From: "Guomin Jiang"
To: devel@edk2.groups.io
Cc: Jian J Wang, Hao A Wu
Subject: [edk2-devel] [PATCH v3 01/11] MdeModulePkg: Add new PCD to control the evacuate temporary memory feature (CVE-2019-11098)
Date: Wed, 8 Jul 2020 10:45:58 +0800
Message-Id: <20200708024608.915-2-guomin.jiang@intel.com>
In-Reply-To: <20200708024608.915-1-guomin.jiang@intel.com>
References: <20200708024608.915-1-guomin.jiang@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1614

The security researcher found that we can get control after NEM is disabled. The reason is that the flash content resides in NEM at startup, and the code will get the content from flash directly after NEM is disabled.

To avoid this vulnerability, the feature will copy the PEIMs from temporary memory to permanent memory and only execute the code in permanent memory.

The vulnerability exists on physical platforms and has not been reported on virtual platforms, so virtual platforms can disable the feature currently.

Cc: Jian J Wang
Cc: Hao A Wu
Signed-off-by: Guomin Jiang
---
 MdeModulePkg/MdeModulePkg.dec | 5 +++++
 MdeModulePkg/MdeModulePkg.uni | 6 ++++++
 2 files changed, 11 insertions(+)
diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec index 843e963ad34b..8077f3d14c6e 100644 --- a/MdeModulePkg/MdeModulePkg.dec +++ b/MdeModulePkg/MdeModulePkg.dec @@ -1220,6 +1220,11 @@ [PcdsFixedAtBuild, PcdsPatchableInModule] # @Prompt Shadow Peim and PeiCore on boot gEfiMdeModulePkgTokenSpaceGuid.PcdShadowPeimOnBoot|TRUE|BOOLEAN|0x300010= 29 =20 + ## Enable the feature that evacuate temporary memory to permanent memory= or not + # TRUE - Evacuate temporary memory, the actions include copy memory, con= vert PPI pointers and so on. + # FALSE - Do nothing, for example, no copy memory, no convert PPI pointe= rs and so on. + gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes|TRU= E|BOOLEAN|0x3000102A + ## The mask is used to control memory profile behavior.

# BIT0 - Enable UEFI memory profile.
# BIT1 - Enable SMRAM profile.
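Review bot: The new declaration `gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes|TRUE|BOOLEAN|0x3000102A` has no `# @Prompt` line in front of it, while the PcdShadowPeimOnBoot entry directly above carries `# @Prompt Shadow Peim and PeiCore on boot`; add a `# @Prompt` line that matches the `_PROMPT` string this same patch adds to MdeModulePkg.uni so the .dec follows the package convention and the .uni prompt has its counterpart. In the help comment, "the actions include copy memory, convert PPI pointers and so on" leaves unstated what else the feature touches, which is exactly what a platform owner needs to know before deciding to set it to FALSE; list the concrete actions instead of "and so on", and change "feature that evacuate" to "feature that evacuates".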
diff --git a/MdeModulePkg/MdeModulePkg.uni b/MdeModulePkg/MdeModulePkg.uni index 2007e0596c4f..5235dee561ad 100644 --- a/MdeModulePkg/MdeModulePkg.uni +++ b/MdeModulePkg/MdeModulePkg.uni @@ -214,6 +214,12 @@ = "TRUE - Shadow PEIM on S3 boot path after memory is ready.\n" = "FALSE - Not shadow PEIM on S3 boot path after memory is ready= .
" =20 +#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdMigrateTemporaryRamFirmwareV= olumes_HELP #language en-US "Enable the feature that evacuate temporary mem= ory to permanent memory or not.

\n" + = "It will allocate page to save the temporary PE= IMs resided in NEM(or CAR) to the permanent memory and change all pointers = pointed to the NEM(or CAR) to permanent memory.

\n" + = "After then, there are no pointer pointed to NE= M(or CAR) and TOCTOU volnerability can be avoid.

\n" + +#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdMigrateTemporaryRamFirmwareV= olumes_PROMPT #language en-US "Enable the feature that evacuate temporary m= emory to permanent memory or not" + #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiDefaultOemId_PROMPT #la= nguage en-US "Default OEM ID for ACPI table creation" =20 #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiDefaultOemId_HELP #lang= uage en-US "Default OEM ID for ACPI table creation, its length must be 0x6 = bytes to follow ACPI specification." --=20 2.25.1.windows.1
View/Reply Online (#62195): https://edk2.groups.io/g/devel/message/62195
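Review bot: The new `_HELP` string ships user-visible text with several spelling and grammar errors: "volnerability" should be "vulnerability", "can be avoid" should be "can be avoided", "there are no pointer pointed to" should be "there is no pointer pointing to", "allocate page" should be "allocate pages", and "After then" should be "After that". The HELP text also only describes the TRUE behaviour; mirror the TRUE/FALSE pair that the .dec comment in this patch uses and that the neighbouring context in this hunk uses ("TRUE - Shadow PEIM on S3 boot path after memory is ready." / "FALSE - Not shadow PEIM ..."), so an integrator reading the prompt knows that FALSE means no copy and no pointer conversion.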
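The mechanism the commit message and the new HELP string describe (copy the PEIMs out of NEM/CAR into permanent memory, convert every pointer that referred to NEM, then never touch the old range again), as an added example in plain C that is not edk2 code and not part of this patch. `FvContext`, `PpiDescriptor`, `migrate_fv`, `dangling_pointers` and the constructed 256-byte "firmware volume" are stand-ins chosen for this illustration, not EDK II APIs; the real PeiCore works on its PPI descriptor lists and firmware-volume headers, which this model omits. The point it shows is the TOCTOU: after NEM teardown a stale pointer reads whatever is now in flash, while rebased pointers keep reading the verified copy.

```c
/* Added example, not edk2 code: a minimal model of "evacuate temporary RAM".
 * Pre-memory PEI runs out of temporary RAM (NEM / cache-as-RAM) backed by SPI
 * flash. Once NEM is torn down, a pointer still aimed at that range is served
 * from flash, which an attacker with flash write access may have changed after
 * verification. Mitigation: copy the FV to permanent memory and rebase every
 * pointer that referred to the old range. All types below are stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TEMP_RAM_SIZE 256

typedef struct {
    uint32_t guid;   /* stand-in for the PPI GUID */
    void    *ppi;    /* interface pointer; initially points into temp RAM */
} PpiDescriptor;

typedef struct {
    uint8_t       *base;   /* start of the region holding the FV image */
    size_t         size;
    PpiDescriptor  ppis[4];
    size_t         ppi_count;
} FvContext;

/* Range test on integers, so comparing across two buffers is well defined. */
static int in_range(const void *p, const uint8_t *base, size_t size) {
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)base;
    return a >= lo && a < lo + size;
}

/* Copy the FV to permanent memory and rebase every PPI pointer that referred
 * to temporary RAM. Returns the number of pointers rebased, or -1 on error. */
int migrate_fv(FvContext *ctx, uint8_t *perm, size_t perm_size) {
    if (perm_size < ctx->size) return -1;
    memcpy(perm, ctx->base, ctx->size);
    int rebased = 0;
    for (size_t i = 0; i < ctx->ppi_count; i++) {
        if (in_range(ctx->ppis[i].ppi, ctx->base, ctx->size)) {
            size_t off = (size_t)((uint8_t *)ctx->ppis[i].ppi - ctx->base);
            ctx->ppis[i].ppi = perm + off;
            rebased++;
        }
    }
    ctx->base = perm;   /* from here on nothing should refer to temp RAM */
    return rebased;
}

/* Post-migration check: how many pointers still refer to the old range. */
int dangling_pointers(const FvContext *ctx, const uint8_t *old_base, size_t old_size) {
    int n = 0;
    for (size_t i = 0; i < ctx->ppi_count; i++)
        if (in_range(ctx->ppis[i].ppi, old_base, old_size)) n++;
    return n;
}

/* Constructed temp-RAM image: a toy "FV" with two interfaces at fixed offsets. */
static void build_temp_fv(uint8_t *temp, FvContext *ctx) {
    memset(temp, 0, TEMP_RAM_SIZE);
    memcpy(temp + 0x10, "PPI-A", 6);
    memcpy(temp + 0x40, "PPI-B", 6);
    ctx->base = temp;
    ctx->size = TEMP_RAM_SIZE;
    ctx->ppi_count = 2;
    ctx->ppis[0].guid = 0xA; ctx->ppis[0].ppi = temp + 0x10;
    ctx->ppis[1].guid = 0xB; ctx->ppis[1].ppi = temp + 0x40;
}

/* Mitigated path: migrate, tear down temp RAM, then use the PPIs. 0 on success. */
int demo_migration(void) {
    static uint8_t temp_ram[TEMP_RAM_SIZE], perm_mem[TEMP_RAM_SIZE];
    FvContext ctx;
    build_temp_fv(temp_ram, &ctx);
    if (migrate_fv(&ctx, perm_mem, sizeof perm_mem) != 2) return -1;
    if (dangling_pointers(&ctx, temp_ram, TEMP_RAM_SIZE) != 0) return -2;
    /* NEM teardown: the old range now reads whatever flash holds (attacker-controlled). */
    memset(temp_ram, 0xFF, TEMP_RAM_SIZE);
    if (strcmp((const char *)ctx.ppis[0].ppi, "PPI-A") != 0) return -3;
    if (strcmp((const char *)ctx.ppis[1].ppi, "PPI-B") != 0) return -4;
    return 0;
}

/* Unmitigated path: keep temp-RAM pointers across teardown. Returns the first
 * byte read through the stale pointer: 0xFF from "flash", not 'P'. */
int demo_without_migration(void) {
    static uint8_t temp_ram[TEMP_RAM_SIZE];
    FvContext ctx;
    build_temp_fv(temp_ram, &ctx);
    memset(temp_ram, 0xFF, TEMP_RAM_SIZE);
    return ((const uint8_t *)ctx.ppis[0].ppi)[0];
}

int main(void) {
    printf("with migration: %s\n", demo_migration() == 0 ? "PPIs intact" : "FAILED");
    printf("without migration: read 0x%02X through stale pointer\n", demo_without_migration());
    return 0;
}
```

The `dangling_pointers` pass after `migrate_fv` is the check worth keeping in any real port of this idea: the feature is only a fix if no consumer retains a pointer into the old range, so count them before tearing NEM down rather than trusting that the copy loop found everything.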