Skip to content

Compilation fails with smm #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
jirislaby opened this issue Nov 26, 2019 · 1 comment
Open

Compilation fails with smm #1

jirislaby opened this issue Nov 26, 2019 · 1 comment

Comments

@jirislaby
Copy link

With the current patchset, OVMF build fails for the ovmf-x86_64-smm flavor (which is by default built in SUSE). The errors are like:

OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c:14:10: fatal error: Library/VmgExitLib.h: No such file or directory
#include <Library/VmgExitLib.h>
         ^~~~~~~~~~~~~~~~~~~~~~
...
build.py...
 : error F002: Failed to build module
       OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesSmm.inf [X64, GCC5, DEBUG]

Another one is:

/tmp/cc7KG5f7.ltrans0.ltrans.o: In function `CommonExceptionHandlerWorker':
UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiDxeSmmCpuException.c:95: undefined reference to `DoVcException'

It seems to be expected as e.g. UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLib.inf does not include any of the implementations of DoVcException. So is SMM ignored in this submission?
@tlendacky
Copy link
Collaborator

tlendacky commented Dec 2, 2019 via email

@jirislaby jirislaby changed the title Compilarion fails with smm Compilation fails with smm Dec 4, 2019
tlendacky pushed a commit that referenced this issue Aug 13, 2020
@niruiyu @mergify
UefiCpuPkg/MtrrLibUnitTest: Change to use static array for CI test
65904cd 
The unit test app supports running in 3 mode:
1. MtrrLibUnitTest generate-random-numbers
     <path to MtrrLib/UnitTest/RandomNumber.c> <random-number count>
   It generates random numbers and writes to RandomNumber.c.

2. MtrrLibUnitTest [<iterations>]
   It tests MtrrLib APIs using configurations generated from static
   numbers generated by mode #1.
   This is the default execution mode running in CI environment.

3. MtrrLibUnitTest <iterations> random
   It tests MtrrLib APIs using configurations generated from random
   numbers.
   This is what developers can use to test MtrrLib for regressions.

Signed-off-by: Ray Ni <ray.ni@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ming Shao <ming.shao@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
tlendacky pushed a commit that referenced this issue Jan 26, 2024
@jiaxinwu @mergify
UefiCpuPkg/PiSmmCpuDxeSmm: Fix CP Exception when CET enable
589f2e4 
Root cause:
1. Before DisableReadonlyPageWriteProtect() is called, the return
address (#1) is pushed in shadow stack.
2. CET is disabled.
3. DisableReadonlyPageWriteProtect() returns to #1.
4. Page table is modified.
5. EnableReadonlyPageWriteProtect() is called, but the return
address (#2) is not pushed in shadow stack.
6. CET is enabled.
7. EnableReadonlyPageWriteProtect() returns to #2.
#CP exception happens because the actual return address (#2)
doesn't match the return address stored in shadow stack (#1).

Analysis:
Shadow stack will stop update after CET disable (DisableCet() in
DisableReadOnlyPageWriteProtect), but normal smi stack will be
continue updated with the function called and return
(DisableReadOnlyPageWriteProtect & EnableReadOnlyPageWriteProtect),
thus leading stack mismatch after CET re-enabled (EnableCet() in
EnableReadOnlyPageWriteProtect).

According SDM Vol 3, 6.15-Control Protection Exception:
Normal smi stack and shadow stack must be matched when CET enable,
otherwise CP Exception will happen, which is caused by a near RET
instruction.

CET is disabled in DisableCet(), while can be enabled in
EnableCet(). This way won't cause the problem because they are
implemented in a way that return address of DisableCet() is
poped out from shadow stack (Incsspq performs a pop to increases
the shadow stack) and EnableCet() doesn't use "RET" but "JMP" to
return to caller. So calling EnableCet() and DisableCet() doesn't
have the same issue as calling DisableReadonlyPageWriteProtect()
and EnableReadonlyPageWriteProtect().

With above root cause & analysis, define below 2 macros instead of
functions for WP & CET operation:
WRITE_UNPROTECT_RO_PAGES (Wp, Cet)
WRITE_PROTECT_RO_PAGES (Wp, Cet)
Because DisableCet() & EnableCet() must be in the same function
to avoid shadow stack and normal SMI stack mismatch.

Note: WRITE_UNPROTECT_RO_PAGES () must be called pair with
WRITE_PROTECT_RO_PAGES () in same function.

Change-Id: I4e126697efcd8dbfb4887da034d8691bfca969e3
Cc: Eric Dong <eric.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Zeng Star <star.zeng@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Jiaxin Wu <jiaxin.wu@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Ray Ni <ray.ni@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
mdroth pushed a commit that referenced this issue Mar 29, 2024
@mergify
NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch
1dbb10c 
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4534

Bug Details:
PixieFail Bug #1
CVE-2023-45229
CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-125 Out-of-bounds Read

Change Overview:

Introduce Dhcp6SeekInnerOptionSafe which performs checks before seeking
the Inner Option from a DHCP6 Option.

>
> EFI_STATUS
> Dhcp6SeekInnerOptionSafe (
>  IN  UINT16  IaType,
>  IN  UINT8   *Option,
>  IN  UINT32  OptionLen,
>  OUT UINT8   **IaInnerOpt,
>  OUT UINT16  *IaInnerLen
>  );
>

Lots of code cleanup to improve code readability.

Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
mdroth pushed a commit that referenced this issue Mar 19, 2025
@jiaxinwu @mergify
UefiCpuPkg/PiSmmCpuDxeSmm: Clarification for BSP & APs Sync Flow
2351165 
This patch does not impact functionality. It aims to clarify the
synchronization flow between the BSP and APs to enhance code
readability and understanding:

Steps #6 and #11 are the basic synchronization requirements for all
cases.

Steps #1 is additional requirements if the MmCpuSyncModeTradition
mode is selected.

Steps #1, #2, #3, #4, #5, #7, #8, #9, and #10 are additional
requirements if the system needs to configure the MTRR.

Steps #9 and #10 are additional requirements if the system needs to
support the mSmmDebugAgentSupport.

Signed-off-by: Jiaxin Wu <jiaxin.wu@intel.com>
mdroth pushed a commit that referenced this issue Mar 19, 2025
@jiaxinwu @mergify
UefiCpuPkg/PiSmmCpuDxeSmm: Consume SmmCpuPlatformHookBeforeMmiHandler…
fcd9570 
… func

This patch is for PiSmmCpuDxeSmm driver to add one round wait/release sync
for BSP and AP to perform the SMM CPU Platform Hook before executing MMI
Handler: SmmCpuPlatformHookBeforeMmiHandler (). With the function, SMM CPU
driver can perform the platform specific items after one round BSP and AP
sync (to make sure all APs in SMI) and before the MMI handlers.

After the change, steps #1 and #2 are additional requirements if the
MmCpuSyncModeTradition mode is selected.

Signed-off-by: Jiaxin Wu <jiaxin.wu@intel.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jirislaby @tlendacky