From nobody Thu Apr 18 11:05:43 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org; dmarc=fail(p=none dis=none) header.from=intel.com Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1533865449919430.57253211965474; Thu, 9 Aug 2018 18:44:09 -0700 (PDT) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 2F8E2210C4DB1; Thu, 9 Aug 2018 18:44:07 -0700 (PDT) Received: from mga03.intel.com (mga03.intel.com [134.134.136.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id E6B6E210D83E0 for ; Thu, 9 Aug 2018 18:44:05 -0700 (PDT) Received: from fmsmga002.fm.intel.com ([10.253.24.26]) by orsmga103.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 09 Aug 2018 18:44:06 -0700 Received: from shwdeopenpsi014.ccr.corp.intel.com ([10.239.9.19]) by fmsmga002.fm.intel.com with ESMTP; 09 Aug 2018 18:44:01 -0700 X-Original-To: edk2-devel@lists.01.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=134.134.136.65; helo=mga03.intel.com; envelope-from=hao.a.wu@intel.com; receiver=edk2-devel@lists.01.org X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.53,217,1531810800"; d="scan'208";a="75363399" 
From: Hao Wu To: edk2-devel@lists.01.org Date: Fri, 10 Aug 2018 09:43:48 +0800 Message-Id: <20180810014348.32036-3-hao.a.wu@intel.com> X-Mailer: git-send-email 2.12.0.windows.1 In-Reply-To: <20180810014348.32036-1-hao.a.wu@intel.com> References: <20180810014348.32036-1-hao.a.wu@intel.com> Subject: [edk2] [PATCH 2/2] UefiCpuPkg/PiSmmCpuDxeSmm: Add RSB stuffing before rsm instruction X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Hao Wu , Laszlo Ersek , Jiewen Yao , Eric Dong MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RDMRC_1 RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" System Management Interrupt (SMI) handlers can leave the Return Stack Buffer (RSB) in a state that application program or operating-system does not expect. In order to avoid RSB underflow on return from SMI, this commit will add RSB stuffing logic before instruction 'rsm'. After the stuffing, RSB entries will contain a trap like: @SpecTrap: pause lfence jmp @SpecTrap to keep the speculative execution within control. Cc: Jiewen Yao Cc: Eric Dong Cc: Laszlo Ersek Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Hao Wu --- UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.nasm | 20 +++++++++++++++++++ UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.nasm | 21 ++++++++++++++++++++ UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm | 20 +++++++++++++++++++ UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.nasm | 20 +++++++++++++++++++ 4 files changed, 81 insertions(+) diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.nasm b/UefiCpuPkg/PiSm= mCpuDxeSmm/Ia32/SmiEntry.nasm index 509e7a0a66..e5875353a1 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.nasm +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmiEntry.nasm 
@@ -37,6 +37,8 @@
 %define PROTECT_MODE_DS 0x20
 %define TSS_SEGMENT 0x40
 =20
+%define RSB_STUFF_ENTRIES 0x20
+
 extern ASM_PFX(SmiRendezvous)
 extern ASM_PFX(FeaturePcdGet (PcdCpuSmmStackGuard))
 extern ASM_PFX(CpuSmmDebugEntry)
@@ -204,6 +206,24 @@ ASM_PFX(SmiHandler):
 wrmsr
 =20
 .7:
+ mov eax, RSB_STUFF_ENTRIES / 2
+@Unroll1:
+ call @Unroll2
+@SpecTrap1:
+ pause
+ lfence
+ jmp @SpecTrap1
+@Unroll2:
+ call @StuffLoop
+@SpecTrap2:
+ pause
+ lfence
+ jmp @SpecTrap2
+@StuffLoop:
+ dec eax
+ jnz @Unroll1
+ add esp, RSB_STUFF_ENTRIES * 4 ; Restore the stack pointer
+
 rsm
 =20
 ASM_PFX(gcSmiHandlerSize): DW $ - _SmiEntryPoint
diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.nasm b/UefiCpuPkg/PiSmm= CpuDxeSmm/Ia32/SmmInit.nasm
index 5ff3cd2e73..fd559d25cd 100644
--- a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.nasm
+++ b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/SmmInit.nasm
@@ -33,6 +33,8 @@ global ASM_PFX(gcSmmInitTemplate)
 %define PROTECT_MODE_CS 0x8
 %define PROTECT_MODE_DS 0x20
 =20
+%define RSB_STUFF_ENTRIES 0x20
+
 SECTION .text
 =20
 ASM_PFX(gcSmiInitGdtr):
@@ -75,6 +77,25 @@ BITS 32
 mov esp, strict dword 0 ; source operand will be patched
 ASM_PFX(gPatchSmmInitStack):
 call ASM_PFX(SmmInitHandler)
+
+ mov eax, RSB_STUFF_ENTRIES / 2
+@Unroll1:
+ call @Unroll2
+@SpecTrap1:
+ pause
+ lfence
+ jmp @SpecTrap1
+@Unroll2:
+ call @StuffLoop
+@SpecTrap2:
+ pause
+ lfence
+ jmp @SpecTrap2
+@StuffLoop:
+ dec eax
+ jnz @Unroll1
+ add esp, RSB_STUFF_ENTRIES * 4 ; Restore the stack pointer
+
 rsm
 =20
 BITS 16
diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm b/UefiCpuPkg/PiSmm= CpuDxeSmm/X64/SmiEntry.nasm
index 97c7b01d0d..b955fa1cf1 100644
--- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
+++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
@@ -48,6 +48,8 @@
 %define TSS_SEGMENT 0x40
 %define GDT_SIZE 0x50
 =20
+%define RSB_STUFF_ENTRIES 0x20
+
 extern ASM_PFX(SmiRendezvous)
 extern ASM_PFX(gSmiHandlerIdtr)
 extern ASM_PFX(CpuSmmDebugEntry)
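Review bot: The stuffing sequence and the `RSB_STUFF_ENTRIES` define are pasted verbatim into Ia32/SmiEntry.nasm, Ia32/SmmInit.nasm, X64/SmiEntry.nasm and X64/SmmInit.nasm (the other three code hunks of this patch), so the entry count, the trap body and the matching `add esp/rsp` restore can drift independently; a NASM macro in a shared include, written with `%%`-local labels, would keep them in one place and would also drop the non-local `@Unroll1`/`@SpecTrap1`/`@Unroll2`/`@SpecTrap2`/`@StuffLoop` names, which NASM would reject as duplicates if the block were ever emitted twice in one file and which end the scope of the preceding `.7:`-style local labels for anything that follows them. The block carries no comment stating the invariant that makes the restore correct: each iteration of the loop executes two `call`s, so `RSB_STUFF_ENTRIES / 2` iterations push exactly `RSB_STUFF_ENTRIES` return addresses, which is what `add esp, RSB_STUFF_ENTRIES * 4` (`* 8` on X64) discards. I would put `; Fill the RSB with RSB_STUFF_ENTRIES return addresses that resolve to a pause/lfence spin trap; each iteration issues two calls, so the loop runs RSB_STUFF_ENTRIES / 2 times and the add below pops the pushed return addresses.` above the `mov`, and `; RSB entries to fill before rsm; the stuffing needs RSB_STUFF_ENTRIES * 4 (IA32) / * 8 (X64) bytes of free stack below the stack pointer` on the define. That stack requirement (128 bytes on IA32, 256 on X64) holds for the SMM stack on the SmiHandler path as far as the hunk shows, but it is worth confirming on the SmmInit path, where the stack pointer is a patched-in value (`gPatchSmmInitStack`) and the hunk does not show how large that stack is.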
@@ -217,6 +219,24 @@ _SmiHandler:
 wrmsr
 =20
 .1:
+ mov rax, RSB_STUFF_ENTRIES / 2
+@Unroll1:
+ call @Unroll2
+@SpecTrap1:
+ pause
+ lfence
+ jmp @SpecTrap1
+@Unroll2:
+ call @StuffLoop
+@SpecTrap2:
+ pause
+ lfence
+ jmp @SpecTrap2
+@StuffLoop:
+ dec rax
+ jnz @Unroll1
+ add rsp, RSB_STUFF_ENTRIES * 8 ; Restore the stack pointer
+
 rsm
 =20
 ASM_PFX(gcSmiHandlerSize) DW $ - _SmiEntryPoint
diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.nasm b/UefiCpuPkg/PiSmmC= puDxeSmm/X64/SmmInit.nasm
index 0b0c3f28e5..bff14e809b 100644
--- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.nasm
+++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmInit.nasm
@@ -34,6 +34,8 @@ global ASM_PFX(gPatchSmmRelocationOriginalAddressPtr32)
 =20
 %define LONG_MODE_CS 0x38
 =20
+%define RSB_STUFF_ENTRIES 0x20
+
 DEFAULT REL
 SECTION .text
 =20
@@ -101,6 +103,24 @@ ASM_PFX(gPatchSmmInitStack):
 movdqa xmm4, [rsp + 0x40]
 movdqa xmm5, [rsp + 0x50]
 =20
+ mov rax, RSB_STUFF_ENTRIES / 2
+@Unroll1:
+ call @Unroll2
+@SpecTrap1:
+ pause
+ lfence
+ jmp @SpecTrap1
+@Unroll2:
+ call @StuffLoop
+@SpecTrap2:
+ pause
+ lfence
+ jmp @SpecTrap2
+@StuffLoop:
+ dec rax
+ jnz @Unroll1
+ add rsp, RSB_STUFF_ENTRIES * 8 ; Restore the stack pointer
+
 rsm
 =20
 BITS 16
--=20
2.12.0.windows.1
_______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel