+/** @file\r
+ Instance of SMM memory check library.\r
+\r
+ SMM memory check library library implementation. This library consumes SMM_ACCESS2_PROTOCOL\r
+ to get SMRAM information. In order to use this library instance, the platform should produce\r
+ all SMRAM range via SMM_ACCESS2_PROTOCOL, including the range for firmware (like SMM Core\r
+ and SMM driver) and/or specific dedicated hardware.\r
+\r
+ Copyright (c) 2015, Intel Corporation. All rights reserved.<BR>\r
+ This program and the accompanying materials\r
+ are licensed and made available under the terms and conditions of the BSD License\r
+ which accompanies this distribution. The full text of the license may be found at\r
+ http://opensource.org/licenses/bsd-license.php\r
+\r
+ THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
+ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
+\r
+**/\r
+\r
+\r
+#include <PiSmm.h>\r
+\r
+#include <Library/BaseLib.h>\r
+#include <Library/BaseMemoryLib.h>\r
+#include <Library/DebugLib.h>\r
+#include <Library/MemoryAllocationLib.h>\r
+#include <Library/UefiBootServicesTableLib.h>\r
+#include <Library/SmmServicesTableLib.h>\r
+#include <Library/HobLib.h>\r
+#include <Protocol/SmmAccess2.h>\r
+\r
+EFI_SMRAM_DESCRIPTOR *mSmmMemLibInternalSmramRanges;\r
+UINTN mSmmMemLibInternalSmramCount;\r
+\r
+//\r
+// Maximum support address used to check input buffer\r
+//\r
+EFI_PHYSICAL_ADDRESS mSmmMemLibInternalMaximumSupportAddress = 0;\r
+\r
+/**\r
+ Caculate and save the maximum support address.\r
+\r
+**/\r
+VOID\r
+SmmMemLibInternalCaculateMaximumSupportAddress (\r
+ VOID\r
+ )\r
+{\r
+ VOID *Hob;\r
+ UINT32 RegEax;\r
+ UINT8 PhysicalAddressBits;\r
+\r
+ //\r
+ // Get physical address bits supported.\r
+ //\r
+ Hob = GetFirstHob (EFI_HOB_TYPE_CPU);\r
+ if (Hob != NULL) {\r
+ PhysicalAddressBits = ((EFI_HOB_CPU *) Hob)->SizeOfMemorySpace;\r
+ } else {\r
+ AsmCpuid (0x80000000, &RegEax, NULL, NULL, NULL);\r
+ if (RegEax >= 0x80000008) {\r
+ AsmCpuid (0x80000008, &RegEax, NULL, NULL, NULL);\r
+ PhysicalAddressBits = (UINT8) RegEax;\r
+ } else {\r
+ PhysicalAddressBits = 36;\r
+ }\r
+ }\r
+ //\r
+ // IA-32e paging translates 48-bit linear addresses to 52-bit physical addresses.\r
+ //\r
+ ASSERT (PhysicalAddressBits <= 52);\r
+ if (PhysicalAddressBits > 48) {\r
+ PhysicalAddressBits = 48;\r
+ }\r
+ \r
+ //\r
+ // Save the maximum support address in one global variable \r
+ //\r
+ mSmmMemLibInternalMaximumSupportAddress = (EFI_PHYSICAL_ADDRESS)(UINTN)(LShiftU64 (1, PhysicalAddressBits) - 1);\r
+ DEBUG ((EFI_D_INFO, "mSmmMemLibInternalMaximumSupportAddress = 0x%lx\n", mSmmMemLibInternalMaximumSupportAddress));\r
+}\r
+\r
+/**\r
+ This function check if the buffer is valid per processor architecture and not overlap with SMRAM.\r
+\r
+ @param Buffer The buffer start address to be checked.\r
+ @param Length The buffer length to be checked.\r
+\r
+ @retval TRUE This buffer is valid per processor architecture and not overlap with SMRAM.\r
+ @retval FALSE This buffer is not valid per processor architecture or overlap with SMRAM.\r
