From nobody Wed Jan 15 12:51:08 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org; dmarc=fail(p=none dis=none) header.from=intel.com Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1533865453006229.25219635976862; Thu, 9 Aug 2018 18:44:13 -0700 (PDT) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 5F33E210E8D71; Thu, 9 Aug 2018 18:44:07 -0700 (PDT) Received: from mga03.intel.com (mga03.intel.com [134.134.136.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 1DA4D21B02822 for ; Thu, 9 Aug 2018 18:44:06 -0700 (PDT) Received: from fmsmga002.fm.intel.com ([10.253.24.26]) by orsmga103.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 09 Aug 2018 18:44:06 -0700 Received: from shwdeopenpsi014.ccr.corp.intel.com ([10.239.9.19]) by fmsmga002.fm.intel.com with ESMTP; 09 Aug 2018 18:43:59 -0700 X-Original-To: edk2-devel@lists.01.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=134.134.136.65; helo=mga03.intel.com; envelope-from=hao.a.wu@intel.com; receiver=edk2-devel@lists.01.org X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.53,217,1531810800"; d="scan'208";a="75363396" 
From: Hao Wu To: edk2-devel@lists.01.org Date: Fri, 10 Aug 2018 09:43:47 +0800 Message-Id: <20180810014348.32036-2-hao.a.wu@intel.com> X-Mailer: git-send-email 2.12.0.windows.1 In-Reply-To: <20180810014348.32036-1-hao.a.wu@intel.com> References: <20180810014348.32036-1-hao.a.wu@intel.com> Subject: [edk2] [PATCH 1/2] UefiCpuPkg/SmmCpuFeaturesLib: Add RSB stuffing before rsm instruction X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Hao Wu , Laszlo Ersek , Jiewen Yao , Eric Dong MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RDMRC_1 RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" System Management Interrupt (SMI) handlers can leave the Return Stack Buffer (RSB) in a state that application program or operating-system does not expect. In order to avoid RSB underflow on return from SMI, this commit will add RSB stuffing logic before instruction 'rsm'. After the stuffing, RSB entries will contain a trap like: @SpecTrap: pause lfence jmp @SpecTrap to keep the speculative execution within control. Cc: Jiewen Yao Cc: Eric Dong Cc: Laszlo Ersek Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Hao Wu --- UefiCpuPkg/Library/SmmCpuFeaturesLib/Ia32/SmiEntry.nasm | 20 +++++++++ UefiCpuPkg/Library/SmmCpuFeaturesLib/Ia32/SmiException.nasm | 44 +++++++++= +++++++++-- UefiCpuPkg/Library/SmmCpuFeaturesLib/X64/SmiEntry.nasm | 20 +++++++++ UefiCpuPkg/Library/SmmCpuFeaturesLib/X64/SmiException.nasm | 42 +++++++++= +++++++++- 4 files changed, 121 insertions(+), 5 deletions(-) diff --git a/UefiCpuPkg/Library/SmmCpuFeaturesLib/Ia32/SmiEntry.nasm b/Uefi= CpuPkg/Library/SmmCpuFeaturesLib/Ia32/SmiEntry.nasm index 057ec6d105..c14a5b2789 100644 --- a/UefiCpuPkg/Library/SmmCpuFeaturesLib/Ia32/SmiEntry.nasm 
+++ b/UefiCpuPkg/Library/SmmCpuFeaturesLib/Ia32/SmiEntry.nasm @@ -37,6 +37,8 @@ %define PROTECT_MODE_DS 0x20 %define TSS_SEGMENT 0x40 =20 +%define RSB_STUFF_ENTRIES 0x20 + extern ASM_PFX(SmiRendezvous) extern ASM_PFX(FeaturePcdGet (PcdCpuSmmStackGuard)) extern ASM_PFX(CpuSmmDebugEntry) @@ -206,6 +208,24 @@ CommonHandler: wrmsr =20 .7: + mov eax, RSB_STUFF_ENTRIES / 2 +@Unroll1: + call @Unroll2 +@SpecTrap1: + pause + lfence + jmp @SpecTrap1 +@Unroll2: + call @StuffLoop +@SpecTrap2: + pause + lfence + jmp @SpecTrap2 +@StuffLoop: + dec eax + jnz @Unroll1 + add esp, RSB_STUFF_ENTRIES * 4 ; Restore the stack pointer + rsm =20 =20 diff --git a/UefiCpuPkg/Library/SmmCpuFeaturesLib/Ia32/SmiException.nasm b/= UefiCpuPkg/Library/SmmCpuFeaturesLib/Ia32/SmiException.nasm index 93dc3005b7..410af08ac3 100644 --- a/UefiCpuPkg/Library/SmmCpuFeaturesLib/Ia32/SmiException.nasm +++ b/UefiCpuPkg/Library/SmmCpuFeaturesLib/Ia32/SmiException.nasm @@ -1,5 +1,5 @@ ;-------------------------------------------------------------------------= ----- ; -; Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.
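Review bot: `RSB_STUFF_ENTRIES` is defined without a comment saying where 0x20 comes from, and the stuffing loop added after `.7:` in this file silently depends on the value being even and at least 2. The loop issues `2 * (RSB_STUFF_ENTRIES / 2)` calls while the fix-up adds `RSB_STUFF_ENTRIES * 4`, so an odd value stuffs one entry fewer than the name says and the `add esp` no longer matches the pushes. A value of 0 or 1 loads 0 into eax, `dec eax` wraps, and the loop keeps pushing return addresses for roughly 2^32 iterations. I would add `; Number of RSB entries overwritten before rsm; must be even and >= 2` above the define, plus a build-time guard: `%if (RSB_STUFF_ENTRIES % 2) != 0 || RSB_STUFF_ENTRIES < 2` / `%error "RSB_STUFF_ENTRIES must be even and >= 2"` / `%endif`. The same define is repeated in every file this series touches, so the comment and guard belong wherever the value is finally defined once.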
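Review bot: The stuffing sequence added after `.7:` is repeated verbatim before every `rsm` in this series (ten copies over the two patches), and because `@Unroll1`, `@SpecTrap1` and the rest are ordinary non-local labels they have to be made unique by hand, which is why SmiException.nasm needs the `_1`/`_2` suffixes. A non-local label also ends the scope of the preceding local labels, so a `.N` label referenced after this point would no longer resolve against `CommonHandler`; the hunk shows no such reference, but it is a trap for later edits. A single `%macro` with `%%` macro-local labels in a shared include avoids both problems and keeps the mitigation in one reviewable place. Each call site then becomes one line, `StuffRsb eax, esp, 4` here and `StuffRsb rax, rsp, 8` in the X64 files. The enclosing handler starts and ends outside the hunk.

```nasm
; %1 = counter register, %2 = stack pointer register, %3 = bytes per return address
%macro StuffRsb 3
    mov     %1, RSB_STUFF_ENTRIES / 2
%%Unroll1:
    call    %%Unroll2
%%SpecTrap1:                            ; speculation that consumes a stuffed entry parks here
    pause
    lfence
    jmp     %%SpecTrap1
%%Unroll2:
    call    %%StuffLoop
%%SpecTrap2:
    pause
    lfence
    jmp     %%SpecTrap2
%%StuffLoop:
    dec     %1
    jnz     %%Unroll1
    add     %2, RSB_STUFF_ENTRIES * %3  ; drop the return addresses pushed by the calls above
%endmacro
```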
+; Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
; This program and the accompanying materials ; are licensed and made available under the terms and conditions of the BS= D License ; which accompanies this distribution. The full text of the license may b= e found at @@ -30,6 +30,8 @@ extern ASM_PFX(gStmSmiHandlerIdtr) %define MSR_EFER 0xc0000080 %define MSR_EFER_XD 0x800 =20 +%define RSB_STUFF_ENTRIES 0x20 + CODE_SEL equ 0x08 DATA_SEL equ 0x20 TSS_SEL equ 0x40 @@ -130,7 +132,25 @@ ASM_PFX(OnStmSetup): wrmsr =20 .71: - rsm + mov eax, RSB_STUFF_ENTRIES / 2 +@Unroll1_1: + call @Unroll2_1 +@SpecTrap1_1: + pause + lfence + jmp @SpecTrap1_1 +@Unroll2_1: + call @StuffLoop_1 +@SpecTrap2_1: + pause + lfence + jmp @SpecTrap2_1 +@StuffLoop_1: + dec eax + jnz @Unroll1_1 + add esp, RSB_STUFF_ENTRIES * 4 ; Restore the stack pointer + + rsm =20 global ASM_PFX(OnStmTeardown) ASM_PFX(OnStmTeardown): @@ -172,4 +192,22 @@ ASM_PFX(OnStmTeardown): wrmsr =20 .72: - rsm + mov eax, RSB_STUFF_ENTRIES / 2 +@Unroll1_2: + call @Unroll2_2 +@SpecTrap1_2: + pause + lfence + jmp @SpecTrap1_2 +@Unroll2_2: + call @StuffLoop_2 +@SpecTrap2_2: + pause + lfence + jmp @SpecTrap2_2 +@StuffLoop_2: + dec eax + jnz @Unroll1_2 + add esp, RSB_STUFF_ENTRIES * 4 ; Restore the stack pointer + + rsm diff --git a/UefiCpuPkg/Library/SmmCpuFeaturesLib/X64/SmiEntry.nasm b/UefiC= puPkg/Library/SmmCpuFeaturesLib/X64/SmiEntry.nasm index 90a9fd489b..0ac2318287 100644 --- a/UefiCpuPkg/Library/SmmCpuFeaturesLib/X64/SmiEntry.nasm +++ b/UefiCpuPkg/Library/SmmCpuFeaturesLib/X64/SmiEntry.nasm @@ -48,6 +48,8 @@ %define TSS_SEGMENT 0x40 %define GDT_SIZE 0x50 =20 +%define RSB_STUFF_ENTRIES 0x20 + extern ASM_PFX(SmiRendezvous) extern ASM_PFX(gStmSmiHandlerIdtr) extern ASM_PFX(CpuSmmDebugEntry) 
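Review bot: The sequence inserted at `.71:` in OnStmSetup, and the identical one at `.72:` in OnStmTeardown, writes `RSB_STUFF_ENTRIES` return addresses (0x80 bytes in this Ia32 file) below the current esp, and nothing visible in either hunk shows what esp points to on these paths or how much room is left beneath it. If the stack is established earlier in each routine the code is fine, but the requirement should be stated at the site, for example `; Needs RSB_STUFF_ENTRIES * 4 bytes of valid stack below esp`. It is also worth a comment that eax is overwritten here on purpose, e.g. `; eax is scratch: rsm reloads the interrupted context from the SMM save state`, so a later reader does not move the sequence ahead of code that still needs eax. Both routines begin outside their hunks.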
@@ -221,6 +223,24 @@ CommonHandler: wrmsr =20 .1: + mov rax, RSB_STUFF_ENTRIES / 2 +@Unroll1: + call @Unroll2 +@SpecTrap1: + pause + lfence + jmp @SpecTrap1 +@Unroll2: + call @StuffLoop +@SpecTrap2: + pause + lfence + jmp @SpecTrap2 +@StuffLoop: + dec rax + jnz @Unroll1 + add rsp, RSB_STUFF_ENTRIES * 8 ; Restore the stack pointer + rsm =20 _StmSmiHandler: diff --git a/UefiCpuPkg/Library/SmmCpuFeaturesLib/X64/SmiException.nasm b/U= efiCpuPkg/Library/SmmCpuFeaturesLib/X64/SmiException.nasm index b0ab87b0d4..53230ecf30 100644 --- a/UefiCpuPkg/Library/SmmCpuFeaturesLib/X64/SmiException.nasm +++ b/UefiCpuPkg/Library/SmmCpuFeaturesLib/X64/SmiException.nasm @@ -30,6 +30,8 @@ extern ASM_PFX(gStmSmiHandlerIdtr) %define MSR_EFER 0xc0000080 %define MSR_EFER_XD 0x800 =20 +%define RSB_STUFF_ENTRIES 0x20 + CODE_SEL equ 0x38 DATA_SEL equ 0x20 TR_SEL equ 0x40 @@ -131,7 +133,25 @@ ASM_PFX(OnStmSetup): wrmsr =20 .11: - rsm + mov rax, RSB_STUFF_ENTRIES / 2 +@Unroll1_1: + call @Unroll2_1 +@SpecTrap1_1: + pause + lfence + jmp @SpecTrap1_1 +@Unroll2_1: + call @StuffLoop_1 +@SpecTrap2_1: + pause + lfence + jmp @SpecTrap2_1 +@StuffLoop_1: + dec rax + jnz @Unroll1_1 + add rsp, RSB_STUFF_ENTRIES * 8 ; Restore the stack pointer + + rsm =20 global ASM_PFX(OnStmTeardown) ASM_PFX(OnStmTeardown): 
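Review bot: In the X64 copies the loop counter is held in a 64-bit register, `mov rax, RSB_STUFF_ENTRIES / 2` and `dec rax`, although the value never exceeds 0x10. `mov eax, RSB_STUFF_ENTRIES / 2` and `dec eax` behave identically, since a 32-bit write zero-extends into rax, and they avoid the REX.W prefix, which matters a little in handler code whose size is tracked. The same applies to the `.11:` and `.12:` sequences in X64/SmiException.nasm and to the X64 hunks of patch 2/2.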
@@ -175,4 +195,22 @@ ASM_PFX(OnStmTeardown): wrmsr =20 .12: - rsm + mov rax, RSB_STUFF_ENTRIES / 2 +@Unroll1_2: + call @Unroll2_2 +@SpecTrap1_2: + pause + lfence + jmp @SpecTrap1_2 +@Unroll2_2: + call @StuffLoop_2 +@SpecTrap2_2: + pause + lfence + jmp @SpecTrap2_2 +@StuffLoop_2: + dec rax + jnz @Unroll1_2 + add rsp, RSB_STUFF_ENTRIES * 8 ; Restore the stack pointer + + rsm --=20 2.12.0.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel From nobody Wed Jan 15 12:51:08 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org; dmarc=fail(p=none dis=none) header.from=intel.com Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1533865449919430.57253211965474; Thu, 9 Aug 2018 18:44:09 -0700 (PDT) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 2F8E2210C4DB1; Thu, 9 Aug 2018 18:44:07 -0700 (PDT) Received: from mga03.intel.com (mga03.intel.com [134.134.136.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id E6B6E210D83E0 for ; Thu, 9 Aug 2018 18:44:05 -0700 (PDT) Received: from fmsmga002.fm.intel.com ([10.253.24.26]) by orsmga103.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 09 Aug 2018 18:44:06 -0700 Received: from shwdeopenpsi014.ccr.corp.intel.com ([10.239.9.19]) by fmsmga002.fm.intel.com with ESMTP; 09 Aug 2018 18:44:01 -0700 X-Original-To: edk2-devel@lists.01.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Received-SPF: Pass (sender SPF authorized) 
identity=mailfrom; client-ip=134.134.136.65; helo=mga03.intel.com; envelope-from=hao.a.wu@intel.com; receiver=edk2-devel@lists.01.org X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.53,217,1531810800"; d="scan'208";a="75363399" From: Hao Wu To: edk2-devel@lists.01.org Date: Fri, 10 Aug 2018 09:43:48 +0800 Message-Id: <20180810014348.32036-3-hao.a.wu@intel.com> X-Mailer: git-send-email 2.12.0.windows.1 In-Reply-To: <20180810014348.32036-1-hao.a.wu@intel.com> References: <20180810014348.32036-1-hao.a.wu@intel.com> Subject: [edk2] [PATCH 2/2] UefiCpuPkg/PiSmmCpuDxeSmm: Add RSB stuffing before rsm instruction X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Hao Wu , Laszlo Ersek , Jiewen Yao , Eric Dong MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RDMRC_1 RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" System Management Interrupt (SMI) handlers can leave the Return Stack Buffer (RSB) in a state that application program or operating-system does not expect. In order to avoid RSB underflow on return from SMI, this commit will add RSB stuffing logic before instruction 'rsm'. After the stuffing, RSB entries will contain a trap like: @SpecTrap: pause lfence jmp @SpecTrap to keep the speculative execution within control. Cc: Jiewen Yao Cc: Eric Dong Cc: Laszlo Ersek Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Hao Wu --- UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.nasm | 20 +++++++++++++++++++ UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.nasm | 21 ++++++++++++++++++++ UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm | 20 +++++++++++++++++++ UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.nasm | 20 +++++++++++++++++++ 4 files changed, 81 insertions(+) 
diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.nasm b/UefiCpuPkg/PiSm= mCpuDxeSmm/Ia32/SmiEntry.nasm index 509e7a0a66..e5875353a1 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.nasm +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.nasm @@ -37,6 +37,8 @@ %define PROTECT_MODE_DS 0x20 %define TSS_SEGMENT 0x40 =20 +%define RSB_STUFF_ENTRIES 0x20 + extern ASM_PFX(SmiRendezvous) extern ASM_PFX(FeaturePcdGet (PcdCpuSmmStackGuard)) extern ASM_PFX(CpuSmmDebugEntry) @@ -204,6 +206,24 @@ ASM_PFX(SmiHandler): wrmsr =20 .7: + mov eax, RSB_STUFF_ENTRIES / 2 +@Unroll1: + call @Unroll2 +@SpecTrap1: + pause + lfence + jmp @SpecTrap1 +@Unroll2: + call @StuffLoop +@SpecTrap2: + pause + lfence + jmp @SpecTrap2 +@StuffLoop: + dec eax + jnz @Unroll1 + add esp, RSB_STUFF_ENTRIES * 4 ; Restore the stack pointer + rsm =20 ASM_PFX(gcSmiHandlerSize): DW $ - _SmiEntryPoint diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.nasm b/UefiCpuPkg/PiSmm= CpuDxeSmm/Ia32/SmmInit.nasm index 5ff3cd2e73..fd559d25cd 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.nasm +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.nasm @@ -33,6 +33,8 @@ global ASM_PFX(gcSmmInitTemplate) %define PROTECT_MODE_CS 0x8 %define PROTECT_MODE_DS 0x20 =20 +%define RSB_STUFF_ENTRIES 0x20 + SECTION .text =20 ASM_PFX(gcSmiInitGdtr): @@ -75,6 +77,25 @@ BITS 32 mov esp, strict dword 0 ; source operand will be patched ASM_PFX(gPatchSmmInitStack): call ASM_PFX(SmmInitHandler) + + mov eax, RSB_STUFF_ENTRIES / 2 +@Unroll1: + call @Unroll2 +@SpecTrap1: + pause + lfence + jmp @SpecTrap1 +@Unroll2: + call @StuffLoop +@SpecTrap2: + pause + lfence + jmp @SpecTrap2 +@StuffLoop: + dec eax + jnz @Unroll1 + add esp, RSB_STUFF_ENTRIES * 4 ; Restore the stack pointer + rsm =20 BITS 16 diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm b/UefiCpuPkg/PiSmm= CpuDxeSmm/X64/SmiEntry.nasm index 97c7b01d0d..b955fa1cf1 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm 
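Review bot: The stuffing added after `.7:` in Ia32/SmiEntry.nasm sits inside the region measured by `gcSmiHandlerSize` (`$ - _SmiEntryPoint` on the line following `rsm`), so it becomes part of whatever consumes that size. If the handler image is copied to another address before it runs, which the size word suggests but the hunk does not show, the sequence works only because both `call`s and both `jmp`s are relative. I would record that next to the code, e.g. `; RSB stuffing: relative call/jmp only, this code is relocated with the handler`, so a later change does not introduce an absolute target. In Ia32/SmmInit.nasm the same sequence follows `call ASM_PFX(SmmInitHandler)` and reuses the patched `esp`; the comment about needing `RSB_STUFF_ENTRIES * 4` bytes of stack below esp applies there too.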
@@ -48,6 +48,8 @@ %define TSS_SEGMENT 0x40 %define GDT_SIZE 0x50 =20 +%define RSB_STUFF_ENTRIES 0x20 + extern ASM_PFX(SmiRendezvous) extern ASM_PFX(gSmiHandlerIdtr) extern ASM_PFX(CpuSmmDebugEntry) @@ -217,6 +219,24 @@ _SmiHandler: wrmsr =20 .1: + mov rax, RSB_STUFF_ENTRIES / 2 +@Unroll1: + call @Unroll2 +@SpecTrap1: + pause + lfence + jmp @SpecTrap1 +@Unroll2: + call @StuffLoop +@SpecTrap2: + pause + lfence + jmp @SpecTrap2 +@StuffLoop: + dec rax + jnz @Unroll1 + add rsp, RSB_STUFF_ENTRIES * 8 ; Restore the stack pointer + rsm =20 ASM_PFX(gcSmiHandlerSize) DW $ - _SmiEntryPoint diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.nasm b/UefiCpuPkg/PiSmmC= puDxeSmm/X64/SmmInit.nasm index 0b0c3f28e5..bff14e809b 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.nasm +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.nasm @@ -34,6 +34,8 @@ global ASM_PFX(gPatchSmmRelocationOriginalAddressPtr32) =20 %define LONG_MODE_CS 0x38 =20 +%define RSB_STUFF_ENTRIES 0x20 + DEFAULT REL SECTION .text =20 @@ -101,6 +103,24 @@ ASM_PFX(gPatchSmmInitStack): movdqa xmm4, [rsp + 0x40] movdqa xmm5, [rsp + 0x50] =20 + mov rax, RSB_STUFF_ENTRIES / 2 +@Unroll1: + call @Unroll2 +@SpecTrap1: + pause + lfence + jmp @SpecTrap1 +@Unroll2: + call @StuffLoop +@SpecTrap2: + pause + lfence + jmp @SpecTrap2 +@StuffLoop: + dec rax + jnz @Unroll1 + add rsp, RSB_STUFF_ENTRIES * 8 ; Restore the stack pointer + rsm =20 BITS 16 --=20 2.12.0.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel