 ++++++++++++++-
>  UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.inf  |   6 +-
>  .../PiSmmCpuDxeSmm/SmmCpuMemoryManagement.c   |  85 ++++++++++++-
>  UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c        |  18 ++-
>  UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.h        |   4 +-
>  UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c    |   4 +-
>  UefiCpuPkg/PiSmmCpuDxeSmm/X64/Cet.nasm        |  40 ++++++
>  UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c       |  39 +++++-
>  UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm   | 120 +++++++++++++++++-
>  UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c  |  58 ++++++++-
>  UefiCpuPkg/UefiCpuPkg.dec                     |   6 +-
>  34 files changed, 1034 insertions(+), 62 deletions(-)
>  create mode 100644 MdePkg/Include/Ia32/Nasm.inc
>  create mode 100644 MdePkg/Include/X64/Nasm.inc
>  create mode 100644 UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/Cet.nasm
>  create mode 100644 UefiCpuPkg/PiSmmCpuDxeSmm/X64/Cet.nasm
>