Re: 回复: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for CR3/GDT/IDT.

2020-09-07 Thread Laszlo Ersek 
On 09/05/20 15:50, Dong, Eric wrote:
> yes, I will close that Bugzilla. Thanks all for your feedback.
> 
> Thanks,
> Eric
> 
> From: Yao, Jiewen 
> Sent: Saturday, September 5, 2020 8:31 PM
> To: devel@edk2.groups.io; ler...@redhat.com; vanjeff_...@hotmail.com; Dong, 
> Eric ; Ni, Ray 
> Cc: Lou, Yun 
> Subject: RE: 回复: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for 
> CR3/GDT/IDT.
> 
> Thank you Laszlo.
> 
> Eric and I communicated with internal team. They understand that CPU is the 
> only owner of the CPU state (CR3/DGT/IDT) and MP_SERVICE_PROTOCOL. Then we 
> agree that the original test is invalid.
> 
> As conclusion, we can withdraw this patch and close the Bugzilla with "not a 
> defect". 
> 
> Thank you
> Yao Jiewen

Thank you both very much for solving this internally!
Laszlo


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#65080): https://edk2.groups.io/g/devel/message/65080
Mute This Topic: https://groups.io/mt/76625321/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: 回复: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for CR3/GDT/IDT.

2020-09-05 Thread Dong, Eric 
yes, I will close that Bugzilla. Thanks all for your feedback.

Thanks,
Eric

From: Yao, Jiewen 
Sent: Saturday, September 5, 2020 8:31 PM
To: devel@edk2.groups.io; ler...@redhat.com; vanjeff_...@hotmail.com; Dong, 
Eric ; Ni, Ray 
Cc: Lou, Yun 
Subject: RE: 回复: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for 
CR3/GDT/IDT.

Thank you Laszlo.

Eric and I communicated with internal team. They understand that CPU is the 
only owner of the CPU state (CR3/DGT/IDT) and MP_SERVICE_PROTOCOL. Then we 
agree that the original test is invalid.

As conclusion, we can withdraw this patch and close the Bugzilla with "not a 
defect". 

Thank you
Yao Jiewen

> -Original Message-
> From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> 
> mailto:devel@edk2.groups.io>> On Behalf Of Laszlo Ersek
> Sent: Friday, September 4, 2020 4:37 PM
> To: Yao, Jiewen mailto:jiewen@intel.com>>; 
> devel@edk2.groups.io<mailto:devel@edk2.groups.io>;
> vanjeff_...@hotmail.com<mailto:vanjeff_...@hotmail.com>; Dong, Eric 
> mailto:eric.d...@intel.com>>; Ni, Ray
> mailto:ray...@intel.com>>
> Cc: Lou, Yun mailto:yun....@intel.com>>
> Subject: Re: 回复: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for
> CR3/GDT/IDT.
>
> On 09/04/20 10:06, Yao, Jiewen wrote:
> > When we say “validate”, we need get clear on what is the contract between
> caller and callee, and what is the expectation of the validation.
> >
> > For example, in this case, the validation is limited to 4G or not 4G. Why?
> > This function does not verify following, why?
> >
> >   1.  if the GDT table is valid.
> >   2.  if the IDT table is valid
> >   3.  if the exception handler is valid
> >   4.  if the timer handler still works
> >   5.  if the page table is valid
> >   6.  if the page table is 1:1 mapping
> >   7.  if the page table still enforce the expected protection, such as RO, 
> > NX
> >   8.  ……
>
> Yes, very good point; it has crossed my mind before too. The currently
> proposed checks verify the CR3 (but not the end of the root page
> directory). They also don't try to walk the whole forest of page tables
> and check every entry against 4GB (or, as you say, for 1:1 mapping). The
> check covers the GDT and the IDT, but not the GDT and IDT entries
> (segment granularity? direction of growth?)
>
> I'm OK with the proposed rudimentary checks because in my mind they are
> supposed to catch only one idiosyncratic UEFI application.
>
> > If an application creates a crazy state, CpuDxe may pass the validation with
> below 4G page table, but still fail to wake up APs.
>
> Yes, absolutely.
>
> >
> > If it is the app’s responsibility to ensure the system in good state, the
> validation is unnecessary.
> > If it is the CpuDxe’s responsibility to ensure the system in good state, the
> validation is insufficient.
>
> Agreed on both counts.
>
> I'm just under the impression that Eric has some internal use case that
> doesn't let him fix the application -- or maybe there's no time left for
> them for fixing the application.
>
> >
> > I think we should wait. I am working with Eric to collect the requirement on
> why test case is designed in this way.
>
> Sounds good, thanks!
>
> >
> > DebugAgentDxe is a good case. It is for debug purpose.
> > I believe there must be contract between CPU driver and DebugAgentDxe that
> which status DebugAgentDxe may modify and which state DebugAgentDxe may
> not.
> > It is DebugAgentDxe’s responsibility to ensure the new system state is 
> > correct
> and compatible with the CPU driver.
>
> Agreed 100%
>
> > With the contract, I don’t think CPU driver need validate the system state
> changed by DebugAgentDxe.
> > If DebugAgentDxe put system in a wrong state, CPUDriver has no chance to
> run.
>
> Agreed again.
>
> Thanks
> Laszlo
>
>
> 

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#65064): https://edk2.groups.io/g/devel/message/65064
Mute This Topic: https://groups.io/mt/76625321/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: 回复: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for CR3/GDT/IDT.

2020-09-05 Thread Yao, Jiewen 
Thank you Laszlo.

Eric and I communicated with internal team. They understand that CPU is the 
only owner of the CPU state (CR3/DGT/IDT) and MP_SERVICE_PROTOCOL. Then we 
agree that the original test is invalid.

As conclusion, we can withdraw this patch and close the Bugzilla with "not a 
defect". 

Thank you
Yao Jiewen

> -Original Message-
> From: devel@edk2.groups.io  On Behalf Of Laszlo Ersek
> Sent: Friday, September 4, 2020 4:37 PM
> To: Yao, Jiewen ; devel@edk2.groups.io;
> vanjeff_...@hotmail.com; Dong, Eric ; Ni, Ray
> 
> Cc: Lou, Yun 
> Subject: Re: 回复: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for
> CR3/GDT/IDT.
> 
> On 09/04/20 10:06, Yao, Jiewen wrote:
> > When we say “validate”, we need get clear on what is the contract between
> caller and callee, and what is the expectation of the validation.
> >
> > For example, in this case, the validation is limited to 4G or not 4G. Why?
> > This function does not verify following, why?
> >
> >   1.  if the GDT table is valid.
> >   2.  if the IDT table is valid
> >   3.  if the exception handler is valid
> >   4.  if the timer handler still works
> >   5.  if the page table is valid
> >   6.  if the page table is 1:1 mapping
> >   7.  if the page table still enforce the expected protection, such as RO, 
> > NX
> >   8.  ……
> 
> Yes, very good point; it has crossed my mind before too. The currently
> proposed checks verify the CR3 (but not the end of the root page
> directory). They also don't try to walk the whole forest of page tables
> and check every entry against 4GB (or, as you say, for 1:1 mapping). The
> check covers the GDT and the IDT, but not the GDT and IDT entries
> (segment granularity? direction of growth?)
> 
> I'm OK with the proposed rudimentary checks because in my mind they are
> supposed to catch only one idiosyncratic UEFI application.
> 
> > If an application creates a crazy state, CpuDxe may pass the validation with
> below 4G page table, but still fail to wake up APs.
> 
> Yes, absolutely.
> 
> >
> > If it is the app’s responsibility to ensure the system in good state, the
> validation is unnecessary.
> > If it is the CpuDxe’s responsibility to ensure the system in good state, the
> validation is insufficient.
> 
> Agreed on both counts.
> 
> I'm just under the impression that Eric has some internal use case that
> doesn't let him fix the application -- or maybe there's no time left for
> them for fixing the application.
> 
> >
> > I think we should wait. I am working with Eric to collect the requirement on
> why test case is designed in this way.
> 
> Sounds good, thanks!
> 
> >
> > DebugAgentDxe is a good case. It is for debug purpose.
> > I believe there must be contract between CPU driver and DebugAgentDxe that
> which status DebugAgentDxe may modify and which state DebugAgentDxe may
> not.
> > It is DebugAgentDxe’s responsibility to ensure the new system state is 
> > correct
> and compatible with the CPU driver.
> 
> Agreed 100%
> 
> > With the contract, I don’t think CPU driver need validate the system state
> changed by DebugAgentDxe.
> > If DebugAgentDxe put system in a wrong state, CPUDriver has no chance to
> run.
> 
> Agreed again.
> 
> Thanks
> Laszlo
> 
> 
> 


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#65063): https://edk2.groups.io/g/devel/message/65063
Mute This Topic: https://groups.io/mt/76625321/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: 回复: 回复: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for CR3/GDT/IDT.

2020-09-04 Thread Laszlo Ersek 
On 09/04/20 13:48, Yao, Jiewen wrote:
> Jeff
> I think the CR3 should be managed by the CPU driver. And it should NOT be 
> changed by other module during post phase without a clear contract.
> 
> Since CPU driver managed the value (or DebugAgent managing it under 
> contract), it should *always* be valid. I don’t see the value to check the 
> value managed by the module itself, and return EFI_UNSUPPORTED.
> 
> If CPU driver sets CR3 above 4G and sync it to AP, then it is a bug.
> We should fix the CPU driver or MP Library to *make it always work*.
> 
> There are multiple options. For example, the CPU driver can always set a 
> dedicate CR3/GDT/IDT for AP (below 4G). Then no matter BSP state is changed, 
> we can always wake up AP correctly with a pre-defined state. Syncing BSP 
> state to AP just an implementation choice, it is not absolute necessary.
> 
> In a system boot, the ability to wake up AP is very important. Especially 
> when the BIOS transfers the state to OS, the BSP need wake up AP to put AP in 
> a good state, such as protected mode with paging disabled. Without doing 
> that, we may get random system crash during boot.
> 
> If we really really want to do some check to ensure AP state is good, I would 
> rather to prepare a dedicated known good state for AP and always use this 
> known good state for AP wakeup.
> Giving up and returning UNSUPPORTED is definitely NOT my preference.

Should we audit the various AllocatePageTableMemory() function
implementations in edk2?

Or is there more stuff we need to look at?

Thanks
Laszlo


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#65054): https://edk2.groups.io/g/devel/message/65054
Mute This Topic: https://groups.io/mt/76625679/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: 回复: 回复: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for CR3/GDT/IDT.

2020-09-04 Thread Yao, Jiewen 
Jeff
I think the CR3 should be managed by the CPU driver. And it should NOT be 
changed by other module during post phase without a clear contract.

Since CPU driver managed the value (or DebugAgent managing it under contract), 
it should *always* be valid. I don’t see the value to check the value managed 
by the module itself, and return EFI_UNSUPPORTED.

If CPU driver sets CR3 above 4G and sync it to AP, then it is a bug.
We should fix the CPU driver or MP Library to *make it always work*.

There are multiple options. For example, the CPU driver can always set a 
dedicate CR3/GDT/IDT for AP (below 4G). Then no matter BSP state is changed, we 
can always wake up AP correctly with a pre-defined state. Syncing BSP state to 
AP just an implementation choice, it is not absolute necessary.

In a system boot, the ability to wake up AP is very important. Especially when 
the BIOS transfers the state to OS, the BSP need wake up AP to put AP in a good 
state, such as protected mode with paging disabled. Without doing that, we may 
get random system crash during boot.

If we really really want to do some check to ensure AP state is good, I would 
rather to prepare a dedicated known good state for AP and always use this known 
good state for AP wakeup.
Giving up and returning UNSUPPORTED is definitely NOT my preference.


Thank you
Yao Jiewen







From: devel@edk2.groups.io  On Behalf Of Fan Jeff
Sent: Friday, September 4, 2020 7:17 PM
To: vanjeff_...@hotmail.com; Yao, Jiewen ; 
devel@edk2.groups.io; ler...@redhat.com; Dong, Eric ; Ni, 
Ray 
Cc: Lou, Yun 
Subject: Re: 回复: 回复: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check 
for CR3/GDT/IDT.

Jiewen,

Maybe my word "valid during post phase" confused you. My point is that those 
values maybe changed during post phase.

So, if their spaces above 4GB are not legal, i agree not to do anything. If 
legal, then we need to something.

Jeff



在 Fan Jeff mailto:vanjeff_...@hotmail.com>>,2020年9月4日 
下午4:44写道:
Jiewen,

I don’t think AP need to validate everyting. BSP should make sure CR3/GDT/IDT 
corrently firstly.  Othersize, everything does not make sense.

For CR3 case, if we assume CR3 above 4GB space is legal for BSP (If there are 
any limitation on it, please corrent me) but the current CPU AP wakeup method 
does not allow CR3 above 4GB space, this maybe the CPU driver’s bug or 
implementation limitation.

The key is that CR3 above 4GB is legal or not.
If we think this is bug, we need to enhance CPU driver to fix it.
If we think this is one limiation, we need to validate the CR3 value and tell 
the caller.

Jeff

发件人: Yao, Jiewen<mailto:jiewen@intel.com>
发送时间: 2020年9月4日 16:07
收件人: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; 
vanjeff_...@hotmail.com<mailto:vanjeff_...@hotmail.com>; Laszlo 
Ersek<mailto:ler...@redhat.com>; Dong, Eric<mailto:eric.d...@intel.com>; Ni, 
Ray<mailto:ray...@intel.com>
抄送: Lou, Yun<mailto:yun@intel.com>
主题: RE: 回复: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for 
CR3/GDT/IDT.

When we say “validate”, we need get clear on what is the contract between 
caller and callee, and what is the expectation of the validation.

For example, in this case, the validation is limited to 4G or not 4G. Why?
This function does not verify following, why?

  1.  if the GDT table is valid.
  2.  if the IDT table is valid
  3.  if the exception handler is valid
  4.  if the timer handler still works
  5.  if the page table is valid
  6.  if the page table is 1:1 mapping
  7.  if the page table still enforce the expected protection, such as RO, NX
  8.  ……

If an application creates a crazy state, CpuDxe may pass the validation with 
below 4G page table, but still fail to wake up APs.

If it is the app’s responsibility to ensure the system in good state, the 
validation is unnecessary.
If it is the CpuDxe’s responsibility to ensure the system in good state, the 
validation is insufficient.

I think we should wait. I am working with Eric to collect the requirement on 
why test case is designed in this way.

DebugAgentDxe is a good case. It is for debug purpose.
I believe there must be contract between CPU driver and DebugAgentDxe that 
which status DebugAgentDxe may modify and which state DebugAgentDxe may not.
It is DebugAgentDxe’s responsibility to ensure the new system state is correct 
and compatible with the CPU driver.
With the contract, I don’t think CPU driver need validate the system state 
changed by DebugAgentDxe.
If DebugAgentDxe put system in a wrong state, CPUDriver has no chance to run.




From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> 
mailto:devel@edk2.groups.io>> On Behalf Of Fan Jeff
Sent: Friday, September 4, 2020 3:32 PM
To: Laszlo Ersek mailto:ler...@redhat.com>>; 
devel@edk2.groups.io<mailto:devel@edk2.groups.io>; Dong, Eric 
mailto:eric.d...@intel.com>>; Ni, Ray 
mailto:ray...@intel.com>>
Cc: Lou, Yun mailt

Re: 回复: 回复: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for CR3/GDT/IDT.

2020-09-04 Thread Fan Jeff 
Jiewen,

Maybe my word "valid during post phase" confused you. My point is that those values maybe changed during post phase.

So, if their spaces above 4GB are not legal, i agree not to do anything. If legal, then we need to something.

Jeff



在 Fan Jeff ,2020年9月4日 下午4:44写道:


Jiewen,
 
I don’t think AP need to validate everyting. BSP should make sure CR3/GDT/IDT corrently firstly.  Othersize, everything does not make sense.
 
For CR3 case, if we assume CR3 above 4GB space is legal for BSP (If there are any limitation on it, please corrent me) but the current CPU AP wakeup method does not allow CR3 above 4GB space, this maybe the CPU driver’s
 bug or implementation limitation. 
 
The key is that CR3 above 4GB is legal or not.
If we think this is bug, we need to enhance CPU driver to fix it.
If we think this is one limiation, we need to validate the CR3 value and tell the caller.
 
Jeff

 

发件人: 
Yao, Jiewen
发送时间: 2020年9月4日 16:07
收件人: devel@edk2.groups.io;
vanjeff_...@hotmail.com; 
Laszlo Ersek; Dong, Eric; 
Ni, Ray
抄送: Lou, Yun
主题: RE: 回复: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for CR3/GDT/IDT.

 
When we say “validate”, we need get clear on what is the contract between caller and callee, and what is the expectation of the validation.
 
For example, in this case, the validation is limited to 4G or not 4G. Why?
This function does not verify following, why?

if the GDT table is valid.
if the IDT table is validif the exception handler is validif the timer handler still worksif the page table is validif the page table is 1:1 mappingif the page table still enforce the expected protection, such as RO, NX……
 
If an application creates a crazy state, CpuDxe may pass the validation with below 4G page table, but still fail to wake up APs.
 
If it is the app’s responsibility to ensure the system in good state, the validation is unnecessary.
If it is the CpuDxe’s responsibility to ensure the system in good state, the validation is insufficient.
 
I think we should wait. I am working with Eric to collect the requirement on why test case is designed in this way.
 
DebugAgentDxe is a good case. It is for debug purpose.
I believe there must be contract between CPU driver and DebugAgentDxe that which status DebugAgentDxe may modify and which state DebugAgentDxe may not.
It is DebugAgentDxe’s responsibility to ensure the new system state is correct and compatible with the CPU driver.
With the contract, I don’t think CPU driver need validate the system state changed by DebugAgentDxe.
If DebugAgentDxe put system in a wrong state, CPUDriver has no chance to run.
 
 
 
 


From: devel@edk2.groups.io 
On Behalf Of Fan Jeff
Sent: Friday, September 4, 2020 3:32 PM
To: Laszlo Ersek ; devel@edk2.groups.io; Dong, Eric ; Ni, Ray 
Cc: Lou, Yun 
Subject: 回复:
回复: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for CR3/GDT/IDT.


 
Laszlo,
 
Why sync the BSP’s CR3/GDT/IDT values for AP when AP wakes up instead of using old cached BSP’s CR3/GDT/IDT values when CPU driver initiallly dispatched is that we CANNOT
 assume original values are still valid during POST phase.
 
On this senario, BSP’s CR3/GDT/IDT are just like input parameters for one function. Validating them are necessary.
 
For example, DebugAgentDxe driver may be loaded in UEFI shell to setup source level debugging enviroment of EDKII debugger tools.  It may setup new IDT space.
 
Jeff
 

发件人: Laszlo Ersek
发送时间: 2020年9月4日 14:58
收件人: Fan Jeff;
devel@edk2.groups.io; 
eric.d...@intel.com; Ni, Ray
抄送: Lou, Yun
主题: Re: 回复: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for CR3/GDT/IDT.

 
On 09/04/20 04:18, Fan Jeff wrote:
> Laszlo & Eric,
> 
> Introducing one new PCD to handle such rare test case is too heavy. I think We could do validating CR3/GDT/IDT space < 4GB address always in MpInitLib.

I disagree.

What the UEFI application does (interfere with GDT / IDT / CR3
placement) is invalid. It changes system properties under the feet of
platform DXE drivers. UEFI applications are supposed to be written
against public protocols and services in the UEFI spec (and maybe in the
PI spec).

If this application is a test application that purposely massages
low-level system properties, that's fine; but then, if we change core
edk2 components to be somewhat compatible with this application, then we
should make sure that platforms that do not care about this specific use
case do not suffer a performance hit or a code complexity hit.

What I could accept, under your proposal, is the following: add three
ASSERT()s to FillExchangeInfoData(), where we fetch the IDTR / GDTR /
CR3 anyway. This would be fine because it only expresses existing
assumptions / requirements.

However, my understanding is that this would not solve Eric's problem.
The system would hang -- in DEBUG / NOOPT builds -- or crash -- in a
RELEASE build

回复: 回复: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for CR3/GDT/IDT.

2020-09-04 Thread Fan Jeff 
Jiewen,

I don’t think AP need to validate everyting. BSP should make sure CR3/GDT/IDT 
corrently firstly.  Othersize, everything does not make sense.

For CR3 case, if we assume CR3 above 4GB space is legal for BSP (If there are 
any limitation on it, please corrent me) but the current CPU AP wakeup method 
does not allow CR3 above 4GB space, this maybe the CPU driver’s bug or 
implementation limitation.

The key is that CR3 above 4GB is legal or not.
If we think this is bug, we need to enhance CPU driver to fix it.
If we think this is one limiation, we need to validate the CR3 value and tell 
the caller.

Jeff

发件人: Yao, Jiewen<mailto:jiewen@intel.com>
发送时间: 2020年9月4日 16:07
收件人: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; 
vanjeff_...@hotmail.com<mailto:vanjeff_...@hotmail.com>; Laszlo 
Ersek<mailto:ler...@redhat.com>; Dong, Eric<mailto:eric.d...@intel.com>; Ni, 
Ray<mailto:ray...@intel.com>
抄送: Lou, Yun<mailto:yun....@intel.com>
主题: RE: 回复: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for 
CR3/GDT/IDT.

When we say “validate”, we need get clear on what is the contract between 
caller and callee, and what is the expectation of the validation.

For example, in this case, the validation is limited to 4G or not 4G. Why?
This function does not verify following, why?

  1.  if the GDT table is valid.
  2.  if the IDT table is valid
  3.  if the exception handler is valid
  4.  if the timer handler still works
  5.  if the page table is valid
  6.  if the page table is 1:1 mapping
  7.  if the page table still enforce the expected protection, such as RO, NX
  8.  ……

If an application creates a crazy state, CpuDxe may pass the validation with 
below 4G page table, but still fail to wake up APs.

If it is the app’s responsibility to ensure the system in good state, the 
validation is unnecessary.
If it is the CpuDxe’s responsibility to ensure the system in good state, the 
validation is insufficient.

I think we should wait. I am working with Eric to collect the requirement on 
why test case is designed in this way.

DebugAgentDxe is a good case. It is for debug purpose.
I believe there must be contract between CPU driver and DebugAgentDxe that 
which status DebugAgentDxe may modify and which state DebugAgentDxe may not.
It is DebugAgentDxe’s responsibility to ensure the new system state is correct 
and compatible with the CPU driver.
With the contract, I don’t think CPU driver need validate the system state 
changed by DebugAgentDxe.
If DebugAgentDxe put system in a wrong state, CPUDriver has no chance to run.




From: devel@edk2.groups.io  On Behalf Of Fan Jeff
Sent: Friday, September 4, 2020 3:32 PM
To: Laszlo Ersek ; devel@edk2.groups.io; Dong, Eric 
; Ni, Ray 
Cc: Lou, Yun 
Subject: 回复: 回复: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for 
CR3/GDT/IDT.

Laszlo,

Why sync the BSP’s CR3/GDT/IDT values for AP when AP wakes up instead of using 
old cached BSP’s CR3/GDT/IDT values when CPU driver initiallly dispatched is 
that we CANNOT assume original values are still valid during POST phase.

On this senario, BSP’s CR3/GDT/IDT are just like input parameters for one 
function. Validating them are necessary.

For example, DebugAgentDxe driver may be loaded in UEFI shell to setup source 
level debugging enviroment of EDKII debugger tools.  It may setup new IDT space.

Jeff

发件人: Laszlo Ersek<mailto:ler...@redhat.com>
发送时间: 2020年9月4日 14:58
收件人: Fan Jeff<mailto:vanjeff_...@hotmail.com>; 
devel@edk2.groups.io<mailto:devel@edk2.groups.io>; 
eric.d...@intel.com<mailto:eric.d...@intel.com>; Ni, 
Ray<mailto:ray...@intel.com>
抄送: Lou, Yun<mailto:yun....@intel.com>
主题: Re: 回复: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for 
CR3/GDT/IDT.

On 09/04/20 04:18, Fan Jeff wrote:
> Laszlo & Eric,
>
> Introducing one new PCD to handle such rare test case is too heavy. I think 
> We could do validating CR3/GDT/IDT space < 4GB address always in MpInitLib.

I disagree.

