[edk2-devel] [PATCH 2/5] BaseTools: Generate multiple rules when multiple output files
From: Pierre Gondois
This patch modifies the Makefile generation not to stop
adding Makfile rules when the first final target is found.
E.g.:
If the following rules are described in build_rule.txt:
-[Rule1]: .X files generate .Y and .Z files;
-[Rule2]: .Z files generate .Z1 files.
Currently, if a File1.X file was part of the sources of a
module, only [Rule1] would be generated in the Makefile.
Indeed, there are no rules to apply to .Y files: .Y files
are a final target. However, there is still [Rule2] to
apply to .Z files.
This patch also adds a dependency between the first
ouput file of a rule and the other output files.
For instance, with the same example as above, File1.Y
and File1.Z are generated by the following rule:
File1.Y: File1.X
and the new dependency is:
File1.Z: File1.Y
This is necessary to keep a dependency order during the
execution of the Makefile. Indeed, .Y and .Z files are
generated by the execution of a common set of commands,
and without this rule, there is no explicit dependency
relation between them.
Signed-off-by: Pierre Gondois
Suggested-by: Tomas Pilar
---
The changes can be seen at:
https://github.com/PierreARM/edk2/commits/803_Compile_AML_bytecode_array_into_OBJ_file_v5
Notes:
v1:
- Generate multiple rules when multiple output files
are specified in the build_rule.txt file. [Pierre]
v2:
- Use the "FileType" variable in the _ApplyBuildRule
function as it is in the current state. [Pierre]
v3:
- Adding Suggested-by [Pierre]
v4:
- No modification. Re-sending the patch with base64
encoding to conserve the right line endings. [Bob]
v5:
- No modification. [Pierre]
BaseTools/Source/Python/AutoGen/GenMake.py | 6
BaseTools/Source/Python/AutoGen/ModuleAutoGen.py | 38 +++-
2 files changed, 27 insertions(+), 17 deletions(-)
diff --git a/BaseTools/Source/Python/AutoGen/GenMake.py
b/BaseTools/Source/Python/AutoGen/GenMake.py
index
bbb3c29446f53fa7f2cb61a216a5b119f72c3fbc..0314d0ea34d99a014379e8d30c46ac0f0a7068ce
100755
--- a/BaseTools/Source/Python/AutoGen/GenMake.py
+++ b/BaseTools/Source/Python/AutoGen/GenMake.py
@@ -1054,6 +1054,12 @@ cleanlib:
TargetDict = {"target": self.PlaceMacro(T.Target.Path,
self.Macros), "cmd": "\n\t".join(T.Commands),"deps": Deps}
self.BuildTargetList.append(self._BUILD_TARGET_TEMPLATE.Replace(TargetDict))
+# Add a Makefile rule for targets generating multiple
files.
+# The main output is a prerequisite for the other output
files.
+for i in T.Outputs[1:]:
+AnnexeTargetDict = {"target": self.PlaceMacro(i.Path,
self.Macros), "cmd": "", "deps": self.PlaceMacro(T.Target.Path, self.Macros)}
+
self.BuildTargetList.append(self._BUILD_TARGET_TEMPLATE.Replace(AnnexeTargetDict))
+
def ParserCCodeFile(self, T, Type, CmdSumDict, CmdTargetDict, CmdCppDict,
DependencyDict):
if not CmdSumDict:
for item in self._AutoGenObject.Targets[Type]:
diff --git a/BaseTools/Source/Python/AutoGen/ModuleAutoGen.py
b/BaseTools/Source/Python/AutoGen/ModuleAutoGen.py
index
aad591de65f086043d55aeea5661f59c53792e7c..dc8b1fe3d160cac2da7fc233e3aa0d92cb1e
100755
--- a/BaseTools/Source/Python/AutoGen/ModuleAutoGen.py
+++ b/BaseTools/Source/Python/AutoGen/ModuleAutoGen.py
@@ -860,7 +860,8 @@ class ModuleAutoGen(AutoGen):
SubDirectory = os.path.join(self.OutputDir, File.SubDir)
if not os.path.exists(SubDirectory):
CreateDirectory(SubDirectory)
-LastTarget = None
+TargetList = set()
+FinalTargetName = set()
RuleChain = set()
SourceList = [File]
Index = 0
@@ -870,6 +871,9 @@ class ModuleAutoGen(AutoGen):
self.BuildOption
while Index < len(SourceList):
+# Reset the FileType if not the first iteration.
+if Index > 0:
+FileType = TAB_UNKNOWN_FILE
Source = SourceList[Index]
Index = Index + 1
@@ -886,29 +890,25 @@ class ModuleAutoGen(AutoGen):
elif Source.Ext in self.BuildRules:
RuleObject = self.BuildRules[Source.Ext]
else:
-# stop at no more rules
-if LastTarget:
-self._FinalBuildTargetList.add(LastTarget)
-break
+# No more rule to apply: Source is a final target.
+FinalTargetName.add(Source)
+continue
FileType = RuleObject.SourceFileType
self._FileTypes[FileType].add(Source)
# stop at STATIC_LIBRARY for library
if self.IsLibrary and FileType == TAB_STATIC_LIBRARY:
-if LastTarget:
-self._FinalBuildTargetList.add(LastTarget)
-break
+
[edk2-devel] [PATCH v5 1/5] BaseTools: PatchCheck: Exclude bash scripts from CRLF check
From: Pierre Gondois
Bash scripts require LF line endings to work.
PatchCheck.py checks that the files added in a patch have CRLF
line endings. It excludes files ending with the ".sh" extension
from this check.
Some bash script don't have a ".sh" extension. Most of them are
located in:
- BaseTools/BinWrappers/PosixLike/
- BaseTools/Bin/CYGWIN_NT-5.1-i686/
This patch excludes these folder plus BaseTools/BuildEnv from
this CRLF check.
Signed-off-by: Pierre Gondois
---
The changes can be seen at:
https://github.com/PierreARM/edk2/commits/803_Compile_AML_bytecode_array_into_OBJ_file_v5
Notes:
v5:
- Exclude some directories/files having LF line
endings from the PatchCheck,py script. [Bob]
BaseTools/Scripts/PatchCheck.py | 8 +++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/BaseTools/Scripts/PatchCheck.py b/BaseTools/Scripts/PatchCheck.py
index
106b434c750d71d8aa1658109f146dc066633c2c..e38cf61f93da50f77d4e1e2e37de5f6a08d25408
100755
--- a/BaseTools/Scripts/PatchCheck.py
+++ b/BaseTools/Scripts/PatchCheck.py
@@ -3,6 +3,7 @@
#
# Copyright (c) 2015 - 2020, Intel Corporation. All rights reserved.
# Copyright (C) 2020, Red Hat, Inc.
+# Copyright (c) 2020, ARM Ltd. All rights reserved.
#
# SPDX-License-Identifier: BSD-2-Clause-Patent
#
@@ -384,9 +385,14 @@ class GitDiffCheck:
self.is_newfile = False
self.force_crlf = True
self.force_notabs = True
-if self.filename.endswith('.sh'):
+if self.filename.endswith('.sh') or \
+
self.filename.startswith('BaseTools/BinWrappers/PosixLike/') or \
+
self.filename.startswith('BaseTools/Bin/CYGWIN_NT-5.1-i686/') or \
+self.filename == 'BaseTools/BuildEnv':
#
# Do not enforce CR/LF line endings for linux shell
scripts.
+# Some linux shell scripts don't end with the ".sh"
extension,
+# they are identified by their path.
#
self.force_crlf = False
if self.filename == '.gitmodules':
--
'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'
[edk2-devel] [PATCH v5 5/5] BaseTools: Fix string concatenation
From: Pierre Gondois Using Python 3.7.2 on win32, when printing a FileBuildRule instance, the following error occurs: File "edk2\BaseTools\Source\Python\AutoGen\BuildEngine.py", line 177, in __str__ DestString = ", ".join(self.DestFileList) TypeError: sequence item 0: expected str instance, PathClass found This patch converts each PathClass element of the list to a string instance before concatenating them. Signed-off-by: Pierre Gondois --- The changes can be seen at: https://github.com/PierreARM/edk2/commits/803_Compile_AML_bytecode_array_into_OBJ_file_v5 Notes: v2: - No v1 for this patch. Fix a __str__ method. [Pierre] v3: - No modification. [Pierre] v4: - No modification. Re-sending the patch with base64 encoding to conserve the right line endings. [Bob] v5: - No modification. [Pierre] BaseTools/Source/Python/AutoGen/BuildEngine.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/BaseTools/Source/Python/AutoGen/BuildEngine.py b/BaseTools/Source/Python/AutoGen/BuildEngine.py index d602414ca41f37155c9c6d00eec54ea3918840c3..722fead75af6d60aa82365d999837cd5ac3299af 100644 --- a/BaseTools/Source/Python/AutoGen/BuildEngine.py +++ b/BaseTools/Source/Python/AutoGen/BuildEngine.py @@ -172,7 +172,7 @@ class FileBuildRule: def __str__(self): SourceString = "" SourceString += " %s %s %s" % (self.SourceFileType, " ".join(self.SourceFileExtList), self.ExtraSourceFileList) -DestString = ", ".join(self.DestFileList) +DestString = ", ".join([str(i) for i in self.DestFileList]) CommandString = "\n\t".join(self.CommandList) return "%s : %s\n\t%s" % (DestString, SourceString, CommandString) -- 'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'
[edk2-devel] [PATCH v5 3/5] BaseTools: Rename AmlToHex script to AmlToC
From: Pierre Gondois
The AmlToHex script and Posix/WindowsLike wrappers convert
an AML file to a .hex file, containing a C array storing
AML bytecode. This ".hex" file can then be included in a
C file, allowing to access the AML bytecode from this C
file.
The EDK2 build system doesn't allow to a depict dependency
orders between files of different languages. For instance,
in a module containing a ".c" file and a ".asl", the ".c"
file may or may not be built prior to the ".asl" file.
This prevents any inclusion of a generated ".hex" in a
".c" file since this later ".hex" file may or may not
have been created yet.
This patch renames the script as AmlToC. It is posted as
a separate patch to prevent git from seeing the renaming
as a deletion plus addition of a new file.
The ending line of the posix-like bin-wrapper script has
also been corrected.
This is a first step toward generating a C file containing
the AML bytecode from an ASL file. This C file will then
be handled by the EDK2 build system to generate an object
file.
Thus, no file inclusion will be required anymore. The C file
requiring the AML bytecode as a C array, and the ASL file,
will be compiled independently. The C array must be defined
as an external symbol. The linker is resolving the
reference to the C array symbol.
To summarize, the flow goes as:
-1. ASL file is compiled to AML;
-2. AML file is copied to a ".amli" intermediate file;
-3. EDK2 build system applies the rule relevant to ".amli"
files. This is, calling the "AmlToC" script, generating
a C file from the ".amli" file;
-4. EDK2 build system applies the rule relevant to C files.
This is creating an object file.
-5. EDK2 build system links the object file containing the
AML bytecode with the object file requiring it.
Signed-off-by: Pierre Gondois
Suggested-by: Tomas Pilar
---
The changes can be seen at:
https://github.com/PierreARM/edk2/commits/803_Compile_AML_bytecode_array_into_OBJ_file_v5
Notes:
v1:
- Rename AmlToHex scripts to AmlToC, and change line
endings of the PosixLike bin-wrapper. [Pierre]
v2:
- No modification. [Pierre]
v3:
- Changed "Signed-off-by" to "Suggested-by". [Bob]
v4:
- No modification. Re-sending the patch with base64
encoding to conserve the right line endings. [Bob]
v5:
- No modification. [Pierre]
BaseTools/BinWrappers/PosixLike/{AmlToHex => AmlToC} | 28
++--
BaseTools/BinWrappers/WindowsLike/{AmlToHex.bat => AmlToC.bat} | 0
BaseTools/Source/Python/{AmlToHex/AmlToHex.py => AmlToC/AmlToC.py} | 0
3 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/BaseTools/BinWrappers/PosixLike/AmlToHex
b/BaseTools/BinWrappers/PosixLike/AmlToC
similarity index 97%
rename from BaseTools/BinWrappers/PosixLike/AmlToHex
rename to BaseTools/BinWrappers/PosixLike/AmlToC
index
9fb68299e4c67d1f332cd883fd348a896f1bdc50..1dd28e966288f6ea4fc52d42e2dc7b1f74226c23
100755
--- a/BaseTools/BinWrappers/PosixLike/AmlToHex
+++ b/BaseTools/BinWrappers/PosixLike/AmlToC
@@ -1,14 +1,14 @@
-#!/usr/bin/env bash
-#python `dirname $0`/RunToolFromSource.py `basename $0` $*
-
-# If a ${PYTHON_COMMAND} command is available, use it in preference to python
-if command -v ${PYTHON_COMMAND} >/dev/null 2>&1; then
-python_exe=${PYTHON_COMMAND}
-fi
-
-full_cmd=${BASH_SOURCE:-$0} # see http://mywiki.wooledge.org/BashFAQ/028 for a
discussion of why $0 is not a good choice here
-dir=$(dirname "$full_cmd")
-exe=$(basename "$full_cmd")
-
-export PYTHONPATH="$dir/../../Source/Python${PYTHONPATH:+:"$PYTHONPATH"}"
-exec "${python_exe:-python}" "$dir/../../Source/Python/$exe/$exe.py" "$@"
+#!/usr/bin/env bash
+#python `dirname $0`/RunToolFromSource.py `basename $0` $*
+
+# If a ${PYTHON_COMMAND} command is available, use it in preference to python
+if command -v ${PYTHON_COMMAND} >/dev/null 2>&1; then
+python_exe=${PYTHON_COMMAND}
+fi
+
+full_cmd=${BASH_SOURCE:-$0} # see http://mywiki.wooledge.org/BashFAQ/028 for a
discussion of why $0 is not a good choice here
+dir=$(dirname "$full_cmd")
+exe=$(basename "$full_cmd")
+
+export PYTHONPATH="$dir/../../Source/Python${PYTHONPATH:+:"$PYTHONPATH"}"
+exec "${python_exe:-python}" "$dir/../../Source/Python/$exe/$exe.py" "$@"
diff --git a/BaseTools/BinWrappers/WindowsLike/AmlToHex.bat
b/BaseTools/BinWrappers/WindowsLike/AmlToC.bat
similarity index 100%
rename from BaseTools/BinWrappers/WindowsLike/AmlToHex.bat
rename to BaseTools/BinWrappers/WindowsLike/AmlToC.bat
diff --git a/BaseTools/Source/Python/AmlToHex/AmlToHex.py
b/BaseTools/Source/Python/AmlToC/AmlToC.py
similarity index 100%
rename from BaseTools/Source/Python/AmlToHex/AmlToHex.py
rename to BaseTools/Source/Python/AmlToC/AmlToC.py
--
'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'
[edk2-devel] [PATCH v5 0/5] Compile AML bytecode array into OBJ file
Following the BZ at https://bugzilla.tianocore.org/show_bug.cgi?id=2425
This patch serie is a another way to solve the dependency
of C files over ASL files. With this new method, the
dependency is resolved at the linking stage.
The last method to solve this dependency was to add
the possibility to modify INF files to depict such a
dependency. This method was not accepted. The discussion
is available at https://edk2.groups.io/g/devel/topic/72655342#56658
The last patch modifying the INF specification and INF
parsing are available at:
https://edk2.groups.io/g/devel/topic/72655342#56658
https://edk2.groups.io/g/devel/topic/72656060#56662
Pierre Gondois (5):
BaseTools: PatchCheck: Exclude bash scripts from CRLF check
BaseTools: Generate multiple rules when multiple output files
BaseTools: Rename AmlToHex script to AmlToC
BaseTools: Compile AML bytecode arrays into .obj file
BaseTools: Fix string concatenation
BaseTools/BinWrappers/PosixLike/{AmlToHex => AmlToC} | 28 +++
BaseTools/BinWrappers/WindowsLike/{AmlToHex.bat => AmlToC.bat} | 0
BaseTools/Conf/build_rule.template | 15 +++-
BaseTools/Scripts/PatchCheck.py| 8 +-
BaseTools/Source/Python/{AmlToHex/AmlToHex.py => AmlToC/AmlToC.py} | 82
BaseTools/Source/Python/AutoGen/BuildEngine.py | 2 +-
BaseTools/Source/Python/AutoGen/GenMake.py | 6 ++
BaseTools/Source/Python/AutoGen/ModuleAutoGen.py | 38
+
8 files changed, 96 insertions(+), 83 deletions(-)
rename BaseTools/BinWrappers/PosixLike/{AmlToHex => AmlToC} (97%)
rename BaseTools/BinWrappers/WindowsLike/{AmlToHex.bat => AmlToC.bat} (100%)
rename BaseTools/Source/Python/{AmlToHex/AmlToHex.py => AmlToC/AmlToC.py} (52%)
--
'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'
[edk2-devel] [PATCH v5 4/5] BaseTools: Compile AML bytecode arrays into .obj file
From: Pierre Gondois
The AmlToHex script and Posix/WindowsLike wrappers convert
an AML file to a .hex file, containing a C array storing
AML bytecode. This ".hex" file can then be included in a
C file, allowing to access the AML bytecode from this C
file.
The EDK2 build system doesn't allow to a depict dependency
orders between files of different languages. For instance,
in a module containing a ".c" file and a ".asl", the ".c"
file may or may not be built prior to the ".asl" file.
This prevents any inclusion of a generated ".hex" in a
".c" file since this later ".hex" file may or may not
have been created yet.
This patch modifies the AmlToC script to generate a C file
instead of a ".hex" file.
It also adds the generation of an intermediate ".amli" file
when compiling an ASL file, and adds a rule to convert this
".amli" to a C file.
This allows to generate a C file containing the AML bytecode
from an ASL file. This C file will then be handled by the EDK2
build system to generate an object file.
Thus, no file inclusion will be required anymore. The C file
requiring the AML bytecode as a C array, and the ASL file,
will be compiled independently. The C array must be defined
as an external symbol. The linker is resolving the
reference to the C array symbol.
To summarize, the flow goes as:
-1. ASL file is compiled to AML;
-2. AML file is copied to a ".amli" intermediate file;
-3. EDK2 build system applies the rule relevant to ".amli"
files. This is, calling the "AmlToC" script, generating
a C file from the ".amli" file;
-4. EDK2 build system applies the rule relevant to C files.
This is creating an object file.
-5. EDK2 build system links the object file containing the
AML bytecode with the object file requiring it.
