subject:"\[edk2\] \[PATCH v2 0\/5\] \[CVE\-2017\-5753\] Bounds Check Bypass issue in SMI handlers"

Re: [edk2] [PATCH v2 0/5] [CVE-2017-5753] Bounds Check Bypass issue in SMI handlers

2018-09-28 Thread Yao, Jiewen

Reviewed-by: jiewen@intel.com

> -Original Message-
> From: Wu, Hao A
> Sent: Tuesday, September 25, 2018 2:13 PM
> To: edk2-devel@lists.01.org
> Cc: Wu, Hao A ; Ard Biesheuvel
> ; Leif Lindholm ;
> Laszlo Ersek ; Yao, Jiewen ;
> Kinney, Michael D ; Gao, Liming
> ; Zeng, Star ; Dong, Eric
> 
> Subject: [PATCH v2 0/5] [CVE-2017-5753] Bounds Check Bypass issue in SMI
> handlers
> 
> V2 changes:
> A. Rename the newly introduced BaseLib API to 'AsmLfence', and makes it
>IA32/X64 specific.
> 
> B. Add brief comments before calls of the AsmLfence() to state the
>purpose.
> 
> C. Refine the patch for Variable/RuntimeDxe driver and make the change
>focus on the SMM code.
> 
> V1 history:
> The series aims to mitigate the Bounds Check Bypass (CVE-2017-5753) issues
> within SMI handlers.
> 
> A more detailed explanation of the purpose of the series is under the
> 'Bounds check bypass mitigation' section of the below link:
> https://software.intel.com/security-software-guidance/insights/host-firmw
> are-speculative-execution-side-channel-mitigation
> 
> And the document at:
> https://software.intel.com/security-software-guidance/api-app/sites/defaul
> t/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf
> 
> Cc: Ard Biesheuvel 
> Cc: Leif Lindholm 
> Cc: Laszlo Ersek 
> Cc: Jiewen Yao 
> Cc: Michael D Kinney 
> Cc: Liming Gao 
> Cc: Star Zeng 
> Cc: Eric Dong 
> 
> Hao Wu (5):
>   MdePkg/BaseLib: Add new AsmLfence API
>   MdeModulePkg/FaultTolerantWrite:[CVE-2017-5753]Fix bounds check
> bypass
>   MdeModulePkg/SmmLockBox: [CVE-2017-5753] Fix bounds check bypass
>   MdeModulePkg/Variable: [CVE-2017-5753] Fix bounds check bypass
>   UefiCpuPkg/PiSmmCpuDxeSmm: [CVE-2017-5753] Fix bounds check
> bypass
> 
> 
> MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c
> |  7 
> 
> MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.in
> f |  1 +
>  MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c
> | 10 ++
>  MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceDxe.c
> | 31 
>  MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceSmm.c
> | 30 
>  MdeModulePkg/Universal/Variable/RuntimeDxe/PrivilegePolymorphic.h
> | 13 ++-
>  MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
> |  6 
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
> |  1 +
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c
> | 18 ++
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf
> |  1 +
>  MdePkg/Include/Library/BaseLib.h
> | 13 +++
>  MdePkg/Library/BaseLib/BaseLib.inf
> |  2 ++
>  MdePkg/Library/BaseLib/Ia32/Lfence.nasm
> | 37 +++
>  MdePkg/Library/BaseLib/X64/Lfence.nasm
> | 38 
>  UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c
> |  5 +++
>  15 files changed, 212 insertions(+), 1 deletion(-)
>  create mode 100644
> MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceDxe.c
>  create mode 100644
> MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceSmm.c
>  create mode 100644 MdePkg/Library/BaseLib/Ia32/Lfence.nasm
>  create mode 100644 MdePkg/Library/BaseLib/X64/Lfence.nasm
> 
> --
> 2.12.0.windows.1

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Re: [edk2] [PATCH v2 0/5] [CVE-2017-5753] Bounds Check Bypass issue in SMI handlers

