From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) by mx.groups.io with SMTP id smtpd.web08.9196.1614581656769374110 for ; Sun, 28 Feb 2021 22:54:16 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.onmicrosoft.com header.s=selector2-intel-onmicrosoft-com header.b=K5CYQzY0; spf=pass (domain: intel.com, ip: 192.55.52.115, mailfrom: ray.ni@intel.com) IronPort-SDR: D/BYP4Qh+vhOEsN6LbSv6jTIaBFp4o44pYe8dhy7VLNDv1wkIVQyF9ePXfxmcl+Pms1lpQU+fh YeiOH+eRVFdQ== X-IronPort-AV: E=McAfee;i="6000,8403,9909"; a="185697974" X-IronPort-AV: E=Sophos;i="5.81,214,1610438400"; d="scan'208";a="185697974" Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga103.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 28 Feb 2021 22:54:15 -0800 IronPort-SDR: i6CmiNOBKIVXj6GulzypEQ7kjsJ9kxguo6zncpA5aq9FhJsTzjL3Izqhe4crhXR1oZbFx6pmCq AqDIiWH7mwrg== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.81,214,1610438400"; d="scan'208";a="504624226" Received: from fmsmsx604.amr.corp.intel.com ([10.18.126.84]) by fmsmga001.fm.intel.com with ESMTP; 28 Feb 2021 22:54:15 -0800 Received: from fmsmsx609.amr.corp.intel.com (10.18.126.89) by fmsmsx604.amr.corp.intel.com (10.18.126.84) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2106.2; Sun, 28 Feb 2021 22:54:15 -0800 Received: from fmsmsx602.amr.corp.intel.com (10.18.126.82) by fmsmsx609.amr.corp.intel.com (10.18.126.89) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2106.2; Sun, 28 Feb 2021 22:54:15 -0800 Received: from fmsedg601.ED.cps.intel.com (10.1.192.135) by fmsmsx602.amr.corp.intel.com (10.18.126.82) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2106.2 via Frontend Transport; Sun, 28 Feb 2021 22:54:15 -0800 Received: from NAM11-CO1-obe.outbound.protection.outlook.com (104.47.56.176) by edgegateway.intel.com (192.55.55.70) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2106.2; Sun, 28 Feb 2021 22:54:14 -0800 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=PKHojJGwyCtmBjD+2Is245BO+z/Q8u5CyNsvDWQiTvVVYOPWTg9EHkqrI6r6qGFICbG0U3TSrcCjcQShiZDJbB+iKsgQcKJkHVNSwvxznMt4B0agWdhtIYhrtsn33wlDSxsjYjTH3O0GGAwzBjZ3fG4sRJwoqE8kjOLOHi4j6U6Kkci5340H2i3wXJ+nD9Mh58bMf5A73sUbFD0dOi9HMFXiw4bgkQJxf+J0GmSFScb98c1AOPia21dEH3wWDf2MnzbwXIKLy+WEBs3ZCOOKMwsOj68LcKBMw4zLg6/qLhxDF4he7X6sBI/FaHdkkKSA1O//IQwoKDAXTSWKu+elLw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3k9lCnAy1CZsSwgzvwf3rMlAjcZaI1E0kMgtPsPjCVQ=; b=I9OKQSHCxbGhMX1YWc3J9euC5cQXMT7xL47M6ikImOTLWYcVxxrBxwJdH8uizVyQ6hdjzUG77imGiPsJoR9VbJ5KCX/HAagA2liiFKaptE+UgQ4Vh+LlR8NXB7LuE1TTLpsHdk2oeL+C+Fxfzgv9l7fyV05BeqEZcrwLqYLJ60ZJrXqAEj1WwMGtIam7gumfVY7BVCjz6XGwR+qfeyeQ2Ir7FYPnAJZ7EMtGbmxl0moWW9wPM4zGEINHCU/YlZGgotp/eNMtP524+6k4HqLrajkMjCTWgIO/t6sQd0+8bReXCr8TnnzCCSevoAFiXJFnri5mF39LiYAzrmrRJV/hgw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel.onmicrosoft.com; s=selector2-intel-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3k9lCnAy1CZsSwgzvwf3rMlAjcZaI1E0kMgtPsPjCVQ=; b=K5CYQzY0jWZMJb49ZnZf3MQ0AOvtYs8WXrVw5xzK7S6vdhwIntvgN2JoYnPPbyQSC9lilw6NI1/qyjV9O52nzAnUgpPUAOWPzhFTR0pR2S5TD+kA6sNhWOZMo7h2Q3n7OzmiKva7OaYIA5Xz0kBzqbiJq2DElGHZ11kieyac9e8= Received: