From: "Dong, Eric"
To: "Sheng, W", "devel@edk2.groups.io"
CC: "Ni, Ray", Laszlo Ersek, "Kumar, Rahul1", "Yao, Jiewen", "Zhuang, Qihua", "Dong, Daquan", "Tong, Justin", "Xu, Tom"
Subject: Re: [PATCH] UefiCpuPkg/ExceptionLib: Conditionally clear shadow stack token busy bit
Date: Tue, 6 Jul 2021 02:53:01 +0000
References: <20210702052840.15860-1-w.sheng@intel.com>
In-Reply-To: <20210702052840.15860-1-w.sheng@intel.com>
Reviewed-by: Eric Dong

-----Original Message-----
From: Sheng, W
Sent: Friday, July 2, 2021 1:29 PM
To: devel@edk2.groups.io
Cc: Dong, Eric; Ni, Ray; Laszlo Ersek; Kumar, Rahul1; Yao, Jiewen; Zhuang, Qihua; Dong, Daquan; Tong, Justin; Xu, Tom
Subject: [PATCH] UefiCpuPkg/ExceptionLib: Conditionally clear shadow stack token busy bit

When entering an SMM exception, there will be a stack switch only if the IST field of the interrupt gate is set. When the CET shadow stack feature is enabled, if there is a stack switch between the SMM exception and SMM, the shadow stack token busy bit needs to be cleared when returning from the SMM exception to SMM. In UEFI BIOS, only the page fault exception does the stack switch when the SMM stack guard feature is enabled. The condition for clearing the shadow stack token busy bit should be: SMM stack guard enabled, CET shadow stack feature enabled, and page fault exception.

The shadow stack token should be initialized as a UINT64.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3462

Signed-off-by: Sheng Wei
Cc: Eric Dong
Cc: Ray Ni
Cc: Laszlo Ersek
Cc: Rahul Kumar
Cc: Jiewen Yao
Cc: Qihua Zhuang
Cc: Daquan Dong
Cc: Justin Tong
Cc: Tom Xu
---
 .../X64/Xcode5ExceptionHandlerAsm.nasm       | 83 +++++++++++-----------
 UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c |  2 +-
 2 files changed, 43 insertions(+), 42 deletions(-)
diff --git a/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5ExceptionH= andlerAsm.nasm b/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5Except= ionHandlerAsm.nasm index ebe0eec874..4881a02848 100644 --- a/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5ExceptionHandlerA= sm.nasm +++ b/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5ExceptionHandl +++ erAsm.nasm 
@@ -20,6 +20,7 @@ ; =20 %define VC_EXCEPTION 29 +%define PF_EXCEPTION 14 =20 extern ASM_PFX(mErrorCodeFlag) ; Error code flags for exceptions extern ASM_PFX(mDoFarReturnFlag) ; Do far return flag @@ -279,6 +280,46 @= @ DrFinish: call ASM_PFX(CommonExceptionHandler) add rsp, 4 * 8 + 8 =20 + ; The follow algorithm is used for clear shadow stack token busy bit. + ; The comment is based on the sample shadow stack. + ; The sample shadow stack layout : + ; Address | Context + ; +-------------------------+ + ; 0xFD0 | FREE | it is 0xFD8|0x02|(LMA & CS.L), a= fter SAVEPREVSSP. + ; +-------------------------+ + ; 0xFD8 | Prev SSP | + ; +-------------------------+ + ; 0xFE0 | RIP | + ; +-------------------------+ + ; 0xFE8 | CS | + ; +-------------------------+ + ; 0xFF0 | 0xFF0 | BUSY | BUSY flag cleared after CLRSSBSY + ; +-------------------------+ + ; 0xFF8 | 0xFD8|0x02|(LMA & CS.L) | + ; +-------------------------+ + ; Instructions for Intel Control Flow Enforcement Technology (CET) are= supported since NASM version 2.15.01. + cmp qword [ASM_PFX(mDoFarReturnFlag)], 0 + jz CetDone + cmp qword [rbp + 8], PF_EXCEPTION ; check if it is a Page Fault + jnz CetDone + cmp byte [dword ASM_PFX(FeaturePcdGet (PcdCpuSmmStackGuard))], 0 + jz CetDone + mov rax, cr4 + and rax, 0x800000 ; check if CET is enabled + jz CetDone + ; SSP should be 0xFD8 at this point + mov rax, 0x04 ; advance past cs:lip:prevssp;supervisor s= hadow stack token + INCSSP_RAX ; After this SSP should be 0xFF8 + SAVEPREVSSP ; now the shadow stack restore token will = be created at 0xFD0 + READSSP_RAX ; Read new SSP, SSP should be 0x1000 + sub rax, 0x10 + CLRSSBSY_RAX ; Clear token at 0xFF0, SSP should be 0 af= ter this + sub rax, 0x20 + RSTORSSP_RAX ; Restore to token at 0xFD0, new SSP will = be 0xFD0 + mov rax, 0x01 ; Pop off the new save token created + INCSSP_RAX ; SSP should be 0xFD8 now +CetDone: + cli ;; UINT64 ExceptionData; add rsp, 8 
@@ -373,47 +414,7 @@ DoReturn: push qword [rax + 0x18] ; save EFLAGS in new location mov rax, [rax] ; restore rax popfq ; restore EFLAGS - - ; The follow algorithm is used for clear shadow stack token busy bit. - ; The comment is based on the sample shadow stack. - ; The sample shadow stack layout : - ; Address | Context - ; +-------------------------+ - ; 0xFD0 | FREE | it is 0xFD8|0x02|(LMA & CS.L), a= fter SAVEPREVSSP. - ; +-------------------------+ - ; 0xFD8 | Prev SSP | - ; +-------------------------+ - ; 0xFE0 | RIP | - ; +-------------------------+ - ; 0xFE8 | CS | - ; +-------------------------+ - ; 0xFF0 | 0xFF0 | BUSY | BUSY flag cleared after CLRSSBSY - ; +-------------------------+ - ; 0xFF8 | 0xFD8|0x02|(LMA & CS.L) | - ; +-------------------------+ - ; Instructions for Intel Control Flow Enforcement Technology (CET) are= supported since NASM version 2.15.01. - push rax ; SSP should be 0xFD8 at this point - cmp byte [dword ASM_PFX(FeaturePcdGet (PcdCpuSmmStackGuard))], 0 - jz CetDone - mov rax, cr4 - and rax, 0x800000 ; check if CET is enabled - jz CetDone - mov rax, 0x04 ; advance past cs:lip:prevssp;supervisor s= hadow stack token - INCSSP_RAX ; After this SSP should be 0xFF8 - SAVEPREVSSP ; now the shadow stack restore token will = be created at 0xFD0 - READSSP_RAX ; Read new SSP, SSP should be 0x1000 - push rax - sub rax, 0x10 - CLRSSBSY_RAX ; Clear token at 0xFF0, SSP should be 0 af= ter this - sub rax, 0x20 - RSTORSSP_RAX ; Restore to token at 0xFD0, new SSP will = be 0xFD0 - pop rax - mov rax, 0x01 ; Pop off the new save token created - INCSSP_RAX ; SSP should be 0xFD8 now -CetDone: - pop rax ; restore rax - - DB 0x48 ; prefix to composite "retq" with next "re= tf" + DB 0x48 ; prefix to composite "retq" with next "re= tf" retf ; far return DoIret: iretq diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c b/UefiCpuPkg/PiSm= mCpuDxeSmm/X64/SmmFuncsArch.c index 661c1ba294..ca3f5ff91a 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c 
+++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c @@ -202,7 +202,7 @@ InitShadowStack ( // Please refer to UefiCpuPkg/Library/CpuExceptionHandlerLib/X64 for= the full stack frame at runtime. // InterruptSsp =3D (UINT32)((UINTN)ShadowStack + EFI_PAGES_TO_SIZE(1) = - sizeof(UINT64)); - *(UINT32 *)(UINTN)InterruptSsp =3D (InterruptSsp - sizeof(UINT64) * = 4) | 0x2; + *(UINT64 *)(UINTN)InterruptSsp =3D (InterruptSsp - sizeof(UINT64) *= =20 + 4) | 0x2; mCetInterruptSsp =3D InterruptSsp - sizeof(UINT64); =20 mCetInterruptSspTable =3D (UINT32)(UINTN)(mSmmInterruptSspTables + s= izeof(UINT64) * 8 * CpuIndex); -- 2.16.2.windows.1
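Review bot: `%define PF_EXCEPTION 14` in the first hunk of Xcode5ExceptionHandlerAsm.nasm is introduced without saying what it is for; since it exists only to gate the CET cleanup on the one SMM exception that switches stacks, add a comment next to the define (for example `; vector 14, the only SMM exception with an IST stack switch`) so the coupling to the stack-guard #PF handler is visible where the constant is declared.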
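Review bot: in the DrFinish hunk the cleanup is gated on `cmp qword [rbp + 8], PF_EXCEPTION` and on PcdCpuSmmStackGuard, while the commit message says the actual trigger is the IST field of the interrupt gate; hard-wiring #PF means a future SMM exception that also uses an IST stack would return with the busy bit still set, so at minimum state that assumption in the comment block above the check (the existing comment only describes the token layout), or derive the condition from the gate's IST field so the two cannot drift apart. Please also confirm two things the diff does not show: that `[rbp + 8]` is the vector slot this frame passes to `CommonExceptionHandler`, and that the `push rax`/`pop rax` pair that wrapped the old sequence is not needed here because the general registers are still restored from the saved context after `CetDone`. Minor: the carried-over comment `; The follow algorithm is used for clear shadow stack token busy bit.` should read `; The following algorithm is used to clear the shadow stack token busy bit.`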
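Review bot: the `- DB 0x48` / `+ DB 0x48` pair at the end of the DoReturn hunk appears to change only the indentation of the retq/retf prefix line; if so, drop that change so the hunk is purely the removal of the old CET block and blame on that line stays intact. A one-line comment at DoReturn noting that the shadow stack token cleanup now happens at DrFinish, before the register context is restored, would save the next reader from looking for the old sequence here.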
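Review bot: widening the store to `*(UINT64 *)(UINTN)InterruptSsp` is the right fix, because a UINT32 store left the high dword of the 8-byte token slot unwritten, but the commit message only says the token "should be initialized by UINT64" and should state that reason. Two follow-ups on the same line: `InterruptSsp` stays a UINT32 and the token value is still built from it, so the result is correct only while the shadow stack page lies below 4 GiB; either document that assumption next to the write or ASSERT that the address fits. And the assembly comment describes this slot as `0xFD8|0x02|(LMA & CS.L)` while the C writes only `| 0x2`, leaving bit 0 clear; please confirm whether that is intentional for the 64-bit SMM handler or whether bit 0 should be set here too.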
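As an added example, not edk2 code: a C model of the token write that the SmmFuncsArch.c hunk changes, using a constructed 4 KiB buffer in place of the shadow stack page and hypothetical helper names (MakeInterruptToken, WriteTokenU32, WriteTokenU64). It assumes a little-endian host and shows what each store width leaves in the 8-byte token slot.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096u
typedef uint32_t UINT32; typedef uint64_t UINT64;

/* Constructed stand-in for the SMM shadow stack page; 0xCC models stale contents. */
uint8_t ShadowStackPage[PAGE_SIZE];

/* Hypothetical helper: the token as the patched line computes it, i.e. four
 * 8-byte slots below InterruptSsp with bit 1 set (bit 0 clear, as in the C). */
UINT32 MakeInterruptToken(UINT32 InterruptSsp)
{
    return (InterruptSsp - (UINT32)(sizeof(UINT64) * 4)) | 0x2;
}

/* Read back the top 8-byte slot of the page (little-endian host assumed). */
static UINT64 ReadTopSlot(const uint8_t *Page)
{
    UINT64 Value;
    memcpy(&Value, Page + PAGE_SIZE - sizeof(UINT64), sizeof(Value));
    return Value;
}

/* Before the patch: a 4-byte store writes only the low dword of the slot. */
UINT64 WriteTokenU32(uint8_t *Page, UINT32 Token)
{
    memset(Page, 0xCC, PAGE_SIZE);
    memcpy(Page + PAGE_SIZE - sizeof(UINT64), &Token, sizeof(UINT32));
    return ReadTopSlot(Page);
}

/* After the patch: the whole slot is written, zero-extending the token. */
UINT64 WriteTokenU64(uint8_t *Page, UINT32 Token)
{
    UINT64 Wide = Token;
    memset(Page, 0xCC, PAGE_SIZE);
    memcpy(Page + PAGE_SIZE - sizeof(UINT64), &Wide, sizeof(UINT64));
    return ReadTopSlot(Page);
}

int main(void)
{
    /* Constructed page base 0x1000: InterruptSsp is 0x1FF8, token -> 0x1FD8. */
    UINT32 Token = MakeInterruptToken(0x1000 + PAGE_SIZE - sizeof(UINT64));
    printf("UINT32 store: 0x%016llx  UINT64 store: 0x%016llx\n",
           (unsigned long long)WriteTokenU32(ShadowStackPage, Token),
           (unsigned long long)WriteTokenU64(ShadowStackPage, Token));
    return 0;
}
```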