From: "Sheng Wei" <w.sheng@intel.com>
To: "Yao, Jiewen" <jiewen.yao@intel.com>,
"devel@edk2.groups.io" <devel@edk2.groups.io>,
"Dong, Eric" <eric.dong@intel.com>, "Ni, Ray" <ray.ni@intel.com>,
Laszlo Ersek <lersek@redhat.com>,
"Kumar, Rahul1" <rahul1.kumar@intel.com>,
"Kinney, Michael D" <michael.d.kinney@intel.com>,
Liming Gao <gaoliming@byosoft.com.cn>,
"Liu, Zhiguang" <zhiguang.liu@intel.com>
Subject: Re: [PATCH] MdePkg/Include: Add CET instructions to Nasm.inc
Date: Fri, 29 Jan 2021 08:32:47 +0000 [thread overview]
Message-ID: <CY4PR11MB192855141697562544FE568AE1B99@CY4PR11MB1928.namprd11.prod.outlook.com> (raw)
In-Reply-To: <BY5PR11MB4166B5C8868695EA54E36D6B8CB99@BY5PR11MB4166.namprd11.prod.outlook.com>
[-- Attachment #1: Type: text/plain, Size: 4666 bytes --]
Hi Jiewen, all,
The 2 patches are for fix #DF exception when enable CET shadow stack feature.
The file 0002-UefiCpuPkg-CpuExceptionHandlerLib-Clear-CET-shadow-s.patch is used to fix the #DF exception issue.
The file 0001-MdePkg-Include-Add-CET-instructions-to-Nasm.inc.patch is used to add the CET instruction which is used in patch 0002.
Some description about the issue and the fix:
If CET shadows stack feature enabled in SMM and stack switch is enabled.
When code execute from SMM handler to SMM exception, CPU will check SMM
exception shadow stack token busy bit if it is cleared or not.
If it is set, it will trigger #DF exception.
If it is not set, CPU will set the busy bit when enter SMM exception.
The busy bit should be cleared when return back form SMM exception to SMM
handler. Otherwise, keeping busy bit in set state will cause to trigger
#DF exception when enter SMM exception next time.
So, we use instruction SAVEPREVSSP, CLRSSBSY and RSTORSSP to clear the
shadow stack token busy bit before RETF instruction in SMM exception.
Could you help to review and merge the patch?
Thank you
BR
Sheng Wei
> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: 2021年1月29日 14:36
> To: Sheng, W <w.sheng@intel.com>; devel@edk2.groups.io
> Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Liming Gao
> <gaoliming@byosoft.com.cn>; Liu, Zhiguang <zhiguang.liu@intel.com>
> Subject: RE: [PATCH] MdePkg/Include: Add CET instructions to Nasm.inc
>
> Hi Wei
> Would you please send out the second patch to consume these instruction?
>
> As such people can have a full picture on what the issue is and what the
> solution is.
>
> Thank you
> Yao Jiewen
>
> > -----Original Message-----
> > From: Sheng, W <w.sheng@intel.com>
> > Sent: Friday, January 29, 2021 10:35 AM
> > To: devel@edk2.groups.io
> > Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Liming Gao
> > <gaoliming@byosoft.com.cn>; Liu, Zhiguang <zhiguang.liu@intel.com>;
> > Yao, Jiewen <jiewen.yao@intel.com>
> > Subject: [PATCH] MdePkg/Include: Add CET instructions to Nasm.inc
> >
> > This is to add instruction SAVEPREVSSP, CLRSSBSY and RSTORSSP_RAX in
> > Nasm, because these instructions are not supported yet.
