OvmfPkg/IoMmuDxe: zero out pages before releasing them

Whenever we release the plaintext bounce buffer pages that were allocated
implicitly in Map() for BusMasterRead[64] and BusMasterWrite[64], we
restore the encryption mask on them. However, we should also rewrite the
area (fill it with zeros) so that the hypervisor is not left with a
plaintext view of the earlier data.

Similarly, whenever we release the plaintext common buffer pages that were
allocated explicitly in AllocateBuffer() for BusMasterCommonBuffer[64], we
restore the encryption mask on them.  However, we should also rewrite the
area (fill it with zeros) so that the hypervisor is not left with a
plaintext view of the earlier data.

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Brijesh Singh <brijesh.singh@amd.com>

diff --git a/OvmfPkg/IoMmuDxe/AmdSevIoMmu.c b/OvmfPkg/IoMmuDxe/AmdSevIoMmu.c
index 8c2c23356a4029113ab9738525ed9519aab32d99..d899b0ab9e4105a6f0d4168dcc4f5aad4958d568 100644 (file)
--- a/OvmfPkg/IoMmuDxe/AmdSevIoMmu.c
+++ b/OvmfPkg/IoMmuDxe/AmdSevIoMmu.c
@@ -280,6 +280,10 @@ IoMmuUnmap (
              TRUE\r
              );\r
   ASSERT_EFI_ERROR(Status);\r
+  ZeroMem (\r
+    (VOID*)(UINTN)MapInfo->PlainTextAddress,\r
+    EFI_PAGES_TO_SIZE (MapInfo->NumberOfPages)\r
+    );\r
 \r
   //\r
   // Free the mapped buffer and the MAP_INFO structure.\r
@@ -414,6 +418,7 @@ IoMmuFreeBuffer (
              TRUE\r
              );\r
   ASSERT_EFI_ERROR(Status);\r
+  ZeroMem (HostAddress, EFI_PAGES_TO_SIZE (Pages));\r
 \r
   DEBUG ((\r
     DEBUG_VERBOSE,\r