From d2d8d38ee08c5e602fb092f940dfecc1f5a4eb38 Mon Sep 17 00:00:00 2001
From: John Mathews <john.mathews@intel.com>
Date: Fri, 30 May 2025 11:06:49 -0700
Subject: [PATCH] UefiCpuPkg/PiSmmCpuDxeSmm: Safe handling of IDT register on
 SMM entry

Mitigates CVE-2025-3770

Do not assume that IDT.limit is loaded with a zero value upon SMM entry.
Delay enabling Machine Check Exceptions in SMM until after the SMM IDT
has been reloaded.

Signed-off-by: John Mathews <john.mathews@intel.com>
---
 UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
index 644366ba19..6e1cd45c04 100644
--- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
+++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
@@ -113,7 +113,7 @@ ProtFlatMode:
     mov eax, strict dword 0               ; source operand will be patched
 ASM_PFX(gPatchSmiCr3):
     mov     cr3, rax
-    mov     eax, 0x668                   ; as cr4.PGE is not set here, refresh cr3
+    mov     eax, 0x628                   ; as cr4.PGE is not set here, refresh cr3
 
     mov     cl, strict byte 0            ; source operand will be patched
 ASM_PFX(gPatch5LevelPagingNeeded):
@@ -204,6 +204,10 @@ SmiHandlerIdtrAbsAddr:
     mov     ax, [rbx + DSC_SS]
     mov     ss, eax
 
+    mov     rax, cr4                    ; enable MCE
+    bts     rax, 6
+    mov     cr4, rax
+
     mov     rbx, [rsp + 0x8]             ; rbx <- CpuIndex
 
 ; enable CET if supported