Re: [PATCH v5 1/9] MdeModulePkg: Add new PCD to control the evacuate temporary memory feature (CVE-2019-11098)

public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed

From: "Wang, Jian J" <jian.j.wang@intel.com>
To: "Jiang, Guomin" <guomin.jiang@intel.com>,
	"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: "Wu, Hao A" <hao.a.wu@intel.com>, Laszlo Ersek <lersek@redhat.com>
Subject: Re: [PATCH v5 1/9] MdeModulePkg: Add new PCD to control the evacuate temporary memory feature (CVE-2019-11098)
Date: Mon, 13 Jul 2020 02:54:57 +0000	[thread overview]
Message-ID: <SN6PR11MB3312D4F4E6CEB0E4A35BABFCB6600@SN6PR11MB3312.namprd11.prod.outlook.com> (raw)
In-Reply-To: <20200709015645.336-2-guomin.jiang@intel.com>

Guomin,


> -----Original Message-----
> From: Jiang, Guomin <guomin.jiang@intel.com>
> Sent: Thursday, July 09, 2020 9:57 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Wu, Hao A <hao.a.wu@intel.com>;
> Laszlo Ersek <lersek@redhat.com>
> Subject: [PATCH v5 1/9] MdeModulePkg: Add new PCD to control the evacuate
> temporary memory feature (CVE-2019-11098)
> 
> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614
> 
> The security researcher found that we can get control after NEM disable.
> 
> The reason is that the flash content reside in NEM at startup and the
> code will get the content from flash directly after disable NEM.
> 
> To avoid this vulnerability, the feature will copy the PEIMs from
> temporary memory to permanent memory and only execute the code in
> permanent memory.
> 
> The vulnerability is exist in physical platform and haven't report in
> virtual platform, so the virtual can disable the feature currently.
> 
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Hao A Wu <hao.a.wu@intel.com>
> Signed-off-by: Guomin Jiang <guomin.jiang@intel.com>
> Acked-by: Laszlo Ersek <lersek@redhat.com>
> ---
>  MdeModulePkg/MdeModulePkg.dec | 7 +++++++
>  MdeModulePkg/MdeModulePkg.uni | 6 ++++++
>  2 files changed, 13 insertions(+)
> 
> diff --git a/MdeModulePkg/MdeModulePkg.dec
> b/MdeModulePkg/MdeModulePkg.dec
> index 843e963ad34b..16db17d0a873 100644
> --- a/MdeModulePkg/MdeModulePkg.dec
> +++ b/MdeModulePkg/MdeModulePkg.dec
> @@ -1220,6 +1220,13 @@ [PcdsFixedAtBuild, PcdsPatchableInModule]
>    # @Prompt Shadow Peim and PeiCore on boot
> 
> gEfiMdeModulePkgTokenSpaceGuid.PcdShadowPeimOnBoot|TRUE|BOOLEAN|
> 0x30001029
> 
> +  ## Enable the feature that evacuate temporary memory to permanent
> memory or not
> +  #  Set FALSE as default, if the developer need this feature to avoid this
> vulnerability, please
> +  #  enable it in dsc file.
> +  # TRUE - Evacuate temporary memory, the actions include copy memory,
> convert PPI pointers and so on.
> +  # FALSE - Do nothing, for example, no copy memory, no convert PPI pointers
> and so on.

Missing @Prompt tag here. With it addressed,

Reviewed-by: Jian J Wang <jian.j.wang@intel.com>

Regards,
Jian

> +
> gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolum
> es|FALSE|BOOLEAN|0x3000102A
> +
>    ## The mask is used to control memory profile behavior.<BR><BR>
>    #  BIT0 - Enable UEFI memory profile.<BR>
>    #  BIT1 - Enable SMRAM profile.<BR>
> diff --git a/MdeModulePkg/MdeModulePkg.uni
> b/MdeModulePkg/MdeModulePkg.uni
> index 2007e0596c4f..5235dee561ad 100644
> --- a/MdeModulePkg/MdeModulePkg.uni
> +++ b/MdeModulePkg/MdeModulePkg.uni
> @@ -214,6 +214,12 @@
>                                                                                         "TRUE  - Shadow PEIM on S3
> boot path after memory is ready.<BR>\n"
>                                                                                         "FALSE - Not shadow PEIM on
> S3 boot path after memory is ready.<BR>"
> 
> +#string
> STR_gEfiMdeModulePkgTokenSpaceGuid_PcdMigrateTemporaryRamFirmwareV
> olumes_HELP #language en-US "Enable the feature that evacuate temporary
> memory to permanent memory or not.<BR><BR>\n"
> +                                                                                                      "It will allocate page to
> save the temporary PEIMs resided in NEM(or CAR) to the permanent memory
> and change all pointers pointed to the NEM(or CAR) to permanent
> memory.<BR><BR>\n"
> +                                                                                                      "After then, there are
> no pointer pointed to NEM(or CAR) and TOCTOU volnerability can be
> avoid.<BR><BR>\n"
> +
> +#string
> STR_gEfiMdeModulePkgTokenSpaceGuid_PcdMigrateTemporaryRamFirmwareV
> olumes_PROMPT #language en-US "Enable the feature that evacuate temporary
> memory to permanent memory or not"
> +
>  #string
> STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiDefaultOemId_PROMPT
> #language en-US "Default OEM ID for ACPI table creation"
> 
>  #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiDefaultOemId_HELP
> #language en-US "Default OEM ID for ACPI table creation, its length must be 0x6
> bytes to follow ACPI specification."
> --
> 2.25.1.windows.1

next prev parent reply	other threads:[~2020-07-13  2:55 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-09  1:56 [PATCH v5 0/9] Add new feature that evacuate temporary to permanent memory (CVE-2019-11098) Guomin Jiang
2020-07-09  1:56 ` [PATCH v5 1/9] MdeModulePkg: Add new PCD to control the evacuate temporary memory feature (CVE-2019-11098) Guomin Jiang
2020-07-13  2:54   ` Wang, Jian J [this message]
2020-07-09  1:56 ` [PATCH v5 2/9] MdeModulePkg/PeiCore: Enable T-RAM evacuation in PeiCore (CVE-2019-11098) Guomin Jiang
2020-07-09 10:50   ` [edk2-devel] " Laszlo Ersek
2020-07-13  6:38   ` Wang, Jian J
2020-07-22 22:43     ` Laszlo Ersek
2020-07-09  1:56 ` [PATCH v5 3/9] UefiCpuPkg/CpuMpPei: Add GDT and IDT migration support (CVE-2019-11098) Guomin Jiang
2020-07-09 11:04   ` [edk2-devel] " Laszlo Ersek
2020-07-09  1:56 ` [PATCH v5 4/9] UefiCpuPkg/SecMigrationPei: Add initial PEIM (CVE-2019-11098) Guomin Jiang
2020-07-09 11:01   ` [edk2-devel] " Laszlo Ersek
2020-07-13  6:56   ` Wang, Jian J
2020-07-09  1:56 ` [PATCH v5 5/9] MdeModulePkg/Core: Create Migrated FV Info Hob for calculating hash (CVE-2019-11098) Guomin Jiang
2020-07-13  7:05   ` Wang, Jian J
2020-07-09  1:56 ` [PATCH v5 6/9] SecurityPkg/Tcg2Pei: Use " Guomin Jiang
2020-07-13  7:09   ` Wang, Jian J
2020-07-09  1:56 ` [PATCH v5 7/9] UefiCpuPkg/CpuMpPei: Enable paging and set NP flag to avoid TOCTOU (CVE-2019-11098) Guomin Jiang
2020-07-13  7:47   ` [edk2-devel] " Wang, Jian J
2020-07-09  1:56 ` [PATCH v5 8/9] UefiCpuPkg: Correct some typos Guomin Jiang
2020-07-09 10:58   ` [edk2-devel] " Laszlo Ersek
2020-07-09  1:56 ` [PATCH v5 9/9] SecurityPkg/TcgPei: Use Migrated FV Info Hob for calculating hash (CVE-2019-11098) Guomin Jiang
2020-07-13  7:49   ` Wang, Jian J
2020-07-10  5:46 ` [edk2-devel] [PATCH v5 0/9] Add new feature that evacuate temporary to permanent memory (CVE-2019-11098) Laszlo Ersek
2020-07-10  6:57   ` Guomin Jiang

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=SN6PR11MB3312D4F4E6CEB0E4A35BABFCB6600@SN6PR11MB3312.namprd11.prod.outlook.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox