> -----Original Message----- > From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Laszlo > Ersek > Sent: Wednesday, September 26, 2018 4:57 AM > To: Wu, Hao A; edk2-devel@lists.01.org > Cc: Kinney, Michael D; Zeng, Star; Yao, Jiewen; Dong, Eric; Gao, Liming > Subject: Re: [edk2] [PATCH v2 0/5] [CVE-2017-5753] Bounds Check Bypass issue > in SMI handlers > > On 09/25/18 22:51, Laszlo Ersek wrote: > > On 09/25/18 08:12, Hao Wu wrote: > >> V2 changes: > >> A. Rename the newly introduced BaseLib API to 'AsmLfence', and makes it > >> IA32/X64 specific. > >> > >> B. Add brief comments before calls of the AsmLfence() to state the > >> purpose. > >> > >> C. Refine the patch for Variable/RuntimeDxe driver and make the change > >> focus on the SMM code. > >> > >> V1 history: > >> The series aims to mitigate the Bounds Check Bypass (CVE-2017-5753) > issues > >> within SMI handlers. > >> > >> A more detailed explanation of the purpose of the series is under the > >> 'Bounds check bypass mitigation' section of the below link: > >> https://software.intel.com/security-software-guidance/insights/host- > firmware-speculative-execution-side-channel-mitigation > >> > >> And the document at: > >> https://software.intel.com/security-software-guidance/api- > app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass- > vulnerabilities.pdf > >> > >> Cc: Ard Biesheuvel <ard.biesheu...@linaro.org> > >> Cc: Leif Lindholm <leif.lindh...@linaro.org> > >> Cc: Laszlo Ersek <ler...@redhat.com> > >> Cc: Jiewen Yao <jiewen....@intel.com> > >> Cc: Michael D Kinney <michael.d.kin...@intel.com> > >> Cc: Liming Gao <liming....@intel.com> > >> Cc: Star Zeng <star.z...@intel.com> > >> Cc: Eric Dong <eric.d...@intel.com> > >> > >> Hao Wu (5): > >> MdePkg/BaseLib: Add new AsmLfence API > >> MdeModulePkg/FaultTolerantWrite:[CVE-2017-5753]Fix bounds check > bypass > >> MdeModulePkg/SmmLockBox: [CVE-2017-5753] Fix bounds check bypass > >> MdeModulePkg/Variable: [CVE-2017-5753] Fix bounds check bypass > >> UefiCpuPkg/PiSmmCpuDxeSmm: [CVE-2017-5753] Fix bounds check bypass > >> > >> > MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c | > 7 ++++ > >> > MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.inf > | 1 + > >> MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c > | 10 ++++++ > >> MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceDxe.c | > 31 ++++++++++++++++ > >> MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceSmm.c > | 30 ++++++++++++++++ > >> MdeModulePkg/Universal/Variable/RuntimeDxe/PrivilegePolymorphic.h > | 13 ++++++- > >> MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c | > >> 6 > ++++ > >> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf > | 1 + > >> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c | > 18 ++++++++++ > >> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf | > 1 + > >> MdePkg/Include/Library/BaseLib.h | > >> 13 +++++++ > >> MdePkg/Library/BaseLib/BaseLib.inf | > >> 2 ++ > >> MdePkg/Library/BaseLib/Ia32/Lfence.nasm | > >> 37 > +++++++++++++++++++ > >> MdePkg/Library/BaseLib/X64/Lfence.nasm | > >> 38 > ++++++++++++++++++++ > >> UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c | > >> 5 > +++ > >> 15 files changed, 212 insertions(+), 1 deletion(-) > >> create mode 100644 > MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceDxe.c > >> create mode 100644 > MdeModulePkg/Universal/Variable/RuntimeDxe/LoadFenceSmm.c > >> create mode 100644 MdePkg/Library/BaseLib/Ia32/Lfence.nasm > >> create mode 100644 MdePkg/Library/BaseLib/X64/Lfence.nasm > >> > > > > I regression-tested this series using: > > > > (1) roughly the Linux guest steps from > > <https://github.com/tianocore/tianocore.github.io/wiki/Testing-SMM-with- > QEMU,-KVM-and-libvirt#tests-to-perform-in-the-installed-guest-fedora-26- > guest>. > > > > > > Those steps cover all of the SMM variable driver, the SMM FTW driver, > > the SMM lockbox, and PiSmmCpuDxeSmm. > > > > (2) For briefly checking the runtime (non-SMM) variable driver, I booted > > Fedora guests on X64 OVMF and AARCH64 ArmVirtQemu, and invoked > > "efibootmgr -v". > > > > series > > Regression-tested-by: Laszlo Ersek <ler...@redhat.com> > > It's been a long day. I meant to describe another detail of the test > environment: > > Because of the regression reported at > <https://bugzilla.tianocore.org/show_bug.cgi?id=1207>, OVMF is currently > unbootable. Therefore I first applied my fix from > <https://bugzilla.tianocore.org/show_bug.cgi?id=1207#c2> on top of > current master (3cb0a311cb7e). I applied this series of yours for > regression testing on top of my fix.
Hi Laszlo, Really appreciate the help for the regression tests. I will document the those regression tests (also with the details) within the BZ trackers: https://bugzilla.tianocore.org/show_bug.cgi?id=1193 https://bugzilla.tianocore.org/show_bug.cgi?id=1194 Best Regards, Hao Wu > > Thanks > Laszlo > _______________________________________________ > edk2-devel mailing list > edk2-devel@lists.01.org > https://lists.01.org/mailman/listinfo/edk2-devel _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel