From: "Ni, Ray"
To: "Wu, Jiaxin", "devel@edk2.groups.io"
CC: "Dong, Eric", "Zeng, Star", Gerd Hoffmann, "Kumar, Rahul R", Laszlo Ersek
Subject: Re: [edk2-devel] [PATCH v4] UefiCpuPkg/PiSmmCpuDxeSmm: Fix CP Exception when CET enable
Date: Thu, 9 Nov 2023 03:45:38 +0000
References: <20231107012445.7808-1-jiaxin.wu@intel.com>
In-Reply-To: <20231107012445.7808-1-jiaxin.wu@intel.com>

Reviewed-by: Ray Ni <ray.ni@intel.com>

Thanks,
Ray

From: Wu, Jiaxin <jiaxin.wu@intel.com>
Sent: Tuesday, November 7, 2023 9:24 AM
To: devel@edk2.groups.io <devel@edk2.groups.io>
Cc: Dong, Eric <eric.dong@intel.com>; Ni, Ray <ray.ni@intel.com>; Zeng, Star <star.zeng@intel.com>; Gerd Hoffmann <kraxel@redhat.com>; Kumar, Rahul R <rahul.r.kumar@intel.com>; Laszlo Ersek <lersek@redhat.com>
Subject: [PATCH v4] UefiCpuPkg/PiSmmCpuDxeSmm: Fix CP Exception when CET enable
 
Root cause:
1. Before DisableReadonlyPageWriteProtect() is called, the return
address (#1) is pushed onto the shadow stack.
2. CET is disabled.
3. DisableReadonlyPageWriteProtect() returns to #1.
4. The page table is modified.
5. EnableReadonlyPageWriteProtect() is called, but the return
address (#2) is not pushed onto the shadow stack.
6. CET is enabled.
7. EnableReadonlyPageWriteProtect() returns to #2.
A #CP exception happens because the actual return address (#2)
doesn't match the return address stored in the shadow stack (#1).

Analysis:
The shadow stack stops being updated after CET is disabled (DisableCet()
in DisableReadOnlyPageWriteProtect), but the normal SMI stack continues
to be updated as functions are called and return
(DisableReadOnlyPageWriteProtect & EnableReadOnlyPageWriteProtect),
leading to a stack mismatch after CET is re-enabled (EnableCet() in
EnableReadOnlyPageWriteProtect).

According to SDM Vol 3, 6.15-Control Protection Exception:
The normal SMI stack and the shadow stack must match when CET is enabled,
otherwise a CP Exception will happen, which is caused by a near RET
instruction.

CET is disabled in DisableCet() and can be enabled in
EnableCet(). This does not cause the problem because they are
implemented in such a way that the return address of DisableCet() is
popped from the shadow stack (Incsspq performs a pop to increase
the shadow stack) and EnableCet() doesn't use "RET" but "JMP" to
return to the caller. So calling EnableCet() and DisableCet() doesn't
have the same issue as calling DisableReadonlyPageWriteProtect()
and EnableReadonlyPageWriteProtect().

With the above root cause & analysis, define the 2 macros below instead
of functions for the WP & CET operations:
WRITE_UNPROTECT_RO_PAGES (Wp, Cet)
WRITE_PROTECT_RO_PAGES (Wp, Cet)
This is because DisableCet() & EnableCet() must be in the same function
to avoid a shadow stack and normal SMI stack mismatch.

Note: WRITE_UNPROTECT_RO_PAGES () must be called as a pair with
WRITE_PROTECT_RO_PAGES () in the same function.

Cc: Eric Dong <eric.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Zeng Star <star.zeng@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Jiaxin Wu <jiaxin.wu@intel.com>
---
 UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h         | 59 +++++++++++++----
 UefiCpuPkg/PiSmmCpuDxeSmm/SmmCpuMemoryManagement.c | 73 +++++++++-------------
 UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c             |  7 ++-
 3 files changed, 81 insertions(+), 58 deletions(-)

diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h b/UefiCpuPkg/PiSmmC= puDxeSmm/PiSmmCpuDxeSmm.h
index 654935dc76..20ada465c2 100644
--- a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h
+++ b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h
@@ -1551,29 +1551,64 @@ VOID
 SmmWaitForApArrival (
   VOID
   );
 
 /**
-  Disable Write Protect on pages marked as read-only if Cr0.Bits.WP i= s 1.
+  Write unprotect read-only pages if Cr0.Bits.WP is 1.
+
+  @param[out]  WriteProtect      If Cr0= .Bits.WP is enabled.
 
-  @param[out]  WpEnabled      If Cr0.WP= is enabled.
-  @param[out]  CetEnabled     If CET is enab= led.
 **/
 VOID
-DisableReadOnlyPageWriteProtect (
-  OUT BOOLEAN  *WpEnabled,
-  OUT BOOLEAN  *CetEnabled
+SmmWriteUnprotectReadOnlyPage (
+  OUT BOOLEAN  *WriteProtect
   );
 
 /**
-  Enable Write Protect on pages marked as read-only.
+  Write protect read-only pages.
+
+  @param[in]  WriteProtect      If Cr0.= Bits.WP should be enabled.
 
-  @param[out]  WpEnabled      If Cr0.WP= should be enabled.
-  @param[out]  CetEnabled     If CET should = be enabled.
 **/
 VOID
-EnableReadOnlyPageWriteProtect (
-  BOOLEAN  WpEnabled,
-  BOOLEAN  CetEnabled
+SmmWriteProtectReadOnlyPage (
+  IN  BOOLEAN  WriteProtect
   );
 
+///
+/// Define macros to encapsulate the write unprotect/protect
+/// read-only pages.
+/// Below pieces of logic are defined as macros and not functions
+/// because "CET" feature disable & enable must be in the sa= me
+/// function to avoid shadow stack and normal SMI stack mismatch,
+/// thus WRITE_UNPROTECT_RO_PAGES () must be called pair with
+/// WRITE_PROTECT_RO_PAGES () in same function.
+///
+/// @param[in,out] Wp   A BOOLEAN variable local to the containi= ng
+///            = ;         function, carrying write = protection status from
+///            = ;         WRITE_UNPROTECT_RO_PAGES(= ) to
+///            = ;         WRITE_PROTECT_RO_PAGES().=
+///
+/// @param[in,out] Cet  A BOOLEAN variable local to the containing +///            = ;         function, carrying contro= l flow integrity
+///            = ;         enforcement status from +///            = ;         WRITE_UNPROTECT_RO_PAGES(= ) to
+///            = ;         WRITE_PROTECT_RO_PAGES().=
+///
+#define WRITE_UNPROTECT_RO_PAGES(Wp, Cet) \
+  do { \
+    Cet =3D ((AsmReadCr4 () & CR4_CET_ENABLE) !=3D 0); = \
+    if (Cet) { \
+      DisableCet (); \
+    } \
+    SmmWriteUnprotectReadOnlyPage (&Wp); \
+  } while (FALSE)
+
+#define WRITE_PROTECT_RO_PAGES(Wp, Cet) \
+  do { \
+    SmmWriteProtectReadOnlyPage (Wp); \
+    if (Cet) { \
+      EnableCet (); \
+    } \
+  } while (FALSE)
+
 #endif
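Review bot: the comment above WRITE_UNPROTECT_RO_PAGES requires the pair to sit in the same function, but it does not say that no `return` or `goto` may leave the function between the two macros; such an exit would skip WRITE_PROTECT_RO_PAGES and leave CR0.WP cleared and CET disabled. Please add that to the comment. Two smaller points in the same block: `Wp` and `Cet` are documented as `@param[in,out]` for both macros although WRITE_PROTECT_RO_PAGES only reads them, and WRITE_UNPROTECT_RO_PAGES needs real variables (it assigns to `Cet` and takes the address of `Wp`) while WRITE_PROTECT_RO_PAGES does not, which is worth stating so callers know a constant is only valid in the second macro.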
diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/SmmCpuMemoryManagement.c b/UefiCpuPk= g/PiSmmCpuDxeSmm/SmmCpuMemoryManagement.c
index 6f49866615..3d445df213 100644
--- a/UefiCpuPkg/PiSmmCpuDxeSmm/SmmCpuMemoryManagement.c
+++ b/UefiCpuPkg/PiSmmCpuDxeSmm/SmmCpuMemoryManagement.c
@@ -39,64 +39,47 @@ PAGE_TABLE_POOL  *mPageTablePool =3D NULL;
 // If memory used by SMM page table has been mareked as ReadOnly.
 //
 BOOLEAN  mIsReadOnlyPageTable =3D FALSE;
 
 /**
-  Disable Write Protect on pages marked as read-only if Cr0.Bits.WP i= s 1.
+  Write unprotect read-only pages if Cr0.Bits.WP is 1.
+
+  @param[out]  WriteProtect      If Cr0= .Bits.WP is enabled.
 
-  @param[out]  WpEnabled      If Cr0.WP= is enabled.
-  @param[out]  CetEnabled     If CET is enab= led.
 **/
 VOID
-DisableReadOnlyPageWriteProtect (
-  OUT BOOLEAN  *WpEnabled,
-  OUT BOOLEAN  *CetEnabled
+SmmWriteUnprotectReadOnlyPage (
+  OUT BOOLEAN  *WriteProtect
   )
 {
   IA32_CR0  Cr0;
 
-  *CetEnabled =3D ((AsmReadCr4 () & CR4_CET_ENABLE) !=3D 0) ? TRU= E : FALSE;
-  Cr0.UintN   =3D AsmReadCr0 ();
-  *WpEnabled  =3D (Cr0.Bits.WP !=3D 0) ? TRUE : FALSE;
-  if (*WpEnabled) {
-    if (*CetEnabled) {
-      //
-      // CET must be disabled if WP is disabled. = Disable CET before clearing CR0.WP.
-      //
-      DisableCet ();
-    }
-
+  Cr0.UintN     =3D AsmReadCr0 ();
+  *WriteProtect =3D (Cr0.Bits.WP !=3D 0);
+  if (*WriteProtect) {
     Cr0.Bits.WP =3D 0;
     AsmWriteCr0 (Cr0.UintN);
   }
 }
 
 /**
-  Enable Write Protect on pages marked as read-only.
+  Write protect read-only pages.
+
+  @param[in]  WriteProtect      If Cr0.= Bits.WP should be enabled.
 
-  @param[out]  WpEnabled      If Cr0.WP= should be enabled.
-  @param[out]  CetEnabled     If CET should = be enabled.
 **/
 VOID
-EnableReadOnlyPageWriteProtect (
-  BOOLEAN  WpEnabled,
-  BOOLEAN  CetEnabled
+SmmWriteProtectReadOnlyPage (
+  IN  BOOLEAN  WriteProtect
   )
 {
   IA32_CR0  Cr0;
 
-  if (WpEnabled) {
+  if (WriteProtect) {
     Cr0.UintN   =3D AsmReadCr0 ();
     Cr0.Bits.WP =3D 1;
     AsmWriteCr0 (Cr0.UintN);
-
-    if (CetEnabled) {
-      //
-      // re-enable CET.
-      //
-      EnableCet ();
-    }
   }
 }
 
 /**
   Initialize a buffer pool for page table use only.
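Review bot: SmmWriteUnprotectReadOnlyPage() now clears CR0.WP without looking at CET, and the removed comment ("CET must be disabled if WP is disabled. Disable CET before clearing CR0.WP.") has no replacement. The constraint still holds, so the function header should say that this function is meant to be reached through WRITE_UNPROTECT_RO_PAGES, which calls DisableCet() first, and must not be called directly while CR4.CET is set. The same applies to SmmWriteProtectReadOnlyPage(): its comment could note that re-enabling CET is left to WRITE_PROTECT_RO_PAGES, after CR0.WP has been set again.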
@@ -119,11 +102,11 @@ BOOLEAN
 InitializePageTablePool (
   IN UINTN  PoolPages
   )
 {
   VOID     *Buffer;
-  BOOLEAN  WpEnabled;
+  BOOLEAN  WriteProtect;
   BOOLEAN  CetEnabled;
 
   //
   // Always reserve at least PAGE_TABLE_POOL_UNIT_PAGES, includi= ng one page for
   // header.
@@ -157,13 +140,15 @@ InitializePageTablePool (
 
   //
   // If page table memory has been marked as RO, mark the new po= ol pages as read-only.
   //
   if (mIsReadOnlyPageTable) {
-    DisableReadOnlyPageWriteProtect (&WpEnabled, &C= etEnabled);
+    WRITE_UNPROTECT_RO_PAGES (WriteProtect, CetEnabled); +
     SmmSetMemoryAttributes ((EFI_PHYSICAL_ADDRESS)(UIN= TN)Buffer, EFI_PAGES_TO_SIZE (PoolPages), EFI_MEMORY_RO);
-    EnableReadOnlyPageWriteProtect (WpEnabled, CetEnabled);=
+
+    WRITE_PROTECT_RO_PAGES (WriteProtect, CetEnabled);
   }
 
   return TRUE;
 }
 
@@ -1009,11 +994,11 @@ SetMemMapAttributes (
   UINTN         &nb= sp;            =            PageTable;
   EFI_STATUS        &nbs= p;            &= nbsp;      Status;
   IA32_MAP_ENTRY        =             &nb= sp;   *Map;
   UINTN         &nb= sp;            =            Count;
   UINT64         &n= bsp;            = ;          MemoryAttribute; -  BOOLEAN          =             &nb= sp;        WpEnabled;
+  BOOLEAN          =             &nb= sp;        WriteProtect;
   BOOLEAN         &= nbsp;           &nbs= p;         CetEnabled;
 
   SmmGetSystemConfigurationTable (&gEdkiiPiSmmMemoryAttribut= esTableGuid, (VOID **)&MemoryAttributesTable);
   if (MemoryAttributesTable =3D=3D NULL) {
     DEBUG ((DEBUG_INFO, "MemoryAttributesTable - = NULL\n"));
@@ -1055,11 +1040,11 @@ SetMemMapAttributes (
     Status =3D PageTableParse (PageTable, mPagingMode,= Map, &Count);
   }
 
   ASSERT_RETURN_ERROR (Status);
 
-  DisableReadOnlyPageWriteProtect (&WpEnabled, &CetEnabled);<= br> +  WRITE_UNPROTECT_RO_PAGES (WriteProtect, CetEnabled);
 
   MemoryMap =3D MemoryMapStart;
   for (Index =3D 0; Index < MemoryMapEntryCount; Index++) {      DEBUG ((DEBUG_VERBOSE, "SetAttribute: Memory = Entry - 0x%lx, 0x%x\n", MemoryMap->PhysicalStart, MemoryMap->Num= berOfPages));
     if (MemoryMap->Type =3D=3D EfiRuntimeServicesCo= de) {
@@ -1085,11 +1070,12 @@ SetMemMapAttributes (
       );
 
     MemoryMap =3D NEXT_MEMORY_DESCRIPTOR (MemoryMap, D= escriptorSize);
   }
 
-  EnableReadOnlyPageWriteProtect (WpEnabled, CetEnabled);
+  WRITE_PROTECT_RO_PAGES (WriteProtect, CetEnabled);
+
   FreePool (Map);
 
   PatchSmmSaveStateMap ();
   PatchGdtIdtMap ();
 
@@ -1392,18 +1378,18 @@ SetUefiMemMapAttributes (
   EFI_STATUS        &nbs= p;    Status;
   EFI_MEMORY_DESCRIPTOR  *MemoryMap;
   UINTN         &nb= sp;        MemoryMapEntryCount;
   UINTN         &nb= sp;        Index;
   EFI_MEMORY_DESCRIPTOR  *Entry;
-  BOOLEAN          =       WpEnabled;
+  BOOLEAN          =       WriteProtect;
   BOOLEAN         &= nbsp;      CetEnabled;
 
   PERF_FUNCTION_BEGIN ();
 
   DEBUG ((DEBUG_INFO, "SetUefiMemMapAttributes\n"));  
-  DisableReadOnlyPageWriteProtect (&WpEnabled, &CetEnabled);<= br> +  WRITE_UNPROTECT_RO_PAGES (WriteProtect, CetEnabled);
 
   if (mUefiMemoryMap !=3D NULL) {
     MemoryMapEntryCount =3D mUefiMemoryMapSize/mUefiDe= scriptorSize;
     MemoryMap       = ;    =3D mUefiMemoryMap;
     for (Index =3D 0; Index < MemoryMapEntryCount; = Index++) {
@@ -1479,11 +1465,11 @@ SetUefiMemMapAttributes (
 
       Entry =3D NEXT_MEMORY_DESCRIPTOR (Entr= y, mUefiMemoryAttributesTable->DescriptorSize);
     }
   }
 
-  EnableReadOnlyPageWriteProtect (WpEnabled, CetEnabled);
+  WRITE_PROTECT_RO_PAGES (WriteProtect, CetEnabled);
 
   //
   // Do not free mUefiMemoryAttributesTable, it will be checked = in IsSmmCommBufferForbiddenAddress().
   //
 
@@ -1870,11 +1856,11 @@ IfReadOnlyPageTableNeeded (
 VOID
 SetPageTableAttributes (
   VOID
   )
 {
-  BOOLEAN  WpEnabled;
+  BOOLEAN  WriteProtect;
   BOOLEAN  CetEnabled;
 
   if (!IfReadOnlyPageTableNeeded ()) {
     return;
   }
@@ -1884,20 +1870,21 @@ SetPageTableAttributes (
 
   //
   // Disable write protection, because we need mark page table t= o be write protected.
   // We need *write* page table memory, to mark itself to be *re= ad only*.
   //
-  DisableReadOnlyPageWriteProtect (&WpEnabled, &CetEnabled);<= br> +  WRITE_UNPROTECT_RO_PAGES (WriteProtect, CetEnabled);
 
   // Set memory used by page table as Read Only.
   DEBUG ((DEBUG_INFO, "Start...\n"));
   EnablePageTableProtection ();
 
   //
   // Enable write protection, after page table attribute updated= .
   //
-  EnableReadOnlyPageWriteProtect (TRUE, CetEnabled);
+  WRITE_PROTECT_RO_PAGES (TRUE, CetEnabled);
+
   mIsReadOnlyPageTable =3D TRUE;
 
   //
   // Flush TLB after mark all page table pool as read only.
   //
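Review bot: in SetPageTableAttributes the restore is WRITE_PROTECT_RO_PAGES (TRUE, CetEnabled), so WriteProtect is written by WRITE_UNPROTECT_RO_PAGES and never read afterwards. Depending on how the macro expands, that can surface as a set-but-unused warning on some toolchains. The existing comment above the call could also say explicitly that write protection is forced on here regardless of its earlier state, since the literal TRUE is easy to misread as a leftover.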
diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c b/UefiCpuPkg/PiSmmCpuDx= eSmm/SmmProfile.c
index 7ac3c66f91..8142d3ceac 100644
--- a/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c
+++ b/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c
@@ -592,11 +592,11 @@ InitPaging (
   UINT64         Base;    UINT64         Length;=
   UINT64         Limit;<= br>    UINT64         Previou= sAddress;
   UINT64         MemoryA= ttrMask;
-  BOOLEAN        WpEnabled;
+  BOOLEAN        WriteProtect;
   BOOLEAN        CetEnabled;<= br>  
   PERF_FUNCTION_BEGIN ();
 
   PageTable =3D AsmReadCr3 ();
@@ -604,11 +604,12 @@ InitPaging (
     Limit =3D BASE_4GB;
   } else {
     Limit =3D (IsRestrictedMemoryAccess ()) ? LShiftU6= 4 (1, mPhysicalAddressBits) : BASE_4GB;
   }
 
-  DisableReadOnlyPageWriteProtect (&WpEnabled, &CetEnabled);<= br> +  WRITE_UNPROTECT_RO_PAGES (WriteProtect, CetEnabled);
+
   //
   // [0, 4k] may be non-present.
   //
   PreviousAddress =3D ((PcdGet8 (PcdNullPointerDetectionProperty= Mask) & BIT1) !=3D 0) ? BASE_4KB : 0;
 
@@ -670,11 +671,11 @@ InitPaging (
     //
     Status =3D ConvertMemoryPageAttributes (PageTable,= mPagingMode, PreviousAddress, Limit - PreviousAddress, MemoryAttrMask, TRU= E, NULL);
     ASSERT_RETURN_ERROR (Status);
   }
 
-  EnableReadOnlyPageWriteProtect (WpEnabled, CetEnabled);
+  WRITE_PROTECT_RO_PAGES (WriteProtect, CetEnabled);
 
   //
   // Flush TLB
   //
   CpuFlushTlb ();
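Review bot: ASSERT_RETURN_ERROR (Status) on the ConvertMemoryPageAttributes result is evaluated while read-only pages are still unprotected, and WRITE_PROTECT_RO_PAGES is only reached after it. Where asserts are compiled out, a failed conversion passes unnoticed and the function carries on to the TLB flush; consider handling the error status explicitly once WRITE_PROTECT_RO_PAGES has run rather than relying on the assert alone.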
--
2.16.2.windows.1

--_000_MN6PR11MB82441D340EC0A34AA9A61D2B8CAFAMN6PR11MB8244namp_--