Topics

[PATCH v2 8/9] UefiCpuPkg/SecMigrationPei: Add switch to control if produce PPI (CVE-2019-11098)

Guomin Jiang
 

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614

SecMigrationPei create RepublishSecPpi, if the TOCTOU switch is off,
the Ppi is meaningless, so relate it with TOCTOU switch to avoid
producing useless PPI.

Cc: Eric Dong <eric.dong@...>
Cc: Ray Ni <ray.ni@...>
Cc: Laszlo Ersek <lersek@...>
Cc: Rahul Kumar <rahul1.kumar@...>
Signed-off-by: Guomin Jiang <guomin.jiang@...>
---
UefiCpuPkg/SecMigrationPei/SecMigrationPei.c | 8 +++++---
UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf | 4 ++++
2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/UefiCpuPkg/SecMigrationPei/SecMigrationPei.c b/UefiCpuPkg/SecMigrationPei/SecMigrationPei.c
index f96013b09b21..ab8066e8e0de 100644
--- a/UefiCpuPkg/SecMigrationPei/SecMigrationPei.c
+++ b/UefiCpuPkg/SecMigrationPei/SecMigrationPei.c
@@ -363,10 +363,12 @@ SecMigrationPeiInitialize (
IN CONST EFI_PEI_SERVICES **PeiServices
)
{
- EFI_STATUS Status;
+ EFI_STATUS Status = EFI_SUCCESS;

- Status = PeiServicesInstallPpi (&mEdkiiRepublishSecPpiDescriptor);
- ASSERT_EFI_ERROR (Status);
+ if (PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)) {
+ Status = PeiServicesInstallPpi (&mEdkiiRepublishSecPpiDescriptor);
+ ASSERT_EFI_ERROR (Status);
+ }

return Status;
}
diff --git a/UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf b/UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf
index e29c04710941..8edbd3aa23a9 100644
--- a/UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf
+++ b/UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf
@@ -60,5 +60,9 @@ [Ppis]
## SOMETIMES_PRODUCES
gEfiSecPlatformInformation2PpiGuid

+[Pcd]
+ ## CONSUMES
+ gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes
+
[Depex]
TRUE
--
2.25.1.windows.1

Laszlo Ersek
 

On 07/02/20 07:15, Guomin Jiang wrote:
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614

SecMigrationPei create RepublishSecPpi, if the TOCTOU switch is off,
the Ppi is meaningless, so relate it with TOCTOU switch to avoid
producing useless PPI.

Cc: Eric Dong <eric.dong@...>
Cc: Ray Ni <ray.ni@...>
Cc: Laszlo Ersek <lersek@...>
Cc: Rahul Kumar <rahul1.kumar@...>
Signed-off-by: Guomin Jiang <guomin.jiang@...>
---
UefiCpuPkg/SecMigrationPei/SecMigrationPei.c | 8 +++++---
UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf | 4 ++++
2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/UefiCpuPkg/SecMigrationPei/SecMigrationPei.c b/UefiCpuPkg/SecMigrationPei/SecMigrationPei.c
index f96013b09b21..ab8066e8e0de 100644
--- a/UefiCpuPkg/SecMigrationPei/SecMigrationPei.c
+++ b/UefiCpuPkg/SecMigrationPei/SecMigrationPei.c
@@ -363,10 +363,12 @@ SecMigrationPeiInitialize (
IN CONST EFI_PEI_SERVICES **PeiServices
)
{
- EFI_STATUS Status;
+ EFI_STATUS Status = EFI_SUCCESS;

- Status = PeiServicesInstallPpi (&mEdkiiRepublishSecPpiDescriptor);
- ASSERT_EFI_ERROR (Status);
+ if (PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)) {
+ Status = PeiServicesInstallPpi (&mEdkiiRepublishSecPpiDescriptor);
+ ASSERT_EFI_ERROR (Status);
+ }

return Status;
}
diff --git a/UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf b/UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf
index e29c04710941..8edbd3aa23a9 100644
--- a/UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf
+++ b/UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf
@@ -60,5 +60,9 @@ [Ppis]
## SOMETIMES_PRODUCES
gEfiSecPlatformInformation2PpiGuid

+[Pcd]
+ ## CONSUMES
+ gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes
+
[Depex]
TRUE
(1) This patch should be squashed into:

"UefiCpuPkg/SecMigrationPei: Add initial PEIM"

Thanks.
Laszlo