From: "Yao, Jiewen"
To: "Sheng, W", "devel@edk2.groups.io"
CC: "Dong, Eric", "Ni, Ray", "Laszlo Ersek", "Kumar, Rahul1", "Feng, Roger"
Subject: Re: [PATCH v2 1/1] UefiCpuPkg/CpuExceptionHandlerLib: Clear CET shadow stack token busy bit
Date: Fri, 5 Feb 2021 09:58:53 +0000
References: <20210205092800.90624-1-w.sheng@intel.com> <20210205092800.90624-2-w.sheng@intel.com>
In-Reply-To: <20210205092800.90624-2-w.sheng@intel.com>

Would you please add a comment on why we need to reserve and program the 8 bytes here? Something like:

//
// The highest address on the stack (0xFF8) is a save-previous-ssp token pointing to a location that is 40 bytes away - 0xFD0.
// The supervisor shadow stack token is just above it at address 0xFF0. This is where the interrupt SSP table points.
// So when an interrupt or exception occurs, we can use SAVESSP/RESTORESSP/CLEARSSBUSY for the supervisor shadow stack,
// due to the reason the RETF in SMM exception handler cannot clear the BUSY flag with same CPL.
// (only IRET or RETF with different CPL can clear BUSY flag)
// Please refer to UefiCpuPkg/Library/CpuExceptionHandlerLib/X64 for the full stack frame at runtime.
//
-      mCetInterruptSsp = (UINT32)((UINTN)ShadowStack + EFI_PAGES_TO_SIZE(1) - sizeof(UINT64));
+      InterruptSsp = (UINT32)((UINTN)ShadowStack + EFI_PAGES_TO_SIZE(1) - sizeof(UINT64));
+      *(UINT32 *)(UINTN)InterruptSsp = (InterruptSsp - sizeof(UINT64) * 4) | 0x2;
+      mCetInterruptSsp = InterruptSsp - sizeof(UINT64);

> -----Original Message-----
> From: Sheng, W
> Sent: Friday, February 5, 2021 5:28 PM
> To: devel@edk2.groups.io
> Cc: Dong, Eric; Ni, Ray; Laszlo Ersek; Kumar, Rahul1; Yao, Jiewen; Feng, Roger
> Subject: [PATCH v2 1/1] UefiCpuPkg/CpuExceptionHandlerLib: Clear CET shadow stack token busy bit
>
> If the CET shadow stack feature is enabled in SMM and stack switch is enabled,
> when code executes from the SMM handler to the SMM exception, the CPU will check
> whether the SMM exception shadow stack token busy bit is cleared or not.
> If it is set, it will trigger a #DF exception.
> If it is not set, the CPU will set the busy bit when entering the SMM exception.
> So, the busy bit should be cleared when returning from the SMM exception to the
> SMM handler. Otherwise, keeping the busy bit at 1 will trigger a #DF
> exception when entering the SMM exception next time.
> So, we use the instructions SAVEPREVSSP, CLRSSBSY and RSTORSSP to clear the
> shadow stack token busy bit before the RETF instruction in the SMM exception.
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3192
>
> Signed-off-by: Sheng Wei
> Cc: Eric Dong
> Cc: Ray Ni
> Cc: Laszlo Ersek
> Cc: Rahul Kumar
> Cc: Jiewen Yao
> Cc: Roger Feng
> ---
> .../DxeCpuExceptionHandlerLib.inf | 3 ++
> .../PeiCpuExceptionHandlerLib.inf | 3 ++
> .../SecPeiCpuExceptionHandlerLib.inf | 4 ++
> .../SmmCpuExceptionHandlerLib.inf | 3 ++
> .../X64/Xcode5ExceptionHandlerAsm.nasm | 48
> ++++++++++++++++++++--
> .../Xcode5SecPeiCpuExceptionHandlerLib.inf | 4 ++
> UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c | 5 ++-
> 7 files changed, 66 insertions(+), 4 deletions(-)
>
> diff --git
> a/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib.inf
> b/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib.inf
> index 07b34c92a8..e7a81bebdb 100644
> ---
> a/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib.inf
> +++
> b/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib.inf
> @@ -43,6 +43,9 @@ > gUefiCpuPkgTokenSpaceGuid.PcdCpuStackSwitchExceptionList > gUefiCpuPkgTokenSpaceGuid.PcdCpuKnownGoodStackSize >=20 > +[FeaturePcd] > + gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard ## > CONSUMES > + > [Packages] > MdePkg/MdePkg.dec > MdeModulePkg/MdeModulePkg.dec > diff --git > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuExceptionHandlerLib.inf > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuExceptionHandlerLib.inf > index feae7b3e06..cf5bfe4083 100644 > --- > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuExceptionHandlerLib.inf > +++ > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuExceptionHandlerLib.inf > @@ -57,3 +57,6 @@ > [Pcd] > gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard # CONSUMES >=20 > +[FeaturePcd] > + gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard ## > CONSUMES > + > diff --git > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.= i > nf > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.= i > nf > index 967cb61ba6..8ae4feae62 100644 > --- > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.= i > nf > +++ > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.= i > nf > @@ -49,3 +49,7 @@ > LocalApicLib > PeCoffGetEntryPointLib > VmgExitLib > + > +[FeaturePcd] > + gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard ## > CONSUMES > + > diff --git > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLib.inf > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLib.inf > index 4cdb11c04e..5c3d1f7cfd 100644 > --- > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLib.inf > +++ > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLib.inf > @@ -53,3 +53,6 @@ > DebugLib > VmgExitLib >=20 > +[FeaturePcd] > + gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard ## > CONSUMES > + 
> diff --git > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5ExceptionHandlerAs > m.nasm > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5ExceptionHandlerAs > m.nasm > index 26cae56cc5..05a802a633 100644 > --- > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5ExceptionHandlerAs > m.nasm > +++ > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5ExceptionHandlerAs > m.nasm > @@ -1,5 +1,5 @@ > ;-----------------------------------------------------------------------= ------- ; > -; Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.
> +; Copyright (c) 2012 - 2021, Intel Corporation. All rights reserved.
> ; SPDX-License-Identifier: BSD-2-Clause-Patent > ; > ; Module Name: > @@ -13,6 +13,7 @@ > ; Notes: > ; > ;-----------------------------------------------------------------------= ------- > +%include "Nasm.inc" >=20 > ; > ; CommonExceptionHandler() > @@ -23,6 +24,7 @@ > extern ASM_PFX(mErrorCodeFlag) ; Error code flags for exceptions > extern ASM_PFX(mDoFarReturnFlag) ; Do far return flag > extern ASM_PFX(CommonExceptionHandler) > +extern ASM_PFX(FeaturePcdGet (PcdCpuSmmStackGuard)) >=20 > SECTION .data >=20 
> @@ -371,8 +373,48 @@ DoReturn: > push qword [rax + 0x18] ; save EFLAGS in new location > mov rax, [rax] ; restore rax > popfq ; restore EFLAGS > - DB 0x48 ; prefix to composite "retq" with next "r= etf" > - retf ; far return > + > + ; The follow algorithm is used for clear shadow stack token busy bit= . > + ; The comment is based on the sample shadow stack. > + ; The sample shadow stack layout : > + ; Address | Context > + ; +-------------------------+ > + ; 0xFD0 | FREE | it is 0xFD8|0x02|(LMA & CS.L),= after > SAVEPREVSSP. > + ; +-------------------------+ > + ; 0xFD8 | Prev SSP | > + ; +-------------------------+ > + ; 0xFE0 | RIP | > + ; +-------------------------+ > + ; 0xFE8 | CS | > + ; +-------------------------+ > + ; 0xFF0 | 0xFF0 | BUSY | BUSY flag cleared after CLRSSB= SY > + ; +-------------------------+ > + ; 0xFF8 | 0xFD8|0x02|(LMA & CS.L) | > + ; +-------------------------+ > + ; Instructions for Intel Control Flow Enforcement Technology (CET) a= re > supported since NASM version 2.15.01. 
> + push rax ; SSP should be 0xFD8 at this point > + cmp byte [dword ASM_PFX(FeaturePcdGet (PcdCpuSmmStackGuard))], = 0 > + jz CetDone > + mov rax, cr4 > + and rax, 0x800000 ; check if CET is enabled > + jz CetDone > + mov rax, 0x04 ; advance past cs:lip:prevssp;supervisor= shadow stack > token > + INCSSP_RAX ; After this SSP should be 0xFF8 > + DB 0xF3, 0x0F, 0x01, 0xEA ; SAVEPREVSSP ; now the shadow stack res= tore > token will be created at 0xFD0 > + READSSP_RAX ; Read new SSP, SSP should be 0x1000 > + push rax > + sub rax, 0x10 > + DB 0xF3, 0x0F, 0xAE, 0x30 ; CLRSSBSY RAX ; Clear token at 0xFF0 ; = SSP > should be 0 after this > + sub rax, 0x20 > + DB 0xF3, 0x0F, 0x01, 0x28 ; RSTORSSP RAX ; Restore to token at 0xF= D0, new > SSP will be 0xFD0 > + pop rax > + mov rax, 0x01 ; Pop off the new save token created > + INCSSP_RAX ; SSP should be 0xFD8 now > +CetDone: > + pop rax ; restore rax > + > + DB 0x48 ; prefix to composite "retq" with next "= retf" > + retf ; far return > DoIret: > iretq >=20 > diff --git > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/Xcode5SecPeiCpuExceptionHan > dlerLib.inf > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/Xcode5SecPeiCpuExceptionHan > dlerLib.inf > index 743c2aa766..a15f125d5b 100644 > --- > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/Xcode5SecPeiCpuExceptionHan > dlerLib.inf > +++ > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/Xcode5SecPeiCpuExceptionHan > dlerLib.inf > @@ -54,3 +54,7 @@ > LocalApicLib > PeCoffGetEntryPointLib > VmgExitLib > + > +[FeaturePcd] > + gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard ## > CONSUMES > + > diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c > b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c > index 28f8e8e133..1aa1102f56 100644 > --- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c > +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c 
> @@ -173,6 +173,7 @@ InitShadowStack ( > { > UINTN SmmShadowStackSize; > UINT64 *InterruptSspTable; > + UINT32 InterruptSsp; >=20 > if ((PcdGet32 (PcdControlFlowEnforcementPropertyMask) !=3D 0) && > mCetSupported) { > SmmShadowStackSize =3D EFI_PAGES_TO_SIZE (EFI_SIZE_TO_PAGES (PcdGet3= 2 > (PcdCpuSmmShadowStackSize))); > @@ -191,7 +192,9 @@ InitShadowStack ( > ASSERT (mSmmInterruptSspTables !=3D 0); > DEBUG ((DEBUG_INFO, "mSmmInterruptSspTables - 0x%x\n", > mSmmInterruptSspTables)); > } > - mCetInterruptSsp =3D (UINT32)((UINTN)ShadowStack + EFI_PAGES_TO_SI= ZE(1) > - sizeof(UINT64)); > + InterruptSsp =3D (UINT32)((UINTN)ShadowStack + EFI_PAGES_TO_SIZE(1= ) - > sizeof(UINT64)); > + *(UINT32 *)(UINTN)InterruptSsp =3D (InterruptSsp - sizeof(UINT64) = * 4) | 0x2; > + mCetInterruptSsp =3D InterruptSsp - sizeof(UINT64); > mCetInterruptSspTable =3D (UINT32)(UINTN)(mSmmInterruptSspTables + > sizeof(UINT64) * 8 * CpuIndex); > InterruptSspTable =3D (UINT64 *)(UINTN)mCetInterruptSspTable; > InterruptSspTable[1] =3D mCetInterruptSsp; > -- > 2.16.2.windows.1
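Review bot: please confirm, and say in the commit message, that every INF gaining the `[FeaturePcd] gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard` entry (DxeCpuExceptionHandlerLib.inf hunk, and the same entry in the PEI, SecPei, SMM and Xcode5SecPei instances) actually builds X64/Xcode5ExceptionHandlerAsm.nasm, which is the only assembly source in the diffstat. The entry is there because that shared source now does `extern ASM_PFX(FeaturePcdGet (PcdCpuSmmStackGuard))`; an instance built from a different ExceptionHandlerAsm.nasm would declare the PCD but keep a DoReturn path that never clears the busy bit, and the mismatch would only show up as a #DF on the second SMM exception.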
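Review bot: in the PeiCpuExceptionHandlerLib.inf hunk the new line uses `## CONSUMES` while the existing `gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard # CONSUMES` two lines above uses a single `#`; pick one form for the file (the same `## CONSUMES` spelling is repeated in the other four INF hunks, so whichever is chosen should be applied to all of them).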
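Review bot: in the Xcode5ExceptionHandlerAsm.nasm DoReturn hunk the inner `push rax` / `pop rax` pair around CLRSSBSY and RSTORSSP is dead, because the value popped is overwritten on the very next line by `mov rax, 0x01`; drop the pair and keep only the outer push before `cmp` and the pop at `CetDone:`. Two smaller points in the same hunk: SAVEPREVSSP, CLRSSBSY and RSTORSSP are emitted as raw `DB` byte strings while INCSSP_RAX and READSSP_RAX come from the newly included Nasm.inc, so the RAX operand of the DB-encoded forms is visible only in a trailing comment; adding matching macros to Nasm.inc keeps all five CET instructions in one place and makes the operand explicit. And the comment text `The follow algorithm is used for clear shadow stack token busy bit.` together with the 0xFD0 row `it is 0xFD8|0x02|(LMA & CS.L), after SAVEPREVSSP` should be reworded (for example `The following sequence clears the shadow stack token busy bit`) and should state which token value sits at 0xFD0 after SAVEPREVSSP and which after RSTORSSP, since the code reads a restore token there and then relies on `INCSSP_RAX` to pop the token RSTORSSP leaves behind.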
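Review bot: in the second SmmFuncsArch.c hunk, `*(UINT32 *)(UINTN)InterruptSsp = (InterruptSsp - sizeof(UINT64) * 4) | 0x2;` stores only 4 bytes into an 8-byte shadow-stack slot (the rest of the function treats entries as UINT64, see `InterruptSspTable`), so the high dword of the token is whatever the page held before; write the full UINT64. The value also sets only bit 1, while the layout comment in the assembly hunk shows this token at 0xFF8 as `0xFD8|0x02|(LMA & CS.L)`; either that comment or this value needs reconciling. Finally, `sizeof(UINT64) * 4` and `0x2` are bare magic numbers: the explanatory comment requested in the reply above (0xFF8 previous-SSP token, 0xFF0 supervisor token that the interrupt SSP table points at, restore token 40 bytes below) belongs right here, ideally with named constants for the token bit and the four-slot frame (CS, LIP, previous SSP, supervisor token).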
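The token layout programmed by the SmmFuncsArch.c hunk and the DoReturn sequence in the NASM hunk, as an added Python model that is not part of the patch or of edk2. The token rules it encodes (bit 0 of the supervisor token is BUSY, bit 1 marks a previous-SSP token, SAVEPREVSSP writes a restore token one slot below its target, CLRSSBSY leaves SSP = 0, RSTORSSP leaves a previous-SSP token behind) are this model's simplified assumptions taken from the patch's own comments, not the SDM pseudocode; the supervisor token value written at 0xFF0 and the CS/LIP values pushed on interrupt are constructed. It shows the SSP at each step of the sequence and why skipping it makes the next SMM exception fault.

```python
# Added model (not the patch's or edk2's code) of the SMM exception shadow-stack
# page from the SmmFuncsArch.c hunk and of the DoReturn sequence in the NASM hunk.
# All addresses are offsets inside the 4 KiB shadow-stack page, as in the comments.

PAGE_SIZE = 0x1000   # EFI_PAGES_TO_SIZE(1)
SLOT = 8             # sizeof(UINT64): one shadow-stack entry
BUSY = 0x1           # bit 0 of a supervisor shadow stack token (assumed rule)
PREV_SSP = 0x2       # bit 1 marks a previous-SSP token (assumed rule)
MASK = ~0x7          # strips the token flag bits


class ShadowStackFault(Exception):
    """Where the CPU would raise #DF/#GP/#CP in this simplified model."""


class ShadowStack:
    def __init__(self):
        self.mem = {}    # 8-byte-aligned offset -> 64-bit value
        self.ssp = 0     # shadow stack pointer

    def load(self, addr):
        return self.mem.get(addr, 0)

    def store(self, addr, value):
        self.mem[addr] = value & 0xFFFFFFFFFFFFFFFF

    def init_shadow_stack(self):
        """Token layout written by InitShadowStack() in the patch."""
        interrupt_ssp = PAGE_SIZE - SLOT                                   # 0xFF8
        self.store(interrupt_ssp, (interrupt_ssp - SLOT * 4) | PREV_SSP)  # -> 0xFD8
        cet_interrupt_ssp = interrupt_ssp - SLOT                           # 0xFF0
        # Assumption: the supervisor token holds its own address, BUSY clear.
        self.store(cet_interrupt_ssp, cet_interrupt_ssp)
        return cet_interrupt_ssp          # the interrupt SSP table entry

    def deliver_interrupt(self, token_addr, cs=0x38, lip=0x1234, old_ssp=0):
        """Shadow stack switch on an SMM exception: the token must not be busy
        (else #DF), becomes busy, then CS, LIP and the old SSP are pushed."""
        token = self.load(token_addr)
        if (token & MASK) != token_addr or token & BUSY:
            raise ShadowStackFault("#DF: supervisor shadow stack token busy")
        self.store(token_addr, token | BUSY)
        self.ssp = token_addr
        for value in (cs, lip, old_ssp):          # constructed frame values
            self.ssp -= SLOT
            self.store(self.ssp, value)

    def incssp(self, count):
        self.ssp += count * SLOT

    def saveprevssp(self):
        token = self.load(self.ssp)
        if not token & PREV_SSP:
            raise ShadowStackFault("#GP: not a previous-SSP token")
        self.ssp += SLOT                           # pop the token
        target = token & MASK
        self.store(target - SLOT, target)          # restore token below target

    def clrssbsy(self, addr):
        token = self.load(addr)
        if (token & MASK) != addr or not token & BUSY:
            raise ShadowStackFault("#CP: not a busy supervisor token")
        self.store(addr, token & ~BUSY)
        self.ssp = 0                               # CLRSSBSY leaves SSP = 0

    def rstorssp(self, addr):
        token = self.load(addr)
        if token & PREV_SSP or (token & MASK) != addr + SLOT:
            raise ShadowStackFault("#CP: not a restore token for this slot")
        self.store(addr, self.ssp | PREV_SSP)      # leaves a previous-SSP token
        self.ssp = addr


def do_return_cet(ss):
    """DoReturn sequence from the NASM hunk; returns SSP after each step."""
    trace = []
    ss.incssp(4)                   # past cs:lip:prevssp and the supervisor token
    trace.append(ss.ssp)           # 0xFF8
    ss.saveprevssp()               # restore token now at 0xFD0
    rax = ss.ssp                   # READSSP: 0x1000
    trace.append(rax)
    ss.clrssbsy(rax - 0x10)        # clear BUSY at 0xFF0
    trace.append(ss.ssp)           # 0
    ss.rstorssp(rax - 0x30)        # back onto the stack at 0xFD0
    trace.append(ss.ssp)
    ss.incssp(1)                   # pop the token RSTORSSP left behind
    trace.append(ss.ssp)           # 0xFD8
    return trace


def exception_round_trip(clear_busy):
    """Two back-to-back SMM exceptions; True if the second one is accepted."""
    ss = ShadowStack()
    entry = ss.init_shadow_stack()
    ss.deliver_interrupt(entry)    # SSP is now 0xFD8, where the handler runs
    if clear_busy:
        do_return_cet(ss)
    try:
        ss.deliver_interrupt(entry)
        return True
    except ShadowStackFault:
        return False
```

`exception_round_trip(False)` reproduces the failure the commit message describes (busy bit still set, second exception refused), and `exception_round_trip(True)` shows the sequence restoring the 0xFF0 token to its idle value so the page can be re-entered.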