From: "Wang, Jian J"
To: "devel@edk2.groups.io", "Jiang, Guomin"
CC: "Wu, Hao A", Laszlo Ersek
Subject: Re: [edk2-devel] [PATCH v6 01/10] MdeModulePkg: Add new PCD to control the evacuate temporary memory feature (CVE-2019-11098)
Date: Wed, 22 Jul 2020 02:26:20 +0000
References: <20200720113022.675-1-guomin.jiang@intel.com> <20200720113022.675-2-guomin.jiang@intel.com>
In-Reply-To: <20200720113022.675-2-guomin.jiang@intel.com>
Guomin,

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Guomin Jiang
> Sent: Monday, July 20, 2020 7:30 PM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J; Wu, Hao A; Laszlo Ersek
> Subject: [edk2-devel] [PATCH v6 01/10] MdeModulePkg: Add new PCD to control the evacuate temporary memory feature (CVE-2019-11098)
>
> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614
>
> The security researcher found that we can get control after NEM is disabled.
>
> The reason is that the flash content resides in NEM at startup and the code will get the content from flash directly after disabling NEM.
>
> To avoid this vulnerability, the feature will copy the PEIMs from temporary memory to permanent memory and only execute the code in permanent memory.
>
> The vulnerability exists on physical platforms and hasn't been reported on virtual platforms, so the virtual platforms can disable the feature currently.
>
> Cc: Jian J Wang
> Cc: Hao A Wu
> Signed-off-by: Guomin Jiang
> Acked-by: Laszlo Ersek
> Reviewed-by: Jian J Wang
> ---
>  MdeModulePkg/MdeModulePkg.dec | 8 ++++++++
>  MdeModulePkg/MdeModulePkg.uni | 6 ++++++
>  2 files changed, 14 insertions(+)
>
> diff --git a/MdeModulePkg/MdeModulePkg.dec
> b/MdeModulePkg/MdeModulePkg.dec
> index 843e963ad34b..e88f22756d7f 100644
> --- a/MdeModulePkg/MdeModulePkg.dec
> +++ b/MdeModulePkg/MdeModulePkg.dec
> @@ -1220,6 +1220,14 @@ [PcdsFixedAtBuild, PcdsPatchableInModule] > # @Prompt Shadow Peim and PeiCore on boot >=20 > gEfiMdeModulePkgTokenSpaceGuid.PcdShadowPeimOnBoot|TRUE|BOOLEAN| > 0x30001029 >=20 > + ## Enable the feature that evacuate temporary memory to permanent > memory or not > + # Set FALSE as default, if the developer need this feature to avoid = this > vulnerability, please > + # enable it in dsc file.

According to the code change in v6 (PeiMain.c), PcdShadowPeimOnBoot must not be TRUE when this PCD is TRUE. Please also add description here. It's ok not to send a v7 but please do include it before push. There's already r-b for this patch. Let's still keep it.

Regards,
Jian

> + # TRUE - Evacuate temporary memory, the actions include copy memory, > convert PPI pointers and so on. > + # FALSE - Do nothing, for example, no copy memory, no convert PPI po= inters > and so on. > + # @Prompt Evacuate temporary memory to permanent memory > + > gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolum > es|FALSE|BOOLEAN|0x3000102A > + > ## The mask is used to control memory profile behavior.

> # BIT0 - Enable UEFI memory profile.
> # BIT1 - Enable SMRAM profile.
> diff --git a/MdeModulePkg/MdeModulePkg.uni > b/MdeModulePkg/MdeModulePkg.uni > index 2007e0596c4f..5235dee561ad 100644 > --- a/MdeModulePkg/MdeModulePkg.uni > +++ b/MdeModulePkg/MdeModulePkg.uni > @@ -214,6 +214,12 @@ > = "TRUE - Shadow PEIM on S3 > boot path after memory is ready.
\n" > = "FALSE - Not shadow PEIM on > S3 boot path after memory is ready.
" >=20 > +#string > STR_gEfiMdeModulePkgTokenSpaceGuid_PcdMigrateTemporaryRamFirmwareV > olumes_HELP #language en-US "Enable the feature that evacuate temporary > memory to permanent memory or not.

\n" > + = "It will allocate page to > save the temporary PEIMs resided in NEM(or CAR) to the permanent memory > and change all pointers pointed to the NEM(or CAR) to permanent > memory.

\n" > + = "After then, there are > no pointer pointed to NEM(or CAR) and TOCTOU volnerability can be > avoid.

\n" > + > +#string > STR_gEfiMdeModulePkgTokenSpaceGuid_PcdMigrateTemporaryRamFirmwareV > olumes_PROMPT #language en-US "Enable the feature that evacuate temporar= y > memory to permanent memory or not" > + > #string > STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiDefaultOemId_PROMPT > #language en-US "Default OEM ID for ACPI table creation" >=20 > #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiDefaultOemId_HELP > #language en-US "Default OEM ID for ACPI table creation, its length must= be 0x6 > bytes to follow ACPI specification." > -- > 2.25.1.windows.1 >=20 >=20 >=20