What the UEFI application does (interfere with GDT / IDT / CR3
placement) is invalid. It changes system properties under the feet of
platform DXE drivers. UEFI applications are supposed to be written
against public protocols and services in the UEFI spec (and maybe in the
PI spec).

If this application is a test application that purposely massages
low-level system properties, that's fine; but then, if we change core
edk2 components to be somewhat compatible with this application, then we
should make sure that platforms that do not care about this specific use
case do not suffer a performance hit or a code complexity hit.

What I could accept, under your proposal, is the following: add three
ASSERT()s to FillExchangeInfoData(), where we fetch the IDTR / GDTR /
CR3 anyway. This would be fine because it only expresses existing
assumptions / requirements.

However, my understanding is that this would not solve Eric's problem.
Th

Re: 回复: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for CR3/GDT/IDT.

2020-09-04 Thread Laszlo Ersek 
On 09/04/20 10:06, Yao, Jiewen wrote:
> When we say “validate”, we need get clear on what is the contract between 
> caller and callee, and what is the expectation of the validation.
> 
> For example, in this case, the validation is limited to 4G or not 4G. Why?
> This function does not verify following, why?
> 
>   1.  if the GDT table is valid.
>   2.  if the IDT table is valid
>   3.  if the exception handler is valid
>   4.  if the timer handler still works
>   5.  if the page table is valid
>   6.  if the page table is 1:1 mapping
>   7.  if the page table still enforce the expected protection, such as RO, NX
>   8.  ……

Yes, very good point; it has crossed my mind before too. The currently
proposed checks verify the CR3 (but not the end of the root page
directory). They also don't try to walk the whole forest of page tables
and check every entry against 4GB (or, as you say, for 1:1 mapping). The
check covers the GDT and the IDT, but not the GDT and IDT entries
(segment granularity? direction of growth?)

I'm OK with the proposed rudimentary checks because in my mind they are
supposed to catch only one idiosyncratic UEFI application.

> If an application creates a crazy state, CpuDxe may pass the validation with 
> below 4G page table, but still fail to wake up APs.

Yes, absolutely.

> 
> If it is the app’s responsibility to ensure the system in good state, the 
> validation is unnecessary.
> If it is the CpuDxe’s responsibility to ensure the system in good state, the 
> validation is insufficient.

Agreed on both counts.

I'm just under the impression that Eric has some internal use case that
doesn't let him fix the application -- or maybe there's no time left for
them for fixing the application.

> 
> I think we should wait. I am working with Eric to collect the requirement on 
> why test case is designed in this way.

Sounds good, thanks!

> 
> DebugAgentDxe is a good case. It is for debug purpose.
> I believe there must be contract between CPU driver and DebugAgentDxe that 
> which status DebugAgentDxe may modify and which state DebugAgentDxe may not.
> It is DebugAgentDxe’s responsibility to ensure the new system state is 
> correct and compatible with the CPU driver.

Agreed 100%

> With the contract, I don’t think CPU driver need validate the system state 
> changed by DebugAgentDxe.
> If DebugAgentDxe put system in a wrong state, CPUDriver has no chance to run.

Agreed again.

Thanks
Laszlo


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#65046): https://edk2.groups.io/g/devel/message/65046
Mute This Topic: https://groups.io/mt/76625321/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: 回复: 回复: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for CR3/GDT/IDT.

2020-09-04 Thread Laszlo Ersek 
On 09/04/20 09:32, Fan Jeff wrote:
> Laszlo,
>
> Why sync the BSP's CR3/GDT/IDT values for AP when AP wakes up instead
> of using old cached BSP's CR3/GDT/IDT values when CPU driver
> initiallly dispatched is that we CANNOT assume original values are
> still valid during POST phase.
>
> On this senario, BSP's CR3/GDT/IDT are just like input parameters for
> one function. Validating them are necessary.
>
> For example, DebugAgentDxe driver may be loaded in UEFI shell to setup
> source level debugging enviroment of EDKII debugger tools.  It may
> setup new IDT space.

Then DebugAgentDxe should be changed to allocate the new IDT in the
32-bit address space.

I don't think it's acceptable that loading DebugAgentDxe from the UEFI
shell may or may not render the MP services protocol unusable. What if
the programmer wants to debug something related to MP services? "I've
loaded DebugAgentDxe, but now I cannot start the payload I want to
debug."

As far as I can see,
"SourceLevelDebugPkg/Library/DebugAgent/DxeDebugAgent/DxeDebugAgentLib.c"
uses the static variable "mIdtEntryTable" as IDT. I think it should be
possible to replace "mIdtEntryTable" with a dynamically allocated
object. The allocation should be restricted to 32-bit. It should be
possible to perform the allocation very early (perhaps in the library
constructor).

Again, I'm OK with adding ASSERT()s to FillExchangeInfoData(). If IDT /
GDT / CR3 are out of 32-bit address space, then that's a programming
error, or a platform misconfiguration. It's not something we should try
to dynamically recover from.

The MP services protocol implementation may not expect that the
CR3/GDT/IDT remain unchanged on the BSP during the DXE/BDS phases, but
it does expect them to remain under 4GB.

- A UEFI driver or app must not break this assumption at all, because a
  UEFI driver or app has no business messing with these artifacts.

- Whereas a DXE driver (such as DebugAgentDxe), exactly because it is
  part of the platform firmware, is expected to collaborate with CpuDxe
  / MpInitLib, and to satisfy the invariants.

Thanks,
Laszlo


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#65044): https://edk2.groups.io/g/devel/message/65044
Mute This Topic: https://groups.io/mt/76625078/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: 回复: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for CR3/GDT/IDT.

2020-09-04 Thread Yao, Jiewen 
When we say “validate”, we need get clear on what is the contract between 
caller and callee, and what is the expectation of the validation.

For example, in this case, the validation is limited to 4G or not 4G. Why?
This function does not verify following, why?

  1.  if the GDT table is valid.
  2.  if the IDT table is valid
  3.  if the exception handler is valid
  4.  if the timer handler still works
  5.  if the page table is valid
  6.  if the page table is 1:1 mapping
  7.  if the page table still enforce the expected protection, such as RO, NX
  8.  ……

If an application creates a crazy state, CpuDxe may pass the validation with 
below 4G page table, but still fail to wake up APs.

