From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <bounce+27952+110845+7686176+12367111@groups.io>
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108])
	by spool.mail.gandi.net (Postfix) with ESMTPS id 3E91A740040
	for <rebecca@openfw.io>; Tue,  7 Nov 2023 12:01:15 +0000 (UTC)
DKIM-Signature: a=rsa-sha256; bh=W3SuVRnBfMm3hG6z/Yt1ng9PXQzaPiKBE8UoB+kwEI0=;
 c=relaxed/simple; d=groups.io;
 h=ARC-Seal:ARC-Message-Signature:ARC-Authentication-Results:From:To:CC:Subject:Thread-Topic:Thread-Index:Date:Message-ID:References:In-Reply-To:Accept-Language:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Language:Content-Type:Content-Transfer-Encoding;
 s=20140610; t=1699358473; v=1;
 b=N8RD6+2Ifu4N+s4VZiffjXE/baUy9Irus0gZcG3kin6JAzueNIhkmNTt5vtnzDidu5qFkpgW
 DkVE/vEztz/Rte/EHiaHoejKkLY63csm7U4t7XxS3sCFsC18WptSF1upLKRYlirbCYCjbXUKGDV
 A81pRHJq7fJk9pTABr0kKBnU=
X-Received: by 127.0.0.2 with SMTP id E3kuYY7687511x02jmovmMzA; Tue, 07 Nov 2023 04:01:13 -0800
X-Received: from mgamail.intel.com (mgamail.intel.com [192.55.52.136])
 by mx.groups.io with SMTP id smtpd.web11.8566.1699358472886387980
 for <devel@edk2.groups.io>;
 Tue, 07 Nov 2023 04:01:13 -0800
X-IronPort-AV: E=McAfee;i="6600,9927,10886"; a="368828964"
X-IronPort-AV: E=Sophos;i="6.03,283,1694761200"; 
   d="scan'208";a="368828964"
X-Received: from orsmga001.jf.intel.com ([10.7.209.18])
  by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 07 Nov 2023 04:01:12 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=McAfee;i="6600,9927,10886"; a="797656789"
X-IronPort-AV: E=Sophos;i="6.03,283,1694761200"; 
   d="scan'208";a="797656789"
X-Received: from orsmsx603.amr.corp.intel.com ([10.22.229.16])
  by orsmga001.jf.intel.com with ESMTP/TLS/AES256-GCM-SHA384; 07 Nov 2023 04:01:12 -0800
X-Received: from orsmsx611.amr.corp.intel.com (10.22.229.24) by
 ORSMSX603.amr.corp.intel.com (10.22.229.16) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2507.34; Tue, 7 Nov 2023 04:01:11 -0800
X-Received: from orsmsx610.amr.corp.intel.com (10.22.229.23) by
 ORSMSX611.amr.corp.intel.com (10.22.229.24) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2507.34; Tue, 7 Nov 2023 04:01:11 -0800
X-Received: from orsedg603.ED.cps.intel.com (10.7.248.4) by
 orsmsx610.amr.corp.intel.com (10.22.229.23) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2507.34 via Frontend Transport; Tue, 7 Nov 2023 04:01:11 -0800
X-Received: from NAM12-BN8-obe.outbound.protection.outlook.com (104.47.55.168)
 by edgegateway.intel.com (134.134.137.100) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.1.2507.34; Tue, 7 Nov 2023 04:01:10 -0800