from CO1PR11MB4930.namprd11.prod.outlook.com (2603:10b6:303:9b::11) by MW3PR11MB4714.namprd11.prod.outlook.com (2603:10b6:303:5d::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3890.23; Mon, 1 Mar 2021 06:54:13 +0000 Received: from CO1PR11MB4930.namprd11.prod.outlook.com ([fe80::8d64:91ed:c259:e95]) by CO1PR11MB4930.namprd11.prod.outlook.com ([fe80::8d64:91ed:c259:e95%7]) with mapi id 15.20.3890.028; Mon, 1 Mar 2021 06:54:13 +0000 From: "Ni, Ray" To: "Sheng, W" , "devel@edk2.groups.io" CC: "Dong, Eric" , Laszlo Ersek , "Kumar, Rahul1" , "Yao, Jiewen" , "Feng, Roger" Subject: Re: [PATCH v6 2/3] UefiCpuPkg/CpuExceptionHandlerLib: Clear CET shadow stack token busy bit Thread-Topic: [PATCH v6 2/3] UefiCpuPkg/CpuExceptionHandlerLib: Clear CET shadow stack token busy bit Thread-Index: AQHXDBYi20tHJbiPg0aCyQVfRbv9DaputwcA Date: Mon, 1 Mar 2021 06:54:13 +0000 Message-ID: References: <20210226080316.13724-1-w.sheng@intel.com> <20210226080316.13724-3-w.sheng@intel.com> In-Reply-To: <20210226080316.13724-3-w.sheng@intel.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: intel.com; dkim=none (message not signed) header.d=none;intel.com; dmarc=none action=none header.from=intel.com; x-originating-ip: [192.198.147.194] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 42d4b065-92c8-4566-43bd-08d8dc7ed327 x-ms-traffictypediagnostic: MW3PR11MB4714: x-ms-exchange-minimumurldomainage: tianocore.org#6026 x-ms-exchange-transport-forked: True x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:10000; x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: MNfR9b14ysgtDeEuDJytKpssD567LfnjsnthiQs1anDhKab7eYow71xpNeqUlj518C9toFC2UxhnVKgLPYc+9Iz0ZbbF4yRFfOobTLVMSg+PXt1Ke/G8brKdZPtXyAWjZ+U4Bm6YCTJJ2vtIcl12zV/zlRKDcKRIVjiGEHa1HVAdn9q3ESACeFZCrYVg6tfNaG7y6VgFhSOwrl/YVOs7x2Wpfnm/uWzVf5xBzzr8ZU9Eu5yCi1q7EHBVrsW6XTRKLdjAfpdyPydGL3aOb3QCUTUM2Zi14z4Zcks9PdGQK63ybTsi1PytJ3gDTtR4bJ+hd8EDOuYvBQ5mE8Ndevf0jn00AQBGXOQ49rvgwGDOAvg5jQk6pl7Z0QSnyZCjS0DTf7FIfXGabs0OwjtPEOUGxo6m40VQG9tCVkF9Q1+pW0FC1asMqLVWbUwY51B04nNsJnaph/DGCMcuqmbt2rCmPHC2kU5lOW8BleZjvHvJwwlbe1F9YxsDdwGzuGDix9KqwsiRi4JvhcEb80FhuZ4xzlf7scSIrOUtYHmSEVQT33gV9PA8a0n8LfXLgOOvHF+nH1SeR1tphtsQTurprCNmShDRba/cZXrAdpQy2jFnqho= x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:CO1PR11MB4930.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(136003)(39860400002)(396003)(346002)(376002)(366004)(83380400001)(26005)(71200400001)(966005)(478600001)(186003)(2906002)(66946007)(54906003)(64756008)(66556008)(53546011)(8676002)(52536014)(66476007)(5660300002)(316002)(107886003)(6506007)(110136005)(9686003)(66446008)(8936002)(19627235002)(33656002)(55016002)(7696005)(4326008)(76116006)(86362001);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata: =?us-ascii?Q?Z4lv8+vLJwsNvQr/xWB9wAvFtYRol5jB47GIkpRU2CCwEfiOieeDWtBdhIJo?= =?us-ascii?Q?zUV6oSMkQI4VGhLVoJvrC2vxilfTmirjVT+pNXmHJTLwuhdVpOkhNpuEvB6c?= =?us-ascii?Q?jMsgCqvV47GUX5/PidX8Wp+mym4Uucgk27RZ2Qy20xNd62NOrxfDPVlr8ntE?= =?us-ascii?Q?1pczKM0HjWeYCZ1xqT/7muIijORSsE7lqTK4aJJ9U1rEnbgAFigNVyZIzzes?= =?us-ascii?Q?WoTiwFkjmNIBUpNjdGaOgt5JmmFvxf3o9uqEXuDYuS3PpN0S4LULT7/iloO1?= =?us-ascii?Q?pyk6+iIRthJfGvz9J6ZmEfDPotKZyYbMQZegEQvpmtY/Nf01otOk6HDERGdu?= =?us-ascii?Q?+UUzUO4RdOuXgn47RvcbQVWEfR3KO2u7iODKW4JNpBuG3Rq3Ytq7kxo+2W+c?= =?us-ascii?Q?bgwSd0s0J99dWSHCug3cSD1cHtNORctqqaW1Cy89ITOccxCtNfgb2n2GnHlS?= =?us-ascii?Q?WskVcYvCnEPLcKh1JVZ8bn1MM/DpimIS9OM8rHdHcQiv0IUqiMlVt5JeM+Q8?= =?us-ascii?Q?eLgfYau1iiaJK15SnrEpJaQaOKnnElgPuhHR5o/Yfy/O8kLnt8m3GaFWu0eV?= =?us-ascii?Q?pYSbekMCTEzR8dGYtVb51R3fKo7DkfgznqUAzMAQyp6ko79k+qcKONFzRgS+?= =?us-ascii?Q?3PhHL5NOZMIRyP9BfPgqHqR6jDlU6echNQ3z1nU9ToChjlmaQXouzEFp4aAf?= =?us-ascii?Q?doYqWC/ehW6brUdVkQb8nVWySOQ0RbFc03M2BXclNwMo39wutzwOpxgqpOFg?= =?us-ascii?Q?0E23P9029vb83Y8kkMyijS1rNNOcBAvoJ8O5YEp2v+1px4nvQujkoUHL/+uG?= =?us-ascii?Q?C5L35LBv0K7RN2ZdoeOs7HgnIydsq6RZMWDkpJ3qwNRnsmXJXKU9iLYJfeNx?= =?us-ascii?Q?SjuClXDEH99JckiPb75WfreZ4nNYahpWOCG0QmftfyKSzBYN+EQbUDTgXQ9k?= =?us-ascii?Q?W2rKDw6e1RGpVAAXyLt/v9mBHzmu80C483UAkWWAdfluAB8YxljeEh9EoHW9?= =?us-ascii?Q?xliqGplteLREGopzDkRGMUv6t9/Zz+aL23cV92bu4gE1hB+fpJQehu2hUeZl?= =?us-ascii?Q?lugWWEdQ/XGyaxNA05uySWIFWaciXysqeBMieVHrsLhkZN8qx8pIYzGzlj6z?= =?us-ascii?Q?onucBGnyx90dpDXLgJDOhX8CWyXNrHO0VxDLzoJgRLZb6PNkF/Jjr5XK9Ypn?= =?us-ascii?Q?MJ6/GhYxOXqdgYjaplUIVD17iIBhCtflycZqHHKYqOVgSMHQG+iT5icVEdh3?= =?us-ascii?Q?yYMyknXYfBybI7YSq+AE4e6nSZ7bGTBAkLSe5/9Dsi9XmHg58vPaEC6JI5LS?= =?us-ascii?Q?IX01JMiUySCAQMjppZ1ic1uJ?= MIME-Version: 1.0 X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: CO1PR11MB4930.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 42d4b065-92c8-4566-43bd-08d8dc7ed327 X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Mar 2021 06:54:13.8156 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: G3HjMLSwxtD4M1uI24oZ47n4ckNgWktmGmwpthuamYChkk1gfgNFJ/DEx1AZ7yMMHaA5aWfAkrKk93rsDed2bQ== X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW3PR11MB4714 Return-Path: ray.ni@intel.com X-OriginatorOrg: intel.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Reviewed-by: Ray Ni > -----Original Message----- > From: Sheng, W > Sent: Friday, February 26, 2021 4:03 PM > To: devel@edk2.groups.io > Cc: Dong, Eric ; Ni, Ray ; Laszlo > Ersek ; Kumar, Rahul1 ; Yao, > Jiewen ; Feng, Roger > Subject: [PATCH v6 2/3] UefiCpuPkg/CpuExceptionHandlerLib: Clear CET > shadow stack token busy bit >=20 > If CET shadows stack feature enabled in SMM and stack switch is enabled. > When code execute from SMM handler to SMM exception, CPU will check > SMM > exception shadow stack token busy bit if it is cleared or not. > If it is set, it will trigger #DF exception. > If it is not set, CPU will set the busy bit when enter SMM exception. > So, the busy bit should be cleared when return back form SMM exception to > SMM handler. Otherwise, keeping busy bit 1 will cause to trigger #DF > exception when enter SMM exception next time. > So, we use instruction SAVEPREVSSP, CLRSSBSY and RSTORSSP to clear the > shadow stack token busy bit before RETF instruction in SMM exception. >=20 > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3192 >=20 > Signed-off-by: Sheng Wei > Cc: Eric Dong > Cc: Ray Ni > Cc: Laszlo Ersek > Cc: Rahul Kumar > Cc: Jiewen Yao > Cc: Roger Feng > Reviewed-by: Jiewen Yao > --- > .../DxeCpuExceptionHandlerLib.inf | 3 ++ > .../PeiCpuExceptionHandlerLib.inf | 3 ++ > .../SecPeiCpuExceptionHandlerLib.inf | 4 ++ > .../SmmCpuExceptionHandlerLib.inf | 3 ++ > .../X64/Xcode5ExceptionHandlerAsm.nasm | 46 > +++++++++++++++++++++- > .../Xcode5SecPeiCpuExceptionHandlerLib.inf | 4 ++ > UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c | 15 ++++++- > 7 files changed, 75 insertions(+), 3 deletions(-) >=20 > diff --git > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib. > inf > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib > .inf > index 07b34c92a8..e7a81bebdb 100644 > --- > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib. > inf > +++ > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib > .inf > @@ -43,6 +43,9 @@ > gUefiCpuPkgTokenSpaceGuid.PcdCpuStackSwitchExceptionList > gUefiCpuPkgTokenSpaceGuid.PcdCpuKnownGoodStackSize >=20 > +[FeaturePcd] > + gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard ## > CONSUMES > + > [Packages] > MdePkg/MdePkg.dec > MdeModulePkg/MdeModulePkg.dec > diff --git > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuExceptionHandlerLib.i > nf > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuExceptionHandlerLib.i > nf > index feae7b3e06..cf5bfe4083 100644 > --- > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuExceptionHandlerLib.i > nf > +++ > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuExceptionHandlerLib.i > nf > @@ -57,3 +57,6 @@ > [Pcd] > gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard # CONSUMES >=20 > +[FeaturePcd] > + gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard ## > CONSUMES > + > diff --git > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandler > Lib.inf > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandler > Lib.inf > index 967cb61ba6..8ae4feae62 100644 > --- > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandler > Lib.inf > +++ > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandler > Lib.inf > @@ -49,3 +49,7 @@ > LocalApicLib > PeCoffGetEntryPointLib > VmgExitLib > + > +[FeaturePcd] > + gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard ## > CONSUMES > + > diff --git > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLi > b.inf > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLi > b.inf > index ea5b10b5c8..c9f20da058 100644 > --- > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLi > b.inf > +++ > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLi > b.inf > @@ -53,3 +53,6 @@ > DebugLib > VmgExitLib >=20 > +[FeaturePcd] > + gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard ## > CONSUMES > + > diff --git > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5ExceptionHandle > rAsm.nasm > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5ExceptionHandle > rAsm.nasm > index 26cae56cc5..ebe0eec874 100644 > --- > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5ExceptionHandle > rAsm.nasm > +++ > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5ExceptionHandle > rAsm.nasm > @@ -13,6 +13,7 @@ > ; Notes: > ; > ;-----------------------------------------------------------------------= ------- > +%include "Nasm.inc" >=20 > ; > ; CommonExceptionHandler() > @@ -23,6 +24,7 @@ > extern ASM_PFX(mErrorCodeFlag) ; Error code flags for exceptions > extern ASM_PFX(mDoFarReturnFlag) ; Do far return flag > extern ASM_PFX(CommonExceptionHandler) > +extern ASM_PFX(FeaturePcdGet (PcdCpuSmmStackGuard)) >=20 > SECTION .data >=20 > @@ -371,8 +373,48 @@ DoReturn: > push qword [rax + 0x18] ; save EFLAGS in new location > mov rax, [rax] ; restore rax > popfq ; restore EFLAGS > - DB 0x48 ; prefix to composite "retq" with next "r= etf" > - retf ; far return > + > + ; The follow algorithm is used for clear shadow stack token busy bit= . > + ; The comment is based on the sample shadow stack. > + ; The sample shadow stack layout : > + ; Address | Context > + ; +-------------------------+ > + ; 0xFD0 | FREE | it is 0xFD8|0x02|(LMA & CS.L),= after > SAVEPREVSSP. > + ; +-------------------------+ > + ; 0xFD8 | Prev SSP | > + ; +-------------------------+ > + ; 0xFE0 | RIP | > + ; +-------------------------+ > + ; 0xFE8 | CS | > + ; +-------------------------+ > + ; 0xFF0 | 0xFF0 | BUSY | BUSY flag cleared after CLRSSB= SY > + ; +-------------------------+ > + ; 0xFF8 | 0xFD8|0x02|(LMA & CS.L) | > + ; +-------------------------+ > + ; Instructions for Intel Control Flow Enforcement Technology (CET) a= re > supported since NASM version 2.15.01. > + push rax ; SSP should be 0xFD8 at this point > + cmp byte [dword ASM_PFX(FeaturePcdGet > (PcdCpuSmmStackGuard))], 0 > + jz CetDone > + mov rax, cr4 > + and rax, 0x800000 ; check if CET is enabled > + jz CetDone > + mov rax, 0x04 ; advance past cs:lip:prevssp;supervisor= shadow > stack token > + INCSSP_RAX ; After this SSP should be 0xFF8 > + SAVEPREVSSP ; now the shadow stack restore token wil= l be > created at 0xFD0 > + READSSP_RAX ; Read new SSP, SSP should be 0x1000 > + push rax > + sub rax, 0x10 > + CLRSSBSY_RAX ; Clear token at 0xFF0, SSP should be 0 = after this > + sub rax, 0x20 > + RSTORSSP_RAX ; Restore to token at 0xFD0, new SSP wil= l be 