The TOCTOU vulnerability allow that the physical present person to replace the code with the normal BootGuard check and PCR0 value.
The issue occur when BootGuard measure IBB and access flash code after NEM disable.
The reason why we access the flash code is that we have some pointer to flash.
To avoid this vulnerability, we need to convert those pointers, the patch series do this work and make sure that no code will access flash address.

v2:
Create gEdkiiMigratedFvInfoGuid HOB and add PcdMigrateTemporaryRamFirmwareVolumes to control whole feature.

v3:
Remove changes which is not related with the feature and disable the feature in virtual platform.

v4:
Disable the feature as default, Copy the Tcg2Pei behavior to TcgPei

v5:
Initialize local variable Shadow and return EFI_ABORTED when RepublishSecPpi not installed.

v6:
Avoid redundant shadow PEIM when enable Migrated PCD.

v7:
Change patch 10/10 to enhance the logic.

v8:
Drop the patch#10 added in v6 and v7, the optimization will be considered future.

Guomin Jiang (6):
  MdeModulePkg: Add new PCD to control the evacuate temporary memory
    feature (CVE-2019-11098)
  MdeModulePkg/Core: Create Migrated FV Info Hob for calculating hash
    (CVE-2019-11098)
  SecurityPkg/Tcg2Pei: Use Migrated FV Info Hob for calculating hash
    (CVE-2019-11098)
  UefiCpuPkg/CpuMpPei: Enable paging and set NP flag to avoid TOCTOU
    (CVE-2019-11098)
  UefiCpuPkg: Correct some typos.
  SecurityPkg/TcgPei: Use Migrated FV Info Hob for calculating hash
    (CVE-2019-11098)

Michael Kubacki (3):
  MdeModulePkg/PeiCore: Enable T-RAM evacuation in PeiCore
    (CVE-2019-11098)
  UefiCpuPkg/CpuMpPei: Add GDT migration support (CVE-2019-11098)
  UefiCpuPkg/SecMigrationPei: Add initial PEIM (CVE-2019-11098)

 MdeModulePkg/MdeModulePkg.dec                 |  12 +
 UefiCpuPkg/UefiCpuPkg.dec                     |   3 +
 UefiCpuPkg/UefiCpuPkg.dsc                     |   1 +
 MdeModulePkg/Core/Pei/PeiMain.inf             |   3 +
 SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf           |   1 +
 SecurityPkg/Tcg/TcgPei/TcgPei.inf             |   1 +
 UefiCpuPkg/CpuMpPei/CpuMpPei.inf              |   4 +
 UefiCpuPkg/SecCore/SecCore.inf                |   2 +
 .../SecMigrationPei/SecMigrationPei.inf       |  68 +++
 MdeModulePkg/Core/Pei/PeiMain.h               | 170 +++++++
 MdeModulePkg/Include/Guid/MigratedFvInfo.h    |  22 +
 UefiCpuPkg/CpuMpPei/CpuMpPei.h                |  14 +-
 UefiCpuPkg/Include/Ppi/RepublishSecPpi.h      |  54 +++
 .../CpuExceptionCommon.h                      |   4 +-
 UefiCpuPkg/SecCore/SecMain.h                  |   1 +
 UefiCpuPkg/SecMigrationPei/SecMigrationPei.h  | 158 +++++++
 MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c | 445 +++++++++++++++++-
 MdeModulePkg/Core/Pei/Image/Image.c           | 130 ++++-
 MdeModulePkg/Core/Pei/Memory/MemoryServices.c |  82 ++++
 MdeModulePkg/Core/Pei/PeiMain/PeiMain.c       |  22 +-
 MdeModulePkg/Core/Pei/Ppi/Ppi.c               | 286 +++++++++++
 SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c             |  31 +-
 SecurityPkg/Tcg/TcgPei/TcgPei.c               |  29 +-
 UefiCpuPkg/CpuMpPei/CpuMpPei.c                |  37 ++
 UefiCpuPkg/CpuMpPei/CpuPaging.c               |  42 +-
 .../Ia32/ArchExceptionHandler.c               |   4 +-
 .../SecPeiCpuException.c                      |   2 +-
 .../X64/ArchExceptionHandler.c                |   4 +-
 UefiCpuPkg/SecCore/SecMain.c                  |  26 +-
 UefiCpuPkg/SecMigrationPei/SecMigrationPei.c  | 385 +++++++++++++++
 MdeModulePkg/MdeModulePkg.uni                 |   6 +
 .../SecMigrationPei/SecMigrationPei.uni       |  13 +
 32 files changed, 2032 insertions(+), 30 deletions(-)
 create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf
 create mode 100644 MdeModulePkg/Include/Guid/MigratedFvInfo.h
 create mode 100644 UefiCpuPkg/Include/Ppi/RepublishSecPpi.h
 create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.h
 create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.c
 create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.uni

-- 
2.25.1.windows.1


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#63232): https://edk2.groups.io/g/devel/message/63232
Mute This Topic: https://groups.io/mt/75763374/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

Reviewed-by: Liming Gao <liming.gao@intel.com> for this patch set. 

