projects / mirror_edk2.git / blame
| Commit | Line | Data |
|---|---|---|
| 63c89da2 LE |
1 | ;------------------------------------------------------------------------------\r |
| 2 | ; @file\r | |
| 3 | ; Pen any hot-added CPU in a 16-bit, real mode HLT loop, after it leaves SMM by\r | |
| 4 | ; executing the RSM instruction.\r | |
| 5 | ;\r | |
| 6 | ; Copyright (c) 2020, Red Hat, Inc.\r | |
| 7 | ;\r | |
| 8 | ; SPDX-License-Identifier: BSD-2-Clause-Patent\r | |
| 9 | ;\r | |
| 10 | ; The routine implemented here is stored into normal RAM, under 1MB, at the\r | |
| 11 | ; beginning of a page that is allocated as EfiReservedMemoryType. On any\r | |
| 12 | ; hot-added CPU, it is executed after *at least* the first RSM (i.e., after\r | |
| 13 | ; SMBASE relocation).\r | |
| 14 | ;\r | |
| 15 | ; The first execution of this code occurs as follows:\r | |
| 16 | ;\r | |
| 17 | ; - The hot-added CPU is in RESET state.\r | |
| 18 | ;\r | |
| 19 | ; - The ACPI CPU hotplug event handler triggers a broadcast SMI, from the OS.\r | |
| 20 | ;\r | |
| 21 | ; - Existent CPUs (BSP and APs) enter SMM.\r | |
| 22 | ;\r | |
| 23 | ; - The hot-added CPU remains in RESET state, but an SMI is pending for it now.\r | |
| 24 | ; (See "SYSTEM MANAGEMENT INTERRUPT (SMI)" in the Intel SDM.)\r | |
| 25 | ;\r | |
| 26 | ; - In SMM, pre-existent CPUs that are not elected SMM Monarch, keep themselves\r | |
| 27 | ; busy with their wait loops.\r | |
| 28 | ;\r | |
| 29 | ; - From the root MMI handler, the SMM Monarch:\r | |
| 30 | ;\r | |
| 31 | ; - places this routine in the reserved page,\r | |
| 32 | ;\r | |
| 33 | ; - clears the "about to leave SMM" byte in SMRAM,\r | |
| 34 | ;\r | |
| 35 | ; - clears the last byte of the reserved page,\r | |
| 36 | ;\r | |
| 37 | ; - sends an INIT-SIPI-SIPI sequence to the hot-added CPU,\r | |
| 38 | ;\r | |
| 39 | ; - un-gates the default SMI handler by APIC ID.\r | |
| 40 | ;\r | |
| 41 | ; - The startup vector in the SIPI that is sent by the SMM Monarch points to\r | |
| 42 | ; this code; i.e., to the reserved page. (Example: 0x9_F000.)\r | |
| 43 | ;\r | |
| 44 | ; - The SMM Monarch starts polling the "about to leave SMM" byte in SMRAM.\r | |
| 45 | ;\r | |
| 46 | ; - The hot-added CPU boots, and immediately enters SMM due to the pending SMI.\r | |
| 47 | ; It starts executing the default SMI handler.\r | |
| 48 | ;\r | |
| 49 | ; - Importantly, the SMRAM Save State Map captures the following information,\r | |
| 50 | ; when the hot-added CPU enters SMM:\r | |
| 51 | ;\r | |
| 52 | ; - CS selector: assumes the 16 most significant bits of the 20-bit (i.e.,\r | |
| 53 | ; below 1MB) startup vector from the SIPI. (Example: 0x9F00.)\r | |
| 54 | ;\r | |
| 55 | ; - CS attributes: Accessed, Readable, User (S=1), CodeSegment (bit#11),\r | |
| 56 | ; Present.\r | |
| 57 | ;\r | |
| 58 | ; - CS limit: 0xFFFF.\r | |
| 59 | ;\r | |
| 60 | ; - CS base: the CS selector value shifted left by 4 bits. That is, the CS\r | |
| 61 | ; base equals the SIPI startup vector. (Example: 0x9_F000.)\r | |
| 62 | ;\r | |
| 63 | ; - IP: the least significant 4 bits from the SIPI startup vector. Because\r | |
| 64 | ; the routine is page-aligned, these bits are zero (hence IP is zero).\r | |
| 65 | ;\r | |
| 66 | ; - ES, SS, DS, FS, GS selectors: 0.\r | |
| 67 | ;\r | |
| 68 | ; - ES, SS, DS, FS, GS attributes: same as the CS attributes, minus\r | |
| 69 | ; CodeSegment (bit#11).\r | |
| 70 | ;\r | |
| 71 | ; - ES, SS, DS, FS, GS limits: 0xFFFF.\r | |
| 72 | ;\r | |
| 73 | ; - ES, SS, DS, FS, GS bases: 0.\r | |
| 74 | ;\r | |
| 75 | ; - The hot-added CPU sets its new SMBASE value in the SMRAM Save State Map.\r | |
| 76 | ;\r | |
| 77 | ; - The hot-added CPU sets the "about to leave SMM" byte in SMRAM, then\r | |
| 78 | ; executes the RSM instruction immediately after, leaving SMM.\r | |
| 79 | ;\r | |
| 80 | ; - The SMM Monarch notices that the "about to leave SMM" byte in SMRAM has\r | |
| 81 | ; been set, and starts polling the last byte in the reserved page.\r | |
| 82 | ;\r | |
| 83 | ; - The hot-added CPU jumps ("returns") to the code below (in the reserved\r | |
| 84 | ; page), according to the register state listed in the SMRAM Save State Map.\r | |
| 85 | ;\r | |
| 86 | ; - The hot-added CPU sets the last byte of the reserved page, then halts\r | |
| 87 | ; itself.\r | |
| 88 | ;\r | |
| 89 | ; - The SMM Monarch notices that the hot-added CPU is done with SMBASE\r | |
| 90 | ; relocation.\r | |
| 91 | ;\r | |
| 92 | ; Note that, if the OS is malicious and sends INIT-SIPI-SIPI to the hot-added\r | |
| 93 | ; CPU before allowing the ACPI CPU hotplug event handler to trigger a broadcast\r | |
| 94 | ; SMI, then said broadcast SMI will yank the hot-added CPU directly into SMM,\r | |
| 95 | ; without becoming pending for it (as the hot-added CPU is no longer in RESET\r | |
| 96 | ; state). This is OK, because:\r | |
| 97 | ;\r | |
| 98 | ; - The default SMI handler copes with this, as it is gated by APIC ID. The\r | |
| 99 | ; hot-added CPU won't start the actual SMBASE relocation until the SMM\r | |
| 100 | ; Monarch lets it.\r | |
| 101 | ;\r | |
| 102 | ; - The INIT-SIPI-SIPI sequence that the SMM Monarch sends to the hot-added CPU\r | |
| 103 | ; will be ignored in this sate (it won't even be latched). See "SMI HANDLER\r | |
| 104 | ; EXECUTION ENVIRONMENT" in the Intel SDM: "INIT operations are inhibited\r | |
| 105 | ; when the processor enters SMM".\r | |
| 106 | ;\r | |
| 107 | ; - When the hot-added CPU (e.g., CPU#1) executes the RSM (having relocated\r | |
| 108 | ; SMBASE), it returns to the OS. The OS can use CPU#1 to attack the last byte\r | |
| 109 | ; of the reserved page, while another CPU (e.g., CPU#2) is relocating SMBASE,\r | |
| 110 | ; in order to trick the SMM Monarch (e.g., CPU#0) to open the APIC ID gate\r | |
| 111 | ; for yet another CPU (e.g., CPU#3). However, the SMM Monarch won't look at\r | |
| 112 | ; the last byte of the reserved page, until CPU#2 sets the "about to leave\r | |
| 113 | ; SMM" byte in SMRAM. This leaves a very small window (just one instruction's\r | |
| 114 | ; worth before the RSM) for CPU#3 to "catch up" with CPU#2, and overwrite\r | |
| 115 | ; CPU#2's SMBASE with its own.\r | |
| 116 | ;\r | |
| 117 | ; In other words, we do not / need not prevent a malicious OS from booting the\r | |
| 118 | ; hot-added CPU early; instead we provide benign OSes with a pen for hot-added\r | |
| 119 | ; CPUs.\r | |
| 120 | ;------------------------------------------------------------------------------\r | |
| 121 | \r | |
| 122 | SECTION .data\r | |
| 123 | BITS 16\r | |
| 124 | \r | |
| 125 | GLOBAL ASM_PFX (mPostSmmPen) ; UINT8[]\r | |
| 126 | GLOBAL ASM_PFX (mPostSmmPenSize) ; UINT16\r | |
| 127 | \r | |
| 128 | ASM_PFX (mPostSmmPen):\r | |
| 129 | ;\r | |
| 130 | ; Point DS at the same reserved page.\r | |
| 131 | ;\r | |
| 132 | mov ax, cs\r | |
| 133 | mov ds, ax\r | |
| 134 | \r | |
| 135 | ;\r | |
| 136 | ; Inform the SMM Monarch that we're done with SMBASE relocation, by setting\r | |
| 137 | ; the last byte in the reserved page.\r | |
| 138 | ;\r | |
| 139 | mov byte [ds : word 0xFFF], 1\r | |
| 140 | \r | |
| 141 | ;\r | |
| 142 | ; Halt now, until we get woken by another SMI, or (more likely) the OS\r | |
| 143 | ; reboots us with another INIT-SIPI-SIPI.\r | |
| 144 | ;\r | |
| 145 | HltLoop:\r | |
| 146 | cli\r | |
| 147 | hlt\r | |
| 148 | jmp HltLoop\r | |
| 149 | \r | |
| 150 | ASM_PFX (mPostSmmPenSize):\r | |
| 151 | dw $ - ASM_PFX (mPostSmmPen)\r |