From: "Yao, Jiewen"
To: "Sheng, W", "devel@edk2.groups.io", "Ni, Ray"
CC: "Dong, Eric", Laszlo Ersek, "Kumar, Rahul1", "Feng, Roger"
Subject: Re: [edk2-devel] [PATCH v5 2/2] UefiCpuPkg/CpuExceptionHandlerLib: Clear CET shadow stack token busy bit
Date: Fri, 26 Feb 2021 01:48:09 +0000
References: <20210220031501.24284-1-w.sheng@intel.com> <1665564E9CEC9D4A.5517@groups.io> <1665F02F00621E09.19946@groups.io> <166651222AB8BC36.9724@groups.io>

Thank you. I have reviewed that.
We still need UefiCpuPkg and MdePkg maintainer's review before merge.

Thank you
Yao Jiewen

> -----Original Message-----
> From: Sheng, W
> Sent: Thursday, February 25, 2021 1:58 PM
> To: devel@edk2.groups.io; Yao, Jiewen; Sheng, W; Ni, Ray
> Cc: Dong, Eric; Laszlo Ersek; Kumar, Rahul1; Feng, Roger
> Subject: RE: [edk2-devel] [PATCH v5 2/2] UefiCpuPkg/CpuExceptionHandlerLib: Clear CET shadow stack token busy bit
>
> Hi Jiewen,
> I have refined the comment in the code.
> It is working with PcdCpuSmmRestrictedMemoryAccess enabled.
> Add the sample code in file
> https://github.com/tianocore/edk2/blob/master/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c
> [PATCH v5 1/2] is the patch that adds the CET instruction DX defines in the nasm.inc file.
> https://edk2.groups.io/g/devel/message/72182
>
> Do you have any comment on the patch that fixes the CET shadow stack token busy bit issue?
> Could you give Reviewed-by for this patch?
>
> Thank you
> BR
> Sheng Wei
>
> > -----Original Message-----
> > From: devel@edk2.groups.io On Behalf Of Sheng Wei
> > Sent: 23 February 2021 15:52
> > To: devel@edk2.groups.io; Sheng, W; Ni, Ray; Yao, Jiewen
> > Cc: Dong, Eric; Laszlo Ersek; Kumar, Rahul1; Feng, Roger
> > Subject: Re: [edk2-devel] [PATCH v5 2/2] UefiCpuPkg/CpuExceptionHandlerLib: Clear CET shadow stack token busy bit
> >
> > Hi Jiewen, Ray,
> > Could you help to review and give Reviewed-by for this patch, which fixes the CET shadow stack token busy bit issue?
> > As per the comment on v5 patch 1/2 by Limin, since it is a bug fix, it can still be merged in the 202102 stable tag soft feature freeze phase.
> > https://edk2.groups.io/g/devel/message/72013
> > Thank you.
> > BR
> > Sheng Wei
> >
> > > -----Original Message-----
> > > From: devel@edk2.groups.io On Behalf Of Sheng Wei
> > > Sent: 22 February 2021 10:15
> > > To: devel@edk2.groups.io; Sheng, W
> > > Cc: Dong, Eric; Ni, Ray; Laszlo Ersek; Kumar, Rahul1; Yao, Jiewen; Feng, Roger
> > > Subject: Re: [edk2-devel] [PATCH v5 2/2] UefiCpuPkg/CpuExceptionHandlerLib: Clear CET shadow stack token busy bit
> > >
> > > Hi Jiewen,
> > > Thank you for reviewing the patch.
> > > Could you give Reviewed-by on this patch?
> > > Thank you.
> > > BR
> > > Sheng Wei
> > >
> > > > -----Original Message-----
> > > > From: devel@edk2.groups.io On Behalf Of Sheng Wei
> > > > Sent: 20 February 2021 11:15
> > > > To: devel@edk2.groups.io
> > > > Cc: Dong, Eric; Ni, Ray; Laszlo Ersek; Kumar, Rahul1; Yao, Jiewen; Feng, Roger
> > > > Subject: [edk2-devel] [PATCH v5 2/2] UefiCpuPkg/CpuExceptionHandlerLib: Clear CET shadow stack token busy bit
> > > >
> > > > If the CET shadow stack feature is enabled in SMM and stack switch is enabled,
> > > > when code executes from the SMM handler to the SMM exception, the CPU will
> > > > check whether the SMM exception shadow stack token busy bit is cleared or not.
> > > > If it is set, it will trigger a #DF exception.
> > > > If it is not set, the CPU will set the busy bit when entering the SMM exception.
> > > > So, the busy bit should be cleared when returning from the SMM
> > > > exception to the SMM handler. Otherwise, keeping the busy bit at 1 will
> > > > trigger a #DF exception when entering the SMM exception next time.
> > > > So, we use the instructions SAVEPREVSSP, CLRSSBSY and RSTORSSP to clear
> > > > the shadow stack token busy bit before the RETF instruction in the SMM exception.
> > > >
> > > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3192
> > > > > > > > Signed-off-by: Sheng Wei > > > > Cc: Eric Dong > > > > Cc: Ray Ni > > > > Cc: Laszlo Ersek > > > > Cc: Rahul Kumar > > > > Cc: Jiewen Yao > > > > Cc: Roger Feng > > > > --- > > > > .../DxeCpuExceptionHandlerLib.inf | 3 ++ > > > > .../PeiCpuExceptionHandlerLib.inf | 3 ++ > > > > .../SecPeiCpuExceptionHandlerLib.inf | 4 ++ > > > > .../SmmCpuExceptionHandlerLib.inf | 3 ++ > > > > .../X64/Xcode5ExceptionHandlerAsm.nasm | 46 > > > > +++++++++++++++++++++- > > > > .../Xcode5SecPeiCpuExceptionHandlerLib.inf | 4 ++ > > > > UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c | 15 ++++++- > > > > 7 files changed, 75 insertions(+), 3 deletions(-) > > > > > > > > diff --git > > > > > > > > > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib. > > > > inf > > > > > > > > > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib > > > > .inf > > > > index 07b34c92a8..e7a81bebdb 100644 > > > > --- > > > > > > > > > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib. > > > > inf > > > > +++ > > > > > > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLi > > > > +++ b.inf > > > > @@ -43,6 +43,9 @@ > > > > gUefiCpuPkgTokenSpaceGuid.PcdCpuStackSwitchExceptionList > > > > gUefiCpuPkgTokenSpaceGuid.PcdCpuKnownGoodStackSize > > > > > > > > +[FeaturePcd] > > > > + gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard = ## > > > > CONSUMES > > > > + > > > > [Packages] > > > > MdePkg/MdePkg.dec > > > > MdeModulePkg/MdeModulePkg.dec 
> > > > diff --git > > > > > > > > > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuExceptionHandlerLib. > > > > i > > > > nf > > > > > > > > > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuExceptionHandlerLib. > > > > i > > > > nf > > > > index feae7b3e06..cf5bfe4083 100644 > > > > --- > > > > > > > > > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuExceptionHandlerLib. > > > > i > > > > nf > > > > +++ > > > > > > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuExceptionHandlerLi > > > > +++ b.inf > > > > @@ -57,3 +57,6 @@ > > > > [Pcd] > > > > gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard # CONSUMES > > > > > > > > +[FeaturePcd] > > > > + gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard = ## > > > > CONSUMES > > > > + > > > > diff --git > > > > > > > > > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandler > > > > Lib.inf > > > > > > > > > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandler > > > > Lib.inf > > > > index 967cb61ba6..8ae4feae62 100644 > > > > --- > > > > > > > > > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandler > > > > Lib.inf > > > > +++ > > > > > > > > > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandle > > > > +++ rLib.inf > > > > @@ -49,3 +49,7 @@ > > > > LocalApicLib > > > > PeCoffGetEntryPointLib > > > > VmgExitLib > > > > + > > > > +[FeaturePcd] > > > > + gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard = ## > > > > CONSUMES > > > > + > > > > diff --git > > > > > > > > > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLi > > > > b.inf > > > > > > > > > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLi > > > > b.inf > > > > index ea5b10b5c8..c9f20da058 100644 > > > > --- > > > > > > > > > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLi > > > > b.inf > > > > +++ > > > > > > > > > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLi > > > > +++ b.inf 
> > > > @@ -53,3 +53,6 @@ > > > > DebugLib > > > > VmgExitLib > > > > > > > > +[FeaturePcd] > > > > + gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard = ## > > > > CONSUMES > > > > + > > > > diff --git > > > > > > > > > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5ExceptionHandle > > > > rAsm.nasm > > > > > > > > > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5ExceptionHandle > > > > rAsm.nasm > > > > index 26cae56cc5..ebe0eec874 100644 > > > > --- > > > > > > > > > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5ExceptionHandle > > > > rAsm.nasm > > > > +++ > > > > > > > > > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5ExceptionHandl > > > > +++ erAsm.nasm > > > > @@ -13,6 +13,7 @@ > > > > ; Notes: > > > > ; > > > > > > > > ;-----------------------------------------------------------------= -- > > > > -- > > > > --------- > > > > +%include "Nasm.inc" > > > > > > > > ; > > > > ; CommonExceptionHandler() > > > > @@ -23,6 +24,7 @@ > > > > extern ASM_PFX(mErrorCodeFlag) ; Error code flags for exceptio= ns > > > > extern ASM_PFX(mDoFarReturnFlag) ; Do far return flag extern > > > > ASM_PFX(CommonExceptionHandler) > > > > +extern ASM_PFX(FeaturePcdGet (PcdCpuSmmStackGuard)) > > > > > > > > SECTION .data 
> > > > > > > > @@ -371,8 +373,48 @@ DoReturn: > > > > push qword [rax + 0x18] ; save EFLAGS in new locatio= n > > > > mov rax, [rax] ; restore rax > > > > popfq ; restore EFLAGS > > > > - DB 0x48 ; prefix to composite "retq" with = next "retf" > > > > - retf ; far return > > > > + > > > > + ; The follow algorithm is used for clear shadow stack token b= usy bit. > > > > + ; The comment is based on the sample shadow stack. > > > > + ; The sample shadow stack layout : > > > > + ; Address | Context > > > > + ; +-------------------------+ > > > > + ; 0xFD0 | FREE | it is 0xFD8|0x02|(LMA &= CS.L), after > > > > SAVEPREVSSP. > > > > + ; +-------------------------+ > > > > + ; 0xFD8 | Prev SSP | > > > > + ; +-------------------------+ > > > > + ; 0xFE0 | RIP | > > > > + ; +-------------------------+ > > > > + ; 0xFE8 | CS | > > > > + ; +-------------------------+ > > > > + ; 0xFF0 | 0xFF0 | BUSY | BUSY flag cleared after= CLRSSBSY > > > > + ; +-------------------------+ > > > > + ; 0xFF8 | 0xFD8|0x02|(LMA & CS.L) | > > > > + ; +-------------------------+ > > > > + ; Instructions for Intel Control Flow Enforcement Technology > > > > + (CET) are > > > > supported since NASM version 2.15.01. 
> > > > + push rax ; SSP should be 0xFD8 at this poi= nt > > > > + cmp byte [dword ASM_PFX(FeaturePcdGet > > > > (PcdCpuSmmStackGuard))], 0 > > > > + jz CetDone > > > > + mov rax, cr4 > > > > + and rax, 0x800000 ; check if CET is enabled > > > > + jz CetDone > > > > + mov rax, 0x04 ; advance past cs:lip:prevssp;sup= ervisor shadow > > > > stack token > > > > + INCSSP_RAX ; After this SSP should be 0xFF8 > > > > + SAVEPREVSSP ; now the shadow stack restore to= ken will be > > > > created at 0xFD0 > > > > + READSSP_RAX ; Read new SSP, SSP should be 0x1= 000 > > > > + push rax > > > > + sub rax, 0x10 > > > > + CLRSSBSY_RAX ; Clear token at 0xFF0, SSP shoul= d be 0 after > > this > > > > + sub rax, 0x20 > > > > + RSTORSSP_RAX ; Restore to token at 0xFD0, new = SSP will be > > > 0xFD0 > > > > + pop rax > > > > + mov rax, 0x01 ; Pop off the new save token crea= ted > > > > + INCSSP_RAX ; SSP should be 0xFD8 now > > > > +CetDone: > > > > + pop rax ; restore rax > > > > + > > > > + DB 0x48 ; prefix to composite "retq" with= next "retf" > > > > + retf ; far return > > > > DoIret: > > > > iretq > > > > > > > > diff --git > > > > > > > > > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/Xcode5SecPeiCpuException > > > > HandlerLib.inf > > > > > > > > > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/Xcode5SecPeiCpuException > > > > HandlerLib.inf > > > > index 743c2aa766..a15f125d5b 100644 > > > > --- > > > > > > > > > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/Xcode5SecPeiCpuException > > > > HandlerLib.inf > > > > +++ > > > > > > > > > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/Xcode5SecPeiCpuException > > > > +++ HandlerLib.inf > > > > @@ -54,3 +54,7 @@ > > > > LocalApicLib > > > > PeCoffGetEntryPointLib > > > > VmgExitLib > > > > + > > > > +[FeaturePcd] > > > > + gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard = ## > > > > CONSUMES > > > > + 
> > > > diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c > > > > b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c > > > > index 28f8e8e133..7ef3b1d488 100644 > > > > --- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c > > > > +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c > > > > @@ -173,6 +173,7 @@ InitShadowStack ( { > > > > UINTN SmmShadowStackSize; > > > > UINT64 *InterruptSspTable; > > > > + UINT32 InterruptSsp; > > > > > > > > if ((PcdGet32 (PcdControlFlowEnforcementPropertyMask) !=3D 0) &= & > > > > mCetSupported) { > > > > SmmShadowStackSize =3D EFI_PAGES_TO_SIZE (EFI_SIZE_TO_PAGES > > > > (PcdGet32 (PcdCpuSmmShadowStackSize))); 
@@ -191,7 +192,19 @@ > > > > InitShadowStack ( > > > > ASSERT (mSmmInterruptSspTables !=3D 0); > > > > DEBUG ((DEBUG_INFO, "mSmmInterruptSspTables - 0x%x\n", > > > > mSmmInterruptSspTables)); > > > > } > > > > - mCetInterruptSsp =3D (UINT32)((UINTN)ShadowStack + > > > > EFI_PAGES_TO_SIZE(1) - sizeof(UINT64)); > > > > + > > > > + // > > > > + // The highest address on the stack (0xFF8) is a > > > > + save-previous-ssp token > > > > pointing to a location that is 40 bytes away - 0xFD0. > > > > + // The supervisor shadow stack token is just above it at ad= dress > > 0xFF0. > > > > This is where the interrupt SSP table points. > > > > + // So when an interrupt of exception occurs, we can use > > > > SAVESSP/RESTORESSP/CLEARSSBUSY for the supervisor shadow stack, > > > > + // due to the reason the RETF in SMM exception handler cann= ot > > > > + clear > > > > the BUSY flag with same CPL. > > > > + // (only IRET or RETF with different CPL can clear BUSY fla= g) > > > > + // Please refer to > > > > + UefiCpuPkg/Library/CpuExceptionHandlerLib/X64 for > > > > the full stack frame at runtime. > > > > + // > > > > + InterruptSsp =3D (UINT32)((UINTN)ShadowStack + > > > > + EFI_PAGES_TO_SIZE(1) > > > > - sizeof(UINT64)); > > > > + *(UINT32 *)(UINTN)InterruptSsp =3D (InterruptSsp - sizeof(U= INT64) > > > > + * 4) | > > > > 0x2; > > > > + mCetInterruptSsp =3D InterruptSsp - sizeof(UINT64); > > > > + > > > > mCetInterruptSspTable =3D (UINT32)(UINTN)(mSmmInterruptSspT= ables > > > > + > > > > sizeof(UINT64) * 8 * CpuIndex); > > > > InterruptSspTable =3D (UINT64 *)(UINTN)mCetInterruptSspTabl= e; > > > > InterruptSspTable[1] =3D mCetInterruptSsp; > > > > -- > > > > 2.16.2.windows.1 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >=20 > >
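Review bot: in the five .inf hunks (DxeCpuExceptionHandlerLib, PeiCpuExceptionHandlerLib, SecPeiCpuExceptionHandlerLib, SmmCpuExceptionHandlerLib and Xcode5SecPeiCpuExceptionHandlerLib) the non-SMM library instances now consume gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard, and that feature PCD is the only software switch in front of the new token clean-up code. Please say in the commit message why an SMM stack-guard PCD is the right gate for the DXE, PEI and SEC instances, or gate on the condition the code actually depends on (that the handler was entered through an interrupt SSP table entry with the previous-SSP token at 0xFF8 in place). Two smaller points: PeiCpuExceptionHandlerLib.inf now mixes `# CONSUMES` in [Pcd] with `## CONSUMES` in the new [FeaturePcd] block, so pick one form, and the Pei, SecPei, Smm and Xcode5SecPei hunks each end with a trailing empty `+` line at end of file that should be dropped.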
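Review bot: in the DoReturn hunk of Xcode5ExceptionHandlerAsm.nasm the inner `push rax` before `sub rax, 0x10` and the matching `pop rax` after `RSTORSSP_RAX` are dead: the value popped is overwritten by the very next `mov rax, 0x01`, so drop that pair (the outer push/pop around the whole block is the one that preserves rax). On the same hunk, `and rax, 0x800000` tests CR4.CET with a bare magic number; give it a name (CR4 bit 23) so the next reader does not have to count bits, and note that CR4.CET = 1 does not by itself mean supervisor shadow stacks are enabled (IA32_S_CET.SH_STK_EN), so if any platform can reach this path with CR4.CET set and shadow stacks off, the SAVEPREVSSP/CLRSSBSY/RSTORSSP sequence needs that guard too. Finally, the layout comment shows the restore token that SAVEPREVSSP creates at 0xFD0 as `0xFD8|0x02|(LMA & CS.L)`, the same value as the previous-SSP token at 0xFF8; as I read the SDM a restore token and a previous-SSP token differ exactly in bit 1, so please check the 0xFD0 line against the token formats before it goes in as documentation.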
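Review bot: in the InitShadowStack hunk of SmmFuncsArch.c the new comment and the code disagree: the comment says the token at 0xFF8 points 40 bytes away to 0xFD0, but `InterruptSsp - sizeof(UINT64) * 4` is 32 bytes below, 0xFD8, which is also what the nasm layout comment shows for 0xFF8 (0xFD0 is where SAVEPREVSSP later plants the restore token); fix the comment to 0xFD8. The store `*(UINT32 *)(UINTN)InterruptSsp = ...` writes only the low half of an 8-byte shadow-stack token and leaves the high dword to whatever the page already held; write the whole token through a UINT64 pointer, and decide whether the mode bit belongs in it, because the nasm comment documents 0xFF8 as `0xFD8|0x02|(LMA & CS.L)` while this line ORs in 0x2 only. Small fixes to the same comment: "interrupt of exception" should read "interrupt or exception", and SAVESSP/RESTORESSP/CLEARSSBUSY are not the mnemonics the nasm file uses; write SAVEPREVSSP/RSTORSSP/CLRSSBSY so the two comments can be grepped together.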
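The commit message above describes the busy-bit problem and the SAVEPREVSSP/CLRSSBSY/RSTORSSP sequence in words. The following C model is an added example written for this page by its editor; it is not edk2 code and executes no CET instruction. It replays the shadow-stack page layout from the patch comments (supervisor token at 0xFF0, previous-SSP token at 0xFF8, CS/LIP/SSP frame at 0xFE8..0xFD8) and the exact offsets the patch uses (INCSSP 4, RDSSP - 0x10, RDSSP - 0x30, INCSSP 1) against a simplified model of what each instruction does to memory and SSP, so the offset arithmetic can be checked and the "busy bit still set on the next exception" failure reproduced. Assumptions: the token bit layouts (bit 0 = busy in the supervisor token, bit 1 = previous-SSP token marker) are this editor's reading of the SDM, the mode bit (LMA & CS.L) and the #CP/#GP distinctions are not modelled, and 0x7FD8 is a constructed SSP for the interrupted SMM code.

```c
/* Editor's added model of the patch's CET shadow-stack token clean-up.
 * Not edk2 code; no real CET instruction runs. Addresses are offsets inside
 * one 4 KiB shadow-stack page, so 0xFF0, 0xFF8 and 0x1000 match the patch
 * comments. Token encodings (bit 0 = busy in the supervisor token, bit 1 =
 * previous-SSP token marker) are this editor's reading of the SDM; the mode
 * bit (LMA & CS.L) is deliberately not modelled. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define SS_PAGE         0x1000u
#define TOK_BUSY        0x1u    /* supervisor shadow-stack token: bit 0 = busy */
#define TOK_PREVSSP     0x2u    /* bit 1 set marks a previous-SSP token        */
#define SMM_HANDLER_SSP 0x7FD8u /* constructed SSP of the interrupted SMM code */

typedef struct {
  uint64_t mem[SS_PAGE / 8];    /* the shadow-stack page, indexed by addr / 8 */
  uint64_t ssp;                 /* the SSP register                           */
} ShadowStack;

static uint64_t ld(const ShadowStack *s, uint64_t a)      { return s->mem[a / 8]; }
static void     st(ShadowStack *s, uint64_t a, uint64_t v) { s->mem[a / 8] = v; }

/* What the InitShadowStack hunk prepares: the supervisor token at 0xFF0 (the
 * interrupt SSP table entry) and, above it at 0xFF8, a previous-SSP token
 * naming InterruptSsp - 4 * 8 = 0xFD8, ORed with 0x2 as in the C hunk. */
static void init_shadow_stack(ShadowStack *s) {
  memset(s, 0, sizeof *s);
  st(s, 0xFF0, 0xFF0);
  st(s, 0xFF8, (0xFF8 - 4 * 8) | TOK_PREVSSP);
}

/* Exception delivery through the interrupt SSP table: the token must name its
 * own address and be free; it is marked busy, then CS, LIP and the old SSP are
 * pushed. A busy token is the failure the commit message reports as #DF. */
static bool deliver_exception(ShadowStack *s, uint64_t token, uint64_t prev_ssp) {
  uint64_t tok = ld(s, token);
  if ((tok & ~7ull) != token || (tok & TOK_BUSY)) return false;
  st(s, token, tok | TOK_BUSY);
  s->ssp = token;
  s->ssp -= 8; st(s, s->ssp, 0x38);      /* CS  (constructed value)     */
  s->ssp -= 8; st(s, s->ssp, 0x1234);    /* LIP (constructed value)     */
  s->ssp -= 8; st(s, s->ssp, prev_ssp);  /* previous SSP, now at 0xFD8  */
  return true;
}

static void incssp(ShadowStack *s, uint64_t n) { s->ssp += 8 * (n & 0xFF); }

/* SAVEPREVSSP: pop the previous-SSP token at SSP and plant a restore token
 * 8 bytes below the address it names (0xFD8 - 8 = 0xFD0 here). */
static bool saveprevssp(ShadowStack *s) {
  uint64_t tok = ld(s, s->ssp);
  if (!(tok & TOK_PREVSSP)) return false;            /* #CP */
  s->ssp += 8;
  uint64_t prev = tok & ~7ull;
  st(s, prev - 8, prev);                              /* restore token names prev */
  return true;
}

/* CLRSSBSY m64: the token must be busy and name its own address; the busy bit
 * is cleared and SSP becomes 0. */
static bool clrssbsy(ShadowStack *s, uint64_t a) {
  uint64_t tok = ld(s, a);
  if ((tok & ~7ull) != a || !(tok & TOK_BUSY)) return false;   /* #CP */
  st(s, a, tok & ~(uint64_t)TOK_BUSY);
  s->ssp = 0;
  return true;
}

/* RSTORSSP m64: the restore token must name a + 8; it is replaced by a
 * previous-SSP token holding the current SSP, and SSP becomes a. */
static bool rstorssp(ShadowStack *s, uint64_t a) {
  uint64_t tok = ld(s, a);
  if ((tok & ~7ull) != a + 8 || (tok & TOK_PREVSSP)) return false;  /* #CP */
  st(s, a, s->ssp | TOK_PREVSSP);
  s->ssp = a;
  return true;
}

/* The sequence the DoReturn hunk inserts before RETF, with its constants:
 * INCSSP 4, SAVEPREVSSP, RDSSP, CLRSSBSY [rax - 0x10], RSTORSSP [rax - 0x30]
 * (0x10 + 0x20), INCSSP 1. Returns false where hardware would fault. */
static bool clear_token_busy(ShadowStack *s) {
  incssp(s, 4);                                  /* 0xFD8 -> 0xFF8             */
  if (!saveprevssp(s)) return false;             /* SSP 0x1000, token at 0xFD0 */
  uint64_t rax = s->ssp;                         /* RDSSP                      */
  if (!clrssbsy(s, rax - 0x10)) return false;    /* 0xFF0 freed, SSP 0         */
  if (!rstorssp(s, rax - 0x30)) return false;    /* SSP 0xFD0                  */
  incssp(s, 1);                                  /* pop that token: SSP 0xFD8  */
  return true;
}

/* RETF at the same CPL pops the CS/LIP/SSP frame and switches SSP back, but
 * leaves the supervisor token's busy bit alone; that is the bug. */
static void far_return(ShadowStack *s) { s->ssp = ld(s, s->ssp); }

/* Two exceptions back to back; returns whether the second can be delivered.
 * with_fix = false reproduces the #DF, with_fix = true is the patched path. */
static bool two_exceptions(bool with_fix) {
  ShadowStack s;
  init_shadow_stack(&s);
  if (!deliver_exception(&s, 0xFF0, SMM_HANDLER_SSP)) return false;
  if (with_fix && !clear_token_busy(&s)) return false;
  far_return(&s);
  return deliver_exception(&s, 0xFF0, SMM_HANDLER_SSP);
}
```

Calling two_exceptions(false) returns false because the second delivery finds the 0xFF0 token still busy; two_exceptions(true) returns true, and after clear_token_busy the model's SSP is back at 0xFD8 with the frame intact, which is the state the patch's RETF relies on. The model checks only the address and busy/previous-SSP bits of each token; anything the real CPU additionally validates (mode bit, alignment, reserved bits) is outside it.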