Re: [edk2-devel] [PATCH 3/3] MdeModulePkg: Add Standalone MM Lockbox Driver.
Reviewed-by: Jiaxin Wu > -Original Message- > From: Xie, Yuanhao > Sent: Tuesday, May 7, 2024 2:09 PM > To: devel@edk2.groups.io > Cc: Liming Gao ; Wu, Jiaxin > ; Ni, Ray ; Xie, Yuanhao > > Subject: [PATCH 3/3] MdeModulePkg: Add Standalone MM Lockbox Driver. > > The Lockbox Driver allows sensitive data to be securely stored in a > designated area, thus protected against unauthorized access. > > This patch adds a Standalone MM Lockbox Driver with main modifications: > 1. Separating shared code between the Standalone MM driver and the > DXE MM Driver. > 2. Utilizing services from the SMM Services Table (gSmst) as opposed to > relying on Boot Services. > > Cc: Liming Gao > Cc: Jiaxin Wu > Cc: Ray Ni > > Signed-off-by: Yuanhao Xie > --- > MdeModulePkg/MdeModulePkg.dsc | > 1 + > > MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneM > m.c| 84 > ++ > ++ > > MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneM > m.inf | 56 > > > MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneM > m.uni | 14 ++ > > MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneM > mExtra.uni | 14 ++ > 5 files changed, 169 insertions(+) > > diff --git a/MdeModulePkg/MdeModulePkg.dsc > b/MdeModulePkg/MdeModulePkg.dsc > index 6bed9205ea..f0f02f180f 100644 > --- a/MdeModulePkg/MdeModulePkg.dsc > +++ b/MdeModulePkg/MdeModulePkg.dsc > @@ -500,6 +500,7 @@ > > MdeModulePkg/Universal/ReportStatusCodeRouter/Smm/ReportStatusCode > RouterSmm.inf > > MdeModulePkg/Universal/ReportStatusCodeRouter/Smm/ReportStatusCode > RouterStandaloneMm.inf >MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.inf > + > MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneM > m.inf > > MdeModulePkg/Library/SmmMemoryAllocationProfileLib/SmmMemoryAlloc > ationProfileLib.inf > > MdeModulePkg/Library/PiSmmCoreMemoryAllocationLib/PiSmmCoreMemo > ryAllocationProfileLib.inf > > MdeModulePkg/Library/PiSmmCoreMemoryAllocationLib/PiSmmCoreMemo > ryAllocationLib.inf > diff --git > a/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandalone > Mm.c > b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandalone > Mm.c > new file mode 100644 > index 00..503be7efa8 > --- /dev/null > +++ > b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandalone > Mm.c > @@ -0,0 +1,84 @@ > +/** @file > + LockBox MM driver. > + > +Copyright (c) 2024, Intel Corporation. All rights reserved. > + > +SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > + > +#include > +#include > +#include > +#include > + > +#include "SmmLockBoxCommon.h" > + > +/** > + This function is an abstraction layer for implementation specific Mm buffer > validation routine. > + > + @param Buffer The buffer start address to be checked. > + @param Length The buffer length to be checked. > + > + @retval TRUE This buffer is valid per processor architecture and not > overlap > with SMRAM. > + @retval FALSE This buffer is not valid per processor architecture or > overlap > with SMRAM. > +**/ > +BOOLEAN > +IsBufferOutsideMmValid ( > + IN EFI_PHYSICAL_ADDRESS Buffer, > + IN UINT64Length > + ) > +{ > + return MmIsBufferOutsideMmValid (Buffer, Length); > +} > + > +/** > + Entry Point for LockBox MM driver. > + > + @param[in] ImageHandle Image handle of this driver. > + @param[in] SystemTable A Pointer to the EFI System Table. > + > + @retval EFI_SUCEESS > + @return Others Some error occurs. > +**/ > +EFI_STATUS > +EFIAPI > +SmmLockBoxStandaloneMmEntryPoint ( > + IN EFI_HANDLE ImageHandle, > + IN EFI_MM_SYSTEM_TABLE *SystemTable > + ) > +{ > + EFI_STATUS Status; > + EFI_HANDLE DispatchHandle; > + VOID*Registration; > + > + // > + // Register LockBox communication handler > + // > + Status = gMmst->MmiHandlerRegister ( > +SmmLockBoxHandler, > +&gEfiSmmLockBoxCommunicationGuid, > +&DispatchHandle > +); > + ASSERT_EFI_ERROR (Status); > + > + // > + // Register SMM Ready To Lock Protocol notification > + // > + Status = gMmst->MmRegisterProtocolNotify ( > +&gEfiSmmReadyToLockProtocolGuid, > +SmmReadyToLockEventNotify, > +&Registration > +); > + ASSERT_EFI_ERROR (Status); > + return Status; > +} > diff --git > a/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandalone > Mm.inf > b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandalone > Mm.inf > new file mode 100644 > index 00..544c87790c > --- /dev/null > +++ > b/MdeModulePkg/Universal/
Re: [edk2-devel] [PATCH 3/3] MdeModulePkg: Add Standalone MM Lockbox Driver.