0xFD0 > + pop rax > + mov rax, 0x01 ; Pop off the new save token created > + INCSSP_RAX ; SSP should be 0xFD8 now > +CetDone: > + pop rax ; restore rax > + > + DB 0x48 ; prefix to composite "retq" with next "= retf" > + retf ; far return > DoIret: > iretq >=20 > diff --git > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/Xcode5SecPeiCpuException > HandlerLib.inf > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/Xcode5SecPeiCpuException > HandlerLib.inf > index 743c2aa766..a15f125d5b 100644 > --- > a/UefiCpuPkg/Library/CpuExceptionHandlerLib/Xcode5SecPeiCpuException > HandlerLib.inf > +++ > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/Xcode5SecPeiCpuException > HandlerLib.inf > @@ -54,3 +54,7 @@ > LocalApicLib > PeCoffGetEntryPointLib > VmgExitLib > + > +[FeaturePcd] > + gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard ## > CONSUMES > + > diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c > b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c > index 28f8e8e133..7ef3b1d488 100644 > --- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c > +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c > @@ -173,6 +173,7 @@ InitShadowStack ( > { > UINTN SmmShadowStackSize; > UINT64 *InterruptSspTable; > + UINT32 InterruptSsp; >=20 > if ((PcdGet32 (PcdControlFlowEnforcementPropertyMask) !=3D 0) && > mCetSupported) { > SmmShadowStackSize =3D EFI_PAGES_TO_SIZE (EFI_SIZE_TO_PAGES > (PcdGet32 (PcdCpuSmmShadowStackSize))); > @@ -191,7 +192,19 @@ InitShadowStack ( > ASSERT (mSmmInterruptSspTables !=3D 0); > DEBUG ((DEBUG_INFO, "mSmmInterruptSspTables - 0x%x\n", > mSmmInterruptSspTables)); > } > - mCetInterruptSsp =3D (UINT32)((UINTN)ShadowStack + > EFI_PAGES_TO_SIZE(1) - sizeof(UINT64)); > + > + // > + // The highest address on the stack (0xFF8) is a save-previous-ssp= token > pointing to a location that is 40 bytes away - 0xFD0. > + // The supervisor shadow stack token is just above it at address 0= xFF0. > This is where the interrupt SSP table points. > + // So when an interrupt of exception occurs, we can use > SAVESSP/RESTORESSP/CLEARSSBUSY for the supervisor shadow stack, > + // due to the reason the RETF in SMM exception handler cannot clea= r > the BUSY flag with same CPL. > + // (only IRET or RETF with different CPL can clear BUSY flag) > + // Please refer to UefiCpuPkg/Library/CpuExceptionHandlerLib/X64 f= or > the full stack frame at runtime. > + // > + InterruptSsp =3D (UINT32)((UINTN)ShadowStack + EFI_PAGES_TO_SIZE(1= ) > - sizeof(UINT64)); > + *(UINT32 *)(UINTN)InterruptSsp =3D (InterruptSsp - sizeof(UINT64) = * 4) | > 0x2; > + mCetInterruptSsp =3D InterruptSsp - sizeof(UINT64); > + > mCetInterruptSspTable =3D (UINT32)(UINTN)(mSmmInterruptSspTables + > sizeof(UINT64) * 8 * CpuIndex); > InterruptSspTable =3D (UINT64 *)(UINTN)mCetInterruptSspTable; > InterruptSspTable[1] =3D mCetInterruptSsp; > -- > 2.16.2.windows.1