Signed-off-by: Pierre Gondois
Suggested-by: Tomas Pilar
---
The changes can be seen at:
https://github.com/PierreARM/edk2/commits/803_Compile_AML_bytecode_array_into_OBJ_file_v5
Notes:
v1:
- Add a new rule to the build_rule.template file to
generate ".obj" files from .asl files, and modify
the AmlToC script accordingly. [Pierre]
v2:
- Restrict the rule to DXE_DRIVER. This allows to build
the OvmfPkg, which was not the case in v1. [Pierre]
v3:
- Changed "Signed-off-by" to "Suggested-by". [Bob]
v4:
- No modification. Re-sending the patch with base64
encoding to conserve the right line endings. [Bob]
v5:
- No modification. [Pierre]
BaseTools/Conf/build_rule.template | 15 +++-
BaseTools/Source/Python/AmlToC/AmlToC.py | 82
2 files changed, 47 insertions(+), 50 deletions(-)
diff --git a/BaseTools/Conf/build_rule.template
b/BaseTools/Conf/build_rule.template
index
0822b681fcd9f61c6508e6f93ffc31fa70fd7059..c034869915914936e28f64a6aadba08e0169da44
100755
--- a/BaseTools/Conf/build_rule.template
+++ b/BaseTools/Conf/build_rule.template
@@ -419,6 +419,7 @@
$(OUTPUT_DIR)(+)${s_dir}(+)${s_base}.aml
+$(OUTPUT_DIR)(+)${s_dir}(+)${s_base}.amli
$(MAKE_FILE)
@@ -428,14 +429,24 @@
"$(ASLPP)" $(DEPS_FLAGS) $(ASLPP_FLAGS) $(INC) /I${s_path}
$(OUTPUT_DIR)(+)${s_dir}(+)${s_base}.i >
$(OUTPUT_DIR)(+)${s_dir}(+)${s_base}.iii
Trim --source-code -l -o $(OUTPUT_DIR)(+)${s_dir}(+)${s_base}.
$(OUTPUT_DIR)(+)${s_dir}(+)${s_base}.iii
"$(ASL)" $(ASL_FLAGS) $(ASL_OUTFLAGS)${dst}
$(OUTPUT_DIR)(+)${s_dir}(+)${s_base}.
--AmlToHex $(OUTPUT_DIR)(+)${s_dir}(+)${s_base}.aml
+$(CP) $(OUTPUT_DIR)(+)${s_dir}(+)${s_base}.aml
$(OUTPUT_DIR)(+)${s_dir}(+)${s_base}.amli
Trim --asl-file --asl-deps -o $(OUTPUT_DIR)(+)${s_dir}(+)${s_base}.i
-i $(INC_LIST) ${src}
"$(ASLPP)" $(DEPS_FLAGS) $(ASLPP_FLAGS) $(INC) -I${s_path}
$(OUTPUT_DIR)(+)${s_dir}(+)${s_base}.i >
$(OUTPUT_DIR)(+)${s_dir}(+)${s_base}.iii
Trim --source-code -l -o $(OUTPUT_DIR)(+)${s_dir}(+)${s_base}.
$(OUTPUT_DIR)(+)${s_dir}(+)${s_base}.iii
"$(ASL)" $(ASL_FLAGS) $(ASL_OUTFLAGS)${dst}
$(OUTPUT_DIR)(+)${s_dir}(+)${s_base}.
--AmlToHex $(OUTPUT_DIR)(+)${s_dir}(+)${s_base}.aml
+$(CP) $(OUTPUT_DIR)(+)${s_dir}(+)${s_base}.aml
$(OUTPUT_DIR)(+)${s_dir}(+)${s_base}.amli
+
+[Acpi-Machine-Language-File-to-C.DXE_DRIVER]
+
+?.amli
+
+
+${s_path}(+)${s_base}.c
+
+
+-AmlToC ${src}
[C-Code-File.AcpiTable]
diff --git a/BaseTools/Source/Python/AmlToC/AmlToC.py
b/BaseTools/Source/Python/AmlToC/AmlToC.py
index
643db2910e37acfdd80ac18d288c921320a79ce1..346de7159de702d860bbd809ddbe8175f1493cfb
100644
--- a/BaseTools/Source/Python/AmlToC/AmlToC.py
+++ b/BaseTools/Source/Python/AmlToC/AmlToC.py
@@ -1,9 +1,9 @@
## @file
#
-# Convert an AML file to a .hex file containing the AML bytecode stored in a
+# Convert an AML file to a .c file containing the AML bytecode stored in a
# C array.
-# By default, "Tables\Dsdt.aml" will generate "Tables\Dsdt.hex".
-#
Re: [edk2-devel] [PATCH] FmpDevicePkg: Enhance capsule verification with secure boot keys
>> But if your customer indeed want it, you can add it to your customization >> code. Thanks. Yes, this is a behavior customer expects. This change just tries to provide a handy way to enroll initial keys. So the initial keys could be carried in the capsule itself. It also has "PcdFmpDeviceAllowSecureBootKeys" disabled by default, so it behaves the same as before. We'll try to use customization code instead as suggested. Thanks, Liming > -Original Message- > From: Jiang, Guomin > Sent: Tuesday, June 30, 2020 8:56 PM > To: Liming Sun ; devel@edk2.groups.io; Xu, Wei6 > ; Gao, Liming ; > Kinney, Michael D > Cc: Sean Brogan > Subject: RE: [edk2-devel] [PATCH] FmpDevicePkg: Enhance capsule verification > with secure boot keys > > I want to ask your one question: are you sure that every mother board which > deliver to customer will enable the secure boot mode? > > I just emphasize that I want to make sure that the device firmware come from > the device vendor. > > Thanks for your effort, the patch is good, I just think it is not suitable > for common solution. > > But if your customer indeed want it, you can add it to your customization > code. > > Thanks > Guomin > > > -Original Message- > > From: Liming Sun > > Sent: Tuesday, June 30, 2020 8:47 PM > > To: devel@edk2.groups.io; Jiang, Guomin ; Xu, > > Wei6 ; Gao, Liming ; Kinney, > > Michael D > > Cc: Sean Brogan > > Subject: RE: [edk2-devel] [PATCH] FmpDevicePkg: Enhance capsule > > verification with secure boot keys > > > > Thanks Guomin. > > > > I still have one question. Let's assume we're the device vendor and we let > > customer to enroll their keys. Once the keys are enrolled, the device will > > be > > in secure boot mode. Are you saying that the end user could "have the > > ability > > to enroll their DB without too many effort" even after the secure boot has > > been enabled already? > > > > Please correct me if I misunderstood it. > > > > - Liming > > > > > -Original Message- > > > From: devel@edk2.groups.io On Behalf Of > > Guomin > > > Jiang via groups.io > > > Sent: Tuesday, June 30, 2020 3:33 AM > > > To: devel@edk2.groups.io; Liming Sun ; Xu, Wei6 > > > ; Gao, Liming ; Kinney, > > > Michael D > > > Cc: Sean Brogan > > > Subject: Re: [edk2-devel] [PATCH] FmpDevicePkg: Enhance capsule > > > verification with secure boot keys > > > > > > Liming, > > > > > > The end user have the ability to enroll their DB without too many effort. > > > > > > And I think some end user also have the ability to get insecure firmware > > which not from the device vendor. > > > > > > I suggest that tell the device vendor that it is critical that set the > > PcdFmpDevicePkcs7CertBufferXdr rather than decrease the security. > > > > > > Best Regards > > > Guomin > > > > > > > -Original Message- > > > > From: devel@edk2.groups.io On Behalf Of > > > > Liming Sun > > > > Sent: Tuesday, June 30, 2020 11:33 AM > > > > To: Jiang, Guomin ; devel@edk2.groups.io; > > > > Xu, > > > > Wei6 ; Gao, Liming ; > > > > Kinney, Michael D > > > > Cc: Sean Brogan > > > > Subject: Re: [edk2-devel] [PATCH] FmpDevicePkg: Enhance capsule > > > > verification with secure boot keys > > > > > > > > Thanks Guomin for the comments! > > > > > > > > Below is the main scenario for the proposed change: > > > > > > > > - Device Manufacturer provides the devices with UEFI preinstalled in > > > > non- secure state and no hard-coded keys ( > > PcdFmpDevicePkcs7CertBufferXdr). > > > > > > > > - Customer (not End-User) enrolls their own keys in trusted > > > > environment before delivering to End User. > > > > This capsule approach can be used for large deployment without > > > > involving any private keys. > > > > > > > > Yes, I do agree that once it's delivered to End User it won't be > > > > considered secure. > > > > > > > > Thanks, > > > > Liming > > > > > > > > > -Original Message- > > > > > From: Jiang, Guomin > > > > > Sent: Sunday, June 28, 2020 11:18 PM > > > > > To: devel@edk2.groups.io; Liming Sun ; Xu, Wei6 > > > > > ; Gao, Liming ; Kinney, > > > > > Michael D > > > > > Cc: Sean Brogan > > > > > Subject: RE: [edk2-devel] [PATCH] FmpDevicePkg: Enhance capsule > > > > > verification with secure boot keys > > > > > > > > > > I think it have some vulnerability, the case as below. > > > > > > > > > > 1. Untrusted End User enroll the new DB key -> sign the untrusted > > > > > device firmware -> flash the untrusted device firmware -> the > > > > > system will > > > > become unsafe. > > > > > > > > > > I think the end user is untrusted and we need to make sure only > > > > > few person > > > > can have the privilege. > > > > > > > > > > Best Regards > > > > > Guomin > > > > > > > > > > > -Original Message- > > > > > > From: devel@edk2.groups.io On Behalf Of > > > > > > Liming Sun > > > > > > Sent: Saturday, June 20, 2020 1:48 AM > > > > > > To: Xu, Wei6 ; Gao, Liming > > > > > > ; Kinney, Michael D > > > > > > > > > > >
Re: [edk2-devel] [PATCH] FmpDevicePkg: Enhance capsule verification with secure boot keys
Liming Sun, Can you explain why you cannot use PcdFmpDevicePkcs7CertBufferXdr for your use case? I want to understand the use case to see if that feature can be applied or if a minor enhancement to this feature can work. Using the UEFI Secure Boot DB for anything other than authentication of UEFI boot loaders is not recommended. Thanks, Mike > -Original Message- > From: devel@edk2.groups.io On > Behalf Of Liming Sun > Sent: Wednesday, July 1, 2020 9:27 AM > To: Jiang, Guomin ; > devel@edk2.groups.io; Xu, Wei6 ; Gao, > Liming ; Kinney, Michael D > > Cc: Sean Brogan > Subject: Re: [edk2-devel] [PATCH] FmpDevicePkg: Enhance > capsule verification with secure boot keys > > >> But if your customer indeed want it, you can add it > to your customization code. > Thanks. Yes, this is a behavior customer expects. This > change just tries to provide a handy way to enroll > initial keys. > So the initial keys could be carried in the capsule > itself. > It also has "PcdFmpDeviceAllowSecureBootKeys" disabled > by default, so it behaves the same as before. > > We'll try to use customization code instead as > suggested. > > Thanks, > Liming > > > -Original Message- > > From: Jiang, Guomin > > Sent: Tuesday, June 30, 2020 8:56 PM > > To: Liming Sun ; > devel@edk2.groups.io; Xu, Wei6 ; Gao, > Liming ; > > Kinney, Michael D > > Cc: Sean Brogan > > Subject: RE: [edk2-devel] [PATCH] FmpDevicePkg: > Enhance capsule verification with secure boot keys > > > > I want to ask your one question: are you sure that > every mother board which deliver to customer will enable > the secure boot mode? > > > > I just emphasize that I want to make sure that the > device firmware come from the device vendor. > > > > Thanks for your effort, the patch is good, I just > think it is not suitable for common solution. > > > > But if your customer indeed want it, you can add it to > your customization code. > > > > Thanks > > Guomin > > > > > -Original Message- > > > From: Liming Sun > > > Sent: Tuesday, June 30, 2020 8:47 PM > > > To: devel@edk2.groups.io; Jiang, Guomin > ; Xu, > > > Wei6 ; Gao, Liming > ; Kinney, > > > Michael D > > > Cc: Sean Brogan > > > Subject: RE: [edk2-devel] [PATCH] FmpDevicePkg: > Enhance capsule > > > verification with secure boot keys > > > > > > Thanks Guomin. > > > > > > I still have one question. Let's assume we're the > device vendor and we let > > > customer to enroll their keys. Once the keys are > enrolled, the device will be > > > in secure boot mode. Are you saying that the end > user could "have the ability > > > to enroll their DB without too many effort" even > after the secure boot has > > > been enabled already? > > > > > > Please correct me if I misunderstood it. > > > > > > - Liming > > > > > > > -Original Message- > > > > From: devel@edk2.groups.io > On Behalf Of > > > Guomin > > > > Jiang via groups.io > > > > Sent: Tuesday, June 30, 2020 3:33 AM > > > > To: devel@edk2.groups.io; Liming Sun > ; Xu, Wei6 > > > > ; Gao, Liming > ; Kinney, > > > > Michael D > > > > Cc: Sean Brogan > > > > Subject: Re: [edk2-devel] [PATCH] FmpDevicePkg: > Enhance capsule > > > > verification with secure boot keys > > > > > > > > Liming, > > > > > > > > The end user have the ability to enroll their DB > without too many effort. > > > > > > > > And I think some end user also have the ability to > get insecure firmware > > > which not from the device vendor. > > > > > > > > I suggest that tell the device vendor that it is > critical that set the > > > PcdFmpDevicePkcs7CertBufferXdr rather than decrease > the security. > > > > > > > > Best Regards > > > > Guomin > > > > > > > > > -Original Message- > > > > > From: devel@edk2.groups.io > On Behalf Of > > > > > Liming Sun > > > > > Sent: Tuesday, June 30, 2020 11:33 AM > > > > > To: Jiang, Guomin ; > devel@edk2.groups.io; > > > > > Xu, > > > > > Wei6 ; Gao, Liming > ; > > > > > Kinney, Michael D > > > > > Cc: Sean Brogan > > > > > Subject: Re: [edk2-devel] [PATCH] FmpDevicePkg: > Enhance capsule > > > > > verification with secure boot keys > > > > > > > > > > Thanks Guomin for the comments! > > > > > > > > > > Below is the main scenario for the proposed > change: > > > > > > > > > > - Device Manufacturer provides the devices with > UEFI preinstalled in > > > > > non- secure state and no hard-coded keys ( > > > PcdFmpDevicePkcs7CertBufferXdr). > > > > > > > > > > - Customer (not End-User) enrolls their own keys > in trusted > > > > > environment before delivering to End User. > > > > > This capsule approach can be used for large > deployment without > > > > > involving any private keys. > > > > > > > > > > Yes, I do agree that once it's delivered to End > User it won't be > > > > > considered secure. > > > > > > > > > > Thanks, > > > > > Liming > > > > > > > > > > > -Original Message- > > > > > > From: Jiang, Guomin > > > > > > Sent: Sunday, June 28, 2020 11:18 PM > > > > > > To: devel@edk2.groups.io;
[edk2-devel] [edk2-platforms][PATCH v1 1/1] IntelSiliconPkg.dsc: Add DxeAslUpdateLib to Components
From: Michael Kubacki REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2824 Adds DxeAslUpdateLib to the [Components] section so it is included in the package build. Cc: Rangasai V Chaganty Cc: Ray Ni Signed-off-by: Michael Kubacki --- Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dsc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dsc b/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dsc index f9958836917a..029b9156f6dd 100644 --- a/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dsc +++ b/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dsc @@ -2,6 +2,7 @@ # This package provides common open source Intel silicon modules. # # Copyright (c) 2017 - 2020, Intel Corporation. All rights reserved. +# Copyright (c) Microsoft Corporation. # #SPDX-License-Identifier: BSD-2-Clause-Patent # @@ -87,6 +88,7 @@ [Components] IntelSiliconPkg/Feature/ShadowMicrocode/ShadowMicrocodePei.inf IntelSiliconPkg/Library/PeiDxeSmmBootMediaLib/PeiFirmwareBootMediaLib.inf IntelSiliconPkg/Library/PeiDxeSmmBootMediaLib/DxeSmmFirmwareBootMediaLib.inf + IntelSiliconPkg/Library/DxeAslUpdateLib/DxeAslUpdateLib.inf [BuildOptions] *_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES -- 2.25.1.vfs.1.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#61920): https://edk2.groups.io/g/devel/message/61920 Mute This Topic: https://groups.io/mt/75241446/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH V3] MdePkg: Add Serial Terminal Device Type Guid
Add definition of EFI_SERIAL_TERMINAL_DEVICE_TYPE_GUID.
It was miseed in "Extend SERIAL_IO with DeviceTypeGuid" patch.
(UEFI 2.8, mantis 1832)
Signed-off-by: Oleksiy Yakovlev
---
MdePkg/Include/Protocol/SerialIo.h | 6 ++
MdePkg/MdePkg.dec | 3 +++
2 files changed, 9 insertions(+)
diff --git a/MdePkg/Include/Protocol/SerialIo.h
b/MdePkg/Include/Protocol/SerialIo.h
index e2e0c61..16a865b 100644
--- a/MdePkg/Include/Protocol/SerialIo.h
+++ b/MdePkg/Include/Protocol/SerialIo.h
@@ -17,6 +17,11 @@
0xBB25CF6F, 0xF1D4, 0x11D2, {0x9A, 0x0C, 0x00, 0x90, 0x27, 0x3F, 0xC1,
0xFD } \
}
+#define EFI_SERIAL_TERMINAL_DEVICE_TYPE_GUID \
+ { \
+0X6AD9A60F, 0X5815, 0X4C7C, { 0X8A, 0X10, 0X50, 0X53, 0XD2, 0XBF, 0X7A,
0X1B } \
+ }
+
///
/// Protocol GUID defined in EFI1.1.
///
@@ -299,5 +304,6 @@ struct _EFI_SERIAL_IO_PROTOCOL {
};
extern EFI_GUID gEfiSerialIoProtocolGuid;
+extern EFI_GUID gEfiSerialTerminalDeviceTypeGuid;
#endif
diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
index d03fc5b..682e61c 100644
--- a/MdePkg/MdePkg.dec
+++ b/MdePkg/MdePkg.dec
@@ -670,6 +670,9 @@
## Include/Guid/RtPropertiesTable.h
gEfiRtPropertiesTableGuid = { 0xeb66918a, 0x7eef, 0x402a, { 0x84, 0x2e,
0x93, 0x1d, 0x21, 0xc3, 0x8a, 0xe9 }}
+ ## Include/Protocol/SerilaIo.h
+ gEfiSerialTerminalDeviceTypeGuid = { 0x6AD9A60F, 0x5815, 0x4C7C, { 0x8A,
0x10, 0x50, 0x53, 0xD2, 0xBF, 0x7A, 0x1B }}
+
#
# GUID defined in PI1.0
#
--
2.9.0.windows.1
Please consider the environment before printing this email.
