--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bullseye-pu: package edk2/2020.11-2
- From: dann frazier <dannf@dannf.org>
- Date: Thu, 19 Aug 2021 11:09:16 -0600
- Message-id: <162939295607.963054.7485107125387478250.reportbug@xps13.dannf>
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
Fixes a security issue, CVE-2019-11098.
[ Impact ]
The builds we provide shouldn't be impacted by this vulnerability,
at least not as described by the researchers. However, there may be
other implications - this is purely cautionary.
[ Tests ]
The built-in autopkgtests (actually the newer ones from unstable that are
more complete than the ones in bullseye).
$ ./debian/tests/shell.py
test_aavmf (__main__.BootToShellTest) ... ok
test_aavmf32 (__main__.BootToShellTest) ... ok
test_ovmf32_4m_secboot (__main__.BootToShellTest) ... ok
test_ovmf_4m (__main__.BootToShellTest) ... ok
test_ovmf_4m_ms (__main__.BootToShellTest) ... ok
test_ovmf_4m_secboot (__main__.BootToShellTest) ... ok
test_ovmf_ms (__main__.BootToShellTest) ... ok
test_ovmf_pc (__main__.BootToShellTest) ... ok
test_ovmf_q35 (__main__.BootToShellTest) ... ok
test_ovmf_secboot (__main__.BootToShellTest) ... ok
----------------------------------------------------------------------
Ran 10 tests in 53.821s
OK
[ Risks ]
The most likely issue is that we introduce a regression that causes
some VMs to fail to boot.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
A cherry pick from upstream that avoids reading GDT from flash.
diff -Nru edk2-2020.11/debian/changelog edk2-2020.11/debian/changelog
--- edk2-2020.11/debian/changelog 2020-12-15 11:42:37.000000000 -0700
+++ edk2-2020.11/debian/changelog 2021-08-18 16:57:56.000000000 -0600
@@ -1,3 +1,9 @@
+edk2 (2020.11-2+deb11u1) bullseye; urgency=medium
+
+ * Address Boot Guard TOCTOU vulnerability (CVE-2019-11098) (Closes: #991495)
+
+ -- dann frazier <dannf@debian.org> Wed, 18 Aug 2021 16:57:56 -0600
+
edk2 (2020.11-2) unstable; urgency=medium
* autopkgtest: Add allow-stderr to Restrictions to fix failure.
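Review bot: the changelog entry names the CVE and closes #991495 but says nothing about what the fix actually does; a short phrase such as "cherry-pick upstream f6ec1dd34fb6: migrate the GDT in SecTemporaryRamDone instead of the memory-discovered callback" would let a reader of the changelog understand the change without opening debian/patches. The version 2020.11-2+deb11u1 targeting bullseye is the expected form for a stable update.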
diff -Nru edk2-2020.11/debian/patches/series edk2-2020.11/debian/patches/series
--- edk2-2020.11/debian/patches/series 2020-12-15 11:42:37.000000000 -0700
+++ edk2-2020.11/debian/patches/series 2021-08-18 16:57:56.000000000 -0600
@@ -3,3 +3,4 @@
ovmf-vars-generator-Pass-OEM-Strings-to-the-guest.patch
ovmf-vars-generator-ignore-qemu-warnings.patch
ovmf-vars-generator-no-defaults.patch
+UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch
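Review bot: the patch file name is the truncated git-format-patch form ("...-to-Te.patch"); renaming it to the full subject ("...-to-TempRamDone.patch") would make `ls debian/patches` self-explanatory. Appending it last in series is fine: it touches only UefiCpuPkg files, which none of the preceding ovmf-vars-generator patches touch, so ordering has no effect.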
diff -Nru edk2-2020.11/debian/patches/UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch edk2-2020.11/debian/patches/UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch
--- edk2-2020.11/debian/patches/UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch 1969-12-31 17:00:00.000000000 -0700
+++ edk2-2020.11/debian/patches/UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch 2021-08-18 16:57:56.000000000 -0600
@@ -0,0 +1,189 @@
+From f6ec1dd34fb6b9757b5ead465ee2ea20c182b0ac Mon Sep 17 00:00:00 2001
+From: Guomin Jiang <guomin.jiang@intel.com>
+Date: Wed, 13 Jan 2021 18:08:09 +0800
+Subject: [PATCH] UefiCpuPkg: Move MigrateGdt from DiscoverMemory to
+ TempRamDone. (CVE-2019-11098)
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1614
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3160
+
+The GDT still in flash with commit 60b12e69fb1c8c7180fdda92f008248b9ec83db1
+after TempRamDone
+
+So move the action to TempRamDone event to avoid reading GDT from flash.
+
+Signed-off-by: Guomin Jiang <guomin.jiang@intel.com>
+Cc: Eric Dong <eric.dong@intel.com>
+Cc: Ray Ni <ray.ni@intel.com>
+Cc: Laszlo Ersek <lersek@redhat.com>
+Cc: Rahul Kumar <rahul1.kumar@intel.com>
+Cc: Debkumar De <debkumar.de@intel.com>
+Cc: Harry Han <harry.han@intel.com>
+Cc: Catharine West <catharine.west@intel.com>
+Reviewed-by: Ray Ni <ray.ni@intel.com>
+
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1614
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991495
+Origin: upstream, https://github.com/tianocore/edk2/commit/f6ec1dd34fb6b9757b5ead465ee2ea20c182b0ac
+Last-Updated: 2021-07-26
+
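Review bot: the description line "The GDT still in flash with commit 60b12e69... after TempRamDone" has no verb and does not name the window being closed. The hunks below show MigrateGdt being removed from MemoryDiscoveredPpiNotifyCallback in CpuMpPei and re-added in SecTemporaryRamDone, so the fix removes the gap between temporary RAM teardown and the memory-discovered callback, during which the GDT base still pointed into flash; stating that in one sentence would make the CVE-2019-11098 relevance clear to anyone reading the patch later. The DEP-3 headers (Origin, Bug, Bug-Debian, Last-Updated) are complete.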
+diff --git a/UefiCpuPkg/CpuMpPei/CpuMpPei.c b/UefiCpuPkg/CpuMpPei/CpuMpPei.c
+index 40729a09b9..3c1bad6470 100644
+--- a/UefiCpuPkg/CpuMpPei/CpuMpPei.c
++++ b/UefiCpuPkg/CpuMpPei/CpuMpPei.c
+@@ -429,43 +429,6 @@ GetGdtr (
+ AsmReadGdtr ((IA32_DESCRIPTOR *)Buffer);
+ }
+
+-/**
+- Migrates the Global Descriptor Table (GDT) to permanent memory.
+-
+- @retval EFI_SUCCESS The GDT was migrated successfully.
+- @retval EFI_OUT_OF_RESOURCES The GDT could not be migrated due to lack of available memory.
+-
+-**/
+-EFI_STATUS
+-MigrateGdt (
+- VOID
+- )
+-{
+- EFI_STATUS Status;
+- UINTN GdtBufferSize;
+- IA32_DESCRIPTOR Gdtr;
+- VOID *GdtBuffer;
+-
+- AsmReadGdtr ((IA32_DESCRIPTOR *) &Gdtr);
+- GdtBufferSize = sizeof (IA32_SEGMENT_DESCRIPTOR) -1 + Gdtr.Limit + 1;
+-
+- Status = PeiServicesAllocatePool (
+- GdtBufferSize,
+- &GdtBuffer
+- );
+- ASSERT (GdtBuffer != NULL);
+- if (EFI_ERROR (Status)) {
+- return EFI_OUT_OF_RESOURCES;
+- }
+-
+- GdtBuffer = ALIGN_POINTER (GdtBuffer, sizeof (IA32_SEGMENT_DESCRIPTOR));
+- CopyMem (GdtBuffer, (VOID *) Gdtr.Base, Gdtr.Limit + 1);
+- Gdtr.Base = (UINTN) GdtBuffer;
+- AsmWriteGdtr (&Gdtr);
+-
+- return EFI_SUCCESS;
+-}
+-
+ /**
+ Initializes CPU exceptions handlers for the sake of stack switch requirement.
+
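Review bot: the removed MigrateGdt is the same 37-line body that reappears in SecMain.c further down, so this is a move rather than a deletion, and GetGdtr above it is left untouched. The patch does not touch a header: if CpuMpPei.h still carries a prototype for MigrateGdt, that declaration becomes dangling (harmless, but worth cleaning up in the same change), and if any other CpuMpPei source still calls it the link will fail, so grep the module once before accepting.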
+diff --git a/UefiCpuPkg/CpuMpPei/CpuMpPei.inf b/UefiCpuPkg/CpuMpPei/CpuMpPei.inf
+index ba829d816e..7444bdb968 100644
+--- a/UefiCpuPkg/CpuMpPei/CpuMpPei.inf
++++ b/UefiCpuPkg/CpuMpPei/CpuMpPei.inf
+@@ -67,7 +67,6 @@
+ gUefiCpuPkgTokenSpaceGuid.PcdCpuStackSwitchExceptionList ## SOMETIMES_CONSUMES
+ gUefiCpuPkgTokenSpaceGuid.PcdCpuKnownGoodStackSize ## SOMETIMES_CONSUMES
+ gUefiCpuPkgTokenSpaceGuid.PcdCpuApStackSize ## SOMETIMES_CONSUMES
+- gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes ## CONSUMES
+
+ [Depex]
+ TRUE
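Review bot: dropping PcdMigrateTemporaryRamFirmwareVolumes from [Pcd] is consistent with the removal of its only use in CpuPaging.c below. Do not also drop MdeModulePkg/MdeModulePkg.dec from [Packages] while here: the CpuPaging.c hunk keeps `EDKII_MIGRATED_FV_INFO *MigratedFvInfo;` as retained context, and that type comes from MdeModulePkg.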
+diff --git a/UefiCpuPkg/CpuMpPei/CpuPaging.c b/UefiCpuPkg/CpuMpPei/CpuPaging.c
+index 50ad4277af..3e261d6657 100644
+--- a/UefiCpuPkg/CpuMpPei/CpuPaging.c
++++ b/UefiCpuPkg/CpuMpPei/CpuPaging.c
+@@ -605,17 +605,9 @@ MemoryDiscoveredPpiNotifyCallback (
+ {
+ EFI_STATUS Status;
+ BOOLEAN InitStackGuard;
+- BOOLEAN InterruptState;
+ EDKII_MIGRATED_FV_INFO *MigratedFvInfo;
+ EFI_PEI_HOB_POINTERS Hob;
+
+- if (PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)) {
+- InterruptState = SaveAndDisableInterrupts ();
+- Status = MigrateGdt ();
+- ASSERT_EFI_ERROR (Status);
+- SetInterruptState (InterruptState);
+- }
+-
+ //
+ // Paging must be setup first. Otherwise the exception TSS setup during MP
+ // initialization later will not contain paging information and then fail
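Review bot: InterruptState is removed together with its only use, so no unused-variable warning results from that. `EFI_STATUS Status;` is kept; confirm it is still assigned and consumed later in MemoryDiscoveredPpiNotifyCallback, since the EDK2 toolchains build with warnings treated as errors. After this hunk the callback no longer touches the GDT at all, which matches the patch subject.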
+diff --git a/UefiCpuPkg/SecCore/SecCore.inf b/UefiCpuPkg/SecCore/SecCore.inf
+index 545781d6b4..ded83beb52 100644
+--- a/UefiCpuPkg/SecCore/SecCore.inf
++++ b/UefiCpuPkg/SecCore/SecCore.inf
+@@ -77,6 +77,7 @@
+
+ [Pcd]
+ gUefiCpuPkgTokenSpaceGuid.PcdPeiTemporaryRamStackSize ## CONSUMES
++ gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes ## CONSUMES
+
+ [UserExtensions.TianoCore."ExtraFiles"]
+ SecCoreExtra.uni
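Review bot: the new [Pcd] entry is in the gEfiMdeModulePkgTokenSpaceGuid token space, so SecCore.inf must list MdeModulePkg/MdeModulePkg.dec under [Packages]; that section is outside the hunk, so verify it. Likewise the MigrateGdt body added to SecMain.c calls PeiServicesAllocatePool, CopyMem and ALIGN_POINTER, which need PeiServicesLib and BaseMemoryLib in [LibraryClasses]; nothing in this patch adds them, so they must already be present. The passing autopkgtests show the module built, but the .inf is where a missing dependency would surface on a different toolchain.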
+diff --git a/UefiCpuPkg/SecCore/SecMain.c b/UefiCpuPkg/SecCore/SecMain.c
+index 155be49a60..2416c4ce56 100644
+--- a/UefiCpuPkg/SecCore/SecMain.c
++++ b/UefiCpuPkg/SecCore/SecMain.c
+@@ -35,6 +35,43 @@ EFI_PEI_PPI_DESCRIPTOR mPeiSecPlatformInformationPpi[] = {
+ }
+ };
+
++/**
++ Migrates the Global Descriptor Table (GDT) to permanent memory.
++
++ @retval EFI_SUCCESS The GDT was migrated successfully.
++ @retval EFI_OUT_OF_RESOURCES The GDT could not be migrated due to lack of available memory.
++
++**/
++EFI_STATUS
++MigrateGdt (
++ VOID
++ )
++{
++ EFI_STATUS Status;
++ UINTN GdtBufferSize;
++ IA32_DESCRIPTOR Gdtr;
++ VOID *GdtBuffer;
++
++ AsmReadGdtr ((IA32_DESCRIPTOR *) &Gdtr);
++ GdtBufferSize = sizeof (IA32_SEGMENT_DESCRIPTOR) -1 + Gdtr.Limit + 1;
++
++ Status = PeiServicesAllocatePool (
++ GdtBufferSize,
++ &GdtBuffer
++ );
++ ASSERT (GdtBuffer != NULL);
++ if (EFI_ERROR (Status)) {
++ return EFI_OUT_OF_RESOURCES;
++ }
++
++ GdtBuffer = ALIGN_POINTER (GdtBuffer, sizeof (IA32_SEGMENT_DESCRIPTOR));
++ CopyMem (GdtBuffer, (VOID *) Gdtr.Base, Gdtr.Limit + 1);
++ Gdtr.Base = (UINTN) GdtBuffer;
++ AsmWriteGdtr (&Gdtr);
++
++ return EFI_SUCCESS;
++}
++
+ //
+ // These are IDT entries pointing to 10:FFFFFFE4h.
+ //
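Review bot: the order of `ASSERT (GdtBuffer != NULL);` and `if (EFI_ERROR (Status))` is inverted: GdtBuffer is an uninitialized local and nothing guarantees PeiServicesAllocatePool sets it on failure, so on the error path the ASSERT inspects garbage before the status is checked. Check Status first, then assert on the buffer. GdtBufferSize adds `sizeof (IA32_SEGMENT_DESCRIPTOR) - 1` so that the following ALIGN_POINTER can round up without running past the allocation; that deserves a one-line comment. The cast in `AsmReadGdtr ((IA32_DESCRIPTOR *) &Gdtr)` is redundant, Gdtr already is an IA32_DESCRIPTOR. All of this is carried over verbatim from CpuMpPei.c, so it is follow-up material rather than a blocker for the move.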
+@@ -409,6 +446,14 @@ SecTemporaryRamDone (
+ //
+ State = SaveAndDisableInterrupts ();
+
++ //
++ // Migrate GDT before NEM near down
++ //
++ if (PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)) {
++ Status = MigrateGdt ();
++ ASSERT_EFI_ERROR (Status);
++ }
++
+ //
+ // Disable Temporary RAM after Stack and Heap have been migrated at this point.
+ //
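Review bot: in RELEASE builds ASSERT_EFI_ERROR compiles away, so if MigrateGdt fails the function continues to the "Disable Temporary RAM" step below with the GDT still based in flash, which is exactly the state the patch exists to prevent; an explicit `if (EFI_ERROR (Status)) { CpuDeadLoop (); }` after the call would make the failure fail-closed instead of silently proceeding. The call is correctly placed inside the SaveAndDisableInterrupts window opened just above. Confirm SecTemporaryRamDone already declares `Status`, since this hunk assigns it without declaring it. Comment typo: "NEM near down" should read "NEM tear down".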
+--
+2.32.0
+
--- End Message ---