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=ixQAv7T/DgHpM7nsrgPUxCQXR/756dnhq3H3pbSVUWJ7QsRPnpT9Exs9n6y+5lB6JPPFlhIwDikmmOgG5NA4JGNT0n3OmIaYTPsF3TWHY7klI+iyf3pkoSFjaIITHfAwf7NHllUoEi9Y8fTg2wPCsQLN7S8vi+hHEFlAaYTPTkamvhtEaN0jaRFL1qQRJa08MBAW1d2mUg3M2/ws+pJp/PNBKPwvW/q6X/AY3n2lvs19IBnhg8cyLCuud7xsmjrmNvqBl5wrw9FtB2kDvbt7Tsl/gOKXomH2ecp7df8kEwQi16iq4uNhyY7bSkHiFxy/zlUJy0UvjkWByuTiD/FqWg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=tatgWVC7Dxe15ZA0JqG9kslSlCXyeVV6/HN4KJtNqi8=;
 b=ZyH2Xc3gF/ajgcH270Jn+aAIr8CbqK3/LFCDoCHaETHdAMS7v7AXvL1C3ZreyobHfHI2sXJigOtpKbpdrNDtFApDfN/LY4OhQAlLfktRIHqhDov/NLUo6sLi9jJaEWvQzh+D0eJc0tdcVa8Lu4Rbueo47PREteQX/fvLTxMgEj3tTHuGfMHK8dn0yURQ19pmOEQ8thwVtYndgQSMMtPASMPxPMh4NGbEIIW5as83xVlva/y13pciJ+E+dI9FapH+Swzzygjtki5jUkvE9Ab2lYJVN3CzfmnNdDQuBKTnaS0sRGTRX48DVBWj79g5xN/asqZ4WdtuzOoJjNoRCFEmKA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com;
 dkim=pass header.d=intel.com; arc=none
X-Received: from MN0PR11MB6158.namprd11.prod.outlook.com (2603:10b6:208:3ca::18)
 by IA0PR11MB7839.namprd11.prod.outlook.com (2603:10b6:208:408::16) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6954.28; Tue, 7 Nov
 2023 12:01:07 +0000
X-Received: from MN0PR11MB6158.namprd11.prod.outlook.com
 ([fe80::6e7f:8903:fdc6:9833]) by MN0PR11MB6158.namprd11.prod.outlook.com
 ([fe80::6e7f:8903:fdc6:9833%7]) with mapi id 15.20.6954.021; Tue, 7 Nov 2023
 12:01:07 +0000
From: "Wu, Jiaxin" <jiaxin.wu@intel.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>, "Wu, Jiaxin"
	<jiaxin.wu@intel.com>, "Gao, Liming" <gaoliming@byosoft.com.cn>, "Kinney,
 Michael D" <michael.d.kinney@intel.com>
CC: "Dong, Eric" <eric.dong@intel.com>, "Ni, Ray" <ray.ni@intel.com>, "Zeng,
 Star" <star.zeng@intel.com>, Gerd Hoffmann <kraxel@redhat.com>, "Kumar, Rahul
 R" <rahul.r.kumar@intel.com>, Laszlo Ersek <lersek@redhat.com>
Subject: Re: [edk2-devel] [PATCH v4] UefiCpuPkg/PiSmmCpuDxeSmm: Fix CP Exception when CET enable
Thread-Topic: [edk2-devel] [PATCH v4] UefiCpuPkg/PiSmmCpuDxeSmm: Fix CP
 Exception when CET enable
Thread-Index: AQHaERk/CaSbXVMLFk+0C79yc6Xd47BulkQg
Date: Tue, 7 Nov 2023 12:01:07 +0000
Message-ID: <MN0PR11MB6158F9C450FDFF0105911A4BFEA9A@MN0PR11MB6158.namprd11.prod.outlook.com>
References: <179532CD4E894831.20624@groups.io>
In-Reply-To: <179532CD4E894831.20624@groups.io>
Accept-Language: zh-CN, en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: MN0PR11MB6158:EE_|IA0PR11MB7839:EE_
x-ms-office365-filtering-correlation-id: ea4ff32a-6a74-4fc3-d254-08dbdf8939a9
x-ld-processed: 46c98d88-e344-4ed4-8496-4ed7712e255d,ExtAddr
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam-message-info: WvFX3VL/KYB+hS379zmzyVtuLkj/1IpftmaE2A3OWq9mFAY+Zb8UOcSL2ZOq5Ks7xX6e25fpJjHUP27QnflnZaV1uSK/K9hgCjDVm7rrqpdb++twbMs7Z8owd6ZAsI8i9bT51/DhqZZHdqSVf/9tPApW0kpJsDivSv5QCkyPxekXwo9hTVTaW0bd+yK/iEN5cGtO0fQGydP77k/MndrMTMQVRiX2RVCYeBueDM+QG1QPhW3Afr9BgfbWWWL/Zma2lod9u+hM3FwH5RPavVp/eYpzv7Xt6WEMfO7M1YXuFmYaPMMzSNDcW4uudDQv0FOUtLnO35Jv5KoAB1P4O0oUJceFPx/Fslk1efH5TR0B6SQXGHUAjkxDIuJlUZvlbO+0jGjf+JFyn6JnlcI22Ryb/9VPpUPOOQOUTM/U6kRK5u8gBD7r0XtsBq+TU8HD/2+MYkcqDAOTxsk6hH2H6XpFluhrc5eoRmqCf8Oq7hF9HPnTFIjbr970J5Xc25c9BnUrv619Vr4eXdCqVEYDyc9fQBBGRQhEd8Ms4WIb5dlepjj52ZF229fz5sJSlDirM8PnozzOF7u5iWtqXsb9Sb80phNMgJr4JC6Qwrf9+ZNPiqqebeJHQ2lNar0KcUSjvzziFIQC9aAagGMYR9H2QQ88IA==
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?8lt5QIQu48iymPV+EeRQs1BIgxpdPbzEVnshA22eBEeNQlJmZtcrYZWqKozf?=
 =?us-ascii?Q?bmrBIyzuzuPNF92ksWLosIzcSzcxKTqmXqr0ykgyE4rka6gBwjwpQw6Y3JjE?=
 =?us-ascii?Q?hTcwDL2LUmIMikq4hE9CBtIctT49lh8udqlW7tzErOr+5yvqVe8cr4oNNpYz?=
 =?us-ascii?Q?paWaTgheOOM0AZIk7VoTDG/UDT9tAVbVhPBgu8JUlXxQA+85AzkgDQLNoqtT?=
 =?us-ascii?Q?0PF1/VCsL6/CqQUqXXfu9/X6tmSn3YJi16cp6DHvDj4TCy/u7De9/9t++Z32?=
 =?us-ascii?Q?df616RCfsD8+F+XXb7sbmY3kCWyuxYQfMQTPkvAvsZM6fgrM/ndaijckskCK?=
 =?us-ascii?Q?WDUSnGK6hQn835Kf/AZEUpSMpuiBWbtSyP0r4Arvx1zK/HoVL1NcAxIX8eMG?=
 =?us-ascii?Q?eFjQG9V0tXHc/QnI/QnUzwr+hykuse0pK2gGWgO5Qk1UT5yHIYGikK5nNpRm?=
 =?us-ascii?Q?Gq1ib/4QOykt3E/dB+afYtAA/qZ3+EUJQdxlPgm1GILEaFH0c9pu3cCo3sfr?=
 =?us-ascii?Q?DuKcFYjX2lTfKRkoYV+9E7oX1XT85ZUYlAmfsH9xXA1tV3emnhkzyj3emqas?=
 =?us-ascii?Q?IaWDaxdR1XA/FNA3xe+OnA3AYrUg00+eS30fQTJrs8j9leT1T4QQdSpM+xxD?=
 =?us-ascii?Q?wRWOIKPyWqFGDqjXFT+4gev0QLfVteyPc/cdOZqzNL1GaADlfkEAcLU0nsZj?=
 =?us-ascii?Q?5rZEuba0Xo/VC0flf8JZ/L8YUQ6SIa6vmUL5atuL3jcxiyJVkmIrvBn3NQ0H?=
 =?us-ascii?Q?fs5MGdyVi8oHnr40MH7Mz+9g7g0uljUVsRLCwgn9qUtG6ufZr8sI0VdNAzhP?=
 =?us-ascii?Q?wteKU3yrX4ip0BJSoDPoa/zK0miAQRPGzv6dLkdl/zgL10osmQ9rggd7q9QR?=
 =?us-ascii?Q?pln+aGEmGw1hWmD2YpVj8wEpT0c/w0H3OR8iRSu/41PF4m8NvLGKsqOUTa+S?=
 =?us-ascii?Q?mpspxQilEtk2uRdHLreoD22q4ATe6PtvV33ggdmVe5HeARKhKcXRA28ZdExq?=
 =?us-ascii?Q?OP+q/TqxyFMow1z+ft+8xDd34KN28X4TPlunZSgiTIMMVonei/kOgU2VQxpx?=
 =?us-ascii?Q?Iu620wRfcXuqK9q1KloKxr5s2dTRrVJ/TQTYX4rHLvPWCMvIZBrU3mbHSHsW?=
 =?us-ascii?Q?oqCnrRZUqSwu9aBxV5mA49O9Umg3b+9UXwiUx8Ifxd6NLFToS/mgIS3lQvBv?=
 =?us-ascii?Q?mr4FEkp5Krjc78LXsQKSEOnTV4LgkLfeg05cPQUX8sZ+nBztJflXx2kzcWwT?=
 =?us-ascii?Q?5/3iByNBooZnf18tSEjyhfjsTCbhfhBvYUUx/C6XMoVWlrSDYuPE3Dhvh1BF?=
 =?us-ascii?Q?2k/DFZ0zJzpcsFN49qa/lNC+MGti8kLFUf+uKHKRLPxm1d6zJONCNtpQH7Lq?=
 =?us-ascii?Q?IRC2EAscJXfv1HtmH+iEJ6O4c9ppP7vOwQYnpYodlKI7qAN1JwsC9rF9BCjW?=
 =?us-ascii?Q?++ftgWhQ+PHY0lcluIsU4B80ktmLhZ7eJCNHR0FWmXTeIvu/XBlaPN8UJthY?=
 =?us-ascii?Q?TcKMMUBTfllK3huQqQ0aznJZRFLKHkCAg+cv9GGww+I6W8dYkQQgp5QrsYIH?=
 =?us-ascii?Q?aDSJDenrVBZCNewykuZ7XaNIJKY4L0PDWeKLU63p?=
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MN0PR11MB6158.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: ea4ff32a-6a74-4fc3-d254-08dbdf8939a9