> >
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3192
> >
> > Signed-off-by: Sheng Wei <w.sheng@intel.com>
> > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > Cc: Liming Gao <gaoliming@byosoft.com.cn>
> > Cc: Zhiguang Liu <zhiguang.liu@intel.com>
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > ---
> > MdePkg/Include/Ia32/Nasm.inc | 14 +++++++++++++-
> > MdePkg/Include/X64/Nasm.inc | 14 +++++++++++++-
> > 2 files changed, 26 insertions(+), 2 deletions(-)
> >
> > diff --git a/MdePkg/Include/Ia32/Nasm.inc
> > b/MdePkg/Include/Ia32/Nasm.inc index 31ce861f1e..9c1b7796ea 100644
> > --- a/MdePkg/Include/Ia32/Nasm.inc
> > +++ b/MdePkg/Include/Ia32/Nasm.inc
> > @@ -1,6 +1,6 @@
> >
> > ;---------------------------------------------------------------------
> > ---------
> > ;
> > -; Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> > +; Copyright (c) 2019 - 2021, Intel Corporation. All rights
> > +reserved.<BR>
> > ; SPDX-License-Identifier: BSD-2-Clause-Patent ; ; Abstract:
> > @@ -20,3 +20,15 @@
> > %macro INCSSP_EAX 0
> > DB 0xF3, 0x0F, 0xAE, 0xE8
> > %endmacro
> > +
> > +%macro SAVEPREVSSP 0
> > + DB 0xF3, 0x0F, 0x01, 0xEA
> > +%endmacro
> > +
> > +%macro CLRSSBSY_EAX 0
> > + DB 0x67, 0xF3, 0x0F, 0xAE, 0x30
> > +%endmacro
> > +
> > +%macro RSTORSSP_EAX 0
> > + DB 0x67, 0xF3, 0x0F, 0x01, 0x28
> > +%endmacro
> > diff --git a/MdePkg/Include/X64/Nasm.inc
> b/MdePkg/Include/X64/Nasm.inc
> > index 42412735ea..c5189982bb 100644
> > --- a/MdePkg/Include/X64/Nasm.inc
> > +++ b/MdePkg/Include/X64/Nasm.inc
> > @@ -1,6 +1,6 @@
> >
> > ;---------------------------------------------------------------------
> > ---------
> > ;
> > -; Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> > +; Copyright (c) 2019 - 2021, Intel Corporation. All rights
> > +reserved.<BR>
> > ; SPDX-License-Identifier: BSD-2-Clause-Patent ; ; Abstract:
> > @@ -20,3 +20,15 @@
> > %macro INCSSP_RAX 0
> > DB 0xF3, 0x48, 0x0F, 0xAE, 0xE8
> > %endmacro
> > +
> > +%macro SAVEPREVSSP 0
> > + DB 0xF3, 0x0F, 0x01, 0xEA
> > +%endmacro
> > +
> > +%macro CLRSSBSY_RAX 0
> > + DB 0xF3, 0x0F, 0xAE, 0x30
> > +%endmacro
> > +
> > +%macro RSTORSSP_RAX 0
> > + DB 0xF3, 0x0F, 0x01, 0x28
> > +%endmacro
> > --
> > 2.16.2.windows.1
[-- Attachment #2: 0000-cover-letter.patch --]
[-- Type: application/octet-stream, Size: 2046 bytes --]
From d1099ae09e6bfeac086ee974edbee7a5c4a34905 Mon Sep 17 00:00:00 2001
From: Sheng Wei <w.sheng@intel.com>
Date: Fri, 29 Jan 2021 15:25:11 +0800
Subject: [PATCH 0/2] Fix #DF issue when enable CET shadow stack feature.
If CET shadows stack feature enabled in SMM and stack switch is enabled.
When code execute from SMM handler to SMM exception, CPU will check SMM
exception shadow stack token busy bit if it is cleared or not.
If it is set, it will trigger #DF exception.
If it is not set, CPU will set the busy bit when enter SMM exception.
The busy bit should be cleared when return back form SMM exception to SMM
handler. Otherwise, keeping busy bit in set state will cause to trigger
#DF exception when enter SMM exception next time.
So, we use instruction SAVEPREVSSP, CLRSSBSY and RSTORSSP to clear the
shadow stack token busy bit before RETF instruction in SMM exception.