If it is the app’s responsibility to ensure the system in good state, the 
validation is unnecessary.
If it is the CpuDxe’s responsibility to ensure the system in good state, the 
validation is insufficient.

I think we should wait. I am working with Eric to collect the requirement on 
why test case is designed in this way.

DebugAgentDxe is a good case. It is for debug purpose.
I believe there must be contract between CPU driver and DebugAgentDxe that 
which status DebugAgentDxe may modify and which state DebugAgentDxe may not.
It is DebugAgentDxe’s responsibility to ensure the new system state is correct 
and compatible with the CPU driver.
With the contract, I don’t think CPU driver need validate the system state 
changed by DebugAgentDxe.
If DebugAgentDxe put system in a wrong state, CPUDriver has no chance to run.




From: devel@edk2.groups.io  On Behalf Of Fan Jeff
Sent: Friday, September 4, 2020 3:32 PM
To: Laszlo Ersek ; devel@edk2.groups.io; Dong, Eric 
; Ni, Ray 
Cc: Lou, Yun 
Subject: 回复: 回复: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for 
CR3/GDT/IDT.

Laszlo,

Why sync the BSP’s CR3/GDT/IDT values for AP when AP wakes up instead of using 
old cached BSP’s CR3/GDT/IDT values when CPU driver initiallly dispatched is 
that we CANNOT assume original values are still valid during POST phase.

On this senario, BSP’s CR3/GDT/IDT are just like input parameters for one 
function. Validating them are necessary.

For example, DebugAgentDxe driver may be loaded in UEFI shell to setup source 
level debugging enviroment of EDKII debugger tools.  It may setup new IDT space.

Jeff

发件人: Laszlo Ersek<mailto:ler...@redhat.com>
发送时间: 2020年9月4日 14:58
收件人: Fan Jeff<mailto:vanjeff_...@hotmail.com>; 
devel@edk2.groups.io<mailto:devel@edk2.groups.io>; 
eric.d...@intel.com<mailto:eric.d...@intel.com>; Ni, 
Ray<mailto:ray...@intel.com>
抄送: Lou, Yun<mailto:yun....@intel.com>
主题: Re: 回复: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for 
CR3/GDT/IDT.

On 09/04/20 04:18, Fan Jeff wrote:
> Laszlo & Eric,
>
> Introducing one new PCD to handle such rare test case is too heavy. I think 
> We could do validating CR3/GDT/IDT space < 4GB address always in MpInitLib.

I disagree.

What the UEFI application does (interfere with GDT / IDT / CR3
placement) is invalid. It changes system properties under the feet of
platform DXE drivers. UEFI applications are supposed to be written
against public protocols and services in the UEFI spec (and maybe in the
PI spec).

If this application is a test application that purposely massages
low-level system properties, that's fine; but then, if we change core
edk2 components to be somewhat compatible with this application, then we
should make sure that platforms that do not care about this specific use
case do not suffer a performance hit or a code complexity hit.

What I could accept, under your proposal, is the following: add three
ASSERT()s to FillExchangeInfoData(), where we fetch the IDTR / GDTR /
CR3 anyway. This would be fine because it only expresses existing
assumptions / requirements.

However, my understanding is that this would not solve Eric's problem.
The system would hang -- in DEBUG / NOOPT builds -- or crash -- in a
RELEASE build -- just the same as before.

Now, *if* FillExchangeInfoData() is currently *wrong* to have these
32-bit assumptions, because edk2 modules themselves can break those
assumptions (without the custom UEFI application), then we have a more
serious problem. But for that problem, just "checking and rejecting" is
not a sufficient solution, regardless of how and where we check and reject.

Thanks
Laszlo




>
> Jeff
>
> 发件人: Dong, Eric<mailto:eric.d...@intel.com>
> 发送时间: 2020年9月4日 10:01
> 收件人: Ni, Ray<mailto:ray...@intel.com>; 
> devel@edk2.groups.io<mailto:devel@edk2.groups.io<mailto:devel@edk2.groups.io%3cmailto:devel@edk2.groups.io>>;
>  ler...@redhat.com<mailto:ler...@redhat.com>
> 抄送: Lou, Yun<mailto:yun@intel.com>
> 主题: Re: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for 
> CR3/GDT/IDT.
>
> I guess Laszlo think this check is not always needed, just used for this 
> special shell applicatio

回复: 回复: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for CR3/GDT/IDT.

2020-09-04 Thread Fan Jeff 
Laszlo,

Why sync the BSP’s CR3/GDT/IDT values for AP when AP wakes up instead of using 
old cached BSP’s CR3/GDT/IDT values when CPU driver initiallly dispatched is 
that we CANNOT assume original values are still valid during POST phase.

On this senario, BSP’s CR3/GDT/IDT are just like input parameters for one 
function. Validating them are necessary.

For example, DebugAgentDxe driver may be loaded in UEFI shell to setup source 
level debugging enviroment of EDKII debugger tools.  It may setup new IDT space.

Jeff

发件人: Laszlo Ersek<mailto:ler...@redhat.com>
发送时间: 2020年9月4日 14:58
收件人: Fan Jeff<mailto:vanjeff_...@hotmail.com>; 
devel@edk2.groups.io<mailto:devel@edk2.groups.io>; 
eric.d...@intel.com<mailto:eric.d...@intel.com>; Ni, 
Ray<mailto:ray...@intel.com>
抄送: Lou, Yun<mailto:yun....@intel.com>
主题: Re: 回复: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for 
CR3/GDT/IDT.

On 09/04/20 04:18, Fan Jeff wrote:
> Laszlo & Eric,
>
> Introducing one new PCD to handle such rare test case is too heavy. I think 
> We could do validating CR3/GDT/IDT space < 4GB address always in MpInitLib.

I disagree.

What the UEFI application does (interfere with GDT / IDT / CR3
placement) is invalid. It changes system properties under the feet of
platform DXE drivers. UEFI applications are supposed to be written
against public protocols and services in the UEFI spec (and maybe in the
PI spec).

If this application is a test application that purposely massages
low-level system properties, that's fine; but then, if we change core
edk2 components to be somewhat compatible with this application, then we
should make sure that platforms that do not care about this specific use
case do not suffer a performance hit or a code complexity hit.

