From 1facb8fdef6389f390b66da6d8304f54cc93104a Mon Sep 17 00:00:00 2001
From: Guomin Jiang <guomin.jiang@intel.com>
Date: Wed, 8 Jul 2020 09:33:46 +0800
Subject: [PATCH] MdeModulePkg: Add new PCD to control the evacuate temporary
memory feature (CVE-2019-11098)
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614
The security researcher found that we can get control after NEM disable.
The reason is that the flash content reside in NEM at startup and the
code will get the content from flash directly after disable NEM.
To avoid this vulnerability, the feature will copy the PEIMs from
temporary memory to permanent memory and only execute the code in
permanent memory.
The vulnerability exists on physical platforms and has not been reported on
virtual platforms, so virtual platforms can keep the feature disabled for now.
When enable the PcdMigrateTemporaryRamFirmwareVolumes, always shadow
all PEIMs no matter the condition of PcdShadowPeimOnBoot or
PcdShadowPeimOnS3Boot.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Signed-off-by: Guomin Jiang <guomin.jiang@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
---
MdeModulePkg/MdeModulePkg.dec | 9 +++++++++
MdeModulePkg/MdeModulePkg.uni | 6 ++++++
2 files changed, 15 insertions(+)
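diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
index 843e963ad3..45874e9c82 100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
@@ -1220,6 +1220,15 @@
 # @Prompt Shadow Peim and PeiCore on boot
 gEfiMdeModulePkgTokenSpaceGuid.PcdShadowPeimOnBoot|TRUE|BOOLEAN|0x30001029
 
+ ## Enable the feature that evacuate temporary memory to permanent memory or not<BR><BR>
+ # Set FALSE as default, if the developer need this feature to avoid this vulnerability, please
+ # enable it to shadow all PEIMs no matter the behavior controled by PcdShadowPeimOnBoot or
+ # PcdShadowPeimOnS3Boot<BR>
+ # TRUE - Evacuate temporary memory, the actions include copy memory, convert PPI pointers and so on.<BR>
+ # FALSE - Do nothing, for example, no copy memory, no convert PPI pointers and so on.<BR>
+ # @Prompt Evacuate temporary memory to permanent memory
+ gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes|FALSE|BOOLEAN|0x3000102A
+
 ## The mask is used to control memory profile behavior.<BR><BR>
 # BIT0 - Enable UEFI memory profile.<BR>
 # BIT1 - Enable SMRAM profile.<BR>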
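Review bot: The help text for PcdMigrateTemporaryRamFirmwareVolumes (the `# Set FALSE as default ...` comment) states that enabling it shadows all PEIMs regardless of PcdShadowPeimOnBoot and PcdShadowPeimOnS3Boot, but the `_HELP` string added in the MdeModulePkg.uni hunk does not mention that override, so the two descriptions a platform integrator sees disagree on the precedence rule. I would carry the same sentence into the .uni string and name the CVE in the .dec comment so the FALSE default is traceable to a risk decision: `# enable it to shadow all PEIMs regardless of the behavior controlled by PcdShadowPeimOnBoot or PcdShadowPeimOnS3Boot (see CVE-2019-11098)<BR>`. The commit message limits the known exposure to physical platforms; saying so in the help text would tell platform owners which value to pick without having to read the commit log. Minor: `controled` here and `volnerability` / `can be avoid` in the .uni hunk should read `controlled`, `vulnerability` and `can be avoided`.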
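diff --git a/MdeModulePkg/MdeModulePkg.uni b/MdeModulePkg/MdeModulePkg.uni
index 2007e0596c..5235dee561 100644
--- a/MdeModulePkg/MdeModulePkg.uni
+++ b/MdeModulePkg/MdeModulePkg.uni
@@ -214,6 +214,12 @@
 "TRUE - Shadow PEIM on S3 boot path after memory is ready.<BR>\n"
 "FALSE - Not shadow PEIM on S3 boot path after memory is ready.<BR>"
 
+#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdMigrateTemporaryRamFirmwareVolumes_HELP #language en-US "Enable the feature that evacuate temporary memory to permanent memory or not.<BR><BR>\n"
+ "It will allocate page to save the temporary PEIMs resided in NEM(or CAR) to the permanent memory and change all pointers pointed to the NEM(or CAR) to permanent memory.<BR><BR>\n"
+ "After then, there are no pointer pointed to NEM(or CAR) and TOCTOU volnerability can be avoid.<BR><BR>\n"
+
+#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdMigrateTemporaryRamFirmwareVolumes_PROMPT #language en-US "Enable the feature that evacuate temporary memory to permanent memory or not"
+
 #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiDefaultOemId_PROMPT #language en-US "Default OEM ID for ACPI table creation"
 
 #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiDefaultOemId_HELP #language en-US "Default OEM ID for ACPI table creation, its length must be 0x6 bytes to follow ACPI specification."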
--
2.27.0