Hao Wu [Tue, 28 Feb 2017 06:18:53 +0000 (14:18 +0800)]
BaseTools/GenVtf & VolInfo: Fix build fail for 'snprintf' not defined
Function snprintf() is not supported in Visual Studio 2013 or older
version. The commit replaces the use of snprintf() with sprintf() to avoid
build failure for VS compilers.
This implements a DXE memory protection policy that ensures that regions
that don't require executable permissions are mapped with the non-exec
attribute set.
First of all, it iterates over all entries in the UEFI memory map, and
removes executable permissions according to the configured DXE memory
protection policy, as recorded in PcdDxeNxMemoryProtectionPolicy.
Secondly, it sets or clears the non-executable attribute when allocating
or freeing pages, both for page based or pool based allocations.
Note that this complements the image protection facility, which applies
strict permissions to BootServicesCode/RuntimeServicesCode regions when
the section alignment allows it. The memory protection configured by this
patch operates on non-code regions only.
Ard Biesheuvel [Thu, 23 Feb 2017 10:36:38 +0000 (10:36 +0000)]
MdeModulePkg: define PCD for DXE memory protection policy
Define a new fixed/patchable PCD that sets the DXE memory protection
policy: its primary use is to define which memory types should have
their executable permissions removed. Combined with the image protection
policy, this can be used to implement a strict W^X policy, i.e.. a policy
where no regions exist that are both executable and writable at the same
time.
Ard Biesheuvel [Fri, 24 Feb 2017 14:21:18 +0000 (14:21 +0000)]
MdeModulePkg/DxeCore: use separate lock for pool allocations
In preparation of adding memory permission attribute management to
the pool allocator, split off the locking of the pool metadata into
a separate lock. This is an improvement in itself, given that pool
allocations can only interfere with the page allocation bookkeeping
if pool pages are allocated or released. But it is also required to
ensure that the permission attribute management does not deadlock,
given that it may trigger page table splits leading to additional
page tables being allocated.
Ard Biesheuvel [Sun, 26 Feb 2017 16:45:24 +0000 (16:45 +0000)]
MdeModulePkg/EbcDxe: use EfiBootServicesCode memory for thunks
The EBC driver emits thunks for native to EBC calls, which are short
instructions sequences that bridge the gap between the native execution
environment and the EBC virtual machine.
Since these thunks are allocated using MemoryAllocationLib::AllocatePool(),
they are emitted into EfiBootServicesData regions, which does not reflect
the nature of these thunks accurately, and interferes with strict memory
protection policies that map data regions non-executable.
So instead, create a new helper EbcAllocatePoolForThunk() that invokes the
AllocatePool() boot service directly to allocate EfiBootServicesCode pool
memory explicitly, and wire up this helper for the various architecture
specific thunk generation routines.
Ard Biesheuvel [Thu, 23 Feb 2017 09:57:03 +0000 (09:57 +0000)]
MdeModulePkg/PeiCore: allocate BootServicesCode memory for PE/COFF images
Ensure that any memory allocated for PE/COFF images is identifiable as
a boot services code region, so that we know it requires its executable
permissions to be preserved when we tighten mapping permissions later on.
Ard Biesheuvel [Fri, 24 Feb 2017 09:58:38 +0000 (09:58 +0000)]
ArmPkg/CpuDxe: ignore attribute changes during SyncCacheConfig()
To prevent the initial MMU->GCD memory space map synchronization from
stripping permissions attributes [which we cannot use in the GCD memory
space map, unfortunately], implement the same approach as x86, and ignore
SetMemoryAttributes() calls during the time SyncCacheConfig() is in
progress. This is a horrible hack, but is currently the only way we can
implement strict permissions on arbitrary memory regions [as opposed to
PE/COFF text/data sections only]
Dandan Bi [Tue, 28 Feb 2017 08:04:13 +0000 (16:04 +0800)]
MdeModulePkg: Fix coding style issues
1. Make function comments align with the function.
2. Change the FILE_GUID value in SmmSmiHandlerProfileLib.inf
since it is duplicated with the FILE_GUID value in
SmiHandlerProfileLibNull.inf
3. Add missing PCD PROMPT&HELP string to uni file.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Dandan Bi <dandan.bi@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Dandan Bi [Mon, 27 Feb 2017 05:33:06 +0000 (13:33 +0800)]
MdeModulePkg/BMMUiLib: Replace same logic with API in UefiBootManagerLib
Use the API EfiBootManagerDeleteLoadOptionVariable in UefiBootManagerLib to
replace the same logic in function Var_DelBootOption/Var_DelDriverOption.
This can make code clean and prevent potential bugs.
Cc: Eric Dong <eric.dong@intel.com> Cc: Ruiyu Ni <ruiyu.ni@intel.com> Cc: Star Zeng <star.zeng@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Dandan Bi <dandan.bi@intel.com> Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com> Reviewed-by: Eric Dong <eric.dong@intel.com>
Qin Long [Mon, 27 Feb 2017 06:46:07 +0000 (14:46 +0800)]
CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2k
v2:
Re-generate the patch after the new OpensslLibCrypto instance.
OpenSSL 1.0.2k was released with several severity fixes at
26-Jan-2017 (https://www.openssl.org/news/secadv/20170126.txt).
This patch is to upgrade the supported OpenSSL version in
CryptoPkg/OpensslLib to catch the latest release 1.0.2k.
This removes the PCD PcdArmUncachedMemoryMask from ArmPkg, along with
any remaining references to it in various platform .DSC files. It is
no longer used now that we removed the virtual uncached pages protocol
and the associated DebugUncachedMemoryAllocationLib library instance.
The only observeable effect of having PcdPerformanceLibraryPropertyMask
set to 1 is that a EfiReservedMemory region of 4 pages is allocated right
below the 4 GB mark. This region is out of bounds for the OS, which means
it is not even allowed to map it, to avoid speculative loads from it.
On Linux, this may prevent the kernel from using a 1 GB block mapping for
this region, and instead it has to carve up the block as follows:
0xffffffff80000000-0xffffffffbe000000 992M PMD CON BLK
0xffffffffbe000000-0xffffffffbfe00000 30M PMD BLK
0xffffffffbfe00000-0xffffffffbfff0000 1984K PTE CON
0xffffffffbfff0000-0xffffffffbfffc000 48K PTE
where it would otherwise use a single 1 GB mapping (*), i.e.,
0xffffffff80000000-0xffffffffc0000000 1G PGD
To clarify, the latter is a single 8 byte entry in the top level page
table, whereas in the former case, we have two additional levels of
paging, requiring two extra 4 KB pages (on a 4 KB pagesize kernel).
The real cost, however, is the TLB footprint, which goes up from a
single entry to a number between 90 and 1020, depending on whether
contiguous hints are honoured by the hardware.
So let's remove PcdPerformanceLibraryPropertyMask until we find a reason
why we need it.
(*) provided that no other allocations were deliberately located right
below the 4 GB mark, and that we are running with more than 3 GB of
memory, in which case most allocations will be over 4 GB, given EDK2's
default top-down allocation policy.
Jiaxin Wu [Thu, 23 Feb 2017 05:28:57 +0000 (13:28 +0800)]
NetworkPkg/Ip6Dxe: Ignore duplicated DNS address check
Having duplicated DNS server IPs specified is not an ideal
configuration, but not an error condition. This patch is to
remove the duplicated DNS address check to allow the same DNS
address setting in SetData().
Cc: Hegde Nagaraj P <nagaraj-p.hegde@hpe.com> Cc: Subramanian Sriram <sriram-s@hpe.com> Cc: Ye Ting <ting.ye@intel.com> Cc: Fu Siyuan <siyuan.fu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com> Reviewed-by: Subramanian Sriram <sriram-s@hpe.com> Reviewed-by: Hegde Nagaraj P <nagaraj-p.hegde@hpe.com> Tested-by: Hegde Nagaraj P <nagaraj-p.hegde@hpe.com>
Jiaxin Wu [Thu, 23 Feb 2017 05:27:18 +0000 (13:27 +0800)]
MdeModulePkg/Ip4Dxe: Ignore duplicated DNS address check
Having duplicated DNS server IPs specified is not an ideal
configuration, but not an error condition. This patch is to
remove the duplicated DNS address check to allow the same DNS
address setting in SetData().
Cc: Hegde Nagaraj P <nagaraj-p.hegde@hpe.com> Cc: Subramanian Sriram <sriram-s@hpe.com> Cc: Ye Ting <ting.ye@intel.com> Cc: Fu Siyuan <siyuan.fu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com> Reviewed-by: Subramanian Sriram <sriram-s@hpe.com> Reviewed-by: Hegde Nagaraj P <nagaraj-p.hegde@hpe.com> Tested-by: Hegde Nagaraj P <nagaraj-p.hegde@hpe.com>
Ard Biesheuvel [Fri, 24 Feb 2017 17:51:04 +0000 (17:51 +0000)]
MdeModulePkg/DxeCore: base code protection on permission attributes
Instead of assuming that a PE/COFF section of type EFI_IMAGE_SCN_CNT_CODE
can always be mapped read-only, classify a section as a code section only
if it has the executable attribute set and the writable attribute cleared.
This adheres more closely to the PE/COFF spec, and avoids issues with
Linux OS loaders that may consist of a single read/write/execute section.
Laszlo Ersek [Thu, 23 Feb 2017 20:46:06 +0000 (21:46 +0100)]
OvmfPkg: exclude libssl functionality from OpensslLib if TLS_ENABLE=FALSE
The OpensslLibCrypto library instance (which does not contain libssl
functions) is sufficient for the Secure Boot feature.
Ease security analysis by excluding libssl functionality from the
OpensslLib instance we use with TLS_ENABLE=FALSE.
Cc: Gary Lin <glin@suse.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Tomas Hoger <thoger@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Gary Lin <glin@suse.com>
Laszlo Ersek [Thu, 23 Feb 2017 20:42:06 +0000 (21:42 +0100)]
ArmVirtPkg: resolve OpensslLib to OpensslLibCrypto
The OpensslLibCrypto library instance (which does not contain libssl
functions) is sufficient for the Secure Boot feature. It would not be
sufficient for HTTPS booting (which requires TLS), but in ArmVirtPkg, we
don't even enable plaintext HTTP booting for the time being.
Ease security analysis by excluding libssl functionality from the
OpensslLib instance we use.
then the platform never actually uses the libssl functionality that gets
built into "OpensslLib.inf".
Tomas Hoger from Red Hat Product Security tells me that security
evaluation is less demanding if we can actually *exclude* the libssl files
from such OVMF builds that don't specify -D TLS_ENABLE (rather than just
trust modules not to call libssl functions if we don't specify -D
TLS_ENABLE).
This patch introduces a parallel OpensslLib instance called
"OpensslLibCrypto" that is appropriate for platform builds without TLS
enablement. It does not build C source files in vain, and it eases
security review -- all libssl vulnerabilities can be excluded at once.
"OpensslLibCrypto.inf" is created as a copy of "OpensslLib.inf", modifying
the BASE_NAME, MODULE_UNI_FILE and FILE_GUID defines.
"process_files.sh" is extended to auto-generate the list of OpenSSL files
for both library instances accordingly. This list is updated in
"OpensslLibCrypto.inf" at once.
"OpensslLibCrypto.uni" is introduced as a copy of "OpensslLib.uni",
highlighting the difference.
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Gary Lin <glin@suse.com> Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Qin Long <qin.long@intel.com> Cc: Ruiyu Ni <ruiyu.ni@intel.com> Cc: Ting Ye <ting.ye@intel.com> Cc: Tomas Hoger <thoger@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Qin Long <qin.long@intel.com>
Laszlo Ersek [Thu, 23 Feb 2017 18:47:35 +0000 (19:47 +0100)]
CryptoPkg/OpensslLib: refresh OpensslLib.inf, opensslconf.h after 32387e00
Commit 32387e0081db ("CryptoPkg: Enable ssl build in OpensslLib directly",
2016-12-14) removed the "no-queue" configuration option in
"process_files.sh", plus it enabled "process_files.sh" to place all libssl
source files into "OpensslLib.inf".
However, the patch apparently failed to capture two changes originating
from the above actions:
- the definitions of the OPENSSL_NO_PQUEUE and NO_PQUEUE macros were not
removed from "opensslconf.h",
- "ssl/ssl_conf.c" was not added to "OpensslLib.inf".
Refresh these files, completing commit 32387e0081db.
I built OVMF with -D SECURE_BOOT_ENABLE -D TLS_ENABLE, and ArmVirtQemu
with -D SECURE_BOOT_ENABLE, after this fix, and experienced no regression.
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Gary Lin <glin@suse.com> Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Qin Long <qin.long@intel.com> Cc: Ruiyu Ni <ruiyu.ni@intel.com> Cc: Ting Ye <ting.ye@intel.com> Cc: Tomas Hoger <thoger@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Qin Long <qin.long@intel.com>
Enable the new DXE image protection for all image, i.e., FV images but
also external images that originate from disk or the network, such as
OS loaders.
This complements work that is underway on the arm64/Linux kernel side,
to emit the OS loader with 4 KB section alignment, and a suitable split
between code and data.
Ard Biesheuvel [Thu, 23 Feb 2017 18:30:51 +0000 (18:30 +0000)]
BaseTools: GCC: move most AutoGen.obj contents back to .data section
The generated AutoGen.c files mostly contain read-only data, but due to
lacking annotations, all of it is emitted into the .data section by the
compiler.
Given that GUIDs are UEFI's gaffer tape, having writable GUIDs is a
security hazard, and this was the main rationale for putting AutoGen.obj
in the .text section. However, as it turns out, patchable PCDs are emitted
there as well, which can legally be modified at runtime.
So update the wildcard pattern to only match g...Guid sections, and move
everything else back to .data (Note that this relies on -fdata-sections,
without that option, everything is emitted into .data)
Ard Biesheuvel [Thu, 23 Feb 2017 14:43:49 +0000 (14:43 +0000)]
ArmPkg/CpuDxe: remove VirtualUncachedPages protocol and implementation
Virtual uncached pages are simply pages that are aliased using mismatched
attributes, which is not allowed by the ARM architecture. So remove the
protocol and its implementation.
Ard Biesheuvel [Thu, 23 Feb 2017 14:38:32 +0000 (14:38 +0000)]
ArmPkg: remove DebugUncachedMemoryAllocationLib
The debug implementation of the UncachedMemoryAllocationLib library
class relies on the creation of an uncached alias of a memory range,
while keeping the original cached mapping, but with read-only attributes
to trap inadvertent write accesses.
This is not a terribly good idea, given that the ARM architecture does
not allow mismatched attributes, and so creating them deliberately is
not something we should encourage by doing it in reference code.
So remove the library, and replace all references to it with a reference
to the non-debug version (unless the platform does not require a resolution
for it in the first place, in which case all UncachedMemoryAllocationLib
references can be removed altogether).
Star Zeng [Wed, 8 Jun 2016 07:23:24 +0000 (00:23 -0700)]
ShellPkg UefiDpLib: Remove TimerLib dependency
Current UefiDpLib implementation depends on TimerLib,
as different platforms may implement and use their
own TimerLib, it makes the dp command needs to be built
by platform. The TimerLib dependency can be removed by
using performance property configuration table to make
UefiDpLib to be generic.
Cc: Andrew Fish <afish@apple.com> Cc: Michael Kinney <michael.d.kinney@intel.com> Cc: Liming Gao <liming.gao@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Cinnamon Shia <cinnamon.shia@hpe.com> Cc: Jaben Carsey <jaben.carsey@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Andrew Fish <afish@apple.com> Reviewed-by: Jaben Carsey <jaben.carsey@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Star Zeng [Wed, 8 Jun 2016 07:30:22 +0000 (00:30 -0700)]
PerformancePkg Dp_App: Remove TimerLib dependency
Current Dp_App implementation depends on TimerLib,
as different platforms may implement and use their
own TimerLib, it makes the dp application needs to
be built by platform. The TimerLib dependency can
be removed by using performance property configuration
table to make Dp_App to be generic.
Cc: Andrew Fish <afish@apple.com> Cc: Michael Kinney <michael.d.kinney@intel.com> Cc: Liming Gao <liming.gao@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Cinnamon Shia <cinnamon.shia@hpe.com> Cc: Jaben Carsey <jaben.carsey@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Andrew Fish <afish@apple.com> Reviewed-by: Jaben Carsey <jaben.carsey@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Zhang Lubo [Fri, 17 Feb 2017 06:43:41 +0000 (14:43 +0800)]
NetworkPkg:Add scriptable configuration to iSCSI driver by leveraging x-UEFI.
v2:
Add error handling if can not create Attempts in driver entry point.
Since we support to define a macro be a PCD value, we enhance our code
by modifying the structure in IFR_NVDATA. This effect code logic mainly
in Creating Keywords,Convert IFR NvData To AttemptConfigData ByKeyword and
reverse function.
Fix typo errors and sync based on the latest code.
Enable iSCSI keywords configuration based on x-UEFI
name space. we introduce new PCD to control the attempt
numbers which will be created in non activated state, besides
the Attempt name is changed to READ_ONLY attribute in UI.
We can invoke KEYWORD HANDLER Protocol to configure
the related keywords.
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Zhang Lubo <lubo.zhang@intel.com> Cc: Ye Ting <ting.ye@intel.com> Cc: Fu Siyuan <siyuan.fu@intel.com> Cc: Wu Jiaxin <jiaxin.wu@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com> Reviewed-by: Fu Siyuan <siyuan.fu@intel.com> Reviewed-by: Wu Jiaxin jiaxin.wu@intel.com
Yonghong Zhu [Wed, 22 Feb 2017 15:38:01 +0000 (23:38 +0800)]
BaseTools: Fix the regression issue caused by commit dc4c77
In the last commit dc4c77, the _GetHeaderInfo will be called more than
once, which cause the self._ConstructorList.append(Value) append some
duplicate value.
Enable the hardware stack alignment check, as mandated by the UEFI spec.
This ensures that the stack pointer is 16 byte aligned at each instance
where it is used as the base address in a load/store operation.