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Nov 2023 12:01:07.3693
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 3eG7eER9Mgn9UlAJwcsbzCUkNhTGrJf4wNtrMMZreowDvRFdpBLkfstFgRwpBV1Olfa7GJqAqKrUHtQSUmabxQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: IA0PR11MB7839
X-OriginatorOrg: intel.com
Precedence: Bulk
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,jiaxin.wu@intel.com
List-Unsubscribe-Post: List-Unsubscribe=One-Click
List-Unsubscribe: <https://edk2.groups.io/g/devel/leave/12367111/7686176/1913456212/plugh>
X-Gm-Message-State: b4dBsPPZqWBECd3azCxifR2Kx7686176AA=
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-GND-Status: LEGIT
Authentication-Results: spool.mail.gandi.net;
	dkim=pass header.d=groups.io header.s=20140610 header.b=N8RD6+2I;
	dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=intel.com (policy=none);
	spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io;
	arc=reject ("signature check failed: fail, {[1] = sig:microsoft.com:reject}")

Hi Ray & Laszlo,

Any more comments to this?

Thanks,
Jiaxin

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Wu,
> Jiaxin
> Sent: Tuesday, November 7, 2023 9:25 AM
> To: devel@edk2.groups.io
> Cc: Dong, Eric <eric.dong@intel.com>; Ni, Ray <ray.ni@intel.com>; Zeng, S=
tar
> <star.zeng@intel.com>; Gerd Hoffmann <kraxel@redhat.com>; Kumar, Rahul R
> <rahul.r.kumar@intel.com>; Laszlo Ersek <lersek@redhat.com>
> Subject: [edk2-devel] [PATCH v4] UefiCpuPkg/PiSmmCpuDxeSmm: Fix CP
> Exception when CET enable
>=20
> Root cause:
> 1. Before DisableReadonlyPageWriteProtect() is called, the return
> address (#1) is pushed in shadow stack.
> 2. CET is disabled.
> 3. DisableReadonlyPageWriteProtect() returns to #1.
> 4. Page table is modified.
> 5. EnableReadonlyPageWriteProtect() is called, but the return
> address (#2) is not pushed in shadow stack.
> 6. CET is enabled.
> 7. EnableReadonlyPageWriteProtect() returns to #2.
> #CP exception happens because the actual return address (#2)
> doesn't match the return address stored in shadow stack (#1).
>=20
> Analysis:
> Shadow stack will stop update after CET disable (DisableCet() in
> DisableReadOnlyPageWriteProtect), but normal smi stack will be
> continue updated with the function called and return
> (DisableReadOnlyPageWriteProtect & EnableReadOnlyPageWriteProtect),
> thus leading stack mismatch after CET re-enabled (EnableCet() in
> EnableReadOnlyPageWriteProtect).
>=20
> According SDM Vol 3, 6.15-Control Protection Exception:
> Normal smi stack and shadow stack must be matched when CET enable,
> otherwise CP Exception will happen, which is caused by a near RET
> instruction.
