Use SetMemoryProtectionsLib to set the memory protections for
the platform in both normal and PEI-less boot. The protections
set are equivalent to the PCD settings and the ability to set
NxForStack via QemuCfg is preserved. Once the transition to use
SetMemoryProtectionsLib and GetMemoryProtectionsLib is complete
in the rest of EDK2, the mechanics of setting protections in
OvmfPkg will be updated and the memory protection PCDs will
be deleted.
Signed-off-by: Taylor Beebe <taylor.d.be...@gmail.com>
Cc: Ard Biesheuvel <ardb+tianoc...@kernel.org>
Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Jordan Justen <jordan.l.jus...@intel.com>
Cc: Gerd Hoffmann <kra...@redhat.com>
---
OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c | 15 +++++++++++++--
OvmfPkg/PlatformPei/Platform.c | 15 +++++++++++++--
OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf | 3 +++
OvmfPkg/PlatformPei/PlatformPei.inf | 1 +
4 files changed, 30 insertions(+), 4 deletions(-)
diff --git a/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c
b/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c
index 1632a2317718..cf645aad3246 100644
--- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c
+++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c
@@ -14,10 +14,13 @@
#include <Protocol/DebugSupport.h>
#include <Library/TdxLib.h>
#include <IndustryStandard/Tdx.h>
+#include <Library/PcdLib.h>
#include <Library/PrePiLib.h>
#include <Library/PeilessStartupLib.h>
#include <Library/PlatformInitLib.h>
#include <Library/TdxHelperLib.h>
+#include <Library/SetMemoryProtectionsLib.h>
+#include <Library/QemuFwCfgSimpleParserLib.h>
#include <ConfidentialComputingGuestAttr.h>
#include <Guid/MemoryTypeInformation.h>
#include <OvmfPlatforms.h>
@@ -42,7 +45,9 @@ InitializePlatform (
EFI_HOB_PLATFORM_INFO *PlatformInfoHob
)
{
- VOID *VariableStore;
+ VOID *VariableStore;
+ DXE_MEMORY_PROTECTION_SETTINGS DxeSettings;
+ MM_MEMORY_PROTECTION_SETTINGS MmSettings;
DEBUG ((DEBUG_INFO, "InitializePlatform in Pei-less boot\n"));
PlatformDebugDumpCmos ();
@@ -104,7 +109,13 @@ InitializePlatform (
PlatformMemMapInitialization (PlatformInfoHob);
- PlatformNoexecDxeInitialization (PlatformInfoHob);
+ DxeSettings =
DxeMemoryProtectionProfiles[DxeMemoryProtectionSettingsPcd].Settings;
+ MmSettings =
MmMemoryProtectionProfiles[MmMemoryProtectionSettingsPcd].Settings;
+ DxeSettings.StackExecutionProtectionEnabled = PcdGetBool (PcdSetNxForStack);
+ QemuFwCfgParseBool ("opt/ovmf/PcdSetNxForStack",
&DxeSettings.StackExecutionProtectionEnabled);
+
+ SetDxeMemoryProtectionSettings (&DxeSettings,
DxeMemoryProtectionSettingsPcd);
+ SetMmMemoryProtectionSettings (&MmSettings, MmMemoryProtectionSettingsPcd);
if (TdIsEnabled ()) {
PlatformInfoHob->PcdConfidentialComputingGuestAttr = CCAttrIntelTdx;
diff --git a/OvmfPkg/PlatformPei/Platform.c b/OvmfPkg/PlatformPei/Platform.c
index f5dc41c3a8c4..bcd8d3a1be14 100644
--- a/OvmfPkg/PlatformPei/Platform.c
+++ b/OvmfPkg/PlatformPei/Platform.c
@@ -38,6 +38,7 @@
#include <IndustryStandard/QemuCpuHotplug.h>
#include <Library/MemEncryptSevLib.h>
#include <OvmfPlatforms.h>
+#include <Library/SetMemoryProtectionsLib.h>
#include "Platform.h"
@@ -304,8 +305,10 @@ InitializePlatform (
IN CONST EFI_PEI_SERVICES **PeiServices
)
{
- EFI_HOB_PLATFORM_INFO *PlatformInfoHob;
- EFI_STATUS Status;
+ EFI_HOB_PLATFORM_INFO *PlatformInfoHob;
+ EFI_STATUS Status;
+ DXE_MEMORY_PROTECTION_SETTINGS DxeSettings;
+ MM_MEMORY_PROTECTION_SETTINGS MmSettings;
DEBUG ((DEBUG_INFO, "Platform PEIM Loaded\n"));
PlatformInfoHob = BuildPlatformInfoHob ();
@@ -342,6 +345,14 @@ InitializePlatform (
PublishPeiMemory (PlatformInfoHob);
+ DxeSettings =
DxeMemoryProtectionProfiles[DxeMemoryProtectionSettingsPcd].Settings;
+ MmSettings =
MmMemoryProtectionProfiles[MmMemoryProtectionSettingsPcd].Settings;
+ DxeSettings.StackExecutionProtectionEnabled = PcdGetBool (PcdSetNxForStack);
+ QemuFwCfgParseBool ("opt/ovmf/PcdSetNxForStack",
&DxeSettings.StackExecutionProtectionEnabled);
+
+ SetDxeMemoryProtectionSettings (&DxeSettings,
DxeMemoryProtectionSettingsPcd);
+ SetMmMemoryProtectionSettings (&MmSettings, MmMemoryProtectionSettingsPcd);
+
PlatformQemuUc32BaseInitialization (PlatformInfoHob);
InitializeRamRegions (PlatformInfoHob);
diff --git a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf
b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf
index 585d50463748..f0a8a5a56df4 100644
--- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf
+++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf
@@ -56,6 +56,8 @@ [LibraryClasses]
PrePiLib
QemuFwCfgLib
PlatformInitLib
+ SetMemoryProtectionsLib
+ QemuFwCfgSimpleParserLib
[Guids]
gEfiHobMemoryAllocModuleGuid
@@ -81,6 +83,7 @@ [Pcd]
gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy ##
SOMETIMES_CONSUMES
gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask ##
CONSUMES
gEfiMdeModulePkgTokenSpaceGuid.PcdNullPointerDetectionPropertyMask ##
CONSUMES
+ gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack ##
CONSUMES
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvSize
gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootSupported
diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf
b/OvmfPkg/PlatformPei/PlatformPei.inf
index 3934aeed9514..6b8442d12b2c 100644
--- a/OvmfPkg/PlatformPei/PlatformPei.inf
+++ b/OvmfPkg/PlatformPei/PlatformPei.inf
@@ -65,6 +65,7 @@ [LibraryClasses]
PcdLib
CcExitLib
PlatformInitLib
+ SetMemoryProtectionsLib
[Pcd]
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase
--
2.41.0.windows.3
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107865): https://edk2.groups.io/g/devel/message/107865
Mute This Topic: https://groups.io/mt/100830908/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
