From: "Wang, Jian J"
To: "devel@edk2.groups.io", "Jiang, Guomin"
CC: Michael Kubacki, "Dong, Eric", "Ni, Ray", Laszlo Ersek, "Kumar, Rahul1"
Subject: Re: [edk2-devel] [PATCH v6 03/10] UefiCpuPkg/CpuMpPei: Add GDT migration support (CVE-2019-11098)
Date: Wed, 22 Jul 2020 02:43:09 +0000
References: <20200720113022.675-1-guomin.jiang@intel.com> <20200720113022.675-4-guomin.jiang@intel.com>
In-Reply-To: <20200720113022.675-4-guomin.jiang@intel.com>

Reviewed-by: Jian J Wang

Regards,
Jian

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Guomin > Jiang > Sent: Monday, July 20, 2020 7:30 PM > To: devel@edk2.groups.io > Cc: Michael Kubacki ; Dong, Eric > ; Ni, Ray ; Laszlo Ersek > ; Kumar, Rahul1 > Subject: [edk2-devel] [PATCH v6 03/10] UefiCpuPkg/CpuMpPei: Add GDT > migration support (CVE-2019-11098) >=20 > From: Michael Kubacki >=20 > REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3D1614 >=20 > Moves the GDT to permanent memory in a memory discovered > callback. This is done to ensure the GDT authenticated in > pre-memory is not fetched from outside a verified location > after the permanent memory transition. >=20 > Cc: Eric Dong > Cc: Ray Ni > Cc: Laszlo Ersek > Cc: Rahul Kumar > Signed-off-by: Michael Kubacki > Reviewed-by: Laszlo Ersek > --- > UefiCpuPkg/CpuMpPei/CpuMpPei.inf | 1 + > UefiCpuPkg/CpuMpPei/CpuMpPei.h | 12 +++++++++++ > UefiCpuPkg/CpuMpPei/CpuMpPei.c | 37 > ++++++++++++++++++++++++++++++++ > UefiCpuPkg/CpuMpPei/CpuPaging.c | 12 +++++++++-- > 4 files changed, 60 insertions(+), 2 deletions(-) >=20 > diff --git a/UefiCpuPkg/CpuMpPei/CpuMpPei.inf > b/UefiCpuPkg/CpuMpPei/CpuMpPei.inf > index caead3ce34d4..f4d11b861f77 100644 > --- a/UefiCpuPkg/CpuMpPei/CpuMpPei.inf > +++ b/UefiCpuPkg/CpuMpPei/CpuMpPei.inf > @@ -63,6 +63,7 @@ [Pcd] > gUefiCpuPkgTokenSpaceGuid.PcdCpuStackSwitchExceptionList = ## > SOMETIMES_CONSUMES > gUefiCpuPkgTokenSpaceGuid.PcdCpuKnownGoodStackSize = ## > SOMETIMES_CONSUMES > gUefiCpuPkgTokenSpaceGuid.PcdCpuApStackSize = ## > SOMETIMES_CONSUMES > + > gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolum > es ## CONSUMES >=20 > [Depex] > TRUE > diff --git a/UefiCpuPkg/CpuMpPei/CpuMpPei.h > b/UefiCpuPkg/CpuMpPei/CpuMpPei.h > index 7d5c527d6006..309478cbe14c 100644 > --- a/UefiCpuPkg/CpuMpPei/CpuMpPei.h > +++ b/UefiCpuPkg/CpuMpPei/CpuMpPei.h 
> @@ -397,6 +397,18 @@ SecPlatformInformation2 ( > OUT EFI_SEC_PLATFORM_INFORMATION_RECORD2 > *PlatformInformationRecord2 > ); >=20 > +/** > + Migrates the Global Descriptor Table (GDT) to permanent memory. > + > + @retval EFI_SUCCESS The GDT was migrated successfully. > + @retval EFI_OUT_OF_RESOURCES The GDT could not be migrated due to > lack of available memory. > + > +**/ > +EFI_STATUS > +MigrateGdt ( > + VOID > + ); > + > /** > Initializes MP and exceptions handlers. >=20 > diff --git a/UefiCpuPkg/CpuMpPei/CpuMpPei.c > b/UefiCpuPkg/CpuMpPei/CpuMpPei.c > index 07ccbe7c6a91..d07540cf7471 100644 > --- a/UefiCpuPkg/CpuMpPei/CpuMpPei.c > +++ b/UefiCpuPkg/CpuMpPei/CpuMpPei.c > @@ -429,6 +429,43 @@ GetGdtr ( > AsmReadGdtr ((IA32_DESCRIPTOR *)Buffer); > } >=20 > +/** > + Migrates the Global Descriptor Table (GDT) to permanent memory. > + > + @retval EFI_SUCCESS The GDT was migrated successfully. > + @retval EFI_OUT_OF_RESOURCES The GDT could not be migrated due to > lack of available memory. > + > +**/ > +EFI_STATUS > +MigrateGdt ( > + VOID > + ) > +{ > + EFI_STATUS Status; > + UINTN GdtBufferSize; > + IA32_DESCRIPTOR Gdtr; > + VOID *GdtBuffer; > + > + AsmReadGdtr ((IA32_DESCRIPTOR *) &Gdtr); > + GdtBufferSize =3D sizeof (IA32_SEGMENT_DESCRIPTOR) -1 + Gdtr.Limit + = 1; > + > + Status =3D PeiServicesAllocatePool ( > + GdtBufferSize, > + &GdtBuffer > + ); > + ASSERT (GdtBuffer !=3D NULL); > + if (EFI_ERROR (Status)) { > + return EFI_OUT_OF_RESOURCES; > + } > + > + GdtBuffer =3D ALIGN_POINTER (GdtBuffer, sizeof > (IA32_SEGMENT_DESCRIPTOR)); > + CopyMem (GdtBuffer, (VOID *) Gdtr.Base, Gdtr.Limit + 1); > + Gdtr.Base =3D (UINTN) GdtBuffer; > + AsmWriteGdtr (&Gdtr); > + > + return EFI_SUCCESS; > +} > + > /** > Initializes CPU exceptions handlers for the sake of stack switch requ= irement. >=20 > diff --git a/UefiCpuPkg/CpuMpPei/CpuPaging.c > b/UefiCpuPkg/CpuMpPei/CpuPaging.c > index a462e7ee1e38..3bf0574b34c6 100644 > --- a/UefiCpuPkg/CpuMpPei/CpuPaging.c 
> +++ b/UefiCpuPkg/CpuMpPei/CpuPaging.c > @@ -602,8 +602,16 @@ MemoryDiscoveredPpiNotifyCallback ( > IN VOID *Ppi > ) > { > - EFI_STATUS Status; > - BOOLEAN InitStackGuard; > + EFI_STATUS Status; > + BOOLEAN InitStackGuard; > + BOOLEAN InterruptState; > + > + if (PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)) { > + InterruptState =3D SaveAndDisableInterrupts (); > + Status =3D MigrateGdt (); > + ASSERT_EFI_ERROR (Status); > + SetInterruptState (InterruptState); > + } >=20 > // > // Paging must be setup first. Otherwise the exception TSS setup duri= ng MP > -- > 2.25.1.windows.1 >=20 >=20 >=20
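
Review bot: The function comment on the MigrateGdt() prototype in CpuMpPei.h does not state the calling conditions that the only caller relies on. MemoryDiscoveredPpiNotifyCallback() brackets the call with SaveAndDisableInterrupts () and SetInterruptState (InterruptState), and AsmWriteGdtr (&Gdtr) changes GDTR only on the processor that executes it. Add a sentence to the header comment saying the caller must disable interrupts around the call and that only the calling processor's GDTR is updated, so a future second caller does not have to rediscover this from CpuPaging.c.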
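
Review bot: In MigrateGdt() in CpuMpPei.c, ASSERT (GdtBuffer != NULL) runs before the EFI_ERROR (Status) check, and GdtBuffer is declared without an initializer, so when PeiServicesAllocatePool () fails the assertion tests a value this function never set. Test Status first and return EFI_OUT_OF_RESOURCES, then assert on the pointer, or initialize GdtBuffer to NULL at its declaration. Separately, the size expression sizeof (IA32_SEGMENT_DESCRIPTOR) -1 + Gdtr.Limit + 1 would read better with a one-line comment saying the extra sizeof (IA32_SEGMENT_DESCRIPTOR) - 1 bytes are slack for the ALIGN_POINTER () adjustment that follows, since the aligned pointer is what CopyMem () writes Gdtr.Limit + 1 bytes to.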
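
Review bot: In MemoryDiscoveredPpiNotifyCallback() in CpuPaging.c, a MigrateGdt () failure is caught only by ASSERT_EFI_ERROR (Status), so a build with assertions compiled out carries on with GDTR still pointing at the pre-memory GDT, which is the condition the commit message says this change exists to prevent. Since the migration is the security property here, handle the error explicitly when PcdMigrateTemporaryRamFirmwareVolumes is set, for example by returning Status from the callback or halting, rather than relying on the assertion alone.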