From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: redhat.com, ip: 209.132.183.28, mailfrom: lersek@redhat.com) Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by groups.io with SMTP; Wed, 31 Jul 2019 17:08:30 -0700 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id EE80444FB1; Thu, 1 Aug 2019 00:08:29 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-110.ams2.redhat.com [10.36.116.110]) by smtp.corp.redhat.com (Postfix) with ESMTP id ACD2F5D6B2; Thu, 1 Aug 2019 00:08:28 +0000 (UTC) Subject: Re: [edk2-devel] [PATCH v2 2/2] UefiCpuPkg/PiSmmCpu: PcdCpuSmmAccessOut controls SMM access-out policy From: "Laszlo Ersek" To: ray.ni@intel.com, Jiewen Yao Cc: devel@edk2.groups.io, Eric Dong , Jian J Wang References: <20190731163852.191708-1-ray.ni@intel.com> <20190731163852.191708-3-ray.ni@intel.com> <50b073a1-bf04-4b8a-e267-2af933d34c5c@redhat.com> <9158c339-5af7-0d12-fbe9-c5c01499e54e@redhat.com> Message-ID: Date: Thu, 1 Aug 2019 02:08:27 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <9158c339-5af7-0d12-fbe9-c5c01499e54e@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.30]); Thu, 01 Aug 2019 00:08:30 +0000 (UTC) Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit On 08/01/19 01:46, Laszlo Ersek wrote: > So ultimately, I would argue for the following patch series: > > - patch#1: Revert commit c60d36b4, and explain why, in the commit > message. > > - patch#2: Introduce the new PCD, also mentioning MMIO. > > - Patch#3: modify *all* of the following functions, internally, to > return immediately, if "mSmmAccessOut" is TRUE: > > - GetUefiMemoryMap() > - SetUefiMemMapAttributes() > - IsSmmCommBufferForbiddenAddress() > > Basically, the new PCD should short-circuit all three functions > declared in "PiSmmCpuDxeSmm.h" by commit d2fc7711136a. Sigh, why is this so friggin complicated. The functions added by commit d2fc7711136a were extended with the following commits, later: * ac6613db4697 ("UefiCpuPkg/PiSmmCpu: Check for untested memory in GCD", 2018-07-26) The commit message says, "It treats GCD untested memory as invalid SMM communication buffer". * 8a2e1a9d54ee ("UefiCpuPkg/PiSmmCpu: Check EFI_RUNTIME_RO in UEFI mem attrib table.", 2018-07-26) The commit message says, "It treats the UEFI runtime page with EFI_MEMORY_RO attribute as invalid SMM communication buffer. Both of these commits come from the patch series [edk2] [PATCH 0/6] Check untested memory and EFI_MEMORY_RO http://mid.mail-archive.com/20180720052626.24932-1-hao.a.wu@intel.com https://lists.01.org/pipermail/edk2-devel/2018-July/027326.html And now the question becomes: when a platform permits "access-out", does it also enable access to untested memory, and EFI_MEMORY_RO? (a) If the answer is yes, then short-circuiting the three functions that I listed, on (mSmmAccessOut == TRUE), *immediately* after entering them, is correct. (b) If the answer is no -- that is, access-out should *continue* preventing access to untested memory, and EFI_MEMORY_RO -- then we cannot completely short-circuit the functions that I listed. Instead, we can only short-circuit those parts that work with the "mUefiMemoryMap" variable. The current description of the PCD suggests that (b) is the right approach. Thanks, Laszlo