On S3 path, we may transfer to long mode (if DXE is long mode) to restore CPU contexts with CR3 = SmmS3Cr3 (in SMM). AP will execute hlt-loop after CPU contexts restoration. Once one NMI or SMI happens, APs may exit from hlt state and execute the instruction after HLT instruction. If APs are running on long mode, page table is required to fetch the instruction. However, CR3 pointer to page table in SMM. APs will crash.
This fix is to disable long mode on APs and transfer to 32bit protected mode to execute hlt-loop. Then CR3 and page table will no longer be required. https://bugzilla.tianocore.org/show_bug.cgi?id=216 Reported-by: Laszlo Ersek <ler...@redhat.com> Analyzed-by: Paolo Bonzini <pbonz...@redhat.com> Analyzed-by: Laszlo Ersek <ler...@redhat.com> Cc: Laszlo Ersek <ler...@redhat.com> Cc: Paolo Bonzini <pbonz...@redhat.com> Cc: Jiewen Yao <jiewen....@intel.com> Cc: Michael D Kinney <michael.d.kin...@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jeff Fan <jeff....@intel.com> --- UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c | 42 ++++++++++++++++++++++++---- 1 file changed, 37 insertions(+), 5 deletions(-) diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c index bd465c7..62338b7 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c @@ -70,6 +70,37 @@ InitGdt ( } /** + Get Protected mode code segment from current GDT table. + + @return Protected mode code segment value. +**/ +UINT16 +GetProtectedModeCS ( + VOID + ) +{ + IA32_DESCRIPTOR GdtrDesc; + IA32_SEGMENT_DESCRIPTOR *GdtEntry; + UINTN GdtEntryCount; + UINT16 Index; + + Index = (UINT16) -1; + AsmReadGdtr (&GdtrDesc); + GdtEntryCount = (GdtrDesc.Limit + 1) / sizeof (IA32_SEGMENT_DESCRIPTOR); + GdtEntry = (IA32_SEGMENT_DESCRIPTOR *) GdtrDesc.Base; + for (Index = 0; Index < GdtEntryCount; Index++) { + if (GdtEntry->Bits.L == 0) { + if (GdtEntry->Bits.Type > 8 && GdtEntry->Bits.L == 0) { + break; + } + } + GdtEntry++; + } + ASSERT (Index != -1); + return Index * 8; +} + +/** Transfer AP to safe hlt-loop after it finished restore CPU features on S3 patch. @param[in] ApHltLoopCode The 32-bit address of the safe hlt-loop function. @@ -82,11 +113,12 @@ TransferApToSafeState ( IN UINT32 TopOfStack ) { - SwitchStack ( - (SWITCH_STACK_ENTRY_POINT) (UINTN) ApHltLoopCode, - NULL, - NULL, - (VOID *) (UINTN) TopOfStack + AsmDisablePaging64 ( + GetProtectedModeCS (), + (UINT32) (UINTN) ApHltLoopCode, + 0, + 0, + TopOfStack ); // // It should never reach here -- 2.9.3.windows.2 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
