Hi Guomin, I'd suggest that you add a section to describe clearly the required steps to enable this feature in a platform. I just noticed that SecMigrationPei.inf is not mentioned for doing this.
Regards,
Jian

> -----Original Message-----
> From: Jiang, Guomin <guomin.ji...@intel.com>
> Sent: Tuesday, August 11, 2020 1:32 PM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.w...@intel.com>; Gao, Liming <liming....@intel.com>
> Subject: [edk2-wiki][PATCH v2] Update the Boot Guard TOCTOU wiki page.
>
> The Boot Guard TOCTOU have been migrated into edk2/master.
> Update the document to meet the change.
>
> Signed-off-by: Guomin Jiang <guomin.ji...@intel.com>
> Cc: Jian J Wang <jian.j.w...@intel.com>
> Cc: Liming Gao <liming....@intel.com>
> Reviewed-by: Jian J Wang <jian.j.w...@intel.com>
> ---
> Boot-Guard-TOCTOU-Vulnerability-Mitigation.md | 28 ++++++-------------
> 1 file changed, 8 insertions(+), 20 deletions(-)
>
> diff --git a/Boot-Guard-TOCTOU-Vulnerability-Mitigation.md b/Boot-Guard-
> TOCTOU-Vulnerability-Mitigation.md
> index e59c7b1..64b9d66 100644
> --- a/Boot-Guard-TOCTOU-Vulnerability-Mitigation.md
> +++ b/Boot-Guard-TOCTOU-Vulnerability-Mitigation.md
> @@ -45,32 +45,20 @@ references must be updated. In this mitigation, the > process of performing these > The changes described in this mitigation are intended to simply integrate > into > firmware solutions. For the changes to > function as intended, the platform firmware implementation should follow > these guidelines. > > -The changes are currently being staged in the following EDK II fork for > additional validation before being > -sent to the EDK II mailing list: > https://github.com/makubacki/edk2/tree/btg_toctou_mitigation_staging > - > -The changes should not be considered final or production ready until they are > reviewed and pushed onto edk2/master. > - > -1. Always ensure PcdShadowPeimOnBoot and PcdShadowPeimOnS3Boot > - (if platform supports S3) are set to TRUE if Boot Guard is > - enabled and V=1 or M=1. > -2. Always ensure PcdMigrateTemporaryRamFirmwareVolumes is set to TRUE. > -3. Ensure that all PEIMs are relocatable. Relocation tables should > +1. Always ensure PcdMigrateTemporaryRamFirmwareVolumes is set to TRUE > + if Boot Guard is enabled and V=1 or M=1. > +2. Ensure that all PEIMs are relocatable. Relocation tables should > not be stripped. > -4. If an Intel® Firmware Support Package (FSP) binary solution is > +3. If an Intel® Firmware Support Package (FSP) binary solution is > used, the binary must have these mitigation changes integrated. > -5. Avoid maintaining pointers to pre-memory addresses inside embedded > +4. Avoid maintaining pointers to pre-memory addresses inside embedded > structures or other non-standard structures that the automatic > migration code introduced in this change cannot identify. > -6. Migrate the FIT table based on platform requirements for FIT > +5. Migrate the FIT table based on platform requirements for FIT > access in post-memory. > > -**Very Important** > - > -7. Enable paging after memory initialization and mark the IBB range > - as Not Present (NP). 
> - > - This will cause a page fault on access to the IBB region. This CR2 register can > be used to identify the address > - accessed and the IP. > +Notes: IBB will be set Not Present, you will see a page fault if any code access > to the IBB region after migration. > + the address where the code access can be identified in the CR2 register. > > # High-Level Migration Required > Resources that must be migrated can be categorized as code or data. > -- > 2.25.1.windows.1
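Review bot: the hunk turns the old step 7 ("Enable paging after memory initialization and mark the IBB range as Not Present (NP)") from a platform action into the passive "Notes: IBB will be set Not Present", but the new text never says which component now sets the range Not Present or whether the platform still has to enable paging after memory initialization; since the paragraph above still says the platform "should follow these guidelines", please state that explicitly. The old step 1 (PcdShadowPeimOnBoot / PcdShadowPeimOnS3Boot when the platform supports S3) is also dropped without saying whether those PCDs remain a prerequisite, so the S3 case is now unaddressed. The added note itself needs tidying: "if any code access to the IBB region" should read "if any code accesses the IBB region", the second line should start with a capital and not be indented, and the old text's point that the faulting IP identifies the offending code was lost, e.g. "Notes: The IBB range is set Not Present, so any code that accesses the IBB region after migration will take a page fault; the faulting address can be read from the CR2 register and the IP identifies the accessing code."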