edk2.git - Cross-platform firmware development environment

	Commit message (Collapse)	Author	Age	Files	Lines
*	SecurityPkg/OpalPWSupportLib: [CVE-2017-5753] Fix bounds check bypassUDK2015	Hao Wu	2018-11-21	1	-1/+6
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1194 Speculative execution is used by processor to avoid having to wait for data to arrive from memory, or for previous operations to finish, the processor may speculate as to what will be executed. If the speculation is incorrect, the speculatively executed instructions might leave hints such as which memory locations have been brought into cache. Malicious actors can use the bounds check bypass method (code gadgets with controlled external inputs) to infer data values that have been used in speculative operations to reveal secrets which should not otherwise be accessed. This commit will focus on the SMI handler(s) registered within the OpalPasswordSupportLib and insert AsmLfence API to mitigate the bounds check bypass issue. For SMI handler SmmOpalPasswordHandler(): Under "case SMM_FUNCTION_SET_OPAL_PASSWORD:", '&DeviceBuffer->OpalDevicePath' can points to a potential cross boundary access of the 'CommBuffer' (controlled external inputs) during speculative execution. This cross boundary access pointer is later passed as parameter 'DevicePath' into function OpalSavePasswordToSmm(). Within function OpalSavePasswordToSmm(), 'DevicePathLen' is an access to the content in 'DevicePath' and can be inferred by code: "CompareMem (&List->OpalDevicePath, DevicePath, DevicePathLen)". One can observe which part of the content within either '&List->OpalDevicePath' or 'DevicePath' was brought into cache to possibly reveal the value of 'DevicePathLen'. Hence, this commit adds a AsmLfence() after the boundary/range checks of 'CommBuffer' to prevent the speculative execution. A more detailed explanation of the purpose of commit is under the 'Bounds check bypass mitigation' section of the below link: https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation And the document at: https://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf Cc: Star Zeng <star.zeng@intel.com> Cc: Chao Zhang <chao.b.zhang@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Hao Wu <hao.a.wu@intel.com> Reviewed-by: Eric Dong <eric.dong@intel.com>
*	SecurityPkg OpalPasswordSupportLib: Add check to avoid potential buffer ↵	Eric Dong	2018-08-01	1	-17/+38
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	overflow. Current code not check the CommunicationBuffer size before use it. Attacker can read beyond the end of the (untrusted) commbuffer into controlled memory. Attacker can get access outside of valid SMM memory regions. This patch add check before use it. bugz: https://bugzilla.tianocore.org/show_bug.cgi?id=198 Cc: Yao Jiewen <jiewen.yao@intel.com> Cc: Wu Hao <hao.a.wu@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Eric Dong <eric.dong@intel.com> Reviewed-by: Yao Jiewen <jiewen.yao@intel.com> (cherry picked from commit 87acb6e298e718250dd8b741b6888a3a54c7cb5a)
*	SecurityPkg-Opal(1): Use fixed SMM communication buffer in OPAL password lib.	Eric Dong	2016-07-06	1	-3/+29
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	This patch enhance OPAL password lib SMM communication by using fixed SMM communication buffer. Update OPAL password lib to consume EDKII_PI_SMM_COMMUNICATION_REGION_TABLE as fixed communication buffer for SMM communication. This is designed to meet Microsoft WSMT table definition on FIXED_COMM_BUFFERS requirement. Cc: Eric Dong <eric.dong@intel.com> Cc: Feng Tian <feng.tian@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Eric Dong <eric.dong@intel.com> Reviewed-by: Feng Tian <feng.tian@intel.com> (cherry picked from commit 83681c74f07978adbb621a467fe391ae901e2515)
*	SecurityPkg OpalPasswordSupportLib: Fixed gcc build failure.	Eric Dong	2016-07-04	1	-0/+1
\| \| \| \| \| \| \|	Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Eric Dong <eric.dong@intel.com> Reviewed-by: Feng Tian <feng.tian@intel.com> (cherry picked from commit 56a44df26b9eb56370312e105ab24c59849b2834)
*	SecurityPkg: OpalPasswordSupportLib: Add Opal password support library.	Eric Dong	2016-07-04	1	-0/+754
	APIs used to support opal password solution to trig opal command. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Eric Dong <eric.dong@intel.com> Reviewed-by: Feng Tian <feng.tian@intel.com> (cherry picked from commit 1cf00fbdb36fd2f350d92530007483b8831d4340)