What I could accept, under your proposal, is the following: add three
ASSERT()s to FillExchangeInfoData(), where we fetch the IDTR / GDTR /
CR3 anyway. This would be fine because it only expresses existing
assumptions / requirements.

However, my understanding is that this would not solve Eric's problem.
The system would hang -- in DEBUG / NOOPT builds -- or crash -- in a
RELEASE build -- just the same as before.

Now, *if* FillExchangeInfoData() is currently *wrong* to have these
32-bit assumptions, because edk2 modules themselves can break those
assumptions (without the custom UEFI application), then we have a more
serious problem. But for that problem, just "checking and rejecting" is
not a sufficient solution, regardless of how and where we check and reject.

Thanks
Laszlo




>
> Jeff
>
> 发件人: Dong, Eric<mailto:eric.d...@intel.com>
> 发送时间: 2020年9月4日 10:01
> 收件人: Ni, Ray<mailto:ray...@intel.com>; 
> devel@edk2.groups.io<mailto:devel@edk2.groups.io>; 
> ler...@redhat.com<mailto:ler...@redhat.com>
> 抄送: Lou, Yun<mailto:yun@intel.com>
> 主题: Re: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for 
> CR3/GDT/IDT.
>
> I guess Laszlo think this check is not always needed, just used for this 
> special shell application case. He wants to use default FALSE to always 
> ignore this check and make code logic clear.
>
> Thanks,
> Eric
>
> From: Ni, Ray 
> Sent: Friday, September 4, 2020 9:34 AM
> To: devel@edk2.groups.io; ler...@redhat.com; Dong, Eric 
> Cc: Lou, Yun 
> Subject: Re: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for 
> CR3/GDT/IDT.
>
> Why do we need a new PCD to control such check? Under what circumstance the 
> PCD is false?
> We may need to move such check out of MpLib.c. Because when bps runs at 32bit 
> mode, AP doesn’t need to switch to long mode, such check is not needed and 
> also always passes.
>
> We should not assume PEI runs at 32 bit mode.
>
>
> 发件人: devel@edk2.groups.io<mailto:devel@edk2.groups.io> 
> mailto:devel@edk2.groups.io>> 代表 Laszlo Ersek 
> mailto:ler...@redhat.com>>
> 发送时间: Friday, September 4, 2020 3:55:47 AM
> 收件人: Dong, Eric mailto:eric.d...@intel.com>>; 
> devel@edk2.groups.io<mailto:devel@edk2.groups.io> 
> mailto:devel@edk2.groups.io>>
> 抄送: Ni, Ray mailto:ray...@intel.com>>
> 主题: Re: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for 
> CR3/GDT/IDT.
>
> On 09/03/20 21:00, Laszlo Ersek wrote:
>
>> (10) More importantly, ValidCR3GdtIdtCheck() should not be called in the
>> Worker functions for StartupAllAPs, StartupThisAP, SwitchBSP, and
>> EnableDisableAP, in "UefiCpuPkg/Library/MpInitLib/MpLib.c".
>>
>> Instead, the calls should be made in the DXE instance of the library
>> ("UefiCpuPkg/Library/MpInitLib/DxeMpLib.c"), at the very top of the
>> functions:
>>
>> - MpInitLibStartupAllAPs
>> - MpInitLibStartupThisAP
>> - MpInitLibSwitchBSP
>> - MpInitLi

Re: 回复: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for CR3/GDT/IDT.

2020-09-04 Thread Laszlo Ersek 
On 09/04/20 04:18, Fan Jeff wrote:
> Laszlo & Eric,
> 
> Introducing one new PCD to handle such rare test case is too heavy. I think 
> We could do validating CR3/GDT/IDT space < 4GB address always in MpInitLib.

I disagree.

What the UEFI application does (interfere with GDT / IDT / CR3
placement) is invalid. It changes system properties under the feet of
platform DXE drivers. UEFI applications are supposed to be written
against public protocols and services in the UEFI spec (and maybe in the
PI spec).

If this application is a test application that purposely massages
low-level system properties, that's fine; but then, if we change core
edk2 components to be somewhat compatible with this application, then we
should make sure that platforms that do not care about this specific use
case do not suffer a performance hit or a code complexity hit.

What I could accept, under your proposal, is the following: add three
ASSERT()s to FillExchangeInfoData(), where we fetch the IDTR / GDTR /
CR3 anyway. This would be fine because it only expresses existing
assumptions / requirements.

However, my understanding is that this would not solve Eric's problem.
The system would hang -- in DEBUG / NOOPT builds -- or crash -- in a
RELEASE build -- just the same as before.

Now, *if* FillExchangeInfoData() is currently *wrong* to have these
32-bit assumptions, because edk2 modules themselves can break those
assumptions (without the custom UEFI application), then we have a more
serious problem. But for that problem, just "checking and rejecting" is
not a sufficient solution, regardless of how and where we check and reject.

