From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=192.55.52.88; helo=mga01.intel.com; envelope-from=hao.a.wu@intel.com; receiver=edk2-devel@lists.01.org Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 398FA21B02822 for ; Tue, 25 Sep 2018 18:19:11 -0700 (PDT) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga003.fm.intel.com ([10.253.24.29]) by fmsmga101.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 25 Sep 2018 18:19:10 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.54,304,1534834800"; d="scan'208";a="83269219" Received: from fmsmsx108.amr.corp.intel.com ([10.18.124.206]) by FMSMGA003.fm.intel.com with ESMTP; 25 Sep 2018 18:17:57 -0700 Received: from fmsmsx113.amr.corp.intel.com (10.18.116.7) by FMSMSX108.amr.corp.intel.com (10.18.124.206) with Microsoft SMTP Server (TLS) id 14.3.319.2; Tue, 25 Sep 2018 18:17:57 -0700 Received: from shsmsx152.ccr.corp.intel.com (10.239.6.52) by FMSMSX113.amr.corp.intel.com (10.18.116.7) with Microsoft SMTP Server (TLS) id 14.3.319.2; Tue, 25 Sep 2018 18:17:57 -0700 Received: from shsmsx104.ccr.corp.intel.com ([169.254.5.183]) by SHSMSX152.ccr.corp.intel.com ([169.254.6.37]) with mapi id 14.03.0319.002; Wed, 26 Sep 2018 09:17:30 +0800 From: "Wu, Hao A" To: Laszlo Ersek , "edk2-devel@lists.01.org" CC: "Kinney, Michael D" , "Zeng, Star" , "Yao, Jiewen" , "Dong, Eric" , "Gao, Liming" Thread-Topic: [edk2] [PATCH v2 0/5] [CVE-2017-5753] Bounds Check Bypass issue in SMI handlers Thread-Index: AQHUVJbVcvcdgh4Ut0SNCEI3ZaNyYqUA88MAgAABnACAAM3o4A== Date: Wed, 26 Sep 2018 01:17:30 +0000 Message-ID: References: <20180925061259.31680-1-hao.a.wu@intel.com> <70117861-3590-53ec-a717-06ba41c5f22f@redhat.com> In-Reply-To: <70117861-3590-53ec-a717-06ba41c5f22f@redhat.com> Accept-Language: zh-CN, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Subject: Re: [PATCH v2 0/5] [CVE-2017-5753] Bounds Check Bypass issue in SMI handlers X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Sep 2018 01:19:11 -0000 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable > -----Original Message----- > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of La= szlo > Ersek > Sent: Wednesday, September 26, 2018 4:57 AM > To: Wu, Hao A; edk2-devel@lists.01.org > Cc: Kinney, Michael D; Zeng, Star; Yao, Jiewen; Dong, Eric; Gao, Liming > Subject: Re: [edk2] [PATCH v2 0/5] [CVE-2017-5753] Bounds Check Bypass is= sue > in SMI handlers >=20 > On 09/25/18 22:51, Laszlo Ersek wrote: > > On 09/25/18 08:12, Hao Wu wrote: > >> V2 changes: > >> A. Rename the newly introduced BaseLib API to 'AsmLfence', and makes i= t > >> IA32/X64 specific. > >> > >> B. Add brief comments before calls of the AsmLfence() to state the > >> purpose. > >> > >> C. Refine the patch for Variable/RuntimeDxe driver and make the change > >> focus on the SMM code. > >> > >> V1 history: > >> The series aims to mitigate the Bounds Check Bypass (CVE-2017-5753) > issues > >> within SMI handlers. > >> > >> A more detailed explanation of the purpose of the series is under the > >> 'Bounds check bypass mitigation' section of the below link: > >> https://software.intel.com/security-software-guidance/insights/host- > firmware-speculative-execution-side-channel-mitigation > >> > >> And the document at: > >> https://software.intel.com/security-software-guidance/api- > app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass- > vulnerabilities.pdf > >> > >> Cc: Ard Biesheuvel > >> Cc: Leif Lindholm > >> Cc: Laszlo Ersek > >> Cc: Jiewen Yao > >> Cc: Michael D Kinney > >> Cc: Liming Gao > >> Cc: Star Zeng > >> Cc: Eric Dong > >> > >> Hao Wu (5): > >> MdePkg/BaseLib: Add new AsmLfence API > >> MdeModulePkg/FaultTolerantWrite:[CVE-2017-5753]Fix bounds check > bypass > >> MdeModulePkg/SmmLockBox: [CVE-2017-5753] Fix bounds check bypass > >> MdeModulePkg/Variable: [CVE-2017-5753] Fix bounds check bypass > >> UefiCpuPkg/PiSmmCpuDxeSmm: [CVE-2017-5753] Fix bounds check bypass > >> > >> > MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c | > 7 ++++ > >> > MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.inf > | 1 + > >> MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c > | 10 ++++++ > >> MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceDxe.c = | > 31 ++++++++++++++++ > >> MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceSmm.c > | 30 ++++++++++++++++ > >> MdeModulePkg/Universal/Variable/RuntimeDxe/PrivilegePolymorphic.h > | 13 ++++++- > >> MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c = | 6 > ++++ > >> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf > | 1 + > >> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c = | > 18 ++++++++++ > >> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf = | > 1 + > >> MdePkg/Include/Library/BaseLib.h = | 13 +++++++ > >> MdePkg/Library/BaseLib/BaseLib.inf = | 2 ++ > >> MdePkg/Library/BaseLib/Ia32/Lfence.nasm = | 37 > +++++++++++++++++++ > >> MdePkg/Library/BaseLib/X64/Lfence.nasm = | 38 > ++++++++++++++++++++ > >> UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c = | 5 > +++ > >> 15 files changed, 212 insertions(+), 1 deletion(-) > >> create mode 100644 > MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceDxe.c > >> create mode 100644 > MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceSmm.c > >> create mode 100644 MdePkg/Library/BaseLib/Ia32/Lfence.nasm > >> create mode 100644 MdePkg/Library/BaseLib/X64/Lfence.nasm > >> > > > > I regression-tested this series using: > > > > (1) roughly the Linux guest steps from > > QEMU,-KVM-and-libvirt#tests-to-perform-in-the-installed-guest-fedora-26- > guest>. > > > > > > Those steps cover all of the SMM variable driver, the SMM FTW driver, > > the SMM lockbox, and PiSmmCpuDxeSmm. > > > > (2) For briefly checking the runtime (non-SMM) variable driver, I boote= d > > Fedora guests on X64 OVMF and AARCH64 ArmVirtQemu, and invoked > > "efibootmgr -v". > > > > series > > Regression-tested-by: Laszlo Ersek >=20 > It's been a long day. I meant to describe another detail of the test > environment: >=20 > Because of the regression reported at > , OVMF is currentl= y > unbootable. Therefore I first applied my fix from > on top of > current master (3cb0a311cb7e). I applied this series of yours for > regression testing on top of my fix. Hi Laszlo, Really appreciate the help for the regression tests. I will document the those regression tests (also with the details) within the BZ trackers: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1193 https://bugzilla.tianocore.org/show_bug.cgi?id=3D1194 Best Regards, Hao Wu >=20 > Thanks > Laszlo > _______________________________________________ > edk2-devel mailing list > edk2-devel@lists.01.org > https://lists.01.org/mailman/listinfo/edk2-devel