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3192
Signed-off-by: Sheng Wei <w.sheng@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Sheng Wei (2):
MdePkg/Include: Add CET instructions to Nasm.inc
UefiCpuPkg/CpuExceptionHandlerLib: Clear CET shadow stack token busy
bit
MdePkg/Include/Ia32/Nasm.inc | 14 ++++++++++-
MdePkg/Include/X64/Nasm.inc | 14 ++++++++++-
.../DxeCpuExceptionHandlerLib.inf | 3 +++
.../PeiCpuExceptionHandlerLib.inf | 3 +++
.../SecPeiCpuExceptionHandlerLib.inf | 4 ++++
.../SmmCpuExceptionHandlerLib.inf | 3 +++
.../X64/Xcode5ExceptionHandlerAsm.nasm | 28 +++++++++++++++++++++-
.../Xcode5SecPeiCpuExceptionHandlerLib.inf | 4 ++++
8 files changed, 70 insertions(+), 3 deletions(-)
--
2.16.2.windows.1
[-- Attachment #3: 0001-MdePkg-Include-Add-CET-instructions-to-Nasm.inc.patch --]
[-- Type: application/octet-stream, Size: 2415 bytes --]
From d27044daf924c1ceb98d61edde57f5e3a11a1164 Mon Sep 17 00:00:00 2001
From: Sheng Wei <w.sheng@intel.com>
Date: Tue, 26 Jan 2021 16:54:15 +0800
Subject: [PATCH 1/2] MdePkg/Include: Add CET instructions to Nasm.inc
This is to add instruction SAVEPREVSSP, CLRSSBSY and RSTORSSP_RAX in Nasm,
because these instructions are not supported yet.
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3192
Signed-off-by: Sheng Wei <w.sheng@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
---
MdePkg/Include/Ia32/Nasm.inc | 14 +++++++++++++-
MdePkg/Include/X64/Nasm.inc | 14 +++++++++++++-
2 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/MdePkg/Include/Ia32/Nasm.inc b/MdePkg/Include/Ia32/Nasm.inc
index 31ce861f1e..9c1b7796ea 100644
--- a/MdePkg/Include/Ia32/Nasm.inc
+++ b/MdePkg/Include/Ia32/Nasm.inc
@@ -1,6 +1,6 @@
;------------------------------------------------------------------------------
;
-; Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+; Copyright (c) 2019 - 2021, Intel Corporation. All rights reserved.<BR>
; SPDX-License-Identifier: BSD-2-Clause-Patent
;
; Abstract:
@@ -20,3 +20,15 @@
%macro INCSSP_EAX 0
DB 0xF3, 0x0F, 0xAE, 0xE8
%endmacro
+
+%macro SAVEPREVSSP 0
+ DB 0xF3, 0x0F, 0x01, 0xEA
+%endmacro
+
+%macro CLRSSBSY_EAX 0
+ DB 0x67, 0xF3, 0x0F, 0xAE, 0x30
+%endmacro
+
+%macro RSTORSSP_EAX 0
+ DB 0x67, 0xF3, 0x0F, 0x01, 0x28
+%endmacro
diff --git a/MdePkg/Include/X64/Nasm.inc b/MdePkg/Include/X64/Nasm.inc
index 42412735ea..c5189982bb 100644
--- a/MdePkg/Include/X64/Nasm.inc
+++ b/MdePkg/Include/X64/Nasm.inc
@@ -1,6 +1,6 @@
;------------------------------------------------------------------------------
;
-; Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+; Copyright (c) 2019 - 2021, Intel Corporation. All rights reserved.<BR>
; SPDX-License-Identifier: BSD-2-Clause-Patent
;
; Abstract:
@@ -20,3 +20,15 @@
%macro INCSSP_RAX 0
DB 0xF3, 0x48, 0x0F, 0xAE, 0xE8
%endmacro
+
+%macro SAVEPREVSSP 0
+ DB 0xF3, 0x0F, 0x01, 0xEA
+%endmacro
+
+%macro CLRSSBSY_RAX 0
+ DB 0xF3, 0x0F, 0xAE, 0x30
+%endmacro
+
+%macro RSTORSSP_RAX 0
+ DB 0xF3, 0x0F, 0x01, 0x28
+%endmacro
--
2.16.2.windows.1
[-- Attachment #4: 0002-UefiCpuPkg-CpuExceptionHandlerLib-Clear-CET-shadow-s.patch --]
[-- Type: application/octet-stream, Size: 6464 bytes --]
From d1099ae09e6bfeac086ee974edbee7a5c4a34905 Mon Sep 17 00:00:00 2001
From: Sheng Wei <w.sheng@intel.com>
Date: Tue, 26 Jan 2021 17:00:58 +0800
Subject: [PATCH 2/2] UefiCpuPkg/CpuExceptionHandlerLib: Clear CET shadow stack
token busy bit
If CET shadows stack feature enabled in SMM and stack switch is enabled.
