Guomin,
> -----Original Message----- > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Guomin > Jiang > Sent: Monday, July 20, 2020 7:30 PM > To: devel@edk2.groups.io > Cc: Wang, Jian J <jian.j.w...@intel.com>; Wu, Hao A <hao.a...@intel.com>; > Laszlo Ersek <ler...@redhat.com> > Subject: [edk2-devel] [PATCH v6 01/10] MdeModulePkg: Add new PCD to > control the evacuate temporary memory feature (CVE-2019-11098) > > REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614 > > The security researcher found that we can get control after NEM is disabled. > > The reason is that the flash content resides in NEM at startup and the > code will get the content from flash directly after NEM is disabled. > > To avoid this vulnerability, the feature will copy the PEIMs from > temporary memory to permanent memory and only execute the code in > permanent memory. > > The vulnerability exists on physical platforms and hasn't been reported on > virtual platforms, so virtual platforms can disable the feature currently. > > Cc: Jian J Wang <jian.j.w...@intel.com> > Cc: Hao A Wu <hao.a...@intel.com> > Signed-off-by: Guomin Jiang <guomin.ji...@intel.com> > Acked-by: Laszlo Ersek <ler...@redhat.com> > Reviewed-by: Jian J Wang <jian.j.w...@intel.com> > --- > MdeModulePkg/MdeModulePkg.dec | 8 ++++++++ > MdeModulePkg/MdeModulePkg.uni | 6 ++++++ > 2 files changed, 14 insertions(+) > > diff --git a/MdeModulePkg/MdeModulePkg.dec > b/MdeModulePkg/MdeModulePkg.dec > index 843e963ad34b..e88f22756d7f 100644 > --- a/MdeModulePkg/MdeModulePkg.dec > +++ b/MdeModulePkg/MdeModulePkg.dec
> @@ -1220,6 +1220,14 @@ [PcdsFixedAtBuild, PcdsPatchableInModule] > # @Prompt Shadow Peim and PeiCore on boot > > gEfiMdeModulePkgTokenSpaceGuid.PcdShadowPeimOnBoot|TRUE|BOOLEAN| > 0x30001029 > > + ## Enable the feature that evacuate temporary memory to permanent > memory or not > + # Set FALSE as default, if the developer need this feature to avoid this > vulnerability, please > + # enable it in dsc file. According to the code change in v6 (PeiMain.c), PcdShadowPeimOnBoot must not be TRUE when this PCD is TRUE. Please also add description here. It's ok not to send a v7 but please do include it before push. There's already r-b for this patch. Let's still keep it. Regards, Jian > + # TRUE - Evacuate temporary memory, the actions include copy memory, > convert PPI pointers and so on. > + # FALSE - Do nothing, for example, no copy memory, no convert PPI pointers > and so on. > + # @Prompt Evacuate temporary memory to permanent memory > + > gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolum > es|FALSE|BOOLEAN|0x3000102A > + > ## The mask is used to control memory profile behavior.<BR><BR> > # BIT0 - Enable UEFI memory profile.<BR> > # BIT1 - Enable SMRAM profile.<BR> > diff --git a/MdeModulePkg/MdeModulePkg.uni > b/MdeModulePkg/MdeModulePkg.uni > index 2007e0596c4f..5235dee561ad 100644 > --- a/MdeModulePkg/MdeModulePkg.uni > +++ b/MdeModulePkg/MdeModulePkg.uni 
> @@ -214,6 +214,12 @@ > > "TRUE - Shadow PEIM on S3 > boot path after memory is ready.<BR>\n" > > "FALSE - Not shadow PEIM on > S3 boot path after memory is ready.<BR>" > > +#string > STR_gEfiMdeModulePkgTokenSpaceGuid_PcdMigrateTemporaryRamFirmwareV > olumes_HELP #language en-US "Enable the feature that evacuate temporary > memory to permanent memory or not.<BR><BR>\n" > + > "It will allocate page to > save the temporary PEIMs resided in NEM(or CAR) to the permanent memory > and change all pointers pointed to the NEM(or CAR) to permanent > memory.<BR><BR>\n" > + > "After then, there are > no pointer pointed to NEM(or CAR) and TOCTOU volnerability can be > avoid.<BR><BR>\n" > + > +#string > STR_gEfiMdeModulePkgTokenSpaceGuid_PcdMigrateTemporaryRamFirmwareV > olumes_PROMPT #language en-US "Enable the feature that evacuate temporary > memory to permanent memory or not" > + > #string > STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiDefaultOemId_PROMPT > #language en-US "Default OEM ID for ACPI table creation" > > #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiDefaultOemId_HELP > #language en-US "Default OEM ID for ACPI table creation, its length must be > 0x6 > bytes to follow ACPI specification." > -- > 2.25.1.windows.1
View/Reply Online (#63048): https://edk2.groups.io/g/devel/message/63048
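Review bot: in the MdeModulePkg.dec hunk, the comment block for PcdMigrateTemporaryRamFirmwareVolumes leaves the CVE-2019-11098 mitigation opt-in (`|FALSE|` default) without naming which platforms must enable it, and, as Jian points out above, without stating that PcdShadowPeimOnBoot must not be TRUE when this PCD is TRUE. Suggest replacing the vague "the actions include copy memory, convert PPI pointers and so on" with the concrete effect and the dependency, along the lines of "# TRUE - Copy PEIMs from temporary RAM (NEM/CAR) to permanent memory and convert PPI pointers to the copies; requires PcdShadowPeimOnBoot = FALSE. Physical platforms affected by CVE-2019-11098 should enable this in their DSC." The grammar of "if the developer need this feature to avoid this vulnerability, please enable it in dsc file" should be cleaned up in the same pass.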
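Review bot: in the MdeModulePkg.uni hunk, the _HELP string misspells "vulnerability" as "volnerability" and has several grammar slips in user-visible text ("It will allocate page to save the temporary PEIMs resided in", "there are no pointer pointed to", "can be avoid"). Suggest "It allocates pages to copy the PEIMs residing in NEM (or CAR) to permanent memory and changes all pointers that pointed into NEM (or CAR) to point to permanent memory.<BR><BR>\n" followed by "Afterwards no pointer references NEM (or CAR), so the TOCTOU vulnerability is avoided.<BR><BR>\n". The help text should also carry the same PcdShadowPeimOnBoot constraint being requested for the .dec comment so the two descriptions stay consistent.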