From: "Wang, Jian J"
To: "devel@edk2.groups.io", "Jiang, Guomin"
CC: "Wu, Hao A", Laszlo Ersek
Subject: Re: [edk2-devel] [PATCH v6 01/10] MdeModulePkg: Add new PCD to control the evacuate temporary memory feature (CVE-2019-11098)
Date: Wed, 22 Jul 2020 02:42:23 +0000
References: <20200720113022.675-1-guomin.jiang@intel.com> <20200720113022.675-2-guomin.jiang@intel.com>
In-Reply-To: <20200720113022.675-2-guomin.jiang@intel.com>

Reviewed-by: Jian J Wang

Regards,
Jian

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Guomin Jiang
> Sent: Monday, July 20, 2020 7:30 PM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J; Wu, Hao A; Laszlo Ersek
> Subject: [edk2-devel] [PATCH v6 01/10] MdeModulePkg: Add new PCD to
> control the evacuate temporary memory feature (CVE-2019-11098)
>
> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614
>
> The security researcher found that we can get control after NEM is disabled.
>
> The reason is that the flash content resides in NEM at startup and the
> code will get the content from flash directly after disabling NEM.
>
> To avoid this vulnerability, the feature will copy the PEIMs from
> temporary memory to permanent memory and only execute the code in
> permanent memory.
>
> The vulnerability exists in physical platforms and hasn't been reported in
> virtual platforms, so virtual platforms can disable the feature currently.
>
> Cc: Jian J Wang
> Cc: Hao A Wu
> Signed-off-by: Guomin Jiang
> Acked-by: Laszlo Ersek
> Reviewed-by: Jian J Wang
> ---
> MdeModulePkg/MdeModulePkg.dec | 8 ++++++++
> MdeModulePkg/MdeModulePkg.uni | 6 ++++++
> 2 files changed, 14 insertions(+)
>
> diff --git a/MdeModulePkg/MdeModulePkg.dec > b/MdeModulePkg/MdeModulePkg.dec > index 843e963ad34b..e88f22756d7f 100644 > --- a/MdeModulePkg/MdeModulePkg.dec > +++ b/MdeModulePkg/MdeModulePkg.dec
> @@ -1220,6 +1220,14 @@ [PcdsFixedAtBuild, PcdsPatchableInModule] > # @Prompt Shadow Peim and PeiCore on boot >=20 > gEfiMdeModulePkgTokenSpaceGuid.PcdShadowPeimOnBoot|TRUE|BOOLEAN| > 0x30001029 >=20 > + ## Enable the feature that evacuate temporary memory to permanent > memory or not > + # Set FALSE as default, if the developer need this feature to avoid = this > vulnerability, please > + # enable it in dsc file. > + # TRUE - Evacuate temporary memory, the actions include copy memory, > convert PPI pointers and so on. > + # FALSE - Do nothing, for example, no copy memory, no convert PPI po= inters > and so on. > + # @Prompt Evacuate temporary memory to permanent memory > + > gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolum > es|FALSE|BOOLEAN|0x3000102A > + > ## The mask is used to control memory profile behavior.

> # BIT0 - Enable UEFI memory profile.
> # BIT1 - Enable SMRAM profile.
> diff --git a/MdeModulePkg/MdeModulePkg.uni > b/MdeModulePkg/MdeModulePkg.uni > index 2007e0596c4f..5235dee561ad 100644 > --- a/MdeModulePkg/MdeModulePkg.uni > +++ b/MdeModulePkg/MdeModulePkg.uni > @@ -214,6 +214,12 @@ > = "TRUE - Shadow PEIM on S3 > boot path after memory is ready.
\n" > = "FALSE - Not shadow PEIM on > S3 boot path after memory is ready.
" >=20 > +#string > STR_gEfiMdeModulePkgTokenSpaceGuid_PcdMigrateTemporaryRamFirmwareV > olumes_HELP #language en-US "Enable the feature that evacuate temporary > memory to permanent memory or not.

\n" > + = "It will allocate page to > save the temporary PEIMs resided in NEM(or CAR) to the permanent memory > and change all pointers pointed to the NEM(or CAR) to permanent > memory.

\n" > + = "After then, there are > no pointer pointed to NEM(or CAR) and TOCTOU volnerability can be > avoid.

\n" > + > +#string > STR_gEfiMdeModulePkgTokenSpaceGuid_PcdMigrateTemporaryRamFirmwareV > olumes_PROMPT #language en-US "Enable the feature that evacuate temporar= y > memory to permanent memory or not" > + > #string > STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiDefaultOemId_PROMPT > #language en-US "Default OEM ID for ACPI table creation" >=20 > #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiDefaultOemId_HELP > #language en-US "Default OEM ID for ACPI table creation, its length must= be 0x6 > bytes to follow ACPI specification." > -- > 2.25.1.windows.1 >=20 >=20 >=20
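
Review bot: In the MdeModulePkg.dec hunk, the help comment for PcdMigrateTemporaryRamFirmwareVolumes says "to avoid this vulnerability" with no antecedent, so someone reading the .dec on its own cannot tell which issue the PCD mitigates. Name it in the comment (the TOCTOU issue the .uni help text mentions, tracked as CVE-2019-11098 in the subject and bugzilla 1614 in the commit message). The comment should also say plainly that the default of FALSE leaves the mitigation off, so a physical platform that runs PEIMs out of NEM (or CAR) has to set the PCD to TRUE in its DSC; as written, "if the developer need this feature" reads as optional even for the platforms the commit message describes as affected. Minor wording: "the feature that evacuate" should be "evacuates".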
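
Review bot: In the MdeModulePkg.uni hunk, the _HELP string has a typo ("volnerability") and "can be avoid" should be "can be avoided". The help text also drifts from the .dec comment: it omits the TRUE/FALSE descriptions and the FALSE default that the .dec documents, and the _PROMPT string ("Enable the feature that evacuate temporary memory to permanent memory or not") does not match the .dec "@Prompt Evacuate temporary memory to permanent memory". Suggest making the .uni prompt identical to the .dec @Prompt and carrying the TRUE/FALSE lines into _HELP, as the neighbouring PcdShadowPeimOnBoot strings do.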