UefiCpuPkg/PiSmmCpu: Restrict access per PcdCpuSmmRestrictedMemoryAccess

Today's behavior is to always restrict access to non-SMRAM regardless
the value of PcdCpuSmmRestrictedMemoryAccess.

Because RAS components require to access all non-SMRAM memory, the
patch changes the code logic to honor PcdCpuSmmRestrictedMemoryAccess
so that only when the PCD is true, the restriction takes affect and
page table memory is also protected.

Because IA32 build doesn't reference this PCD, such restriction
always takes affect in IA32 build.

Signed-off-by: Ray Ni <ray.ni@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>

diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/PageTbl.c b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/PageTbl.c
index 05fb455936f1d7487b39a853dc40d3db643a553a..f891a811126f6ecc84f11fde133e42d43cac3cf8 100644 (file)
--- a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/PageTbl.c
+++ b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/PageTbl.c
@@ -336,3 +336,17 @@ RestoreCr2 (
 {\r
   return ;\r
 }\r
+\r
+/**\r
+  Return whether access to non-SMRAM is restricted.\r
+\r
+  @retval TRUE  Access to non-SMRAM is restricted.\r
+  @retval FALSE Access to non-SMRAM is not restricted.\r
+*/\r
+BOOLEAN\r
+IsRestrictedMemoryAccess (\r
+  VOID\r
+  )\r
+{\r
+  return TRUE;\r
+}\r

diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c
index 69a04dfb2311b65699ff51efffc643bd1ba4767d..723fd5042ff47f6ae36ccda21721338852e7ddeb 100644 (file)
--- a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c
+++ b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c
@@ -1431,15 +1431,17 @@ PerformRemainingTasks (
     //\r
     SetMemMapAttributes ();\r
 \r
-    //\r
-    // For outside SMRAM, we only map SMM communication buffer or MMIO.\r
-    //\r
-    SetUefiMemMapAttributes ();\r
+    if (IsRestrictedMemoryAccess ()) {\r
+      //\r
+      // For outside SMRAM, we only map SMM communication buffer or MMIO.\r
+      //\r
+      SetUefiMemMapAttributes ();\r
 \r
-    //\r
-    // Set page table itself to be read-only\r
-    //\r
-    SetPageTableAttributes ();\r
+      //\r
+      // Set page table itself to be read-only\r
+      //\r
+      SetPageTableAttributes ();\r
+    }\r
 \r
     //\r
     // Configure SMM Code Access Check feature if available.\r

diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h
index 8c29f1a5585c9305c79eb50185e4e39d376141fb..daf977f654b40c84ba2c9342ddc80e3ee9176707 100644 (file)
--- a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h
+++ b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h
@@ -1450,4 +1450,15 @@ InitializeDataForMmMp (
   VOID\r
   );\r
 \r
+/**\r
+  Return whether access to non-SMRAM is restricted.\r
+\r
+  @retval TRUE  Access to non-SMRAM is restricted.\r
+  @retval FALSE Access to non-SMRAM is not restricted.\r
+*/\r
+BOOLEAN\r
+IsRestrictedMemoryAccess (\r
+  VOID\r
+  );\r
+\r
 #endif\r

diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c
index 7516f3505540ee09a8d909b5f85ee712bab27332..733d107efdbf3606d4411697cf1396aee3e19547 100644 (file)
--- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c
+++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c
@@ -1252,3 +1252,17 @@ RestoreCr2 (
     AsmWriteCr2 (Cr2);\r
   }\r
 }\r
+\r
+/**\r
+  Return whether access to non-SMRAM is restricted.\r
+\r
+  @retval TRUE  Access to non-SMRAM is restricted.\r
+  @retval FALSE Access to non-SMRAM is not restricted.\r
+*/\r
+BOOLEAN\r
+IsRestrictedMemoryAccess (\r
+  VOID\r
+  )\r
+{\r
+  return mCpuSmmRestrictedMemoryAccess;\r
+}\r