From: "Yao, Jiewen"
To: "devel@edk2.groups.io", "Sheng, W"
CC: "Dong, Eric", "Ni, Ray", "Laszlo Ersek", "Kumar, Rahul1", "Feng, Roger"
Subject: Re: [edk2-devel] [PATCH v5 2/2] UefiCpuPkg/CpuExceptionHandlerLib: Clear CET shadow stack token busy bit
Date: Fri, 26 Feb 2021 01:47:14 +0000
References: <20210220031501.24284-1-w.sheng@intel.com> <20210220031501.24284-3-w.sheng@intel.com>
In-Reply-To: <20210220031501.24284-3-w.sheng@intel.com>
Reviewed-by: Jiewen Yao

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Sheng Wei
> Sent: Saturday, February 20, 2021 11:15 AM
> To: devel@edk2.groups.io
> Cc: Dong, Eric; Ni, Ray; Laszlo Ersek; Kumar, Rahul1; Yao, Jiewen; Feng, Roger
> Subject: [edk2-devel] [PATCH v5 2/2] UefiCpuPkg/CpuExceptionHandlerLib: Clear CET shadow stack token busy bit
>
> If the CET shadow stack feature is enabled in SMM and stack switch is enabled,
> when code executes from the SMM handler into the SMM exception handler, the CPU will check
> whether the SMM exception shadow stack token busy bit is cleared or not.
> If it is set, it will trigger a #DF exception.
> If it is not set, the CPU will set the busy bit when entering the SMM exception.
> So, the busy bit should be cleared when returning from the SMM exception to
> the SMM handler. Otherwise, keeping the busy bit at 1 will trigger a #DF
> exception when entering the SMM exception the next time.
> So, we use the instructions SAVEPREVSSP, CLRSSBSY and RSTORSSP to clear the
> shadow stack token busy bit before the RETF instruction in the SMM exception handler.
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3192
>
> Signed-off-by: Sheng Wei > Cc: Eric Dong > Cc: Ray Ni > Cc: Laszlo Ersek > Cc: Rahul Kumar > Cc: Jiewen Yao > Cc: Roger Feng > --- > .../DxeCpuExceptionHandlerLib.inf | 3 ++ > .../PeiCpuExceptionHandlerLib.inf | 3 ++ > .../SecPeiCpuExceptionHandlerLib.inf | 4 ++ > .../SmmCpuExceptionHandlerLib.inf | 3 ++ > .../X64/Xcode5ExceptionHandlerAsm.nasm | 46 > +++++++++++++++++++++- > .../Xcode5SecPeiCpuExceptionHandlerLib.inf | 4 ++ > UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c | 15 ++++++- > 7 files changed, 75 insertions(+), 3 deletions(-) >=20 > diff --git > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib.in= f > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib.in= f > index 07b34c92a8..e7a81bebdb 100644 > --- > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib.in= f > +++ > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib.in= f > @@ -43,6 +43,9 @@ > gUefiCpuPkgTokenSpaceGuid.PcdCpuStackSwitchExceptionList > gUefiCpuPkgTokenSpaceGuid.PcdCpuKnownGoodStackSize >=20 > +[FeaturePcd] > + gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard ## > CONSUMES > + > [Packages] > MdePkg/MdePkg.dec > MdeModulePkg/MdeModulePkg.dec > diff --git > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuExceptionHandlerLib.in= f > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuExceptionHandlerLib.in= f > index feae7b3e06..cf5bfe4083 100644 > --- > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuExceptionHandlerLib.in= f > +++ > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuExceptionHandlerLib.in= f > @@ -57,3 +57,6 @@ > [Pcd] > gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard # CONSUMES >=20 > +[FeaturePcd] > + gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard ## > CONSUMES > + 
> diff --git > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib= .i > nf > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib= .i > nf > index 967cb61ba6..8ae4feae62 100644 > --- > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib= .i > nf > +++ > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib= .i > nf > @@ -49,3 +49,7 @@ > LocalApicLib > PeCoffGetEntryPointLib > VmgExitLib > + > +[FeaturePcd] > + gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard ## > CONSUMES > + > diff --git > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLib.in= f > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLib.in= f > index ea5b10b5c8..c9f20da058 100644 > --- > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLib.in= f > +++ > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLib.in= f > @@ -53,3 +53,6 @@ > DebugLib > VmgExitLib >=20 > +[FeaturePcd] > + gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard ## > CONSUMES > + > diff --git > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5ExceptionHandlerAs > m.nasm > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5ExceptionHandlerAs > m.nasm > index 26cae56cc5..ebe0eec874 100644 > --- > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5ExceptionHandlerAs > m.nasm > +++ > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5ExceptionHandlerAs > m.nasm > @@ -13,6 +13,7 @@ > ; Notes: > ; > ;----------------------------------------------------------------------= -------- > +%include "Nasm.inc" >=20 > ; > ; CommonExceptionHandler() > @@ -23,6 +24,7 @@ > extern ASM_PFX(mErrorCodeFlag) ; Error code flags for exceptions > extern ASM_PFX(mDoFarReturnFlag) ; Do far return flag > extern ASM_PFX(CommonExceptionHandler) > +extern ASM_PFX(FeaturePcdGet (PcdCpuSmmStackGuard)) >=20 > SECTION .data >=20 
> @@ -371,8 +373,48 @@ DoReturn: > push qword [rax + 0x18] ; save EFLAGS in new location > mov rax, [rax] ; restore rax > popfq ; restore EFLAGS > - DB 0x48 ; prefix to composite "retq" with next "= retf" > - retf ; far return > + > + ; The follow algorithm is used for clear shadow stack token busy bi= t. > + ; The comment is based on the sample shadow stack. > + ; The sample shadow stack layout : > + ; Address | Context > + ; +-------------------------+ > + ; 0xFD0 | FREE | it is 0xFD8|0x02|(LMA & CS.L)= , after > SAVEPREVSSP. > + ; +-------------------------+ > + ; 0xFD8 | Prev SSP | > + ; +-------------------------+ > + ; 0xFE0 | RIP | > + ; +-------------------------+ > + ; 0xFE8 | CS | > + ; +-------------------------+ > + ; 0xFF0 | 0xFF0 | BUSY | BUSY flag cleared after CLRSS= BSY > + ; +-------------------------+ > + ; 0xFF8 | 0xFD8|0x02|(LMA & CS.L) | > + ; +-------------------------+ > + ; Instructions for Intel Control Flow Enforcement Technology (CET) = are > supported since NASM version 2.15.01. > + push rax ; SSP should be 0xFD8 at this point > + cmp byte [dword ASM_PFX(FeaturePcdGet (PcdCpuSmmStackGuard))],= 0 > + jz CetDone > + mov rax, cr4 > + and rax, 0x800000 ; check if CET is enabled > + jz CetDone > + mov rax, 0x04 ; advance past cs:lip:prevssp;superviso= r shadow stack > token > + INCSSP_RAX ; After this SSP should be 0xFF8 > + SAVEPREVSSP ; now the shadow stack restore token wi= ll be created > at 0xFD0 > + READSSP_RAX ; Read new SSP, SSP should be 0x1000 > + push rax > + sub rax, 0x10 > + CLRSSBSY_RAX ; Clear token at 0xFF0, SSP should be 0= after this > + sub rax, 0x20 > + RSTORSSP_RAX ; Restore to token at 0xFD0, new SSP wi= ll be 0xFD0 > + pop rax > + mov rax, 0x01 ; Pop off the new save token created > + INCSSP_RAX ; SSP should be 0xFD8 now > +CetDone: > + pop rax ; restore rax > + > + DB 0x48 ; prefix to composite "retq" with next = "retf" > + retf ; far return > DoIret: > iretq >=20 
> diff --git > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/Xcode5SecPeiCpuExceptionHan > dlerLib.inf > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/Xcode5SecPeiCpuExceptionHan > dlerLib.inf > index 743c2aa766..a15f125d5b 100644 > --- > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/Xcode5SecPeiCpuExceptionHan > dlerLib.inf > +++ > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/Xcode5SecPeiCpuExceptionHan > dlerLib.inf > @@ -54,3 +54,7 @@ > LocalApicLib > PeCoffGetEntryPointLib > VmgExitLib > + > +[FeaturePcd] > + gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard ## > CONSUMES > + > diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c > b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c > index 28f8e8e133..7ef3b1d488 100644 > --- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c > +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c > @@ -173,6 +173,7 @@ InitShadowStack ( > { > UINTN SmmShadowStackSize; > UINT64 *InterruptSspTable; > + UINT32 InterruptSsp; >=20 > if ((PcdGet32 (PcdControlFlowEnforcementPropertyMask) !=3D 0) && > mCetSupported) { > SmmShadowStackSize =3D EFI_PAGES_TO_SIZE (EFI_SIZE_TO_PAGES (PcdGet= 32 > (PcdCpuSmmShadowStackSize))); 
> @@ -191,7 +192,19 @@ InitShadowStack ( > ASSERT (mSmmInterruptSspTables !=3D 0); > DEBUG ((DEBUG_INFO, "mSmmInterruptSspTables - 0x%x\n", > mSmmInterruptSspTables)); > } > - mCetInterruptSsp =3D (UINT32)((UINTN)ShadowStack + EFI_PAGES_TO_S= IZE(1) > - sizeof(UINT64)); > + > + // > + // The highest address on the stack (0xFF8) is a save-previous-ss= p token > pointing to a location that is 40 bytes away - 0xFD0. > + // The supervisor shadow stack token is just above it at address = 0xFF0. This > is where the interrupt SSP table points. > + // So when an interrupt of exception occurs, we can use > SAVESSP/RESTORESSP/CLEARSSBUSY for the supervisor shadow stack, > + // due to the reason the RETF in SMM exception handler cannot cle= ar the > BUSY flag with same CPL. > + // (only IRET or RETF with different CPL can clear BUSY flag) > + // Please refer to UefiCpuPkg/Library/CpuExceptionHandlerLib/X64 = for the > full stack frame at runtime. > + // > + InterruptSsp =3D (UINT32)((UINTN)ShadowStack + EFI_PAGES_TO_SIZE(= 1) - > sizeof(UINT64)); > + *(UINT32 *)(UINTN)InterruptSsp =3D (InterruptSsp - sizeof(UINT64)= * 4) | 0x2; > + mCetInterruptSsp =3D InterruptSsp - sizeof(UINT64); > + > mCetInterruptSspTable =3D (UINT32)(UINTN)(mSmmInterruptSspTables = + > sizeof(UINT64) * 8 * CpuIndex); > InterruptSspTable =3D (UINT64 *)(UINTN)mCetInterruptSspTable; > InterruptSspTable[1] =3D mCetInterruptSsp; > -- > 2.16.2.windows.1 >=20 >=20 >=20 >=20 >=20
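Review bot: The new `[FeaturePcd]` section for `PcdCpuSmmStackGuard` lands in a different place in each .inf hunk: before `[Packages]` in DxeCpuExceptionHandlerLib.inf, appended after `[Pcd]` at end of file in PeiCpuExceptionHandlerLib.inf, and appended after `[LibraryClasses]` at end of file (with a trailing blank line) in the SecPei, Smm and Xcode5SecPei instances. Pick one placement for all five files and drop the trailing blank lines, so the section is easy to find when the next PCD is added.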
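Review bot: In the DoReturn hunk of Xcode5ExceptionHandlerAsm.nasm, the only guards before SAVEPREVSSP are `cmp byte [dword ASM_PFX(FeaturePcdGet (PcdCpuSmmStackGuard))], 0` and the CR4 bit 23 test, and neither establishes that this library instance is actually running in SMM; the same file is consumed by the DXE, PEI and SEC instances (see the .inf hunks), and a FeaturePcd is a platform-wide build-time value, so a platform that sets PcdCpuSmmStackGuard and later enables CR4.CET outside SMM would run this sequence on a shadow stack that was never laid out with the 0xFF8 token InitShadowStack writes, and SAVEPREVSSP would not find the token it expects. Either add an SMM-only condition to the gate or state that assumption in the comment block next to the sample layout. Two smaller points in the same hunk: the comment says CET instructions are native since NASM 2.15.01 while the code uses the Nasm.inc macro spellings (INCSSP_RAX, SAVEPREVSSP, CLRSSBSY_RAX, RSTORSSP_RAX), so say that the macros are used to keep older assemblers building; and `and rax, 0x800000 ; check if CET is enabled` would read better as `; CR4.CET (bit 23)`.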
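Review bot: In the InitShadowStack hunk of SmmFuncsArch.c, `*(UINT32 *)(UINTN)InterruptSsp = (InterruptSsp - sizeof(UINT64) * 4) | 0x2;` stores a 4-byte value into an 8-byte shadow stack slot, while the assembly comment describes the token at 0xFF8 as the 64-bit `0xFD8|0x02|(LMA & CS.L)`; write it through a `UINT64 *` so the upper half of the slot is set deliberately rather than left as whatever the page held, and say in the comment what the `0x2` bit means, as the nasm comment does. Also, the new comment reads "when an interrupt of exception occurs" (should be "or") and names SAVESSP/RESTORESSP/CLEARSSBUSY, which are not the mnemonics the assembly uses (SAVEPREVSSP/RSTORSSP/CLRSSBSY); keep the two in sync so a reader can grep from one to the other.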