The information contained in this message may be confidential and proprietary
to American Megatrends (AMI). This communication is intended to be read only
by the individual or entity to whom it is addressed or by their designee. If
the reader of this message is not the intended recipient, you are on notice
that any distribution of this message, in any form, is strictly prohibited.
Please promptly notify the sender by reply e-mail or by telephone at
770-246-8600, and then delete or destroy all copies of the transmission.
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#61922): https://edk2.groups.io/g/devel/message/61922
Mute This Topic: https://groups.io/mt/75243813/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [RFC 2/5] EmbeddedPkg/PrePiLib: drop else if after return
Simplify FfsProcessSection logic by breaking the continuation of the
main loop as a new if statement that executes if the very first test
doesn't end up returning.
Signed-off-by: Leif Lindholm
---
EmbeddedPkg/Library/PrePiLib/FwVol.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/EmbeddedPkg/Library/PrePiLib/FwVol.c
b/EmbeddedPkg/Library/PrePiLib/FwVol.c
index 90b5b002..fc40d8650be1 100644
--- a/EmbeddedPkg/Library/PrePiLib/FwVol.c
+++ b/EmbeddedPkg/Library/PrePiLib/FwVol.c
@@ -317,8 +317,9 @@ FfsProcessSection (
}
return EFI_SUCCESS;
-} else if ((Section->Type == EFI_SECTION_COMPRESSION) || (Section->Type ==
EFI_SECTION_GUID_DEFINED)) {
+}
+if ((Section->Type == EFI_SECTION_COMPRESSION) || (Section->Type ==
EFI_SECTION_GUID_DEFINED)) {
if (Section->Type == EFI_SECTION_COMPRESSION) {
if (IS_SECTION2 (Section)) {
CompressionSection2 = (EFI_COMPRESSION_SECTION2 *) Section;
--
2.20.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#61925): https://edk2.groups.io/g/devel/message/61925
Mute This Topic: https://groups.io/mt/75244269/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [RFC 3/5] EmbeddedPkg/PrePiLib: refactor IS_SECTION2() handling
There are a bunch of IS_SECTION2() conditional statements in
FfsProcessSection, really breaking up the readability.
Add a set of static helper functions instead.
Signed-off-by: Leif Lindholm
---
EmbeddedPkg/Library/PrePiLib/FwVol.c | 101 ---
1 file changed, 61 insertions(+), 40 deletions(-)
diff --git a/EmbeddedPkg/Library/PrePiLib/FwVol.c
b/EmbeddedPkg/Library/PrePiLib/FwVol.c
index fc40d8650be1..a0672c084471 100644
--- a/EmbeddedPkg/Library/PrePiLib/FwVol.c
+++ b/EmbeddedPkg/Library/PrePiLib/FwVol.c
@@ -266,6 +266,57 @@ FindFileEx (
return EFI_NOT_FOUND;
}
+STATIC
+UINTN
+FfsSectionHeaderSize (
+ IN EFI_COMMON_SECTION_HEADER*Section
+ )
+{
+ if (IS_SECTION2 (Section)) {
+return sizeof (EFI_COMMON_SECTION_HEADER2);
+ }
+
+ return sizeof (EFI_COMMON_SECTION_HEADER);
+}
+
+STATIC
+UINTN
+FfsSectionLength (
+ IN EFI_COMMON_SECTION_HEADER*Section
+ )
+{
+ if (IS_SECTION2 (Section)) {
+return SECTION2_SIZE (Section);
+ }
+
+ return SECTION_SIZE (Section);
+}
+
+STATIC
+UINTN
+FfsSectionCompressionType (
+ IN EFI_COMMON_SECTION_HEADER *Section
+ )
+{
+ if (IS_SECTION2 (Section)) {
+return ((EFI_COMPRESSION_SECTION2 *)Section)->CompressionType;
+ }
+
+ return ((EFI_COMPRESSION_SECTION *)Section)->CompressionType;
+}
+
+STATIC
+UINTN
+FfsCompressionSectionHeaderSize (
+ IN EFI_COMMON_SECTION_HEADER *Section
+ )
+{
+ if (IS_SECTION2 (Section)) {
+return sizeof (EFI_COMPRESSION_SECTION2);
+ }
+
+ return sizeof (EFI_COMPRESSION_SECTION);
+}
/**
Go through the file to search SectionType section,
@@ -289,8 +340,6 @@ FfsProcessSection (
EFI_STATUS Status;
UINT32 SectionLength;
UINT32 ParsedLength;
- EFI_COMPRESSION_SECTION *CompressionSection;
- EFI_COMPRESSION_SECTION2*CompressionSection2;
UINT32 DstBufferSize;
VOID*ScratchBuffer;
UINT32 ScratchBufferSize;
@@ -310,39 +359,22 @@ FfsProcessSection (
}
if (Section->Type == SectionType) {
- if (IS_SECTION2 (Section)) {
-*OutputBuffer = (VOID *)((UINT8 *) Section + sizeof
(EFI_COMMON_SECTION_HEADER2));
- } else {
-*OutputBuffer = (VOID *)((UINT8 *) Section + sizeof
(EFI_COMMON_SECTION_HEADER));
- }
+ *OutputBuffer = (VOID *)((UINT8 *)Section + FfsSectionHeaderSize
(Section));
return EFI_SUCCESS;
}
if ((Section->Type == EFI_SECTION_COMPRESSION) || (Section->Type ==
EFI_SECTION_GUID_DEFINED)) {
if (Section->Type == EFI_SECTION_COMPRESSION) {
-if (IS_SECTION2 (Section)) {
- CompressionSection2 = (EFI_COMPRESSION_SECTION2 *) Section;
- SectionLength = SECTION2_SIZE (Section);
+SectionLength = FfsSectionLength (Section);
- if (CompressionSection2->CompressionType !=
EFI_STANDARD_COMPRESSION) {
-return EFI_UNSUPPORTED;
- }
-
- CompressedData = (CHAR8 *) ((EFI_COMPRESSION_SECTION2 *) Section +
1);
- CompressedDataLength = (UINT32) SectionLength - sizeof
(EFI_COMPRESSION_SECTION2);
-} else {
- CompressionSection = (EFI_COMPRESSION_SECTION *) Section;
- SectionLength = SECTION_SIZE (Section);
-
- if (CompressionSection->CompressionType != EFI_STANDARD_COMPRESSION)
{
-return EFI_UNSUPPORTED;
- }
-
- CompressedData = (CHAR8 *) ((EFI_COMPRESSION_SECTION *) Section + 1);
- CompressedDataLength = (UINT32) SectionLength - sizeof
(EFI_COMPRESSION_SECTION);
+if (FfsSectionCompressionType (Section) != EFI_STANDARD_COMPRESSION) {
+ return EFI_UNSUPPORTED;
}
+CompressedData = (VOID *)((UINTN)Section +
FfsCompressionSectionHeaderSize (Section));
+CompressedDataLength = SectionLength - FfsCompressionSectionHeaderSize
(Section);
+
Status = UefiDecompressGetInfo (
CompressedData,
CompressedDataLength,
@@ -383,19 +415,12 @@ FfsProcessSection (
// DstBuffer still is one section. Adjust DstBuffer offset, skip EFI
section header
// to make section data at page alignment.
//
- if (IS_SECTION2 (Section))
-DstBuffer = (UINT8 *)DstBuffer + EFI_PAGE_SIZE - sizeof
(EFI_COMMON_SECTION_HEADER2);
- else
-DstBuffer = (UINT8 *)DstBuffer + EFI_PAGE_SIZE - sizeof
(EFI_COMMON_SECTION_HEADER);
+ DstBuffer = (UINT8 *)DstBuffer + EFI_PAGE_SIZE - FfsSectionHeaderSize
(Section);
//
// Call decompress function
//
if (Section->Type == EFI_SECTION_COMPRESSION) {
-if (IS_SECTION2 (Section)) {
- CompressedData = (CHAR8 *) ((EFI_COMPRESSION_SECTION2 *) Section +
1);
-} else {
-
[edk2-devel] [RFC 0/5] EmbeddedPkg/PrePiLib: rework FfsProcessSection
https://bugzilla.tianocore.org/show_bug.cgi?id=2820 describes a build failure caused by misanalysis by the compiler, but the problematic code was pretty grotty, so here's an attempt at cleaning it up. This set can also be accessed at: https://github.com/leiflindholm/edk2/tree/embedded-fwvol-cleanup Note: this code is only build tested. Leif Lindholm (5): EmbeddedPkg/PrePiLib: style cleanup in FwVol.c EmbeddedPkg/PrePiLib: drop else if after return EmbeddedPkg/PrePiLib: refactor IS_SECTION2() handling EmbeddedPkg/PrePiLib: drop spurious re-init of CompressedData EmbeddedPkg/PrePiLib: break section extraction info into helper function EmbeddedPkg/Library/PrePiLib/FwVol.c | 214 --- 1 file changed, 125 insertions(+), 89 deletions(-) -- 2.20.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#61923): https://edk2.groups.io/g/devel/message/61923 Mute This Topic: https://groups.io/mt/75244267/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [RFC 5/5] EmbeddedPkg/PrePiLib: break section extraction info into helper function
Create a new helper function FfsGetExtractionInfo, which handles figuring
out the buffer sizes needed for extracting UefiCompressed or
GuidedSection sections, and also hides away some of the differences
between the two, getting rid of a bunch of local variables.
Signed-off-by: Leif Lindholm
---
EmbeddedPkg/Library/PrePiLib/FwVol.c | 90 +---
1 file changed, 55 insertions(+), 35 deletions(-)
diff --git a/EmbeddedPkg/Library/PrePiLib/FwVol.c
b/EmbeddedPkg/Library/PrePiLib/FwVol.c
index 083bc27efead..d0f91efa77a1 100644
--- a/EmbeddedPkg/Library/PrePiLib/FwVol.c
+++ b/EmbeddedPkg/Library/PrePiLib/FwVol.c
@@ -318,6 +318,50 @@ FfsCompressionSectionHeaderSize (
return sizeof (EFI_COMPRESSION_SECTION);
}
+STATIC
+EFI_STATUS
+FfsGetExtractionInfo (
+ IN EFI_COMMON_SECTION_HEADER *Section,
+ OUT UINT32 *SectionLength,
+ IN OUT VOID**SrcBuffer,
+ OUT UINT32 *DstBufferSize,
+ OUT UINT32 *ScratchBufferSize
+ )
+{
+ EFI_STATUS Status;
+
+ if (Section->Type == EFI_SECTION_COMPRESSION) {
+*SectionLength = FfsSectionLength (Section);
+
+if (FfsSectionCompressionType (Section) != EFI_STANDARD_COMPRESSION) {
+ return EFI_UNSUPPORTED;
+}
+
+*SrcBuffer = (VOID *)((UINTN)Section + FfsCompressionSectionHeaderSize
(Section));
+Status = UefiDecompressGetInfo (
+ *SrcBuffer,
+ *SectionLength - FfsCompressionSectionHeaderSize (Section),
+ DstBufferSize,
+ ScratchBufferSize
+ );
+ } else if (Section->Type == EFI_SECTION_GUID_DEFINED) {
+UINT16 Ignored;
+
+*SrcBuffer = Section;
+
+Status = ExtractGuidedSectionGetInfo (
+ *SrcBuffer,
+ DstBufferSize,
+ ScratchBufferSize,
+ // SectionAttribute not used by this library
+ );
+ } else {
+Status = EFI_UNSUPPORTED;
+ }
+
+ return Status;
+}
+
/**
Go through the file to search SectionType section,
when meeting an encapsuled section.
@@ -344,15 +388,11 @@ FfsProcessSection (
VOID*ScratchBuffer;
UINT32 ScratchBufferSize;
VOID*DstBuffer;
- UINT16 SectionAttribute;
- UINT32 AuthenticationStatus;
- CHAR8 *CompressedData;
- UINTN CompressedDataLength;
-
+ VOID*SrcBuffer;
*OutputBuffer = NULL;
ParsedLength = 0;
- Status= EFI_NOT_FOUND;
+
while (ParsedLength < SectionSize) {
if (IS_SECTION2 (Section)) {
ASSERT (SECTION2_SIZE (Section) > 0x00FF);
@@ -364,32 +404,11 @@ FfsProcessSection (
return EFI_SUCCESS;
}
+SectionLength = FfsSectionLength (Section);
+
if ((Section->Type == EFI_SECTION_COMPRESSION) || (Section->Type ==
EFI_SECTION_GUID_DEFINED)) {
- if (Section->Type == EFI_SECTION_COMPRESSION) {
-SectionLength = FfsSectionLength (Section);
-
-if (FfsSectionCompressionType (Section) != EFI_STANDARD_COMPRESSION) {
- return EFI_UNSUPPORTED;
-}
-
-CompressedData = (VOID *)((UINTN)Section +
FfsCompressionSectionHeaderSize (Section));
-CompressedDataLength = SectionLength - FfsCompressionSectionHeaderSize
(Section);
-
-Status = UefiDecompressGetInfo (
- CompressedData,
- CompressedDataLength,
- ,
-
- );
- } else if (Section->Type == EFI_SECTION_GUID_DEFINED) {
-Status = ExtractGuidedSectionGetInfo (
- Section,
- ,
- ,
-
- );
- }
-
+ Status = FfsGetExtractionInfo (Section, , ,
+ , );
if (EFI_ERROR (Status)) {
//
// GetInfo failed
@@ -421,16 +440,18 @@ FfsProcessSection (
//
if (Section->Type == EFI_SECTION_COMPRESSION) {
Status = UefiDecompress (
- CompressedData,
+ SrcBuffer,
DstBuffer,
ScratchBuffer
);
} else if (Section->Type == EFI_SECTION_GUID_DEFINED) {
+UINT32 Ignored;
+
Status = ExtractGuidedSectionDecode (
- Section,
+ SrcBuffer,
,
ScratchBuffer,
-
+ // AuthenticationStatus not used by this library
);
}
@@ -450,7 +471,6 @@ FfsProcessSection (
}
}
-SectionLength = FfsSectionLength (Section);
//
// SectionLength is
[edk2-devel] [RFC 4/5] EmbeddedPkg/PrePiLib: drop spurious re-init of CompressedData
After the refactoring, it is very clear that CompressedData is
initialized twice, using exactly the same values. Drop the
second one.
Signed-off-by: Leif Lindholm
---
EmbeddedPkg/Library/PrePiLib/FwVol.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/EmbeddedPkg/Library/PrePiLib/FwVol.c
b/EmbeddedPkg/Library/PrePiLib/FwVol.c
index a0672c084471..083bc27efead 100644
--- a/EmbeddedPkg/Library/PrePiLib/FwVol.c
+++ b/EmbeddedPkg/Library/PrePiLib/FwVol.c
@@ -420,8 +420,6 @@ FfsProcessSection (
// Call decompress function
//
if (Section->Type == EFI_SECTION_COMPRESSION) {
-CompressedData = (VOID *)((UINTN)Section +
FfsCompressionSectionHeaderSize (Section));
-
Status = UefiDecompress (
CompressedData,
DstBuffer,
--
2.20.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#61927): https://edk2.groups.io/g/devel/message/61927
Mute This Topic: https://groups.io/mt/75244272/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [RFC 1/5] EmbeddedPkg/PrePiLib: style cleanup in FwVol.c
Move some curly brackets, change a couple of EFI_D_ to DEBUG_, and fix
some intentation.
Signed-off-by: Leif Lindholm
---
EmbeddedPkg/Library/PrePiLib/FwVol.c | 44 +---
1 file changed, 20 insertions(+), 24 deletions(-)
diff --git a/EmbeddedPkg/Library/PrePiLib/FwVol.c
b/EmbeddedPkg/Library/PrePiLib/FwVol.c
index 881506edddaf..90b5b002 100644
--- a/EmbeddedPkg/Library/PrePiLib/FwVol.c
+++ b/EmbeddedPkg/Library/PrePiLib/FwVol.c
@@ -361,7 +361,7 @@ FfsProcessSection (
//
// GetInfo failed
//
-DEBUG ((EFI_D_ERROR, "Decompress GetInfo Failed - %r\n", Status));
+DEBUG ((DEBUG_ERROR, "Decompress GetInfo Failed - %r\n", Status));
return EFI_NOT_FOUND;
}
//
@@ -392,38 +392,37 @@ FfsProcessSection (
if (Section->Type == EFI_SECTION_COMPRESSION) {
if (IS_SECTION2 (Section)) {
CompressedData = (CHAR8 *) ((EFI_COMPRESSION_SECTION2 *) Section +
1);
-}
-else {
+} else {
CompressedData = (CHAR8 *) ((EFI_COMPRESSION_SECTION *) Section + 1);
}
Status = UefiDecompress (
-CompressedData,
-DstBuffer,
-ScratchBuffer
-);
+ CompressedData,
+ DstBuffer,
+ ScratchBuffer
+ );
} else if (Section->Type == EFI_SECTION_GUID_DEFINED) {
Status = ExtractGuidedSectionDecode (
-Section,
-,
-ScratchBuffer,
-
-);
+ Section,
+ ,
+ ScratchBuffer,
+
+ );
}
if (EFI_ERROR (Status)) {
//
// Decompress failed
//
-DEBUG ((EFI_D_ERROR, "Decompress Failed - %r\n", Status));
+DEBUG ((DEBUG_ERROR, "Decompress Failed - %r\n", Status));
return EFI_NOT_FOUND;
} else {
return FfsProcessSection (
-SectionType,
-DstBuffer,
-DstBufferSize,
-OutputBuffer
-);
+ SectionType,
+ DstBuffer,
+ DstBufferSize,
+ OutputBuffer
+ );
}
}
@@ -756,17 +755,14 @@ FfsAnyFvFindFirstFile (
Instance= 0;
*FileHandle = NULL;
- while (1)
- {
+ while (1) {
Status = FfsFindNextVolume (Instance++, VolumeHandle);
-if (EFI_ERROR (Status))
-{
+if (EFI_ERROR (Status)) {
break;
}
Status = FfsFindNextFile (FileType, *VolumeHandle, FileHandle);
-if (!EFI_ERROR (Status))
-{
+if (!EFI_ERROR (Status)) {
break;
}
}
--
2.20.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#61924): https://edk2.groups.io/g/devel/message/61924
Mute This Topic: https://groups.io/mt/75244268/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v6 09/16] MdePkg/MdePkg.ci.yaml: Add configuration for Ecc check
Reviewed-by: Liming Gao
-Original Message-
From: devel@edk2.groups.io On Behalf Of Zhang, Shenglei
Sent: 2020年7月1日 9:55
To: devel@edk2.groups.io
Cc: Kinney, Michael D ; Gao, Liming
Subject: [edk2-devel] [PATCH v6 09/16] MdePkg/MdePkg.ci.yaml: Add configuration
for Ecc check
Add configuration ExceptionList and IgnoreFiles for package config files. So
users can rely on this to ignore some Ecc issues.
