[edk2-devel] [PATCH v5 0/9] Add new feature that evacuate temporary to permanent memory (CVE-2019-11098)

Guomin Jiang posted 9 patches 3 years, 8 months ago
Failed in applying to current master (apply log)
There is a newer version of this series
MdeModulePkg/MdeModulePkg.dec                 |  10 +
UefiCpuPkg/UefiCpuPkg.dec                     |   4 +
UefiCpuPkg/UefiCpuPkg.dsc                     |   1 +
MdeModulePkg/Core/Pei/PeiMain.inf             |   3 +
SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf           |   1 +
SecurityPkg/Tcg/TcgPei/TcgPei.inf             |   1 +
UefiCpuPkg/CpuMpPei/CpuMpPei.inf              |   4 +
UefiCpuPkg/SecCore/SecCore.inf                |   2 +
.../SecMigrationPei/SecMigrationPei.inf       |  67 +++
MdeModulePkg/Core/Pei/PeiMain.h               | 169 +++++++
MdeModulePkg/Include/Guid/MigratedFvInfo.h    |  22 +
UefiCpuPkg/CpuMpPei/CpuMpPei.h                |  14 +-
UefiCpuPkg/Include/Ppi/RepublishSecPpi.h      |  54 +++
.../CpuExceptionCommon.h                      |   4 +-
UefiCpuPkg/SecCore/SecMain.h                  |   1 +
UefiCpuPkg/SecMigrationPei/SecMigrationPei.h  | 154 +++++++
MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c | 430 ++++++++++++++++++
MdeModulePkg/Core/Pei/Image/Image.c           | 115 +++++
MdeModulePkg/Core/Pei/Memory/MemoryServices.c |  82 ++++
MdeModulePkg/Core/Pei/PeiMain/PeiMain.c       |  24 +
MdeModulePkg/Core/Pei/Ppi/Ppi.c               | 287 ++++++++++++
SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c             |  31 +-
SecurityPkg/Tcg/TcgPei/TcgPei.c               |  29 +-
UefiCpuPkg/CpuMpPei/CpuMpPei.c                |  37 ++
UefiCpuPkg/CpuMpPei/CpuPaging.c               |  42 +-
.../Ia32/ArchExceptionHandler.c               |   4 +-
.../SecPeiCpuException.c                      |   2 +-
.../X64/ArchExceptionHandler.c                |   4 +-
UefiCpuPkg/SecCore/SecMain.c                  |  26 +-
UefiCpuPkg/SecMigrationPei/SecMigrationPei.c  | 381 ++++++++++++++++
MdeModulePkg/MdeModulePkg.uni                 |   6 +
.../SecMigrationPei/SecMigrationPei.uni       |  13 +
32 files changed, 2003 insertions(+), 21 deletions(-)
create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf
create mode 100644 MdeModulePkg/Include/Guid/MigratedFvInfo.h
create mode 100644 UefiCpuPkg/Include/Ppi/RepublishSecPpi.h
create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.h
create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.c
create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.uni
[edk2-devel] [PATCH v5 0/9] Add new feature that evacuate temporary to permanent memory (CVE-2019-11098)
Posted by Guomin Jiang 3 years, 8 months ago
The TOCTOU vulnerability allow that the physical present person to replace the code with the normal BootGuard check and PCR0 value.
The issue occur when BootGuard measure IBB and access flash code after NEM disable.
the reason why we access the flash code is that we have some pointer to flash.
To avoid this vulnerability, we need to convert those pointers, the patch series do this work and make sure that no code will access flash address.

v2:
Create gEdkiiMigratedFvInfoGuid HOB and add PcdMigrateTemporaryRamFirmwareVolumes to control whole feature.

v3:
Remove changes which is not related with the feature and disable the feature in virtual platform.

v4:
Disable the feature as default, Copy the Tcg2Pei behavior to TcgPei

v5:
Initialize local variable Shadow and return EFI_ABORTED when RepublishSecPpi not installed.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Debkumar De <debkumar.de@intel.com>
Cc: Harry Han <harry.han@intel.com>
Cc: Catharine West <catharine.west@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Andrew Fish <afish@apple.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Julien Grall <julien@xen.org>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Qi Zhang <qi1.zhang@intel.com>

