sravan/system76-edk2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
6acd6781ba4f2bc0d397ed7b1f1115b9569634b1
system76-edk2/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.inf
Hao Wu 5cb3ae7a54 MdeModulePkg/FaultTolerantWrite:[CVE-2017-5753]Fix bounds check bypass 
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1194

Speculative execution is used by processor to avoid having to wait for
data to arrive from memory, or for previous operations to finish, the
processor may speculate as to what will be executed.

If the speculation is incorrect, the speculatively executed instructions
might leave hints such as which memory locations have been brought into
cache. Malicious actors can use the bounds check bypass method (code
gadgets with controlled external inputs) to infer data values that have
been used in speculative operations to reveal secrets which should not
otherwise be accessed.

This commit will focus on the SMI handler(s) registered within the
FaultTolerantWriteDxe driver and insert AsmLfence API to mitigate the
bounds check bypass issue.

For SMI handler SmmFaultTolerantWriteHandler():

Under "case FTW_FUNCTION_WRITE:", 'SmmFtwWriteHeader->Length' can be a
potential cross boundary access of the 'CommBuffer' (controlled external
inputs) during speculative execution. This cross boundary access is later
passed as parameter 'Length' into function FtwWrite().

Within function FtwWrite(), the value of 'Length' can be inferred by code:
"CopyMem (MyBuffer + Offset, Buffer, Length);". One can observe which part
of the content within 'Buffer' was brought into cache to possibly reveal
the value of 'Length'.

Hence, this commit adds a AsmLfence() after the boundary/range checks of
'CommBuffer' to prevent the speculative execution.

A more detailed explanation of the purpose of commit is under the
'Bounds check bypass mitigation' section of the below link:
https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation

And the document at:
https://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Regression-tested-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit cb54cd2463)
2018-11-14 09:09:57 +08:00

100 lines
3.4 KiB
INI
Raw Blame History

## @file
# Fault Tolerant Write Smm Driver.
#
# This driver installs SMM Fault Tolerant Write (FTW) protocol, which provides fault
# tolerant write capability in SMM environment for block devices. Its implementation
# depends on the full functionality SMM FVB protocol that support read, write/erase
# flash access.
#
# Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.<BR>
#
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at
# http://opensource.org/licenses/bsd-license.php
# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#
##
[Defines]
INF_VERSION = 0x00010005
BASE_NAME = SmmFaultTolerantWriteDxe
MODULE_UNI_FILE = SmmFaultTolerantWriteDxe.uni
FILE_GUID = 470CB248-E8AC-473c-BB4F-81069A1FE6FD
MODULE_TYPE = DXE_SMM_DRIVER
VERSION_STRING = 1.0
PI_SPECIFICATION_VERSION = 0x0001000A
ENTRY_POINT = SmmFaultTolerantWriteInitialize
#
# The following information is for reference only and not required by the build tools.
#
# VALID_ARCHITECTURES = IA32 X64
#
[Sources]
FtwMisc.c
UpdateWorkingBlock.c
FaultTolerantWrite.c
FaultTolerantWriteSmm.c
FaultTolerantWrite.h
FaultTolerantWriteSmmCommon.h
[Packages]
MdePkg/MdePkg.dec
MdeModulePkg/MdeModulePkg.dec
[LibraryClasses]
SmmServicesTableLib
MemoryAllocationLib
BaseMemoryLib
UefiDriverEntryPoint
DebugLib
UefiLib
PcdLib
ReportStatusCodeLib
SmmMemLib
BaseLib
[Guids]
#
# Signature in EFI_FAULT_TOLERANT_WORKING_BLOCK_HEADER
#
## CONSUMES ## GUID
## PRODUCES ## GUID
gEdkiiWorkingBlockSignatureGuid
[Protocols]
gEfiSmmSwapAddressRangeProtocolGuid | gEfiMdeModulePkgTokenSpaceGuid.PcdFullFtwServiceEnable ## SOMETIMES_CONSUMES
## NOTIFY
## CONSUMES
gEfiSmmFirmwareVolumeBlockProtocolGuid
## PRODUCES
## UNDEFINED # SmiHandlerRegister
gEfiSmmFaultTolerantWriteProtocolGuid
gEfiSmmEndOfDxeProtocolGuid ## CONSUMES
[FeaturePcd]
gEfiMdeModulePkgTokenSpaceGuid.PcdFullFtwServiceEnable ## CONSUMES
[Pcd]
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase ## SOMETIMES_CONSUMES
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64 ## CONSUMES
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize ## CONSUMES
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase ## SOMETIMES_CONSUMES
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase64 ## CONSUMES
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize ## CONSUMES
#
# gBS->CalculateCrc32() is consumed in EntryPoint.
# PI spec said: When the DXE Foundation is notified that the EFI_RUNTIME_ARCH_PROTOCOL
# has been installed, then the Boot Service CalculateCrc32() is available.
# So add gEfiRuntimeArchProtocolGuid Depex here.
#
[Depex]
gEfiSmmFirmwareVolumeBlockProtocolGuid AND gEfiRuntimeArchProtocolGuid
[UserExtensions.TianoCore."ExtraFiles"]
SmmFaultTolerantWriteDxeExtra.uni
Reference in New Issue View Git Blame Copy Permalink