From: "Dong, Eric" <eric.dong@intel.com>
To: "Wu, Hao A" <hao.a.wu@intel.com>,
"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Cc: "Yao, Jiewen" <jiewen.yao@intel.com>,
Laszlo Ersek <lersek@redhat.com>,
"Kinney, Michael D" <michael.d.kinney@intel.com>
Subject: Re: [PATCH v1 1/1] UefiCpuPkg: [CVE-2017-5715] Stuff RSB before RSM
Date: Mon, 19 Nov 2018 02:00:05 +0000
Message-ID: <ED077930C258884BBCB450DB737E662259D3E7C1@shsmsx102.ccr.corp.intel.com>
In-Reply-To: <20181116013710.33800-2-hao.a.wu@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
> -----Original Message-----
> From: Wu, Hao A
> Sent: Friday, November 16, 2018 9:37 AM
> To: edk2-devel@lists.01.org
> Cc: Wu, Hao A <hao.a.wu@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>;
> Laszlo Ersek <lersek@redhat.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Dong, Eric <eric.dong@intel.com>
> Subject: [PATCH v1 1/1] UefiCpuPkg: [CVE-2017-5715] Stuff RSB before RSM
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1093
>
> Return Stack Buffer (RSB) is used to predict the target of RET
> instructions. When the RSB underflows, some processors may fall back to
> using branch predictors. This might impact software using the retpoline
> mitigation strategy on those processors.
>
> This commit will add RSB stuffing logic before returning from SMM (the RSM
> instruction) to avoid interfering with non-SMM usage of the retpoline
> technique.
>
> After the stuffing, RSB entries will contain a trap like:
>
> SpecTrap:
> pause
> lfence
> jmp SpecTrap
>
> A more detailed explanation of the purpose of commit is under the
> 'Branch target injection mitigation' section of the below link:
> https://software.intel.com/security-software-guidance/insights/host-
> firmware-speculative-execution-side-channel-mitigation
>
> This commit introduces a .INC file that contains the RSB logic and it can
> be included by .ASM files. This file is placed at directory
> 'UefiCpuPkg/Include/'.
>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Eric Dong <eric.dong@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Hao Wu <hao.a.wu@intel.com>
> ---
> UefiCpuPkg/Include/StuffRsbAsm.inc | 60 ++++++++++++++++++++
> UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.asm | 5 +-
> UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.asm | 5 +-
> UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.asm | 5 +-
> UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.asm | 5 +-
> 5 files changed, 76 insertions(+), 4 deletions(-)
>
> diff --git a/UefiCpuPkg/Include/StuffRsbAsm.inc
> b/UefiCpuPkg/Include/StuffRsbAsm.inc
> new file mode 100644
> index 0000000000..daaaaf36ad
> --- /dev/null
> +++ b/UefiCpuPkg/Include/StuffRsbAsm.inc
> @@ -0,0 +1,60 @@
> +;------------------------------------------------------------------------------ ;
> +; Copyright (c) 2018, Intel Corporation. All rights reserved.<BR>
> +; This program and the accompanying materials
> +; are licensed and made available under the terms and conditions of the BSD
> License
> +; which accompanies this distribution. The full text of the license may be
> found at
> +; http://opensource.org/licenses/bsd-license.php.
> +;
> +; THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> BASIS,
> +; WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
> EXPRESS OR IMPLIED.
> +;
> +; Module Name:
> +;
> +; StuffRsbAsm.inc
> +;
> +; Abstract:
> +;
> +; This file provides macro definitions for stuffing the Return Stack Buffer
> (RSB)
> +; for .ASM files.
> +;
> +;-------------------------------------------------------------------------------
> +
> +RSB_STUFF_ENTRIES Equ 20h
> +
> +;
> +; parameters:
> +; @param 1: register to use as counter (e.g. IA32:eax, X64:rax)
> +; @param 2: stack pointer to restore (IA32:esp, X64:rsp)
> +; @param 3: the size of a stack frame (IA32:4, X64:8)
> +;
> +StuffRsb MACRO Reg, StackPointer, Size
> + local Unroll1, Unroll2, SpecTrap1, SpecTrap2, StuffLoop
> + mov Reg, RSB_STUFF_ENTRIES / 2
> +Unroll1:
> + call Unroll2
> +SpecTrap1:
> + pause
> + lfence
> + jmp SpecTrap1
> +Unroll2:
> + call StuffLoop
> +SpecTrap2:
> + pause
> + lfence
> + jmp SpecTrap2
> +StuffLoop:
> + dec Reg
> + jnz Unroll1
> + add StackPointer, RSB_STUFF_ENTRIES * Size ; Restore the stack
> pointer
> + ENDM
> +
> +;
> +; RSB stuffing macros for IA32 and X64
> +;
> +StuffRsb32 MACRO
> + StuffRsb eax, esp, 4
> + ENDM
> +
> +StuffRsb64 MACRO
> + StuffRsb rax, rsp, 8
> + ENDM
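Review bot: the comment `; @param 3: the size of a stack frame (IA32:4, X64:8)` describes the operand loosely; what the macro actually scales by is the size of one return address pushed by CALL, which is exactly what `add StackPointer, RSB_STUFF_ENTRIES * Size` unwinds at the end. Suggest wording it as "size of a return address pushed by CALL (IA32:4, X64:8)" and documenting the macro's contract in the same header comment: it clobbers Reg and the flags, and it needs RSB_STUFF_ENTRIES * Size bytes of valid stack below StackPointer during the CALL chain, since all 20h return addresses are pushed before the single `add` discards them. Minor style point: `RSB_STUFF_ENTRIES Equ 20h` writes `Equ` where the .asm files touched by this series use `EQU`.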
> diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.asm
> b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.asm
> index ac1a9b48dd..ea906d6434 100644
> --- a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.asm
> +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.asm
> @@ -1,5 +1,5 @@
> ;------------------------------------------------------------------------------ ;
> -; Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
> +; Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
> ; This program and the accompanying materials
> ; are licensed and made available under the terms and conditions of the BSD
> License
> ; which accompanies this distribution. The full text of the license may be
> found at
> @@ -22,6 +22,8 @@
> .model flat,C
> .xmm
>
> +INCLUDE StuffRsbAsm.inc
> +
> DSC_OFFSET EQU 0fb00h
> DSC_GDTPTR EQU 30h
> DSC_GDTSIZ EQU 38h
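Review bot: `INCLUDE StuffRsbAsm.inc` names the file with no path, while the commit message places it under UefiCpuPkg/Include/, so this assembles only if that directory is on the assembler's include search path for every module that pulls the file in. Worth stating in the description that PiSmmCpuDxeSmm already gets that path from the package it lists (the same bare INCLUDE is repeated in the other three .asm files), so a reader does not have to work out where the include path comes from.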
> @@ -169,6 +171,7 @@ _SmiHandler PROC
> call eax
> pop ecx
>
> + StuffRsb32
> rsm
> _SmiHandler ENDP
>
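Review bot: placing `StuffRsb32` after `pop ecx` and directly before `rsm` means the expansion clobbers eax and the flags; that is harmless here because nothing consumes them before RSM restores the saved state, but the macro's CALL chain also pushes 20h * 4 = 128 bytes below esp before the stack is restored, so the SMI handler's stack must have at least that much headroom at this point. Suggest a one-line comment at the call site noting both the clobber and the stack requirement, so that a later change inserting code between the macro and `rsm` does not silently rely on eax.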
> diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.asm
> b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.asm
> index 9ba2aebe69..a606bde749 100644
> --- a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.asm
> +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.asm
> @@ -1,5 +1,5 @@
> ;------------------------------------------------------------------------------ ;
> -; Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
> +; Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
> ; This program and the accompanying materials
> ; are licensed and made available under the terms and conditions of the BSD
> License
> ; which accompanies this distribution. The full text of the license may be
> found at
> @@ -22,6 +22,8 @@
> .xmm
> .model flat,C
>
> +INCLUDE StuffRsbAsm.inc
> +
> SmmInitHandler PROTO C
>
> EXTERNDEF C gSmmCr0:DWORD
> @@ -70,6 +72,7 @@ gSmmJmpAddr LABEL QWORD
> DB 0bch ; mov esp, imm32
> gSmmInitStack DD ?
> call SmmInitHandler
> + StuffRsb32
> rsm
> SmmStartup ENDP
>
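Review bot: esp here was just loaded from gSmmInitStack (`DB 0bch ; mov esp, imm32`), so the 128 bytes that `StuffRsb32` pushes below it come out of the SmmInit stack on top of whatever `call SmmInitHandler` already consumed and released. Please confirm in the description that the allocation behind gSmmInitStack accounts for this extra depth, and consider the same call-site comment suggested for SmiEntry.asm.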
> diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.asm
> b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.asm
> index 094cf2c3da..a4063cb0dc 100644
> --- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.asm
> +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.asm
> @@ -1,5 +1,5 @@
> ;------------------------------------------------------------------------------ ;
> -; Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
> +; Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
> ; This program and the accompanying materials
> ; are licensed and made available under the terms and conditions of the BSD
> License
> ; which accompanies this distribution. The full text of the license may be
> found at
> @@ -18,6 +18,8 @@
> ;
> ;-------------------------------------------------------------------------------
>
> +INCLUDE StuffRsbAsm.inc
> +
> ;
> ; Variables referenced by C code
> ;
> @@ -189,6 +191,7 @@ _SmiHandler:
> DB 48h ; FXRSTOR64
> fxrstor [rsp]
>
> + StuffRsb64
> rsm
>
> gcSmiHandlerSize DW $ - _SmiEntryPoint
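Review bot: `StuffRsb64` lands inside the region measured by `gcSmiHandlerSize DW $ - _SmiEntryPoint`, so the handler image that size describes grows by the macro expansion; that is the right place for it, and the sequence stays position-independent because every `call` and `jmp` in the macro is a relative near branch to a `local` label. Two points to confirm in the description: that the area the handler is copied into still has room for the larger gcSmiHandlerSize, and that 20h * 8 = 256 bytes below rsp are valid stack at this point, since the stuffing pushes there while the FXSAVE area restored by `fxrstor [rsp]` lives at and above rsp, so the two do not overlap.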
> diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.asm
> b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.asm
> index 9182f0293a..2301a208d6 100644
> --- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.asm
> +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.asm
> @@ -1,5 +1,5 @@
> ;------------------------------------------------------------------------------ ;
> -; Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
> +; Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
> ; This program and the accompanying materials
> ; are licensed and made available under the terms and conditions of the BSD
> License
> ; which accompanies this distribution. The full text of the license may be
> found at
> @@ -18,6 +18,8 @@
> ;
> ;-------------------------------------------------------------------------------
>
> +INCLUDE StuffRsbAsm.inc
> +
> EXTERNDEF SmmInitHandler:PROC
> EXTERNDEF gSmmCr0:DWORD
> EXTERNDEF gSmmCr3:DWORD
> @@ -88,6 +90,7 @@ gSmmInitStack DQ ?
> movdqa xmm4, [rsp + 40h]
> movdqa xmm5, [rsp + 50h]
>
> + StuffRsb64
> rsm
> SmmStartup ENDP
>
> --
> 2.12.0.windows.1
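The stuffing sequence the commit message describes, as an added user-mode C harness that is not part of Hao Wu's patch or of EDK II: it reproduces the StuffRsb macro's control flow in GCC inline assembly for x86-64 (the IA32 variant differs only in using esp and 4-byte return addresses) and checks the property a reviewer most wants confirmed, that the final `add StackPointer, RSB_STUFF_ENTRIES * Size` leaves the stack pointer exactly where it started. The function names, the 128-byte red-zone step (needed under the SysV user-mode ABI, not in the SMM handler) and the no-op fallback on non-x86 builds are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Mirrors RSB_STUFF_ENTRIES Equ 20h in the patch. */
#define RSB_STUFF_ENTRIES 32

/* Bytes of stack the CALL chain needs below the stack pointer before the
 * single 'add' discards them: RSB_STUFF_ENTRIES * Size in the macro
 * (Size is the width of one return address: 4 on IA32, 8 on X64). */
size_t rsb_stuff_stack_bytes(size_t ret_addr_size)
{
    return (size_t)RSB_STUFF_ENTRIES * ret_addr_size;
}

/* User-mode rendering of the StuffRsb macro (example code, not the patch's
 * StuffRsbAsm.inc). Each loop iteration issues two CALLs whose return
 * addresses point at spin traps; 16 iterations fill 32 RSB entries, then
 * the 32 pushed return addresses are dropped in one stack adjustment. */
static inline void stuff_rsb(void)
{
#if defined(__x86_64__)
    __asm__ __volatile__(
        /* Assumption for user mode only: step below the 128-byte SysV red
         * zone so the CALL pushes cannot clobber the caller's locals. */
        "lea -128(%%rsp), %%rsp\n\t"
        "mov $16, %%eax\n\t"      /* RSB_STUFF_ENTRIES / 2 iterations */
        "1:\n\t"                   /* Unroll1 */
        "call 2f\n\t"
        "3:\n\t"                   /* SpecTrap1: speculative RETs spin here */
        "pause\n\t"
        "lfence\n\t"
        "jmp 3b\n\t"
        "2:\n\t"                   /* Unroll2 */
        "call 4f\n\t"
        "5:\n\t"                   /* SpecTrap2 */
        "pause\n\t"
        "lfence\n\t"
        "jmp 5b\n\t"
        "4:\n\t"                   /* StuffLoop */
        "dec %%eax\n\t"
        "jnz 1b\n\t"
        /* Discard 32 * 8 = 256 bytes of return addresses and undo the
         * red-zone step (the macro's 'add StackPointer, 20h * 8'). */
        "lea 384(%%rsp), %%rsp\n\t"
        ::: "eax", "cc", "memory");
#endif
}

/* Reads the stack pointer; returns 0 on non-x86-64 builds (assumption). */
static uintptr_t read_sp(void)
{
    uintptr_t sp = 0;
#if defined(__x86_64__)
    __asm__ __volatile__("mov %%rsp, %0" : "=r"(sp));
#endif
    return sp;
}

/* 1 if the stack pointer is bit-for-bit identical before and after the
 * stuffing sequence, i.e. the unwind arithmetic matches the pushes. */
int stack_pointer_preserved(void)
{
    uintptr_t before = read_sp();
    stuff_rsb();
    uintptr_t after = read_sp();
    return before == after;
}

/* Returns x + 1 after stuffing; reaching the return at all shows that the
 * architectural RET path was untouched by the 32 unreturned CALLs. */
int stuff_then_return(int x)
{
    stuff_rsb();
    return x + 1;
}

int main(void)
{
    printf("stack headroom needed: IA32 %zu bytes, X64 %zu bytes\n",
           rsb_stuff_stack_bytes(4), rsb_stuff_stack_bytes(8));
    printf("stack pointer preserved: %d\n", stack_pointer_preserved());
    printf("stuff_then_return(41) = %d\n", stuff_then_return(41));
    return 0;
}
```

The two numeric results are the figures a reviewer should check against the call sites in the patch: 128 bytes of headroom below esp in the IA32 handlers and 256 below rsp in the X64 ones.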
Thread overview: 3+ messages
2018-11-16 1:37 [PATCH v1 0/1][UDK branches][CVE-2017-5715] Stuff RSB before RSM Hao Wu
2018-11-16 1:37 ` [PATCH v1 1/1] UefiCpuPkg: [CVE-2017-5715] " Hao Wu
2018-11-19 2:00 ` Dong, Eric [this message]