Guomin Jiang (6):
  MdeModulePkg: Add new PCD to control the evacuate temporary memory
    feature (CVE-2019-11098)
  MdeModulePkg/Core: Create Migrated FV Info Hob for calculating hash
    (CVE-2019-11098)
  SecurityPkg/Tcg2Pei: Use Migrated FV Info Hob for calculating hash
    (CVE-2019-11098)
  UefiCpuPkg/CpuMpPei: Enable paging and set NP flag to avoid TOCTOU
    (CVE-2019-11098)
  UefiCpuPkg: Correct some typos.
  SecurityPkg/TcgPei: Use Migrated FV Info Hob for calculating hash
    (CVE-2019-11098)

Michael Kubacki (3):
  MdeModulePkg/PeiCore: Enable T-RAM evacuation in PeiCore
    (CVE-2019-11098)
  UefiCpuPkg/CpuMpPei: Add GDT and IDT migration support
    (CVE-2019-11098)
  UefiCpuPkg/SecMigrationPei: Add initial PEIM (CVE-2019-11098)

 MdeModulePkg/MdeModulePkg.dec                 |  10 +
 UefiCpuPkg/UefiCpuPkg.dec                     |   4 +
 UefiCpuPkg/UefiCpuPkg.dsc                     |   1 +
 MdeModulePkg/Core/Pei/PeiMain.inf             |   3 +
 SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf           |   1 +
 SecurityPkg/Tcg/TcgPei/TcgPei.inf             |   1 +
 UefiCpuPkg/CpuMpPei/CpuMpPei.inf              |   4 +
 UefiCpuPkg/SecCore/SecCore.inf                |   2 +
 .../SecMigrationPei/SecMigrationPei.inf       |  67 +++
 MdeModulePkg/Core/Pei/PeiMain.h               | 169 +++++++
 MdeModulePkg/Include/Guid/MigratedFvInfo.h    |  22 +
 UefiCpuPkg/CpuMpPei/CpuMpPei.h                |  14 +-
 UefiCpuPkg/Include/Ppi/RepublishSecPpi.h      |  54 +++
 .../CpuExceptionCommon.h                      |   4 +-
 UefiCpuPkg/SecCore/SecMain.h                  |   1 +
 UefiCpuPkg/SecMigrationPei/SecMigrationPei.h  | 154 +++++++
 MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c | 430 ++++++++++++++++++
 MdeModulePkg/Core/Pei/Image/Image.c           | 115 +++++
 MdeModulePkg/Core/Pei/Memory/MemoryServices.c |  82 ++++
 MdeModulePkg/Core/Pei/PeiMain/PeiMain.c       |  24 +
 MdeModulePkg/Core/Pei/Ppi/Ppi.c               | 287 ++++++++++++
 SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c             |  31 +-
 SecurityPkg/Tcg/TcgPei/TcgPei.c               |  29 +-
 UefiCpuPkg/CpuMpPei/CpuMpPei.c                |  37 ++
 UefiCpuPkg/CpuMpPei/CpuPaging.c               |  42 +-
 .../Ia32/ArchExceptionHandler.c               |   4 +-
 .../SecPeiCpuException.c                      |   2 +-
 .../X64/ArchExceptionHandler.c                |   4 +-
 UefiCpuPkg/SecCore/SecMain.c                  |  26 +-
 UefiCpuPkg/SecMigrationPei/SecMigrationPei.c  | 381 ++++++++++++++++
 MdeModulePkg/MdeModulePkg.uni                 |   6 +
 .../SecMigrationPei/SecMigrationPei.uni       |  13 +
 32 files changed, 2003 insertions(+), 21 deletions(-)
 create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf
 create mode 100644 MdeModulePkg/Include/Guid/MigratedFvInfo.h
 create mode 100644 UefiCpuPkg/Include/Ppi/RepublishSecPpi.h
 create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.h
 create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.c
 create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.uni

-- 
2.25.1.windows.1


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#62265): https://edk2.groups.io/g/devel/message/62265
Mute This Topic: https://groups.io/mt/75390172/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH v5 0/9] Add new feature that evacuate temporary to permanent memory (CVE-2019-11098)
Posted by Laszlo Ersek 3 years, 8 months ago
Guomin,

On 07/09/20 03:56, Guomin Jiang wrote:
> The TOCTOU vulnerability allow that the physical present person to replace the code with the normal BootGuard check and PCR0 value.
> The issue occur when BootGuard measure IBB and access flash code after NEM disable.
> the reason why we access the flash code is that we have some pointer to flash.
> To avoid this vulnerability, we need to convert those pointers, the patch series do this work and make sure that no code will access flash address.
> 
> v2:
> Create gEdkiiMigratedFvInfoGuid HOB and add PcdMigrateTemporaryRamFirmwareVolumes to control whole feature.
> 
> v3:
> Remove changes which is not related with the feature and disable the feature in virtual platform.
> 
> v4:
> Disable the feature as default, Copy the Tcg2Pei behavior to TcgPei
> 
> v5:
> Initialize local variable Shadow and return EFI_ABORTED when RepublishSecPpi not installed.

When you post a new version of a patch set to the list, and there is an
associated BZ ticket, please *always* (not just for this BZ) capture the
fact of posting the next version in a new BZ comment. Please record the
version of the patch series being posted, and also include a link to the
series blurb (patch 0), in the mailing list archive.

I did that for you, covering the first four versions (v1 throuogh v4) of
the series in comment 16 on TianoCore#1614:

  https://bugzilla.tianocore.org/show_bug.cgi?id=1614#c16

Please do the same (in a new BZ comment) for the current version (v5),
and please repeat the same for any further versions.

Again this applies to all BZs and all posted patches.

Thanks
Laszlo


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#62330): https://edk2.groups.io/g/devel/message/62330
Mute This Topic: https://groups.io/mt/75390172/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH v5 0/9] Add new feature that evacuate temporary to permanent memory (CVE-2019-11098)
Posted by Guomin Jiang 3 years, 8 months ago
I see it and will do it later.

I remind that everyone should pay attention to it as well.

Thanks.
> -----Original Message-----
> From: Laszlo Ersek <lersek@redhat.com>
> Sent: Friday, July 10, 2020 1:47 PM
> To: devel@edk2.groups.io; Jiang, Guomin <guomin.jiang@intel.com>
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Wu, Hao A
> <hao.a.wu@intel.com>; Bi, Dandan <dandan.bi@intel.com>; Gao, Liming
> <liming.gao@intel.com>; De, Debkumar <debkumar.de@intel.com>; Han,
> Harry <harry.han@intel.com>; West, Catharine <catharine.west@intel.com>;
> Dong, Eric <eric.dong@intel.com>; Ni, Ray <ray.ni@intel.com>; Justen,
> Jordan L <jordan.l.justen@intel.com>; Andrew Fish <afish@apple.com>; Ard
> Biesheuvel <ard.biesheuvel@arm.com>; Anthony Perard
> <anthony.perard@citrix.com>; Julien Grall <julien@xen.org>; Leif Lindholm
> <leif@nuviainc.com>; Kumar, Rahul1 <rahul1.kumar@intel.com>; Yao,
> Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>;
> Zhang, Qi1 <qi1.zhang@intel.com>
> Subject: Re: [edk2-devel] [PATCH v5 0/9] Add new feature that evacuate
> temporary to permanent memory (CVE-2019-11098)
> 
> Guomin,
> 
> On 07/09/20 03:56, Guomin Jiang wrote:
> > The TOCTOU vulnerability allow that the physical present person to replace
> the code with the normal BootGuard check and PCR0 value.
> > The issue occur when BootGuard measure IBB and access flash code after
> NEM disable.
> > the reason why we access the flash code is that we have some pointer to
> flash.
> > To avoid this vulnerability, we need to convert those pointers, the patch
> series do this work and make sure that no code will access flash address.
> >
> > v2:
> > Create gEdkiiMigratedFvInfoGuid HOB and add
> PcdMigrateTemporaryRamFirmwareVolumes to control whole feature.
> >
> > v3:
> > Remove changes which is not related with the feature and disable the
> feature in virtual platform.
> >
> > v4:
> > Disable the feature as default, Copy the Tcg2Pei behavior to TcgPei
> >
> > v5:
> > Initialize local variable Shadow and return EFI_ABORTED when
> RepublishSecPpi not installed.
> 
> When you post a new version of a patch set to the list, and there is an
> associated BZ ticket, please *always* (not just for this BZ) capture the fact of
> posting the next version in a new BZ comment. Please record the version of
> the patch series being posted, and also include a link to the series blurb
> (patch 0), in the mailing list archive.
> 
> I did that for you, covering the first four versions (v1 throuogh v4) of the
> series in comment 16 on TianoCore#1614:
> 
>   https://bugzilla.tianocore.org/show_bug.cgi?id=1614#c16
> 
> Please do the same (in a new BZ comment) for the current version (v5), and
> please repeat the same for any further versions.
> 
> Again this applies to all BZs and all posted patches.
> 
> Thanks
> Laszlo


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#62334): https://edk2.groups.io/g/devel/message/62334
Mute This Topic: https://groups.io/mt/75390172/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-