Re: [edk2-devel] [PATCH v7 01/10] MdeModulePkg: Add new PCD to control the evacuate temporary memory feature (CVE-2019-11098)

["Laszlo Ersek" <lersek@redhat.com>]

On 07/22/20 10:36, Guomin Jiang wrote:
> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614
> 
> The security researcher found that we can get control after NEM disable.
> 
> The reason is that the flash content reside in NEM at startup and the
> code will get the content from flash directly after disable NEM.
> 
> To avoid this vulnerability, the feature will copy the PEIMs from
> temporary memory to permanent memory and only execute the code in
> permanent memory.
> 
> The vulnerability is exist in physical platform and haven't report in
> virtual platform, so the virtual can disable the feature currently.
> 
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Hao A Wu <hao.a.wu@intel.com>
> Signed-off-by: Guomin Jiang <guomin.jiang@intel.com>
> Acked-by: Laszlo Ersek <lersek@redhat.com>
> Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
> ---
>  MdeModulePkg/MdeModulePkg.dec | 8 ++++++++
>  MdeModulePkg/MdeModulePkg.uni | 6 ++++++
>  2 files changed, 14 insertions(+)

Comparing this against v5 (which I last checked), my ACK stands.

Thanks
Laszlo