Cc: Michael D Kinney
Cc: Liming Gao
Signed-off-by: Shenglei Zhang
---
MdePkg/MdePkg.ci.yaml | 11 +++
1 file changed, 11 insertions(+)
diff --git a/MdePkg/MdePkg.ci.yaml b/MdePkg/MdePkg.ci.yaml index
3268f1535499..b6d7c57de83c 100644
--- a/MdePkg/MdePkg.ci.yaml
+++ b/MdePkg/MdePkg.ci.yaml
@@ -2,9 +2,20 @@
# CI configuration for MdePkg
#
# Copyright (c) Microsoft Corporation
+# Copyright (c) 2020, Intel Corporation. All rights reserved.
# SPDX-License-Identifier: BSD-2-Clause-Patent ## {
+"EccCheck": {
+## Exception sample looks like below:
+## "ExceptionList": [
+## "", ""
+## ]
+"ExceptionList": [
+],
+"IgnoreFiles": [
+]
+},
## options defined ci/Plugin/CompilerPlugin
"CompilerPlugin": {
"DscPath": "MdePkg.dsc"
--
2.18.0.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#61936): https://edk2.groups.io/g/devel/message/61936
Mute This Topic: https://groups.io/mt/75227236/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v6 15/16] UefiCpuPkg/UefiCpuPkg.ci.yaml: Add configuration for Ecc check
Reviewed-by: Eric Dong
> -Original Message-
> From: devel@edk2.groups.io On Behalf Of Zhang,
> Shenglei
> Sent: Wednesday, July 1, 2020 9:55 AM
> To: devel@edk2.groups.io
> Cc: Dong, Eric ; Ni, Ray ; Laszlo
> Ersek
> Subject: [edk2-devel] [PATCH v6 15/16] UefiCpuPkg/UefiCpuPkg.ci.yaml:
> Add configuration for Ecc check
>
> Add configuration ExceptionList and IgnoreFiles for package config files. So
> users can rely on this to ignore some Ecc issues.
>
> Cc: Eric Dong
> Cc: Ray Ni
> Cc: Laszlo Ersek
> Signed-off-by: Shenglei Zhang
> Acked-by: Ray Ni
> ---
> UefiCpuPkg/UefiCpuPkg.ci.yaml | 11 +++
> 1 file changed, 11 insertions(+)
>
> diff --git a/UefiCpuPkg/UefiCpuPkg.ci.yaml
> b/UefiCpuPkg/UefiCpuPkg.ci.yaml index 99e460a8b090..0e216344cd53
> 100644
> --- a/UefiCpuPkg/UefiCpuPkg.ci.yaml
> +++ b/UefiCpuPkg/UefiCpuPkg.ci.yaml
> @@ -2,9 +2,20 @@
> # CI configuration for UefiCpuPkg
> #
> # Copyright (c) Microsoft Corporation
> +# Copyright (c) 2020, Intel Corporation. All rights reserved.
> # SPDX-License-Identifier: BSD-2-Clause-Patent ## {
> +"EccCheck": {
> +## Exception sample looks like below:
> +## "ExceptionList": [
> +## "", ""
> +## ]
> +"ExceptionList": [
> +],
> +"IgnoreFiles": [
> +]
> +},
> "CompilerPlugin": {
> "DscPath": "UefiCpuPkg.dsc"
> },
> --
> 2.18.0.windows.1
>
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#61929): https://edk2.groups.io/g/devel/message/61929
Mute This Topic: https://groups.io/mt/75227246/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v6 01/16] pip-requirements.txt: Add Ecc required lib
Reviewed-by: Liming Gao -Original Message- From: Zhang, Shenglei Sent: 2020年7月1日 9:55 To: devel@edk2.groups.io Cc: Sean Brogan ; Bret Barkelew ; Kinney, Michael D ; Gao, Liming Subject: [PATCH v6 01/16] pip-requirements.txt: Add Ecc required lib antlr4-python3-runtime is a lib to support Ecc run with Py3.x. Cc: Sean Brogan Cc: Bret Barkelew Cc: Michael D Kinney Cc: Liming Gao Signed-off-by: Shenglei Zhang --- pip-requirements.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/pip-requirements.txt b/pip-requirements.txt index 574dac43b1a6..0fecd37f2a83 100644 --- a/pip-requirements.txt +++ b/pip-requirements.txt @@ -14,3 +14,4 @@ edk2-pytool-library==0.10.* edk2-pytool-extensions~=0.13.3 +antlr4-python3-runtime==4.7.1 -- 2.18.0.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#61935): https://edk2.groups.io/g/devel/message/61935 Mute This Topic: https://groups.io/mt/75227225/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v6 04/14] MdeModulePkg: Define the VarCheckPolicyLib and SMM interface
1 comment inline, please check.
Thanks,
Dandan
> -Original Message-
> From: devel@edk2.groups.io On Behalf Of Bret
> Barkelew
> Sent: Tuesday, June 23, 2020 2:41 PM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Wu, Hao A ;
> Gao, Liming
> Subject: [edk2-devel] [PATCH v6 04/14] MdeModulePkg: Define the
> VarCheckPolicyLib and SMM interface
>
> https://bugzilla.tianocore.org/show_bug.cgi?id=2522
>
> VariablePolicy is an updated interface to
> replace VarLock and VarCheckProtocol.
>
> This is an instance of a VarCheckLib that is backed by the
> VariablePolicyLib business logic. It also publishes the SMM
> calling interface for messages from the DXE protocol.
>
> Cc: Jian J Wang
> Cc: Hao A Wu
> Cc: Liming Gao
> Cc: Bret Barkelew
> Signed-off-by: Bret Barkelew
> ---
> MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c | 320
>
> MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h| 54
> MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf | 42 +++
> MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni | 12 +
> MdeModulePkg/MdeModulePkg.dec| 4 +
> MdeModulePkg/MdeModulePkg.dsc| 2 +
> 6 files changed, 434 insertions(+)
>
> diff --git a/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c
> b/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c
> new file mode 100644
> index ..b64fc5f45332
> --- /dev/null
> +++ b/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c
> @@ -0,0 +1,320 @@
> +/** @file -- VarCheckPolicyLib.c
>
> +This is an instance of a VarCheck lib that leverages the business logic
> behind
1.[Dandan]: This should be a NULL class library, not an instance of VarCheck
Lib.
>
> +the VariablePolicy code to make its decisions.
>
> +
>
> +Copyright (c) Microsoft Corporation.
>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +
>
> +**/
>
> +
>
> +#include
>
> +#include
>
> +#include
>
> +#include
>
> +#include
>
> +#include
>
> +#include
>
> +
>
> +#include
>
> +
>
> +#include
>
> +#include
>
> +
>
> +#include
>
> +
>
> +//
>
> +// As a VarCheck library, we're linked into the VariableServices
>
> +// and may not be able to call them indirectly. To get around this,
>
> +// use the internal GetVariable function to query the variable store.
>
> +//
>
> +EFI_STATUS
>
> +EFIAPI
>
> +VariableServiceGetVariable (
>
> + IN CHAR16*VariableName,
>
> + IN EFI_GUID *VendorGuid,
>
> + OUT UINT32*Attributes OPTIONAL,
>
> + IN OUT UINTN *DataSize,
>
> + OUT VOID *Data
>
> + );
>
> +
>
> +
>
> +/**
>
> + MM Communication Handler to recieve commands from the DXE protocol
> for
>
> + Variable Policies. This communication channel is used to register new
> policies
>
> + and poll and toggle the enforcement of variable policies.
>
> +
>
> + @param[in] DispatchHandle All parameters standard to MM
> communications convention.
>
> + @param[in] RegisterContext All parameters standard to MM
> communications convention.
>
> + @param[in,out] CommBuffer All parameters standard to MM
> communications convention.
>
> + @param[in,out] CommBufferSize All parameters standard to MM
> communications convention.
>
> +
>
> + @retval EFI_SUCCESS
>
> + @retval EFI_INVALID_PARAMETER CommBuffer or CommBufferSize is
> null pointer.
>
> + @retval EFI_INVALID_PARAMETER CommBuffer size is wrong.
>
> + @retval EFI_INVALID_PARAMETER Revision or signature don't match.
>
> +
>
> +**/
>
> +STATIC
>
> +EFI_STATUS
>
> +EFIAPI
>
> +VarCheckPolicyLibMmiHandler (
>
> + IN EFI_HANDLE DispatchHandle,
>
> + IN CONST VOID *RegisterContext,
>
> + IN OUT VOID *CommBuffer,
>
> + IN OUT UINTN*CommBufferSize
>
> + )
>
> +{
>
> + EFI_STATUSStatus;
>
> + EFI_STATUSSubCommandStatus;
>
> + VAR_CHECK_POLICY_COMM_HEADER *PolicyCommmHeader;
>
> + VAR_CHECK_POLICY_COMM_IS_ENABLED_PARAMS *IsEnabledParams;
>
> + VAR_CHECK_POLICY_COMM_DUMP_PARAMS *DumpParams;
>
> + UINT8 *DumpInputBuffer;
>
> + UINT8 *DumpOutputBuffer;
>
> + UINTN DumpTotalPages;
>
> + VARIABLE_POLICY_ENTRY *PolicyEntry;
>
> + UINTN ExpectedSize;
>
> + // Pagination Cache Variables
>
> + static UINT8 *PaginationCache = NULL;
>
> + static UINTN PaginationCacheSize = 0;
>
> +
Re: [edk2-devel] [PATCH v6 09/14] MdeModulePkg: Connect VariablePolicy business logic to VariableServices
1 comment inline, please check.
Thanks,
Dandan
> -Original Message-
> From: devel@edk2.groups.io On Behalf Of Bret
> Barkelew
> Sent: Tuesday, June 23, 2020 2:41 PM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Wu, Hao A ;
> Gao, Liming
> Subject: [edk2-devel] [PATCH v6 09/14] MdeModulePkg: Connect
> VariablePolicy business logic to VariableServices
>
> https://bugzilla.tianocore.org/show_bug.cgi?id=2522
>
> VariablePolicy is an updated interface to
> replace VarLock and VarCheckProtocol.
>
> Add connective code to publish the VariablePolicy protocol
> and wire it to either the SMM communication interface
> or directly into the VariablePolicyLib business logic.
>
> Cc: Jian J Wang
> Cc: Hao A Wu
> Cc: Liming Gao
> Cc: Bret Barkelew
> Signed-off-by: Bret Barkelew
> ---
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c | 53
> ++
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c
> | 642
>
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.
> c | 14 +
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
> | 2 +
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf | 3
> +
>
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.i
> nf | 10 +
> 6 files changed, 724 insertions(+)
>
> diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
> b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
> index 7d2b6c8e1fad..d404d4763e54 100644
> --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
> +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
> @@ -5,18 +5,34 @@
> Copyright (C) 2013, Red Hat, Inc.
>
> Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
>
> (C) Copyright 2015 Hewlett Packard Enterprise Development LP
>
> +Copyright (c) Microsoft Corporation.
>
> SPDX-License-Identifier: BSD-2-Clause-Patent
>
>
>
> **/
>
>
>
> #include "Variable.h"
>
>
>
> +#include
>
> +#include
>
> +
>
> +EFI_STATUS
>
> +EFIAPI
>
> +ProtocolIsVariablePolicyEnabled (
>
> + OUT BOOLEAN *State
>
> + );
>
> +
>
> EFI_HANDLE mHandle= NULL;
>
> EFI_EVENT mVirtualAddressChangeEvent = NULL;
>
> VOID*mFtwRegistration = NULL;
>
> VOID***mVarCheckAddressPointer = NULL;
>
> UINTN mVarCheckAddressPointerCount = 0;
>
> EDKII_VARIABLE_LOCK_PROTOCOLmVariableLock =
> { VariableLockRequestToLock };
>
> +EDKII_VARIABLE_POLICY_PROTOCOL mVariablePolicyProtocol=
> { EDKII_VARIABLE_POLICY_PROTOCOL_REVISION,
>
> +
> DisableVariablePolicy,
>
> +
> ProtocolIsVariablePolicyEnabled,
>
> +
> RegisterVariablePolicy,
>
> +
> DumpVariablePolicy,
>
> +
> LockVariablePolicy };
>
> EDKII_VAR_CHECK_PROTOCOLmVarCheck =
> { VarCheckRegisterSetVariableCheckHandler,
>
>
> VarCheckVariablePropertySet,
>
>
> VarCheckVariablePropertyGet };
>
> @@ -303,6 +319,8 @@ OnReadyToBoot (
> }
>
>}
>
>
>
> + ASSERT_EFI_ERROR (LockVariablePolicy ());
>
> +
>
>gBS->CloseEvent (Event);
>
> }
>
>
>
> @@ -466,6 +484,28 @@ FtwNotificationEvent (
> }
>
>
>
>
>
> +/**
>
> + This API function returns whether or not the policy engine is
>
> + currently being enforced.
>
> +
>
> + @param[out] State Pointer to a return value for whether the policy
> enforcement
>
> +is currently enabled.
>
> +
>
> + @retval EFI_SUCCESS
>
> + @retval OthersAn error has prevented this command from
> completing.
>
> +
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +ProtocolIsVariablePolicyEnabled (
>
> + OUT BOOLEAN *State
>
> + )
>
> +{
>
> + *State = IsVariablePolicyEnabled ();
>
> + return EFI_SUCCESS;
>
> +}
1. [Dandan]: I see other APIs in the VariablePolicyProtocol are using the APIs
in VariablePolicyLib directly, expect this one.
Could we make the IsVariablePolicyEnabled API aligned in protocol and Lib?
>
> +
>
> +
>
> /**
>
>Variable Driver main entry point. The Variable driver places the 4 EFI
>
>runtime services in the EFI System Table and installs arch protocols
>
> @@ -576,6 +616,19 @@ VariableServiceInitialize (
>);
>
>ASSERT_EFI_ERROR (Status);
>
>
>
> + // Register and initialize the
Re: [edk2-devel] [PATCH v6 13/14] MdeModulePkg: Drop VarLock from RuntimeDxe variable driver
1 comment inline, please check.
Thanks,
Dandan
> -Original Message-
> From: devel@edk2.groups.io On Behalf Of Bret
> Barkelew
> Sent: Tuesday, June 23, 2020 2:41 PM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J ; Wu, Hao A ;
> Gao, Liming
> Subject: [edk2-devel] [PATCH v6 13/14] MdeModulePkg: Drop VarLock from
> RuntimeDxe variable driver
>
> https://bugzilla.tianocore.org/show_bug.cgi?id=2522
>
> Now that everything should be moved to
> VariablePolicy, drop support for the
> deprecated VarLock SMI interface and
> associated functions from variable RuntimeDxe.
>
> Cc: Jian J Wang
> Cc: Hao A Wu
> Cc: Liming Gao
> Cc: Bret Barkelew
> Signed-off-by: Bret Barkelew
> ---
> MdeModulePkg/Universal/Variable/RuntimeDxe/VarCheck.c | 49 +-
>
>
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableLockRequstToLock
> .c | 71
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
> | 1 +
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf| 1
> +
>
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
> | 1 +
> 5 files changed, 75 insertions(+), 48 deletions(-)
>
> diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VarCheck.c
> b/MdeModulePkg/Universal/Variable/RuntimeDxe/VarCheck.c
> index f15219df5eb8..486d85b022e1 100644
> --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VarCheck.c
> +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VarCheck.c
> @@ -3,60 +3,13 @@
>and variable lock protocol based on VarCheckLib.
>
>
>
> Copyright (c) 2015, Intel Corporation. All rights reserved.
>
> +Copyright (c) Microsoft Corporation.
>
> SPDX-License-Identifier: BSD-2-Clause-Patent
>
>
>
> **/
>
>
>
> #include "Variable.h"
>
>
>
> -/**
>
> - Mark a variable that will become read-only after leaving the DXE phase of
> execution.
>
> - Write request coming from SMM environment through
> EFI_SMM_VARIABLE_PROTOCOL is allowed.
>
> -
>
> - @param[in] This The VARIABLE_LOCK_PROTOCOL instance.
>
> - @param[in] VariableName A pointer to the variable name that will be
> made read-only subsequently.
>
> - @param[in] VendorGuidA pointer to the vendor GUID that will be made
> read-only subsequently.
>
> -
>
> - @retval EFI_SUCCESS The variable specified by the VariableName
> and
> the VendorGuid was marked
>
> -as pending to be read-only.
>
> - @retval EFI_INVALID_PARAMETER VariableName or VendorGuid is NULL.
>
> -Or VariableName is an empty string.
>
> - @retval EFI_ACCESS_DENIED EFI_END_OF_DXE_EVENT_GROUP_GUID
> or EFI_EVENT_GROUP_READY_TO_BOOT has
>
> -already been signaled.
>
> - @retval EFI_OUT_OF_RESOURCES There is not enough resource to hold
> the lock request.
>
> -**/
>
> -EFI_STATUS
>
> -EFIAPI
>
> -VariableLockRequestToLock (
>
> - IN CONST EDKII_VARIABLE_LOCK_PROTOCOL *This,
>
> - IN CHAR16 *VariableName,
>
> - IN EFI_GUID *VendorGuid
>
> - )
>
> -{
>
> - EFI_STATUSStatus;
>
> - VAR_CHECK_VARIABLE_PROPERTY Property;
>
> -
>
> - AcquireLockOnlyAtBootTime (
> >VariableGlobal.VariableServicesLock);
>
> -
>
> - Status = VarCheckLibVariablePropertyGet (VariableName, VendorGuid,
> );
>
> - if (!EFI_ERROR (Status)) {
>
> -Property.Property |= VAR_CHECK_VARIABLE_PROPERTY_READ_ONLY;
>
> - } else {
>
> -Property.Revision = VAR_CHECK_VARIABLE_PROPERTY_REVISION;
>
> -Property.Property = VAR_CHECK_VARIABLE_PROPERTY_READ_ONLY;
>
> -Property.Attributes = 0;
>
> -Property.MinSize = 1;
>
> -Property.MaxSize = MAX_UINTN;
>
> - }
>
> - Status = VarCheckLibVariablePropertySet (VariableName, VendorGuid,
> );
>
> -
>
> - DEBUG ((EFI_D_INFO, "[Variable] Lock: %g:%s %r\n", VendorGuid,
> VariableName, Status));
>
> -
>
> - ReleaseLockOnlyAtBootTime (
> >VariableGlobal.VariableServicesLock);
>
> -
>
> - return Status;
>
> -}
>
> -
>
> /**
>
>Register SetVariable check handler.
