From: "Ni, Ray"
To: "Sheng, W", devel@edk2.groups.io
CC: "Dong, Eric", "Kumar, Rahul1"
Subject: Re: [PATCH v4] UefiCpuPkg/PiSmmCpuDxeSmm: Use SMM Interrupt Shadow Stack
Date: Fri, 12 Nov 2021 12:32:54 +0000
References: <20211112014028.9520-1-w.sheng@intel.com>
https://github.com/tianocore/edk2/pull/2203 is created.

> -----Original Message-----
> From: Sheng, W
> Sent: Friday, November 12, 2021 1:12 PM
> To: Ni, Ray ; devel@edk2.groups.io
> Cc: Dong, Eric ; Kumar, Rahul1
> Subject: RE: [PATCH v4] UefiCpuPkg/PiSmmCpuDxeSmm: Use SMM Interrupt Shadow Stack
>
> Hi Ray,
> Thank you very much for the help.
> BR
> Sheng Wei
>
> > -----Original Message-----
> > From: Ni, Ray
> > Sent: November 12, 2021 11:21
> > To: Sheng, W ; devel@edk2.groups.io
> > Cc: Dong, Eric ; Kumar, Rahul1
> > Subject: RE: [PATCH v4] UefiCpuPkg/PiSmmCpuDxeSmm: Use SMM Interrupt Shadow Stack
> >
> > Reviewed-by: Ray Ni
> >
> > I will create the PR by the end of my day today since this patch fixes a critical issue when
> > enabling CET in SMM.
> >
> > > -----Original Message-----
> > > From: Sheng, W
> > > Sent: Friday, November 12, 2021 9:40 AM
> > > To: devel@edk2.groups.io
> > > Cc: Dong, Eric ; Ni, Ray ; Kumar, Rahul1
> > > Subject: [PATCH v4] UefiCpuPkg/PiSmmCpuDxeSmm: Use SMM Interrupt Shadow Stack
> > >
> > > When the CET shadow stack feature is enabled, it needs to use IST for the
> > > exceptions, and uses the interrupt shadow stack for the stack switch.
> > > The shadow stack should be 32 bytes aligned.
> > > Check the IST field when clearing the shadow stack token busy bit when using retf.
> > >
> > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3728
> > >
> > > Signed-off-by: Sheng Wei
> > > Cc: Eric Dong
> > > Cc: Ray Ni
> > > Cc: Rahul Kumar
> > > Reviewed-by: Ray Ni
> > > ---
> > >  .../X64/Xcode5ExceptionHandlerAsm.nasm       | 66 ++++++++++++------
> > >  UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c   | 61 +++++++++++-----
> > >  UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h   | 14 ++++
> > >  UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c      | 12 +++-
> > >  UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c | 81 ++++++++++++----------
> > >  5 files changed, 157 insertions(+), 77 deletions(-)
> > > > > > diff --git > > > > > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5ExceptionHandle > > r > > > Asm.nasm > > > > > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5ExceptionHandle > > r > > > Asm.nasm > > > index 4881a02848..84a12ddb88 100644 > > > --- > > > > > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5ExceptionHandle > > r > > > Asm.nasm > > > +++ > > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5ExceptionHan > > > +++ dlerAsm.nasm > > > @@ -15,17 +15,36 @@ > > > > > > ;--------------------------------------------------------------------= - > > > --------- > > > %include "Nasm.inc" > > > > > > +; > > > +; Equivalent NASM structure of IA32_DESCRIPTOR ; struc > > > +IA32_DESCRIPTOR > > > + .Limit CTYPE_UINT16 1 > > > + .Base CTYPE_UINTN 1 > > > +endstruc > > > + > > > +; > > > +; Equivalent NASM structure of IA32_IDT_GATE_DESCRIPTOR ; struc > > > +IA32_IDT_GATE_DESCRIPTOR > > > + .OffsetLow CTYPE_UINT16 1 > > > + .Selector CTYPE_UINT16 1 > > > + .Reserved_0 CTYPE_UINT8 1 > > > + .GateType CTYPE_UINT8 1 > > > + .OffsetHigh CTYPE_UINT16 1 > > > + .OffsetUpper CTYPE_UINT32 1 > > > + .Reserved_1 CTYPE_UINT32 1 > > > +endstruc > > > + > > > ; > > > ; CommonExceptionHandler() > > > ; > > > > > > %define VC_EXCEPTION 29 > > > -%define PF_EXCEPTION 14 > > > > > > extern ASM_PFX(mErrorCodeFlag) ; Error code flags for exceptions > > > extern ASM_PFX(mDoFarReturnFlag) ; Do far return flag extern > > > ASM_PFX(CommonExceptionHandler) -extern ASM_PFX(FeaturePcdGet > > > (PcdCpuSmmStackGuard)) > > > > > > SECTION .data 
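Review bot: the `.Reserved_0` member of the new IA32_IDT_GATE_DESCRIPTOR struc is the byte the handler later reads the IST index from, but nothing at the definition says so; in a 64-bit gate descriptor bits 0..2 of that byte are the IST field and bits 3..7 are reserved. Add a comment on that line (or an `.Ist` alias at the same offset) so the IST test in the next hunk can be read without the SDM open. Dropping `extern ASM_PFX(FeaturePcdGet (PcdCpuSmmStackGuard))` together with `%define PF_EXCEPTION 14` is consistent with the handler no longer keying on the stack-guard PCD or on #PF specifically.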
> > > > > > @@ -282,42 +301,49 @@ DrFinish: > > > > > > ; The follow algorithm is used for clear shadow stack token busy= bit. > > > ; The comment is based on the sample shadow stack. > > > + ; Shadow stack is 32 bytes aligned. > > > ; The sample shadow stack layout : > > > ; Address | Context > > > ; +-------------------------+ > > > - ; 0xFD0 | FREE | it is 0xFD8|0x02|(LMA & CS= .L), after > > SAVEPREVSSP. > > > + ; 0xFB8 | FREE | It is 0xFC0|0x02|(LMA & CS= .L), after > > SAVEPREVSSP. > > > ; +-------------------------+ > > > - ; 0xFD8 | Prev SSP | > > > + ; 0xFC0 | Prev SSP | > > > ; +-------------------------+ > > > - ; 0xFE0 | RIP | > > > + ; 0xFC8 | RIP | > > > ; +-------------------------+ > > > - ; 0xFE8 | CS | > > > + ; 0xFD0 | CS | > > > ; +-------------------------+ > > > - ; 0xFF0 | 0xFF0 | BUSY | BUSY flag cleared after CL= RSSBSY > > > + ; 0xFD8 | 0xFD8 | BUSY | BUSY flag cleared after CL= RSSBSY > > > ; +-------------------------+ > > > - ; 0xFF8 | 0xFD8|0x02|(LMA & CS.L) | > > > + ; 0xFE0 | 0xFC0|0x02|(LMA & CS.L) | > > > ; +-------------------------+ > > > ; Instructions for Intel Control Flow Enforcement Technology (CE= T) are > > supported since NASM version 2.15.01. 
> > > cmp qword [ASM_PFX(mDoFarReturnFlag)], 0 > > > jz CetDone > > > - cmp qword [rbp + 8], PF_EXCEPTION ; check if it is a Page = Fault > > > - jnz CetDone > > > - cmp byte [dword ASM_PFX(FeaturePcdGet > > (PcdCpuSmmStackGuard))], 0 > > > - jz CetDone > > > mov rax, cr4 > > > - and rax, 0x800000 ; check if CET is enabled > > > + and rax, 0x800000 ; Check if CET is enabled > > > + jz CetDone > > > + sub rsp, 0x10 > > > + sidt [rsp] > > > + mov rcx, qword [rsp + IA32_DESCRIPTOR.Base]; Get IDT base ad= dress > > > + add rsp, 0x10 > > > + mov rax, qword [rbp + 8]; Get exception number > > > + sal rax, 0x04 ; Get IDT offset > > > + add rax, rcx ; Get IDT gate descriptor address > > > + mov al, byte [rax + IA32_IDT_GATE_DESCRIPTOR.Reserved_0] > > > + and rax, 0x01 ; Check IST field > > > jz CetDone > > > - ; SSP should be 0xFD8 at this point > > > + ; SSP should be 0xFC0 at this point > > > mov rax, 0x04 ; advance past cs:lip:prevssp;superv= isor shadow > > stack token > > > - INCSSP_RAX ; After this SSP should be 0xFF8 > > > - SAVEPREVSSP ; now the shadow stack restore token= will be > > created at 0xFD0 > > > - READSSP_RAX ; Read new SSP, SSP should be 0x1000 > > > + INCSSP_RAX ; After this SSP should be 0xFE0 > > > + SAVEPREVSSP ; now the shadow stack restore token= will be > > created at 0xFB8 > > > + READSSP_RAX ; Read new SSP, SSP should be 0xFE8 > > > sub rax, 0x10 > > > - CLRSSBSY_RAX ; Clear token at 0xFF0, SSP should b= e 0 after this > > > + CLRSSBSY_RAX ; Clear token at 0xFD8, SSP should b= e 0 after this > > > sub rax, 0x20 > > > - RSTORSSP_RAX ; Restore to token at 0xFD0, new SSP= will be > > 0xFD0 > > > + RSTORSSP_RAX ; Restore to token at 0xFB8, new SSP= will be > > 0xFB8 > > > mov rax, 0x01 ; Pop off the new save token created > > > - INCSSP_RAX ; SSP should be 0xFD8 now > > > + INCSSP_RAX ; SSP should be 0xFC0 now > > > CetDone: > > > > > > cli 
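Review bot: `and rax, 0x01` after `mov al, byte [rax + IA32_IDT_GATE_DESCRIPTOR.Reserved_0]` tests only bit 0 of the 3-bit IST field, so the token clean-up would run for a gate with IST 3, 5 or 7 and be skipped for IST 2, 4 or 6, while the interrupt SSP table filled in SmmFuncsArch.c only has entry 1. Either check for exactly the value that is programmed (`movzx eax, byte [rax + IA32_IDT_GATE_DESCRIPTOR.Reserved_0]`, `and eax, 0x07`, `cmp eax, 1`, `jne CetDone`) or mask with 0x07 and state in a comment that every IST stack used here carries a supervisor shadow stack token. Loading into `al` and then relying on the `and` to discard the descriptor address left in the upper bytes of rax works, but `movzx` makes the intent explicit and survives a later edit of the mask. With the `PF_EXCEPTION` and PcdCpuSmmStackGuard checks removed, this path now runs for every exception whose gate has the IST bit set, which matches the #PF and #MC programming in PageTbl.c; worth one sentence in the comment block above the token walk-through.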
> > > diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c > > > b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c > > > index 67ad9a4c07..2b2e1a5390 100644 > > > --- a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c > > > +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c 
> > > @@ -861,35 +861,58 @@ PiCpuSmmEntry ( > > > mSmmStackSize =3D EFI_PAGES_TO_SIZE (EFI_SIZE_TO_PAGES (PcdGet32 > > (PcdCpuSmmStackSize))); > > > if (FeaturePcdGet (PcdCpuSmmStackGuard)) { > > > // > > > - // 2 more pages is allocated for each processor. > > > - // one is guard page and the other is known good stack. > > > + // SMM Stack Guard Enabled > > > + // 2 more pages is allocated for each processor, one is guard = page and > > the other is known good stack. > > > // > > > - // +-------------------------------------------+-----+----------= ---------------------- > > -----------+ > > > - // | Known Good Stack | Guard Page | SMM Stack | ... | Known Goo= d > > Stack | Guard Page | SMM Stack | > > > - // +-------------------------------------------+-----+----------= ---------------------- > > -----------+ > > > - // | | | = | > > > - // |<-------------- Processor 0 -------------->| |<---------= ----- Processor n > > -------------->| > > > + // +--------------------------------------------------+-----+---= ---------------------- > > -------------------------+ > > > + // | Known Good Stack | Guard Page | SMM Stack | ... 
| Kn= own > > Good Stack | Guard Page | SMM Stack | > > > + // +--------------------------------------------------+-----+---= ---------------------- > > -------------------------+ > > > + // | 4K | 4K PcdCpuSmmStackSize| | = 4K | 4K > > PcdCpuSmmStackSize| > > > + // |<---------------- mSmmStackSize ----------------->| |<--= -------------- > > mSmmStackSize ----------------->| > > > + // | | | = | > > > + // |<------------------ Processor 0 ----------------->| |<--= ---------------- > > Processor n ----------------->| > > > // > > > mSmmStackSize +=3D EFI_PAGES_TO_SIZE (2); > > > } > > > > > > mSmmShadowStackSize =3D 0; > > > if ((PcdGet32 (PcdControlFlowEnforcementPropertyMask) !=3D 0) && > > mCetSupported) { > > > - // > > > - // Append Shadow Stack after normal stack > > > - // > > > - // |=3D Stacks > > > - // +--------------------------------------------------+---------= ----------------------- > > -------------------------------+ > > > - // | Known Good Stack | Guard Page | SMM Stack | Known Go= od > > Shadow Stack | Guard Page | SMM Shadow Stack | > > > - // +--------------------------------------------------+---------= ----------------------- > > -------------------------------+ > > > - // | |PcdCpuSmmStackSize| > > |PcdCpuSmmShadowStackSize| > > > - // |<---------------- mSmmStackSize ----------------->|<--------= ------------- > > mSmmShadowStackSize ------------------->| > > > - // | = | > > > - // |<-------------------------------------------- Processor N --= -------------------- > > --------------------------------->| > > > - // > > > mSmmShadowStackSize =3D EFI_PAGES_TO_SIZE (EFI_SIZE_TO_PAGES > > > (PcdGet32 (PcdCpuSmmShadowStackSize))); > > > + > > > if (FeaturePcdGet (PcdCpuSmmStackGuard)) { > > > + // > > > + // SMM Stack Guard Enabled > > > + // Append Shadow Stack after normal stack > > > + // 2 more pages is allocated for each processor, one is guar= d page and > > the other is known good shadow stack. 
> > > + // > > > + // |=3D Stacks > > > + // +--------------------------------------------------+-------= ----------------------- > > ---------------------------------+ > > > + // | Known Good Stack | Guard Page | SMM Stack | Known = Good > > Shadow Stack | Guard Page | SMM Shadow Stack | > > > + // +--------------------------------------------------+-------= ----------------------- > > ---------------------------------+ > > > + // | 4K | 4K |PcdCpuSmmStackSize| = 4K | 4K > > |PcdCpuSmmShadowStackSize| > > > + // |<---------------- mSmmStackSize ----------------->|<------= --------------- > > mSmmShadowStackSize ------------------->| > > > + // | = | > > > + // |<-------------------------------------------- Processor N = -------------------- > > ----------------------------------->| > > > + // > > > mSmmShadowStackSize +=3D EFI_PAGES_TO_SIZE (2); > > > + } else { > > > + // > > > + // SMM Stack Guard Disabled (Known Good Stack is still require= d for > > potential stack switch.) > > > + // Append Shadow Stack after normal stack with 1 more page a= s > > known good shadow stack. > > > + // 1 more pages is allocated for each processor, it is known= good stack. > > > + // > > > + // > > > + // |=3D Stacks > > > + // +-------------------------------------+--------------------= ----------------------- > > -------+ > > > + // | Known Good Stack | SMM Stack | Known Good Shadow S= tack | > > SMM Shadow Stack | > > > + // +-------------------------------------+--------------------= ----------------------- > > -------+ > > > + // | 4K |PcdCpuSmmStackSize| 4K > > |PcdCpuSmmShadowStackSize| > > > + // |<---------- mSmmStackSize ---------->|<--------------- > > mSmmShadowStackSize ------------>| > > > + // | = | > > > + // |<-------------------------------- Processor N ------------= -------------------- > > --------->| > > > + // > > > + mSmmShadowStackSize +=3D EFI_PAGES_TO_SIZE (1); > > > + mSmmStackSize +=3D EFI_PAGES_TO_SIZE (1); > > > } > > > } 
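Review bot: the page accounting in the new else branch (`mSmmShadowStackSize += EFI_PAGES_TO_SIZE (1); mSmmStackSize += EFI_PAGES_TO_SIZE (1);`) has to agree with the separate computation of SmmShadowStackSize in InitShadowStack (SmmFuncsArch.c), which this patch also changes; the two match today (two extra shadow-stack pages with PcdCpuSmmStackGuard, one without) but nothing ties them together, so a future edit to one side would silently move mCetPl0Ssp off the end of the per-CPU region. Suggest computing the per-CPU shadow-stack size once and sharing it, or an ASSERT in InitShadowStack against mSmmShadowStackSize. Comment wording: "2 more pages is allocated" should be "are allocated", and "1 more pages is allocated for each processor, it is known good stack." should read "1 more page is allocated for each processor as the known good stack."; the else block also has two consecutive empty `//` lines.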
> > > > > > diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h > > > b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h > > > index 2248a8c5ee..fc9b748948 100644 > > > --- a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h > > > +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h > > > @@ -557,6 +557,20 @@ InitializeIDTSmmStackGuard ( > > > VOID > > > ); > > > > > > +/** > > > + Initialize IDT IST Field. > > > + > > > + @param[in] ExceptionType Exception type. > > > + @param[in] Ist IST value. > > > + > > > +**/ > > > +VOID > > > +EFIAPI > > > +InitializeIdtIst ( > > > + IN EFI_EXCEPTION_TYPE ExceptionType, > > > + IN UINT8 Ist > > > + ); > > > + > > > /** > > > Initialize Gdt for all processors. > > > > > > diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c > > > b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c > > > index d6f8dd94d3..211a78b1c4 100644 > > > --- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c > > > +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c > > > @@ -481,7 +481,17 @@ SmmInitPageTable ( > > > // Additional SMM IDT initialization for SMM stack guard > > > // > > > if (FeaturePcdGet (PcdCpuSmmStackGuard)) { > > > - InitializeIDTSmmStackGuard (); > > > + DEBUG ((DEBUG_INFO, "Initialize IDT IST field for SMM Stack > > Guard\n")); > > > + InitializeIdtIst (EXCEPT_IA32_PAGE_FAULT, 1); } > > > + > > > + // > > > + // Additional SMM IDT initialization for SMM CET shadow stack // > > > + if ((PcdGet32 (PcdControlFlowEnforcementPropertyMask) !=3D 0) && > > mCetSupported) { > > > + DEBUG ((DEBUG_INFO, "Initialize IDT IST field for SMM Shadow > > Stack\n")); > > > + InitializeIdtIst (EXCEPT_IA32_PAGE_FAULT, 1); > > > + InitializeIdtIst (EXCEPT_IA32_MACHINE_CHECK, 1); > > > } > > > > > > // > > > diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c > > b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c > > > index ca3f5ff91a..ce7afce6d4 100644 > > > --- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c > > > +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c 
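Review bot: in the PageTbl.c hunk, `InitializeIdtIst (EXCEPT_IA32_PAGE_FAULT, 1);` and `InitializeIdtIst (EXCEPT_IA32_MACHINE_CHECK, 1);` put #PF and #MC on the same IST1 stack, and the interrupt SSP table in SmmFuncsArch.c only fills entry 1, so both handlers also share one interrupt shadow stack. A #PF taken while the #MC handler is running (or an #MC during the #PF handler) re-enters at the top of the same IST stack and overwrites the outer frame, and the supervisor shadow stack token at that SSP is still busy from the first entry. If that nesting is ruled out in SMM, state it in a comment here; otherwise give #MC its own IST index and SSP-table entry. Minor: when both PcdCpuSmmStackGuard and CET are enabled the #PF IST is programmed twice, which is harmless but reads as if two different things were being set.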
> > > @@ -24,24 +24,24 @@ UINT32 mCetInterruptSspTable; > > > UINTN mSmmInterruptSspTables; > > > > > > /** > > > - Initialize IDT for SMM Stack Guard. > > > + Initialize IDT IST Field. > > > + > > > + @param[in] ExceptionType Exception type. > > > + @param[in] Ist IST value. > > > > > > **/ > > > VOID > > > EFIAPI > > > -InitializeIDTSmmStackGuard ( > > > - VOID > > > +InitializeIdtIst ( > > > + IN EFI_EXCEPTION_TYPE ExceptionType, > > > + IN UINT8 Ist > > > ) > > > { > > > IA32_IDT_GATE_DESCRIPTOR *IdtGate; > > > > > > - // > > > - // If SMM Stack Guard feature is enabled, set the IST field of > > > - // the interrupt gate for Page Fault Exception to be 1 > > > - // > > > IdtGate =3D (IA32_IDT_GATE_DESCRIPTOR *)gcSmiIdtr.Base; > > > - IdtGate +=3D EXCEPT_IA32_PAGE_FAULT; > > > - IdtGate->Bits.Reserved_0 =3D 1; > > > + IdtGate +=3D ExceptionType; > > > + IdtGate->Bits.Reserved_0 =3D Ist; > > > } > > > > > > /** > > > @@ -89,7 +89,7 @@ InitGdt ( > > > GdtDescriptor->Bits.BaseMid =3D (UINT8)((UINTN)TssBase >> 16); > > > GdtDescriptor->Bits.BaseHigh =3D (UINT8)((UINTN)TssBase >> 24); > > > > > > - if (FeaturePcdGet (PcdCpuSmmStackGuard)) { > > > + if ((FeaturePcdGet (PcdCpuSmmStackGuard)) || ((PcdGet32 > > (PcdControlFlowEnforcementPropertyMask) !=3D 0) && > > > mCetSupported)) { > > > // > > > // Setup top of known good stack as IST1 for each processor. > > > // 
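Review bot: in the InitializeIdtIst hunk, `IdtGate->Bits.Reserved_0 = Ist;` stores the caller's byte unmasked into a field whose upper five bits are reserved, and `IdtGate += ExceptionType;` indexes from gcSmiIdtr.Base without comparing against gcSmiIdtr.Limit. Suggest `ASSERT (Ist <= 7);` and `ASSERT ((ExceptionType + 1) * sizeof (IA32_IDT_GATE_DESCRIPTOR) <= (UINTN)gcSmiIdtr.Limit + 1);` before the write, plus a sentence in the doc comment that Ist == 0 restores the no-stack-switch behaviour.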
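Review bot: in the InitGdt hunk the condition is widened to `(FeaturePcdGet (PcdCpuSmmStackGuard)) || ((PcdGet32 (PcdControlFlowEnforcementPropertyMask) != 0) && mCetSupported)` but the comment beneath it still gives only the stack-guard reason ("Setup top of known good stack as IST1 for each processor"); add that the CET interrupt shadow stack also needs an IST stack. The same compound predicate now appears in PiSmmCpuDxeSmm.c, PageTbl.c and here; a single helper would keep the three sites from diverging.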
> > > @@ -177,8 +177,16 @@ InitShadowStack ( > > > > > > if ((PcdGet32 (PcdControlFlowEnforcementPropertyMask) !=3D 0) && > > mCetSupported) { > > > SmmShadowStackSize =3D EFI_PAGES_TO_SIZE (EFI_SIZE_TO_PAGES > > (PcdGet32 (PcdCpuSmmShadowStackSize))); > > > + // > > > + // Add 1 page as known good shadow stack > > > + // > > > + SmmShadowStackSize +=3D EFI_PAGES_TO_SIZE (1); > > > + > > > if (FeaturePcdGet (PcdCpuSmmStackGuard)) { > > > - SmmShadowStackSize +=3D EFI_PAGES_TO_SIZE (2); > > > + // > > > + // Add one guard page between Known Good Shadow Stack and SMM > > Shadow Stack. > > > + // > > > + SmmShadowStackSize +=3D EFI_PAGES_TO_SIZE (1); > > > } > > > mCetPl0Ssp =3D (UINT32)((UINTN)ShadowStack + SmmShadowStackSize = - > > sizeof(UINT64)); > > > PatchInstructionX86 (mPatchCetPl0Ssp, mCetPl0Ssp, 4); 
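Review bot: the commit message says the shadow stack must be 32 bytes aligned and the next hunk realigns InterruptSsp with `& ~0x1f`, but this hunk leaves `mCetPl0Ssp = (UINT32)((UINTN)ShadowStack + SmmShadowStackSize - sizeof(UINT64));`, which is only 8-byte aligned (page top minus 8). If IA32_PL0_SSP is exempt from the 32-byte rule, say so in a comment next to it; if not, apply the same mask here.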
> > > @@ -186,33 +194,32 @@ InitShadowStack ( > > > DEBUG ((DEBUG_INFO, "ShadowStack - 0x%x\n", ShadowStack)); > > > DEBUG ((DEBUG_INFO, " SmmShadowStackSize - 0x%x\n", > > SmmShadowStackSize)); > > > > > > - if (FeaturePcdGet (PcdCpuSmmStackGuard)) { > > > - if (mSmmInterruptSspTables =3D=3D 0) { > > > - mSmmInterruptSspTables =3D (UINTN)AllocateZeroPool(sizeof(UI= NT64) > > * 8 * gSmmCpuPrivate- > > > >SmmCoreEntryContext.NumberOfCpus); > > > - ASSERT (mSmmInterruptSspTables !=3D 0); > > > - DEBUG ((DEBUG_INFO, "mSmmInterruptSspTables - 0x%x\n", > > mSmmInterruptSspTables)); > > > - } > > > - > > > - // > > > - // The highest address on the stack (0xFF8) is a save-previous= -ssp > > token pointing to a location that is 40 bytes away - 0xFD0. > > > - // The supervisor shadow stack token is just above it at addre= ss 0xFF0. > > This is where the interrupt SSP table points. > > > - // So when an interrupt of exception occurs, we can use > > SAVESSP/RESTORESSP/CLEARSSBUSY for the supervisor shadow > > > stack, > > > - // due to the reason the RETF in SMM exception handler cannot = clear > > the BUSY flag with same CPL. > > > - // (only IRET or RETF with different CPL can clear BUSY flag) > > > - // Please refer to UefiCpuPkg/Library/CpuExceptionHandlerLib/X= 64 for > > the full stack frame at runtime. 
> > > - // > > > - InterruptSsp =3D (UINT32)((UINTN)ShadowStack + EFI_PAGES_TO_SI= ZE(1) > > - sizeof(UINT64)); > > > - *(UINT64 *)(UINTN)InterruptSsp =3D (InterruptSsp - sizeof(UINT= 64) * 4) | > > 0x2; > > > - mCetInterruptSsp =3D InterruptSsp - sizeof(UINT64); > > > - > > > - mCetInterruptSspTable =3D (UINT32)(UINTN)(mSmmInterruptSspTabl= es > > + sizeof(UINT64) * 8 * CpuIndex); > > > - InterruptSspTable =3D (UINT64 *)(UINTN)mCetInterruptSspTable; > > > - InterruptSspTable[1] =3D mCetInterruptSsp; > > > - PatchInstructionX86 (mPatchCetInterruptSsp, mCetInterruptSsp, = 4); > > > - PatchInstructionX86 (mPatchCetInterruptSspTable, > > mCetInterruptSspTable, 4); > > > - DEBUG ((DEBUG_INFO, "mCetInterruptSsp - 0x%x\n", > > mCetInterruptSsp)); > > > - DEBUG ((DEBUG_INFO, "mCetInterruptSspTable - 0x%x\n", > > mCetInterruptSspTable)); > > > + if (mSmmInterruptSspTables =3D=3D 0) { > > > + mSmmInterruptSspTables =3D (UINTN)AllocateZeroPool(sizeof(UINT= 64) > > * 8 * gSmmCpuPrivate- > > > >SmmCoreEntryContext.NumberOfCpus); > > > + ASSERT (mSmmInterruptSspTables !=3D 0); > > > + DEBUG ((DEBUG_INFO, "mSmmInterruptSspTables - 0x%x\n", > > mSmmInterruptSspTables)); > > > } > > > + > > > + // > > > + // The highest address on the stack (0xFE0) is a save-previous-s= sp token > > pointing to a location that is 40 bytes away - 0xFB8. > > > + // The supervisor shadow stack token is just above it at address= 0xFD8. > > This is where the interrupt SSP table points. > > > + // So when an interrupt of exception occurs, we can use > > SAVESSP/RESTORESSP/CLEARSSBUSY for the supervisor shadow > > > stack, > > > + // due to the reason the RETF in SMM exception handler cannot cl= ear > > the BUSY flag with same CPL. > > > + // (only IRET or RETF with different CPL can clear BUSY flag) > > > + // Please refer to UefiCpuPkg/Library/CpuExceptionHandlerLib/X64= for > > the full stack frame at runtime. > > > + // According to SDM (ver. 
075 June 2021), shadow stack should be= 32 > > bytes aligned. > > > + // > > > + InterruptSsp =3D (UINT32)(((UINTN)ShadowStack + EFI_PAGES_TO_SIZ= E(1) > > - (sizeof(UINT64) * 4)) & ~0x1f); > > > + *(UINT64 *)(UINTN)InterruptSsp =3D (InterruptSsp - sizeof(UINT64= ) * 4) | > > 0x2; > > > + mCetInterruptSsp =3D InterruptSsp - sizeof(UINT64); > > > + > > > + mCetInterruptSspTable =3D (UINT32)(UINTN)(mSmmInterruptSspTables= + > > sizeof(UINT64) * 8 * CpuIndex); > > > + InterruptSspTable =3D (UINT64 *)(UINTN)mCetInterruptSspTable; > > > + InterruptSspTable[1] =3D mCetInterruptSsp; > > > + PatchInstructionX86 (mPatchCetInterruptSsp, mCetInterruptSsp, 4)= ; > > > + PatchInstructionX86 (mPatchCetInterruptSspTable, > > mCetInterruptSspTable, 4); > > > + DEBUG ((DEBUG_INFO, "mCetInterruptSsp - 0x%x\n", > > mCetInterruptSsp)); > > > + DEBUG ((DEBUG_INFO, "mCetInterruptSspTable - 0x%x\n", > > mCetInterruptSspTable)); > > > } > > > } > > > > > > -- > > > 2.16.2.windows.1
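Review bot: the new comment says the token at the top of the stack (0xFE0) points "to a location that is 40 bytes away - 0xFB8", but the value written is `(InterruptSsp - sizeof(UINT64) * 4) | 0x2`, i.e. 0xFC0 | 2 in that layout; 0xFB8 is where SAVEPREVSSP later creates the previous-SSP token (as the asm comment in Xcode5ExceptionHandlerAsm.nasm says), not what this token encodes. Reword to "the restore token at 0xFE0 encodes SSP 0xFC0; SAVEPREVSSP will create the previous-SSP token 8 bytes below that, at 0xFB8" so the two comments agree. Also, the `(UINT32)` casts on mCetInterruptSsp and mCetInterruptSspTable silently assume the shadow stack and the SSP table sit below 4 GiB; an `ASSERT (((UINTN)ShadowStack >> 32) == 0)` (and likewise for mSmmInterruptSspTables) would make the 4-byte PatchInstructionX86 patches safe to reason about.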