>=20
> CET is disabled in DisableCet(), while can be enabled in
> EnableCet(). This way won't cause the problem because they are
> implemented in a way that return address of DisableCet() is
> poped out from shadow stack (Incsspq performs a pop to increases
> the shadow stack) and EnableCet() doesn't use "RET" but "JMP" to
> return to caller. So calling EnableCet() and DisableCet() doesn't
> have the same issue as calling DisableReadonlyPageWriteProtect()
> and EnableReadonlyPageWriteProtect().
>=20
> With above root cause & analysis, define below 2 macros instead of
> functions for WP & CET operation:
> WRITE_UNPROTECT_RO_PAGES (Wp, Cet)
> WRITE_PROTECT_RO_PAGES (Wp, Cet)
> Because DisableCet() & EnableCet() must be in the same function
> to avoid shadow stack and normal SMI stack mismatch.
>=20
> Note: WRITE_UNPROTECT_RO_PAGES () must be called pair with
> WRITE_PROTECT_RO_PAGES () in same function.
>=20
> Cc: Eric Dong <eric.dong@intel.com>
> Cc: Ray Ni <ray.ni@intel.com>
> Cc: Zeng Star <star.zeng@intel.com>
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Cc: Rahul Kumar <rahul1.kumar@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Signed-off-by: Jiaxin Wu <jiaxin.wu@intel.com>
> ---
>  UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h         | 59
> +++++++++++++----
>  UefiCpuPkg/PiSmmCpuDxeSmm/SmmCpuMemoryManagement.c | 73
> +++++++++-------------
>  UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c             |  7 ++-
>  3 files changed, 81 insertions(+), 58 deletions(-)
>=20
> diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h
> b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h
> index 654935dc76..20ada465c2 100644
> --- a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h
> +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h
> @@ -1551,29 +1551,64 @@ VOID
>  SmmWaitForApArrival (
>    VOID
>    );
>=20
>  /**
> -  Disable Write Protect on pages marked as read-only if Cr0.Bits.WP is 1=
.
> +  Write unprotect read-only pages if Cr0.Bits.WP is 1.
> +
> +  @param[out]  WriteProtect      If Cr0.Bits.WP is enabled.
>=20
> -  @param[out]  WpEnabled      If Cr0.WP is enabled.
> -  @param[out]  CetEnabled     If CET is enabled.
>  **/
>  VOID
> -DisableReadOnlyPageWriteProtect (
> -  OUT BOOLEAN  *WpEnabled,
> -  OUT BOOLEAN  *CetEnabled
> +SmmWriteUnprotectReadOnlyPage (
> +  OUT BOOLEAN  *WriteProtect
>    );
>=20
>  /**
> -  Enable Write Protect on pages marked as read-only.
> +  Write protect read-only pages.
> +
> +  @param[in]  WriteProtect      If Cr0.Bits.WP should be enabled.
>=20
> -  @param[out]  WpEnabled      If Cr0.WP should be enabled.
> -  @param[out]  CetEnabled     If CET should be enabled.
>  **/
>  VOID
> -EnableReadOnlyPageWriteProtect (
> -  BOOLEAN  WpEnabled,
> -  BOOLEAN  CetEnabled
> +SmmWriteProtectReadOnlyPage (
> +  IN  BOOLEAN  WriteProtect
>    );
>=20
> +///
> +/// Define macros to encapsulate the write unprotect/protect
> +/// read-only pages.
> +/// Below pieces of logic are defined as macros and not functions
> +/// because "CET" feature disable & enable must be in the same
> +/// function to avoid shadow stack and normal SMI stack mismatch,
> +/// thus WRITE_UNPROTECT_RO_PAGES () must be called pair with
> +/// WRITE_PROTECT_RO_PAGES () in same function.
> +///
> +/// @param[in,out] Wp   A BOOLEAN variable local to the containing
> +///                     function, carrying write protection status from
> +///                     WRITE_UNPROTECT_RO_PAGES() to
> +///                     WRITE_PROTECT_RO_PAGES().
> +///
> +/// @param[in,out] Cet  A BOOLEAN variable local to the containing
> +///                     function, carrying control flow integrity
> +///                     enforcement status from
> +///                     WRITE_UNPROTECT_RO_PAGES() to
> +///                     WRITE_PROTECT_RO_PAGES().
