Reviewed-by: Eric Dong <[email protected]>

> -----Original Message-----
> From: Wu, Hao A
> Sent: Friday, November 16, 2018 9:37 AM
> To: [email protected]
> Cc: Wu, Hao A <[email protected]>; Yao, Jiewen <[email protected]>;
> Laszlo Ersek <[email protected]>; Kinney, Michael D
> <[email protected]>; Dong, Eric <[email protected]>
> Subject: [PATCH v1 1/1] UefiCpuPkg: [CVE-2017-5715] Stuff RSB before RSM
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1093
>
> Return Stack Buffer (RSB) is used to predict the target of RET
> instructions. When the RSB underflows, some processors may fall back to
> using branch predictors. This might impact software using the retpoline
> mitigation strategy on those processors.
>
> This commit will add RSB stuffing logic before returning from SMM (the RSM
> instruction) to avoid interfering with non-SMM usage of the retpoline
> technique.
>
> After the stuffing, RSB entries will contain a trap like:
>
> SpecTrap:
>   pause
>   lfence
>   jmp SpecTrap
>
> A more detailed explanation of the purpose of commit is under the
> 'Branch target injection mitigation' section of the below link:
> https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation
>
> This commit introduces a .INC file that contains the RSB logic and it can
> be included by .ASM files. This file is placed at directory
> 'UefiCpuPkg/Include/'.
>
> Cc: Jiewen Yao <[email protected]>
> Cc: Laszlo Ersek <[email protected]>
> Cc: Michael D Kinney <[email protected]>
> Cc: Eric Dong <[email protected]>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Hao Wu <[email protected]> > --- > UefiCpuPkg/Include/StuffRsbAsm.inc | 60 ++++++++++++++++++++ > UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.asm | 5 +- > UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.asm | 5 +- > UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.asm | 5 +- > UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.asm | 5 +- > 5 files changed, 76 insertions(+), 4 deletions(-) > > diff --git a/UefiCpuPkg/Include/StuffRsbAsm.inc > b/UefiCpuPkg/Include/StuffRsbAsm.inc > new file mode 100644 > index 0000000000..daaaaf36ad > --- /dev/null > +++ b/UefiCpuPkg/Include/StuffRsbAsm.inc 
> @@ -0,0 +1,60 @@ > +;------------------------------------------------------------------------------ > ; > +; Copyright (c) 2018, Intel Corporation. All rights reserved.<BR> > +; This program and the accompanying materials > +; are licensed and made available under the terms and conditions of the BSD > License > +; which accompanies this distribution. The full text of the license may be > found at > +; http://opensource.org/licenses/bsd-license.php. > +; > +; THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" > BASIS, > +; WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER > EXPRESS OR IMPLIED. > +; > +; Module Name: > +; > +; StuffRsbAsm.inc > +; > +; Abstract: > +; > +; This file provides macro definitions for stuffing the Return Stack Buffer > (RSB) > +; for .ASM files. > +; > +;------------------------------------------------------------------------------- > + > +RSB_STUFF_ENTRIES Equ 20h > + > +; > +; parameters: > +; @param 1: register to use as counter (e.g. IA32:eax, X64:rax) > +; @param 2: stack pointer to restore (IA32:esp, X64:rsp) > +; @param 3: the size of a stack frame (IA32:4, X64:8) > +; > +StuffRsb MACRO Reg, StackPointer, Size > + local Unroll1, Unroll2, SpecTrap1, SpecTrap2, StuffLoop > + mov Reg, RSB_STUFF_ENTRIES / 2 > +Unroll1: > + call Unroll2 > +SpecTrap1: > + pause > + lfence > + jmp SpecTrap1 > +Unroll2: > + call StuffLoop > +SpecTrap2: > + pause > + lfence > + jmp SpecTrap2 > +StuffLoop: > + dec Reg > + jnz Unroll1 > + add StackPointer, RSB_STUFF_ENTRIES * Size ; Restore the > stack > pointer > + ENDM > + > +; > +; RSB stuffing macros for IA32 and X64 > +; > +StuffRsb32 MACRO > + StuffRsb eax, esp, 4 > + ENDM > + > +StuffRsb64 MACRO > + StuffRsb rax, rsp, 8 > + ENDM > diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.asm > b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.asm > index ac1a9b48dd..ea906d6434 100644 > --- a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.asm > +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.asm 
> @@ -1,5 +1,5 @@ > > ;------------------------------------------------------------------------------ > ; > -; Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR> > +; Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR> > ; This program and the accompanying materials > ; are licensed and made available under the terms and conditions of the BSD > License > ; which accompanies this distribution. The full text of the license may be > found at > @@ -22,6 +22,8 @@ > .model flat,C > .xmm > > +INCLUDE StuffRsbAsm.inc > + > DSC_OFFSET EQU 0fb00h > DSC_GDTPTR EQU 30h > DSC_GDTSIZ EQU 38h > @@ -169,6 +171,7 @@ _SmiHandler PROC > call eax > pop ecx > > + StuffRsb32 > rsm > _SmiHandler ENDP > > diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.asm > b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.asm > index 9ba2aebe69..a606bde749 100644 > --- a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.asm > +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.asm > @@ -1,5 +1,5 @@ > > ;------------------------------------------------------------------------------ > ; > -; Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR> > +; Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR> > ; This program and the accompanying materials > ; are licensed and made available under the terms and conditions of the BSD > License > ; which accompanies this distribution. The full text of the license may be > found at > @@ -22,6 +22,8 @@ > .xmm > .model flat,C > > +INCLUDE StuffRsbAsm.inc > + > SmmInitHandler PROTO C > > EXTERNDEF C gSmmCr0:DWORD > @@ -70,6 +72,7 @@ gSmmJmpAddr LABEL QWORD > DB 0bch ; mov esp, imm32 > gSmmInitStack DD ? > call SmmInitHandler > + StuffRsb32 > rsm > SmmStartup ENDP > > diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.asm > b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.asm > index 094cf2c3da..a4063cb0dc 100644 > --- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.asm > +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.asm 
> @@ -1,5 +1,5 @@ > > ;------------------------------------------------------------------------------ > ; > -; Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR> > +; Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR> > ; This program and the accompanying materials > ; are licensed and made available under the terms and conditions of the BSD > License > ; which accompanies this distribution. The full text of the license may be > found at > @@ -18,6 +18,8 @@ > ; > > ;------------------------------------------------------------------------------- > > +INCLUDE StuffRsbAsm.inc > + > ; > ; Variables referenced by C code > ; > @@ -189,6 +191,7 @@ _SmiHandler: > DB 48h ; FXRSTOR64 > fxrstor [rsp] > > + StuffRsb64 > rsm > > gcSmiHandlerSize DW $ - _SmiEntryPoint > diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.asm > b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.asm > index 9182f0293a..2301a208d6 100644 > --- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.asm > +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.asm > @@ -1,5 +1,5 @@ > > ;------------------------------------------------------------------------------ > ; > -; Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR> > +; Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR> > ; This program and the accompanying materials > ; are licensed and made available under the terms and conditions of the BSD > License > ; which accompanies this distribution. The full text of the license may be > found at > @@ -18,6 +18,8 @@ > ; > > ;------------------------------------------------------------------------------- > > +INCLUDE StuffRsbAsm.inc > + > EXTERNDEF SmmInitHandler:PROC > EXTERNDEF gSmmCr0:DWORD > EXTERNDEF gSmmCr3:DWORD > @@ -88,6 +90,7 @@ gSmmInitStack DQ ? > movdqa xmm4, [rsp + 40h] > movdqa xmm5, [rsp + 50h] > > + StuffRsb64 > rsm > SmmStartup ENDP > > -- > 2.12.0.windows.1
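Review bot: In the new UefiCpuPkg/Include/StuffRsbAsm.inc, the StuffRsb macro header documents its three parameters but not its two side conditions, and both matter at the call sites: (1) with RSB_STUFF_ENTRIES Equ 20h the nested calls push 32 return addresses before `add StackPointer, RSB_STUFF_ENTRIES * Size` discards them, so every caller must have at least 128 bytes (IA32) or 256 bytes (X64) of writable stack below the current stack pointer; (2) Reg is used as the loop counter by `mov Reg, RSB_STUFF_ENTRIES / 2` and `dec Reg`, so Reg and EFLAGS are clobbered and the stack contents below the stack pointer are overwritten. Suggest adding two lines under the parameter block, e.g. `; Note: clobbers Reg and EFLAGS.` and `; Note: requires RSB_STUFF_ENTRIES * Size bytes of stack below StackPointer.`, so a future caller outside the pre-RSM paths does not have to rediscover this from the loop body. Minor: the two header comment rules differ in length (the opening rule has one fewer dash than the closing one); the other files in this patch use the same pair, so the inconsistency may be inherited, but a new file is a good place to align them.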
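Review bot: In the Ia32/SmiEntry.asm `@@ -22,6 +22,8 @@` hunk (and the matching hunks in the other three files), `INCLUDE StuffRsbAsm.inc` uses a bare file name while the commit message places the file under UefiCpuPkg/Include/; this only resolves if the build passes the package include directories to the assembler for these modules. Suggest stating in the commit message (or a comment next to the INCLUDE) that the include path is provided by the package's Include directory, so the dependency on the build configuration is explicit rather than discovered at assembly time.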
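Review bot: In the Ia32/SmiEntry.asm `@@ -169,6 +171,7 @@ _SmiHandler PROC` hunk, `StuffRsb32` is placed after `pop ecx` and immediately before `rsm`, and it clobbers eax and EFLAGS. That is acceptable only because RSM reloads the general-purpose register state from the SMM save state area, but nothing at the call site records that reasoning, and a reader seeing a register destroyed right before the return could take it for a bug. Suggest a one-line comment above `StuffRsb32`, e.g. `; eax and flags are clobbered here; RSM restores them from the save state`, and a confirmation in the commit message that the SMI handler stack still has the 128 bytes below esp the macro consumes at this point.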
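Review bot: In the Ia32/SmmInit.asm `@@ -70,6 +72,7 @@ gSmmJmpAddr LABEL QWORD` hunk, `StuffRsb32` runs on the stack that was just loaded by the `mov esp, imm32` / `gSmmInitStack DD ?` sequence and used by `call SmmInitHandler`; the macro pushes 32 dwords below esp before restoring it, so the size reserved for gSmmInitStack now has to account for an extra 128 bytes on top of what SmmInitHandler needs. Suggest noting this requirement where the init stack is allocated, or in the commit message, so the allocation is not shrunk later without revisiting this call.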
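Review bot: In the X64/SmiEntry.asm `@@ -189,6 +191,7 @@ _SmiHandler:` hunk, `StuffRsb64` is inserted after `fxrstor [rsp]` and before `rsm`. Ordering is sound: the FX state is restored from memory at and above rsp, while the macro's calls push below rsp, so the restored area is not overwritten, and the clobber of rax after the restore is covered by RSM reloading it from the save state. Since the visible lines do not say any of this, suggest a short comment above `StuffRsb64` stating that it must stay after the state restore and that rax/flags are reloaded by RSM; the same comment applies to the X64/SmmInit.asm `@@ -88,6 +90,7 @@` hunk, where `StuffRsb64` follows the `movdqa xmm4/xmm5` restores.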
_______________________________________________ edk2-devel mailing list [email protected] https://lists.01.org/mailman/listinfo/edk2-devel

