From: "Ni, Ray"
To: "Jiang, Guomin", "devel@edk2.groups.io"
CC: "Dong, Eric", Laszlo Ersek, "Kumar, Rahul1", "De, Debkumar", "Han, Harry", "West, Catharine"
Subject: Re: [PATCH v2 1/1] UefiCpuPkg: Move MigrateGdt from DiscoverMemory to TempRamDone. (CVE-2019-11098)
Date: Fri, 29 Jan 2021 08:16:07 +0000
References: <20210129080044.1366-1-guomin.jiang@intel.com>
In-Reply-To: <20210129080044.1366-1-guomin.jiang@intel.com>

Reviewed-by: Ray Ni

> -----Original Message-----
> From: Guomin Jiang
> Sent: Friday, January 29, 2021 4:01 PM
> To: devel@edk2.groups.io
> Cc: Dong, Eric; Ni, Ray; Laszlo Ersek; Kumar, Rahul1; De, Debkumar; Han, Harry; West, Catharine
> Subject: [PATCH v2 1/1] UefiCpuPkg: Move MigrateGdt from DiscoverMemory to TempRamDone. (CVE-2019-11098)
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1614
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3160
>
> The GDT is still in flash with commit 60b12e69fb1c8c7180fdda92f008248b9ec83db1
> after TempRamDone
>
> So move the action to TempRamDone event to avoid reading GDT from flash.
>
> Signed-off-by: Guomin Jiang
> Cc: Eric Dong
> Cc: Ray Ni
> Cc: Laszlo Ersek
> Cc: Rahul Kumar
> Cc: Debkumar De
> Cc: Harry Han
> Cc: Catharine West
> ---
>  UefiCpuPkg/CpuMpPei/CpuMpPei.inf |  1 -
>  UefiCpuPkg/SecCore/SecCore.inf   |  1 +
>  UefiCpuPkg/CpuMpPei/CpuMpPei.c   | 37 --------------------------
>  UefiCpuPkg/CpuMpPei/CpuPaging.c  |  8 ------
>  UefiCpuPkg/SecCore/SecMain.c     | 45 ++++++++++++++++++++++++++++++++
>  5 files changed, 46 insertions(+), 46 deletions(-)
>
> diff --git a/UefiCpuPkg/CpuMpPei/CpuMpPei.inf b/UefiCpuPkg/CpuMpPei/CpuMp= Pei.inf > index 7e511325d8b8..fd50b55f06cb 100644 > --- a/UefiCpuPkg/CpuMpPei/CpuMpPei.inf > +++ b/UefiCpuPkg/CpuMpPei/CpuMpPei.inf > @@ -66,7 +66,6 @@ [Pcd] > gUefiCpuPkgTokenSpaceGuid.PcdCpuStackSwitchExceptionList = ## SOMETIMES_CONSUMES > gUefiCpuPkgTokenSpaceGuid.PcdCpuKnownGoodStackSize = ## SOMETIMES_CONSUMES > gUefiCpuPkgTokenSpaceGuid.PcdCpuApStackSize = ## SOMETIMES_CONSUMES > - gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes = ## CONSUMES >=20 > [Depex] > TRUE > diff --git a/UefiCpuPkg/SecCore/SecCore.inf b/UefiCpuPkg/SecCore/SecCore.= inf > index 545781d6b4b3..ded83beb5272 100644 > --- a/UefiCpuPkg/SecCore/SecCore.inf > +++ b/UefiCpuPkg/SecCore/SecCore.inf > @@ -77,6 +77,7 @@ [Guids] >=20 > [Pcd] > gUefiCpuPkgTokenSpaceGuid.PcdPeiTemporaryRamStackSize ## CONSUMES > + gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes = ## CONSUMES >=20 > [UserExtensions.TianoCore."ExtraFiles"] > SecCoreExtra.uni > diff --git a/UefiCpuPkg/CpuMpPei/CpuMpPei.c b/UefiCpuPkg/CpuMpPei/CpuMpPe= i.c > index d07540cf7471..07ccbe7c6a91 100644 > --- a/UefiCpuPkg/CpuMpPei/CpuMpPei.c > +++ b/UefiCpuPkg/CpuMpPei/CpuMpPei.c 
> @@ -429,43 +429,6 @@ GetGdtr ( > AsmReadGdtr ((IA32_DESCRIPTOR *)Buffer); > } >=20 > -/** > - Migrates the Global Descriptor Table (GDT) to permanent memory. > - > - @retval EFI_SUCCESS The GDT was migrated successfully. > - @retval EFI_OUT_OF_RESOURCES The GDT could not be migrated due to l= ack of available memory. > - > -**/ > -EFI_STATUS > -MigrateGdt ( > - VOID > - ) > -{ > - EFI_STATUS Status; > - UINTN GdtBufferSize; > - IA32_DESCRIPTOR Gdtr; > - VOID *GdtBuffer; > - > - AsmReadGdtr ((IA32_DESCRIPTOR *) &Gdtr); > - GdtBufferSize =3D sizeof (IA32_SEGMENT_DESCRIPTOR) -1 + Gdtr.Limit + 1= ; > - > - Status =3D PeiServicesAllocatePool ( > - GdtBufferSize, > - &GdtBuffer > - ); > - ASSERT (GdtBuffer !=3D NULL); > - if (EFI_ERROR (Status)) { > - return EFI_OUT_OF_RESOURCES; > - } > - > - GdtBuffer =3D ALIGN_POINTER (GdtBuffer, sizeof (IA32_SEGMENT_DESCRIPTO= R)); > - CopyMem (GdtBuffer, (VOID *) Gdtr.Base, Gdtr.Limit + 1); > - Gdtr.Base =3D (UINTN) GdtBuffer; > - AsmWriteGdtr (&Gdtr); > - > - return EFI_SUCCESS; > -} > - > /** > Initializes CPU exceptions handlers for the sake of stack switch requi= rement. >=20 > diff --git a/UefiCpuPkg/CpuMpPei/CpuPaging.c b/UefiCpuPkg/CpuMpPei/CpuPag= ing.c > index 50ad4277af79..3e261d6657b3 100644 > --- a/UefiCpuPkg/CpuMpPei/CpuPaging.c > +++ b/UefiCpuPkg/CpuMpPei/CpuPaging.c > @@ -605,17 +605,9 @@ MemoryDiscoveredPpiNotifyCallback ( > { > EFI_STATUS Status; > BOOLEAN InitStackGuard; > - BOOLEAN InterruptState; > EDKII_MIGRATED_FV_INFO *MigratedFvInfo; > EFI_PEI_HOB_POINTERS Hob; >=20 > - if (PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)) { > - InterruptState =3D SaveAndDisableInterrupts (); > - Status =3D MigrateGdt (); > - ASSERT_EFI_ERROR (Status); > - SetInterruptState (InterruptState); > - } > - > // > // Paging must be setup first. Otherwise the exception TSS setup durin= g MP > // initialization later will not contain paging information and then f= ail 
> diff --git a/UefiCpuPkg/SecCore/SecMain.c b/UefiCpuPkg/SecCore/SecMain.c > index 155be49a6011..2416c4ce56b2 100644 > --- a/UefiCpuPkg/SecCore/SecMain.c > +++ b/UefiCpuPkg/SecCore/SecMain.c > @@ -35,6 +35,43 @@ EFI_PEI_PPI_DESCRIPTOR mPeiSecPlatformInfor= mationPpi[] =3D { > } > }; >=20 > +/** > + Migrates the Global Descriptor Table (GDT) to permanent memory. > + > + @retval EFI_SUCCESS The GDT was migrated successfully. > + @retval EFI_OUT_OF_RESOURCES The GDT could not be migrated due to l= ack of available memory. > + > +**/ > +EFI_STATUS > +MigrateGdt ( > + VOID > + ) > +{ > + EFI_STATUS Status; > + UINTN GdtBufferSize; > + IA32_DESCRIPTOR Gdtr; > + VOID *GdtBuffer; > + > + AsmReadGdtr ((IA32_DESCRIPTOR *) &Gdtr); > + GdtBufferSize =3D sizeof (IA32_SEGMENT_DESCRIPTOR) -1 + Gdtr.Limit + 1= ; > + > + Status =3D PeiServicesAllocatePool ( > + GdtBufferSize, > + &GdtBuffer > + ); > + ASSERT (GdtBuffer !=3D NULL); > + if (EFI_ERROR (Status)) { > + return EFI_OUT_OF_RESOURCES; > + } > + > + GdtBuffer =3D ALIGN_POINTER (GdtBuffer, sizeof (IA32_SEGMENT_DESCRIPTO= R)); > + CopyMem (GdtBuffer, (VOID *) Gdtr.Base, Gdtr.Limit + 1); > + Gdtr.Base =3D (UINTN) GdtBuffer; > + AsmWriteGdtr (&Gdtr); > + > + return EFI_SUCCESS; > +} > + > // > // These are IDT entries pointing to 10:FFFFFFE4h. > // > @@ -409,6 +446,14 @@ SecTemporaryRamDone ( > // > State =3D SaveAndDisableInterrupts (); >=20 > + // > + // Migrate GDT before NEM near down > + // > + if (PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)) { > + Status =3D MigrateGdt (); > + ASSERT_EFI_ERROR (Status); > + } > + > // > // Disable Temporary RAM after Stack and Heap have been migrated at th= is point. > // > -- > 2.25.1.windows.1
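
Review bot: The CpuMpPei.c hunk (@@ -429,43 +429,6 @@) deletes the MigrateGdt() definition, but the diffstat lists no header change under UefiCpuPkg/CpuMpPei, so any prototype for MigrateGdt that remains in that module's headers would now declare a function with no definition. If such a declaration exists, remove it in the same patch so a later caller in CpuMpPei fails at compile time rather than at link time.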
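
Review bot: In the MigrateGdt() added to UefiCpuPkg/SecCore/SecMain.c (@@ -35,6 +35,43 @@), ASSERT (GdtBuffer != NULL) runs before the EFI_ERROR (Status) check, and GdtBuffer is declared without an initializer, so on an allocation failure the assertion may evaluate a pointer that was never written. Test Status first, or initialize GdtBuffer to NULL, and assert afterwards. The size expression sizeof (IA32_SEGMENT_DESCRIPTOR) -1 + Gdtr.Limit + 1 would also benefit from a one-line comment saying that the extra sizeof - 1 bytes are slack for the ALIGN_POINTER call that follows, since the -1 and +1 otherwise look like a mistake that cancels out.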
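
Review bot: In the SecTemporaryRamDone hunk (@@ -409,6 +446,14 @@), a MigrateGdt() failure is caught only by ASSERT_EFI_ERROR (Status), which does nothing in builds where assertions are disabled, so execution would continue to the Temporary RAM disable step with GDTR still pointing at the old table, which is the condition this patch is meant to close. Handle the failure explicitly on this path (for example, stop with CpuDeadLoop ()) instead of relying on the assertion. The new comment reads "Migrate GDT before NEM near down"; "tear down" is presumably what was meant.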