From: "Wang, Jian J" <jian.j.wang@intel.com>
To: "Jiang, Guomin", devel@edk2.groups.io
Cc: "Wu, Hao A", Laszlo Ersek
Subject: Re: [PATCH v5 1/9] MdeModulePkg: Add new PCD to control the evacuate temporary memory feature (CVE-2019-11098)
Date: Mon, 13 Jul 2020 02:54:57 +0000
References: <20200709015645.336-1-guomin.jiang@intel.com> <20200709015645.336-2-guomin.jiang@intel.com>
In-Reply-To: <20200709015645.336-2-guomin.jiang@intel.com>

Guomin,

> -----Original Message-----
> From: Jiang, Guomin
> Sent: Thursday, July 09, 2020 9:57 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J; Wu, Hao A; Laszlo Ersek
> Subject: [PATCH v5 1/9] MdeModulePkg: Add new PCD to control the evacuate temporary memory feature (CVE-2019-11098)
>
> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614
>
> The security researcher found that we can get control after NEM is disabled.
>
> The reason is that the flash content resides in NEM at startup and the
> code will get the content from flash directly after NEM is disabled.
>
> To avoid this vulnerability, the feature will copy the PEIMs from
> temporary memory to permanent memory and only execute the code in
> permanent memory.
>
> The vulnerability exists in physical platforms and hasn't been reported in
> virtual platforms, so the virtual platforms can disable the feature currently.
>
> Cc: Jian J Wang
> Cc: Hao A Wu
> Signed-off-by: Guomin Jiang
> Acked-by: Laszlo Ersek
> ---
>  MdeModulePkg/MdeModulePkg.dec | 7 +++++++
>  MdeModulePkg/MdeModulePkg.uni | 6 ++++++
>  2 files changed, 13 insertions(+)
>
> diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
> index 843e963ad34b..16db17d0a873 100644
> --- a/MdeModulePkg/MdeModulePkg.dec
> +++ b/MdeModulePkg/MdeModulePkg.dec
> @@ -1220,6 +1220,13 @@ [PcdsFixedAtBuild, PcdsPatchableInModule] > # @Prompt Shadow Peim and PeiCore on boot >=20 > gEfiMdeModulePkgTokenSpaceGuid.PcdShadowPeimOnBoot|TRUE|BOOLEAN| > 0x30001029 >=20 > + ## Enable the feature that evacuate temporary memory to permanent > memory or not > + # Set FALSE as default, if the developer need this feature to avoid t= his > vulnerability, please > + # enable it in dsc file. > + # TRUE - Evacuate temporary memory, the actions include copy memory, > convert PPI pointers and so on. > + # FALSE - Do nothing, for example, no copy memory, no convert PPI poin= ters > and so on. Missing @Prompt tag here. With it addressed, Reviewed-by: Jian J Wang Regards, Jian > + > gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolum > es|FALSE|BOOLEAN|0x3000102A > + > ## The mask is used to control memory profile behavior.

> # BIT0 - Enable UEFI memory profile.
> # BIT1 - Enable SMRAM profile.
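Review bot: The new PcdMigrateTemporaryRamFirmwareVolumes entry in MdeModulePkg.dec has no `# @Prompt` line, while the neighbouring PcdShadowPeimOnBoot entry carries `# @Prompt Shadow Peim and PeiCore on boot` and the .uni side of this same patch adds a `..._PROMPT` string for the new PCD; add a `# @Prompt` line with the same wording as the .uni prompt directly above the `gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes|FALSE|BOOLEAN|0x3000102A` line so the .dec and .uni stay consistent. The comment block itself would read more clearly as "Enable or disable the feature that evacuates temporary memory to permanent memory" and "if the developer needs this feature to avoid the vulnerability, enable it in the dsc file".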
> diff --git a/MdeModulePkg/MdeModulePkg.uni > b/MdeModulePkg/MdeModulePkg.uni > index 2007e0596c4f..5235dee561ad 100644 > --- a/MdeModulePkg/MdeModulePkg.uni > +++ b/MdeModulePkg/MdeModulePkg.uni > @@ -214,6 +214,12 @@ > = "TRUE - Shadow PEIM on S3 > boot path after memory is ready.
\n" > = "FALSE - Not shadow PEIM on > S3 boot path after memory is ready.
" >=20 > +#string > STR_gEfiMdeModulePkgTokenSpaceGuid_PcdMigrateTemporaryRamFirmwareV > olumes_HELP #language en-US "Enable the feature that evacuate temporary > memory to permanent memory or not.

\n" > + = "It will allocate page to > save the temporary PEIMs resided in NEM(or CAR) to the permanent memory > and change all pointers pointed to the NEM(or CAR) to permanent > memory.

\n" > + = "After then, there are > no pointer pointed to NEM(or CAR) and TOCTOU volnerability can be > avoid.

\n" > + > +#string > STR_gEfiMdeModulePkgTokenSpaceGuid_PcdMigrateTemporaryRamFirmwareV > olumes_PROMPT #language en-US "Enable the feature that evacuate temporary > memory to permanent memory or not" > + > #string > STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiDefaultOemId_PROMPT > #language en-US "Default OEM ID for ACPI table creation" >=20 > #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiDefaultOemId_HELP > #language en-US "Default OEM ID for ACPI table creation, its length must = be 0x6 > bytes to follow ACPI specification." > -- > 2.25.1.windows.1
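Review bot: The new `_HELP` string carries typos that will ship into user-visible text: "volnerability" should be "vulnerability", "can be avoid" should be "can be avoided", "allocate page to save the temporary PEIMs resided in NEM(or CAR)" should be "allocate pages to save the temporary PEIMs residing in NEM (or CAR)", and "After then, there are no pointer pointed to NEM(or CAR)" should read "After that, no pointer points to NEM (or CAR)". Suggested third line: "After that, no pointer points to NEM (or CAR) and the TOCTOU vulnerability is avoided." The `_PROMPT` string should use the same wording as the `@Prompt` that the .dec half of this patch still needs.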
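The migration that the commit message describes (copy the PEIMs out of temporary RAM before NEM is disabled, then rebase every pointer so nothing still references the temporary window), modelled as an added C example. This is not code from the patch or from EDK2; `MemRegion`, `PpiDescriptor`, `MigrateImage`, `CountStalePointers` and `RunMigrationDemo` are hypothetical names constructed for the illustration, and the "image" is a constructed byte string. The stale-pointer check is the kind of assertion a platform would want to run immediately before tearing down temporary RAM.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not EDK2 code): a window of temporary RAM (NEM/CAR)
 * and a window of permanent RAM, each just a byte array here. */
#define REGION_SIZE 1024

typedef struct {
    uint8_t *Base;
    size_t   Size;
} MemRegion;

/* Hypothetical PPI descriptor: two pointers that may reference a PEIM image. */
typedef struct {
    const char    *Name;
    const uint8_t *Entry;
} PpiDescriptor;

static bool InRegion(const MemRegion *R, const void *P) {
    const uint8_t *Ptr = (const uint8_t *)P;
    return Ptr >= R->Base && Ptr < R->Base + R->Size;
}

/* Number of descriptor pointers still inside temporary RAM.
 * A platform would require this to be 0 before disabling NEM. */
size_t CountStalePointers(const MemRegion *Temp, const PpiDescriptor *Ppis, size_t N) {
    size_t Stale = 0;
    for (size_t i = 0; i < N; i++) {
        if (InRegion(Temp, Ppis[i].Name))  Stale++;
        if (InRegion(Temp, Ppis[i].Entry)) Stale++;
    }
    return Stale;
}

/* Copy Image (ImageSize bytes, inside Temp) to the next free space in Perm
 * and rebase every descriptor pointer that fell inside the moved image.
 * Returns the new base, or NULL if the image does not fit or lies outside Temp. */
const uint8_t *MigrateImage(const MemRegion *Temp, const uint8_t *Image, size_t ImageSize,
                            MemRegion *Perm, size_t *PermUsed,
                            PpiDescriptor *Ppis, size_t N) {
    if (!InRegion(Temp, Image) || ImageSize > (size_t)(Temp->Base + Temp->Size - Image))
        return NULL;                              /* image not wholly in temporary RAM */
    if (ImageSize > Perm->Size - *PermUsed)
        return NULL;                              /* no room in permanent RAM */

    uint8_t *NewBase = Perm->Base + *PermUsed;
    memcpy(NewBase, Image, ImageSize);
    *PermUsed += ImageSize;

    ptrdiff_t Delta = NewBase - Image;
    for (size_t i = 0; i < N; i++) {
        const uint8_t *NamePtr = (const uint8_t *)Ppis[i].Name;
        if (NamePtr >= Image && NamePtr < Image + ImageSize)
            Ppis[i].Name = (const char *)(NamePtr + Delta);
        if (Ppis[i].Entry >= Image && Ppis[i].Entry < Image + ImageSize)
            Ppis[i].Entry += Delta;
    }
    return NewBase;
}

/* Demo on constructed data. Returns the stale-pointer count after migration
 * (expected 0); *StaleBefore receives the count before migration (expected 2)
 * and NameOut the PPI name read through the relocated pointer. */
size_t RunMigrationDemo(size_t *StaleBefore, char *NameOut, size_t NameOutLen) {
    static uint8_t TempRam[REGION_SIZE];
    static uint8_t PermRam[REGION_SIZE];
    MemRegion Temp = { TempRam, sizeof TempRam };
    MemRegion Perm = { PermRam, sizeof PermRam };
    size_t PermUsed = 0;

    /* Constructed "PEIM image": a name string followed by one entry byte. */
    static const char Name[] = "DemoPpi";
    uint8_t *Image = TempRam + 64;
    memcpy(Image, Name, sizeof Name);
    Image[sizeof Name] = 0xC3;                    /* stand-in for code at the entry point */
    size_t ImageSize = sizeof Name + 1;

    PpiDescriptor Ppis[1] = { { (const char *)Image, Image + sizeof Name } };
    *StaleBefore = CountStalePointers(&Temp, Ppis, 1);

    if (MigrateImage(&Temp, Image, ImageSize, &Perm, &PermUsed, Ppis, 1) == NULL)
        return (size_t)-1;

    /* Model NEM teardown: anything fetched through the old window is untrusted. */
    memset(TempRam, 0, sizeof TempRam);

    strncpy(NameOut, Ppis[0].Name, NameOutLen - 1);
    NameOut[NameOutLen - 1] = '\0';
    return CountStalePointers(&Temp, Ppis, 1);
}

int main(void) {
    size_t Before = 0;
    char Name[16];
    size_t After = RunMigrationDemo(&Before, Name, sizeof Name);
    printf("stale before=%zu after=%zu name=%s\n", Before, After, Name);
    return After == 0 ? 0 : 1;
}
```

The check that matters is the second `CountStalePointers` call: once the temporary window has been wiped, any descriptor still pointing into it would be exactly the stale reference the PCD's help text says the feature removes, so a platform enabling the feature should treat a non-zero count as a fatal assertion rather than a warning.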