From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-1.mimecast.com (us-smtp-delivery-1.mimecast.com [205.139.110.61]) by mx.groups.io with SMTP id smtpd.web12.29374.1595452793436096036 for ; Wed, 22 Jul 2020 14:19:53 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=UcGHi7Ve; spf=pass (domain: redhat.com, ip: 205.139.110.61, mailfrom: lersek@redhat.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1595452792; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=2g3dmajWdeUuKwFLBFmjvF7ByQyYttIvQsCjeF9baK4=; b=UcGHi7VeDgyz/ktZBQPjC98e5i06/CvsD6sQbX8ZRvKqmWdRVuBCEgXe7UXBwzR4Eevk/R arxywo515sx7dHaoyHUp/1Wvl9lqpuh1WqmUDY+roVDav9dVwafhhgSoxEy2NdTnkOFR1I 6xXp+BpDO65uQ0b2H3ja5XLl8PQmado= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-162-Ib_qYGw5OquIMsP6mCR6pg-1; Wed, 22 Jul 2020 17:19:44 -0400 X-MC-Unique: Ib_qYGw5OquIMsP6mCR6pg-1 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id B9F3C8064B6; Wed, 22 Jul 2020 21:19:42 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-113-129.ams2.redhat.com [10.36.113.129]) by smtp.corp.redhat.com (Postfix) with ESMTP id B757760C05; Wed, 22 Jul 2020 21:19:41 +0000 (UTC) Subject: Re: [edk2-devel] [PATCH v7 01/10] MdeModulePkg: Add new PCD to control the evacuate temporary memory feature (CVE-2019-11098) To: devel@edk2.groups.io, guomin.jiang@intel.com Cc: Jian J Wang , Hao A Wu References: <20200722083657.739-1-guomin.jiang@intel.com> <20200722083657.739-2-guomin.jiang@intel.com> From: "Laszlo Ersek" Message-ID: Date: Wed, 22 Jul 2020 23:19:40 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <20200722083657.739-2-guomin.jiang@intel.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit On 07/22/20 10:36, Guomin Jiang wrote: > REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614 > > The security researcher found that we can get control after NEM disable. > > The reason is that the flash content reside in NEM at startup and the > code will get the content from flash directly after disable NEM. > > To avoid this vulnerability, the feature will copy the PEIMs from > temporary memory to permanent memory and only execute the code in > permanent memory. > > The vulnerability is exist in physical platform and haven't report in > virtual platform, so the virtual can disable the feature currently. > > Cc: Jian J Wang > Cc: Hao A Wu > Signed-off-by: Guomin Jiang > Acked-by: Laszlo Ersek > Reviewed-by: Jian J Wang > --- > MdeModulePkg/MdeModulePkg.dec | 8 ++++++++ > MdeModulePkg/MdeModulePkg.uni | 6 ++++++ > 2 files changed, 14 insertions(+) Comparing this against v5 (which I last checked), my ACK stands. Thanks Laszlo