Reviewed-by: Eric Dong <eric.d...@intel.com>
> -----Original Message----- > From: Ni, Ruiyu > Sent: Tuesday, November 13, 2018 3:43 PM > To: edk2-devel@lists.01.org; 'Andrew Fish (af...@apple.com)' > <af...@apple.com>; Leif Lindholm <leif.lindh...@linaro.org>; Kinney, > Michael D <michael.d.kin...@intel.com>; Laszlo Ersek <ler...@redhat.com> > Cc: Dong, Eric <eric.d...@intel.com> > Subject: RE: [edk2] [PATCH] UefiCpuPkg/CommonFeature: Always set > FEATURE_CONTROL.Lock > > All Tianocore stewards, > I'd like to include the below patch (a revert patch) in this stable tag > release. > > It's to fix a potential security hole when platform mis-configures the > PcdCpuFeaturesUserConfiguration. > > Thanks/Ray > > > -----Original Message----- > > From: edk2-devel <edk2-devel-boun...@lists.01.org> On Behalf Of Ruiyu > > Ni > > Sent: Tuesday, November 13, 2018 3:35 PM > > To: edk2-devel@lists.01.org > > Cc: Kinney, Michael D <michael.d.kin...@intel.com>; Laszlo Ersek > > <ler...@redhat.com>; Dong, Eric <eric.d...@intel.com> > > Subject: [edk2] [PATCH] UefiCpuPkg/CommonFeature: Always set > > FEATURE_CONTROL.Lock > > > > The patch reverts commit 1ed6498c4a0210204bf4b95cc0c0cd6623ad6a0b > > * UefiCpuPkg/CommonFeature: Skip locking when the feature is disabled > > > > FEATURE_CONTROL.Lock bit is controlled by feature > > CPU_FEATURE_LOCK_FEATURE_CONTROL_REGISTER. The commit 1ed649 > fixes a > > bug that when the feature is disabled, the Lock bit is cleared. > > But it's a security hole if the bit is cleared when booting OS. > > We can argue that platform needs to make sure the value of > > PcdCpuFeaturesUserConfiguration should be set properly to make sure > > feature CPU_FEATURE_LOCK_FEATURE_CONTROL_REGISTER is enabled. > > > > But it's better to guarantee this in the generic core code. > > > > Contributed-under: TianoCore Contribution Agreement 1.1 > > Signed-off-by: Ruiyu Ni <ruiyu...@intel.com> > > Cc: Eric Dong <eric.d...@intel.com> > > Cc: Laszlo Ersek <ler...@redhat.com> > > Cc: Andrew Fish <af...@apple.com> > > Cc: Leif Lindholm <leif.lindh...@linaro.org> > > Cc: Michael D Kinney <michael.d.kin...@intel.com> > > --- > > UefiCpuPkg/Library/CpuCommonFeaturesLib/FeatureControl.c | 11 > > +-------- > > -- > > 1 file changed, 1 insertion(+), 10 deletions(-) > > > > diff --git a/UefiCpuPkg/Library/CpuCommonFeaturesLib/FeatureControl.c > > b/UefiCpuPkg/Library/CpuCommonFeaturesLib/FeatureControl.c > > index 631c836857..8c1eb5eb4f 100644 > > --- a/UefiCpuPkg/Library/CpuCommonFeaturesLib/FeatureControl.c > > +++ b/UefiCpuPkg/Library/CpuCommonFeaturesLib/FeatureControl.c > > @@ -1,7 +1,7 @@ > > /** @file > > Features in MSR_IA32_FEATURE_CONTROL register. > > > > - Copyright (c) 2017 - 2018, Intel Corporation. All rights > > reserved.<BR> > > + Copyright (c) 2017, Intel Corporation. All rights reserved.<BR> > > This program and the accompanying materials > > are licensed and made available under the terms and conditions of > > the BSD License > > which accompanies this distribution. The full text of the license > > may be found at @@ -184,15 +184,6 @@ > > LockFeatureControlRegisterInitialize ( { > > MSR_IA32_FEATURE_CONTROL_REGISTER *MsrRegister; > > > > - // > > - // When Lock Feature Control Register feature is disabled, > > - // just skip the MSR lock bit setting. > > - // The MSR lock bit is cleared by default and write-once in a boot. > > - // > > - if (!State) { > > - return RETURN_SUCCESS; > > - } > > - > > // > > // The scope of Lock bit in the MSR_IA32_FEATURE_CONTROL is core for > > // below processor type, only program MSR_IA32_FEATURE_CONTROL > for > > thread 0 in each > > -- > > 2.16.1.windows.1 > > > > _______________________________________________ > > edk2-devel mailing list > > edk2-devel@lists.01.org > > https://lists.01.org/mailman/listinfo/edk2-devel _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel