Re: [edk2-devel] [Patch V2 1/5] MdeModulePkg: add MpService2Ppi field in SMM_S3_RESUME_STATE
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Tan, Dun
> Sent: Wednesday, September 06, 2023 11:22 AM
> To: devel@edk2.groups.io; Tan, Dun
> Cc: Ni, Ray ; Wang, Jian J ; Gao,
> Liming
> Subject: RE: [edk2-devel] [Patch V2 1/5] MdeModulePkg: add MpService2Ppi
> field in SMM_S3_RESUME_STATE
>
> Hi Jian and Liming,
>
> Could you please help to review this patch?
>
> Thanks,
> Dun
> -Original Message-
> From: devel@edk2.groups.io On Behalf Of duntan
> Sent: Monday, August 21, 2023 10:10 AM
> To: devel@edk2.groups.io
> Cc: Ni, Ray ; Wang, Jian J ; Gao,
> Liming
> Subject: [edk2-devel] [Patch V2 1/5] MdeModulePkg: add MpService2Ppi field in
> SMM_S3_RESUME_STATE
>
> Add MpService2Ppi field in SMM_S3_RESUME_STATE of AcpiS3Context.h. It will
> be used to wakeup AP to do the CPU initialization during smm s3 boot flow in
> following patches.
> With this field, we can avoid sending InitSipiSipi to wakeup AP.
>
> Signed-off-by: Dun Tan
> Cc: Ray Ni
> Cc: Jian J Wang
> Cc: Liming Gao
> ---
> MdeModulePkg/Include/Guid/AcpiS3Context.h | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/MdeModulePkg/Include/Guid/AcpiS3Context.h
> b/MdeModulePkg/Include/Guid/AcpiS3Context.h
> index 645496d191..72d173c4fd 100644
> --- a/MdeModulePkg/Include/Guid/AcpiS3Context.h
> +++ b/MdeModulePkg/Include/Guid/AcpiS3Context.h
> @@ -1,7 +1,7 @@
> /** @file
>Definitions for data structures used in S3 resume.
>
> -Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
> +Copyright (c) 2011 - 2023, Intel Corporation. All rights reserved.
>
> SPDX-License-Identifier: BSD-2-Clause-Patent
>
> @@ -30,6 +30,7 @@ typedef struct {
>EFI_PHYSICAL_ADDRESSReturnContext1;
>EFI_PHYSICAL_ADDRESSReturnContext2;
>EFI_PHYSICAL_ADDRESSReturnStackPointer;
> + EFI_PHYSICAL_ADDRESSMpService2Ppi;
>EFI_PHYSICAL_ADDRESSSmst;
> } SMM_S3_RESUME_STATE;
>
> --
> 2.31.1.windows.1
>
>
>
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#108399): https://edk2.groups.io/g/devel/message/108399
Mute This Topic: https://groups.io/mt/101186185/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [Patch V6 02/14] MdeModulePkg: Remove other attribute protection in UnsetGuardPage
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: devel@edk2.groups.io On Behalf Of duntan
> Sent: Friday, June 09, 2023 5:16 PM
> To: devel@edk2.groups.io
> Cc: Gao, Liming ; Ni, Ray ;
> Wang, Jian J ; Ard Biesheuvel
>
> Subject: [edk2-devel] [Patch V6 02/14] MdeModulePkg: Remove other attribute
> protection in UnsetGuardPage
>
> In UnsetGuardPage(), before SmmReadyToLock, remove NX and RO
> memory attribute protection for guarded page since
> EfiConventionalMemory in SMRAM is RW and executable before
> SmmReadyToLock. If UnsetGuardPage() happens after SmmReadyToLock,
> then apply EFI_MEMORY_XP to the guarded page to make sure
> EfiConventionalMemory in SMRAM is NX since EfiConventionalMemory
> in SMRAM is marked as NX in PiSmmCpuDxe driver when SmmReadyToLock.
>
> Signed-off-by: Dun Tan
> Cc: Liming Gao
> Cc: Ray Ni
> Cc: Jian J Wang
> Cc: Ard Biesheuvel
> ---
> MdeModulePkg/Core/PiSmmCore/HeapGuard.c | 16 +++-
> 1 file changed, 15 insertions(+), 1 deletion(-)
>
> diff --git a/MdeModulePkg/Core/PiSmmCore/HeapGuard.c
> b/MdeModulePkg/Core/PiSmmCore/HeapGuard.c
> index 8f3bab6fee..25310122ca 100644
> --- a/MdeModulePkg/Core/PiSmmCore/HeapGuard.c
> +++ b/MdeModulePkg/Core/PiSmmCore/HeapGuard.c
> @@ -553,9 +553,23 @@ UnsetGuardPage (
> mSmmMemoryAttribute,
> BaseAddress,
> EFI_PAGE_SIZE,
> - EFI_MEMORY_RP
> +
> EFI_MEMORY_RP|EFI_MEMORY_RO|EFI_MEMORY_XP
> );
> ASSERT_EFI_ERROR (Status);
> +
> +if (gST == NULL) {
> + //
> + // Make sure EfiConventionalMemory is NX after SmmReadyToLock
> + //
> + Status = mSmmMemoryAttribute->SetMemoryAttributes (
> + mSmmMemoryAttribute,
> + BaseAddress,
> + EFI_PAGE_SIZE,
> + EFI_MEMORY_XP
> + );
> + ASSERT_EFI_ERROR (Status);
> +}
> +
> mOnGuarding = FALSE;
>}
> }
> --
> 2.31.1.windows.1
>
>
>
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#106142): https://edk2.groups.io/g/devel/message/106142
Mute This Topic: https://groups.io/mt/99424820/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH] Maintainers.txt: update maintainer for CryptoPkg
Cc: Jiewen Yao [jyao1] Cc: Yi Li [liyi77] Cc: Xiaoyu Lu [xiaoyuxlu] Cc: Guomin Jiang [guominjia] Signed-off-by: Jian J Wang --- Maintainers.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Maintainers.txt b/Maintainers.txt index 42e40dced3..c645df397c 100644 --- a/Maintainers.txt +++ b/Maintainers.txt @@ -178,7 +178,7 @@ CryptoPkg F: CryptoPkg/ W: https://github.com/tianocore/tianocore.github.io/wiki/CryptoPkg M: Jiewen Yao [jyao1] -M: Jian J Wang [jwang36] +M: Yi Li [liyi77] R: Xiaoyu Lu [xiaoyuxlu] R: Guomin Jiang [guominjia] -- 2.39.1.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#106139): https://edk2.groups.io/g/devel/message/106139 Mute This Topic: https://groups.io/mt/99564153/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH V3 8/8] MdeModulePkg/SmmCore: Perf-log PlatformHookBefore/AfterSmmDispatch
Reviewed-by: Jian J Wang Regards, Jian > -Original Message- > From: Ni, Ray > Sent: Tuesday, June 13, 2023 2:13 PM > To: devel@edk2.groups.io > Cc: Wang, Jian J ; Gao, Liming > ; Wu, Jiaxin > Subject: [PATCH V3 8/8] MdeModulePkg/SmmCore: Perf-log > PlatformHookBefore/AfterSmmDispatch > > Signed-off-by: Ray Ni > Cc: Jian J Wang > Cc: Liming Gao > Cc: Jiaxin Wu > --- > MdeModulePkg/Core/PiSmmCore/PiSmmCore.c | 4 > 1 file changed, 4 insertions(+) > > diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c > b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c > index 68af9ab81b..a8537829e3 100644 > --- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c > +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c > @@ -692,7 +692,9 @@ SmmEntryPoint ( >// > >// Call platform hook before Smm Dispatch > >// > > + PERF_START (NULL, "PlatformHookBeforeSmmDispatch", NULL, 0, 0); > >PlatformHookBeforeSmmDispatch (); > > + PERF_END (NULL, "PlatformHookBeforeSmmDispatch", NULL, 0); > > > >// > >// Call memory management hook function > > @@ -769,7 +771,9 @@ SmmEntryPoint ( >// > >// Call platform hook after Smm Dispatch > >// > > + PERF_START (NULL, "PlatformHookAfterSmmDispatch", NULL, 0, 0); > >PlatformHookAfterSmmDispatch (); > > + PERF_END (NULL, "PlatformHookAfterSmmDispatch", NULL, 0) > > > >// > >// If a legacy boot has occurred, then make sure gSmmCorePrivate is not > accessed > > -- > 2.39.1.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#106138): https://edk2.groups.io/g/devel/message/106138 Mute This Topic: https://groups.io/mt/99500191/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH V3 6/8] MdeModulePkg/SmmCorePerformanceLib: Disable perf-logging at runtime
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Ni, Ray
> Sent: Tuesday, June 13, 2023 2:13 PM
> To: devel@edk2.groups.io
> Cc: Wu, Jiaxin ; Bi, Dandan ; Gao,
> Liming ; Wang, Jian J ;
> Dong, Eric
> Subject: [PATCH V3 6/8] MdeModulePkg/SmmCorePerformanceLib: Disable
> perf-logging at runtime
>
> Because SMM perf-logging is migrated to non-SMRAM at ReadyToBoot
> by DxeCorePerformanceLib, the perf-logging after ExitBS is useless and
> impact the SMI latency at runtime.
> Hence the SmmCorePerformanceLib is updated to disable perf-logging
> after ExitBS.
>
> Cc: Jiaxin Wu
> Cc: Dandan Bi
> Cc: Liming Gao
> Cc: Jian J Wang
> Reviewed-by: Jiaxin Wu
> Reviewed-by: Eric Dong
> ---
> .../SmmCorePerformanceLib.c | 48 ++-
> .../SmmCorePerformanceLib.inf | 3 +-
> 2 files changed, 48 insertions(+), 3 deletions(-)
>
> diff --git
> a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.
> c
> b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.
> c
> index 3efe56e056..c566a298dd 100644
> ---
> a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.
> c
> +++
> b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.
> c
> @@ -16,7 +16,7 @@
>
>
> SmmPerformanceHandlerEx(), SmmPerformanceHandler() will receive
> untrusted input and do basic validation.
>
>
>
> -Copyright (c) 2011 - 2021, Intel Corporation. All rights reserved.
>
> +Copyright (c) 2011 - 2023, Intel Corporation. All rights reserved.
>
> SPDX-License-Identifier: BSD-2-Clause-Patent
>
>
>
> **/
>
> @@ -48,6 +48,7 @@ SPIN_LOCK mSmmFpdtLock;
> PERFORMANCE_PROPERTY mPerformanceProperty;
>
> UINT32mCachedLength = 0;
>
> UINT32mBootRecordSize = 0;
>
> +BOOLEAN mPerformanceMeasurementEnabled;
>
>
>
> //
>
> // Interfaces for SMM PerformanceMeasurement Protocol.
>
> @@ -929,6 +930,36 @@ FpdtSmiHandler (
>return EFI_SUCCESS;
>
> }
>
>
>
> +/**
>
> + This is the Event call back function is triggered in SMM to notify the
> Library
>
> + the system is entering runtime phase.
>
> +
>
> + @param[in] Protocol Points to the protocol's unique identifier
>
> + @param[in] Interface Points to the interface instance
>
> + @param[in] Handle The handle on which the interface was installed
>
> +
>
> + @retval EFI_SUCCESS SmmAtRuntimeCallBack runs successfully
>
> + **/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +SmmCorePerformanceLibExitBootServicesCallback (
>
> + IN CONST EFI_GUID *Protocol,
>
> + IN VOID*Interface,
>
> + IN EFI_HANDLE Handle
>
> + )
>
> +{
>
> + //
>
> + // Disable performance measurement after ExitBootServices because
>
> + // 1. Performance measurement might impact SMI latency at runtime;
>
> + // 2. Performance log is copied to non SMRAM at ReadyToBoot so runtime
> performance
>
> + //log is not useful.
>
> + //
>
> + mPerformanceMeasurementEnabled = FALSE;
>
> +
>
> + return EFI_SUCCESS;
>
> +}
>
> +
>
> +
>
> /**
>
>SmmBase2 protocol notify callback function, when SMST and SMM memory
> service get initialized
>
>this function is callbacked to initialize the Smm Performance Lib
>
> @@ -948,6 +979,7 @@ InitializeSmmCorePerformanceLib (
>EFI_HANDLESmiHandle;
>
>EFI_STATUSStatus;
>
>PERFORMANCE_PROPERTY *PerformanceProperty;
>
> + VOID *Registration;
>
>
>
>//
>
>// Initialize spin lock
>
> @@ -987,6 +1019,16 @@ InitializeSmmCorePerformanceLib (
> Status = gBS->InstallConfigurationTable (,
> );
>
> ASSERT_EFI_ERROR (Status);
>
>}
>
> +
>
> + //
>
> + // Register callback function for ExitBootServices event.
>
> + //
>
> + Status = gSmst->SmmRegisterProtocolNotify (
>
> +,
>
> +SmmCorePerformanceLibExitBootServicesCallback,
>
> +
>
> +);
>
> + ASSERT_EFI_ERROR (Status);
>
> }
>
>
>
> /**
>
> @@ -1011,6 +1053,8 @@ SmmCorePerformanceLibConstructor (
>EFI_EVENT Event;
>
>VOID*Registration;
>
>
>
> + mPerformanceMeasurementEnabled = (BOOLEAN)((PcdGet8
> (PcdPerformanceLibraryPropertyMask) &
> PERFORMANCE_LIBRARY_P
Re: [edk2-devel] [PATCH V3 5/8] MdeModulePkg/SmmPerformanceLib: Disable perf-logging after ExitBS
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Ni, Ray
> Sent: Tuesday, June 13, 2023 2:13 PM
> To: devel@edk2.groups.io
> Cc: Wu, Jiaxin ; Bi, Dandan ; Gao,
> Liming ; Wang, Jian J ;
> Dong, Eric
> Subject: [PATCH V3 5/8] MdeModulePkg/SmmPerformanceLib: Disable perf-
> logging after ExitBS
>
> Because SMM perf-logging is migrated to non-SMRAM at ReadyToBoot
> by DxeCorePerformanceLib, the perf-logging after ExitBS is useless and
> impact the SMI latency at runtime.
> Hence the SmmPerformanceLib is updated to disable perf-logging
> after ExitBS.
>
> Cc: Jiaxin Wu
> Cc: Dandan Bi
> Cc: Liming Gao
> Cc: Jian J Wang
> Reviewed-by: Jiaxin Wu
> Reviewed-by: Eric Dong
> ---
> .../SmmPerformanceLib/SmmPerformanceLib.c | 63 ++-
> .../SmmPerformanceLib/SmmPerformanceLib.inf | 4 ++
> 2 files changed, 66 insertions(+), 1 deletion(-)
>
> diff --git a/MdeModulePkg/Library/SmmPerformanceLib/SmmPerformanceLib.c
> b/MdeModulePkg/Library/SmmPerformanceLib/SmmPerformanceLib.c
> index 623f8a978c..b9c33c0f64 100644
> --- a/MdeModulePkg/Library/SmmPerformanceLib/SmmPerformanceLib.c
> +++ b/MdeModulePkg/Library/SmmPerformanceLib/SmmPerformanceLib.c
> @@ -23,6 +23,36 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> // The cached SMM Performance Protocol and SMM PerformanceEx Protocol
> interface.
>
> EDKII_PERFORMANCE_MEASUREMENT_PROTOCOL
> *mPerformanceMeasurement = NULL;
>
> BOOLEAN mPerformanceMeasurementEnabled;
>
> +VOID
> *mPerformanceLibExitBootServicesRegistration;
>
> +
>
> +/**
>
> + This is the Event call back function is triggered in SMM to notify the
> Library
>
> + the system is entering runtime phase.
>
> +
>
> + @param[in] Protocol Points to the protocol's unique identifier
>
> + @param[in] Interface Points to the interface instance
>
> + @param[in] Handle The handle on which the interface was installed
>
> +
>
> + @retval EFI_SUCCESS SmmAtRuntimeCallBack runs successfully
>
> + **/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +SmmPerformanceLibExitBootServicesCallback (
>
> + IN CONST EFI_GUID *Protocol,
>
> + IN VOID*Interface,
>
> + IN EFI_HANDLE Handle
>
> + )
>
> +{
>
> + //
>
> + // Disable performance measurement after ExitBootServices because
>
> + // 1. Performance measurement might impact SMI latency at runtime;
>
> + // 2. Performance log is copied to non SMRAM at ReadyToBoot so runtime
> performance
>
> + //log is not useful.
>
> + //
>
> + mPerformanceMeasurementEnabled = FALSE;
>
> +
>
> + return EFI_SUCCESS;
>
> +}
>
>
>
> /**
>
>The constructor function initializes the Performance Measurement Enable
> flag
>
> @@ -40,9 +70,40 @@ SmmPerformanceLibConstructor (
>IN EFI_SYSTEM_TABLE *SystemTable
>
>)
>
> {
>
> + EFI_STATUS Status;
>
> +
>
>mPerformanceMeasurementEnabled = (BOOLEAN)((PcdGet8
> (PcdPerformanceLibraryPropertyMask) &
> PERFORMANCE_LIBRARY_PROPERTY_MEASUREMENT_ENABLED) != 0);
>
>
>
> - return EFI_SUCCESS;
>
> + Status = gSmst->SmmRegisterProtocolNotify (
>
> +,
>
> +SmmPerformanceLibExitBootServicesCallback,
>
> +
>
> +);
>
> + ASSERT_EFI_ERROR (Status);
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +EFI_STATUS
>
> +EFIAPI
>
> +SmmPerformanceLibDestructor (
>
> + IN EFI_HANDLEImageHandle,
>
> + IN EFI_SYSTEM_TABLE *SystemTable
>
> + )
>
> +{
>
> + EFI_STATUS Status;
>
> +
>
> + //
>
> + // Unregister SmmExitBootServices notification.
>
> + //
>
> + Status = gSmst->SmmRegisterProtocolNotify (
>
> +,
>
> +NULL,
>
> +
>
> +);
>
> + ASSERT_EFI_ERROR (Status);
>
> +
>
> + return Status;
>
> }
>
>
>
> /**
>
> diff --git
> a/MdeModulePkg/Library/SmmPerformanceLib/SmmPerformanceLib.inf
> b/MdeModulePkg/Library/SmmPerformanceLib/SmmPerformanceLib.inf
> index d79cd5c8da..002462f5ca 100644
> --- a/MdeModulePkg/Library/SmmPerformanceLib/SmmPerformanceLib.inf
> +++ b/MdeModulePkg/Library/SmmPerformanceLib/SmmPerformanceLib.inf
> @@ -21,6 +21,7 @@
>LIBRARY_CLASS = PerformanceLib|DXE_SMM_DRIVER
>
>
&
Re: [edk2-devel] [PATCH V3 4/8] MdeModulePkg/SmmCore: Add perf-logging for SmmDriverDispatchHandler
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Ni, Ray
> Sent: Tuesday, June 13, 2023 2:13 PM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Gao, Liming
> ; Wu, Jiaxin ; Dong, Eric
>
> Subject: [PATCH V3 4/8] MdeModulePkg/SmmCore: Add perf-logging for
> SmmDriverDispatchHandler
>
> SmmDriverDispatchHandler is the routine that dispatches SMM drivers
> from FV. It's a time-consuming routine.
> Add perf-logging for this routine.
>
> Signed-off-by: Ray Ni
> Cc: Jian J Wang
> Cc: Liming Gao
> Cc: Jiaxin Wu
> Reviewed-by: Jiaxin Wu
> Reviewed-by: Eric Dong
> ---
> MdeModulePkg/Core/PiSmmCore/Dispatcher.c | 5 -
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/MdeModulePkg/Core/PiSmmCore/Dispatcher.c
> b/MdeModulePkg/Core/PiSmmCore/Dispatcher.c
> index f635565dd1..bb789e5890 100644
> --- a/MdeModulePkg/Core/PiSmmCore/Dispatcher.c
> +++ b/MdeModulePkg/Core/PiSmmCore/Dispatcher.c
> @@ -28,7 +28,7 @@
>Depex - Dependency Expression.
>
>
>
>Copyright (c) 2014, Hewlett-Packard Development Company, L.P.
>
> - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
>
> + Copyright (c) 2009 - 2023, Intel Corporation. All rights reserved.
>
>SPDX-License-Identifier: BSD-2-Clause-Patent
>
>
>
> **/
>
> @@ -1322,6 +1322,8 @@ SmmDriverDispatchHandler (
> return EFI_NOT_FOUND;
>
>}
>
>
>
> + PERF_CALLBACK_BEGIN ();
>
> +
>
>for (HandleIndex = 0; HandleIndex < HandleCount; HandleIndex++) {
>
> FvHandle = HandleBuffer[HandleIndex];
>
>
>
> @@ -1511,6 +1513,7 @@ SmmDriverDispatchHandler (
> }
>
>}
>
>
>
> + PERF_CALLBACK_END ();
>
>return EFI_SUCCESS;
>
> }
>
>
>
> --
> 2.39.1.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#106135): https://edk2.groups.io/g/devel/message/106135
Mute This Topic: https://groups.io/mt/99500185/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH V3 3/8] MdeModulePkg/SmmCore: Add perf-logging for time-consuming procedures
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Ni, Ray
> Sent: Tuesday, June 13, 2023 2:13 PM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Gao, Liming
> ; Wu, Jiaxin ; Dong, Eric
>
> Subject: [PATCH V3 3/8] MdeModulePkg/SmmCore: Add perf-logging for time-
> consuming procedures
>
> Following procedures are perf-logged:
> * SmmReadyToBootHandler
> * SmmReadyToLockHandler
> * SmmEndOfDxeHandler
> * SmmEntryPoint
> (It's the main routine run in BSP when SMI happens.)
> * SmiManage
>
> Cc: Jian J Wang
> Cc: Liming Gao
> Cc: Jiaxin Wu
> Reviewed-by: Jiaxin Wu
> Reviewed-by: Eric Dong
> ---
> MdeModulePkg/Core/PiSmmCore/PiSmmCore.c | 15 ++-
> MdeModulePkg/Core/PiSmmCore/Smi.c | 6 ++
> 2 files changed, 20 insertions(+), 1 deletion(-)
>
> diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
> b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
> index 875c7c0258..68af9ab81b 100644
> --- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
> +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
> @@ -1,7 +1,7 @@
> /** @file
>
>SMM Core Main Entry Point
>
>
>
> - Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
>
> + Copyright (c) 2009 - 2023, Intel Corporation. All rights reserved.
>
>SPDX-License-Identifier: BSD-2-Clause-Patent
>
>
>
> **/
>
> @@ -305,6 +305,8 @@ SmmReadyToBootHandler (
>EFI_STATUS Status;
>
>EFI_HANDLE SmmHandle;
>
>
>
> + PERF_CALLBACK_BEGIN ();
>
> +
>
>//
>
>// Install SMM Ready To Boot protocol.
>
>//
>
> @@ -318,6 +320,7 @@ SmmReadyToBootHandler (
>
>
>SmiHandlerUnRegister (DispatchHandle);
>
>
>
> + PERF_CALLBACK_END ();
>
>return Status;
>
> }
>
>
>
> @@ -352,6 +355,8 @@ SmmReadyToLockHandler (
>EFI_HANDLE SmmHandle;
>
>VOID*Interface;
>
>
>
> + PERF_CALLBACK_BEGIN ();
>
> +
>
>//
>
>// Unregister SMI Handlers that are no required after the SMM driver
> dispatch
> is stopped
>
>//
>
> @@ -408,6 +413,7 @@ SmmReadyToLockHandler (
>
>
>SmramProfileReadyToLock ();
>
>
>
> + PERF_CALLBACK_END ();
>
>return Status;
>
> }
>
>
>
> @@ -442,6 +448,8 @@ SmmEndOfDxeHandler (
>
>
>DEBUG ((DEBUG_INFO, "SmmEndOfDxeHandler\n"));
>
>
>
> + PERF_CALLBACK_BEGIN ();
>
> +
>
>//
>
>// Install SMM EndOfDxe protocol
>
>//
>
> @@ -479,6 +487,7 @@ SmmEndOfDxeHandler (
> }
>
>}
>
>
>
> + PERF_CALLBACK_END ();
>
>return EFI_SUCCESS;
>
> }
>
>
>
> @@ -669,6 +678,8 @@ SmmEntryPoint (
>VOID*CommunicationBuffer;
>
>UINTN BufferSize;
>
>
>
> + PERF_FUNCTION_BEGIN ();
>
> +
>
>//
>
>// Update SMST with contents of the SmmEntryContext structure
>
>//
>
> @@ -769,6 +780,8 @@ SmmEntryPoint (
> //
>
> gSmmCorePrivate->InSmm = FALSE;
>
>}
>
> +
>
> + PERF_FUNCTION_END ();
>
> }
>
>
>
> /**
>
> diff --git a/MdeModulePkg/Core/PiSmmCore/Smi.c
> b/MdeModulePkg/Core/PiSmmCore/Smi.c
> index 6d13969979..2985f989c3 100644
> --- a/MdeModulePkg/Core/PiSmmCore/Smi.c
> +++ b/MdeModulePkg/Core/PiSmmCore/Smi.c
> @@ -109,6 +109,8 @@ SmiManage (
>BOOLEAN SuccessReturn;
>
>EFI_STATUS Status;
>
>
>
> + PERF_FUNCTION_BEGIN ();
>
> +
>
>Status= EFI_NOT_FOUND;
>
>SuccessReturn = FALSE;
>
>if (HandlerType == NULL) {
>
> @@ -125,6 +127,7 @@ SmiManage (
>//
>
>// There is no handler registered for this interrupt source
>
>//
>
> + PERF_FUNCTION_END ();
>
>return Status;
>
> }
>
>}
>
> @@ -148,6 +151,7 @@ SmiManage (
> // no additional handlers will be processed and EFI_INTERRUPT_PENDING
> will be returned.
>
> //
>
> if (HandlerType != NULL) {
>
> + PERF_FUNCTION_END ();
>
>return EFI_INTERRUPT_PENDING;
>
> }
>
>
>
> @@ -160,6 +164,7 @@ SmiManage (
> // additional handlers will be processed.
>
> //
>
> if (HandlerType != NULL) {
>
> + PERF_FUNCTION_END ();
>
>return EFI_SUCCESS;
>
> }
>
>
>
> @@ -194,6 +199,7 @@ SmiManage (
> Status = EFI_SUCCESS;
>
>}
>
>
>
> + PERF_FUNCTION_END ();
>
>return Status;
>
> }
>
>
>
> --
> 2.39.1.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#106134): https://edk2.groups.io/g/devel/message/106134
Mute This Topic: https://groups.io/mt/99500181/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [Patch V2 3/8] MdeModulePkg: Add CpuPageTableLib required by DxeIpl in DSC
This will cause that MdeModulePkg depends on UefiCpuPkg. Please double check if there's any side effect introduced by breaking unidirectional dependency. Acked-by: Jian J Wang > -Original Message- > From: Tan, Dun > Sent: Friday, March 31, 2023 5:34 PM > To: devel@edk2.groups.io > Cc: Wang, Jian J ; Gao, Liming > ; Ni, Ray > Subject: [Patch V2 3/8] MdeModulePkg: Add CpuPageTableLib required by DxeIpl > in DSC > > Add CpuPageTableLib instance required by DxeIpl in > MdeModulePkg.dsc. > > Signed-off-by: Dun Tan > Cc: Jian J Wang > Cc: Liming Gao > Cc: Ray Ni > --- > MdeModulePkg/MdeModulePkg.dsc | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/MdeModulePkg/MdeModulePkg.dsc > b/MdeModulePkg/MdeModulePkg.dsc > index 1014598f31..d95acabe83 100644 > --- a/MdeModulePkg/MdeModulePkg.dsc > +++ b/MdeModulePkg/MdeModulePkg.dsc > @@ -2,7 +2,7 @@ > # EFI/PI Reference Module Package for All Architectures > # > # (C) Copyright 2014 Hewlett-Packard Development Company, L.P. > -# Copyright (c) 2007 - 2021, Intel Corporation. All rights reserved. > +# Copyright (c) 2007 - 2023, Intel Corporation. All rights reserved. > # Copyright (c) Microsoft Corporation. > # Copyright (C) 2023 Advanced Micro Devices, Inc. All rights reserved. > # > @@ -106,6 +106,7 @@ > > MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockM > emoryLibNull.inf > > VariableFlashInfoLib|MdeModulePkg/Library/BaseVariableFlashInfoLib/BaseVar > iableFlashInfoLib.inf > > IpmiCommandLib|MdeModulePkg/Library/BaseIpmiCommandLibNull/BaseIpmi > CommandLibNull.inf > + CpuPageTableLib|UefiCpuPkg/Library/CpuPageTableLib/CpuPageTableLib.inf > > [LibraryClasses.EBC.PEIM] >IoLib|MdePkg/Library/PeiIoLibCpuIo/PeiIoLibCpuIo.inf > -- > 2.31.1.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#102991): https://edk2.groups.io/g/devel/message/102991 Mute This Topic: https://groups.io/mt/97969854/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [Patch V2 5/8] MdeModulePkg: Add UefiCpuPkg.dec to pass DependencyCheck
MdeModulePkg has never depended on UefiCpuPkg before. Please double check if there's any side effect introduced by this mutual dependency. Acked-by: Jian J Wang > -Original Message- > From: Tan, Dun > Sent: Friday, March 31, 2023 5:34 PM > To: devel@edk2.groups.io > Cc: Gao, Liming ; Ni, Ray ; > Wang, Jian J > Subject: [Patch V2 5/8] MdeModulePkg: Add UefiCpuPkg.dec to pass > DependencyCheck > > Add UefiCpuPkg/UefiCpuPkg.dec in MdeModulePkg.ci.yaml to pass > DependencyCheck since DxeIpl in MdeModulePkg needs to consume > CpuPageTableLib in UefiCpuPkg. > > Signed-off-by: Dun Tan > Cc: Liming Gao > Cc: Ray Ni > Cc: Jian J Wang > --- > MdeModulePkg/MdeModulePkg.ci.yaml | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/MdeModulePkg/MdeModulePkg.ci.yaml > b/MdeModulePkg/MdeModulePkg.ci.yaml > index f69989087b..d2616f4cdc 100644 > --- a/MdeModulePkg/MdeModulePkg.ci.yaml > +++ b/MdeModulePkg/MdeModulePkg.ci.yaml > @@ -2,7 +2,7 @@ > # CI configuration for MdeModulePkg > # > # Copyright (c) Microsoft Corporation > -# Copyright (c) 2020, Intel Corporation. All rights reserved. > +# Copyright (c) 2020 - 2023, Intel Corporation. All rights reserved. > # (C) Copyright 2021 Hewlett Packard Enterprise Development LP > # SPDX-License-Identifier: BSD-2-Clause-Patent > ## > @@ -51,7 +51,8 @@ > "MdePkg/MdePkg.dec", > "MdeModulePkg/MdeModulePkg.dec", > "StandaloneMmPkg/StandaloneMmPkg.dec", > -"ArmPkg/ArmPkg.dec" # this should be fixed by promoting an > abstraction > +"ArmPkg/ArmPkg.dec", # this should be fixed by promoting an > abstraction > +"UefiCpuPkg/UefiCpuPkg.dec" > ], > # For host based unit tests > "AcceptableDependencies-HOST_APPLICATION":[ > -- > 2.31.1.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#102988): https://edk2.groups.io/g/devel/message/102988 Mute This Topic: https://groups.io/mt/97969862/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [Patch 0/2] Add and use FirmwareVolumeShadowPpi
For the patch series, Reviewed-by: Jian J Wang Regards, Jian > -Original Message- > From: Kinney, Michael D > Sent: Wednesday, March 22, 2023 10:06 AM > To: devel@edk2.groups.io > Cc: Yao, Jiewen ; Wang, Jian J ; > Gao, Liming ; Patel, Umang > > Subject: [Patch 0/2] Add and use FirmwareVolumeShadowPpi > > Add FirmwareVolumeShadow PPI to shadow an FV to memory. > and use it to shadow FVs to memory. > > Cc: Jiewen Yao > Cc: Jian J Wang > Cc: Liming Gao > Signed-off-by: Patel Umang > > Umang Patel (2): > MdeModulePkg/Include/Ppi: Add FirmwareVolumeShadowPpi > SecurityPkg/FvReportPei: Use FirmwareVolumeShadowPpi > > .../Include/Ppi/FirmwareVolumeShadowPpi.h | 61 +++ > MdeModulePkg/MdeModulePkg.dec | 3 + > SecurityPkg/FvReportPei/FvReportPei.c | 37 --- > SecurityPkg/FvReportPei/FvReportPei.h | 1 + > SecurityPkg/FvReportPei/FvReportPei.inf | 1 + > 5 files changed, 96 insertions(+), 7 deletions(-) > create mode 100644 > MdeModulePkg/Include/Ppi/FirmwareVolumeShadowPpi.h > > -- > 2.39.1.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#101915): https://edk2.groups.io/g/devel/message/101915 Mute This Topic: https://groups.io/mt/97770066/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH] SecurityPkg: deprecate RpmcLib and VariableKeyLib
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 There's no real usage of these two libraries. They're deprecated. Cc: Jiewen Yao Cc: Michael D Kinney Cc: Nishant C Mistry Cc: Judah Vang Signed-off-by: Jian J Wang --- SecurityPkg/Include/Library/RpmcLib.h | 42 SecurityPkg/Include/Library/VariableKeyLib.h | 59 - SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c | 46 - .../Library/RpmcLibNull/RpmcLibNull.inf | 33 -- .../VariableKeyLibNull/VariableKeyLibNull.c | 66 --- .../VariableKeyLibNull/VariableKeyLibNull.inf | 33 -- SecurityPkg/SecurityPkg.dec | 8 --- SecurityPkg/SecurityPkg.dsc | 4 -- 8 files changed, 291 deletions(-) delete mode 100644 SecurityPkg/Include/Library/RpmcLib.h delete mode 100644 SecurityPkg/Include/Library/VariableKeyLib.h delete mode 100644 SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c delete mode 100644 SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf delete mode 100644 SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c delete mode 100644 SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf diff --git a/SecurityPkg/Include/Library/RpmcLib.h b/SecurityPkg/Include/Library/RpmcLib.h deleted file mode 100644 index df4ba34ba8..00 --- a/SecurityPkg/Include/Library/RpmcLib.h +++ /dev/null @@ -1,42 +0,0 @@ -/** @file - Public definitions for the Replay Protected Monotonic Counter (RPMC) Library. - -Copyright (c) 2020, Intel Corporation. All rights reserved. -SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#ifndef _RPMC_LIB_H_ -#define _RPMC_LIB_H_ - -#include - -/** - Requests the monotonic counter from the designated RPMC counter. - - @param[out] CounterValueA pointer to a buffer to store the RPMC value. - - @retval EFI_SUCCESS The operation completed successfully. - @retval EFI_DEVICE_ERRORA device error occurred while attempting to update the counter. - @retval EFI_UNSUPPORTED The operation is un-supported. -**/ -EFI_STATUS -EFIAPI -RequestMonotonicCounter ( - OUT UINT32 *CounterValue - ); - -/** - Increments the monotonic counter in the SPI flash device by 1. - - @retval EFI_SUCCESS The operation completed successfully. - @retval EFI_DEVICE_ERRORA device error occurred while attempting to update the counter. - @retval EFI_UNSUPPORTED The operation is un-supported. -**/ -EFI_STATUS -EFIAPI -IncrementMonotonicCounter ( - VOID - ); - -#endif diff --git a/SecurityPkg/Include/Library/VariableKeyLib.h b/SecurityPkg/Include/Library/VariableKeyLib.h deleted file mode 100644 index 561ebad09d..00 --- a/SecurityPkg/Include/Library/VariableKeyLib.h +++ /dev/null @@ -1,59 +0,0 @@ -/** @file - Public definitions for Variable Key Library. - -Copyright (c) 2020, Intel Corporation. All rights reserved. -SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#ifndef _VARIABLE_KEY_LIB_H_ -#define _VARIABLE_KEY_LIB_H_ - -#include - -/** - Retrieves the key for integrity and/or confidentiality of variables. - - @param[out] VariableKey A pointer to pointer for the variable key buffer. - @param[in,out] VariableKeySize The size in bytes of the variable key. - - @retval EFI_SUCCESS The variable key was returned. - @retval EFI_DEVICE_ERRORAn error occurred while attempting to get the variable key. - @retval EFI_ACCESS_DENIED The function was invoked after locking the key interface. - @retval EFI_UNSUPPORTED The variable key is not supported in the current boot configuration. -**/ -EFI_STATUS -EFIAPI -GetVariableKey ( - OUT VOID **VariableKey, - IN OUT UINTN *VariableKeySize - ); - -/** - Regenerates the variable key. - - @retval EFI_SUCCESS The variable key was regenerated successfully. - @retval EFI_DEVICE_ERRORAn error occurred while attempting to regenerate the key. - @retval EFI_ACCESS_DENIED The function was invoked after locking the key interface. - @retval EFI_UNSUPPORTED Key regeneration is not supported in the current boot configuration. -**/ -EFI_STATUS -EFIAPI -RegenerateVariableKey ( - VOID - ); - -/** - Locks the regenerate key interface. - - @retval EFI_SUCCESS The key interface was locked successfully. - @retval EFI_UNSUPPORTED Locking the key interface is not supported in the current boot configuration. - @retval Others An error occurred while attempting to lock the key interface. -**/ -EFI_STATUS -EFIAPI -LockVariableKeyInterface ( - VOID - ); - -#endif diff --git a/SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c b/SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c deleted file mode 100644 index 792e48250e..00 ---
Re: [edk2-devel] [PATCH v5 19/19] SecurityPkg: Add references to new *.inf files
Reviewed-by: Jian J Wang Regards, Jian > -Original Message- > From: Vang, Judah > Sent: Sunday, November 06, 2022 3:35 PM > To: devel@edk2.groups.io > Cc: Wang, Jian J ; Yao, Jiewen ; > Mistry, Nishant C > Subject: [PATCH v5 19/19] SecurityPkg: Add references to new *.inf files > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 > > Add references to the different *ProtectedVariableLib.inf. > Also add references to VariableKeyLibNull.inf, > EncryptionVariableLibNull.inf, ProtectedVariableNull.inf. > > Cc: Jian J Wang > Cc: Jiewen Yao > Cc: Nishant C Mistry > Signed-off-by: Jian J Wang > Signed-off-by: Nishant C Mistry > Signed-off-by: Judah Vang > --- > SecurityPkg/SecurityPkg.dsc | 13 - > 1 file changed, 12 insertions(+), 1 deletion(-) > > diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc > index 6bf53c565882..3134b103ff53 100644 > --- a/SecurityPkg/SecurityPkg.dsc > +++ b/SecurityPkg/SecurityPkg.dsc > @@ -1,7 +1,7 @@ > ## @file > # Security Module Package for All Architectures. > # > -# Copyright (c) 2009 - 2021, Intel Corporation. All rights reserved. > +# Copyright (c) 2009 - 2022, Intel Corporation. All rights reserved. > # (C) Copyright 2015-2020 Hewlett Packard Enterprise Development LP > # Copyright (c) 2022, Loongson Technology Corporation Limited. All rights > reserved. > # SPDX-License-Identifier: BSD-2-Clause-Patent > @@ -67,8 +67,11 @@ [LibraryClasses] > > TcgStorageCoreLib|SecurityPkg/Library/TcgStorageCoreLib/TcgStorageCoreLib. > inf > > TcgStorageOpalLib|SecurityPkg/Library/TcgStorageOpalLib/TcgStorageOpalLib.i > nf > > ResetSystemLib|MdeModulePkg/Library/BaseResetSystemLibNull/BaseResetSys > temLibNull.inf > + > + # These should be Null by default > > VariableKeyLib|SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf >RpmcLib|SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf > + > EncryptionVariableLib|SecurityPkg/Library/EncryptionVariableLibNull/Encryption > VariableLibNull.inf > > TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLo > gRecordLib.inf > > MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockM > emoryLibNull.inf > > SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBoot > VariableLib.inf > @@ -261,9 +264,17 @@ [Components] ># ># Variable Confidentiality & Integrity ># > + SecurityPkg/Library/ProtectedVariableLib/PeiProtectedVariableLib.inf > + SecurityPkg/Library/ProtectedVariableLib/DxeProtectedVariableLib.inf > + SecurityPkg/Library/ProtectedVariableLib/SmmProtectedVariableLib.inf > + > SecurityPkg/Library/ProtectedVariableLib/SmmRuntimeProtectedVariableLib.inf > + SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf > + SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf > + >SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf >SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf > > SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLib > VarPolicy.inf > + SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf > ># ># Other > -- > 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#96542): https://edk2.groups.io/g/devel/message/96542 Mute This Topic: https://groups.io/mt/94840835/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v5 17/19] SecurityPkg: Add EncryptionVariable lib with AES
Judah,
Just some typos found. See inline comments below starting with "[JianJW]".
With them addressed,
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Vang, Judah
> Sent: Sunday, November 06, 2022 3:35 PM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Yao, Jiewen ;
> Xu, Min M ; Mistry, Nishant C
>
> Subject: [PATCH v5 17/19] SecurityPkg: Add EncryptionVariable lib with AES
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> V3: Change AllocateZeroPool() with AllocatePages() and FreePool()
> with FreePages(). FreePool() is not supported in PEI phase so this was
> causing a memory leak. Reverse the order of the FreePages() call.
>
> V1: Add encryption/decryption of protected variable functionality.
> Add functions to get/set cipher data of a protected variable.
> This is use for supporting confidentiality for protected
> variables.
>
> Cc: Jian J Wang
> Cc: Jiewen Yao
> Cc: Min Xu
> Cc: Nishant C Mistry
> Signed-off-by: Jian J Wang
> Signed-off-by: Nishant C Mistry
> Signed-off-by: Judah Vang
> ---
> SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf | 43 ++
> SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h | 49 ++
> SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.c | 734
>
> 3 files changed, 826 insertions(+)
>
> diff --git
> a/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf
> b/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf
> new file mode 100644
> index ..7ece52f2fb58
> --- /dev/null
> +++ b/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf
> @@ -0,0 +1,43 @@
> +## @file
> +# Provides variable encryption/decryption services.
> +#
> +# Copyright (c) 2022, Intel Corporation. All rights reserved.
> +#
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +##
> +
> +[Defines]
> + INF_VERSION= 0x00010029
> + BASE_NAME = EncryptionVariableLib
> + FILE_GUID = 459E2CB0-AF4B-4415-B6A1-335E71FD8B85
> + MODULE_TYPE= BASE
> + VERSION_STRING = 1.0
> + LIBRARY_CLASS = EncryptionVariableLib
> +
> +#
> +# The following information is for reference only and not required by the
> build
> tools.
> +#
> +# VALID_ARCHITECTURES = IA32 X64
> +#
> +
> +[Sources]
> + EncryptionVariable.c
> + EncryptionVariable.h
> +
> +[Packages]
> + MdePkg/MdePkg.dec
> + MdeModulePkg/MdeModulePkg.dec
> + SecurityPkg/SecurityPkg.dec
> + CryptoPkg/CryptoPkg.dec
> +
> +[LibraryClasses]
> + BaseLib
> + BaseMemoryLib
> + DebugLib
> + MemoryAllocationLib
> + BaseCryptLib
> +
> +[Guids]
> + gEfiVariableGuid
> + gEfiAuthenticatedVariableGuid
> diff --git a/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h
> b/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h
> new file mode 100644
> index ..f35f9f9e3ad7
> --- /dev/null
> +++ b/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h
> @@ -0,0 +1,49 @@
> +/** @file
> + Definitions used by this library implementation.
> +
> +Copyright (c) 2022, Intel Corporation. All rights reserved.
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#ifndef ENCRYPTION_VARIABLE_H_
> +#define ENCRYPTION_VARIABLE_H_
> +
> +#define ENC_KEY_SEPL":"
> +#define ENC_KEY_SEP_SIZE 2
> +#define ENC_KEY_NAME L"VAR_ENC_KEY"
> +#define ENC_KEY_NAME_SIZE 22
> +
> +#define ENC_KEY_SIZE(256/8)
> +#define ENC_BLOCK_SIZE AES_BLOCK_SIZE
> +#define ENC_IVEC_SIZE ENC_BLOCK_SIZE
> +
> +#define ENC_PADDING_BYTE 0x0F
> +
> +//
> +// PKCS#5 padding
> +//
> +// #define AES_CIPHER_DATA_SIZE(PlainDataSize)
> +// (AES_BLOCK_SIZE + (PlainDataSize)) & (~(AES_BLOCK_SIZE - 1))
> +//
> +#define AES_CIPHER_DATA_SIZE(PlainDataSize) ALIGN_VALUE (PlainDataSize,
> AES_BLOCK_SIZE)
> +
> +#define FREE_POOL(Address) \
> +if ((Address) != NULL) {\
> + FreePool (Address); \
> + (Address) = NULL; \
> +}
> +
> +#pragma pack(1)
> +
> +typedef struct {
> + UINT32DataType; // SYM_TYPE_AES
> + UINT32HeaderSize; // sizeof(VARIABLE_ENCRYPTION_HEADER)
> + UINT32PlainDataSize;// Plain data size
> + UINT32CipherDataSize; // Cipher data size
> + UINT8 KeyIvec[ENC_IVEC_SIZE];
> +} VARIABLE_ENCRYPTION_HEADER;
> +
> +#pragma pack()
> +
> +#endif // _ENCRYPTION_VARIABLE_H_
> diff --
Re: [edk2-devel] [PATCH v5 15/19] SecurityPkg: Add null encryption variable libs
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Vang, Judah
> Sent: Sunday, November 06, 2022 3:35 PM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Yao, Jiewen ;
> Mistry, Nishant C
> Subject: [PATCH v5 15/19] SecurityPkg: Add null encryption variable libs
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> V4: Applied code review - Remove empty Guids section
> from .inf file. Update description in *.c. Remove *.uni file
> and reference to it.
>
> V1: Provide null ecryption variable libraries.
> These will be used by default for platforms that don't
> support protected variable encryption.
>
> Cc: Jian J Wang
> Cc: Jiewen Yao
> Cc: Nishant C Mistry
> Signed-off-by: Jian J Wang
> Signed-off-by: Nishant C Mistry
> Signed-off-by: Judah Vang
> ---
> SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf |
> 34
> SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c
> | 92
>
> 2 files changed, 126 insertions(+)
>
> diff --git
> a/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf
> b/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf
> new file mode 100644
> index ..185b6f9bedf7
> --- /dev/null
> +++
> b/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf
> @@ -0,0 +1,34 @@
> +## @file
> +# Provides NULL version of encryption variable services.
> +#
> +# Copyright (c) 2015 - 2022, Intel Corporation. All rights reserved.
> +#
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +##
> +
> +[Defines]
> + INF_VERSION= 0x00010005
> + BASE_NAME = EncryptionVariableLibNull
> + FILE_GUID = 3972E6FE-74D5-45C3-A9FB-DB9E5E5C9C17
> + MODULE_TYPE= BASE
> + VERSION_STRING = 1.0
> + LIBRARY_CLASS = EncryptionVariableLib
> +
> +#
> +# The following information is for reference only and not required by the
> build
> tools.
> +#
> +# VALID_ARCHITECTURES = IA32 X64
> +#
> +
> +[Sources]
> + EncryptionVariable.c
> +
> +[Packages]
> + MdePkg/MdePkg.dec
> + MdeModulePkg/MdeModulePkg.dec
> + SecurityPkg/SecurityPkg.dec
> +
> +[LibraryClasses]
> + BaseLib
> + DebugLib
> diff --git
> a/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c
> b/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c
> new file mode 100644
> index ..52ee8a7b5aae
> --- /dev/null
> +++ b/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c
> @@ -0,0 +1,92 @@
> +/** @file
> + NULL implementation of EncryptionVariableLib.
> +
> +Copyright (c) 2022, Intel Corporation. All rights reserved.
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include
> +
> +#include
> +#include
> +
> +/**
> + Encrypt variable data.
> +
> + Null version.
> +
> + @param[in, out] VarEncInfo Pointer to structure containing detailed
> + information about a variable.
> +
> + @retval EFI_UNSUPPORTED Unsupported to encrypt variable.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +EncryptVariable (
> + IN OUT VARIABLE_ENCRYPTION_INFO *VarEncInfo
> + )
> +{
> + return EFI_UNSUPPORTED;
> +}
> +
> +/**
> + Decrypt variable data.
> +
> + Null version.
> +
> + @param[in, out] VarEncInfo Pointer to structure containing detailed
> + information about a variable.
> +
> + @retval EFI_UNSUPPORTED Unsupported to encrypt variable.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +DecryptVariable (
> + IN OUT VARIABLE_ENCRYPTION_INFO *VarEncInfo
> + )
> +{
> + return EFI_UNSUPPORTED;
> +}
> +
> +/**
> + Get cipher information.
> +
> + Null version.
> +
> + @param[in] VarEncInfo Pointer to structure containing detailed
> +information about a variable.
> +
> + @retval EFI_UNSUPPORTED Unsupported interface.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +GetCipherDataInfo (
> + IN VARIABLE_ENCRYPTION_INFO *VarEncInfo
> + )
> +{
> + return EFI_UNSUPPORTED;
> +}
> +
> +/**
> + Set cipher information for a variable.
> +
> + Null version.
> +
> + @param[in] VarEncInfo Pointer to structure containing detailed
> +information about a variable.
> +
> + @retval EFI_UNSUPPORTED If this method is not supported.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +SetCipherDataInfo (
> + IN VARIABLE_ENCRYPTION_INFO *VarEncInfo
> + )
> +{
> + return EFI_UNSUPPORTED;
> +}
> --
> 2.35.1.windows.2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#96539): https://edk2.groups.io/g/devel/message/96539
Mute This Topic: https://groups.io/mt/94840831/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v5 11/19] SecurityPkg: Add new KeyService types and defines
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Vang, Judah
> Sent: Sunday, November 06, 2022 3:35 PM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Yao, Jiewen ;
> Mistry, Nishant C
> Subject: [PATCH v5 11/19] SecurityPkg: Add new KeyService types and defines
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> V4: revert copyright date change.
>
> V1: Add new KeyService types and defines.
>
> Cc: Jian J Wang
> Cc: Jiewen Yao
> Cc: Nishant C Mistry
> Signed-off-by: Jian J Wang
> Signed-off-by: Nishant C Mistry
> Signed-off-by: Judah Vang
> ---
> SecurityPkg/Include/Ppi/KeyServicePpi.h | 57
> 1 file changed, 57 insertions(+)
>
> diff --git a/SecurityPkg/Include/Ppi/KeyServicePpi.h
> b/SecurityPkg/Include/Ppi/KeyServicePpi.h
> new file mode 100644
> index ..8cfec04f96e5
> --- /dev/null
> +++ b/SecurityPkg/Include/Ppi/KeyServicePpi.h
> @@ -0,0 +1,57 @@
> +/** @file
> + Provides Key Services.
> +
> +Copyright (c) 2008 - 2022, Intel Corporation. All rights reserved.
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +@par Specification Reference:
> +**/
> +
> +#ifndef PEI_KEY_SERVICE_PPI_H_
> +#define PEI_KEY_SERVICE_PPI_H_
> +///
> +/// KEY SERVICE PPI GUID
> +///
> +extern EFI_GUID gKeyServicePpiGuid;
> +
> +/**
> + Generate a new key from root key.
> +
> + @param[in] Salt Pointer to the salt(non-secret)
> value.
> + @param[in] SaltSize Salt size in bytes.
> + @param[out] NewKey Pointer to buffer to receive new key.
> + @param[in] NewKeySize Size of new key bytes to generate.
> +
> + @retval EFI_SUCCESS The function completed successfully
> + @retval OTHER The function completed with failure.
> +**/
> +typedef
> +EFI_STATUS
> +(EFIAPI *KEY_SERVICE_GEN_KEY)(
> + IN UINT8*Salt,
> + IN UINTNSaltSize,
> + OUT UINT8*NewKey,
> + IN UINTNNewKeySize
> + );
> +
> +#define KEY_SERVICE_PPI_REVISION 1
> +#define ROOT_KEY_LEN 64
> +#define SALT_SIZE_MIN_LEN 64
> +#define KEY_SERVICE_KEY_NAME L"KEY_SERVICE_KEY"
> +
> +typedef struct {
> + UINT8RootKey[ROOT_KEY_LEN];
> + UINT8PreviousRootKey[ROOT_KEY_LEN];
> +} KEY_SERVICE_DATA;
> +
> +typedef struct _KEY_SERVICE_PPI KEY_SERVICE_PPI;
> +
> +///
> +/// KEY SERVICE PPI
> +/// The interface functions are for Key Service in PEI Phase
> +///
> +struct _KEY_SERVICE_PPI {
> + KEY_SERVICE_GEN_KEYGenerateKey; /// Generate Key
> +};
> +
> +#endif
> --
> 2.35.1.windows.2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#96538): https://edk2.groups.io/g/devel/message/96538
Mute This Topic: https://groups.io/mt/94840827/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v5 09/19] MdeModulePkg: Reference Null ProtectedVariableLib
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Vang, Judah
> Sent: Sunday, November 06, 2022 3:35 PM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Gao, Liming
> ; Mistry, Nishant C
> Subject: [PATCH v5 09/19] MdeModulePkg: Reference Null ProtectedVariableLib
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> V5: Add reference to new Protected Variable libs.
>
> V1: Make reference to new Null ProtectVariableLib.
> The null ProtectedVariableLib is used by default.
>
> Cc: Jian J Wang
> Cc: Liming Gao
> Cc: Nishant C Mistry
> Signed-off-by: Jian J Wang
> Signed-off-by: Nishant C Mistry
> Signed-off-by: Judah Vang
> ---
> MdeModulePkg/MdeModulePkg.dsc | 20 +++-
> MdeModulePkg/Test/MdeModulePkgHostTest.dsc | 8
> 2 files changed, 27 insertions(+), 1 deletion(-)
>
> diff --git a/MdeModulePkg/MdeModulePkg.dsc
> b/MdeModulePkg/MdeModulePkg.dsc
> index 659482ab737f..65ec6d1e0918 100644
> --- a/MdeModulePkg/MdeModulePkg.dsc
> +++ b/MdeModulePkg/MdeModulePkg.dsc
> @@ -2,7 +2,7 @@
> # EFI/PI Reference Module Package for All Architectures
> #
> # (C) Copyright 2014 Hewlett-Packard Development Company, L.P.
> -# Copyright (c) 2007 - 2021, Intel Corporation. All rights reserved.
> +# Copyright (c) 2007 - 2022, Intel Corporation. All rights reserved.
> # Copyright (c) Microsoft Corporation.
> #
> #SPDX-License-Identifier: BSD-2-Clause-Patent
> @@ -104,6 +104,7 @@ [LibraryClasses]
>
> VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/Variab
> lePolicyHelperLib.inf
>
> MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockM
> emoryLibNull.inf
>
> VariableFlashInfoLib|MdeModulePkg/Library/BaseVariableFlashInfoLib/BaseVar
> iableFlashInfoLib.inf
> +
> ProtectedVariableLib|MdeModulePkg/Library/ProtectedVariableLibNull/Protect
> edVariableLibNull.inf
>
> [LibraryClasses.EBC.PEIM]
>IoLib|MdePkg/Library/PeiIoLibCpuIo/PeiIoLibCpuIo.inf
> @@ -318,6 +319,7 @@ [Components]
>
> MdeModulePkg/Library/PlatformBootManagerLibNull/PlatformBootManagerLi
> bNull.inf
>MdeModulePkg/Library/BootLogoLib/BootLogoLib.inf
>
> MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
> +
> MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf
>MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
>MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
>MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf
> @@ -397,6 +399,7 @@ [Components]
>MdeModulePkg/Application/VariableInfo/VariableInfo.inf
>MdeModulePkg/Universal/FaultTolerantWritePei/FaultTolerantWritePei.inf
>MdeModulePkg/Universal/Variable/Pei/VariablePei.inf
> + MdeModulePkg/Universal/Variable/Protected/Pei/VariablePei.inf
>MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf
>MdeModulePkg/Universal/TimestampDxe/TimestampDxe.inf
>MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
> @@ -461,6 +464,7 @@ [Components.IA32, Components.X64,
> Components.ARM, Components.AARCH64]
> !if $(TOOL_CHAIN_TAG) != "XCODE5"
>
> MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandalon
> eMm.inf
>MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
> +
> MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableStandalone
> Mm.inf
> !endif
>
> [Components.IA32, Components.X64]
> @@ -475,13 +479,27 @@ [Components.IA32, Components.X64]
>NULL|MdeModulePkg/Library/VarCheckHiiLib/VarCheckHiiLib.inf
>NULL|MdeModulePkg/Library/VarCheckPcdLib/VarCheckPcdLib.inf
>}
> + MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableSmm.inf {
> +
> + NULL|MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf
> + NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf
> + NULL|MdeModulePkg/Library/VarCheckHiiLib/VarCheckHiiLib.inf
> + NULL|MdeModulePkg/Library/VarCheckPcdLib/VarCheckPcdLib.inf
> + }
>MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf {
>
>NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf
>NULL|MdeModulePkg/Library/VarCheckHiiLib/VarCheckHiiLib.inf
>NULL|MdeModulePkg/Library/VarCheckPcdLib/VarCheckPcdLib.inf
>}
> +
> MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableRuntimeDxe
> .inf {
> +
> + NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf
> + NULL|MdeModulePkg/Library/VarCheckHiiLib/VarCheckHiiLib.inf
> + NULL|MdeModulePkg/Library/VarCheckPcdLib/VarCheckPcdLib.inf
>
Re: [edk2-devel] [PATCH v5 06/19] MdeModulePkg: Add Null ProtectedVariable Library
Judah,
Just some typos. See inline comments starting with "[JianJW]".
With them addressed,
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Vang, Judah
> Sent: Sunday, November 06, 2022 3:35 PM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Gao, Liming
> ; Mistry, Nishant C
> Subject: [PATCH v5 06/19] MdeModulePkg: Add Null ProtectedVariable Library
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> V4: Applied code review comments - removed APIs that are not being
> used.
>
> V1: Add Null versions of the ProtectedVariable Library.
> This will be the default libraries for platforms that
> do not support ProtectedVariable.
>
> Cc: Jian J Wang
> Cc: Liming Gao
> Cc: Nishant C Mistry
> Signed-off-by: Jian J Wang
> Signed-off-by: Nishant C Mistry
> Signed-off-by: Judah Vang
> ---
> MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf
> | 34 ++
> MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c |
> 336
> 2 files changed, 370 insertions(+)
>
> diff --git
> a/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.in
> f
> b/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.in
> f
> new file mode 100644
> index ..6a17191c4e1e
> --- /dev/null
> +++
> b/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.in
> f
> @@ -0,0 +1,34 @@
> +## @file
> +# Provides null version of protected variable services.
> +#
> +# Copyright (c) 2022, Intel Corporation. All rights reserved.
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +##
> +
> +[Defines]
> + INF_VERSION= 0x00010029
> + BASE_NAME = ProtectedVariableLibNull
> + FILE_GUID = 352C6A1B-403A-4E37-8517-FAA50BC45251
> + MODULE_TYPE= BASE
> + VERSION_STRING = 0.1
> + LIBRARY_CLASS = ProtectedVariableLib
> +
> +#
> +# The following information is for reference only and not required by the
> build
> tools.
> +#
> +# VALID_ARCHITECTURES = IA32 X64
> +#
> +
> +[Sources]
> + ProtectedVariable.c
> +
> +[Packages]
> + MdePkg/MdePkg.dec
> + MdeModulePkg/MdeModulePkg.dec
> +
> +[LibraryClasses]
> + BaseLib
> + BaseMemoryLib
> + DebugLib
> +
> diff --git
> a/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c
> b/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c
> new file mode 100644
> index ..074559f84f52
> --- /dev/null
> +++ b/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c
> @@ -0,0 +1,336 @@
> +/** @file
> + NULL version of ProtectedVariableLib used to disable protected variable
> services.
> +
> +Copyright (c) 2022, Intel Corporation. All rights reserved.
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include
> +#include
> +
> +#include
> +#include
> +#include
> +
> +/**
> +
> + Initialization for protected varibale services.
[JianJW] typo: " varibale" -> "variable"
> +
> + @param[in] ContextIn Pointer to variable service context needed by
> + protected variable.
> +
> + @retval EFI_UNSUPPORTED Unsupported to process protected
> variable.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +ProtectedVariableLibInitialize (
> + IN PROTECTED_VARIABLE_CONTEXT_IN *ContextIn
> + )
> +{
> + return EFI_UNSUPPORTED;
> +}
> +
> +/**
> +
> + Prepare for variable update.
> +
> + @retval EFI_UNSUPPORTED Unsupported to process protected
> variable.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +ProtectedVariableLibWriteInit (
> + VOID
> + )
> +{
> + return EFI_UNSUPPORTED;
> +}
> +
> +/**
> +
> + Update a variable with protection provided by this library.
> +
> + @param[in,out] CurrVariableVariable to be updated. It's NULL if
> + adding a new variable.
> + @param[in] CurrVariableInDel In-delete-transiion copy of updating
> variable.
[JianJW] typo: " transiion" -> "transition"
> + @param[in,out] NewVariable Buffer of new variable data.
> + Buffer of "MetaDataHmacVar" and new
> + variable (encrypted).
> + @param[in,out] NewVariableSize Size of NewVariable.
> + Size of (encrypted) NewVariable and
> +
Re: [edk2-devel] [PATCH v5 04/19] MdeModulePkg: Add new include files
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Vang, Judah
> Sent: Sunday, November 06, 2022 3:35 PM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Gao, Liming
> ; Mistry, Nishant C
> Subject: [PATCH v5 04/19] MdeModulePkg: Add new include files
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> V4: Updated with review comments for misspellings, mismatch
> function prototype, missing function header comments, incorrect
> function description.
>
> V1: Add EncryptionVariableLib.h for providing encryption and
> decryption services for protected variables.
> Add ProtectedVariableLib.h for providing integrity or
> variables.
>
> Cc: Jian J Wang
> Cc: Liming Gao
> Cc: Nishant C Mistry
> Signed-off-by: Jian J Wang
> Signed-off-by: Nishant C Mistry
> Signed-off-by: Judah Vang
> ---
> MdeModulePkg/Include/Library/EncryptionVariableLib.h | 165 ++
> MdeModulePkg/Include/Library/ProtectedVariableLib.h | 607
>
> 2 files changed, 772 insertions(+)
>
> diff --git a/MdeModulePkg/Include/Library/EncryptionVariableLib.h
> b/MdeModulePkg/Include/Library/EncryptionVariableLib.h
> new file mode 100644
> index ..68981f5aad6a
> --- /dev/null
> +++ b/MdeModulePkg/Include/Library/EncryptionVariableLib.h
> @@ -0,0 +1,165 @@
> +/** @file
> + Provides services to encrypt/decrypt variables.
> +
> +Copyright (c) 2022, Intel Corporation. All rights reserved.
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#ifndef ENCRYPTION_VARIABLE_LIB_H_
> +#define ENCRYPTION_VARIABLE_LIB_H_
> +
> +#include
> +
> +#include
> +
> +#include
> +
> +#define ENC_TYPE_NULL 0
> +#define ENC_TYPE_AES TPM_ALG_AES
> +
> +typedef struct _VARIABLE_ENCRYPTION_FLAGS {
> + BOOLEANAuth;// Variable is authenticated or not
> + BOOLEANDecryptInPlace; // Do decryption in place
> + BOOLEANProtected; // Variable is protected or not
> +} VARIABLE_ENCRYPTION_FLAGS;
> +
> +typedef struct _VARIABLE_ENCRYPTION_INFO {
> + AUTH_VARIABLE_INFO Header;// Authenticated varabile
> header
> + VARIABLE_HEADER *Buffer; // Pointer to variable
> buffer
> + UINT64 StoreIndex;// Variable store index
> + VOID *PlainData;// Pointer to plain data
> + UINT32 PlainDataSize; // Size of plain data
> + VOID *CipherData; // Pointer to cipher data
> + UINT32 CipherDataSize;// Size of cipher data
> + UINT32 CipherHeaderSize; // Size of cipher header
> + UINT32 CipherDataType;// Type of cipher data
> + VOID *Key; // Pointer to
> encrypt/decrypt key
> + UINT32 KeySize; // Size of key
> + VARIABLE_ENCRYPTION_FLAGSFlags; // Encryption flags
> +} VARIABLE_ENCRYPTION_INFO;
> +
> +/**
> + Encrypt variable data.
> +
> + @param[in, out] VarInfo Pointer to structure containing detailed
> information about a variable.
> +
> + @retval EFI_SUCCESS Function successfully executed.
> + @retval EFI_INVALID_PARAMETER If ProtectedVarLibContextIn == NULL or
> ProtectedVarLibContextOut == NULL.
> + @retval EFI_OUT_OF_RESOURCES Fail to allocate enough resource.
> + @retval EFI_UNSUPPORTED Unsupported to process encrypted
> variable.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +EncryptVariable (
> + IN OUT VARIABLE_ENCRYPTION_INFO *VarInfo
> + );
> +
> +/**
> + Decrypt variable data.
> +
> + If VarEncInfo->CipherData is not NULL, it must holds the cipher data to be
> + decrypted. Otherwise, assume the cipher data from variable data buffer,
> i.e.
> + VarEncInfo->Header.Data.
> +
> + If VarEncInfo->Flags.DecryptInPlace is TRUE, the decrypted data will be put
> + back in the same buffer as cipher buffer got above, after encryption
> header,
> + which helps to identify later if the data in buffer is decrypted or not.
> This
> + can avoid repeat decryption when accessing the same variable more than
> once.
> +
> + If VarEncInfo->Flags.DecryptInPlace is FALSE, VarEncInfo->PlainData must be
> + passed in with a valid buffer with VarEncInfo->PlainDataSize set correctly
> + with its size.
> +
> + Note the VarEncInfo->PlainData is always pointing to the buffer address
> with
> + decrypted data without encryption header, and VarEncInfo->PlainDataSize is
> + always the size of origi
Re: [edk2-devel] [PATCH v5 07/19] MdeModulePkg: Add new Variable functionality
One more comment: For all header files, no need to remove the opening '_' of include guard macro. Protected variable code are now in different folder than original variable driver. They won't reference code from each other. Please add the opening '_' for those macros to confirm to edk2 coding convention. Regards, Jian > -Original Message- > From: devel@edk2.groups.io On Behalf Of Wang, Jian > J > Sent: Monday, November 14, 2022 11:43 AM > To: Vang, Judah ; devel@edk2.groups.io > Cc: Gao, Liming ; Wu, Hao A > ; Mistry, Nishant C > Subject: Re: [edk2-devel] [PATCH v5 07/19] MdeModulePkg: Add new Variable > functionality > > Hi Judah, > > See my comments (starting with [JianJW]) inline below. > > > > -Original Message- > > From: Vang, Judah > > Sent: Sunday, November 06, 2022 3:35 PM > > To: devel@edk2.groups.io > > Cc: Wang, Jian J ; Gao, Liming > > ; Wu, Hao A ; Mistry, > > Nishant C > > Subject: [PATCH v5 07/19] MdeModulePkg: Add new Variable functionality > > > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 > > > > V5: Add PEI Variable Protection into a new directory and leave the > > existing PEI Variable unchanged. > > > > V3: Update GetNvVariableStore() to call GetVariableFlashNvStorageInfo() > > and SafeUint64ToUint32(). > > > > V1: Provide new APIs for retrieving variable information. > > Add new function stubs for retrieving Protected > > variable information. > > > > Cc: Jian J Wang > > Cc: Liming Gao > > Cc: Hao A Wu > > Cc: Nishant C Mistry > > Signed-off-by: Jian J Wang > > Signed-off-by: Nishant C Mistry > > Signed-off-by: Judah Vang > > Acked-by: Hao A Wu > > --- > > MdeModulePkg/Universal/Variable/Protected/Pei/VariablePei.inf | 79 ++ > > MdeModulePkg/Universal/Variable/Protected/Pei/Variable.h | 225 > + > > MdeModulePkg/Universal/Variable/Protected/Pei/VariableParsing.h| 309 > > +++ > > MdeModulePkg/Universal/Variable/Protected/Pei/VariableStore.h | 116 > +++ > > MdeModulePkg/Universal/Variable/Protected/Pei/Variable.c | 628 > > + > > MdeModulePkg/Universal/Variable/Protected/Pei/VariableParsing.c| 941 > > > > MdeModulePkg/Universal/Variable/Protected/Pei/VariableStore.c | 307 > > +++ > > MdeModulePkg/Universal/Variable/Protected/Pei/PeiVariable.uni | 16 + > > MdeModulePkg/Universal/Variable/Protected/Pei/PeiVariableExtra.uni | 14 + > > 9 files changed, 2635 insertions(+) > > > > diff --git a/MdeModulePkg/Universal/Variable/Protected/Pei/VariablePei.inf > > b/MdeModulePkg/Universal/Variable/Protected/Pei/VariablePei.inf > > new file mode 100644 > > index ..953a7c6b884f > > --- /dev/null > > +++ b/MdeModulePkg/Universal/Variable/Protected/Pei/VariablePei.inf > > @@ -0,0 +1,79 @@ > > +## @file > > +# Implements ReadOnly Variable Services required by PEIM and installs PEI > > ReadOnly Varaiable2 PPI. > > [JianJW] typo: "Varaiable2" -> "Variable2" > > > +# > > +# This module implements ReadOnly Variable Services required by PEIM and > > installs PEI ReadOnly Varaiable2 PPI. > > [JianJW] typo: "Varaiable2" -> "Variable2" > > > +# > > +# Copyright (c) 2006 - 2022, Intel Corporation. All rights reserved. > > +# SPDX-License-Identifier: BSD-2-Clause-Patent > > +# > > +## > > + > > +[Defines] > > + INF_VERSION= 0x00010005 > > + BASE_NAME = PeiVariable > > + MODULE_UNI_FILE= PeiVariable.uni > > + FILE_GUID = 8D104D19-593B-4DDF-81CF-8168A9EDE9C7 > > + MODULE_TYPE= PEIM > > + VERSION_STRING = 1.0 > > + ENTRY_POINT= PeimInitializeVariableServices > > + > > +# > > +# The following information is for reference only and not required by the > build > > tools. > > +# > > +# VALID_ARCHITECTURES = IA32 X64 EBC > > +# > > + > > +[Sources] > > + Variable.c > > + Variable.h > > + VariableStore.c > > + VariableStore.h > > + VariableParsing.c > > + VariableParsing.h > > + > > +[Packages] > > + MdePkg/MdePkg.dec > > + MdeModulePkg/MdeModulePkg.dec > > + > > +[LibraryClasses] > > + BaseMemoryLib > > + PcdLib > > + HobLib > > + PeimEntryPoint > > + DebugLib > > + PeiServicesTablePo
Re: [edk2-devel] [PATCH v5 07/19] MdeModulePkg: Add new Variable functionality
Hi Judah, See my comments (starting with [JianJW]) inline below. > -Original Message- > From: Vang, Judah > Sent: Sunday, November 06, 2022 3:35 PM > To: devel@edk2.groups.io > Cc: Wang, Jian J ; Gao, Liming > ; Wu, Hao A ; Mistry, > Nishant C > Subject: [PATCH v5 07/19] MdeModulePkg: Add new Variable functionality > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 > > V5: Add PEI Variable Protection into a new directory and leave the > existing PEI Variable unchanged. > > V3: Update GetNvVariableStore() to call GetVariableFlashNvStorageInfo() > and SafeUint64ToUint32(). > > V1: Provide new APIs for retrieving variable information. > Add new function stubs for retrieving Protected > variable information. > > Cc: Jian J Wang > Cc: Liming Gao > Cc: Hao A Wu > Cc: Nishant C Mistry > Signed-off-by: Jian J Wang > Signed-off-by: Nishant C Mistry > Signed-off-by: Judah Vang > Acked-by: Hao A Wu > --- > MdeModulePkg/Universal/Variable/Protected/Pei/VariablePei.inf | 79 ++ > MdeModulePkg/Universal/Variable/Protected/Pei/Variable.h | 225 > + > MdeModulePkg/Universal/Variable/Protected/Pei/VariableParsing.h| 309 > +++ > MdeModulePkg/Universal/Variable/Protected/Pei/VariableStore.h | 116 +++ > MdeModulePkg/Universal/Variable/Protected/Pei/Variable.c | 628 > + > MdeModulePkg/Universal/Variable/Protected/Pei/VariableParsing.c| 941 > > MdeModulePkg/Universal/Variable/Protected/Pei/VariableStore.c | 307 > +++ > MdeModulePkg/Universal/Variable/Protected/Pei/PeiVariable.uni | 16 + > MdeModulePkg/Universal/Variable/Protected/Pei/PeiVariableExtra.uni | 14 + > 9 files changed, 2635 insertions(+) > > diff --git a/MdeModulePkg/Universal/Variable/Protected/Pei/VariablePei.inf > b/MdeModulePkg/Universal/Variable/Protected/Pei/VariablePei.inf > new file mode 100644 > index ..953a7c6b884f > --- /dev/null > +++ b/MdeModulePkg/Universal/Variable/Protected/Pei/VariablePei.inf > @@ -0,0 +1,79 @@ > +## @file > +# Implements ReadOnly Variable Services required by PEIM and installs PEI > ReadOnly Varaiable2 PPI. [JianJW] typo: "Varaiable2" -> "Variable2" > +# > +# This module implements ReadOnly Variable Services required by PEIM and > installs PEI ReadOnly Varaiable2 PPI. [JianJW] typo: "Varaiable2" -> "Variable2" > +# > +# Copyright (c) 2006 - 2022, Intel Corporation. All rights reserved. > +# SPDX-License-Identifier: BSD-2-Clause-Patent > +# > +## > + > +[Defines] > + INF_VERSION= 0x00010005 > + BASE_NAME = PeiVariable > + MODULE_UNI_FILE= PeiVariable.uni > + FILE_GUID = 8D104D19-593B-4DDF-81CF-8168A9EDE9C7 > + MODULE_TYPE= PEIM > + VERSION_STRING = 1.0 > + ENTRY_POINT= PeimInitializeVariableServices > + > +# > +# The following information is for reference only and not required by the > build > tools. > +# > +# VALID_ARCHITECTURES = IA32 X64 EBC > +# > + > +[Sources] > + Variable.c > + Variable.h > + VariableStore.c > + VariableStore.h > + VariableParsing.c > + VariableParsing.h > + > +[Packages] > + MdePkg/MdePkg.dec > + MdeModulePkg/MdeModulePkg.dec > + > +[LibraryClasses] > + BaseMemoryLib > + PcdLib > + HobLib > + PeimEntryPoint > + DebugLib > + PeiServicesTablePointerLib > + PeiServicesLib > + SafeIntLib > + VariableFlashInfoLib > + ProtectedVariableLib > + > +[Guids] > + ## CONSUMES ## GUID # Variable store header > + ## SOMETIMES_CONSUMES ## HOB > + gEfiAuthenticatedVariableGuid > + ## SOMETIMES_CONSUMES ## GUID # Variable store header > + ## SOMETIMES_CONSUMES ## HOB > + gEfiVariableGuid > + ## SOMETIMES_PRODUCES ## HOB > + ## SOMETIMES_CONSUMES ## HOB > + gEfiVariableIndexTableGuid > + gEfiSystemNvDataFvGuid## SOMETIMES_CONSUMES ## GUID > + ## SOMETIMES_CONSUMES ## HOB > + ## CONSUMES ## GUID # Dependence > + gEdkiiFaultTolerantWriteGuid > + > +[Ppis] > + gEfiPeiReadOnlyVariable2PpiGuid## PRODUCES > + gEfiPeiVariableStoreDiscoveredPpiGuid ## CONSUMES > + > +[Pcd] > + gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvModeEnable ## > SOMETIMES_CONSUMES > + > +[Depex] > + gEdkiiFaultTolerantWriteGuid > + > +# [BootMode] > +# RECOVERY_FULL ## SOMETIMES_CONSUMES > + > +[UserExtensions.TianoCore."ExtraFiles"] > + PeiVariableExtra.uni > diff --git
Re: [edk2-devel] [PATCH v4 07/28] MdeModulePkg: Add new Variable functionality
Sorry, please ignore this one. I should reply the one from v5.
Regards,
Jian
> -Original Message-
> From: devel@edk2.groups.io On Behalf Of Wang, Jian
> J
> Sent: Monday, November 14, 2022 1:39 AM
> To: Vang, Judah ; devel@edk2.groups.io
> Cc: Gao, Liming ; Wu, Hao A
> ; Mistry, Nishant C
> Subject: Re: [edk2-devel] [PATCH v4 07/28] MdeModulePkg: Add new Variable
> functionality
>
> Hi Judah,
>
> See my comments (starting with [JianJW]) inline below.
>
> Regards,
> Jian
>
> > -Original Message-
> > From: Vang, Judah
> > Sent: Thursday, August 11, 2022 2:53 PM
> > To: devel@edk2.groups.io
> > Cc: Wang, Jian J ; Gao, Liming
> > ; Wu, Hao A ; Mistry,
> > Nishant C
> > Subject: [PATCH v4 07/28] MdeModulePkg: Add new Variable functionality
> >
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
> >
> > V3: Update GetNvVariableStore() to call GetVariableFlashNvStorageInfo()
> > and SafeUint64ToUint32().
> >
> > V1: Provide new APIs for retrieving variable information.
> > Add new function stubs for retrieving Protected
> > variable information.
> >
> > Cc: Jian J Wang
> > Cc: Liming Gao
> > Cc: Hao A Wu
> > Cc: Nishant C Mistry
> > Signed-off-by: Jian J Wang
> > Signed-off-by: Nishant C Mistry
> > Signed-off-by: Judah Vang
> > Acked-by: Hao A Wu
> > ---
> > MdeModulePkg/Universal/Variable/Pei/VariablePei.inf | 10 +-
> > MdeModulePkg/Universal/Variable/Pei/Variable.h| 80 +-
> > MdeModulePkg/Universal/Variable/Pei/VariableParsing.h | 309 +++
> > MdeModulePkg/Universal/Variable/Pei/VariableStore.h | 116 +++
> > MdeModulePkg/Universal/Variable/Pei/Variable.c| 890
> > +++---
> > MdeModulePkg/Universal/Variable/Pei/VariableParsing.c | 941
> >
> > MdeModulePkg/Universal/Variable/Pei/VariableStore.c | 307 +++
> > 7 files changed, 1893 insertions(+), 760 deletions(-)
> >
> > diff --git a/MdeModulePkg/Universal/Variable/Pei/VariablePei.inf
> > b/MdeModulePkg/Universal/Variable/Pei/VariablePei.inf
> > index 7264a24bdf71..0945b4dec435 100644
> > --- a/MdeModulePkg/Universal/Variable/Pei/VariablePei.inf
> > +++ b/MdeModulePkg/Universal/Variable/Pei/VariablePei.inf
> > @@ -3,7 +3,7 @@
> > #
> > # This module implements ReadOnly Variable Services required by PEIM and
> > installs PEI ReadOnly Varaiable2 PPI.
> > #
> > -# Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
> > +# Copyright (c) 2006 - 2022, Intel Corporation. All rights reserved.
> > # SPDX-License-Identifier: BSD-2-Clause-Patent
> > #
> > ##
> > @@ -26,6 +26,10 @@ [Defines]
> > [Sources]
> >Variable.c
> >Variable.h
> > + VariableStore.c
> > + VariableStore.h
> > + VariableParsing.c
> > + VariableParsing.h
> >
> > [Packages]
> >MdePkg/MdePkg.dec
> > @@ -41,6 +45,7 @@ [LibraryClasses]
> >PeiServicesLib
> >SafeIntLib
> >VariableFlashInfoLib
> > + ProtectedVariableLib
> >
> > [Guids]
> >## CONSUMES ## GUID # Variable store header
> > @@ -58,7 +63,8 @@ [Guids]
> >gEdkiiFaultTolerantWriteGuid
> >
> > [Ppis]
> > - gEfiPeiReadOnlyVariable2PpiGuid ## PRODUCES
> > + gEfiPeiReadOnlyVariable2PpiGuid## PRODUCES
> > + gEfiPeiVariableStoreDiscoveredPpiGuid ## CONSUMES
> >
> > [Pcd]
> >gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvModeEnable ##
> > SOMETIMES_CONSUMES
> > diff --git a/MdeModulePkg/Universal/Variable/Pei/Variable.h
> > b/MdeModulePkg/Universal/Variable/Pei/Variable.h
> > index 51effbf79987..8c79ff850b38 100644
> > --- a/MdeModulePkg/Universal/Variable/Pei/Variable.h
> > +++ b/MdeModulePkg/Universal/Variable/Pei/Variable.h
> > @@ -2,7 +2,7 @@
> >The internal header file includes the common header files, defines
> >internal structure and functions used by PeiVariable module.
> >
> > -Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.
> > +Copyright (c) 2006 - 2022, Intel Corporation. All rights reserved.
> > SPDX-License-Identifier: BSD-2-Clause-Patent
> >
> > **/
> > @@ -22,11 +22,13 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> > #include
> > #include
> > #include
> > +#include
> >
> > #include
> > #include
> > #include
> > #include
> > +#include
> >
> > typedef enum {
> >VariableStoreTyp
Re: [edk2-devel] [PATCH v4 07/28] MdeModulePkg: Add new Variable functionality
Hi Judah,
See my comments (starting with [JianJW]) inline below.
Regards,
Jian
> -Original Message-
> From: Vang, Judah
> Sent: Thursday, August 11, 2022 2:53 PM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Gao, Liming
> ; Wu, Hao A ; Mistry,
> Nishant C
> Subject: [PATCH v4 07/28] MdeModulePkg: Add new Variable functionality
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> V3: Update GetNvVariableStore() to call GetVariableFlashNvStorageInfo()
> and SafeUint64ToUint32().
>
> V1: Provide new APIs for retrieving variable information.
> Add new function stubs for retrieving Protected
> variable information.
>
> Cc: Jian J Wang
> Cc: Liming Gao
> Cc: Hao A Wu
> Cc: Nishant C Mistry
> Signed-off-by: Jian J Wang
> Signed-off-by: Nishant C Mistry
> Signed-off-by: Judah Vang
> Acked-by: Hao A Wu
> ---
> MdeModulePkg/Universal/Variable/Pei/VariablePei.inf | 10 +-
> MdeModulePkg/Universal/Variable/Pei/Variable.h| 80 +-
> MdeModulePkg/Universal/Variable/Pei/VariableParsing.h | 309 +++
> MdeModulePkg/Universal/Variable/Pei/VariableStore.h | 116 +++
> MdeModulePkg/Universal/Variable/Pei/Variable.c| 890
> +++---
> MdeModulePkg/Universal/Variable/Pei/VariableParsing.c | 941
>
> MdeModulePkg/Universal/Variable/Pei/VariableStore.c | 307 +++
> 7 files changed, 1893 insertions(+), 760 deletions(-)
>
> diff --git a/MdeModulePkg/Universal/Variable/Pei/VariablePei.inf
> b/MdeModulePkg/Universal/Variable/Pei/VariablePei.inf
> index 7264a24bdf71..0945b4dec435 100644
> --- a/MdeModulePkg/Universal/Variable/Pei/VariablePei.inf
> +++ b/MdeModulePkg/Universal/Variable/Pei/VariablePei.inf
> @@ -3,7 +3,7 @@
> #
> # This module implements ReadOnly Variable Services required by PEIM and
> installs PEI ReadOnly Varaiable2 PPI.
> #
> -# Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
> +# Copyright (c) 2006 - 2022, Intel Corporation. All rights reserved.
> # SPDX-License-Identifier: BSD-2-Clause-Patent
> #
> ##
> @@ -26,6 +26,10 @@ [Defines]
> [Sources]
>Variable.c
>Variable.h
> + VariableStore.c
> + VariableStore.h
> + VariableParsing.c
> + VariableParsing.h
>
> [Packages]
>MdePkg/MdePkg.dec
> @@ -41,6 +45,7 @@ [LibraryClasses]
>PeiServicesLib
>SafeIntLib
>VariableFlashInfoLib
> + ProtectedVariableLib
>
> [Guids]
>## CONSUMES ## GUID # Variable store header
> @@ -58,7 +63,8 @@ [Guids]
>gEdkiiFaultTolerantWriteGuid
>
> [Ppis]
> - gEfiPeiReadOnlyVariable2PpiGuid ## PRODUCES
> + gEfiPeiReadOnlyVariable2PpiGuid## PRODUCES
> + gEfiPeiVariableStoreDiscoveredPpiGuid ## CONSUMES
>
> [Pcd]
>gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvModeEnable ##
> SOMETIMES_CONSUMES
> diff --git a/MdeModulePkg/Universal/Variable/Pei/Variable.h
> b/MdeModulePkg/Universal/Variable/Pei/Variable.h
> index 51effbf79987..8c79ff850b38 100644
> --- a/MdeModulePkg/Universal/Variable/Pei/Variable.h
> +++ b/MdeModulePkg/Universal/Variable/Pei/Variable.h
> @@ -2,7 +2,7 @@
>The internal header file includes the common header files, defines
>internal structure and functions used by PeiVariable module.
>
> -Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.
> +Copyright (c) 2006 - 2022, Intel Corporation. All rights reserved.
> SPDX-License-Identifier: BSD-2-Clause-Patent
>
> **/
> @@ -22,11 +22,13 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> #include
> #include
> #include
> +#include
>
> #include
> #include
> #include
> #include
> +#include
>
> typedef enum {
>VariableStoreTypeHob,
> @@ -144,4 +146,80 @@ PeiGetNextVariableName (
>IN OUT EFI_GUID*VariableGuid
>);
>
> +/**
> + This service retrieves a variable's value using its name and GUID.
> +
> + Read the specified variable from the UEFI variable store. If the Data
> + buffer is too small to hold the contents of the variable, the error
> + EFI_BUFFER_TOO_SMALL is returned and DataSize is set to the required buffer
> + size to obtain the data.
> +
> + @param This A pointer to this instance of the
> EFI_PEI_READ_ONLY_VARIABLE2_PPI.
> + @param VariableName A pointer to a null-terminated string that
> is the
> variable's name.
> + @param VariableGuid A pointer to an EFI_GUID that is the
> variable's
> GUID. The combination of
> +VariableGuid and VariableName must be unique.
> + @param AttributesIf non-NULL, on
Re: [edk2-devel] [Patch 1/1] CryptoPkg/Test: Simplify BaseCryptLib host based unit tests
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Kinney, Michael D
> Sent: Saturday, October 29, 2022 3:01 AM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen ; Wang, Jian J ;
> Lu, Xiaoyu1 ; Jiang, Guomin
> Subject: [Patch 1/1] CryptoPkg/Test: Simplify BaseCryptLib host based unit
> tests
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4130
>
> Remove TestBaseCryptLibHostAccel.inf and instead use FILE_GUID
> override in DSC file to run the same unit test INF against
> OpensslLibFull.inf and OpensslLibFullAccel.inf
>
> Cc: Jiewen Yao
> Cc: Jian J Wang
> Cc: Xiaoyu Lu
> Cc: Guomin Jiang
> Signed-off-by: Michael D Kinney
> ---
> CryptoPkg/Test/CryptoPkgHostUnitTest.dsc | 10 +++-
> .../TestBaseCryptLibHostAccel.inf | 56 ---
> 2 files changed, 7 insertions(+), 59 deletions(-)
> delete mode 100644
> CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLibHostAccel.inf
>
> diff --git a/CryptoPkg/Test/CryptoPkgHostUnitTest.dsc
> b/CryptoPkg/Test/CryptoPkgHostUnitTest.dsc
> index 369a1cb69939..3ed3e9b75d84 100644
> --- a/CryptoPkg/Test/CryptoPkgHostUnitTest.dsc
> +++ b/CryptoPkg/Test/CryptoPkgHostUnitTest.dsc
> @@ -20,7 +20,6 @@ [Defines]
> !include UnitTestFrameworkPkg/UnitTestFrameworkPkgHost.dsc.inc
>
> [LibraryClasses]
> - OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibFull.inf
>BaseCryptLib|CryptoPkg/Library/BaseCryptLib/UnitTestHostBaseCryptLib.inf
>
> MmServicesTableLib|MdePkg/Library/MmServicesTableLib/MmServicesTableLib
> .inf
>
> SynchronizationLib|MdePkg/Library/BaseSynchronizationLib/BaseSynchronizati
> onLib.inf
> @@ -33,8 +32,13 @@ [Components]
>#
># Build HOST_APPLICATION that tests the SampleUnitTest
>#
> - CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLibHost.inf
> - CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLibHostAccel.inf
> {
> + CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLibHost.inf {
> +
> + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibFull.inf
> + }
> + CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLibHost.inf {
> +
> + FILE_GUID = 3604CCB8-138C-488F-8045-18704F73E734
>
>OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibFullAccel.inf
>}
> diff --git
> a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLibHostAccel.inf
> b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLibHostAccel.inf
> deleted file mode 100644
> index 9d0fcfd3577c..
> ---
> a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLibHostAccel.inf
> +++ /dev/null
> @@ -1,56 +0,0 @@
> -## @file
> -# Host-based UnitTest for BaseCryptLib
> -#
> -# Copyright (c) Microsoft Corporation.
> -# Copyright (c) 2022, Intel Corporation. All rights reserved.
> -# SPDX-License-Identifier: BSD-2-Clause-Patent
> -##
> -
> -[Defines]
> - INF_VERSION= 0x00010005
> - BASE_NAME = BaseCryptLibUnitTestHostAccel
> - FILE_GUID = B1AED64E-B53A-4D69-B0BA-60EEDAC47A6B
> - MODULE_TYPE= HOST_APPLICATION
> - VERSION_STRING = 1.0
> -
> -#
> -# The following information is for reference only and not required by the
> build
> tools.
> -#
> -# VALID_ARCHITECTURES = IA32 X64
> -#
> -
> -[Sources]
> - UnitTestMain.c
> - BaseCryptLibUnitTests.c
> - TestBaseCryptLib.h
> - HashTests.c
> - HmacTests.c
> - BlockCipherTests.c
> - RsaTests.c
> - RsaPkcs7Tests.c
> - Pkcs5Pbkdf2Tests.c
> - AuthenticodeTests.c
> - TSTests.c
> - DhTests.c
> - RandTests.c
> - Pkcs7EkuTests.c
> - OaepEncryptTests.c
> - RsaPssTests.c
> - ParallelhashTests.c
> - HkdfTests.c
> - AeadAesGcmTests.c
> - BnTests.c
> - EcTests.c
> - X509Tests.c
> -
> -[Packages]
> - MdePkg/MdePkg.dec
> - CryptoPkg/CryptoPkg.dec
> -
> -[LibraryClasses]
> - BaseLib
> - DebugLib
> - BaseCryptLib
> - UnitTestLib
> - MmServicesTableLib
> - SynchronizationLib
> --
> 2.37.1.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#95826): https://edk2.groups.io/g/devel/message/95826
Mute This Topic: https://groups.io/mt/94633928/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v4 19/28] SecurityPkg: Add references to new *.inf files
Reviewed-by: Jian J Wang Regards, Jian > -Original Message- > From: Vang, Judah > Sent: Thursday, August 11, 2022 2:53 PM > To: devel@edk2.groups.io > Cc: Wang, Jian J ; Yao, Jiewen ; > Mistry, Nishant C > Subject: [PATCH v4 19/28] SecurityPkg: Add references to new *.inf files > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 > > Add references to the different *ProtectedVariableLib.inf. > Also add references to VariableKeyLibNull.inf, > EncryptionVariableLibNull.inf, ProtectedVariableNull.inf. > > Cc: Jian J Wang > Cc: Jiewen Yao > Cc: Nishant C Mistry > Signed-off-by: Jian J Wang > Signed-off-by: Nishant C Mistry > Signed-off-by: Judah Vang > --- > SecurityPkg/SecurityPkg.dsc | 13 - > 1 file changed, 12 insertions(+), 1 deletion(-) > > diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc > index f48187650f2f..f124084815cf 100644 > --- a/SecurityPkg/SecurityPkg.dsc > +++ b/SecurityPkg/SecurityPkg.dsc > @@ -1,7 +1,7 @@ > ## @file > # Security Module Package for All Architectures. > # > -# Copyright (c) 2009 - 2021, Intel Corporation. All rights reserved. > +# Copyright (c) 2009 - 2022, Intel Corporation. All rights reserved. > # (C) Copyright 2015-2020 Hewlett Packard Enterprise Development LP > # SPDX-License-Identifier: BSD-2-Clause-Patent > # > @@ -66,8 +66,11 @@ [LibraryClasses] > > TcgStorageCoreLib|SecurityPkg/Library/TcgStorageCoreLib/TcgStorageCoreLib. > inf > > TcgStorageOpalLib|SecurityPkg/Library/TcgStorageOpalLib/TcgStorageOpalLib.i > nf > > ResetSystemLib|MdeModulePkg/Library/BaseResetSystemLibNull/BaseResetSys > temLibNull.inf > + > + # These should be Null by default > > VariableKeyLib|SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf >RpmcLib|SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf > + > EncryptionVariableLib|SecurityPkg/Library/EncryptionVariableLibNull/Encryption > VariableLibNull.inf > > TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLo > gRecordLib.inf > > MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockM > emoryLibNull.inf > > SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBoot > VariableLib.inf > @@ -260,9 +263,17 @@ [Components] ># ># Variable Confidentiality & Integrity ># > + SecurityPkg/Library/ProtectedVariableLib/PeiProtectedVariableLib.inf > + SecurityPkg/Library/ProtectedVariableLib/DxeProtectedVariableLib.inf > + SecurityPkg/Library/ProtectedVariableLib/SmmProtectedVariableLib.inf > + > SecurityPkg/Library/ProtectedVariableLib/SmmRuntimeProtectedVariableLib.inf > + SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf > + SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf > + >SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf >SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf > > SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLib > VarPolicy.inf > + SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf > ># ># Other > -- > 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#92608): https://edk2.groups.io/g/devel/message/92608 Mute This Topic: https://groups.io/mt/92953545/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v4 17/28] SecurityPkg: Add EncryptionVariable lib with AES
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Vang, Judah
> Sent: Thursday, August 11, 2022 2:53 PM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Yao, Jiewen ;
> Xu, Min M ; Mistry, Nishant C
>
> Subject: [PATCH v4 17/28] SecurityPkg: Add EncryptionVariable lib with AES
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> V3: Change AllocateZeroPool() with AllocatePages() and FreePool()
> with FreePages(). FreePool() is not supported in PEI phase so this was
> causing a memory leak. Reverse the order of the FreePages() call.
>
> V1: Add encryption/decryption of protected variable functionality.
> Add functions to get/set cipher data of a protected variable.
> This is use for supporting confidentiality for protected
> variables.
>
> Cc: Jian J Wang
> Cc: Jiewen Yao
> Cc: Min Xu
> Cc: Nishant C Mistry
> Signed-off-by: Jian J Wang
> Signed-off-by: Nishant C Mistry
> Signed-off-by: Judah Vang
> ---
> SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf | 43 ++
> SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h | 49 ++
> SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.c | 734
>
> 3 files changed, 826 insertions(+)
>
> diff --git
> a/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf
> b/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf
> new file mode 100644
> index ..7ece52f2fb58
> --- /dev/null
> +++ b/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf
> @@ -0,0 +1,43 @@
> +## @file
> +# Provides variable encryption/decryption services.
> +#
> +# Copyright (c) 2022, Intel Corporation. All rights reserved.
> +#
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +##
> +
> +[Defines]
> + INF_VERSION= 0x00010029
> + BASE_NAME = EncryptionVariableLib
> + FILE_GUID = 459E2CB0-AF4B-4415-B6A1-335E71FD8B85
> + MODULE_TYPE= BASE
> + VERSION_STRING = 1.0
> + LIBRARY_CLASS = EncryptionVariableLib
> +
> +#
> +# The following information is for reference only and not required by the
> build
> tools.
> +#
> +# VALID_ARCHITECTURES = IA32 X64
> +#
> +
> +[Sources]
> + EncryptionVariable.c
> + EncryptionVariable.h
> +
> +[Packages]
> + MdePkg/MdePkg.dec
> + MdeModulePkg/MdeModulePkg.dec
> + SecurityPkg/SecurityPkg.dec
> + CryptoPkg/CryptoPkg.dec
> +
> +[LibraryClasses]
> + BaseLib
> + BaseMemoryLib
> + DebugLib
> + MemoryAllocationLib
> + BaseCryptLib
> +
> +[Guids]
> + gEfiVariableGuid
> + gEfiAuthenticatedVariableGuid
> diff --git a/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h
> b/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h
> new file mode 100644
> index ..f35f9f9e3ad7
> --- /dev/null
> +++ b/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h
> @@ -0,0 +1,49 @@
> +/** @file
> + Definitions used by this library implementation.
> +
> +Copyright (c) 2022, Intel Corporation. All rights reserved.
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#ifndef ENCRYPTION_VARIABLE_H_
> +#define ENCRYPTION_VARIABLE_H_
> +
> +#define ENC_KEY_SEPL":"
> +#define ENC_KEY_SEP_SIZE 2
> +#define ENC_KEY_NAME L"VAR_ENC_KEY"
> +#define ENC_KEY_NAME_SIZE 22
> +
> +#define ENC_KEY_SIZE(256/8)
> +#define ENC_BLOCK_SIZE AES_BLOCK_SIZE
> +#define ENC_IVEC_SIZE ENC_BLOCK_SIZE
> +
> +#define ENC_PADDING_BYTE 0x0F
> +
> +//
> +// PKCS#5 padding
> +//
> +// #define AES_CIPHER_DATA_SIZE(PlainDataSize)
> +// (AES_BLOCK_SIZE + (PlainDataSize)) & (~(AES_BLOCK_SIZE - 1))
> +//
> +#define AES_CIPHER_DATA_SIZE(PlainDataSize) ALIGN_VALUE (PlainDataSize,
> AES_BLOCK_SIZE)
> +
> +#define FREE_POOL(Address) \
> +if ((Address) != NULL) {\
> + FreePool (Address); \
> + (Address) = NULL; \
> +}
> +
> +#pragma pack(1)
> +
> +typedef struct {
> + UINT32DataType; // SYM_TYPE_AES
> + UINT32HeaderSize; // sizeof(VARIABLE_ENCRYPTION_HEADER)
> + UINT32PlainDataSize;// Plain data size
> + UINT32CipherDataSize; // Cipher data size
> + UINT8 KeyIvec[ENC_IVEC_SIZE];
> +} VARIABLE_ENCRYPTION_HEADER;
> +
> +#pragma pack()
> +
> +#endif // _ENCRYPTION_VARIABLE_H_
> diff --git a/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.c
> b/SecurityPkg/Library/EncryptionVariab
Re: [edk2-devel] [PATCH v4 16/28] SecurityPkg: Add VariableKey library function
Judah,
This lib depends on a PPI. Then it cannot be a BASE lib. Please add module type
restriction like example below.
+ LIBRARY_CLASS = VariableKeyLib
=>
+ LIBRARY_CLASS = VariableKeyLib|PEIM
With this addressed,
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Vang, Judah
> Sent: Thursday, August 11, 2022 2:53 PM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Yao, Jiewen ;
> Mistry, Nishant C
> Subject: [PATCH v4 16/28] SecurityPkg: Add VariableKey library function
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> Provide function that retrieves the key for protected
> variables.
>
> Cc: Jian J Wang
> Cc: Jiewen Yao
> Cc: Nishant C Mistry
> Signed-off-by: Jian J Wang
> Signed-off-by: Nishant C Mistry
> Signed-off-by: Judah Vang
> ---
> SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf | 36
> SecurityPkg/Library/VariableKeyLib/VariableKeyLib.c | 59
>
> 2 files changed, 95 insertions(+)
>
> diff --git a/SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf
> b/SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf
> new file mode 100644
> index ..f62c80ce9943
> --- /dev/null
> +++ b/SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf
> @@ -0,0 +1,36 @@
> +## @file
> +# Provides default implementation of VariableKeyLib.
> +#
> +# Copyright (c) 2022, Intel Corporation. All rights reserved.
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +##
> +
> +[Defines]
> + INF_VERSION= 0x00010029
> + BASE_NAME = VariableKeyLib
> + FILE_GUID = 7DF5A0BA-1DBB-4E67-A9F7-9FCCB1F9D250
> + MODULE_TYPE= BASE
> + VERSION_STRING = 1.0
> + LIBRARY_CLASS = VariableKeyLib
> +
> +#
> +# The following information is for reference only and not required by the
> build
> tools.
> +#
> +# VALID_ARCHITECTURES = IA32 X64 Arm AArch64
> +#
> +
> +[Sources]
> + VariableKeyLib.c
> +
> +[Packages]
> + MdePkg/MdePkg.dec
> + SecurityPkg/SecurityPkg.dec
> +
> +[LibraryClasses]
> + BaseLib
> + DebugLib
> +
> +[PpiS]
> + gKeyServicePpiGuid ## CONSUMES
> +
> diff --git a/SecurityPkg/Library/VariableKeyLib/VariableKeyLib.c
> b/SecurityPkg/Library/VariableKeyLib/VariableKeyLib.c
> new file mode 100644
> index ..31b22782cb0c
> --- /dev/null
> +++ b/SecurityPkg/Library/VariableKeyLib/VariableKeyLib.c
> @@ -0,0 +1,59 @@
> +/** @file
> + VariableKeyLib implementation.
> +
> +Copyright (c) 2022, Intel Corporation. All rights reserved.
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include
> +
> +#include
> +#include
> +#include
> +
> +#include
> +
> +#define VAR_KEY_SALT L"Key for RPMC Variable"
> +#define VAR_KEY_SALT_SIZE sizeof (VAR_KEY_SALT)
> +
> +/**
> + Retrieves the key for integrity and/or confidentiality of variables.
> +
> + @param[out] VariableKey A pointer to pointer for the variable
> key
> buffer.
> + @param[in] VariableKeySize The size in bytes of the variable key.
> +
> + @retval EFI_SUCCESS The variable key was returned.
> + @retval EFI_DEVICE_ERRORAn error occurred while attempting
> to get
> the variable key.
> + @retval EFI_ACCESS_DENIED The function was invoked after
> locking
> the key interface.
> + @retval EFI_UNSUPPORTED The variable key is not supported in
> the
> current boot configuration.
> +**/
> +EFI_STATUS
> +EFIAPI
> +GetVariableKey (
> + OUT VOID *VariableKey,
> + IN UINTN VariableKeySize
> + )
> +{
> + EFI_STATUS Status;
> + KEY_SERVICE_PPI *KeyService;
> +
> + Status = PeiServicesLocatePpi (
> + ,
> + 0,
> + NULL,
> + (void **)
> + );
> + if (EFI_ERROR (Status)) {
> +ASSERT_EFI_ERROR (Status);
> +return Status;
> + }
> +
> + Status = KeyService->GenerateKey (
> + (UINT8 *)VAR_KEY_SALT,
> + VAR_KEY_SALT_SIZE,
> + VariableKey,
> + VariableKeySize
> + );
> + return Status;
> +}
> --
> 2.35.1.windows.2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#92605): https://edk2.groups.io/g/devel/message/92605
Mute This Topic: https://groups.io/mt/92953542/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v4 15/28] SecurityPkg: Add null encryption variable libs
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Vang, Judah
> Sent: Thursday, August 11, 2022 2:53 PM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Yao, Jiewen ;
> Mistry, Nishant C
> Subject: [PATCH v4 15/28] SecurityPkg: Add null encryption variable libs
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> V4: Applied code review - Remove empty Guids section
> from .inf file. Update description in *.c. Remove *.uni file
> and reference to it.
>
> V1: Provide null ecryption variable libraries.
> These will be used by default for platforms that don't
> support protected variable encryption.
>
> Cc: Jian J Wang
> Cc: Jiewen Yao
> Cc: Nishant C Mistry
> Signed-off-by: Jian J Wang
> Signed-off-by: Nishant C Mistry
> Signed-off-by: Judah Vang
> ---
> SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf |
> 34
> SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c
> | 92
>
> 2 files changed, 126 insertions(+)
>
> diff --git
> a/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf
> b/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf
> new file mode 100644
> index ..185b6f9bedf7
> --- /dev/null
> +++
> b/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf
> @@ -0,0 +1,34 @@
> +## @file
> +# Provides NULL version of encryption variable services.
> +#
> +# Copyright (c) 2015 - 2022, Intel Corporation. All rights reserved.
> +#
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +##
> +
> +[Defines]
> + INF_VERSION= 0x00010005
> + BASE_NAME = EncryptionVariableLibNull
> + FILE_GUID = 3972E6FE-74D5-45C3-A9FB-DB9E5E5C9C17
> + MODULE_TYPE= BASE
> + VERSION_STRING = 1.0
> + LIBRARY_CLASS = EncryptionVariableLib
> +
> +#
> +# The following information is for reference only and not required by the
> build
> tools.
> +#
> +# VALID_ARCHITECTURES = IA32 X64
> +#
> +
> +[Sources]
> + EncryptionVariable.c
> +
> +[Packages]
> + MdePkg/MdePkg.dec
> + MdeModulePkg/MdeModulePkg.dec
> + SecurityPkg/SecurityPkg.dec
> +
> +[LibraryClasses]
> + BaseLib
> + DebugLib
> diff --git
> a/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c
> b/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c
> new file mode 100644
> index ..52ee8a7b5aae
> --- /dev/null
> +++ b/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c
> @@ -0,0 +1,92 @@
> +/** @file
> + NULL implementation of EncryptionVariableLib.
> +
> +Copyright (c) 2022, Intel Corporation. All rights reserved.
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include
> +
> +#include
> +#include
> +
> +/**
> + Encrypt variable data.
> +
> + Null version.
> +
> + @param[in, out] VarEncInfo Pointer to structure containing detailed
> + information about a variable.
> +
> + @retval EFI_UNSUPPORTED Unsupported to encrypt variable.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +EncryptVariable (
> + IN OUT VARIABLE_ENCRYPTION_INFO *VarEncInfo
> + )
> +{
> + return EFI_UNSUPPORTED;
> +}
> +
> +/**
> + Decrypt variable data.
> +
> + Null version.
> +
> + @param[in, out] VarEncInfo Pointer to structure containing detailed
> + information about a variable.
> +
> + @retval EFI_UNSUPPORTED Unsupported to encrypt variable.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +DecryptVariable (
> + IN OUT VARIABLE_ENCRYPTION_INFO *VarEncInfo
> + )
> +{
> + return EFI_UNSUPPORTED;
> +}
> +
> +/**
> + Get cipher information.
> +
> + Null version.
> +
> + @param[in] VarEncInfo Pointer to structure containing detailed
> +information about a variable.
> +
> + @retval EFI_UNSUPPORTED Unsupported interface.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +GetCipherDataInfo (
> + IN VARIABLE_ENCRYPTION_INFO *VarEncInfo
> + )
> +{
> + return EFI_UNSUPPORTED;
> +}
> +
> +/**
> + Set cipher information for a variable.
> +
> + Null version.
> +
> + @param[in] VarEncInfo Pointer to structure containing detailed
> +information about a variable.
> +
> + @retval EFI_UNSUPPORTED If this method is not supported.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +SetCipherDataInfo (
> + IN VARIABLE_ENCRYPTION_INFO *VarEncInfo
> + )
> +{
> + return EFI_UNSUPPORTED;
> +}
> --
> 2.35.1.windows.2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#92604): https://edk2.groups.io/g/devel/message/92604
Mute This Topic: https://groups.io/mt/92953541/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v4 14/28] SecurityPkg: Fix GetVariableKey API
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Vang, Judah
> Sent: Thursday, August 11, 2022 2:53 PM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Yao, Jiewen ;
> Mistry, Nishant C
> Subject: [PATCH v4 14/28] SecurityPkg: Fix GetVariableKey API
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> V4: Applied code review - function comments need to match
> function prototype.
>
> V1: Fix GetVariableKey API to match changes in header files.
>
> Cc: Jian J Wang
> Cc: Jiewen Yao
> Cc: Nishant C Mistry
> Signed-off-by: Jian J Wang
> Signed-off-by: Nishant C Mistry
> Signed-off-by: Judah Vang
> ---
> SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c | 8
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c
> b/SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c
> index a08def767b5f..2cf4b3cbf9f6 100644
> --- a/SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c
> +++ b/SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c
> @@ -1,7 +1,7 @@
> /** @file
>Null version of VariableKeyLib for build purpose. Don't use it in real
> product.
>
> -Copyright (c) 2020, Intel Corporation. All rights reserved.
> +Copyright (c) 2020 - 2022, Intel Corporation. All rights reserved.
> SPDX-License-Identifier: BSD-2-Clause-Patent
>
> **/
> @@ -12,7 +12,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
>Retrieves the key for integrity and/or confidentiality of variables.
>
>@param[out] VariableKey A pointer to pointer for the variable
> key
> buffer.
> - @param[in,out] VariableKeySize The size in bytes of the variable key.
> + @param[in] VariableKeySize The size in bytes of the variable key.
>
>@retval EFI_SUCCESS The variable key was returned.
>@retval EFI_DEVICE_ERRORAn error occurred while attempting
> to get
> the variable key.
> @@ -22,8 +22,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> EFI_STATUS
> EFIAPI
> GetVariableKey (
> - OUT VOID **VariableKey,
> - IN OUT UINTN *VariableKeySize
> + OUT VOID *VariableKey,
> + IN UINTN VariableKeySize
>)
> {
>ASSERT (FALSE);
> --
> 2.35.1.windows.2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#92603): https://edk2.groups.io/g/devel/message/92603
Mute This Topic: https://groups.io/mt/92953540/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v4 12/28] SecurityPkg: Add new variable types and functions
Reviewed-by: Jian J Wang Regards, Jian > -Original Message- > From: Vang, Judah > Sent: Thursday, August 11, 2022 2:53 PM > To: devel@edk2.groups.io > Cc: Wang, Jian J ; Yao, Jiewen ; > Mistry, Nishant C > Subject: [PATCH v4 12/28] SecurityPkg: Add new variable types and functions > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 > > Add new variable encryption/decryption function prototypes. > Add new variable digest structure. Add new Protected > variable function prototypes. Update RPMC APIs to Add > an index because there is could more than one counter. > > Cc: Jian J Wang > Cc: Jiewen Yao > Cc: Nishant C Mistry > Signed-off-by: Jian J Wang > Signed-off-by: Nishant C Mistry > Signed-off-by: Judah Vang > --- > SecurityPkg/Include/Library/RpmcLib.h| 15 +--- > SecurityPkg/Include/Library/VariableKeyLib.h | 37 +++- > 2 files changed, 16 insertions(+), 36 deletions(-) > > diff --git a/SecurityPkg/Include/Library/RpmcLib.h > b/SecurityPkg/Include/Library/RpmcLib.h > index df4ba34ba8cf..cb71dfcd7e4d 100644 > --- a/SecurityPkg/Include/Library/RpmcLib.h > +++ b/SecurityPkg/Include/Library/RpmcLib.h > @@ -1,19 +1,23 @@ > /** @file >Public definitions for the Replay Protected Monotonic Counter (RPMC) > Library. > > -Copyright (c) 2020, Intel Corporation. All rights reserved. > +Copyright (c) 2020 - 2022, Intel Corporation. All rights reserved. > SPDX-License-Identifier: BSD-2-Clause-Patent > > **/ > > -#ifndef _RPMC_LIB_H_ > -#define _RPMC_LIB_H_ > +#ifndef RPMC_LIB_H_ > +#define RPMC_LIB_H_ > > #include > > +#define RPMC_COUNTER_1 0 > +#define RPMC_COUNTER_2 1 > + > /** >Requests the monotonic counter from the designated RPMC counter. > > + @param[in]CounterIndexThe RPMC index >@param[out] CounterValueA pointer to a buffer to store the > RPMC > value. > >@retval EFI_SUCCESS The operation completed successfully. > @@ -23,12 +27,15 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > EFI_STATUS > EFIAPI > RequestMonotonicCounter ( > + IN UINT8 CounterIndex, >OUT UINT32 *CounterValue >); > > /** >Increments the monotonic counter in the SPI flash device by 1. > > + @param[in]CounterIndexThe RPMC index > + >@retval EFI_SUCCESS The operation completed successfully. >@retval EFI_DEVICE_ERRORA device error occurred while > attempting > to update the counter. >@retval EFI_UNSUPPORTED The operation is un-supported. > @@ -36,7 +43,7 @@ RequestMonotonicCounter ( > EFI_STATUS > EFIAPI > IncrementMonotonicCounter ( > - VOID > + IN UINT8 CounterIndex >); > > #endif > diff --git a/SecurityPkg/Include/Library/VariableKeyLib.h > b/SecurityPkg/Include/Library/VariableKeyLib.h > index 561ebad09da2..6076c4d4731b 100644 > --- a/SecurityPkg/Include/Library/VariableKeyLib.h > +++ b/SecurityPkg/Include/Library/VariableKeyLib.h > @@ -1,13 +1,13 @@ > /** @file >Public definitions for Variable Key Library. > > -Copyright (c) 2020, Intel Corporation. All rights reserved. > +Copyright (c) 2020 - 2022, Intel Corporation. All rights reserved. > SPDX-License-Identifier: BSD-2-Clause-Patent > > **/ > > -#ifndef _VARIABLE_KEY_LIB_H_ > -#define _VARIABLE_KEY_LIB_H_ > +#ifndef VARIABLE_KEY_LIB_H_ > +#define VARIABLE_KEY_LIB_H_ > > #include > > @@ -25,35 +25,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > EFI_STATUS > EFIAPI > GetVariableKey ( > - OUT VOID **VariableKey, > - IN OUT UINTN *VariableKeySize > - ); > - > -/** > - Regenerates the variable key. > - > - @retval EFI_SUCCESS The variable key was regenerated > successfully. > - @retval EFI_DEVICE_ERRORAn error occurred while attempting to > regenerate the key. > - @retval EFI_ACCESS_DENIED The function was invoked after > locking > the key interface. > - @retval EFI_UNSUPPORTED Key regeneration is not supported in > the > current boot configuration. > -**/ > -EFI_STATUS > -EFIAPI > -RegenerateVariableKey ( > - VOID > - ); > - > -/** > - Locks the regenerate key interface. > - > - @retval EFI_SUCCESS The key interface was locked > successfully. > - @retval EFI_UNSUPPORTED Locking the key interface is not > supported > in the current boot configuration. > - @retval Others An error occurred while attempting > to lock the > key interface. >
Re: [edk2-devel] [PATCH v4 11/28] SecurityPkg: Add new KeyService types and defines
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Vang, Judah
> Sent: Thursday, August 11, 2022 2:53 PM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Yao, Jiewen ;
> Mistry, Nishant C
> Subject: [PATCH v4 11/28] SecurityPkg: Add new KeyService types and defines
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> V4: revert copyright date change.
>
> V1: Add new KeyService types and defines.
>
> Cc: Jian J Wang
> Cc: Jiewen Yao
> Cc: Nishant C Mistry
> Signed-off-by: Jian J Wang
> Signed-off-by: Nishant C Mistry
> Signed-off-by: Judah Vang
> ---
> SecurityPkg/Include/Ppi/KeyServicePpi.h | 57
> 1 file changed, 57 insertions(+)
>
> diff --git a/SecurityPkg/Include/Ppi/KeyServicePpi.h
> b/SecurityPkg/Include/Ppi/KeyServicePpi.h
> new file mode 100644
> index ..8cfec04f96e5
> --- /dev/null
> +++ b/SecurityPkg/Include/Ppi/KeyServicePpi.h
> @@ -0,0 +1,57 @@
> +/** @file
> + Provides Key Services.
> +
> +Copyright (c) 2008 - 2022, Intel Corporation. All rights reserved.
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +@par Specification Reference:
> +**/
> +
> +#ifndef PEI_KEY_SERVICE_PPI_H_
> +#define PEI_KEY_SERVICE_PPI_H_
> +///
> +/// KEY SERVICE PPI GUID
> +///
> +extern EFI_GUID gKeyServicePpiGuid;
> +
> +/**
> + Generate a new key from root key.
> +
> + @param[in] Salt Pointer to the salt(non-secret)
> value.
> + @param[in] SaltSize Salt size in bytes.
> + @param[out] NewKey Pointer to buffer to receive new key.
> + @param[in] NewKeySize Size of new key bytes to generate.
> +
> + @retval EFI_SUCCESS The function completed successfully
> + @retval OTHER The function completed with failure.
> +**/
> +typedef
> +EFI_STATUS
> +(EFIAPI *KEY_SERVICE_GEN_KEY)(
> + IN UINT8*Salt,
> + IN UINTNSaltSize,
> + OUT UINT8*NewKey,
> + IN UINTNNewKeySize
> + );
> +
> +#define KEY_SERVICE_PPI_REVISION 1
> +#define ROOT_KEY_LEN 64
> +#define SALT_SIZE_MIN_LEN 64
> +#define KEY_SERVICE_KEY_NAME L"KEY_SERVICE_KEY"
> +
> +typedef struct {
> + UINT8RootKey[ROOT_KEY_LEN];
> + UINT8PreviousRootKey[ROOT_KEY_LEN];
> +} KEY_SERVICE_DATA;
> +
> +typedef struct _KEY_SERVICE_PPI KEY_SERVICE_PPI;
> +
> +///
> +/// KEY SERVICE PPI
> +/// The interface functions are for Key Service in PEI Phase
> +///
> +struct _KEY_SERVICE_PPI {
> + KEY_SERVICE_GEN_KEYGenerateKey; /// Generate Key
> +};
> +
> +#endif
> --
> 2.35.1.windows.2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#92600): https://edk2.groups.io/g/devel/message/92600
Mute This Topic: https://groups.io/mt/92953536/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v4 04/28] MdeModulePkg: Add new include files
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Vang, Judah
> Sent: Thursday, August 11, 2022 2:53 PM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Gao, Liming
> ; Mistry, Nishant C
> Subject: [PATCH v4 04/28] MdeModulePkg: Add new include files
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> V4: Updated with review comments for misspellings, mismatch
> function prototype, missing function header comments, incorrect
> function description.
>
> V1: Add EncryptionVariableLib.h for providing encryption and
> decryption services for protected variables.
> Add ProtectedVariableLib.h for providing integrity or
> variables.
>
> Cc: Jian J Wang
> Cc: Liming Gao
> Cc: Nishant C Mistry
> Signed-off-by: Jian J Wang
> Signed-off-by: Nishant C Mistry
> Signed-off-by: Judah Vang
> ---
> MdeModulePkg/Include/Library/EncryptionVariableLib.h | 165 ++
> MdeModulePkg/Include/Library/ProtectedVariableLib.h | 607
>
> 2 files changed, 772 insertions(+)
>
> diff --git a/MdeModulePkg/Include/Library/EncryptionVariableLib.h
> b/MdeModulePkg/Include/Library/EncryptionVariableLib.h
> new file mode 100644
> index ..68981f5aad6a
> --- /dev/null
> +++ b/MdeModulePkg/Include/Library/EncryptionVariableLib.h
> @@ -0,0 +1,165 @@
> +/** @file
> + Provides services to encrypt/decrypt variables.
> +
> +Copyright (c) 2022, Intel Corporation. All rights reserved.
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#ifndef ENCRYPTION_VARIABLE_LIB_H_
> +#define ENCRYPTION_VARIABLE_LIB_H_
> +
> +#include
> +
> +#include
> +
> +#include
> +
> +#define ENC_TYPE_NULL 0
> +#define ENC_TYPE_AES TPM_ALG_AES
> +
> +typedef struct _VARIABLE_ENCRYPTION_FLAGS {
> + BOOLEANAuth;// Variable is authenticated or not
> + BOOLEANDecryptInPlace; // Do decryption in place
> + BOOLEANProtected; // Variable is protected or not
> +} VARIABLE_ENCRYPTION_FLAGS;
> +
> +typedef struct _VARIABLE_ENCRYPTION_INFO {
> + AUTH_VARIABLE_INFO Header;// Authenticated varabile
> header
> + VARIABLE_HEADER *Buffer; // Pointer to variable
> buffer
> + UINT64 StoreIndex;// Variable store index
> + VOID *PlainData;// Pointer to plain data
> + UINT32 PlainDataSize; // Size of plain data
> + VOID *CipherData; // Pointer to cipher data
> + UINT32 CipherDataSize;// Size of cipher data
> + UINT32 CipherHeaderSize; // Size of cipher header
> + UINT32 CipherDataType;// Type of cipher data
> + VOID *Key; // Pointer to
> encrypt/decrypt key
> + UINT32 KeySize; // Size of key
> + VARIABLE_ENCRYPTION_FLAGSFlags; // Encryption flags
> +} VARIABLE_ENCRYPTION_INFO;
> +
> +/**
> + Encrypt variable data.
> +
> + @param[in, out] VarInfo Pointer to structure containing detailed
> information about a variable.
> +
> + @retval EFI_SUCCESS Function successfully executed.
> + @retval EFI_INVALID_PARAMETER If ProtectedVarLibContextIn == NULL or
> ProtectedVarLibContextOut == NULL.
> + @retval EFI_OUT_OF_RESOURCES Fail to allocate enough resource.
> + @retval EFI_UNSUPPORTED Unsupported to process encrypted
> variable.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +EncryptVariable (
> + IN OUT VARIABLE_ENCRYPTION_INFO *VarInfo
> + );
> +
> +/**
> + Decrypt variable data.
> +
> + If VarEncInfo->CipherData is not NULL, it must holds the cipher data to be
> + decrypted. Otherwise, assume the cipher data from variable data buffer,
> i.e.
> + VarEncInfo->Header.Data.
> +
> + If VarEncInfo->Flags.DecryptInPlace is TRUE, the decrypted data will be put
> + back in the same buffer as cipher buffer got above, after encryption
> header,
> + which helps to identify later if the data in buffer is decrypted or not.
> This
> + can avoid repeat decryption when accessing the same variable more than
> once.
> +
> + If VarEncInfo->Flags.DecryptInPlace is FALSE, VarEncInfo->PlainData must be
> + passed in with a valid buffer with VarEncInfo->PlainDataSize set correctly
> + with its size.
> +
> + Note the VarEncInfo->PlainData is always pointing to the buffer address
> with
> + decrypted data without encryption header, and VarEncInfo->PlainDataSize is
> + always the size of origi
Re: [edk2-devel] [PATCH v4 06/28] MdeModulePkg: Add Null ProtectedVariable Library
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Vang, Judah
> Sent: Thursday, August 11, 2022 2:53 PM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Gao, Liming
> ; Mistry, Nishant C
> Subject: [PATCH v4 06/28] MdeModulePkg: Add Null ProtectedVariable Library
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> V4: Applied code review comments - removed APIs that are not being
> used.
>
> V1: Add Null versions of the ProtectedVariable Library.
> This will be the default libraries for platforms that
> do not support ProtectedVariable.
>
> Cc: Jian J Wang
> Cc: Liming Gao
> Cc: Nishant C Mistry
> Signed-off-by: Jian J Wang
> Signed-off-by: Nishant C Mistry
> Signed-off-by: Judah Vang
> ---
> MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf
> | 34 ++
> MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c |
> 336
> 2 files changed, 370 insertions(+)
>
> diff --git
> a/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.in
> f
> b/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.in
> f
> new file mode 100644
> index ..6a17191c4e1e
> --- /dev/null
> +++
> b/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.in
> f
> @@ -0,0 +1,34 @@
> +## @file
> +# Provides null version of protected variable services.
> +#
> +# Copyright (c) 2022, Intel Corporation. All rights reserved.
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +##
> +
> +[Defines]
> + INF_VERSION= 0x00010029
> + BASE_NAME = ProtectedVariableLibNull
> + FILE_GUID = 352C6A1B-403A-4E37-8517-FAA50BC45251
> + MODULE_TYPE= BASE
> + VERSION_STRING = 0.1
> + LIBRARY_CLASS = ProtectedVariableLib
> +
> +#
> +# The following information is for reference only and not required by the
> build
> tools.
> +#
> +# VALID_ARCHITECTURES = IA32 X64
> +#
> +
> +[Sources]
> + ProtectedVariable.c
> +
> +[Packages]
> + MdePkg/MdePkg.dec
> + MdeModulePkg/MdeModulePkg.dec
> +
> +[LibraryClasses]
> + BaseLib
> + BaseMemoryLib
> + DebugLib
> +
> diff --git
> a/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c
> b/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c
> new file mode 100644
> index ..074559f84f52
> --- /dev/null
> +++ b/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c
> @@ -0,0 +1,336 @@
> +/** @file
> + NULL version of ProtectedVariableLib used to disable protected variable
> services.
> +
> +Copyright (c) 2022, Intel Corporation. All rights reserved.
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include
> +#include
> +
> +#include
> +#include
> +#include
> +
> +/**
> +
> + Initialization for protected varibale services.
> +
> + @param[in] ContextIn Pointer to variable service context needed by
> + protected variable.
> +
> + @retval EFI_UNSUPPORTED Unsupported to process protected
> variable.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +ProtectedVariableLibInitialize (
> + IN PROTECTED_VARIABLE_CONTEXT_IN *ContextIn
> + )
> +{
> + return EFI_UNSUPPORTED;
> +}
> +
> +/**
> +
> + Prepare for variable update.
> +
> + @retval EFI_UNSUPPORTED Unsupported to process protected
> variable.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +ProtectedVariableLibWriteInit (
> + VOID
> + )
> +{
> + return EFI_UNSUPPORTED;
> +}
> +
> +/**
> +
> + Update a variable with protection provided by this library.
> +
> + @param[in,out] CurrVariableVariable to be updated. It's NULL if
> + adding a new variable.
> + @param[in] CurrVariableInDel In-delete-transiion copy of updating
> variable.
> + @param[in,out] NewVariable Buffer of new variable data.
> + Buffer of "MetaDataHmacVar" and new
> + variable (encrypted).
> + @param[in,out] NewVariableSize Size of NewVariable.
> + Size of (encrypted) NewVariable and
> + "MetaDataHmacVar".
> +
> + @retval EFI_UNSUPPORTED Unsupported to process protected
> variable.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +ProtectedVariableLibUpdate (
> + IN OUT VA
Re: [edk2-devel] [PATCH v3] MdeModulePkg/Include: Long debug string is truncated to 104 char
Reviewed-by: Jian J Wang Regards, Jian > -Original Message- > From: Lai, Cosmo > Sent: Friday, July 15, 2022 9:43 AM > To: devel@edk2.groups.io > Cc: Lai, Cosmo ; Wang, Jian J ; > Gao, Liming ; Bi, Dandan > Subject: [PATCH v3] MdeModulePkg/Include: Long debug string is truncated to > 104 char > > From: Cosmo Lai > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3986 > > The EFI_STATUS_CODE_DATA_MAX_SIZE is defined as 200 in MdeModulePkg. > After reducing 96byte buffer for variable parameters it is limited to > only 104 char debug string. This is a non-necessary limitation. > It can be set to 0x200 to follow MAX_EXTENDED_DATA_SIZE (also 0x200) > which is used in ReportStatusCodeLib to support longer debug string. > > Cc: Jian J Wang > Cc: Liming Gao > Cc: Dandan Bi > > Signed-off-by: Cosmo Lai > --- > MdeModulePkg/Include/Guid/StatusCodeDataTypeDebug.h | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/MdeModulePkg/Include/Guid/StatusCodeDataTypeDebug.h > b/MdeModulePkg/Include/Guid/StatusCodeDataTypeDebug.h > index 16203452e4..2f408a5622 100644 > --- a/MdeModulePkg/Include/Guid/StatusCodeDataTypeDebug.h > +++ b/MdeModulePkg/Include/Guid/StatusCodeDataTypeDebug.h > @@ -21,7 +21,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > /// > /// The maximum size of an EFI_DEBUG_INFO structure. > /// > -#define EFI_STATUS_CODE_DATA_MAX_SIZE 200 > +#define EFI_STATUS_CODE_DATA_MAX_SIZE 0x200 > > /// > /// This structure contains the ErrorLevel passed into the DEBUG() macro, > followed > -- > 2.16.2.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#91438): https://edk2.groups.io/g/devel/message/91438 Mute This Topic: https://groups.io/mt/92401813/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v2] MdeModulePkg/Include: Long debug string is truncated to 104 char
Reviewed-by: Jian J Wang Regards, Jian > -Original Message- > From: devel@edk2.groups.io On Behalf Of Cosmo Lai > Sent: Wednesday, July 13, 2022 3:26 PM > To: devel@edk2.groups.io > Cc: Lai, Cosmo > Subject: [edk2-devel] [PATCH v2] MdeModulePkg/Include: Long debug string is > truncated to 104 char > > From: Cosmo Lai > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3986 > > The EFI_STATUS_CODE_DATA_MAX_SIZE is defined as 200 in MdeModulePkg. > After reducing 96byte buffer for variable parameters it is limited to > only 104 char debug string. This is a non-necessary limitation. > It can be set to 0x200 to follow MAX_EXTENDED_DATA_SIZE (also 0x200) > which is used in ReportStatusCodeLib to support longer debug string. > > Signed-off-by: Cosmo Lai > --- > MdeModulePkg/Include/Guid/StatusCodeDataTypeDebug.h | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/MdeModulePkg/Include/Guid/StatusCodeDataTypeDebug.h > b/MdeModulePkg/Include/Guid/StatusCodeDataTypeDebug.h > index 16203452e4..2f408a5622 100644 > --- a/MdeModulePkg/Include/Guid/StatusCodeDataTypeDebug.h > +++ b/MdeModulePkg/Include/Guid/StatusCodeDataTypeDebug.h > @@ -21,7 +21,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > /// > /// The maximum size of an EFI_DEBUG_INFO structure. > /// > -#define EFI_STATUS_CODE_DATA_MAX_SIZE 200 > +#define EFI_STATUS_CODE_DATA_MAX_SIZE 0x200 > > /// > /// This structure contains the ErrorLevel passed into the DEBUG() macro, > followed > -- > 2.16.2.windows.1 > > > > > -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#91436): https://edk2.groups.io/g/devel/message/91436 Mute This Topic: https://groups.io/mt/92401812/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH] DxeMain: Fix the bug that StackGuard is not enabled
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Ni, Ray
> Sent: Friday, June 10, 2022 4:50 PM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Gao, Liming
>
> Subject: [PATCH] DxeMain: Fix the bug that StackGuard is not enabled
>
> Commit e7abb94d1 removed InitializeCpuExceptionHandlersEx
> and updated DxeMain to call InitializeCpuExceptionHandlers
> for exception setup. But the old behavior that calls *Ex() sets
> up the stack guard as well. To match the old behavior,
> the patch calls InitializeSeparateExceptionStacks.
>
> Signed-off-by: Ray Ni
> Cc: Jian J Wang
> Cc: Liming Gao
> ---
> MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c | 8
> 1 file changed, 8 insertions(+)
>
> diff --git a/MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c
> b/MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c
> index 83f49d7c00..0a1f3d79e2 100644
> --- a/MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c
> +++ b/MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c
> @@ -256,6 +256,14 @@ DxeMain (
>Status = InitializeCpuExceptionHandlers (VectorInfoList);
>
>ASSERT_EFI_ERROR (Status);
>
>
>
> + //
>
> + // Setup Stack Guard
>
> + //
>
> + if (PcdGetBool (PcdCpuStackGuard)) {
>
> +Status = InitializeSeparateExceptionStacks (NULL);
>
> +ASSERT_EFI_ERROR (Status);
>
> + }
>
> +
>
>//
>
>// Initialize Debug Agent to support source level debug in DXE phase
>
>//
>
> --
> 2.35.1.windows.2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90456): https://edk2.groups.io/g/devel/message/90456
Mute This Topic: https://groups.io/mt/91664463/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH 1/5] CpuException: Avoid allocating code pages for DXE instance
I see. With its addressed,
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Ni, Ray
> Sent: Tuesday, May 24, 2022 4:02 PM
> To: Wang, Jian J ; devel@edk2.groups.io
> Cc: Dong, Eric
> Subject: Re: [edk2-devel] [PATCH 1/5] CpuException: Avoid allocating code
> pages for DXE instance
>
> Jian,
> Ia32/ExceptionHandlerAsm.nasm is used by 32bit DxeCpuExceptionHandlerLib
> instance.
>
> I agree the commit message is not correct. The commit message says
> SEC still creates 32 entries but 32bit SEC creates 256 entries.
>
> I will update the commit message to align to code behavior.
>
> Thanks,
> Ray
>
>
> From: Wang, Jian J
> Sent: Monday, May 23, 2022 0:40
> To: devel@edk2.groups.io; Ni, Ray
> Cc: Dong, Eric
> Subject: RE: [edk2-devel] [PATCH 1/5] CpuException: Avoid allocating code
> pages for DXE instance
>
> Ray,
>
> You changed "%rep 32" to "%rep 256" in Ia32/ExceptionHandlerAsm.nasm.
> According to my understanding and your comments, this should be done
> only to X64 code, right?
>
> Regards,
> Jian
>
> > -Original Message-
> > From: devel@edk2.groups.io On Behalf Of Ni, Ray
> > Sent: Friday, May 20, 2022 10:16 PM
> > To: devel@edk2.groups.io
> > Cc: Dong, Eric
> > Subject: [edk2-devel] [PATCH 1/5] CpuException: Avoid allocating code pages
> > for DXE instance
> >
> > Today the DXE instance allocates code page and then copies the IDT
> > vectors to the allocated code page. Then it fixes up the vector number
> > in the IDT vector.
> >
> > But if we update the NASM file to generate 256 IDT vectors, there is
> > no need to do the copy and fix-up.
> >
> > A side effect is up to 4096 bytes (HOOKAFTER_STUB_SIZE * 256) is
> > used for 256 IDT vectors. While 32 IDT vectors only require 512 bytes.
> >
> > But considering the code logic simplification, 3.5K space is not a big
> > deal. SEC instance still generates 32 IDT vectors so no impact to SEC.
> > If 3.5K is too much a waste in PEI phase, we can enhance the code
> > further to generate 32 vectors for PEI.
> >
> > Signed-off-by: Ray Ni
> > Cc: Eric Dong
> > ---
> > .../CpuExceptionHandlerLib/DxeException.c | 22 ---
> > .../Ia32/ExceptionHandlerAsm.nasm | 4 ++--
> > .../X64/ExceptionHandlerAsm.nasm | 2 ++
> > .../X64/Xcode5ExceptionHandlerAsm.nasm| 9
> > 4 files changed, 9 insertions(+), 28 deletions(-)
> >
> > diff --git a/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeException.c
> > b/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeException.c
> > index 61f11e98f8..5083c4b8e8 100644
> > --- a/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeException.c
> > +++ b/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeException.c
> > @@ -95,9 +95,6 @@ InitializeCpuInterruptHandlers (
> >IA32_DESCRIPTOR IdtDescriptor;
> >
> >UINTN IdtEntryCount;
> >
> >EXCEPTION_HANDLER_TEMPLATE_MAP TemplateMap;
> >
> > - UINTN Index;
> >
> > - UINTN InterruptEntry;
> >
> > - UINT8 *InterruptEntryCode;
> >
> >RESERVED_VECTORS_DATA *ReservedVectors;
> >
> >EFI_CPU_INTERRUPT_HANDLER *ExternalInterruptHandler;
> >
> >
> >
> > @@ -138,25 +135,6 @@ InitializeCpuInterruptHandlers (
> >AsmGetTemplateAddressMap ();
> >
> >ASSERT (TemplateMap.ExceptionStubHeaderSize <= HOOKAFTER_STUB_SIZE);
> >
> >
> >
> > - Status = gBS->AllocatePool (
> >
> > - EfiBootServicesCode,
> >
> > - TemplateMap.ExceptionStubHeaderSize * CPU_INTERRUPT_NUM,
> >
> > - (VOID **)
> >
> > - );
> >
> > - ASSERT (!EFI_ERROR (Status) && InterruptEntryCode != NULL);
> >
> > -
> >
> > - InterruptEntry = (UINTN)InterruptEntryCode;
> >
> > - for (Index = 0; Index < CPU_INTERRUPT_NUM; Index++) {
> >
> > -CopyMem (
> >
> > - (VOID *)InterruptEntry,
> >
> > - (VOID *)TemplateMap.ExceptionStart,
> >
> > - TemplateMap.ExceptionStubHeaderSize
> >
> > - );
> >
> > -AsmVectorNumFixup ((VOID *)InterruptEntry, (UINT8)Index, (VOID
> > *)TemplateMap.ExceptionStart);
> >
> > -InterruptEntry += TemplateMap.ExceptionStubH
Re: [edk2-devel] [PATCH 4/5] CpuException: Remove InitializeCpuInterruptHandlers
Another patch works for me. Reviewed-by: Jian J Wang Regards, Jian > -Original Message- > From: Ni, Ray > Sent: Tuesday, May 24, 2022 4:04 PM > To: Wang, Jian J ; devel@edk2.groups.io > Cc: Dong, Eric > Subject: Re: [edk2-devel] [PATCH 4/5] CpuException: Remove > InitializeCpuInterruptHandlers > > Jian, > I think we need discussion on where to put the common CPU_INTERRUPT_NUM > definition. > > Do you agree that we can leave that to another patch? > > ____ > From: Wang, Jian J > Sent: Monday, May 23, 2022 0:27 > To: devel@edk2.groups.io; Ni, Ray > Cc: Dong, Eric > Subject: RE: [edk2-devel] [PATCH 4/5] CpuException: Remove > InitializeCpuInterruptHandlers > > Hi Ray, > > Both CpuDxe.c and CpuExceptionCommon.h have CPU_INTERRUPT_NUM > defined. > I'd suggest to move it to a common place, such as BaseLib.h. I don't see any > issue > if they are defined to different value. It just gives me a feeling that it > might > cause > potential problems sometimes in the future. > > > Regards, > Jian > > > -Original Message- > > From: devel@edk2.groups.io On Behalf Of Ni, Ray > > Sent: Friday, May 20, 2022 10:16 PM > > To: devel@edk2.groups.io > > Cc: Dong, Eric > > Subject: [edk2-devel] [PATCH 4/5] CpuException: Remove > > InitializeCpuInterruptHandlers > > > > InitializeCpuExceptionHandlers() expects caller allocates IDT while > > InitializeCpuInterruptHandlers() allocates 256 IDT entries itself. > > > > InitializeCpuExceptionHandlers() fills max 32 IDT entries allocated > > by caller. If caller allocates 10 entries, the API just fills 10 IDT > > entries. > > > > The inconsistency between the two APIs makes code hard to > > unerstand and hard to share. > > > > Because there is only one caller (CpuDxe) for > > InitializeCpuInterruptHandler(), this patch updates CpuDxe driver > > to allocates 256 IDT entries then call > > InitializeCpuExceptionHandlers(). > > > > With this change, InitializeCpuInterruptHandlers() is removed > > completely. > > > > And InitializeCpuExceptionHandlers() fills max 32 entries for PEI > > and SMM instance, max 256 entries for DXE instance. > > Such behavior matches to the original one. > > > > Signed-off-by: Ray Ni > > Cc: Eric Dong > > --- > > .../Include/Library/CpuExceptionHandlerLib.h | 28 +-- > > .../CpuExceptionHandlerLibNull.c | 31 +-- > > UefiCpuPkg/CpuDxe/CpuDxe.c| 33 ++-- > > .../CpuExceptionHandlerLib/DxeException.c | 80 ++- > > .../CpuExceptionHandlerLib/PeiCpuException.c | 61 +- > > .../PeiDxeSmmCpuException.c | 19 ++--- > > .../SecPeiCpuException.c | 31 +-- > > .../CpuExceptionHandlerLib/SmmException.c | 35 ++-- > > 8 files changed, 56 insertions(+), 262 deletions(-) > > > > diff --git a/MdeModulePkg/Include/Library/CpuExceptionHandlerLib.h > > b/MdeModulePkg/Include/Library/CpuExceptionHandlerLib.h > > index 22a4408f9f..d4649bebe1 100644 > > --- a/MdeModulePkg/Include/Library/CpuExceptionHandlerLib.h > > +++ b/MdeModulePkg/Include/Library/CpuExceptionHandlerLib.h > > @@ -2,7 +2,7 @@ > >CPU Exception library provides the default CPU interrupt/exception > > handler. > > > >It also provides capability to register user interrupt/exception handler. > > > > > > > > - Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved. > > > > + Copyright (c) 2012 - 2022, Intel Corporation. All rights reserved. > > > >SPDX-License-Identifier: BSD-2-Clause-Patent > > > > > > > > **/ > > > > @@ -132,28 +132,6 @@ InitializeCpuExceptionHandlersEx ( > >IN CPU_EXCEPTION_INIT_DATA *InitData OPTIONAL > > > >); > > > > > > > > -/** > > > > - Initializes all CPU interrupt/exceptions entries and provides the default > > interrupt/exception handlers. > > > > - > > > > - Caller should try to get an array of interrupt and/or exception vectors > > that > are > > in use and need to > > > > - persist by EFI_VECTOR_HANDOFF_INFO defined in PI 1.3 specification. > > > > - If caller cannot get reserved vector list or it does not exists, set > > VectorInfo > to > > NULL. > > > > - If VectorInfo is not NULL, the exception vectors will be initialized per > > vecto
Re: [edk2-devel] [PATCH 1/5] CpuException: Avoid allocating code pages for DXE instance
Ray,
You changed "%rep 32" to "%rep 256" in Ia32/ExceptionHandlerAsm.nasm.
According to my understanding and your comments, this should be done
only to X64 code, right?
Regards,
Jian
> -Original Message-
> From: devel@edk2.groups.io On Behalf Of Ni, Ray
> Sent: Friday, May 20, 2022 10:16 PM
> To: devel@edk2.groups.io
> Cc: Dong, Eric
> Subject: [edk2-devel] [PATCH 1/5] CpuException: Avoid allocating code pages
> for DXE instance
>
> Today the DXE instance allocates code page and then copies the IDT
> vectors to the allocated code page. Then it fixes up the vector number
> in the IDT vector.
>
> But if we update the NASM file to generate 256 IDT vectors, there is
> no need to do the copy and fix-up.
>
> A side effect is up to 4096 bytes (HOOKAFTER_STUB_SIZE * 256) is
> used for 256 IDT vectors. While 32 IDT vectors only require 512 bytes.
>
> But considering the code logic simplification, 3.5K space is not a big
> deal. SEC instance still generates 32 IDT vectors so no impact to SEC.
> If 3.5K is too much a waste in PEI phase, we can enhance the code
> further to generate 32 vectors for PEI.
>
> Signed-off-by: Ray Ni
> Cc: Eric Dong
> ---
> .../CpuExceptionHandlerLib/DxeException.c | 22 ---
> .../Ia32/ExceptionHandlerAsm.nasm | 4 ++--
> .../X64/ExceptionHandlerAsm.nasm | 2 ++
> .../X64/Xcode5ExceptionHandlerAsm.nasm| 9
> 4 files changed, 9 insertions(+), 28 deletions(-)
>
> diff --git a/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeException.c
> b/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeException.c
> index 61f11e98f8..5083c4b8e8 100644
> --- a/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeException.c
> +++ b/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeException.c
> @@ -95,9 +95,6 @@ InitializeCpuInterruptHandlers (
>IA32_DESCRIPTOR IdtDescriptor;
>
>UINTN IdtEntryCount;
>
>EXCEPTION_HANDLER_TEMPLATE_MAP TemplateMap;
>
> - UINTN Index;
>
> - UINTN InterruptEntry;
>
> - UINT8 *InterruptEntryCode;
>
>RESERVED_VECTORS_DATA *ReservedVectors;
>
>EFI_CPU_INTERRUPT_HANDLER *ExternalInterruptHandler;
>
>
>
> @@ -138,25 +135,6 @@ InitializeCpuInterruptHandlers (
>AsmGetTemplateAddressMap ();
>
>ASSERT (TemplateMap.ExceptionStubHeaderSize <= HOOKAFTER_STUB_SIZE);
>
>
>
> - Status = gBS->AllocatePool (
>
> - EfiBootServicesCode,
>
> - TemplateMap.ExceptionStubHeaderSize * CPU_INTERRUPT_NUM,
>
> - (VOID **)
>
> - );
>
> - ASSERT (!EFI_ERROR (Status) && InterruptEntryCode != NULL);
>
> -
>
> - InterruptEntry = (UINTN)InterruptEntryCode;
>
> - for (Index = 0; Index < CPU_INTERRUPT_NUM; Index++) {
>
> -CopyMem (
>
> - (VOID *)InterruptEntry,
>
> - (VOID *)TemplateMap.ExceptionStart,
>
> - TemplateMap.ExceptionStubHeaderSize
>
> - );
>
> -AsmVectorNumFixup ((VOID *)InterruptEntry, (UINT8)Index, (VOID
> *)TemplateMap.ExceptionStart);
>
> -InterruptEntry += TemplateMap.ExceptionStubHeaderSize;
>
> - }
>
> -
>
> - TemplateMap.ExceptionStart = (UINTN)InterruptEntryCode;
>
>mExceptionHandlerData.IdtEntryCount= CPU_INTERRUPT_NUM;
>
>mExceptionHandlerData.ReservedVectors = ReservedVectors;
>
>mExceptionHandlerData.ExternalInterruptHandler = ExternalInterruptHandler;
>
> diff --git
> a/UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ExceptionHandlerAsm.nas
> m
> b/UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ExceptionHandlerAsm.nas
> m
> index 3fe9aed1e8..8ed2b8f455 100644
> ---
> a/UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ExceptionHandlerAsm.nas
> m
> +++
> b/UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ExceptionHandlerAsm.nas
> m
> @@ -33,7 +33,7 @@ ALIGN 8
> ;
>
> AsmIdtVectorBegin:
>
> %assign Vector 0
>
> -%rep 32
>
> +%rep 256
>
> pushbyte %[Vector];
>
> pusheax
>
> mov eax, ASM_PFX(CommonInterruptEntry)
>
> @@ -439,7 +439,7 @@ ASM_PFX(AsmGetTemplateAddressMap):
>
>
> mov ebx, dword [ebp + 0x8]
>
> mov dword [ebx], AsmIdtVectorBegin
>
> -mov dword [ebx + 0x4], (AsmIdtVectorEnd - AsmIdtVectorBegin) / 32
>
> +mov dword [ebx + 0x4], (AsmIdtVectorEnd - AsmIdtVectorBegin) / 256
>
> mov dword [ebx + 0x8], HookAfterStubBegin
>
>
>
> popad
>
> diff --git
> a/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/ExceptionHandlerAsm.nasm
> b/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/ExceptionHandlerAsm.nasm
> index 9a806d1f86..aaf8d622e6 100644
> ---
> a/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/ExceptionHandlerAsm.nasm
> +++
> b/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/ExceptionHandlerAsm.nasm
> @@ -31,6 +31,8 @@ SECTION .text
>
>
> ALIGN 8
>
>
>
> +; Generate 32 IDT vectors.
>
Re: [edk2-devel] [PATCH 2/5] CpuException: Init global variables in-place
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: devel@edk2.groups.io On Behalf Of Ni, Ray
> Sent: Friday, May 20, 2022 10:16 PM
> To: devel@edk2.groups.io
> Cc: Dong, Eric
> Subject: [edk2-devel] [PATCH 2/5] CpuException: Init global variables in-place
>
> Additionally removed two useless global variables:
> "SPIN_LOCK mDisplayMessageSpinLock" from SMM instance.
> "UINTN mEnabledInterruptNum" from DXE instance.
>
> Signed-off-by: Ray Ni
> Cc: Eric Dong
> ---
> .../Library/CpuExceptionHandlerLib/DxeException.c | 11 ++-
> .../Library/CpuExceptionHandlerLib/SmmException.c | 14 ++
> 2 files changed, 12 insertions(+), 13 deletions(-)
>
> diff --git a/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeException.c
> b/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeException.c
> index 5083c4b8e8..da5b96d6c6 100644
> --- a/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeException.c
> +++ b/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeException.c
> @@ -16,9 +16,12 @@ CONST UINTN mDoFarReturnFlag = 0;
>
>
> RESERVED_VECTORS_DATA mReservedVectorsData[CPU_EXCEPTION_NUM];
>
> EFI_CPU_INTERRUPT_HANDLER
> mExternalInterruptHandlerTable[CPU_EXCEPTION_NUM];
>
> -UINTN mEnabledInterruptNum = 0;
>
> -
>
> -EXCEPTION_HANDLER_DATA mExceptionHandlerData;
>
> +EXCEPTION_HANDLER_DATA mExceptionHandlerData = {
>
> + 0, // To be fixed
>
> + 0, // To be fixed
>
> + mReservedVectorsData,
>
> + mExternalInterruptHandlerTable
>
> +};
>
>
>
> UINT8 mNewStack[CPU_STACK_SWITCH_EXCEPTION_NUMBER *
>
> CPU_KNOWN_GOOD_STACK_SIZE];
>
> @@ -62,8 +65,6 @@ InitializeCpuExceptionHandlers (
>IN EFI_VECTOR_HANDOFF_INFO *VectorInfo OPTIONAL
>
>)
>
> {
>
> - mExceptionHandlerData.ReservedVectors = mReservedVectorsData;
>
> - mExceptionHandlerData.ExternalInterruptHandler =
> mExternalInterruptHandlerTable;
>
>InitializeSpinLock ();
>
>return InitializeCpuExceptionHandlersWorker (VectorInfo,
> );
>
> }
>
> diff --git a/UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmException.c
> b/UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmException.c
> index 77ee74579f..9f0af4120a 100644
> --- a/UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmException.c
> +++ b/UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmException.c
> @@ -11,14 +11,14 @@
>
>
> CONST UINTN mDoFarReturnFlag = 1;
>
>
>
> -//
>
> -// Spin lock for CPU information display
>
> -//
>
> -SPIN_LOCK mDisplayMessageSpinLock;
>
> -
>
> RESERVED_VECTORS_DATA mReservedVectorsData[CPU_EXCEPTION_NUM];
>
> EFI_CPU_INTERRUPT_HANDLER
> mExternalInterruptHandlerTable[CPU_EXCEPTION_NUM];
>
> -EXCEPTION_HANDLER_DATA mExceptionHandlerData;
>
> +EXCEPTION_HANDLER_DATA mExceptionHandlerData = {
>
> + 0, // To be fixed
>
> + 0, // To be fixed
>
> + mReservedVectorsData,
>
> + mExternalInterruptHandlerTable
>
> +};
>
>
>
> /**
>
>Common exception handler.
>
> @@ -58,8 +58,6 @@ InitializeCpuExceptionHandlers (
>IN EFI_VECTOR_HANDOFF_INFO *VectorInfo OPTIONAL
>
>)
>
> {
>
> - mExceptionHandlerData.ReservedVectors = mReservedVectorsData;
>
> - mExceptionHandlerData.ExternalInterruptHandler =
> mExternalInterruptHandlerTable;
>
>InitializeSpinLock ();
>
>return InitializeCpuExceptionHandlersWorker (VectorInfo,
> );
>
> }
>
> --
> 2.35.1.windows.2
>
>
>
> -=-=-=-=-=-=
> Groups.io Links: You receive all messages sent to this group.
> View/Reply Online (#89917): https://edk2.groups.io/g/devel/message/89917
> Mute This Topic: https://groups.io/mt/91231768/1768734
> Group Owner: devel+ow...@edk2.groups.io
> Unsubscribe: https://edk2.groups.io/g/devel/unsub [jian.j.w...@intel.com]
> -=-=-=-=-=-=
>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#89941): https://edk2.groups.io/g/devel/message/89941
Mute This Topic: https://groups.io/mt/91231768/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH 3/5] CpuException: Avoid allocating page but using global variables
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: devel@edk2.groups.io On Behalf Of Ni, Ray
> Sent: Friday, May 20, 2022 10:16 PM
> To: devel@edk2.groups.io
> Cc: Dong, Eric
> Subject: [edk2-devel] [PATCH 3/5] CpuException: Avoid allocating page but
> using
> global variables
>
> Signed-off-by: Ray Ni
> Cc: Eric Dong
> ---
> .../CpuExceptionHandlerLib/DxeException.c | 24 ---
> 1 file changed, 5 insertions(+), 19 deletions(-)
>
> diff --git a/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeException.c
> b/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeException.c
> index da5b96d6c6..f139131a7c 100644
> --- a/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeException.c
> +++ b/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeException.c
> @@ -14,8 +14,8 @@
>
>
> CONST UINTN mDoFarReturnFlag = 0;
>
>
>
> -RESERVED_VECTORS_DATA mReservedVectorsData[CPU_EXCEPTION_NUM];
>
> -EFI_CPU_INTERRUPT_HANDLER
> mExternalInterruptHandlerTable[CPU_EXCEPTION_NUM];
>
> +RESERVED_VECTORS_DATA
> mReservedVectorsData[CPU_INTERRUPT_NUM];
>
> +EFI_CPU_INTERRUPT_HANDLER
> mExternalInterruptHandlerTable[CPU_INTERRUPT_NUM];
>
> EXCEPTION_HANDLER_DATA mExceptionHandlerData = {
>
>0, // To be fixed
>
>0, // To be fixed
>
> @@ -96,27 +96,15 @@ InitializeCpuInterruptHandlers (
>IA32_DESCRIPTOR IdtDescriptor;
>
>UINTN IdtEntryCount;
>
>EXCEPTION_HANDLER_TEMPLATE_MAP TemplateMap;
>
> - RESERVED_VECTORS_DATA *ReservedVectors;
>
> - EFI_CPU_INTERRUPT_HANDLER *ExternalInterruptHandler;
>
> -
>
> - Status = gBS->AllocatePool (
>
> - EfiBootServicesCode,
>
> - sizeof (RESERVED_VECTORS_DATA) * CPU_INTERRUPT_NUM,
>
> - (VOID **)
>
> - );
>
> - ASSERT (!EFI_ERROR (Status) && ReservedVectors != NULL);
>
> - SetMem ((VOID *)ReservedVectors, sizeof (RESERVED_VECTORS_DATA) *
> CPU_INTERRUPT_NUM, 0xff);
>
> +
>
> + SetMem ((VOID *)mReservedVectorsData, sizeof (RESERVED_VECTORS_DATA)
> * CPU_INTERRUPT_NUM, 0xff);
>
>if (VectorInfo != NULL) {
>
> -Status = ReadAndVerifyVectorInfo (VectorInfo, ReservedVectors,
> CPU_INTERRUPT_NUM);
>
> +Status = ReadAndVerifyVectorInfo (VectorInfo, mReservedVectorsData,
> CPU_INTERRUPT_NUM);
>
> if (EFI_ERROR (Status)) {
>
> - FreePool (ReservedVectors);
>
>return EFI_INVALID_PARAMETER;
>
> }
>
>}
>
>
>
> - ExternalInterruptHandler = AllocateZeroPool (sizeof
> (EFI_CPU_INTERRUPT_HANDLER) * CPU_INTERRUPT_NUM);
>
> - ASSERT (ExternalInterruptHandler != NULL);
>
> -
>
>//
>
>// Read IDT descriptor and calculate IDT size
>
>//
>
> @@ -137,8 +125,6 @@ InitializeCpuInterruptHandlers (
>ASSERT (TemplateMap.ExceptionStubHeaderSize <= HOOKAFTER_STUB_SIZE);
>
>
>
>mExceptionHandlerData.IdtEntryCount= CPU_INTERRUPT_NUM;
>
> - mExceptionHandlerData.ReservedVectors = ReservedVectors;
>
> - mExceptionHandlerData.ExternalInterruptHandler = ExternalInterruptHandler;
>
>InitializeSpinLock ();
>
>
>
>UpdateIdtTable (IdtTable, , );
>
> --
> 2.35.1.windows.2
>
>
>
> -=-=-=-=-=-=
> Groups.io Links: You receive all messages sent to this group.
> View/Reply Online (#89918): https://edk2.groups.io/g/devel/message/89918
> Mute This Topic: https://groups.io/mt/91231769/1768734
> Group Owner: devel+ow...@edk2.groups.io
> Unsubscribe: https://edk2.groups.io/g/devel/unsub [jian.j.w...@intel.com]
> -=-=-=-=-=-=
>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#89940): https://edk2.groups.io/g/devel/message/89940
Mute This Topic: https://groups.io/mt/91231769/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH 4/5] CpuException: Remove InitializeCpuInterruptHandlers
Hi Ray, Both CpuDxe.c and CpuExceptionCommon.h have CPU_INTERRUPT_NUM defined. I'd suggest to move it to a common place, such as BaseLib.h. I don't see any issue if they are defined to different value. It just gives me a feeling that it might cause potential problems sometimes in the future. Regards, Jian > -Original Message- > From: devel@edk2.groups.io On Behalf Of Ni, Ray > Sent: Friday, May 20, 2022 10:16 PM > To: devel@edk2.groups.io > Cc: Dong, Eric > Subject: [edk2-devel] [PATCH 4/5] CpuException: Remove > InitializeCpuInterruptHandlers > > InitializeCpuExceptionHandlers() expects caller allocates IDT while > InitializeCpuInterruptHandlers() allocates 256 IDT entries itself. > > InitializeCpuExceptionHandlers() fills max 32 IDT entries allocated > by caller. If caller allocates 10 entries, the API just fills 10 IDT > entries. > > The inconsistency between the two APIs makes code hard to > unerstand and hard to share. > > Because there is only one caller (CpuDxe) for > InitializeCpuInterruptHandler(), this patch updates CpuDxe driver > to allocates 256 IDT entries then call > InitializeCpuExceptionHandlers(). > > With this change, InitializeCpuInterruptHandlers() is removed > completely. > > And InitializeCpuExceptionHandlers() fills max 32 entries for PEI > and SMM instance, max 256 entries for DXE instance. > Such behavior matches to the original one. > > Signed-off-by: Ray Ni > Cc: Eric Dong > --- > .../Include/Library/CpuExceptionHandlerLib.h | 28 +-- > .../CpuExceptionHandlerLibNull.c | 31 +-- > UefiCpuPkg/CpuDxe/CpuDxe.c| 33 ++-- > .../CpuExceptionHandlerLib/DxeException.c | 80 ++- > .../CpuExceptionHandlerLib/PeiCpuException.c | 61 +- > .../PeiDxeSmmCpuException.c | 19 ++--- > .../SecPeiCpuException.c | 31 +-- > .../CpuExceptionHandlerLib/SmmException.c | 35 ++-- > 8 files changed, 56 insertions(+), 262 deletions(-) > > diff --git a/MdeModulePkg/Include/Library/CpuExceptionHandlerLib.h > b/MdeModulePkg/Include/Library/CpuExceptionHandlerLib.h > index 22a4408f9f..d4649bebe1 100644 > --- a/MdeModulePkg/Include/Library/CpuExceptionHandlerLib.h > +++ b/MdeModulePkg/Include/Library/CpuExceptionHandlerLib.h > @@ -2,7 +2,7 @@ >CPU Exception library provides the default CPU interrupt/exception handler. > >It also provides capability to register user interrupt/exception handler. > > > > - Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved. > > + Copyright (c) 2012 - 2022, Intel Corporation. All rights reserved. > >SPDX-License-Identifier: BSD-2-Clause-Patent > > > > **/ > > @@ -132,28 +132,6 @@ InitializeCpuExceptionHandlersEx ( >IN CPU_EXCEPTION_INIT_DATA *InitData OPTIONAL > >); > > > > -/** > > - Initializes all CPU interrupt/exceptions entries and provides the default > interrupt/exception handlers. > > - > > - Caller should try to get an array of interrupt and/or exception vectors > that are > in use and need to > > - persist by EFI_VECTOR_HANDOFF_INFO defined in PI 1.3 specification. > > - If caller cannot get reserved vector list or it does not exists, set > VectorInfo to > NULL. > > - If VectorInfo is not NULL, the exception vectors will be initialized per > vector > attribute accordingly. > > - > > - @param[in] VectorInfoPointer to reserved vector list. > > - > > - @retval EFI_SUCCESS All CPU interrupt/exception entries have been > successfully initialized > > -with default interrupt/exception handlers. > > - @retval EFI_INVALID_PARAMETER VectorInfo includes the invalid content if > VectorInfo is not NULL. > > - @retval EFI_UNSUPPORTED This function is not supported. > > - > > -**/ > > -EFI_STATUS > > -EFIAPI > > -InitializeCpuInterruptHandlers ( > > - IN EFI_VECTOR_HANDOFF_INFO *VectorInfo OPTIONAL > > - ); > > - > > /** > >Registers a function to be called from the processor interrupt handler. > > > > @@ -161,8 +139,8 @@ InitializeCpuInterruptHandlers ( >interrupt or exception type specified by InterruptType. If > InterruptHandler is > NULL, then the > >handler for the processor interrupt or exception type specified by > InterruptType is uninstalled. > >The installed handler is called once for each processor interrupt or > exception. > > - NOTE: This function should be invoked after > InitializeCpuExceptionHandlers() > or > > - InitializeCpuInterruptHandlers() invoked, otherwise EFI_UNSUPPORTED > returned. > > + NOTE: This function should be invoked after > InitializeCpuExceptionHandlers() > is invoked, > > + otherwise EFI_UNSUPPORTED returned. > > > >@param[in] InterruptType Defines which interrupt or exception to hook. > >@param[in] InterruptHandler A pointer to a function of type > EFI_CPU_INTERRUPT_HANDLER that is called > > diff
Re: [edk2-devel] [PATCH 5/5] CpuException: Add InitializeSeparateExceptionStacks
Reviewed-by: Jian J Wang Regards, Jian > -Original Message- > From: Ni, Ray > Sent: Friday, May 20, 2022 10:16 PM > To: devel@edk2.groups.io > Cc: Dong, Eric ; Wang, Jian J > Subject: [PATCH 5/5] CpuException: Add InitializeSeparateExceptionStacks > > Today InitializeCpuExceptionHandlersEx is called from three modules: > 1. DxeCore (links to DxeCpuExceptionHandlerLib) > DxeCore expects it initializes the IDT entries as well as > assigning separate stacks for #DF and #PF. > 2. CpuMpPei (links to PeiCpuExceptionHandlerLib) >and CpuDxe (links to DxeCpuExceptionHandlerLib) > It's called for each thread for only assigning separate stacks for > #DF and #PF. The IDT entries initialization is skipped because > caller sets InitData->X64.InitDefaultHandlers to FALSE. > > Additionally, SecPeiCpuExceptionHandlerLib, SmmCpuExceptionHandlerLib > also implement such API and the behavior of the API is simply to initialize > IDT entries only. > > Because it mixes the IDT entries initialization and separate stacks > assignment for certain exception handlers together, in order to know > whether the function call only initializes IDT entries, or assigns stacks, > we need to check: > 1. value of InitData->X64.InitDefaultHandlers > 2. library instance > > This patch cleans up the code to separate the stack assignment to a new API: > InitializeSeparateExceptionStacks(). > > Only when caller calls the new API, the separate stacks are assigned. > With this change, the SecPei and Smm instance can return unsupported which > gives caller a very clear status. > > The old API InitializeCpuExceptionHandlersEx() is removed in this patch. > Because no platform module is consuming the old API, the impact is none. > > Signed-off-by: Ray Ni > Cc: Eric Dong > Cc: Jian J Wang > --- > MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c | 2 +- > .../Include/Library/CpuExceptionHandlerLib.h | 24 ++--- > .../CpuExceptionHandlerLibNull.c | 26 ++ > UefiCpuPkg/CpuDxe/CpuMp.c | 6 +- > UefiCpuPkg/CpuMpPei/CpuMpPei.c| 4 +- > .../CpuExceptionHandlerLib/DxeException.c | 91 ++- > .../CpuExceptionHandlerLib/PeiCpuException.c | 51 ++- > .../SecPeiCpuException.c | 27 ++ > .../CpuExceptionHandlerLib/SmmException.c | 27 ++ > 9 files changed, 74 insertions(+), 184 deletions(-) > > diff --git a/MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c > b/MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c > index 2c27fc0695..83f49d7c00 100644 > --- a/MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c > +++ b/MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c > @@ -253,7 +253,7 @@ DxeMain ( > VectorInfoList = (EFI_VECTOR_HANDOFF_INFO *)(GET_GUID_HOB_DATA > (GuidHob)); > >} > > > > - Status = InitializeCpuExceptionHandlersEx (VectorInfoList, NULL); > > + Status = InitializeCpuExceptionHandlers (VectorInfoList); > >ASSERT_EFI_ERROR (Status); > > > >// > > diff --git a/MdeModulePkg/Include/Library/CpuExceptionHandlerLib.h > b/MdeModulePkg/Include/Library/CpuExceptionHandlerLib.h > index d4649bebe1..9a495081f7 100644 > --- a/MdeModulePkg/Include/Library/CpuExceptionHandlerLib.h > +++ b/MdeModulePkg/Include/Library/CpuExceptionHandlerLib.h > @@ -103,32 +103,20 @@ InitializeCpuExceptionHandlers ( >); > > > > /** > > - Initializes all CPU exceptions entries with optional extra initializations. > > + Setup separate stacks for certain exception handlers. > > > > - By default, this method should include all functionalities implemented by > > - InitializeCpuExceptionHandlers(), plus extra initialization works, if any. > > - This could be done by calling InitializeCpuExceptionHandlers() directly > > - in this method besides the extra works. > > + InitData is optional and processor arch dependent. > > > > - InitData is optional and its use and content are processor arch dependent. > > - The typical usage of it is to convey resources which have to be reserved > > - elsewhere and are necessary for the extra initializations of exception. > > + @param[in] InitData Pointer to data optional for information about > how > > +to assign stacks for certain exception handlers. > > > > - @param[in] VectorInfoPointer to reserved vector list. > > - @param[in] InitData Pointer to data optional for extra > initializations > > -of exception. > > - > > - @retval EFI_SUCCESS The exceptions have be
Re: [edk2-devel] [Patch v2 14/28] SecurityPkg: Add null encryption variable libs
Judah,
My comments below
> -Original Message-
> From: Vang, Judah
> Sent: Saturday, April 30, 2022 2:04 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Yao, Jiewen ;
> Mistry, Nishant C
> Subject: [Patch v2 14/28] SecurityPkg: Add null encryption variable libs
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> Provide null ecryption variable libraries.
> These will be used by default for platforms that don't
> support protected variable encryption.
>
> Cc: Jian J Wang
> Cc: Jiewen Yao
> Cc: Nishant C Mistry
> Signed-off-by: Jian J Wang
> Signed-off-by: Nishant C Mistry
> Signed-off-by: Judah Vang
> ---
> SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf |
> 38 +++
> SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c
> | 107
>
> SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.uni |
> 16 +++
> 3 files changed, 161 insertions(+)
>
> diff --git
> a/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf
> b/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf
> new file mode 100644
> index ..ff5631b336eb
> --- /dev/null
> +++
> b/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf
> @@ -0,0 +1,38 @@
> +## @file
> +# Provides NULL version of encryption variable services.
> +#
> +# Copyright (c) 2015 - 2022, Intel Corporation. All rights reserved.
> +#
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +##
> +
> +[Defines]
> + INF_VERSION= 0x00010005
> + BASE_NAME = EncryptionVariableLibNull
> + MODULE_UNI_FILE= EncryptionVariableLib.uni
> + FILE_GUID = 3972E6FE-74D5-45C3-A9FB-DB9E5E5C9C17
> + MODULE_TYPE= BASE
> + VERSION_STRING = 1.0
> + LIBRARY_CLASS = EncryptionVariableLib
> +
> +#
> +# The following information is for reference only and not required by the
> build
> tools.
> +#
> +# VALID_ARCHITECTURES = IA32 X64
> +#
> +
> +[Sources]
> + EncryptionVariable.c
> +
> +[Packages]
> + MdePkg/MdePkg.dec
> + MdeModulePkg/MdeModulePkg.dec
> + SecurityPkg/SecurityPkg.dec
> +
> +[LibraryClasses]
> + BaseLib
> + DebugLib
> +
> +[Guids]
[JianJW]
No GUID consumed here. Suggest removing this section.
> +
> diff --git
> a/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c
> b/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c
> new file mode 100644
> index ..58a4ae9f4282
> --- /dev/null
> +++ b/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c
> @@ -0,0 +1,107 @@
> +/** @file
> + The common variable operation routines shared by DXE_RUNTIME variable
> + module and DXE_SMM variable module.
> +
> + Caution: This module requires additional review when modified.
> + This driver will have external input - variable data. They may be input in
> SMM
> mode.
> + This external input must be validated carefully to avoid security issue
> like
> + buffer overflow, integer overflow.
> +
> + VariableServiceGetNextVariableName () and
> VariableServiceQueryVariableInfo() are external API.
> + They need check input parameter.
> +
> + VariableServiceGetVariable() and VariableServiceSetVariable() are external
> API
> + to receive datasize and data buffer. The size should be checked carefully.
> +
> + VariableServiceSetVariable() should also check authenticate data to avoid
> buffer overflow,
> + integer overflow. It should also check attribute to avoid authentication
> bypass.
> +
[JianJW]
The file header comment seems irrelevant.
> +Copyright (c) 2019 - 2022, Intel Corporation. All rights reserved.
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include
> +
> +#include
> +#include
> +
> +/**
> + Encrypt variable data.
> +
> + Null version.
> +
> + @param[in, out] VarEncInfo Pointer to structure containing detailed
> + information about a variable.
> +
> + @retval EFI_UNSUPPORTED Unsupported to encrypt variable.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +EncryptVariable (
> + IN OUT VARIABLE_ENCRYPTION_INFO *VarEncInfo
> + )
> +{
> + return EFI_UNSUPPORTED;
> +}
> +
> +/**
> + Decrypt variable data.
> +
> + Null version.
> +
> + @param[in, out] VarEncInfo Pointer to structure containing detailed
> + information about a varia
Re: [edk2-devel] [Patch v2 13/28] SecurityPkg: Fix GetVariableKey API
Judah,
My comments below
> -Original Message-
> From: Vang, Judah
> Sent: Saturday, April 30, 2022 2:04 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Yao, Jiewen ;
> Mistry, Nishant C
> Subject: [Patch v2 13/28] SecurityPkg: Fix GetVariableKey API
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> Fix GetVariableKey API to match changes in header files.
>
> Cc: Jian J Wang
> Cc: Jiewen Yao
> Cc: Nishant C Mistry
> Signed-off-by: Jian J Wang
> Signed-off-by: Nishant C Mistry
> Signed-off-by: Judah Vang
> ---
> SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c
> b/SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c
> index a08def767b5f..cfbad54ba106 100644
> --- a/SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c
> +++ b/SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c
> @@ -1,7 +1,7 @@
> /** @file
>Null version of VariableKeyLib for build purpose. Don't use it in real
> product.
>
> -Copyright (c) 2020, Intel Corporation. All rights reserved.
> +Copyright (c) 2020 - 2022, Intel Corporation. All rights reserved.
> SPDX-License-Identifier: BSD-2-Clause-Patent
>
> **/
> @@ -22,8 +22,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> EFI_STATUS
> EFIAPI
> GetVariableKey (
> - OUT VOID **VariableKey,
> - IN OUT UINTN *VariableKeySize
> + OUT VOID *VariableKey,
> + IN UINTN VariableKeySize
[JianJW]
'OUT' is removed here but the parameter description in function comments
still declared as [in,out]. Please update the function comments in patch 12
as well.
Regards,
Jian
>)
> {
>ASSERT (FALSE);
> --
> 2.35.1.windows.2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#89936): https://edk2.groups.io/g/devel/message/89936
Mute This Topic: https://groups.io/mt/90781902/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [Patch v2 12/28] SecurityPkg: Add new variable types and functions
Judah, Patch 11 is a library instance of RpmcLib which relies on changes introduced in this patch (12). You need to put this patch before patch 11. Regards, Jian > -Original Message- > From: Vang, Judah > Sent: Saturday, April 30, 2022 2:04 AM > To: devel@edk2.groups.io > Cc: Wang, Jian J ; Yao, Jiewen ; > Mistry, Nishant C > Subject: [Patch v2 12/28] SecurityPkg: Add new variable types and functions > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 > > Add new variable encryption/decryption function prototypes. > Add new variable digest structure. Add new Protected > variable function prototypes. Update RPMC APIs to Add > an index because there is could more than one counter. > > Cc: Jian J Wang > Cc: Jiewen Yao > Cc: Nishant C Mistry > Signed-off-by: Jian J Wang > Signed-off-by: Nishant C Mistry > Signed-off-by: Judah Vang > --- > SecurityPkg/Include/Library/RpmcLib.h| 15 +--- > SecurityPkg/Include/Library/VariableKeyLib.h | 37 +++- > 2 files changed, 16 insertions(+), 36 deletions(-) > > diff --git a/SecurityPkg/Include/Library/RpmcLib.h > b/SecurityPkg/Include/Library/RpmcLib.h > index df4ba34ba8cf..cb71dfcd7e4d 100644 > --- a/SecurityPkg/Include/Library/RpmcLib.h > +++ b/SecurityPkg/Include/Library/RpmcLib.h > @@ -1,19 +1,23 @@ > /** @file >Public definitions for the Replay Protected Monotonic Counter (RPMC) > Library. > > -Copyright (c) 2020, Intel Corporation. All rights reserved. > +Copyright (c) 2020 - 2022, Intel Corporation. All rights reserved. > SPDX-License-Identifier: BSD-2-Clause-Patent > > **/ > > -#ifndef _RPMC_LIB_H_ > -#define _RPMC_LIB_H_ > +#ifndef RPMC_LIB_H_ > +#define RPMC_LIB_H_ > > #include > > +#define RPMC_COUNTER_1 0 > +#define RPMC_COUNTER_2 1 > + > /** >Requests the monotonic counter from the designated RPMC counter. > > + @param[in]CounterIndexThe RPMC index >@param[out] CounterValueA pointer to a buffer to store the > RPMC > value. > >@retval EFI_SUCCESS The operation completed successfully. > @@ -23,12 +27,15 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > EFI_STATUS > EFIAPI > RequestMonotonicCounter ( > + IN UINT8 CounterIndex, >OUT UINT32 *CounterValue >); > > /** >Increments the monotonic counter in the SPI flash device by 1. > > + @param[in]CounterIndexThe RPMC index > + >@retval EFI_SUCCESS The operation completed successfully. >@retval EFI_DEVICE_ERRORA device error occurred while > attempting > to update the counter. >@retval EFI_UNSUPPORTED The operation is un-supported. > @@ -36,7 +43,7 @@ RequestMonotonicCounter ( > EFI_STATUS > EFIAPI > IncrementMonotonicCounter ( > - VOID > + IN UINT8 CounterIndex >); > > #endif > diff --git a/SecurityPkg/Include/Library/VariableKeyLib.h > b/SecurityPkg/Include/Library/VariableKeyLib.h > index 561ebad09da2..6076c4d4731b 100644 > --- a/SecurityPkg/Include/Library/VariableKeyLib.h > +++ b/SecurityPkg/Include/Library/VariableKeyLib.h > @@ -1,13 +1,13 @@ > /** @file >Public definitions for Variable Key Library. > > -Copyright (c) 2020, Intel Corporation. All rights reserved. > +Copyright (c) 2020 - 2022, Intel Corporation. All rights reserved. > SPDX-License-Identifier: BSD-2-Clause-Patent > > **/ > > -#ifndef _VARIABLE_KEY_LIB_H_ > -#define _VARIABLE_KEY_LIB_H_ > +#ifndef VARIABLE_KEY_LIB_H_ > +#define VARIABLE_KEY_LIB_H_ > > #include > > @@ -25,35 +25,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > EFI_STATUS > EFIAPI > GetVariableKey ( > - OUT VOID **VariableKey, > - IN OUT UINTN *VariableKeySize > - ); > - > -/** > - Regenerates the variable key. > - > - @retval EFI_SUCCESS The variable key was regenerated > successfully. > - @retval EFI_DEVICE_ERRORAn error occurred while attempting to > regenerate the key. > - @retval EFI_ACCESS_DENIED The function was invoked after > locking > the key interface. > - @retval EFI_UNSUPPORTED Key regeneration is not supported in > the > current boot configuration. > -**/ > -EFI_STATUS > -EFIAPI > -RegenerateVariableKey ( > - VOID > - ); > - > -/** > - Locks the regenerate key interface. > - > - @retval EFI_SUCCESS The key interface was locked > successfully. > - @retval EFI_UNSUPPORTED Locking the key interface is not > supported > in the current boot configuratio
Re: [edk2-devel] [Patch v2 11/28] SecurityPkg: Update RPMC APIs with index
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Vang, Judah
> Sent: Saturday, April 30, 2022 2:04 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Yao, Jiewen ;
> Mistry, Nishant C
> Subject: [Patch v2 11/28] SecurityPkg: Update RPMC APIs with index
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> Update RPMC APIs with index parameter because sometimes
> there are more than 1 RPMC counter on the platform.
>
> Cc: Jian J Wang
> Cc: Jiewen Yao
> Cc: Nishant C Mistry
> Signed-off-by: Jian J Wang
> Signed-off-by: Nishant C Mistry
> Signed-off-by: Judah Vang
> ---
> SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c | 8 ++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c
> b/SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c
> index 792e48250e5d..557aeb6abf09 100644
> --- a/SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c
> +++ b/SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c
> @@ -1,7 +1,7 @@
> /** @file
>NULL RpmcLib instance for build purpose.
>
> -Copyright (c) 2020, Intel Corporation. All rights reserved.
> +Copyright (c) 2020 - 2022, Intel Corporation. All rights reserved.
> SPDX-License-Identifier: BSD-2-Clause-Patent
>
> **/
> @@ -12,6 +12,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> /**
>Requests the monotonic counter from the designated RPMC counter.
>
> + @param[in]CounterIndexThe RPMC index
>@param[out] CounterValueA pointer to a buffer to store the
> RPMC
> value.
>
>@retval EFI_SUCCESS The operation completed successfully.
> @@ -21,6 +22,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> EFI_STATUS
> EFIAPI
> RequestMonotonicCounter (
> + IN UINT8 CounterIndex,
>OUT UINT32 *CounterValue
>)
> {
> @@ -31,6 +33,8 @@ RequestMonotonicCounter (
> /**
>Increments the monotonic counter in the SPI flash device by 1.
>
> + @param[in]CounterIndexThe RPMC index
> +
>@retval EFI_SUCCESS The operation completed successfully.
>@retval EFI_DEVICE_ERRORA device error occurred while
> attempting
> to update the counter.
>@retval EFI_UNSUPPORTED The operation is un-supported.
> @@ -38,7 +42,7 @@ RequestMonotonicCounter (
> EFI_STATUS
> EFIAPI
> IncrementMonotonicCounter (
> - VOID
> + IN UINT8 CounterIndex
>)
> {
>ASSERT (FALSE);
> --
> 2.35.1.windows.2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#89934): https://edk2.groups.io/g/devel/message/89934
Mute This Topic: https://groups.io/mt/90781897/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [Patch v2 10/28] SecurityPkg: Add new KeyService types and defines
Judah,
> -Original Message-
> From: Vang, Judah
> Sent: Saturday, April 30, 2022 2:04 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Yao, Jiewen ;
> Mistry, Nishant C
> Subject: [Patch v2 10/28] SecurityPkg: Add new KeyService types and defines
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> Add new KeyService types and defines.
>
> Cc: Jian J Wang
> Cc: Jiewen Yao
> Cc: Nishant C Mistry
> Signed-off-by: Jian J Wang
> Signed-off-by: Nishant C Mistry
> Signed-off-by: Judah Vang
> ---
> SecurityPkg/Include/Ppi/KeyServicePpi.h | 57
> 1 file changed, 57 insertions(+)
>
> diff --git a/SecurityPkg/Include/Ppi/KeyServicePpi.h
> b/SecurityPkg/Include/Ppi/KeyServicePpi.h
> new file mode 100644
> index ..f126913d2d81
> --- /dev/null
> +++ b/SecurityPkg/Include/Ppi/KeyServicePpi.h
> @@ -0,0 +1,57 @@
> +/** @file
> + Provides Key Services.
> +
> +Copyright (c) 2008 - 2018, Intel Corporation. All rights reserved.
[JianJW]
2018 -> 2022
Regards,
Jian
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +@par Specification Reference:
> +**/
> +
> +#ifndef PEI_KEY_SERVICE_PPI_H_
> +#define PEI_KEY_SERVICE_PPI_H_
> +///
> +/// KEY SERVICE PPI GUID
> +///
> +extern EFI_GUID gKeyServicePpiGuid;
> +
> +/**
> + Generate a new key from root key.
> +
> + @param[in] Salt Pointer to the salt(non-secret)
> value.
> + @param[in] SaltSize Salt size in bytes.
> + @param[out] NewKey Pointer to buffer to receive new key.
> + @param[in] NewKeySize Size of new key bytes to generate.
> +
> + @retval EFI_SUCCESS The function completed successfully
> + @retval OTHER The function completed with failure.
> +**/
> +typedef
> +EFI_STATUS
> +(EFIAPI *KEY_SERVICE_GEN_KEY)(
> + IN UINT8*Salt,
> + IN UINTNSaltSize,
> + OUT UINT8*NewKey,
> + IN UINTNNewKeySize
> + );
> +
> +#define KEY_SERVICE_PPI_REVISION 1
> +#define ROOT_KEY_LEN 64
> +#define SALT_SIZE_MIN_LEN 64
> +#define KEY_SERVICE_KEY_NAME L"KEY_SERVICE_KEY"
> +
> +typedef struct {
> + UINT8RootKey[ROOT_KEY_LEN];
> + UINT8PreviousRootKey[ROOT_KEY_LEN];
> +} KEY_SERVICE_DATA;
> +
> +typedef struct _KEY_SERVICE_PPI KEY_SERVICE_PPI;
> +
> +///
> +/// KEY SERVICE PPI
> +/// The interface functions are for Key Service in PEI Phase
> +///
> +struct _KEY_SERVICE_PPI {
> + KEY_SERVICE_GEN_KEYGenerateKey; /// Generate Key
> +};
> +
> +#endif
> --
> 2.35.1.windows.2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#89933): https://edk2.groups.io/g/devel/message/89933
Mute This Topic: https://groups.io/mt/90781895/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [Patch v2 08/28] MdeModulePkg: Add new Variable functionality
Judah,
One general comment: please add variable store provision/recovery flow and
explanations in the readme.
See my other inline comments below.
Regards,
Jian
> -Original Message-
> From: Vang, Judah
> Sent: Saturday, April 30, 2022 2:04 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Gao, Liming
> ; Mistry, Nishant C
> Subject: [Patch v2 08/28] MdeModulePkg: Add new Variable functionality
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> Provide new APIs for retrieving variable information.
> Add new function stubs for retrieving Protected
> variable information.
>
> Cc: Jian J Wang
> Cc: Liming Gao
> Cc: Nishant C Mistry
> Signed-off-by: Jian J Wang
> Signed-off-by: Nishant C Mistry
> Signed-off-by: Judah Vang
> ---
> MdeModulePkg/Universal/Variable/Pei/VariablePei.inf | 10 +-
> MdeModulePkg/Universal/Variable/Pei/Variable.h| 80 +-
> MdeModulePkg/Universal/Variable/Pei/VariableParsing.h | 309 +++
> MdeModulePkg/Universal/Variable/Pei/VariableStore.h | 116 +++
> MdeModulePkg/Universal/Variable/Pei/Variable.c| 886
> +++---
> MdeModulePkg/Universal/Variable/Pei/VariableParsing.c | 941
>
> MdeModulePkg/Universal/Variable/Pei/VariableStore.c | 305 +++
> 7 files changed, 1891 insertions(+), 756 deletions(-)
>
> diff --git a/MdeModulePkg/Universal/Variable/Pei/VariablePei.inf
> b/MdeModulePkg/Universal/Variable/Pei/VariablePei.inf
> index 7cbdd2385e8f..af172126a011 100644
> --- a/MdeModulePkg/Universal/Variable/Pei/VariablePei.inf
> +++ b/MdeModulePkg/Universal/Variable/Pei/VariablePei.inf
> @@ -3,7 +3,7 @@
> #
> # This module implements ReadOnly Variable Services required by PEIM and
> installs PEI ReadOnly Varaiable2 PPI.
> #
> -# Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
> +# Copyright (c) 2006 - 2022, Intel Corporation. All rights reserved.
> # SPDX-License-Identifier: BSD-2-Clause-Patent
> #
> ##
> @@ -26,6 +26,10 @@ [Defines]
> [Sources]
>Variable.c
>Variable.h
> + VariableStore.c
> + VariableStore.h
> + VariableParsing.c
> + VariableParsing.h
>
> [Packages]
>MdePkg/MdePkg.dec
> @@ -39,6 +43,7 @@ [LibraryClasses]
>DebugLib
>PeiServicesTablePointerLib
>PeiServicesLib
> + ProtectedVariableLib
>
> [Guids]
>## CONSUMES ## GUID # Variable store header
> @@ -56,7 +61,8 @@ [Guids]
>gEdkiiFaultTolerantWriteGuid
>
> [Ppis]
> - gEfiPeiReadOnlyVariable2PpiGuid ## PRODUCES
> + gEfiPeiReadOnlyVariable2PpiGuid## PRODUCES
> + gEfiPeiVariableStoreDiscoveredPpiGuid ## CONSUMES
>
> [Pcd]
>gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase ##
> SOMETIMES_CONSUMES
> diff --git a/MdeModulePkg/Universal/Variable/Pei/Variable.h
> b/MdeModulePkg/Universal/Variable/Pei/Variable.h
> index 7f9ad5bfc357..115426edd626 100644
> --- a/MdeModulePkg/Universal/Variable/Pei/Variable.h
> +++ b/MdeModulePkg/Universal/Variable/Pei/Variable.h
> @@ -2,7 +2,7 @@
>The internal header file includes the common header files, defines
>internal structure and functions used by PeiVariable module.
>
> -Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.
> +Copyright (c) 2006 - 2022, Intel Corporation. All rights reserved.
> SPDX-License-Identifier: BSD-2-Clause-Patent
>
> **/
> @@ -20,11 +20,13 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> #include
> #include
> #include
> +#include
>
> #include
> #include
> #include
> #include
> +#include
>
> typedef enum {
>VariableStoreTypeHob,
> @@ -142,4 +144,80 @@ PeiGetNextVariableName (
>IN OUT EFI_GUID*VariableGuid
>);
>
> +/**
> + This service retrieves a variable's value using its name and GUID.
> +
> + Read the specified variable from the UEFI variable store. If the Data
> + buffer is too small to hold the contents of the variable, the error
> + EFI_BUFFER_TOO_SMALL is returned and DataSize is set to the required buffer
> + size to obtain the data.
> +
> + @param This A pointer to this instance of the
> EFI_PEI_READ_ONLY_VARIABLE2_PPI.
> + @param VariableName A pointer to a null-terminated string that
> is the
> variable's name.
> + @param VariableGuid A pointer to an EFI_GUID that is the
> variable's
> GUID. The combination of
> +VariableGuid and VariableName must be unique.
> + @param AttributesIf non-NULL, on return, points to the
> variable's
> attributes.
> + @param DataSize O
Re: [edk2-devel] [Patch v2 07/28] MdeModulePkg: Add Null ProtectedVariable Library
Judah,
Following interface has no non-Null version implemented.
Consider removing them completely.
ProtectedVariableLibGetStore()
ProtectedVariableLibReclaim()
ProtectedVariableLibGetDataInfo()
ProtectedVariableLibGetNextEx()
ProtectedVariableLibGetNext ()
Regards,
Jian
> -Original Message-
> From: Vang, Judah
> Sent: Saturday, April 30, 2022 2:04 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Gao, Liming
> ; Mistry, Nishant C
> Subject: [Patch v2 07/28] MdeModulePkg: Add Null ProtectedVariable Library
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> Add Null versions of the ProtectedVariable Library.
> This will be the default libraries for platforms that
> do not support ProtectedVariable.
>
> Cc: Jian J Wang
> Cc: Liming Gao
> Cc: Nishant C Mistry
> Signed-off-by: Jian J Wang
> Signed-off-by: Nishant C Mistry
> Signed-off-by: Judah Vang
> ---
> MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf
> | 34 ++
> MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c |
> 449
> 2 files changed, 483 insertions(+)
>
> diff --git
> a/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.in
> f
> b/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.in
> f
> new file mode 100644
> index ..6a17191c4e1e
> --- /dev/null
> +++
> b/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.in
> f
> @@ -0,0 +1,34 @@
> +## @file
> +# Provides null version of protected variable services.
> +#
> +# Copyright (c) 2022, Intel Corporation. All rights reserved.
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +##
> +
> +[Defines]
> + INF_VERSION= 0x00010029
> + BASE_NAME = ProtectedVariableLibNull
> + FILE_GUID = 352C6A1B-403A-4E37-8517-FAA50BC45251
> + MODULE_TYPE= BASE
> + VERSION_STRING = 0.1
> + LIBRARY_CLASS = ProtectedVariableLib
> +
> +#
> +# The following information is for reference only and not required by the
> build
> tools.
> +#
> +# VALID_ARCHITECTURES = IA32 X64
> +#
> +
> +[Sources]
> + ProtectedVariable.c
> +
> +[Packages]
> + MdePkg/MdePkg.dec
> + MdeModulePkg/MdeModulePkg.dec
> +
> +[LibraryClasses]
> + BaseLib
> + BaseMemoryLib
> + DebugLib
> +
> diff --git
> a/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c
> b/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c
> new file mode 100644
> index ..cc1e16c1a671
> --- /dev/null
> +++ b/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c
> @@ -0,0 +1,449 @@
> +/** @file
> + NULL version of ProtectedVariableLib used to disable protected variable
> services.
> +
> +Copyright (c) 2022, Intel Corporation. All rights reserved.
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include
> +#include
> +
> +#include
> +#include
> +#include
> +
> +/**
> +
> + Initialization for protected varibale services.
> +
> + @param[in] ContextIn Pointer to variable service context needed by
> + protected variable.
> +
> + @retval EFI_UNSUPPORTED Unsupported to process protected
> variable.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +ProtectedVariableLibInitialize (
> + IN PROTECTED_VARIABLE_CONTEXT_IN *ContextIn
> + )
> +{
> + return EFI_UNSUPPORTED;
> +}
> +
> +/**
> +
> + Get a verified copy of NV variable storage.
> +
> + @param[out] VariableFvHeader Pointer to the header of whole NV
> firmware volume.
> + @param[out] VariableStoreHeader Pointer to the header of variable
> storage.
> +
> + @retval EFI_UNSUPPORTED Unsupported to process protected
> variable.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +ProtectedVariableLibGetStore (
> + OUT EFI_FIRMWARE_VOLUME_HEADER **VariableFvHeader,
> + OUT VARIABLE_STORE_HEADER **VariableStoreHeader
> + )
> +{
> + return EFI_UNSUPPORTED;
> +}
> +
> +/**
> +
> + Prepare for variable update.
> +
> + @retval EFI_UNSUPPORTED Unsupported to process protected
> variable.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +ProtectedVariableLibWriteInit (
> + VOID
> + )
> +{
> + return EFI_UNSUPPORTED;
> +}
> +
> +/**
> +
> + Update a variable with protection provided by this library.
> +
> + @param[in,out] CurrVariableVariable to be updated. It's NULL if
> +
Re: [edk2-devel] [Patch v2 02/28] SecurityPkg: Add new GUIDs for
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Vang, Judah
> Sent: Saturday, April 30, 2022 2:04 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Yao, Jiewen ;
> Mistry, Nishant C
> Subject: [Patch v2 02/28] SecurityPkg: Add new GUIDs for
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> The gEdkiiProtectedVariableGlobalGuid HOB contains the global
> configuration data structure which is verified in PEI Phase.
> The gEdkiiMetaDataHmacVariableGuid is used for saving the
> meta data HMAC variable.
> The gEdkiiProtectedVariableContextGuid contains the Protected
> Variable context saved in PEI phase to be used later.
>
> Cc: Jian J Wang
> Cc: Jiewen Yao
> Cc: Nishant C Mistry
> Signed-off-by: Jian J Wang
> Signed-off-by: Nishant C Mistry
> Signed-off-by: Judah Vang
> ---
> SecurityPkg/SecurityPkg.dec | 43 +++-
> 1 file changed, 42 insertions(+), 1 deletion(-)
>
> diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
> index 9f7a032d60d5..ea88908ea7d2 100644
> --- a/SecurityPkg/SecurityPkg.dec
> +++ b/SecurityPkg/SecurityPkg.dec
> @@ -5,7 +5,7 @@
> # It also provides the definitions(including PPIs/PROTOCOLs/GUIDs and
> library
> classes)
> # and libraries instances, which are used for those features.
> #
> -# Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
> +# Copyright (c) 2009 - 2022, Intel Corporation. All rights reserved.
> # (C) Copyright 2015 Hewlett Packard Enterprise Development LP
> # Copyright (c) Microsoft Corporation.
> # SPDX-License-Identifier: BSD-2-Clause-Patent
> @@ -217,6 +217,18 @@ [Guids]
>## GUID used to specify section with default dbt content
>gDefaultdbtFileGuid= { 0x36c513ee, 0xa338, 0x4976, { 0xa0,
> 0xfb,
> 0x6d, 0xdb, 0xa3, 0xda, 0xfe, 0x87 } }
>
> + ## Include/Guid/ProtectedVariable.h
> + # {8EBF379A-F18E-4728-A410-00CF9A65BE91}
> + gEdkiiProtectedVariableGlobalGuid = { 0x8ebf379a, 0xf18e, 0x4728, { 0xa4,
> 0x10, 0x0, 0xcf, 0x9a, 0x65, 0xbe, 0x91 } }
> +
> + ## Include/Guid/ProtectedVariable.h
> + # {e3e890ad-5b67-466e-904f-94ca7e9376bb}
> + gEdkiiMetaDataHmacVariableGuid = {0xe3e890ad, 0x5b67, 0x466e, {0x90,
> 0x4f, 0x94, 0xca, 0x7e, 0x93, 0x76, 0xbb}}
> +
> + ## Include/Guid/ProtectedVariable.h
> + # {a11a3652-875b-495a-b097-200917580b98}
> + gEdkiiProtectedVariableContextGuid = {0xa11a3652, 0x875b, 0x495a, {0xb0,
> 0x97, 0x20, 0x09, 0x17, 0x58, 0x0b, 0x98} }
> +
> [Ppis]
>## The PPI GUID for that TPM physical presence should be locked.
># Include/Ppi/LockPhysicalPresence.h
> @@ -242,6 +254,10 @@ [Ppis]
>## Include/Ppi/Tcg.h
>gEdkiiTcgPpiGuid = {0x57a13b87, 0x133d, 0x4bf3, { 0xbf, 0xf1, 0x1b, 0xca,
> 0xc7, 0x17, 0x6c, 0xf1 } }
>
> + ## Key Service Ppi
> + # Include/Ppi/KeyServicePpi.h
> + gKeyServicePpiGuid = {0x583592f6, 0xEC34, 0x4CED, {0x8E, 0x81, 0xC8, 0xD1,
> 0x36, 0x93, 0x04, 0x27}}
> +
> #
> # [Error.gEfiSecurityPkgTokenSpaceGuid]
> # 0x8001 | Invalid value provided.
> @@ -325,6 +341,31 @@ [PcdsFixedAtBuild, PcdsPatchableInModule]
>
>
> gEfiSecurityPkgTokenSpaceGuid.PcdCpuRngSupportedAlgorithm|{0x00,0x00,0x0
> 0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}|VOID
> *|0x00010032
>
> + ## Progress Code for variable integrity check result.
> + # DEFAULT: (EFI_PERIPHERAL_FIXED_MEDIA | [EFI_STATUS&0xFF])
> + # @Prompt Status Code for variable integiry check result
> +
> gEfiSecurityPkgTokenSpaceGuid.PcdStatusCodeVariableIntegrity|0x0107|U
> INT32|0x00010033
> +
> + ## Null-terminated Unicode string of the Platform Variable Name
> + # @Prompt known unprotected variable name
> +
> gEfiSecurityPkgTokenSpaceGuid.PcdPlatformVariableName|L""|VOID*|0x00010
> 034
> +
> + ## Guid name to identify Platform Variable Guid
> + # @Prompt known unprotected variable guid
> + gEfiSecurityPkgTokenSpaceGuid.PcdPlatformVariableGuid|{ 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00 }|VOID*|0x00010035
> +
> + ## Defines Protected Variable Integrity support.
> + # TRUE - Enable Protected Variable Integrity.
> + # FALSE - Disable Protected Variable Integrity.
> + # @Prompt Protected Variable Integrity support.
> +
> gEfiSecurityPkgTokenSpaceGuid.PcdProtectedVariableIntegrity|FALSE|BOOLEA
> N|0x00010036
> +
> + ## Defines Protected Variable Confidentiality support.
> + # TRUE - Enable Protected Variable Confidentiality.
> + # FALSE - Disable Protected Variable Confidentiality.
> + # @Prompt Protected Variable Integrity support.
> +
> gEfiSecurity
Re: [edk2-devel] [Patch v2 03/28] MdeModulePkg: Update AUTH_VARIABLE_INFO struct
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Vang, Judah
> Sent: Saturday, April 30, 2022 2:04 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Gao, Liming
> ; Mistry, Nishant C
> Subject: [Patch v2 03/28] MdeModulePkg: Update AUTH_VARIABLE_INFO struct
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> Added NameSize and State to AUTH_VARIABLE_INFO struct.
> The size of the name and state is needed when creating
> the variable digest.
>
> Cc: Jian J Wang
> Cc: Liming Gao
> Cc: Nishant C Mistry
> Signed-off-by: Jian J Wang
> Signed-off-by: Nishant C Mistry
> Signed-off-by: Judah Vang
> ---
> MdeModulePkg/Include/Library/AuthVariableLib.h | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/MdeModulePkg/Include/Library/AuthVariableLib.h
> b/MdeModulePkg/Include/Library/AuthVariableLib.h
> index 37aceba699e6..32391bbf2b61 100644
> --- a/MdeModulePkg/Include/Library/AuthVariableLib.h
> +++ b/MdeModulePkg/Include/Library/AuthVariableLib.h
> @@ -1,7 +1,7 @@
> /** @file
>Provides services to initialize and process authenticated variables.
>
> -Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.
> +Copyright (c) 2015 - 2022, Intel Corporation. All rights reserved.
> SPDX-License-Identifier: BSD-2-Clause-Patent
>
> **/
> @@ -25,9 +25,11 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> (OFFSET_OF
> (WIN_CERTIFICATE_UEFI_GUID, CertData)))
>
> typedef struct {
> + UINTN NameSize;
>CHAR16 *VariableName;
>EFI_GUID*VendorGuid;
>UINT32 Attributes;
> + UINT8 State;
>UINTN DataSize;
>VOID*Data;
>UINT32 PubKeyIndex;
> --
> 2.35.1.windows.2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#89699): https://edk2.groups.io/g/devel/message/89699
Mute This Topic: https://groups.io/mt/90781888/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [Patch v2 01/28] MdeModulePkg: Add new GUID for Variable Store Info
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Vang, Judah
> Sent: Saturday, April 30, 2022 2:04 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Gao, Liming
> ; Mistry, Nishant C
> Subject: [Patch v2 01/28] MdeModulePkg: Add new GUID for Variable Store Info
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> Discover if Variable Store Info HOB has been published
> by platform driver. It contains information in regards
> to HOB or NV Variable Store availability
>
> Cc: Jian J Wang
> Cc: Liming Gao
> Cc: Nishant C Mistry
> Signed-off-by: Jian J Wang
> Signed-off-by: Nishant C Mistry
> Signed-off-by: Judah Vang
> ---
> MdeModulePkg/MdeModulePkg.dec | 13 -
> 1 file changed, 12 insertions(+), 1 deletion(-)
>
> diff --git a/MdeModulePkg/MdeModulePkg.dec
> b/MdeModulePkg/MdeModulePkg.dec
> index cf79292ec877..f39827e4eacd 100644
> --- a/MdeModulePkg/MdeModulePkg.dec
> +++ b/MdeModulePkg/MdeModulePkg.dec
> @@ -4,7 +4,7 @@
> # and libraries instances, which are used for those modules.
> #
> # Copyright (c) 2019, NVIDIA CORPORATION. All rights reserved.
> -# Copyright (c) 2007 - 2021, Intel Corporation. All rights reserved.
> +# Copyright (c) 2007 - 2022, Intel Corporation. All rights reserved.
> # Copyright (c) 2016, Linaro Ltd. All rights reserved.
> # (C) Copyright 2016 - 2019 Hewlett Packard Enterprise Development LP
> # Copyright (c) 2017, AMD Incorporated. All rights reserved.
> @@ -93,6 +93,14 @@ [LibraryClasses]
>#
>TpmMeasurementLib|Include/Library/TpmMeasurementLib.h
>
> + ## @libraryclass Provides interfaces to encrypt/decrypt variable.
> + #
> + EncryptionVariableLib|Include/Library/EncryptionVariableLib.h
> +
> + ## @libraryclass Provides interfaces to encrypt/decrypt variable.
> + #
> + ProtectedVariableLib|Include/Library/ProtectedVariableLib.h
> +
>## @libraryclass Provides authenticated variable services.
>#
>AuthVariableLib|Include/Library/AuthVariableLib.h
> @@ -505,6 +513,9 @@ [Ppis]
>gEdkiiPeiCapsuleOnDiskPpiGuid = { 0x71a9ea61, 0x5a35, 0x4a5d,
> { 0xac,
> 0xef, 0x9c, 0xf8, 0x6d, 0x6d, 0x67, 0xe0 } }
>gEdkiiPeiBootInCapsuleOnDiskModePpiGuid = { 0xb08a11e4, 0xe2b7, 0x4b75,
> { 0xb5, 0x15, 0xaf, 0x61, 0x6, 0x68, 0xbf, 0xd1 } }
>
> + ## Include/Ppi/ReadOnlyVariable2.h
> + gEfiPeiVariableStoreDiscoveredPpiGuid = { 0xa2fc038d, 0xfdf5, 0x4501,
> { 0xaf, 0x8e, 0x69, 0xb0, 0x20, 0xec, 0xe6, 0x63 } }
> +
> [Protocols]
>## Load File protocol provides capability to load and unload EFI image into
> memory and execute it.
># Include/Protocol/LoadPe32Image.h
> --
> 2.35.1.windows.2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#89698): https://edk2.groups.io/g/devel/message/89698
Mute This Topic: https://groups.io/mt/90781884/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [Patch v2 04/28] MdeModulePkg: Add reference to new Ppi Guid
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Vang, Judah
> Sent: Saturday, April 30, 2022 2:04 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Gao, Liming
> ; Mistry, Nishant C
> Subject: [Patch v2 04/28] MdeModulePkg: Add reference to new Ppi Guid
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> Add reference to gEfiPeiVariableStoreDiscoveredPpiGuid which
> contains information whether variable store is available.
>
> Cc: Jian J Wang
> Cc: Liming Gao
> Cc: Nishant C Mistry
> Signed-off-by: Jian J Wang
> Signed-off-by: Nishant C Mistry
> Signed-off-by: Judah Vang
> ---
> MdePkg/Include/Ppi/ReadOnlyVariable2.h | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/MdePkg/Include/Ppi/ReadOnlyVariable2.h
> b/MdePkg/Include/Ppi/ReadOnlyVariable2.h
> index 926c0bc82a43..c5a8470565bb 100644
> --- a/MdePkg/Include/Ppi/ReadOnlyVariable2.h
> +++ b/MdePkg/Include/Ppi/ReadOnlyVariable2.h
> @@ -2,7 +2,7 @@
>This file declares Read-only Variable Service2 PPI.
>This ppi permits read-only access to the UEFI variable store during the PEI
> phase.
>
> -Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
> +Copyright (c) 2006 - 2022, Intel Corporation. All rights reserved.
> SPDX-License-Identifier: BSD-2-Clause-Patent
>
>@par Revision Reference:
> @@ -106,4 +106,6 @@ struct _EFI_PEI_READ_ONLY_VARIABLE2_PPI {
>
> extern EFI_GUID gEfiPeiReadOnlyVariable2PpiGuid;
>
> +extern EFI_GUID gEfiPeiVariableStoreDiscoveredPpiGuid;
> +
> #endif
> --
> 2.35.1.windows.2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#89697): https://edk2.groups.io/g/devel/message/89697
Mute This Topic: https://groups.io/mt/90781889/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [Patch v2 05/28] MdeModulePkg: Add new ProtectedVariable GUIDs
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Vang, Judah
> Sent: Saturday, April 30, 2022 2:04 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Gao, Liming
> ; Mistry, Nishant C
> Subject: [Patch v2 05/28] MdeModulePkg: Add new ProtectedVariable GUIDs
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> New ProtectVariable GUIDs for passing variable information
> from PEI phase to SMM phase.
>
> Cc: Jian J Wang
> Cc: Liming Gao
> Cc: Nishant C Mistry
> Signed-off-by: Jian J Wang
> Signed-off-by: Nishant C Mistry
> Signed-off-by: Judah Vang
> ---
> MdeModulePkg/Include/Guid/ProtectedVariable.h | 22
>
> 1 file changed, 22 insertions(+)
>
> diff --git a/MdeModulePkg/Include/Guid/ProtectedVariable.h
> b/MdeModulePkg/Include/Guid/ProtectedVariable.h
> new file mode 100644
> index ..0c6e19e0456b
> --- /dev/null
> +++ b/MdeModulePkg/Include/Guid/ProtectedVariable.h
> @@ -0,0 +1,22 @@
> +/** @file
> + The GUID definitions specific for protected variable services.
> +
> +Copyright (c) 2022, Intel Corporation. All rights reserved.
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#ifndef PROTECTED_VARIABLE_H_
> +#define PROTECTED_VARIABLE_H_
> +
> +#define EDKII_PROTECTED_VARIABLE_GLOBAL_GUID \
> + { 0x8ebf379a, 0xf18e, 0x4728, { 0xa4, 0x10, 0x0, 0xcf, 0x9a, 0x65, 0xbe,
> 0x91 } }
> +
> +#define EDKII_METADATA_HMAC_VARIABLE_GUID \
> + { 0xb54cda50, 0xec54, 0x4b20, { 0x85, 0xb4, 0x57, 0xbf, 0x52, 0x98, 0x68,
> 0x3d } }
> +
> +extern EFI_GUID gEdkiiProtectedVariableGlobalGuid;
> +extern EFI_GUID gEdkiiMetaDataHmacVariableGuid;
> +extern EFI_GUID gEdkiiProtectedVariableContextGuid;
> +
> +#endif // __PROTECTED_VARIABLE_H__
> --
> 2.35.1.windows.2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#89696): https://edk2.groups.io/g/devel/message/89696
Mute This Topic: https://groups.io/mt/90781890/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [Patch v2 06/28] MdeModulePkg: Add new include files
Hi Judah,
Please check my comments inlined below.
Regards,
Jian
> -Original Message-
> From: Vang, Judah
> Sent: Saturday, April 30, 2022 2:04 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Gao, Liming
> ; Mistry, Nishant C
> Subject: [Patch v2 06/28] MdeModulePkg: Add new include files
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> Add EncryptionVariableLib.h for providing encryption and
> decryption services for protected variables.
> Add ProtectedVariableLib.h for providing integrity or
> variables.
>
> Cc: Jian J Wang
> Cc: Liming Gao
> Cc: Nishant C Mistry
> Signed-off-by: Jian J Wang
> Signed-off-by: Nishant C Mistry
> Signed-off-by: Judah Vang
> ---
> MdeModulePkg/Include/Library/EncryptionVariableLib.h | 165 +
> MdeModulePkg/Include/Library/ProtectedVariableLib.h | 700
>
> 2 files changed, 865 insertions(+)
>
> diff --git a/MdeModulePkg/Include/Library/EncryptionVariableLib.h
> b/MdeModulePkg/Include/Library/EncryptionVariableLib.h
> new file mode 100644
> index ..c7740e659dcf
> --- /dev/null
> +++ b/MdeModulePkg/Include/Library/EncryptionVariableLib.h
> @@ -0,0 +1,165 @@
> +/** @file
> + Provides services to encrypt/decrypt variables.
> +
> +Copyright (c) 2022, Intel Corporation. All rights reserved.
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#ifndef ENCRYPTION_VARIABLE_LIB_H_
> +#define ENCRYPTION_VARIABLE_LIB_H_
> +
> +#include
> +
> +#include
> +
> +#include
> +
> +#define ENC_TYPE_NULL 0
> +#define ENC_TYPE_AES TPM_ALG_AES
> +
> +typedef struct _VARIABLE_ENCRYPTION_FLAGS {
> + BOOLEANAuth;// Variable is authenticated or not
> + BOOLEANDecryptInPlace; // Do decryption in place
> + BOOLEANProtected; // Variable is protected or not
> +} VARIABLE_ENCRYPTION_FLAGS;
> +
> +typedef struct _VARIABLE_ENCRYPTION_INFO {
> + AUTH_VARIABLE_INFO Header;// Authenticated varabile
> header
> + VARIABLE_HEADER *Buffer; // Pointer to variable
> buffer
> + UINT64 StoreIndex;// Variable store index
> + VOID *PlainData;// Pointer to plain data
> + UINT32 PlainDataSize; // Size of plain data
> + VOID *CipherData; // Pointer to cipher data
> + UINT32 CipherDataSize;// Size of cipher data
> + UINT32 CipherHeaderSize; // Size of cipher header
> + UINT32 CipherDataType;// Type of cipher data
> + VOID *Key; // Pointer to
> encrypt/decrypt key
> + UINT32 KeySize; // Size of key
> + VARIABLE_ENCRYPTION_FLAGSFlags; // Encryption flags
> +} VARIABLE_ENCRYPTION_INFO;
> +
> +/**
> + Encrypt variable data.
> +
> + @param[in, out] VarInfo Pointer to structure containing detailed
> information about a variable.
> +
> + @retval EFI_SUCCESS Function successfully executed.
> + @retval EFI_INVALID_PARAMETER If ProtectedVarLibContextIn == NULL or
> ProtectedVarLibContextOut == NULL.
> + @retval EFI_OUT_OF_RESOURCES Fail to allocate enough resource.
> + @retval EFI_UNSUPPORTED Unsupported to process authenticated
> variable.
[JianJW] authenticated -> encrypted
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +EncryptVariable (
> + IN OUT VARIABLE_ENCRYPTION_INFO *VarInfo
> + );
> +
> +/**
> + Decrypt variable data.
> +
> + If VarEncInfo->CipherData is not NULL, it must holds the cipher data to be
> + decrypted. Otherwise, assume the cipher data from variable data buffer,
> i.e.
> + VarEncInfo->Header.Data.
> +
> + If VarEncInfo->Flags.DecryptInPlace is TRUE, the decrypted data will be put
> + back in the same buffer as cipher buffer got above, after encryption
> header,
> + which helps to identify later if the data in buffer is decrypted or not.
> This
> + can avoid repeat decryption when accessing the same variable more than
> once.
> +
> + If VarEncInfo->Flags.DecryptInPlace is FALSE, VarEncInfo->PlainData must be
> + passed in with a valid buffer with VarEncInfo->PlainDataSize set correctly
> + with its size.
> +
> + Note the VarEncInfo->PlainData is always pointing to the buffer address
> with
> + decrypted data without encryption header, and VarEncInfo->PlainDataSize is
> + always the size of original variable data, if this function returned
> + successfully.
> +
> + @param[in, out] VarInfo Poi
Re: [edk2-devel] [PATCH] Bug 3898 - S3 Resume result in executing garbage address
Reviewed-by: Jian J Wang Regards, Jian > -Original Message- > From: devel@edk2.groups.io On Behalf Of cbduggap > Sent: Monday, April 25, 2022 12:39 PM > To: devel@edk2.groups.io > Subject: [edk2-devel] [PATCH] Bug 3898 - S3 Resume result in executing garbage > address > > In Release Build, Trying to execute ppi Function even after > Locate ppi failed. > > Signed-off-by: cbduggap > --- > MdeModulePkg/Core/DxeIplPeim/DxeLoad.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/MdeModulePkg/Core/DxeIplPeim/DxeLoad.c > b/MdeModulePkg/Core/DxeIplPeim/DxeLoad.c > index 2c19f1a507..d7f02df5f5 100644 > --- a/MdeModulePkg/Core/DxeIplPeim/DxeLoad.c > +++ b/MdeModulePkg/Core/DxeIplPeim/DxeLoad.c > @@ -288,6 +288,7 @@ DxeLoadCore ( > EFI_ERROR_CODE | EFI_ERROR_MAJOR, > > (EFI_SOFTWARE_PEI_MODULE | > EFI_SW_PEI_EC_S3_RESUME_PPI_NOT_FOUND) > > ); > > + CpuDeadLoop (); > > } > > > > ASSERT_EFI_ERROR (Status); > > -- > 2.36.0.windows.1 > > > > -=-=-=-=-=-= > Groups.io Links: You receive all messages sent to this group. > View/Reply Online (#89252): https://edk2.groups.io/g/devel/message/89252 > Mute This Topic: https://groups.io/mt/90678471/1768734 > Group Owner: devel+ow...@edk2.groups.io > Unsubscribe: https://edk2.groups.io/g/devel/unsub [jian.j.w...@intel.com] > -=-=-=-=-=-= > -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#89325): https://edk2.groups.io/g/devel/message/89325 Mute This Topic: https://groups.io/mt/90678471/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v1 1/1] MdeModulePkg: PiSmmCore: Inspect memory guarded with pool headers
It looks good to me. Thanks for fixing it.
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: devel@edk2.groups.io On Behalf Of Kun Qin
> Sent: Wednesday, March 16, 2022 12:00 PM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen ; Dong, Eric ; Ni,
> Ray ; Wang, Jian J ; Gao, Liming
>
> Subject: [edk2-devel] [PATCH v1 1/1] MdeModulePkg: PiSmmCore: Inspect
> memory guarded with pool headers
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3488
>
> Current free pool routine from PiSmmCore will inspect memory guard status
> for target buffer without considering pool headers. This could lead to
> `IsMemoryGuarded` function to return incorrect results.
>
> In that sense, allocating a 0 sized pool could cause an allocated buffer
> directly points into a guard page, which is legal. However, trying to
> free this pool will cause the routine changed in this commit to read XP
> pages, which leads to page fault.
>
> This change will inspect memory guarded with pool headers. This can avoid
> errors when a pool content happens to be on a page boundary.
>
> Cc: Jiewen Yao
> Cc: Eric Dong
> Cc: Ray Ni
> Cc: Jian J Wang
> Cc: Liming Gao
>
> Signed-off-by: Kun Qin
> ---
> MdeModulePkg/Core/PiSmmCore/Pool.c | 10 +-
> 1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/MdeModulePkg/Core/PiSmmCore/Pool.c
> b/MdeModulePkg/Core/PiSmmCore/Pool.c
> index 96ebe811c669..e1ff40a8ea55 100644
> --- a/MdeModulePkg/Core/PiSmmCore/Pool.c
> +++ b/MdeModulePkg/Core/PiSmmCore/Pool.c
> @@ -382,11 +382,6 @@ SmmInternalFreePool (
> return EFI_INVALID_PARAMETER;
>}
>
> - MemoryGuarded = IsHeapGuardEnabled () &&
> - IsMemoryGuarded ((EFI_PHYSICAL_ADDRESS)(UINTN)Buffer);
> - HasPoolTail = !(MemoryGuarded &&
> - ((PcdGet8 (PcdHeapGuardPropertyMask) & BIT7) == 0));
> -
>FreePoolHdr = (FREE_POOL_HEADER *)((POOL_HEADER *)Buffer - 1);
>ASSERT (FreePoolHdr->Header.Signature == POOL_HEAD_SIGNATURE);
>ASSERT (!FreePoolHdr->Header.Available);
> @@ -394,6 +389,11 @@ SmmInternalFreePool (
> return EFI_INVALID_PARAMETER;
>}
>
> + MemoryGuarded = IsHeapGuardEnabled () &&
> + IsMemoryGuarded ((EFI_PHYSICAL_ADDRESS)(UINTN)FreePoolHdr);
> + HasPoolTail = !(MemoryGuarded &&
> + ((PcdGet8 (PcdHeapGuardPropertyMask) & BIT7) == 0));
> +
>if (HasPoolTail) {
> PoolTail = HEAD_TO_TAIL (>Header);
> ASSERT (PoolTail->Signature == POOL_TAIL_SIGNATURE);
> --
> 2.35.1.windows.2
>
>
>
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#89209): https://edk2.groups.io/g/devel/message/89209
Mute This Topic: https://groups.io/mt/89815350/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH] MdeModulePkg/dec: update the PcdCpuStackGuard property
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Chen, Gang C
> Sent: Friday, April 08, 2022 11:52 AM
> To: devel@edk2.groups.io
> Cc: Jiang, Guomin ; Bi, Dandan
> ; Zhang, Di ; Wang, Jian J
> ; Gao, Liming ; Dong, Eric
> ; Ni, Ray
> Subject: [PATCH] MdeModulePkg/dec: update the PcdCpuStackGuard property
>
> Update the PcdCpuStackGuard from PcdsFixedAtBuild to PcdsDynamicEx.
>
> Meanwhile, remove the duplicate check for PcdCpuStackGuard for
> some limitation, which has been checked at the entry of
> InitializeMpExceptionStackSwitchHandlers.
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3897
>
> Cc: Jian J Wang
> Cc: Liming Gao
> Cc: devel@edk2.groups.io
> Cc: Eric Dong
> Cc: Ray Ni
>
> Signed-off-by: Gang Chen
> ---
> MdeModulePkg/MdeModulePkg.dec | 14 +++---
> .../CpuExceptionHandlerLib/PeiCpuException.c | 2 +-
> 2 files changed, 8 insertions(+), 8 deletions(-)
>
> diff --git a/MdeModulePkg/MdeModulePkg.dec
> b/MdeModulePkg/MdeModulePkg.dec
> index 463e889e9a..72e7e2eced 100644
> --- a/MdeModulePkg/MdeModulePkg.dec
> +++ b/MdeModulePkg/MdeModulePkg.dec
> @@ -1070,13 +1070,6 @@
># @Prompt The Heap Guard feature mask
>
> gEfiMdeModulePkgTokenSpaceGuid.PcdHeapGuardPropertyMask|0x0|UINT8|0
> x30001054
>
> - ## Indicates if UEFI Stack Guard will be enabled.
> - # If enabled, stack overflow in UEFI can be caught, preventing chaotic
> consequences.
> - # TRUE - UEFI Stack Guard will be enabled.
> - # FALSE - UEFI Stack Guard will be disabled.
> - # @Prompt Enable UEFI Stack Guard.
> -
> gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard|FALSE|BOOLEAN|0x30
> 001055
> -
> [PcdsFixedAtBuild, PcdsPatchableInModule]
>## Dynamic type PCD can be registered callback function for Pcd setting
> action.
># PcdMaxPeiPcdCallBackNumberPerPcdEntry indicates the maximum number
> of callback function
> @@ -2079,6 +2072,13 @@
># @Prompt Enable PCIe Resizable BAR Capability support.
>
> gEfiMdeModulePkgTokenSpaceGuid.PcdPcieResizableBarSupport|FALSE|BOOLE
> AN|0x1024
>
> + ## Indicates if UEFI Stack Guard will be enabled.
> + # If enabled, stack overflow in UEFI can be caught, preventing chaotic
> consequences.
> + # TRUE - UEFI Stack Guard will be enabled.
> + # FALSE - UEFI Stack Guard will be disabled.
> + # @Prompt Enable UEFI Stack Guard.
> +
> gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard|FALSE|BOOLEAN|0x00
> 010025
> +
> [PcdsPatchableInModule]
>## Specify memory size with page number for PEI code when
># Loading Module at Fixed Address feature is enabled.
> diff --git a/UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuException.c
> b/UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuException.c
> index 687fc4177f..bcd4175ffa 100644
> --- a/UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuException.c
> +++ b/UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuException.c
> @@ -254,7 +254,7 @@ InitializeCpuExceptionHandlersEx (
> //
> // Initializing stack switch is only necessary for Stack Guard
> functionality.
> //
> -if (PcdGetBool (PcdCpuStackGuard) && (InitData != NULL)) {
> +if (InitData != NULL) {
>Status = ArchSetupExceptionStack (InitData);
> }
>}
> --
> 2.35.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#88689): https://edk2.groups.io/g/devel/message/88689
Mute This Topic: https://groups.io/mt/90341216/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] 回复: [PATCH v1 01/28] MdeModulePkg: Add a new GUID
Hi Judah,
You could update the readme in edk2-staging or your own forked branch.
Here's an example in edk2-staging repo:
https://github.com/tianocore/edk2-staging/tree/ProtectedVariable/libs
BTW, I didn't find the cover letter patch (the file with name starting with
).
Please don't skip it and use it to give summary description for the whole patch
series.
Regards,
Jian
> -Original Message-
> From: devel@edk2.groups.io On Behalf Of gaoliming
> Sent: Monday, March 28, 2022 4:55 PM
> To: Vang, Judah ; devel@edk2.groups.io
> Cc: Wang, Jian J ; Mistry, Nishant C
>
> Subject: [edk2-devel] 回复: [PATCH v1 01/28] MdeModulePkg: Add a new GUID
>
> Judah:
> Is there the detail information or wiki about the code design and usage
> for this feature?
>
> Thanks
> Liming
> > -邮件原件-
> > 发件人: Judah Vang
> > 发送时间: 2022年3月26日 6:03
> > 收件人: devel@edk2.groups.io
> > 抄送: Jian J Wang ; Liming Gao
> > ; Nishant C Mistry
> > 主题: [PATCH v1 01/28] MdeModulePkg: Add a new GUID
> >
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
> >
> > Add a new Variable Store Guid.
> >
> > Cc: Jian J Wang
> > Cc: Liming Gao
> > Cc: Nishant C Mistry
> > Signed-off-by: Judah Vang
> > ---
> > MdeModulePkg/MdeModulePkg.dec | 13 -
> > 1 file changed, 12 insertions(+), 1 deletion(-)
> >
> > diff --git a/MdeModulePkg/MdeModulePkg.dec
> > b/MdeModulePkg/MdeModulePkg.dec
> > index 40601c95832b..681607db0da6 100644
> > --- a/MdeModulePkg/MdeModulePkg.dec
> > +++ b/MdeModulePkg/MdeModulePkg.dec
> > @@ -4,7 +4,7 @@
> > # and libraries instances, which are used for those modules.
> > #
> > # Copyright (c) 2019, NVIDIA CORPORATION. All rights reserved.
> > -# Copyright (c) 2007 - 2021, Intel Corporation. All rights reserved.
> > +# Copyright (c) 2007 - 2022, Intel Corporation. All rights reserved.
> > # Copyright (c) 2016, Linaro Ltd. All rights reserved.
> > # (C) Copyright 2016 - 2019 Hewlett Packard Enterprise Development
> > LP
> > # Copyright (c) 2017, AMD Incorporated. All rights reserved.
> > @@ -93,6 +93,14 @@ [LibraryClasses]
> >#
> >TpmMeasurementLib|Include/Library/TpmMeasurementLib.h
> >
> > + ## @libraryclass Provides interfaces to encrypt/decrypt variable.
> > + #
> > + EncryptionVariableLib|Include/Library/EncryptionVariableLib.h
> > +
> > + ## @libraryclass Provides interfaces to encrypt/decrypt variable.
> > + #
> > + ProtectedVariableLib|Include/Library/ProtectedVariableLib.h
> > +
> >## @libraryclass Provides authenticated variable services.
> >#
> >AuthVariableLib|Include/Library/AuthVariableLib.h
> > @@ -505,6 +513,9 @@ [Ppis]
> >gEdkiiPeiCapsuleOnDiskPpiGuid = { 0x71a9ea61, 0x5a35,
> > 0x4a5d, { 0xac, 0xef, 0x9c, 0xf8, 0x6d, 0x6d, 0x67, 0xe0 } }
> >gEdkiiPeiBootInCapsuleOnDiskModePpiGuid = { 0xb08a11e4, 0xe2b7,
> > 0x4b75, { 0xb5, 0x15, 0xaf, 0x61, 0x6, 0x68, 0xbf, 0xd1 } }
> >
> > + ## Include/Ppi/ReadOnlyVariable2.h
> > + gEfiPeiVariableStoreDiscoveredPpiGuid = { 0xa2fc038d, 0xfdf5,
> > 0x4501, { 0xaf, 0x8e, 0x69, 0xb0, 0x20, 0xec, 0xe6, 0x63 } }
> > +
> > [Protocols]
> >## Load File protocol provides capability to load and unload EFI image
> into
> > memory and execute it.
> ># Include/Protocol/LoadPe32Image.h
> > --
> > 2.26.2.windows.1
>
>
>
>
>
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#88153): https://edk2.groups.io/g/devel/message/88153
Mute This Topic: https://groups.io/mt/90080359/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v1 02/28] SecurityPkg: Add new GUIDs
Hi Judah,
The commit message is too simple to be useful for reviewers and developers.
Other patches have the same issue. Please add more descriptions to explain
the changes made in each patch (why and how).
Regards,
Jian
> -Original Message-
> From: Vang, Judah
> Sent: Saturday, March 26, 2022 7:21 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Yao, Jiewen ;
> Mistry, Nishant C
> Subject: [PATCH v1 02/28] SecurityPkg: Add new GUIDs
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> Add new GUIDs
>
> Cc: Jian J Wang
> Cc: Jiewen Yao
> Cc: Nishant C Mistry
> Signed-off-by: Judah Vang
> ---
> SecurityPkg/SecurityPkg.dec | 43 +++-
> 1 file changed, 42 insertions(+), 1 deletion(-)
>
> diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
> index 9f7a032d60d5..ea88908ea7d2 100644
> --- a/SecurityPkg/SecurityPkg.dec
> +++ b/SecurityPkg/SecurityPkg.dec
> @@ -5,7 +5,7 @@
> # It also provides the definitions(including PPIs/PROTOCOLs/GUIDs and
> library
> classes)
> # and libraries instances, which are used for those features.
> #
> -# Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
> +# Copyright (c) 2009 - 2022, Intel Corporation. All rights reserved.
> # (C) Copyright 2015 Hewlett Packard Enterprise Development LP
> # Copyright (c) Microsoft Corporation.
> # SPDX-License-Identifier: BSD-2-Clause-Patent
> @@ -217,6 +217,18 @@ [Guids]
>## GUID used to specify section with default dbt content
>gDefaultdbtFileGuid= { 0x36c513ee, 0xa338, 0x4976, { 0xa0,
> 0xfb,
> 0x6d, 0xdb, 0xa3, 0xda, 0xfe, 0x87 } }
>
> + ## Include/Guid/ProtectedVariable.h
> + # {8EBF379A-F18E-4728-A410-00CF9A65BE91}
> + gEdkiiProtectedVariableGlobalGuid = { 0x8ebf379a, 0xf18e, 0x4728, { 0xa4,
> 0x10, 0x0, 0xcf, 0x9a, 0x65, 0xbe, 0x91 } }
> +
> + ## Include/Guid/ProtectedVariable.h
> + # {e3e890ad-5b67-466e-904f-94ca7e9376bb}
> + gEdkiiMetaDataHmacVariableGuid = {0xe3e890ad, 0x5b67, 0x466e, {0x90,
> 0x4f, 0x94, 0xca, 0x7e, 0x93, 0x76, 0xbb}}
> +
> + ## Include/Guid/ProtectedVariable.h
> + # {a11a3652-875b-495a-b097-200917580b98}
> + gEdkiiProtectedVariableContextGuid = {0xa11a3652, 0x875b, 0x495a, {0xb0,
> 0x97, 0x20, 0x09, 0x17, 0x58, 0x0b, 0x98} }
> +
> [Ppis]
>## The PPI GUID for that TPM physical presence should be locked.
># Include/Ppi/LockPhysicalPresence.h
> @@ -242,6 +254,10 @@ [Ppis]
>## Include/Ppi/Tcg.h
>gEdkiiTcgPpiGuid = {0x57a13b87, 0x133d, 0x4bf3, { 0xbf, 0xf1, 0x1b, 0xca,
> 0xc7, 0x17, 0x6c, 0xf1 } }
>
> + ## Key Service Ppi
> + # Include/Ppi/KeyServicePpi.h
> + gKeyServicePpiGuid = {0x583592f6, 0xEC34, 0x4CED, {0x8E, 0x81, 0xC8, 0xD1,
> 0x36, 0x93, 0x04, 0x27}}
> +
> #
> # [Error.gEfiSecurityPkgTokenSpaceGuid]
> # 0x8001 | Invalid value provided.
> @@ -325,6 +341,31 @@ [PcdsFixedAtBuild, PcdsPatchableInModule]
>
>
> gEfiSecurityPkgTokenSpaceGuid.PcdCpuRngSupportedAlgorithm|{0x00,0x00,0x0
> 0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}|VOID
> *|0x00010032
>
> + ## Progress Code for variable integrity check result.
> + # DEFAULT: (EFI_PERIPHERAL_FIXED_MEDIA | [EFI_STATUS&0xFF])
> + # @Prompt Status Code for variable integiry check result
> +
> gEfiSecurityPkgTokenSpaceGuid.PcdStatusCodeVariableIntegrity|0x0107|U
> INT32|0x00010033
> +
> + ## Null-terminated Unicode string of the Platform Variable Name
> + # @Prompt known unprotected variable name
> +
> gEfiSecurityPkgTokenSpaceGuid.PcdPlatformVariableName|L""|VOID*|0x00010
> 034
> +
> + ## Guid name to identify Platform Variable Guid
> + # @Prompt known unprotected variable guid
> + gEfiSecurityPkgTokenSpaceGuid.PcdPlatformVariableGuid|{ 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00 }|VOID*|0x00010035
> +
> + ## Defines Protected Variable Integrity support.
> + # TRUE - Enable Protected Variable Integrity.
> + # FALSE - Disable Protected Variable Integrity.
> + # @Prompt Protected Variable Integrity support.
> +
> gEfiSecurityPkgTokenSpaceGuid.PcdProtectedVariableIntegrity|FALSE|BOOLEA
> N|0x00010036
> +
> + ## Defines Protected Variable Confidentiality support.
> + # TRUE - Enable Protected Variable Confidentiality.
> + # FALSE - Disable Protected Variable Confidentiality.
> + # @Prompt Protected Variable Integrity support.
> +
> gEfiSecurityPkgTokenSpaceGuid.PcdProtectedVariableConfidentiality|FALSE|BO
> OLEAN|0x00010037
> +
> [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
>## Image verification policy for OptionRom. O
Re: [edk2-devel] [PATCH v1 01/28] MdeModulePkg: Add a new GUID
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Vang, Judah
> Sent: Saturday, March 26, 2022 6:03 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Gao, Liming
> ; Mistry, Nishant C
> Subject: [PATCH v1 01/28] MdeModulePkg: Add a new GUID
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> Add a new Variable Store Guid.
>
> Cc: Jian J Wang
> Cc: Liming Gao
> Cc: Nishant C Mistry
> Signed-off-by: Judah Vang
> ---
> MdeModulePkg/MdeModulePkg.dec | 13 -
> 1 file changed, 12 insertions(+), 1 deletion(-)
>
> diff --git a/MdeModulePkg/MdeModulePkg.dec
> b/MdeModulePkg/MdeModulePkg.dec
> index 40601c95832b..681607db0da6 100644
> --- a/MdeModulePkg/MdeModulePkg.dec
> +++ b/MdeModulePkg/MdeModulePkg.dec
> @@ -4,7 +4,7 @@
> # and libraries instances, which are used for those modules.
> #
> # Copyright (c) 2019, NVIDIA CORPORATION. All rights reserved.
> -# Copyright (c) 2007 - 2021, Intel Corporation. All rights reserved.
> +# Copyright (c) 2007 - 2022, Intel Corporation. All rights reserved.
> # Copyright (c) 2016, Linaro Ltd. All rights reserved.
> # (C) Copyright 2016 - 2019 Hewlett Packard Enterprise Development LP
> # Copyright (c) 2017, AMD Incorporated. All rights reserved.
> @@ -93,6 +93,14 @@ [LibraryClasses]
>#
>TpmMeasurementLib|Include/Library/TpmMeasurementLib.h
>
> + ## @libraryclass Provides interfaces to encrypt/decrypt variable.
> + #
> + EncryptionVariableLib|Include/Library/EncryptionVariableLib.h
> +
> + ## @libraryclass Provides interfaces to encrypt/decrypt variable.
> + #
> + ProtectedVariableLib|Include/Library/ProtectedVariableLib.h
> +
>## @libraryclass Provides authenticated variable services.
>#
>AuthVariableLib|Include/Library/AuthVariableLib.h
> @@ -505,6 +513,9 @@ [Ppis]
>gEdkiiPeiCapsuleOnDiskPpiGuid = { 0x71a9ea61, 0x5a35, 0x4a5d,
> { 0xac,
> 0xef, 0x9c, 0xf8, 0x6d, 0x6d, 0x67, 0xe0 } }
>gEdkiiPeiBootInCapsuleOnDiskModePpiGuid = { 0xb08a11e4, 0xe2b7, 0x4b75,
> { 0xb5, 0x15, 0xaf, 0x61, 0x6, 0x68, 0xbf, 0xd1 } }
>
> + ## Include/Ppi/ReadOnlyVariable2.h
> + gEfiPeiVariableStoreDiscoveredPpiGuid = { 0xa2fc038d, 0xfdf5, 0x4501,
> { 0xaf, 0x8e, 0x69, 0xb0, 0x20, 0xec, 0xe6, 0x63 } }
> +
> [Protocols]
>## Load File protocol provides capability to load and unload EFI image into
> memory and execute it.
># Include/Protocol/LoadPe32Image.h
> --
> 2.26.2.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#88146): https://edk2.groups.io/g/devel/message/88146
Mute This Topic: https://groups.io/mt/90033942/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH V8 35/47] MdeModulePkg: Skip setting IA32_ERER.NXE if it has already been set
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Xu, Min M
> Sent: Saturday, March 12, 2022 9:54 AM
> To: devel@edk2.groups.io
> Cc: Xu, Min M ; Wang, Jian J ;
> Wu, Hao A ; Brijesh Singh ;
> Aktas, Erdem ; James Bottomley
> ; Yao, Jiewen ; Tom Lendacky
> ; Gerd Hoffmann
> Subject: [PATCH V8 35/47] MdeModulePkg: Skip setting IA32_ERER.NXE if it has
> already been set
>
> RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3429
>
> If IA32_ERER.NXE has already been set, skip setting it again.
>
> Cc: Jian J Wang
> Cc: Hao A Wu
> Cc: Brijesh Singh
> Cc: Erdem Aktas
> Cc: James Bottomley
> Cc: Jiewen Yao
> Cc: Tom Lendacky
> Cc: Gerd Hoffmann
> Acked-by: Gerd Hoffmann
> Signed-off-by: Min Xu
> ---
> MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c | 8 +---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c
> b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c
> index 0700f310b203..bb426d0d0a6f 100644
> --- a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c
> +++ b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c
> @@ -179,9 +179,11 @@ EnableExecuteDisableBit (
> {
>UINT64 MsrRegisters;
>
> - MsrRegisters = AsmReadMsr64 (0xC080);
> - MsrRegisters |= BIT11;
> - AsmWriteMsr64 (0xC080, MsrRegisters);
> + MsrRegisters = AsmReadMsr64 (0xC080);
> + if ((MsrRegisters & BIT11) == 0) {
> +MsrRegisters |= BIT11;
> +AsmWriteMsr64 (0xC080, MsrRegisters);
> + }
> }
>
> /**
> --
> 2.29.2.windows.2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#87562): https://edk2.groups.io/g/devel/message/87562
Mute This Topic: https://groups.io/mt/89725436/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH V8 36/47] MdeModulePkg: Add PcdTdxSharedBitMask
Reviewed-by: Jian J Wang Regards, Jian > -Original Message- > From: Xu, Min M > Sent: Saturday, March 12, 2022 9:54 AM > To: devel@edk2.groups.io > Cc: Xu, Min M ; Wang, Jian J ; > Wu, Hao A ; Brijesh Singh ; > Aktas, Erdem ; James Bottomley > ; Yao, Jiewen ; Tom Lendacky > ; Gerd Hoffmann > Subject: [PATCH V8 36/47] MdeModulePkg: Add PcdTdxSharedBitMask > > RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3429 > > Guest Physical Address (GPA) space in Td guest is divided into private > and shared sub-spaces, determined by the SHARED bit of GPA. This PCD > holds the shared bit mask. Its default value is 0 and it will be set > in PlatformPei driver if it is of Td guest. > > Cc: Jian J Wang > Cc: Hao A Wu > Cc: Brijesh Singh > Cc: Erdem Aktas > Cc: James Bottomley > Cc: Jiewen Yao > Cc: Tom Lendacky > Cc: Gerd Hoffmann > Acked-by: Gerd Hoffmann > Signed-off-by: Min Xu > --- > MdeModulePkg/MdeModulePkg.dec | 4 > OvmfPkg/AmdSev/AmdSevX64.dsc | 3 +++ > OvmfPkg/Bhyve/BhyveX64.dsc | 3 +++ > OvmfPkg/CloudHv/CloudHvX64.dsc | 3 +++ > OvmfPkg/Microvm/MicrovmX64.dsc | 3 +++ > OvmfPkg/OvmfPkgIa32.dsc| 3 +++ > OvmfPkg/OvmfPkgIa32X64.dsc | 1 + > OvmfPkg/OvmfPkgX64.dsc | 3 +++ > OvmfPkg/OvmfXen.dsc| 3 +++ > 9 files changed, 26 insertions(+) > > diff --git a/MdeModulePkg/MdeModulePkg.dec > b/MdeModulePkg/MdeModulePkg.dec > index 463e889e9a68..1a2425974f44 100644 > --- a/MdeModulePkg/MdeModulePkg.dec > +++ b/MdeModulePkg/MdeModulePkg.dec > @@ -2079,6 +2079,10 @@ ># @Prompt Enable PCIe Resizable BAR Capability support. > > gEfiMdeModulePkgTokenSpaceGuid.PcdPcieResizableBarSupport|FALSE|BOOLE > AN|0x1024 > > + ## This PCD holds the shared bit mask for page table entries when Tdx is > enabled. > + # @Prompt The shared bit mask when Intel Tdx is enabled. > + > gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask|0x0|UINT64|0x100 > 00025 > + > [PcdsPatchableInModule] >## Specify memory size with page number for PEI code when ># Loading Module at Fixed Address feature is enabled. > diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc > b/OvmfPkg/AmdSev/AmdSevX64.dsc > index c173a72134f4..dda98aa43bdb 100644 > --- a/OvmfPkg/AmdSev/AmdSevX64.dsc > +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc > @@ -558,6 +558,9 @@ ># Set memory encryption mask > > gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask| > 0x0 > > + # Set Tdx shared bit mask > + gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask|0x0 > + ># Set SEV-ES defaults >gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase|0 >gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbSize|0 > diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc > index 656e407473bb..0daae82d6705 100644 > --- a/OvmfPkg/Bhyve/BhyveX64.dsc > +++ b/OvmfPkg/Bhyve/BhyveX64.dsc > @@ -550,6 +550,9 @@ ># Set memory encryption mask > > gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask| > 0x0 > > + # Set Tdx shared bit mask > + gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask|0x0 > + >gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00 > ># MdeModulePkg resolution sets up the system display resolution > diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc > b/OvmfPkg/CloudHv/CloudHvX64.dsc > index c307f1cc7550..1732f281b435 100644 > --- a/OvmfPkg/CloudHv/CloudHvX64.dsc > +++ b/OvmfPkg/CloudHv/CloudHvX64.dsc > @@ -603,6 +603,9 @@ ># Set memory encryption mask > > gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask| > 0x0 > > + # Set Tdx shared bit mask > + gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask|0x0 > + ># Set SEV-ES defaults >gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase|0 >gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbSize|0 > diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc > b/OvmfPkg/Microvm/MicrovmX64.dsc > index 0eac0c02c630..cde90f523520 100644 > --- a/OvmfPkg/Microvm/MicrovmX64.dsc > +++ b/OvmfPkg/Microvm/MicrovmX64.dsc > @@ -592,6 +592,9 @@ ># Set memory encryption mask > > gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask| > 0x0 > > + # Set Tdx shared bit mask > + gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask|0x0 > + ># Set SEV-ES defaults >gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase|0 >gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbSize|0 > diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc > index 8f02dca63869..01a26c234a88 100644 > --- a/OvmfPkg/OvmfPkgIa32.dsc > +++ b/OvmfPkg/OvmfPkgIa32.dsc > @@ -618,6 +618,9 @@ ># Set memory encryption mask > > gEfiMdeModulePkgTok
Re: [edk2-devel] [PATCH V7 25/37] MdeModulePkg: EFER should not be changed in TDX
Ok for me.
Regards,
Jian
> -Original Message-
> From: Xu, Min M
> Sent: Friday, March 04, 2022 8:19 AM
> To: Wang, Jian J ; devel@edk2.groups.io
> Cc: Wu, Hao A ; Brijesh Singh ;
> Aktas, Erdem ; James Bottomley
> ; Yao, Jiewen ; Tom Lendacky
> ; Gerd Hoffmann
> Subject: RE: [PATCH V7 25/37] MdeModulePkg: EFER should not be changed in
> TDX
>
> On March 3, 2022 11:12 AM, Wang Jian wrote:
> >
> > Hi Min,
> >
> > I think the PCD should not be dynamic. Dynamic PCD is used for those
> > features which can be changed at boot time. But, for Intel processor, it
> > should always stay as FALSE. So there's no need to make it dynamic.
> > FixedAtBuild should be fine.
> >
> I realize this PCD is not necessary. According to [TDX] Sec 10.1.5,
> IA32_EFER.NXE is initialized to 1. So in the function EnableExecuteDisableBit
> @
> MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c, we can check if BIT11
> is set before calling AsmWriteMsr64. It looks like:
> VOID EnableExecuteDisableBit ( VOID )
> {
> UINT64 MsrRegisters;
>
> MsrRegisters = AsmReadMsr64 (0xC080);
> if ((MsrRegisters & BIT11) == 0) {
> MsrRegisters |= BIT11;
> AsmWriteMsr64 (0xC080, MsrRegisters);
> }
> }
>
> [TDX]
> https://www.intel.com/content/dam/develop/external/us/en/documents/tdx-
> module-1.0-public-spec-v0.931.pdf
>
> Thanks
> Min
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#87272): https://edk2.groups.io/g/devel/message/87272
Mute This Topic: https://groups.io/mt/89446174/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH V7 26/37] MdeModulePkg: Add PcdTdxSharedBitMask
Hi Min, Similar to patch 25, I don't see the needs to make this PCD dynamic only. Do you have any strong reasons? If not sure, maybe it'd be better to put it under following section. [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx] Regards, Jian > -Original Message- > From: Xu, Min M > Sent: Monday, February 28, 2022 3:21 PM > To: devel@edk2.groups.io > Cc: Xu, Min M ; Wang, Jian J ; > Wu, Hao A ; Brijesh Singh ; > Aktas, Erdem ; James Bottomley > ; Yao, Jiewen ; Tom Lendacky > ; Gerd Hoffmann > Subject: [PATCH V7 26/37] MdeModulePkg: Add PcdTdxSharedBitMask > > RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3429 > > Guest Physical Address (GPA) space in Td guest is divided into private > and shared sub-spaces, determined by the SHARED bit of GPA. This PCD > holds the shared bit mask. Its default value is 0 and it will be set > in PlatformPei driver if it is of Td guest. > > Cc: Jian J Wang > Cc: Hao A Wu > Cc: Brijesh Singh > Cc: Erdem Aktas > Cc: James Bottomley > Cc: Jiewen Yao > Cc: Tom Lendacky > Cc: Gerd Hoffmann > Acked-by: Gerd Hoffmann > Signed-off-by: Min Xu > --- > MdeModulePkg/MdeModulePkg.dec | 4 > 1 file changed, 4 insertions(+) > > diff --git a/MdeModulePkg/MdeModulePkg.dec > b/MdeModulePkg/MdeModulePkg.dec > index 453f2a74b11d..e90a7f38708c 100644 > --- a/MdeModulePkg/MdeModulePkg.dec > +++ b/MdeModulePkg/MdeModulePkg.dec > @@ -2143,6 +2143,10 @@ ># @Prompt The flag which indicates if IA32_EFER is allowed to be changed. > > gEfiMdeModulePkgTokenSpaceGuid.PcdIa32EferChangeAllowed|TRUE|BOOLEA > N|0x00030009 > > + ## This PCD holds the shared bit mask for page table entries when Tdx is > enabled. > + # @Prompt The shared bit mask when Intel Tdx is enabled. > + > gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask|0x0|UINT64|0x000 > 3000a > + > [PcdsDynamicEx] >## This dynamic PCD enables the default variable setting. ># Its value is the default store ID value. The default value is zero as > Standard > default. > -- > 2.29.2.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#87245): https://edk2.groups.io/g/devel/message/87245 Mute This Topic: https://groups.io/mt/89446176/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH V7 25/37] MdeModulePkg: EFER should not be changed in TDX
Hi Min,
I think the PCD should not be dynamic. Dynamic PCD is used for those features
which can be changed at boot time. But, for Intel processor, it should always
stay as FALSE. So there's no need to make it dynamic. FixedAtBuild should be
fine.
Regards,
Jian
> -Original Message-
> From: Xu, Min M
> Sent: Monday, February 28, 2022 3:21 PM
> To: devel@edk2.groups.io
> Cc: Xu, Min M ; Wang, Jian J ;
> Wu, Hao A ; Brijesh Singh ;
> Aktas, Erdem ; James Bottomley
> ; Yao, Jiewen ; Tom Lendacky
> ; Gerd Hoffmann
> Subject: [PATCH V7 25/37] MdeModulePkg: EFER should not be changed in TDX
>
> RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3429
>
> In TDX IA32_ERER is RO to host VMM. It could not be changed.
> PcdIa32EferChangeAllowed is added in MdeModulePkg.dec and it is
> to be set to FALSE in Tdx guest.
>
> Cc: Jian J Wang
> Cc: Hao A Wu
> Cc: Brijesh Singh
> Cc: Erdem Aktas
> Cc: James Bottomley
> Cc: Jiewen Yao
> Cc: Tom Lendacky
> Cc: Gerd Hoffmann
> Acked-by: Gerd Hoffmann
> Signed-off-by: Min Xu
> ---
> MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf | 1 +
> MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c | 7 +++
> MdeModulePkg/MdeModulePkg.dec| 5 +
> 3 files changed, 13 insertions(+)
>
> diff --git a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
> b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
> index 19b8a4c8aefa..106b679b6bd0 100644
> --- a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
> +++ b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
> @@ -117,6 +117,7 @@
>gEfiMdeModulePkgTokenSpaceGuid.PcdUse5LevelPageTable ##
> SOMETIMES_CONSUMES
>gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase##
> CONSUMES
>gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbSize##
> CONSUMES
> + gEfiMdeModulePkgTokenSpaceGuid.PcdIa32EferChangeAllowed ##
> CONSUMES
>
> [Pcd.IA32,Pcd.X64,Pcd.ARM,Pcd.AARCH64]
>gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack ##
> SOMETIMES_CONSUMES
> diff --git a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c
> b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c
> index 0700f310b203..5c647c74e773 100644
> --- a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c
> +++ b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c
> @@ -159,6 +159,13 @@ IsEnableNonExecNeeded (
> return FALSE;
>}
>
> + //
> + // Intel TDX sets this flag to FALSE.
> + //
> + if (!PcdGetBool (PcdIa32EferChangeAllowed)) {
> +return FALSE;
> + }
> +
>//
>// XD flag (BIT63) in page table entry is only valid if IA32_EFER.NXE is
> set.
>// Features controlled by Following PCDs need this feature to be enabled.
> diff --git a/MdeModulePkg/MdeModulePkg.dec
> b/MdeModulePkg/MdeModulePkg.dec
> index 463e889e9a68..453f2a74b11d 100644
> --- a/MdeModulePkg/MdeModulePkg.dec
> +++ b/MdeModulePkg/MdeModulePkg.dec
> @@ -2138,6 +2138,11 @@
># @Prompt GHCB Pool Size
>gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbSize|0|UINT64|0x00030008
>
> + ## This dynamic PCD indicates if IA32_EFER can be changed. The default
> value
> is TRUE but in
> + # Intel TDX change of IA32_EFER is not allowed.
> + # @Prompt The flag which indicates if IA32_EFER is allowed to be changed.
> +
> gEfiMdeModulePkgTokenSpaceGuid.PcdIa32EferChangeAllowed|TRUE|BOOLEA
> N|0x00030009
> +
> [PcdsDynamicEx]
>## This dynamic PCD enables the default variable setting.
># Its value is the default store ID value. The default value is zero as
> Standard
> default.
> --
> 2.29.2.windows.2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#87244): https://edk2.groups.io/g/devel/message/87244
Mute This Topic: https://groups.io/mt/89446174/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel][PATCH] edk2/MdeModulePkg/Debuglib: Add Standalone MM support
Reviewed-by: Jian J Wang Regards, Jian > -Original Message- > From: Jiang, Xiaolu > Sent: Friday, February 25, 2022 9:56 AM > To: devel@edk2.groups.io > Cc: Jiang, Xiaolu ; Wang, Jian J > ; Gao, Liming > Subject: [edk2-devel][PATCH] edk2/MdeModulePkg/Debuglib: Add Standalone > MM support > > https://bugzilla.tianocore.org/show_bug.cgi?id=3844 > > This change added Standalone MM instance of DebugLib. > > Cc: Jian J Wang > Cc: Liming Gao > > Signed-off-by: Xiaolu.Jiang > --- > .../PeiDxeDebugLibReportStatusCode.inf| 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git > a/MdeModulePkg/Library/PeiDxeDebugLibReportStatusCode/PeiDxeDebugLibR > eportStatusCode.inf > b/MdeModulePkg/Library/PeiDxeDebugLibReportStatusCode/PeiDxeDebugLibR > eportStatusCode.inf > index b52fc5686a..c7b75de38a 100644 > --- > a/MdeModulePkg/Library/PeiDxeDebugLibReportStatusCode/PeiDxeDebugLibR > eportStatusCode.inf > +++ > b/MdeModulePkg/Library/PeiDxeDebugLibReportStatusCode/PeiDxeDebugLibR > eportStatusCode.inf > @@ -2,7 +2,7 @@ > # Debug Library based on report status code library > > # > > # Debug Library for PEIMs and DXE drivers that sends debug messages to > ReportStatusCode > > -# Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved. > > +# Copyright (c) 2006 - 2022, Intel Corporation. All rights reserved. > > # > > # SPDX-License-Identifier: BSD-2-Clause-Patent > > # > > @@ -16,7 +16,7 @@ >FILE_GUID = bda39d3a-451b-4350-8266-81ab10fa0523 > >MODULE_TYPE= PEIM > >VERSION_STRING = 1.0 > > - LIBRARY_CLASS = DebugLib|DXE_CORE DXE_DRIVER > DXE_RUNTIME_DRIVER DXE_SMM_DRIVER SMM_CORE PEIM SEC PEI_CORE > UEFI_APPLICATION UEFI_DRIVER > > + LIBRARY_CLASS = DebugLib|DXE_CORE DXE_DRIVER > DXE_RUNTIME_DRIVER DXE_SMM_DRIVER SMM_CORE PEIM SEC PEI_CORE > UEFI_APPLICATION UEFI_DRIVER MM_STANDALONE > > > > # > > # The following information is for reference only and not required by the > build > tools. > > -- > 2.30.2.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#87116): https://edk2.groups.io/g/devel/message/87116 Mute This Topic: https://groups.io/mt/89317370/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH] edk2/MdeModulePkg/Debuglib: Add Standalone MM support
Please update the copyright year to 2022 (line 5). With it addressed, Reviewed-by: Jian J Wang Regards, Jian > -Original Message- > From: devel@edk2.groups.io On Behalf Of Xiaolu.Jiang > Sent: Tuesday, February 22, 2022 10:21 PM > To: devel@edk2.groups.io > Cc: Jiang, Xiaolu ; Wang, Jian J > ; Gao, Liming > Subject: [edk2-devel] [PATCH] edk2/MdeModulePkg/Debuglib: Add Standalone > MM support > > https://bugzilla.tianocore.org/show_bug.cgi?id=3844 > > This change added Standalone MM instance of DebugLib. > > Cc: Jian J Wang > Cc: Liming Gao > > Signed-off-by: Xiaolu.Jiang > --- > .../PeiDxeDebugLibReportStatusCode.inf | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git > a/MdeModulePkg/Library/PeiDxeDebugLibReportStatusCode/PeiDxeDebugLibR > eportStatusCode.inf > b/MdeModulePkg/Library/PeiDxeDebugLibReportStatusCode/PeiDxeDebugLibR > eportStatusCode.inf > index b52fc5686a..72456084ff 100644 > --- > a/MdeModulePkg/Library/PeiDxeDebugLibReportStatusCode/PeiDxeDebugLibR > eportStatusCode.inf > +++ > b/MdeModulePkg/Library/PeiDxeDebugLibReportStatusCode/PeiDxeDebugLibR > eportStatusCode.inf > @@ -16,7 +16,7 @@ >FILE_GUID = bda39d3a-451b-4350-8266-81ab10fa0523 > >MODULE_TYPE= PEIM > >VERSION_STRING = 1.0 > > - LIBRARY_CLASS = DebugLib|DXE_CORE DXE_DRIVER > DXE_RUNTIME_DRIVER DXE_SMM_DRIVER SMM_CORE PEIM SEC PEI_CORE > UEFI_APPLICATION UEFI_DRIVER > > + LIBRARY_CLASS = DebugLib|DXE_CORE DXE_DRIVER > DXE_RUNTIME_DRIVER DXE_SMM_DRIVER SMM_CORE PEIM SEC PEI_CORE > UEFI_APPLICATION UEFI_DRIVER MM_STANDALONE > > > > # > > # The following information is for reference only and not required by the > build > tools. > > -- > 2.30.2.windows.1 > > > > -=-=-=-=-=-= > Groups.io Links: You receive all messages sent to this group. > View/Reply Online (#86858): https://edk2.groups.io/g/devel/message/86858 > Mute This Topic: https://groups.io/mt/89317370/1768734 > Group Owner: devel+ow...@edk2.groups.io > Unsubscribe: https://edk2.groups.io/g/devel/unsub [jian.j.w...@intel.com] > -=-=-=-=-=-= > -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#86975): https://edk2.groups.io/g/devel/message/86975 Mute This Topic: https://groups.io/mt/89317370/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] Uncrustify Conversion Detailed Plan and Extended Hard Freeze Update #4
For CryptoPkg, SecurityPkg and SignedCapsulePkg,
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: devel@edk2.groups.io On Behalf Of Michael D
> Kinney
> Sent: Monday, December 06, 2021 9:18 AM
> To: Michael Kubacki ; devel@edk2.groups.io;
> maciej.rab...@linux.intel.com; Michael Kubacki
> ; Andrew Fish (af...@apple.com)
> ; Leif Lindholm ; Kinney, Michael D
>
> Subject: Re: [edk2-devel] Uncrustify Conversion Detailed Plan and Extended
> Hard Freeze Update #4
>
> Hello EDK II Maintainers,
>
> A detailed evaluation of the DEBUG_CODE() formatting issue has been
> completed.
> The reason DEBUG_CODE() is a challenge is that this looks like a macro from a
> C parsing perspective, but the EDK II usage places C statements or blocks of
> C code as the parameter to this macro.
>
> There are actually 2 methods available to mark a statement or a block of code
> to be included when the DEBUG_PROPERTY_DEBUG_CODE_ENABLED bit is
> enabled in
> PcdDebugPropertyMask. One is DEBUG_CODE() and the other is to mark the
> beginning
> and end of a code block with DEBUG_CODE_BEGIN() and DEBUG_CODE_END().
> In fact,
> DEBUG_CODE() is implemented using DEBUG_CODE_BEGIN() and
> DEBUG_CODE_END() macros.
>
> #define DEBUG_CODE(Expression) \
> DEBUG_CODE_BEGIN (); \
> Expression\
> DEBUG_CODE_END ()
>
> A complete review for the use of these DEBUG_CODE macros was performed on
> the
> edk2 repo. Uncrustify performs good formatting for code blocks between
> DEBUG_CODE_BEGIN() and DEBUG_CODE_END(). This is because these look
> like simple
> macros calls with no parameters and the lines of C code between these 2
> macros
> is formatted correctly.
>
> The uncrustify formatting issues are only present with the use of
> DEBUG_CODE().
> Simple use cases of DEBUG_CODE(Expression) where Expression is a single C
> statement also look correct. A medium complexity use case where Expression is
> a code block of simple statements or even some local variables and simple
> statements also look correct. It is only complex code blocks that use C
> statements such as if/for/while/case that include the use of braces {} does
> uncrustify perform incorrect formatting.
>
> The recommended solution to this issue is to convert the use of DEBUG_CODE()
> to DEBUG_CODE_BEGIN() / DEBUG_CODE_END() for cases where the
> Expression
> passed to DEBUG_CODE() is the complex use case that contains statements that
> use braces {}. There are 57 instances of this pattern across 40 files in the
> edk2 repo.
>
> I have posted a branch with these additional patches:
>
>
> https://github.com/mdkinney/edk2/tree/Bug_3737_3760_3739_ApplyUncrustif
> yChanges_V7
>
> I have performed CompareBuild tests with this revised patch series with
> the DEBUG_CODE changes. It passes 100% showing no binary differences.
>
> https://github.com/mdkinney/edk2/actions/runs/1542454606
>
> I have opened a PR to run this patch series through EDK II CI. It also passes
> 100%.
>
> https://github.com/tianocore/edk2/pull/2236
>
> The summary of changes made since the V6 review are:
>
> 1) Change uncrustify configuration assignment alignment threshold to 0
>
> align_assign_thresh = 0
>
> 2) Replace ", OPTIONAL" with " OPTIONAL,"
>
> 3) Replace DEBUG_CODE(Expression) with
>
>DEBUG_CODE_BEGIN();
>Expression
>DEBUG_CODE_END()
>
>if Expression is complex and contains braces {}.
>
> 4) No changes to uncrustify tool required.
>
> Please review the differences between the following 2 branches and provide
> feedback or a Series Reviewed-by if you agree with these additional changes.
>
>
> https://github.com/mdkinney/edk2/tree/Bug_3737_3760_3739_ApplyUncrustif
> yChanges_V6
>
> https://github.com/mdkinney/edk2/tree/Bug_3737_3760_3739_ApplyUncrustif
> yChanges_V7
>
> The goal is to complete the review and get the uncrustify change committed
> tomorrow so the extended hard freeze can be lifted.
>
> Thanks,
>
> Mike
>
> > -Original Message-
> > From: Kinney, Michael D
> > Sent: Thursday, December 2, 2021 6:23 PM
> > To: Michael Kubacki ; devel@edk2.groups.io;
> maciej.rab...@linux.intel.com; Michael Kubacki
> > ; Andrew Fish (af...@apple.com)
> ; Leif Lindholm ;
> > Kinney, Michael D
> > Subject: RE: [edk2-devel] Uncrustify Conversion Detailed Plan and Extended
> Hard Freeze Update #4
> >
> > Hello EDK II Maintainers,
> >
> > I have entered BZ 3760 to make the use of the OPTIONAL keyword style
> consistent for all of edk2 repo
> > and to be compatible with uncrustify.
> >
> > I have posted the following V6 branch that does the EFI_D_* to DEBUG_*
> changes, the OPTIONAL keyword
> > style changes, and the uncrustify changes with the one configuration change
> for assignment alignment.
> >
> >
> https://github.com/mdkinney/edk2/tree/Bug_3737_3760_3739_ApplyUncrustif
> yChanges_V6
> >
> > Please provide
Re: [edk2-devel] Uncrustify Conversion Detailed Plan and Extended Hard Freeze Update #4
For SignedCapulePkg, Reviewed-by: Jian J Wang Regards, Jian > -Original Message- > From: devel@edk2.groups.io On Behalf Of Michael D > Kinney > Sent: Wednesday, December 01, 2021 6:34 AM > To: devel@edk2.groups.io; Kinney, Michael D ; > Michael Kubacki ; Andrew Fish > (af...@apple.com) ; Leif Lindholm > Subject: [edk2-devel] Uncrustify Conversion Detailed Plan and Extended Hard > Freeze Update #4 > > Hello, > > Thank you for your patience during this extended hard freeze. > > Just one more step to go. There has been a delay in the review of > the patch series with the uncrustify source changes. PR(6). This > patch series was not sent out as patch review email because of its > very large size. It only contains source style changes and the > CompareBuild tool and GitHub action has shown there are no binary > differences introduced with these source style changes. > > If you are a package maintainer, then please review the following > branch/PR for your package contents and review the EDK II CI results > and BuildCompare results. I do not expect a line by line review > because we already had time to provide feedback on the source style > performed by uncrustify. Instead, a Reviewed-by for your package > indicates that you have reviewed the EDK II CI results and CompareBuild > tool functionality and results and you accept the source style > changes to your package. > >* > https://github.com/mdkinney/edk2/tree/Bug_3737_3739_ApplyUncrustifyChan > ges_V5 >* https://github.com/tianocore/edk2/pull/2229 >* https://github.com/mdkinney/edk2/actions/runs/1521618836 > > Additional details on this update below. > > Thank you, > > Mike > > > Changes from Update #3 > > * Pushed PR (5) > * Added link to PR(6). EDK II CI Status is PASS. Build Compare PASS. > * Waiting for review of PR (6) > * Review of PR (7) completed and waiting for review of PR (6) > > > Changes from Update #2 > > * Changed order of PRs swapping (4) and (5). The PR that activates > increases the max CI agent job time is independent of all the other > PRs and its review is complete, so it can be committed now. > * Pushed PRs (1), (2), (3), (4). > * Waiting for review to complete for PRs (5) and (6) > * Reviews complete for PR (7) > * Identifies steps using git filter-branch to apply uncrustify changes to a > code review patch series that was generated before the uncrustify changes > avoiding manual merge. > * Identified steps using git filter-repo to generate an alternate history of > the edk2 repo with uncrustify changes applied on every commit. This may > be useful when evaluating changes to files using tools like git blame > without the large uncrustify patch series. > --- > > Changes from Update #1 > > * Changed order of PRs swapping (6) and (7). The PR that activates > EDK II CI check UncrustifyCheck has to be last because it unconditionally > checks all C/H files in all packages. Not just files that have been > modified like some of the other checkers. > * Updated link to the branch with the UncrustifyCheck plugin that has been > updated with a one line change and Reviewed-by and Tested-by tags. > > https://github.com/mdkinney/edk2/tree/Bug_3748_add_uncrustify_ci_plugin_v > 6 > * Reviews complete for (1), (2), (3), (5), and (7) > --- > > Michael Kubacki and I have prepared the patches required to apply the > uncrustify changes and enable EDK II CI to check all submitted > patches have been run through uncrustify. > > We have verified through the CompareBuild GitHub Action that the > format changes performed by uncrustify have no functional changes. > All of the OBJ, LIB, DLL, EFI, FFS, FV, and FD files match 100% > across 70 VS2019/GCC5 builds of all package/platform DSC files in > the edk2 repo. > > The hard freeze will be extended after the edk2-stable202111 tag until > all uncrustify related changes are committed. We do not expect this > to take more than a few days. Do not push any PRs until the hard > freeze is lifted. > > The changes are broken up into 7 patch series/PRs. The PRs are ordered > so they can be submitted using the normal submission process and EDK II > CI will pass for each one. Details are listed below. > > Uncrustify 73.0.3 for EDK II > = > * Sources: https://dev.azure.com/projectmu/_git/Uncrustify > * Documentation: > https://dev.azure.com/projectmu/Uncrustify/_wiki/wikis/Uncrustify.wiki/1/Proj > ect-Mu-(EDK-II)-Fork-Readme > * Download: >
Re: [edk2-devel] Uncrustify Conversion Detailed Plan and Extended Hard Freeze Update #4
For SecurityPkg and CryptoPkg, Reviewed-by: Jian J Wang Regards, Jian > -Original Message- > From: devel@edk2.groups.io On Behalf Of Michael D > Kinney > Sent: Wednesday, December 01, 2021 6:34 AM > To: devel@edk2.groups.io; Kinney, Michael D ; > Michael Kubacki ; Andrew Fish > (af...@apple.com) ; Leif Lindholm > Subject: [edk2-devel] Uncrustify Conversion Detailed Plan and Extended Hard > Freeze Update #4 > > Hello, > > Thank you for your patience during this extended hard freeze. > > Just one more step to go. There has been a delay in the review of > the patch series with the uncrustify source changes. PR(6). This > patch series was not sent out as patch review email because of its > very large size. It only contains source style changes and the > CompareBuild tool and GitHub action has shown there are no binary > differences introduced with these source style changes. > > If you are a package maintainer, then please review the following > branch/PR for your package contents and review the EDK II CI results > and BuildCompare results. I do not expect a line by line review > because we already had time to provide feedback on the source style > performed by uncrustify. Instead, a Reviewed-by for your package > indicates that you have reviewed the EDK II CI results and CompareBuild > tool functionality and results and you accept the source style > changes to your package. > >* > https://github.com/mdkinney/edk2/tree/Bug_3737_3739_ApplyUncrustifyChan > ges_V5 >* https://github.com/tianocore/edk2/pull/2229 >* https://github.com/mdkinney/edk2/actions/runs/1521618836 > > Additional details on this update below. > > Thank you, > > Mike > > > Changes from Update #3 > > * Pushed PR (5) > * Added link to PR(6). EDK II CI Status is PASS. Build Compare PASS. > * Waiting for review of PR (6) > * Review of PR (7) completed and waiting for review of PR (6) > > > Changes from Update #2 > > * Changed order of PRs swapping (4) and (5). The PR that activates > increases the max CI agent job time is independent of all the other > PRs and its review is complete, so it can be committed now. > * Pushed PRs (1), (2), (3), (4). > * Waiting for review to complete for PRs (5) and (6) > * Reviews complete for PR (7) > * Identifies steps using git filter-branch to apply uncrustify changes to a > code review patch series that was generated before the uncrustify changes > avoiding manual merge. > * Identified steps using git filter-repo to generate an alternate history of > the edk2 repo with uncrustify changes applied on every commit. This may > be useful when evaluating changes to files using tools like git blame > without the large uncrustify patch series. > --- > > Changes from Update #1 > > * Changed order of PRs swapping (6) and (7). The PR that activates > EDK II CI check UncrustifyCheck has to be last because it unconditionally > checks all C/H files in all packages. Not just files that have been > modified like some of the other checkers. > * Updated link to the branch with the UncrustifyCheck plugin that has been > updated with a one line change and Reviewed-by and Tested-by tags. > > https://github.com/mdkinney/edk2/tree/Bug_3748_add_uncrustify_ci_plugin_v > 6 > * Reviews complete for (1), (2), (3), (5), and (7) > --- > > Michael Kubacki and I have prepared the patches required to apply the > uncrustify changes and enable EDK II CI to check all submitted > patches have been run through uncrustify. > > We have verified through the CompareBuild GitHub Action that the > format changes performed by uncrustify have no functional changes. > All of the OBJ, LIB, DLL, EFI, FFS, FV, and FD files match 100% > across 70 VS2019/GCC5 builds of all package/platform DSC files in > the edk2 repo. > > The hard freeze will be extended after the edk2-stable202111 tag until > all uncrustify related changes are committed. We do not expect this > to take more than a few days. Do not push any PRs until the hard > freeze is lifted. > > The changes are broken up into 7 patch series/PRs. The PRs are ordered > so they can be submitted using the normal submission process and EDK II > CI will pass for each one. Details are listed below. > > Uncrustify 73.0.3 for EDK II > = > * Sources: https://dev.azure.com/projectmu/_git/Uncrustify > * Documentation: > https://dev.azure.com/projectmu/Uncrustify/_wiki/wikis/Uncrustify.wiki/1/Proj > ect-Mu-(EDK-II)-Fork-Readme > * Download: >
Re: [edk2-devel] [Patch 04/12] CryptoPkg: Update YAML to ignore specific ECC files/errors
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Kinney, Michael D
> Sent: Wednesday, November 24, 2021 5:21 AM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen ; Wang, Jian J ;
> Lu, XiaoyuX ; Jiang, Guomin ;
> Sean Brogan ; Bret Barkelew
> ; Liming Gao ;
> Michael Kubacki
> Subject: [Patch 04/12] CryptoPkg: Update YAML to ignore specific ECC
> files/errors
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3749
>
> Update package YAML files to ignore ECC errors that are
> already present. These issues must be fixed in the future,
> but should not block source code changes for these known
> issues.
>
> Cc: Jiewen Yao
> Cc: Jian J Wang
> Cc: Xiaoyu Lu
> Cc: Guomin Jiang
> Cc: Sean Brogan
> Cc: Bret Barkelew
> Cc: Liming Gao
> Cc: Michael Kubacki
> Signed-off-by: Michael D Kinney
> ---
> CryptoPkg/CryptoPkg.ci.yaml | 10 +++---
> 1 file changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/CryptoPkg/CryptoPkg.ci.yaml b/CryptoPkg/CryptoPkg.ci.yaml
> index 1448299073de..eeb388ae71c5 100644
> --- a/CryptoPkg/CryptoPkg.ci.yaml
> +++ b/CryptoPkg/CryptoPkg.ci.yaml
> @@ -19,6 +19,9 @@
> ## "", ""
> ## ]
> "ExceptionList": [
> +"8001", "IsLeap",
> +"8001", "OBJ_get0_data",
> +"8001", "OBJ_length"
> ],
> ## Both file path and directory path are accepted.
> "IgnoreFiles": [
> @@ -26,14 +29,15 @@
> # The unit testing folder is not to be checked
> "Test/UnitTest",
> # This has OpenSSL interfaces that aren't UEFI spec compliant
> -"Library/BaseCryptLib/SysCall/UnitTestHostCrtWrapper.c",
> +"Library/BaseCryptLib/SysCall",
> # This has OpenSSL interfaces that aren't UEFI spec compliant
> "Library/OpensslLib/rand_pool.c",
> # This has OpenSSL interfaces that aren't UEFI spec compliant
> "Library/Include/CrtLibSupport.h",
> # These directories contain auto-generated OpenSSL content
> -"Library/OpensslLib/X64",
> -"Library/OpensslLib/X64Gcc"
> +"Library/OpensslLib",
> +"Library/IntrinsicLib",
> +"Library/BaseCryptLib/Pk/CryptPkcs7VerifyBase.c"
> ]
> },
> "CompilerPlugin": {
> --
> 2.32.0.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#84121): https://edk2.groups.io/g/devel/message/84121
Mute This Topic: https://groups.io/mt/87268738/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel][PATCH v4] MdeModulePkg/DxeCapsuleLibFmp: Use new Variable Lock interface
Just a format issue (see inline comment). With it addressed,
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: devel@edk2.groups.io On Behalf Of Yang Jie
> Sent: Friday, October 29, 2021 11:10 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Jiang, Guomin
> ; gaolim...@byosoft.com.cn; Yang, Jie
>
> Subject: [edk2-devel][PATCH v4] MdeModulePkg/DxeCapsuleLibFmp: Use new
> Variable Lock interface
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3699
> The code in MdeModulePkg\Library\DxeCapsuleLibFmp call the deprecated
> interface VariableLockRequestToLock.c. So I changed the code in
> FmpDevicePkg using RegisterBasicVariablePolicy, instead of the
> deprecated interface.
>
> Signed-off-by: Yang Jie
> Cc: Guomin Jiang
> Cc: Liming Gao
> Cc: Jian J Wang
> ---
> .../DxeCapsuleLibFmp/DxeCapsuleLib.inf| 5 +-
> .../DxeCapsuleLibFmp/DxeCapsuleReportLib.c| 87 +--
> 2 files changed, 62 insertions(+), 30 deletions(-)
>
> diff --git a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.inf
> b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.inf
> index 05de4299fb..9212c81d68 100644
> --- a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.inf
> +++ b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.inf
> @@ -3,7 +3,7 @@
> #
>
> # Capsule library instance for DXE_DRIVER module types.
>
> #
>
> -# Copyright (c) 2016 - 2019, Intel Corporation. All rights reserved.
>
> +# Copyright (c) 2016 - 2021, Intel Corporation. All rights reserved.
>
> # SPDX-License-Identifier: BSD-2-Clause-Patent
>
> #
>
> ##
>
> @@ -51,6 +51,7 @@
>DisplayUpdateProgressLib
>
>FileHandleLib
>
>UefiBootManagerLib
>
> + VariablePolicyHelperLib
>
>
>
> [Pcd]
>
>gEfiMdeModulePkgTokenSpaceGuid.PcdCapsuleMax
> ##
> CONSUMES
>
> @@ -71,11 +72,11 @@
> [Protocols]
>
>gEsrtManagementProtocolGuid ## CONSUMES
>
>gEfiFirmwareManagementProtocolGuid## CONSUMES
>
> - gEdkiiVariableLockProtocolGuid## SOMETIMES_CONSUMES
>
>gEdkiiFirmwareManagementProgressProtocolGuid ##
> SOMETIMES_CONSUMES
>
>gEfiSimpleFileSystemProtocolGuid ## SOMETIMES_CONSUMES
>
>gEfiBlockIoProtocolGuid ## CONSUMES
>
>gEfiDiskIoProtocolGuid## CONSUMES
>
> + gEdkiiVariablePolicyProtocolGuid ## CONSUMES
>
>
>
> [Guids]
>
>gEfiFmpCapsuleGuid ## SOMETIMES_CONSUMES ## GUID
>
> diff --git a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleReportLib.c
> b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleReportLib.c
> index 0ec5f20676..d90f131879 100644
> --- a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleReportLib.c
> +++ b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleReportLib.c
> @@ -1,14 +1,13 @@
> /** @file
>
>DXE capsule report related function.
>
>
>
> - Copyright (c) 2016 - 2019, Intel Corporation. All rights reserved.
>
> + Copyright (c) 2016 - 2021, Intel Corporation. All rights reserved.
>
>SPDX-License-Identifier: BSD-2-Clause-Patent
>
>
>
> **/
>
>
>
> #include
>
> #include
>
> -#include
>
> #include
>
> #include
>
> #include
>
> @@ -26,6 +25,7 @@
> #include
>
> #include
>
> #include
>
> +#include
>
>
>
> #include
>
>
>
> @@ -94,6 +94,39 @@ GetNewCapsuleResultIndex (
>return CurrentIndex + 1;
>
> }
>
>
>
> +/**
>
> + Lock Variable by variable policy
>
> +
>
> + @param[in] VariableGuid The Guid of the variable to be locked
>
> + @param[in] VariableName The name of the variable to be locked
>
> + @param[in] VariablePolicy The pointer of variable lock policy
>
> +**/
>
> +VOID LockVaraible (
>
> +IN CONST EFI_GUID VariableGuid,
>
> +IN CHAR16 *VariableName,
>
> +IN EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicy
>
The alignment in above lines are not correct (four spaces, should be two spaces
here).
> + )
>
> +{
>
> + EFI_STATUS Status;
>
> +
>
> + // Set the policies to protect the target variables
>
> + Status = RegisterBasicVariablePolicy (VariablePolicy,
>
> +,
>
> +VariableName,
>
> +
Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/FvReportPei: Remove the ASSERT to allow neither M nor V
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Jiang, Guomin
> Sent: Friday, October 15, 2021 12:31 PM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen ; Wang, Jian J
> Subject: [PATCH v2 1/1] SecurityPkg/FvReportPei: Remove the ASSERT to allow
> neither M nor V
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2673
>
> M mean that Measured Boot, V mean that Verified Boot.
>
> The FvReport do below:
> 1. Do nothing if neither M nor V
> 2. Allocate pages to save the firmware volume and use it to install
>firmware info Ppi
> 3. Install PreHashFv Ppi if the FV need measurement.
> 4. Verify the Hash if the FV need verification
>
> Notes:
> 1. The component is used to verify the FV or measure the FV
> 2. Copy action is just for security purpose but not main purpose.
> 3. If you use this component, Doesn't need to copy in other compoent
>which result time consumption.
>
> Signed-off-by: Guomin Jiang
> Cc: Jiewen Yao
> Cc: Jian J Wang
> ---
> SecurityPkg/FvReportPei/FvReportPei.c | 8 +---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/SecurityPkg/FvReportPei/FvReportPei.c
> b/SecurityPkg/FvReportPei/FvReportPei.c
> index 9f3ebd8ed174..6dce3298e3a2 100644
> --- a/SecurityPkg/FvReportPei/FvReportPei.c
> +++ b/SecurityPkg/FvReportPei/FvReportPei.c
> @@ -150,10 +150,12 @@ VerifyHashedFv (
>FvHashValue = HashValue;
>for (FvIndex = 0; FvIndex < FvNumber; ++FvIndex) {
> //
> -// FV must be meant for verified boot and/or measured boot.
> +// Not meant for verified boot and/or measured boot?
> //
> -ASSERT ((FvInfo[FvIndex].Flag & HASHED_FV_FLAG_VERIFIED_BOOT) != 0 ||
> -(FvInfo[FvIndex].Flag & HASHED_FV_FLAG_MEASURED_BOOT) != 0);
> +if ((FvInfo[FvIndex].Flag & HASHED_FV_FLAG_VERIFIED_BOOT) == 0 &&
> + (FvInfo[FvIndex].Flag & HASHED_FV_FLAG_MEASURED_BOOT) == 0) {
> + continue;
> +}
>
> //
> // Skip any FV not meant for current boot mode.
> --
> 2.30.0.windows.2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#82799): https://edk2.groups.io/g/devel/message/82799
Mute This Topic: https://groups.io/mt/86332350/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v6 1/3] MdeModulePkg/SortLib: Add QuickSort function on BaseLib
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Kuo, IanX
> Sent: Monday, October 18, 2021 12:21 PM
> To: devel@edk2.groups.io
> Cc: Chan, Amy ; Ni, Ray ; Kuo, IanX
> ; Wang, Jian J ; Liming Gao
>
> Subject: [PATCH v6 1/3] MdeModulePkg/SortLib: Add QuickSort function on
> BaseLib
>
> From: IanX Kuo
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3675
>
> Use QuickSort instead of QuickSortWorker
>
> Cc: Ray Ni
> Cc: Jian J Wang
> Cc: Liming Gao
> Signed-off-by: IanX Kuo
> ---
> .../Library/BaseSortLib/BaseSortLib.c | 115 +
> .../Library/UefiSortLib/UefiSortLib.c | 116 +-
> 2 files changed, 8 insertions(+), 223 deletions(-)
>
> diff --git a/MdeModulePkg/Library/BaseSortLib/BaseSortLib.c
> b/MdeModulePkg/Library/BaseSortLib/BaseSortLib.c
> index a12c7bc0ec..0903943ee4 100644
> --- a/MdeModulePkg/Library/BaseSortLib/BaseSortLib.c
> +++ b/MdeModulePkg/Library/BaseSortLib/BaseSortLib.c
> @@ -1,7 +1,7 @@
> /** @file
>
>Library used for sorting routines.
>
>
>
> - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
>
> + Copyright (c) 2009 - 2021, Intel Corporation. All rights reserved.
>
>SPDX-License-Identifier: BSD-2-Clause-Patent
>
>
>
> **/
>
> @@ -13,114 +13,6 @@
> #include
>
> #include
>
>
>
> -/**
>
> - Worker function for QuickSorting. This function is identical to
> PerformQuickSort,
>
> - except that is uses the pre-allocated buffer so the in place sorting does
> not
> need to
>
> - allocate and free buffers constantly.
>
> -
>
> - Each element must be equal sized.
>
> -
>
> - if BufferToSort is NULL, then ASSERT.
>
> - if CompareFunction is NULL, then ASSERT.
>
> - if Buffer is NULL, then ASSERT.
>
> -
>
> - if Count is < 2 then perform no action.
>
> - if Size is < 1 then perform no action.
>
> -
>
> - @param[in, out] BufferToSort on call a Buffer of (possibly sorted)
> elements
>
> - on return a buffer of sorted elements
>
> - @param[in] Count the number of elements in the buffer to sort
>
> - @param[in] ElementSize Size of an element in bytes
>
> - @param[in] CompareFunction The function to call to perform the
> comparison
>
> - of any 2 elements
>
> - @param[in] Buffer Buffer of size ElementSize for use in
> swapping
>
> -**/
>
> -VOID
>
> -EFIAPI
>
> -QuickSortWorker (
>
> - IN OUT VOID *BufferToSort,
>
> - IN CONST UINTNCount,
>
> - IN CONST UINTNElementSize,
>
> - IN SORT_COMPARE CompareFunction,
>
> - IN VOID *Buffer
>
> - )
>
> -{
>
> - VOID*Pivot;
>
> - UINTN LoopCount;
>
> - UINTN NextSwapLocation;
>
> -
>
> - ASSERT(BufferToSort != NULL);
>
> - ASSERT(CompareFunction != NULL);
>
> - ASSERT(Buffer != NULL);
>
> -
>
> - if ( Count < 2
>
> -|| ElementSize < 1
>
> - ){
>
> -return;
>
> - }
>
> -
>
> - NextSwapLocation = 0;
>
> -
>
> - //
>
> - // pick a pivot (we choose last element)
>
> - //
>
> - Pivot = ((UINT8*)BufferToSort+((Count-1)*ElementSize));
>
> -
>
> - //
>
> - // Now get the pivot such that all on "left" are below it
>
> - // and everything "right" are above it
>
> - //
>
> - for ( LoopCount = 0
>
> - ; LoopCount < Count -1
>
> - ; LoopCount++
>
> - ){
>
> -//
>
> -// if the element is less than the pivot
>
> -//
>
> -if
> (CompareFunction((VOID*)((UINT8*)BufferToSort+((LoopCount)*ElementSize)),
> Pivot) <= 0){
>
> - //
>
> - // swap
>
> - //
>
> - CopyMem (Buffer, (UINT8*)BufferToSort+(NextSwapLocation*ElementSize),
> ElementSize);
>
> - CopyMem ((UINT8*)BufferToSort+(NextSwapLocation*ElementSize),
> (UINT8*)BufferToSort+((LoopCount)*ElementSize), ElementSize);
>
> - CopyMem ((UINT8*)BufferToSort+((LoopCount)*ElementSize), Buffer,
> ElementSize);
>
> -
>
> - //
>
> - // increment NextSwapLocation
>
> - //
>
> - NextSwapLocation++;
>
> -}
>
> - }
>
> -
Re: [edk2-devel] [PATCH v3] MdeModulePkg/Core/Dxe: Acquire a lock when iterating gHandleList
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Ma, Hua
> Sent: Wednesday, October 13, 2021 3:45 PM
> To: devel@edk2.groups.io
> Cc: Ma, Hua ; Wang, Jian J ;
> Liming Gao ; Bi, Dandan ;
> Ni, Ray
> Subject: [PATCH v3] MdeModulePkg/Core/Dxe: Acquire a lock when iterating
> gHandleList
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3680
>
> This patch fixes the following issue:
>
> The global variable gHandleList is a linked list.
> This list is locked when a entry is added or removed from the list,
> but there is no lock when iterating this list in function
> CoreValidateHandle().
> It can lead to "Handle.c (76): CR has Bad Signature" assertion if the
> iterated entry in the list is just removed by other task during iterating.
>
> Currently some caller functions of CoreValidateHandle() have
> CoreAcquireProtocolLock(), but some caller functions of
> CoreValidateHandle() do not CoreAcquireProtocolLock().
> Add CoreAcquireProtocolLock() always when CoreValidateHandle() is called,
> Also, A lock check is added in the CoreValidateHandle().
>
> v3 changes:
> - keep ASSERT_LOCKED() in CoreValidateHandle()
> - Call CoreAcquireProtocolLock() before any calling of
> CoreValidateHandle() and CoreReleaseProtocolLock() afterwards
> - Update the commit message
>
> v2 changes:
> - Add lock check and comments in CoreGetProtocolInterface() before
> calling CoreValidateHandle()
> - Update the comments in CoreValidateHandle() header file
>
> v1: https://edk2.groups.io/g/devel/topic/86233569
>
> Cc: Jian J Wang
> Cc: Liming Gao
> Cc: Dandan Bi
> Cc: Ray Ni
> Signed-off-by: Hua Ma
> ---
> MdeModulePkg/Core/Dxe/Hand/DriverSupport.c | 16 +
> MdeModulePkg/Core/Dxe/Hand/Handle.c| 75 --
> MdeModulePkg/Core/Dxe/Hand/Handle.h| 1 +
> MdeModulePkg/Core/Dxe/Hand/Notify.c| 13 ++--
> 4 files changed, 64 insertions(+), 41 deletions(-)
>
> diff --git a/MdeModulePkg/Core/Dxe/Hand/DriverSupport.c
> b/MdeModulePkg/Core/Dxe/Hand/DriverSupport.c
> index feabf12faf..12a202417c 100644
> --- a/MdeModulePkg/Core/Dxe/Hand/DriverSupport.c
> +++ b/MdeModulePkg/Core/Dxe/Hand/DriverSupport.c
> @@ -68,7 +68,12 @@ CoreConnectController (
>//
>// Make sure ControllerHandle is valid
>//
> + CoreAcquireProtocolLock ();
> +
>Status = CoreValidateHandle (ControllerHandle);
> +
> + CoreReleaseProtocolLock ();
> +
>if (EFI_ERROR (Status)) {
> return Status;
>}
> @@ -268,7 +273,12 @@ AddSortedDriverBindingProtocol (
>//
>// Make sure the DriverBindingHandle is valid
>//
> + CoreAcquireProtocolLock ();
> +
>Status = CoreValidateHandle (DriverBindingHandle);
> +
> + CoreReleaseProtocolLock ();
> +
>if (EFI_ERROR (Status)) {
> return;
>}
> @@ -746,8 +756,11 @@ CoreDisconnectController (
>//
>// Make sure ControllerHandle is valid
>//
> + CoreAcquireProtocolLock ();
> +
>Status = CoreValidateHandle (ControllerHandle);
>if (EFI_ERROR (Status)) {
> +CoreReleaseProtocolLock ();
> return Status;
>}
>
> @@ -757,10 +770,13 @@ CoreDisconnectController (
>if (ChildHandle != NULL) {
> Status = CoreValidateHandle (ChildHandle);
> if (EFI_ERROR (Status)) {
> + CoreReleaseProtocolLock ();
>return Status;
> }
>}
>
> + CoreReleaseProtocolLock ();
> +
>Handle = ControllerHandle;
>
>//
> diff --git a/MdeModulePkg/Core/Dxe/Hand/Handle.c
> b/MdeModulePkg/Core/Dxe/Hand/Handle.c
> index 6eccb41ecb..92979281b7 100644
> --- a/MdeModulePkg/Core/Dxe/Hand/Handle.c
> +++ b/MdeModulePkg/Core/Dxe/Hand/Handle.c
> @@ -53,6 +53,7 @@ CoreReleaseProtocolLock (
>
> /**
>Check whether a handle is a valid EFI_HANDLE
> + The gProtocolDatabaseLock must be owned
>
>@param UserHandle The handle to check
>
> @@ -72,6 +73,8 @@ CoreValidateHandle (
> return EFI_INVALID_PARAMETER;
>}
>
> + ASSERT_LOCKED();
> +
>for (Link = gHandleList.BackLink; Link != Link =
> Link->BackLink) {
> Handle = CR (Link, IHANDLE, AllHandles, EFI_HANDLE_SIGNATURE);
> if (Handle == (IHANDLE *) UserHandle) {
> @@ -720,19 +723,19 @@ CoreUninstallProtocolInterface (
> return EFI_INVALID_PARAMETER;
>}
>
> + //
> + // Lock the protocol database
> + //
> + CoreAcquireProtocolLock ();
> +
>//
>// Check that UserHandle is a valid handle
>//
>Status = CoreValidateHandle (UserHandle);
>if (EFI_ERROR (Status)) {
> -return Status;
> +
Re: [edk2-devel] [PATCH v2] MdeModulePkg/Core/Dxe: Acquire a lock when iterating gHandleList
Hi Hua,
It looks a bit odd to me to add 'IsLocked' parameter and acquire lock
inside CoreValidateHandle() if it's FALSE. Maybe we can keep the
function prototype as-is but do something like below:
a) Just keep ASSERT_LOCKED() in CoreValidateHandle()
b) Call CoreAcquireProtocolLock() before any calling of CoreValidateHandle()
and CoreReleaseProtocolLock() afterwards.
Actually, CoreAcquireProtocolLock() is always called wherever
CoreValidateHandle()
is called. The problem is that, in many cases, CoreAcquireProtocolLock() is
called
after CoreValidateHandle(). We can simply move the calling of
CoreAcquireProtocolLock()
before CoreValidateHandle() to fix this problem.
For those cases CoreAcquireProtocolLock() is not called at all, just simply add
it.
Regards,
Jian
> -Original Message-
> From: Ma, Hua
> Sent: Tuesday, October 12, 2021 4:34 PM
> To: devel@edk2.groups.io
> Cc: Ma, Hua ; Wang, Jian J ;
> Liming Gao ; Bi, Dandan ;
> Ni, Ray
> Subject: [PATCH v2] MdeModulePkg/Core/Dxe: Acquire a lock when iterating
> gHandleList
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3680
>
> This patch fixes the following issue:
>
> The global variable gHandleList is a linked list.
> This list is locked when a entry is added or removed from the list,
> but there is no lock when iterating this list in function
> CoreValidateHandle().
> It can lead to "Handle.c (76): CR has Bad Signature" assertion if the
> iterated entry in the list is just removed by other task during iterating.
> Locking the list when iterating can fix this issue.
>
> v2 changes:
> - Add lock check and comments in CoreGetProtocolInterface() before
> calling CoreValidateHandle()
> - Update the comments in CoreValidateHandle() header file
>
> v1: https://edk2.groups.io/g/devel/topic/86233569
>
> Cc: Jian J Wang
> Cc: Liming Gao
> Cc: Dandan Bi
> Cc: Ray Ni
> Signed-off-by: Hua Ma
> ---
> MdeModulePkg/Core/Dxe/Hand/DriverSupport.c | 10 ++--
> MdeModulePkg/Core/Dxe/Hand/Handle.c| 56 +++---
> MdeModulePkg/Core/Dxe/Hand/Handle.h| 5 +-
> MdeModulePkg/Core/Dxe/Hand/Notify.c| 2 +-
> 4 files changed, 50 insertions(+), 23 deletions(-)
>
> diff --git a/MdeModulePkg/Core/Dxe/Hand/DriverSupport.c
> b/MdeModulePkg/Core/Dxe/Hand/DriverSupport.c
> index feabf12faf..eb8a765d2c 100644
> --- a/MdeModulePkg/Core/Dxe/Hand/DriverSupport.c
> +++ b/MdeModulePkg/Core/Dxe/Hand/DriverSupport.c
> @@ -68,7 +68,7 @@ CoreConnectController (
>//
>// Make sure ControllerHandle is valid
>//
> - Status = CoreValidateHandle (ControllerHandle);
> + Status = CoreValidateHandle (ControllerHandle, FALSE);
>if (EFI_ERROR (Status)) {
> return Status;
>}
> @@ -154,7 +154,7 @@ CoreConnectController (
> //
> // Make sure the DriverBindingHandle is valid
> //
> -Status = CoreValidateHandle (ControllerHandle);
> +Status = CoreValidateHandle (ControllerHandle, TRUE);
> if (EFI_ERROR (Status)) {
>//
>// Release the protocol lock on the handle database
> @@ -268,7 +268,7 @@ AddSortedDriverBindingProtocol (
>//
>// Make sure the DriverBindingHandle is valid
>//
> - Status = CoreValidateHandle (DriverBindingHandle);
> + Status = CoreValidateHandle (DriverBindingHandle, FALSE);
>if (EFI_ERROR (Status)) {
> return;
>}
> @@ -746,7 +746,7 @@ CoreDisconnectController (
>//
>// Make sure ControllerHandle is valid
>//
> - Status = CoreValidateHandle (ControllerHandle);
> + Status = CoreValidateHandle (ControllerHandle, FALSE);
>if (EFI_ERROR (Status)) {
> return Status;
>}
> @@ -755,7 +755,7 @@ CoreDisconnectController (
>// Make sure ChildHandle is valid if it is not NULL
>//
>if (ChildHandle != NULL) {
> -Status = CoreValidateHandle (ChildHandle);
> +Status = CoreValidateHandle (ChildHandle, FALSE);
> if (EFI_ERROR (Status)) {
>return Status;
> }
> diff --git a/MdeModulePkg/Core/Dxe/Hand/Handle.c
> b/MdeModulePkg/Core/Dxe/Hand/Handle.c
> index 6eccb41ecb..46f67d3d6a 100644
> --- a/MdeModulePkg/Core/Dxe/Hand/Handle.c
> +++ b/MdeModulePkg/Core/Dxe/Hand/Handle.c
> @@ -55,31 +55,46 @@ CoreReleaseProtocolLock (
>Check whether a handle is a valid EFI_HANDLE
>
>@param UserHandle The handle to check
> + @param IsLocked The protocol lock is acquried or not
>
>@retval EFI_INVALID_PARAMETER The handle is NULL or not a valid
> EFI_HANDLE.
> + @retval EFI_NOT_FOUND The handle is not found in the handle
> database.
>@retval EFI_SUCCESSThe handle is valid EFI_HAN
Re: [edk2-devel] [PATCH V2 1/1] SecurityPkg: Add debug log for indicating IBB verified OBB successfully
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Yang, Longlong
> Sent: Friday, September 17, 2021 10:51 AM
> To: devel@edk2.groups.io
> Cc: Yang, Longlong ; Yao, Jiewen
> ; Wang, Jian J ; Xu, Min M
> ; Zhang, Qi1
> Subject: [PATCH V2 1/1] SecurityPkg: Add debug log for indicating IBB verified
> OBB successfully
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3615
>
> Debug message should be added for indicating IBB is successfully verifying
> the OBB.
>
> Cc: Jiewen Yao
> Cc: Jian J Wang
> Cc: Min M Xu
> Cc: Qi Zhang
> Signed-off-by: Longlong Yang
> ---
> SecurityPkg/FvReportPei/FvReportPei.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/SecurityPkg/FvReportPei/FvReportPei.c
> b/SecurityPkg/FvReportPei/FvReportPei.c
> index e82413e090c0..9f3ebd8ed174 100644
> --- a/SecurityPkg/FvReportPei/FvReportPei.c
> +++ b/SecurityPkg/FvReportPei/FvReportPei.c
> @@ -344,6 +344,8 @@ CheckStoredHashFv (
> StoredHashFvPpi->FvNumber, BootMode);
> if (!EFI_ERROR (Status)) {
>
> + DEBUG ((DEBUG_INFO, "OBB verification passed (%r)\r\n", Status));
> +
>//
>// Report the FVs to PEI core and/or DXE core.
>//
> --
> 2.31.1.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#80838): https://edk2.groups.io/g/devel/message/80838
Mute This Topic: https://groups.io/mt/85668220/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH] MdeModulePkg PCD: FSP NotifyPhase APIs caused 100ms delay
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Yeh, GregX
> Sent: Monday, August 09, 2021 10:28 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Wu, Hao A ;
> Bi, Dandan ; Liming Gao
> Subject: [PATCH] MdeModulePkg PCD: FSP NotifyPhase APIs caused 100ms delay
>
> https://bugzilla.tianocore.org/show_bug.cgi?id=3525
>
> After PciSegmentLib using Dynamic PCD for Pcie base address such
> long delay found in FSP. The root cause is some of the PCD service
> PPIs not shadowed to memory and flash cache may have been disabled
> in NotifyPhase stage. Solution is to shadow all PCD service PPIs
> to memory.
>
> Signed-off-by: GregX Yeh
> Cc: Jian J Wang
> Cc: Hao A Wu
> Cc: Dandan Bi
> Cc: Liming Gao
> ---
> MdeModulePkg/Universal/PCD/Pei/Pcd.c | 71
> +++-
> 1 file changed, 70 insertions(+), 1 deletion(-)
>
> diff --git a/MdeModulePkg/Universal/PCD/Pei/Pcd.c
> b/MdeModulePkg/Universal/PCD/Pei/Pcd.c
> index 9c6346924f..f31e0be35f 100644
> --- a/MdeModulePkg/Universal/PCD/Pei/Pcd.c
> +++ b/MdeModulePkg/Universal/PCD/Pei/Pcd.c
> @@ -1,7 +1,7 @@
> /** @file
>
>All Pcd Ppi services are implemented here.
>
>
>
> -Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
>
> +Copyright (c) 2006 - 2021, Intel Corporation. All rights reserved.
>
> (C) Copyright 2016 Hewlett Packard Enterprise Development LP
>
> SPDX-License-Identifier: BSD-2-Clause-Patent
>
>
>
> @@ -339,6 +339,75 @@ PcdPeimInit (
> {
>
>EFI_STATUS Status;
>
>
>
> + Status = PeiServicesRegisterForShadow (FileHandle);
>
> + if (Status == EFI_ALREADY_STARTED) {
>
> +//
>
> +// This is now starting in memory, the second time starting.
>
> +//
>
> +EFI_PEI_PPI_DESCRIPTOR *OldPpiList;
>
> +EFI_PEI_PPI_DESCRIPTOR *OldPpiList2;
>
> +VOID *Ppi;
>
> +VOID *Ppi2;
>
> +
>
> +OldPpiList = NULL;
>
> +Status = PeiServicesLocatePpi (
>
> + ,
>
> + 0,
>
> + ,
>
> +
>
> + );
>
> +ASSERT_EFI_ERROR (Status);
>
> +
>
> +if (OldPpiList != NULL) {
>
> + Status = PeiServicesReInstallPpi (OldPpiList, [0]);
>
> + ASSERT_EFI_ERROR (Status);
>
> +}
>
> +
>
> +OldPpiList2 = NULL;
>
> +Status = PeiServicesLocatePpi (
>
> + ,
>
> + 0,
>
> + ,
>
> +
>
> + );
>
> +ASSERT_EFI_ERROR (Status);
>
> +
>
> +if (OldPpiList2 != NULL) {
>
> + Status = PeiServicesReInstallPpi (OldPpiList2, [0]);
>
> + ASSERT_EFI_ERROR (Status);
>
> +}
>
> +
>
> +OldPpiList = NULL;
>
> +Status = PeiServicesLocatePpi (
>
> + ,
>
> + 0,
>
> + ,
>
> +
>
> + );
>
> +ASSERT_EFI_ERROR (Status);
>
> +
>
> +if (OldPpiList != NULL) {
>
> + Status = PeiServicesReInstallPpi (OldPpiList, [1]);
>
> + ASSERT_EFI_ERROR (Status);
>
> +}
>
> +
>
> +OldPpiList2 = NULL;
>
> +Status = PeiServicesLocatePpi (
>
> + ,
>
> + 0,
>
> + ,
>
> +
>
> + );
>
> +ASSERT_EFI_ERROR (Status);
>
> +
>
> +if (OldPpiList2 != NULL) {
>
> + Status = PeiServicesReInstallPpi (OldPpiList2, [1]);
>
> + ASSERT_EFI_ERROR (Status);
>
> +}
>
> +
>
> +return Status;
>
> + }
>
> +
>
>BuildPcdDatabase (FileHandle);
>
>
>
>//
>
> --
> 2.32.0.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#79091): https://edk2.groups.io/g/devel/message/79091
Mute This Topic: https://groups.io/mt/84760812/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [RFC] MemoryProtectionLib for Dynamic Memory Guard Settings
Thanks for the RFC. I'm not object to this idea. The only concern from me is the potential security holes introduced by the changes. According to your description, it allows 3rd party software to violate memory protection policy. I'd like to see more explanations on how to avoid it to be exploited. +Jiewen, what's current process to evaluate the security threat? Regards, Jian > -Original Message- > From: Taylor Beebe > Sent: Friday, July 23, 2021 8:33 AM > To: devel@edk2.groups.io > Cc: spbro...@outlook.com; Dong, Eric ; Ni, Ray > ; Kumar, Rahul1 ; > mikub...@linux.microsoft.com; Wang, Jian J ; Wu, > Hao A ; Bi, Dandan ; > gaolim...@byosoft.com.cn; Dong, Guo ; Ma, Maurice > ; You, Benjamin > Subject: [RFC] MemoryProtectionLib for Dynamic Memory Guard Settings > > Current memory protection settings rely on FixedAtBuild PCD values > (minus PcdSetNxForStack). Because of this, the memory protection > configuration interface is fixed in nature. Cases arise in which memory > protections might need to be adjusted between boots (if platform design > allows) to avoid disabling a system. For example, platforms might choose > to allow the user to control their protection policies such as allow > execution of critical 3rd party software that might violate memory > protections. > > This RFC seeks your feedback regarding introducing an interface that > allows dynamic configuration of memory protection settings. > > I would like to propose two options: > 1. Describing the memory protection setting configuration in a HOB that > is produced by the platform. > 2. Introducing a library class (e.g. MemoryProtectionLib) that allows > abstraction of the memory protection setting configuration data source. > > In addition, I would like to know if the memory protection FixedAtBuild > PCDs currently in MdeModulePkg can be removed so we can move the > configuration interface entirely to an option above. > > In any case, I would like the settings to be visible to environments > such as Standalone MM where dynamic PCDs are not accessible. > > I am seeking your feedback on this proposal in preparation for sending > an edk2 patch series. > > -- > Taylor Beebe > Software Engineer @ Microsoft -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#78331): https://edk2.groups.io/g/devel/message/78331 Mute This Topic: https://groups.io/mt/84392478/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCHV2] CryptoPkg/BaseCryptLib: Enabled CryptSha512 for Smm/Runtime drivers
Pushed at eba32695ee6979137c86c3d20d0711d49d5c3ba8 Regards, Jian > -Original Message- > From: Yao, Jiewen > Sent: Thursday, June 24, 2021 10:06 AM > To: devel@edk2.groups.io; gaolim...@byosoft.com.cn; Xue, Shengfeng > ; Wang, Jian J > Cc: Xue, ShengfengX > Subject: RE: [edk2-devel] [PATCHV2] CryptoPkg/BaseCryptLib: Enabled > CryptSha512 for Smm/Runtime drivers > > Ah. Yes. I think so. > > Hi Jian > Can you help on that? > > > -Original Message- > > From: devel@edk2.groups.io On Behalf Of gaoliming > > Sent: Thursday, June 24, 2021 9:30 AM > > To: devel@edk2.groups.io; Yao, Jiewen ; Xue, > > Shengfeng ; Wang, Jian J > > > > Cc: Xue, ShengfengX > > Subject: 回复: [edk2-devel] [PATCHV2] CryptoPkg/BaseCryptLib: Enabled > > CryptSha512 for Smm/Runtime drivers > > > > So far, there is no objection for this patch. How about merge it? > > > > Thanks > > Liming > > > -邮件原件----- > > > 发件人: devel@edk2.groups.io 代表 Yao, Jiewen > > > 发送时间: 2021年6月9日 11:08 > > > 收件人: Xue, Shengfeng ; > > > devel@edk2.groups.io; Wang, Jian J > > > 抄送: Xue, ShengfengX > > > 主题: Re: [edk2-devel] [PATCHV2] CryptoPkg/BaseCryptLib: Enabled > > > CryptSha512 for Smm/Runtime drivers > > > > > > Thank you! Shengfeng > > > > > > Reviewed-by: Jiewen Yao > > > > > > I recommend to wait for *1 week*, to see if anyone has concern on size > > > change. > > > > > > Thank you > > > Yao Jiewen > > > > > > > > > > -Original Message- > > > > From: xueshengfeng > > > > Sent: Tuesday, June 8, 2021 12:31 PM > > > > To: devel@edk2.groups.io; Yao, Jiewen ; Wang, > > > Jian J > > > > > > > > Cc: Xue, ShengfengX > > > > Subject: [PATCHV2] CryptoPkg/BaseCryptLib: Enabled CryptSha512 for > > > > Smm/Runtime drivers > > > > > > > > Intel Platform utility Syscfg/sysfwupdt will trigger SMI > > > > to enter BIOS interface. then BIOS invoke EncodePassword > > > > in SMM mode to check password. > > > > it's need sha384(in CryptSha512.c) in SMM mode. > > > > > > > > the origin SmmCryptLib.lib size is 1389KB, > > > > after changed, the size is 1391KB. > > > > > > > > the origin RuntimeCryptLib.lib size is 911KB, > > > > after changed,the size is 913KB. > > > > > > > > in SmmCryptLib.inf and RuntimeCryptLib.inf, > > > > change CryptSha512NULL.c to CryptSha512.c. > > > > > > > > https://bugzilla.tianocore.org/show_bug.cgi?id=3423 > > > > > > > > Signed-off-by: xueshengfeng > > > > --- > > > > CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf | 6 +++--- > > > > CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf | 4 ++-- > > > > 2 files changed, 5 insertions(+), 5 deletions(-) > > > > > > > > diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf > > > > b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf > > > > index 3d3a6fb94a..fdbb6edfd2 100644 > > > > --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf > > > > +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf > > > > @@ -11,8 +11,8 @@ > > > > # functions, PKCS#7 SignedData sign functions, Diffie-Hellman > > functions, > > > and > > > > # authenticode signature verification functions are not supported in > > this > > > > instance. > > > > # > > > > -# Copyright (c) 2009 - 2020, Intel Corporation. All rights > > reserved. > > > > -# Copyright (c) 2020, Hewlett Packard Enterprise Development LP. All > > > rights > > > > reserved. > > > > +# Copyright (c) 2009 - 2021, Intel Corporation. All rights > > reserved. > > > > +# Copyright (c) 2021, Hewlett Packard Enterprise Development LP. All > > > rights > > > > reserved. > > > > # SPDX-License-Identifier: BSD-2-Clause-Patent > > > > # > > > > ## > > > > @@ -39,7 +39,7 @@ > > > >Hash/CryptSha1.c > > > >Hash/CryptSha256.c > > > >Hash/CryptSm3.c > > > > - Hash/CryptSha512Null.c > > > > + Hash/CryptSha512.c > > > >Hmac/CryptHmacSha256.c > > > >Kdf/CryptHkdf.c > > > >Cipher/CryptAes.c > > > > diff
Re: [edk2-devel] [PATCH] SecurityPkg: TcgStorageOpalLib: Initialize SupportedAttributes parameter.
Acked-by: Jian J Wang > -Original Message- > From: Kuo, Scottie > Sent: Tuesday, June 01, 2021 5:26 PM > To: Yao, Jiewen ; devel@edk2.groups.io; Wang, Jian J > > Cc: Zhang, Qi1 ; Kumar, Rahul1 > ; Chu, Maggie > Subject: RE: [PATCH] SecurityPkg: TcgStorageOpalLib: Initialize > SupportedAttributes parameter. > > Hi, @Wang, Jian J > Please help to review the patch. Thanks > > Best regards, > Scottie > > -Original Message- > From: Yao, Jiewen > Sent: Thursday, May 27, 2021 6:32 PM > To: Kuo, Scottie ; devel@edk2.groups.io > Cc: Zhang, Qi1 ; Kumar, Rahul1 > ; Chu, Maggie ; Wang, Jian > J > Subject: RE: [PATCH] SecurityPkg: TcgStorageOpalLib: Initialize > SupportedAttributes parameter. > > Reviewed-by: Jiewen Yao > > Hi Scottie > Please remember to add Wang, Jian J as reviewer too. > > Thank you > Yao Jiewen > > > -Original Message- > > From: Kuo, Scottie > > Sent: Monday, May 24, 2021 2:41 PM > > To: devel@edk2.groups.io > > Cc: Kuo, Scottie ; Zhang, Qi1 > > ; Kumar, Rahul1 ; Yao, > > Jiewen ; Chu, Maggie > > Subject: [PATCH] SecurityPkg: TcgStorageOpalLib: Initialize > > SupportedAttributes parameter. > > > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3408 > > > > The value of SupportedAttributes in OpalGetSupportedAttributesInfo () > > is left undetermined, if the caller doesn't initialize it. > > Initialize it in the function entry. > > > > Signed-off-by: Scottie Kuo > > Cc: Qi Zhang > > Cc: Rahul Kumar > > Cc: Jiewen Yao > > Cc: Maggie Chu > > --- > > SecurityPkg/Library/TcgStorageOpalLib/TcgStorageOpalCore.c | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > diff --git > > a/SecurityPkg/Library/TcgStorageOpalLib/TcgStorageOpalCore.c > > b/SecurityPkg/Library/TcgStorageOpalLib/TcgStorageOpalCore.c > > index b58597e61f..c840590e8e 100644 > > --- a/SecurityPkg/Library/TcgStorageOpalLib/TcgStorageOpalCore.c > > +++ b/SecurityPkg/Library/TcgStorageOpalLib/TcgStorageOpalCore.c > > @@ -1,7 +1,7 @@ > > /** @file > >Public API for Opal Core library. > > > > -Copyright (c) 2016 - 2018, Intel Corporation. All rights > > reserved. > > +Copyright (c) 2016 - 2021, Intel Corporation. All rights > > +reserved. > > SPDX-License-Identifier: BSD-2-Clause-Patent > > > > **/ > > @@ -1647,6 +1647,7 @@ OpalGetSupportedAttributesInfo( > >NULL_CHECK(OpalBaseComId); > > > >ZeroMem(Buffer, BUFFER_SIZE); > > + ZeroMem(SupportedAttributes, sizeof(OPAL_DISK_SUPPORT_ATTRIBUTE)); > >ASSERT(sizeof(Buffer) >= sizeof(TCG_SUPPORTED_SECURITY_PROTOCOLS)); > > > >// > > -- > > 2.26.2.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#76503): https://edk2.groups.io/g/devel/message/76503 Mute This Topic: https://groups.io/mt/83121358/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v1 3/3] CryptoPkg/BaseCryptLib: Fix possible uninitialized use
Ard, Patch 1&2 haven't got r-b. I'm not sure we can merge patch 3 separately. Regards, Jian > -Original Message- > From: Ard Biesheuvel > Sent: Tuesday, May 18, 2021 3:27 PM > To: edk2-devel-groups-io ; Liming Gao (Byosoft address) > > Cc: ser...@posteo.net; Yao, Jiewen ; Wang, Jian J > ; Lu, XiaoyuX ; Jiang, Guomin > > Subject: Re: [edk2-devel] [PATCH v1 3/3] CryptoPkg/BaseCryptLib: Fix possible > uninitialized use > > Please merge this fix asap. Our CI is broken because of it, and we are > in the soft freeze so we need the CI up and running to catch potential > issues before the release. > > Thanks, > Ard. > > On Tue, 18 May 2021 at 02:59, gaoliming wrote: > > > > Sergei: > > Yes. GCC49 is LTO disable GCC tool chain. GCC5 is LTO enable tool chain. > > They both work on the different GCC version, such as gcc5, gcc6.. > > > > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90844 mentions > > -ffat-lto-objects option that can trig the warning with LTO option. Do you > > try it? > > > > If this option works, we can update GCC5 tool chain definition in > > tools_def.txt, then this issue can be detected in CI GCC5 build. > > > > Thanks > > Liming > > > -邮件原件----- > > > 发件人: devel@edk2.groups.io 代表 Sergei > > > Dmitrouk > > > 发送时间: 2021年5月15日 21:01 > > > 收件人: devel@edk2.groups.io; jiewen@intel.com > > > 抄送: Wang, Jian J ; Lu, XiaoyuX > > > ; Jiang, Guomin > > > 主题: Re: [edk2-devel] [PATCH v1 3/3] CryptoPkg/BaseCryptLib: Fix possible > > > uninitialized use > > > > > > Hello Jiewen, > > > > > > I get the error only for GCC49 and not for GCC5 toolchain. CI uses GCC5. > > > > > > So I compared build commands and this seems to depend on LTO. Adding > > > `-flto` > > > impedes compiler's ability to detect such simple issues. > > > > > > I've found relevant bug report, there is even fix suggestion from last > > month: > > > > > > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90844 > > > > > > Regards, > > > Sergei > > > > > > On Sat, May 15, 2021 at 12:30:44AM +, Yao, Jiewen wrote: > > > > Hi Sergei > > > > Thank you very much for the fix. > > > > Reviewed-by: Jiewen Yao > > > > > > > > I am a little surprised why it is not caught before. It is an obvious > > logic issue. > > > > > > > > Do you think we can do anything on CI, to catch it during pre-check-in > > in the > > > future? > > > > I just feel it is burden to make it post-check-in fix. > > > > > > > > > > > > Thank you > > > > Yao Jiewen > > > > > > > > > -Original Message- > > > > > From: Sergei Dmitrouk > > > > > Sent: Friday, May 14, 2021 8:17 PM > > > > > To: devel@edk2.groups.io > > > > > Cc: Yao, Jiewen ; Wang, Jian J > > > ; > > > > > Lu, XiaoyuX ; Jiang, Guomin > > > > > > > > Subject: [PATCH v1 3/3] CryptoPkg/BaseCryptLib: Fix possible > > uninitialized > > > use > > > > > > > > > > `Result` can be used uninitialized in both functions after following > > > > > either first or second `goto` statement. > > > > > > > > > > Cc: Jiewen Yao > > > > > Cc: Jian J Wang > > > > > Cc: Xiaoyu Lu > > > > > Cc: Guomin Jiang > > > > > Signed-off-by: Sergei Dmitrouk > > > > > --- > > > > > CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPss.c | 1 + > > > > > CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssSign.c | 1 + > > > > > 2 files changed, 2 insertions(+) > > > > > > > > > > diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPss.c > > > > > b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPss.c > > > > > index 4009d37d5f91..0b2960f06c4c 100644 > > > > > --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPss.c > > > > > +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPss.c > > > > > @@ -82,6 +82,7 @@ RsaPssVerify ( > > > > >EVP_PKEY_CTX *KeyCtx; > > > > >CONST EVP_MD *HashAlg; > > > > > > > > > > + Result = FALSE; > > > > >EvpRsaKey = NULL; > > > > >EvpVerifyCtx = NULL; > > > > >KeyCtx = NULL; > > > > > diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssSign.c > > > > > b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssSign.c > > > > > index b66b6f7296ad..ece765f9ae0a 100644 > > > > > --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssSign.c > > > > > +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssSign.c > > > > > @@ -97,6 +97,7 @@ RsaPssSign ( > > > > >EVP_PKEY_CTX *KeyCtx; > > > > >CONST EVP_MD *HashAlg; > > > > > > > > > > + Result = FALSE; > > > > >EvpRsaKey = NULL; > > > > >EvpVerifyCtx = NULL; > > > > >KeyCtx = NULL; > > > > > -- > > > > > 2.17.6 > > > > > > > > > > > > > > > > > > > > > > > > > > > > -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#75241): https://edk2.groups.io/g/devel/message/75241 Mute This Topic: https://groups.io/mt/82906677/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v3 1/1] CryptoPkg: BaseCryptLib: Add RSA PSS verify support
Pushed at 22ac5cc9d9db34056f7c97e994fd9def683ebb2e
Regards,
Jian
> -Original Message-
> From: Yao, Jiewen
> Sent: Wednesday, May 05, 2021 10:09 AM
> To: Agrawal, Sachin ; devel@edk2.groups.io
> Cc: Wang, Jian J ; Lu, XiaoyuX ;
> Jiang, Guomin
> Subject: RE: [PATCH v3 1/1] CryptoPkg: BaseCryptLib: Add RSA PSS verify
> support
>
> Reviewed-by: Jiewen Yao
>
> > -Original Message-
> > From: Agrawal, Sachin
> > Sent: Wednesday, May 5, 2021 1:55 AM
> > To: devel@edk2.groups.io
> > Cc: Yao, Jiewen ; Wang, Jian J
> ;
> > Lu, XiaoyuX ; Jiang, Guomin
> ;
> > Agrawal, Sachin
> > Subject: [PATCH v3 1/1] CryptoPkg: BaseCryptLib: Add RSA PSS verify support
> >
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3314
> >
> > This patch uses Openssl's EVP API's to perform RSASSA-PSS verification
> > of a binary blob.
> >
> > Cc: Jiewen Yao
> > Cc: Jian J Wang
> > Cc: Xiaoyu Lu
> > Cc: Guomin Jiang
> >
> > Signed-off-by: Sachin Agrawal
> > ---
> >
> > Notes:
> > v3:
> > - Fixed gcc compilation error [CI System]
> >
> > CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPss.c|
> > 146
> > +++
> > CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssNull.c|
> > 46 +
> > CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssSign.c|
> > 169
> > +
> > CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssSignNull.c|
> > 60
> ++
> > CryptoPkg/Library/BaseCryptLibNull/Pk/CryptRsaPssNull.c|
> > 46 +
> > CryptoPkg/Library/BaseCryptLibNull/Pk/CryptRsaPssSignNull.c|
> > 60
> > ++
> > CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c |
> > 66
> > +++
> > CryptoPkg/Test/UnitTest/Library/BaseCryptLib/BaseCryptLibUnitTests.c |
> > 1
> +
> > CryptoPkg/Test/UnitTest/Library/BaseCryptLib/RsaPssTests.c |
> > 191
> >
> > CryptoPkg/Test/UnitTest/Library/BaseCryptLib/RsaTests.c|
> > 2 +
> > CryptoPkg/Include/Library/BaseCryptLib.h |
> > 74
> > CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf|
> > 2 +
> > CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf |
> > 2 +
> > CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf |
> > 2 +
> > CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf |
> > 2 +
> > CryptoPkg/Library/BaseCryptLib/UnitTestHostBaseCryptLib.inf|
> > 2 +
> > CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf|
> > 2 +
> > CryptoPkg/Private/Protocol/Crypto.h|
> > 78
> > CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLib.h|
> > 3 +
> > CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLibHost.inf |
> > 1
> +
> > CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLibShell.inf |
> > 1
> +
> > 21 files changed, 956 insertions(+)
> >
> > diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPss.c
> > b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPss.c
> > new file mode 100644
> > index ..af7cdafa4c47
> > --- /dev/null
> > +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPss.c
> > @@ -0,0 +1,146 @@
> > +/** @file
> > + RSA Asymmetric Cipher Wrapper Implementation over OpenSSL.
> > +
> > + This file implements following APIs which provide basic capabilities for
> > RSA:
> > + 1) RsaPssVerify
> > +
> > +Copyright (c) 2021, Intel Corporation. All rights reserved.
> > +SPDX-License-Identifier: BSD-2-Clause-Patent
> > +
> > +**/
> > +
> > +#include "InternalCryptLib.h"
> > +
> > +#include
> > +#include
> > +#include
> > +#include
> > +
> > +
> > +/**
> > + Retrieve a pointer to EVP message digest object.
> > +
> > + @param[in] DigestLen Length of the message digest.
> > +
> > +**/
> > +STATIC
> > +const
> > +EVP_MD*
> > +GetEvpMD (
> > + IN UINT16 DigestLen
> > + )
> > +{
> > + switch (DigestLen){
> > +case SHA256_DIGEST_SIZE:
> > + return EVP_sha256();
> > + break;
> > +case SHA384_DIGEST_S
Re: [edk2-devel] [Patch v2 2/4] CryptoPkg/Library/Include: Allow CPU specific defines to be predefined
Reviewed-by: Jian J Wang Regards, Jian > -Original Message- > From: Kinney, Michael D > Sent: Wednesday, April 14, 2021 11:28 AM > To: devel@edk2.groups.io > Cc: Yao, Jiewen ; Wang, Jian J ; > Lu, XiaoyuX ; Jiang, Guomin ; > Andrew Fish ; Abner Chang > Subject: [Patch v2 2/4] CryptoPkg/Library/Include: Allow CPU specific defines > to > be predefined > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3308 > > The EDK II Build Specifications do not restrict the set of > CPU architectures that can be supported. Remove places in > the EDK II that assume a fixed set of CPU architectures. > > Update SIXTY_FOUR_BIT and THIRTY_TWO_BIT defines in the > CryptoPkg to allow one of them to be predefined on the EDK II > build command line using /D flag or in DSC file [BuildOptions] > sections. > > Cc: Jiewen Yao > Cc: Jian J Wang > Cc: Xiaoyu Lu > Cc: Guomin Jiang > Cc: Andrew Fish > Cc: Abner Chang > Signed-off-by: Michael D Kinney > --- > CryptoPkg/Library/Include/CrtLibSupport.h | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/CryptoPkg/Library/Include/CrtLibSupport.h > b/CryptoPkg/Library/Include/CrtLibSupport.h > index 7a82f1d40633..b1dff03bdc0c 100644 > --- a/CryptoPkg/Library/Include/CrtLibSupport.h > +++ b/CryptoPkg/Library/Include/CrtLibSupport.h > @@ -2,7 +2,7 @@ >Root include file of C runtime library to support building the third-party >cryptographic library. > > -Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved. > +Copyright (c) 2010 - 2021, Intel Corporation. All rights reserved. > Copyright (c) 2020, Hewlett Packard Enterprise Development LP. All rights > reserved. > SPDX-License-Identifier: BSD-2-Clause-Patent > > @@ -44,6 +44,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > > #define CONFIG_HEADER_BN_H > > +#if !defined(SIXTY_FOUR_BIT) && !defined (THIRTY_TWO_BIT) > #if defined(MDE_CPU_X64) || defined(MDE_CPU_AARCH64) || > defined(MDE_CPU_IA64) || defined(MDE_CPU_RISCV64) > // > // With GCC we would normally use SIXTY_FOUR_BIT_LONG, but MSVC needs > @@ -56,6 +57,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > #else > #error Unknown target architecture > #endif > +#endif > > // > // Map all va_ elements to VA_xxx defined in MdePkg/Include/Base.h > -- > 2.31.1.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#74114): https://edk2.groups.io/g/devel/message/74114 Mute This Topic: https://groups.io/mt/82083398/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH EDK2 v2 1/1] SecurityPkg/FvReportPei: remove redundant sizeof
Yes, it's a typo. Thanks for fixing it. Reviewed-by: Jian J Wang Regards, Jian > -Original Message- > From: Yao, Jiewen > Sent: Wednesday, April 14, 2021 9:56 AM > To: devel@edk2.groups.io; xiewen...@huawei.com; Wang, Jian J > ; ler...@redhat.com > Cc: songdongku...@huawei.com > Subject: RE: [edk2-devel] [PATCH EDK2 v2 1/1] SecurityPkg/FvReportPei: remove > redundant sizeof > > It seems typo. I will let Jian to double confirm. > > Acked-by: Jiewen Yao > > > > > -Original Message- > > From: devel@edk2.groups.io On Behalf Of wenyi,xie > > via groups.io > > Sent: Wednesday, April 14, 2021 9:44 AM > > To: devel@edk2.groups.io; Yao, Jiewen ; Wang, Jian J > > ; ler...@redhat.com > > Cc: songdongku...@huawei.com; xiewen...@huawei.com > > Subject: [edk2-devel] [PATCH EDK2 v2 1/1] SecurityPkg/FvReportPei: remove > > redundant sizeof > > > > REF:https://bugzilla.tianocore.org/show_bug.cgi?id= > > > > In function InstallPreHashFvPpi, when calculating the size > > of struct HASH_INFO,sizeof is used twice. This bug does > > not lead to buffer overflow, "sizeof (HASH_INFO)" is 4, > > whereas "sizeof (sizeof (HASH_INFO))" is 4 or 8. > > > > Cc: Jiewen Yao > > Cc: Jian J Wang > > Cc: Laszlo Ersek > > Signed-off-by: Wenyi Xie > > Reviewed-by: Laszlo Ersek > > --- > > SecurityPkg/FvReportPei/FvReportPei.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/SecurityPkg/FvReportPei/FvReportPei.c > > b/SecurityPkg/FvReportPei/FvReportPei.c > > index d709760ea3ce..e82413e090c0 100644 > > --- a/SecurityPkg/FvReportPei/FvReportPei.c > > +++ b/SecurityPkg/FvReportPei/FvReportPei.c > > @@ -67,7 +67,7 @@ InstallPreHashFvPpi ( > >HASH_INFO *HashInfo; > > > >PpiSize = sizeof (EDKII_PEI_FIRMWARE_VOLUME_INFO_PREHASHED_FV_PPI) > > -+ sizeof (sizeof (HASH_INFO)) > > ++ sizeof (HASH_INFO) > > + HashSize; > > > >PreHashedFvPpi = AllocatePool (PpiSize); > > -- > > 2.20.1.windows.1 > > > > > > > > > > -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#74077): https://edk2.groups.io/g/devel/message/74077 Mute This Topic: https://groups.io/mt/82081793/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Tcg2Smm: Initialize local Status variable
Pushed @ 54211ab10fcd8532b49f4024ebdb601a8eb07e3e
Regards,
Jian
> -Original Message-
> From: Michael Kubacki
> Sent: Tuesday, April 13, 2021 1:54 AM
> To: devel@edk2.groups.io; ler...@redhat.com
> Cc: Yao, Jiewen ; Wang, Jian J ;
> Zhang, Qi1 ; Kumar, Rahul1 ;
> Kun Qin
> Subject: Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Tcg2Smm: Initialize local
> Status variable
>
> Hi Laszlo and SecurityPkg maintainers,
>
> This is a relatively straightforward patch. Please let me know if
> anything else is needed for you to submit it.
>
> Thanks,
> Michael
>
> On 4/7/2021 9:06 AM, Laszlo Ersek wrote:
> > On 04/06/21 20:12, mikub...@linux.microsoft.com wrote:
> >> From: Michael Kubacki
> >>
> >> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3277
> >>
> >> Initializes the Status variable in TcgMmReadyToLock().
> >>
> >> Fixes a Clang build failure:
> >> Tcg2Smm.c - SecurityPkg\Tcg\Tcg2Smm\Tcg2Smm.c:254:7: error:
> >> variable 'Status' is used uninitialized whenever 'if'
> >> condition is false [-Werror,-Wsometimes-uninitialized]
> >>
> >> Initializing this variable is required to address a practical
> >> scenario in which the return value of TcgMmReadyToLock() is
> >> undefined based on conditional evaluation in the function.
> >>
> >> Cc: Jiewen Yao
> >> Cc: Jian J Wang
> >> Cc: Qi Zhang
> >> Cc: Rahul Kumar
> >> Cc: Kun Qin
> >> Signed-off-by: Michael Kubacki
> >> Reviewed-by: Jiewen Yao
> >> ---
> >>
> >> Notes:
> >> V2 change:
> >>
> >> Clarify in commit message that the issue reported by Clang is not
> >> solely a false positive.
> >>
> >> SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c | 2 ++
> >> 1 file changed, 2 insertions(+)
> >>
> >> diff --git a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
> b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
> >> index 589c08794bcf..f49eccb0bdf4 100644
> >> --- a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
> >> +++ b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
> >> @@ -253,6 +253,8 @@ TcgMmReadyToLock (
> >> {
> >> EFI_STATUS Status;
> >>
> >> + Status = EFI_SUCCESS;
> >> +
> >> if (mReadyToLockHandle != NULL) {
> >> Status = gMmst->MmiHandlerUnRegister (mReadyToLockHandle);
> >> mReadyToLockHandle = NULL;
> >>
> >
> > Awesome, thanks!
> >
> > I've also managed to look at the code now.
> >
> > Reviewed-by: Laszlo Ersek
> >
> > Thanks
> > Laszlo
> >
> >
> >
> >
> >
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#74004): https://edk2.groups.io/g/devel/message/74004
Mute This Topic: https://groups.io/mt/81896951/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH] CryptoPkg/OpensslLib: Upgrade OpenSSL to 1.1.1j
Hi Liu Wei,
Thanks for upgrading the openssl lib. Please fix the line ending issue. It's
required
by edk2 coding style that the line ending must Windows style.
Regards,
Jian
> -Original Message-
> From: Liu, WeiX C
> Sent: Thursday, March 18, 2021 1:51 PM
> To: devel@edk2.groups.io
> Cc: Liu, WeiX C ; Wang, Jian J
> Subject: [PATCH] CryptoPkg/OpensslLib: Upgrade OpenSSL to 1.1.1j
>
> From: Liu Wei
>
> Update openssl from 1.1.1g to 1.1.1j. Current OpenSSL version
> 1.1.1g contains the vulnerabilities of CVE-2021-23841 and
> CVE-2021-23840. The related vulnerable API EVP_DecryptUpdate
> are used in drivers.
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3266
>
> Besides, the opensslconf.h automatically generated in UNIX
> format by process_files.pl.
>
> Cc: Jian J Wang
> Signed-off-by: Liu Wei
> ---
> CryptoPkg/Library/Include/openssl/opensslconf.h | 7 ++-
> CryptoPkg/Library/OpensslLib/openssl| 2 +-
> 2 files changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h
> b/CryptoPkg/Library/Include/openssl/opensslconf.h
> index 3a2544e..f9a73e9 100644
> --- a/CryptoPkg/Library/Include/openssl/opensslconf.h
> +++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
> @@ -2,7 +2,7 @@
> * WARNING: do not edit!
>
> * Generated from include/openssl/opensslconf.h.in
>
> *
>
> - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
>
> + * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
>
> *
>
> * Licensed under the OpenSSL license (the "License"). You may not use
>
> * this file except in compliance with the License. You can obtain a copy
>
> @@ -268,6 +268,11 @@ extern "C" {
> # undef DECLARE_DEPRECATED
>
> # define DECLARE_DEPRECATED(f)f __attribute__ ((deprecated));
>
> # endif
>
> +# elif defined(__SUNPRO_C)
>
> +# if (__SUNPRO_C >= 0x5130)
>
> +# undef DECLARE_DEPRECATED
>
> +# define DECLARE_DEPRECATED(f)f __attribute__ ((deprecated));
>
> +# endif
>
> # endif
>
> #endif
>
>
>
> diff --git a/CryptoPkg/Library/OpensslLib/openssl
> b/CryptoPkg/Library/OpensslLib/openssl
> index e2e09d9..52c587d 16
> --- a/CryptoPkg/Library/OpensslLib/openssl
> +++ b/CryptoPkg/Library/OpensslLib/openssl
> @@ -1 +1 @@
> -Subproject commit e2e09d9fba1187f8d6aafaa34d4172f56f1ffb72
> +Subproject commit 52c587d60be67c337364b830dd3fdc15404a2f04
> --
> 2.7.4
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#73006): https://edk2.groups.io/g/devel/message/73006
Mute This Topic: https://groups.io/mt/81423270/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v7 00/14] Add the VariablePolicy feature
Bret, If someone has given same comments as below, please just ignore them. Sorry for the late feedback. Patch 09: LockVariablePolicy () is called inside a debug macro. In release build it will be replaced with empty. If this is really what you want, please add comments in code to explain your purpose. ASSERT_EFI_ERROR (LockVariablePolicy ()); Patch 13: The file name VariableLockRequstToLock.c has a typo 'Requst' -> 'Request' Patch 02, 03, 04, 09, 12, 13, 14 have many inconsistent coding style, especially the spaces in function/macro calling. For example, AllocatePool( NewSize );vsDumpVariablePolicy (NULL, ); Please refer to "EDK II C Coding Standards Specification" ch5.2.2 "Horizontal Spacing" for details. With above addressed (for patch 01-04, 09-14), Acked-by: Jian J Wang > -Original Message- > From: devel@edk2.groups.io On Behalf Of Bret > Barkelew > Sent: Friday, August 28, 2020 1:51 PM > To: devel@edk2.groups.io > Cc: Yao, Jiewen ; Chao Zhang > ; Wang, Jian J ; Wu, Hao A > ; Gao, Liming ; Justen, Jordan L > ; Laszlo Ersek ; Ard Biesheuvel > ; Andrew Fish ; Ni, Ray > > Subject: [edk2-devel] [PATCH v7 00/14] Add the VariablePolicy feature > > The 14 patches in this series add the VariablePolicy feature to the core, > deprecate Edk2VarLock (while adding a compatibility layer to reduce code > churn), and integrate the VariablePolicy libraries and protocols into > Variable Services. > > Since the integration requires multiple changes, including adding libraries, > a protocol, an SMI communication handler, and VariableServices integration, > the patches are broken up by individual library additions and then a final > integration. Security-sensitive changes like bypassing Authenticated > Variable enforcement are also broken out into individual patches so that > attention can be called directly to them. > > Platform porting instructions are described in this wiki entry: > https://github.com/tianocore/tianocore.github.io/wiki/VariablePolicy-Protocol- > --Enhanced-Method-for-Managing-Variables#platform-porting > > Discussion of the feature can be found in multiple places throughout > the last year on the RFC channel, staging branches, and in devel. > > Most recently, this subject was discussed in this thread: > https://edk2.groups.io/g/devel/message/53712 > (the code branches shared in that discussion are now out of date, but the > whitepapers and discussion are relevant). > > Cc: Jiewen Yao > Cc: Chao Zhang > Cc: Jian J Wang > Cc: Hao A Wu > Cc: Liming Gao > Cc: Jordan Justen > Cc: Laszlo Ersek > Cc: Ard Biesheuvel > Cc: Andrew Fish > Cc: Ray Ni > Cc: Bret Barkelew > Signed-off-by: Bret Barkelew > > v7 changes: > * Address comments from Dandan about security of the MM handler > * Add readme > * Fix bug around hex characters in BOOT, etc > * Add additional testing for hex characters > * Add additional testing for authenticated variables > > v6 changes: > * Fix an issue with uninitialized Status in InitVariablePolicyLib() and > DeinitVariablePolicyLib() > * Fix GCC building in shell-based functional test > * Rebase on latest origin/master > > v5 changes: > * Fix the CONST mismatch in VariablePolicy.h and VariablePolicySmmDxe.c > * Fix EFIAPI mismatches in the functional unittest > * Rebase on latest origin/master > > v4 changes: > * Remove Optional PcdAllowVariablePolicyEnforcementDisable PCD from > platforms > * Rebase on master > * Migrate to new MmCommunicate2 protocol > * Fix an oversight in the default return value for InitMmCommonCommBuffer > * Fix in VariablePolicyLib to allow ExtraInitRuntimeDxe to consume variables > > V3 changes: > * Address all non-unittest issues with ECC > * Make additional style changes > * Include section name in hunk headers in "ini-style" files > * Remove requirement for the EdkiiPiSmmCommunicationsRegionTable driver > (now allocates its own buffer) > * Change names from VARIABLE_POLICY_PROTOCOL and > gVariablePolicyProtocolGuid > to EDKII_VARIABLE_POLICY_PROTOCOL and gEdkiiVariablePolicyProtocolGuid > * Fix GCC warning about initializing externs > * Add UNI strings for new PCD > * Add patches for ArmVirtPkg, OvmfXen, and UefiPayloadPkg > * Reorder patches according to Liming's feedback about adding to platforms > before changing variable driver > > V2 changes: > * Fixed implementation for RuntimeDxe > * Add PCD to block DisableVariablePolicy > * Fix the DumpVariablePolicy pagination in SMM > > > Bret Barkelew (14): > MdeModulePkg: Define the VariablePolicy protocol interface > MdeModulePkg: Define the VariablePolicyLib > MdeModulePkg: Define the Variabl
Re: [edk2-devel] [PATCH v6 00/14] Add the VariablePolicy feature
Hi Bret, Sorry to hear the Seattle's situation. I've been there for several times and love the city very much. Hope everything goes back normal soon. And sorry for slow response. This patch series have been delegated to Dandan to review by Liming. She has completed security review from Intel perspective, and given back comments to you. It seems that you forgot to include her in the CC-list. Sorry I didn't notice it and told her to do review in time. She'll give comments ASAP. Since MdeModulePkg is a huge package, I cannot do detail review for each patch for this package. And we have already modules reviewers designated . I think, usually, they should do the detailed review first. The package maintainer will do gate-keeper works as the last step. Correct me if any misunderstanding here. Removed Chao from cc-list (his email is not valid) and added Dandan in loop. Regards, Jian From: Bret Barkelew Sent: Friday, September 11, 2020 11:18 PM To: devel@edk2.groups.io; b...@corthon.com; Wang, Jian J Cc: Yao, Jiewen ; Zhang, Chao B ; Wang, Jian J ; Wu, Hao A ; Gao, Liming ; Justen, Jordan L ; Laszlo Ersek ; Ard Biesheuvel ; Andrew Fish ; Ni, Ray Subject: RE: [edk2-devel] [PATCH v6 00/14] Add the VariablePolicy feature 11 Days to go. I will single out an email every day... Jian, today is your day. How's it going? Life good? Yeah, I know. Things are crazy here, too. Seattle is covered in smoke. You know what would brighten things up, though? A nice "reviewed by". - Bret From: Bret Barkelew via groups.io<mailto:bret.barkelew=microsoft@groups.io> Sent: Tuesday, September 8, 2020 3:20 PM To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; b...@corthon.com<mailto:b...@corthon.com> Cc: Yao, Jiewen<mailto:jiewen@intel.com>; Zhang, Chao B<mailto:chao.b.zh...@intel.com>; Wang, Jian J<mailto:jian.j.w...@intel.com>; Wu, Hao A<mailto:hao.a...@intel.com>; liming.gao<mailto:liming@intel.com>; Justen, Jordan L<mailto:jordan.l.jus...@intel.com>; Laszlo Ersek<mailto:ler...@redhat.com>; Ard Biesheuvel<mailto:ard.biesheu...@arm.com>; Andrew Fish<mailto:af...@apple.com>; Ni, Ray<mailto:ray...@intel.com>; liming.gao<mailto:liming@intel.com> Subject: [EXTERNAL] Re: [edk2-devel] [PATCH v6 00/14] Add the VariablePolicy feature Now that 2008 is labelled and everyone can take a breather... I still need reviews on the following patches (v7)... Patch(es) 01, 02, 03,06,09,10,11,12,13,14 As such, the following email addresses may or may not be subscribed to CatFacts(tm) within the next 14 days if I get no responses: Cc: Jian J Wang mailto:jian.j.w...@intel.com>> Cc: Hao A Wu mailto:hao.a...@intel.com>> Cc: Liming Gao mailto:liming@intel.com>> Cc: Jordan Justen mailto:jordan.l.jus...@intel.com>> Cc: Andrew Fish mailto:af...@apple.com>> Cc: Ray Ni mailto:ray...@intel.com>> Cc: Jiewen Yao mailto:jiewen@intel.com>> Cc: Chao Zhang mailto:chao.b.zh...@intel.com>> May God have mercy on your inboxes. - Bret -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#65215): https://edk2.groups.io/g/devel/message/65215 Mute This Topic: https://groups.io/mt/75057702/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH] SecurityPkg/DxeImageVerificationLib: Disable SHA1 base on MACRO
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Gao, Zhichao
> Sent: Monday, August 31, 2020 1:13 PM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen ; Wang, Jian J ;
> Xu, Min M ; Zhang, Qi1
> Subject: [PATCH] SecurityPkg/DxeImageVerificationLib: Disable SHA1 base on
> MACRO
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2943
>
> Disable SHA1 base on the MACRO DISABLE_SHA1_DEPRECATED_INTERFACES.
> SHA1 is deprecated function and the MACRO is used to remove the whole
> implementation of the SHA1. For the platforms that do not need SHA1
> for security, the MACRO should works for DxeImageVerificationLib as
> well.
>
> Signed-off-by: Zhichao Gao
> Cc: Jiewen Yao
> Cc: Jian J Wang
> Cc: Min Xu
> Cc: Qi Zhang
> ---
> .../DxeImageVerificationLib/DxeImageVerificationLib.c | 6 ++
> 1 file changed, 6 insertions(+)
>
> diff --git
> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index b08fe24e85..7871220140 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> @@ -59,7 +59,11 @@ UINT8 mHashOidValue[] = {
>};
>
> HASH_TABLE mHash[] = {
> +#ifndef DISABLE_SHA1_DEPRECATED_INTERFACES
>{ L"SHA1", 20, [0], 5, Sha1GetContextSize, Sha1Init,
> Sha1Update, Sha1Final },
> +#else
> + { L"SHA1", 20, [0], 5, NULL, NULL,
> NULL,
> NULL },
> +#endif
>{ L"SHA224", 28, [5], 9, NULL, NULL,
> NULL,
> NULL },
>{ L"SHA256", 32, [14], 9, Sha256GetContextSize, Sha256Init,
> Sha256Update, Sha256Final},
>{ L"SHA384", 48, [23], 9, Sha384GetContextSize, Sha384Init,
> Sha384Update, Sha384Final},
> @@ -315,10 +319,12 @@ HashPeImage (
>ZeroMem (mImageDigest, MAX_DIGEST_SIZE);
>
>switch (HashAlg) {
> +#ifndef DISABLE_SHA1_DEPRECATED_INTERFACES
>case HASHALG_SHA1:
> mImageDigestSize = SHA1_DIGEST_SIZE;
> mCertType= gEfiCertSha1Guid;
> break;
> +#endif
>
>case HASHALG_SHA256:
> mImageDigestSize = SHA256_DIGEST_SIZE;
> --
> 2.21.0.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#65070): https://edk2.groups.io/g/devel/message/65070
Mute This Topic: https://groups.io/mt/76528676/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v3] MdeModulePkg/Library: add PEIM and SEC module type to TpmMeasurementLibNull
Reviewed-by: Jian J Wang Regards, Jian > -Original Message- > From: Zhang, Qi1 > Sent: Tuesday, September 01, 2020 3:26 PM > To: devel@edk2.groups.io > Cc: Zhang, Qi1 ; Wang, Jian J ; > Wu, Hao A ; Yao, Jiewen ; > Laszlo Ersek > Subject: [PATCH v3] MdeModulePkg/Library: add PEIM and SEC module type to > TpmMeasurementLibNull > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2940 > > Signed-off-by: Qi Zhang > Cc: Jian J Wang > Cc: Hao A Wu > Cc: Jiewen Yao > Reviewed-by: Laszlo Ersek > --- > .../Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git > a/MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.in > f > b/MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.in > f > index 61abcfa2ec..c3be447d40 100644 > --- > a/MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.in > f > +++ > b/MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.in > f > @@ -12,7 +12,7 @@ >FILE_GUID = 6DFD6E9F-9278-48D8-8F45-B6CFF2C2B69C > >MODULE_TYPE= UEFI_DRIVER > >VERSION_STRING = 1.0 > > - LIBRARY_CLASS = TpmMeasurementLib|DXE_DRIVER > DXE_RUNTIME_DRIVER DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER > > + LIBRARY_CLASS = TpmMeasurementLib|SEC PEIM DXE_DRIVER > DXE_RUNTIME_DRIVER DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER > >MODULE_UNI_FILE= TpmMeasurementLibNull.uni > > > > # > > -- > 2.26.2.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#64963): https://edk2.groups.io/g/devel/message/64963 Mute This Topic: https://groups.io/mt/76551779/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH] MdeModulePkg/Library: change TpmMeasurementLibNull to BASE library.
Reviewed-by: Jian J Wang Regards, Jian > -Original Message- > From: Zhang, Qi1 > Sent: Friday, August 28, 2020 2:15 PM > To: devel@edk2.groups.io > Cc: Zhang, Qi1 ; Wang, Jian J ; > Wu, Hao A ; Yao, Jiewen > Subject: [PATCH] MdeModulePkg/Library: change TpmMeasurementLibNull to > BASE library. > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2940 > > TpmMeasurementLib includes DxeTpmMeasurementLib and > PeiTpmMeasurementLib. > So need to change TpmMeasurementLibNull to BASE library to avoid build > error in some platform. > > Signed-off-by: Qi Zhang > Cc: Jian J Wang > Cc: Hao A Wu > Cc: Jiewen Yao > --- > .../Library/TpmMeasurementLibNull/TpmMeasurementLibNull.c | 4 +++- > .../Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf | 6 +++--- > 2 files changed, 6 insertions(+), 4 deletions(-) > > diff --git > a/MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.c > b/MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.c > index b9c5b68de8..ee3be62fc6 100644 > --- > a/MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.c > +++ > b/MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.c > @@ -1,11 +1,13 @@ > /** @file > >This library is used by other modules to measure data to TPM. > > > > -Copyright (c) 2015, Intel Corporation. All rights reserved. > > +Copyright (c) 2015-2020, Intel Corporation. All rights reserved. > > SPDX-License-Identifier: BSD-2-Clause-Patent > > > > **/ > > > > +#include > > + > > /** > >Tpm measure and log data, and extend the measurement result into a specific > PCR. > > > > diff --git > a/MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.in > f > b/MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.in > f > index 61abcfa2ec..1db2c0d6a7 100644 > --- > a/MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.in > f > +++ > b/MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.in > f > @@ -1,7 +1,7 @@ > ## @file > > # Provides NULL TPM measurement function. > > # > > -# Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved. > > +# Copyright (c) 2015 - 2020, Intel Corporation. All rights reserved. > > # SPDX-License-Identifier: BSD-2-Clause-Patent > > # > > ## > > @@ -10,9 +10,9 @@ >INF_VERSION= 0x00010005 > >BASE_NAME = TpmMeasurementLibNull > >FILE_GUID = 6DFD6E9F-9278-48D8-8F45-B6CFF2C2B69C > > - MODULE_TYPE= UEFI_DRIVER > > + MODULE_TYPE= BASE > >VERSION_STRING = 1.0 > > - LIBRARY_CLASS = TpmMeasurementLib|DXE_DRIVER > DXE_RUNTIME_DRIVER DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER > > + LIBRARY_CLASS = TpmMeasurementLib > >MODULE_UNI_FILE= TpmMeasurementLibNull.uni > > > > # > > -- > 2.26.2.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#64792): https://edk2.groups.io/g/devel/message/64792 Mute This Topic: https://groups.io/mt/76468437/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [Patch] SecurityPkg/OpalPassword: Fix spelling mistake
Reviewed-by: Jian J Wang Regards, Jian > -Original Message- > From: devel@edk2.groups.io On Behalf Of Michael D > Kinney > Sent: Saturday, August 01, 2020 9:21 AM > To: devel@edk2.groups.io > Cc: Zhang, Qi1 ; Kumar, Rahul1 > > Subject: [edk2-devel] [Patch] SecurityPkg/OpalPassword: Fix spelling mistake > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2346 > > Cc: Qi Zhang > Cc: Rahul Kumar > Signed-off-by: Michael D Kinney > --- > SecurityPkg/Tcg/Opal/OpalPassword/OpalHii.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/SecurityPkg/Tcg/Opal/OpalPassword/OpalHii.c > b/SecurityPkg/Tcg/Opal/OpalPassword/OpalHii.c > index 211e75537a..0ab71a3665 100644 > --- a/SecurityPkg/Tcg/Opal/OpalPassword/OpalHii.c > +++ b/SecurityPkg/Tcg/Opal/OpalPassword/OpalHii.c > @@ -548,7 +548,7 @@ HiiConfirmDataRemovalAction ( > Unicode, > L" System should not be powered off until action completion ", > L" ", > -L" Press 'Y/y' to continue, press 'N/n' to cancal ", > +L" Press 'Y/y' to continue, press 'N/n' to cancel ", > NULL > ); >} while ( > -- > 2.21.0.windows.1 > > > -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#64392): https://edk2.groups.io/g/devel/message/64392 Mute This Topic: https://groups.io/mt/75919457/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [Patch 5/6] SecurityPkg: Fix spelling mistake for occurred
Reviewed-by: Jian J Wang Regards, Jian > -Original Message- > From: devel@edk2.groups.io On Behalf Of Michael D > Kinney > Sent: Saturday, August 01, 2020 9:05 AM > To: devel@edk2.groups.io > Cc: Zhang, Qi1 ; Kumar, Rahul1 > > Subject: [edk2-devel] [Patch 5/6] SecurityPkg: Fix spelling mistake for > occurred > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2361 > > Cc: Qi Zhang > Cc: Rahul Kumar > Signed-off-by: Michael D Kinney > --- > .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > index 36b87e16d5..b08fe24e85 100644 > --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > @@ -1465,7 +1465,7 @@ IsAllowedByDb ( > >// >// Fetch 'dbx' content. If 'dbx' doesn't exist, continue to check 'db'. > - // If any other errors occured, no need to check 'db' but just return > + // If any other errors occurred, no need to check 'db' but just return >// not-allowed-by-db (FALSE) to avoid bypass. >// >DbxDataSize = 0; > -- > 2.21.0.windows.1 > > > -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#64391): https://edk2.groups.io/g/devel/message/64391 Mute This Topic: https://groups.io/mt/75919240/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH] CryptoPkg/BaseCryptLib: add crypto algorithms needed by variable protection
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Crypto algorithms, hkdf-sha256/hmac-sha256/aes, are needed to verify integrity of variable data, derive hmac and encryption keys, and encrypt/decrypt varible. Replacing null version source code with real implementations makes sure we can enable full functionalities of protected variable later. Cc: Xiaoyu Lu Cc: Jiewen Yao Cc: Guomin Jiang Cc: Nishant C Mistry Signed-off-by: Jian J Wang --- CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf | 4 ++-- CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf index c836c257f8..af87c14a8b 100644 --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf @@ -43,8 +43,8 @@ Hash/CryptSha512.c Hmac/CryptHmacMd5Null.c Hmac/CryptHmacSha1Null.c - Hmac/CryptHmacSha256Null.c - Kdf/CryptHkdfNull.c + Hmac/CryptHmacSha256.c + Kdf/CryptHkdf.c Cipher/CryptAesNull.c Cipher/CryptTdesNull.c Cipher/CryptArc4Null.c diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf index e5b8ececc1..d20a48cd8a 100644 --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf @@ -43,9 +43,9 @@ Hash/CryptSha512Null.c Hmac/CryptHmacMd5Null.c Hmac/CryptHmacSha1Null.c - Hmac/CryptHmacSha256Null.c - Kdf/CryptHkdfNull.c - Cipher/CryptAesNull.c + Hmac/CryptHmacSha256.c + Kdf/CryptHkdf.c + Cipher/CryptAes.c Cipher/CryptTdesNull.c Cipher/CryptArc4Null.c Pk/CryptRsaBasic.c -- 2.24.0.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#64347): https://edk2.groups.io/g/devel/message/64347 Mute This Topic: https://groups.io/mt/76258273/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH EDK2 v2 1/1] SecurityPkg/DxeImageVerificationLib:Enhanced verification of Offset
Laszlo, My apologies for the slow response. I'm not the original reporter but just the BZ submitter. And I didn't do deep analysis to this issue. The issues was reported from one internal team. Add John in loop to see if he knows more about it or not. My superficial understanding on such issue is that, if there's "potential" issue in theory and hard to reproduce, it's still worthy of using an alternative way to replace the original implementation with no "potential" issue at all. Maybe we don't have to prove old way is something wrong but must prove that the new way is really safe. Regards, Jian > -Original Message- > From: devel@edk2.groups.io On Behalf Of Laszlo Ersek > Sent: Tuesday, August 18, 2020 12:53 AM > To: Yao, Jiewen ; devel@edk2.groups.io; > xiewen...@huawei.com; Wang, Jian J > Cc: huangmin...@huawei.com; songdongku...@huawei.com > Subject: Re: [edk2-devel] [PATCH EDK2 v2 1/1] > SecurityPkg/DxeImageVerificationLib:Enhanced verification of Offset > > Hi Jiewen, > > On 08/14/20 10:53, Yao, Jiewen wrote: > >> To Jiewen, > >> Sorry, I don't have environment to reproduce the issue. > > > > Please help me understand, if you don’t have environment to reproduce the > issue, how do you guarantee that your patch does fix the problem and we don’t > have any other vulnerabilities? > > The original bug report in > <https://bugzilla.tianocore.org/show_bug.cgi?id=2215#c0> is seriously > lacking. It does not go into detail about the alleged integer overflow. > It does not quote the code, does not explain the control flow, does not > identify the exact edk2 commit at which the vulnerability exists. > > The bug report also does not offer a reproducer. > > Additionally, the exact statement that the bug report does make, namely > > it's possible to overflow Offset back to 0 causing an endless loop > > is wrong (as far as I can tell anyway). It is not "OffSet" that can be > overflowed to zero, but the *addend* that is added to OffSet can be > overflowed to zero. Therefore the infinite loop will arise because > OffSet remains stuck at its present value, and not because OffSet will > be re-set to zero. > > For the reasons, we can only speculate as to what the actual problem is, > unless Jian decides to join the discussion and clarifies what he had in > mind originally. > > My understanding (or even "reconstruction") of the vulnerability is > described above, and in the patches that I proposed. > > We can write a patch based on code analysis. It's possible to identify > integer overflows based on code analysis, and it's possible to verify > the correctness of fixes by code review. Obviously testing is always > good, but many times, constructing reproducers for such issues that were > found by code review, is difficult and time consuming. We can say that > we don't fix vulnerabilities without reproducers, or we can say that we > make an effort to fix them even if all we have is code analysis (and not > a reproducer). > > So the above paragraph concerns "correctness". Regarding "completeness", > I guarantee you that this patch does not fix *all* problems related to > PE parsing. (See the other BZ tickets.) It does fix *one* issue with PE > parsing. We can say that we try to fix such issues gradually (give > different CVE numbers to different issues, and address them one at a > time), or we can say that we rewrite PE parsing from the ground up. > (BTW: I have seriously attempted that in the past, and I gave up, > because the PE format is FUBAR.) > > In summary: > > - the problem statement is unclear, > > - it seems like there is indeed an integer overflow problem in the > SecDataDir parsing loop, but it's uncertain whether the bug reporter had > exactly that in mind > > - PE parsing is guaranteed to have other vulnerabilities elsewhere in > edk2, but I'm currently unaware of other such issues in > DxeImageVerificationLib specifically > > - even if there are other such problems (in DxeImageVerificationLib or > elswehere), fixing this bug that we know about is likely worthwhile > > - for many such bugs, constructing a reproducer is difficult and time > consuming; code analysis, and *regression-testing* are frequently the > only tools we have. That doesn't mean we should ignore this class of bugs. > > (Fixing integer overflows retro-actively is more difficult than writing > overflow-free code in the first place, but that ship has sailed; so we > can only fight these bugs incrementally now, unless we can rewrite PE > parsing with a new data structure from the ground up. Again I tried that > and gave up, because the spec is not public, and what
Re: [edk2-devel] [edk2-wiki][PATCH v3] Update the Boot Guard TOCTOU wiki page.
Reviewed-by: Jian J Wang Regards, Jian > -Original Message- > From: devel@edk2.groups.io On Behalf Of Guomin > Jiang > Sent: Wednesday, August 12, 2020 3:21 PM > To: devel@edk2.groups.io > Cc: Wang, Jian J ; Gao, Liming > Subject: [edk2-devel] [edk2-wiki][PATCH v3] Update the Boot Guard TOCTOU > wiki page. > > The Boot Guard TOCTOU have been migrated into edk2/master. > Update the document to meet the change. > > Signed-off-by: Guomin Jiang > Cc: Jian J Wang > Cc: Liming Gao > --- > Boot-Guard-TOCTOU-Vulnerability-Mitigation.md | 30 +++ > 1 file changed, 10 insertions(+), 20 deletions(-) > > diff --git a/Boot-Guard-TOCTOU-Vulnerability-Mitigation.md b/Boot-Guard- > TOCTOU-Vulnerability-Mitigation.md > index e59c7b1..3fce589 100644 > --- a/Boot-Guard-TOCTOU-Vulnerability-Mitigation.md > +++ b/Boot-Guard-TOCTOU-Vulnerability-Mitigation.md > @@ -45,32 +45,22 @@ references must be updated. In this mitigation, the > process of performing these > The changes described in this mitigation are intended to simply integrate > into > firmware solutions. For the changes to > function as intended, the platform firmware implementation should follow > these guidelines. > > -The changes are currently being staged in the following EDK II fork for > additional validation before being > -sent to the EDK II mailing list: > https://github.com/makubacki/edk2/tree/btg_toctou_mitigation_staging > - > -The changes should not be considered final or production ready until they are > reviewed and pushed onto edk2/master. > - > -1. Always ensure PcdShadowPeimOnBoot and PcdShadowPeimOnS3Boot > - (if platform supports S3) are set to TRUE if Boot Guard is > - enabled and V=1 or M=1. > -2. Always ensure PcdMigrateTemporaryRamFirmwareVolumes is set to TRUE. > -3. Ensure that all PEIMs are relocatable. Relocation tables should > +1. Always ensure PcdMigrateTemporaryRamFirmwareVolumes is set to TRUE > + if Boot Guard is enabled and V=1 or M=1. > +2. Ensure that all PEIMs are relocatable. Relocation tables should > not be stripped. > -4. If an Intel Firmware Support Package (FSP) binary solution is > +3. If an Intel Firmware Support Package (FSP) binary solution is > used, the binary must have these mitigation changes integrated. > -5. Avoid maintaining pointers to pre-memory addresses inside embedded > +4. Avoid maintaining pointers to pre-memory addresses inside embedded > structures or other non-standard structures that the automatic > migration code introduced in this change cannot identify. > -6. Migrate the FIT table based on platform requirements for FIT > +5. Migrate the FIT table based on platform requirements for FIT > access in post-memory. > +6. Add the SecMigrationPei.inf component to migrate the pointer from > + the SEC phase. > > -**Very Important** > - > -7. Enable paging after memory initialization and mark the IBB range > - as Not Present (NP). > - > - This will cause a page fault on access to the IBB region. This CR2 > register can > be used to identify the address > - accessed and the IP. > +Notes: IBB will be set Not Present, you will see a page fault if any code > access > to the IBB region after migration. > + the address where the code access can be identified in the CR2 > register. > > # High-Level Migration Required > Resources that must be migrated can be categorized as code or data. > -- > 2.25.1.windows.1 > > > -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#64343): https://edk2.groups.io/g/devel/message/64343 Mute This Topic: https://groups.io/mt/76142970/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v3 0/8] Need add a FSP binary measurement
For the whole series,
Reviewed-by: Jian J Wang
Regards,
Jian
> -Original Message-
> From: Zhang, Qi1
> Sent: Friday, August 14, 2020 2:32 PM
> To: devel@edk2.groups.io
> Cc: Zhang, Qi1 ; Yao, Jiewen ;
> Wang, Jian J ; Wu, Hao A ; Chiu,
> Chasel ; Desimone, Nathaniel L
> ; Zeng, Star
> Subject: [PATCH v3 0/8] Need add a FSP binary measurement
>
> v3 change:
> add a new lib FvEventLogRecordLib for gerneric code.
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2376
>
> The EDKII BIOS calls FSP API in FSP Wrapper Pkg.
> This FSP code need to be measured into TPM.
>
> We need add a generic module in FSP Wrapper Pkg code to measure:
> 1) FSP-T, FSP-M, FSP-S in API mode.
> 2) FSP-T in Dispatch-mode. The FSP-M and FSP-S will be reported
>as standard FV and they will be measured by TCG-PEI.
>
> Cc: Jiewen Yao
> Cc: Jian J Wang
> Cc: Hao A Wu
> Cc: Chasel Chiu
> Cc: Nate DeSimone
> Cc: Star Zeng
> Cc: Qi Zhang
>
> Jiewen Yao (4):
> IntelFsp2WrapperPkg/FspMeasurementLib: Add header file.
> IntelFsp2WrapperPkg/FspMeasurementLib: Add BaseFspMeasurementLib.
> IntelFsp2WraperPkg/Fsp{m|s}WrapperPeim: Add FspBin measurement.
> IntelFsp2Wrapper/dsc: Add FspTpmMeasurementLib and
> PcdFspMeasurementConfig.
>
> Qi Zhang (4):
> SecurityPkg/FvEventLogRecordLib: add new lib for firmware measurement
> SecurityPkg/dsc: add FvEventLogRecordLib
> SecurityPkg/Tcg2: handle PRE HASH and LOG ONLY
> IntelFsp2WrapperPkg/dsc: add HashLib, Tpm2CommandLib and Tpm2DeviceLib
>
> .../FspmWrapperPeim/FspmWrapperPeim.c | 90 ++-
> .../FspmWrapperPeim/FspmWrapperPeim.inf | 20 +-
> .../FspsWrapperPeim/FspsWrapperPeim.c | 86 +-
> .../FspsWrapperPeim/FspsWrapperPeim.inf | 27 +-
> .../Include/Library/FspMeasurementLib.h | 39 +++
> IntelFsp2WrapperPkg/IntelFsp2WrapperPkg.dec | 17 ++
> IntelFsp2WrapperPkg/IntelFsp2WrapperPkg.dsc | 10 +-
> .../BaseFspMeasurementLib.inf | 54
> .../BaseFspMeasurementLib/FspMeasurementLib.c | 248 ++
> .../Include/Library/FvEventLogRecordLib.h | 97 +++
> SecurityPkg/Include/Ppi/Tcg.h | 5 +
> .../FvEventLogRecordLib/FvEventLogRecordLib.c | 197 ++
> .../FvEventLogRecordLib.inf | 40 +++
> .../FvEventLogRecordLib.uni | 17 ++
> SecurityPkg/SecurityPkg.dec | 3 +
> SecurityPkg/SecurityPkg.dsc | 2 +
> SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c | 12 +-
> 17 files changed, 939 insertions(+), 25 deletions(-)
> create mode 100644
> IntelFsp2WrapperPkg/Include/Library/FspMeasurementLib.h
> create mode 100644
> IntelFsp2WrapperPkg/Library/BaseFspMeasurementLib/BaseFspMeasurementLi
> b.inf
> create mode 100644
> IntelFsp2WrapperPkg/Library/BaseFspMeasurementLib/FspMeasurementLib.c
> create mode 100644 SecurityPkg/Include/Library/FvEventLogRecordLib.h
> create mode 100644
> SecurityPkg/Library/FvEventLogRecordLib/FvEventLogRecordLib.c
> create mode 100644
> SecurityPkg/Library/FvEventLogRecordLib/FvEventLogRecordLib.inf
> create mode 100644
> SecurityPkg/Library/FvEventLogRecordLib/FvEventLogRecordLib.uni
>
> --
> 2.26.2.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#64342): https://edk2.groups.io/g/devel/message/64342
Mute This Topic: https://groups.io/mt/76183465/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
