REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1521
This patch adds SSP - shadow stack pointer to JumpBuffer. It will be used for the platform that enabled CET/ShadowStack.
Cc: Michael D Kinney <michael.d.kin...@intel.com>
Cc: Liming Gao <liming....@intel.com>
Cc: Eric Dong <eric.d...@intel.com>
Cc: Ray Ni <ray...@intel.com>
Cc: Laszlo Ersek <ler...@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Yao Jiewen <jiewen....@intel.com>
---
 MdePkg/Include/Library/BaseLib.h | 2 ++
 MdePkg/Library/BaseLib/Ia32/LongJump.nasm | 18 +++++++++++++++++-
 MdePkg/Library/BaseLib/Ia32/SetJump.nasm | 17 ++++++++++++++++-
 MdePkg/Library/BaseLib/X64/LongJump.nasm | 20 +++++++++++++++++++-
 MdePkg/Library/BaseLib/X64/SetJump.nasm | 17 ++++++++++++++++-
 5 files changed, 70 insertions(+), 4 deletions(-)
diff --git a/MdePkg/Include/Library/BaseLib.h b/MdePkg/Include/Library/BaseLib.h
index 9c42f82a7d..616ba2e95b 100644
--- a/MdePkg/Include/Library/BaseLib.h
+++ b/MdePkg/Include/Library/BaseLib.h
@@ -31,6 +31,7 @@ typedef struct {
 UINT32 Ebp;
 UINT32 Esp;
 UINT32 Eip;
+ UINT32 Ssp;
 } BASE_LIBRARY_JUMP_BUFFER;

 #define BASE_LIBRARY_JUMP_BUFFER_ALIGNMENT 4
@@ -54,6 +55,7 @@ typedef struct {
 UINT64 Rip;
 UINT64 MxCsr;
 UINT8 XmmBuffer[160]; ///< XMM6-XMM15.
+ UINT64 Ssp;
 } BASE_LIBRARY_JUMP_BUFFER;

 #define BASE_LIBRARY_JUMP_BUFFER_ALIGNMENT 8
diff --git a/MdePkg/Library/BaseLib/Ia32/LongJump.nasm b/MdePkg/Library/BaseLib/Ia32/LongJump.nasm
index 7ef03462ee..e0f98c195e 100644
--- a/MdePkg/Library/BaseLib/Ia32/LongJump.nasm
+++ b/MdePkg/Library/BaseLib/Ia32/LongJump.nasm
@@ -1,6 +1,6 @@
 ;------------------------------------------------------------------------------
 ;
-; Copyright (c) 2006, Intel Corporation. All rights reserved.<BR>
+; Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>
 ; This program and the accompanying materials
 ; are licensed and made available under the terms and conditions of the BSD License
 ; which accompanies this distribution. The full text of the license may be found at
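Review bot: The new `Ssp` member in both structs carries no field comment, unlike `XmmBuffer` beside it, and its byte offset is exactly what the four .nasm hunks hard-code (24 on IA32, 0xF8 on X64), so the header is where that contract should be spelled out. Suggest `UINT32 Ssp; ///< Shadow stack pointer; 0 when CET shadow stacks were not enabled at SetJump()` for the IA32 struct and the UINT64 twin for X64, since SetJump stores 0 first and only overwrites it on the CET path. On X64 the field sits 176 bytes after `Rip` (8 for Rip, 8 for MxCsr, 160 for XmmBuffer); `Rip`'s own offset is outside this hunk, but if it follows Rbx/Rsp/Rbp at 0/8/0x10 (as the X64 SetJump hunk stores them) and four further UINT64 fields, it lands at 0x38 and `Ssp` at 0xE8 rather than 0xF8, which would make the X64 SetJump/LongJump accesses fall 8 bytes past the end of the buffer. An `OFFSET_OF (BASE_LIBRARY_JUMP_BUFFER, Ssp)` check against the assembler constant would settle it either way.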
@@ -31,6 +31,22 @@
 ;------------------------------------------------------------------------------
 global ASM_PFX(InternalLongJump)
 ASM_PFX(InternalLongJump):
+
+ mov eax, cr4
+ bt eax, 23 ; check if CET is enabled
+ jnc CetDone
+
+ mov edx, [esp + 4] ; edx = JumpBuffer
+ mov edx, [edx + 24] ; edx = target SSP
+ DB 0xF3, 0x0F, 0x1E, 0xC8 ; READSSP EAX
+ sub edx, eax ; eax = delta
+ mov eax, edx ; eax = delta
+
+ shr eax, 2 ; eax = delta/sizeof(UINT32)
+ DB 0xF3, 0x0F, 0xAE, 0xE8 ; INCSSP EAX
+
+CetDone:
+
 pop eax ; skip return address
 pop edx ; edx <- JumpBuffer
 pop eax ; eax <- Value
diff --git a/MdePkg/Library/BaseLib/Ia32/SetJump.nasm b/MdePkg/Library/BaseLib/Ia32/SetJump.nasm
index 6d3a5a25bb..51e0d5351c 100644
--- a/MdePkg/Library/BaseLib/Ia32/SetJump.nasm
+++ b/MdePkg/Library/BaseLib/Ia32/SetJump.nasm
@@ -1,6 +1,6 @@
 ;------------------------------------------------------------------------------
 ;
-; Copyright (c) 2006, Intel Corporation. All rights reserved.<BR>
+; Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>
 ; This program and the accompanying materials
 ; are licensed and made available under the terms and conditions of the BSD License
 ; which accompanies this distribution. The full text of the license may be found at
@@ -37,6 +37,21 @@ ASM_PFX(SetJump):
 pop ecx
 pop ecx ; ecx <- return address
 mov edx, [esp]
+
+ xor eax, eax
+ mov [edx + 24], eax ; save 0 to SSP
+
+ mov eax, cr4
+ bt eax, 23 ; check if CET is enabled
+ jnc CetDone
+
+ mov eax, 1
+ DB 0xF3, 0x0F, 0xAE, 0xE8 ; INCSSP EAX to read original SSP
+ DB 0xF3, 0x0F, 0x1E, 0xC8 ; READSSP EAX
+ mov [edx + 0x24], eax ; save SSP
+
+CetDone:
+
 mov [edx], ebx
 mov [edx + 4], esi
 mov [edx + 8], edi
diff --git a/MdePkg/Library/BaseLib/X64/LongJump.nasm b/MdePkg/Library/BaseLib/X64/LongJump.nasm
index 3bac27469e..5f3f07da07 100644
--- a/MdePkg/Library/BaseLib/X64/LongJump.nasm
+++ b/MdePkg/Library/BaseLib/X64/LongJump.nasm
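Review bot: The single `INCSSP EAX` after `shr eax, 2` only consumes bits 7:0 of its operand, so a LongJump that unwinds more than 255 shadow-stack slots (1 KiB of shadow stack on IA32) leaves SSP short of the recorded value and the next `ret` in the caller takes a #CP; the X64 LongJump hunk has the same shape with `shr rax, 3` / `INCSSP RAX` and a 2 KiB limit. Stepping in chunks of 255 fixes it; ecx is caller-saved under cdecl and nothing in this hunk relies on it, though the rest of InternalLongJump continues past the hunk. Separately, the comment on `sub edx, eax ; eax = delta` mislabels the register; it should read `; edx = delta`, as the X64 hunk does.
```asm
        shr     eax, 2                  ; eax = delta/sizeof(UINT32) = slots to unwind
CetIncLoop:
        cmp     eax, 255
        jbe     CetIncLast              ; INCSSP uses only bits 7:0 of its operand
        mov     ecx, 255
        DB      0xF3, 0x0F, 0xAE, 0xE9  ; INCSSP ECX (ModRM 0xE9 selects ECX; derived from the EAX form)
        sub     eax, 255
        jmp     CetIncLoop
CetIncLast:
        DB      0xF3, 0x0F, 0xAE, 0xE8  ; INCSSP EAX (remaining slots)
; ... unchanged: CetDone label and register pops ...
```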
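Review bot: The store `mov [edx + 0x24], eax ; save SSP` uses offset 0x24 (36) while the zero-initialisation a few lines above and the Ia32 LongJump hunk both use 24, which is where `Ssp` lands going by the field order in the header hunk and the `[edx]`/`[edx + 4]`/`[edx + 8]` stores below (Ebx, Esi, Edi, Ebp, Esp, Eip, then Ssp). As written the real SSP is written 8 bytes past the end of the 28-byte buffer, clobbering whatever the caller placed after it, and `Ssp` stays 0, so LongJump derives its INCSSP delta from 0. Change it to `mov [edx + 24], eax ; save SSP`. The comment on the `INCSSP EAX` line also undersells what it does: besides exposing the caller's SSP to READSSP, it pops the entry pushed onto the shadow stack by the `call` into SetJump, which is what keeps the shadow stack balanced if the function leaves by jumping to the popped return address instead of `ret` (the exit is outside this hunk); `; pop our own return entry so SSP matches the caller's` would say so.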
@@ -1,6 +1,6 @@
 ;------------------------------------------------------------------------------
 ;
-; Copyright (c) 2006, Intel Corporation. All rights reserved.<BR>
+; Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>
 ; This program and the accompanying materials
 ; are licensed and made available under the terms and conditions of the BSD License
 ; which accompanies this distribution. The full text of the license may be found at
@@ -32,6 +32,24 @@
 ;------------------------------------------------------------------------------
 global ASM_PFX(InternalLongJump)
 ASM_PFX(InternalLongJump):
+
+ mov rax, cr4
+ bt eax, 23 ; check if CET is enabled
+ jnc CetDone
+
+ push rdx ; save rdx
+
+ mov rdx, [rcx + 0xF8] ; rdx = target SSP
+ DB 0xF3, 0x48, 0x0F, 0x1E, 0xC8 ; READSSP RAX
+ sub rdx, rax ; rdx = delta
+ mov rax, rdx ; rax = delta
+
+ shr rax, 3 ; rax = delta/sizeof(UINT64)
+ DB 0xF3, 0x48, 0x0F, 0xAE, 0xE8 ; INCSSP RAX
+
+ pop rdx ; restore rdx
+CetDone:
+
 mov rbx, [rcx]
 mov rsp, [rcx + 8]
 mov rbp, [rcx + 0x10]
diff --git a/MdePkg/Library/BaseLib/X64/SetJump.nasm b/MdePkg/Library/BaseLib/X64/SetJump.nasm
index b1d0ff7121..6ec6a3f39e 100644
--- a/MdePkg/Library/BaseLib/X64/SetJump.nasm
+++ b/MdePkg/Library/BaseLib/X64/SetJump.nasm
@@ -1,6 +1,6 @@
 ;------------------------------------------------------------------------------
 ;
-; Copyright (c) 2006, Intel Corporation. All rights reserved.<BR>
+; Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>
 ; This program and the accompanying materials
 ; are licensed and made available under the terms and conditions of the BSD License
 ; which accompanies this distribution. The full text of the license may be found at
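Review bot: `bt eax, 23` on CR4 only shows that CET is switched on, not that shadow stacks are active at this privilege level; INCSSP raises #UD when IA32_S_CET.SH_STK_EN is clear for CPL < 3 (where this firmware code runs) while RDSSP merely executes as a NOP, so on such a configuration the delta arithmetic runs and the `INCSSP RAX` faults. The same one-bit test gates the Ia32 LongJump hunk and both SetJump hunks; reading IA32_S_CET via rdmsr before the branch, or keying off a platform flag that records whether shadow stacks were actually enabled, would close that gap. Related: a buffer recorded while CET was off holds `Ssp == 0` (SetJump stores that first), and `sub rdx, rax` then produces a wrapped-around delta; loading the field before the push, `mov rax, [rcx + 0xF8]` / `test rax, rax` / `jz CetDone`, skips the adjustment for such a buffer without disturbing the rdx save/restore. InternalLongJump's body continues past this hunk.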
@@ -39,6 +39,21 @@ ASM_PFX(SetJump):
 add rsp, 0x20
 pop rcx
 pop rdx
+
+ xor rax, rax
+ mov [rcx + 0xF8], rax ; save 0 to SSP
+
+ mov rax, cr4
+ bt eax, 23 ; check if CET is enabled
+ jnc CetDone
+
+ mov rax, 1
+ DB 0xF3, 0x48, 0x0F, 0xAE, 0xE8 ; INCSSP RAX to read original SSP
+ DB 0xF3, 0x48, 0x0F, 0x1E, 0xC8 ; READSSP RAX
+ mov [rcx + 0xF8], rax ; save SSP
+
+CetDone:
+
 mov [rcx], rbx
 mov [rcx + 8], rsp
 mov [rcx + 0x10], rbp
-- 
2.19.2.windows.1
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
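Review bot: The RDSSP/INCSSP instructions are spelled as raw `DB` byte strings, repeated with slightly different comments here and in the three other .nasm hunks, and a single wrong byte would assemble silently into some other instruction. Define them once in a shared NASM include, e.g. `%macro READSSP_RAX 0` / `DB 0xF3, 0x48, 0x0F, 0x1E, 0xC8` / `%endmacro` plus an `INCSSP_RAX` counterpart (and the EAX forms for IA32), and use the macro names at the call sites, or the mnemonics themselves once the minimum NASM version is known to accept them. `CetDone` is a non-local NASM label; a function-scoped `.CetDone` keeps it from colliding if another function is ever added to the file. The `jnc CetDone` path intentionally leaves the field at the 0 stored by the `xor rax, rax` pair, and that meaning deserves a comment there, e.g. `; Ssp = 0 records "no shadow stack active at SetJump"`.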