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Guomin Jiang
Sent: 2020年7月24日 17:55
To: devel@edk2.groups.io
Subject: [edk2-devel] [PATCH v8 0/9] Add new feature that evacuate temporary to permanent memory (CVE-2019-11098)

The TOCTOU vulnerability allow that the physical present person to replace the code with the normal BootGuard check and PCR0 value.
The issue occur when BootGuard measure IBB and access flash code after NEM disable.
The reason why we access the flash code is that we have some pointer to flash.
To avoid this vulnerability, we need to convert those pointers, the patch series do this work and make sure that no code will access flash address.

v2:
Create gEdkiiMigratedFvInfoGuid HOB and add PcdMigrateTemporaryRamFirmwareVolumes to control whole feature.

v3:
Remove changes which is not related with the feature and disable the feature in virtual platform.

v4:
Disable the feature as default, Copy the Tcg2Pei behavior to TcgPei

v5:
Initialize local variable Shadow and return EFI_ABORTED when RepublishSecPpi not installed.

v6:
Avoid redundant shadow PEIM when enable Migrated PCD.

v7:
Change patch 10/10 to enhance the logic.

v8:
Drop the patch#10 added in v6 and v7, the optimization will be considered future.

Guomin Jiang (6):
  MdeModulePkg: Add new PCD to control the evacuate temporary memory
    feature (CVE-2019-11098)
  MdeModulePkg/Core: Create Migrated FV Info Hob for calculating hash
    (CVE-2019-11098)
  SecurityPkg/Tcg2Pei: Use Migrated FV Info Hob for calculating hash
    (CVE-2019-11098)
  UefiCpuPkg/CpuMpPei: Enable paging and set NP flag to avoid TOCTOU
    (CVE-2019-11098)
  UefiCpuPkg: Correct some typos.
  SecurityPkg/TcgPei: Use Migrated FV Info Hob for calculating hash
    (CVE-2019-11098)

Michael Kubacki (3):
  MdeModulePkg/PeiCore: Enable T-RAM evacuation in PeiCore
    (CVE-2019-11098)
  UefiCpuPkg/CpuMpPei: Add GDT migration support (CVE-2019-11098)
  UefiCpuPkg/SecMigrationPei: Add initial PEIM (CVE-2019-11098)

 MdeModulePkg/MdeModulePkg.dec                 |  12 +
 UefiCpuPkg/UefiCpuPkg.dec                     |   3 +
 UefiCpuPkg/UefiCpuPkg.dsc                     |   1 +
 MdeModulePkg/Core/Pei/PeiMain.inf             |   3 +
 SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf           |   1 +
 SecurityPkg/Tcg/TcgPei/TcgPei.inf             |   1 +
 UefiCpuPkg/CpuMpPei/CpuMpPei.inf              |   4 +
 UefiCpuPkg/SecCore/SecCore.inf                |   2 +
 .../SecMigrationPei/SecMigrationPei.inf       |  68 +++
 MdeModulePkg/Core/Pei/PeiMain.h               | 170 +++++++
 MdeModulePkg/Include/Guid/MigratedFvInfo.h    |  22 +
 UefiCpuPkg/CpuMpPei/CpuMpPei.h                |  14 +-
 UefiCpuPkg/Include/Ppi/RepublishSecPpi.h      |  54 +++
 .../CpuExceptionCommon.h                      |   4 +-
 UefiCpuPkg/SecCore/SecMain.h                  |   1 +
 UefiCpuPkg/SecMigrationPei/SecMigrationPei.h  | 158 +++++++  MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c | 445 +++++++++++++++++-
 MdeModulePkg/Core/Pei/Image/Image.c           | 130 ++++-
 MdeModulePkg/Core/Pei/Memory/MemoryServices.c |  82 ++++
 MdeModulePkg/Core/Pei/PeiMain/PeiMain.c       |  22 +-
 MdeModulePkg/Core/Pei/Ppi/Ppi.c               | 286 +++++++++++
 SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c             |  31 +-
 SecurityPkg/Tcg/TcgPei/TcgPei.c               |  29 +-
 UefiCpuPkg/CpuMpPei/CpuMpPei.c                |  37 ++
 UefiCpuPkg/CpuMpPei/CpuPaging.c               |  42 +-
 .../Ia32/ArchExceptionHandler.c               |   4 +-
 .../SecPeiCpuException.c                      |   2 +-
 .../X64/ArchExceptionHandler.c                |   4 +-
 UefiCpuPkg/SecCore/SecMain.c                  |  26 +-
 UefiCpuPkg/SecMigrationPei/SecMigrationPei.c  | 385 +++++++++++++++
 MdeModulePkg/MdeModulePkg.uni                 |   6 +
 .../SecMigrationPei/SecMigrationPei.uni       |  13 +
 32 files changed, 2032 insertions(+), 30 deletions(-)  create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf
 create mode 100644 MdeModulePkg/Include/Guid/MigratedFvInfo.h
 create mode 100644 UefiCpuPkg/Include/Ppi/RepublishSecPpi.h
 create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.h
 create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.c
 create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.uni

--
2.25.1.windows.1





-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#63283): https://edk2.groups.io/g/devel/message/63283
Mute This Topic: https://groups.io/mt/75763374/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-