Reviewed-by: Ray Ni Thanks, Ray From: Xie, Yuanhao Sent: Tuesday, May 7, 2024 14:09 To: devel@edk2.groups.io Cc: Liming Gao ; Wu, Jiaxin ; Ni, Ray ; Xie, Yuanhao Subject: [PATCH 3/3] MdeModulePkg: Add Standalone MM Lockbox Driver. The Lockbox Driver allows sensitive data to be securely stored in a designated area, thus protected against unauthorized access. This patch adds a Standalone MM Lockbox Driver with main modifications: 1. Separating shared code between the Standalone MM driver and the DXE MM Driver. 2. Utilizing services from the SMM Services Table (gSmst) as opposed to relying on Boot Services. Cc: Liming Gao Cc: Jiaxin Wu Cc: Ray Ni Signed-off-by: Yuanhao Xie --- MdeModulePkg/MdeModulePkg.dsc | 1 + MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.c| 84 MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.inf | 56 MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.uni | 14 ++ MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMmExtra.uni | 14 ++ 5 files changed, 169 insertions(+) diff --git a/MdeModulePkg/MdeModulePkg.dsc b/MdeModulePkg/MdeModulePkg.dsc index 6bed9205ea..f0f02f180f 100644 --- a/MdeModulePkg/MdeModulePkg.dsc +++ b/MdeModulePkg/MdeModulePkg.dsc @@ -500,6 +500,7 @@ MdeModulePkg/Universal/ReportStatusCodeRouter/Smm/ReportStatusCodeRouterSmm.inf MdeModulePkg/Universal/ReportStatusCodeRouter/Smm/ReportStatusCodeRouterStandaloneMm.inf MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.inf + MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.inf MdeModulePkg/Library/SmmMemoryAllocationProfileLib/SmmMemoryAllocationProfileLib.inf MdeModulePkg/Library/PiSmmCoreMemoryAllocationLib/PiSmmCoreMemoryAllocationProfileLib.inf MdeModulePkg/Library/PiSmmCoreMemoryAllocationLib/PiSmmCoreMemoryAllocationLib.inf diff --git a/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.c b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.c new file mode 100644 index 00..503be7efa8 --- /dev/null +++ b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.c @@ -0,0 +1,84 @@ +/** @file + LockBox MM driver. + +Copyright (c) 2024, Intel Corporation. All rights reserved. + +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include + +#include "SmmLockBoxCommon.h" + +/** + This function is an abstraction layer for implementation specific Mm buffer validation routine. + + @param Buffer The buffer start address to be checked. + @param Length The buffer length to be checked. + + @retval TRUE This buffer is valid per processor architecture and not overlap with SMRAM. + @retval FALSE This buffer is not valid per processor architecture or overlap with SMRAM. +**/ +BOOLEAN +IsBufferOutsideMmValid ( + IN EFI_PHYSICAL_ADDRESS Buffer, + IN UINT64Length + ) +{ + return MmIsBufferOutsideMmValid (Buffer, Length); +} + +/** + Entry Point for LockBox MM driver. + + @param[in] ImageHandle Image handle of this driver. + @param[in] SystemTable A Pointer to the EFI System Table. + + @retval EFI_SUCEESS + @return Others Some error occurs. +**/ +EFI_STATUS +EFIAPI +SmmLockBoxStandaloneMmEntryPoint ( + IN EFI_HANDLE ImageHandle, + IN EFI_MM_SYSTEM_TABLE *SystemTable + ) +{ + EFI_STATUS Status; + EFI_HANDLE DispatchHandle; + VOID*Registration; + + // + // Register LockBox communication handler + // + Status = gMmst->MmiHandlerRegister ( +SmmLockBoxHandler, +&gEfiSmmLockBoxCommunicationGuid, +&DispatchHandle +); + ASSERT_EFI_ERROR (Status); + + // + // Register SMM Ready To Lock Protocol notification + // + Status = gMmst->MmRegisterProtocolNotify ( +&gEfiSmmReadyToLockProtocolGuid, +SmmReadyToLockEventNotify, +&Registration +); + ASSERT_EFI_ERROR (Status); + return Status; +} diff --git a/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.inf b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.inf new file mode 100644 index 00..544c87790c --- /dev/null +++ b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.inf @@ -0,0 +1,56 @@ +## @file +# LockBox MM driver. +# +# Copyright (c) 2024, Intel Corporation. All rights reserved. +# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION= 0x00010005 + BASE_NAME = SmmLockBoxStandalo
[edk2-devel] [PATCH 3/3] MdeModulePkg: Add Standalone MM Lockbox Driver.
The Lockbox Driver allows sensitive data to be securely stored in a designated area, thus protected against unauthorized access. This patch adds a Standalone MM Lockbox Driver with main modifications: 1. Separating shared code between the Standalone MM driver and the DXE MM Driver. 2. Utilizing services from the SMM Services Table (gSmst) as opposed to relying on Boot Services. Cc: Liming Gao Cc: Jiaxin Wu Cc: Ray Ni Signed-off-by: Yuanhao Xie --- MdeModulePkg/MdeModulePkg.dsc | 1 + MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.c| 84 MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.inf | 56 MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.uni | 14 ++ MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMmExtra.uni | 14 ++ 5 files changed, 169 insertions(+) diff --git a/MdeModulePkg/MdeModulePkg.dsc b/MdeModulePkg/MdeModulePkg.dsc index 6bed9205ea..f0f02f180f 100644 --- a/MdeModulePkg/MdeModulePkg.dsc +++ b/MdeModulePkg/MdeModulePkg.dsc @@ -500,6 +500,7 @@ MdeModulePkg/Universal/ReportStatusCodeRouter/Smm/ReportStatusCodeRouterSmm.inf MdeModulePkg/Universal/ReportStatusCodeRouter/Smm/ReportStatusCodeRouterStandaloneMm.inf MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.inf + MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.inf MdeModulePkg/Library/SmmMemoryAllocationProfileLib/SmmMemoryAllocationProfileLib.inf MdeModulePkg/Library/PiSmmCoreMemoryAllocationLib/PiSmmCoreMemoryAllocationProfileLib.inf MdeModulePkg/Library/PiSmmCoreMemoryAllocationLib/PiSmmCoreMemoryAllocationLib.inf diff --git a/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.c b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.c new file mode 100644 index 00..503be7efa8 --- /dev/null +++ b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.c @@ -0,0 +1,84 @@ +/** @file + LockBox MM driver. + +Copyright (c) 2024, Intel Corporation. All rights reserved. + +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include + +#include "SmmLockBoxCommon.h" + +/** + This function is an abstraction layer for implementation specific Mm buffer validation routine. + + @param Buffer The buffer start address to be checked. + @param Length The buffer length to be checked. + + @retval TRUE This buffer is valid per processor architecture and not overlap with SMRAM. + @retval FALSE This buffer is not valid per processor architecture or overlap with SMRAM. +**/ +BOOLEAN +IsBufferOutsideMmValid ( + IN EFI_PHYSICAL_ADDRESS Buffer, + IN UINT64Length + ) +{ + return MmIsBufferOutsideMmValid (Buffer, Length); +} + +/** + Entry Point for LockBox MM driver. + + @param[in] ImageHandle Image handle of this driver. + @param[in] SystemTable A Pointer to the EFI System Table. + + @retval EFI_SUCEESS + @return Others Some error occurs. +**/ +EFI_STATUS +EFIAPI +SmmLockBoxStandaloneMmEntryPoint ( + IN EFI_HANDLE ImageHandle, + IN EFI_MM_SYSTEM_TABLE *SystemTable + ) +{ + EFI_STATUS Status; + EFI_HANDLE DispatchHandle; + VOID*Registration; + + // + // Register LockBox communication handler + // + Status = gMmst->MmiHandlerRegister ( +SmmLockBoxHandler, +&gEfiSmmLockBoxCommunicationGuid, +&DispatchHandle +); + ASSERT_EFI_ERROR (Status); + + // + // Register SMM Ready To Lock Protocol notification + // + Status = gMmst->MmRegisterProtocolNotify ( +&gEfiSmmReadyToLockProtocolGuid, +SmmReadyToLockEventNotify, +&Registration +); + ASSERT_EFI_ERROR (Status); + return Status; +} diff --git a/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.inf b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.inf new file mode 100644 index 00..544c87790c --- /dev/null +++ b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.inf @@ -0,0 +1,56 @@ +## @file +# LockBox MM driver. +# +# Copyright (c) 2024, Intel Corporation. All rights reserved. +# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION= 0x00010005 + BASE_NAME = SmmLockBoxStandaloneMm + MODULE_UNI_FILE= SmmLockBoxStandaloneMm.uni + FILE_GUID = a83a87a0-8a3e-482d-86c8-84a139f6ded0 + MODULE_TYPE= MM_STANDALONE + VERSION_STRING = 1.0 + PI_SPECIFICATION_VERSION = 0x00