Thanks
Laszlo




> 
> Jeff
> 
> 发件人: Dong, Eric
> 发送时间: 2020年9月4日 10:01
> 收件人: Ni, Ray; 
> devel@edk2.groups.io; 
> ler...@redhat.com
> 抄送: Lou, Yun
> 主题: Re: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for 
> CR3/GDT/IDT.
> 
> I guess Laszlo think this check is not always needed, just used for this 
> special shell application case. He wants to use default FALSE to always 
> ignore this check and make code logic clear.
> 
> Thanks,
> Eric
> 
> From: Ni, Ray 
> Sent: Friday, September 4, 2020 9:34 AM
> To: devel@edk2.groups.io; ler...@redhat.com; Dong, Eric 
> Cc: Lou, Yun 
> Subject: Re: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for 
> CR3/GDT/IDT.
> 
> Why do we need a new PCD to control such check? Under what circumstance the 
> PCD is false?
> We may need to move such check out of MpLib.c. Because when bps runs at 32bit 
> mode, AP doesn’t need to switch to long mode, such check is not needed and 
> also always passes.
> 
> We should not assume PEI runs at 32 bit mode.
> 
> 
> 发件人: devel@edk2.groups.io 
> mailto:devel@edk2.groups.io>> 代表 Laszlo Ersek 
> mailto:ler...@redhat.com>>
> 发送时间: Friday, September 4, 2020 3:55:47 AM
> 收件人: Dong, Eric mailto:eric.d...@intel.com>>; 
> devel@edk2.groups.io 
> mailto:devel@edk2.groups.io>>
> 抄送: Ni, Ray mailto:ray...@intel.com>>
> 主题: Re: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for 
> CR3/GDT/IDT.
> 
> On 09/03/20 21:00, Laszlo Ersek wrote:
> 
>> (10) More importantly, ValidCR3GdtIdtCheck() should not be called in the
>> Worker functions for StartupAllAPs, StartupThisAP, SwitchBSP, and
>> EnableDisableAP, in "UefiCpuPkg/Library/MpInitLib/MpLib.c".
>>
>> Instead, the calls should be made in the DXE instance of the library
>> ("UefiCpuPkg/Library/MpInitLib/DxeMpLib.c"), at the very top of the
>> functions:
>>
>> - MpInitLibStartupAllAPs
>> - MpInitLibStartupThisAP
>> - MpInitLibSwitchBSP
>> - MpInitLibEnableDisableAP
>>
>> Here's why:
>>
>> (a) The symptom does not affect the PEI phase -- by the time the UEFI
>> application is executed, the PEI phase has ended; there's no need to
>> modify the PEI instance of the library.
>>
>> (b) The currently proposed failure exits are too late. For example, in
>> the SwitchBSPWorker() function, by the time we exit, we have called
>> DisableApicTimerInterrupt(), SaveAndDisableInterrupts(), and
>> DisableLvtInterrupts() -- and the error path does not restore the
>> original environment.
>>
>> (c) According to the PI spec (v1.7), the StartupAllAPs(),
>> StartupThisAP(), SwitchBSP(), EnableDisableAP() member functions of
>> EFI_MP_SERVICES_PROTOCOL may only be called on the (current) BSP.
>> Because of this, it is OK to call ValidCR3GdtIdtCheck() as the very
>> first action in the above-listed DxeMpLib functions.
>>
>> (Assuming the protocol members are called from an AP, and consequently
>> we check CR3 / GDTR / IDTR on the AP (and not on the BSP), that's the
>> *caller's* fault, per spec!)
> 
> This means we can move the ValidCr3GdtIdtCheck() function to
> "DxeMpLib.c", and it is not necessary to modify "MpLib.h".
> 
> Thanks
> Laszlo
> 
> 
> 


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all

回复: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for CR3/GDT/IDT.

2020-09-03 Thread Fan Jeff 
Laszlo & Eric,

Introducing one new PCD to handle such rare test case is too heavy. I think We 
could do validating CR3/GDT/IDT space < 4GB address always in MpInitLib.

Jeff

发件人: Dong, Eric
发送时间: 2020年9月4日 10:01
收件人: Ni, Ray; 
devel@edk2.groups.io; 
ler...@redhat.com
抄送: Lou, Yun
主题: Re: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for CR3/GDT/IDT.

I guess Laszlo think this check is not always needed, just used for this 
special shell application case. He wants to use default FALSE to always ignore 
this check and make code logic clear.

Thanks,
Eric

From: Ni, Ray 
Sent: Friday, September 4, 2020 9:34 AM
To: devel@edk2.groups.io; ler...@redhat.com; Dong, Eric 
Cc: Lou, Yun 
Subject: Re: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for 
CR3/GDT/IDT.

Why do we need a new PCD to control such check? Under what circumstance the PCD 
is false?
We may need to move such check out of MpLib.c. Because when bps runs at 32bit 
mode, AP doesn’t need to switch to long mode, such check is not needed and also 
always passes.

We should not assume PEI runs at 32 bit mode.


发件人: devel@edk2.groups.io 
mailto:devel@edk2.groups.io>> 代表 Laszlo Ersek 
mailto:ler...@redhat.com>>
发送时间: Friday, September 4, 2020 3:55:47 AM
收件人: Dong, Eric mailto:eric.d...@intel.com>>; 
devel@edk2.groups.io 
mailto:devel@edk2.groups.io>>
抄送: Ni, Ray mailto:ray...@intel.com>>
主题: Re: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for CR3/GDT/IDT.

On 09/03/20 21:00, Laszlo Ersek wrote:

> (10) More importantly, ValidCR3GdtIdtCheck() should not be called in the
> Worker functions for StartupAllAPs, StartupThisAP, SwitchBSP, and
> EnableDisableAP, in "UefiCpuPkg/Library/MpInitLib/MpLib.c".
>
> Instead, the calls should be made in the DXE instance of the library
> ("UefiCpuPkg/Library/MpInitLib/DxeMpLib.c"), at the very top of the
> functions:
>
> - MpInitLibStartupAllAPs
> - MpInitLibStartupThisAP
> - MpInitLibSwitchBSP
> - MpInitLibEnableDisableAP
>
> Here's why:
>
> (a) The symptom does not affect the PEI phase -- by the time the UEFI
> application is executed, the PEI phase has ended; there's no need to
> modify the PEI instance of the library.
>
> (b) The currently proposed failure exits are too late. For example, in
> the SwitchBSPWorker() function, by the time we exit, we have called
> DisableApicTimerInterrupt(), SaveAndDisableInterrupts(), and
> DisableLvtInterrupts() -- and the error path does not restore the
> original environment.
>
> (c) According to the PI spec (v1.7), the StartupAllAPs(),
> StartupThisAP(), SwitchBSP(), EnableDisableAP() member functions of
> EFI_MP_SERVICES_PROTOCOL may only be called on the (current) BSP.
> Because of this, it is OK to call ValidCR3GdtIdtCheck() as the very
> first action in the above-listed DxeMpLib functions.
>
> (Assuming the protocol members are called from an AP, and consequently
> we check CR3 / GDTR / IDTR on the AP (and not on the BSP), that's the
> *caller's* fault, per spec!)

This means we can move the ValidCr3GdtIdtCheck() function to
"DxeMpLib.c", and it is not necessary to modify "MpLib.h".

Thanks
Laszlo




-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#65029): https://edk2.groups.io/g/devel/message/65029
Mute This Topic: https://groups.io/mt/76623548/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-