+**/\r
+BOOLEAN\r
+EFIAPI\r
+SmmIsBufferOutsideSmmValid (\r
+ IN EFI_PHYSICAL_ADDRESS Buffer,\r
+ IN UINT64 Length\r
+ )\r
+{\r
+ UINTN Index;\r
+ \r
+ //\r
+ // Check override.\r
+ // NOTE: (B:0->L:4G) is invalid for IA32, but (B:1->L:4G-1)/(B:4G-1->L:1) is valid.\r
+ //\r
+ if ((Length > mSmmMemLibInternalMaximumSupportAddress) ||\r
+ (Buffer > mSmmMemLibInternalMaximumSupportAddress) ||\r
+ ((Length != 0) && (Buffer > (mSmmMemLibInternalMaximumSupportAddress - (Length - 1)))) ) {\r
+ //\r
+ // Overflow happen\r
+ //\r
+ DEBUG ((\r
+ EFI_D_ERROR,\r
+ "SmmIsBufferOutsideSmmValid: Overflow: Buffer (0x%lx) - Length (0x%lx), MaximumSupportAddress (0x%lx)\n",\r
+ Buffer,\r
+ Length,\r
+ mSmmMemLibInternalMaximumSupportAddress\r
+ ));\r
+ return FALSE;\r
+ }\r
+ \r
+ for (Index = 0; Index < mSmmMemLibInternalSmramCount; Index ++) {\r
+ if (((Buffer >= mSmmMemLibInternalSmramRanges[Index].CpuStart) && (Buffer < mSmmMemLibInternalSmramRanges[Index].CpuStart + mSmmMemLibInternalSmramRanges[Index].PhysicalSize)) ||\r
+ ((mSmmMemLibInternalSmramRanges[Index].CpuStart >= Buffer) && (mSmmMemLibInternalSmramRanges[Index].CpuStart < Buffer + Length))) {\r
+ DEBUG ((\r
+ EFI_D_ERROR,\r
+ "SmmIsBufferOutsideSmmValid: Overlap: Buffer (0x%lx) - Length (0x%lx), ",\r
+ Buffer,\r
+ Length\r
+ ));\r
+ DEBUG ((\r
+ EFI_D_ERROR,\r
+ "CpuStart (0x%lx) - PhysicalSize (0x%lx)\n",\r
+ mSmmMemLibInternalSmramRanges[Index].CpuStart,\r
+ mSmmMemLibInternalSmramRanges[Index].PhysicalSize\r
+ ));\r
+ return FALSE;\r
+ }\r
+ }\r
+\r
+ return TRUE;\r
+}\r
+\r
+/**\r
+ Copies a source buffer (non-SMRAM) to a destination buffer (SMRAM).\r
+\r
+ This function copies a source buffer (non-SMRAM) to a destination buffer (SMRAM).\r
+ It checks if source buffer is valid per processor architecture and not overlap with SMRAM.\r
+ If the check passes, it copies memory and returns EFI_SUCCESS.\r
+ If the check fails, it return EFI_SECURITY_VIOLATION.\r
+ The implementation must be reentrant.\r
+\r
+ @param DestinationBuffer The pointer to the destination buffer of the memory copy.\r
+ @param SourceBuffer The pointer to the source buffer of the memory copy.\r
+ @param Length The number of bytes to copy from SourceBuffer to DestinationBuffer.\r
+\r
+ @retval EFI_SECURITY_VIOLATION The SourceBuffer is invalid per processor architecture or overlap with SMRAM.\r
+ @retval EFI_SUCCESS Memory is copied.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+SmmCopyMemToSmram (\r
+ OUT VOID *DestinationBuffer,\r
+ IN CONST VOID *SourceBuffer,\r
+ IN UINTN Length\r
+ )\r
+{\r
+ if (!SmmIsBufferOutsideSmmValid ((EFI_PHYSICAL_ADDRESS)(UINTN)SourceBuffer, Length)) {\r
+ DEBUG ((EFI_D_ERROR, "SmmCopyMemToSmram: Security Violation: Source (0x%x), Length (0x%x)\n", SourceBuffer, Length));\r
+ return EFI_SECURITY_VIOLATION;\r
+ }\r
+ CopyMem (DestinationBuffer, SourceBuffer, Length);\r
+ return EFI_SUCCESS;\r
+}\r
+\r
+/**\r
+ Copies a source buffer (SMRAM) to a destination buffer (NON-SMRAM).\r
+\r
+ This function copies a source buffer (non-SMRAM) to a destination buffer (SMRAM).\r
+ It checks if destination buffer is valid per processor architecture and not overlap with SMRAM.\r
+ If the check passes, it copies memory and returns EFI_SUCCESS.\r
+ If the check fails, it returns EFI_SECURITY_VIOLATION.\r
+ The implementation must be reentrant.\r
+ \r
+ @param DestinationBuffer The pointer to the destination buffer of the memory copy.\r
+ @param SourceBuffer The pointer to the source buffer of the memory copy.\r
+ @param Length The number of bytes to copy from SourceBuffer to DestinationBuffer.\r
+\r
+ @retval EFI_SECURITY_VIOLATION The DesinationBuffer is invalid per processor architecture or overlap with SMRAM.\r
+ @retval EFI_SUCCESS Memory is copied.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+SmmCopyMemFromSmram (\r
+ OUT VOID *DestinationBuffer,\r
+ IN CONST VOID *SourceBuffer,\r
+ IN UINTN Length\r
+ )\r
+{\r
+ if (!SmmIsBufferOutsideSmmValid ((EFI_PHYSICAL_ADDRESS)(UINTN)DestinationBuffer, Length)) {\r
+ DEBUG ((EFI_D_ERROR, "SmmCopyMemFromSmram: Security Violation: Destination (0x%x), Length (0x%x)\n", DestinationBuffer, Length));\r
+ return EFI_SECURITY_VIOLATION;\r
+ }\r
+ CopyMem (DestinationBuffer, SourceBuffer, Length);\r
+ return EFI_SUCCESS;\r
+}\r
+\r
+/**\r
+ Copies a source buffer (NON-SMRAM) to a destination buffer (NON-SMRAM).\r
+\r
+ This function copies a source buffer (non-SMRAM) to a destination buffer (SMRAM).\r
+ It checks if source buffer and destination buffer are valid per processor architecture and not overlap with SMRAM.\r
+ If the check passes, it copies memory and returns EFI_SUCCESS.\r
+ If the check fails, it returns EFI_SECURITY_VIOLATION.\r
+ The implementation must be reentrant, and it must handle the case where source buffer overlaps destination buffer.\r
+ \r
+ @param DestinationBuffer The pointer to the destination buffer of the memory copy.\r
+ @param SourceBuffer The pointer to the source buffer of the memory copy.\r
+ @param Length The number of bytes to copy from SourceBuffer to DestinationBuffer.\r
+\r
+ @retval EFI_SECURITY_VIOLATION The DesinationBuffer is invalid per processor architecture or overlap with SMRAM.\r
+ @retval EFI_SECURITY_VIOLATION The SourceBuffer is invalid per processor architecture or overlap with SMRAM.\r
+ @retval EFI_SUCCESS Memory is copied.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+SmmCopyMem (\r
+ OUT VOID *DestinationBuffer,\r
+ IN CONST VOID *SourceBuffer,\r
+ IN UINTN Length\r
+ )\r
+{\r
+ if (!SmmIsBufferOutsideSmmValid ((EFI_PHYSICAL_ADDRESS)(UINTN)DestinationBuffer, Length)) {\r
+ DEBUG ((EFI_D_ERROR, "SmmCopyMem: Security Violation: Destination (0x%x), Length (0x%x)\n", DestinationBuffer, Length));\r
+ return EFI_SECURITY_VIOLATION;\r
+ }\r
+ if (!SmmIsBufferOutsideSmmValid ((EFI_PHYSICAL_ADDRESS)(UINTN)SourceBuffer, Length)) {\r
+ DEBUG ((EFI_D_ERROR, "SmmCopyMem: Security Violation: Source (0x%x), Length (0x%x)\n", SourceBuffer, Length));\r
+ return EFI_SECURITY_VIOLATION;\r
+ }\r
+ CopyMem (DestinationBuffer, SourceBuffer, Length);\r
+ return EFI_SUCCESS;\r
+}\r
+\r
+/**\r
+ Fills a target buffer (NON-SMRAM) with a byte value.\r
+\r
+ This function fills a target buffer (non-SMRAM) with a byte value.\r
+ It checks if target buffer is valid per processor architecture and not overlap with SMRAM.\r
+ If the check passes, it fills memory and returns EFI_SUCCESS.\r
+ If the check fails, it returns EFI_SECURITY_VIOLATION.\r
+ \r
+ @param Buffer The memory to set.\r
+ @param Length The number of bytes to set.\r
+ @param Value The value with which to fill Length bytes of Buffer.\r
+ \r
+ @retval EFI_SECURITY_VIOLATION The Buffer is invalid per processor architecture or overlap with SMRAM.\r
+ @retval EFI_SUCCESS Memory is set.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+SmmSetMem (\r
+ OUT VOID *Buffer,\r
+ IN UINTN Length,\r
+ IN UINT8 Value\r
+ )\r
+{\r
+ if (!SmmIsBufferOutsideSmmValid ((EFI_PHYSICAL_ADDRESS)(UINTN)Buffer, Length)) {\r
+ DEBUG ((EFI_D_ERROR, "SmmSetMem: Security Violation: Source (0x%x), Length (0x%x)\n", Buffer, Length));\r
+ return EFI_SECURITY_VIOLATION;\r
+ }\r
+ SetMem (Buffer, Length, Value);\r
+ return EFI_SUCCESS;\r
+}\r
+\r
+/**\r
+ The constructor function initializes the Smm Mem library\r
+\r
+ @param ImageHandle The firmware allocated handle for the EFI image.\r
+ @param SystemTable A pointer to the EFI System Table.\r
+\r
+ @retval EFI_SUCCESS The constructor always returns EFI_SUCCESS.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+SmmMemLibConstructor (\r
+ IN EFI_HANDLE ImageHandle,\r
+ IN EFI_SYSTEM_TABLE *SystemTable\r
+ )\r
+{\r
+ EFI_STATUS Status;\r
+ EFI_SMM_ACCESS2_PROTOCOL *SmmAccess;\r
+ UINTN Size;\r
+ \r
+ //\r
+ // Get SMRAM information\r
+ //\r
+ Status = gBS->LocateProtocol (&gEfiSmmAccess2ProtocolGuid, NULL, (VOID **)&SmmAccess);\r
+ ASSERT_EFI_ERROR (Status);\r
+\r
+ Size = 0;\r
+ Status = SmmAccess->GetCapabilities (SmmAccess, &Size, NULL);\r
+ ASSERT (Status == EFI_BUFFER_TOO_SMALL);\r
+\r
+ mSmmMemLibInternalSmramRanges = AllocatePool (Size);\r
+ ASSERT (mSmmMemLibInternalSmramRanges != NULL);\r
+\r
+ Status = SmmAccess->GetCapabilities (SmmAccess, &Size, mSmmMemLibInternalSmramRanges);\r
+ ASSERT_EFI_ERROR (Status);\r
+\r
+ mSmmMemLibInternalSmramCount = Size / sizeof (EFI_SMRAM_DESCRIPTOR);\r
+\r
+ //\r
+ // Caculate and save maximum support address\r
+ //\r
+ SmmMemLibInternalCaculateMaximumSupportAddress ();\r
+\r
+ return EFI_SUCCESS;\r
+}\r
+\r
+/**\r
+ The destructor function frees resource used in the Smm Mem library\r
+\r
+ @param[in] ImageHandle The firmware allocated handle for the EFI image.\r
+ @param[in] SystemTable A pointer to the EFI System Table.\r
+\r
+ @retval EFI_SUCCESS The deconstructor always returns EFI_SUCCESS.\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+SmmMemLibDestructor (\r
+ IN EFI_HANDLE ImageHandle,\r
+ IN EFI_SYSTEM_TABLE *SystemTable\r
+ )\r
+{\r
+ FreePool (mSmmMemLibInternalSmramRanges);\r
+\r
+ return EFI_SUCCESS;\r
+}\r