Ard Biesheuvel [Wed, 22 Feb 2017 09:38:18 +0000 (09:38 +0000)]
ArmPlatformPkg/ArmPlatformStackLib: use callee preserved registers
The entry code in ArmPlatformStackSet () is a 1:1 transliteration of the
ARM version, which uses the callee preserved registers r3 - r7 (*) to
preserve the function arguments and the link register across a call to
ArmPlatformIsPrimaryCore ().
However, x3 - x7 are not callee preserved on AARCH64, and so we should use
registers >= x19 instead. While we're at it, drop an unnecessary preserve
of the link register, and simplify/deobfuscate the calculation of the
secondary stack position.
(*) Note that r3 is not actually a callee saved register even on ARM.
Jiewen Yao [Sun, 22 Jan 2017 11:28:13 +0000 (03:28 -0800)]
BaseTool/Script: Add SmiHandleProfile OS tool to get symbol.
This tool accepts the input XML file generated by SmiHandlerProfile
application and convert the RVA address to be a user readable
symbol.
It also converts the GUID to be a user readable string.
Cc: Yonghong Zhu <yonghong.zhu@intel.com> Cc: Liming Gao <liming.gao@intel.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jiewen Yao <jiewen.yao@intel.com> Reviewed-by: Liming Gao <liming.gao@intel.com>
1) SmmCore maintains the root SMI handler and NULL SMI handler
database.
2) SmmCore consumes PcdSmiHandlerProfilePropertyMask to decide
if SmmCore need support SMI handler profile.
If SMI handler profile is supported, the SmmCore installs
SMI handler profile protocol and SMI handler profile
communication handler.
3) SMI handler profile protocol will record the hardware SMI
handler profile registered by SmmChildDispatcher.
4) SMI handler profile communication handler will return all
SMI handler profile info (NULL SMI handler, GUID SMI handler,
and hardware SMI handler)
Cc: Feng Tian <feng.tian@intel.com> Cc: Star Zeng <star.zeng@intel.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jiewen Yao <jiewen.yao@intel.com> Reviewed-by: Star Zeng <star.zeng@intel.com>
This header file defines:
1) An SMI handler profile protocol. So that SmmChildDispatch
module can register the hardware SMI handler information.
2) The SMI handler profile communication buffer. So that
a shell application can use SMM communication to get the
SMI handler profile info.
Cc: Feng Tian <feng.tian@intel.com> Cc: Star Zeng <star.zeng@intel.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Jeff Fan [Mon, 20 Feb 2017 08:17:05 +0000 (16:17 +0800)]
UefiCpuPkg/CpuDxe: Fix hard code actual TimerPeriod value
Current CpuGetTimerValue() implementation return hard code TimerPeriod value. We
could calculate the actual TimerPeriod value over period of time (100us) at the
first time invoking CpuGetTimerValue() and save the TimerPeriod value into one
global variable to avoid delay at the next CpuGetTimerValue() invoking.
Jeff Fan [Tue, 21 Feb 2017 02:35:47 +0000 (10:35 +0800)]
UefiCpuPkg/CpuDxe: Add Local APIC memory mapped space in GCD
Local APIC memory mapped space should be added into GCD and be allocated.
Otherwise, UEFI firmware cannot get correct memory map for it. For example,
SMM profile feature needs to get the completed MMIO map to protect them.
v2:
Consume AddMemoryMappedIoSpace() to handle the case that Local APIC
memory space has already been added before.
Jiewen Yao [Sat, 14 Jan 2017 07:04:10 +0000 (23:04 -0800)]
MdeModulePkg/DxeCore: Add UEFI image protection.
If the UEFI image is page aligned, the image code section is set to read
only and the image data section is set to non-executable.
1) This policy is applied for all UEFI image including boot service driver,
runtime driver or application.
2) This policy is applied only if the UEFI image meets the page alignment
requirement.
3) This policy is applied only if the Source UEFI image matches the
PcdImageProtectionPolicy definition.
4) This policy is not applied to the non-PE image region.
The DxeCore calls CpuArchProtocol->SetMemoryAttributes() to protect
the image. If the CpuArch protocol is not installed yet, the DxeCore
enqueues the protection request. Once the CpuArch is installed, the
DxeCore dequeues the protection request and applies policy.
Once the image is unloaded, the protection is removed automatically.
The UEFI runtime image protection is teared down at ExitBootServices(),
the runtime image code relocation need write code segment at
SetVirtualAddressMap(). We cannot assume OS/Loader has taken over
page table at that time.
NOTE: It is per-requisite that code section and data section
should not be not merged. That is same criteria for SMM/runtime driver.
We are not able to detect during BIOS boot, because
we can only get LINK warning below:
"LINK : warning LNK4254: section '.data' (C0000040) merged into
'.text' (60000020) with different attributes"
But final attribute in PE code section is same.
Cc: Star Zeng <star.zeng@intel.com> Cc: Feng Tian <feng.tian@intel.com> Cc: Michael Kinney <michael.d.kinney@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jiewen Yao <jiewen.yao@intel.com> Reviewed-by: Jeff Fan <jeff.fan@intel.com> Tested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Jiewen Yao [Sat, 14 Jan 2017 07:40:20 +0000 (15:40 +0800)]
UefiCpuPkg/CpuDxe: Add memory attribute setting.
Add memory attribute setting in CpuArch protocol.
Previous SetMemoryAttributes() API only supports cache attribute setting.
This patch updated SetMemoryAttributes() API to support memory attribute
setting by updating CPU page table.
Cc: Jeff Fan <jeff.fan@intel.com> Cc: Michael Kinney <michael.d.kinney@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jiewen Yao <jiewen.yao@intel.com> Reviewed-by: Jeff Fan <jeff.fan@intel.com>
Yonghong Zhu [Mon, 20 Feb 2017 10:49:32 +0000 (18:49 +0800)]
BaseTools: add error check for Macro usage in the INF file
Use of MACRO statements in the EDK II INF files is limited to local
usage only; global or external macros are not permitted. This patch
add the check for not defined macros.
Laszlo Ersek [Tue, 21 Feb 2017 13:43:00 +0000 (14:43 +0100)]
OvmfPkg/QemuFwCfg: introduce FW_CFG_IO_DMA_ADDRESS, adapt the package
Introduce the FW_CFG_IO_DMA_ADDRESS macro for IO Ports 0x514 and 0x518
(most significant and least significant halves of the DMA Address
Register, respectively), and update all references in OvmfPkg.
Cc: Jordan Justen <jordan.l.justen@intel.com> Suggested-by: Jordan Justen <jordan.l.justen@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
Laszlo Ersek [Tue, 21 Feb 2017 12:56:48 +0000 (13:56 +0100)]
OvmfPkg/AcpiPlatformDxe: update PointerValue comments in "BootScript.c"
Commit df73df138d9d ("OvmfPkg/AcpiPlatformDxe: replay
QEMU_LOADER_WRITE_POINTER commands at S3", 2017-02-09) added
"BootScript.c" with such comments on the PointerValue field of
CONDENSED_WRITE_POINTER, and on the corresponding PointerValue parameter
of SaveCondensedWritePointerToS3Context(), that did not consider the
then-latest update of the QEMU_LOADER_WRITE_POINTER structure. (Namely,
the introduction of the PointeeOffset field.)
The code is fine as-is -- ProcessCmdWritePointer() already calls
SaveCondensedWritePointerToS3Context() correctly, and "BootScript.c"
itself is indifferent to the exact values --, but the comments in
"BootScript.c" should match reality too. Update them.
Cc: Jordan Justen <jordan.l.justen@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
Laszlo Ersek [Tue, 21 Feb 2017 12:30:48 +0000 (13:30 +0100)]
OvmfPkg/AcpiPlatformDxe: drop double right shift in ADD/WRITE POINTER cmds
The Count parameter of RShiftU64() must be strictly smaller than 64.
ProcessCmdAddPointer() and ProcessCmdWritePointer() currently ensure this
by "cleverly" breaking the last bit of a potentially 8-byte right shift
out to a separate operation.
Instead, exclude the Count==64 case explicitly (in which case the
preexistent outer RShiftU64() would return 0), and keep only the inner
RShiftU64(), with the direct Count however.
This is not a functional change, just style improvement.
Cc: Jordan Justen <jordan.l.justen@intel.com> Suggested-by: Jordan Justen <jordan.l.justen@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
Jeff Fan [Tue, 21 Feb 2017 03:29:45 +0000 (11:29 +0800)]
UefiCpuPkg/ExceptionHandlerAsm.S: Fix code length issue with GCC 5.4
X64\ExceptionHandlerAsm.S define MARCO to set up 32 IDT entries header.
It assume GCC compiler will generate the same code length on the following
instrction for each IDT entry.
jmp ASM_PFX(CommonInterruptEntry)
It works with GCC 4.x. However, GCC 5.4 will generate different code size of IDT
entry code per the offset value from CommonInterruptEntry address. We should use
DB to make sure each IDT entry header has the same size whatever compiler
version.
.ASM and .nasm used the different solution and do not have this issue.
Ard Biesheuvel [Wed, 15 Feb 2017 17:11:56 +0000 (17:11 +0000)]
ArmPkg/ArmMmuLib: AARCH64: add support for modifying only permissions
Since the new DXE page protection for PE/COFF images may invoke
EFI_CPU_ARCH_PROTOCOL.SetMemoryAttributes() with only permission
attributes set, add support for this in the AARCH64 MMU code.
Move the EFI_MEMORY_CACHETYPE_MASK macro to a shared location between
CpuDxe and ArmMmuLib so we don't have to introduce yet another
definition.
Ard Biesheuvel [Wed, 15 Feb 2017 17:11:55 +0000 (17:11 +0000)]
ArmPkg/CpuDxe: ARM: ignore page table updates that only change permissions
Currently, we have not implemented support on 32-bit ARM for managing
permission bits in the page tables. Since the new DXE page protection
for PE/COFF images may invoke EFI_CPU_ARCH_PROTOCOL.SetMemoryAttributes()
with only permission attributes set, let's simply ignore those for now.
Ard Biesheuvel [Wed, 15 Feb 2017 17:11:54 +0000 (17:11 +0000)]
ArmPkg/CpuDxe: translate invalid memory types in EfiAttributeToArmAttribute
The single user of EfiAttributeToArmAttribute () is the protocol
method EFI_CPU_ARCH_PROTOCOL.SetMemoryAttributes(), which uses the
return value to compare against the ARM attributes of an existing mapping,
to infer whether it is actually necessary to change anything, or whether
the requested update is redundant. This saves some cache and TLB
maintenance on 32-bit ARM systems that use uncached translation tables.
However, EFI_CPU_ARCH_PROTOCOL.SetMemoryAttributes() may be invoked with
only permission bits set, in which case the implied requested action is to
update the permissions of the region without modifying the cacheability
attributes. This is currently not possible, because
EfiAttributeToArmAttribute () ASSERT()s [on AArch64] on Attributes arguments
that lack a cacheability bit.
So let's simply return TT_ATTR_INDX_MASK (AArch64) or
TT_DESCRIPTOR_SECTION_TYPE_FAULT (ARM) in these cases (or'ed with the
appropriate permission bits). This way, the return value is equally
suitable for checking whether the attributes need to be modified, but
in a way that accommodates the use without a cacheability bit set.
Jiewen Yao [Thu, 9 Feb 2017 07:20:30 +0000 (23:20 -0800)]
ArmPkg/CpuDxe: Correct EFI_MEMORY_RO usage
Current Arm CpuDxe driver uses EFI_MEMORY_WP for write protection,
according to UEFI spec, we should use EFI_MEMORY_RO for write protection.
The EFI_MEMORY_WP is the cache attribute instead of memory attribute.
Laszlo Ersek [Thu, 9 Feb 2017 16:32:40 +0000 (17:32 +0100)]
OvmfPkg/AcpiPlatformDxe: replay QEMU_LOADER_WRITE_POINTER commands at S3
Ultimately, each QEMU_LOADER_WRITE_POINTER command creates a guest memory
reference in some QEMU device. When the virtual machine is reset, the
device willfully forgets the guest address, since the guest memory is
wholly invalidated during platform reset.
... Unless the reset is part of S3 resume. Then the guest memory is
preserved intact, and the firmware must reprogram those devices with the
original guest memory allocation addresses.
This patch accumulates the fw_cfg select, skip and write operations of
ProcessCmdWritePointer() in a validated / condensed form, and turns them
into an ACPI S3 Boot Script fragment at the very end of
InstallQemuFwCfgTables().
Cc: Jordan Justen <jordan.l.justen@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=359
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
Laszlo Ersek [Wed, 8 Feb 2017 20:53:02 +0000 (21:53 +0100)]
OvmfPkg/AcpiPlatformDxe: implement the QEMU_LOADER_WRITE_POINTER command
The QEMU_LOADER_WRITE_POINTER command instructs the firmware to write the
address of a field within a previously allocated/downloaded fw_cfg blob
into another (writeable) fw_cfg file at a specific offset.
Put differently, QEMU_LOADER_WRITE_POINTER propagates, to QEMU, the
address that QEMU_LOADER_ALLOCATE placed the designated fw_cfg blob at, as
adjusted for the given field inside the allocated blob.
The implementation is similar to that of QEMU_LOADER_ADD_POINTER. Since
here we "patch" a pointer object in "fw_cfg file space", not guest memory
space, we utilize the QemuFwCfgSkipBytes() and QemuFwCfgWriteBytes() APIs
completed in commit range 465663e9f128..7fcb73541299.
An interesting aspect is that QEMU_LOADER_WRITE_POINTER creates a
host-level reference to a guest memory location. Therefore, if we fail to
process the linker/loader script for any reason, we have to clear out
those references first, before we release the guest memory allocations in
response to the error.
Cc: Jordan Justen <jordan.l.justen@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=359
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
Laszlo Ersek [Wed, 8 Feb 2017 13:25:01 +0000 (14:25 +0100)]
OvmfPkg/AcpiPlatformDxe: prepare for QEMU_LOADER_WRITE_POINTER definitions
No functional changes in this patch, just prepare the grounds with some
reformatting (trailing comma after the last enumeration constant,
horizontal whitespace insertion) so that the next patch can be cleaner.
Cc: Jordan Justen <jordan.l.justen@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=359
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
Dandan Bi [Thu, 16 Feb 2017 10:30:20 +0000 (18:30 +0800)]
MdeModulePkg/BMMUiLib: Remove old useless data before new save action
There exits the case that when saving changes in form A,
the old saved data in form B are not cleaned, will be saved
again with the new save. Thus incorrect UI behavior will be
shown. This patch is to remove some useless data.
Dandan Bi [Mon, 20 Feb 2017 02:20:08 +0000 (10:20 +0800)]
MdeModulePkg/HiiDatabase: clean the value before setting default string
For string op-code, the default string may not reach the
maximum size, so when generating <AltResp> string, we should
clean the value before setting the default string.
Dandan Bi [Thu, 9 Feb 2017 13:17:34 +0000 (21:17 +0800)]
MdeMoudlePkg/DisplayEngine: Fix incorrect index used in array "InputText"
When set value to the array "InputText", the index was used incorrectly.
And the array "InputText" is not initialized. These will cause some value
in the array is random, so it will be shown incorrectly sometimes.
This patch is to fix this issue.
Add the following 2 APIs:
UnicodeValueToStringS
AsciiValueToStringS
These safe version APIs are used to enhance their counterpart (APIs
without trailing 'S' in function names).
They perform checks to the input parameters and will return relative
status to reflect the check result.
Return RETURN_INVALID_PARAMETER when:
1). The input Buffer is NULL.
2). The input BufferSize is greater than (PcdMaximumUnicodeStringLength *
sizeof (CHAR16) + 1) for UnicodeValueToStringS or greater than
PcdMaximumAsciiStringLength for AsciiValueToStringS.
3). The input Flags is not set properly.
4). The input Width is not smaller than MAXIMUM_VALUE_CHARACTERS.
Return RETURN_BUFFER_TOO_SMALL when:
1). The input BufferSize cannot hold the converted value.
These APIs in the MdeModulePkg/DxePrintLibPrint2Protocol instance
follow the same rules with MdePkg/BasePrintLib.
Hao Wu [Wed, 8 Feb 2017 03:20:37 +0000 (11:20 +0800)]
MdeModulePkg: Add the EFI_PRINT2S_PROTOCOL
Add the EFI_PRINT2S_PROTOCOL as a safe version of the EFI_PRINT2_PROTOCOL,
the EFI_PRINT2S_PROTOCOL replaces the following 2 services in
EFI_PRINT2_PROTOCOL:
UNICODE_VALUE_TO_STRING
ASCII_VALUE_TO_STRING
The 2 new services perform checks to the input parameters and will return
relative status to reflect the check result.
Return RETURN_INVALID_PARAMETER when:
1). The input Buffer is NULL.
2). The input BufferSize is greater than (PcdMaximumUnicodeStringLength *
sizeof (CHAR16) + 1) for UnicodeValueToStringS or greater than
PcdMaximumAsciiStringLength for AsciiValueToStringS.
3). The input Flags is not set properly.
4). The input Width is not smaller than MAXIMUM_VALUE_CHARACTERS.
Return RETURN_BUFFER_TOO_SMALL when:
1). The input BufferSize cannot hold the converted value.
Add the following 2 APIs:
UnicodeValueToStringS
AsciiValueToStringS
These safe version APIs are used to enhance their counterpart (APIs
without trailing 'S' in function names).
They perform checks to the input parameters and will return relative
status to reflect the check result.
Return RETURN_INVALID_PARAMETER when:
1). The input Buffer is NULL.
2). The input BufferSize is greater than (PcdMaximumUnicodeStringLength *
sizeof (CHAR16) + 1) for UnicodeValueToStringS or greater than
PcdMaximumAsciiStringLength for AsciiValueToStringS.
3). The input Flags is not set properly.
4). The input Width is not smaller than MAXIMUM_VALUE_CHARACTERS.
Return RETURN_BUFFER_TOO_SMALL when:
1). The input BufferSize cannot hold the converted value.