When code execute from SMM handler to SMM exception, CPU will check SMM
exception shadow stack token busy bit if it is cleared or not.
If it is set, it will trigger #DF exception.
If it is not set, CPU will set the busy bit when enter SMM exception.
The busy bit should be cleared when return back form SMM exception to SMM
handler. Otherwise, keeping busy bit in set state will cause to trigger
#DF exception when enter SMM exception next time.
So, we use instruction SAVEPREVSSP, CLRSSBSY and RSTORSSP to clear the
shadow stack token busy bit before RETF instruction in SMM exception.
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3192
Signed-off-by: Sheng Wei <w.sheng@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
---
.../DxeCpuExceptionHandlerLib.inf | 3 +++
.../PeiCpuExceptionHandlerLib.inf | 3 +++
.../SecPeiCpuExceptionHandlerLib.inf | 4 ++++
.../SmmCpuExceptionHandlerLib.inf | 3 +++
.../X64/Xcode5ExceptionHandlerAsm.nasm | 28 +++++++++++++++++++++-
.../Xcode5SecPeiCpuExceptionHandlerLib.inf | 4 ++++
6 files changed, 44 insertions(+), 1 deletion(-)
diff --git a/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib.inf b/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib.inf
index 07b34c92a8..e7a81bebdb 100644
--- a/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib.inf
+++ b/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib.inf
@@ -43,6 +43,9 @@
gUefiCpuPkgTokenSpaceGuid.PcdCpuStackSwitchExceptionList
gUefiCpuPkgTokenSpaceGuid.PcdCpuKnownGoodStackSize
+[FeaturePcd]
+ gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard ## CONSUMES
+
[Packages]
MdePkg/MdePkg.dec
MdeModulePkg/MdeModulePkg.dec
diff --git a/UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuExceptionHandlerLib.inf b/UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuExceptionHandlerLib.inf
index feae7b3e06..cf5bfe4083 100644
--- a/UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuExceptionHandlerLib.inf
+++ b/UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuExceptionHandlerLib.inf
@@ -57,3 +57,6 @@
[Pcd]
gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard # CONSUMES
+[FeaturePcd]
+ gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard ## CONSUMES
+
diff --git a/UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.inf b/UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.inf
index 967cb61ba6..8ae4feae62 100644
--- a/UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.inf
+++ b/UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.inf
@@ -49,3 +49,7 @@
LocalApicLib
PeCoffGetEntryPointLib
VmgExitLib
+
+[FeaturePcd]
+ gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard ## CONSUMES
+
diff --git a/UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLib.inf b/UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLib.inf
index 4cdb11c04e..5c3d1f7cfd 100644
--- a/UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLib.inf
+++ b/UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLib.inf
@@ -53,3 +53,6 @@
DebugLib
VmgExitLib
+[FeaturePcd]
+ gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard ## CONSUMES
+
diff --git a/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5ExceptionHandlerAsm.nasm b/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5ExceptionHandlerAsm.nasm
index 26cae56cc5..13fd147f11 100644
--- a/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5ExceptionHandlerAsm.nasm
+++ b/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5ExceptionHandlerAsm.nasm
@@ -1,5 +1,5 @@
;------------------------------------------------------------------------------ ;
-; Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.<BR>
+; Copyright (c) 2012 - 2021, Intel Corporation. All rights reserved.<BR>
; SPDX-License-Identifier: BSD-2-Clause-Patent
;
; Module Name:
@@ -13,6 +13,7 @@
; Notes:
;
;------------------------------------------------------------------------------
+%include "Nasm.inc"
;
; CommonExceptionHandler()
@@ -23,6 +24,7 @@
extern ASM_PFX(mErrorCodeFlag) ; Error code flags for exceptions
extern ASM_PFX(mDoFarReturnFlag) ; Do far return flag
extern ASM_PFX(CommonExceptionHandler)
+extern ASM_PFX(FeaturePcdGet (PcdCpuSmmStackGuard))
SECTION .data
@@ -371,6 +373,30 @@ DoReturn:
push qword [rax + 0x18] ; save EFLAGS in new location
mov rax, [rax] ; restore rax
popfq ; restore EFLAGS
+
+ push rax
+ cmp byte [dword ASM_PFX(FeaturePcdGet (PcdCpuSmmStackGuard))], 0
+ jz CetDone
+ mov rax, cr4
+ and rax, 0x800000 ; check if CET is enabled
+ jz CetDone
+ push rbx
+ mov rax, 0x04
+ INCSSP_RAX
+ SAVEPREVSSP
+ READSSP_RAX
+ mov rbx, rax
+ sub rax, 0x10
+ CLRSSBSY_RAX
+ mov rax, rbx
+ sub rax, 0x30
+ RSTORSSP_RAX
+ mov rax, 0x01
+ INCSSP_RAX
+ pop rbx
+CetDone:
+ pop rax
+
DB 0x48 ; prefix to composite "retq" with next "retf"
retf ; far return
DoIret:
diff --git a/UefiCpuPkg/Library/CpuExceptionHandlerLib/Xcode5SecPeiCpuExceptionHandlerLib.inf b/UefiCpuPkg/Library/CpuExceptionHandlerLib/Xcode5SecPeiCpuExceptionHandlerLib.inf
index 743c2aa766..a15f125d5b 100644
--- a/UefiCpuPkg/Library/CpuExceptionHandlerLib/Xcode5SecPeiCpuExceptionHandlerLib.inf
+++ b/UefiCpuPkg/Library/CpuExceptionHandlerLib/Xcode5SecPeiCpuExceptionHandlerLib.inf
@@ -54,3 +54,7 @@
LocalApicLib
PeCoffGetEntryPointLib
VmgExitLib
+
+[FeaturePcd]
+ gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard ## CONSUMES
+
--
2.16.2.windows.1
next prev parent reply other threads:[~2021-01-29 8:32 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-29 2:34 [PATCH] MdePkg/Include: Add CET instructions to Nasm.inc Sheng Wei
2021-01-29 6:35 ` Yao, Jiewen
2021-01-29 8:32 ` Sheng Wei [this message]
2021-01-29 9:20 ` Yao, Jiewen
2021-01-29 17:22 ` Michael D Kinney
2021-01-29 19:03 ` Bret Barkelew
2021-02-02 2:43 ` 回复: " gaoliming
2021-02-02 3:38 ` Sheng Wei
2021-02-02 3:50 ` 回复: " gaoliming
2021-02-02 15:23 ` [edk2-devel] " Michael D Kinney
2021-02-02 15:21 ` Michael D Kinney
2021-02-02 16:01 ` Laszlo Ersek
2021-02-03 0:06 ` Sheng Wei
2021-02-03 2:01 ` 回复: " gaoliming
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CY4PR11MB192855141697562544FE568AE1B99@CY4PR11MB1928.namprd11.prod.outlook.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox