From: "duntan"
To: devel@edk2.groups.io
Cc: Eric Dong, Ray Ni, Rahul Kumar, Gerd Hoffmann
Subject: [edk2-devel] [Patch V5 07/14] UefiCpuPkg/PiSmmCpuDxeSmm: Clear CR0.WP before modify page table
Date: Thu, 8 Jun 2023 10:27:35 +0800
Message-Id: <20230608022742.1292-8-dun.tan@intel.com>
In-Reply-To: <20230608022742.1292-1-dun.tan@intel.com>
References: <20230608022742.1292-1-dun.tan@intel.com>
Reply-To: devel@edk2.groups.io, dun.tan@intel.com

Clear CR0.WP before modifying the SMM page table.

Currently, there is an assumption that the SMM page table is always RW before ReadyToLock. However, when AMD SEV is enabled, the FvbServicesSmm driver calls MemEncryptSevClearMmioPageEncMask to clear the AddressEncMask bit in the SMM page table for this range:
[PcdOvmfFdBaseAddress, PcdOvmfFdBaseAddress + PcdOvmfFirmwareFdSize]

If a page split happens in this process, new memory for the SMM page table is allocated. Then the newly allocated page table memory is marked as RO in the SMM page table by this FvbServicesSmm driver, which may lead to a PF if SMM code doesn't clear CR0.WP before modifying the SMM page table at ReadyToLock.
Signed-off-by: Dun Tan Cc: Eric Dong Reviewed-by: Ray Ni Cc: Rahul Kumar Cc: Gerd Hoffmann --- UefiCpuPkg/PiSmmCpuDxeSmm/SmmCpuMemoryManagement.c | 11 +++++++++++ UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c | 5 +++++ 2 files changed, 16 insertions(+) diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/SmmCpuMemoryManagement.c b/UefiCpuPk= g/PiSmmCpuDxeSmm/SmmCpuMemoryManagement.c index d35058ed00..4ee99d06d7 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/SmmCpuMemoryManagement.c +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/SmmCpuMemoryManagement.c @@ -1033,6 +1033,8 @@ SetMemMapAttributes ( IA32_MAP_ENTRY *Map; UINTN Count; UINT64 MemoryAttribute; + BOOLEAN WpEnabled; + BOOLEAN CetEnabled; =20 SmmGetSystemConfigurationTable (&gEdkiiPiSmmMemoryAttributesTableGuid, (= VOID **)&MemoryAttributesTable); if (MemoryAttributesTable =3D=3D NULL) { @@ -1075,6 +1077,8 @@ SetMemMapAttributes ( =20 ASSERT_RETURN_ERROR (Status); =20 + DisableReadOnlyPageWriteProtect (&WpEnabled, &CetEnabled); + MemoryMap =3D MemoryMapStart; for (Index =3D 0; Index < MemoryMapEntryCount; Index++) { DEBUG ((DEBUG_VERBOSE, "SetAttribute: Memory Entry - 0x%lx, 0x%x\n", M= emoryMap->PhysicalStart, MemoryMap->NumberOfPages)); @@ -1103,6 +1107,7 @@ SetMemMapAttributes ( MemoryMap =3D NEXT_MEMORY_DESCRIPTOR (MemoryMap, DescriptorSize); } =20 + EnableReadOnlyPageWriteProtect (WpEnabled, CetEnabled); FreePool (Map); =20 PatchSmmSaveStateMap (); @@ -1409,9 +1414,13 @@ SetUefiMemMapAttributes ( UINTN MemoryMapEntryCount; UINTN Index; EFI_MEMORY_DESCRIPTOR *Entry; + BOOLEAN WpEnabled; + BOOLEAN CetEnabled; =20 DEBUG ((DEBUG_INFO, "SetUefiMemMapAttributes\n")); =20 + DisableReadOnlyPageWriteProtect (&WpEnabled, &CetEnabled); + if (mUefiMemoryMap !=3D NULL) { MemoryMapEntryCount =3D mUefiMemoryMapSize/mUefiDescriptorSize; MemoryMap =3D mUefiMemoryMap; 
@@ -1490,6 +1499,8 @@ SetUefiMemMapAttributes ( } } =20 + EnableReadOnlyPageWriteProtect (WpEnabled, CetEnabled); + // // Do not free mUefiMemoryAttributesTable, it will be checked in IsSmmCo= mmBufferForbiddenAddress(). // diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c b/UefiCpuPkg/PiSmmCpuDx= eSmm/SmmProfile.c index 1b0b6673e1..5625ba0cac 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c @@ -574,6 +574,8 @@ InitPaging ( BOOLEAN Nx; IA32_CR4 Cr4; BOOLEAN Enable5LevelPaging; + BOOLEAN WpEnabled; + BOOLEAN CetEnabled; =20 Cr4.UintN =3D AsmReadCr4 (); Enable5LevelPaging =3D (BOOLEAN)(Cr4.Bits.LA57 =3D=3D 1); @@ -620,6 +622,7 @@ InitPaging ( NumberOfPdptEntries =3D 4; } =20 + DisableReadOnlyPageWriteProtect (&WpEnabled, &CetEnabled); // // Go through page table and change 2MB-page into 4KB-page. // @@ -800,6 +803,8 @@ InitPaging ( } // end for PML4 } // end for PML5 =20 + EnableReadOnlyPageWriteProtect (WpEnabled, CetEnabled); + // // Flush TLB // --=20 2.31.1.windows.1
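Review bot: In the SetMemMapAttributes hunks (@@ -1075 and @@ -1103 in SmmCpuMemoryManagement.c), the writable window opened by DisableReadOnlyPageWriteProtect (&WpEnabled, &CetEnabled); right after ASSERT_RETURN_ERROR (Status); and closed by EnableReadOnlyPageWriteProtect (WpEnabled, CetEnabled); just above FreePool (Map); spans the entire per-descriptor loop. Please confirm that no path inside that loop returns or breaks out early without reaching the Enable call, since such a path would leave CR0.WP cleared (and the page tables writable) for the rest of SMM execution; if one exists, route it through the Enable call before returning.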
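Review bot: In the SetUefiMemMapAttributes hunks (@@ -1409 and @@ -1490), DisableReadOnlyPageWriteProtect (&WpEnabled, &CetEnabled); is placed before the `if (mUefiMemoryMap !=3D NULL) {` check, so write protection is dropped even when there is no UEFI memory map to walk and no page-table entry will be modified. Consider moving the Disable/Enable pair inside that conditional so the window in which the SMM page tables are writable is only opened when an entry is actually changed.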
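Review bot: Style: in the InitPaging hunk @@ -620,6 +622,7 @@ in SmmProfile.c, the added DisableReadOnlyPageWriteProtect (&WpEnabled, &CetEnabled); sits directly against the following `// Go through page table and change 2MB-page into 4KB-page.` comment block with no separating blank line, whereas the matching Enable hunks in this patch (@@ -800 and @@ -1490) do add one. Add the blank line here for consistency with the rest of the series.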
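Review bot: Missing documentation: the @@ -574 hunk introduces a CetEnabled local alongside WpEnabled, but the commit message only talks about CR0.WP and never mentions CET, and DisableReadOnlyPageWriteProtect/EnableReadOnlyPageWriteProtect are not defined in this diff. Since CR0.WP cannot be cleared while CR4.CET is set, the helper presumably has to disable CET as well and restore both bits to their saved values afterwards; please state that in the commit message, and say which earlier patch in this 14-patch series introduces the two helpers so the dependency is explicit.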