OvmfPkg/IoMmuDxe: zero out pages before releasing them

Whenever we release the plaintext bounce buffer pages that were allocated
implicitly in Map() for BusMasterRead[64] and BusMasterWrite[64], we
restore the encryption mask on them. However, we should also rewrite the
area (fill it with zeros) so that the hypervisor is not left with a
plaintext view of the earlier data.

Similarly, whenever we release the plaintext common buffer pages that were
allocated explicitly in AllocateBuffer() for BusMasterCommonBuffer[64], we
restore the encryption mask on them.  However, we should also rewrite the
area (fill it with zeros) so that the hypervisor is not left with a
plaintext view of the earlier data.

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Brijesh Singh <brijesh.singh@amd.com>

1 files changed, 5 insertions, 0 deletions

diff --git a/OvmfPkg/IoMmuDxe/AmdSevIoMmu.c b/OvmfPkg/IoMmuDxe/AmdSevIoMmu.c
index 8c2c23356a..d899b0ab9e 100644
--- a/OvmfPkg/IoMmuDxe/AmdSevIoMmu.c
+++ b/OvmfPkg/IoMmuDxe/AmdSevIoMmu.c
@@ -280,6 +280,10 @@ IoMmuUnmap (
              TRUE

              );

   ASSERT_EFI_ERROR(Status);

+  ZeroMem (

+    (VOID*)(UINTN)MapInfo->PlainTextAddress,

+    EFI_PAGES_TO_SIZE (MapInfo->NumberOfPages)

+    );

 

   //

   // Free the mapped buffer and the MAP_INFO structure.

@@ -414,6 +418,7 @@ IoMmuFreeBuffer (
              TRUE

              );

   ASSERT_EFI_ERROR(Status);

+  ZeroMem (HostAddress, EFI_PAGES_TO_SIZE (Pages));

 

   DEBUG ((

     DEBUG_VERBOSE,