Reviewed-by: Eric Dong <eric.d...@intel.com> > -----Original Message----- > From: Ni, Ray > Sent: Monday, August 26, 2019 6:45 AM > To: devel@edk2.groups.io > Cc: Dong, Eric <eric.d...@intel.com>; Yao, Jiewen <jiewen....@intel.com>; > Laszlo Ersek <ler...@redhat.com> > Subject: [PATCH 3/5] UefiCpuPkg/PiSmmCpu: Restrict access per > PcdCpuSmmRestrictedMemoryAccess > > Today's behavior is to always restrict access to non-SMRAM regardless of the > value of PcdCpuSmmRestrictedMemoryAccess. > > Because RAS components require to access all non-SMRAM memory, the > patch changes the code logic to honor PcdCpuSmmRestrictedMemoryAccess > so that only when the PCD is true, the restriction takes effect and page table > memory is also protected. > > Because IA32 build doesn't reference this PCD, such restriction always takes > effect in IA32 build. > > Signed-off-by: Ray Ni <ray...@intel.com> > Cc: Eric Dong <eric.d...@intel.com> > Cc: Jiewen Yao <jiewen....@intel.com> > Cc: Laszlo Ersek <ler...@redhat.com> > --- > UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/PageTbl.c | 14 ++++++++++++++ > UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c | 18 ++++++++++-------- > UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h | 11 +++++++++++ > UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c | 14 ++++++++++++++ > 4 files changed, 49 insertions(+), 8 deletions(-) > > diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/PageTbl.c > b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/PageTbl.c > index 05fb455936..f891a81112 100644 > --- a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/PageTbl.c > +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/PageTbl.c > @@ -336,3 +336,17 @@ RestoreCr2 ( > { > return ; > } > + > +/** > + Return whether access to non-SMRAM is restricted. > + > + @retval TRUE Access to non-SMRAM is restricted. > + @retval FALSE Access to non-SMRAM is not restricted. > +*/ > +BOOLEAN > +IsRestrictedMemoryAccess ( > + VOID > + ) > +{ > + return TRUE; > +} 
> diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c > b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c > index 69a04dfb23..723fd5042f 100644 > --- a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c > +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c > @@ -1431,15 +1431,17 @@ PerformRemainingTasks ( > // > SetMemMapAttributes (); > > - // > - // For outside SMRAM, we only map SMM communication buffer or MMIO. > - // > - SetUefiMemMapAttributes (); > + if (IsRestrictedMemoryAccess ()) { > + // > + // For outside SMRAM, we only map SMM communication buffer or MMIO. > + // > + SetUefiMemMapAttributes (); > > - // > - // Set page table itself to be read-only > - // > - SetPageTableAttributes (); > + // > + // Set page table itself to be read-only > + // > + SetPageTableAttributes (); > + } > > // > // Configure SMM Code Access Check feature if available. > diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h > b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h > index 8c29f1a558..daf977f654 100644 > --- a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h > +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h > @@ -1450,4 +1450,15 @@ InitializeDataForMmMp ( > VOID > ); > > +/** > + Return whether access to non-SMRAM is restricted. > + > + @retval TRUE Access to non-SMRAM is restricted. > + @retval FALSE Access to non-SMRAM is not restricted. > +*/ > +BOOLEAN > +IsRestrictedMemoryAccess ( > + VOID > + ); > + > #endif > diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c > b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c > index 7516f35055..733d107efd 100644 > --- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c > +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c 
> @@ -1252,3 +1252,17 @@ RestoreCr2 ( > AsmWriteCr2 (Cr2); > } > } > + > +/** > + Return whether access to non-SMRAM is restricted. > + > + @retval TRUE Access to non-SMRAM is restricted. > + @retval FALSE Access to non-SMRAM is not restricted. > +*/ > +BOOLEAN > +IsRestrictedMemoryAccess ( > + VOID > + ) > +{ > + return mCpuSmmRestrictedMemoryAccess; } > -- > 2.21.0.windows.1
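Review bot: In the Ia32/PageTbl.c hunk, IsRestrictedMemoryAccess() returns TRUE unconditionally, yet its header comment only repeats the generic TRUE/FALSE description. The commit message explains that the IA32 build does not reference PcdCpuSmmRestrictedMemoryAccess; that sentence belongs in the function header too, so a reader of the IA32 file can see that the FALSE return is never produced here and that changing the PCD has no effect in this build.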
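Review bot: In the PerformRemainingTasks() hunk of PiSmmCpuDxeSmm.c, SetPageTableAttributes() is moved under the new "if (IsRestrictedMemoryAccess ())" together with SetUefiMemMapAttributes(), so when the function returns FALSE the page table is no longer set read-only, in addition to the non-SMRAM mapping restriction being skipped. The code at this point does not say so. Suggest a comment on the "if" stating that both protections are skipped when access is unrestricted and why page table protection is tied to the same switch, so the security trade-off is visible at the call site and not only in the commit message.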
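Review bot: In the X64/PageTbl.c hunk, IsRestrictedMemoryAccess() returns mCpuSmmRestrictedMemoryAccess, which is neither declared nor assigned in any hunk shown in this patch. The header comment should state that the value reflects PcdCpuSmmRestrictedMemoryAccess and where it is initialised, because PerformRemainingTasks() now depends on it being set before it runs; if the variable is introduced elsewhere in the series, a short pointer to that in the comment would be enough.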