>
>
>
> diff --git
> a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableLockRequstToLo
> ck.c
> b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableLockRequstToLo
> ck.c
> new file mode 100644
> index ..1f7f0b7ef06c
> --- /dev/null
> +++
> b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableLockRequstToLo
> ck.c
> @@ -0,0 +1,71 @@
> +/** @file -- VariableLockRequstToLock.c
>
> +Temporary location of the RequestToLock shim code while
>
> +projects are moved to VariablePolicy. Should be removed when deprecated.
>
> +
>
> +Copyright (c) Microsoft Corporation.
>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +
>
> +**/
>
> +
>
> +#include
>
> +
>
> +#include
>
> +#include
>
> +
>
> +#include
>
> +
>
> +#include
>
> +#include
>
> +#include
>
> +
>
> +
>
> +/**
>
> + DEPRECATED. THIS IS
Re: [edk2-devel] [PATCH v6 00/14] Add the VariablePolicy feature
Hi Bret, Thanks for the contribution. I have taken an overview of this patch series and have some small comments in the related patches, please check in sub-patch. I will review the patch series more in details and bring more comments back if have. Do you have a branch for these patches in GitHub? Which should be easy for review. Thanks, Dandan > -Original Message- > From: devel@edk2.groups.io On Behalf Of Bret > Barkelew > Sent: Tuesday, June 23, 2020 2:41 PM > To: devel@edk2.groups.io > Cc: Yao, Jiewen ; Zhang, Chao B > ; Wang, Jian J ; Wu, Hao > A ; Gao, Liming ; Justen, > Jordan L ; Laszlo Ersek ; > Ard Biesheuvel ; Andrew Fish > ; Ni, Ray > Subject: [edk2-devel] [PATCH v6 00/14] Add the VariablePolicy feature > > REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2522 > > The 14 patches in this series add the VariablePolicy feature to the core, > deprecate Edk2VarLock (while adding a compatibility layer to reduce code > churn), and integrate the VariablePolicy libraries and protocols into Variable > Services. > > Since the integration requires multiple changes, including adding libraries, a > protocol, an SMI communication handler, and VariableServices integration, > the patches are broken up by individual library additions and then a final > integration. Security-sensitive changes like bypassing Authenticated Variable > enforcement are also broken out into individual patches so that attention can > be called directly to them. > > Platform porting instructions are described in this wiki entry: > https://github.com/tianocore/tianocore.github.io/wiki/VariablePolicy- > Protocol---Enhanced-Method-for-Managing-Variables#platform-porting > > Discussion of the feature can be found in multiple places throughout the last > year on the RFC channel, staging branches, and in devel. > > Most recently, this subject was discussed in this thread: > https://edk2.groups.io/g/devel/message/53712 > (the code branches shared in that discussion are now out of date, but the > whitepapers and discussion are relevant). > > Cc: Jiewen Yao > Cc: Chao Zhang > Cc: Jian J Wang > Cc: Hao A Wu > Cc: Liming Gao > Cc: Jordan Justen > Cc: Laszlo Ersek > Cc: Ard Biesheuvel > Cc: Andrew Fish > Cc: Ray Ni > Cc: Bret Barkelew > Signed-off-by: Bret Barkelew > > v6 changes: > * Fix an issue with uninitialized Status in InitVariablePolicyLib() and > DeinitVariablePolicyLib() > * Fix GCC building in shell-based functional test > * Rebase on latest origin/master > > v5 changes: > * Fix the CONST mismatch in VariablePolicy.h and VariablePolicySmmDxe.c > * Fix EFIAPI mismatches in the functional unittest > * Rebase on latest origin/master > > v4 changes: > * Remove Optional PcdAllowVariablePolicyEnforcementDisable PCD from > platforms > * Rebase on master > * Migrate to new MmCommunicate2 protocol > * Fix an oversight in the default return value for > InitMmCommonCommBuffer > * Fix in VariablePolicyLib to allow ExtraInitRuntimeDxe to consume variables > > V3 changes: > * Address all non-unittest issues with ECC > * Make additional style changes > * Include section name in hunk headers in "ini-style" files > * Remove requirement for the EdkiiPiSmmCommunicationsRegionTable > driver > (now allocates its own buffer) > * Change names from VARIABLE_POLICY_PROTOCOL and > gVariablePolicyProtocolGuid > to EDKII_VARIABLE_POLICY_PROTOCOL and > gEdkiiVariablePolicyProtocolGuid > * Fix GCC warning about initializing externs > * Add UNI strings for new PCD > * Add patches for ArmVirtPkg, OvmfXen, and UefiPayloadPkg > * Reorder patches according to Liming's feedback about adding to platforms > before changing variable driver > > V2 changes: > * Fixed implementation for RuntimeDxe > * Add PCD to block DisableVariablePolicy > * Fix the DumpVariablePolicy pagination in SMM > > Bret Barkelew (14): > MdeModulePkg: Define the VariablePolicy protocol interface > MdeModulePkg: Define the VariablePolicyLib > MdeModulePkg: Define the VariablePolicyHelperLib > MdeModulePkg: Define the VarCheckPolicyLib and SMM interface > OvmfPkg: Add VariablePolicy engine to OvmfPkg platform > EmulatorPkg: Add VariablePolicy engine to EmulatorPkg platform > ArmVirtPkg: Add VariablePolicy engine to ArmVirtPkg platform > UefiPayloadPkg: Add VariablePolicy engine to UefiPayloadPkg platform > MdeModulePkg: Connect VariablePolicy business logic to > VariableServices > MdeModulePkg: Allow VariablePolicy state to delete protected variables > SecurityPkg: Allow VariablePolicy state to delete authenticated > variables > MdeModulePkg: Change TCG MOR variables to use VariablePolicy > MdeModulePkg: Drop VarLock from RuntimeDxe variable driver > MdeModulePkg: Add a shell-based functional test for VariablePolicy > > MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c > | 320 +++ > MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.c > | 396 >
[edk2-devel] [PATCH v2 5/9] MdeModulePkg/Core: Create Migrated FV Info Hob for calculating hash (CVE-2019-11098)
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614
When we allocate pool to save rebased the PEIMs, the address will change
randomly, therefore the hash will change and result PCR0 change as well.
To avoid this, we save the raw PEIMs and use it to calculate hash.
Cc: Jian J Wang
Cc: Hao A Wu
Cc: Dandan Bi
Cc: Liming Gao
Cc: Debkumar De
Cc: Harry Han
Cc: Catharine West
Signed-off-by: Guomin Jiang
---
MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c | 15 +
MdeModulePkg/Core/Pei/PeiMain.h | 1 +
MdeModulePkg/Core/Pei/PeiMain.inf | 1 +
MdeModulePkg/Include/Guid/MigratedFvInfo.h| 22 +++
MdeModulePkg/MdeModulePkg.dec | 3 +++
5 files changed, 42 insertions(+)
create mode 100644 MdeModulePkg/Include/Guid/MigratedFvInfo.h
diff --git a/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c
b/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c
index ef88b3423376..7e1ac38f35c8 100644
--- a/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c
+++ b/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c
@@ -1223,10 +1223,12 @@ EvacuateTempRam (
EFI_FIRMWARE_VOLUME_HEADER*FvHeader;
EFI_FIRMWARE_VOLUME_HEADER*ChildFvHeader;
EFI_FIRMWARE_VOLUME_HEADER*MigratedFvHeader;
+ EFI_FIRMWARE_VOLUME_HEADER*RawDataFvHeader;
EFI_FIRMWARE_VOLUME_HEADER*MigratedChildFvHeader;
PEI_CORE_FV_HANDLEPeiCoreFvHandle;
EFI_PEI_CORE_FV_LOCATION_PPI *PeiCoreFvLocationPpi;
+ EDKII_MIGRATED_FV_INFOMigratedFvInfo;
ASSERT (Private->PeiMemoryInstalled);
@@ -1270,6 +1272,13 @@ EvacuateTempRam (
);
ASSERT_EFI_ERROR (Status);
+ Status = PeiServicesAllocatePages (
+ EfiBootServicesCode,
+ EFI_SIZE_TO_PAGES ((UINTN) FvHeader->FvLength),
+ (EFI_PHYSICAL_ADDRESS *)
+ );
+ ASSERT_EFI_ERROR (Status);
+
DEBUG ((
DEBUG_VERBOSE,
" Migrating FV[%d] from 0x%08X to 0x%08X\n",
@@ -1279,6 +1288,12 @@ EvacuateTempRam (
));
CopyMem (MigratedFvHeader, FvHeader, (UINTN) FvHeader->FvLength);
+ CopyMem (RawDataFvHeader, MigratedFvHeader, (UINTN) FvHeader->FvLength);
+ MigratedFvInfo.FvOrgBase = (UINT32) (UINTN) FvHeader;
+ MigratedFvInfo.FvNewBase = (UINT32) (UINTN) MigratedFvHeader;
+ MigratedFvInfo.FvDataBase = (UINT32) (UINTN) RawDataFvHeader;
+ MigratedFvInfo.FvLength = (UINT32) (UINTN) FvHeader->FvLength;
+ BuildGuidDataHob (, , sizeof
(MigratedFvInfo));
//
// Migrate any children for this FV now
diff --git a/MdeModulePkg/Core/Pei/PeiMain.h b/MdeModulePkg/Core/Pei/PeiMain.h
index b0101dba5e30..cbf74d5b9d9a 100644
--- a/MdeModulePkg/Core/Pei/PeiMain.h
+++ b/MdeModulePkg/Core/Pei/PeiMain.h
@@ -44,6 +44,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include
#include
#include
+#include
///
/// It is an FFS type extension used for PeiFindFileEx. It indicates current
diff --git a/MdeModulePkg/Core/Pei/PeiMain.inf
b/MdeModulePkg/Core/Pei/PeiMain.inf
index 5ff14100a65f..c80d16b4efa6 100644
--- a/MdeModulePkg/Core/Pei/PeiMain.inf
+++ b/MdeModulePkg/Core/Pei/PeiMain.inf
@@ -77,6 +77,7 @@ [Guids]
## CONSUMES ## GUID # Used to compare with FV's file system GUID and
get the FV's file system format
gEfiFirmwareFileSystem3Guid
gStatusCodeCallbackGuid
+ gEdkiiMigratedFvInfoGuid ## SOMETIMES_PRODUCES ##
HOB
[Ppis]
gEfiPeiStatusCodePpiGuid ## SOMETIMES_CONSUMES #
PeiReportStatusService is not ready if this PPI doesn't exist
diff --git a/MdeModulePkg/Include/Guid/MigratedFvInfo.h
b/MdeModulePkg/Include/Guid/MigratedFvInfo.h
new file mode 100644
index ..061c17ed0e48
--- /dev/null
+++ b/MdeModulePkg/Include/Guid/MigratedFvInfo.h
@@ -0,0 +1,22 @@
+/** @file
+ Migrated FV information
+
+Copyright (c) 2020, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef __EDKII_MIGRATED_FV_INFO_GUID_H__
+#define __EDKII_MIGRATED_FV_INFO_GUID_H__
+
+typedef struct {
+ UINT32 FvOrgBase; // original FV address
+ UINT32 FvNewBase; // new FV address
+ UINT32 FvDataBase; // original FV data
+ UINT32 FvLength; // Fv Length
+} EDKII_MIGRATED_FV_INFO;
+
+extern EFI_GUID gEdkiiMigratedFvInfoGuid;
+
+#endif // #ifndef __EDKII_MIGRATED_FV_INFO_GUID_H__
+
diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
index 843e963ad34b..5e25cbe98ada 100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
@@ -389,6 +389,9 @@ [Guids]
## GUID indicates the capsule is to store Capsule On Disk file names.
gEdkiiCapsuleOnDiskNameGuid = { 0x98c80a4f, 0xe16b, 0x4d11, { 0x93, 0x9a,
0xab, 0xe5, 0x61, 0x26, 0x3, 0x30 } }
+ ## Include/Guid/MigratedFvInfo.h
+ gEdkiiMigratedFvInfoGuid = { 0xc1ab12f7, 0x74aa, 0x408d, { 0xa2, 0xf4, 0xc6,
0xce, 0xfd, 0x17,
[edk2-devel] [PATCH v2 1/9] MdeModulePkg/PeiCore: Enable T-RAM evacuation in PeiCore (CVE-2019-11098)
From: Michael Kubacki
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614
Introduces new changes to PeiCore to move the contents of temporary
RAM visible to the PeiCore to permanent memory. This expands on
pre-existing shadowing support in the PeiCore to perform the following
additional actions:
1. Migrate pointers in PPIs installed in PeiCore to the permanent
memory copy of PeiCore.
2. Copy all installed firmware volumes to permanent memory.
3. Relocate and fix up the PEIMs within the firmware volumes.
4. Convert all PPIs into the migrated firmware volume to the corresponding
PPI address in the permanent memory location.
This applies to PPIs and PEI notifications.
5. Convert all status code callbacks in the migrated firmware volume to
the corresponding address in the permanent memory location.
6. Update the FV HOB to the corresponding firmware volume in permanent
memory.
Cc: Jian J Wang
Cc: Hao A Wu
Cc: Dandan Bi
Cc: Liming Gao
Cc: Debkumar De
Cc: Harry Han
Cc: Catharine West
Signed-off-by: Michael Kubacki
---
MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c | 402 ++
MdeModulePkg/Core/Pei/Image/Image.c | 115 +
MdeModulePkg/Core/Pei/Memory/MemoryServices.c | 82
MdeModulePkg/Core/Pei/PeiMain.h | 168
MdeModulePkg/Core/Pei/PeiMain.inf | 1 +
MdeModulePkg/Core/Pei/PeiMain/PeiMain.c | 16 +
MdeModulePkg/Core/Pei/Ppi/Ppi.c | 287 +
7 files changed, 1071 insertions(+)
diff --git a/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c
b/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c
index 4c2eac1384e8..ef88b3423376 100644
--- a/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c
+++ b/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c
@@ -952,6 +952,408 @@ PeiCheckAndSwitchStack (
}
}
+/**
+ Migrate a PEIM from Temporary RAM to permanent memory.
+
+ @param PeimFileHandle Pointer to the FFS file header of the image.
+ @param MigratedFileHandle Pointer to the FFS file header of the migrated
image.
+
+ @retval EFI_SUCCESS Sucessfully migrated the PEIM to permanent
memory.
+
+**/
+EFI_STATUS
+EFIAPI
+MigratePeim (
+ IN EFI_PEI_FILE_HANDLE FileHandle,
+ IN EFI_PEI_FILE_HANDLE MigratedFileHandle
+ )
+{
+ EFI_STATUSStatus;
+ EFI_FFS_FILE_HEADER *FileHeader;
+ VOID *Pe32Data;
+ VOID *ImageAddress;
+ CHAR8 *AsciiString;
+ UINTN Index;
+
+ Status = EFI_SUCCESS;
+
+ FileHeader = (EFI_FFS_FILE_HEADER *) FileHandle;
+ ASSERT (!IS_FFS_FILE2 (FileHeader));
+
+ ImageAddress = NULL;
+ PeiGetPe32Data (MigratedFileHandle, );
+ if (ImageAddress != NULL) {
+AsciiString = PeCoffLoaderGetPdbPointer (ImageAddress);
+for (Index = 0; AsciiString[Index] != 0; Index++) {
+ if (AsciiString[Index] == '\\' || AsciiString[Index] == '/') {
+AsciiString = AsciiString + Index + 1;
+Index = 0;
+ } else if (AsciiString[Index] == '.') {
+AsciiString[Index] = 0;
+ }
+}
+DEBUG ((DEBUG_INFO, "%a", AsciiString));
+
+Pe32Data = (VOID *) ((UINTN) ImageAddress - (UINTN) MigratedFileHandle +
(UINTN) FileHandle);
+Status = LoadAndRelocatePeCoffImageInPlace (Pe32Data, ImageAddress);
+ASSERT_EFI_ERROR (Status);
+ }
+
+ return Status;
+}
+
+/**
+ Migrate Status Code Callback function pointers inside an FV from temporary
memory to permanent memory.
+
+ @param OrgFvHandle Address of FV Handle in temporary memory.
+ @param FvHandle Address of FV Handle in permanent memory.
+ @param FvSize Size of the FV.
+
+**/
+VOID
+ConvertStatusCodeCallbacks (
+ IN UINTN OrgFvHandle,
+ IN UINTN FvHandle,
+ IN UINTN FvSize
+ )
+{
+ EFI_PEI_HOB_POINTERSHob;
+ UINTN *NumberOfEntries;
+ UINTN *CallbackEntry;
+ UINTN Index;
+
+ Hob.Raw = GetFirstGuidHob ();
+ while (Hob.Raw != NULL) {
+NumberOfEntries = GET_GUID_HOB_DATA (Hob);
+CallbackEntry = NumberOfEntries + 1;
+for (Index = 0; Index < *NumberOfEntries; Index++) {
+ if (((VOID *) CallbackEntry[Index]) != NULL) {
+if ((CallbackEntry[Index] >= OrgFvHandle) && (CallbackEntry[Index] <
(OrgFvHandle + FvSize))) {
+ DEBUG ((DEBUG_INFO, "Migrating CallbackEntry[%d] from 0x%08X to ",
Index, CallbackEntry[Index]));
+ if (OrgFvHandle > FvHandle) {
+CallbackEntry[Index] = CallbackEntry[Index] - (OrgFvHandle -
FvHandle);
+ } else {
+CallbackEntry[Index] = CallbackEntry[Index] + (FvHandle -
OrgFvHandle);
+ }
+ DEBUG ((DEBUG_INFO, "0x%08X\n", CallbackEntry[Index]));
+}
+ }
+}
+Hob.Raw = GET_NEXT_HOB (Hob);
+Hob.Raw = GetNextGuidHob (, Hob.Raw);
+ }
+}
+
+/**
+ Migrates SEC modules in the given firmware volume.
[edk2-devel] [PATCH v2 4/9] MdeModulePkg/DxeIplPeim: Register for shadow on S3 shadowed boot (CVE-2019-11098)
From: Jian J Wang
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614
Cc: Jian J Wang
Cc: Hao A Wu
Cc: Dandan Bi
Cc: Liming Gao
Signed-off-by: Jian J Wang
---
MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf | 3 +++
MdeModulePkg/Core/DxeIplPeim/DxeLoad.c | 2 +-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
index 3f1702854660..4ab54594ed66 100644
--- a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
+++ b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
@@ -121,6 +121,9 @@ [Pcd.IA32,Pcd.X64,Pcd.ARM,Pcd.AARCH64]
gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy ##
SOMETIMES_CONSUMES
gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy ##
SOMETIMES_CONSUMES
+[Pcd]
+ gEfiMdeModulePkgTokenSpaceGuid.PcdShadowPeimOnS3Boot ## CONSUMES
+
[Depex]
gEfiPeiLoadFilePpiGuid AND gEfiPeiMasterBootModePpiGuid
diff --git a/MdeModulePkg/Core/DxeIplPeim/DxeLoad.c
b/MdeModulePkg/Core/DxeIplPeim/DxeLoad.c
index d48028cea0dd..9e1831c69819 100644
--- a/MdeModulePkg/Core/DxeIplPeim/DxeLoad.c
+++ b/MdeModulePkg/Core/DxeIplPeim/DxeLoad.c
@@ -77,7 +77,7 @@ PeimInitializeDxeIpl (
BootMode = GetBootModeHob ();
- if (BootMode != BOOT_ON_S3_RESUME) {
+ if (BootMode != BOOT_ON_S3_RESUME || PcdGetBool (PcdShadowPeimOnS3Boot)) {
Status = PeiServicesRegisterForShadow (FileHandle);
if (Status == EFI_SUCCESS) {
//
--
2.25.1.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#61945): https://edk2.groups.io/g/devel/message/61945
Mute This Topic: https://groups.io/mt/75252663/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v2 0/9] Migrate Pointer from flash to permanent memory (CVE-2019-11098)
The TOCTOU vulnerability allow that the physical present person to replace the code with the normal BootGuard check and PCR0 value. The issue occur when BootGuard measure IBB and access flash code after NEM disable. the reason why we access the flash code is that we have some pointer to flash. To avoid this vulnerability, we need to convert those pointers, the patch series do this work and make sure that no code will access flash address. Cc: Jian J Wang Cc: Hao A Wu Cc: Dandan Bi Cc: Liming Gao Cc: Debkumar De Cc: Harry Han Cc: Catharine West Cc: Eric Dong Cc: Ray Ni Cc: Laszlo Ersek Cc: Rahul Kumar Cc: Jiewen Yao Cc: Chao Zhang Cc: Qi Zhang Guomin Jiang (5): MdeModulePkg/Core: Create Migrated FV Info Hob for calculating hash (CVE-2019-11098) SecurityPkg/Tcg2Pei: Use Migrated FV Info Hob for calculating hash (CVE-2019-11098) MdeModulePkg/Core: Add switch to enable or disable TOCTOU feature (CVE-2019-11098) UefiCpuPkg/SecMigrationPei: Add switch to control if produce PPI (CVE-2019-11098) UefiCpuPkg/CpuMpPei: Enable paging and set NP flag to avoid TOCTOU (CVE-2019-11098) Jian J Wang (1): MdeModulePkg/DxeIplPeim: Register for shadow on S3 shadowed boot (CVE-2019-11098) Michael Kubacki (3): MdeModulePkg/PeiCore: Enable T-RAM evacuation in PeiCore (CVE-2019-11098) UefiCpuPkg/CpuMpPei: Add GDT and IDT migration support (CVE-2019-11098) UefiCpuPkg/SecMigrationPei: Add initial PEIM (CVE-2019-11098) MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf | 3 + MdeModulePkg/Core/DxeIplPeim/DxeLoad.c| 2 +- MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c | 417 ++ MdeModulePkg/Core/Pei/Image/Image.c | 115 + MdeModulePkg/Core/Pei/Memory/MemoryServices.c | 82 MdeModulePkg/Core/Pei/PeiMain.h | 169 +++ MdeModulePkg/Core/Pei/PeiMain.inf | 3 + MdeModulePkg/Core/Pei/PeiMain/PeiMain.c | 17 + MdeModulePkg/Core/Pei/Ppi/Ppi.c | 287 MdeModulePkg/Include/Guid/MigratedFvInfo.h| 22 + MdeModulePkg/MdeModulePkg.dec | 8 + SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c | 31 +- SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf | 1 + UefiCpuPkg/CpuMpPei/CpuMpPei.c| 40 +- UefiCpuPkg/CpuMpPei/CpuMpPei.h| 13 + UefiCpuPkg/CpuMpPei/CpuMpPei.inf | 3 + UefiCpuPkg/CpuMpPei/CpuPaging.c | 31 +- UefiCpuPkg/Include/Ppi/RepublishSecPpi.h | 54 +++ .../Ia32/ArchExceptionHandler.c | 4 +- .../SecPeiCpuException.c | 2 +- UefiCpuPkg/SecCore/SecCore.inf| 2 + UefiCpuPkg/SecCore/SecMain.c | 26 +- UefiCpuPkg/SecCore/SecMain.h | 1 + UefiCpuPkg/SecMigrationPei/SecMigrationPei.c | 374 UefiCpuPkg/SecMigrationPei/SecMigrationPei.h | 170 +++ .../SecMigrationPei/SecMigrationPei.inf | 68 +++ .../SecMigrationPei/SecMigrationPei.uni | 13 + UefiCpuPkg/UefiCpuPkg.dec | 4 + UefiCpuPkg/UefiCpuPkg.dsc | 1 + 29 files changed, 1947 insertions(+), 16 deletions(-) create mode 100644 MdeModulePkg/Include/Guid/MigratedFvInfo.h create mode 100644 UefiCpuPkg/Include/Ppi/RepublishSecPpi.h create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.c create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.h create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.uni -- 2.25.1.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#61941): https://edk2.groups.io/g/devel/message/61941 Mute This Topic: https://groups.io/mt/75252659/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v2 3/9] UefiCpuPkg/SecMigrationPei: Add initial PEIM (CVE-2019-11098)
From: Michael Kubacki
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614
Adds a PEIM that republishes structures produced in SEC. This
is done because SEC modules may not be shadowed in some platforms
due to space constraints or special alignment requirements. The
SecMigrationPei module locates interfaces that may be published in
SEC and reinstalls the interface with permanent memory addresses.
This is important if pre-memory address access is forbidden after
memory initialization and data such as a PPI descriptor, PPI GUID,
or PPI inteface reside in pre-memory.
Cc: Eric Dong
Cc: Ray Ni
Cc: Laszlo Ersek
Cc: Rahul Kumar
Cc: Debkumar De
Cc: Harry Han
Cc: Catharine West
Signed-off-by: Michael Kubacki
---
UefiCpuPkg/Include/Ppi/RepublishSecPpi.h | 54 +++
UefiCpuPkg/SecCore/SecCore.inf| 2 +
UefiCpuPkg/SecCore/SecMain.c | 26 +-
UefiCpuPkg/SecCore/SecMain.h | 1 +
UefiCpuPkg/SecMigrationPei/SecMigrationPei.c | 372 ++
UefiCpuPkg/SecMigrationPei/SecMigrationPei.h | 170
.../SecMigrationPei/SecMigrationPei.inf | 64 +++
.../SecMigrationPei/SecMigrationPei.uni | 13 +
UefiCpuPkg/UefiCpuPkg.dec | 4 +
UefiCpuPkg/UefiCpuPkg.dsc | 1 +
10 files changed, 705 insertions(+), 2 deletions(-)
create mode 100644 UefiCpuPkg/Include/Ppi/RepublishSecPpi.h
create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.c
create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.h
create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf
create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.uni
diff --git a/UefiCpuPkg/Include/Ppi/RepublishSecPpi.h
b/UefiCpuPkg/Include/Ppi/RepublishSecPpi.h
new file mode 100644
index ..6fb9f1b005b4
--- /dev/null
+++ b/UefiCpuPkg/Include/Ppi/RepublishSecPpi.h
@@ -0,0 +1,54 @@
+/** @file
+ This file declares Sec Platform Information PPI.
+
+ This service is the primary handoff state into the PEI Foundation.
+ The Security (SEC) component creates the early, transitory memory
+ environment and also encapsulates knowledge of at least the
+ location of the Boot Firmware Volume (BFV).
+
+ Copyright (c) 2020, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ @par Revision Reference:
+ This PPI is introduced in PI Version 1.0.
+
+**/
+
+#ifndef __REPUBLISH_SEC_PPI_H__
+#define __REPUBLISH_SEC_PPI_H__
+
+#include
+
+#define REPUBLISH_SEC_PPI_PPI_GUID \
+ { \
+0x27a71b1e, 0x73ee, 0x43d6, { 0xac, 0xe3, 0x52, 0x1a, 0x2d, 0xc5, 0xd0,
0x92 } \
+ }
+
+typedef struct _REPUBLISH_SEC_PPI_PPI REPUBLISH_SEC_PPI_PPI;
+
+/**
+ This interface re-installs PPIs installed in SecCore from a post-memory PEIM.
+
+ This is to allow a platform that may not support relocation of SecCore to
update the PPI instance to a post-memory
+ copy from a PEIM that has been shadowed to permanent memory.
+
+ @retval EFI_SUCCESSThe SecCore PPIs were re-installed successfully.
+ @retval Others An error occurred re-installing the SecCore PPIs.
+
+**/
+typedef
+EFI_STATUS
+(EFIAPI *REPUBLISH_SEC_PPI_REPUBLISH_SEC_PPIS)(
+ VOID
+ );
+
+///
+///
+///
+struct _REPUBLISH_SEC_PPI_PPI {
+ REPUBLISH_SEC_PPI_REPUBLISH_SEC_PPIS RepublishSecPpis;
+};
+
+extern EFI_GUID gRepublishSecPpiPpiGuid;
+
+#endif
diff --git a/UefiCpuPkg/SecCore/SecCore.inf b/UefiCpuPkg/SecCore/SecCore.inf
index 0562820c95e0..545781d6b4b3 100644
--- a/UefiCpuPkg/SecCore/SecCore.inf
+++ b/UefiCpuPkg/SecCore/SecCore.inf
@@ -68,6 +68,8 @@ [Ppis]
## SOMETIMES_CONSUMES
gPeiSecPerformancePpiGuid
gEfiPeiCoreFvLocationPpiGuid
+ ## CONSUMES
+ gRepublishSecPpiPpiGuid
[Guids]
## SOMETIMES_PRODUCES ## HOB
diff --git a/UefiCpuPkg/SecCore/SecMain.c b/UefiCpuPkg/SecCore/SecMain.c
index 5d5e7f17dced..155be49a6011 100644
--- a/UefiCpuPkg/SecCore/SecMain.c
+++ b/UefiCpuPkg/SecCore/SecMain.c
@@ -370,13 +370,35 @@ SecTemporaryRamDone (
VOID
)
{
- BOOLEAN State;
+ EFI_STATUSStatus;
+ EFI_STATUSStatus2;
+ UINTN Index;
+ BOOLEAN State;
+ EFI_PEI_PPI_DESCRIPTOR*PeiPpiDescriptor;
+ REPUBLISH_SEC_PPI_PPI *RepublishSecPpiPpi;
//
// Republish Sec Platform Information(2) PPI
//
RepublishSecPlatformInformationPpi ();
+ //
+ // Re-install SEC PPIs using a PEIM produced service if published
+ //
+ for (Index = 0, Status = EFI_SUCCESS; Status == EFI_SUCCESS; Index++) {
+Status = PeiServicesLocatePpi (
+ ,
+ Index,
+ ,
+ (VOID **)
+ );
+if (!EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_INFO, "Calling RepublishSecPpi instance %d.\n", Index));
+ Status2 = RepublishSecPpiPpi->RepublishSecPpis ();
+ ASSERT_EFI_ERROR (Status2);
+}
+ }
+
//
// Migrate DebugAgentContext.
//
@@ -385,7 +407,7
[edk2-devel] [PATCH v2 9/9] UefiCpuPkg/CpuMpPei: Enable paging and set NP flag to avoid TOCTOU (CVE-2019-11098)
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614
To avoid the TOCTOU, enable paging and set Not Present flag so when
access any code in the flash range, it will trigger #NP exception.
Cc: Eric Dong
Cc: Ray Ni
Cc: Laszlo Ersek
Cc: Rahul Kumar
Signed-off-by: Guomin Jiang
---
UefiCpuPkg/CpuMpPei/CpuMpPei.inf | 3 +++
UefiCpuPkg/CpuMpPei/CpuPaging.c | 17 +++--
2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/UefiCpuPkg/CpuMpPei/CpuMpPei.inf b/UefiCpuPkg/CpuMpPei/CpuMpPei.inf
index caead3ce34d4..fd50b55f06cb 100644
--- a/UefiCpuPkg/CpuMpPei/CpuMpPei.inf
+++ b/UefiCpuPkg/CpuMpPei/CpuMpPei.inf
@@ -46,6 +46,9 @@ [LibraryClasses]
BaseMemoryLib
CpuLib
+[Guids]
+ gEdkiiMigratedFvInfoGuid ##
SOMETIMES_CONSUMES ## HOB
+
[Ppis]
gEfiPeiMpServicesPpiGuid ## PRODUCES
gEfiSecPlatformInformationPpiGuid ## SOMETIMES_CONSUMES
diff --git a/UefiCpuPkg/CpuMpPei/CpuPaging.c b/UefiCpuPkg/CpuMpPei/CpuPaging.c
index d0cbebf70bbf..af4069b42cdb 100644
--- a/UefiCpuPkg/CpuMpPei/CpuPaging.c
+++ b/UefiCpuPkg/CpuMpPei/CpuPaging.c
@@ -12,6 +12,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include
#include
#include
+#include
#include "CpuMpPei.h"
@@ -605,6 +606,8 @@ MemoryDiscoveredPpiNotifyCallback (
EFI_STATUS Status;
BOOLEAN InitStackGuard;
BOOLEAN InterruptState;
+ EDKII_MIGRATED_FV_INFO *MigratedFvInfo;
+ EFI_PEI_HOB_POINTERS Hob;
InterruptState = SaveAndDisableInterrupts ();
Status = MigrateGdt ();
@@ -617,9 +620,9 @@ MemoryDiscoveredPpiNotifyCallback (
// the task switch (for the sake of stack switch).
//
InitStackGuard = FALSE;
- if (IsIa32PaeSupported () && PcdGetBool (PcdCpuStackGuard)) {
+ if (IsIa32PaeSupported ()) {
EnablePaging ();
-InitStackGuard = TRUE;
+InitStackGuard = PcdGetBool (PcdCpuStackGuard);
}
Status = InitializeCpuMpWorker ((CONST EFI_PEI_SERVICES **)PeiServices);
@@ -629,6 +632,16 @@ MemoryDiscoveredPpiNotifyCallback (
SetupStackGuardPage ();
}
+ Hob.Raw = GetFirstGuidHob ();
+ while (Hob.Raw != NULL) {
+MigratedFvInfo = GET_GUID_HOB_DATA (Hob);
+ConvertMemoryPageAttributes (MigratedFvInfo->FvOrgBase,
MigratedFvInfo->FvLength, 0);
+
+Hob.Raw = GET_NEXT_HOB (Hob);
+Hob.Raw = GetNextGuidHob (, Hob.Raw);
+ }
+ CpuFlushTlb ();
+
return Status;
}
--
2.25.1.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#61950): https://edk2.groups.io/g/devel/message/61950
Mute This Topic: https://groups.io/mt/75252669/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v2 6/9] SecurityPkg/Tcg2Pei: Use Migrated FV Info Hob for calculating hash (CVE-2019-11098)
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614
When we allocate pool to save rebased the PEIMs, the address will change
randomly, therefore the hash will change and result PCR0 change as well.
To avoid this, we save the raw PEIMs and use it to calculate hash.
The Tcg2Pei calculate the hash and it use the Migrated FV Info.
Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Chao Zhang
Cc: Qi Zhang
Cc: Rahul Kumar
Signed-off-by: Guomin Jiang
---
SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c | 31 ++---
SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf | 1 +
2 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
index 4852d8690617..651a60c1f0e2 100644
--- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
+++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
@@ -21,6 +21,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include
#include
#include
+#include
#include
#include
@@ -536,6 +537,10 @@ MeasureFvImage (
EDKII_PEI_FIRMWARE_VOLUME_INFO_PREHASHED_FV_PPI *PrehashedFvPpi;
HASH_INFO *PreHashInfo;
UINT32HashAlgoMask;
+ EFI_PHYSICAL_ADDRESS FvOrgBase;
+ EFI_PHYSICAL_ADDRESS FvDataBase;
+ EFI_PEI_HOB_POINTERS Hob;
+ EDKII_MIGRATED_FV_INFO*MigratedFvInfo;
//
// Check Excluded FV list
@@ -621,6 +626,26 @@ MeasureFvImage (
Instance++;
} while (!EFI_ERROR(Status));
+ //
+ // Search the matched migration FV info
+ //
+ FvOrgBase = FvBase;
+ FvDataBase = FvBase;
+ Hob.Raw = GetFirstGuidHob ();
+ while (Hob.Raw != NULL) {
+MigratedFvInfo = GET_GUID_HOB_DATA (Hob);
+if ((MigratedFvInfo->FvNewBase == (UINT32) FvBase) &&
(MigratedFvInfo->FvLength == (UINT32) FvLength)) {
+ //
+ // Found the migrated FV info
+ //
+ FvOrgBase = (EFI_PHYSICAL_ADDRESS) (UINTN) MigratedFvInfo->FvOrgBase;
+ FvDataBase = (EFI_PHYSICAL_ADDRESS) (UINTN) MigratedFvInfo->FvDataBase;
+ break;
+}
+Hob.Raw = GET_NEXT_HOB (Hob);
+Hob.Raw = GetNextGuidHob (, Hob.Raw);
+ }
+
//
// Init the log event for FV measurement
//
@@ -631,13 +656,13 @@ MeasureFvImage (
if (FvName != NULL) {
AsciiSPrint ((CHAR8 *)FvBlob2.BlobDescription,
sizeof(FvBlob2.BlobDescription), "Fv(%g)", FvName);
}
-FvBlob2.BlobBase = FvBase;
+FvBlob2.BlobBase = FvOrgBase;
FvBlob2.BlobLength= FvLength;
TcgEventHdr.EventType = EV_EFI_PLATFORM_FIRMWARE_BLOB2;
TcgEventHdr.EventSize = sizeof (FvBlob2);
EventData =
} else {
-FvBlob.BlobBase = FvBase;
+FvBlob.BlobBase = FvOrgBase;
FvBlob.BlobLength = FvLength;
TcgEventHdr.PCRIndex = 0;
TcgEventHdr.EventType = EV_EFI_PLATFORM_FIRMWARE_BLOB;
@@ -672,7 +697,7 @@ MeasureFvImage (
//
Status = HashLogExtendEvent (
0,
- (UINT8*) (UINTN) FvBase, // HashData
+ (UINT8*) (UINTN) FvDataBase, // HashData
(UINTN) FvLength,// HashDataLen
,// EventHdr
EventData// EventData
diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
index 3d361e8859e7..367df21eedaf 100644
--- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
+++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
@@ -63,6 +63,7 @@ [Guids]
gTcgEvent2EntryHobGuid ##
PRODUCES ## HOB
gEfiTpmDeviceInstanceNoneGuid##
SOMETIMES_PRODUCES ## GUID # TPM device identifier
gEfiTpmDeviceInstanceTpm12Guid ##
SOMETIMES_PRODUCES ## GUID # TPM device identifier
+ gEdkiiMigratedFvInfoGuid ##
SOMETIMES_CONSUMES ## HOB
[Ppis]
gEfiPeiFirmwareVolumeInfoPpiGuid ##
SOMETIMES_CONSUMES ## NOTIFY
--
2.25.1.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#61947): https://edk2.groups.io/g/devel/message/61947
Mute This Topic: https://groups.io/mt/75252665/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v2 2/9] UefiCpuPkg/CpuMpPei: Add GDT and IDT migration support (CVE-2019-11098)
From: Michael Kubacki
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614
Moves the GDT and IDT to permanent memory in a memory discovered
callback. This is done to ensure the GDT and IDT authenticated in
pre-memory is not fetched from outside a verified location after
the permanent memory transition.
Cc: Eric Dong
Cc: Ray Ni
Cc: Laszlo Ersek
Cc: Rahul Kumar
Signed-off-by: Michael Kubacki
---
UefiCpuPkg/CpuMpPei/CpuMpPei.c| 40 ++-
UefiCpuPkg/CpuMpPei/CpuMpPei.h| 13 ++
UefiCpuPkg/CpuMpPei/CpuPaging.c | 14 +--
.../Ia32/ArchExceptionHandler.c | 4 +-
.../SecPeiCpuException.c | 2 +-
5 files changed, 65 insertions(+), 8 deletions(-)
diff --git a/UefiCpuPkg/CpuMpPei/CpuMpPei.c b/UefiCpuPkg/CpuMpPei/CpuMpPei.c
index 07ccbe7c6a91..2d6f1bc98851 100644
--- a/UefiCpuPkg/CpuMpPei/CpuMpPei.c
+++ b/UefiCpuPkg/CpuMpPei/CpuMpPei.c
@@ -429,6 +429,44 @@ GetGdtr (
AsmReadGdtr ((IA32_DESCRIPTOR *)Buffer);
}
+/**
+ Migrates the Global Descriptor Table (GDT) to permanent memory.
+
+ @retval EFI_SUCCESS The GDT was migrated successfully.
+ @retval EFI_OUT_OF_RESOURCES The GDT could not be migrated due to lack of
available memory.
+
+**/
+EFI_STATUS
+EFIAPI
+MigrateGdt (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+ UINTN GdtBufferSize;
+ IA32_DESCRIPTOR Gdtr;
+ UINT8 *GdtBuffer;
+
+ AsmReadGdtr ((IA32_DESCRIPTOR *) );
+ GdtBufferSize = sizeof (IA32_TSS_DESCRIPTOR) + Gdtr.Limit + 1;
+
+ Status = PeiServicesAllocatePool (
+ GdtBufferSize,
+ (VOID **)
+ );
+ ASSERT (GdtBuffer != NULL);
+ if (EFI_ERROR (Status)) {
+return EFI_OUT_OF_RESOURCES;
+ }
+
+ GdtBuffer = ALIGN_POINTER (GdtBuffer, sizeof (IA32_TSS_DESCRIPTOR));
+ CopyMem ((VOID *) (UINTN) GdtBuffer, (VOID *) Gdtr.Base, Gdtr.Limit + 1);
+ Gdtr.Base = (UINT32)(UINTN) GdtBuffer;
+ AsmWriteGdtr ();
+
+ return EFI_SUCCESS;
+}
+
/**
Initializes CPU exceptions handlers for the sake of stack switch requirement.
@@ -644,7 +682,7 @@ InitializeCpuMpWorker (
,
0,
NULL,
- (VOID **)
+ (VOID **)
);
if (Status == EFI_SUCCESS) {
VectorInfo = VectorHandoffInfoPpi->Info;
diff --git a/UefiCpuPkg/CpuMpPei/CpuMpPei.h b/UefiCpuPkg/CpuMpPei/CpuMpPei.h
index 7d5c527d6006..5dc956409594 100644
--- a/UefiCpuPkg/CpuMpPei/CpuMpPei.h
+++ b/UefiCpuPkg/CpuMpPei/CpuMpPei.h
@@ -397,6 +397,19 @@ SecPlatformInformation2 (
OUT EFI_SEC_PLATFORM_INFORMATION_RECORD2 *PlatformInformationRecord2
);
+/**
+ Migrates the Global Descriptor Table (GDT) to permanent memory.
+
+ @retval EFI_SUCCESS The GDT was migrated successfully.
+ @retval EFI_OUT_OF_RESOURCES The GDT could not be migrated due to lack of
available memory.
+
+**/
+EFI_STATUS
+EFIAPI
+MigrateGdt (
+ VOID
+ );
+
/**
Initializes MP and exceptions handlers.
diff --git a/UefiCpuPkg/CpuMpPei/CpuPaging.c b/UefiCpuPkg/CpuMpPei/CpuPaging.c
index a462e7ee1e38..d0cbebf70bbf 100644
--- a/UefiCpuPkg/CpuMpPei/CpuPaging.c
+++ b/UefiCpuPkg/CpuMpPei/CpuPaging.c
@@ -152,7 +152,7 @@ GetPhysicalAddressWidth (
Get the type of top level page table.
@retval Page512G PML4 paging.
- @retval Page1GPAE paing.
+ @retval Page1GPAE paging.
**/
PAGE_ATTRIBUTE
@@ -582,7 +582,7 @@ SetupStackGuardPage (
}
/**
- Enabl/setup stack guard for each processor if PcdCpuStackGuard is set to
TRUE.
+ Enable/setup stack guard for each processor if PcdCpuStackGuard is set to
TRUE.
Doing this in the memory-discovered callback is to make sure the Stack Guard
feature to cover as most PEI code as possible.
@@ -602,8 +602,14 @@ MemoryDiscoveredPpiNotifyCallback (
IN VOID *Ppi
)
{
- EFI_STATUS Status;
- BOOLEAN InitStackGuard;
+ EFI_STATUS Status;
+ BOOLEAN InitStackGuard;
+ BOOLEAN InterruptState;
+
+ InterruptState = SaveAndDisableInterrupts ();
+ Status = MigrateGdt ();
+ ASSERT_EFI_ERROR (Status);
+ SetInterruptState (InterruptState);
//
// Paging must be setup first. Otherwise the exception TSS setup during MP
diff --git
a/UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ArchExceptionHandler.c
b/UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ArchExceptionHandler.c
index 1aafb7dac139..903449e0daa9 100644
--- a/UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ArchExceptionHandler.c
+++ b/UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ArchExceptionHandler.c
@@ -18,8 +18,8 @@
**/
VOID
ArchUpdateIdtEntry (
- IN IA32_IDT_GATE_DESCRIPTOR*IdtEntry,
- IN UINTN InterruptHandler
+ OUT IA32_IDT_GATE_DESCRIPTOR*IdtEntry,
+ IN UINTN InterruptHandler
)
{
IdtEntry->Bits.OffsetLow = (UINT16)(UINTN)InterruptHandler;
diff --git
[edk2-devel] [PATCH v2 7/9] MdeModulePkg/Core: Add switch to enable or disable TOCTOU feature (CVE-2019-11098)
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614
Add total switch to enable or disable TOCTOU feature, the vulnerability is
critical, so the switch is on normally but if you can disable it according
to your needs.
Cc: Jian J Wang
Cc: Hao A Wu
Cc: Dandan Bi
Cc: Liming Gao
Cc: Debkumar De
Cc: Harry Han
Cc: Catharine West
Signed-off-by: Guomin Jiang
---
MdeModulePkg/Core/Pei/PeiMain.inf | 1 +
MdeModulePkg/Core/Pei/PeiMain/PeiMain.c | 5 +++--
MdeModulePkg/MdeModulePkg.dec | 5 +
3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/MdeModulePkg/Core/Pei/PeiMain.inf
b/MdeModulePkg/Core/Pei/PeiMain.inf
index c80d16b4efa6..0cf357371a16 100644
--- a/MdeModulePkg/Core/Pei/PeiMain.inf
+++ b/MdeModulePkg/Core/Pei/PeiMain.inf
@@ -111,6 +111,7 @@ [Pcd]
gEfiMdeModulePkgTokenSpaceGuid.PcdShadowPeimOnS3Boot ##
CONSUMES
gEfiMdeModulePkgTokenSpaceGuid.PcdShadowPeimOnBoot##
CONSUMES
gEfiMdeModulePkgTokenSpaceGuid.PcdInitValueInTempStack##
CONSUMES
+ gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes ##
CONSUMES
# [BootMode]
# S3_RESUME ## SOMETIMES_CONSUMES
diff --git a/MdeModulePkg/Core/Pei/PeiMain/PeiMain.c
b/MdeModulePkg/Core/Pei/PeiMain/PeiMain.c
index 802cd239e2eb..bc78c3f8ad59 100644
--- a/MdeModulePkg/Core/Pei/PeiMain/PeiMain.c
+++ b/MdeModulePkg/Core/Pei/PeiMain/PeiMain.c
@@ -419,8 +419,9 @@ PeiCore (
}
} else {
if (
- (!(PrivateData.HobList.HandoffInformationTable->BootMode ==
BOOT_ON_S3_RESUME) && PcdGetBool (PcdShadowPeimOnBoot)) ||
- ((PrivateData.HobList.HandoffInformationTable->BootMode ==
BOOT_ON_S3_RESUME) && PcdGetBool (PcdShadowPeimOnS3Boot))
+ ((!(PrivateData.HobList.HandoffInformationTable->BootMode ==
BOOT_ON_S3_RESUME) && PcdGetBool (PcdShadowPeimOnBoot)) ||
+ ((PrivateData.HobList.HandoffInformationTable->BootMode ==
BOOT_ON_S3_RESUME) && PcdGetBool (PcdShadowPeimOnS3Boot))) &&
+ PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)
) {
DEBUG ((DEBUG_VERBOSE, "PPI lists before temporary RAM evacuation:\n"));
DumpPpiList ();
diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
index 5e25cbe98ada..0a5a167f3e8b 100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
@@ -1223,6 +1223,11 @@ [PcdsFixedAtBuild, PcdsPatchableInModule]
# @Prompt Shadow Peim and PeiCore on boot
gEfiMdeModulePkgTokenSpaceGuid.PcdShadowPeimOnBoot|TRUE|BOOLEAN|0x30001029
+ ## Indicate if to evacuate from temporary to permanent memory.
+ # TRUE - Evacuate from temporary memory
+ # FALSE - Keep the original behavior
+
gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes|TRUE|BOOLEAN|0x3000102A
+
## The mask is used to control memory profile behavior.
# BIT0 - Enable UEFI memory profile.
# BIT1 - Enable SMRAM profile.
--
2.25.1.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#61948): https://edk2.groups.io/g/devel/message/61948
Mute This Topic: https://groups.io/mt/75252666/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v2 0/9] Migrate Pointer from flash to permanent memory (CVE-2019-11098)
Hi everybody, I am sorry for bothering you, I just want to reminder you that I want catch those change up next stable tag. So I hope that you can give me some comments or reviewed-by. Appreciate it. > -Original Message- > From: devel@edk2.groups.io On Behalf Of Guomin > Jiang > Sent: Thursday, July 2, 2020 1:15 PM > To: devel@edk2.groups.io > Cc: Wang, Jian J ; Wu, Hao A > ; Bi, Dandan ; Gao, Liming > ; De, Debkumar ; Han, > Harry ; West, Catharine ; > Dong, Eric ; Ni, Ray ; Laszlo Ersek > ; Kumar, Rahul1 ; Yao, > Jiewen ; Zhang, Chao B ; > Zhang, Qi1 > Subject: [edk2-devel] [PATCH v2 0/9] Migrate Pointer from flash to > permanent memory (CVE-2019-11098) > > The TOCTOU vulnerability allow that the physical present person to replace > the code with the normal BootGuard check and PCR0 value. > The issue occur when BootGuard measure IBB and access flash code after > NEM disable. > the reason why we access the flash code is that we have some pointer to > flash. > To avoid this vulnerability, we need to convert those pointers, the patch > series do this work and make sure that no code will access flash address. > > Cc: Jian J Wang > Cc: Hao A Wu > Cc: Dandan Bi > Cc: Liming Gao > Cc: Debkumar De > Cc: Harry Han > Cc: Catharine West > Cc: Eric Dong > Cc: Ray Ni > Cc: Laszlo Ersek > Cc: Rahul Kumar > Cc: Jiewen Yao > Cc: Chao Zhang > Cc: Qi Zhang > > Guomin Jiang (5): > MdeModulePkg/Core: Create Migrated FV Info Hob for calculating hash > (CVE-2019-11098) > SecurityPkg/Tcg2Pei: Use Migrated FV Info Hob for calculating hash > (CVE-2019-11098) > MdeModulePkg/Core: Add switch to enable or disable TOCTOU feature > (CVE-2019-11098) > UefiCpuPkg/SecMigrationPei: Add switch to control if produce PPI > (CVE-2019-11098) > UefiCpuPkg/CpuMpPei: Enable paging and set NP flag to avoid TOCTOU > (CVE-2019-11098) > > Jian J Wang (1): > MdeModulePkg/DxeIplPeim: Register for shadow on S3 shadowed boot > (CVE-2019-11098) > > Michael Kubacki (3): > MdeModulePkg/PeiCore: Enable T-RAM evacuation in PeiCore > (CVE-2019-11098) > UefiCpuPkg/CpuMpPei: Add GDT and IDT migration support > (CVE-2019-11098) > UefiCpuPkg/SecMigrationPei: Add initial PEIM (CVE-2019-11098) > > MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf | 3 + > MdeModulePkg/Core/DxeIplPeim/DxeLoad.c| 2 +- > MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c | 417 > ++ > MdeModulePkg/Core/Pei/Image/Image.c | 115 + > MdeModulePkg/Core/Pei/Memory/MemoryServices.c | 82 > MdeModulePkg/Core/Pei/PeiMain.h | 169 +++ > MdeModulePkg/Core/Pei/PeiMain.inf | 3 + > MdeModulePkg/Core/Pei/PeiMain/PeiMain.c | 17 + > MdeModulePkg/Core/Pei/Ppi/Ppi.c | 287 > MdeModulePkg/Include/Guid/MigratedFvInfo.h| 22 + > MdeModulePkg/MdeModulePkg.dec | 8 + > SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c | 31 +- > SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf | 1 + > UefiCpuPkg/CpuMpPei/CpuMpPei.c| 40 +- > UefiCpuPkg/CpuMpPei/CpuMpPei.h| 13 + > UefiCpuPkg/CpuMpPei/CpuMpPei.inf | 3 + > UefiCpuPkg/CpuMpPei/CpuPaging.c | 31 +- > UefiCpuPkg/Include/Ppi/RepublishSecPpi.h | 54 +++ > .../Ia32/ArchExceptionHandler.c | 4 +- > .../SecPeiCpuException.c | 2 +- > UefiCpuPkg/SecCore/SecCore.inf| 2 + > UefiCpuPkg/SecCore/SecMain.c | 26 +- > UefiCpuPkg/SecCore/SecMain.h | 1 + > UefiCpuPkg/SecMigrationPei/SecMigrationPei.c | 374 > UefiCpuPkg/SecMigrationPei/SecMigrationPei.h | 170 +++ > .../SecMigrationPei/SecMigrationPei.inf | 68 +++ > .../SecMigrationPei/SecMigrationPei.uni | 13 + > UefiCpuPkg/UefiCpuPkg.dec | 4 + > UefiCpuPkg/UefiCpuPkg.dsc | 1 + > 29 files changed, 1947 insertions(+), 16 deletions(-) create mode 100644 > MdeModulePkg/Include/Guid/MigratedFvInfo.h > create mode 100644 UefiCpuPkg/Include/Ppi/RepublishSecPpi.h > create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.c > create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.h > create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf > create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.uni > > -- > 2.25.1.windows.1 > > > -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#61951): https://edk2.groups.io/g/devel/message/61951 Mute This Topic: https://groups.io/mt/75252659/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v6 00/16] Add a plugin to check Ecc issues for edk2 on open ci
Shenglei: Thanks for your work to enable ECC checker in open CI. Have you the step to run this checker in local environment? The developer may want to reproduce the issue and fix it. Thanks Liming -Original Message- From: devel@edk2.groups.io On Behalf Of Zhang, Shenglei Sent: 2020年7月1日 9:55 To: devel@edk2.groups.io Cc: Feng, Bob C ; Bret Barkelew ; Kinney, Michael D ; Gao, Liming ; Sean Brogan Subject: [edk2-devel] [PATCH v6 00/16] Add a plugin to check Ecc issues for edk2 on open ci REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2606 As planed we will enable Ecc check for edk2 on open ci. And they are ready now. I appreciate receiving feedback and comments if someone find errors or false positive issues. I created a pipline of EccCheck for my forked edk2. Welcome everyone to create pull request to test the quality of this plugin. My forked tree: https://github.com/shenglei10/edk2 And I also created some test cases for ECC plugin. Below are test cases. https://github.com/shenglei10/edk2/tree/ECC Results can be view in below azure server. https://dev.azure.com/shengleizhang/shengleizhang/_build?definitionId=12&_a=summary Patches 1/16: It's a lib necessary for py3 to run Ecc on azure servers. 2/16: EccCheck.py is a plugin to report Ecc issues for commits. It can be run on azure servers for open ci, or a local virtual environment. 3/16~16/16: We consider some cases that will report out Ecc issues but they won't be fixed, like submodule and industry standard related things. So we add two configuration fields "Exception" and "IgnoreFiles" for people to use. These patches add configuration in yaml files for Ecc check. Cc: Bob Feng Cc: Bret Barkelew Cc: Michael D Kinney Cc: Liming Gao Cc: Sean Brogan v2: Update 1/17, fix the bug that the script can't hanlde multiple commits. v3: Update 1/17, set the only workalbe workspace is edk2 root directory. Update 2/17, designate the version of antlr4 is 4.7.1. Add 4/17~17/17. v4. Update 1/17, remove the function EdksetupRebuild(), instead add function SetupEnvironment(). Update variables' format and type hints to pass flake8 and mypy. v5. Conver the former method to plugin solution, to align with other check points on open ci. v6. The 1/16 patch is missed in v5 series. Now add it in v6. Shenglei Zhang (16): pip-requirements.txt: Add Ecc required lib .pytool/Plugin: Add a plugin EccCheck MdeModulePkg/MdeModulePkg.ci.yaml: Add configuration for Ecc check ArmVirtPkg/ArmVirtPkg.ci.yaml: Add configuration for Ecc check CryptoPkg/CryptoPkg.ci.yaml: Add configuration for Ecc check EmulatorPkg/EmulatorPkg.ci.yaml: Add configuration for Ecc check FatPkg/FatPkg.ci.yaml: Add configuration for Ecc check FmpDevicePkg/FmpDevicePkg.ci.yaml: Add configuration for Ecc check MdePkg/MdePkg.ci.yaml: Add configuration for Ecc check NetworkPkg/NetworkPkg.ci.yaml: Add configuration for Ecc check OvmfPkg/OvmfPkg.ci.yaml: Add configuration for Ecc check PcAtChipsetPkg/PcAtChipsetPkg.ci.yaml: Add configuration for Ecc check SecurityPkg/SecurityPkg.ci.yaml: Add configuration for Ecc check ShellPkg/ShellPkg.ci.yaml: Add configuration for Ecc check UefiCpuPkg/UefiCpuPkg.ci.yaml: Add configuration for Ecc check UnitTestFrameworkPkg: Add configuration for Ecc check in yaml file .pytool/Plugin/EccCheck/EccCheck.py | 268 ++ .pytool/Plugin/EccCheck/EccCheck_plug_in.yaml | 11 + .pytool/Plugin/EccCheck/Readme.md | 15 + ArmVirtPkg/ArmVirtPkg.ci.yaml | 11 + CryptoPkg/CryptoPkg.ci.yaml | 11 + EmulatorPkg/EmulatorPkg.ci.yaml | 11 + FatPkg/FatPkg.ci.yaml | 11 + FmpDevicePkg/FmpDevicePkg.ci.yaml | 11 + MdeModulePkg/MdeModulePkg.ci.yaml | 11 + MdePkg/MdePkg.ci.yaml | 11 + NetworkPkg/NetworkPkg.ci.yaml | 11 + OvmfPkg/OvmfPkg.ci.yaml | 11 + PcAtChipsetPkg/PcAtChipsetPkg.ci.yaml | 11 + SecurityPkg/SecurityPkg.ci.yaml | 11 + ShellPkg/ShellPkg.ci.yaml | 11 + UefiCpuPkg/UefiCpuPkg.ci.yaml | 11 + .../UnitTestFrameworkPkg.ci.yaml | 10 + pip-requirements.txt | 1 + 18 files changed, 448 insertions(+) create mode 100644 .pytool/Plugin/EccCheck/EccCheck.py create mode 100644 .pytool/Plugin/EccCheck/EccCheck_plug_in.yaml create mode 100644 .pytool/Plugin/EccCheck/Readme.md -- 2.18.0.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#61937): https://edk2.groups.io/g/devel/message/61937 Mute This Topic: https://groups.io/mt/75227224/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v2 1/1] MdePkg : UefiFileHandleLib: fix buffer overrun in FileHandleReadLine()
If the size of the supplied buffer in FileHandleReadLine(), module
UefiFileHandleLib.c, was not 0, but was not enough to fit in
the line, the size is increased, and then the Buffer of the new
size is zeroed. This size is always larger than the supplied buffer size,
causing supplied buffer overrun. Fix the issue by using the
supplied buffer size in ZeroMem().
Signed-off-by: Vladimir Olovyannikov
Cc: Michael D Kinney
Cc: Liming Gao
Cc: Zhiguang Liu
---
MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c
b/MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c
index 28e28e5f67d5..ab34e6ccd5f4 100644
--- a/MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c
+++ b/MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.c
@@ -969,6 +969,7 @@ FileHandleReadLine(
UINTN CharSize;
UINTN CountSoFar;
UINTN CrCount;
+ UINTN OldSize;
UINT64 OriginalFilePosition;
if (Handle == NULL
@@ -1039,10 +1040,11 @@ FileHandleReadLine(
// if we ran out of space tell when...
//
if ((CountSoFar+1-CrCount)*sizeof(CHAR16) > *Size){
+OldSize = *Size;
*Size = (CountSoFar+1-CrCount)*sizeof(CHAR16);
if (!Truncate) {
- if (Buffer != NULL && *Size != 0) {
-ZeroMem(Buffer, *Size);
+ if (Buffer != NULL && OldSize != 0) {
+ZeroMem(Buffer, OldSize);
}
FileHandleSetPosition(Handle, OriginalFilePosition);
return (EFI_BUFFER_TOO_SMALL);
--
2.26.2.266.ge870325ee8
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#61938): https://edk2.groups.io/g/devel/message/61938
Mute This Topic: https://groups.io/mt/75251007/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v5 1/5] BaseTools: PatchCheck: Exclude bash scripts from CRLF check
Reviewed-by: Bob Feng
-Original Message-
From: PierreGondois
Sent: Wednesday, July 1, 2020 10:06 PM
To: devel@edk2.groups.io
Cc: Pierre Gondois ; sami.muja...@arm.com;
tomas.pi...@arm.com; Feng, Bob C ; Gao, Liming
; n...@arm.com
Subject: [PATCH v5 1/5] BaseTools: PatchCheck: Exclude bash scripts from CRLF
check
From: Pierre Gondois
Bash scripts require LF line endings to work.
PatchCheck.py checks that the files added in a patch have CRLF line endings. It
excludes files ending with the ".sh" extension from this check.
Some bash script don't have a ".sh" extension. Most of them are located in:
- BaseTools/BinWrappers/PosixLike/
- BaseTools/Bin/CYGWIN_NT-5.1-i686/
This patch excludes these folder plus BaseTools/BuildEnv from this CRLF check.
Signed-off-by: Pierre Gondois
---
The changes can be seen at:
https://github.com/PierreARM/edk2/commits/803_Compile_AML_bytecode_array_into_OBJ_file_v5
Notes:
v5:
- Exclude some directories/files having LF line
endings from the PatchCheck,py script. [Bob]
BaseTools/Scripts/PatchCheck.py | 8 +++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/BaseTools/Scripts/PatchCheck.py b/BaseTools/Scripts/PatchCheck.py
index
106b434c750d71d8aa1658109f146dc066633c2c..e38cf61f93da50f77d4e1e2e37de5f6a08d25408
100755
--- a/BaseTools/Scripts/PatchCheck.py
+++ b/BaseTools/Scripts/PatchCheck.py
@@ -3,6 +3,7 @@
#
# Copyright (c) 2015 - 2020, Intel Corporation. All rights reserved. #
Copyright (C) 2020, Red Hat, Inc.
+# Copyright (c) 2020, ARM Ltd. All rights reserved.
#
# SPDX-License-Identifier: BSD-2-Clause-Patent # @@ -384,9 +385,14 @@ class
GitDiffCheck:
self.is_newfile = False
self.force_crlf = True
self.force_notabs = True
-if self.filename.endswith('.sh'):
+if self.filename.endswith('.sh') or \
+
self.filename.startswith('BaseTools/BinWrappers/PosixLike/') or \
+
self.filename.startswith('BaseTools/Bin/CYGWIN_NT-5.1-i686/') or \
+self.filename == 'BaseTools/BuildEnv':
#
# Do not enforce CR/LF line endings for linux shell
scripts.
+# Some linux shell scripts don't end with the ".sh"
extension,
+# they are identified by their path.
#
self.force_crlf = False
if self.filename == '.gitmodules':
--
'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#61939): https://edk2.groups.io/g/devel/message/61939
Mute This Topic: https://groups.io/mt/75236040/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [edk2-staging/Smbios34] ShellPkg/SmbiosView: Add DDR5 support
Reviewed-by: Ray Ni
> > -Original Message-
> > From: devel@edk2.groups.io On Behalf Of Gao,
> Zhichao
> > Sent: Friday, March 13, 2020 10:54 AM
> > To: devel@edk2.groups.io
> > Cc: Ni, Ray
> > Subject: [edk2-devel] [edk2-staging/Smbios34] ShellPkg/SmbiosView: Add
> DDR5
> > support
> >
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2352
> >
> > Refer to SMBIOS 3.4 spec, add new memory device type - DDR5 and LPDDR5
> > support for the shell command "smbiosview".
> >
> > Cc: Ray Ni
> > Signed-off-by: Zhichao Gao
> > ---
> > .../UefiShellDebug1CommandsLib/SmbiosView/QueryTable.c| 8
>
> > 1 file changed, 8 insertions(+)
> >
> > diff --git
> >
> a/ShellPkg/Library/UefiShellDebug1CommandsLib/SmbiosView/QueryTable.c
> >
> b/ShellPkg/Library/UefiShellDebug1CommandsLib/SmbiosView/QueryTable.c
> > index b80e16d56a..17a2a89d51 100644
> > ---
> a/ShellPkg/Library/UefiShellDebug1CommandsLib/SmbiosView/QueryTable.c
> > +++
> b/ShellPkg/Library/UefiShellDebug1CommandsLib/SmbiosView/QueryTable.
> > +++ c
> > @@ -2550,6 +2550,14 @@ TABLE_ITEM MemoryDeviceTypeTable[] = {
> >{
> > MemoryTypeHBM2,
> > L" HBM2 (High Bandwidth Memory Generation 2)"
> > + },
> > + {
> > +MemoryTypeDdr5,
> > +L" DDR5"
> > + },
> > + {
> > +MemoryTypeLpddr5,
> > +L" LPDDR5"
> >}
> > };
> >
> > --
> > 2.21.0.windows.1
> >
> >
> >
>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#61940): https://edk2.groups.io/g/devel/message/61940
Mute This Topic: https://groups.io/mt/75252405/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v2 1/1] ShellPkg/DynamicCommand: add HttpDynamicCommand
Hi,
Sorry for the delay. As I said in the V1, the patch required the NetworkPkg
maintainers' help to review the network connection implementation part.
Some comments below.
1. for function RunHttp:
'''
UINTN StartSize;
CHAR16 *Walker;
CHAR16 *VStr;
'''
The above variable is block scope which is strongly discouraged. See
CSS_2_1_Draft Section 5.4.1.1.
2. Some indentations need adjust:
a) GetResponse function body
b) "if (!gHttpError) {" section of GetResponse
c) " ValueStr = ShellCommandLineGetValue (CheckPackage, L"-s");" the if
section below this statement
Thanks,
Zhichao
> -Original Message-
> From: devel@edk2.groups.io On Behalf Of Vladimir
> Olovyannikov via groups.io
> Sent: Tuesday, May 12, 2020 2:03 AM
> To: devel@edk2.groups.io
> Cc: Vladimir Olovyannikov ; Samer El-
> Haj-Mahmoud ; Gao, Zhichao
> ; Maciej Rabeda ; Wu,
> Jiaxin ; Fu, Siyuan ; Ni, Ray
> ; Gao, Liming ; Nd
> Subject: [edk2-devel] [PATCH v2 1/1] ShellPkg/DynamicCommand: add
> HttpDynamicCommand
>
> Introduce an http client utilizing EDK2 HTTP protocol, to
> allow fast image downloading from http/https servers.
> HTTP download speed is usually faster than tftp.
> The client is based on the same approach as tftp dynamic command, and
> uses the same UEFI Shell command line parameters. This makes it easy
> integrating http into existing UEFI Shell scripts.
> Note that to enable HTTP download, feature Pcd
> gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections must
> be set to TRUE.
>
> Signed-off-by: Vladimir Olovyannikov
> Tested-By: Samer El-Haj-Mahmoud
> Cc: Zhichao Gao
> Cc: Maciej Rabeda
> Cc: Jiaxin Wu
> Cc: Siyuan Fu
> Cc: Ray Ni
> Cc: Liming Gao
> Cc: Nd
> ---
> .../DynamicCommand/HttpDynamicCommand/Http.c | 1701
> +
> .../DynamicCommand/HttpDynamicCommand/Http.h | 84 +
> .../HttpDynamicCommand/Http.uni | 113 ++
> .../HttpDynamicCommand/HttpApp.c | 53 +
> .../HttpDynamicCommand/HttpApp.inf| 58 +
> .../HttpDynamicCommand/HttpDynamicCommand.c | 134 ++
> .../HttpDynamicCommand/HttpDynamicCommand.inf | 63 +
> ShellPkg/Include/Guid/ShellLibHiiGuid.h |5 +
> ShellPkg/ShellPkg.dec |1 +
> ShellPkg/ShellPkg.dsc |5 +
> 10 files changed, 2217 insertions(+)
> create mode 100644 ShellPkg/DynamicCommand/HttpDynamicCommand/Http.c
> create mode 100644
> ShellPkg/DynamicCommand/HttpDynamicCommand/Http.h
> create mode 100644
> ShellPkg/DynamicCommand/HttpDynamicCommand/Http.uni
> create mode 100644
> ShellPkg/DynamicCommand/HttpDynamicCommand/HttpApp.c
> create mode 100644
> ShellPkg/DynamicCommand/HttpDynamicCommand/HttpApp.inf
> create mode 100644
> ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.c
> create mode 100644
> ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf
>
> diff --git a/ShellPkg/DynamicCommand/HttpDynamicCommand/Http.c
> b/ShellPkg/DynamicCommand/HttpDynamicCommand/Http.c
> new file mode 100644
> index ..7238cc6a07cc
> --- /dev/null
> +++ b/ShellPkg/DynamicCommand/HttpDynamicCommand/Http.c
> @@ -0,0 +1,1701 @@
> +/** @file
>
> + The implementation for the 'http' Shell command.
>
> +
>
> + Copyright (c) 2015, ARM Ltd. All rights reserved.
>
> + Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.
>
> + (C) Copyright 2015 Hewlett Packard Enterprise Development LP
>
> + Copyright (c) 2020, Broadcom. All rights reserved.
>
> +
>
> + SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +**/
>
> +
>
> +#include "Http.h"
>
> +
>
> +#define IP4_CONFIG2_INTERFACE_INFO_NAME_LENGTH 32
>
> +EFI_HII_HANDLE mHttpHiiHandle;
>
> +
>
> +/*
>
> + Constant strings and definitions related to the message
>
> + indicating the amount of progress in the dowloading of a HTTP file.
>
> +*/
>
> +
>
> +// Number of steps in the progression slider
>
> +#define HTTP_PROGRESS_SLIDER_STEPS \
>
> + ((sizeof (HTTP_PROGR_FRAME) / sizeof (CHAR16)) - 3)
>
> +
>
> +// Size in number of characters plus one (final zero) of the message to
>
> +// indicate the progress of an HTTP download. The format is "[(progress
> slider:
>
> +// 40 characters)] (nb of KBytes downloaded so far: 7 characters) Kb". There
>
> +// are thus the number of characters in HTTP_PROGR_FRAME[] plus 11
> characters
>
> +// (2 // spaces, "Kb" and seven characters for the number of KBytes).
>
> +#define HTTP_PROGRESS_MESSAGE_SIZE \
>
> + ((sizeof (HTTP_PROGR_FRAME) / sizeof (CHAR16)) + 12)
>
> +
>
> +//
>
> +// Buffer size. Note that larger buffer does not mean better speed!
>
> +//
>
> +#define DEFAULT_BUF_SIZE SIZE_32KB
>
> +#define MAX_BUF_SIZE SIZE_4MB
>
> +
>
> +#define MIN_PARAM_COUNT 2
>
> +#define MAX_PARAM_COUNT 4
>
> +
>
> +#define TIMER_MAX_TIMEOUT_S 10
>
> +
>
> +// File name to use when URI ends with "/"
>
> +#define DEFAULT_HTML_FILE
[edk2-devel] [PATCH v2 8/9] UefiCpuPkg/SecMigrationPei: Add switch to control if produce PPI (CVE-2019-11098)
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614
SecMigrationPei create RepublishSecPpi, if the TOCTOU switch is off,
the Ppi is meaningless, so relate it with TOCTOU switch to avoid
producing useless PPI.
Cc: Eric Dong
Cc: Ray Ni
Cc: Laszlo Ersek
Cc: Rahul Kumar
Signed-off-by: Guomin Jiang
---
UefiCpuPkg/SecMigrationPei/SecMigrationPei.c | 8 +---
UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf | 4
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/UefiCpuPkg/SecMigrationPei/SecMigrationPei.c
b/UefiCpuPkg/SecMigrationPei/SecMigrationPei.c
index f96013b09b21..ab8066e8e0de 100644
--- a/UefiCpuPkg/SecMigrationPei/SecMigrationPei.c
+++ b/UefiCpuPkg/SecMigrationPei/SecMigrationPei.c
@@ -363,10 +363,12 @@ SecMigrationPeiInitialize (
IN CONST EFI_PEI_SERVICES **PeiServices
)
{
- EFI_STATUS Status;
+ EFI_STATUS Status = EFI_SUCCESS;
- Status = PeiServicesInstallPpi ();
- ASSERT_EFI_ERROR (Status);
+ if (PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)) {
+Status = PeiServicesInstallPpi ();
+ASSERT_EFI_ERROR (Status);
+ }
return Status;
}
diff --git a/UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf
b/UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf
index e29c04710941..8edbd3aa23a9 100644
--- a/UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf
+++ b/UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf
@@ -60,5 +60,9 @@ [Ppis]
## SOMETIMES_PRODUCES
gEfiSecPlatformInformation2PpiGuid
+[Pcd]
+ ## CONSUMES
+ gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes
+
[Depex]
TRUE
--
2.25.1.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#61949): https://edk2.groups.io/g/devel/message/61949
Mute This Topic: https://groups.io/mt/75252667/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [edk2-platforms][PATCH v1 1/1] IntelSiliconPkg.dsc: Add DxeAslUpdateLib to Components
Reviewed-by: Sai Chaganty -Original Message- From: michael.kuba...@outlook.com Sent: Wednesday, July 01, 2020 10:50 AM To: devel@edk2.groups.io Cc: Chaganty, Rangasai V ; Ni, Ray Subject: [edk2-platforms][PATCH v1 1/1] IntelSiliconPkg.dsc: Add DxeAslUpdateLib to Components From: Michael Kubacki REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2824 Adds DxeAslUpdateLib to the [Components] section so it is included in the package build. Cc: Rangasai V Chaganty Cc: Ray Ni Signed-off-by: Michael Kubacki --- Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dsc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dsc b/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dsc index f9958836917a..029b9156f6dd 100644 --- a/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dsc +++ b/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dsc @@ -2,6 +2,7 @@ # This package provides common open source Intel silicon modules. # # Copyright (c) 2017 - 2020, Intel Corporation. All rights reserved. +# Copyright (c) Microsoft Corporation. # #SPDX-License-Identifier: BSD-2-Clause-Patent # @@ -87,6 +88,7 @@ [Components] IntelSiliconPkg/Feature/ShadowMicrocode/ShadowMicrocodePei.inf IntelSiliconPkg/Library/PeiDxeSmmBootMediaLib/PeiFirmwareBootMediaLib.inf IntelSiliconPkg/Library/PeiDxeSmmBootMediaLib/DxeSmmFirmwareBootMediaLib.inf + IntelSiliconPkg/Library/DxeAslUpdateLib/DxeAslUpdateLib.inf [BuildOptions] *_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES -- 2.25.1.vfs.1.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#61921): https://edk2.groups.io/g/devel/message/61921 Mute This Topic: https://groups.io/mt/75241446/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
