Guomin,
> -----Original Message-----
> From: Jiang, Guomin <guomin.ji...@intel.com>
> Sent: Thursday, July 09, 2020 9:57 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.w...@intel.com>; Wu, Hao A <hao.a...@intel.com>; Laszlo Ersek <ler...@redhat.com>
> Subject: [PATCH v5 1/9] MdeModulePkg: Add new PCD to control the evacuate temporary memory feature (CVE-2019-11098)
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1614
>
> The security researcher found that we can get control after NEM is disabled.
>
> The reason is that the flash content resides in NEM at startup and the code will get the content from flash directly after NEM is disabled.
>
> To avoid this vulnerability, the feature will copy the PEIMs from temporary memory to permanent memory and only execute the code in permanent memory.
>
> The vulnerability exists in physical platforms and hasn't been reported in virtual platforms, so the virtual platforms can disable the feature currently.
>
> Cc: Jian J Wang <jian.j.w...@intel.com>
> Cc: Hao A Wu <hao.a...@intel.com>
> Signed-off-by: Guomin Jiang <guomin.ji...@intel.com>
> Acked-by: Laszlo Ersek <ler...@redhat.com>
> ---
>  MdeModulePkg/MdeModulePkg.dec | 7 +++++++
>  MdeModulePkg/MdeModulePkg.uni | 6 ++++++
>  2 files changed, 13 insertions(+)
>
> diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
> index 843e963ad34b..16db17d0a873 100644
> --- a/MdeModulePkg/MdeModulePkg.dec
> +++ b/MdeModulePkg/MdeModulePkg.dec
> @@ -1220,6 +1220,13 @@ [PcdsFixedAtBuild, PcdsPatchableInModule] > # @Prompt Shadow Peim and PeiCore on boot > > gEfiMdeModulePkgTokenSpaceGuid.PcdShadowPeimOnBoot|TRUE|BOOLEAN| > 0x30001029 > > + ## Enable the feature that evacuate temporary memory to permanent > memory or not > + # Set FALSE as default, if the developer need this feature to avoid this > vulnerability, please > + # enable it in dsc file. > + # TRUE - Evacuate temporary memory, the actions include copy memory, > convert PPI pointers and so on. > + # FALSE - Do nothing, for example, no copy memory, no convert PPI pointers > and so on. Missing @Prompt tag here. With it addressed, Reviewed-by: Jian J Wang <jian.j.w...@intel.com> Regards, Jian > + > gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolum > es|FALSE|BOOLEAN|0x3000102A > + > ## The mask is used to control memory profile behavior.<BR><BR> > # BIT0 - Enable UEFI memory profile.<BR> > # BIT1 - Enable SMRAM profile.<BR> > diff --git a/MdeModulePkg/MdeModulePkg.uni > b/MdeModulePkg/MdeModulePkg.uni > index 2007e0596c4f..5235dee561ad 100644 > --- a/MdeModulePkg/MdeModulePkg.uni > +++ b/MdeModulePkg/MdeModulePkg.uni 
> @@ -214,6 +214,12 @@ > > "TRUE - Shadow PEIM on S3 > boot path after memory is ready.<BR>\n" > > "FALSE - Not shadow PEIM on > S3 boot path after memory is ready.<BR>" > > +#string > STR_gEfiMdeModulePkgTokenSpaceGuid_PcdMigrateTemporaryRamFirmwareV > olumes_HELP #language en-US "Enable the feature that evacuate temporary > memory to permanent memory or not.<BR><BR>\n" > + > "It will allocate page to > save the temporary PEIMs resided in NEM(or CAR) to the permanent memory > and change all pointers pointed to the NEM(or CAR) to permanent > memory.<BR><BR>\n" > + > "After then, there are > no pointer pointed to NEM(or CAR) and TOCTOU volnerability can be > avoid.<BR><BR>\n" > + > +#string > STR_gEfiMdeModulePkgTokenSpaceGuid_PcdMigrateTemporaryRamFirmwareV > olumes_PROMPT #language en-US "Enable the feature that evacuate temporary > memory to permanent memory or not" > + > #string > STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiDefaultOemId_PROMPT > #language en-US "Default OEM ID for ACPI table creation" > > #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiDefaultOemId_HELP > #language en-US "Default OEM ID for ACPI table creation, its length must be > 0x6 > bytes to follow ACPI specification." > -- > 2.25.1.windows.1
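Review bot: The new PcdMigrateTemporaryRamFirmwareVolumes entry in the MdeModulePkg.dec hunk has no `# @Prompt` line, unlike PcdShadowPeimOnBoot directly above it (`# @Prompt Shadow Peim and PeiCore on boot`), even though the MdeModulePkg.uni hunk adds a matching `..._PROMPT` string; add `# @Prompt Enable the feature that evacuate temporary memory to permanent memory or not` immediately before the `gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes|FALSE|BOOLEAN|0x3000102A` line so the .dec and .uni stay consistent and the PCD shows up in the generated documentation like its neighbours. The comment text itself also needs a pass: "if the developer need this feature to avoid this vulnerability, please enable it in dsc file" reads better as "If a platform needs this mitigation, enable it in the platform DSC", and it would help integrators to name the CVE from the subject line (CVE-2019-11098) in the comment, since the default of FALSE means the mitigation is off unless someone knowingly opts in.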
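Review bot: Typo and grammar in the new `..._HELP` string of the MdeModulePkg.uni hunk: "volnerability" should be "vulnerability", "It will allocate page" should be "It will allocate pages", and "After then, there are no pointer pointed to NEM(or CAR) and TOCTOU volnerability can be avoid" reads better as "After that, no pointer refers to NEM (or CAR), so the TOCTOU vulnerability is avoided". This text is what platform integrators see as the PCD help, so it should also use the same wording as the .dec comment: the .dec says "convert PPI pointers" while the .uni says "change all pointers pointed to the NEM(or CAR)"; pick one description of what is migrated and use it in both files.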