SysCall: Made SMEP, SMAP, PAN optional features.

2025-04-07 19:45:07 +02:00 · 2024-09-02 12:19:00 +03:00 · 2024-09-02 12:19:00 +03:00 · 5b59ec5e07
commit 5b59ec5e07
parent 940a7e2074
4 changed files with 26 additions and 31 deletions
--- a/MdeModulePkg/Core/Dxe/SysCall/AARCH64/InitializeMsr.c
+++ b/MdeModulePkg/Core/Dxe/SysCall/AARCH64/InitializeMsr.c
@ -173,9 +173,6 @@ InitializeMsr (
    // Enable Privileged Access Never feature.
    //
    ArmSetPan ();
-  } else {
-    DEBUG ((DEBUG_ERROR, "Core: Failed to initialize MSRs for Ring3.\n"));
-    ASSERT (FALSE);
  }

  InitializeSysCallHandler ((VOID *)SysCallBootService);
@ -187,7 +184,9 @@ DisableSMAP (
  VOID
  )
 {
-  ArmClearPan ();
+  if (ArmHasPan ()) {
+    ArmClearPan ();
+  }
 }

 VOID
@ -196,7 +195,9 @@ EnableSMAP (
  VOID
  )
 {
-  ArmSetPan ();
+  if (ArmHasPan ()) {
+    ArmSetPan ();
+  }
 }

 EFI_STATUS
--- a/MdeModulePkg/Core/Dxe/SysCall/ARM/InitializeMsr.c
+++ b/MdeModulePkg/Core/Dxe/SysCall/ARM/InitializeMsr.c
@ -105,12 +105,6 @@ InitializeMsr (
    // Enable Privileged Access Never feature.
    //
    ArmSetPan ();
-  } else {
-    //
-    // TODO: Refactoring.
-    //
-    DEBUG ((DEBUG_ERROR, "Core: Failed to initialize MSRs for Ring3.\n"));
-    // ASSERT (FALSE);
  }

  InitializeSysCallHandler (SysCallBootService);
--- a/MdeModulePkg/Core/Dxe/SysCall/IA32/InitializeMsr.c
+++ b/MdeModulePkg/Core/Dxe/SysCall/IA32/InitializeMsr.c
@ -27,14 +27,9 @@ InitializeMsr (

  //
  // Forbid supervisor-mode accesses to any user-mode pages.
-  // SMEP and SMAP must be supported.
  //
  AsmCpuidEx (0x07, 0x0, NULL, &Ebx, NULL, NULL);
-  //
-  // SYSENTER and SYSEXIT must be also supported.
-  //
-  AsmCpuidEx (0x01, 0x0, NULL, NULL, NULL, &Edx);
-  if (((Ebx & BIT20) != 0) && ((Ebx & BIT7) != 0) && ((Edx & BIT11) != 0)) {
+  if (((Ebx & BIT20) != 0) && ((Ebx & BIT7) != 0)) {
    Cr4.UintN     = AsmReadCr4 ();
    Cr4.Bits.SMAP = 1;
    Cr4.Bits.SMEP = 1;
@ -43,9 +38,15 @@ InitializeMsr (
    Eflags.UintN   = AsmReadEflags ();
    Eflags.Bits.AC = 0;
    AsmWriteEflags (Eflags.UintN);
-  } else {
-    DEBUG ((DEBUG_ERROR, "Core: Failed to initialize MSRs for Ring3.\n"));
-    ASSERT (FALSE);
+  }
+
+  //
+  // SYSENTER and SYSEXIT must be supported.
+  //
+  AsmCpuidEx (0x01, 0x0, NULL, NULL, NULL, &Edx);
+  if ((Edx & BIT11) == 0) {
+    DEBUG ((DEBUG_ERROR, "Core: SYSENTER and SYSEXIT are not supported.\n"));
+    CpuDeadLoop ();
  }

  //
--- a/MdeModulePkg/Core/Dxe/SysCall/X64/InitializeMsr.c
+++ b/MdeModulePkg/Core/Dxe/SysCall/X64/InitializeMsr.c
@ -28,14 +28,9 @@ InitializeMsr (

  //
  // Forbid supervisor-mode accesses to any user-mode pages.
-  // SMEP and SMAP must be supported.
  //
  AsmCpuidEx (0x07, 0x0, NULL, &Ebx, NULL, NULL);
-  //
-  // SYSCALL and SYSRET must be also supported.
-  //
-  AsmCpuidEx (0x80000001, 0x0, NULL, NULL, NULL, &Edx);
-  if (((Ebx & BIT20) != 0) && ((Ebx & BIT7) != 0) && ((Edx & BIT11) != 0)) {
+  if (((Ebx & BIT20) != 0) && ((Ebx & BIT7) != 0)) {
    Cr4.UintN     = AsmReadCr4 ();
    Cr4.Bits.SMAP = 1;
    Cr4.Bits.SMEP = 1;
@ -44,15 +39,19 @@ InitializeMsr (
    Eflags.UintN   = AsmReadEflags ();
    Eflags.Bits.AC = 0;
    AsmWriteEflags (Eflags.UintN);
-    //
-    // Enable SYSCALL and SYSRET.
-    //
+  }
+
+  //
+  // Enable SYSCALL and SYSRET.
+  //
+  AsmCpuidEx (0x80000001, 0x0, NULL, NULL, NULL, &Edx);
+  if ((Edx & BIT11) != 0) {
    MsrEfer.Uint64   = AsmReadMsr64 (MSR_IA32_EFER);
    MsrEfer.Bits.SCE = 1;
    AsmWriteMsr64 (MSR_IA32_EFER, MsrEfer.Uint64);
  } else {
-    DEBUG ((DEBUG_ERROR, "Core: Failed to initialize MSRs for Ring3.\n"));
-    ASSERT (FALSE);
+    DEBUG ((DEBUG_ERROR, "Core: SYSCALL and SYSRET are not supported.\n"));
+    CpuDeadLoop ();
  }

  //