From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "Sheng, W" <w.sheng@intel.com>,
"devel@edk2.groups.io" <devel@edk2.groups.io>,
"Ni, Ray" <ray.ni@intel.com>
Cc: "Dong, Eric" <eric.dong@intel.com>,
Laszlo Ersek <lersek@redhat.com>,
"Kumar, Rahul1" <rahul1.kumar@intel.com>,
"Feng, Roger" <roger.feng@intel.com>
Subject: Re: [edk2-devel] [PATCH v5 2/2] UefiCpuPkg/CpuExceptionHandlerLib: Clear CET shadow stack token busy bit
Date: Fri, 26 Feb 2021 01:48:09 +0000
Message-ID: <BY5PR11MB4166CA30DA8A8E1CA40926EC8C9D9@BY5PR11MB4166.namprd11.prod.outlook.com>
In-Reply-To: <MN2PR11MB44791B8590CA252825EC6788E19E9@MN2PR11MB4479.namprd11.prod.outlook.com>

Thank you. I have reviewed that.
We still need UefiCpuPkg and MdePkg maintainer's review before merge.
Thank you
Yao Jiewen
> -----Original Message-----
> From: Sheng, W <w.sheng@intel.com>
> Sent: Thursday, February 25, 2021 1:58 PM
> To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>; Sheng, W
> <w.sheng@intel.com>; Ni, Ray <ray.ni@intel.com>
> Cc: Dong, Eric <eric.dong@intel.com>; Laszlo Ersek <lersek@redhat.com>;
> Kumar, Rahul1 <rahul1.kumar@intel.com>; Feng, Roger <roger.feng@intel.com>
> Subject: RE: [edk2-devel] [PATCH v5 2/2] UefiCpuPkg/CpuExceptionHandlerLib:
> Clear CET shadow stack token busy bit
>
> Hi Jiewen,
> I have refined the comment in the code.
> It is working with PcdCpuSmmRestrictedMemoryAccess enabled.
> I added the sample code in the file
> https://github.com/tianocore/edk2/blob/master/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c
> [PATCH v5 1/2] is the patch that adds the CET instruction DX defines in the nasm.inc file.
> https://edk2.groups.io/g/devel/message/72182
>
> Do you have any comments on the patch that fixes the CET shadow stack token busy bit
> issue?
> Could you give a Reviewed-by for this patch?
>
> Thank you
> BR
> Sheng Wei
>
> > -----Original Message-----
> > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Sheng
> > Wei
> > Sent: 23 February 2021 15:52
> > To: devel@edk2.groups.io; Sheng, W <w.sheng@intel.com>; Ni, Ray
> > <ray.ni@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>
> > Cc: Dong, Eric <eric.dong@intel.com>; Laszlo Ersek <lersek@redhat.com>;
> > Kumar, Rahul1 <rahul1.kumar@intel.com>; Feng, Roger
> > <roger.feng@intel.com>
> > Subject: Re: [edk2-devel] [PATCH v5 2/2]
> > UefiCpuPkg/CpuExceptionHandlerLib: Clear CET shadow stack token busy bit
> >
> > Hi Jiewen, Ray,
> > Could you help review this patch, which fixes the CET shadow stack token busy bit
> > issue, and give a Reviewed-by?
> > As in the comment on v5 patch 1/2 by Liming, since it is a bug fix, it can still be
> > merged in the 202102 stable tag soft feature freeze phase.
> > https://edk2.groups.io/g/devel/message/72013
> > Thank you.
> > BR
> > Sheng Wei
> >
> > > -----Original Message-----
> > > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Sheng
> > > Wei
> > > Sent: 22 February 2021 10:15
> > > To: devel@edk2.groups.io; Sheng, W <w.sheng@intel.com>
> > > Cc: Dong, Eric <eric.dong@intel.com>; Ni, Ray <ray.ni@intel.com>;
> > > Laszlo Ersek <lersek@redhat.com>; Kumar, Rahul1
> > > <rahul1.kumar@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Feng,
> > > Roger <roger.feng@intel.com>
> > > Subject: Re: [edk2-devel] [PATCH v5 2/2]
> > > UefiCpuPkg/CpuExceptionHandlerLib: Clear CET shadow stack token busy
> > > bit
> > >
> > > Hi Jiewen,
> > > Thank you for reviewing the patch.
> > > Could you give a Reviewed-by on this patch?
> > > Thank you.
> > > BR
> > > Sheng Wei
> > >
> > >
> > > > -----Original Message-----
> > > > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of
> > Sheng
> > > > Wei
> > > > Sent: 20 February 2021 11:15
> > > > To: devel@edk2.groups.io
> > > > Cc: Dong, Eric <eric.dong@intel.com>; Ni, Ray <ray.ni@intel.com>;
> > > > Laszlo Ersek <lersek@redhat.com>; Kumar, Rahul1
> > > > <rahul1.kumar@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Feng,
> > > > Roger <roger.feng@intel.com>
> > > > Subject: [edk2-devel] [PATCH v5 2/2]
> > UefiCpuPkg/CpuExceptionHandlerLib:
> > > > Clear CET shadow stack token busy bit
> > > >
> > > > If the CET shadow stack feature is enabled in SMM and stack switch is enabled,
> > > > then when code executes from the SMM handler into the SMM exception handler,
> > > > the CPU will check whether the SMM exception shadow stack token busy bit is cleared.
> > > > If it is set, it will trigger a #DF exception.
> > > > If it is not set, the CPU will set the busy bit when entering the SMM exception.
> > > > So, the busy bit should be cleared when returning from the SMM exception back
> > > > to the SMM handler. Otherwise, leaving the busy bit at 1 will trigger a #DF
> > > > exception the next time the SMM exception is entered.
> > > > So, we use the instructions SAVEPREVSSP, CLRSSBSY and RSTORSSP to clear
> > > > the shadow stack token busy bit before the RETF instruction in the SMM
> > > > exception handler.
> > > >
> > > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3192
> > > >
> > > > Signed-off-by: Sheng Wei <w.sheng@intel.com>
> > > > Cc: Eric Dong <eric.dong@intel.com>
> > > > Cc: Ray Ni <ray.ni@intel.com>
> > > > Cc: Laszlo Ersek <lersek@redhat.com>
> > > > Cc: Rahul Kumar <rahul1.kumar@intel.com>
> > > > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > > > Cc: Roger Feng <roger.feng@intel.com>
> > > > ---
> > > > .../DxeCpuExceptionHandlerLib.inf | 3 ++
> > > > .../PeiCpuExceptionHandlerLib.inf | 3 ++
> > > > .../SecPeiCpuExceptionHandlerLib.inf | 4 ++
> > > > .../SmmCpuExceptionHandlerLib.inf | 3 ++
> > > > .../X64/Xcode5ExceptionHandlerAsm.nasm | 46
> > > > +++++++++++++++++++++-
> > > > .../Xcode5SecPeiCpuExceptionHandlerLib.inf | 4 ++
> > > > UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c | 15 ++++++-
> > > > 7 files changed, 75 insertions(+), 3 deletions(-)
> > > >
> > > > diff --git
> > > >
> > >
> > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib.
> > > > inf
> > > >
> > >
> > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib
> > > > .inf
> > > > index 07b34c92a8..e7a81bebdb 100644
> > > > ---
> > > >
> > >
> > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib.
> > > > inf
> > > > +++
> > > >
> > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLi
> > > > +++ b.inf
> > > > @@ -43,6 +43,9 @@
> > > > gUefiCpuPkgTokenSpaceGuid.PcdCpuStackSwitchExceptionList
> > > > gUefiCpuPkgTokenSpaceGuid.PcdCpuKnownGoodStackSize
> > > >
> > > > +[FeaturePcd]
> > > > + gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard ##
> > > > CONSUMES
> > > > +
> > > > [Packages]
> > > > MdePkg/MdePkg.dec
> > > > MdeModulePkg/MdeModulePkg.dec
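Review bot: the new [FeaturePcd] entry pulls an SMM-specific PCD, PcdCpuSmmStackGuard, into the DXE library instance (the same block is repeated for the PEI and SEC instances further down) solely so that the shared X64 assembly can test it at run time; a short `##` comment on the entry stating that it gates the SMM shadow-stack token fix in the common assembly would spare the next reader the cross-reference, since nothing else in a DXE INF explains why an SMM stack-guard PCD is consumed here.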
> > > > diff --git
> > > >
> > >
> > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuExceptionHandlerLib.
> > > > i
> > > > nf
> > > >
> > >
> > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuExceptionHandlerLib.
> > > > i
> > > > nf
> > > > index feae7b3e06..cf5bfe4083 100644
> > > > ---
> > > >
> > >
> > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuExceptionHandlerLib.
> > > > i
> > > > nf
> > > > +++
> > > >
> > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuExceptionHandlerLi
> > > > +++ b.inf
> > > > @@ -57,3 +57,6 @@
> > > > [Pcd]
> > > > gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard # CONSUMES
> > > >
> > > > +[FeaturePcd]
> > > > + gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard ##
> > > > CONSUMES
> > > > +
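Review bot: the new entry's `## CONSUMES` marker does not match the `# CONSUMES` on the existing PcdCpuStackGuard line two lines above in the same file; use one form throughout the INF. The final `+` line also appends an empty line at end of file, which the hunk does not need and which is easy to drop.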
> > > > diff --git
> > > >
> > >
> > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandler
> > > > Lib.inf
> > > >
> > >
> > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandler
> > > > Lib.inf
> > > > index 967cb61ba6..8ae4feae62 100644
> > > > ---
> > > >
> > >
> > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandler
> > > > Lib.inf
> > > > +++
> > > >
> > >
> > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandle
> > > > +++ rLib.inf
> > > > @@ -49,3 +49,7 @@
> > > > LocalApicLib
> > > > PeCoffGetEntryPointLib
> > > > VmgExitLib
> > > > +
> > > > +[FeaturePcd]
> > > > + gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard ##
> > > > CONSUMES
> > > > +
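Review bot: the diffstat for this patch touches only X64/Xcode5ExceptionHandlerAsm.nasm, yet the FeaturePcd is added to every X64 library instance, this SEC/PEI one included; please confirm that each INF receiving the PCD actually builds that assembly file, because an instance that builds a different X64 handler source would consume a PCD it never references while still missing the busy-bit fix. A sentence in the commit message naming the affected assembly source would settle this.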
> > > > diff --git
> > > >
> > >
> > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLi
> > > > b.inf
> > > >
> > >
> > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLi
> > > > b.inf
> > > > index ea5b10b5c8..c9f20da058 100644
> > > > ---
> > > >
> > >
> > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLi
> > > > b.inf
> > > > +++
> > > >
> > >
> > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLi
> > > > +++ b.inf
> > > > @@ -53,3 +53,6 @@
> > > > DebugLib
> > > > VmgExitLib
> > > >
> > > > +[FeaturePcd]
> > > > + gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard ##
> > > > CONSUMES
> > > > +
> > > > diff --git
> > > >
> > >
> > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5ExceptionHandle
> > > > rAsm.nasm
> > > >
> > >
> > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5ExceptionHandle
> > > > rAsm.nasm
> > > > index 26cae56cc5..ebe0eec874 100644
> > > > ---
> > > >
> > >
> > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5ExceptionHandle
> > > > rAsm.nasm
> > > > +++
> > > >
> > >
> > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5ExceptionHandl
> > > > +++ erAsm.nasm
> > > > @@ -13,6 +13,7 @@
> > > > ; Notes:
> > > > ;
> > > >
> > > > ;-------------------------------------------------------------------
> > > > --
> > > > ---------
> > > > +%include "Nasm.inc"
> > > >
> > > > ;
> > > > ; CommonExceptionHandler()
> > > > @@ -23,6 +24,7 @@
> > > > extern ASM_PFX(mErrorCodeFlag) ; Error code flags for exceptions
> > > > extern ASM_PFX(mDoFarReturnFlag) ; Do far return flag extern
> > > > ASM_PFX(CommonExceptionHandler)
> > > > +extern ASM_PFX(FeaturePcdGet (PcdCpuSmmStackGuard))
> > > >
> > > > SECTION .data
> > > >
> > > > @@ -371,8 +373,48 @@ DoReturn:
> > > > push qword [rax + 0x18] ; save EFLAGS in new location
> > > > mov rax, [rax] ; restore rax
> > > > popfq ; restore EFLAGS
> > > > - DB 0x48 ; prefix to composite "retq" with next "retf"
> > > > - retf ; far return
> > > > +
> > > > + ; The follow algorithm is used for clear shadow stack token busy bit.
> > > > + ; The comment is based on the sample shadow stack.
> > > > + ; The sample shadow stack layout :
> > > > + ; Address | Context
> > > > + ; +-------------------------+
> > > > + ; 0xFD0 | FREE | it is 0xFD8|0x02|(LMA & CS.L), after
> > > > SAVEPREVSSP.
> > > > + ; +-------------------------+
> > > > + ; 0xFD8 | Prev SSP |
> > > > + ; +-------------------------+
> > > > + ; 0xFE0 | RIP |
> > > > + ; +-------------------------+
> > > > + ; 0xFE8 | CS |
> > > > + ; +-------------------------+
> > > > + ; 0xFF0 | 0xFF0 | BUSY | BUSY flag cleared after CLRSSBSY
> > > > + ; +-------------------------+
> > > > + ; 0xFF8 | 0xFD8|0x02|(LMA & CS.L) |
> > > > + ; +-------------------------+
> > > > + ; Instructions for Intel Control Flow Enforcement Technology
> > > > + (CET) are
> > > > supported since NASM version 2.15.01.
> > > > + push rax ; SSP should be 0xFD8 at this point
> > > > + cmp byte [dword ASM_PFX(FeaturePcdGet
> > > > (PcdCpuSmmStackGuard))], 0
> > > > + jz CetDone
> > > > + mov rax, cr4
> > > > + and rax, 0x800000 ; check if CET is enabled
> > > > + jz CetDone
> > > > + mov rax, 0x04 ; advance past cs:lip:prevssp;supervisor shadow
> > > > stack token
> > > > + INCSSP_RAX ; After this SSP should be 0xFF8
> > > > + SAVEPREVSSP ; now the shadow stack restore token will be
> > > > created at 0xFD0
> > > > + READSSP_RAX ; Read new SSP, SSP should be 0x1000
> > > > + push rax
> > > > + sub rax, 0x10
> > > > + CLRSSBSY_RAX ; Clear token at 0xFF0, SSP should be 0 after
> > this
> > > > + sub rax, 0x20
> > > > + RSTORSSP_RAX ; Restore to token at 0xFD0, new SSP will be
> > > 0xFD0
> > > > + pop rax
> > > > + mov rax, 0x01 ; Pop off the new save token created
> > > > + INCSSP_RAX ; SSP should be 0xFD8 now
> > > > +CetDone:
> > > > + pop rax ; restore rax
> > > > +
> > > > + DB 0x48 ; prefix to composite "retq" with next "retf"
> > > > + retf ; far return
> > > > DoIret:
> > > > iretq
> > > >
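Review bot: the `push rax` right after READSSP_RAX and the matching `pop rax` before `mov rax, 0x01` form a dead pair, since the popped SSP value is overwritten by the very next instruction; drop both or comment what the saved value is for (the outer `push rax`/`pop rax` around the whole block is the pair that actually preserves the caller's rax). Two comment fixes while here: "The follow algorithm is used for clear shadow stack token busy bit" should read "The following algorithm is used to clear the shadow stack token busy bit", and the note that CET instructions are supported since NASM 2.15.01 does not apply to this file as written, because it uses the INCSSP_RAX/SAVEPREVSSP/CLRSSBSY_RAX/RSTORSSP_RAX macros that patch 1/2 adds to Nasm.inc rather than the mnemonics; say that instead. Finally, the gate here is PcdCpuSmmStackGuard plus CR4.CET, neither of which distinguishes an SMM exception from a DXE or PEI one, while the previous-SSP token this sequence expects at 0xFF8 is only written by the PiSmmCpuDxeSmm InitShadowStack change in this same patch; if the non-SMM library instances can never reach this code with CR4.CET set, the comment should say why, otherwise it should state what happens when SAVEPREVSSP finds no such token at 0xFF8.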
> > > > diff --git
> > > >
> > >
> > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/Xcode5SecPeiCpuException
> > > > HandlerLib.inf
> > > >
> > >
> > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/Xcode5SecPeiCpuException
> > > > HandlerLib.inf
> > > > index 743c2aa766..a15f125d5b 100644
> > > > ---
> > > >
> > >
> > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/Xcode5SecPeiCpuException
> > > > HandlerLib.inf
> > > > +++
> > > >
> > >
> > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/Xcode5SecPeiCpuException
> > > > +++ HandlerLib.inf
> > > > @@ -54,3 +54,7 @@
> > > > LocalApicLib
> > > > PeCoffGetEntryPointLib
> > > > VmgExitLib
> > > > +
> > > > +[FeaturePcd]
> > > > + gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard ##
> > > > CONSUMES
> > > > +
> > > > diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c
> > > > b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c
> > > > index 28f8e8e133..7ef3b1d488 100644
> > > > --- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c
> > > > +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c
> > > > @@ -173,6 +173,7 @@ InitShadowStack ( {
> > > > UINTN SmmShadowStackSize;
> > > > UINT64 *InterruptSspTable;
> > > > + UINT32 InterruptSsp;
> > > >
> > > > if ((PcdGet32 (PcdControlFlowEnforcementPropertyMask) != 0) &&
> > > > mCetSupported) {
> > > > SmmShadowStackSize = EFI_PAGES_TO_SIZE (EFI_SIZE_TO_PAGES
> > > > (PcdGet32 (PcdCpuSmmShadowStackSize))); @@ -191,7 +192,19 @@
> > > > InitShadowStack (
> > > > ASSERT (mSmmInterruptSspTables != 0);
> > > > DEBUG ((DEBUG_INFO, "mSmmInterruptSspTables - 0x%x\n",
> > > > mSmmInterruptSspTables));
> > > > }
> > > > - mCetInterruptSsp = (UINT32)((UINTN)ShadowStack +
> > > > EFI_PAGES_TO_SIZE(1) - sizeof(UINT64));
> > > > +
> > > > + //
> > > > + // The highest address on the stack (0xFF8) is a
> > > > + save-previous-ssp token
> > > > pointing to a location that is 40 bytes away - 0xFD0.
> > > > + // The supervisor shadow stack token is just above it at address
> > 0xFF0.
> > > > This is where the interrupt SSP table points.
> > > > + // So when an interrupt of exception occurs, we can use
> > > > SAVESSP/RESTORESSP/CLEARSSBUSY for the supervisor shadow stack,
> > > > + // due to the reason the RETF in SMM exception handler cannot
> > > > + clear
> > > > the BUSY flag with same CPL.
> > > > + // (only IRET or RETF with different CPL can clear BUSY flag)
> > > > + // Please refer to
> > > > + UefiCpuPkg/Library/CpuExceptionHandlerLib/X64 for
> > > > the full stack frame at runtime.
> > > > + //
> > > > + InterruptSsp = (UINT32)((UINTN)ShadowStack +
> > > > + EFI_PAGES_TO_SIZE(1)
> > > > - sizeof(UINT64));
> > > > + *(UINT32 *)(UINTN)InterruptSsp = (InterruptSsp - sizeof(UINT64)
> > > > + * 4) |
> > > > 0x2;
> > > > + mCetInterruptSsp = InterruptSsp - sizeof(UINT64);
> > > > +
> > > > mCetInterruptSspTable = (UINT32)(UINTN)(mSmmInterruptSspTables
> > > > +
> > > > sizeof(UINT64) * 8 * CpuIndex);
> > > > InterruptSspTable = (UINT64 *)(UINTN)mCetInterruptSspTable;
> > > > InterruptSspTable[1] = mCetInterruptSsp;
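Review bot: the previous-SSP token is written with a 32-bit store, `*(UINT32 *)(UINTN)InterruptSsp = ...`, into a slot that the rest of this code treats as 8 bytes wide (every offset here is a multiple of sizeof(UINT64), and the assembly steps the shadow stack in 8-byte units), so the upper half of the token is whatever the page held before; store a UINT64 or state in the comment that the shadow stack page is known to be zeroed. The value also differs from what the assembly comment documents: the Xcode5ExceptionHandlerAsm.nasm hunk describes the token at 0xFF8 as 0xFD8|0x02|(LMA & CS.L), while this line ORs in 0x2 only and never sets the low mode bit; confirm which is intended and make the two agree. In the comment, "when an interrupt of exception occurs" should read "interrupt or exception", and the mnemonics SAVESSP/RESTORESSP/CLEARSSBUSY do not match the SAVEPREVSSP/RSTORSSP/CLRSSBSY actually used in the assembly hunk; use the real names so the two comments can be cross-read.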
> > > > --
> > > > 2.16.2.windows.1
Thread overview: 22+ messages
2021-02-20 3:14 [PATCH v5 0/2] Fix CET shadow stack token busy bit clear issue Sheng Wei
2021-02-20 3:15 ` [PATCH v5 1/2] MdePkg/Include: Add CET instructions to Nasm.inc Sheng Wei
2021-02-20 5:35 ` Re: [edk2-devel] " gaoliming
2021-02-22 2:12 ` Sheng Wei
2021-02-22 2:22 ` Zhiguang Liu
2021-02-23 1:01 ` Re: " gaoliming
2021-02-23 2:21 ` Michael D Kinney
2021-02-25 1:53 ` Re: " gaoliming
2021-02-25 5:48 ` Sheng Wei
2021-02-25 13:44 ` Re: " gaoliming
2021-02-26 1:45 ` Sheng Wei
2021-03-01 5:20 ` Sheng Wei
2021-03-01 8:07 ` Re: " gaoliming
[not found] ` <16682970DB33FFC1.25260@groups.io>
2021-03-02 1:42 ` gaoliming
2021-03-02 4:53 ` Sheng Wei
2021-02-26 1:47 ` Yao, Jiewen
2021-02-20 3:15 ` [PATCH v5 2/2] UefiCpuPkg/CpuExceptionHandlerLib: Clear CET shadow stack token busy bit Sheng Wei
2021-02-26 1:47 ` [edk2-devel] " Yao, Jiewen
[not found] ` <1665564E9CEC9D4A.5517@groups.io>
2021-02-22 2:15 ` Sheng Wei
[not found] ` <1665F02F00621E09.19946@groups.io>
2021-02-23 7:51 ` Sheng Wei
[not found] ` <166651222AB8BC36.9724@groups.io>
2021-02-25 5:57 ` Sheng Wei
2021-02-26 1:48 ` Yao, Jiewen [this message]