Re: [edk2-devel] [Patch V4 08/15] UefiCpuPkg/PiSmmCpuDxeSmm: Clear CR0.WP before modify page table

[Ni, Ray]

Reviewed-by: Ray Ni <ray...@intel.com>

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of duntan
> Sent: Tuesday, May 16, 2023 5:59 PM
> To: devel@edk2.groups.io
> Cc: Dong, Eric <eric.d...@intel.com>; Ni, Ray <ray...@intel.com>; Kumar, Rahul
> R <rahul.r.ku...@intel.com>; Gerd Hoffmann <kra...@redhat.com>
> Subject: [edk2-devel] [Patch V4 08/15] UefiCpuPkg/PiSmmCpuDxeSmm: Clear
> CR0.WP before modify page table
> 
> Clear CR0.WP before modify smm page table. Currently, there is
> an assumption that smm pagetable is always RW before ReadyToLock.
> However, when AMD SEV is enabled, FvbServicesSmm driver calls
> MemEncryptSevClearMmioPageEncMask to clear AddressEncMask bit
> in smm page table for this range:
> [PcdOvmfFdBaseAddress,PcdOvmfFdBaseAddress+PcdOvmfFirmwareFdSize]
> If page slpit happens in this process, new memory for smm page
> table is allocated. Then the newly allocated page table memory
> is marked as RO in smm page table in this FvbServicesSmm driver,
> which may lead to PF if smm code doesn't clear CR0.WP before
> modify smm page table when ReadyToLock.
> 
> Signed-off-by: Dun Tan <dun....@intel.com>
> Cc: Eric Dong <eric.d...@intel.com>
> Cc: Ray Ni <ray...@intel.com>
> Cc: Rahul Kumar <rahul1.ku...@intel.com>
> Cc: Gerd Hoffmann <kra...@redhat.com>
> ---
>  UefiCpuPkg/PiSmmCpuDxeSmm/SmmCpuMemoryManagement.c | 11
> +++++++++++
>  UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c             |  5 +++++
>  2 files changed, 16 insertions(+)
> 
> diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/SmmCpuMemoryManagement.c
> b/UefiCpuPkg/PiSmmCpuDxeSmm/SmmCpuMemoryManagement.c
> index 4b512edf68..ef0ba9a355 100644
> --- a/UefiCpuPkg/PiSmmCpuDxeSmm/SmmCpuMemoryManagement.c
> +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/SmmCpuMemoryManagement.c
> @@ -1036,6 +1036,8 @@ SetMemMapAttributes (
>    IA32_MAP_ENTRY                        *Map;
>    UINTN                                 Count;
>    UINT64                                MemoryAttribute;
> +  BOOLEAN                               WpEnabled;
> +  BOOLEAN                               CetEnabled;
> 
>    SmmGetSystemConfigurationTable (&gEdkiiPiSmmMemoryAttributesTableGuid,
> (VOID **)&MemoryAttributesTable);
>    if (MemoryAttributesTable == NULL) {
> @@ -1078,6 +1080,8 @@ SetMemMapAttributes (
> 
>    ASSERT_RETURN_ERROR (Status);
> 
> +  DisableReadOnlyPageWriteProtect (&WpEnabled, &CetEnabled);
> +
>    MemoryMap = MemoryMapStart;
>    for (Index = 0; Index < MemoryMapEntryCount; Index++) {
>      DEBUG ((DEBUG_VERBOSE, "SetAttribute: Memory Entry - 0x%lx, 0x%x\n",
> MemoryMap->PhysicalStart, MemoryMap->NumberOfPages));
> @@ -1105,6 +1109,7 @@ SetMemMapAttributes (
>      MemoryMap = NEXT_MEMORY_DESCRIPTOR (MemoryMap, DescriptorSize);
>    }
> 
> +  EnableReadOnlyPageWriteProtect (WpEnabled, CetEnabled);
>    FreePool (Map);
> 
>    PatchSmmSaveStateMap ();
> @@ -1411,9 +1416,13 @@ SetUefiMemMapAttributes (
>    UINTN                  MemoryMapEntryCount;
>    UINTN                  Index;
>    EFI_MEMORY_DESCRIPTOR  *Entry;
> +  BOOLEAN                WpEnabled;
> +  BOOLEAN                CetEnabled;
> 
>    DEBUG ((DEBUG_INFO, "SetUefiMemMapAttributes\n"));
> 
> +  DisableReadOnlyPageWriteProtect (&WpEnabled, &CetEnabled);
> +
>    if (mUefiMemoryMap != NULL) {
>      MemoryMapEntryCount = mUefiMemoryMapSize/mUefiDescriptorSize;
>      MemoryMap           = mUefiMemoryMap;
> @@ -1492,6 +1501,8 @@ SetUefiMemMapAttributes (
>      }
>    }
> 
> +  EnableReadOnlyPageWriteProtect (WpEnabled, CetEnabled);
> +
>    //
>    // Do not free mUefiMemoryAttributesTable, it will be checked in
> IsSmmCommBufferForbiddenAddress().
>    //
> diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c
> b/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c
> index 1b0b6673e1..5625ba0cac 100644
> --- a/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c
> +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c
> @@ -574,6 +574,8 @@ InitPaging (
>    BOOLEAN   Nx;
>    IA32_CR4  Cr4;
>    BOOLEAN   Enable5LevelPaging;
> +  BOOLEAN   WpEnabled;
> +  BOOLEAN   CetEnabled;
> 
>    Cr4.UintN          = AsmReadCr4 ();
>    Enable5LevelPaging = (BOOLEAN)(Cr4.Bits.LA57 == 1);
> @@ -620,6 +622,7 @@ InitPaging (
>      NumberOfPdptEntries = 4;
>    }
> 
> +  DisableReadOnlyPageWriteProtect (&WpEnabled, &CetEnabled);
>    //
>    // Go through page table and change 2MB-page into 4KB-page.
>    //
> @@ -800,6 +803,8 @@ InitPaging (
>      } // end for PML4
>    } // end for PML5
> 
> +  EnableReadOnlyPageWriteProtect (WpEnabled, CetEnabled);
> +
>    //
>    // Flush TLB
>    //
> --
> 2.31.1.windows.1
> 
> 
> 
> 
> 



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#105619): https://edk2.groups.io/g/devel/message/105619
Mute This Topic: https://groups.io/mt/98922934/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: 
https://edk2.groups.io/g/devel/leave/9847357/21656/1706620634/xyzzy 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-