proxmox-mirrors/mirror_edk2
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_edk2 synced 2025-11-04 02:40:26 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
0df5056012
mirror_edk2/UefiCpuPkg/Library/SmmCpuFeaturesLib/Ia32/SmiException.nasm
Hao Wu 0df5056012 UefiCpuPkg/SmmCpuFeaturesLib: [CVE-2017-5715] Stuff RSB before RSM 
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1093

Return Stack Buffer (RSB) is used to predict the target of RET
instructions. When the RSB underflows, some processors may fall back to
using branch predictors. This might impact software using the retpoline
mitigation strategy on those processors.

This commit will add RSB stuffing logic before returning from SMM (the RSM
instruction) to avoid interfering with non-SMM usage of the retpoline
technique.

After the stuffing, RSB entries will contain a trap like:

@SpecTrap:
    pause
    lfence
    jmp     @SpecTrap

A more detailed explanation of the purpose of commit is under the
'Branch target injection mitigation' section of the below link:
https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation

Please note that this commit requires further actions (BZ 1091) to remove
the duplicated 'StuffRsb.inc' files and merge them into one under a
UefiCpuPkg package-level directory (such as UefiCpuPkg/Include/).

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1091

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
2018-08-21 16:11:15 +08:00

180 lines
5.2 KiB
NASM
Raw Blame History

;------------------------------------------------------------------------------ ;
; Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
; This program and the accompanying materials
; are licensed and made available under the terms and conditions of the BSD License
; which accompanies this distribution. The full text of the license may be found at
; http://opensource.org/licenses/bsd-license.php.
;
; THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
; WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
;
; Module Name:
;
; SmiException.nasm
;
; Abstract:
;
; Exception handlers used in SM mode
;
;-------------------------------------------------------------------------------
%include "StuffRsb.inc"
global ASM_PFX(gcStmPsd)
extern ASM_PFX(SmmStmExceptionHandler)
extern ASM_PFX(SmmStmSetup)
extern ASM_PFX(SmmStmTeardown)
extern ASM_PFX(gStmXdSupported)
extern ASM_PFX(gStmSmiHandlerIdtr)
%define MSR_IA32_MISC_ENABLE 0x1A0
%define MSR_EFER 0xc0000080
%define MSR_EFER_XD 0x800
CODE_SEL equ 0x08
DATA_SEL equ 0x20
TSS_SEL equ 0x40
SECTION .data
ASM_PFX(gcStmPsd):
DB 'TXTPSSIG'
DW PSD_SIZE
DW 1 ; Version
DD 0 ; LocalApicId
DB 0x05 ; Cr4Pse;Cr4Pae;Intel64Mode;ExecutionDisableOutsideSmrr
DB 0 ; BIOS to STM
DB 0 ; STM to BIOS
DB 0
DW CODE_SEL
DW DATA_SEL
DW DATA_SEL
DW DATA_SEL
DW TSS_SEL
DW 0
DQ 0 ; SmmCr3
DD ASM_PFX(OnStmSetup)
DD 0
DD ASM_PFX(OnStmTeardown)
DD 0
DQ 0 ; SmmSmiHandlerRip - SMM guest entrypoint
DQ 0 ; SmmSmiHandlerRsp
DQ 0
DD 0
DD 0x80010100 ; RequiredStmSmmRevId
DD ASM_PFX(OnException)
DD 0
DQ 0 ; ExceptionStack
DW DATA_SEL
DW 0x01F ; ExceptionFilter
DD 0
DD 0
DD 0
DQ 0 ; BiosHwResourceRequirementsPtr
DQ 0 ; AcpiRsdp
DB 0 ; PhysicalAddressBits
PSD_SIZE equ $ - ASM_PFX(gcStmPsd)
SECTION .text
;------------------------------------------------------------------------------
; SMM Exception handlers
;------------------------------------------------------------------------------
global ASM_PFX(OnException)
ASM_PFX(OnException):
mov ecx, esp
push ecx
call ASM_PFX(SmmStmExceptionHandler)
add esp, 4
mov ebx, eax
mov eax, 4
vmcall
jmp $
global ASM_PFX(OnStmSetup)
ASM_PFX(OnStmSetup):
;
; Check XD disable bit
;
xor esi, esi
mov eax, ASM_PFX(gStmXdSupported)
mov al, [eax]
cmp al, 0
jz @StmXdDone1
mov ecx, MSR_IA32_MISC_ENABLE
rdmsr
mov esi, edx ; save MSR_IA32_MISC_ENABLE[63-32]
test edx, BIT2 ; MSR_IA32_MISC_ENABLE[34]
jz .51
and dx, 0xFFFB ; clear XD Disable bit if it is set
wrmsr
.51:
mov ecx, MSR_EFER
rdmsr
or ax, MSR_EFER_XD ; enable NXE
wrmsr
@StmXdDone1:
push esi
call ASM_PFX(SmmStmSetup)
mov eax, ASM_PFX(gStmXdSupported)
mov al, [eax]
cmp al, 0
jz .71
pop edx ; get saved MSR_IA32_MISC_ENABLE[63-32]
test edx, BIT2
jz .71
mov ecx, MSR_IA32_MISC_ENABLE
rdmsr
or dx, BIT2 ; set XD Disable bit if it was set before entering into SMM
wrmsr
.71:
StuffRsb32
rsm
global ASM_PFX(OnStmTeardown)
ASM_PFX(OnStmTeardown):
;
; Check XD disable bit
;
xor esi, esi
mov eax, ASM_PFX(gStmXdSupported)
mov al, [eax]
cmp al, 0
jz @StmXdDone2
mov ecx, MSR_IA32_MISC_ENABLE
rdmsr
mov esi, edx ; save MSR_IA32_MISC_ENABLE[63-32]
test edx, BIT2 ; MSR_IA32_MISC_ENABLE[34]
jz .52
and dx, 0xFFFB ; clear XD Disable bit if it is set
wrmsr
.52:
mov ecx, MSR_EFER
rdmsr
or ax, MSR_EFER_XD ; enable NXE
wrmsr
@StmXdDone2:
push esi
call ASM_PFX(SmmStmTeardown)
mov eax, ASM_PFX(gStmXdSupported)
mov al, [eax]
cmp al, 0
jz .72
pop edx ; get saved MSR_IA32_MISC_ENABLE[63-32]
test edx, BIT2
jz .72
mov ecx, MSR_IA32_MISC_ENABLE
rdmsr
or dx, BIT2 ; set XD Disable bit if it was set before entering into SMM
wrmsr
.72:
StuffRsb32
rsm
Reference in New Issue View Git Blame Copy Permalink