From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [edk2-devel] [PATCH v2 8/9] UefiCpuPkg/SecMigrationPei: Add switch to control if produce PPI (CVE-2019-11098)
To: devel@edk2.groups.io, guomin.jiang@intel.com
Cc: Eric Dong , Ray Ni , Rahul Kumar
References: <20200702051525.1102-1-guomin.jiang@intel.com>
<20200702051525.1102-9-guomin.jiang@intel.com> From: "Laszlo Ersek" Message-ID: Date: Fri, 3 Jul 2020 16:05:27 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <20200702051525.1102-9-guomin.jiang@intel.com> X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=lersek@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit On 07/02/20 07:15, Guomin Jiang wrote: > REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614 > > SecMigrationPei create RepublishSecPpi, if the TOCTOU switch is off, > the Ppi is meaningless, so relate it with TOCTOU switch to avoid > producing useless PPI. > > Cc: Eric Dong > Cc: Ray Ni > Cc: Laszlo Ersek > Cc: Rahul Kumar > Signed-off-by: Guomin Jiang > --- > UefiCpuPkg/SecMigrationPei/SecMigrationPei.c | 8 +++++--- > UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf | 4 ++++ > 2 files changed, 9 insertions(+), 3 deletions(-) > > diff --git a/UefiCpuPkg/SecMigrationPei/SecMigrationPei.c b/UefiCpuPkg/SecMigrationPei/SecMigrationPei.c > index f96013b09b21..ab8066e8e0de 100644 > --- a/UefiCpuPkg/SecMigrationPei/SecMigrationPei.c > +++ b/UefiCpuPkg/SecMigrationPei/SecMigrationPei.c > @@ -363,10 +363,12 @@ SecMigrationPeiInitialize ( > IN CONST EFI_PEI_SERVICES **PeiServices > ) > { > - EFI_STATUS Status; > + EFI_STATUS Status = EFI_SUCCESS; > > - Status = PeiServicesInstallPpi (&mEdkiiRepublishSecPpiDescriptor); > - ASSERT_EFI_ERROR (Status); > + if (PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)) { > + Status = PeiServicesInstallPpi (&mEdkiiRepublishSecPpiDescriptor); > + ASSERT_EFI_ERROR (Status); > + } > > return Status; > } 
> diff --git a/UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf b/UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf > index e29c04710941..8edbd3aa23a9 100644 > --- a/UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf > +++ b/UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf > @@ -60,5 +60,9 @@ [Ppis] > ## SOMETIMES_PRODUCES > gEfiSecPlatformInformation2PpiGuid > > +[Pcd] > + ## CONSUMES > + gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes > + > [Depex] > TRUE > (1) This patch should be squashed into: "UefiCpuPkg/SecMigrationPei: Add initial PEIM" Thanks. Laszlo
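Review bot: In the SecMigrationPeiInitialize hunk, `EFI_STATUS Status = EFI_SUCCESS;` initializes a local variable in its declaration, which the edk2 C coding standard does not allow; keep the plain `EFI_STATUS Status;` declaration and assign `Status = EFI_SUCCESS;` as the first statement, ahead of the `if (PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes))` check. The new branch also carries no comment: a line above the `if` saying that the RepublishSecPpi is installed only when the migration switch is on would explain why the entry point can now return EFI_SUCCESS without installing anything.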