From: "Dong, Eric"
To: "Wu, Hao A", "edk2-devel@lists.01.org"
CC: "Yao, Jiewen", Laszlo Ersek, "Kinney, Michael D"
Subject: Re: [PATCH v1 1/1] UefiCpuPkg: [CVE-2017-5715] Stuff RSB before RSM
Date: Mon, 19 Nov 2018 02:00:05 +0000
References: <20181116013710.33800-1-hao.a.wu@intel.com> <20181116013710.33800-2-hao.a.wu@intel.com>
In-Reply-To: <20181116013710.33800-2-hao.a.wu@intel.com>

Reviewed-by: Eric Dong

> -----Original Message-----
> From: Wu, Hao A
> Sent: Friday, November 16, 2018 9:37 AM
> To: edk2-devel@lists.01.org
> Cc: Wu, Hao A; Yao, Jiewen; Laszlo Ersek; Kinney, Michael D; Dong, Eric
> Subject: [PATCH v1 1/1] UefiCpuPkg: [CVE-2017-5715] Stuff RSB before RSM
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1093
>
> Return Stack Buffer (RSB) is used to predict the target of RET
> instructions. When the RSB underflows, some processors may fall back to
> using branch predictors. This might impact software using the retpoline
> mitigation strategy on those processors.
>
> This commit will add RSB stuffing logic before returning from SMM (the RSM
> instruction) to avoid interfering with non-SMM usage of the retpoline
> technique.
>
> After the stuffing, RSB entries will contain a trap like:
>
> SpecTrap:
>   pause
>   lfence
>   jmp SpecTrap
>
> A more detailed explanation of the purpose of the commit is under the
> 'Branch target injection mitigation' section of the below link:
> https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation
>
> This commit introduces a .INC file that contains the RSB logic and it can
> be included by .ASM files. This file is placed at directory
> 'UefiCpuPkg/Include/'.
>
> Cc: Jiewen Yao
> Cc: Laszlo Ersek
> Cc: Michael D Kinney
> Cc: Eric Dong
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Hao Wu
> ---
>  UefiCpuPkg/Include/StuffRsbAsm.inc          | 60 ++++++++++++++++++++
>  UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.asm |  5 +-
>  UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.asm  |  5 +-
>  UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.asm  |  5 +-
>  UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.asm   |  5 +-
>  5 files changed, 76 insertions(+), 4 deletions(-)
>
> diff --git a/UefiCpuPkg/Include/StuffRsbAsm.inc b/UefiCpuPkg/Include/StuffRsbAsm.inc
> new file mode 100644
> index 0000000000..daaaaf36ad
> --- /dev/null
> +++ b/UefiCpuPkg/Include/StuffRsbAsm.inc
> @@ -0,0 +1,60 @@ > +;-----------------------------------------------------------------------= ------- ; > +; Copyright (c) 2018, Intel Corporation. All rights reserved.
> +; This program and the accompanying materials > +; are licensed and made available under the terms and conditions of the = BSD > License > +; which accompanies this distribution. The full text of the license may= be > found at > +; http://opensource.org/licenses/bsd-license.php. > +; > +; THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" > BASIS, > +; WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER > EXPRESS OR IMPLIED. > +; > +; Module Name: > +; > +; StuffRsbAsm.inc > +; > +; Abstract: > +; > +; This file provides macro definitions for stuffing the Return Stack B= uffer > (RSB) > +; for .ASM files. > +; > +;-----------------------------------------------------------------------= -------- > + > +RSB_STUFF_ENTRIES Equ 20h > + > +; > +; parameters: > +; @param 1: register to use as counter (e.g. IA32:eax, X64:rax) > +; @param 2: stack pointer to restore (IA32:esp, X64:rsp) > +; @param 3: the size of a stack frame (IA32:4, X64:8) > +; > +StuffRsb MACRO Reg, StackPointer, Size > + local Unroll1, Unroll2, SpecTrap1, SpecTrap2, StuffLoop > + mov Reg, RSB_STUFF_ENTRIES / 2 > +Unroll1: > + call Unroll2 > +SpecTrap1: > + pause > + lfence > + jmp SpecTrap1 > +Unroll2: > + call StuffLoop > +SpecTrap2: > + pause > + lfence > + jmp SpecTrap2 > +StuffLoop: > + dec Reg > + jnz Unroll1 > + add StackPointer, RSB_STUFF_ENTRIES * Size ; Restore th= e stack > pointer > + ENDM > + > +; > +; RSB stuffing macros for IA32 and X64 > +; > +StuffRsb32 MACRO > + StuffRsb eax, esp, 4 > + ENDM > + > +StuffRsb64 MACRO > + StuffRsb rax, rsp, 8 > + ENDM > diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.asm > b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.asm > index ac1a9b48dd..ea906d6434 100644 > --- a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.asm > +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.asm > @@ -1,5 +1,5 @@ > ;-----------------------------------------------------------------------= ------- ; > -; Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.
> +; Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
> ; This program and the accompanying materials > ; are licensed and made available under the terms and conditions of the = BSD > License > ; which accompanies this distribution. The full text of the license may= be > found at > @@ -22,6 +22,8 @@ > .model flat,C > .xmm >=20 > +INCLUDE StuffRsbAsm.inc > + > DSC_OFFSET EQU 0fb00h > DSC_GDTPTR EQU 30h > DSC_GDTSIZ EQU 38h > @@ -169,6 +171,7 @@ _SmiHandler PROC > call eax > pop ecx >=20 > + StuffRsb32 > rsm > _SmiHandler ENDP >=20 > diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.asm > b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.asm > index 9ba2aebe69..a606bde749 100644 > --- a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.asm > +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.asm > @@ -1,5 +1,5 @@ > ;-----------------------------------------------------------------------= ------- ; > -; Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.
> +; Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
> ; This program and the accompanying materials > ; are licensed and made available under the terms and conditions of the = BSD > License > ; which accompanies this distribution. The full text of the license may= be > found at > @@ -22,6 +22,8 @@ > .xmm > .model flat,C >=20 > +INCLUDE StuffRsbAsm.inc > + > SmmInitHandler PROTO C >=20 > EXTERNDEF C gSmmCr0:DWORD > @@ -70,6 +72,7 @@ gSmmJmpAddr LABEL QWORD > DB 0bch ; mov esp, imm32 > gSmmInitStack DD ? > call SmmInitHandler > + StuffRsb32 > rsm > SmmStartup ENDP >=20 > diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.asm > b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.asm > index 094cf2c3da..a4063cb0dc 100644 > --- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.asm > +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.asm > @@ -1,5 +1,5 @@ > ;-----------------------------------------------------------------------= ------- ; > -; Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.
> +; Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
> ; This program and the accompanying materials > ; are licensed and made available under the terms and conditions of the = BSD > License > ; which accompanies this distribution. The full text of the license may= be > found at > @@ -18,6 +18,8 @@ > ; > ;-----------------------------------------------------------------------= -------- >=20 > +INCLUDE StuffRsbAsm.inc > + > ; > ; Variables referenced by C code > ; > @@ -189,6 +191,7 @@ _SmiHandler: > DB 48h ; FXRSTOR64 > fxrstor [rsp] >=20 > + StuffRsb64 > rsm >=20 > gcSmiHandlerSize DW $ - _SmiEntryPoint > diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.asm > b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.asm > index 9182f0293a..2301a208d6 100644 > --- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.asm > +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.asm > @@ -1,5 +1,5 @@ > ;-----------------------------------------------------------------------= ------- ; > -; Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.
> +; Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
> ; This program and the accompanying materials > ; are licensed and made available under the terms and conditions of the = BSD > License > ; which accompanies this distribution. The full text of the license may= be > found at > @@ -18,6 +18,8 @@ > ; > ;-----------------------------------------------------------------------= -------- >=20 > +INCLUDE StuffRsbAsm.inc > + > EXTERNDEF SmmInitHandler:PROC > EXTERNDEF gSmmCr0:DWORD > EXTERNDEF gSmmCr3:DWORD > @@ -88,6 +90,7 @@ gSmmInitStack DQ ? > movdqa xmm4, [rsp + 40h] > movdqa xmm5, [rsp + 50h] >=20 > + StuffRsb64 > rsm > SmmStartup ENDP >=20 > -- > 2.12.0.windows.1