> +///
> +#define WRITE_UNPROTECT_RO_PAGES(Wp, Cet) \
> +  do { \
> +    Cet =3D ((AsmReadCr4 () & CR4_CET_ENABLE) !=3D 0); \
> +    if (Cet) { \
> +      DisableCet (); \
> +    } \
> +    SmmWriteUnprotectReadOnlyPage (&Wp); \
> +  } while (FALSE)
> +
> +#define WRITE_PROTECT_RO_PAGES(Wp, Cet) \
> +  do { \
> +    SmmWriteProtectReadOnlyPage (Wp); \
> +    if (Cet) { \
> +      EnableCet (); \
> +    } \
> +  } while (FALSE)
> +
>  #endif
> diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/SmmCpuMemoryManagement.c
> b/UefiCpuPkg/PiSmmCpuDxeSmm/SmmCpuMemoryManagement.c
> index 6f49866615..3d445df213 100644
> --- a/UefiCpuPkg/PiSmmCpuDxeSmm/SmmCpuMemoryManagement.c
> +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/SmmCpuMemoryManagement.c
> @@ -39,64 +39,47 @@ PAGE_TABLE_POOL  *mPageTablePool =3D NULL;
>  // If memory used by SMM page table has been mareked as ReadOnly.
>  //
>  BOOLEAN  mIsReadOnlyPageTable =3D FALSE;
>=20
>  /**
> -  Disable Write Protect on pages marked as read-only if Cr0.Bits.WP is 1=
.
> +  Write unprotect read-only pages if Cr0.Bits.WP is 1.
> +
> +  @param[out]  WriteProtect      If Cr0.Bits.WP is enabled.
>=20
> -  @param[out]  WpEnabled      If Cr0.WP is enabled.
> -  @param[out]  CetEnabled     If CET is enabled.
>  **/
>  VOID
> -DisableReadOnlyPageWriteProtect (
> -  OUT BOOLEAN  *WpEnabled,
> -  OUT BOOLEAN  *CetEnabled
> +SmmWriteUnprotectReadOnlyPage (
> +  OUT BOOLEAN  *WriteProtect
>    )
>  {
>    IA32_CR0  Cr0;
>=20
> -  *CetEnabled =3D ((AsmReadCr4 () & CR4_CET_ENABLE) !=3D 0) ? TRUE : FAL=
SE;
> -  Cr0.UintN   =3D AsmReadCr0 ();
> -  *WpEnabled  =3D (Cr0.Bits.WP !=3D 0) ? TRUE : FALSE;
> -  if (*WpEnabled) {
> -    if (*CetEnabled) {
> -      //
> -      // CET must be disabled if WP is disabled. Disable CET before clea=
ring
> CR0.WP.
> -      //
> -      DisableCet ();
> -    }
> -
> +  Cr0.UintN     =3D AsmReadCr0 ();
> +  *WriteProtect =3D (Cr0.Bits.WP !=3D 0);
> +  if (*WriteProtect) {
>      Cr0.Bits.WP =3D 0;
>      AsmWriteCr0 (Cr0.UintN);
>    }
>  }
>=20
>  /**
> -  Enable Write Protect on pages marked as read-only.
> +  Write protect read-only pages.
> +
> +  @param[in]  WriteProtect      If Cr0.Bits.WP should be enabled.
>=20
> -  @param[out]  WpEnabled      If Cr0.WP should be enabled.
> -  @param[out]  CetEnabled     If CET should be enabled.
>  **/
>  VOID
> -EnableReadOnlyPageWriteProtect (
> -  BOOLEAN  WpEnabled,
> -  BOOLEAN  CetEnabled
> +SmmWriteProtectReadOnlyPage (
> +  IN  BOOLEAN  WriteProtect
>    )
>  {
>    IA32_CR0  Cr0;
>=20
> -  if (WpEnabled) {
> +  if (WriteProtect) {
>      Cr0.UintN   =3D AsmReadCr0 ();
>      Cr0.Bits.WP =3D 1;
>      AsmWriteCr0 (Cr0.UintN);
> -
> -    if (CetEnabled) {
> -      //
> -      // re-enable CET.
> -      //
> -      EnableCet ();
> -    }
>    }
>  }
>=20
>  /**
>    Initialize a buffer pool for page table use only.
> @@ -119,11 +102,11 @@ BOOLEAN
>  InitializePageTablePool (
>    IN UINTN  PoolPages
>    )
>  {
>    VOID     *Buffer;
> -  BOOLEAN  WpEnabled;
> +  BOOLEAN  WriteProtect;
>    BOOLEAN  CetEnabled;
>=20
>    //
>    // Always reserve at least PAGE_TABLE_POOL_UNIT_PAGES, including one
> page for
>    // header.
> @@ -157,13 +140,15 @@ InitializePageTablePool (
>=20
>    //
>    // If page table memory has been marked as RO, mark the new pool pages=
 as
> read-only.
>    //
>    if (mIsReadOnlyPageTable) {
> -    DisableReadOnlyPageWriteProtect (&WpEnabled, &CetEnabled);
> +    WRITE_UNPROTECT_RO_PAGES (WriteProtect, CetEnabled);
> +
>      SmmSetMemoryAttributes ((EFI_PHYSICAL_ADDRESS)(UINTN)Buffer,
> EFI_PAGES_TO_SIZE (PoolPages), EFI_MEMORY_RO);
> -    EnableReadOnlyPageWriteProtect (WpEnabled, CetEnabled);
> +
> +    WRITE_PROTECT_RO_PAGES (WriteProtect, CetEnabled);
>    }
>=20
>    return TRUE;
>  }
>=20
> @@ -1009,11 +994,11 @@ SetMemMapAttributes (
>    UINTN                                 PageTable;
>    EFI_STATUS                            Status;
>    IA32_MAP_ENTRY                        *Map;
>    UINTN                                 Count;
>    UINT64                                MemoryAttribute;
> -  BOOLEAN                               WpEnabled;
> +  BOOLEAN                               WriteProtect;
>    BOOLEAN                               CetEnabled;
>=20
>    SmmGetSystemConfigurationTable
> (&gEdkiiPiSmmMemoryAttributesTableGuid, (VOID
> **)&MemoryAttributesTable);
>    if (MemoryAttributesTable =3D=3D NULL) {
>      DEBUG ((DEBUG_INFO, "MemoryAttributesTable - NULL\n"));
> @@ -1055,11 +1040,11 @@ SetMemMapAttributes (
>      Status =3D PageTableParse (PageTable, mPagingMode, Map, &Count);
>    }
>=20
>    ASSERT_RETURN_ERROR (Status);
>=20
> -  DisableReadOnlyPageWriteProtect (&WpEnabled, &CetEnabled);
> +  WRITE_UNPROTECT_RO_PAGES (WriteProtect, CetEnabled);
>=20
>    MemoryMap =3D MemoryMapStart;
>    for (Index =3D 0; Index < MemoryMapEntryCount; Index++) {
>      DEBUG ((DEBUG_VERBOSE, "SetAttribute: Memory Entry - 0x%lx, 0x%x\n",
> MemoryMap->PhysicalStart, MemoryMap->NumberOfPages));
>      if (MemoryMap->Type =3D=3D EfiRuntimeServicesCode) {
> @@ -1085,11 +1070,12 @@ SetMemMapAttributes (
>        );
>=20
>      MemoryMap =3D NEXT_MEMORY_DESCRIPTOR (MemoryMap,
> DescriptorSize);
>    }
>=20
> -  EnableReadOnlyPageWriteProtect (WpEnabled, CetEnabled);
> +  WRITE_PROTECT_RO_PAGES (WriteProtect, CetEnabled);
> +
>    FreePool (Map);
>=20
>    PatchSmmSaveStateMap ();
>    PatchGdtIdtMap ();
>=20
> @@ -1392,18 +1378,18 @@ SetUefiMemMapAttributes (
>    EFI_STATUS             Status;
>    EFI_MEMORY_DESCRIPTOR  *MemoryMap;
>    UINTN                  MemoryMapEntryCount;
>    UINTN                  Index;
>    EFI_MEMORY_DESCRIPTOR  *Entry;
> -  BOOLEAN                WpEnabled;
> +  BOOLEAN                WriteProtect;
>    BOOLEAN                CetEnabled;
>=20
>    PERF_FUNCTION_BEGIN ();
>=20
>    DEBUG ((DEBUG_INFO, "SetUefiMemMapAttributes\n"));
>=20
> -  DisableReadOnlyPageWriteProtect (&WpEnabled, &CetEnabled);
> +  WRITE_UNPROTECT_RO_PAGES (WriteProtect, CetEnabled);
>=20
>    if (mUefiMemoryMap !=3D NULL) {
>      MemoryMapEntryCount =3D mUefiMemoryMapSize/mUefiDescriptorSize;
>      MemoryMap           =3D mUefiMemoryMap;
>      for (Index =3D 0; Index < MemoryMapEntryCount; Index++) {
> @@ -1479,11 +1465,11 @@ SetUefiMemMapAttributes (
>=20
>        Entry =3D NEXT_MEMORY_DESCRIPTOR (Entry,
> mUefiMemoryAttributesTable->DescriptorSize);
>      }
>    }
>=20
> -  EnableReadOnlyPageWriteProtect (WpEnabled, CetEnabled);
> +  WRITE_PROTECT_RO_PAGES (WriteProtect, CetEnabled);
>=20
>    //
>    // Do not free mUefiMemoryAttributesTable, it will be checked in
> IsSmmCommBufferForbiddenAddress().
