From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <jiewen.yao@intel.com>
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=134.134.136.126; helo=mga18.intel.com;
 envelope-from=jiewen.yao@intel.com; receiver=edk2-devel@lists.01.org 
Received: from mga18.intel.com (mga18.intel.com [134.134.136.126])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 50DDC2115BE39
 for <edk2-devel@lists.01.org>; Fri, 28 Sep 2018 06:13:57 -0700 (PDT)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga005.jf.intel.com ([10.7.209.41])
 by orsmga106.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
 28 Sep 2018 06:13:56 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.54,315,1534834800"; d="scan'208";a="261213115"
Received: from fmsmsx107.amr.corp.intel.com ([10.18.124.205])
 by orsmga005.jf.intel.com with ESMTP; 28 Sep 2018 06:13:14 -0700
Received: from shsmsx103.ccr.corp.intel.com (10.239.4.69) by
 fmsmsx107.amr.corp.intel.com (10.18.124.205) with Microsoft SMTP Server (TLS)
 id 14.3.319.2; Fri, 28 Sep 2018 06:13:13 -0700
Received: from shsmsx102.ccr.corp.intel.com ([169.254.2.140]) by
 SHSMSX103.ccr.corp.intel.com ([169.254.4.245]) with mapi id 14.03.0319.002;
 Fri, 28 Sep 2018 21:13:12 +0800
From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "Wu, Hao A" <hao.a.wu@intel.com>, "edk2-devel@lists.01.org"
 <edk2-devel@lists.01.org>
CC: Ard Biesheuvel <ard.biesheuvel@linaro.org>, Leif Lindholm
 <leif.lindholm@linaro.org>, Laszlo Ersek <lersek@redhat.com>, "Kinney,
 Michael D" <michael.d.kinney@intel.com>, "Gao, Liming"
 <liming.gao@intel.com>, "Zeng, Star" <star.zeng@intel.com>, "Dong, Eric"
 <eric.dong@intel.com>
Thread-Topic: [PATCH v2 0/5] [CVE-2017-5753] Bounds Check Bypass issue in
 SMI handlers
Thread-Index: AQHUVJbVeqJkh2rMBUCIL8BefZEfgqUFsMUQ
Date: Fri, 28 Sep 2018 13:13:11 +0000
Message-ID: <74D8A39837DF1E4DA445A8C0B3885C503ADA4282@shsmsx102.ccr.corp.intel.com>
References: <20180925061259.31680-1-hao.a.wu@intel.com>
In-Reply-To: <20180925061259.31680-1-hao.a.wu@intel.com>
Accept-Language: zh-CN, en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiOWE2ZjhlMjEtMmE2NS00ODJmLTk1MTUtZTBhYTIxYTAxOTY4IiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoiNnBpaDFUeGtNVjRoWFJXQzVteDNPZXI0aGZpc0YrRTNxZnVMWXR2SmNKTXRsZUNSVGsxTHk3SDE5S2JObW5HKyJ9
x-ctpclassification: CTP_NT
dlp-product: dlpe-windows
dlp-version: 11.0.400.15
dlp-reaction: no-action
x-originating-ip: [10.239.127.40]
MIME-Version: 1.0
Subject: Re: [PATCH v2 0/5] [CVE-2017-5753] Bounds Check Bypass issue in SMI handlers
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Sep 2018 13:13:57 -0000
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Reviewed-by: Jiewen.yao@intel.com

> -----Original Message-----
> From: Wu, Hao A
> Sent: Tuesday, September 25, 2018 2:13 PM
> To: edk2-devel@lists.01.org
> Cc: Wu, Hao A <hao.a.wu@intel.com>; Ard Biesheuvel
> <ard.biesheuvel@linaro.org>; Leif Lindholm <leif.lindholm@linaro.org>;
> Laszlo Ersek <lersek@redhat.com>; Yao, Jiewen <jiewen.yao@intel.com>;
> Kinney, Michael D <michael.d.kinney@intel.com>; Gao, Liming
> <liming.gao@intel.com>; Zeng, Star <star.zeng@intel.com>; Dong, Eric
> <eric.dong@intel.com>
> Subject: [PATCH v2 0/5] [CVE-2017-5753] Bounds Check Bypass issue in SMI
> handlers
>=20
> V2 changes:
> A. Rename the newly introduced BaseLib API to 'AsmLfence', and makes it
>    IA32/X64 specific.
>=20
> B. Add brief comments before calls of the AsmLfence() to state the
>    purpose.
>=20
> C. Refine the patch for Variable/RuntimeDxe driver and make the change
>    focus on the SMM code.
>=20
> V1 history:
> The series aims to mitigate the Bounds Check Bypass (CVE-2017-5753) issue=
s
> within SMI handlers.
>=20
> A more detailed explanation of the purpose of the series is under the
> 'Bounds check bypass mitigation' section of the below link:
> https://software.intel.com/security-software-guidance/insights/host-firmw
> are-speculative-execution-side-channel-mitigation
>=20
> And the document at:
> https://software.intel.com/security-software-guidance/api-app/sites/defau=
l
> t/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pd=
f
>=20
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Leif Lindholm <leif.lindholm@linaro.org>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Liming Gao <liming.gao@intel.com>
> Cc: Star Zeng <star.zeng@intel.com>
> Cc: Eric Dong <eric.dong@intel.com>
>=20
> Hao Wu (5):
>   MdePkg/BaseLib: Add new AsmLfence API
>   MdeModulePkg/FaultTolerantWrite:[CVE-2017-5753]Fix bounds check
> bypass
>   MdeModulePkg/SmmLockBox: [CVE-2017-5753] Fix bounds check bypass
>   MdeModulePkg/Variable: [CVE-2017-5753] Fix bounds check bypass
>   UefiCpuPkg/PiSmmCpuDxeSmm: [CVE-2017-5753] Fix bounds check
> bypass
>=20
>=20
> MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c
> |  7 ++++
>=20
> MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.in
> f |  1 +
>  MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c
> | 10 ++++++
>  MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceDxe.c
> | 31 ++++++++++++++++
>  MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceSmm.c
> | 30 ++++++++++++++++
>  MdeModulePkg/Universal/Variable/RuntimeDxe/PrivilegePolymorphic.h
> | 13 ++++++-
>  MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
> |  6 ++++
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
> |  1 +
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c
> | 18 ++++++++++
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf
> |  1 +
>  MdePkg/Include/Library/BaseLib.h
> | 13 +++++++
>  MdePkg/Library/BaseLib/BaseLib.inf
> |  2 ++
>  MdePkg/Library/BaseLib/Ia32/Lfence.nasm
> | 37 +++++++++++++++++++
>  MdePkg/Library/BaseLib/X64/Lfence.nasm
> | 38 ++++++++++++++++++++
>  UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c
> |  5 +++
>  15 files changed, 212 insertions(+), 1 deletion(-)
>  create mode 100644
> MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceDxe.c
>  create mode 100644
> MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceSmm.c
>  create mode 100644 MdePkg/Library/BaseLib/Ia32/Lfence.nasm
>  create mode 100644 MdePkg/Library/BaseLib/X64/Lfence.nasm
>=20
> --
> 2.12.0.windows.1