Smbase.c

Go to the documentation of this file.

 
#include <Base.h>                             // BASE_1MB
#include <Library/BaseLib.h>                  // CpuPause()
#include <Library/BaseMemoryLib.h>            // CopyMem()
#include <Library/DebugLib.h>                 // DEBUG()
#include <Library/LocalApicLib.h>             // SendInitSipiSipi()
#include <Library/SynchronizationLib.h>       // InterlockedCompareExchange64()
#include <Register/Intel/SmramSaveStateMap.h> // SMM_DEFAULT_SMBASE
 
#include "FirstSmiHandlerContext.h"           // FIRST_SMI_HANDLER_CONTEXT
 
#include "Smbase.h"
 
extern CONST UINT8   mPostSmmPen[];
extern CONST UINT16  mPostSmmPenSize;
extern CONST UINT8   mFirstSmiHandler[];
extern CONST UINT16  mFirstSmiHandlerSize;
 
EFI_STATUS
SmbaseAllocatePostSmmPen (
  OUT UINT32                   *PenAddress,
  IN  CONST EFI_BOOT_SERVICES  *BootServices
  )
{
  EFI_STATUS            Status;
  EFI_PHYSICAL_ADDRESS  Address;
 
  //
  // The pen code must fit in one page, and the last byte must remain free for
  // signaling the SMM Monarch.
  //
  if (mPostSmmPenSize >= EFI_PAGE_SIZE) {
    Status = EFI_BAD_BUFFER_SIZE;
    DEBUG ((
      DEBUG_ERROR,
      "%a: mPostSmmPenSize=%u: %r\n",
      __func__,
      mPostSmmPenSize,
      Status
      ));
    return Status;
  }
 
  Address = BASE_1MB - 1;
  Status  = BootServices->AllocatePages (
                            AllocateMaxAddress,
                            EfiReservedMemoryType,
                            1,
                            &Address
                            );
  if (EFI_ERROR (Status)) {
    DEBUG ((DEBUG_ERROR, "%a: AllocatePages(): %r\n", __func__, Status));
    return Status;
  }
 
  DEBUG ((DEBUG_INFO, "%a: Post-SMM Pen at 0x%Lx\n", __func__, Address));
  *PenAddress = (UINT32)Address;
  return EFI_SUCCESS;
}
 
VOID
SmbaseReinstallPostSmmPen (
  IN UINT32  PenAddress
  )
{
  CopyMem ((VOID *)(UINTN)PenAddress, mPostSmmPen, mPostSmmPenSize);
}
 
VOID
SmbaseReleasePostSmmPen (
  IN UINT32                   PenAddress,
  IN CONST EFI_BOOT_SERVICES  *BootServices
  )
{
  BootServices->FreePages (PenAddress, 1);
}
 
VOID
SmbaseInstallFirstSmiHandler (
  VOID
  )
{
  FIRST_SMI_HANDLER_CONTEXT  *Context;
 
  CopyMem (
    (VOID *)(UINTN)(SMM_DEFAULT_SMBASE + SMM_HANDLER_OFFSET),
    mFirstSmiHandler,
    mFirstSmiHandlerSize
    );
 
  Context             = (VOID *)(UINTN)SMM_DEFAULT_SMBASE;
  Context->ApicIdGate = MAX_UINT64;
}
 
EFI_STATUS
SmbaseRelocate (
  IN APIC_ID  ApicId,
  IN UINTN    Smbase,
  IN UINT32   PenAddress
  )
{
  EFI_STATUS                          Status;
  volatile UINT8                      *SmmVacated;
  volatile FIRST_SMI_HANDLER_CONTEXT  *Context;
  UINT64                              ExchangeResult;
 
  if (Smbase > MAX_UINT32) {
    Status = EFI_INVALID_PARAMETER;
    DEBUG ((
      DEBUG_ERROR,
      "%a: ApicId=" FMT_APIC_ID " Smbase=0x%Lx: %r\n",
      __func__,
      ApicId,
      (UINT64)Smbase,
      Status
      ));
    return Status;
  }
 
  SmmVacated = (UINT8 *)(UINTN)PenAddress + (EFI_PAGE_SIZE - 1);
  Context    = (VOID *)(UINTN)SMM_DEFAULT_SMBASE;
 
  //
  // Clear AboutToLeaveSmm, so we notice when the hot-added CPU is just about
  // to reach RSM, and we can proceed to polling the last byte of the reserved
  // page (which could be attacked by the OS).
  //
  Context->AboutToLeaveSmm = 0;
 
  //
  // Clear the last byte of the reserved page, so we notice when the hot-added
  // CPU checks back in from the pen.
  //
  *SmmVacated = 0;
 
  //
  // Boot the hot-added CPU.
  //
  // There are 2*2 cases to consider:
  //
  // (1) The CPU was hot-added before the SMI was broadcast.
  //
  // (1.1) The OS is benign.
  //
  //       The hot-added CPU is in RESET state, with the broadcast SMI pending
  //       for it. The directed SMI below will be ignored (it's idempotent),
  //       and the INIT-SIPI-SIPI will launch the CPU directly into SMM.
  //
  // (1.2) The OS is malicious.
  //
  //       The hot-added CPU has been booted, by the OS. Thus, the hot-added
  //       CPU is spinning on the APIC ID gate. In that case, both the SMI and
  //       the INIT-SIPI-SIPI below will be ignored.
  //
  // (2) The CPU was hot-added after the SMI was broadcast.
  //
  // (2.1) The OS is benign.
  //
  //       The hot-added CPU is in RESET state, with no SMI pending for it. The
  //       directed SMI will latch the SMI for the CPU. Then the INIT-SIPI-SIPI
  //       will launch the CPU into SMM.
  //
  // (2.2) The OS is malicious.
  //
  //       The hot-added CPU is executing OS code. The directed SMI will pull
  //       the hot-added CPU into SMM, where it will start spinning on the APIC
  //       ID gate. The INIT-SIPI-SIPI will be ignored.
  //
  SendSmiIpi (ApicId);
  SendInitSipiSipi (ApicId, PenAddress);
 
  //
  // Expose the desired new SMBASE value to the hot-added CPU.
  //
  Context->NewSmbase = (UINT32)Smbase;
 
  //
  // Un-gate SMBASE relocation for the hot-added CPU whose APIC ID is ApicId.
  //
  ExchangeResult = InterlockedCompareExchange64 (
                     &Context->ApicIdGate,
                     MAX_UINT64,
                     ApicId
                     );
  if (ExchangeResult != MAX_UINT64) {
    Status = EFI_PROTOCOL_ERROR;
    DEBUG ((
      DEBUG_ERROR,
      "%a: ApicId=" FMT_APIC_ID " ApicIdGate=0x%Lx: %r\n",
      __func__,
      ApicId,
      ExchangeResult,
      Status
      ));
    return Status;
  }
 
  //
  // Wait until the hot-added CPU is just about to execute RSM.
  //
  while (Context->AboutToLeaveSmm == 0) {
    CpuPause ();
  }
 
  //
  // Now wait until the hot-added CPU reports back from the pen (or the OS
  // attacks the last byte of the reserved page).
  //
  while (*SmmVacated == 0) {
    CpuPause ();
  }
 
  Status = EFI_SUCCESS;
  return Status;
}