2018-09-25 Thread Wu, Hao A

> -Original Message-
> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Laszlo
> Ersek
> Sent: Wednesday, September 26, 2018 4:57 AM
> To: Wu, Hao A; edk2-devel@lists.01.org
> Cc: Kinney, Michael D; Zeng, Star; Yao, Jiewen; Dong, Eric; Gao, Liming
> Subject: Re: [edk2] [PATCH v2 0/5] [CVE-2017-5753] Bounds Check Bypass issue
> in SMI handlers
> 
> On 09/25/18 22:51, Laszlo Ersek wrote:
> > On 09/25/18 08:12, Hao Wu wrote:
> >> V2 changes:
> >> A. Rename the newly introduced BaseLib API to 'AsmLfence', and makes it
> >>IA32/X64 specific.
> >>
> >> B. Add brief comments before calls of the AsmLfence() to state the
> >>purpose.
> >>
> >> C. Refine the patch for Variable/RuntimeDxe driver and make the change
> >>focus on the SMM code.
> >>
> >> V1 history:
> >> The series aims to mitigate the Bounds Check Bypass (CVE-2017-5753)
> issues
> >> within SMI handlers.
> >>
> >> A more detailed explanation of the purpose of the series is under the
> >> 'Bounds check bypass mitigation' section of the below link:
> >> https://software.intel.com/security-software-guidance/insights/host-
> firmware-speculative-execution-side-channel-mitigation
> >>
> >> And the document at:
> >> https://software.intel.com/security-software-guidance/api-
> app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-
> vulnerabilities.pdf
> >>
> >> Cc: Ard Biesheuvel 
> >> Cc: Leif Lindholm 
> >> Cc: Laszlo Ersek 
> >> Cc: Jiewen Yao 
> >> Cc: Michael D Kinney 
> >> Cc: Liming Gao 
> >> Cc: Star Zeng 
> >> Cc: Eric Dong 
> >>
> >> Hao Wu (5):
> >>   MdePkg/BaseLib: Add new AsmLfence API
> >>   MdeModulePkg/FaultTolerantWrite:[CVE-2017-5753]Fix bounds check
> bypass
> >>   MdeModulePkg/SmmLockBox: [CVE-2017-5753] Fix bounds check bypass
> >>   MdeModulePkg/Variable: [CVE-2017-5753] Fix bounds check bypass
> >>   UefiCpuPkg/PiSmmCpuDxeSmm: [CVE-2017-5753] Fix bounds check bypass
> >>
> >>
> MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c   |
> 7 
> >>
> MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.inf
> |  1 +
> >>  MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c
> | 10 ++
> >>  MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceDxe.c  |
> 31 
> >>  MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceSmm.c
> | 30 
> >>  MdeModulePkg/Universal/Variable/RuntimeDxe/PrivilegePolymorphic.h
> | 13 ++-
> >>  MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c  |  
> >> 6
> 
> >>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
> |  1 +
> >>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c   |
> 18 ++
> >>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf |
> 1 +
> >>  MdePkg/Include/Library/BaseLib.h   | 
> >> 13 +++
> >>  MdePkg/Library/BaseLib/BaseLib.inf |  
> >> 2 ++
> >>  MdePkg/Library/BaseLib/Ia32/Lfence.nasm| 
> >> 37
> +++
> >>  MdePkg/Library/BaseLib/X64/Lfence.nasm | 
> >> 38
> 
> >>  UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c |  
> >> 5
> +++
> >>  15 files changed, 212 insertions(+), 1 deletion(-)
> >>  create mode 100644
> MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceDxe.c
> >>  create mode 100644
> MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceSmm.c
> >>  create mode 100644 MdePkg/Library/BaseLib/Ia32/Lfence.nasm
> >>  create mode 100644 MdePkg/Library/BaseLib/X64/Lfence.nasm
> >>
> >
> > I regression-tested this series using:
> >
> > (1) roughly the Linux guest steps from
> > <https://github.com/tianocore/tianocore.github.io/wiki/Testing-SMM-with-
> QEMU,-KVM-and-libvirt#tests-to-perform-in-the-installed-guest-fedora-26-
> guest>.
> >
> >
> > Those steps cover all of the SMM variable driver, the SMM FTW driver,
> > the SMM lockbox, and PiSmmCpuDxeSmm.
> >
> > (2) For briefly checking the runtime (non-SMM) variable driver, I booted
> > Fedora guests on X64 OVMF and AARCH64 ArmVirtQemu, and invoked
> > "efibootmgr -v

Re: [edk2] [PATCH v2 0/5] [CVE-2017-5753] Bounds Check Bypass issue in SMI handlers

2018-09-25 Thread Laszlo Ersek

On 09/25/18 22:51, Laszlo Ersek wrote:
> On 09/25/18 08:12, Hao Wu wrote:
>> V2 changes:
>> A. Rename the newly introduced BaseLib API to 'AsmLfence', and makes it
>>IA32/X64 specific.
>>
>> B. Add brief comments before calls of the AsmLfence() to state the
>>purpose.
>>
>> C. Refine the patch for Variable/RuntimeDxe driver and make the change
>>focus on the SMM code.
>>
>> V1 history:
>> The series aims to mitigate the Bounds Check Bypass (CVE-2017-5753) issues
>> within SMI handlers.
>>
>> A more detailed explanation of the purpose of the series is under the
>> 'Bounds check bypass mitigation' section of the below link:
>> https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation
>>
>> And the document at:
>> https://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf
>>
>> Cc: Ard Biesheuvel 
>> Cc: Leif Lindholm 
>> Cc: Laszlo Ersek 
>> Cc: Jiewen Yao 
>> Cc: Michael D Kinney 
>> Cc: Liming Gao 
>> Cc: Star Zeng 
>> Cc: Eric Dong 
>>
>> Hao Wu (5):
>>   MdePkg/BaseLib: Add new AsmLfence API
>>   MdeModulePkg/FaultTolerantWrite:[CVE-2017-5753]Fix bounds check bypass
>>   MdeModulePkg/SmmLockBox: [CVE-2017-5753] Fix bounds check bypass
>>   MdeModulePkg/Variable: [CVE-2017-5753] Fix bounds check bypass
>>   UefiCpuPkg/PiSmmCpuDxeSmm: [CVE-2017-5753] Fix bounds check bypass
>>
>>  MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c   |  7 
>> 
>>  MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.inf |  1 
>> +
>>  MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c | 10 
>> ++
>>  MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceDxe.c  | 31 
>> 
>>  MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceSmm.c  | 30 
>> 
>>  MdeModulePkg/Universal/Variable/RuntimeDxe/PrivilegePolymorphic.h  | 13 
>> ++-
>>  MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c  |  6 
>> 
>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf  |  1 
>> +
>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c   | 18 
>> ++
>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf |  1 
>> +
>>  MdePkg/Include/Library/BaseLib.h   | 13 
>> +++
>>  MdePkg/Library/BaseLib/BaseLib.inf |  2 
>> ++
>>  MdePkg/Library/BaseLib/Ia32/Lfence.nasm| 37 
>> +++
>>  MdePkg/Library/BaseLib/X64/Lfence.nasm | 38 
>> 
>>  UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c |  5 
>> +++
>>  15 files changed, 212 insertions(+), 1 deletion(-)
>>  create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceDxe.c
>>  create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceSmm.c
>>  create mode 100644 MdePkg/Library/BaseLib/Ia32/Lfence.nasm
>>  create mode 100644 MdePkg/Library/BaseLib/X64/Lfence.nasm
>>
> 
> I regression-tested this series using:
> 
> (1) roughly the Linux guest steps from
> .
> 
> 
> Those steps cover all of the SMM variable driver, the SMM FTW driver,
> the SMM lockbox, and PiSmmCpuDxeSmm.
> 
> (2) For briefly checking the runtime (non-SMM) variable driver, I booted
> Fedora guests on X64 OVMF and AARCH64 ArmVirtQemu, and invoked
> "efibootmgr -v".
> 
> series
> Regression-tested-by: Laszlo Ersek 

It's been a long day. I meant to describe another detail of the test
environment:

Because of the regression reported at
, OVMF is currently
unbootable. Therefore I first applied my fix from
 on top of
current master (3cb0a311cb7e). I applied this series of yours for
regression testing on top of my fix.

Thanks
Laszlo
___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Re: [edk2] [PATCH v2 0/5] [CVE-2017-5753] Bounds Check Bypass issue in SMI handlers

2018-09-25 Thread Laszlo Ersek

On 09/25/18 08:12, Hao Wu wrote:
> V2 changes:
> A. Rename the newly introduced BaseLib API to 'AsmLfence', and makes it
>IA32/X64 specific.
> 
> B. Add brief comments before calls of the AsmLfence() to state the
>purpose.
> 
> C. Refine the patch for Variable/RuntimeDxe driver and make the change
>focus on the SMM code.
> 
> V1 history:
> The series aims to mitigate the Bounds Check Bypass (CVE-2017-5753) issues
> within SMI handlers.
> 
> A more detailed explanation of the purpose of the series is under the
> 'Bounds check bypass mitigation' section of the below link:
> https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation
> 
> And the document at:
> https://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf
> 
> Cc: Ard Biesheuvel 
> Cc: Leif Lindholm 
> Cc: Laszlo Ersek 
> Cc: Jiewen Yao 
> Cc: Michael D Kinney 
> Cc: Liming Gao 
> Cc: Star Zeng 
> Cc: Eric Dong 
> 
> Hao Wu (5):
>   MdePkg/BaseLib: Add new AsmLfence API
>   MdeModulePkg/FaultTolerantWrite:[CVE-2017-5753]Fix bounds check bypass
>   MdeModulePkg/SmmLockBox: [CVE-2017-5753] Fix bounds check bypass
>   MdeModulePkg/Variable: [CVE-2017-5753] Fix bounds check bypass
>   UefiCpuPkg/PiSmmCpuDxeSmm: [CVE-2017-5753] Fix bounds check bypass
> 
>  MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c   |  7 
> 
>  MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.inf |  1 +
>  MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c | 10 
> ++
>  MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceDxe.c  | 31 
> 
>  MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceSmm.c  | 30 
> 
>  MdeModulePkg/Universal/Variable/RuntimeDxe/PrivilegePolymorphic.h  | 13 
> ++-
>  MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c  |  6 
> 
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf  |  1 +
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c   | 18 
> ++
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf |  1 +
>  MdePkg/Include/Library/BaseLib.h   | 13 
> +++
>  MdePkg/Library/BaseLib/BaseLib.inf |  2 
> ++
>  MdePkg/Library/BaseLib/Ia32/Lfence.nasm| 37 
> +++
>  MdePkg/Library/BaseLib/X64/Lfence.nasm | 38 
> 
>  UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c |  5 
> +++
>  15 files changed, 212 insertions(+), 1 deletion(-)
>  create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceDxe.c
>  create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceSmm.c
>  create mode 100644 MdePkg/Library/BaseLib/Ia32/Lfence.nasm
>  create mode 100644 MdePkg/Library/BaseLib/X64/Lfence.nasm
> 

