From: "Sheng Wei"
To: devel@edk2.groups.io
Cc: Eric Dong, Ray Ni, Laszlo Ersek, Rahul Kumar, Jiewen Yao, Roger Feng
Subject: [edk2-devel] [PATCH v6 3/3] UefiCpuPkg/PiSmmCpuDxeSmm: Fix SMM stack offset is not correct
Date: Fri, 26 Feb 2021 16:03:16 +0800
Message-Id: <20210226080316.13724-4-w.sheng@intel.com>
In-Reply-To: <20210226080316.13724-1-w.sheng@intel.com>
References: <20210226080316.13724-1-w.sheng@intel.com>

In function InitGdt(), SmiPFHandler() and Gen4GPageTable(), it uses
CpuIndex * mSmmStackSize to get the SMM stack address offset for
multi processor. It misses the SMM Shadow Stack Size. Each processor
will use mSmmStackSize + mSmmShadowStackSize in the memory.
It should use CpuIndex * (mSmmStackSize + mSmmShadowStackSize) to get
this SMM stack address offset. If mSmmShadowStackSize > 0 and multi
processor enabled, it will get the wrong offset value.
CET shadow stack feature will set the value of mSmmShadowStackSize.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3237

Signed-off-by: Sheng Wei Cc: Eric Dong Cc: Ray Ni Cc: Laszlo Ersek Cc: Rahul Kumar Cc: Jiewen Yao Cc: Roger Feng Reviewed-by: Jiewen Yao Reviewed-by: Ray Ni --- UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c | 6 ++++-- UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c | 4 +++- UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c | 2 +- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c b/UefiCpuPkg/PiSmmCpuDxe= Smm/MpService.c index 4bcd217917..6227b2428a 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c @@ -23,6 +23,8 @@ SPIN_LOCK *mPFLock =3D = NULL; SMM_CPU_SYNC_MODE mCpuSmmSyncMode; BOOLEAN mMachineCheckSupported =3D FAL= SE; =20 +extern UINTN mSmmShadowStackSize; + /** Performs an atomic compare exchange operation to get semaphore. The compare exchange operation must be performed using @@ -920,7 +922,7 @@ Gen4GPageTable ( // Add two more pages for known good stack and stack guard page, // then find the lower 2MB aligned address. // - High2MBoundary =3D (mSmmStackArrayEnd - mSmmStackSize + EFI_PAGE_SIZE = * 2) & ~(SIZE_2MB-1); + High2MBoundary =3D (mSmmStackArrayEnd - mSmmStackSize - mSmmShadowStac= kSize + EFI_PAGE_SIZE * 2) & ~(SIZE_2MB-1); PagesNeeded =3D ((High2MBoundary - Low2MBoundary) / SIZE_2MB) + 1; } // @@ -971,7 +973,7 @@ Gen4GPageTable ( // Mark the guard page as non-present // Pte[Index] =3D PageAddress | mAddressEncMask; - GuardPage +=3D mSmmStackSize; + GuardPage +=3D (mSmmStackSize + mSmmShadowStackSize); if (GuardPage > mSmmStackArrayEnd) { GuardPage =3D 0; } diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c b/UefiCpuPkg/PiSmmCpuD= xeSmm/X64/PageTbl.c index cdc1fcefc5..07e7ea70de 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c 
@@ -13,6 +13,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #define PAGE_TABLE_PAGES 8 #define ACC_MAX_BIT BIT3 =20 +extern UINTN mSmmShadowStackSize; + LIST_ENTRY mPagePool =3D INITIALIZE_LIST_HEAD_VAR= IABLE (mPagePool); BOOLEAN m1GPageTableSupport =3D FALSE; BOOLEAN mCpuSmmRestrictedMemoryAccess; @@ -1037,7 +1039,7 @@ SmiPFHandler ( (PFAddress < (mCpuHotPlugData.SmrrBase + mCpuHotPlugData.SmrrSize)))= { DumpCpuContext (InterruptType, SystemContext); CpuIndex =3D GetCpuIndex (); - GuardPageAddress =3D (mSmmStackArrayBase + EFI_PAGE_SIZE + CpuIndex * = mSmmStackSize); + GuardPageAddress =3D (mSmmStackArrayBase + EFI_PAGE_SIZE + CpuIndex * = (mSmmStackSize + mSmmShadowStackSize)); if ((FeaturePcdGet (PcdCpuSmmStackGuard)) && (PFAddress >=3D GuardPageAddress) && (PFAddress < (GuardPageAddress + EFI_PAGE_SIZE))) { diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c b/UefiCpuPkg/PiSm= mCpuDxeSmm/X64/SmmFuncsArch.c index 7ef3b1d488..661c1ba294 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c @@ -93,7 +93,7 @@ InitGdt ( // // Setup top of known good stack as IST1 for each processor. // - *(UINTN *)(TssBase + TSS_X64_IST1_OFFSET) =3D (mSmmStackArrayBase + = EFI_PAGE_SIZE + Index * mSmmStackSize); + *(UINTN *)(TssBase + TSS_X64_IST1_OFFSET) =3D (mSmmStackArrayBase + = EFI_PAGE_SIZE + Index * (mSmmStackSize + mSmmShadowStackSize)); } } =20 --=20 2.16.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#72229): https://edk2.groups.io/g/devel/message/72229 Mute This Topic: https://groups.io/mt/80922789/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
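
Review bot: the `extern UINTN mSmmShadowStackSize;` declarations added at the top of MpService.c and X64/PageTbl.c should live in one shared header of the module instead of being repeated in each .c file. A file-local extern is not checked against the type of the definition, and the X64/SmmFuncsArch.c hunk uses the same symbol without adding a declaration, so that file must already see one from elsewhere. Suggest declaring the variable once, next to wherever mSmmStackSize is declared, and dropping both local externs.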
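
Review bot: in Gen4GPageTable(), the comment above the High2MBoundary assignment still reads "Add two more pages for known good stack and stack guard page" and does not explain why mSmmShadowStackSize is now subtracted as well. Since each processor's slot is mSmmStackSize + mSmmShadowStackSize according to the commit message, please update the comment to say that the calculation steps back one whole per-processor slot from mSmmStackArrayEnd before adding the two pages and aligning down to 2MB.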
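
Review bot: the per-processor stride `(mSmmStackSize + mSmmShadowStackSize)` is now open-coded in the GuardPage advance in Gen4GPageTable(), in the GuardPageAddress computation in SmiPFHandler() and in the IST1 setup in InitGdt(), which is the same duplication that allowed all three sites to miss the shadow stack size originally. Suggest computing the stride once (a shared variable or a small helper) and using it at every site, with a comment describing the per-CPU layout these formulas assume, namely that the known good stack page and the guard page sit at the start of each slot. It would also help to state in the commit message which configuration was tested, since the old and new expressions only differ when mSmmShadowStackSize > 0 and more than one processor is present.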