>    //
>=20
> @@ -1870,11 +1856,11 @@ IfReadOnlyPageTableNeeded (
>  VOID
>  SetPageTableAttributes (
>    VOID
>    )
>  {
> -  BOOLEAN  WpEnabled;
> +  BOOLEAN  WriteProtect;
>    BOOLEAN  CetEnabled;
>=20
>    if (!IfReadOnlyPageTableNeeded ()) {
>      return;
>    }
> @@ -1884,20 +1870,21 @@ SetPageTableAttributes (
>=20
>    //
>    // Disable write protection, because we need mark page table to be wri=
te
> protected.
>    // We need *write* page table memory, to mark itself to be *read only*=
.
>    //
> -  DisableReadOnlyPageWriteProtect (&WpEnabled, &CetEnabled);
> +  WRITE_UNPROTECT_RO_PAGES (WriteProtect, CetEnabled);
>=20
>    // Set memory used by page table as Read Only.
>    DEBUG ((DEBUG_INFO, "Start...\n"));
>    EnablePageTableProtection ();
>=20
>    //
>    // Enable write protection, after page table attribute updated.
>    //
> -  EnableReadOnlyPageWriteProtect (TRUE, CetEnabled);
> +  WRITE_PROTECT_RO_PAGES (TRUE, CetEnabled);
> +
>    mIsReadOnlyPageTable =3D TRUE;
>=20
>    //
>    // Flush TLB after mark all page table pool as read only.
>    //
> diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c
> b/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c
> index 7ac3c66f91..8142d3ceac 100644
> --- a/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c
> +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c
> @@ -592,11 +592,11 @@ InitPaging (
>    UINT64         Base;
>    UINT64         Length;
>    UINT64         Limit;
>    UINT64         PreviousAddress;
>    UINT64         MemoryAttrMask;
> -  BOOLEAN        WpEnabled;
> +  BOOLEAN        WriteProtect;
>    BOOLEAN        CetEnabled;
>=20
>    PERF_FUNCTION_BEGIN ();
>=20
>    PageTable =3D AsmReadCr3 ();
> @@ -604,11 +604,12 @@ InitPaging (
>      Limit =3D BASE_4GB;
>    } else {
>      Limit =3D (IsRestrictedMemoryAccess ()) ? LShiftU64 (1,
> mPhysicalAddressBits) : BASE_4GB;
>    }
>=20
> -  DisableReadOnlyPageWriteProtect (&WpEnabled, &CetEnabled);
> +  WRITE_UNPROTECT_RO_PAGES (WriteProtect, CetEnabled);
> +
>    //
>    // [0, 4k] may be non-present.
>    //
>    PreviousAddress =3D ((PcdGet8 (PcdNullPointerDetectionPropertyMask) &
> BIT1) !=3D 0) ? BASE_4KB : 0;
>=20
> @@ -670,11 +671,11 @@ InitPaging (
>      //
>      Status =3D ConvertMemoryPageAttributes (PageTable, mPagingMode,
> PreviousAddress, Limit - PreviousAddress, MemoryAttrMask, TRUE, NULL);
>      ASSERT_RETURN_ERROR (Status);
>    }
>=20
> -  EnableReadOnlyPageWriteProtect (WpEnabled, CetEnabled);
> +  WRITE_PROTECT_RO_PAGES (WriteProtect, CetEnabled);
>=20
>    //
>    // Flush TLB
>    //
>    CpuFlushTlb ();
> --
> 2.16.2.windows.1
>=20
>=20
>=20
>=20
>=20



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#110845): https://edk2.groups.io/g/devel/message/110845
Mute This Topic: https://groups.io/mt/102434876/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-