I regression-tested this series using:

(1) roughly the Linux guest steps from
.


Those steps cover all of the SMM variable driver, the SMM FTW driver,
the SMM lockbox, and PiSmmCpuDxeSmm.

(2) For briefly checking the runtime (non-SMM) variable driver, I booted
Fedora guests on X64 OVMF and AARCH64 ArmVirtQemu, and invoked
"efibootmgr -v".

series
Regression-tested-by: Laszlo Ersek 

Thanks,
Laszlo
___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

[edk2] [PATCH v2 0/5] [CVE-2017-5753] Bounds Check Bypass issue in SMI handlers

2018-09-25 Thread Hao Wu

V2 changes:
A. Rename the newly introduced BaseLib API to 'AsmLfence', and makes it
   IA32/X64 specific.

B. Add brief comments before calls of the AsmLfence() to state the
   purpose.

C. Refine the patch for Variable/RuntimeDxe driver and make the change
   focus on the SMM code.

V1 history:
The series aims to mitigate the Bounds Check Bypass (CVE-2017-5753) issues
within SMI handlers.

A more detailed explanation of the purpose of the series is under the
'Bounds check bypass mitigation' section of the below link:
https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation

And the document at:
https://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf

Cc: Ard Biesheuvel 
Cc: Leif Lindholm 
Cc: Laszlo Ersek 
Cc: Jiewen Yao 
Cc: Michael D Kinney 
Cc: Liming Gao 
Cc: Star Zeng 
Cc: Eric Dong 

Hao Wu (5):
  MdePkg/BaseLib: Add new AsmLfence API
  MdeModulePkg/FaultTolerantWrite:[CVE-2017-5753]Fix bounds check bypass
  MdeModulePkg/SmmLockBox: [CVE-2017-5753] Fix bounds check bypass
  MdeModulePkg/Variable: [CVE-2017-5753] Fix bounds check bypass
  UefiCpuPkg/PiSmmCpuDxeSmm: [CVE-2017-5753] Fix bounds check bypass

 MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c   |  7 

 MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.inf |  1 +
 MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c | 10 
++
 MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceDxe.c  | 31 

 MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceSmm.c  | 30 

 MdeModulePkg/Universal/Variable/RuntimeDxe/PrivilegePolymorphic.h  | 13 
++-
 MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c  |  6 

 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf  |  1 +
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c   | 18 
++
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf |  1 +
 MdePkg/Include/Library/BaseLib.h   | 13 
+++
 MdePkg/Library/BaseLib/BaseLib.inf |  2 ++
 MdePkg/Library/BaseLib/Ia32/Lfence.nasm| 37 
+++
 MdePkg/Library/BaseLib/X64/Lfence.nasm | 38 

 UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c |  5 +++
 15 files changed, 212 insertions(+), 1 deletion(-)
 create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceDxe.c
 create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceSmm.c
 create mode 100644 MdePkg/Library/BaseLib/Ia32/Lfence.nasm
 create mode 100644 MdePkg/Library/BaseLib/X64/Lfence.nasm

-- 
2.12.0.windows.1

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Re: [edk2] [PATCH v2 0/5] [CVE-2017-5753] Bounds Check Bypass issue in SMI handlers

Re: [edk2] [PATCH v2 0/5] [CVE-2017-5753] Bounds Check Bypass issue in SMI handlers

Re: [edk2] [PATCH v2 0/5] [CVE-2017-5753] Bounds Check Bypass issue in SMI handlers

Re: [edk2] [PATCH v2 0/5] [CVE-2017-5753] Bounds Check Bypass issue in SMI handlers

[edk2] [PATCH v2 0/5] [CVE-2017-5753] Bounds Check Bypass issue in SMI handlers

5 matches

Site Navigation

Mail list logo

Footer information