Re: [edk2-devel] [Patch] BaseTools: Enable Module Scope Structure Pcd

2020-08-13 Thread Bob Feng
Mike, thanks for catching this issue. I'll double check the patch.

Thanks,
Bob 

-Original Message-
From: Kinney, Michael D  
Sent: Friday, August 14, 2020 11:35 AM
To: devel@edk2.groups.io; Feng, Bob C ; Kinney, Michael D 

Cc: Gao, Liming ; Chen, Christine 
Subject: RE: [edk2-devel] [Patch] BaseTools: Enable Module Scope Structure Pcd

Hi Bob,

I think the behavior of this patch looks correct.

However, when I generate a build report, it does not show the module scope PCD 
values used by a module.  It only shows the platform scoped values.

Mike

> -Original Message-
> From: devel@edk2.groups.io  On Behalf Of Bob 
> Feng
> Sent: Monday, August 10, 2020 2:10 AM
> To: devel@edk2.groups.io
> Cc: Gao, Liming ; Chen, Christine 
> 
> Subject: [edk2-devel] [Patch] BaseTools: Enable Module Scope Structure 
> Pcd
> 
> This patch is to enable the Module scoped Structure Pcd usage.
> User can set structure pcd field value in module scope. For example, 
> under the [components] section of a dsc file, user can override some 
> field value for a specific module.
> 
>   Package/Module.inf{
>   
>   gUefiTokenSpaceGuid.StructurePcdModule.FieldName | 5
>   }
> 
> Signed-off-by: Bob Feng 
> Cc: Liming Gao 
> Cc: Yuwei Chen 
> 
> ---
>  BaseTools/Source/Python/AutoGen/DataPipe.py   |   5 +-
>  .../Source/Python/AutoGen/ModuleAutoGen.py|   4 +-
>  .../Python/AutoGen/ModuleAutoGenHelper.py |  10 +-
>  .../Source/Python/AutoGen/PlatformAutoGen.py  |   8 +-
>  .../Python/Workspace/BuildClassObject.py  |  12 +
>  .../Source/Python/Workspace/DscBuildData.py   | 242 --
>  6 files changed, 256 insertions(+), 25 deletions(-)
> 
> diff --git a/BaseTools/Source/Python/AutoGen/DataPipe.py 
> b/BaseTools/Source/Python/AutoGen/DataPipe.py
> index 50403fbfb5..86ac2b928d 100755
> --- a/BaseTools/Source/Python/AutoGen/DataPipe.py
> +++ b/BaseTools/Source/Python/AutoGen/DataPipe.py
> @@ -70,13 +70,14 @@ class MemoryDataPipe(DataPipe):
>  }
> 
>  #Platform Module Pcds
>  ModulePcds = {}
>  for m in PlatformInfo.Platform.Modules:
> -m_pcds =  PlatformInfo.Platform.Modules[m].Pcds
> +module = PlatformInfo.Platform.Modules[m]
> +m_pcds =  module.Pcds
>  if m_pcds:
> -ModulePcds[(m.File,m.Root,m.Arch)] = [PCD_DATA(
> +ModulePcds[module.Guid] = [PCD_DATA(
>  pcd.TokenCName,pcd.TokenSpaceGuidCName,pcd.Type,
>  pcd.DatumType,pcd.SkuInfoList,pcd.DefaultValue,
>  
> pcd.MaxDatumSize,pcd.UserDefinedDefaultStoresFlag,pcd.validateranges,
>   
> pcd.validlists,pcd.expressions,pcd.CustomAttribute,pcd.TokenValue)
>  for pcd in 
> PlatformInfo.Platform.Modules[m].Pcds.values()]
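
Review bot: keying ModulePcds by module.Guid alone drops the File, Root and Arch components that the old key (m.File,m.Root,m.Arch) carried, so two entries in PlatformInfo.Platform.Modules that resolve to the same Guid would silently overwrite each other. Please confirm that Guid is unique per entry here, or keep Arch in the key, e.g. (module.Guid, m.Arch). The comprehension also still indexes PlatformInfo.Platform.Modules[m].Pcds.values() although m_pcds already holds that dictionary.
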
> diff --git a/BaseTools/Source/Python/AutoGen/ModuleAutoGen.py 
> b/BaseTools/Source/Python/AutoGen/ModuleAutoGen.py
> index dc8b1fe3d1..273bde117f 100755
> --- a/BaseTools/Source/Python/AutoGen/ModuleAutoGen.py
> +++ b/BaseTools/Source/Python/AutoGen/ModuleAutoGen.py
> @@ -1030,11 +1030,11 @@ class ModuleAutoGen(AutoGen):
>  #   @retval listThe list of PCD
>  #
>  @cached_property
>  def ModulePcdList(self):
>  # apply PCD settings from platform
> -RetVal = self.PlatformInfo.ApplyPcdSetting(self.Module, 
> self.Module.Pcds)
> +RetVal = self.PlatformInfo.ApplyPcdSetting(self, 
> + self.Module.Pcds)
> 
>  return RetVal
>  @cached_property
>  def _PcdComments(self):
>  ReVal = OrderedListDict()
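
Review bot: ModulePcdList now hands the ModuleAutoGen object itself to ApplyPcdSetting instead of self.Module, but the comment above the call still reads only "apply PCD settings from platform". The first argument changes type with no visible docstring, so a caller that keeps passing a module object will fail inside ApplyPcdSetting rather than at the call site. Suggest updating the comment and documenting the expected argument.
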
> @@ -1061,11 +1061,11 @@ class ModuleAutoGen(AutoGen):
>  # skip duplicated PCDs
>  if Key in self.Module.Pcds or Key in Pcds:
>  continue
>  Pcds.add(Key)
>  PcdsInLibrary[Key] = copy.copy(Library.Pcds[Key])
> -RetVal.extend(self.PlatformInfo.ApplyPcdSetting(self.Module, 
> PcdsInLibrary, Library=Library))
> +RetVal.extend(self.PlatformInfo.ApplyPcdSetting(self, 
> + PcdsInLibrary, Library=Library))
>  return RetVal
> 
>  ## Get the GUID value mapping
>  #
>  #   @retval dictThe mapping between GUID cname and its value
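
Review bot: in the library branch the same self is passed together with Library=Library, so it is not clear from this hunk whether a module-scoped structure PCD override is meant to apply to PCDs that come from a linked library (PcdsInLibrary) as well. Please state the intended precedence in a comment here and cover it with a test case.
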
> diff --git a/BaseTools/Source/Python/AutoGen/ModuleAutoGenHelper.py
> b/BaseTools/Source/Python/AutoGen/ModuleAutoGenHelper.py
> index 9dd93b9beb..8e60643d1f 100644
> --- a/BaseTools/Source/Python/AutoGen/ModuleAutoGenHelper.py
> +++ b/BaseTools/Source/Python/AutoGen/ModuleAutoGenHelper.py
> @@ -477,12 +477,13 @@ class PlatformInfo(AutoGenInfo):
>  SkuName = TAB_DEFAULT
>  ToPcd.SkuInfoList = {
>  SkuName : SkuInfoClass(SkuName, 
> self.Platform.SkuIds[SkuName][0], '', '', '', '', '', ToPcd.DefaultValue)
>  }
> 
> -def ApplyPcdSetting(self, Module, Pcds, Library=""):
> +def ApplyPcdSetting(self, Ma, Pcds, Library=""):
>  # for each PCD in module
> +

Re: [edk2-devel] [Patch] BaseTools: Enable Module Scope Structure Pcd

2020-08-13 Thread Michael D Kinney
Hi Bob,

I think the behavior of this patch looks correct.

However, when I generate a build report, it does not show the module
scope PCD values used by a module.  It only shows the platform scoped
values.

Mike

> -Original Message-
> From: devel@edk2.groups.io  On Behalf Of Bob Feng
> Sent: Monday, August 10, 2020 2:10 AM
> To: devel@edk2.groups.io
> Cc: Gao, Liming ; Chen, Christine 
> Subject: [edk2-devel] [Patch] BaseTools: Enable Module Scope Structure Pcd
> 
> This patch is to enable the Module scoped Structure Pcd usage.
> User can set structure pcd field value in module scope. For example,
> under the [components] section of a dsc file, user can override some
> field value for a specific module.
> 
>   Package/Module.inf{
>   
>   gUefiTokenSpaceGuid.StructurePcdModule.FieldName | 5
>   }
> 
> Signed-off-by: Bob Feng 
> Cc: Liming Gao 
> Cc: Yuwei Chen 
> 
> ---
>  BaseTools/Source/Python/AutoGen/DataPipe.py   |   5 +-
>  .../Source/Python/AutoGen/ModuleAutoGen.py|   4 +-
>  .../Python/AutoGen/ModuleAutoGenHelper.py |  10 +-
>  .../Source/Python/AutoGen/PlatformAutoGen.py  |   8 +-
>  .../Python/Workspace/BuildClassObject.py  |  12 +
>  .../Source/Python/Workspace/DscBuildData.py   | 242 --
>  6 files changed, 256 insertions(+), 25 deletions(-)
> 
> diff --git a/BaseTools/Source/Python/AutoGen/DataPipe.py 
> b/BaseTools/Source/Python/AutoGen/DataPipe.py
> index 50403fbfb5..86ac2b928d 100755
> --- a/BaseTools/Source/Python/AutoGen/DataPipe.py
> +++ b/BaseTools/Source/Python/AutoGen/DataPipe.py
> @@ -70,13 +70,14 @@ class MemoryDataPipe(DataPipe):
>  }
> 
>  #Platform Module Pcds
>  ModulePcds = {}
>  for m in PlatformInfo.Platform.Modules:
> -m_pcds =  PlatformInfo.Platform.Modules[m].Pcds
> +module = PlatformInfo.Platform.Modules[m]
> +m_pcds =  module.Pcds
>  if m_pcds:
> -ModulePcds[(m.File,m.Root,m.Arch)] = [PCD_DATA(
> +ModulePcds[module.Guid] = [PCD_DATA(
>  pcd.TokenCName,pcd.TokenSpaceGuidCName,pcd.Type,
>  pcd.DatumType,pcd.SkuInfoList,pcd.DefaultValue,
>  
> pcd.MaxDatumSize,pcd.UserDefinedDefaultStoresFlag,pcd.validateranges,
>   
> pcd.validlists,pcd.expressions,pcd.CustomAttribute,pcd.TokenValue)
>  for pcd in PlatformInfo.Platform.Modules[m].Pcds.values()]
> diff --git a/BaseTools/Source/Python/AutoGen/ModuleAutoGen.py 
> b/BaseTools/Source/Python/AutoGen/ModuleAutoGen.py
> index dc8b1fe3d1..273bde117f 100755
> --- a/BaseTools/Source/Python/AutoGen/ModuleAutoGen.py
> +++ b/BaseTools/Source/Python/AutoGen/ModuleAutoGen.py
> @@ -1030,11 +1030,11 @@ class ModuleAutoGen(AutoGen):
>  #   @retval listThe list of PCD
>  #
>  @cached_property
>  def ModulePcdList(self):
>  # apply PCD settings from platform
> -RetVal = self.PlatformInfo.ApplyPcdSetting(self.Module, 
> self.Module.Pcds)
> +RetVal = self.PlatformInfo.ApplyPcdSetting(self, self.Module.Pcds)
> 
>  return RetVal
>  @cached_property
>  def _PcdComments(self):
>  ReVal = OrderedListDict()
> @@ -1061,11 +1061,11 @@ class ModuleAutoGen(AutoGen):
>  # skip duplicated PCDs
>  if Key in self.Module.Pcds or Key in Pcds:
>  continue
>  Pcds.add(Key)
>  PcdsInLibrary[Key] = copy.copy(Library.Pcds[Key])
> -RetVal.extend(self.PlatformInfo.ApplyPcdSetting(self.Module, 
> PcdsInLibrary, Library=Library))
> +RetVal.extend(self.PlatformInfo.ApplyPcdSetting(self, 
> PcdsInLibrary, Library=Library))
>  return RetVal
> 
>  ## Get the GUID value mapping
>  #
>  #   @retval dictThe mapping between GUID cname and its value
> diff --git a/BaseTools/Source/Python/AutoGen/ModuleAutoGenHelper.py
> b/BaseTools/Source/Python/AutoGen/ModuleAutoGenHelper.py
> index 9dd93b9beb..8e60643d1f 100644
> --- a/BaseTools/Source/Python/AutoGen/ModuleAutoGenHelper.py
> +++ b/BaseTools/Source/Python/AutoGen/ModuleAutoGenHelper.py
> @@ -477,12 +477,13 @@ class PlatformInfo(AutoGenInfo):
>  SkuName = TAB_DEFAULT
>  ToPcd.SkuInfoList = {
>  SkuName : SkuInfoClass(SkuName, 
> self.Platform.SkuIds[SkuName][0], '', '', '', '', '', ToPcd.DefaultValue)
>  }
> 
> -def ApplyPcdSetting(self, Module, Pcds, Library=""):
> +def ApplyPcdSetting(self, Ma, Pcds, Library=""):
>  # for each PCD in module
> +Module=Ma.Module
>  for Name, Guid in Pcds:
>  PcdInModule = Pcds[Name, Guid]
>  # find out the PCD setting in platform
>  if (Name, Guid) in self.Pcds:
>  PcdInPlatform = self.Pcds[Name, Guid]
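
Review bot: the new first parameter Ma is a terse name with no docstring, and the added line Module=Ma.Module sits directly under the "# for each PCD in module" comment, which describes the loop and not the assignment. Suggest documenting the parameter as the ModuleAutoGen instance, writing Module = Ma.Module with spaces around "=", and moving it above the comment.
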
> @@ -505,13 +506,16 @@ class PlatformInfo(AutoGenInfo):
>  

Re: [edk2-devel] [edk2-wiki][PATCH v3] Update the Boot Guard TOCTOU wiki page.

2020-08-13 Thread Liming Gao
Reviewed-by: Liming Gao 

-Original Message-
From: Jiang, Guomin  
Sent: 2020年8月12日 15:21
To: devel@edk2.groups.io
Cc: Wang, Jian J ; Gao, Liming 
Subject: [edk2-wiki][PATCH v3] Update the Boot Guard TOCTOU wiki page.

The Boot Guard TOCTOU has been migrated into edk2/master.
Update the document to meet the change.

Signed-off-by: Guomin Jiang 
Cc: Jian J Wang 
Cc: Liming Gao 
---
 Boot-Guard-TOCTOU-Vulnerability-Mitigation.md | 30 +++
 1 file changed, 10 insertions(+), 20 deletions(-)

diff --git a/Boot-Guard-TOCTOU-Vulnerability-Mitigation.md 
b/Boot-Guard-TOCTOU-Vulnerability-Mitigation.md
index e59c7b1..3fce589 100644
--- a/Boot-Guard-TOCTOU-Vulnerability-Mitigation.md
+++ b/Boot-Guard-TOCTOU-Vulnerability-Mitigation.md
@@ -45,32 +45,22 @@ references must be updated. In this mitigation, the process 
of performing these  The changes described in this mitigation are intended to 
simply integrate into firmware solutions. For the changes to  function as 
intended, the platform firmware implementation should follow these guidelines.
 
-The changes are currently being staged in the following EDK II fork for 
additional validation before being -sent to the EDK II mailing list: 
https://github.com/makubacki/edk2/tree/btg_toctou_mitigation_staging
-
-The changes should not be considered final or production ready until they are 
reviewed and pushed onto edk2/master.
-
-1. Always ensure PcdShadowPeimOnBoot and PcdShadowPeimOnS3Boot
-   (if platform supports S3) are set to TRUE if Boot Guard is
-   enabled and V=1 or M=1.
-2. Always ensure PcdMigrateTemporaryRamFirmwareVolumes is set to TRUE.
-3. Ensure that all PEIMs are relocatable. Relocation tables should
+1. Always ensure PcdMigrateTemporaryRamFirmwareVolumes is set to TRUE
+   if Boot Guard is enabled and V=1 or M=1.
+2. Ensure that all PEIMs are relocatable. Relocation tables should
not be stripped.
-4. If an Intel Firmware Support Package (FSP) binary solution is
+3. If an Intel Firmware Support Package (FSP) binary solution is
used, the binary must have these mitigation changes integrated.
-5. Avoid maintaining pointers to pre-memory addresses inside embedded
+4. Avoid maintaining pointers to pre-memory addresses inside embedded
structures or other non-standard structures that the automatic
migration code introduced in this change cannot identify.
-6. Migrate the FIT table based on platform requirements for FIT
+5. Migrate the FIT table based on platform requirements for FIT
access in post-memory.
+6. Add the SecMigrationPei.inf component to migrate the pointer from
+   the SEC phase.
 
-**Very Important**
-
-7. Enable paging after memory initialization and mark the IBB range
-   as Not Present (NP).
-
-   This will cause a page fault on access to the IBB region. This CR2 register 
can be used to identify the address
-   accessed and the IP.
+Notes: IBB will be set Not Present, you will see a page fault if any code 
access to the IBB region after migration.
+   the address where the code access can be identified in the CR2 register.
 
 # High-Level Migration Required
 Resources that must be migrated can be categorized as code or data.
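
Review bot: the added "Notes:" paragraph replaces the removed step 7 ("Enable paging after memory initialization and mark the IBB range as Not Present (NP)") with the passive "IBB will be set Not Present", which no longer tells a platform owner whether they must enable this themselves or which code now does it. This is the check that exposes stale accesses to the IBB region after migration, so please say who marks the range and under which setting. The same hunk drops PcdShadowPeimOnBoot and PcdShadowPeimOnS3Boot from step 1 without explanation, and the note needs a grammar pass ("if any code access to the IBB region", and the second sentence starts in lower case).
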
--
2.25.1.windows.1


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#64270): https://edk2.groups.io/g/devel/message/64270
Mute This Topic: https://groups.io/mt/76142970/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [edk2-devel] [PATCH 0/2] Remove code wrapped by DISABLE_NEW_DEPRECATED_INTERFACES

2020-08-13 Thread Liming Gao
Shenglei:
  Thanks for your update. The change is good. Reviewed-by: Liming Gao 


  Per Leif's change, this patch will be merged after stable tag 202008 is
created.

Thanks
Liming
-Original Message-
From: Zhang, Shenglei  
Sent: August 5, 2020 14:08
To: devel@edk2.groups.io
Cc: Wang, Jian J ; Wu, Hao A ; 
Kinney, Michael D ; Gao, Liming 

Subject: [PATCH 0/2] Remove code wrapped by DISABLE_NEW_DEPRECATED_INTERFACES

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2777
Code wrapped by DISABLE_NEW_DEPRECATED_INTERFACES is deprecated.
So remove it from MdePkg and MdeModulePkg.

Cc: Jian J Wang 
Cc: Hao A Wu 
Cc: Michael D Kinney 
Cc: Liming Gao 
Shenglei Zhang (2):
  MdePkg: Remove code wrapped by DISABLE_NEW_DEPRECATED_INTERFACES
  MdeModulePkg: Remove code wrapped by DISABLE_NEW_DEPRECATED_INTERFACES

 .../DxePrintLibPrint2Protocol/PrintLib.c  | 145 
 MdeModulePkg/Universal/PrintDxe/Print.c   |  37 +-
 MdePkg/Library/BaseLib/String.c   | 626 --
 MdePkg/Library/BasePcdLibNull/PcdLib.c| 361 --
 MdePkg/Library/BasePrintLib/PrintLib.c| 118 
 MdePkg/Library/DxePcdLib/DxePcdLib.c  | 399 ---
 MdePkg/Library/PeiPcdLib/PeiPcdLib.c  | 397 ---
 MdePkg/Library/UefiLib/UefiLib.c  |  92 ---
 MdeModulePkg/MdeModulePkg.dsc |   1 -
 MdePkg/Include/Library/BaseLib.h  | 409 
 MdePkg/Include/Library/PcdLib.h   | 520 ---
 MdePkg/Include/Library/PrintLib.h | 110 ---
 MdePkg/Include/Library/UefiLib.h  |  53 --
 MdePkg/MdePkg.dsc |   1 -
 14 files changed, 6 insertions(+), 3263 deletions(-)

-- 
2.18.0.windows.1


-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#64269): https://edk2.groups.io/g/devel/message/64269
-=-=-=-=-=-=-=-=-=-=-=-



Re: [edk2-devel] [PATCH v9 16/16] UnitTestFrameworkPkg: Add configuration for Ecc check in yaml file

2020-08-13 Thread Michael D Kinney
Reviewed-by: Michael D Kinney 

> -Original Message-
> From: Zhang, Shenglei 
> Sent: Tuesday, August 11, 2020 12:02 AM
> To: devel@edk2.groups.io
> Cc: Kinney, Michael D ; Sean Brogan 
> ; Bret Barkelew
> 
> Subject: [PATCH v9 16/16] UnitTestFrameworkPkg: Add configuration for Ecc 
> check in yaml file
> 
> Add configuration ExceptionList and IgnoreFiles for package config
> files. So users can rely on this to ignore some Ecc issues.
> Besides, add submodule path in IgnoreFiles section.
> 
> Cc: Michael D Kinney 
> Cc: Sean Brogan 
> Cc: Bret Barkelew 
> Signed-off-by: Shenglei Zhang 
> ---
>  UnitTestFrameworkPkg/UnitTestFrameworkPkg.ci.yaml | 12 
>  1 file changed, 12 insertions(+)
> 
> diff --git a/UnitTestFrameworkPkg/UnitTestFrameworkPkg.ci.yaml 
> b/UnitTestFrameworkPkg/UnitTestFrameworkPkg.ci.yaml
> index fc5b3b387664..9e9ffc1af113 100644
> --- a/UnitTestFrameworkPkg/UnitTestFrameworkPkg.ci.yaml
> +++ b/UnitTestFrameworkPkg/UnitTestFrameworkPkg.ci.yaml
> @@ -9,6 +9,18 @@
>  "LicenseCheck": {
>  "IgnoreFiles": []
>  },
> +"EccCheck": {
> +## Exception sample looks like below:
> +## "ExceptionList": [
> +## "", ""
> +## ]
> +"ExceptionList": [
> +],
> +## Both file path and directory path are accepted.
> +"IgnoreFiles": [
> +"Library/CmockaLib/cmocka"
> +]
> +},
>  ## options defined .pytool/Plugin/CompilerPlugin
>  "CompilerPlugin": {
>  "DscPath": "UnitTestFrameworkPkg.dsc"
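
Review bot: the IgnoreFiles entry "Library/CmockaLib/cmocka" excludes a whole directory from the Ecc check, but the comment above it only says that file and directory paths are accepted. It should also say what the path is relative to and that this entry is a submodule, so later edits do not widen the exclusion by accident. The ExceptionList sample in the comment shows only a pair of empty strings, which does not tell a user what an entry consists of.
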
> --
> 2.18.0.windows.1


-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#64268): https://edk2.groups.io/g/devel/message/64268
-=-=-=-=-=-=-=-=-=-=-=-



Re: [edk2-devel] [PATCH 1/2] BaseTools: fix ucs-2 lookup on python 3.9

2020-08-13 Thread Bob Feng
Reviewed-by: Bob Feng 

-Original Message-
From: Cole Robinson  
Sent: Wednesday, August 12, 2020 1:28 AM
To: devel@edk2.groups.io
Cc: Feng, Bob C ; Gao, Liming ; 
Cole Robinson 
Subject: [PATCH 1/2] BaseTools: fix ucs-2 lookup on python 3.9

python3.9 changed/fixed codec.register behavior to always replace hyphen with 
underscore for passed in codec names:

  https://bugs.python.org/issue37751

So the custom Ucs2Search needs to be adapted to handle 'ucs_2' in addition to 
existing 'ucs-2' for back compat.

This fixes test failures on python3.9, example:

==
FAIL: testUtf16InUniFile (CheckUnicodeSourceFiles.Tests)
--
Traceback (most recent call last):
  File 
"/builddir/build/BUILD/edk2-edk2-stable202002/BaseTools/Source/Python/AutoGen/UniClassObject.py",
 line 375, in PreProcess
FileIn = UniFileClassObject.OpenUniFile(LongFilePath(File.Path))
  File 
"/builddir/build/BUILD/edk2-edk2-stable202002/BaseTools/Source/Python/AutoGen/UniClassObject.py",
 line 303, in OpenUniFile
UniFileClassObject.VerifyUcs2Data(FileIn, FileName, Encoding)
  File 
"/builddir/build/BUILD/edk2-edk2-stable202002/BaseTools/Source/Python/AutoGen/UniClassObject.py",
 line 312, in VerifyUcs2Data
Ucs2Info = codecs.lookup('ucs-2')
LookupError: unknown encoding: ucs-2

Signed-off-by: Cole Robinson 
---
 BaseTools/Source/Python/AutoGen/UniClassObject.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/BaseTools/Source/Python/AutoGen/UniClassObject.py 
b/BaseTools/Source/Python/AutoGen/UniClassObject.py
index b2895f7e5c..883c2356e0 100644
--- a/BaseTools/Source/Python/AutoGen/UniClassObject.py
+++ b/BaseTools/Source/Python/AutoGen/UniClassObject.py
@@ -152,7 +152,7 @@ class Ucs2Codec(codecs.Codec):
  TheUcs2Codec = Ucs2Codec() def Ucs2Search(name):-if name == 'ucs-2':+
if name in ['ucs-2', 'ucs_2']: return codecs.CodecInfo( 
name=name, encode=TheUcs2Codec.encode,-- 
2.26.2
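
Review bot: with name in ['ucs-2', 'ucs_2'] the search function still passes name=name into codecs.CodecInfo, so the codec's reported name becomes 'ucs_2' on Python 3.9 and stays 'ucs-2' on older versions; passing a fixed name keeps it stable across interpreters. A one-line comment at the check pointing to https://bugs.python.org/issue37751 would explain why both spellings are listed.
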


-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#64267): https://edk2.groups.io/g/devel/message/64267
-=-=-=-=-=-=-=-=-=-=-=-
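
The lookup behaviour described in the patch above, as an added example that is not part of the patch or of BaseTools: it registers one search function shaped like the pre-patch check and one shaped like the patched check, and records the name the interpreter actually hands to them. The codec names demo-ucs-2-strict and demo-ucs-2-tolerant are constructed for the demonstration, and utf-16-le stands in for the real UCS-2 codec.

```python
import codecs

# Stand-in for the real UCS-2 codec (assumption for this demo):
# UCS-2 covers the BMP subset of UTF-16, so utf-16-le is close enough here.
_BASE = codecs.lookup("utf-16-le")

# Constructed codec names, chosen so the demo does not shadow a real codec.
STRICT = "demo-ucs-2-strict"
TOLERANT = "demo-ucs-2-tolerant"

_delivered = []  # every name the interpreter passes to our search functions


def _info(name):
    return codecs.CodecInfo(name=name, encode=_BASE.encode, decode=_BASE.decode)


def strict_search(name):
    """Pre-patch shape: answers to the hyphenated spelling only."""
    _delivered.append(name)
    return _info(name) if name == STRICT else None


def tolerant_search(name):
    """Patched shape: answers to the hyphenated and the underscored spelling."""
    _delivered.append(name)
    if name in (TOLERANT, TOLERANT.replace("-", "_")):
        return _info(name)
    return None


codecs.register(strict_search)
codecs.register(tolerant_search)


def probe(requested):
    """Return (found, name_as_delivered) for one codecs.lookup() call.

    name_as_delivered is None when the result came from the codec cache,
    because the search functions are not consulted again in that case.
    """
    del _delivered[:]
    try:
        codecs.lookup(requested)
        found = True
    except LookupError:
        found = False
    delivered = _delivered[0] if _delivered else None
    return found, delivered


if __name__ == "__main__":
    import sys
    print("Python", sys.version.split()[0])
    for requested in (STRICT, TOLERANT):
        found, delivered = probe(requested)
        print("%-22s found=%-5s delivered as %r" % (requested, found, delivered))
```

On Python 3.9 and later the strict function is handed the underscored spelling and the lookup fails with LookupError, which is the failure in the traceback above; on earlier versions the hyphenated spelling is passed through and both lookups succeed.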



Re: [edk2-devel] [PATCH 2/2] BaseTools: Work around array.array.tostring() removal in python 3.9

2020-08-13 Thread Bob Feng
Reviewed-by: Bob Feng 

-Original Message-
From: Cole Robinson  
Sent: Wednesday, August 12, 2020 1:28 AM
To: devel@edk2.groups.io
Cc: Feng, Bob C ; Gao, Liming ; 
Cole Robinson 
Subject: [PATCH 2/2] BaseTools: Work around array.array.tostring() removal in 
python 3.9

In python3, array.array.tostring() was a compat alias for tobytes().
tostring() was removed in python 3.9.

Convert this to use tolist() which should be valid for all python versions.

This fixes this build error on python3.9:

(Python 3.9.0b5 on linux) Traceback (most recent call last):
  File 
"/root/edk2/edk2-edk2-stable202002/BaseTools/BinWrappers/PosixLike/../../Source/Python/Trim/Trim.py",
 line 593, in Main
GenerateVfrBinSec(CommandOptions.ModuleName, CommandOptions.DebugDir, 
CommandOptions.OutputFile)
  File 
"/root/edk2/edk2-edk2-stable202002/BaseTools/BinWrappers/PosixLike/../../Source/Python/Trim/Trim.py",
 line 449, in GenerateVfrBinSec
VfrUniOffsetList = GetVariableOffset(MapFileName, EfiFileName, VfrNameList)
  File 
"/root/edk2/edk2-edk2-stable202002/BaseTools/Source/Python/Common/Misc.py", 
line 88, in GetVariableOffset
return _parseForGCC(lines, efifilepath, varnames)
  File 
"/root/edk2/edk2-edk2-stable202002/BaseTools/Source/Python/Common/Misc.py", 
line 151, in _parseForGCC
efisecs = PeImageClass(efifilepath).SectionHeaderList
  File 
"/root/edk2/edk2-edk2-stable202002/BaseTools/Source/Python/Common/Misc.py", 
line 1638, in __init__
if ByteArray.tostring() != b'PE\0\0':
AttributeError: 'array.array' object has no attribute 'tostring'

Signed-off-by: Cole Robinson 
---
 BaseTools/Source/Python/Common/Misc.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/BaseTools/Source/Python/Common/Misc.py 
b/BaseTools/Source/Python/Common/Misc.py
index ad55671080..4be7957138 100755
--- a/BaseTools/Source/Python/Common/Misc.py
+++ b/BaseTools/Source/Python/Common/Misc.py
@@ -1635,7 +1635,7 @@ class PeImageClass():
 ByteArray = array.array('B') ByteArray.fromfile(PeObject, 4)   
  # PE signature should be 'PE\0\0'-if ByteArray.tostring() != 
b'PE\0\0':+if ByteArray.tolist() != [ord('P'), ord('E'), 0, 0]: 
self.ErrorInfo = self.FileName + ' has no valid PE signature PE00'  
   return -- 
2.26.2
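
Review bot: comparing ByteArray.tolist() against [ord('P'), ord('E'), 0, 0] hides the signature that the comment above the check names. The commit message notes that tostring() was only an alias for tobytes(), so ByteArray.tobytes() != b'PE\0\0' would keep the original readable form on Python 3. If tolist() was chosen so that the line also runs on Python 2, please say so in the comment.
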


-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#64266): https://edk2.groups.io/g/devel/message/64266
-=-=-=-=-=-=-=-=-=-=-=-



Re: [edk2-devel] [PATCH v15 00/46] SEV-ES guest support

2020-08-13 Thread Liming Gao
Laszlo:

-Original Message-
From: Laszlo Ersek  
Sent: August 14, 2020 3:54
To: Tom Lendacky ; devel@edk2.groups.io
Cc: Brijesh Singh ; Ard Biesheuvel 
; Dong, Eric ; Justen, Jordan L 
; Gao, Liming ; Kinney, 
Michael D ; Ni, Ray ; Andrew Fish 
; Anthony Perard ; You, Benjamin 
; Bi, Dandan ; Dong, Guo 
; Wu, Hao A ; Wang, Jian J 
; Julien Grall ; Leif Lindholm 
; Ma, Maurice 
Subject: Re: [PATCH v15 00/46] SEV-ES guest support

On 08/13/20 15:22, Tom Lendacky wrote:
> From: Tom Lendacky 
> 
> This patch series provides support for running EDK2/OVMF under SEV-ES.
> 
> Secure Encrypted Virtualization - Encrypted State (SEV-ES) expands on 
> the SEV support to protect the guest register state from the 
> hypervisor. See
> "AMD64 Architecture Programmer's Manual Volume 2: System Programming", 
> section "15.35 Encrypted State (SEV-ES)" [1].
> 
> In order to allow a hypervisor to perform functions on behalf of a 
> guest, there is architectural support for notifying a guest's 
> operating system when certain types of VMEXITs are about to occur. 
> This allows the guest to selectively share information with the 
> hypervisor to satisfy the requested function. The notification is 
> performed using a new exception, the VMM Communication exception 
> (#VC). The information is shared through the Guest-Hypervisor Communication 
> Block (GHCB) using the VMGEXIT instruction.
> The GHCB format and the protocol for using it is documented in "SEV-ES 
> Guest-Hypervisor Communication Block Standardization" [2].
> 
> The main areas of the EDK2 code that are updated to support SEV-ES are 
> around the exception handling support and the AP boot support.
> 
> Exception support is required starting in Sec, continuing through Pei 
> and into Dxe in order to handle #VC exceptions that are generated.  
> Each AP requires its own GHCB page as well as a page to hold values 
> specific to that AP.
> 
> AP booting poses some interesting challenges. The INIT-SIPI-SIPI 
> sequence is typically used to boot the APs. However, the hypervisor is 
> not allowed to update the guest registers. The GHCB document [2] talks 
> about how SMP booting under SEV-ES is performed.
> 
> Since the GHCB page must be a shared (unencrypted) page, the processor 
> must be running in long mode in order for the guest and hypervisor to 
> communicate with each other. As a result, SEV-ES is only supported 
> under the X64 architecture.
> 
> This series adds a new library requirement for the VmgExitLib library 
> against the UefiCpuPkg CpuExceptionHandlerLib library and the 
> UefiCpuPkg MpInitLib library. The edk2-platforms repo requires 
> updates/patches to add the new library requirement. To accommodate 
> that, this series could be split between:
> 
> patch number 10:
>   UefiPayloadPkg: Prepare UefiPayloadPkg to use the VmgExitLib library
> 
> and patch number 11:
>   UefiCpuPkg/CpuExceptionHandler: Add base support for the #VC 
> exception
> 
> The updates to edk2-platforms can be applied at the split.
> 
> [1] https://www.amd.com/system/files/TechDocs/24593.pdf
> [2] https://developer.amd.com/wp-content/resources/56421.pdf
> 
> ---
> 
> These patches are based on commit:
> 65904cdbb33c ("UefiCpuPkg/MtrrLibUnitTest: Change to use static array 
> for CI test")
> 
> A version of the tree can be found at:
> https://github.com/AMDESE/ovmf/tree/sev-es-v24
> 
> Cc: Andrew Fish 
> Cc: Anthony Perard 
> Cc: Ard Biesheuvel 
> Cc: Benjamin You 
> Cc: Dandan Bi 
> Cc: Eric Dong 
> Cc: Guo Dong 
> Cc: Hao A Wu 
> Cc: Jian J Wang 
> Cc: Jordan Justen 
> Cc: Julien Grall 
> Cc: Laszlo Ersek 
> Cc: Leif Lindholm 
> Cc: Liming Gao 
> Cc: Maurice Ma 
> Cc: Michael D Kinney 
> Cc: Ray Ni 
> 
> Changes since v14:
> - Address ECC errors
>   - Fix non-boolean comparison to use a comparison operator
>   - Separate declaration and initialization of variables
>   - Add period to first line of block comments
>   - Split single-line multiple declaration into multiple lines

The changes look good to me, thanks!

In this particular case, the updates do not invalidate my 
"Regression-tested-by" given under v14:

https://edk2.groups.io/g/devel/message/63921

"""
For all patches except #10 ("UefiPayloadPkg: Prepare UefiPayloadPkg to use the 
VmgExitLib library") and #46 ("Maintainers.txt: Add reviewers for the OvmfPkg 
SEV-related files"):

Regression-tested-by: Laszlo Ersek
"""

So whoever merges this series should please apply that to the respective 
patches.

[Liming] Got it. This patch set has passed all review. I will help merge it for 
this stable tag stable202008. 

Thanks!
Laszlo


-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#64265): https://edk2.groups.io/g/devel/message/64265
-=-=-=-=-=-=-=-=-=-=-=-



Re: [edk2-devel] [PATCH v7 0/5] Use RngLib instead of TimerLib for OpensslLib

2020-08-13 Thread Michael D Kinney
Hi Matt,

BaseRngLibTimerLib
===
Thank you for updating BaseRngLibTimerLib to use
GetPerformanceCounterProperties().
StartValue and EndValue are OPTIONAL, so the function DecentDelay() can be
simplified to remove the StartValue and EndValue local variables and get the
rate of the counter using the following:

  // Get the counter properties
  CounterHz = GetPerformanceCounterProperties (NULL, NULL);

When you compute the min delay, I see the formula will generate a value of 0
when the rate of the performance counter is greater than 1.5MHz.
MicroSecondDelay() may return immediately if MicroSeconds is 0.  Is this your
intended behavior?  Or did you want to make sure the min value is 1 such as:

  MinumumDelayInMicroSeconds = MAX (150 / CounterHz, 1);

CounterHz is also type UINT64 so this is a 64-bit divide operation that must
use the BaseLib function DivU64x64Remainder() for 32-bit builds.

  MinumumDelayInMicroSeconds = MAX (DivU64x64Remainder (150, CounterHz, NULL), 1);

The function DecentDelay() may interact with HW to get the performance counter
rate and then do the divide operation.  For the RngLib APIs that need the delay,
I recommend you call DecentDelay() to get the MinumumDelayInMicroSeconds into
a local variable and then use that value for calls to MicroSecondDelay() in the
RngLib APIs.

The comments in the RngLib APIs that describe the length of the delays in uS/mS
need to be updated because the length of the delay is computed.  Update with
a more generic comment to perform a minimum delay to guarantee a different
performance counter value. 

The UNI file header and strings need to be updated to match INF/C files.


DxeRngLib
==
1) Please add a UNI file for this lib.

Best regards,

Mike

> -Original Message-
> From: devel@edk2.groups.io  On Behalf Of Matthew Carlson
> Sent: Thursday, August 13, 2020 12:45 PM
> To: devel@edk2.groups.io
> Cc: Ard Biesheuvel ; Anthony Perard 
> ; Yao, Jiewen
> ; Wang, Jian J ; Julien Grall 
> ; Justen, Jordan L
> ; Laszlo Ersek ; Gao, Liming 
> ; Leif Lindholm
> ; Kinney, Michael D ; Lu, 
> XiaoyuX ; Liu, Zhiguang
> ; Sean Brogan ; Matthew 
> Carlson 
> Subject: [edk2-devel] [PATCH v7 0/5] Use RngLib instead of TimerLib for 
> OpensslLib
> 
> From: Matthew Carlson 
> 
> Hello all,
> 
> This patch contains a fix for Bugzilla 1871.
> There's been a good bit of community discussion around the topic,
> so below follows a general overview of the discussion and what this patch 
> does.
> 
> This is the seventh iteration of this patch series, focused on code style and 
> a
> few functions being renamed to comply with style.
> 
> Back in Devel message#40590 (https://edk2.groups.io/g/devel/message/40590)
> around the patch series that updates OpenSSL to 1.1.1b, a comment was made
> that suggested that platforms be in charge of the entropy/randomness that
> is provided to OpenSSL as currently the entropy source seems to be a
> hand-rolled random number generator that uses the PerformanceCounter from
> TimerLib. This causes OpenSSL to depend on TimerLib, which is often platform
> specific. In addition to being a potentially weaker source of randomness,
> this also poses a challenge to compile BaseCryptLibOnProtocol with a platform-
> agnostic version of TimerLib that works universally.
> 
> The solution here is to allow platform to specify their source of entropy in
> addition to providing two new RngLibs: one that uses the TimerLib as well as
> one that uses RngProtocol to provide randomness. Then the decision to use
> RDRAND or other entropy sources is up to the platform. Mixing various entropy
> sources is the onus of the platform. It has been suggested on Devel#40590 and
> BZ#1871 that there should be mixing of the PerformanceCounter and RDRAND using
> something similar to the yarrow algorithm that FreeBSD uses for example. This
> patch series doesn't offer an RngLib that offers that sort of mixing as the
> ultimate source of random is defined by the platform.
> 
> This patch series offers three benefits:
> 1. Dependency reduction: Removes the need for a platform specific timer
> library.  We publish a single binary used on numerous platforms for
> crypto and the introduced timer lib dependency caused issues because we
> could not fulfill our platform needs with one library instance.
> 
> 2. Code maintenance: Removing this additional code and leveraging an existing
> library within Edk2 means less code to maintain.
> 
> 3. Platform defined quality: A platform can choose which instance to use and
> the implications of that instance.
> 
> This patch series seeks to address five separate issues.
>   1) Use RngLib interface to generate random entropy in rand_pool
>   2) Remove dependency on TimerLib in OpensslLib
>   3) Add a new version of RngLib implemented by TimerLib
>   4) Add a new version of RngLib implemented by EFI_RNG_PROTOCOL
>   5) Add RngLib to platforms in EDK2 such as ArmVirtPkg and OvmfPkg
> 
> Since this changes 

Re: [edk2-devel] [Patch] BaseTools: Fix the issue in VS2017/VS2019 setting

2020-08-13 Thread Bob Feng
Reviewed-by: Bob Feng 

-Original Message-
From: Gao, Liming  
Sent: Thursday, August 13, 2020 3:59 PM
To: devel@edk2.groups.io
Cc: Feng, Bob C ; Chen, Christine 
Subject: [Patch] BaseTools: Fix the issue in VS2017/VS2019 setting

edksetup.bat VS2017 should set VS2017 only. But now, it will set VS2017/VS2019 
both. This patch corrects it.

Signed-off-by: Liming Gao 
Cc: Bob Feng 
Cc: Yuwei Chen 
---
 This patch bases on the change https://edk2.groups.io/g/devel/message/64138

 BaseTools/set_vsprefix_envs.bat | 4 
 1 file changed, 4 insertions(+)

diff --git a/BaseTools/set_vsprefix_envs.bat b/BaseTools/set_vsprefix_envs.bat 
index 2627587ba3..d4eb84f064 100644
--- a/BaseTools/set_vsprefix_envs.bat
+++ b/BaseTools/set_vsprefix_envs.bat
@@ -167,6 +167,8 @@ if not defined WINSDK_PATH_FOR_RC_EXE (
   )
 )
 
+if /I "%1"=="VS2017" goto SetWinDDK
+
 :SetVS2019
 if not defined VS160COMNTOOLS (
   @REM clear two envs so that vcvars32.bat can run successfully.
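Review bot: the added `if /I "%1"=="VS2017" goto SetWinDDK` compares the raw
`%1`, so an argument that arrives with its own quotes will not match and the
script falls through into :SetVS2019 exactly as before the fix. `%~1` strips
surrounding quotes; since the existing VS2015 check uses the same `"%1"` form,
change them together if at all. A one-line @REM above the new check saying
that VS2017 must not continue into the VS2019 section would also help, as the
neighbouring additions in this file carry one.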
@@ -226,6 +228,8 @@ if not defined WINSDK_PATH_FOR_RC_EXE (
   )
 )
 
+if /I "%1"=="VS2019" goto SetWinDDK
+
 :SetWinDDK
 if not defined WINDDK3790_PREFIX (
   set WINDDK3790_PREFIX=C:\WINDDK\3790.1830\bin\
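Review bot: the added `if /I "%1"=="VS2019" goto SetWinDDK` sits directly
above the `:SetWinDDK` label, so control reaches that label whether or not the
comparison matches and the line has no effect today. Either drop it, or keep
it with an @REM stating that it is a guard for sections that may later be
inserted between :SetVS2019 and :SetWinDDK.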
--
2.27.0.windows.1


View/Reply Online (#64261): https://edk2.groups.io/g/devel/message/64261



Re: [edk2-devel] [Patch 2/2] BaseTools: Fix the issue in VS prefix setting for VS2017/VS2019

2020-08-13 Thread Bob Feng
Reviewed-by: Bob Feng 

-Original Message-
From: Liming Gao  
Sent: Thursday, August 13, 2020 2:41 PM
To: devel@edk2.groups.io
Cc: Feng, Bob C ; Chen, Christine 
Subject: [Patch 2/2] BaseTools: Fix the issue in VS prefix setting for 
VS2017/VS2019

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2896

When VS2017/VS2019 are both installed, the VS prefix setting will be set wrongly. 
VS2017_PREFIX is set to the same value as VS2019.

This patch clears VSINSTALLDIR and VCToolsVersion env, then the different 
vcvars32 can set the correct VS env.

Signed-off-by: Liming Gao 
Cc: Bob Feng 
Cc: Yuwei Chen 
---
 BaseTools/set_vsprefix_envs.bat | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/BaseTools/set_vsprefix_envs.bat b/BaseTools/set_vsprefix_envs.bat 
index 38fb0eb260..2627587ba3 100644
--- a/BaseTools/set_vsprefix_envs.bat
+++ b/BaseTools/set_vsprefix_envs.bat
@@ -110,6 +110,9 @@ if /I "%1"=="VS2015" goto SetWinDDK
 
 :SetVS2017
 if not defined VS150COMNTOOLS (
+  @REM clear two envs so that vcvars32.bat can run successfully.
+  set VSINSTALLDIR=
+  set VCToolsVersion=
   if exist "%ProgramFiles(x86)%\Microsoft Visual Studio\Installer\vswhere.exe" 
(
 if exist "%ProgramFiles(x86)%\Microsoft Visual Studio\2017\BuildTools" (
   call "%ProgramFiles(x86)%\Microsoft Visual Studio\Installer\vswhere.exe" 
-products Microsoft.VisualStudio.Product.BuildTools -version 15,16 > 
vswhereInfo @@ -166,6 +169,9 @@ if not defined WINSDK_PATH_FOR_RC_EXE (
 
 :SetVS2019
 if not defined VS160COMNTOOLS (
+  @REM clear two envs so that vcvars32.bat can run successfully.
+  set VSINSTALLDIR=
+  set VCToolsVersion=
   if exist "%ProgramFiles(x86)%\Microsoft Visual Studio\Installer\vswhere.exe" 
(
 if exist "%ProgramFiles(x86)%\Microsoft Visual Studio\2019\BuildTools" (
   call "%ProgramFiles(x86)%\Microsoft Visual Studio\Installer\vswhere.exe" 
-products Microsoft.VisualStudio.Product.BuildTools -version 16,17 > vswhereInfo
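Review bot: the @REM added with `set VSINSTALLDIR=` and `set VCToolsVersion=`
under :SetVS2017 and :SetVS2019 says only "so that vcvars32.bat can run
successfully" and does not name the failure it prevents. Say in the comment
that values left behind by the other VS version's vcvars32.bat run are what
make the second run pick the wrong toolchain (the BZ 2896 case). Please also
confirm whether VCToolsInstallDir needs the same clearing: the script copies
it into the VS201x_PREFIX variables, so a stale value would still be picked up
when vswhere reports no matching install.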
--
2.27.0.windows.1


View/Reply Online (#64263): https://edk2.groups.io/g/devel/message/64263



Re: [edk2-devel] [Patch 1/2] BaseTools: Move VS2019 env setting after VS2017 env setting

2020-08-13 Thread Bob Feng
Reviewed-by: Bob Feng 

-Original Message-
From: Gao, Liming  
Sent: Thursday, August 13, 2020 2:41 PM
To: devel@edk2.groups.io
Cc: Feng, Bob C ; Chen, Christine 
Subject: [Patch 1/2] BaseTools: Move VS2019 env setting after VS2017 env setting

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2896

Keep the latest VS version as the last one

Signed-off-by: Liming Gao 
Cc: Bob Feng 
Cc: Yuwei Chen 
---
 BaseTools/set_vsprefix_envs.bat | 46 -
 1 file changed, 23 insertions(+), 23 deletions(-)

diff --git a/BaseTools/set_vsprefix_envs.bat b/BaseTools/set_vsprefix_envs.bat 
index 9966a5a4ed..38fb0eb260 100644
--- a/BaseTools/set_vsprefix_envs.bat
+++ b/BaseTools/set_vsprefix_envs.bat
@@ -3,7 +3,7 @@
 @REM   however it may be executed directly from the BaseTools project folder
 @REM   if the file is not executed within a WORKSPACE\BaseTools folder.
 @REM
-@REM Copyright (c) 2016-2019, Intel Corporation. All rights reserved.
+@REM Copyright (c) 2016-2020, Intel Corporation. All rights 
+reserved.
 @REM
 @REM SPDX-License-Identifier: BSD-2-Clause-Patent  @REM @@ -108,45 +108,45 @@ 
if defined VS140COMNTOOLS (
 )
 if /I "%1"=="VS2015" goto SetWinDDK
 
-:SetVS2019
-if not defined VS160COMNTOOLS (
+:SetVS2017
+if not defined VS150COMNTOOLS (
   if exist "%ProgramFiles(x86)%\Microsoft Visual Studio\Installer\vswhere.exe" 
(
-if exist "%ProgramFiles(x86)%\Microsoft Visual Studio\2019\BuildTools" (
-  call "%ProgramFiles(x86)%\Microsoft Visual Studio\Installer\vswhere.exe" 
-products Microsoft.VisualStudio.Product.BuildTools -version 16,17 > vswhereInfo
+if exist "%ProgramFiles(x86)%\Microsoft Visual Studio\2017\BuildTools" (
+  call "%ProgramFiles(x86)%\Microsoft Visual 
+ Studio\Installer\vswhere.exe" -products 
+ Microsoft.VisualStudio.Product.BuildTools -version 15,16 > vswhereInfo
   for /f "usebackq tokens=1* delims=: " %%i in (vswhereInfo) do (
 if /i "%%i"=="installationPath" call 
"%%j\VC\Auxiliary\Build\vcvars32.bat"
   )
   del vswhereInfo
 ) else (
-  call "%ProgramFiles(x86)%\Microsoft Visual Studio\Installer\vswhere.exe" 
-version 16,17 > vswhereInfo
+  call "%ProgramFiles(x86)%\Microsoft Visual 
+ Studio\Installer\vswhere.exe" -version 15,16 > vswhereInfo
   for /f "usebackq tokens=1* delims=: " %%i in (vswhereInfo) do (
 if /i "%%i"=="installationPath" call 
"%%j\VC\Auxiliary\Build\vcvars32.bat"
   )
   del vswhereInfo
 )
   ) else if exist "%ProgramFiles%\Microsoft Visual 
Studio\Installer\vswhere.exe" (
-if exist "%ProgramFiles%\Microsoft Visual Studio\2019\BuildTools" (
-  call "%ProgramFiles%\Microsoft Visual Studio\Installer\vswhere.exe" 
-products Microsoft.VisualStudio.Product.BuildTools -version 16,17 > vswhereInfo
+if exist "%ProgramFiles%\Microsoft Visual Studio\2017\BuildTools" (
+  call "%ProgramFiles%\Microsoft Visual 
+ Studio\Installer\vswhere.exe" -products 
+ Microsoft.VisualStudio.Product.BuildTools -version 15,16 > vswhereInfo
   for /f "usebackq tokens=1* delims=: " %%i in (vswhereInfo) do (
 if /i "%%i"=="installationPath" call 
"%%j\VC\Auxiliary\Build\vcvars32.bat"
   )
   del vswhereInfo
 ) else (
-  call "%ProgramFiles%\Microsoft Visual Studio\Installer\vswhere.exe" 
-version 16,17 > vswhereInfo
+  call "%ProgramFiles%\Microsoft Visual 
+ Studio\Installer\vswhere.exe" -version 15,16 > vswhereInfo
   for /f "usebackq tokens=1* delims=: " %%i in (vswhereInfo) do (
 if /i "%%i"=="installationPath" call 
"%%j\VC\Auxiliary\Build\vcvars32.bat"
   )
   del vswhereInfo
 )
   ) else (
-if /I "%1"=="VS2019" goto ToolNotInstall
+if /I "%1"=="VS2017" goto ToolNotInstall
 goto SetWinDDK
   )
 )
 
 if defined VCToolsInstallDir (
-  if not defined VS2019_PREFIX (
-set "VS2019_PREFIX=%VCToolsInstallDir%"
+  if not defined VS2017_PREFIX (
+set "VS2017_PREFIX=%VCToolsInstallDir%"
   )
   if not defined WINSDK10_PREFIX (
 if defined WindowsSdkVerBinPath (
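Review bot: in the moved :SetVS2017 section the branch taken when vswhere.exe
is missing still ends in `goto SetWinDDK`, and after this reorder that jump
passes over the :SetVS2019 section instead of over :SetVS2017. Please confirm
that skipping the VS2019 section is intended in that case, for example when
VS160COMNTOOLS is already defined, and note it in the commit message, which
currently states only the ordering goal.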
@@ -164,45 +164,45 @@ if not defined WINSDK_PATH_FOR_RC_EXE (
   )
 )
 
-:SetVS2017
-if not defined VS150COMNTOOLS (
+:SetVS2019
+if not defined VS160COMNTOOLS (
   if exist "%ProgramFiles(x86)%\Microsoft Visual Studio\Installer\vswhere.exe" 
(
-if exist "%ProgramFiles(x86)%\Microsoft Visual Studio\2017\BuildTools" (
-  call "%ProgramFiles(x86)%\Microsoft Visual Studio\Installer\vswhere.exe" 
-products Microsoft.VisualStudio.Product.BuildTools -version 15,16 > vswhereInfo
+if exist "%ProgramFiles(x86)%\Microsoft Visual Studio\2019\BuildTools" (
+  call "%ProgramFiles(x86)%\Microsoft Visual 
+ Studio\Installer\vswhere.exe" -products 
+ Microsoft.VisualStudio.Product.BuildTools -version 16,17 > vswhereInfo
   for /f "usebackq tokens=1* delims=: " %%i in (vswhereInfo) do (
 if /i "%%i"=="installationPath" call 
"%%j\VC\Auxiliary\Build\vcvars32.bat"
   )
   del vswhereInfo
 ) else (
-  call 

Re: [edk2-devel] [PATCH v7 5/5] CryptoPkg: OpensslLib: Use RngLib to generate entropy in rand_pool

2020-08-13 Thread Yao, Jiewen
Reviewed-by: Jiewen Yao 

> -Original Message-
> From: devel@edk2.groups.io  On Behalf Of Matthew
> Carlson
> Sent: Friday, August 14, 2020 3:45 AM
> To: devel@edk2.groups.io
> Cc: Ard Biesheuvel ; Yao, Jiewen
> ; Wang, Jian J ; Lu, XiaoyuX
> ; Matthew Carlson 
> Subject: [edk2-devel] [PATCH v7 5/5] CryptoPkg: OpensslLib: Use RngLib to
> generate entropy in rand_pool
> 
> From: Matthew Carlson 
> 
> Ref: https://github.com/tianocore/edk2/pull/845
> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1871
> 
> Changes OpenSSL to no longer depend on TimerLib and instead use RngLib.
> This allows platforms to decide for themselves what sort of entropy source
> they provide to OpenSSL and TlsLib.
> 
> Cc: Ard Biesheuvel 
> Cc: Jiewen Yao 
> Cc: Jian J Wang 
> Cc: Xiaoyu Lu 
> 
> Acked-by: Ard Biesheuvel 
> Signed-off-by: Matthew Carlson 
> ---
>  CryptoPkg/Library/OpensslLib/rand_pool.c   | 265 +---
>  CryptoPkg/Library/OpensslLib/rand_pool_noise.c |  29 ---
>  CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c |  43 
>  CryptoPkg/CryptoPkg.dsc|   1 +
>  CryptoPkg/Library/OpensslLib/OpensslLib.inf|  15 +-
>  CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf  |  15 +-
>  CryptoPkg/Library/OpensslLib/rand_pool_noise.h |  29 ---
>  7 files changed, 63 insertions(+), 334 deletions(-)
> 
> diff --git a/CryptoPkg/Library/OpensslLib/rand_pool.c
> b/CryptoPkg/Library/OpensslLib/rand_pool.c
> index 9e0179b03490..806549af81c1 100644
> --- a/CryptoPkg/Library/OpensslLib/rand_pool.c
> +++ b/CryptoPkg/Library/OpensslLib/rand_pool.c
> @@ -2,8 +2,8 @@
>OpenSSL_1_1_1b doesn't implement rand_pool_* functions for UEFI.
> 
>The file implement these functions.
> 
> 
> 
> -Copyright (c) 2019, Intel Corporation. All rights reserved.
> 
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> 
> +  Copyright (c) 2019, Intel Corporation. All rights reserved.
> 
> +  SPDX-License-Identifier: BSD-2-Clause-Patent
> 
> 
> 
>  **/
> 
> 
> 
> @@ -11,53 +11,18 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
>  #include 
> 
> 
> 
>  #include 
> 
> -#include 
> 
> -
> 
> -#include "rand_pool_noise.h"
> 
> -
> 
> -/**
> 
> -  Get some randomness from low-order bits of GetPerformanceCounter results.
> 
> -  And combine them to the 64-bit value
> 
> -
> 
> -  @param[out] RandBuffer pointer to store the 64-bit random value.
> 
> -
> 
> -  @retval TRUERandom number generated successfully.
> 
> -  @retval FALSE   Failed to generate.
> 
> -**/
> 
> -STATIC
> 
> -BOOLEAN
> 
> -EFIAPI
> 
> -GetRandNoise64FromPerformanceCounter(
> 
> -  OUT UINT64  *Rand
> 
> -  )
> 
> -{
> 
> -  UINT32 Index;
> 
> -  UINT32 *RandPtr;
> 
> -
> 
> -  if (NULL == Rand) {
> 
> -return FALSE;
> 
> -  }
> 
> -
> 
> -  RandPtr = (UINT32 *) Rand;
> 
> -
> 
> -  for (Index = 0; Index < 2; Index ++) {
> 
> -*RandPtr = (UINT32) (GetPerformanceCounter () & 0xFF);
> 
> -MicroSecondDelay (10);
> 
> -RandPtr++;
> 
> -  }
> 
> -
> 
> -  return TRUE;
> 
> -}
> 
> +#include 
> 
> 
> 
>  /**
> 
>Calls RandomNumber64 to fill
> 
>a buffer of arbitrary size with random bytes.
> 
> +  This is a shim layer to RngLib.
> 
> 
> 
>@param[in]   LengthSize of the buffer, in bytes,  to fill with.
> 
>@param[out]  RandBufferPointer to the buffer to store the random 
> result.
> 
> 
> 
> -  @retval EFI_SUCCESSRandom bytes generation succeeded.
> 
> -  @retval EFI_NOT_READY  Failed to request random bytes.
> 
> +  @retval TRUERandom bytes generation succeeded.
> 
> +  @retval FALSE   Failed to request random bytes.
> 
> 
> 
>  **/
> 
>  STATIC
> 
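Review bot: the function comment kept as context still reads "Calls
RandomNumber64 to fill" although the body now calls GetRandomNumber64. This
hunk already edits the comment to add "This is a shim layer to RngLib" and to
change the @retval lines to TRUE/FALSE, so correct the function name in the
same pass.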
> @@ -65,7 +30,7 @@ BOOLEAN
>  EFIAPI
> 
>  RandGetBytes (
> 
>IN UINTN Length,
> 
> -  OUT UINT8*RandBuffer
> 
> +  OUT UINT8   *RandBuffer
> 
>)
> 
>  {
> 
>BOOLEAN Ret;
> 
> @@ -73,17 +38,17 @@ RandGetBytes (
> 
> 
>Ret = FALSE;
> 
> 
> 
> +  if (RandBuffer == NULL) {
> 
> +DEBUG((DEBUG_ERROR, "[OPENSSL_RAND_POOL] NULL RandBuffer. No
> random numbers are generated and your system is not secure\n"));
> 
> +ASSERT (RandBuffer != NULL); // Since we can't generate random numbers,
> we should assert. Otherwise we will just blow up later.
> 
> +return Ret;
> 
> +  }
> 
> +
> 
> +
> 
>while (Length > 0) {
> 
> -//
> 
> -// Get random noise from platform.
> 
> -// If it failed, fallback to PerformanceCounter
> 
> -// If you really care about security, you must override
> 
> -// GetRandomNoise64FromPlatform.
> 
> -//
> 
> -Ret = GetRandomNoise64 ();
> 
> -if (Ret == FALSE) {
> 
> -  Ret = GetRandNoise64FromPerformanceCounter ();
> 
> -}
> 
> +// Use RngLib to get random number
> 
> +Ret = GetRandomNumber64 ();
> 
> +
> 
>  if (!Ret) {
> 
>return Ret;
> 
>  }
> 
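Review bot: the new `RandBuffer == NULL` check runs before the
`while (Length > 0)` loop, so a call with Length 0 and a NULL buffer now logs
an error and asserts although nothing would have been written; either test
Length first or document that RandBuffer must be non-NULL for every Length.
Returning FALSE as soon as GetRandomNumber64 fails, with no PerformanceCounter
fallback, is the right behaviour for this source, but the function comment
should state that the buffer contents are undefined on a FALSE return, because
earlier loop iterations may already have stored bytes in it.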
> @@ -91,7 +56,8 @@ RandGetBytes (
>*((UINT64*) RandBuffer) = TempRand;
> 
>RandBuffer += sizeof 

[edk2-devel] [PATCH 0/3] Platform/RasberryPi: Thermal zone

2020-08-13 Thread Jeremy Linton
This set creates a basic thermal zone, which reads the
SOC temp via a direct register read in AML. It also
adds an active cooling policy using a GPIO pin for fan
control that can optionally be enabled/disabled by the
user from the BDS.

With the fan enabled it should be possible to see the
soc temp like:

# sensors
acpitz-acpi-0
Adapter: ACPI interface
temp1:+57.6C  (crit = +90.0C)

and the fan state may be read/cycled with:

/sys/bus/acpi/devices/PNP0C06:00/PNP0C0B:00/physical_node/thermal_cooling/cur_state

Cc: Leif Lindholm 
Cc: Pete Batard 
Cc: Andrei Warkentin 
Cc: Ard Biesheuvel 
Cc: Samer El-Haj-Mahmoud 

Jeremy Linton (3):
  Platform/RaspberryPi4: Add a basic thermal zone
  Platform/RaspberryPi4: Create ACPI fan object
  Platform/RaspberryPi: Add entry for user fan control

 Platform/RaspberryPi/AcpiTables/Dsdt.asl   | 31 
 Platform/RaspberryPi/Drivers/ConfigDxe/ConfigDxe.c | 55 ++
 .../RaspberryPi/Drivers/ConfigDxe/ConfigDxe.inf|  3 +
 .../RaspberryPi/Drivers/ConfigDxe/ConfigDxeHii.uni |  5 ++
 .../RaspberryPi/Drivers/ConfigDxe/ConfigDxeHii.vfr | 17 +
 .../RaspberryPi/Drivers/ConfigDxe/SsdtThermal.asl  | 83 ++
 Platform/RaspberryPi/Include/ConfigVars.h  |  4 ++
 Platform/RaspberryPi/RPi3/RPi3.dsc |  5 ++
 Platform/RaspberryPi/RPi4/RPi4.dsc |  8 +++
 Platform/RaspberryPi/RaspberryPi.dec   |  1 +
 .../Bcm27xx/Include/IndustryStandard/Bcm2711.h |  2 +
 11 files changed, 214 insertions(+)
 create mode 100644 Platform/RaspberryPi/Drivers/ConfigDxe/SsdtThermal.asl

-- 
2.13.7


View/Reply Online (#64256): https://edk2.groups.io/g/devel/message/64256



[edk2-devel] [PATCH 2/3] Platform/RaspberryPi4: Create ACPI fan object

2020-08-13 Thread Jeremy Linton
Now that we have a thermal zone we can add active cooling
by specifying active cooling points (_ACx) which can
be tied to fan objects that turn fans on/off using GPIO
pins.

Cc: Leif Lindholm 
Cc: Pete Batard 
Cc: Andrei Warkentin 
Cc: Ard Biesheuvel 
Cc: Samer El-Haj-Mahmoud 
Signed-off-by: Jeremy Linton 
---
 .../RaspberryPi/Drivers/ConfigDxe/SsdtThermal.asl  | 83 ++
 1 file changed, 83 insertions(+)
 create mode 100644 Platform/RaspberryPi/Drivers/ConfigDxe/SsdtThermal.asl

diff --git a/Platform/RaspberryPi/Drivers/ConfigDxe/SsdtThermal.asl 
b/Platform/RaspberryPi/Drivers/ConfigDxe/SsdtThermal.asl
new file mode 100644
index 00..c87bda6dbc
--- /dev/null
+++ b/Platform/RaspberryPi/Drivers/ConfigDxe/SsdtThermal.asl
@@ -0,0 +1,83 @@
+/** @file
+ *
+ *  Secondary System Description Table (SSDT) for active (fan) cooling
+ *
+ *  Copyright (c) 2020, Arm Ltd. All rights reserved.
+ *
+ *  SPDX-License-Identifier: BSD-2-Clause-Patent
+ *
+ **/
+
+#include 
+#include 
+#include 
+
+#include 
+
+DefinitionBlock(__FILE__, "SSDT", 5, "RPIFDN", "RPITHFAN", 2)
+{
+#if (GPIO_FAN_PIN != 0)
+  External(\_SB_.EC0, DeviceObj)
+  External(\_SB_.EC0.TZ0, DeviceObj)
+
+  Scope (\_SB_.EC0)
+  {
+  // Describe a fan
+  PowerResource(PFAN, 0, 0) {
+OperationRegion (GPIO, SystemMemory, GPIO_BASE_ADDRESS, 0x1000)
+Field (GPIO, DWordAcc, NoLock, Preserve) {
+  Offset(0x1C),
+  GPS0, 32,
+  GPS1, 32,
+  RES1, 32,
+  GPC0, 32,
+  GPC1, 32,
+  RES2, 32,
+  GPL1, 32,
+  GPL2, 32
+}
+// We are hitting a GPIO pin to on/off the fan
+// this assumes that UEFI has programmed the
+// direction as OUT.
+// (search "rpi gpio fan controller" for how to
+// wire this up if your not electrically inclined
+// the basic idea is to use a BJT/etc to switch a
+// larger voltage through a fan where the GPIO pin
+// feeds a NPN/PNP base. Thats because its unlikly
+// that the fan can be driven directly from the GPIO
+// pin due to hitting the current limit on the pins.
+// Matching a resistor between the GPIO->Base can
+// allow pretty much any random NPN with a reasonable
+// EC current to work (to limit the GPIO current).)
+Method (_STA) {
+  if ( GPL1 & (1 << GPIO_FAN_PIN) ) {
+Return ( 1 )   // present and enabled
+  }
+  Return ( 0 )
+}
+Method (_ON)  {//turn fan on
+  Store((1 << GPIO_FAN_PIN), GPS0)
+}
+Method (_OFF) {//turn fan off
+  Store((1 << GPIO_FAN_PIN), GPC0)
+}
+  }
+  Device(FAN) {
+// Note, not currently an ACPIv4 fan
+// the latter adds speed control/detection
+// but in the case of linux needs FIF, FPS, FSL, and FST
+Name(_HID, EISAID("PNP0C0B"))
+Name(_PR0, Package() {PFAN})
+  }
+  }
+
+  // merge in an active cooling point.
+  Scope (\_SB_.EC0.TZ0)
+  {
+Method(_AC0) { return(3332) }// (60K) active cooling trip point,
+ // if this is lower than PSV then we
+ // prefer active cooling
+Name(_AL0, Package(){\_SB_.EC0.FAN}) // the fan used for AC0 above
+  }
+#endif
+}
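Review bot: `_STA`, `_ON` and `_OFF` all build their mask as
`1 << GPIO_FAN_PIN` and touch only GPL1, GPS0 and GPC0, so the table is only
correct for pin numbers below 32, yet the sole guard is
`#if (GPIO_FAN_PIN != 0)`. Add a build-time check that rejects larger values,
or select the second register of each pair for them. Two smaller points: the
level fields are named GPL1/GPL2 while the set and clear fields are numbered
GPS0/GPS1 and GPC0/GPC1, which makes `_STA` look as if it reads the wrong
bank; and the `_AC0` comment says "(60K)" where 3332 tenths of a kelvin is
60C.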
-- 
2.13.7


View/Reply Online (#64258): https://edk2.groups.io/g/devel/message/64258



[edk2-devel] [PATCH 1/3] Platform/RaspberryPi4: Add a basic thermal zone

2020-08-13 Thread Jeremy Linton
Rather than exporting the temp sensor or mailbox
in ACPI land we can wrap them in AML and use the default
ACPI drivers provided by the OS. This enables the use of
"sensors" in linux to report the SOC temp.

This commit also adds a basic passive cooling ACPI thermalzone
with trip points for passive cooling (throttling) handled
by the vc firmware, hibernate and critical shutdown. The
vc apparently kicks in at ~80C, so the hibernate and critical
set points are set at +5 and +10 of that. In the future
CPPC should be able to monitor the thermal throttling.

Cc: Leif Lindholm 
Cc: Pete Batard 
Cc: Andrei Warkentin 
Cc: Ard Biesheuvel 
Cc: Samer El-Haj-Mahmoud 
Signed-off-by: Jeremy Linton 
---
 Platform/RaspberryPi/AcpiTables/Dsdt.asl | 31 +++
 1 file changed, 31 insertions(+)

diff --git a/Platform/RaspberryPi/AcpiTables/Dsdt.asl 
b/Platform/RaspberryPi/AcpiTables/Dsdt.asl
index 353af2d876..a5c9567cdf 100644
--- a/Platform/RaspberryPi/AcpiTables/Dsdt.asl
+++ b/Platform/RaspberryPi/AcpiTables/Dsdt.asl
@@ -252,6 +252,37 @@ DefinitionBlock ("Dsdt.aml", "DSDT", 5, "RPIFDN", "RPI", 2)
 }
   })
 }
+
+// Define a simple thermal zone. The idea here is we compute the SOC temp
+// via a register we can read, and give it to the OS. This enables basic
+// reports from the "sensors" utility, and the OS can then poll and take
+// actions if that temp exceeds any of the given thresholds.
+Device(EC0)
+{
+  Name(_HID, EISAID("PNP0C06"))
+  Name (_CCA, 0x0)
+
+  // all temps in are tenths of K (aka 2732 is the min temps in linux (aka 
0C))
+  ThermalZone(TZ0) {
+Method(_TMP, 0, Serialized) {
+  OperationRegion (TEMS, SystemMemory, 0xfd5d2200, 0x8)
+  Field (TEMS, DWordAcc, NoLock, Preserve) {
+TMPS, 32
+  }
+  return (((419949 - ((TMPS & 0x3ff) * 487)) / 100) + 2732);
+}
+Method(_SCP, 3) { }  // receive cooling policy from OS
+
+Method(_CRT) { return(3632) }// (90K) Critical temp point 
(immediate power-off)
+Method(_HOT) { return(3582) }// (85K) HOT state where OS should 
hibernate
+Method(_PSV) { return(3532) }// (80K) Passive cooling (CPU 
throttling) trip point
+
+// SSDT inserts _AC0/_AL0 @60C here, if a FAN is configured
+
+Name(_TZP, 10)   //The OSPM must poll this device 
every 1 seconds
+Name(_PSL, Package(){ \_SB_.CPU0, \_SB_.CPU1, \_SB_.CPU2, \_SB_.CPU3})
+  }
+}
 #endif
 
   }
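Review bot: the trip-point comments on `_CRT`, `_HOT` and `_PSV` give the
thresholds as "(90K)", "(85K)" and "(80K)", but the returned values 3632,
3582 and 3532 are tenths of a kelvin, which is 90C, 85C and 80C as the commit
message describes. Correct the unit in the comments so that nobody later
changes the numbers to match them. `_TMP` also hard-codes the sensor address
0xfd5d2200 and the constants 419949 and 487 without a source; a named define
in a header and a one-line reference for the conversion would make the
formula checkable.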
-- 
2.13.7


View/Reply Online (#64257): https://edk2.groups.io/g/devel/message/64257



[edk2-devel] [PATCH 3/3] Platform/RaspberryPi: Add entry for user fan control

2020-08-13 Thread Jeremy Linton
Add a menu item that allows the user to enable GPIO based
fan control via SSDT. This should only be seen/enabled on RPI4
because that is what it's been tested with. As of this commit
it's currently limited to only operating on a single GPIO pin (19).

Given GPIO pin current limitations it's likely that a bit of
additional circuitry is required to drive a fan, and the GPIO
high/low signal can only be used as an enable/disable signal. A
search for "rpi npn gpio fan" or similar should turn up some
hits for how to do this simply.

It appears there are a couple boards (fan SHIM) which operate this
way, and probably should have custom menu items/SSDT edits as
people acquire the boards and test them.

Cc: Leif Lindholm 
Cc: Pete Batard 
Cc: Andrei Warkentin 
Cc: Ard Biesheuvel 
Cc: Samer El-Haj-Mahmoud 
Signed-off-by: Jeremy Linton 
---
 Platform/RaspberryPi/Drivers/ConfigDxe/ConfigDxe.c | 55 ++
 .../RaspberryPi/Drivers/ConfigDxe/ConfigDxe.inf|  3 ++
 .../RaspberryPi/Drivers/ConfigDxe/ConfigDxeHii.uni |  5 ++
 .../RaspberryPi/Drivers/ConfigDxe/ConfigDxeHii.vfr | 17 +++
 Platform/RaspberryPi/Include/ConfigVars.h  |  4 ++
 Platform/RaspberryPi/RPi3/RPi3.dsc |  5 ++
 Platform/RaspberryPi/RPi4/RPi4.dsc |  8 
 Platform/RaspberryPi/RaspberryPi.dec   |  1 +
 .../Bcm27xx/Include/IndustryStandard/Bcm2711.h |  2 +
 9 files changed, 100 insertions(+)

diff --git a/Platform/RaspberryPi/Drivers/ConfigDxe/ConfigDxe.c 
b/Platform/RaspberryPi/Drivers/ConfigDxe/ConfigDxe.c
index af54136ade..f10347be64 100644
--- a/Platform/RaspberryPi/Drivers/ConfigDxe/ConfigDxe.c
+++ b/Platform/RaspberryPi/Drivers/ConfigDxe/ConfigDxe.c
@@ -15,6 +15,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -22,6 +23,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -246,6 +248,14 @@ SetupVariables (
 ASSERT_EFI_ERROR (Status);
   }
 
+  Size = sizeof (UINT32);
+  Status = gRT->GetVariable (L"FanOnGpio",
+  ,
+  NULL, , );
+  if (EFI_ERROR (Status)) {
+PcdSet32 (PcdFanOnGpio, PcdGet32 (PcdFanOnGpio));
+  }
+
   Size = sizeof(AssetTagVar);
 
   Status = gRT->GetVariable(L"AssetTag",
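Review bot: the FanOnGpio setting established in this hunk is never
range-checked, and later in the patch ApplyVariables passes it straight to
`GpioPinFuncSet(FanOnGpio, GPIO_FSEL_OUTPUT)` as a pin number, so whatever
value is stored decides which pin is switched to output. The commit message
says only GPIO 19 is supported and SsdtThermal.asl toggles the compile-time
GPIO_FAN_PIN, so restrict the value to the supported pin (or 0) before it is
used. The error path `PcdSet32 (PcdFanOnGpio, PcdGet32 (PcdFanOnGpio))`
writes the PCD back to itself; add a short comment on why that is needed.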
@@ -368,6 +378,7 @@ ApplyVariables (
   UINT32 CpuClock = PcdGet32 (PcdCpuClock);
   UINT32 CustomCpuClock = PcdGet32 (PcdCustomCpuClock);
   UINT32 Rate = 0;
+  UINT32 FanOnGpio = PcdGet32 (PcdFanOnGpio);
 
   switch (CpuClock) {
   case CHIPSET_CPU_CLOCK_LOW:
@@ -565,8 +576,49 @@ ApplyVariables (
 GpioPinFuncSet (23, GPIO_FSEL_INPUT);
 GpioPinFuncSet (24, GPIO_FSEL_INPUT);
   }
+
+  if (FanOnGpio) {
+DEBUG ((DEBUG_INFO, "Fan enabled on GPIO %d\n", FanOnGpio));
+GpioPinFuncSet(FanOnGpio, GPIO_FSEL_OUTPUT);
+  }
 }
 
+EFI_STATUS
+FindInstallSsdt(UINT64 OemTableId)
+{
+  EFI_ACPI_TABLE_PROTOCOL *AcpiTable;
+  UINTN   Index;
+  EFI_ACPI_DESCRIPTION_HEADER *Ssdt;
+  UINTN   SsdtSize;
+  EFI_STATUS  Status;
+  UINTN   TableKey;
+
+
+  Status = gBS->LocateProtocol (, NULL,
+(VOID **));
+  if (EFI_ERROR (Status)) {
+return Status;
+  }
+
+  for (Index = 0; !EFI_ERROR(Status); Index++) {
+Status = GetSectionFromFv (, EFI_SECTION_RAW, Index,
+   (VOID **), );
+if (Ssdt->OemTableId == OemTableId)
+break;
+SsdtSize = 0;
+  }
+
+  if (SsdtSize > 0) {
+Status = AcpiTable->InstallAcpiTable (AcpiTable, Ssdt, SsdtSize,
+  );
+if (EFI_ERROR (Status)) {
+  DEBUG ((DEBUG_WARN, "%a: failed to install SSDT table %r\n",
+  __FUNCTION__, Status));
+}
+  }
+
+  return Status;
+}
 
 EFI_STATUS
 EFIAPI
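Review bot: in FindInstallSsdt the loop tests `Ssdt->OemTableId` right after
GetSectionFromFv without looking at Status, so on the iteration where the
lookup fails, which is how the loop ends when no table matches, it reads
through a pointer that is stale or was never set. Check `EFI_ERROR (Status)`
before the comparison, initialise Ssdt and SsdtSize at declaration, and free
the buffers returned for sections that do not match. The function also
returns the lookup error when the table is merely absent; decide whether that
case should be reported as an error to the caller.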
@@ -620,6 +672,9 @@ ConfigInitialize (
   PcdGet32 (PcdSystemTableMode) == SYSTEM_TABLE_MODE_BOTH) {
  Status = LocateAndInstallAcpiFromFv ();
  ASSERT_EFI_ERROR (Status);
+ if (PcdGet32 (PcdFanOnGpio)) {
+ FindInstallSsdt(SIGNATURE_64 ('R', 'P', 'I', 'T', 'H', 'F', 'A', 
'N'));
+ }
   }
 
   Status = gBS->CreateEventEx (EVT_NOTIFY_SIGNAL, TPL_NOTIFY, RegisterDevices,
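Review bot: the return value of `FindInstallSsdt(...)` is dropped at this
call, while the LocateAndInstallAcpiFromFv call just above is followed by
ASSERT_EFI_ERROR. If a missing or uninstallable fan SSDT is meant to be
non-fatal, log it here; as written the fan can be enabled in the menu and the
pin set to output while no fan object is published, with nothing telling the
user why.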
diff --git a/Platform/RaspberryPi/Drivers/ConfigDxe/ConfigDxe.inf 
b/Platform/RaspberryPi/Drivers/ConfigDxe/ConfigDxe.inf
index cdce35bc74..fe3a01a570 100644
--- a/Platform/RaspberryPi/Drivers/ConfigDxe/ConfigDxe.inf
+++ b/Platform/RaspberryPi/Drivers/ConfigDxe/ConfigDxe.inf
@@ -28,6 +28,7 @@
   ConfigDxeFormSetGuid.h
   ConfigDxeHii.vfr
   ConfigDxeHii.uni
+  SsdtThermal.asl
   XhciQuirk.c
 
 [Packages]
@@ -46,6 +47,7 @@
   AcpiLib
   BaseLib
   DebugLib
+  DxeServicesLib
   DxeServicesTableLib
   GpioLib
   HiiLib
@@ -89,6 +91,7 @@
   gRaspberryPiTokenSpaceGuid.PcdSystemTableMode
   gRaspberryPiTokenSpaceGuid.PcdRamMoreThan3GB
   gRaspberryPiTokenSpaceGuid.PcdRamLimitTo3GB
+  gRaspberryPiTokenSpaceGuid.PcdFanOnGpio
 
 [Depex]
   gPcdProtocolGuid AND 

Re: [edk2-devel] [Patch ] Static IP based HTTP Support

2020-08-13 Thread Laszlo Ersek
Hi,

On 08/13/20 17:59, Sivaraman Nainar wrote:
> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2888
> 
> *** NetworkPkg\HttpBootDxe\HttpBootClient.c 2020-05-07 
> 22:54:46.0 +05-30
> --- NetworkPkg\HttpBootDxe\HttpBootClient.c 2020-08-09 21:03:01.0 
> +05-30
> ***
> *** 1,6 
> --- 1,13 
> + //***
> + //* *
> + //*   Copyright (c) 1985-2020, American Megatrends International LLC.   *
> + //* *
> + //*  All rights reserved. Subject to AMI licensing agreement.   *
> + //* *
> + //***
>   /** @file
> Implementation of the boot file download function.
> 
>   Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.
>   (C) Copyright 2016 Hewlett Packard Enterprise Development LP
>   SPDX-License-Identifier: BSD-2-Clause-Patent

this patch does not have a proper commit message, a proper Signed-off-by
line, a proper subject line, and a proper diff format (it's not
expressed as a unified diff).

Please consult the following references:

- official:

https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Development-Process

- unofficial:

https://github.com/tianocore/tianocore.github.io/wiki/Laszlo's-unkempt-git-guide-for-edk2-contributors-and-maintainers

I'd also think that the huge legal banner added at the top of the file
is out of place. I think you can add a (C) notice (with the year 2020)
near the existing copyright notices. However, the line

"All rights reserved. Subject to AMI licensing agreement."

is wrong; it conflicts with

  SPDX-License-Identifier: BSD-2-Clause-Patent

Thanks,
Laszlo


View/Reply Online (#64255): https://edk2.groups.io/g/devel/message/64255



Re: [edk2-devel] [PATCH v15 00/46] SEV-ES guest support

2020-08-13 Thread Laszlo Ersek
On 08/13/20 15:22, Tom Lendacky wrote:
> From: Tom Lendacky 
> 
> This patch series provides support for running EDK2/OVMF under SEV-ES.
> 
> Secure Encrypted Virtualization - Encrypted State (SEV-ES) expands on the
> SEV support to protect the guest register state from the hypervisor. See
> "AMD64 Architecture Programmer's Manual Volume 2: System Programming",
> section "15.35 Encrypted State (SEV-ES)" [1].
> 
> In order to allow a hypervisor to perform functions on behalf of a guest,
> there is architectural support for notifying a guest's operating system
> when certain types of VMEXITs are about to occur. This allows the guest to
> selectively share information with the hypervisor to satisfy the requested
> function. The notification is performed using a new exception, the VMM
> Communication exception (#VC). The information is shared through the
> Guest-Hypervisor Communication Block (GHCB) using the VMGEXIT instruction.
> The GHCB format and the protocol for using it is documented in "SEV-ES
> Guest-Hypervisor Communication Block Standardization" [2].
> 
> The main areas of the EDK2 code that are updated to support SEV-ES are
> around the exception handling support and the AP boot support.
> 
> Exception support is required starting in Sec, continuing through Pei
> and into Dxe in order to handle #VC exceptions that are generated.  Each
> AP requires its own GHCB page as well as a page to hold values specific
> to that AP.
> 
> AP booting poses some interesting challenges. The INIT-SIPI-SIPI sequence
> is typically used to boot the APs. However, the hypervisor is not allowed
> to update the guest registers. The GHCB document [2] talks about how SMP
> booting under SEV-ES is performed.
> 
> Since the GHCB page must be a shared (unencrypted) page, the processor
> must be running in long mode in order for the guest and hypervisor to
> communicate with each other. As a result, SEV-ES is only supported under
> the X64 architecture.
> 
> This series adds a new library requirement for the VmgExitLib library
> against the UefiCpuPkg CpuExceptionHandlerLib library and the UefiCpuPkg
> MpInitLib library. The edk2-platforms repo requires updates/patches to
> add the new library requirement. To accommodate that, this series could be
> split between:
> 
> patch number 10:
>   UefiPayloadPkg: Prepare UefiPayloadPkg to use the VmgExitLib library
> 
> and patch number 11:
>   UefiCpuPkg/CpuExceptionHandler: Add base support for the #VC exception
> 
> The updates to edk2-platforms can be applied at the split.
> 
> [1] https://www.amd.com/system/files/TechDocs/24593.pdf
> [2] https://developer.amd.com/wp-content/resources/56421.pdf
> 
> ---
> 
> These patches are based on commit:
> 65904cdbb33c ("UefiCpuPkg/MtrrLibUnitTest: Change to use static array for CI 
> test")
> 
> A version of the tree can be found at:
> https://github.com/AMDESE/ovmf/tree/sev-es-v24
> 
> Cc: Andrew Fish 
> Cc: Anthony Perard 
> Cc: Ard Biesheuvel 
> Cc: Benjamin You 
> Cc: Dandan Bi 
> Cc: Eric Dong 
> Cc: Guo Dong 
> Cc: Hao A Wu 
> Cc: Jian J Wang 
> Cc: Jordan Justen 
> Cc: Julien Grall 
> Cc: Laszlo Ersek 
> Cc: Leif Lindholm 
> Cc: Liming Gao 
> Cc: Maurice Ma 
> Cc: Michael D Kinney 
> Cc: Ray Ni 
> 
> Changes since v14:
> - Address ECC errors
>   - Fix non-boolean comparison to use a comparison operator
>   - Separate declaration and initialization of variables
>   - Add period to first line of block comments
>   - Split single-line multiple declaration into multiple lines

The changes look good to me, thanks!

In this particular case, the updates do not invalidate my
"Regression-tested-by" given under v14:

https://edk2.groups.io/g/devel/message/63921

"""
For all patches except #10 ("UefiPayloadPkg: Prepare UefiPayloadPkg to
use the VmgExitLib library") and #46 ("Maintainers.txt: Add reviewers
for the OvmfPkg SEV-related files"):

Regression-tested-by: Laszlo Ersek 
"""

So whoever merges this series should please apply that to the respective
patches.

Thanks!
Laszlo


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#64254): https://edk2.groups.io/g/devel/message/64254
Mute This Topic: https://groups.io/mt/76166920/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[edk2-devel] [PATCH v7 2/5] MdePkg: BaseRngLibDxe: Add RngLib that uses RngDxe

2020-08-13 Thread Matthew Carlson
From: Matthew Carlson 

This adds a RngLib that uses the RngProtocol to provide randomness.
This means that the RngLib is meant to be used with DXE_DRIVERS.

Ref: https://github.com/tianocore/edk2/pull/845
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1871

Cc: Ard Biesheuvel 
Cc: Michael D Kinney 
Cc: Liming Gao 
Cc: Zhiguang Liu 
Signed-off-by: Matthew Carlson 
---
 MdePkg/Library/DxeRngLib/DxeRngLib.c   | 206 
 MdePkg/Library/DxeRngLib/DxeRngLib.inf |  37 
 MdePkg/MdePkg.dsc  |   4 +-
 3 files changed, 246 insertions(+), 1 deletion(-)

diff --git a/MdePkg/Library/DxeRngLib/DxeRngLib.c 
b/MdePkg/Library/DxeRngLib/DxeRngLib.c
new file mode 100644
index ..0bd6585357b5
--- /dev/null
+++ b/MdePkg/Library/DxeRngLib/DxeRngLib.c
@@ -0,0 +1,206 @@
+/** @file
+ Provides an implementation of the library class RngLib that uses the Rng 
protocol.
+
+ Copyright (c) Microsoft Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+#include 
+#include 
+#include 
+#include 
+#include 
+
+/**
+Routine Description:
+
+Generates a random number via the NIST
+800-9A algorithm.  Refer to
+http://csrc.nist.gov/groups/STM/cavp/documents/drbg/DRBGVS.pdf
+for more information.
+
+Arguments:
+
+Buffer  -- Buffer to receive the random number.
+BufferSize  -- Number of bytes in Buffer.
+
+Return Value:
+
+EFI_SUCCESS or underlying failure code.
+
+**/
+STATIC
+EFI_STATUS
+GenerateRandomNumberViaNist800Algorithm (
+  OUT UINT8 *Buffer,
+  IN  UINTN  BufferSize
+  )
+{
+  EFI_STATUSStatus;
+  EFI_RNG_PROTOCOL *RngProtocol;
+
+  RngProtocol = NULL;
+
+  if (Buffer == NULL) {
+  DEBUG((DEBUG_ERROR, "[%a] Buffer == NULL.\n", __FUNCTION__));
+  return EFI_INVALID_PARAMETER;
+  }
+
+  Status = gBS->LocateProtocol (, NULL, (VOID 
**));
+  if (EFI_ERROR (Status) || RngProtocol == NULL) {
+  DEBUG((DEBUG_ERROR, "%a: Could not locate RNG prototocol, Status = 
%r\n", __FUNCTION__, Status));
+  return Status;
+  }
+
+  Status = RngProtocol->GetRNG (RngProtocol, 
, BufferSize, Buffer);
+  DEBUG((DEBUG_INFO, "%a: GetRNG algorithm CTR-256 - Status = %r\n", 
__FUNCTION__, Status));
+  if(!EFI_ERROR(Status)) {
+return Status;
+  }
+
+  Status = RngProtocol->GetRNG (RngProtocol, 
, BufferSize, Buffer);
+  DEBUG((DEBUG_INFO, "%a: GetRNG algorithm HMAC-256 - Status = %r\n", 
__FUNCTION__, Status));
+  if(!EFI_ERROR(Status)) {
+return Status;
+  }
+
+  Status = RngProtocol->GetRNG (RngProtocol, 
, BufferSize, Buffer);
+  DEBUG((DEBUG_INFO, "%a: GetRNG algorithm Hash-256 - Status = %r\n", 
__FUNCTION__, Status));
+  if (!EFI_ERROR(Status)) {
+return Status;
+  }
+  // If all the other methods have failed, use the default method from the 
RngProtocol
+  Status = RngProtocol->GetRNG (RngProtocol, NULL, BufferSize, Buffer);
+  DEBUG((DEBUG_INFO, "%a: GetRNG algorithm Hash-256 - Status = %r\n", 
__FUNCTION__, Status));
+  if (!EFI_ERROR(Status)) {
+return Status;
+  }
+  // If we get to this point, we have failed
+  DEBUG((DEBUG_ERROR, "%a: GetRNG() failed, staus = %r\n", __FUNCTION__, 
Status));
+
+  return Status;
+}// GenerateRandomNumberViaNist800Algorithm()
+
+
+/**
+  Generates a 16-bit random number.
+
+  if Rand is NULL, return FALSE.
+
+  @param[out] Rand Buffer pointer to store the 16-bit random value.
+
+  @retval TRUE Random number generated successfully.
+  @retval FALSEFailed to generate the random number.
+
+**/
+BOOLEAN
+EFIAPI
+GetRandomNumber16 (
+  OUT UINT16*Rand
+  )
+{
+  EFI_STATUS Status;
+
+  if (Rand == NULL)
+  {
+return FALSE;
+  }
+
+  Status = GenerateRandomNumberViaNist800Algorithm ((UINT8 *)Rand, 2);
+  if (EFI_ERROR (Status))
+  {
+return FALSE;
+  }
+  return TRUE;
+}
+
+/**
+  Generates a 32-bit random number.
+
+  if Rand is NULL, return FALSE.
+
+  @param[out] Rand Buffer pointer to store the 32-bit random value.
+
+  @retval TRUE Random number generated successfully.
+  @retval FALSEFailed to generate the random number.
+
+**/
+BOOLEAN
+EFIAPI
+GetRandomNumber32 (
+  OUT UINT32*Rand
+  )
+{
+  EFI_STATUS Status;
+
+  if (Rand == NULL) {
+return FALSE;
+  }
+
+  Status = GenerateRandomNumberViaNist800Algorithm ((UINT8 *)Rand, 4);
+  if (EFI_ERROR (Status)) {
+return FALSE;
+  }
+  return TRUE;
+}
+
+/**
+  Generates a 64-bit random number.
+
+  if Rand is NULL, return FALSE.
+
+  @param[out] Rand Buffer pointer to store the 64-bit random value.
+
+  @retval TRUE Random number generated successfully.
+  @retval FALSEFailed to generate the random number.
+
+**/
+BOOLEAN
+EFIAPI
+GetRandomNumber64 (
+  OUT UINT64*Rand
+  )
+{
+  EFI_STATUS Status;
+
+  if (Rand == NULL)
+  {
+return FALSE;
+  }
+
+  Status = GenerateRandomNumberViaNist800Algorithm ((UINT8 *)Rand, 8);
+  if (EFI_ERROR (Status)) {
+
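
Review bot: In GenerateRandomNumberViaNist800Algorithm the last GetRNG call passes NULL as the algorithm, so a function whose name and header comment promise a NIST 800 algorithm can return bytes from whatever default the protocol implementation picks, and the DEBUG line after that call still reports "GetRNG algorithm Hash-256". Please relabel that message as the default algorithm and describe the fallback in the function header (which reads "800-9A" where SP 800-90A is presumably meant), or return the error instead of falling back if callers rely on a DRBG-backed result. Smaller points in the same function: "prototocol" and "staus" in the DEBUG strings, and the three public wrappers mix brace placement (GetRandomNumber32 uses "if (...) {", GetRandomNumber16 and GetRandomNumber64 put the brace on its own line).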

[edk2-devel] [PATCH v7 0/5] Use RngLib instead of TimerLib for OpensslLib

2020-08-13 Thread Matthew Carlson
From: Matthew Carlson 

Hello all,

This patch contains a fix for Bugzilla 1871.
There's been a good bit of community discussion around the topic,
so below follows a general overview of the discussion and what this patch does.

This is the seventh iteration of this patch series, focused on code style and a
few functions being renamed to comply with style.

Back in Devel message#40590 (https://edk2.groups.io/g/devel/message/40590)
around the patch series that updates OpenSSL to 1.1.1b, a comment was made
that suggested that platforms be in charge of the entropy/randomness that
is provided to OpenSSL as currently the entropy source seems to be a
hand-rolled random number generator that uses the PerformanceCounter from
TimerLib. This causes OpenSSL to depend on TimerLib, which is often platform
specific. In addition to being a potentially weaker source of randomness,
this also poses a challenge to compile BaseCryptLibOnProtocol with a platform-
agnostic version of TimerLib that works universally.

The solution here is to allow platforms to specify their source of entropy in
addition to providing two new RngLibs: one that uses the TimerLib as well as
one that uses RngProtocol to provide randomness. Then the decision to use
RDRAND or other entropy sources is up to the platform. Mixing various entropy
sources is the onus of the platform. It has been suggested on Devel#40590 and
BZ#1871 that there should be mixing of the PerformanceCounter and RDRAND using
something similar to the yarrow algorithm that FreeBSD uses for example. This
patch series doesn't offer an RngLib that offers that sort of mixing as the
ultimate source of random is defined by the platform.

This patch series offers three benefits:
1. Dependency reduction: Removes the need for a platform specific timer
library.  We publish a single binary used on numerous platforms for
crypto and the introduced timer lib dependency caused issues because we
could not fulfill our platform needs with one library instance.

2. Code maintenance: Removing this additional code and leveraging an existing
library within Edk2 means less code to maintain.

3. Platform defined quality: A platform can choose which instance to use and
the implications of that instance.

This patch series seeks to address five separate issues.
  1) Use RngLib interface to generate random entropy in rand_pool
  2) Remove dependency on TimerLib in OpensslLib
  3) Add a new version of RngLib implemented by TimerLib
  4) Add a new version of RngLib implemented by EFI_RNG_PROTOCOL
  5) Add RngLib to platforms in EDK2 such as ArmVirtPkg and OvmfPkg

Since this changes the dependencies of OpenSSL, this has the potential of being
a breaking change for platforms in edk2-platforms. The easiest solution is just
to use the RngLib that uses the TimerLib as this closely mimics the behavior of
OpenSSL prior to this patch series. There is also a null version of RngLib for
CI environments that need this change
(https://edk2.groups.io/g/devel/message/50432). Though it should be pointed out
that in CI environments, the null version of BaseCryptLib or OpenSSL should be
used.

In addition, it has been suggested that
1) Add AsmRdSeed to BaseLib.
2) Update BaseRngLib to use AsmRdSeed() for the random number,
if RdSeed is supported (CPUID BIT18)

However, this is largely out of scope for this particular patch series and
will likely need to be in a follow-up series later.

It is my understanding that the OpenSSL code uses the values provided as a
randomness pool rather than a seed or random numbers itself, so the
requirements for randomness are not quite as stringent as other applications.

For the ArmVirtPkg and OvmfPkg platforms, the patch series here just adds in
the TimerLib based RngLib as that is similar to the functionality of before.
It is added as a common library so any custom RngLib defined in the DSC
should take precedence over the TimerLibRngLib.

Ref: https://github.com/tianocore/edk2/pull/845
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1871

Cc: Ard Biesheuvel 
Cc: Anthony Perard 
Cc: Jiewen Yao 
Cc: Jian J Wang 
Cc: Julien Grall 
Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Liming Gao 
Cc: Leif Lindholm 
Cc: Michael D Kinney 
Cc: Xiaoyu Lu 
Cc: Zhiguang Liu 
Cc: Sean Brogan 

Signed-off-by: Matthew Carlson 


Matthew Carlson (5):
  MdePkg: TimerRngLib: Added RngLib that uses TimerLib
  MdePkg: BaseRngLibDxe: Add RngLib that uses RngDxe
  OvmfPkg: Add RngLib based on TimerLib for Crypto
  ArmVirtPkg: Add RngLib based on TimerLib for CryptoPkg
  CryptoPkg: OpensslLib: Use RngLib to generate entropy in rand_pool

 CryptoPkg/Library/OpensslLib/rand_pool.c | 265 
+---
 CryptoPkg/Library/OpensslLib/rand_pool_noise.c   |  29 ---
 CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c   |  43 
 MdePkg/Library/BaseRngLibTimerLib/RngLibTimer.c  | 188 ++
 MdePkg/Library/DxeRngLib/DxeRngLib.c | 206 +++
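
The cover letter above calls the PerformanceCounter-based generator a potentially weaker source of randomness. The following C program is an added illustration, not code from the patch series: under an assumed jitter-free counter it measures how many distinct 64-bit outputs the low-byte sampling pattern can produce, and it gives a check for spotting such output when auditing an RNG. The names sim_counter, timer_rng64, has_fixed_stride and distinct_outputs are hypothetical and constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not edk2 code: a free-running counter that advances by
   a fixed number of ticks between two reads (delay plus loop overhead, no
   jitter). Real hardware adds some jitter; this is the worst case. */
typedef struct {
  uint64_t ticks;   /* current counter value */
  uint64_t stride;  /* ticks elapsed between consecutive reads */
} sim_counter;

/* Same sampling pattern as the generator under discussion: eight reads,
   keeping only the low byte of each, stored in little-endian order. */
static uint64_t timer_rng64(sim_counter *c)
{
  uint64_t v = 0;
  for (int i = 0; i < 8; i++) {
    v |= (uint64_t)(c->ticks & 0xFF) << (8 * i);
    c->ticks += c->stride;
  }
  return v;
}

/* Audit check: 1 when the eight bytes of v form an arithmetic progression
   modulo 256. A uniformly random 64-bit value passes with probability
   2^-48, so output that passes repeatedly is almost certainly not coming
   from a DRBG. */
static int has_fixed_stride(uint64_t v)
{
  uint8_t step = (uint8_t)((v >> 8) - v);
  for (int i = 1; i < 7; i++) {
    uint8_t d = (uint8_t)((v >> (8 * (i + 1))) - (v >> (8 * i)));
    if (d != step) {
      return 0;
    }
  }
  return 1;
}

/* Counts the distinct 64-bit outputs seen over `starts` different initial
   counter values at one stride. Returns SIZE_MAX if two outputs share a
   first byte but differ, which would contradict the model. */
static size_t distinct_outputs(uint64_t stride, uint64_t starts)
{
  uint64_t value[256];
  uint8_t  seen[256] = {0};
  size_t   count = 0;

  for (uint64_t s = 0; s < starts; s++) {
    sim_counter c = { s * 7919u + 12345u, stride };  /* constructed starts */
    uint64_t v = timer_rng64(&c);
    uint8_t first = (uint8_t)v;
    if (!seen[first]) {
      seen[first] = 1;
      value[first] = v;
      count++;
    } else if (value[first] != v) {
      return SIZE_MAX;
    }
  }
  return count;
}

int main(void)
{
  sim_counter c = { 0x1FE, 3 };
  uint64_t v = timer_rng64(&c);
  printf("sample output      : 0x%016llx\n", (unsigned long long)v);
  printf("fixed stride?      : %d\n", has_fixed_stride(v));
  printf("distinct of 100000 : %zu\n", distinct_outputs(3, 100000));
  return 0;
}
```

In this model a 64-bit result carries at most 8 bits of variability once the stride is fixed, which is why the choice of RngLib instance matters for anything that seeds keys.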
 

[edk2-devel] [PATCH v7 4/5] ArmVirtPkg: Add RngLib based on TimerLib for CryptoPkg

2020-08-13 Thread Matthew Carlson
From: Matthew Carlson 

Updates the DSC for the ArmVirtPkg platform to add a RngLib that uses the
TimerLib. This is due to a later change that adds TimerLib as a dependency
for OpenSSL. The TimerLib based RngLib mimics the behavior of OpenSSL
previously and it is recommended to switch to a better source of
entropy than the system's performance counter.

Ref: https://github.com/tianocore/edk2/pull/845
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1871

Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Cc: Leif Lindholm 

Reviewed-by: Laszlo Ersek 
Signed-off-by: Matthew Carlson 
---
 ArmVirtPkg/ArmVirt.dsc.inc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
index cf44fc73890b..cb3845d2bd37 100644
--- a/ArmVirtPkg/ArmVirt.dsc.inc
+++ b/ArmVirtPkg/ArmVirt.dsc.inc
@@ -160,6 +160,7 @@
   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
 !endif
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+  RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
 
   #
   # Secure Boot dependencies
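
Review bot: The added RngLib line carries no comment, while the commit message itself recommends moving to a better entropy source than the performance counter. A one-line comment above the mapping saying that BaseRngLibTimerLib is an interim default which platforms are expected to override would keep that recommendation visible to anyone copying this DSC include.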
-- 
2.27.0.windows.1


View/Reply Online (#64252): https://edk2.groups.io/g/devel/message/64252



[edk2-devel] [PATCH v7 3/5] OvmfPkg: Add RngLib based on TimerLib for Crypto

2020-08-13 Thread Matthew Carlson
From: Matthew Carlson 

Updates the DSCs for Ovmf based platforms to add a RngLib that uses the
TimerLib. This is due to a later change that adds TimerLib as a dependency
for OpenSSL. The TimerLib based RngLib mimics the behavior of OpenSSL
previously and it is recommended to switch to a better source of
entropy than the system's performance counter.

Ref: https://github.com/tianocore/edk2/pull/845
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1871

Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Cc: Anthony Perard 
Cc: Julien Grall 

Reviewed-by: Laszlo Ersek 
Signed-off-by: Matthew Carlson 
---
 OvmfPkg/Bhyve/BhyvePkgX64.dsc | 1 +
 OvmfPkg/OvmfPkgIa32.dsc   | 1 +
 OvmfPkg/OvmfPkgIa32X64.dsc| 1 +
 OvmfPkg/OvmfPkgX64.dsc| 1 +
 OvmfPkg/OvmfXen.dsc   | 1 +
 5 files changed, 5 insertions(+)

diff --git a/OvmfPkg/Bhyve/BhyvePkgX64.dsc b/OvmfPkg/Bhyve/BhyvePkgX64.dsc
index 8eba48d109a3..4b1fbb361b28 100644
--- a/OvmfPkg/Bhyve/BhyvePkgX64.dsc
+++ b/OvmfPkg/Bhyve/BhyvePkgX64.dsc
@@ -185,6 +185,7 @@
 !else
   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
 !endif
+  RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
 
 !if $(SECURE_BOOT_ENABLE) == TRUE
   
PlatformSecureLib|OvmfPkg/Bhyve/Library/PlatformSecureLib/PlatformSecureLib.inf
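
Review bot: The RngLib mapping added after the !endif is unconditional, and the identical line is repeated in all five DSC files of this patch, so choosing a stronger RngLib instance for OVMF later means editing each file. Consider selecting the instance through a build macro, in the style of the "!if $(SECURE_BOOT_ENABLE) == TRUE" block that follows it.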
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 9178ffeb71cb..fc1c8014eba1 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -189,6 +189,7 @@
 !else
   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
 !endif
+  RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
 
 !if $(SECURE_BOOT_ENABLE) == TRUE
   PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index a665f78f0dc7..2365dc2fa98d 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -193,6 +193,7 @@
 !else
   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
 !endif
+  RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
 
 !if $(SECURE_BOOT_ENABLE) == TRUE
   PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 17f345acf4ee..6992cfd98b70 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -193,6 +193,7 @@
 !else
   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
 !endif
+  RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
 
 !if $(SECURE_BOOT_ENABLE) == TRUE
   PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc
index 782803cb2787..416f81f06a04 100644
--- a/OvmfPkg/OvmfXen.dsc
+++ b/OvmfPkg/OvmfXen.dsc
@@ -179,6 +179,7 @@
 !else
   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
 !endif
+  RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
 
   
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
   VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
-- 
2.27.0.windows.1


View/Reply Online (#64251): https://edk2.groups.io/g/devel/message/64251



[edk2-devel] [PATCH v7 5/5] CryptoPkg: OpensslLib: Use RngLib to generate entropy in rand_pool

2020-08-13 Thread Matthew Carlson
From: Matthew Carlson 

Ref: https://github.com/tianocore/edk2/pull/845
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1871

Changes OpenSSL to no longer depend on TimerLib and instead use RngLib.
This allows platforms to decide for themselves what sort of entropy source
they provide to OpenSSL and TlsLib.

Cc: Ard Biesheuvel 
Cc: Jiewen Yao 
Cc: Jian J Wang 
Cc: Xiaoyu Lu 

Acked-by: Ard Biesheuvel 
Signed-off-by: Matthew Carlson 
---
 CryptoPkg/Library/OpensslLib/rand_pool.c   | 265 +---
 CryptoPkg/Library/OpensslLib/rand_pool_noise.c |  29 ---
 CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c |  43 
 CryptoPkg/CryptoPkg.dsc|   1 +
 CryptoPkg/Library/OpensslLib/OpensslLib.inf|  15 +-
 CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf  |  15 +-
 CryptoPkg/Library/OpensslLib/rand_pool_noise.h |  29 ---
 7 files changed, 63 insertions(+), 334 deletions(-)

diff --git a/CryptoPkg/Library/OpensslLib/rand_pool.c 
b/CryptoPkg/Library/OpensslLib/rand_pool.c
index 9e0179b03490..806549af81c1 100644
--- a/CryptoPkg/Library/OpensslLib/rand_pool.c
+++ b/CryptoPkg/Library/OpensslLib/rand_pool.c
@@ -2,8 +2,8 @@
   OpenSSL_1_1_1b doesn't implement rand_pool_* functions for UEFI.
   The file implement these functions.
 
-Copyright (c) 2019, Intel Corporation. All rights reserved.
-SPDX-License-Identifier: BSD-2-Clause-Patent
+  Copyright (c) 2019, Intel Corporation. All rights reserved.
+  SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
 
@@ -11,53 +11,18 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include 
 
 #include 
-#include 
-
-#include "rand_pool_noise.h"
-
-/**
-  Get some randomness from low-order bits of GetPerformanceCounter results.
-  And combine them to the 64-bit value
-
-  @param[out] RandBuffer pointer to store the 64-bit random value.
-
-  @retval TRUERandom number generated successfully.
-  @retval FALSE   Failed to generate.
-**/
-STATIC
-BOOLEAN
-EFIAPI
-GetRandNoise64FromPerformanceCounter(
-  OUT UINT64  *Rand
-  )
-{
-  UINT32 Index;
-  UINT32 *RandPtr;
-
-  if (NULL == Rand) {
-return FALSE;
-  }
-
-  RandPtr = (UINT32 *) Rand;
-
-  for (Index = 0; Index < 2; Index ++) {
-*RandPtr = (UINT32) (GetPerformanceCounter () & 0xFF);
-MicroSecondDelay (10);
-RandPtr++;
-  }
-
-  return TRUE;
-}
+#include 
 
 /**
   Calls RandomNumber64 to fill
   a buffer of arbitrary size with random bytes.
+  This is a shim layer to RngLib.
 
   @param[in]   LengthSize of the buffer, in bytes,  to fill with.
   @param[out]  RandBufferPointer to the buffer to store the random result.
 
-  @retval EFI_SUCCESSRandom bytes generation succeeded.
-  @retval EFI_NOT_READY  Failed to request random bytes.
+  @retval TRUERandom bytes generation succeeded.
+  @retval FALSE   Failed to request random bytes.
 
 **/
 STATIC
@@ -65,7 +30,7 @@ BOOLEAN
 EFIAPI
 RandGetBytes (
   IN UINTN Length,
-  OUT UINT8*RandBuffer
+  OUT UINT8   *RandBuffer
   )
 {
   BOOLEAN Ret;
@@ -73,17 +38,17 @@ RandGetBytes (
 
   Ret = FALSE;
 
+  if (RandBuffer == NULL) {
+DEBUG((DEBUG_ERROR, "[OPENSSL_RAND_POOL] NULL RandBuffer. No random 
numbers are generated and your system is not secure\n"));
+ASSERT (RandBuffer != NULL); // Since we can't generate random numbers, we 
should assert. Otherwise we will just blow up later.
+return Ret;
+  }
+
+
   while (Length > 0) {
-//
-// Get random noise from platform.
-// If it failed, fallback to PerformanceCounter
-// If you really care about security, you must override
-// GetRandomNoise64FromPlatform.
-//
-Ret = GetRandomNoise64 ();
-if (Ret == FALSE) {
-  Ret = GetRandNoise64FromPerformanceCounter ();
-}
+// Use RngLib to get random number
+Ret = GetRandomNumber64 ();
+
 if (!Ret) {
   return Ret;
 }
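
Review bot: In the while loop, a FALSE from GetRandomNumber64 now returns immediately with RandBuffer partly written and nothing logged, whereas the new NULL-buffer path above logs at DEBUG_ERROR and the removed code had a fallback source. Please add a DEBUG_ERROR on this path as well and state in the function header that the buffer contents must not be used when FALSE is returned. The trailing comment on the ASSERT line is long enough to wrap and would read better as a comment above it, and the hunk adds two consecutive blank lines before the loop.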
@@ -91,7 +56,8 @@ RandGetBytes (
   *((UINT64*) RandBuffer) = TempRand;
   RandBuffer += sizeof (UINT64);
   Length -= sizeof (TempRand);
-} else {
+} 
+else {
   CopyMem (RandBuffer, , Length);
   Length = 0;
 }
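
Review bot: Splitting "} else {" across two lines leaves trailing whitespace after the closing brace and departs from the form the file used before this patch; the change is unrelated to the switch to RngLib, so please drop it.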
@@ -100,125 +66,6 @@ RandGetBytes (
   return Ret;
 }
 
-/**
-  Creates a 128bit random value that is fully forward and backward prediction 
resistant,
-  suitable for seeding a NIST SP800-90 Compliant.
-  This function takes multiple random numbers from PerformanceCounter to 
ensure reseeding
-  and performs AES-CBC-MAC over the data to compute the seed value.
-
-  @param[out]  SeedBufferPointer to a 128bit buffer to store the random 
seed.
-
-  @retval TRUERandom seed generation succeeded.
-  @retval FALSE  Failed to request random bytes.
-
-**/
-STATIC
-BOOLEAN
-EFIAPI
-RandGetSeed128 (
-  OUT UINT8*SeedBuffer
-  )
-{
-  BOOLEAN Ret;
-  UINT8   RandByte[16];
-  UINT8   Key[16];
-  UINT8   Ffv[16];
-  UINT8   Xored[16];
-  UINT32  Index;
-  UINT32  Index2;
-  

[edk2-devel] [PATCH v7 1/5] MdePkg: TimerRngLib: Added RngLib that uses TimerLib

2020-08-13 Thread Matthew Carlson
From: Matthew Carlson 

Added a new RngLib that provides random numbers from the TimerLib
using the performance counter. This is meant to be used for OpenSSL
to replicate past behavior. This should not be used in production as
a real source of entropy.

Ref: https://github.com/tianocore/edk2/pull/845
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1871

Cc: Ard Biesheuvel 
Cc: Michael D Kinney 
Cc: Liming Gao 
Cc: Zhiguang Liu 
Signed-off-by: Matthew Carlson 
---
 MdePkg/Library/BaseRngLibTimerLib/RngLibTimer.c  | 188 

 MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf |  36 
 MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.uni |  15 ++
 MdePkg/MdePkg.dsc|   3 +-
 4 files changed, 241 insertions(+), 1 deletion(-)

diff --git a/MdePkg/Library/BaseRngLibTimerLib/RngLibTimer.c 
b/MdePkg/Library/BaseRngLibTimerLib/RngLibTimer.c
new file mode 100644
index ..405bdf1dcec1
--- /dev/null
+++ b/MdePkg/Library/BaseRngLibTimerLib/RngLibTimer.c
@@ -0,0 +1,188 @@
+/** @file
+  BaseRng Library that uses the TimerLib to provide reasonably random numbers.
+  Do not use this on a production system.
+
+  Copyright (c) Microsoft Corporation.
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include 
+#include 
+#include 
+#include 
+
+/**
+ * Using the TimerLib GetPerformanceCounterProperties() we delay
+ * for enough time for the PerformanceCounter to increment.
+ * Depending on your system
+ *
+ * If the return value from GetPerformanceCounterProperties (TimerLib)
+ * is zero, this function will not delay and attempt to assert.
+ */
+STATIC
+VOID
+DecentDelay (
+  VOID
+  )
+{
+  UINT64 StartValue;
+  UINT64 EndValue;
+  UINT64 CounterHz;
+  UINT64 MinumumDelayInMicroSeconds;
+
+  // Get the counter properties
+  CounterHz = GetPerformanceCounterProperties (, );
+  // Make sure we won't divide by zero
+  if (CounterHz == 0) {
+ASSERT(CounterHz != 0); // Assert so the developer knows something is wrong
+return;
+  }
+  // Calculate the minimum delay based on 1.5 microseconds divided by the 
hertz.
+  // We calculate the length of a cycle (1/CounterHz) and multiply it by 1.5 
microseconds
+  // This ensures that the performance counter has increased by at least one
+  MinumumDelayInMicroSeconds = 150 / CounterHz;
+
+  MicroSecondDelay (MinumumDelayInMicroSeconds);
+}
+
+
+/**
+  Generates a 16-bit random number.
+
+  if Rand is NULL, then ASSERT().
+
+  @param[out] Rand Buffer pointer to store the 16-bit random value.
+
+  @retval TRUE Random number generated successfully.
+  @retval FALSEFailed to generate the random number.
+
+**/
+BOOLEAN
+EFIAPI
+GetRandomNumber16 (
+  OUT UINT16*Rand
+  )
+{
+  UINT32  Index;
+  UINT8  *RandPtr;
+
+  ASSERT (Rand != NULL);
+
+  if (Rand == NULL) {
+return FALSE;
+  }
+
+  RandPtr = (UINT8*)Rand;
+  // Get 2 bytes of random ish data
+  // This should take around 10us
+  for (Index = 0; Index < 2; Index ++) {
+*RandPtr = (UINT8)(GetPerformanceCounter () & 0xFF);
+DecentDelay (); // delay to give chance for performance counter to catch up
+RandPtr++;
+  }
+  return TRUE;
+}
+
+/**
+  Generates a 32-bit random number.
+
+  if Rand is NULL, then ASSERT().
+
+  @param[out] Rand Buffer pointer to store the 32-bit random value.
+
+  @retval TRUE Random number generated successfully.
+  @retval FALSEFailed to generate the random number.
+
+**/
+BOOLEAN
+EFIAPI
+GetRandomNumber32 (
+  OUT UINT32*Rand
+  )
+{
+  UINT32  Index;
+  UINT8* RandPtr;
+
+  ASSERT (Rand != NULL);
+
+  if (NULL == Rand) {
+return FALSE;
+  }
+
+  RandPtr = (UINT8 *) Rand;
+  // Get 4 bytes of random ish data
+  // This should take around 20ms
+  for (Index = 0; Index < 4; Index ++) {
+*RandPtr = (UINT8) (GetPerformanceCounter () & 0xFF);
+DecentDelay (); // delay to give chance for performance counter to catch up
+RandPtr++;
+  }
+  return TRUE;
+}
+
+/**
+  Generates a 64-bit random number.
+
+  if Rand is NULL, then ASSERT().
+
+  @param[out] Rand Buffer pointer to store the 64-bit random value.
+
+  @retval TRUE Random number generated successfully.
+  @retval FALSEFailed to generate the random number.
+
+**/
+BOOLEAN
+EFIAPI
+GetRandomNumber64 (
+  OUT UINT64*Rand
+  )
+{
+  UINT32  Index;
+  UINT8* RandPtr;
+
+  ASSERT (Rand != NULL);
+
+  if (NULL == Rand) {
+return FALSE;
+  }
+
+  RandPtr = (UINT8 *) Rand;
+  // Get 8 bytes of random ish data
+  // This should take around 40ms
+  for (Index = 0; Index < 8; Index ++) {
+*RandPtr = (UINT8) (GetPerformanceCounter () & 0xFF);
+DecentDelay (); // delay to give chance for performance counter to catch up
+RandPtr++;
+  }
+
+  return TRUE;
+}
+
+/**
+  Generates a 128-bit random number.
+
+  if Rand is NULL, then ASSERT().
+
+  @param[out] Rand Buffer pointer to store the 
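
Review bot: In DecentDelay, "MinumumDelayInMicroSeconds = 150 / CounterHz;" is integer division, so it evaluates to 0 for any counter faster than 150 Hz and MicroSecondDelay is then called with 0; the comment above it describes 1.5 counter periods, which in microseconds would be 1500000 / CounterHz. With a zero delay, the successive "GetPerformanceCounter () & 0xFF" reads in GetRandomNumber16/32/64 are separated only by loop overhead. Please fix the constant and consider a floor of 1 microsecond. The timing comments also disagree with each other ("around 10us" for 2 bytes, "around 20ms" for 4, "around 40ms" for 8), the DecentDelay header contains an unfinished sentence ("Depending on your system"), and the variable name is spelled "Minumum".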

Re: [edk2-devel] [PATCH v6 0/5] Use RngLib instead of TimerLib for OpensslLib

2020-08-13 Thread Matthew Carlson
I'll file a new bugzilla.

https://bugzilla.tianocore.org/show_bug.cgi?id=2897
-Matthew Carlson


On Thu, Aug 13, 2020 at 8:15 AM Yao, Jiewen  wrote:

> Thanks Matthew.
>
> I am OK, if you want to address the RDSEED in follow-up patch series.
>
> Would you please file a new Bugzilla to record this, so we won't lose the
> information ?
>
>
>
> > -Original Message-
> > From: matthewfcarl...@gmail.com 
> > Sent: Thursday, August 13, 2020 6:44 AM
> > To: devel@edk2.groups.io
> > Cc: Ard Biesheuvel ; Anthony Perard ; Yao, Jiewen ; Wang, Jian J ;
> > Julien Grall ; Justen, Jordan L ; Laszlo Ersek ; Gao, Liming ;
> > Leif Lindholm ; Kinney, Michael D ; Lu, XiaoyuX ; Liu, Zhiguang ;
> > Sean Brogan ; Matthew Carlson
> > Subject: [PATCH v6 0/5] Use RngLib instead of TimerLib for OpensslLib
> >
> > From: Matthew Carlson 
> >
> > Hello all,
> >
> > This patch contains a fix for Bugzilla 1871.
> > There's been a good bit of community discussion around the topic,
> > so below follows a general overview of the discussion and what this patch does.
> >
> > Back in Devel message#40590 (https://edk2.groups.io/g/devel/message/40590)
> > around the patch series that updates OpenSSL to 1.1.1b, a comment was made
> > that suggested that platforms be in charge of the entropy/randomness that
> > is provided to OpenSSL as currently the entropy source seems to be a
> > hand-rolled random number generator that uses the PerformanceCounter from
> > TimerLib. This causes OpenSSL to depend on TimerLib, which is often platform
> > specific. In addition to being a potentially weaker source of randomness,
> > this also poses a challenge to compile BaseCryptLibOnProtocol with a platform-
> > agnostic version of TimerLib that works universally.
> >
> > The solution here is to allow platforms to specify their source of entropy in
> > addition to providing two new RngLibs: one that uses the TimerLib as well as
> > one that uses RngProtocol to provide randomness. Then the decision to use
> > RDRAND or other entropy sources is up to the platform. Mixing various entropy
> > sources is the onus of the platform. It has been suggested on Devel#40590 and
> > BZ#1871 that there should be mixing of the PerformanceCounter and RDRAND using
> > something similar to the yarrow algorithm that FreeBSD uses for example. This
> > patch series doesn't offer an RngLib that offers that sort of mixing as the
> > ultimate source of random is defined by the platform.
> >
> > This patch series offers three benefits:
> > 1. Dependency reduction: Removes the need for a platform specific timer
> > library.  We publish a single binary used on numerous platforms for
> > crypto and the introduced timer lib dependency caused issues because we
> > could not fulfill our platform needs with one library instance.
> >
> > 2. Code maintenance: Removing this additional code and leveraging an existing
> > library within Edk2 means less code to maintain.
> >
> > 3. Platform defined quality: A platform can choose which instance to use and
> > the implications of that instance.
> >
> > This patch series seeks to address five separate issues.
> >   1) Use RngLib interface to generate random entropy in rand_pool
> >   2) Remove dependency on TimerLib in OpensslLib
> >   3) Add a new version of RngLib implemented by TimerLib
> >   4) Add a new version of RngLib implemented by EFI_RNG_PROTOCOL
> >   5) Add RngLib to platforms in EDK2 such as ArmVirtPkg and OvmfPkg
> >
> > Since this changes the dependencies of OpenSSL, this has the potential of being
> > a breaking change for platforms in edk2-platforms. The easiest solution is just
> > to use the RngLib that uses the TimerLib as this closely mimics the behavior of
> > OpenSSL prior to this patch series. There is also a null version of RngLib for
> > CI environments that need this change
> > (https://edk2.groups.io/g/devel/message/50432). Though it should be pointed out
> > that in CI environments, the null version of BaseCryptLib or OpenSSL should be
> > used.
> >
> > In addition, it has been suggested that
> > 1) Add AsmRdSeed to BaseLib.
> > 2) Update BaseRngLib to use AsmRdSeed() for the random number,
> > if RdSeed is supported (CPUID BIT18)
> >
> > However, this is largely out of scope for this particular patch series and
> > will likely need to be in a follow-up series later.
> >
> > It is my understanding that the OpenSSL code uses the values provided as a
> > randomness pool rather than a seed or random numbers itself, so the
> > requirements for randomness are not quite as stringent as other applications.
> >
> > For the ArmVirtPkg and OvmfPkg platforms, the patch series here just adds in
> > the TimerLib based RngLib as that is similar to the functionality of before.
> > It is added as a common library so any custom RngLib defined in the DSC
> > should take precedence over the TimerLibRngLib.
> >
> > Ref: 

Re: [edk2-devel] [PATCH v6 2/5] MdePkg: BaseRngLibDxe: Add RngLib that uses RngDxe

2020-08-13 Thread Matthew Carlson
Thanks for the feedback.

I've addressed all the comments except the one about the success handling
pattern. I think the algorithms it requests are made in a specific order so
that it can make some promises regarding the validity of its random number
generation. That said, this is code that another coworker at Microsoft
wrote, so I'm not 100% sure why it does that this particular way.

Do you have a suggestion about what sort of algorithm should be selected?
Perhaps just using the default every time? Keep the pattern as it stands
now but add a final check to use the default if the previous ones fail?

I kept in the check for NULL since any inputs should be
sanitized regardless of where they're coming from. I'm open to adding an
assert there as well to help debuggability.

-Matthew Carlson


On Thu, Aug 13, 2020 at 5:19 AM Ard Biesheuvel 
wrote:

> On 8/13/20 12:43 AM, matthewfcarl...@gmail.com wrote:
> > From: Matthew Carlson 
> >
> > This adds a RngLib that uses the RngProtocol to provide randomness.
> > This means that the RngLib is meant to be used with DXE_DRIVERS.
> >
> > Ref: https://github.com/tianocore/edk2/pull/845
> > Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1871
> >
> > Cc: Ard Biesheuvel 
> > Cc: Michael D Kinney 
> > Cc: Liming Gao 
> > Cc: Zhiguang Liu 
> > Signed-off-by: Matthew Carlson 
> > ---
> >   MdePkg/Library/BaseRngLibDxe/RngDxeLib.c   | 200
> 
> >   MdePkg/Library/BaseRngLibDxe/BaseRngLibDxe.inf |  38 
> >   MdePkg/MdePkg.dsc  |   4 +-
> >   3 files changed, 241 insertions(+), 1 deletion(-)
> >
> > diff --git a/MdePkg/Library/BaseRngLibDxe/RngDxeLib.c
> b/MdePkg/Library/BaseRngLibDxe/RngDxeLib.c
> > new file mode 100644
> > index ..8ee29329de13
> > --- /dev/null
> > +++ b/MdePkg/Library/BaseRngLibDxe/RngDxeLib.c
> > @@ -0,0 +1,200 @@
> > +/** @file
> > + Provides an implementation of the library class RngLib that uses the
> Rng protocol.
> > +
> > +Copyright (c) Microsoft Corporation. All rights reserved.
> > +SPDX-License-Identifier: BSD-2-Clause-Patent
>
> Please use matching indentation
>
> > +
> > +**/
> > +#include 
> > +#include 
> > +#include 
> > +#include 
> > +#include 
> > +
> > +/**
> > +Routine Description:
> > +
> > +Generates a random number via the NIST
> > +800-9A algorithm.  Refer to
> > +http://csrc.nist.gov/groups/STM/cavp/documents/drbg/DRBGVS.pdf
> > +for more information.
> > +
> > +Arguments:
> > +
> > +Buffer  -- Buffer to receive the random number.
> > +BufferSize  -- Number of bytes in Buffer.
> > +
> > +Return Value:
> > +
> > +EFI_SUCCESS or underlying failure code.
> > +
> > +**/
>
> STATIC ?
>
> > +EFI_STATUS
> > +EFIAPI
> > +GenerateRandomNumberViaNist800Algorithm(
>
> space before (
>
> > +  OUT UINT8* Buffer,
>
> put * on the rhs
>
> > +  IN  UINTN  BufferSize
> > +  )
> > +{
> > +  EFI_STATUSStatus;
> > +  EFI_RNG_PROTOCOL* RngProtocol;
>
> likewise
>
> > +
> > +  RngProtocol = NULL;
> > +
> > +  if (Buffer == NULL) {
> > +  DEBUG((DEBUG_ERROR, "[%a] Buffer == NULL.\n", __FUNCTION__));
>
> Could you drop the [] around the function name? This is rather
> unidiomatic for EDK2
>
> > +  return EFI_INVALID_PARAMETER;
> > +  }
> > +
> > +  Status = gBS->LocateProtocol(, NULL, (VOID
> **));
>
> Space before (
>
> > +  if (EFI_ERROR(Status) || RngProtocol == NULL) {
>
> Space before (. Also, I think the second condition could be an ASSERT()
>
> > +  DEBUG((DEBUG_ERROR, "[%a] Could not locate RNG prototocol, Status
> = %r\n", __FUNCTION__, Status));
> > +  return Status;
> > +  }
> > +
> > +  Status = RngProtocol->GetRNG(RngProtocol,
> , BufferSize, Buffer);
> > +  DEBUG((DEBUG_INFO, "[%a] GetRNG algorithm CTR-256 - Status = %r\n",
> __FUNCTION__, Status)); > +  if(!EFI_ERROR(Status)) {
>
> Space after 'if' and before (.
>
> Please do a pass over all the patches, I will stop pointing out the
> spacing around ( from this point.
>
>
> > +return Status;
> > +  }
> > +
> > +  Status = RngProtocol->GetRNG(RngProtocol,
> , BufferSize, Buffer);
> > +  DEBUG((DEBUG_INFO, "[%a] GetRNG algorithm HMAC-256 - Status = %r\n",
> __FUNCTION__, Status));
> > +  if(!EFI_ERROR(Status)) {
> > +return Status;
> > +  }
> > +
> > +  Status = RngProtocol->GetRNG(RngProtocol,
> , BufferSize, Buffer);
> > +  DEBUG((DEBUG_INFO, "[%a] GetRNG algorithm Hash-256 - Status = %r\n",
> __FUNCTION__, Status));
> > +  if(!EFI_ERROR(Status)) {
> > +return Status;
> > +  }
>
> I don't like this 'success handling' pattern tbh. Also, why are these
> algorithms singled out like this? EFI_RNG_PROTOCOL typically has a
> default algorithm, and even raw entropy is perfectly suitable for key
> generation (although perhaps slightly wasteful in some case)
>
> I am aware there is a check in the RdRand RngDxe that refuses to return
> 32 bytes from the raw algorithm, but this is simply a misinterpretation
> of the spec that we should fix at some point,
>
> > 
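Review bot: In GenerateRandomNumberViaNist800Algorithm, the check `if (EFI_ERROR(Status) || RngProtocol == NULL)` returns Status on both branches, so if LocateProtocol reports success but leaves RngProtocol NULL the function returns EFI_SUCCESS without having written Buffer; return an explicit error such as EFI_NOT_FOUND on the NULL branch. The three GetRNG attempts are logged at DEBUG_INFO even when a call fails, the header comment's "800-9A" looks like a typo for 800-90A, and "prototocol" in the DEBUG string should be corrected in the same pass.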

Re: [edk2-devel] [PATCH v6 1/5] MdePkg: TimerRngLib: Added RngLib that uses TimerLib

2020-08-13 Thread Matthew Carlson
Good things to point out. Should be fixed.

The original code in CryptoPkg simply just delayed 10 microseconds and
hoped the performance counter had incremented in that time frame.
https://github.com/tianocore/edk2/blob/313d2ec991039abe24727eced80d8ece1befbc93/CryptoPkg/Library/OpensslLib/rand_pool.c#L45

This new code ensures that we are delaying for at least 1.5 performance
counter ticks, so we're guaranteed to get a different performance counter
value with some hope for randomness. As Mike K pointed out, if a system has
a slow performance counter you just get the same number repeated a few
times.

 Copyright (c) Microsoft Corporation is the preferred way for the Microsoft
copyright

-Matthew Carlson


On Thu, Aug 13, 2020 at 5:09 AM Ard Biesheuvel 
wrote:

> On 8/13/20 12:43 AM, matthewfcarl...@gmail.com wrote:
> > From: Matthew Carlson 
> >
> > Added a new RngLib that provides random numbers from the TimerLib
> > using the performance counter. This is meant to be used for OpenSSL
> > to replicate past behavior. This should not be used in production as
> > a real source of entropy.
> >
> > Ref: https://github.com/tianocore/edk2/pull/845
> > Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1871
> >
> > Cc: Ard Biesheuvel 
> > Cc: Michael D Kinney 
> > Cc: Liming Gao 
> > Cc: Zhiguang Liu 
> > Signed-off-by: Matthew Carlson 
> > ---
> >   MdePkg/Library/BaseRngLibTimerLib/RngLibTimer.c  | 187
> 
> >   MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf |  40 +
> >   MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.uni |  17 ++
> >   MdePkg/MdePkg.dsc|   3 +-
> >   4 files changed, 246 insertions(+), 1 deletion(-)
> >
> > diff --git a/MdePkg/Library/BaseRngLibTimerLib/RngLibTimer.c
> b/MdePkg/Library/BaseRngLibTimerLib/RngLibTimer.c
> > new file mode 100644
> > index ..915382fb9278
> > --- /dev/null
> > +++ b/MdePkg/Library/BaseRngLibTimerLib/RngLibTimer.c
> > @@ -0,0 +1,187 @@
> > +/** @file
> > +  BaseRng Library that uses the TimerLib to provide reasonably random
> numbers.
> > +  Do not use this on a production system.
> > +
> > +  Copyright (c) Microsoft Corporation.
> > +  SPDX-License-Identifier: BSD-2-Clause-Patent
> > +**/
> > +
> > +#include 
> > +#include 
> > +#include 
> > +#include 
> > +
> > +/**
> > + * Using the TimerLib GetPerformanceCounterProperties() we delay
> > + * for enough time for the PerformanceCounter to increment.
> > + * Depending on your system
> > + *
> > + * If the return value from GetPerformanceCounterProperties (TimerLib)
> > + * is zero, this function will not delay and attempt to assert.
> > + */
>
> Make this STATIC please
>
> > +VOID
> > +EFIAPI
> > +DecentDelay(
>
> space before (
>
> > +  VOID
> > +  )
> > +{
> > +  UINT64 StartValue;
> > +  UINT64 EndValue;
> > +  UINT64 CounterHz;
> > +  UINT64 MinumumDelayInMicroSeconds;
>
> newline here
>
> > +  // Get the counter properties
> > +  CounterHz = GetPerformanceCounterProperties(, );
>
> space before (
>
> > +  // Make sure we won't divide by zero
> > +  if (CounterHz == 0) {
> > +ASSERT(FALSE); // Assert so the developer knows something is wrong
>
> This will print
>
> ASSERT (FALSE)
>
> into the DEBUG log, whereas
>
> ASSERT (CounterHz != 0)
>
> will appear if you assert on the actual value, which is much more useful.
>
> > +return;
> > +  }
> > +  // Calculate the minimum delay based on 1.5 microseconds divided by
> the hertz.
> > +  // We calculate the length of a cycle (1/CounterHz) and multiply it
> by 1.5 microseconds
> > +  // This ensures that the performance counter has increased by at
> least one
> > +  MinumumDelayInMicroSeconds = 150 / CounterHz;
> > +
> > +  MicroSecondDelay(MinumumDelayInMicroSeconds);
>
> Space before (
>
> > +}
> > +
> > +
> > +/**
> > +  Generates a 16-bit random number.
> > +
> > +  if Rand is NULL, then ASSERT().
> > +
> > +  @param[out] Rand Buffer pointer to store the 16-bit random value.
> > +
> > +  @retval TRUE Random number generated successfully.
> > +  @retval FALSEFailed to generate the random number.
> > +
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +GetRandomNumber16 (
> > +  OUT UINT16*Rand
> > +  )
> > +{
> > +  UINT32  Index;
> > +  UINT8* RandPtr;
>
> Please align the variable names vertically, and put the * on the right
> hand side.
>
> > +
> > +  ASSERT (Rand != NULL);
> > +
> > +  if (NULL == Rand) {
>
> No yoda style comparisons please
>
> > +return FALSE;
> > +  }
> > +
> > +  RandPtr = (UINT8 *) Rand;
>
> Please drop the space after )
>
> > +  // Get 2 bytes of random ish data
> > +  // This should take around 10us
> > +  for (Index = 0; Index < 2; Index ++) {
> > +*RandPtr = (UINT8) (GetPerformanceCounter () & 0xFF);
>
> Same here
>
> > +DecentDelay (); // delay to give chance for performance counter to
> catch up
>
> So the delay is intended to ensure that the perf counter assumes its
> prior value + 
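Review bot: In DecentDelay, `MinumumDelayInMicroSeconds = 150 / CounterHz;` is an integer division, so for any CounterHz larger than the numerator it evaluates to 0 and MicroSecondDelay is called with no delay at all, which defeats the purpose of letting the counter advance between the two samples taken in GetRandomNumber16; round the quotient up or clamp it to at least 1. The comment above that line says "1.5 microseconds" where the cover text talks about 1.5 performance counter ticks, the block comment above the function breaks off at "Depending on your system", and the variable name is misspelled (Minimum).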

Re: [edk2-devel] [PATCH EDK2 v2 1/1] SecurityPkg/DxeImageVerificationLib:Enhanced verification of Offset

2020-08-13 Thread Laszlo Ersek
On 08/13/20 13:55, Wenyi Xie wrote:
> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2215
>
> There is an integer overflow vulnerability in DxeImageVerificationHandler
> function when parsing the PE files attribute certificate table. In cases
> where WinCertificate->dwLength is sufficiently large, it's possible to
> overflow Offset back to 0 causing an endless loop.
>
> Check offset in between VirtualAddress and VirtualAddress + Size.
> Using SafeIntLib to do offset addition with result check.
>
> Cc: Jiewen Yao 
> Cc: Jian J Wang 
> Cc: Laszlo Ersek 
> Signed-off-by: Wenyi Xie 
> ---
>  SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf |   
> 1 +
>  SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.h   |   
> 1 +
>  SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c   | 
> 111 +++-
>  3 files changed, 63 insertions(+), 50 deletions(-)
>
> diff --git 
> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf 
> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
> index 1e1a639857e0..a7ac4830b3d4 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
> @@ -53,6 +53,7 @@ [LibraryClasses]
>SecurityManagementLib
>PeCoffLib
>TpmMeasurementLib
> +  SafeIntLib
>
>  [Protocols]
>gEfiFirmwareVolume2ProtocolGuid   ## SOMETIMES_CONSUMES
> diff --git 
> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.h 
> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.h
> index 17955ff9774c..060273917d5d 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.h
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.h
> @@ -23,6 +23,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
>  #include 
>  #include 
>  #include 
> +#include 
>  #include 
>  #include 
>  #include 
> diff --git 
> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c 
> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index 36b87e16d53d..dbc03e28c05b 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> @@ -1658,6 +1658,10 @@ DxeImageVerificationHandler (
>EFI_STATUS   HashStatus;
>EFI_STATUS   DbStatus;
>BOOLEAN  IsFound;
> +  UINT32   AlignedLength;
> +  UINT32   Result;
> +  EFI_STATUS   AddStatus;
> +  BOOLEAN  IsAuthDataAssigned;
>
>SignatureList = NULL;
>SignatureListSize = 0;
> @@ -1667,6 +1671,7 @@ DxeImageVerificationHandler (
>Action= EFI_IMAGE_EXECUTION_AUTH_UNTESTED;
>IsVerified= FALSE;
>IsFound   = FALSE;
> +  Result= 0;
>
>//
>// Check the image type and get policy setting.
> @@ -1850,9 +1855,10 @@ DxeImageVerificationHandler (
>// The first certificate starts at offset (SecDataDir->VirtualAddress) 
> from the start of the file.
>//
>for (OffSet = SecDataDir->VirtualAddress;
> -   OffSet < (SecDataDir->VirtualAddress + SecDataDir->Size);
> -   OffSet += (WinCertificate->dwLength + ALIGN_SIZE 
> (WinCertificate->dwLength))) {
> +   (OffSet >= SecDataDir->VirtualAddress) && (OffSet < 
> (SecDataDir->VirtualAddress + SecDataDir->Size));) {
> +IsAuthDataAssigned = FALSE;
>  WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
> +AlignedLength = WinCertificate->dwLength + ALIGN_SIZE 
> (WinCertificate->dwLength);
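Review bot: In the rewritten loop, `AlignedLength = WinCertificate->dwLength + ALIGN_SIZE (WinCertificate->dwLength)` is still a plain UINT32 addition, and it reads dwLength before anything visible in this hunk has confirmed that a WIN_CERTIFICATE header fits between OffSet and the end of the directory, so the checked addition the commit message describes can be handed a value that has already wrapped. The loop bound `SecDataDir->VirtualAddress + SecDataDir->Size` is likewise unchecked. Do the remaining-size test first, then compute the padded length and the directory end with SafeIntLib. With the increment moved out of the `for` header, every path through the body that does not leave the loop also has to advance OffSet.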

I disagree with this patch.

The primary reason for my disagreement is that the bug report is inexact,
and so this patch tries to fix the wrong thing.

With edk2 master at commit 65904cdbb33c, it is *not* possible to
overflow the OffSet variable to zero with "WinCertificate->dwLength"
*purely*, and cause an endless loop. Note that we have (at commit
65904cdbb33c):

  for (OffSet = SecDataDir->VirtualAddress;
       OffSet < (SecDataDir->VirtualAddress + SecDataDir->Size);
       OffSet += (WinCertificate->dwLength + ALIGN_SIZE (WinCertificate->dwLength))) {
    WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
    if ((SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) <= sizeof (WIN_CERTIFICATE) ||
        (SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) < WinCertificate->dwLength) {
      break;
    }

The last sub-condition checks whether the Security Data Directory has
enough room left for "WinCertificate->dwLength". If not, then we break
out of the loop.

If we *do* have enough room, that is:

  (SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) >= 
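The bounds reasoning in the message above, as an added example (not part of the original message and not edk2 code): a stand-alone C walker over a WIN_CERTIFICATE table that checks the directory end, the remaining room and the padded step before each read. It goes beyond the case in the text by also rejecting a dwLength smaller than the header; `walk_cert_table`, `add_u32` (standing in for the SafeIntLib addition the patch mentions) and the sample image are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* WIN_CERTIFICATE header: dwLength (4) + wRevision (2) + wCertificateType (2). */
#define CERT_HDR_SIZE 8u

typedef enum {
  WALK_OK = 0,
  WALK_BAD_DIRECTORY,    /* VirtualAddress + Size wraps or leaves the image */
  WALK_TRUNCATED_HEADER, /* not enough room left for a header plus payload */
  WALK_BAD_LENGTH        /* dwLength too small or large, or padded step overshoots */
} walk_status;

static uint32_t rd32le(const uint8_t *p)
{
  return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
         ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v)
{
  p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
  p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Bytes needed to round len up to a multiple of 8 (what ALIGN_SIZE yields). */
static uint32_t align_pad(uint32_t len) { return (8u - (len & 7u)) & 7u; }

/* Checked add: 0 on success, -1 if a + b does not fit in 32 bits. */
static int add_u32(uint32_t a, uint32_t b, uint32_t *sum)
{
  if (a > UINT32_MAX - b) return -1;
  *sum = a + b;
  return 0;
}

/* Walk the certificate table occupying [va, va + size) of the image and
   count its entries. Every read is preceded by the check that bounds it. */
walk_status walk_cert_table(const uint8_t *image, uint32_t image_size,
                            uint32_t va, uint32_t size, uint32_t *count)
{
  uint32_t end, off, remaining, len, step = 0;

  *count = 0;
  if (add_u32(va, size, &end) != 0 || end > image_size)
    return WALK_BAD_DIRECTORY;

  for (off = va; off < end; off += step) {
    remaining = end - off;              /* off < end, so no underflow */
    if (remaining <= CERT_HDR_SIZE)
      return WALK_TRUNCATED_HEADER;

    len = rd32le(image + off);          /* header is known to fit */
    if (len < CERT_HDR_SIZE || len > remaining)
      return WALK_BAD_LENGTH;

    /* len <= remaining does not bound len + padding: check the sum, then
       require the padded entry to stay inside the directory. */
    if (add_u32(len, align_pad(len), &step) != 0 || step > remaining)
      return WALK_BAD_LENGTH;

    (*count)++;                         /* step >= 8, so the loop advances */
  }
  return WALK_OK;
}

int main(void)
{
  /* Constructed sample: 64-byte "image", table at offset 16, two entries
     with dwLength 12 (padded to 16) and 16. */
  uint8_t img[64];
  uint32_t n = 0;
  walk_status s;

  memset(img, 0, sizeof img);
  wr32le(img + 16, 12);
  wr32le(img + 32, 16);
  s = walk_cert_table(img, sizeof img, 16, 32, &n);
  printf("well-formed: status=%d entries=%u\n", (int)s, (unsigned)n);

  wr32le(img + 16, 0xFFFFFFFCu);        /* oversized dwLength */
  s = walk_cert_table(img, sizeof img, 16, 32, &n);
  printf("huge dwLength: status=%d\n", (int)s);

  s = walk_cert_table(img, sizeof img, 0xFFFFFFF0u, 0x20u, &n);
  printf("wrapping directory: status=%d\n", (int)s);
  return 0;
}
```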

Re: [edk2-devel] [edk2-platform][PATCH v1 1/1] Platforms/RaspberryPi: Fix DBG2 UART namespace reference

2020-08-13 Thread Ard Biesheuvel

On 8/13/20 5:13 PM, Pete Batard wrote:

On 2020.08.13 15:27, Samer El-Haj-Mahmoud wrote:

The UART namespace reference in DBG2 is incorrect. Fix to point to the
correct name.

This fixes the certification failure reported by FWTS tests at:
https://github.com/pftf/RPi4/issues/69

Cc: Leif Lindholm 
Cc: Pete Batard 
Cc: Andrei Warkentin 
Cc: Ard Biesheuvel 
Signed-off-by: Samer El-Haj-Mahmoud 
---
  Platform/RaspberryPi/AcpiTables/Dbg2.aslc | 8 
  1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/Platform/RaspberryPi/AcpiTables/Dbg2.aslc 
b/Platform/RaspberryPi/AcpiTables/Dbg2.aslc

index c35b15693f5a..e3f2adae7e21 100644
--- a/Platform/RaspberryPi/AcpiTables/Dbg2.aslc
+++ b/Platform/RaspberryPi/AcpiTables/Dbg2.aslc
@@ -3,7 +3,7 @@
   *  Debug Port Table (DBG2)
   *
   *  Copyright (c) 2019, Pete Batard 
- *  Copyright (c) 2012-2016, ARM Limited. All rights reserved.
+ *  Copyright (c) 2012-2020, ARM Limited. All rights reserved.
   *
   *  SPDX-License-Identifier: BSD-2-Clause-Patent
   *
@@ -21,13 +21,13 @@
  #define RPI_DBG2_NUM_DEBUG_PORTS    1
  #define RPI_DBG2_NUMBER_OF_GENERIC_ADDRESS_REGISTERS    1
-#define RPI_DBG2_NAMESPACESTRING_FIELD_SIZE 10
+#define RPI_DBG2_NAMESPACESTRING_FIELD_SIZE 15
  #if (RPI_MODEL == 4)
  #define RPI_UART_INTERFACE_TYPE 
EFI_ACPI_DBG2_PORT_SUBTYPE_SERIAL_ARM_PL011_UART
  #define RPI_UART_BASE_ADDRESS   
BCM2836_PL011_UART_BASE_ADDRESS
  #define RPI_UART_LENGTH 
BCM2836_PL011_UART_LENGTH
-#define RPI_UART_STR    { '\\', '_', 
'S', 'B', '.', 'U', 'R', 'T', '0', 0x00 }
+#define RPI_UART_STR    { '\\', '_', 
'S', 'B', '.', 'G', 'D', 'V', '0', '.', 'U', 'R', 'T', '0', 0x00 }

  #else
  #define RPI_UART_INTERFACE_TYPE 
EFI_ACPI_DBG2_PORT_SUBTYPE_SERIAL_BCM2835_UART
  #define RPI_UART_BASE_ADDRESS   
BCM2836_MINI_UART_BASE_ADDRESS
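Review bot: RPI_DBG2_NAMESPACESTRING_FIELD_SIZE is a hand-counted constant (now 15) that has to equal the number of initializers in both RPI_UART_STR variants, and nothing in this hunk ties them together, so the next rename depends on someone recounting the characters. Derive the size from the string or add a STATIC_ASSERT on the array size, and update the "should match the value used Uart.asl" comment to say that the device now sits under \_SB.GDV0.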

@@ -35,7 +35,7 @@
  //
  // RPI_UART_STR should match the value used Uart.asl
  //
-#define RPI_UART_STR    { '\\', '_', 
'S', 'B', '.', 'U', 'R', 'T', 'M', 0x00 }
+#define RPI_UART_STR    { '\\', '_', 
'S', 'B', '.', 'G', 'D', 'V', '0', '.', 'U', 'R', 'T', 'M', 0x00 }

  #endif
  typedef struct {



Reviewed-by: Pete Batard 



Thanks

Pushed as cec6bb18ae97..fe34d84a73cf


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#64242): https://edk2.groups.io/g/devel/message/64242
Mute This Topic: https://groups.io/mt/76168434/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [edk2-devel] [edk2-test] [PATCH 1/1] uefi-sct/SctPkg: fix variable services conformance test

2020-08-13 Thread G Edhaya Chandran
Hello Heinrich,

The patches are under review.
Will complete the review and merge by end of this week.

With Warm Regards,
Edhay

> -----Original Message-----
> From: devel@edk2.groups.io  On Behalf Of Heinrich
> Schuchardt via groups.io
> Sent: 12 August 2020 19:25
> To: devel@edk2.groups.io; G Edhaya Chandran 
> Cc: Samer El-Haj-Mahmoud ; Eric Jin
> 
> Subject: Re: [edk2-devel] [edk2-test] [PATCH 1/1] uefi-sct/SctPkg: fix 
> variable
> services conformance test
>
> On 8/4/20 1:13 PM, Samer El-Haj-Mahmoud wrote:
> > Reviewed-by: Samer El-Haj-Mahmoud 
>
> Dear Edhaya,
>
> could you, please, consider these patches
>
> https://edk2.groups.io/g/devel/message/63354
> https://edk2.groups.io/g/devel/message/52599
>
> for review and merging.
>
> Best regards
>
> Heinrich
>
> 


View/Reply Online (#64241): https://edk2.groups.io/g/devel/message/64241



[edk2-devel] [PATCH v15 44/46] OvmfPkg: Move the GHCB allocations into reserved memory

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

After having transitioned from UEFI to the OS, the OS will need to boot
the APs. For an SEV-ES guest, the APs will have been parked by UEFI using
GHCB pages allocated by UEFI. The hypervisor will write to the GHCB
SW_EXITINFO2 field of the GHCB when the AP is booted. As a result, the
GHCB pages must be marked reserved so that the OS does not attempt to use
them and experience memory corruption because of the hypervisor write.

Change the GHCB allocation from the default boot services memory to
reserved memory.

Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Reviewed-by: Laszlo Ersek 
Signed-off-by: Tom Lendacky 
---
 OvmfPkg/PlatformPei/AmdSev.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c
index a2b38c591236..4a515a484720 100644
--- a/OvmfPkg/PlatformPei/AmdSev.c
+++ b/OvmfPkg/PlatformPei/AmdSev.c
@@ -51,9 +51,11 @@ AmdSevEsInitialize (
 
   //
   // Allocate GHCB and per-CPU variable pages.
+  //   Since the pages must survive across the UEFI to OS transition
+  //   make them reserved.
   //
   GhcbPageCount = mMaxCpuCount * 2;
-  GhcbBase = AllocatePages (GhcbPageCount);
+  GhcbBase = AllocateReservedPages (GhcbPageCount);
   ASSERT (GhcbBase != NULL);
 
   GhcbBasePa = (PHYSICAL_ADDRESS)(UINTN) GhcbBase;
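Review bot: After the switch to AllocateReservedPages, the only guard on the allocation is still `ASSERT (GhcbBase != NULL)`, which does nothing in a build with asserts disabled, and GhcbBasePa is then derived from a NULL pointer; since these pages are shared with the hypervisor and must stay valid into the OS, fail explicitly (for example with CpuDeadLoop) when the allocation returns NULL. The new comment would also be more useful if it named the reason given in the commit message: the hypervisor writes SW_EXITINFO2 in the GHCB when the OS boots an AP.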
-- 
2.28.0


View/Reply Online (#64238): https://edk2.groups.io/g/devel/message/64238



[edk2-devel] [PATCH v15 45/46] UefiCpuPkg/MpInitLib: Prepare SEV-ES guest APs for OS use

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

Before UEFI transfers control to the OS, it must park the AP. This is
done using the AsmRelocateApLoop function to transition into 32-bit
non-paging mode. For an SEV-ES guest, a few additional things must be
done:
  - AsmRelocateApLoop must be updated to support SEV-ES. This means
performing a VMGEXIT AP Reset Hold instead of an MWAIT or HLT loop.
  - Since the AP must transition to real mode, a small routine is copied
to the WakeupBuffer area. Since the WakeupBuffer will be used by
the AP during OS booting, it must be placed in reserved memory.
Additionally, the AP stack must be located where it can be accessed
in real mode.
  - Once the AP is in real mode it will transfer control to the
destination specified by the OS in the SEV-ES AP Jump Table. The
SEV-ES AP Jump Table address is saved by the hypervisor for the OS
using the GHCB VMGEXIT AP Jump Table exit code.

Cc: Eric Dong 
Cc: Ray Ni 
Cc: Laszlo Ersek 
Reviewed-by: Eric Dong 
Signed-off-by: Tom Lendacky 
---
 UefiCpuPkg/Library/MpInitLib/MpLib.h   |   8 +-
 UefiCpuPkg/Library/MpInitLib/DxeMpLib.c|  54 +++-
 UefiCpuPkg/Library/MpInitLib/Ia32/MpFuncs.nasm |   5 +-
 UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm  | 130 ++--
 4 files changed, 179 insertions(+), 18 deletions(-)

diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.h 
b/UefiCpuPkg/Library/MpInitLib/MpLib.h
index b1a9d99cb3eb..02652eaae126 100644
--- a/UefiCpuPkg/Library/MpInitLib/MpLib.h
+++ b/UefiCpuPkg/Library/MpInitLib/MpLib.h
@@ -293,7 +293,8 @@ struct _CPU_MP_DATA {
   UINT64 GhcbBase;
 };
 
-#define AP_RESET_STACK_SIZE 64
+#define AP_SAFE_STACK_SIZE  128
+#define AP_RESET_STACK_SIZE AP_SAFE_STACK_SIZE
 
 #pragma pack(1)
 
@@ -350,7 +351,10 @@ VOID
   IN UINTN   ApTargetCState,
   IN UINTN   PmCodeSegment,
   IN UINTN   TopOfApStack,
-  IN UINTN   NumberToFinish
+  IN UINTN   NumberToFinish,
+  IN UINTN   Pm16CodeSegment,
+  IN UINTN   SevEsAPJumpTable,
+  IN UINTN   WakeupBuffer
   );
 
 /**
diff --git a/UefiCpuPkg/Library/MpInitLib/DxeMpLib.c 
b/UefiCpuPkg/Library/MpInitLib/DxeMpLib.c
index 9115ff9e3e30..2c00d72ddefe 100644
--- a/UefiCpuPkg/Library/MpInitLib/DxeMpLib.c
+++ b/UefiCpuPkg/Library/MpInitLib/DxeMpLib.c
@@ -12,6 +12,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 
@@ -85,6 +86,13 @@ GetWakeupBuffer (
 {
   EFI_STATUS  Status;
   EFI_PHYSICAL_ADDRESSStartAddress;
+  EFI_MEMORY_TYPE MemoryType;
+
+  if (PcdGetBool (PcdSevEsIsEnabled)) {
+MemoryType = EfiReservedMemoryType;
+  } else {
+MemoryType = EfiBootServicesData;
+  }
 
   //
   // Try to allocate buffer below 1M for waking vector.
@@ -97,7 +105,7 @@ GetWakeupBuffer (
   StartAddress = 0x88000;
   Status = gBS->AllocatePages (
   AllocateMaxAddress,
-  EfiBootServicesData,
+  MemoryType,
   EFI_SIZE_TO_PAGES (WakeupBufferSize),
   
   );
@@ -159,8 +167,10 @@ GetSevEsAPMemory (
   VOID
   )
 {
-  EFI_STATUSStatus;
-  EFI_PHYSICAL_ADDRESS  StartAddress;
+  EFI_STATUSStatus;
+  EFI_PHYSICAL_ADDRESS  StartAddress;
+  MSR_SEV_ES_GHCB_REGISTER  Msr;
+  GHCB  *Ghcb;
 
   //
   // Allocate 1 page for AP jump table page
@@ -176,6 +186,16 @@ GetSevEsAPMemory (
 
   DEBUG ((DEBUG_INFO, "Dxe: SevEsAPMemory = %lx\n", (UINTN) StartAddress));
 
+  //
+  // Save the SevEsAPMemory as the AP jump table.
+  //
+  Msr.GhcbPhysicalAddress = AsmReadMsr64 (MSR_SEV_ES_GHCB);
+  Ghcb = Msr.Ghcb;
+
+  VmgInit (Ghcb);
+  VmgExit (Ghcb, SVM_EXIT_AP_JUMP_TABLE, 0, (UINT64) (UINTN) StartAddress);
+  VmgDone (Ghcb);
+
   return (UINTN) StartAddress;
 }
 
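Review bot: In GetSevEsAPMemory, the result of the `VmgExit (Ghcb, SVM_EXIT_AP_JUMP_TABLE, 0, ...)` call is not examined and Ghcb is taken from the MSR without any check, so a hypervisor that does not accept the jump table address goes unnoticed and the failure only surfaces later when the OS tries to start the APs. Check the result and log or assert on failure, and extend the comment to say that this VMGEXIT is what hands the address to the hypervisor for the OS.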
@@ -330,17 +350,26 @@ RelocateApLoop (
   BOOLEANMwaitSupport;
   ASM_RELOCATE_AP_LOOP   AsmRelocateApLoopFunc;
   UINTN  ProcessorNumber;
+  UINTN  StackStart;
 
   MpInitLibWhoAmI ();
   CpuMpData= GetCpuMpData ();
   MwaitSupport = IsMwaitSupport ();
+  if (CpuMpData->SevEsIsEnabled) {
+StackStart = CpuMpData->SevEsAPResetStackStart;
+  } else {
+StackStart = mReservedTopOfApStack;
+  }
   AsmRelocateApLoopFunc = (ASM_RELOCATE_AP_LOOP) (UINTN) mReservedApLoopFunc;
   AsmRelocateApLoopFunc (
 MwaitSupport,
 CpuMpData->ApTargetCState,
 CpuMpData->PmCodeSegment,
-mReservedTopOfApStack - ProcessorNumber * AP_SAFE_STACK_SIZE,
-(UINTN) 
+StackStart - ProcessorNumber * AP_SAFE_STACK_SIZE,
+(UINTN) ,
+CpuMpData->Pm16CodeSegment,
+CpuMpData->SevEsAPBuffer,
+CpuMpData->WakeupBuffer
 );
   //
   // It should never reach here
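Review bot: The prototype in MpLib.h names the new seventh argument SevEsAPJumpTable, but the call here passes `CpuMpData->SevEsAPBuffer`; use one name for the same thing or document how the two relate. Also, `StackStart - ProcessorNumber * AP_SAFE_STACK_SIZE` now counts downward from SevEsAPResetStackStart when SEV-ES is enabled, and nothing visible here shows that region being sized for every AP at AP_SAFE_STACK_SIZE (128) bytes each; an ASSERT or a comment stating the reserved size would make that checkable.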
@@ -374,6 +403,21 @@ MpInitChangeApLoopCallback (
   while (mNumberToFinish > 0) {
 

[edk2-devel] [PATCH v15 46/46] Maintainers.txt: Add reviewers for the OvmfPkg SEV-related files

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

Register reviewers for the SEV-related files in OvmfPkg.

Cc: Andrew Fish 
Cc: Laszlo Ersek 
Cc: Leif Lindholm 
Cc: Michael D Kinney 
Cc: Brijesh Singh 
Acked-by: Brijesh Singh 
Reviewed-by: Laszlo Ersek 
Signed-off-by: Tom Lendacky 
---
 Maintainers.txt | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/Maintainers.txt b/Maintainers.txt
index 4c163496b1b0..f673ddd2b38c 100644
--- a/Maintainers.txt
+++ b/Maintainers.txt
@@ -441,6 +441,16 @@ F: OvmfPkg/PvScsiDxe/
 R: Liran Alon 
 R: Nikita Leshenko 
 
+OvmfPkg: SEV-related modules
+F: OvmfPkg/AmdSevDxe/
+F: OvmfPkg/Include/Library/MemEncryptSevLib.h
+F: OvmfPkg/IoMmuDxe/AmdSevIoMmu.*
+F: OvmfPkg/Library/BaseMemEncryptSevLib/
+F: OvmfPkg/Library/VmgExitLib/
+F: OvmfPkg/PlatformPei/AmdSev.c
+R: Tom Lendacky 
+R: Brijesh Singh 
+
 OvmfPkg: TCG- and TPM2-related modules
 F: OvmfPkg/Include/IndustryStandard/QemuTpm.h
 F: OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
-- 
2.28.0


View/Reply Online (#64240): https://edk2.groups.io/g/devel/message/64240



[edk2-devel] [PATCH v15 40/46] UefiCpuPkg: Add a 16-bit protected mode code segment descriptor

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

A hypervisor is not allowed to update an SEV-ES guest's register state,
so when booting an SEV-ES guest AP, the hypervisor is not allowed to
set the RIP to the guest requested value. Instead, an SEV-ES AP must be
transitioned from 64-bit long mode to 16-bit real mode in response to an
INIT-SIPI-SIPI sequence. This requires a 16-bit code segment descriptor.
For PEI, create this descriptor in the reset vector GDT table. For DXE,
create this descriptor from the newly reserved entry at location 0x28.

Cc: Eric Dong 
Cc: Ray Ni 
Cc: Laszlo Ersek 
Reviewed-by: Eric Dong 
Signed-off-by: Tom Lendacky 
---
 UefiCpuPkg/CpuDxe/CpuGdt.h  | 4 ++--
 UefiCpuPkg/CpuDxe/CpuGdt.c  | 8 
 UefiCpuPkg/ResetVector/Vtf0/Ia16/Real16ToFlat32.asm | 9 +
 3 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/UefiCpuPkg/CpuDxe/CpuGdt.h b/UefiCpuPkg/CpuDxe/CpuGdt.h
index 3a0210b2f172..1c94487cbee8 100644
--- a/UefiCpuPkg/CpuDxe/CpuGdt.h
+++ b/UefiCpuPkg/CpuDxe/CpuGdt.h
@@ -36,7 +36,7 @@ struct _GDT_ENTRIES {
   GDT_ENTRY LinearCode;
   GDT_ENTRY SysData;
   GDT_ENTRY SysCode;
-  GDT_ENTRY Spare4;
+  GDT_ENTRY SysCode16;
   GDT_ENTRY LinearData64;
   GDT_ENTRY LinearCode64;
   GDT_ENTRY Spare5;
@@ -49,7 +49,7 @@ struct _GDT_ENTRIES {
 #define LINEAR_CODE_SEL   OFFSET_OF (GDT_ENTRIES, LinearCode)
 #define SYS_DATA_SEL  OFFSET_OF (GDT_ENTRIES, SysData)
 #define SYS_CODE_SEL  OFFSET_OF (GDT_ENTRIES, SysCode)
-#define SPARE4_SELOFFSET_OF (GDT_ENTRIES, Spare4)
+#define SYS_CODE16_SELOFFSET_OF (GDT_ENTRIES, SysCode16)
 #define LINEAR_DATA64_SEL OFFSET_OF (GDT_ENTRIES, LinearData64)
 #define LINEAR_CODE64_SEL OFFSET_OF (GDT_ENTRIES, LinearCode64)
 #define SPARE5_SELOFFSET_OF (GDT_ENTRIES, Spare5)
diff --git a/UefiCpuPkg/CpuDxe/CpuGdt.c b/UefiCpuPkg/CpuDxe/CpuGdt.c
index 64efadeba601..a1ab543f2da5 100644
--- a/UefiCpuPkg/CpuDxe/CpuGdt.c
+++ b/UefiCpuPkg/CpuDxe/CpuGdt.c
@@ -70,14 +70,14 @@ STATIC GDT_ENTRIES GdtTemplate = {
 0x0,
   },
   //
-  // SPARE4_SEL
+  // SYS_CODE16_SEL
   //
   {
-0x0,// limit 15:0
+0x0,// limit 15:0
 0x0,// base 15:0
 0x0,// base 23:16
-0x0,// type
-0x0,// limit 19:16, flags
+0x09A,  // present, ring 0, code, execute/read
+0x08F,  // page-granular, 16-bit
 0x0,// base 31:24
   },
   //
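Review bot: The flags byte 0x08F for SYS_CODE16_SEL sets the granularity bit together with limit 19:16 = 0xF, so this 16-bit code segment is page-granular rather than capped at 64 KiB; if that is what the transition described in the commit message needs, the comment should say why, since a reader expects a 16-bit segment to be byte-granular. The replaced comments also drop the field names ("type", "limit 19:16, flags") that the removed lines carried, which makes this entry harder to compare against its neighbours.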
diff --git a/UefiCpuPkg/ResetVector/Vtf0/Ia16/Real16ToFlat32.asm 
b/UefiCpuPkg/ResetVector/Vtf0/Ia16/Real16ToFlat32.asm
index ce4ebfffb688..0e79a3984b16 100644
--- a/UefiCpuPkg/ResetVector/Vtf0/Ia16/Real16ToFlat32.asm
+++ b/UefiCpuPkg/ResetVector/Vtf0/Ia16/Real16ToFlat32.asm
@@ -129,5 +129,14 @@ LINEAR_CODE64_SEL   equ $-GDT_BASE
 DB  0; base 31:24
 %endif
 
+; linear code segment descriptor
+LINEAR_CODE16_SEL equ $-GDT_BASE
+DW  0x   ; limit 15:0
+DW  0; base 15:0
+DB  0; base 23:16
+DB  PRESENT_FLAG(1)|DPL(0)|SYSTEM_FLAG(1)|DESC_TYPE(CODE32_TYPE)
+DB  
GRANULARITY_FLAG(1)|DEFAULT_SIZE32(0)|CODE64_FLAG(0)|UPPER_LIMIT(0xf)
+DB  0; base 31:24
+
 GDT_END:
 
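Review bot: The new descriptor is introduced with the comment "linear code segment descriptor" and uses `DESC_TYPE(CODE32_TYPE)`; only `DEFAULT_SIZE32(0)` marks it as 16-bit. Say "16-bit" in the comment, and either match the DXE name (SYS_CODE16_SEL in CpuGdt.h) or note why the reset vector calls it LINEAR_CODE16_SEL, so the two GDTs can be cross-referenced.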
-- 
2.28.0


View/Reply Online (#64234): https://edk2.groups.io/g/devel/message/64234



[edk2-devel] [PATCH v15 43/46] OvmfPkg: Use the SEV-ES work area for the SEV-ES AP reset vector

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

A hypervisor is not allowed to update an SEV-ES guest's register state,
so when booting an SEV-ES guest AP, the hypervisor is not allowed to
set the RIP to the guest requested value. Instead an SEV-ES AP must be
re-directed from within the guest to the actual requested starting location
as specified in the INIT-SIPI-SIPI sequence.

Use the SEV-ES work area for the reset vector code that contains support
to jump to the desired RIP location after having been started. This is
required for only the very first AP reset.

This new OVMF source file, ResetVectorVtf0.asm, is used in place of the
original file through the use of the include path order set in
OvmfPkg/ResetVector/ResetVector.inf under "[BuildOptions]".

Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Reviewed-by: Laszlo Ersek 
Signed-off-by: Tom Lendacky 
---
 OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 100 
 OvmfPkg/ResetVector/ResetVector.nasmb|   1 +
 2 files changed, 101 insertions(+)

diff --git a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm 
b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm
new file mode 100644
index ..980e0138e7fe
--- /dev/null
+++ b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm
@@ -0,0 +1,100 @@
+;--
+; @file
+; First code executed by processor after resetting.
+; Derived from UefiCpuPkg/ResetVector/Vtf0/Ia16/ResetVectorVtf0.asm
+;
+; Copyright (c) 2008 - 2014, Intel Corporation. All rights reserved.
+; SPDX-License-Identifier: BSD-2-Clause-Patent
+;
+;--
+
+BITS16
+
+ALIGN   16
+
+;
+; Pad the image size to 4k when page tables are in VTF0
+;
+; If the VTF0 image has page tables built in, then we need to make
+; sure the end of VTF0 is 4k above where the page tables end.
+;
+; This is required so the page tables will be 4k aligned when VTF0 is
+; located just below 0x1 (4GB) in the firmware device.
+;
+%ifdef ALIGN_TOP_TO_4K_FOR_PAGING
+TIMES (0x1000 - ($ - EndOfPageTables) - 0x20) DB 0
+%endif
+
+;
+; SEV-ES Processor Reset support
+;
+; sevEsResetBlock:
+;   For the initial boot of an AP under SEV-ES, the "reset" RIP must be
+;   programmed to the RAM area defined by SEV_ES_AP_RESET_IP. A known offset
+;   and GUID will be used to locate this block in the firmware and extract
+;   the build time RIP value. The GUID must always be 48 bytes from the
+;   end of the firmware.
+;
+;   0xffca (-0x36) - IP value
+;   0xffcc (-0x34) - CS segment base [31:16]
+;   0xffce (-0x32) - Size of the SEV-ES reset block
+;   0xffd0 (-0x30) - SEV-ES reset block GUID
+;(00f771de-1a7e-4fcb-890e-68c77e2fb44e)
+;
+;   A hypervisor reads the CS segement base and IP value. The CS segment base
+;   value represents the high order 16-bits of the CS segment base, so the
+;   hypervisor must left shift the value of the CS segement base by 16 bits to
+;   form the full CS segment base for the CS segment register. It would then
+;   program the EIP register with the IP value as read.
+;
+
+TIMES (32 - (sevEsResetBlockEnd - sevEsResetBlockStart)) DB 0
+
+sevEsResetBlockStart:
+DD  SEV_ES_AP_RESET_IP
+DW  sevEsResetBlockEnd - sevEsResetBlockStart
+DB  0xDE, 0x71, 0xF7, 0x00, 0x7E, 0x1A, 0xCB, 0x4F
+DB  0x89, 0x0E, 0x68, 0xC7, 0x7E, 0x2F, 0xB4, 0x4E
+sevEsResetBlockEnd:
+
+ALIGN   16
+
+applicationProcessorEntryPoint:
+;
+; Application Processors entry point
+;
+; GenFv generates code aligned on a 4k boundary which will jump to this
+; location.  (0xffe0)  This allows the Local APIC Startup IPI to be
+; used to wake up the application processors.
+;
+jmp EarlyApInitReal16
+
+ALIGN   8
+
+DD  0
+
+;
+; The VTF signature
+;
+; VTF-0 means that the VTF (Volume Top File) code does not require
+; any fixups.
+;
+vtfSignature:
+DB  'V', 'T', 'F', 0
+
+ALIGN   16
+
+resetVector:
+;
+; Reset Vector
+;
+; This is where the processor will begin execution
+;
+nop
+nop
+jmp EarlyBspInitReal16
+
+ALIGN   16
+
+fourGigabytes:
+
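Review bot: the sevEsResetBlock comment lists the IP value (0xffca) and CS segment base [31:16] (0xffcc) as two 16-bit fields, but sevEsResetBlockStart emits them as a single `DD SEV_ES_AP_RESET_IP`, so the split is only implied by the low word being stored first. Please say so in a comment on the DD line. The "48 bytes from the end" position of the GUID also depends on everything emitted between sevEsResetBlockEnd and fourGigabytes staying exactly 0x20 bytes long; a build-time check (an `%if` on `fourGigabytes - sevEsResetBlockEnd` with `%error`) would catch a later change that shifts it. "segement" is misspelled twice in the comment.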
diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb 
b/OvmfPkg/ResetVector/ResetVector.nasmb
index 762661115d50..4913b379a993 100644
--- a/OvmfPkg/ResetVector/ResetVector.nasmb
+++ b/OvmfPkg/ResetVector/ResetVector.nasmb
@@ -82,5 +82,6 @@
 
 %include "Main.asm"
 
+  %define SEV_ES_AP_RESET_IP  FixedPcdGet32 (PcdSevEsWorkAreaBase)
 %include "Ia16/ResetVectorVtf0.asm"
 
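Review bot: the added `%define SEV_ES_AP_RESET_IP` takes its value from PcdSevEsWorkAreaBase, and nothing here explains why a work-area base is being used as a reset IP. A short comment stating that the AP reset area sits at the start of the SEV-ES work area, and that Ia16/ResetVectorVtf0.asm stores this value as the IP and CS base words of the reset block, would make the dependency visible. The new line is also indented, unlike the `%include` lines around it.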
-- 
2.28.0


View/Reply Online (#64237): https://edk2.groups.io/g/devel/message/64237



[edk2-devel] [PATCH v15 41/46] UefiCpuPkg/MpInitLib: Add CPU MP data flag to indicate if SEV-ES is enabled

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

When starting APs in an SMP configuration, the AP needs to know if it is
running as an SEV-ES guest in order to assign a GHCB page.

Add a field to the CPU_MP_DATA structure that will indicate if SEV-ES is
enabled. This new field is set during MP library initialization with the
PCD value PcdSevEsIsEnabled. This flag can then be used to determine if
SEV-ES is enabled.

Cc: Eric Dong 
Cc: Ray Ni 
Cc: Laszlo Ersek 
Reviewed-by: Eric Dong 
Signed-off-by: Tom Lendacky 
---
 UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf | 1 +
 UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf | 1 +
 UefiCpuPkg/Library/MpInitLib/MpLib.h  | 2 ++
 UefiCpuPkg/Library/MpInitLib/MpLib.c  | 1 +
 4 files changed, 5 insertions(+)

diff --git a/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf 
b/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
index 9907f4157b09..583276595619 100644
--- a/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
+++ b/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
@@ -71,4 +71,5 @@ [Pcd]
   gUefiCpuPkgTokenSpaceGuid.PcdCpuApLoopMode   ## 
CONSUMES
   gUefiCpuPkgTokenSpaceGuid.PcdCpuApTargetCstate   ## 
SOMETIMES_CONSUMES
   gUefiCpuPkgTokenSpaceGuid.PcdCpuApStatusCheckIntervalInMicroSeconds  ## 
CONSUMES
+  gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled  ## 
CONSUMES
   gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard  ## 
CONSUMES
diff --git a/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf 
b/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf
index 89ee9a79d8c5..4b3d39fbf36c 100644
--- a/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf
+++ b/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf
@@ -61,6 +61,7 @@ [Pcd]
   gUefiCpuPkgTokenSpaceGuid.PcdCpuMicrocodePatchRegionSize ## CONSUMES
   gUefiCpuPkgTokenSpaceGuid.PcdCpuApLoopMode   ## CONSUMES
   gUefiCpuPkgTokenSpaceGuid.PcdCpuApTargetCstate   ## 
SOMETIMES_CONSUMES
+  gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled  ## CONSUMES
 
 [Ppis]
   gEdkiiPeiShadowMicrocodePpiGuid## SOMETIMES_CONSUMES
diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.h 
b/UefiCpuPkg/Library/MpInitLib/MpLib.h
index a8ca03efb8e3..5b46c295b6b2 100644
--- a/UefiCpuPkg/Library/MpInitLib/MpLib.h
+++ b/UefiCpuPkg/Library/MpInitLib/MpLib.h
@@ -276,6 +276,8 @@ struct _CPU_MP_DATA {
   // driver.
   //
   BOOLEANWakeUpByInitSipiSipi;
+
+  BOOLEANSevEsIsEnabled;
 };
 
 extern EFI_GUID mCpuInitMpLibHobGuid;
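Review bot: the new `SevEsIsEnabled` member of `_CPU_MP_DATA` is added without a comment, while the `WakeUpByInitSipiSipi` field directly above it is preceded by one. Add a short comment saying the flag mirrors PcdSevEsIsEnabled and is set in MpInitLibInitialize, so a reader of the structure knows where the value comes from.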
diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.c 
b/UefiCpuPkg/Library/MpInitLib/MpLib.c
index 9b0660a5d4ea..2a3fbeef35f7 100644
--- a/UefiCpuPkg/Library/MpInitLib/MpLib.c
+++ b/UefiCpuPkg/Library/MpInitLib/MpLib.c
@@ -1704,6 +1704,7 @@ MpInitLibInitialize (
   CpuMpData->CpuData  = (CPU_AP_DATA *) (CpuMpData + 1);
   CpuMpData->CpuInfoInHob = (UINT64) (UINTN) (CpuMpData->CpuData + 
MaxLogicalProcessorNumber);
   InitializeSpinLock(>MpLock);
+  CpuMpData->SevEsIsEnabled = PcdGetBool (PcdSevEsIsEnabled);
 
   //
   // Make sure no memory usage outside of the allocated buffer.
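Review bot: `CpuMpData->SevEsIsEnabled` is a one-time copy of `PcdGetBool (PcdSevEsIsEnabled)` taken at this point in MpInitLibInitialize, so it is only correct if the PCD already holds its final value when the library initializes. Please state that ordering requirement in a comment here or in the commit message, since later code will consult the cached field rather than the PCD.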
-- 
2.28.0


View/Reply Online (#64235): https://edk2.groups.io/g/devel/message/64235



[edk2-devel] [PATCH v15 42/46] UefiCpuPkg: Allow AP booting under SEV-ES

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

Typically, an AP is booted using the INIT-SIPI-SIPI sequence. This
sequence is intercepted by the hypervisor, which sets the AP's registers
to the values requested by the sequence. At that point, the hypervisor can
start the AP, which will then begin execution at the appropriate location.

Under SEV-ES, AP booting presents some challenges since the hypervisor is
not allowed to alter the AP's register state. In this situation, we have
to distinguish between the AP's first boot and AP's subsequent boots.

First boot:
 Once the AP's register state has been defined (which is before the guest
 is first booted) it cannot be altered. Should the hypervisor attempt to
 alter the register state, the change would be detected by the hardware
 and the VMRUN instruction would fail. Given this, the first boot for the
 AP is required to begin execution with this initial register state, which
 is typically the reset vector. This prevents the BSP from directing the
 AP startup location through the INIT-SIPI-SIPI sequence.

 To work around this, the firmware will provide a build time reserved area
 that can be used as the initial IP value. The hypervisor can extract this
 location value by checking for the SEV-ES reset block GUID that must be
 located 48-bytes from the end of the firmware. The format of the SEV-ES
 reset block area is:

   0x00 - 0x01 - SEV-ES Reset IP
   0x02 - 0x03 - SEV-ES Reset CS Segment Base[31:16]
   0x04 - 0x05 - Size of the SEV-ES reset block
   0x06 - 0x15 - SEV-ES Reset Block GUID
   (00f771de-1a7e-4fcb-890e-68c77e2fb44e)

   The total size is 22 bytes. Any expansion to this block must be done
   by adding new values before existing values.

 The hypervisor will use the IP and CS values obtained from the SEV-ES
 reset block to set as the AP's initial values. The CS Segment Base
 represents the upper 16 bits of the CS segment base and must be left
 shifted by 16 bits to form the complete CS segment base value.

 Before booting the AP for the first time, the BSP must initialize the
 SEV-ES reset area. This consists of programming a FAR JMP instruction
 to the contents of a memory location that is also located in the SEV-ES
 reset area. The BSP must program the IP and CS values for the FAR JMP
 based on values derived from the INIT-SIPI-SIPI sequence.

Subsequent boots:
 Again, the hypervisor cannot alter the AP register state, so a method is
 required to take the AP out of halt state and redirect it to the desired
 IP location. If it is determined that the AP is running in an SEV-ES
 guest, then instead of calling CpuSleep(), a VMGEXIT is issued with the
 AP Reset Hold exit code (0x8004). The hypervisor will put the AP in
 a halt state, waiting for an INIT-SIPI-SIPI sequence. Once the sequence
 is recognized, the hypervisor will resume the AP. At this point the AP
 must transition from the current 64-bit long mode down to 16-bit real
 mode and begin executing at the derived location from the INIT-SIPI-SIPI
 sequence.

 Another change is around the area of obtaining the (x2)APIC ID during AP
 startup. During AP startup, the AP can't take a #VC exception before the
 AP has established a stack. However, the AP stack is set by using the
 (x2)APIC ID, which is obtained through CPUID instructions. A CPUID
 instruction will cause a #VC, so a different method must be used. The
 GHCB protocol supports a method to obtain CPUID information from the
 hypervisor through the GHCB MSR. This method does not require a stack,
 so it is used to obtain the necessary CPUID information to determine the
 (x2)APIC ID.

The new 16-bit protected mode GDT entry is used in order to transition
from 64-bit long mode down to 16-bit real mode.

A new assembler routine is created that takes the AP from 64-bit long mode
to 16-bit real mode.  This is located under 1MB in memory and transitions
from 64-bit long mode to 32-bit compatibility mode to 16-bit protected
mode and finally 16-bit real mode.

Cc: Eric Dong 
Cc: Ray Ni 
Cc: Laszlo Ersek 
Reviewed-by: Eric Dong 
Signed-off-by: Tom Lendacky 
---
 UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf  |   3 +
 UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf  |   3 +
 UefiCpuPkg/Library/MpInitLib/MpLib.h   |  60 
 UefiCpuPkg/Library/MpInitLib/DxeMpLib.c|  70 +++-
 UefiCpuPkg/Library/MpInitLib/MpLib.c   | 336 +++-
 UefiCpuPkg/Library/MpInitLib/PeiMpLib.c|  19 ++
 UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c   |   2 +-
 UefiCpuPkg/Library/MpInitLib/Ia32/MpEqu.inc|   2 +-
 UefiCpuPkg/Library/MpInitLib/Ia32/MpFuncs.nasm |  15 +
 UefiCpuPkg/Library/MpInitLib/X64/MpEqu.inc |   4 +-
 UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm  | 239 ++
 11 files changed, 738 insertions(+), 15 deletions(-)

diff --git a/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf 
b/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
index 583276595619..1771575c69c1 
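
The reset block lookup described in the commit message above (GUID 48 bytes from the end of the firmware, with the layout also given in the ResetVectorVtf0.asm comment of patch 40/46), as an added example that is not part of the patch series or of any hypervisor's code. The function names, the 4 KiB sample buffer and the value 0x0012A000 are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout constants taken from the commit message and the asm comment. */
#define GUID_FROM_END   48u  /* GUID starts 48 bytes before the end of the image */
#define GUID_LEN        16u
#define FIXED_FIELDS     6u  /* IP (2) + CS base [31:16] (2) + block size (2) */
#define MIN_BLOCK_SIZE  22u  /* FIXED_FIELDS + GUID_LEN */

/* 00f771de-1a7e-4fcb-890e-68c77e2fb44e, in the byte order the asm emits. */
static const uint8_t kResetBlockGuid[GUID_LEN] = {
  0xDE, 0x71, 0xF7, 0x00, 0x7E, 0x1A, 0xCB, 0x4F,
  0x89, 0x0E, 0x68, 0xC7, 0x7E, 0x2F, 0xB4, 0x4E
};

enum { RB_OK = 0, RB_TOO_SMALL = -1, RB_NO_GUID = -2, RB_BAD_SIZE = -3 };

typedef struct {
  uint16_t ip;          /* AP reset IP */
  uint16_t cs_base_hi;  /* CS segment base bits [31:16] as stored */
  uint16_t size;        /* size field of the reset block */
  uint32_t cs_base;     /* cs_base_hi shifted left by 16 bits */
} reset_block;

static uint16_t rd16le(const uint8_t *p)
{
  return (uint16_t)(p[0] | ((unsigned)p[1] << 8));
}

/* Locate and decode the SEV-ES reset block at the end of a firmware image. */
int parse_reset_block(const uint8_t *fw, size_t len, reset_block *out)
{
  if (fw == NULL || out == NULL || len < GUID_FROM_END + FIXED_FIELDS)
    return RB_TOO_SMALL;

  const uint8_t *guid = fw + len - GUID_FROM_END;
  if (memcmp(guid, kResetBlockGuid, GUID_LEN) != 0)
    return RB_NO_GUID;            /* image carries no SEV-ES reset block */

  /* The known fields sit directly before the GUID; a larger size field
     means newer fields were added in front of them, which is allowed. */
  const uint8_t *fixed = guid - FIXED_FIELDS;
  uint16_t size = rd16le(fixed + 4);
  size_t block_end = len - GUID_FROM_END + GUID_LEN;
  if (size < MIN_BLOCK_SIZE || (size_t)size > block_end)
    return RB_BAD_SIZE;           /* block would start before the image */

  out->ip = rd16le(fixed);
  out->cs_base_hi = rd16le(fixed + 2);
  out->size = size;
  out->cs_base = (uint32_t)out->cs_base_hi << 16;
  return RB_OK;
}

/* Constructed sample: a zero-filled 4 KiB image tail holding one reset block. */
int parse_sample(uint32_t reset_dword, uint16_t size_field, int break_guid,
                 reset_block *out)
{
  static uint8_t img[4096];
  uint8_t *guid = img + sizeof img - GUID_FROM_END;

  memset(img, 0, sizeof img);
  /* DD SEV_ES_AP_RESET_IP: low word is the IP, high word is CS base [31:16]. */
  guid[-6] = (uint8_t)reset_dword;
  guid[-5] = (uint8_t)(reset_dword >> 8);
  guid[-4] = (uint8_t)(reset_dword >> 16);
  guid[-3] = (uint8_t)(reset_dword >> 24);
  guid[-2] = (uint8_t)size_field;
  guid[-1] = (uint8_t)(size_field >> 8);
  memcpy(guid, kResetBlockGuid, GUID_LEN);
  if (break_guid)
    guid[0] ^= 0xFF;              /* simulate an image without the block */
  return parse_reset_block(img, sizeof img, out);
}

int main(void)
{
  reset_block rb;
  int rc = parse_sample(0x0012A000u, MIN_BLOCK_SIZE, 0, &rb); /* constructed value */

  if (rc != RB_OK) {
    printf("no usable SEV-ES reset block (status %d)\n", rc);
    return 1;
  }
  printf("CS base 0x%08x, IP 0x%04x, block size %u\n",
         (unsigned)rb.cs_base, (unsigned)rb.ip, (unsigned)rb.size);
  return 0;
}
```

A size field larger than 22 is accepted because the commit message allows the block to grow by adding values in front of the existing ones; a size smaller than 22 or larger than the image is rejected.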

Re: [edk2-devel] [PATCH edk2-platforms v1-resend 0/7] Updates to support Dynamic AML

2020-08-13 Thread Alexei Fedorov
Reviewed-by: Alexei Fedorov 

View/Reply Online (#64231): https://edk2.groups.io/g/devel/message/64231



Re: [edk2-devel] [PATCH v1 00/30] Add Dynamic AML generation support

2020-08-13 Thread Alexei Fedorov
Reviewed-by: Alexei Fedorov 

View/Reply Online (#64228): https://edk2.groups.io/g/devel/message/64228



Re: [edk2-devel] [PATCH v6 0/5] Use RngLib instead of TimerLib for OpensslLib

2020-08-13 Thread Yao, Jiewen
Thanks Matthew.

I am OK, if you want to address the RDSEED in follow-up patch series.

Would you please file a new Bugzilla to record this, so we won't lose the information?



> -Original Message-
> From: matthewfcarl...@gmail.com 
> Sent: Thursday, August 13, 2020 6:44 AM
> To: devel@edk2.groups.io
> Cc: Ard Biesheuvel ; Anthony Perard
> ; Yao, Jiewen ; Wang,
> Jian J ; Julien Grall ; Justen, Jordan 
> L
> ; Laszlo Ersek ; Gao, Liming
> ; Leif Lindholm ; Kinney, Michael D
> ; Lu, XiaoyuX ; Liu,
> Zhiguang ; Sean Brogan
> ; Matthew Carlson
> 
> Subject: [PATCH v6 0/5] Use RngLib instead of TimerLib for OpensslLib
> 
> From: Matthew Carlson 
> 
> Hello all,
> 
> This patch contains a fix for Bugzilla 1871.
> There's been a good bit of community discussion around the topic,
> so below follows a general overview of the discussion and what this patch does.
> 
> Back in Devel message#40590 (https://edk2.groups.io/g/devel/message/40590)
> around the patch series that updates OpenSSL to 1.1.1b, a comment was made
> that suggested that platforms be in charge of the entropy/randomness that
> is provided to OpenSSL as currently the entropy source seems to be a
> hand-rolled random number generator that uses the PerformanceCounter from
> TimerLib. This causes OpenSSL to depend on TimerLib, which is often platform
> specific. In addition to being a potentially weaker source of randomness,
> this also poses a challenge to compile BaseCryptLibOnProtocol with a platform-
> agnostic version of TimerLib that works universally.
> 
> The solution here is to allow platform to specify their source of entropy in
> addition to providing two new RngLibs: one that uses the TimerLib as well as
> one that uses RngProtocol to provide randomness. Then the decision to use
> RDRAND or other entropy sources is up to the platform. Mixing various entropy
> sources is the onus of the platform. It has been suggested on Devel#40590 and
> BZ#1871 that there should be mixing of the PerformanceCounter and RDRAND using
> something similar to the yarrow algorithm that FreeBSD uses for example. This
> patch series doesn't offer an RngLib that offers that sort of mixing as the
> ultimate source of random is defined by the platform.
> 
> This patch series offers three benefits:
> 1. Dependency reduction: Removes the need for a platform specific timer
> library.  We publish a single binary used on numerous platforms for
> crypto and the introduced timer lib dependency caused issues because we
> could not fulfill our platform needs with one library instance.
> 
> 2. Code maintenance: Removing this additional code and leveraging an existing
> library within Edk2 means less code to maintain.
> 
> 3. Platform defined quality: A platform can choose which instance to use and
> the implications of that instance.
> 
> This patch series seeks to address five separate issues.
>   1) Use RngLib interface to generate random entropy in rand_pool
>   2) Remove dependency on TimerLib in OpensslLib
>   3) Add a new version of RngLib implemented by TimerLib
>   4) Add a new version of RngLib implemented by EFI_RNG_PROTOCOL
>   5) Add RngLib to platforms in EDK2 such as ArmVirtPkg and OvmfPkg
> 
> Since this changes the dependencies of OpenSSL, this has the potential of being
> a breaking change for platforms in edk2-platforms. The easiest solution is just
> to use the RngLib that uses the TimerLib as this closely mimics the behavior of
> OpenSSL prior to this patch series. There is also a null version of RngLib for
> CI environments that need this change
> (https://edk2.groups.io/g/devel/message/50432). Though it should be pointed out
> that in CI environments, the null version of BaseCryptLib or OpenSSL should be
> used.
> 
> In addition, it has been suggested that
> 1) Add AsmRdSeed to BaseLib.
> 2) Update BaseRngLib to use AsmRdSeed() for the random number,
> if RdSeed is supported (CPUID BIT18)
> 
> However, this is largely out of scope for this particular patch series and
> will likely need to be in a follow-up series later.
> 
> It is my understanding that the OpenSSL code uses the values provided as a
> randomness pool rather than a seed or random numbers itself, so the
> requirements for randomness are not quite as stringent as other applications.
> 
> For the ArmVirtPkg and OvmfPkg platforms, the patch series here just adds in
> the TimerLib based RngLib as that is similar to the functionality of before.
> It is added as a common library so any custom RngLib defined in the DSC
> should take precedence over the TimerLibRngLib.
> 
> Ref: https://github.com/tianocore/edk2/pull/845
> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1871
> 
> Cc: Ard Biesheuvel 
> Cc: Anthony Perard 
> Cc: Jiewen Yao 
> Cc: Jian J Wang 
> Cc: Julien Grall 
> Cc: Jordan Justen 
> Cc: Laszlo Ersek 
> Cc: Liming Gao 
> Cc: Leif Lindholm 
> Cc: Michael D Kinney 
> Cc: Xiaoyu Lu 
> Cc: Zhiguang Liu 
> Cc: Sean Brogan 
> 
> Signed-off-by: Matthew Carlson 

Re: [edk2-devel] [edk2-platform][PATCH v1 1/1] Platforms/RaspberryPi: Fix DBG2 UART namespace reference

2020-08-13 Thread Pete Batard

On 2020.08.13 15:27, Samer El-Haj-Mahmoud wrote:

The UART namespace reference in DBG2 is incorrect. Fix to point to the
correct name.

This fixes the certification failure reported by FWTS tests at:
https://github.com/pftf/RPi4/issues/69

Cc: Leif Lindholm 
Cc: Pete Batard 
Cc: Andrei Warkentin 
Cc: Ard Biesheuvel 
Signed-off-by: Samer El-Haj-Mahmoud 
---
  Platform/RaspberryPi/AcpiTables/Dbg2.aslc | 8 
  1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/Platform/RaspberryPi/AcpiTables/Dbg2.aslc 
b/Platform/RaspberryPi/AcpiTables/Dbg2.aslc
index c35b15693f5a..e3f2adae7e21 100644
--- a/Platform/RaspberryPi/AcpiTables/Dbg2.aslc
+++ b/Platform/RaspberryPi/AcpiTables/Dbg2.aslc
@@ -3,7 +3,7 @@
   *  Debug Port Table (DBG2)
   *
   *  Copyright (c) 2019, Pete Batard 
- *  Copyright (c) 2012-2016, ARM Limited. All rights reserved.
+ *  Copyright (c) 2012-2020, ARM Limited. All rights reserved.
   *
   *  SPDX-License-Identifier: BSD-2-Clause-Patent
   *
@@ -21,13 +21,13 @@
  
  #define RPI_DBG2_NUM_DEBUG_PORTS1

  #define RPI_DBG2_NUMBER_OF_GENERIC_ADDRESS_REGISTERS1
-#define RPI_DBG2_NAMESPACESTRING_FIELD_SIZE 10
+#define RPI_DBG2_NAMESPACESTRING_FIELD_SIZE 15
  
  #if (RPI_MODEL == 4)

  #define RPI_UART_INTERFACE_TYPE 
EFI_ACPI_DBG2_PORT_SUBTYPE_SERIAL_ARM_PL011_UART
  #define RPI_UART_BASE_ADDRESS   
BCM2836_PL011_UART_BASE_ADDRESS
  #define RPI_UART_LENGTH 
BCM2836_PL011_UART_LENGTH
-#define RPI_UART_STR{ '\\', '_', 'S', 'B', 
'.', 'U', 'R', 'T', '0', 0x00 }
+#define RPI_UART_STR{ '\\', '_', 'S', 'B', 
'.', 'G', 'D', 'V', '0', '.', 'U', 'R', 'T', '0', 0x00 }
  #else
  #define RPI_UART_INTERFACE_TYPE 
EFI_ACPI_DBG2_PORT_SUBTYPE_SERIAL_BCM2835_UART
  #define RPI_UART_BASE_ADDRESS   
BCM2836_MINI_UART_BASE_ADDRESS
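Review bot: `RPI_DBG2_NAMESPACESTRING_FIELD_SIZE` is bumped by hand from 10 to 15 to match the 15-element `RPI_UART_STR` initializer, and nothing ties the two together. If the namespace path changes again and only the string is updated, a shorter string would be silently zero-padded; derive the field size from the string, or add a STATIC_ASSERT that the two agree.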
@@ -35,7 +35,7 @@
  //
  // RPI_UART_STR should match the value used Uart.asl
  //
-#define RPI_UART_STR{ '\\', '_', 'S', 'B', 
'.', 'U', 'R', 'T', 'M', 0x00 }
+#define RPI_UART_STR{ '\\', '_', 'S', 'B', 
'.', 'G', 'D', 'V', '0', '.', 'U', 'R', 'T', 'M', 0x00 }
  #endif
  
  typedef struct {
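Review bot: the context comment above this `RPI_UART_STR` says it should match the value used in Uart.asl, but the diffstat shows only Dbg2.aslc changing. Please state in the commit message that Uart.asl already declares the devices under \_SB.GDV0, so the reviewer can confirm the two now agree. The comment sits only in the #else branch although it applies to both definitions, and it is missing the word "in"; both are worth fixing while the lines are being touched.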




Reviewed-by: Pete Batard 


View/Reply Online (#64226): https://edk2.groups.io/g/devel/message/64226



Re: [edk2-devel] [PATCH v3 1/3] CryptoPkg: OpensslLib: Use RngLib to generate entropy in rand_pool

2020-08-13 Thread Yao, Jiewen
OK. I just see you describe that in v6 0/5 (not in v6 3/5 or Bugzilla 1871).

However, 0/5 will not be committed and information might be lost.

Would you please add your response in 
https://bugzilla.tianocore.org/show_bug.cgi?id=1871 ?



> -Original Message-
> From: devel@edk2.groups.io  On Behalf Of Yao, Jiewen
> Sent: Thursday, August 13, 2020 10:44 PM
> To: devel@edk2.groups.io; Yao, Jiewen ;
> matthewfcarl...@gmail.com
> Cc: Wang, Jian J ; Lu, XiaoyuX 
> Subject: Re: [edk2-devel] [PATCH v3 1/3] CryptoPkg: OpensslLib: Use RngLib to
> generate entropy in rand_pool
> 
> Hi Matthew Carlson
> Do you have any thought on the feedback below?
> 
> Do you make any update in your patch V6?
> 
> 
> 
> > -Original Message-
> > From: devel@edk2.groups.io  On Behalf Of Yao,
> Jiewen
> > Sent: Saturday, August 1, 2020 8:26 AM
> > To: matthewfcarl...@gmail.com; devel@edk2.groups.io
> > Cc: Wang, Jian J ; Lu, XiaoyuX 
> > Subject: Re: [edk2-devel] [PATCH v3 1/3] CryptoPkg: OpensslLib: Use RngLib 
> > to
> > generate entropy in rand_pool
> >
> > Hi
> > I have read https://bugzilla.tianocore.org/show_bug.cgi?id=1871
> > I would like to give R-B, because the code matches what described in 
> > Bugzilla.
> >
> > Before that, I would like double confirm on the randomness requirement.
> > According to
> > https://software.intel.com/content/www/us/en/develop/blogs/the-difference-between-rdrand-and-rdseed.html,
> > the RDSEED is a "Non-deterministic random
> > bit generator", while RDRAND is a "Cryptographically secure pseudorandom
> > number generator"
> >
> > Before this patch:
> > rand_pool_acquire_entropy()-> RandGetSeed128()->MicroSecondDelay()+RandGetBytes()->GetRandomNoise64()->AsmReadTsc()+MicroSecondDelay().
> > rand_pool_add_nonce_data()->GetPerformanceCounter()+RandGetBytes()
> > It seems return TSC and TimerCounter.
> >
> > After this patch:
> > rand_pool_acquire_entropy()->RandGetBytes()->GetRandomNumber64()->AsmRdRand64().
> > rand_pool_add_nonce_data()->RandGetBytes()
> > It becomes pseudorandom.
> >
> > So the meaning of the function seems changed.
> > I have not checked the randomness requirement for those two functions yet.
> > But could anyone confirm that a pseudorandom value returned is OK?
> >
> > Or should we use RDSEED for non-deterministic value?
> >
> > Thank you
> > Yao Jiewen
> >
> >
> > > -Original Message-
> > > From: matthewfcarl...@gmail.com 
> > > Sent: Saturday, August 1, 2020 4:27 AM
> > > To: devel@edk2.groups.io
> > > Cc: Yao, Jiewen ; Wang, Jian J
> > ;
> > > Lu, XiaoyuX ; Matthew Carlson
> > > 
> > > Subject: [PATCH v3 1/3] CryptoPkg: OpensslLib: Use RngLib to generate
> > entropy
> > > in rand_pool
> > >
> > > From: Matthew Carlson 
> > >
> > > Changes OpenSSL to no longer depend on TimerLib and instead use RngLib.
> > > This allows platforms to decide for themselves what sort of entropy source
> > > they provide to OpenSSL and TlsLib.
> > >
> > > Cc: Jiewen Yao 
> > > Cc: Jian J Wang 
> > > Cc: Xiaoyu Lu 
> > > Signed-off-by: Matthew Carlson 
> > > ---
> > >  CryptoPkg/Library/OpensslLib/rand_pool.c   | 203 
> > > ++--
> > >  CryptoPkg/Library/OpensslLib/rand_pool_noise.c |  29 ---
> > >  CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c |  43 -
> > >  CryptoPkg/CryptoPkg.dsc|   1 +
> > >  CryptoPkg/Library/OpensslLib/OpensslLib.inf|  15 +-
> > >  CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf  |  15 +-
> > >  CryptoPkg/Library/OpensslLib/rand_pool_noise.h |  29 ---
> > >  7 files changed, 22 insertions(+), 313 deletions(-)
> > >
> > > diff --git a/CryptoPkg/Library/OpensslLib/rand_pool.c
> > > b/CryptoPkg/Library/OpensslLib/rand_pool.c
> > > index 9e0179b03490..b3ff03b2aa13 100644
> > > --- a/CryptoPkg/Library/OpensslLib/rand_pool.c
> > > +++ b/CryptoPkg/Library/OpensslLib/rand_pool.c
> > > @@ -11,53 +11,18 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> > >  #include 
> > >
> > >
> > >
> > >  #include 
> > >
> > > -#include 
> > >
> > > -
> > >
> > > -#include "rand_pool_noise.h"
> > >
> > > -
> > >
> > > -/**
> > >
> > > -  Get some randomness from low-order bits of GetPerformanceCounter
> > results.
> > >
> > > -  And combine them to the 64-bit value
> > >
> > > -
> > >
> > > -  @param[out] RandBuffer pointer to store the 64-bit random value.
> > >
> > > -
> > >
> > > -  @retval TRUERandom number generated successfully.
> > >
> > > -  @retval FALSE   Failed to generate.
> > >
> > > -**/
> > >
> > > -STATIC
> > >
> > > -BOOLEAN
> > >
> > > -EFIAPI
> > >
> > > -GetRandNoise64FromPerformanceCounter(
> > >
> > > -  OUT UINT64  *Rand
> > >
> > > -  )
> > >
> > > -{
> > >
> > > -  UINT32 Index;
> > >
> > > -  UINT32 *RandPtr;
> > >
> > > -
> > >
> > > -  if (NULL == Rand) {
> > >
> > > -return FALSE;
> > >
> > > -  }
> > >
> > > -
> > >
> > > -  RandPtr = (UINT32 *) Rand;
> > >
> > > -
> > >
> > > -  for (Index = 0; Index < 2; Index ++) {
> > 

Re: [edk2-devel] [PATCH v2 1/2] CryptoPkg/OpensslLib: Add native instruction support for X64

2020-08-13 Thread Yao, Jiewen
Hi Christopher
Thanks.

1) Would you please help me understand more on "ApiHooks.c contains a stub 
function for a Windows API call" ?
Why we need this?
If it is compiler specific in openssl, should we submit patch to openssl to 
exclude this with OPENSSL_SYS_UEFI? That should be a cleaner solution for UEFI.

2) Would you please describe what compiler you have tried? VS? GCC? LLVM?

3) Would you please describe what unit test you have done?

Thank you
Yao Jiewen


> -Original Message-
> From: Zurcher, Christopher J 
> Sent: Tuesday, August 4, 2020 8:24 AM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen ; Wang, Jian J ;
> Lu, XiaoyuX ; Ard Biesheuvel 
> Subject: [PATCH v2 1/2] CryptoPkg/OpensslLib: Add native instruction support
> for X64
> 
> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2507
> 
> Adding OpensslLibX64.inf and modifying process_files.pl to process this
> file and generate the necessary assembly files.
> ApiHooks.c contains a stub function for a Windows API call.
> uefi-asm.conf contains the limited assembly configurations for OpenSSL.
> 
> Cc: Jiewen Yao 
> Cc: Jian J Wang 
> Cc: Xiaoyu Lu 
> Cc: Ard Biesheuvel 
> Signed-off-by: Christopher J Zurcher 
> ---
>  CryptoPkg/Library/OpensslLib/OpensslLib.inf  |   2 +-
>  CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf|   2 +-
>  CryptoPkg/Library/OpensslLib/OpensslLibX64.inf   | 656
> 
>  CryptoPkg/Library/Include/openssl/opensslconf.h  |   3 -
>  CryptoPkg/Library/OpensslLib/ApiHooks.c  |  18 +
>  CryptoPkg/Library/OpensslLib/OpensslLibConstructor.c |  34 +
>  CryptoPkg/Library/OpensslLib/process_files.pl| 223 +--
>  CryptoPkg/Library/OpensslLib/uefi-asm.conf   |  15 +
>  8 files changed, 903 insertions(+), 50 deletions(-)
> 
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> index dbbe5386a1..bd62d86936 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> @@ -16,7 +16,7 @@
>VERSION_STRING = 1.0
> 
>LIBRARY_CLASS  = OpensslLib
> 
>DEFINE OPENSSL_PATH= openssl
> 
> -  DEFINE OPENSSL_FLAGS   = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT
> -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE
> 
> +  DEFINE OPENSSL_FLAGS   = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT
> -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -
> DOPENSSL_NO_ASM
> 
> 
> 
>  #
> 
>  #  VALID_ARCHITECTURES   = IA32 X64 ARM AARCH64
> 
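Review bot: `-DOPENSSL_NO_ASM` is appended to OPENSSL_FLAGS in this INF while the diffstat shows three lines removed from opensslconf.h. If those removed lines are the header's OPENSSL_NO_ASM definition, the no-assembly setting now depends on every INF that builds the OpenSSL sources carrying the flag; the commit message should say so, so that out-of-tree INFs are updated rather than silently building with assembly paths enabled.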
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> index 616ccd9f62..2b7324a990 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> @@ -16,7 +16,7 @@
>VERSION_STRING = 1.0
> 
>LIBRARY_CLASS  = OpensslLib
> 
>DEFINE OPENSSL_PATH= openssl
> 
> -  DEFINE OPENSSL_FLAGS   = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT
> -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE
> 
> +  DEFINE OPENSSL_FLAGS   = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT
> -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -
> DOPENSSL_NO_ASM
> 
> 
> 
>  #
> 
>  #  VALID_ARCHITECTURES   = IA32 X64 ARM AARCH64
> 
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibX64.inf
> b/CryptoPkg/Library/OpensslLib/OpensslLibX64.inf
> new file mode 100644
> index 00..825eea0254
> --- /dev/null
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLibX64.inf
> @@ -0,0 +1,656 @@
> +## @file
> 
> +#  This module provides OpenSSL Library implementation.
> 
> +#
> 
> +#  Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.
> 
> +#  (C) Copyright 2020 Hewlett Packard Enterprise Development LP
> 
> +#  SPDX-License-Identifier: BSD-2-Clause-Patent
> 
> +#
> 
> +##
> 
> +
> 
> +[Defines]
> 
> +  INF_VERSION= 0x00010005
> 
> +  BASE_NAME  = OpensslLibX64
> 
> +  MODULE_UNI_FILE= OpensslLib.uni
> 
> +  FILE_GUID  = 18125E50-0117-4DD0-BE54-4784AD995FEF
> 
> +  MODULE_TYPE= BASE
> 
> +  VERSION_STRING = 1.0
> 
> +  LIBRARY_CLASS  = OpensslLib
> 
> +  DEFINE OPENSSL_PATH= openssl
> 
> +  DEFINE OPENSSL_FLAGS   = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT
> -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE
> 
> +  DEFINE OPENSSL_FLAGS_CONFIG= -DOPENSSL_CPUID_OBJ -DSHA1_ASM -
> DSHA256_ASM -DSHA512_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM
> 
> +  CONSTRUCTOR= OpensslLibConstructor
> 
> +
> 
> +#
> 
> +#  VALID_ARCHITECTURES   = X64
> 
> +#
> 
> +
> 
> +[Sources]
> 
> +  OpensslLibConstructor.c
> 
> +  $(OPENSSL_PATH)/e_os.h
> 
> +  $(OPENSSL_PATH)/ms/uplink.h
> 
> +# Autogenerated files list starts here
> 
> +  
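Review bot: the `[Sources]` section of the new OpensslLibX64.inf is not architecture-qualified, although the file's own comment gives VALID_ARCHITECTURES as X64 and OPENSSL_FLAGS_CONFIG turns on the assembly implementations (`-DAESNI_ASM`, `-DSHA256_ASM` and the rest). Using `[Sources.X64]` would make a platform that selects this instance for another architecture fail at build time instead of relying on the comment.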

Re: [edk2-devel] [PATCH v3 1/3] CryptoPkg: OpensslLib: Use RngLib to generate entropy in rand_pool

2020-08-13 Thread Yao, Jiewen
Hi Matthew Carlson
Do you have any thought on the feedback below?

Do you make any update in your patch V6?



> -Original Message-
> From: devel@edk2.groups.io  On Behalf Of Yao, Jiewen
> Sent: Saturday, August 1, 2020 8:26 AM
> To: matthewfcarl...@gmail.com; devel@edk2.groups.io
> Cc: Wang, Jian J ; Lu, XiaoyuX 
> Subject: Re: [edk2-devel] [PATCH v3 1/3] CryptoPkg: OpensslLib: Use RngLib to
> generate entropy in rand_pool
> 
> Hi
> I have read https://bugzilla.tianocore.org/show_bug.cgi?id=1871
> I would like to give R-B, because the code matches what described in Bugzilla.
> 
> Before that, I would like double confirm on the randomness requirement.
> According to
> https://software.intel.com/content/www/us/en/develop/blogs/the-difference-between-rdrand-and-rdseed.html,
> the RDSEED is a "Non-deterministic random
> bit generator", while RDRAND is a "Cryptographically secure pseudorandom
> number generator"
> 
> Before this patch:
> rand_pool_acquire_entropy()-> RandGetSeed128()->MicroSecondDelay()+RandGetBytes()->GetRandomNoise64()->AsmReadTsc()+MicroSecondDelay().
> rand_pool_add_nonce_data()->GetPerformanceCounter()+RandGetBytes()
> It seems return TSC and TimerCounter.
> 
> After this patch:
> rand_pool_acquire_entropy()->RandGetBytes()->GetRandomNumber64()->AsmRdRand64().
> rand_pool_add_nonce_data()->RandGetBytes()
> It becomes pseudorandom.
> 
> So the meaning of the function seems changed.
> I have not checked the randomness requirement for those two functions yet.
> But could anyone confirm that a pseudorandom value returned is OK?
> 
> Or should we use RDSEED for non-deterministic value?
> 
> Thank you
> Yao Jiewen
> 
> 
> > -Original Message-
> > From: matthewfcarl...@gmail.com 
> > Sent: Saturday, August 1, 2020 4:27 AM
> > To: devel@edk2.groups.io
> > Cc: Yao, Jiewen ; Wang, Jian J
> ;
> > Lu, XiaoyuX ; Matthew Carlson
> > 
> > Subject: [PATCH v3 1/3] CryptoPkg: OpensslLib: Use RngLib to generate
> entropy
> > in rand_pool
> >
> > From: Matthew Carlson 
> >
> > Changes OpenSSL to no longer depend on TimerLib and instead use RngLib.
> > This allows platforms to decide for themselves what sort of entropy source
> > they provide to OpenSSL and TlsLib.
> >
> > Cc: Jiewen Yao 
> > Cc: Jian J Wang 
> > Cc: Xiaoyu Lu 
> > Signed-off-by: Matthew Carlson 
> > ---
> >  CryptoPkg/Library/OpensslLib/rand_pool.c   | 203 
> > ++--
> >  CryptoPkg/Library/OpensslLib/rand_pool_noise.c |  29 ---
> >  CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c |  43 -
> >  CryptoPkg/CryptoPkg.dsc|   1 +
> >  CryptoPkg/Library/OpensslLib/OpensslLib.inf|  15 +-
> >  CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf  |  15 +-
> >  CryptoPkg/Library/OpensslLib/rand_pool_noise.h |  29 ---
> >  7 files changed, 22 insertions(+), 313 deletions(-)
> >
> > diff --git a/CryptoPkg/Library/OpensslLib/rand_pool.c
> > b/CryptoPkg/Library/OpensslLib/rand_pool.c
> > index 9e0179b03490..b3ff03b2aa13 100644
> > --- a/CryptoPkg/Library/OpensslLib/rand_pool.c
> > +++ b/CryptoPkg/Library/OpensslLib/rand_pool.c
> > @@ -11,53 +11,18 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> >  #include 
> >
> >
> >
> >  #include 
> >
> > -#include 
> >
> > -
> >
> > -#include "rand_pool_noise.h"
> >
> > -
> >
> > -/**
> >
> > -  Get some randomness from low-order bits of GetPerformanceCounter
> results.
> >
> > -  And combine them to the 64-bit value
> >
> > -
> >
> > -  @param[out] RandBuffer pointer to store the 64-bit random value.
> >
> > -
> >
> > -  @retval TRUERandom number generated successfully.
> >
> > -  @retval FALSE   Failed to generate.
> >
> > -**/
> >
> > -STATIC
> >
> > -BOOLEAN
> >
> > -EFIAPI
> >
> > -GetRandNoise64FromPerformanceCounter(
> >
> > -  OUT UINT64  *Rand
> >
> > -  )
> >
> > -{
> >
> > -  UINT32 Index;
> >
> > -  UINT32 *RandPtr;
> >
> > -
> >
> > -  if (NULL == Rand) {
> >
> > -return FALSE;
> >
> > -  }
> >
> > -
> >
> > -  RandPtr = (UINT32 *) Rand;
> >
> > -
> >
> > -  for (Index = 0; Index < 2; Index ++) {
> >
> > -*RandPtr = (UINT32) (GetPerformanceCounter () & 0xFF);
> >
> > -MicroSecondDelay (10);
> >
> > -RandPtr++;
> >
> > -  }
> >
> > -
> >
> > -  return TRUE;
> >
> > -}
> >
> > +#include 
> >
> >
> >
> >  /**
> >
> >Calls RandomNumber64 to fill
> >
> >a buffer of arbitrary size with random bytes.
> >
> > +  This is a shim layer to RngLib.
> >
> >
> >
> >@param[in]   LengthSize of the buffer, in bytes,  to fill with.
> >
> >@param[out]  RandBufferPointer to the buffer to store the random 
> > result.
> >
> >
> >
> > -  @retval EFI_SUCCESSRandom bytes generation succeeded.
> >
> > -  @retval EFI_NOT_READY  Failed to request random bytes.
> >
> > +  @retval TrueRandom bytes generation succeeded.
> >
> > +  @retval False   Failed to request random bytes.
> >
> >
> >
> >  **/
> >
> >  STATIC
> >
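Review bot: The rewritten header comment documents the return values as `@retval True` / `@retval False`, while the function removed earlier in this hunk used `@retval TRUE` / `@retval FALSE`; keep the upper-case BOOLEAN spelling so the comment matches the constants callers compare against. The summary still reads "Calls RandomNumber64 to fill a buffer" next to the new "This is a shim layer to RngLib" line; state there what quality of randomness the shim expects from RngLib, because with TimerLib removed the platform's RngLib instance is the only input to the OpenSSL pool.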
> > @@ -73,17 +38,17 @@ 

Re: [edk2-devel] [PATCH 1/1] CryptoPkg/BaseCryptLib: Add EVP (Envelope) Digest interface

2020-08-13 Thread Yao, Jiewen
1) Agree with Laszlo.
We need to extend the internal protocol/ppi for this new API.

2) Do you have any data on the size difference between the old SHA implementation
and the new MD implementation?

Thank you
Yao Jiewen

> -Original Message-
> From: Laszlo Ersek 
> Sent: Thursday, August 13, 2020 5:47 PM
> To: devel@edk2.groups.io; Zurcher, Christopher J
> 
> Cc: Yao, Jiewen ; Wang, Jian J ;
> Lu, XiaoyuX 
> Subject: Re: [edk2-devel] [PATCH 1/1] CryptoPkg/BaseCryptLib: Add EVP
> (Envelope) Digest interface
> 
> Hi Christopher,
> 
> (+Mike,
> 
> On 08/13/20 03:20, Zurcher, Christopher J wrote:
> > BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2545
> >
> > The EVP interface should be used in place of discrete digest function
> > calls.
> >
> > Cc: Jiewen Yao 
> > Cc: Jian J Wang 
> > Cc: Xiaoyu Lu 
> > Signed-off-by: Christopher J Zurcher 
> > ---
> >  CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf|   1 +
> >  CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf |   1 +
> >  CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf |   1 +
> >  CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf |   1 +
> >  CryptoPkg/Include/Library/BaseCryptLib.h   | 122 +++
> >  CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMd.c| 228
> 
> >  6 files changed, 354 insertions(+)
> 
> (1) This patch extends the library class header, but updates only one
> *set* of the three library instance *sets*. The other two instance
> *sets* are:
> 
> - BaseCryptLibNull (just one instance), for which it should not be hard
> to provide Null implementations of the new functions;
> 
> - BaseCryptLibOnProtocolPpi (three instances -- Pei, Dxe, Smm).
> 
> 
> BaseCryptLibOnProtocolPpi is a tough nut, because it seems to require
> extending:
> 
> - the crypto service driver at CryptoPkg/Driver/,
> 
> - the interface to that driver (CryptoPkg/Private/Protocol/Crypto.h --
> reused by both "CryptoPkg/Private/Ppi/Crypto.h" and
> "CryptoPkg/Private/Protocol/SmmCrypto.h"),
> 
> - the PCD_CRYPTO_SERVICE_FAMILY_ENABLE structure at
> "CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h", for configuring
> the driver,
> 
> - the various PcdCryptoServiceFamilyEnable settings / build profiles in
> CryptoPkg/CryptoPkg.dsc.
> 
> 
> >
> > diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> > index 4aae2aba95..3968f29412 100644
> > --- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> > +++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> > @@ -50,6 +50,7 @@
> >Pk/CryptAuthenticode.c
> >Pk/CryptTs.c
> >Pem/CryptPem.c
> > +  Evp/CryptEvpMd.c
> >
> >SysCall/CrtWrapper.c
> >SysCall/TimerWrapper.c
> > diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> > index dc28e3a11d..d0b91716d0 100644
> > --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> > +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> > @@ -57,6 +57,7 @@
> >Pk/CryptTsNull.c
> >Pem/CryptPemNull.c
> >Rand/CryptRandNull.c
> > +  Evp/CryptEvpMd.c
> >
> >SysCall/CrtWrapper.c
> >SysCall/ConstantTimeClock.c
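Review bot: In PeiCryptLib.inf the new `Evp/CryptEvpMd.c` lands directly below `Pk/CryptTsNull.c`, `Pem/CryptPemNull.c` and `Rand/CryptRandNull.c`, so this instance is trimmed with Null variants yet receives the full EVP digest implementation. Please give the PEI size delta in the commit message, or supply a Null variant for this instance if the increase is not acceptable.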
> > diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> > index 5005beed02..9f3accd35b 100644
> > --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> > +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> > @@ -56,6 +56,7 @@
> >Pk/CryptAuthenticodeNull.c
> >Pk/CryptTsNull.c
> >Pem/CryptPem.c
> > +  Evp/CryptEvpMd.c
> >
> >SysCall/CrtWrapper.c
> >SysCall/TimerWrapper.c
> > diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> > index 91ec3e03bf..420623cdc6 100644
> > --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> > +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> > @@ -54,6 +54,7 @@
> >Pk/CryptAuthenticodeNull.c
> >Pk/CryptTsNull.c
> >Pem/CryptPem.c
> > +  Evp/CryptEvpMd.c
> >
> >SysCall/CrtWrapper.c
> >SysCall/ConstantTimeClock.c
> > diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h
> b/CryptoPkg/Include/Library/BaseCryptLib.h
> > index ae9bde9e37..f3bf8aac0c 100644
> > --- a/CryptoPkg/Include/Library/BaseCryptLib.h
> > +++ b/CryptoPkg/Include/Library/BaseCryptLib.h
> > @@ -1012,6 +1012,128 @@ HmacSha256Final (
> >OUT UINT8  *HmacValue
> >);
> >
> >
> +//==
> ===
> > +//EVP (Envelope) Primitive
> >
> +//==
> ===
> > +
> > +/**
> > +  Allocates and initializes one EVP_MD_CTX context for subsequent EVP_MD
> use.
> > +
> > +  @return  Pointer to the EVP_MD_CTX context that has been initialized.
> > +   If the allocations fails, EvpMdNew() returns NULL.
> > +
> > +**/
> > +VOID *
> > +EFIAPI
> > +EvpMdNew (
> > +  VOID
> > +  );
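Review bot: The `EvpMdNew` comment has a typo ("If the allocations fails") and does not say how the returned context is released. The function hands the caller an untyped `VOID *` that it allocated, so name the matching free routine in the `@return` text to make ownership of the context explicit.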
> 

Re: [edk2-devel] [PATCH EDK2 v2 1/1] SecurityPkg/DxeImageVerificationLib:Enhanced verification of Offset

2020-08-13 Thread Yao, Jiewen
Thanks Wenyi.

May I know how you test the new code logic?

Any unit test you can share, such as a malformed PE image, which may break the
old implementation but is caught by this patch?

Thank you
Yao Jiewen

> -Original Message-
> From: Wenyi Xie 
> Sent: Thursday, August 13, 2020 7:56 PM
> To: devel@edk2.groups.io; Yao, Jiewen ; Wang, Jian J
> ; ler...@redhat.com
> Cc: huangmin...@huawei.com; songdongku...@huawei.com
> Subject: [PATCH EDK2 v2 1/1] SecurityPkg/DxeImageVerificationLib:Enhanced
> verification of Offset
> 
> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2215
> 
> There is an integer overflow vulnerability in DxeImageVerificationHandler
> function when parsing the PE file's attribute certificate table. In cases
> where WinCertificate->dwLength is sufficiently large, it's possible to
> overflow Offset back to 0 causing an endless loop.
> 
> Check offset in between VirtualAddress and VirtualAddress + Size.
> Using SafeIntLib to do offset addition with result check.
> 
> Cc: Jiewen Yao 
> Cc: Jian J Wang 
> Cc: Laszlo Ersek 
> Signed-off-by: Wenyi Xie 
> ---
>  SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf |   1
> +
>  SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.h   |   
> 1 +
>  SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c   | 111
> +++-
>  3 files changed, 63 insertions(+), 50 deletions(-)
> 
> diff --git
> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
> index 1e1a639857e0..a7ac4830b3d4 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
> @@ -53,6 +53,7 @@ [LibraryClasses]
>SecurityManagementLib
>PeCoffLib
>TpmMeasurementLib
> +  SafeIntLib
> 
>  [Protocols]
>gEfiFirmwareVolume2ProtocolGuid   ## SOMETIMES_CONSUMES
> diff --git
> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.h
> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.h
> index 17955ff9774c..060273917d5d 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.h
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.h
> @@ -23,6 +23,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
>  #include 
>  #include 
>  #include 
> +#include 
>  #include 
>  #include 
>  #include 
> diff --git
> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index 36b87e16d53d..dbc03e28c05b 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> @@ -1658,6 +1658,10 @@ DxeImageVerificationHandler (
>EFI_STATUS   HashStatus;
>EFI_STATUS   DbStatus;
>BOOLEAN  IsFound;
> +  UINT32   AlignedLength;
> +  UINT32   Result;
> +  EFI_STATUS   AddStatus;
> +  BOOLEAN  IsAuthDataAssigned;
> 
>SignatureList = NULL;
>SignatureListSize = 0;
> @@ -1667,6 +1671,7 @@ DxeImageVerificationHandler (
>Action= EFI_IMAGE_EXECUTION_AUTH_UNTESTED;
>IsVerified= FALSE;
>IsFound   = FALSE;
> +  Result= 0;
> 
>//
>// Check the image type and get policy setting.
> @@ -1850,9 +1855,10 @@ DxeImageVerificationHandler (
>// The first certificate starts at offset (SecDataDir->VirtualAddress) 
> from the
> start of the file.
>//
>for (OffSet = SecDataDir->VirtualAddress;
> -   OffSet < (SecDataDir->VirtualAddress + SecDataDir->Size);
> -   OffSet += (WinCertificate->dwLength + ALIGN_SIZE (WinCertificate-
> >dwLength))) {
> +   (OffSet >= SecDataDir->VirtualAddress) && (OffSet < (SecDataDir-
> >VirtualAddress + SecDataDir->Size));) {
> +IsAuthDataAssigned = FALSE;
>  WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
> +AlignedLength = WinCertificate->dwLength + ALIGN_SIZE (WinCertificate-
> >dwLength);
>  if ((SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) <= sizeof
> (WIN_CERTIFICATE) ||
>  (SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) < 
> WinCertificate-
> >dwLength) {
>break;
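Review bot: `AlignedLength = WinCertificate->dwLength + ALIGN_SIZE (WinCertificate->dwLength)` is evaluated before the two size checks that follow it, so `dwLength` is now read even when no more than `sizeof (WIN_CERTIFICATE)` bytes remain, and the UINT32 sum itself can wrap for a `dwLength` near the top of the range. Move the assignment below the `break` checks and compute it with the SafeIntLib addition this patch already pulls in. The loop condition and both checks also still evaluate `SecDataDir->VirtualAddress + SecDataDir->Size` unchecked; compute that end offset once with a checked add before the loop.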
> @@ -1872,6 +1878,8 @@ DxeImageVerificationHandler (
>}
>AuthData   = PkcsCertData->CertData;
>AuthDataSize = PkcsCertData->Hdr.dwLength - sizeof(PkcsCertData->Hdr);
> +  IsAuthDataAssigned = TRUE;
> +  HashStatus = HashPeImageByType (AuthData, AuthDataSize);
>  } else if (WinCertificate->wCertificateType == WIN_CERT_TYPE_EFI_GUID) {
>//
>// The certificate is formatted as 
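The bounded certificate-table walk that the commit message above describes, written out as an added example; it is not code from the patch or from edk2. The names `walk_cert_table`, `add_u32` and `walk_sample`, the 64-byte sample image, the 8-byte entry padding and the check of the directory against the image size are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

#define CERT_HDR_SIZE 8u  /* dwLength (4) + wRevision (2) + wCertificateType (2) */
#define CERT_ALIGN    8u  /* assumption: each entry is padded to 8 bytes */

enum { WALK_BAD_DIRECTORY = -1, WALK_BAD_ENTRY = -2 };

/* a + b with an explicit wrap check (the job a checked-add helper does). */
int add_u32(uint32_t a, uint32_t b, uint32_t *sum)
{
    if (a > UINT32_MAX - b) {
        return -1;
    }
    *sum = a + b;
    return 0;
}

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void write_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

/*
 * Walk the certificate table at [va, va + size) inside image[0..image_size).
 * Returns the number of entries, or a negative WALK_* code. Every addition
 * that feeds the offset is checked, and every entry must advance the offset.
 */
int walk_cert_table(const uint8_t *image, uint32_t image_size,
                    uint32_t va, uint32_t size)
{
    uint32_t end, offset, len, padded, next;
    int count = 0;

    /* The directory itself must not wrap or point past the image. */
    if (add_u32(va, size, &end) != 0 || end > image_size) {
        return WALK_BAD_DIRECTORY;
    }

    for (offset = va; offset < end; offset = next) {
        uint32_t remaining = end - offset;

        /* Check the space first, only then read the length field. */
        if (remaining <= CERT_HDR_SIZE) {
            return WALK_BAD_ENTRY;
        }
        len = read_le32(image + offset);
        if (len < CERT_HDR_SIZE || len > remaining) {
            return WALK_BAD_ENTRY;      /* zero/short length or overrun */
        }
        /* Round up to the alignment, then advance, both with wrap checks. */
        if (add_u32(len, CERT_ALIGN - 1u, &padded) != 0) {
            return WALK_BAD_ENTRY;
        }
        padded &= ~(CERT_ALIGN - 1u);
        if (add_u32(offset, padded, &next) != 0) {
            return WALK_BAD_ENTRY;
        }
        count++;
    }
    /* This example is strict: the entries must end exactly at the table end. */
    return offset == end ? count : WALK_BAD_ENTRY;
}

/*
 * Constructed sample: a 64-byte "image" with the directory at offset 16 and
 * two entries at offsets 16 and 32 carrying the given dwLength values.
 */
int walk_sample(uint32_t len1, uint32_t len2, uint32_t dir_size)
{
    uint8_t image[64] = {0};

    write_le32(image + 16, len1);
    write_le32(image + 32, len2);
    return walk_cert_table(image, (uint32_t)sizeof image, 16u, dir_size);
}

int main(void)
{
    printf("well-formed      : %d\n", walk_sample(12u, 16u, 32u));
    printf("dwLength == 0    : %d\n", walk_sample(0u, 16u, 32u));
    printf("huge dwLength    : %d\n", walk_sample(0xFFFFFFE9u, 16u, 32u));
    printf("wrapping dir size: %d\n", walk_sample(12u, 16u, 0xFFFFFFF0u));
    return 0;
}
```

The same constructed inputs can serve as the malformed-table cases asked for in the reply: each rejected case returns a distinct negative code instead of looping.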

[edk2-devel] [edk2-platform][PATCH v1 1/1] Platforms/RaspberryPi: Fix DBG2 UART namespace reference

2020-08-13 Thread Samer El-Haj-Mahmoud
The UART namespace reference in DBG2 is incorrect. Fix to point to the
correct name.

This fixes the certification failure reported by FWTS tests at:
https://github.com/pftf/RPi4/issues/69

Cc: Leif Lindholm 
Cc: Pete Batard 
Cc: Andrei Warkentin 
Cc: Ard Biesheuvel 
Signed-off-by: Samer El-Haj-Mahmoud 
---
 Platform/RaspberryPi/AcpiTables/Dbg2.aslc | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/Platform/RaspberryPi/AcpiTables/Dbg2.aslc 
b/Platform/RaspberryPi/AcpiTables/Dbg2.aslc
index c35b15693f5a..e3f2adae7e21 100644
--- a/Platform/RaspberryPi/AcpiTables/Dbg2.aslc
+++ b/Platform/RaspberryPi/AcpiTables/Dbg2.aslc
@@ -3,7 +3,7 @@
  *  Debug Port Table (DBG2)
  *
  *  Copyright (c) 2019, Pete Batard 
- *  Copyright (c) 2012-2016, ARM Limited. All rights reserved.
+ *  Copyright (c) 2012-2020, ARM Limited. All rights reserved.
  *
  *  SPDX-License-Identifier: BSD-2-Clause-Patent
  *
@@ -21,13 +21,13 @@
 
 #define RPI_DBG2_NUM_DEBUG_PORTS1
 #define RPI_DBG2_NUMBER_OF_GENERIC_ADDRESS_REGISTERS1
-#define RPI_DBG2_NAMESPACESTRING_FIELD_SIZE 10
+#define RPI_DBG2_NAMESPACESTRING_FIELD_SIZE 15
 
 #if (RPI_MODEL == 4)
 #define RPI_UART_INTERFACE_TYPE 
EFI_ACPI_DBG2_PORT_SUBTYPE_SERIAL_ARM_PL011_UART
 #define RPI_UART_BASE_ADDRESS   
BCM2836_PL011_UART_BASE_ADDRESS
 #define RPI_UART_LENGTH 
BCM2836_PL011_UART_LENGTH
-#define RPI_UART_STR{ '\\', '_', 'S', 'B', 
'.', 'U', 'R', 'T', '0', 0x00 }
+#define RPI_UART_STR{ '\\', '_', 'S', 'B', 
'.', 'G', 'D', 'V', '0', '.', 'U', 'R', 'T', '0', 0x00 }
 #else
 #define RPI_UART_INTERFACE_TYPE 
EFI_ACPI_DBG2_PORT_SUBTYPE_SERIAL_BCM2835_UART
 #define RPI_UART_BASE_ADDRESS   
BCM2836_MINI_UART_BASE_ADDRESS
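Review bot: `RPI_DBG2_NAMESPACESTRING_FIELD_SIZE` is raised from 10 to 15 by hand to fit the longer `\_SB.GDV0.URT0` initializer, so the constant and the `RPI_UART_STR` arrays have to be kept in step manually. Derive the field size from the initializer (for example with `sizeof`) or add a STATIC_ASSERT tying the two together, so a later path change cannot leave the namespace string truncated or unterminated in the table.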
@@ -35,7 +35,7 @@
 //
 // RPI_UART_STR should match the value used Uart.asl
 //
-#define RPI_UART_STR{ '\\', '_', 'S', 'B', 
'.', 'U', 'R', 'T', 'M', 0x00 }
+#define RPI_UART_STR{ '\\', '_', 'S', 'B', 
'.', 'G', 'D', 'V', '0', '.', 'U', 'R', 'T', 'M', 0x00 }
 #endif
 
 typedef struct {
-- 
2.17.1


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#64220): https://edk2.groups.io/g/devel/message/64220
Mute This Topic: https://groups.io/mt/76168434/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [edk2-devel] [edk2-platform][PATCH v1 0/2] Platform/RaspberryPi : Set supported platform Language to English

2020-08-13 Thread Ard Biesheuvel

On 7/19/20 1:04 AM, Samer El-Haj-Mahmoud wrote:

Set the RaspberryPi supported Platform Language to English (US).

Cc: Leif Lindholm 
Cc: Pete Batard 
Cc: Andrei Warkentin 
Cc: Ard Biesheuvel 
Signed-off-by: Samer El-Haj-Mahmoud 

Samer El-Haj-Mahmoud (2):
   Platforms/RaspberryPi: Set RPi4 Language supported to English
   Platforms/RaspberryPi: Set RPi3 Language supported to English



Thanks

Pushed as 602a7ea1ab6d..cec6bb18ae97


  Platform/RaspberryPi/RPi3/RPi3.dsc | 5 -
  Platform/RaspberryPi/RPi4/RPi4.dsc | 5 -
  2 files changed, 8 insertions(+), 2 deletions(-)




View/Reply Online (#64219): https://edk2.groups.io/g/devel/message/64219



Re: [edk2-devel] [edk2-platform][PATCH v1 1/1] Platforms/RaspberryPi: Fix RPi4 GICC PMU PPI

2020-08-13 Thread Ard Biesheuvel

On 7/31/20 9:55 AM, Pete Batard wrote:

On 2020.07.28 22:00, Samer El-Haj-Mahmoud wrote:

Arm SBSA specification section ver 6.0, 4.1.5 defines specific PPI
values for certain standard interrupt IDs. The value for
"Performance Monitors Interrupt" needs to be 23.

REF: https://developer.arm.com/documentation/den0029/latest

This partially fixes SBSA test #11 ("Incorrect PPI value") reported in
https://github.com/pftf/RPi4/issues/74

Cc: Leif Lindholm 
Cc: Pete Batard 
Cc: Andrei Warkentin 
Cc: Ard Biesheuvel 
Signed-off-by: Samer El-Haj-Mahmoud 
---
  Platform/RaspberryPi/RPi4/RPi4.dsc | 8 
  1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/Platform/RaspberryPi/RPi4/RPi4.dsc 
b/Platform/RaspberryPi/RPi4/RPi4.dsc

index c481c3534263..00683afe96b9 100644
--- a/Platform/RaspberryPi/RPi4/RPi4.dsc
+++ b/Platform/RaspberryPi/RPi4/RPi4.dsc
@@ -433,10 +433,10 @@ [PcdsFixedAtBuild.common]
    gRaspberryPiTokenSpaceGuid.PcdGicInterruptInterfaceHBase|0xFF844000
    gRaspberryPiTokenSpaceGuid.PcdGicInterruptInterfaceVBase|0xFF846000
    gRaspberryPiTokenSpaceGuid.PcdGicGsivId|0x19
-  gRaspberryPiTokenSpaceGuid.PcdGicPmuIrq0|0x30
-  gRaspberryPiTokenSpaceGuid.PcdGicPmuIrq1|0x31
-  gRaspberryPiTokenSpaceGuid.PcdGicPmuIrq2|0x32
-  gRaspberryPiTokenSpaceGuid.PcdGicPmuIrq3|0x33
+  gRaspberryPiTokenSpaceGuid.PcdGicPmuIrq0|23
+  gRaspberryPiTokenSpaceGuid.PcdGicPmuIrq1|23
+  gRaspberryPiTokenSpaceGuid.PcdGicPmuIrq2|23
+  gRaspberryPiTokenSpaceGuid.PcdGicPmuIrq3|23
    #
    # Fixed CPU settings.



Reviewed-by: Pete Batard 


Thanks

Pushed as cf825de918f9..602a7ea1ab6d


View/Reply Online (#64218): https://edk2.groups.io/g/devel/message/64218



Re: [edk2-devel] [edk2-platform][PATCH v1 0/3] Platform/RaspberryPi : SCT EFI_GRAPHICS_OUTPUT_PROTOCOL fixes

2020-08-13 Thread Ard Biesheuvel

On 7/22/20 4:01 AM, Samer El-Haj-Mahmoud wrote:

This series fixes various failures reported by SCT for
EFI_GRAPHICS_OUTPUT_PROTOCOL (https://github.com/pftf/RPi4/issues/73)

Cc: Leif Lindholm 
Cc: Pete Batard 
Cc: Andrei Warkentin 
Cc: Ard Biesheuvel 
Signed-off-by: Samer El-Haj-Mahmoud 
Samer El-Haj-Mahmoud (3):
   Platforms/RaspberryPi: Fix GOP parameter handling
   Platforms/RaspberryPi: Return GOP PixelInformation in QueryMode()
   Platforms/RaspberryPi: Fix GOP FrameBufferSize returned by SetMode()


Thanks

Pushed as f2e4f25b83bf..cf825de918f9



  .../Drivers/DisplayDxe/DisplayDxe.c   | 22 +++
  1 file changed, 18 insertions(+), 4 deletions(-)




View/Reply Online (#64217): https://edk2.groups.io/g/devel/message/64217



Re: [edk2-devel] [edk2-platform][PATCH v1 0/7] Platform/RaspberryPi : SMBIOS fixes and cleanup

2020-08-13 Thread Ard Biesheuvel

On 7/20/20 8:16 PM, Samer El-Haj-Mahmoud wrote:

Fixes and enhancements to RaspberryPi SMBIOS Types 0, 2, 3, 4, 7, 16, 17, and 
19.
These were compared against SMBIOS spec ver 3.3, and SBBR ver 1.2, and tested
in UEFI Shell with smbiosview.

One issue found in smbiosview (for Type 17, "VolatileSize") and
will be fixed as a separate patch.

This series addresses :
   - Most items in https://github.com/pftf/RPi4/issues/16
   - One of the issues in https://github.com/pftf/RPi4/issues/75

Series pushed to:
https://github.com/samerhaj/edk2-platforms/tree/rpi_smbios_fixes_v1

Cc: Leif Lindholm 
Cc: Pete Batard 
Cc: Andrei Warkentin 
Cc: Ard Biesheuvel 
Signed-off-by: Samer El-Haj-Mahmoud 

Samer El-Haj-Mahmoud (7):
   Platforms/RaspberryPi: Fix NULL AssetTag in SMBIOS
   Platforms/RaspberryPi: SMBIOS Type 2 and Type 3 fixes
   Platforms/RaspberryPi: SMBIOS Type 0 fixes
   Platforms/RaspberryPi: SMBIOS Type 4 fixes
   Platforms/RaspberryPi: SMBIOS Type 7 fixes
   Platforms/RaspberryPi: SMBIOS Memory Types fixes
   Platforms/RaspberryPi: SMBIOS minor cleanup



Thanks

Pushed as e28ea561e07b..f2e4f25b83bf


  .../PlatformSmbiosDxe/PlatformSmbiosDxe.inf   |   7 +-
  .../PlatformSmbiosDxe/PlatformSmbiosDxe.c | 457 --
  2 files changed, 320 insertions(+), 144 deletions(-)




View/Reply Online (#64216): https://edk2.groups.io/g/devel/message/64216



[edk2-devel] [PATCH v15 33/46] UefiCpuPkg: Create an SEV-ES workarea PCD

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

Create an SEV-ES workarea PCD. This PCD will be used for BSP communication
during SEC and for AP startup during PEI and DXE phases, the latter is the
reason for creating it in the UefiCpuPkg.

Cc: Eric Dong 
Cc: Ray Ni 
Cc: Laszlo Ersek 
Reviewed-by: Eric Dong 
Signed-off-by: Tom Lendacky 
---
 UefiCpuPkg/UefiCpuPkg.dec | 8 
 UefiCpuPkg/UefiCpuPkg.uni | 8 
 2 files changed, 16 insertions(+)

diff --git a/UefiCpuPkg/UefiCpuPkg.dec b/UefiCpuPkg/UefiCpuPkg.dec
index 17228cb5a84f..d83c084467b3 100644
--- a/UefiCpuPkg/UefiCpuPkg.dec
+++ b/UefiCpuPkg/UefiCpuPkg.dec
@@ -164,6 +164,14 @@ [PcdsFixedAtBuild]
   # @Prompt Specify the count of pre allocated SMM MP tokens per chunk.
   gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmMpTokenCountPerChunk|64|UINT32|0x30002002
 
+  ## Area of memory where the SEV-ES work area block lives.
+  # @Prompt Configure the SEV-ES work area base
+  gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase|0x0|UINT32|0x30002005
+
+  ## Size of teh area of memory where the SEV-ES work area block lives.
+  # @Prompt Configure the SEV-ES work area base
+  gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize|0x0|UINT32|0x30002006
+
 [PcdsFixedAtBuild, PcdsPatchableInModule]
   ## This value is the CPU Local APIC base address, which aligns the address 
on a 4-KByte boundary.
   # @Prompt Configure base address of CPU Local APIC
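Review bot: In the `PcdSevEsWorkAreaSize` entry the description has a typo ("teh") and its `@Prompt` line repeats "Configure the SEV-ES work area base" from the entry above; it should say "size". Both PCDs also default to `0x0`, so the description should state that a platform using SEV-ES is expected to override them.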
diff --git a/UefiCpuPkg/UefiCpuPkg.uni b/UefiCpuPkg/UefiCpuPkg.uni
index f4a0c72f6293..219c1963bf08 100644
--- a/UefiCpuPkg/UefiCpuPkg.uni
+++ b/UefiCpuPkg/UefiCpuPkg.uni
@@ -281,3 +281,11 @@
 
 #string STR_gUefiCpuPkgTokenSpaceGuid_PcdSevEsIsEnabled_PROMPT  #language 
en-US "Specifies whether SEV-ES is enabled"
 #string STR_gUefiCpuPkgTokenSpaceGuid_PcdSevEsIsEnabled_HELP#language 
en-US "Set to TRUE when running as an SEV-ES guest, FALSE otherwise."
+
+#string STR_gUefiCpuPkgTokenSpaceGuid_PcdSevEsWorkAreaBase_PROMPT  #language 
en-US "Specify the address of the SEV-ES work area"
+
+#string STR_gUefiCpuPkgTokenSpaceGuid_PcdSevEsWorkAreaBase_HELP#language 
en-US "Specifies the address of the work area used by an SEV-ES guest."
+
+#string STR_gUefiCpuPkgTokenSpaceGuid_PcdSevEsWorkAreaSize_PROMPT  #language 
en-US "Specify the size of the SEV-ES work area"
+
+#string STR_gUefiCpuPkgTokenSpaceGuid_PcdSevEsWorkAreaSize_HELP#language 
en-US "Specifies the size of the work area used by an SEV-ES guest."
-- 
2.28.0


View/Reply Online (#64209): https://edk2.groups.io/g/devel/message/64209



[edk2-devel] [PATCH v15 36/46] OvmfPkg/ResetVector: Add support for a 32-bit SEV check

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

During BSP startup, the reset vector code will issue a CPUID instruction
while in 32-bit mode. When running as an SEV-ES guest, this will trigger
a #VC exception.

Add exception handling support to the early reset vector code to catch
these exceptions.  Also, since the guest is in 32-bit mode at this point,
writes to the GHCB will be encrypted and thus not able to be read by the
hypervisor, so use the GHCB CPUID request/response protocol to obtain the
requested CPUID function values and provide these to the guest.

The exception handling support is active during the SEV check and uses the
OVMF temporary RAM space for a stack. After the SEV check is complete, the
exception handling support is removed and the stack pointer cleared.

Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Reviewed-by: Laszlo Ersek 
Signed-off-by: Tom Lendacky 
---
 OvmfPkg/ResetVector/ResetVector.inf   |   3 +
 OvmfPkg/ResetVector/Ia32/PageTables64.asm | 275 +++-
 OvmfPkg/ResetVector/ResetVector.nasmb |   2 +
 3 files changed, 277 insertions(+), 3 deletions(-)

diff --git a/OvmfPkg/ResetVector/ResetVector.inf 
b/OvmfPkg/ResetVector/ResetVector.inf
index 483fd90fe785..a53ae6c194ae 100644
--- a/OvmfPkg/ResetVector/ResetVector.inf
+++ b/OvmfPkg/ResetVector/ResetVector.inf
@@ -34,9 +34,12 @@ [BuildOptions]
*_*_X64_NASMB_FLAGS = -I$(WORKSPACE)/UefiCpuPkg/ResetVector/Vtf0/
 
 [Pcd]
+  gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbSize
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbPageTableBase
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbPageTableSize
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesBase
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesSize
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm 
b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
index 9f86ddf6f08f..7c72128a84d6 100644
--- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm
+++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
@@ -36,13 +36,58 @@ BITS32
PAGE_READ_WRITE + \
PAGE_PRESENT)
 
+;
+; SEV-ES #VC exception handler support
+;
+; #VC handler local variable locations
+;
+%define VC_CPUID_RESULT_EAX 0
+%define VC_CPUID_RESULT_EBX 4
+%define VC_CPUID_RESULT_ECX 8
+%define VC_CPUID_RESULT_EDX12
+%define VC_GHCB_MSR_EDX16
+%define VC_GHCB_MSR_EAX20
+%define VC_CPUID_REQUEST_REGISTER  24
+%define VC_CPUID_FUNCTION  28
+
+; #VC handler total local variable size
+;
+%define VC_VARIABLE_SIZE   32
+
+; #VC handler GHCB CPUID request/response protocol values
+;
+%define GHCB_CPUID_REQUEST  4
+%define GHCB_CPUID_RESPONSE 5
+%define GHCB_CPUID_REGISTER_SHIFT  30
+%define CPUID_INSN_LEN  2
+
+
 ; Check if Secure Encrypted Virtualization (SEV) feature is enabled
 ;
-; If SEV is enabled then EAX will be at least 32
+; Modified:  EAX, EBX, ECX, EDX, ESP
+;
+; If SEV is enabled then EAX will be at least 32.
 ; If SEV is disabled then EAX will be zero.
 ;
 CheckSevFeature:
+; Set the first byte of the workarea to zero to communicate to the SEC
+; phase that SEV-ES is not enabled. If SEV-ES is enabled, the CPUID
+; instruction will trigger a #VC exception where the first byte of the
+; workarea will be set to one.
+mov byte[SEV_ES_WORK_AREA], 0
+
+;
+; Set up exception handlers to check for SEV-ES
+;   Load temporary RAM stack based on PCDs (see SevEsIdtVmmComm for
+;   stack usage)
+;   Establish exception handlers
+;
+mov   esp, SEV_ES_VC_TOP_OF_STACK
+mov   eax, ADDR_OF(Idtr)
+lidt  [cs:eax]
+
 ; Check if we have a valid (0x8000_001F) CPUID leaf
+;   CPUID raises a #VC exception if running as an SEV-ES guest
 mov   eax, 0x8000
 cpuid
 
@@ -53,8 +98,8 @@ CheckSevFeature:
 jlNoSev
 
 ; Check for memory encryption feature:
-;  CPUID  Fn8000_001F[EAX] - Bit 1
-;
+; CPUID  Fn8000_001F[EAX] - Bit 1
+;   CPUID raises a #VC exception if running as an SEV-ES guest
 mov   eax,  0x801f
 cpuid
 bteax, 1
@@ -78,6 +123,15 @@ NoSev:
 xor   eax, eax
 
 SevExit:
+;
+; Clear exception handlers and stack
+;
+push  eax
+mov   eax, ADDR_OF(IdtrClear)
+lidt  [cs:eax]
+pop   eax
+mov   esp, 0
+
 OneTimeCallRet CheckSevFeature
 
 ; Check if Secure Encrypted Virtualization - Encrypted State (SEV-ES) feature
@@ -222,3 +276,218 @@ SetCr3:
 mov cr3, eax
 
 OneTimeCallRet SetCr3ForPageTables64
+
+;
+; Start of #VC exception handling routines
+;
+
+SevEsIdtNotCpuid:
+;
+; Use VMGEXIT to request termination.
+;   1 - 

[edk2-devel] [PATCH v15 37/46] OvmfPkg/Sec: Add #VC exception handling for Sec phase

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

An SEV-ES guest will generate a #VC exception when it encounters a
non-automatic exit (NAE) event. It is expected that the #VC exception
handler will communicate with the hypervisor using the GHCB to handle
the NAE event.

NAE events can occur during the Sec phase, so initialize exception
handling early in the OVMF Sec support.

Before establishing the exception handling, validate that the supported
version of the SEV-ES protocol in OVMF is supported by the hypervisor.

Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Reviewed-by: Laszlo Ersek 
Signed-off-by: Tom Lendacky 
---
 OvmfPkg/Sec/SecMain.inf |   4 +
 OvmfPkg/Sec/SecMain.c   | 182 ++--
 2 files changed, 173 insertions(+), 13 deletions(-)

diff --git a/OvmfPkg/Sec/SecMain.inf b/OvmfPkg/Sec/SecMain.inf
index 63ba4cb555fb..7f78dcee2772 100644
--- a/OvmfPkg/Sec/SecMain.inf
+++ b/OvmfPkg/Sec/SecMain.inf
@@ -50,15 +50,19 @@ [LibraryClasses]
   PeCoffExtraActionLib
   ExtractGuidedSectionLib
   LocalApicLib
+  CpuExceptionHandlerLib
 
 [Ppis]
   gEfiTemporaryRamSupportPpiGuid# PPI ALWAYS_PRODUCED
 
 [Pcd]
+  gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvSize
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvSize
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbSize
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesBase
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c
index 6dea6e771a29..169c04b9cec7 100644
--- a/OvmfPkg/Sec/SecMain.c
+++ b/OvmfPkg/Sec/SecMain.c
@@ -24,6 +24,9 @@
 #include 
 #include 
 #include 
+#include 
+#include 
+#include 
 
 #include 
 
@@ -34,6 +37,10 @@ typedef struct _SEC_IDT_TABLE {
   IA32_IDT_GATE_DESCRIPTOR  IdtTable[SEC_IDT_ENTRY_COUNT];
 } SEC_IDT_TABLE;
 
+typedef struct _SEC_SEV_ES_WORK_AREA {
+  UINT8  SevEsEnabled;
+} SEC_SEV_ES_WORK_AREA;
+
 VOID
 EFIAPI
 SecStartupPhase2 (
@@ -712,6 +719,120 @@ FindAndReportEntryPoints (
   return;
 }
 
+/**
+  Handle an SEV-ES/GHCB protocol check failure.
+
+  Notify the hypervisor using the VMGEXIT instruction that the SEV-ES guest
+  wishes to be terminated.
+
+  @param[in] ReasonCode  Reason code to provide to the hypervisor for the
+ termination request.
+
+**/
+STATIC
+VOID
+SevEsProtocolFailure (
+  IN UINT8  ReasonCode
+  )
+{
+  MSR_SEV_ES_GHCB_REGISTER  Msr;
+
+  //
+  // Use the GHCB MSR Protocol to request termination by the hypervisor
+  //
+  Msr.GhcbPhysicalAddress = 0;
+  Msr.GhcbTerminate.Function = GHCB_INFO_TERMINATE_REQUEST;
+  Msr.GhcbTerminate.ReasonCodeSet = GHCB_TERMINATE_GHCB;
+  Msr.GhcbTerminate.ReasonCode = ReasonCode;
+  AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress);
+
+  AsmVmgExit ();
+
+  ASSERT (FALSE);
+  CpuDeadLoop ();
+}
+
+/**
+  Validate the SEV-ES/GHCB protocol level.
+
+  Verify that the level of SEV-ES/GHCB protocol supported by the hypervisor
+  and the guest intersect. If they don't intersect, request termination.
+
+**/
+STATIC
+VOID
+SevEsProtocolCheck (
+  VOID
+  )
+{
+  MSR_SEV_ES_GHCB_REGISTER  Msr;
+  GHCB  *Ghcb;
+
+  //
+  // Use the GHCB MSR Protocol to obtain the GHCB SEV-ES Information for
+  // protocol checking
+  //
+  Msr.GhcbPhysicalAddress = 0;
+  Msr.GhcbInfo.Function = GHCB_INFO_SEV_INFO_GET;
+  AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress);
+
+  AsmVmgExit ();
+
+  Msr.GhcbPhysicalAddress = AsmReadMsr64 (MSR_SEV_ES_GHCB);
+
+  if (Msr.GhcbInfo.Function != GHCB_INFO_SEV_INFO) {
+SevEsProtocolFailure (GHCB_TERMINATE_GHCB_GENERAL);
+  }
+
+  if (Msr.GhcbProtocol.SevEsProtocolMin > Msr.GhcbProtocol.SevEsProtocolMax) {
+SevEsProtocolFailure (GHCB_TERMINATE_GHCB_PROTOCOL);
+  }
+
+  if ((Msr.GhcbProtocol.SevEsProtocolMin > GHCB_VERSION_MAX) ||
+  (Msr.GhcbProtocol.SevEsProtocolMax < GHCB_VERSION_MIN)) {
+SevEsProtocolFailure (GHCB_TERMINATE_GHCB_PROTOCOL);
+  }
+
+  //
+  // SEV-ES protocol checking succeeded, set the initial GHCB address
+  //
+  Msr.GhcbPhysicalAddress = FixedPcdGet32 (PcdOvmfSecGhcbBase);
+  AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress);
+
+  Ghcb = Msr.Ghcb;
+  SetMem (Ghcb, sizeof (*Ghcb), 0);
+
+  //
+  // Set the version to the maximum that can be supported
+  //
+  Ghcb->ProtocolVersion = MIN (Msr.GhcbProtocol.SevEsProtocolMax, 
GHCB_VERSION_MAX);
+  Ghcb->GhcbUsage = GHCB_STANDARD_USAGE;
+}
+
+/**
+  Determine if SEV-ES is active.
+
+  During early booting, SEV-ES support code will set a flag to indicate that
+  SEV-ES is enabled. Return the value of this flag as an indicator that SEV-ES
+  is enabled.
+
+  @retval TRUE   SEV-ES is enabled
+  @retval FALSE  SEV-ES is not enabled
+
+**/
+STATIC
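Review bot: In `SevEsProtocolCheck`, `SetMem (Ghcb, sizeof (*Ghcb), 0)` clears a full GHCB at `PcdOvmfSecGhcbBase` without checking the size of that region, although `PcdOvmfSecGhcbSize` is added to the INF in this same patch. Add an ASSERT or build-time check that `PcdOvmfSecGhcbSize` is at least `sizeof (GHCB)`. The `SevEsProtocolMin` and `SevEsProtocolMax` fields are read back from the MSR after `AsmVmgExit ()`, so a short comment that they are hypervisor-supplied input would keep later edits from relaxing the range checks.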

[edk2-devel] [PATCH v15 38/46] OvmfPkg/Sec: Enable cache early to speed up booting

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

Currently, the OVMF code relies on the hypervisor to enable the cache
support on the processor in order to improve the boot speed. However,
with SEV-ES, the hypervisor is not allowed to change the CR0 register
to enable caching.

Update the OVMF Sec support to enable caching in order to improve the
boot speed when running as an SEV-ES guest.

Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Reviewed-by: Laszlo Ersek 
Signed-off-by: Tom Lendacky 
---
 OvmfPkg/Sec/SecMain.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c
index 169c04b9cec7..63aca7020727 100644
--- a/OvmfPkg/Sec/SecMain.c
+++ b/OvmfPkg/Sec/SecMain.c
@@ -906,6 +906,13 @@ SecCoreStartupWithStack (
 // For non SEV-ES guests, just load the IDTR.
 //
 AsmWriteIdtr ();
+  } else {
+//
+// Under SEV-ES, the hypervisor can't modify CR0 and so can't enable
+// caching in order to speed up the boot. Enable caching early for
+// an SEV-ES guest.
+//
+AsmEnableCache ();
   }
 
   DEBUG ((DEBUG_INFO,
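
Review bot: Hanging AsmEnableCache () on the `else` of the branch commented "For non SEV-ES guests, just load the IDTR" ties two unrelated actions to one condition, and that condition lies outside the visible context, so a reader of this spot cannot see what is being tested. A separate SEV-ES check around the AsmEnableCache () call would read more clearly and would keep the cache change independent of any later edit to the IDTR logic.
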
-- 
2.28.0


View/Reply Online (#64214): https://edk2.groups.io/g/devel/message/64214



[edk2-devel] [PATCH v15 39/46] OvmfPkg/QemuFlashFvbServicesRuntimeDxe: Bypass flash detection with SEV-ES

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

The flash detection routine will attempt to determine how the flash
device behaves (e.g. ROM, RAM, Flash). But when SEV-ES is enabled and
the flash device behaves as a ROM device (meaning it is marked read-only
by the hypervisor), this check may result in an infinite nested page fault
because of the attempted write. Since the instruction cannot be emulated
when SEV-ES is enabled, the RIP is never advanced, resulting in repeated
nested page faults.

When SEV-ES is enabled, exit the flash detection early and assume that
the FD behaves as Flash. This will result in QemuFlashWrite() being called
to store EFI variables, which will also result in an infinite nested page
fault when the write is performed. In this case, update QemuFlashWrite()
to use the VMGEXIT MMIO write support to have the hypervisor perform the
write without having to emulate the instruction.

Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Reviewed-by: Laszlo Ersek 
Signed-off-by: Tom Lendacky 
---
 OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf |  2 +
 OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.h   | 13 +++
 OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c   | 23 
+--
 OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlashDxe.c| 40 

 OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlashSmm.c| 16 
 5 files changed, 91 insertions(+), 3 deletions(-)

diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf 
b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf
index 72cabba4357d..8bb2325157ea 100644
--- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf
+++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf
@@ -38,6 +38,7 @@ [Sources]
 [Packages]
   MdePkg/MdePkg.dec
   MdeModulePkg/MdeModulePkg.dec
+  UefiCpuPkg/UefiCpuPkg.dec
   OvmfPkg/OvmfPkg.dec
 
 [LibraryClasses]
@@ -52,6 +53,7 @@ [LibraryClasses]
   UefiBootServicesTableLib
   UefiDriverEntryPoint
   UefiRuntimeLib
+  VmgExitLib
 
 [Guids]
   gEfiEventVirtualAddressChangeGuid   # ALWAYS_CONSUMED
diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.h 
b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.h
index f1afabcbe6ae..219d0d6e83cf 100644
--- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.h
+++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.h
@@ -89,5 +89,18 @@ QemuFlashBeforeProbe (
   IN  UINTN   FdBlockCount
   );
 
+/**
+  Write to QEMU Flash
+
+  @param[in] PtrPointer to the location to write.
+  @param[in] Value  The value to write.
+
+**/
+VOID
+QemuFlashPtrWrite (
+  INvolatile UINT8*Ptr,
+  INUINT8 Value
+  );
+
 #endif
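
Review bot: The QemuFlashPtrWrite() comment in QemuFlash.h should say that the DXE and SMM builds supply different implementations and that, under SEV-ES, the write is issued through VMGEXIT rather than as a direct store; as written, "Write to QEMU Flash" gives a caller no reason to prefer it over `*Ptr = Value`. Because the function returns VOID, the comment should also state what happens when the write cannot be carried out.
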
 
diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c 
b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c
index 1b0d6c053f1a..0d29bf701aca 100644
--- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c
+++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c
@@ -9,6 +9,7 @@
 
 #include 
 #include 
+#include 
 #include 
 
 #include "QemuFlash.h"
@@ -80,6 +81,21 @@ QemuFlashDetected (
 
   DEBUG ((DEBUG_INFO, "QEMU Flash: Attempting flash detection at %p\n", Ptr));
 
+  if (MemEncryptSevEsIsEnabled ()) {
+//
+// When SEV-ES is enabled, the check below can result in an infinite
+// loop with respect to a nested page fault. When the memslot is mapped
+// read-only, the nested page table entry is read-only. The check below
+// will cause a nested page fault that cannot be emulated, causing
+// the instruction to retried over and over. For SEV-ES, acknowledge that
+// the FD appears as ROM and not as FLASH, but report FLASH anyway because
+// FLASH behavior can be simulated using VMGEXIT.
+//
+DEBUG ((DEBUG_INFO,
+  "QEMU Flash: SEV-ES enabled, assuming FD behaves as FLASH\n"));
+return TRUE;
+  }
+
   OriginalUint8 = *Ptr;
   *Ptr = CLEAR_STATUS_CMD;
   ProbeUint8 = *Ptr;
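
Review bot: In the new comment in QemuFlashDetected(), "causing the instruction to retried over and over" is missing "be". Beyond the wording, the early `return TRUE;` means the probe result is never verified under SEV-ES, so the comment should state that correctness then depends on every later write to the FD going through QemuFlashPtrWrite(); a direct store anywhere else would run into the same nested page fault loop this comment describes.
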
@@ -181,8 +197,9 @@ QemuFlashWrite (
   //
   Ptr = QemuFlashPtr (Lba, Offset);
   for (Loop = 0; Loop < *NumBytes; Loop++) {
-*Ptr = WRITE_BYTE_CMD;
-*Ptr = Buffer[Loop];
+QemuFlashPtrWrite (Ptr, WRITE_BYTE_CMD);
+QemuFlashPtrWrite (Ptr, Buffer[Loop]);
+
 Ptr++;
   }
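
Review bot: QemuFlashPtrWrite() returns VOID, so inside this loop a write that was not actually performed cannot be detected, and QemuFlashWrite() still ends with `return EFI_SUCCESS;`. Consider returning a status from QemuFlashPtrWrite() and propagating it from the loop. The blank line added before `Ptr++;` is also unnecessary.
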
 
@@ -190,7 +207,7 @@ QemuFlashWrite (
   // Restore flash to read mode
   //
   if (*NumBytes > 0) {
-*(Ptr - 1) = READ_ARRAY_CMD;
+QemuFlashPtrWrite (Ptr - 1, READ_ARRAY_CMD);
   }
 
   return EFI_SUCCESS;
diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlashDxe.c 
b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlashDxe.c
index 5aabe9d7b59c..565383ee26d2 100644
--- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlashDxe.c
+++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlashDxe.c
@@ -10,6 +10,9 @@
 **/
 
 #include 
+#include 
+#include 
+#include 
 
 #include "QemuFlash.h"
 
@@ -32,3 +35,40 @@ QemuFlashBeforeProbe (

[edk2-devel] [PATCH v15 35/46] OvmfPkg/PlatformPei: Reserve SEV-ES work area if S3 is supported

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

Protect the SEV-ES work area memory used by an SEV-ES guest.

Regarding the lifecycle of the SEV-ES memory area:
  PcdSevEsWorkArea

(a) when and how it is initialized after first boot of the VM

  If SEV-ES is enabled, the SEV-ES area is initialized during
  the SEC phase [OvmfPkg/ResetVector/Ia32/PageTables64.asm].

(b) how it is protected from memory allocations during DXE

  If SEV-ES is enabled, then InitializeRamRegions()
  [OvmfPkg/PlatformPei/MemDetect.c] protects the ranges with either
  an AcpiNVS (S3 enabled) or BootServicesData (S3 disabled) memory
  allocation HOB, in PEI.

(c) how it is protected from the OS

  If S3 is enabled, then (b) reserves it from the OS too.

  If S3 is disabled, then the range needs no protection.

(d) how it is accessed on the S3 resume path

  It is rewritten same as in (a), which is fine because (b) reserved it.

(e) how it is accessed on the warm reset path

  It is rewritten same as in (a).

Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Cc: Anthony Perard 
Cc: Julien Grall 
Reviewed-by: Laszlo Ersek 
Signed-off-by: Tom Lendacky 
---
 OvmfPkg/PlatformPei/PlatformPei.inf |  2 ++
 OvmfPkg/PlatformPei/MemDetect.c | 20 
 2 files changed, 22 insertions(+)

diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf 
b/OvmfPkg/PlatformPei/PlatformPei.inf
index 4742e1bdf42b..c53be2f4925c 100644
--- a/OvmfPkg/PlatformPei/PlatformPei.inf
+++ b/OvmfPkg/PlatformPei/PlatformPei.inf
@@ -118,6 +118,8 @@ [FixedPcd]
   gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiReservedMemoryType
   gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiRuntimeServicesCode
   gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiRuntimeServicesData
+  gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase
+  gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize
 
 [FeaturePcd]
   gUefiOvmfPkgTokenSpaceGuid.PcdCsmEnable
diff --git a/OvmfPkg/PlatformPei/MemDetect.c b/OvmfPkg/PlatformPei/MemDetect.c
index 6b5fee166b5d..ffbbef891a11 100644
--- a/OvmfPkg/PlatformPei/MemDetect.c
+++ b/OvmfPkg/PlatformPei/MemDetect.c
@@ -940,5 +940,25 @@ InitializeRamRegions (
   );
   }
 }
+
+#ifdef MDE_CPU_X64
+if (MemEncryptSevEsIsEnabled ()) {
+  //
+  // If SEV-ES is enabled, reserve the SEV-ES work area.
+  //
+  // Since this memory range will be used by the Reset Vector on S3
+  // resume, it must be reserved as ACPI NVS.
+  //
+  // If S3 is unsupported, then various drivers might still write to the
+  // work area. We ought to prevent DXE from serving allocation requests
+  // such that they would overlap the work area.
+  //
+  BuildMemoryAllocationHob (
+(EFI_PHYSICAL_ADDRESS)(UINTN) FixedPcdGet32 (PcdSevEsWorkAreaBase),
+(UINT64)(UINTN) FixedPcdGet32 (PcdSevEsWorkAreaSize),
+mS3Supported ? EfiACPIMemoryNVS : EfiBootServicesData
+);
+}
+#endif
   }
 }
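
Review bot: The `#ifdef MDE_CPU_X64` around the new block in InitializeRamRegions() carries no comment explaining why the work area is reserved only in X64 builds, while PcdSevEsWorkAreaBase and PcdSevEsWorkAreaSize are added to [FixedPcd] in PlatformPei.inf without an architecture qualifier. A one-line comment giving the reason for the guard would settle the question for the next reader.
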
-- 
2.28.0


View/Reply Online (#64211): https://edk2.groups.io/g/devel/message/64211



[edk2-devel] [PATCH v15 34/46] OvmfPkg: Reserve a page in memory for the SEV-ES usage

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

Reserve a fixed area of memory for SEV-ES use and set a fixed PCD,
PcdSevEsWorkAreaBase, to this value.

This area will be used by SEV-ES support for two purposes:
  1. Communicating the SEV-ES status during BSP boot to SEC:
 Using a byte of memory from the page, the BSP reset vector code can
 communicate the SEV-ES status to SEC for use before exception
 handling can be enabled in SEC. After SEC, this field is no longer
 valid and the standard way of determining if SEV-ES is active should
 be used.

  2. Establishing an area of memory for AP boot support:
 A hypervisor is not allowed to update an SEV-ES guest's register
 state, so when booting an SEV-ES guest AP, the hypervisor is not
 allowed to set the RIP to the guest requested value. Instead an
 SEV-ES AP must be re-directed from within the guest to the actual
 requested starting location as specified in the INIT-SIPI-SIPI
 sequence.

 Use this memory for reset vector code that can be programmed to have
 the AP jump to the desired RIP location after starting the AP. This
 is required for only the very first AP reset.

Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Reviewed-by: Laszlo Ersek 
Signed-off-by: Tom Lendacky 
---
 OvmfPkg/OvmfPkgX64.fdf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index edb03b5464d4..8da59037e5f0 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -82,6 +82,9 @@ [FD.MEMFD]
 0x009000|0x002000
 
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbSize
 
+0x00B000|0x001000
+gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase|gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize
+
 0x01|0x01
 
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
 
-- 
2.28.0


View/Reply Online (#64210): https://edk2.groups.io/g/devel/message/64210



[edk2-devel] [PATCH v15 27/46] OvmfPkg/MemEncryptSevLib: Add an SEV-ES guest indicator function

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

Create a function that can be used to determine if the VM is running
as an SEV-ES guest.

Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Reviewed-by: Laszlo Ersek 
Signed-off-by: Tom Lendacky 
---
 OvmfPkg/Include/Library/MemEncryptSevLib.h  | 12 
 OvmfPkg/Library/BaseMemEncryptSevLib/MemEncryptSevLibInternal.c | 75 
+---
 2 files changed, 60 insertions(+), 27 deletions(-)

diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h 
b/OvmfPkg/Include/Library/MemEncryptSevLib.h
index 64dd6977b0f8..fc70b0114354 100644
--- a/OvmfPkg/Include/Library/MemEncryptSevLib.h
+++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h
@@ -13,6 +13,18 @@
 
 #include 
 
+/**
+  Returns a boolean to indicate whether SEV-ES is enabled.
+
+  @retval TRUE   SEV-ES is enabled
+  @retval FALSE  SEV-ES is not enabled
+**/
+BOOLEAN
+EFIAPI
+MemEncryptSevEsIsEnabled (
+  VOID
+  );
+
 /**
   Returns a boolean to indicate whether SEV is enabled
 
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/MemEncryptSevLibInternal.c 
b/OvmfPkg/Library/BaseMemEncryptSevLib/MemEncryptSevLibInternal.c
index 96a66e373f11..02b8eb225d81 100644
--- a/OvmfPkg/Library/BaseMemEncryptSevLib/MemEncryptSevLibInternal.c
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/MemEncryptSevLibInternal.c
@@ -20,19 +20,17 @@
 #include 
 
 STATIC BOOLEAN mSevStatus = FALSE;
+STATIC BOOLEAN mSevEsStatus = FALSE;
 STATIC BOOLEAN mSevStatusChecked = FALSE;
 
 /**
+  Reads and sets the status of SEV features.
 
-  Returns a boolean to indicate whether SEV is enabled
-
-  @retval TRUE   SEV is enabled
-  @retval FALSE  SEV is not enabled
   **/
 STATIC
-BOOLEAN
+VOID
 EFIAPI
-InternalMemEncryptSevIsEnabled (
+InternalMemEncryptSevStatus (
   VOID
   )
 {
@@ -56,32 +54,55 @@ InternalMemEncryptSevIsEnabled (
   //
   Msr.Uint32 = AsmReadMsr32 (MSR_SEV_STATUS);
   if (Msr.Bits.SevBit) {
-return TRUE;
+mSevStatus = TRUE;
+  }
+
+  //
+  // Check MSR_0xC0010131 Bit 1 (Sev-Es Enabled)
+  //
+  if (Msr.Bits.SevEsBit) {
+mSevEsStatus = TRUE;
   }
 }
   }
 
-  return FALSE;
-}
-
-/**
-  Returns a boolean to indicate whether SEV is enabled
-
-  @retval TRUE   SEV is enabled
-  @retval FALSE  SEV is not enabled
-**/
-BOOLEAN
-EFIAPI
-MemEncryptSevIsEnabled (
-  VOID
-  )
-{
-  if (mSevStatusChecked) {
-return mSevStatus;
-  }
-
-  mSevStatus = InternalMemEncryptSevIsEnabled();
   mSevStatusChecked = TRUE;
+}
+
+/**
+  Returns a boolean to indicate whether SEV-ES is enabled.
+
+  @retval TRUE   SEV-ES is enabled
+  @retval FALSE  SEV-ES is not enabled
+**/
+BOOLEAN
+EFIAPI
+MemEncryptSevEsIsEnabled (
+  VOID
+  )
+{
+  if (!mSevStatusChecked) {
+InternalMemEncryptSevStatus ();
+  }
+
+  return mSevEsStatus;
+}
+
+/**
+  Returns a boolean to indicate whether SEV is enabled.
+
+  @retval TRUE   SEV is enabled
+  @retval FALSE  SEV is not enabled
+**/
+BOOLEAN
+EFIAPI
+MemEncryptSevIsEnabled (
+  VOID
+  )
+{
+  if (!mSevStatusChecked) {
+InternalMemEncryptSevStatus ();
+  }
 
   return mSevStatus;
 }
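
Review bot: In InternalMemEncryptSevStatus(), `Msr.Bits.SevEsBit` is tested in its own `if` after the `SevBit` block has closed, so mSevEsStatus can become TRUE while mSevStatus stays FALSE. If SEV-ES always implies SEV, nest the SEV-ES test inside the SevBit branch or add an ASSERT, so that MemEncryptSevEsIsEnabled () can never report TRUE while MemEncryptSevIsEnabled () reports FALSE.
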
-- 
2.28.0


View/Reply Online (#64203): https://edk2.groups.io/g/devel/message/64203



[edk2-devel] [PATCH v15 28/46] OvmfPkg: Add support to perform SEV-ES initialization

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

When SEV-ES is enabled, then SEV is also enabled. Add support to the SEV
initialization function to also check for SEV-ES being enabled, and if
enabled, set the SEV-ES enabled PCD (PcdSevEsIsEnabled).

Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Reviewed-by: Laszlo Ersek 
Signed-off-by: Tom Lendacky 
---
 OvmfPkg/OvmfPkgIa32.dsc |  3 +++
 OvmfPkg/OvmfPkgIa32X64.dsc  |  3 +++
 OvmfPkg/OvmfPkgX64.dsc  |  3 +++
 OvmfPkg/PlatformPei/PlatformPei.inf |  1 +
 OvmfPkg/PlatformPei/AmdSev.c| 26 
 5 files changed, 36 insertions(+)

diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index c57bba1ba197..f84f23f250ef 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -607,6 +607,9 @@ [PcdsDynamicDefault]
   # Set memory encryption mask
   gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask|0x0
 
+  # Set SEV-ES defaults
+  gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled|0
+
 !if $(SMM_REQUIRE) == TRUE
   gUefiOvmfPkgTokenSpaceGuid.PcdQ35TsegMbytes|8
   gUefiOvmfPkgTokenSpaceGuid.PcdQ35SmramAtDefaultSmbase|FALSE
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 22e930b12b9b..a66abccf8266 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -619,6 +619,9 @@ [PcdsDynamicDefault]
   # Set memory encryption mask
   gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask|0x0
 
+  # Set SEV-ES defaults
+  gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled|0
+
 !if $(SMM_REQUIRE) == TRUE
   gUefiOvmfPkgTokenSpaceGuid.PcdQ35TsegMbytes|8
   gUefiOvmfPkgTokenSpaceGuid.PcdQ35SmramAtDefaultSmbase|FALSE
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 60be5eae3d2b..2a8975fd3d29 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -617,6 +617,9 @@ [PcdsDynamicDefault]
   # Set memory encryption mask
   gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask|0x0
 
+  # Set SEV-ES defaults
+  gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled|0
+
 !if $(SMM_REQUIRE) == TRUE
   gUefiOvmfPkgTokenSpaceGuid.PcdQ35TsegMbytes|8
   gUefiOvmfPkgTokenSpaceGuid.PcdQ35SmramAtDefaultSmbase|FALSE
diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf 
b/OvmfPkg/PlatformPei/PlatformPei.inf
index ff397b3ee9d7..00feb96c9308 100644
--- a/OvmfPkg/PlatformPei/PlatformPei.inf
+++ b/OvmfPkg/PlatformPei/PlatformPei.inf
@@ -103,6 +103,7 @@ [Pcd]
   gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber
   gUefiCpuPkgTokenSpaceGuid.PcdCpuBootLogicalProcessorNumber
   gUefiCpuPkgTokenSpaceGuid.PcdCpuApStackSize
+  gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled
 
 [FixedPcd]
   gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress
diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c
index e484f4b311fe..4dc5340caa7a 100644
--- a/OvmfPkg/PlatformPei/AmdSev.c
+++ b/OvmfPkg/PlatformPei/AmdSev.c
@@ -21,6 +21,27 @@
 
 #include "Platform.h"
 
+/**
+
+  Initialize SEV-ES support if running as an SEV-ES guest.
+
+  **/
+STATIC
+VOID
+AmdSevEsInitialize (
+  VOID
+  )
+{
+  RETURN_STATUS PcdStatus;
+
+  if (!MemEncryptSevEsIsEnabled ()) {
+return;
+  }
+
+  PcdStatus = PcdSetBoolS (PcdSevEsIsEnabled, TRUE);
+  ASSERT_RETURN_ERROR (PcdStatus);
+}
+
 /**
 
   Function checks if SEV support is available, if present then it sets
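
Review bot: In AmdSevEsInitialize(), the result of PcdSetBoolS () is checked only with ASSERT_RETURN_ERROR (), which is compiled out when asserts are disabled; in such a build a failed set leaves PcdSevEsIsEnabled at its .dsc default of 0 while MemEncryptSevEsIsEnabled () returns TRUE, and code keyed on the PCD would take the non-SEV-ES path. Halting explicitly on failure, for example with `CpuDeadLoop ();` after the assert, would make that state impossible to continue from.
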
@@ -103,4 +124,9 @@ AmdSevInitialize (
 );
 }
   }
+
+  //
+  // Check and perform SEV-ES initialization if required.
+  //
+  AmdSevEsInitialize ();
 }
-- 
2.28.0


View/Reply Online (#64204): https://edk2.groups.io/g/devel/message/64204



[edk2-devel] [PATCH v15 25/46] OvmfPkg/VmgExitLib: Add support for MWAIT/MWAITX NAE events

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

Under SEV-ES, a MWAIT/MWAITX intercept generates a #VC exception.
VMGEXIT must be used to allow the hypervisor to handle this intercept.

Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Acked-by: Laszlo Ersek 
Signed-off-by: Tom Lendacky 
---
 OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 36 
 1 file changed, 36 insertions(+)

diff --git a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c 
b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
index 1e8b8ce424c3..a741b080dd1a 100644
--- a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
+++ b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
@@ -858,6 +858,38 @@ MmioExit (
   return Status;
 }
 
+/**
+  Handle a MWAIT event.
+
+  Use the VMGEXIT instruction to handle a MWAIT event.
+
+  @param[in, out] Ghcb Pointer to the Guest-Hypervisor 
Communication
+   Block
+  @param[in, out] Regs x64 processor context
+  @param[in]  InstructionData  Instruction parsing context
+
+  @retval 0Event handled successfully
+  @return  New exception value to propagate
+
+**/
+STATIC
+UINT64
+MwaitExit (
+  IN OUT GHCB *Ghcb,
+  IN OUT EFI_SYSTEM_CONTEXT_X64   *Regs,
+  IN SEV_ES_INSTRUCTION_DATA  *InstructionData
+  )
+{
+  DecodeModRm (Regs, InstructionData);
+
+  Ghcb->SaveArea.Rax = Regs->Rax;
+  GhcbSetRegValid (Ghcb, GhcbRax);
+  Ghcb->SaveArea.Rcx = Regs->Rcx;
+  GhcbSetRegValid (Ghcb, GhcbRcx);
+
+  return VmgExit (Ghcb, SVM_EXIT_MWAIT, 0, 0);
+}
+
 /**
   Handle a MONITOR event.
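
Review bot: The function comment for MwaitExit() mentions only MWAIT, while the patch title covers MWAITX as well and only SVM_EXIT_MWAIT is routed to it in VmgExitHandleVc(); the comment should say whether MWAITX arrives under the same exit code. A short comment on why DecodeModRm () is called before RAX and RCX are copied into the GHCB would also help, since the function never uses a decoded operand.
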
 
@@ -1534,6 +1566,10 @@ VmgExitHandleVc (
 NaeExit = MonitorExit;
 break;
 
+  case SVM_EXIT_MWAIT:
+NaeExit = MwaitExit;
+break;
+
   case SVM_EXIT_NPF:
 NaeExit = MmioExit;
 break;
-- 
2.28.0


View/Reply Online (#64201): https://edk2.groups.io/g/devel/message/64201



[edk2-devel] [PATCH v15 26/46] OvmfPkg/VmgExitLib: Add support for DR7 Read/Write NAE events

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

Under SEV-ES, a DR7 read or write intercept generates a #VC exception.
The #VC handler must provide special support to the guest for this. On
a DR7 write, the #VC handler must cache the value and issue a VMGEXIT
to notify the hypervisor of the write. However, the #VC handler must
not actually set the value of the DR7 register. On a DR7 read, the #VC
handler must return the cached value of the DR7 register to the guest.
VMGEXIT is not invoked for a DR7 register read.

The caching of the DR7 values will make use of the per-CPU data pages
that are allocated along with the GHCB pages. The per-CPU page for a
vCPU is the page that immediately follows the vCPU's GHCB page. Since
each GHCB page is unique for a vCPU, the page that follows becomes
unique for that vCPU. The SEC phase will reserve an area of memory for
a single GHCB and per-CPU page for use by the BSP. After transitioning
to the PEI phase, new GHCB and per-CPU pages are allocated for the BSP
and all APs.

Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Acked-by: Laszlo Ersek 
Signed-off-by: Tom Lendacky 
---
 OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 114 
 1 file changed, 114 insertions(+)

diff --git a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c 
b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
index a741b080dd1a..8e42b305e83c 100644
--- a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
+++ b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
@@ -126,6 +126,14 @@ UINT64
   SEV_ES_INSTRUCTION_DATA  *InstructionData
   );
 
+//
+// Per-CPU data mapping structure
+//
+typedef struct {
+  BOOLEAN  Dr7Cached;
+  UINT64   Dr7;
+} SEV_ES_PER_CPU_DATA;
+
 
 /**
   Checks the GHCB to determine if the specified register has been marked valid.
@@ -1482,6 +1490,104 @@ RdtscExit (
   return 0;
 }
 
+/**
+  Handle a DR7 register write event.
+
+  Use the VMGEXIT instruction to handle a DR7 write event.
+
+  @param[in, out] Ghcb Pointer to the Guest-Hypervisor 
Communication
+   Block
+  @param[in, out] Regs x64 processor context
+  @param[in]  InstructionData  Instruction parsing context
+
+  @retval 0Event handled successfully
+  @return  New exception value to propagate
+
+**/
+STATIC
+UINT64
+Dr7WriteExit (
+  IN OUT GHCB *Ghcb,
+  IN OUT EFI_SYSTEM_CONTEXT_X64   *Regs,
+  IN SEV_ES_INSTRUCTION_DATA  *InstructionData
+  )
+{
+  SEV_ES_INSTRUCTION_OPCODE_EXT  *Ext;
+  SEV_ES_PER_CPU_DATA*SevEsData;
+  UINT64 *Register;
+  UINT64 Status;
+
+  Ext = >Ext;
+  SevEsData = (SEV_ES_PER_CPU_DATA *) (Ghcb + 1);
+
+  DecodeModRm (Regs, InstructionData);
+
+  //
+  // MOV DRn always treats MOD == 3 no matter how encoded
+  //
+  Register = GetRegisterPointer (Regs, Ext->ModRm.Rm);
+
+  //
+  // Using a value of 0 for ExitInfo1 means RAX holds the value
+  //
+  Ghcb->SaveArea.Rax = *Register;
+  GhcbSetRegValid (Ghcb, GhcbRax);
+
+  Status = VmgExit (Ghcb, SVM_EXIT_DR7_WRITE, 0, 0);
+  if (Status != 0) {
+return Status;
+  }
+
+  SevEsData->Dr7 = *Register;
+  SevEsData->Dr7Cached = TRUE;
+
+  return 0;
+}
+
+/**
+  Handle a DR7 register read event.
+
+  Use the VMGEXIT instruction to handle a DR7 read event.
+
+  @param[in, out] Ghcb Pointer to the Guest-Hypervisor 
Communication
+   Block
+  @param[in, out] Regs x64 processor context
+  @param[in]  InstructionData  Instruction parsing context
+
+  @retval 0Event handled successfully
+
+**/
+STATIC
+UINT64
+Dr7ReadExit (
+  IN OUT GHCB *Ghcb,
+  IN OUT EFI_SYSTEM_CONTEXT_X64   *Regs,
+  IN SEV_ES_INSTRUCTION_DATA  *InstructionData
+  )
+{
+  SEV_ES_INSTRUCTION_OPCODE_EXT  *Ext;
+  SEV_ES_PER_CPU_DATA*SevEsData;
+  UINT64 *Register;
+
+  Ext = >Ext;
+  SevEsData = (SEV_ES_PER_CPU_DATA *) (Ghcb + 1);
+
+  DecodeModRm (Regs, InstructionData);
+
+  //
+  // MOV DRn always treats MOD == 3 no matter how encoded
+  //
+  Register = GetRegisterPointer (Regs, Ext->ModRm.Rm);
+
+  //
+  // If there is a cached valued for DR7, return that. Otherwise return the
+  // DR7 standard reset value of 0x400 (no debug breakpoints set).
+  //
+  *Register = (SevEsData->Dr7Cached) ? SevEsData->Dr7 : 0x400;
+
+  return 0;
+}
+
 /**
   Handle a #VC exception.
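
Review bot: Dr7WriteExit() and Dr7ReadExit() both take `(SEV_ES_PER_CPU_DATA *) (Ghcb + 1)` on trust: nothing here checks that a per-CPU page follows this GHCB, and Dr7ReadExit() is only correct if that page was zeroed so that Dr7Cached starts out FALSE. A comment naming the code that allocates and clears the per-CPU page, or an explicit initialization, would make that dependency visible. The reset value 0x400 deserves a named constant, and "cached valued" in the Dr7ReadExit() comment should read "cached value".
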
 
@@ -1526,6 +1632,14 @@ VmgExitHandleVc (
 
   ExitCode = Regs->ExceptionData;
   switch (ExitCode) {
+  case SVM_EXIT_DR7_READ:
+NaeExit = Dr7ReadExit;
+break;
+
+  case SVM_EXIT_DR7_WRITE:
+NaeExit = Dr7WriteExit;
+break;
+
   case SVM_EXIT_RDTSC:
 NaeExit = RdtscExit;
 break;
-- 
2.28.0


View/Reply Online (#64202): 

[edk2-devel] [PATCH v15 29/46] OvmfPkg: Create a GHCB page for use during Sec phase

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

A GHCB page is needed during the Sec phase, so this new page must be
created. Since the #VC exception handler routines assume that a per-CPU
variable area is immediately after the GHCB, this per-CPU variable area
must also be created. Since the GHCB must be marked as an un-encrypted,
or shared, page, an additional pagetable page is required to break down
the 2MB region where the GHCB page lives into 4K pagetable entries.

Create a new entry in the OVMF memory layout for the new page table
page and for the SEC GHCB and per-CPU variable pages. After breaking down
the 2MB page, update the GHCB page table entry to remove the encryption
mask.

The GHCB page will be used by the SEC #VC exception handler. The #VC
exception handler will fill in the necessary fields of the GHCB and exit
to the hypervisor using the VMGEXIT instruction. The hypervisor then
accesses the GHCB in order to perform the requested function.

Four new fixed PCDs are needed to support the SEC GHCB page:
  - PcdOvmfSecGhcbBase  UINT32 value that is the base address of the
GHCB used during the SEC phase.
  - PcdOvmfSecGhcbSize  UINT32 value that is the size, in bytes, of the
GHCB area used during the SEC phase.

  - PcdOvmfSecGhcbPageTableBase  UINT32 value that is address of a page
table page used to break down the 2MB page into
512 4K pages.
  - PcdOvmfSecGhcbPageTableSize  UINT32 value that is the size, in bytes,
of the page table page.

Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Reviewed-by: Laszlo Ersek 
Signed-off-by: Tom Lendacky 
---
 OvmfPkg/OvmfPkg.dec   |  9 +++
 OvmfPkg/OvmfPkgX64.fdf|  6 ++
 OvmfPkg/ResetVector/ResetVector.inf   |  5 ++
 OvmfPkg/ResetVector/Ia32/PageTables64.asm | 76 
 OvmfPkg/ResetVector/ResetVector.nasmb | 17 +
 5 files changed, 113 insertions(+)

diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
index 55bb8ea91a00..6abde4fd9351 100644
--- a/OvmfPkg/OvmfPkg.dec
+++ b/OvmfPkg/OvmfPkg.dec
@@ -294,6 +294,15 @@ [PcdsFixedAtBuild]
   ## Number of page frames to use for storing grant table entries.
   gUefiOvmfPkgTokenSpaceGuid.PcdXenGrantFrames|4|UINT32|0x33
 
+  ## Specify the extra page table needed to mark the GHCB as unencrypted.
+  #  The value should be a multiple of 4KB for each.
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbPageTableBase|0x0|UINT32|0x3e
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbPageTableSize|0x0|UINT32|0x3f
+
+  ## The base address of the SEC GHCB page used by SEV-ES.
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase|0|UINT32|0x40
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbSize|0|UINT32|0x41
+
 [PcdsDynamic, PcdsDynamicEx]
   gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10
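
Review bot: The second comment block added to OvmfPkg.dec describes only "The base address of the SEC GHCB page" and leaves PcdOvmfSecGhcbSize undocumented, although OvmfPkgX64.fdf assigns the region 0x002000 bytes. State that the size covers the GHCB page plus the per-CPU variable page that follows it, since the #VC handler assumes that layout.
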
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index 83ff6aef2e8c..edb03b5464d4 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -76,6 +76,12 @@ [FD.MEMFD]
 0x007000|0x001000
 
gEfiMdePkgTokenSpaceGuid.PcdGuidedExtractHandlerTableAddress|gUefiOvmfPkgTokenSpaceGuid.PcdGuidedExtractHandlerTableSize
 
+0x008000|0x001000
+gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbPageTableBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbPageTableSize
+
+0x009000|0x002000
+gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbSize
+
 0x01|0x01
 
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
 
diff --git a/OvmfPkg/ResetVector/ResetVector.inf 
b/OvmfPkg/ResetVector/ResetVector.inf
index b0ddfa5832a2..483fd90fe785 100644
--- a/OvmfPkg/ResetVector/ResetVector.inf
+++ b/OvmfPkg/ResetVector/ResetVector.inf
@@ -26,6 +26,7 @@ [Sources]
 [Packages]
   OvmfPkg/OvmfPkg.dec
   MdePkg/MdePkg.dec
+  MdeModulePkg/MdeModulePkg.dec
   UefiCpuPkg/UefiCpuPkg.dec
 
 [BuildOptions]
@@ -33,5 +34,9 @@ [BuildOptions]
*_*_X64_NASMB_FLAGS = -I$(WORKSPACE)/UefiCpuPkg/ResetVector/Vtf0/
 
 [Pcd]
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbSize
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbPageTableBase
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbPageTableSize
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesBase
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesSize
diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm 
b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
index abad009f20f5..9f86ddf6f08f 100644
--- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm
+++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
@@ -21,6 +21,11 @@ BITS32
 %define PAGE_2M_MBO0x080
 %define PAGE_2M_PAT  0x01000
 
+%define PAGE_4K_PDE_ATTR (PAGE_ACCESSED + \
+  PAGE_DIRTY + \
+  

[edk2-devel] [PATCH v15 30/46] OvmfPkg/PlatformPei: Reserve GHCB-related areas if S3 is supported

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

Protect the memory used by an SEV-ES guest when S3 is supported. This
includes the page table used to break down the 2MB page that contains
the GHCB so that it can be marked un-encrypted, as well as the GHCB
area.

Regarding the lifecycle of the GHCB-related memory areas:
  PcdOvmfSecGhcbPageTableBase
  PcdOvmfSecGhcbBase

(a) when and how it is initialized after first boot of the VM

  If SEV-ES is enabled, the GHCB-related areas are initialized during
  the SEC phase [OvmfPkg/ResetVector/Ia32/PageTables64.asm].

(b) how it is protected from memory allocations during DXE

  If S3 and SEV-ES are enabled, then InitializeRamRegions()
  [OvmfPkg/PlatformPei/MemDetect.c] protects the ranges with an AcpiNVS
  memory allocation HOB, in PEI.

  If S3 is disabled, then these ranges are not protected. DXE's own page
  tables are first built while still in PEI (see HandOffToDxeCore()
  [MdeModulePkg/Core/DxeIplPeim/X64/DxeLoadFunc.c]). Those tables are
  located in permanent PEI memory. After CR3 is switched over to them
  (which occurs before jumping to the DXE core entry point), we don't have
  to preserve PcdOvmfSecGhcbPageTableBase. PEI switches to GHCB pages in
  permanent PEI memory and DXE will use these PEI GHCB pages, so we don't
  have to preserve PcdOvmfSecGhcbBase.

(c) how it is protected from the OS

  If S3 is enabled, then (b) reserves it from the OS too.

  If S3 is disabled, then the range needs no protection.

(d) how it is accessed on the S3 resume path

  It is rewritten the same as in (a), which is fine because (b) reserved it.

(e) how it is accessed on the warm reset path

  It is rewritten the same as in (a).

Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Cc: Anthony Perard 
Cc: Julien Grall 
Reviewed-by: Laszlo Ersek 
Signed-off-by: Tom Lendacky 
---
 OvmfPkg/PlatformPei/PlatformPei.inf |  4 
 OvmfPkg/PlatformPei/MemDetect.c | 23 
 2 files changed, 27 insertions(+)

diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf 
b/OvmfPkg/PlatformPei/PlatformPei.inf
index 00feb96c9308..a54d10ba90d5 100644
--- a/OvmfPkg/PlatformPei/PlatformPei.inf
+++ b/OvmfPkg/PlatformPei/PlatformPei.inf
@@ -75,6 +75,10 @@ [Pcd]
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesBase
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesSize
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbPageTableBase
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbPageTableSize
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbSize
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfLockBoxStorageBase
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfLockBoxStorageSize
   gUefiOvmfPkgTokenSpaceGuid.PcdGuidedExtractHandlerTableSize
diff --git a/OvmfPkg/PlatformPei/MemDetect.c b/OvmfPkg/PlatformPei/MemDetect.c
index 3b46ea431ade..6b5fee166b5d 100644
--- a/OvmfPkg/PlatformPei/MemDetect.c
+++ b/OvmfPkg/PlatformPei/MemDetect.c
@@ -27,6 +27,7 @@ Module Name:
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -866,6 +867,28 @@ InitializeRamRegions (
   (UINT64)(UINTN) PcdGet32 (PcdOvmfSecPageTablesSize),
   EfiACPIMemoryNVS
   );
+
+if (MemEncryptSevEsIsEnabled ()) {
+  //
+  // If SEV-ES is enabled, reserve the GHCB-related memory area. This
+  // includes the extra page table used to break down the 2MB page
+  // mapping into 4KB page entries where the GHCB resides and the
+  // GHCB area itself.
+  //
+  // Since this memory range will be used by the Reset Vector on S3
+  // resume, it must be reserved as ACPI NVS.
+  //
+  BuildMemoryAllocationHob (
+(EFI_PHYSICAL_ADDRESS)(UINTN) PcdGet32 (PcdOvmfSecGhcbPageTableBase),
+(UINT64)(UINTN) PcdGet32 (PcdOvmfSecGhcbPageTableSize),
+EfiACPIMemoryNVS
+);
+  BuildMemoryAllocationHob (
+(EFI_PHYSICAL_ADDRESS)(UINTN) PcdGet32 (PcdOvmfSecGhcbBase),
+(UINT64)(UINTN) PcdGet32 (PcdOvmfSecGhcbSize),
+EfiACPIMemoryNVS
+);
+}
 #endif
   }
 
-- 
2.28.0


View/Reply Online (#64206): https://edk2.groups.io/g/devel/message/64206



[edk2-devel] [PATCH v15 32/46] OvmfPkg/PlatformPei: Move early GDT into ram when SEV-ES is enabled

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

The SEV support will clear the C-bit from non-RAM areas.  The early GDT
lives in a non-RAM area, so when an exception occurs (like a #VC) the GDT
will be read as un-encrypted even though it is encrypted. This will result
in a failure to be able to handle the exception.

Move the GDT into RAM so it can be accessed without error when running as
an SEV-ES guest.

Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Reviewed-by: Laszlo Ersek 
Signed-off-by: Tom Lendacky 
---
 OvmfPkg/PlatformPei/AmdSev.c | 18 ++
 1 file changed, 18 insertions(+)

diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c
index 4fd4534cabea..a2b38c591236 100644
--- a/OvmfPkg/PlatformPei/AmdSev.c
+++ b/OvmfPkg/PlatformPei/AmdSev.c
@@ -39,6 +39,8 @@ AmdSevEsInitialize (
   PHYSICAL_ADDRESS  GhcbBasePa;
   UINTN GhcbPageCount, PageCount;
   RETURN_STATUS PcdStatus, DecryptStatus;
+  IA32_DESCRIPTOR   Gdtr;
+  VOID  *Gdt;
 
   if (!MemEncryptSevEsIsEnabled ()) {
 return;
@@ -83,6 +85,22 @@ AmdSevEsInitialize (
 (UINT64)GhcbPageCount, GhcbBase));
 
   AsmWriteMsr64 (MSR_SEV_ES_GHCB, GhcbBasePa);
+
+  //
+  // The SEV support will clear the C-bit from non-RAM areas.  The early GDT
+  // lives in a non-RAM area, so when an exception occurs (like a #VC) the GDT
+  // will be read as un-encrypted even though it was created before the C-bit
+  // was cleared (encrypted). This will result in a failure to be able to
+  // handle the exception.
+  //
+  AsmReadGdtr ();
+
+  Gdt = AllocatePages (EFI_SIZE_TO_PAGES ((UINTN) Gdtr.Limit + 1));
+  ASSERT (Gdt != NULL);
+
+  CopyMem (Gdt, (VOID *) Gdtr.Base, Gdtr.Limit + 1);
+  Gdtr.Base = (UINTN) Gdt;
+  AsmWriteGdtr ();
 }
 
 /**
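Review bot: the only guard on the new allocation is 'ASSERT (Gdt != NULL);', which disappears when asserts are compiled out, so a failed AllocatePages would let CopyMem write through NULL and then install that as the GDT base. Check the result explicitly and stop (for example with CpuDeadLoop ()) instead of continuing. The comment block above it also explains only the failure; add a sentence saying the GDT is copied into RAM and the GDTR reloaded.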
-- 
2.28.0


View/Reply Online (#64208): https://edk2.groups.io/g/devel/message/64208



[edk2-devel] [PATCH v15 31/46] OvmfPkg: Create GHCB pages for use during Pei and Dxe phase

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

Allocate memory for the GHCB pages and the per-CPU variable pages during
SEV initialization for use during Pei and Dxe phases. The GHCB page(s)
must be shared pages, so clear the encryption mask from the current page
table entries. Upon successful allocation, set the GHCB PCDs (PcdGhcbBase
and PcdGhcbSize).

The per-CPU variable page needs to be unique per AP. Using the page after
the GHCB ensures that it is unique per AP. Only the GHCB page is marked as
shared, keeping the per-CPU variable page encrypted. The same logic is
used in DXE using CreateIdentityMappingPageTables() before switching to
the DXE pagetables.

The GHCB pages (one per vCPU) will be used by the PEI and DXE #VC
exception handlers. The #VC exception handler will fill in the necessary
fields of the GHCB and exit to the hypervisor using the VMGEXIT
instruction. The hypervisor then accesses the GHCB associated with the
vCPU in order to perform the requested function.

Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Reviewed-by: Laszlo Ersek 
Signed-off-by: Tom Lendacky 
---
 OvmfPkg/OvmfPkgIa32.dsc |  2 +
 OvmfPkg/OvmfPkgIa32X64.dsc  |  2 +
 OvmfPkg/OvmfPkgX64.dsc  |  2 +
 OvmfPkg/PlatformPei/PlatformPei.inf |  2 +
 OvmfPkg/PlatformPei/AmdSev.c| 45 +++-
 5 files changed, 52 insertions(+), 1 deletion(-)

diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index f84f23f250ef..133a9a93c071 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -608,6 +608,8 @@ [PcdsDynamicDefault]
   gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask|0x0
 
   # Set SEV-ES defaults
+  gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase|0
+  gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbSize|0
   gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled|0
 
 !if $(SMM_REQUIRE) == TRUE
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index a66abccf8266..338c38db29b5 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -620,6 +620,8 @@ [PcdsDynamicDefault]
   gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask|0x0
 
   # Set SEV-ES defaults
+  gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase|0
+  gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbSize|0
   gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled|0
 
 !if $(SMM_REQUIRE) == TRUE
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 2a8975fd3d29..b80710fbdca4 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -618,6 +618,8 @@ [PcdsDynamicDefault]
   gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask|0x0
 
   # Set SEV-ES defaults
+  gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase|0
+  gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbSize|0
   gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled|0
 
 !if $(SMM_REQUIRE) == TRUE
diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf 
b/OvmfPkg/PlatformPei/PlatformPei.inf
index a54d10ba90d5..4742e1bdf42b 100644
--- a/OvmfPkg/PlatformPei/PlatformPei.inf
+++ b/OvmfPkg/PlatformPei/PlatformPei.inf
@@ -102,6 +102,8 @@ [Pcd]
   gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack
   gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable
   gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask
+  gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase
+  gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbSize
   gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy
   gUefiCpuPkgTokenSpaceGuid.PcdCpuLocalApicBaseAddress
   gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber
diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c
index 4dc5340caa7a..4fd4534cabea 100644
--- a/OvmfPkg/PlatformPei/AmdSev.c
+++ b/OvmfPkg/PlatformPei/AmdSev.c
@@ -10,12 +10,15 @@
 // The package level header files this module uses
 //
 #include 
+#include 
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 
@@ -32,7 +35,10 @@ AmdSevEsInitialize (
   VOID
   )
 {
-  RETURN_STATUS PcdStatus;
+  VOID  *GhcbBase;
+  PHYSICAL_ADDRESS  GhcbBasePa;
+  UINTN GhcbPageCount, PageCount;
+  RETURN_STATUS PcdStatus, DecryptStatus;
 
   if (!MemEncryptSevEsIsEnabled ()) {
 return;
@@ -40,6 +46,43 @@ AmdSevEsInitialize (
 
   PcdStatus = PcdSetBoolS (PcdSevEsIsEnabled, TRUE);
   ASSERT_RETURN_ERROR (PcdStatus);
+
+  //
+  // Allocate GHCB and per-CPU variable pages.
+  //
+  GhcbPageCount = mMaxCpuCount * 2;
+  GhcbBase = AllocatePages (GhcbPageCount);
+  ASSERT (GhcbBase != NULL);
+
+  GhcbBasePa = (PHYSICAL_ADDRESS)(UINTN) GhcbBase;
+
+  //
+  // Each vCPU gets two consecutive pages, the first is the GHCB and the
+  // second is the per-CPU variable page. Loop through the allocation and
+  // only clear the encryption mask for the GHCB pages.
+  //
+  for (PageCount = 0; PageCount < GhcbPageCount; PageCount += 2) {
+DecryptStatus = MemEncryptSevClearPageEncMask (
+  0,
+  GhcbBasePa + 

[edk2-devel] [PATCH v15 19/46] OvmfPkg/VmgExitLib: Add support for RDTSC NAE events

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

Under SEV-ES, a RDTSC intercept generates a #VC exception. VMGEXIT must be
used to allow the hypervisor to handle this intercept.

Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Acked-by: Laszlo Ersek 
Signed-off-by: Tom Lendacky 
---
 OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 43 
 1 file changed, 43 insertions(+)

diff --git a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c 
b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
index 2070c943de93..aa1e78f35735 100644
--- a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
+++ b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
@@ -1223,6 +1223,45 @@ CpuidExit (
   return 0;
 }
 
+/**
+  Handle a RDTSC event.
+
+  Use the VMGEXIT instruction to handle a RDTSC event.
+
+  @param[in, out] Ghcb Pointer to the Guest-Hypervisor 
Communication
+   Block
+  @param[in, out] Regs x64 processor context
+  @param[in]  InstructionData  Instruction parsing context
+
+  @retval 0Event handled successfully
+  @return  New exception value to propagate
+
+**/
+STATIC
+UINT64
+RdtscExit (
+  IN OUT GHCB *Ghcb,
+  IN OUT EFI_SYSTEM_CONTEXT_X64   *Regs,
+  IN SEV_ES_INSTRUCTION_DATA  *InstructionData
+  )
+{
+  UINT64  Status;
+
+  Status = VmgExit (Ghcb, SVM_EXIT_RDTSC, 0, 0);
+  if (Status != 0) {
+return Status;
+  }
+
+  if (!GhcbIsRegValid (Ghcb, GhcbRax) ||
+  !GhcbIsRegValid (Ghcb, GhcbRdx)) {
+return UnsupportedExit (Ghcb, Regs, InstructionData);
+  }
+  Regs->Rax = Ghcb->SaveArea.Rax;
+  Regs->Rdx = Ghcb->SaveArea.Rdx;
+
+  return 0;
+}
+
 /**
   Handle a #VC exception.
 
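Review bot: in RdtscExit, 'Regs->Rax = Ghcb->SaveArea.Rax;' and the Rdx line after it copy whatever 64-bit values the hypervisor left in the GHCB, while RDTSC itself returns EDX:EAX and zeroes the upper halves of RAX and RDX. GhcbIsRegValid confirms that the fields were written, not that they are in range, so mask both values to 32 bits (or treat set high bits as an unsupported exit) before storing them in Regs.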
@@ -1267,6 +1306,10 @@ VmgExitHandleVc (
 
   ExitCode = Regs->ExceptionData;
   switch (ExitCode) {
+  case SVM_EXIT_RDTSC:
+NaeExit = RdtscExit;
+break;
+
   case SVM_EXIT_CPUID:
 NaeExit = CpuidExit;
 break;
-- 
2.28.0


View/Reply Online (#64195): https://edk2.groups.io/g/devel/message/64195



[edk2-devel] [PATCH v15 20/46] OvmfPkg/VmgExitLib: Add support for RDPMC NAE events

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

Under SEV-ES, a RDPMC intercept generates a #VC exception. VMGEXIT must be
used to allow the hypervisor to handle this intercept.

Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Acked-by: Laszlo Ersek 
Signed-off-by: Tom Lendacky 
---
 OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 46 
 1 file changed, 46 insertions(+)

diff --git a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c 
b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
index aa1e78f35735..0dd119fdecb1 100644
--- a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
+++ b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
@@ -1223,6 +1223,48 @@ CpuidExit (
   return 0;
 }
 
+/**
+  Handle a RDPMC event.
+
+  Use the VMGEXIT instruction to handle a RDPMC event.
+
+  @param[in, out] Ghcb Pointer to the Guest-Hypervisor 
Communication
+   Block
+  @param[in, out] Regs x64 processor context
+  @param[in]  InstructionData  Instruction parsing context
+
+  @retval 0Event handled successfully
+  @return  New exception value to propagate
+
+**/
+STATIC
+UINT64
+RdpmcExit (
+  IN OUT GHCB *Ghcb,
+  IN OUT EFI_SYSTEM_CONTEXT_X64   *Regs,
+  IN SEV_ES_INSTRUCTION_DATA  *InstructionData
+  )
+{
+  UINT64  Status;
+
+  Ghcb->SaveArea.Rcx = Regs->Rcx;
+  GhcbSetRegValid (Ghcb, GhcbRcx);
+
+  Status = VmgExit (Ghcb, SVM_EXIT_RDPMC, 0, 0);
+  if (Status != 0) {
+return Status;
+  }
+
+  if (!GhcbIsRegValid (Ghcb, GhcbRax) ||
+  !GhcbIsRegValid (Ghcb, GhcbRdx)) {
+return UnsupportedExit (Ghcb, Regs, InstructionData);
+  }
+  Regs->Rax = Ghcb->SaveArea.Rax;
+  Regs->Rdx = Ghcb->SaveArea.Rdx;
+
+  return 0;
+}
+
 /**
   Handle a RDTSC event.
 
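Review bot: 'Ghcb->SaveArea.Rcx = Regs->Rcx;' in RdpmcExit puts all 64 bits of RCX into the shared GHCB, but RDPMC selects the counter from ECX only. Copy just the low 32 bits so that whatever the guest holds in the upper half is not handed to the hypervisor.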
@@ -1310,6 +1352,10 @@ VmgExitHandleVc (
 NaeExit = RdtscExit;
 break;
 
+  case SVM_EXIT_RDPMC:
+NaeExit = RdpmcExit;
+break;
+
   case SVM_EXIT_CPUID:
 NaeExit = CpuidExit;
 break;
-- 
2.28.0


View/Reply Online (#64196): https://edk2.groups.io/g/devel/message/64196



[edk2-devel] [PATCH v15 23/46] OvmfPkg/VmgExitLib: Add support for RDTSCP NAE events

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

Under SEV-ES, a RDTSCP intercept generates a #VC exception. VMGEXIT must be
used to allow the hypervisor to handle this intercept.

Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Acked-by: Laszlo Ersek 
Signed-off-by: Tom Lendacky 
---
 OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 47 
 1 file changed, 47 insertions(+)

diff --git a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c 
b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
index dbea9c1f6aff..9bb32f0c3c1e 100644
--- a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
+++ b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
@@ -883,6 +883,49 @@ WbinvdExit (
   return VmgExit (Ghcb, SVM_EXIT_WBINVD, 0, 0);
 }
 
+/**
+  Handle a RDTSCP event.
+
+  Use the VMGEXIT instruction to handle a RDTSCP event.
+
+  @param[in, out] Ghcb Pointer to the Guest-Hypervisor 
Communication
+   Block
+  @param[in, out] Regs x64 processor context
+  @param[in]  InstructionData  Instruction parsing context
+
+  @retval 0Event handled successfully
+  @return  New exception value to propagate
+
+**/
+STATIC
+UINT64
+RdtscpExit (
+  IN OUT GHCB *Ghcb,
+  IN OUT EFI_SYSTEM_CONTEXT_X64   *Regs,
+  IN SEV_ES_INSTRUCTION_DATA  *InstructionData
+  )
+{
+  UINT64  Status;
+
+  DecodeModRm (Regs, InstructionData);
+
+  Status = VmgExit (Ghcb, SVM_EXIT_RDTSCP, 0, 0);
+  if (Status != 0) {
+return Status;
+  }
+
+  if (!GhcbIsRegValid (Ghcb, GhcbRax) ||
+  !GhcbIsRegValid (Ghcb, GhcbRcx) ||
+  !GhcbIsRegValid (Ghcb, GhcbRdx)) {
+return UnsupportedExit (Ghcb, Regs, InstructionData);
+  }
+  Regs->Rax = Ghcb->SaveArea.Rax;
+  Regs->Rcx = Ghcb->SaveArea.Rcx;
+  Regs->Rdx = Ghcb->SaveArea.Rdx;
+
+  return 0;
+}
+
 /**
   Handle a VMMCALL event.
 
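Review bot: RdtscpExit opens with 'DecodeModRm (Regs, InstructionData);' and no comment, although RDTSCP takes no operands. If the call is there so that the instruction's last opcode byte is counted when the instruction length is worked out, say so in a comment; as written it looks like dead code that a later cleanup could remove.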
@@ -1445,6 +1488,10 @@ VmgExitHandleVc (
 NaeExit = VmmCallExit;
 break;
 
+  case SVM_EXIT_RDTSCP:
+NaeExit = RdtscpExit;
+break;
+
   case SVM_EXIT_WBINVD:
 NaeExit = WbinvdExit;
 break;
-- 
2.28.0


View/Reply Online (#64199): https://edk2.groups.io/g/devel/message/64199



[edk2-devel] [PATCH v15 24/46] OvmfPkg/VmgExitLib: Add support for MONITOR/MONITORX NAE events

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

Under SEV-ES, a MONITOR/MONITORX intercept generates a #VC exception.
VMGEXIT must be used to allow the hypervisor to handle this intercept.

Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Acked-by: Laszlo Ersek 
Signed-off-by: Tom Lendacky 
---
 OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 38 
 1 file changed, 38 insertions(+)

diff --git a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c 
b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
index 9bb32f0c3c1e..1e8b8ce424c3 100644
--- a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
+++ b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
@@ -858,6 +858,40 @@ MmioExit (
   return Status;
 }
 
+/**
+  Handle a MONITOR event.
+
+  Use the VMGEXIT instruction to handle a MONITOR event.
+
+  @param[in, out] Ghcb Pointer to the Guest-Hypervisor 
Communication
+   Block
+  @param[in, out] Regs x64 processor context
+  @param[in]  InstructionData  Instruction parsing context
+
+  @retval 0Event handled successfully
+  @return  New exception value to propagate
+
+**/
+STATIC
+UINT64
+MonitorExit (
+  IN OUT GHCB *Ghcb,
+  IN OUT EFI_SYSTEM_CONTEXT_X64   *Regs,
+  IN SEV_ES_INSTRUCTION_DATA  *InstructionData
+  )
+{
+  DecodeModRm (Regs, InstructionData);
+
+  Ghcb->SaveArea.Rax = Regs->Rax;  // Identity mapped, so VA = PA
+  GhcbSetRegValid (Ghcb, GhcbRax);
+  Ghcb->SaveArea.Rcx = Regs->Rcx;
+  GhcbSetRegValid (Ghcb, GhcbRcx);
+  Ghcb->SaveArea.Rdx = Regs->Rdx;
+  GhcbSetRegValid (Ghcb, GhcbRdx);
+
+  return VmgExit (Ghcb, SVM_EXIT_MONITOR, 0, 0);
+}
+
 /**
   Handle a WBINVD event.
 
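Review bot: MonitorExit passes 'Regs->Rax' into the GHCB unchanged and justifies it only with the trailing comment 'Identity mapped, so VA = PA'. Move that precondition into the function header so it is visible to anyone reusing the handler, and mention MONITORX there as well, since the subject covers MONITOR/MONITORX while the header comment and the case label name only MONITOR.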
@@ -1496,6 +1530,10 @@ VmgExitHandleVc (
 NaeExit = WbinvdExit;
 break;
 
+  case SVM_EXIT_MONITOR:
+NaeExit = MonitorExit;
+break;
+
   case SVM_EXIT_NPF:
 NaeExit = MmioExit;
 break;
-- 
2.28.0


View/Reply Online (#64200): https://edk2.groups.io/g/devel/message/64200



[edk2-devel] [PATCH v15 21/46] OvmfPkg/VmgExitLib: Add support for INVD NAE events

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

Under SEV-ES, an INVD intercept generates a #VC exception. VMGEXIT must be
used to allow the hypervisor to handle this intercept.

Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Acked-by: Laszlo Ersek 
Signed-off-by: Tom Lendacky 
---
 OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 29 
 1 file changed, 29 insertions(+)

diff --git a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c 
b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
index 0dd119fdecb1..ddaa19c7bcb4 100644
--- a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
+++ b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
@@ -1168,6 +1168,31 @@ IoioExit (
   return 0;
 }
 
+/**
+  Handle a INVD event.
+
+  Use the VMGEXIT instruction to handle a INVD event.
+
+  @param[in, out] Ghcb Pointer to the Guest-Hypervisor 
Communication
+   Block
+  @param[in, out] Regs x64 processor context
+  @param[in]  InstructionData  Instruction parsing context
+
+  @retval 0Event handled successfully
+  @return  New exception value to propagate
+
+**/
+STATIC
+UINT64
+InvdExit (
+  IN OUT GHCB *Ghcb,
+  IN OUT EFI_SYSTEM_CONTEXT_X64   *Regs,
+  IN SEV_ES_INSTRUCTION_DATA  *InstructionData
+  )
+{
+  return VmgExit (Ghcb, SVM_EXIT_INVD, 0, 0);
+}
+
 /**
   Handle a CPUID event.
 
@@ -1360,6 +1385,10 @@ VmgExitHandleVc (
 NaeExit = CpuidExit;
 break;
 
+  case SVM_EXIT_INVD:
+NaeExit = InvdExit;
+break;
+
   case SVM_EXIT_IOIO_PROT:
 NaeExit = IoioExit;
 break;
-- 
2.28.0


View/Reply Online (#64197): https://edk2.groups.io/g/devel/message/64197



[edk2-devel] [PATCH v15 18/46] OvmfPkg/VmgExitLib: Add support for WBINVD NAE events

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

Under SEV-ES, a WBINVD intercept generates a #VC exception. VMGEXIT must be
used to allow the hypervisor to handle this intercept.

Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Acked-by: Laszlo Ersek 
Signed-off-by: Tom Lendacky 
---
 OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 29 
 1 file changed, 29 insertions(+)

diff --git a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c 
b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
index 03fa9f6f7f46..2070c943de93 100644
--- a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
+++ b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
@@ -858,6 +858,31 @@ MmioExit (
   return Status;
 }
 
+/**
+  Handle a WBINVD event.
+
+  Use the VMGEXIT instruction to handle a WBINVD event.
+
+  @param[in, out] Ghcb Pointer to the Guest-Hypervisor 
Communication
+   Block
+  @param[in, out] Regs x64 processor context
+  @param[in]  InstructionData  Instruction parsing context
+
+  @retval 0Event handled successfully
+  @return  New exception value to propagate
+
+**/
+STATIC
+UINT64
+WbinvdExit (
+  IN OUT GHCB *Ghcb,
+  IN OUT EFI_SYSTEM_CONTEXT_X64   *Regs,
+  IN SEV_ES_INSTRUCTION_DATA  *InstructionData
+  )
+{
+  return VmgExit (Ghcb, SVM_EXIT_WBINVD, 0, 0);
+}
+
 /**
   Handle an MSR event.
 
@@ -1254,6 +1279,10 @@ VmgExitHandleVc (
 NaeExit = MsrExit;
 break;
 
+  case SVM_EXIT_WBINVD:
+NaeExit = WbinvdExit;
+break;
+
   case SVM_EXIT_NPF:
 NaeExit = MmioExit;
 break;
-- 
2.28.0


View/Reply Online (#64194): https://edk2.groups.io/g/devel/message/64194



[edk2-devel] [PATCH v15 22/46] OvmfPkg/VmgExitLib: Add support for VMMCALL NAE events

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

Under SEV-ES, a VMMCALL intercept generates a #VC exception. VMGEXIT must
be used to allow the hypervisor to handle this intercept.

Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Acked-by: Laszlo Ersek 
Signed-off-by: Tom Lendacky 
---
 OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 48 
 1 file changed, 48 insertions(+)

diff --git a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c 
b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
index ddaa19c7bcb4..dbea9c1f6aff 100644
--- a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
+++ b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
@@ -883,6 +883,50 @@ WbinvdExit (
   return VmgExit (Ghcb, SVM_EXIT_WBINVD, 0, 0);
 }
 
+/**
+  Handle a VMMCALL event.
+
+  Use the VMGEXIT instruction to handle a VMMCALL event.
+
+  @param[in, out] Ghcb Pointer to the Guest-Hypervisor 
Communication
+   Block
+  @param[in, out] Regs x64 processor context
+  @param[in]  InstructionData  Instruction parsing context
+
+  @retval 0Event handled successfully
+  @return  New exception value to propagate
+
+**/
+STATIC
+UINT64
+VmmCallExit (
+  IN OUT GHCB *Ghcb,
+  IN OUT EFI_SYSTEM_CONTEXT_X64   *Regs,
+  IN SEV_ES_INSTRUCTION_DATA  *InstructionData
+  )
+{
+  UINT64  Status;
+
+  DecodeModRm (Regs, InstructionData);
+
+  Ghcb->SaveArea.Rax = Regs->Rax;
+  GhcbSetRegValid (Ghcb, GhcbRax);
+  Ghcb->SaveArea.Cpl = (UINT8) (Regs->Cs & 0x3);
+  GhcbSetRegValid (Ghcb, GhcbCpl);
+
+  Status = VmgExit (Ghcb, SVM_EXIT_VMMCALL, 0, 0);
+  if (Status != 0) {
+return Status;
+  }
+
+  if (!GhcbIsRegValid (Ghcb, GhcbRax)) {
+return UnsupportedExit (Ghcb, Regs, InstructionData);
+  }
+  Regs->Rax = Ghcb->SaveArea.Rax;
+
+  return 0;
+}
+
 /**
   Handle an MSR event.
 
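Review bot: VmmCallExit shares only RAX and CPL through the GHCB and copies back only RAX, so a hypercall that takes arguments or returns values in any other register gets no data across. State in the function header that this is the supported register set. The bare 0x3 in '(Regs->Cs & 0x3)' would also read better as a named mask for the privilege-level bits of CS.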
@@ -1397,6 +1441,10 @@ VmgExitHandleVc (
 NaeExit = MsrExit;
 break;
 
+  case SVM_EXIT_VMMCALL:
+NaeExit = VmmCallExit;
+break;
+
   case SVM_EXIT_WBINVD:
 NaeExit = WbinvdExit;
 break;
-- 
2.28.0


View/Reply Online (#64198): https://edk2.groups.io/g/devel/message/64198



[edk2-devel] [PATCH v15 13/46] OvmfPkg/VmgExitLib: Add support for IOIO_PROT NAE events

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

Under SEV-ES, an IOIO_PROT intercept generates a #VC exception. VMGEXIT
must be used to allow the hypervisor to handle this intercept.

Add support to construct the required GHCB values to support an IOIO_PROT
NAE event.  Parse the instruction that generated the #VC exception,
setting the required register values in the GHCB and creating the proper
SW_EXITINFO1 value in the GHCB.

Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Acked-by: Laszlo Ersek 
Signed-off-by: Tom Lendacky 
---
 OvmfPkg/Include/IndustryStandard/InstructionParsing.h |  83 +++
 OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 560 
+++-
 2 files changed, 629 insertions(+), 14 deletions(-)

diff --git a/OvmfPkg/Include/IndustryStandard/InstructionParsing.h 
b/OvmfPkg/Include/IndustryStandard/InstructionParsing.h
new file mode 100644
index ..149ff328e06c
--- /dev/null
+++ b/OvmfPkg/Include/IndustryStandard/InstructionParsing.h
@@ -0,0 +1,83 @@
+/** @file
+  Instruction parsing support definitions.
+
+  Copyright (C) 2020, Advanced Micro Devices, Inc. All rights reserved.
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef __INSTRUCTION_PARSING_H__
+#define __INSTRUCTION_PARSING_H__
+
+#include 
+#include 
+
+//
+// Instruction REX prefix definition
+//
+typedef union {
+  struct {
+UINT8  BitB:1;
+UINT8  BitX:1;
+UINT8  BitR:1;
+UINT8  BitW:1;
+UINT8  Rex:4;
+  } Bits;
+
+  UINT8  Uint8;
+} INSTRUCTION_REX_PREFIX;
+
+//
+// Instruction ModRM definition
+//
+typedef union {
+  struct {
+UINT8  Rm:3;
+UINT8  Reg:3;
+UINT8  Mod:2;
+  } Bits;
+
+  UINT8  Uint8;
+} INSTRUCTION_MODRM;
+
+//
+// Instruction SIB definition
+//
+typedef union {
+  struct {
+UINT8  Base:3;
+UINT8  Index:3;
+UINT8  Scale:2;
+  } Bits;
+
+  UINT8  Uint8;
+} INSTRUCTION_SIB;
+
+//
+// Legacy Instruction Prefixes
+//
+#define OVERRIDE_SEGMENT_CS  0x2E
+#define OVERRIDE_SEGMENT_DS  0x3E
+#define OVERRIDE_SEGMENT_ES  0x26
+#define OVERRIDE_SEGMENT_SS  0x36
+#define OVERRIDE_SEGMENT_FS  0x64
+#define OVERRIDE_SEGMENT_GS  0x65
+#define OVERRIDE_OPERAND_SIZE0x66
+#define OVERRIDE_ADDRESS_SIZE0x67
+#define LOCK_PREFIX  0xF0
+#define REPNZ_PREFIX 0xF2
+#define REPZ_PREFIX  0xF3
+
+//
+// REX Prefixes
+//
+#define REX_PREFIX_START 0x40
+#define REX_PREFIX_STOP  0x4F
+#define REX_64BIT_OPERAND_SIZE_MASK  0x08
+
+//
+// Two-byte Opcode Flag
+//
+#define TWO_BYTE_OPCODE_ESCAPE   0x0F
+
+#endif
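Review bot: INSTRUCTION_REX_PREFIX, INSTRUCTION_MODRM and INSTRUCTION_SIB decode an instruction byte by overlaying it with UINT8 bit-fields, which is only correct if the compiler allocates bit-fields starting at the least significant bit. Add a comment above the unions stating that assumption, or extract the fields from Uint8 with shifts and masks.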
diff --git a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c 
b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
index b6a955ed8088..04e8b8aebf7d 100644
--- a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
+++ b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
@@ -11,6 +11,529 @@
 #include 
 #include 
 #include 
+#include 
+
+//
+// Instruction execution mode definition
+//
+typedef enum {
+  LongMode64Bit= 0,
+  LongModeCompat32Bit,
+  LongModeCompat16Bit,
+} SEV_ES_INSTRUCTION_MODE;
+
+//
+// Instruction size definition (for operand and address)
+//
+typedef enum {
+  Size8Bits= 0,
+  Size16Bits,
+  Size32Bits,
+  Size64Bits,
+} SEV_ES_INSTRUCTION_SIZE;
+
+//
+// Intruction segment definition
+//
+typedef enum {
+  SegmentEs= 0,
+  SegmentCs,
+  SegmentSs,
+  SegmentDs,
+  SegmentFs,
+  SegmentGs,
+} SEV_ES_INSTRUCTION_SEGMENT;
+
+//
+// Instruction rep function definition
+//
+typedef enum {
+  RepNone  = 0,
+  RepZ,
+  RepNZ,
+} SEV_ES_INSTRUCTION_REP;
+
+typedef struct {
+  UINT8  Rm;
+  UINT8  Reg;
+  UINT8  Mod;
+} SEV_ES_INSTRUCTION_MODRM_EXT;
+
+typedef struct {
+  UINT8  Base;
+  UINT8  Index;
+  UINT8  Scale;
+} SEV_ES_INSTRUCTION_SIB_EXT;
+
+//
+// Instruction opcode definition
+//
+typedef struct {
+  SEV_ES_INSTRUCTION_MODRM_EXT  ModRm;
+
+  SEV_ES_INSTRUCTION_SIB_EXTSib;
+
+  UINTN RegData;
+  UINTN RmData;
+} SEV_ES_INSTRUCTION_OPCODE_EXT;
+
+//
+// Instruction parsing context definition
+//
+typedef struct {
+  GHCB   *Ghcb;
+
+  SEV_ES_INSTRUCTION_MODEMode;
+  SEV_ES_INSTRUCTION_SIZEDataSize;
+  SEV_ES_INSTRUCTION_SIZEAddrSize;
+  BOOLEANSegmentSpecified;
+  SEV_ES_INSTRUCTION_SEGMENT Segment;
+  SEV_ES_INSTRUCTION_REP RepMode;
+
+  UINT8  *Begin;
+  UINT8  *End;
+
+  UINT8  *Prefixes;
+  UINT8  *OpCodes;
+  UINT8  *Displacement;
+  UINT8  *Immediate;
+
+  INSTRUCTION_REX_PREFIX RexPrefix;
+
+  BOOLEANModRmPresent;
+  INSTRUCTION_MODRM  ModRm;
+
+  BOOLEANSibPresent;
+  
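Review bot: typo in the comment above SEV_ES_INSTRUCTION_SEGMENT: 'Intruction segment definition' should read 'Instruction segment definition'.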

[edk2-devel] [PATCH v15 17/46] OvmfPkg/VmgExitLib: Add support for NPF NAE events (MMIO)

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

Under SEV-ES, an NPF intercept for an NPT entry with a reserved bit set
generates a #VC exception. This condition is assumed to be an MMIO access.
VMGEXIT must be used to allow the hypervisor to handle this intercept.

Add support to construct the required GHCB values to support an NPF NAE
event for MMIO.  Parse the instruction that generated the #VC exception,
setting the required register values in the GHCB and creating the proper
SW_EXITINFO1, SW_EXITINFO2 and SW_SCRATCH values in the GHCB.

Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Acked-by: Laszlo Ersek 
Signed-off-by: Tom Lendacky 
---
 OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 488 
 1 file changed, 488 insertions(+)

diff --git a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c 
b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
index f6cfd7fa2993..03fa9f6f7f46 100644
--- a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
+++ b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
@@ -183,6 +183,281 @@ GhcbSetRegValid (
   Ghcb->SaveArea.ValidBitmap[RegIndex] |= (1 << RegBit);
 }
 
+/**
+  Return a pointer to the contents of the specified register.
+
+  Based upon the input register, return a pointer to the registers contents
+  in the x86 processor context.
+
+  @param[in] Regs  x64 processor context
+  @param[in] Register  Register to obtain pointer for
+
+  @return  Pointer to the contents of the requested register
+
+**/
+STATIC
+UINT64 *
+GetRegisterPointer (
+  IN EFI_SYSTEM_CONTEXT_X64   *Regs,
+  IN UINT8Register
+  )
+{
+  UINT64 *Reg;
+
+  switch (Register) {
+  case 0:
+Reg = >Rax;
+break;
+  case 1:
+Reg = >Rcx;
+break;
+  case 2:
+Reg = >Rdx;
+break;
+  case 3:
+Reg = >Rbx;
+break;
+  case 4:
+Reg = >Rsp;
+break;
+  case 5:
+Reg = >Rbp;
+break;
+  case 6:
+Reg = >Rsi;
+break;
+  case 7:
+Reg = >Rdi;
+break;
+  case 8:
+Reg = >R8;
+break;
+  case 9:
+Reg = >R9;
+break;
+  case 10:
+Reg = >R10;
+break;
+  case 11:
+Reg = >R11;
+break;
+  case 12:
+Reg = >R12;
+break;
+  case 13:
+Reg = >R13;
+break;
+  case 14:
+Reg = >R14;
+break;
+  case 15:
+Reg = >R15;
+break;
+  default:
+Reg = NULL;
+  }
+  ASSERT (Reg != NULL);
+
+  return Reg;
+}
+
+/**
+  Update the instruction parsing context for displacement bytes.
+
+  @param[in, out] InstructionData  Instruction parsing context
+  @param[in]  Size The instruction displacement size
+
+**/
+STATIC
+VOID
+UpdateForDisplacement (
+  IN OUT SEV_ES_INSTRUCTION_DATA  *InstructionData,
+  IN UINTNSize
+  )
+{
+  InstructionData->DisplacementSize = Size;
+  InstructionData->Immediate += Size;
+  InstructionData->End += Size;
+}
+
+/**
+  Determine if an instruction address if RIP relative.
+
+  Examine the instruction parsing context to determine if the address offset
+  is relative to the instruction pointer.
+
+  @param[in] InstructionData  Instruction parsing context
+
+  @retval TRUEInstruction addressing is RIP relative
+  @retval FALSE   Instruction addressing is not RIP relative
+
+**/
+STATIC
+BOOLEAN
+IsRipRelative (
+  IN SEV_ES_INSTRUCTION_DATA  *InstructionData
+  )
+{
+  SEV_ES_INSTRUCTION_OPCODE_EXT  *Ext;
+
+  Ext = >Ext;
+
+  return ((InstructionData->Mode == LongMode64Bit) &&
+  (Ext->ModRm.Mod == 0) &&
+  (Ext->ModRm.Rm == 5)  &&
+  (InstructionData->SibPresent == FALSE));
+}
+
+/**
+  Return the effective address of a memory operand.
+
+  Examine the instruction parsing context to obtain the effective memory
+  address of a memory operand.
+
+  @param[in] Regs x64 processor context
+  @param[in] InstructionData  Instruction parsing context
+
+  @return The memory operand effective address
+
+**/
+STATIC
+UINT64
+GetEffectiveMemoryAddress (
+  IN EFI_SYSTEM_CONTEXT_X64   *Regs,
+  IN SEV_ES_INSTRUCTION_DATA  *InstructionData
+  )
+{
+  SEV_ES_INSTRUCTION_OPCODE_EXT  *Ext;
+  UINT64 EffectiveAddress;
+
+  Ext = >Ext;
+  EffectiveAddress = 0;
+
+  if (IsRipRelative (InstructionData)) {
+//
+// RIP-relative displacement is a 32-bit signed value
+//
+INT32 RipRelative;
+
+RipRelative = *(INT32 *) InstructionData->Displacement;
+
+UpdateForDisplacement (InstructionData, 4);
+
+//
+// Negative displacement is handled by standard UINT64 wrap-around.
+//
+return Regs->Rip + (UINT64) RipRelative;
+  }
+
+  switch (Ext->ModRm.Mod) {
+  case 1:
+UpdateForDisplacement (InstructionData, 1);
+EffectiveAddress += (UINT64) (*(INT8 *) (InstructionData->Displacement));
+break;
+  case 2:
+switch (InstructionData->AddrSize) {
+case Size16Bits:
+  UpdateForDisplacement (InstructionData, 2);
+  EffectiveAddress += (UINT64) 
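Review bot: GetRegisterPointer() returns NULL from its default case and relies on ASSERT (Reg != NULL) to catch it, so in a build where ASSERT is compiled out a register index above 15 hands the caller a NULL pointer to dereference. Either make the failure explicit (an error the caller can turn into an exception) or document that Register is always masked to 0..15 before the call. Separately, the RIP-relative path in GetEffectiveMemoryAddress() returns Regs->Rip + (UINT64) RipRelative; x86-64 defines a RIP-relative displacement as relative to the address of the next instruction, so please confirm what Regs->Rip holds at this point and whether the instruction length has to be added.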

[edk2-devel] [PATCH v15 12/46] OvmfPkg/VmgExitLib: Implement library support for VmgExitLib in OVMF

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

The base VmgExitLib library provides a default limited interface. As it
does not provide full support, create an OVMF version of this library to
begin the process of providing full support of SEV-ES within OVMF.

SEV-ES support is only provided for X64 builds, so only OvmfPkgX64.dsc is
updated to make use of the OvmfPkg version of the library.

Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Acked-by: Laszlo Ersek 
Signed-off-by: Tom Lendacky 
---
 OvmfPkg/OvmfPkgX64.dsc|   2 +-
 OvmfPkg/Library/VmgExitLib/VmgExitLib.inf |  36 +
 OvmfPkg/Library/VmgExitLib/VmgExitLib.c   | 159 
 OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c |  81 ++
 4 files changed, 277 insertions(+), 1 deletion(-)

diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 27f5225fc281..60be5eae3d2b 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -233,7 +233,7 @@ [LibraryClasses]
 
 [LibraryClasses.common]
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
-  VmgExitLib|UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.inf
+  VmgExitLib|OvmfPkg/Library/VmgExitLib/VmgExitLib.inf
 
 [LibraryClasses.common.SEC]
   TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf
diff --git a/OvmfPkg/Library/VmgExitLib/VmgExitLib.inf 
b/OvmfPkg/Library/VmgExitLib/VmgExitLib.inf
new file mode 100644
index ..d003ac63173e
--- /dev/null
+++ b/OvmfPkg/Library/VmgExitLib/VmgExitLib.inf
@@ -0,0 +1,36 @@
+## @file
+#  VMGEXIT Support Library.
+#
+#  Copyright (C) 2020, Advanced Micro Devices, Inc. All rights reserved.
+#  SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+  INF_VERSION= 0x00010005
+  BASE_NAME  = VmgExitLib
+  FILE_GUID  = 0e923c25-13cd-430b-8714-ffe85652a97b
+  MODULE_TYPE= BASE
+  VERSION_STRING = 1.0
+  LIBRARY_CLASS  = VmgExitLib
+
+#
+# The following information is for reference only and not required by the 
build tools.
+#
+#  VALID_ARCHITECTURES   = X64
+#
+
+[Sources.common]
+  VmgExitLib.c
+  VmgExitVcHandler.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  OvmfPkg/OvmfPkg.dec
+  UefiCpuPkg/UefiCpuPkg.dec
+
+[LibraryClasses]
+  BaseLib
+  BaseMemoryLib
+  DebugLib
+
diff --git a/OvmfPkg/Library/VmgExitLib/VmgExitLib.c 
b/OvmfPkg/Library/VmgExitLib/VmgExitLib.c
new file mode 100644
index ..53040cc6f649
--- /dev/null
+++ b/OvmfPkg/Library/VmgExitLib/VmgExitLib.c
@@ -0,0 +1,159 @@
+/** @file
+  VMGEXIT Support Library.
+
+  Copyright (C) 2020, Advanced Micro Devices, Inc. All rights reserved.
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include 
+#include 
+#include 
+#include 
+#include 
+
+/**
+  Check for VMGEXIT error
+
+  Check if the hypervisor has returned an error after completion of the VMGEXIT
+  by examining the SwExitInfo1 field of the GHCB.
+
+  @param[in]  Ghcb   A pointer to the GHCB
+
+  @retval  0 VMGEXIT succeeded.
+  @returnException number to be propagated, VMGEXIT processing
+ did not succeed.
+
+**/
+STATIC
+UINT64
+VmgExitErrorCheck (
+  IN GHCB*Ghcb
+  )
+{
+  GHCB_EVENT_INJECTION  Event;
+  GHCB_EXIT_INFOExitInfo;
+  UINT64Status;
+
+  ExitInfo.Uint64 = Ghcb->SaveArea.SwExitInfo1;
+  ASSERT ((ExitInfo.Elements.Lower32Bits == 0) ||
+  (ExitInfo.Elements.Lower32Bits == 1));
+
+  Status = 0;
+  if (ExitInfo.Elements.Lower32Bits == 0) {
+return Status;
+  }
+
+  if (ExitInfo.Elements.Lower32Bits == 1) {
+ASSERT (Ghcb->SaveArea.SwExitInfo2 != 0);
+
+//
+// Check that the return event is valid
+//
+Event.Uint64 = Ghcb->SaveArea.SwExitInfo2;
+if (Event.Elements.Valid &&
+Event.Elements.Type == GHCB_EVENT_INJECTION_TYPE_EXCEPTION) {
+  switch (Event.Elements.Vector) {
+  case GP_EXCEPTION:
+  case UD_EXCEPTION:
+//
+// Use returned event as return code
+//
+Status = Event.Uint64;
+  }
+}
+  }
+
+  if (Status == 0) {
+GHCB_EVENT_INJECTION  GpEvent;
+
+GpEvent.Uint64 = 0;
+GpEvent.Elements.Vector = GP_EXCEPTION;
+GpEvent.Elements.Type   = GHCB_EVENT_INJECTION_TYPE_EXCEPTION;
+GpEvent.Elements.Valid  = 1;
+
+Status = GpEvent.Uint64;
+  }
+
+  return Status;
+}
+
+/**
+  Perform VMGEXIT.
+
+  Sets the necessary fields of the GHCB, invokes the VMGEXIT instruction and
+  then handles the return actions.
+
+  @param[in, out]  Ghcb   A pointer to the GHCB
+  @param[in]   ExitCode   VMGEXIT code to be assigned to the SwExitCode
+  field of the GHCB.
+  @param[in]   ExitInfo1  VMGEXIT information to be assigned to the
+  SwExitInfo1 field of the GHCB.
+  @param[in]   ExitInfo2  VMGEXIT information to be assigned to the
+ 
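Review bot: In VmgExitErrorCheck(), both ASSERTs test values the hypervisor writes into the GHCB (the lower 32 bits of SwExitInfo1 being 0 or 1, and SwExitInfo2 != 0). Under SEV-ES the hypervisor is outside the guest's trust boundary, and the code after the ASSERTs already maps every other case to a #GP event, so the ASSERTs only change behaviour in debug builds, where an unexpected value stops the guest. Consider replacing them with a DEBUG message and letting the #GP fallback run. The switch on Event.Elements.Vector also has no break after Status = Event.Uint64 and no default case; adding both would make the "anything else becomes #GP" path explicit.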

[edk2-devel] [PATCH v15 15/46] OvmfPkg/VmgExitLib: Add support for CPUID NAE events

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

Under SEV-ES, a CPUID intercept generates a #VC exception. VMGEXIT must be
used to allow the hypervisor to handle this intercept.

Add support to construct the required GHCB values to support a CPUID NAE
event. Additionally, CPUID 0x_000d (CPUID_EXTENDED_STATE) requires
XCR0 to be supplied in the GHCB, so add support to issue the XGETBV
instruction.

Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Acked-by: Laszlo Ersek 
Signed-off-by: Tom Lendacky 
---
 OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 60 
 1 file changed, 60 insertions(+)

diff --git a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c 
b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
index bc2e270a7ce8..476e94ce5fb7 100644
--- a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
+++ b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
@@ -11,6 +11,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 
 //
@@ -597,6 +598,61 @@ IoioExit (
   return 0;
 }
 
+/**
+  Handle a CPUID event.
+
+  Use the VMGEXIT instruction to handle a CPUID event.
+
+  @param[in, out] Ghcb Pointer to the Guest-Hypervisor 
Communication
+   Block
+  @param[in, out] Regs x64 processor context
+  @param[in]  InstructionData  Instruction parsing context
+
+  @retval 0Event handled successfully
+  @return  New exception value to propagate
+
+**/
+STATIC
+UINT64
+CpuidExit (
+  IN OUT GHCB *Ghcb,
+  IN OUT EFI_SYSTEM_CONTEXT_X64   *Regs,
+  IN SEV_ES_INSTRUCTION_DATA  *InstructionData
+  )
+{
+  UINT64  Status;
+
+  Ghcb->SaveArea.Rax = Regs->Rax;
+  GhcbSetRegValid (Ghcb, GhcbRax);
+  Ghcb->SaveArea.Rcx = Regs->Rcx;
+  GhcbSetRegValid (Ghcb, GhcbRcx);
+  if (Regs->Rax == CPUID_EXTENDED_STATE) {
+IA32_CR4  Cr4;
+
+Cr4.UintN = AsmReadCr4 ();
+Ghcb->SaveArea.XCr0 = (Cr4.Bits.OSXSAVE == 1) ? AsmXGetBv (0) : 1;
+GhcbSetRegValid (Ghcb, GhcbXCr0);
+  }
+
+  Status = VmgExit (Ghcb, SVM_EXIT_CPUID, 0, 0);
+  if (Status != 0) {
+return Status;
+  }
+
+  if (!GhcbIsRegValid (Ghcb, GhcbRax) ||
+  !GhcbIsRegValid (Ghcb, GhcbRbx) ||
+  !GhcbIsRegValid (Ghcb, GhcbRcx) ||
+  !GhcbIsRegValid (Ghcb, GhcbRdx)) {
+return UnsupportedExit (Ghcb, Regs, InstructionData);
+  }
+  Regs->Rax = Ghcb->SaveArea.Rax;
+  Regs->Rbx = Ghcb->SaveArea.Rbx;
+  Regs->Rcx = Ghcb->SaveArea.Rcx;
+  Regs->Rdx = Ghcb->SaveArea.Rdx;
+
+  return 0;
+}
+
 /**
   Handle a #VC exception.
 
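Review bot: CpuidExit() compares the full 64-bit register in if (Regs->Rax == CPUID_EXTENDED_STATE), but CPUID takes its leaf from EAX only, so a caller with the CPUID_EXTENDED_STATE leaf in EAX and non-zero upper bits in RAX would skip the XCR0 setup. Comparing (UINT32) Regs->Rax would match the instruction. On the return path, the four Regs->Rxx = Ghcb->SaveArea.Rxx assignments copy 64-bit values supplied by the hypervisor, whereas CPUID writes 32-bit results and clears the upper halves; truncating to 32 bits here keeps hypervisor-controlled upper bits out of the guest registers.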
@@ -641,6 +697,10 @@ VmgExitHandleVc (
 
   ExitCode = Regs->ExceptionData;
   switch (ExitCode) {
+  case SVM_EXIT_CPUID:
+NaeExit = CpuidExit;
+break;
+
   case SVM_EXIT_IOIO_PROT:
 NaeExit = IoioExit;
 break;
-- 
2.28.0


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#64191): https://edk2.groups.io/g/devel/message/64191
Mute This Topic: https://groups.io/mt/76166968/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[edk2-devel] [PATCH v15 16/46] OvmfPkg/VmgExitLib: Add support for MSR_PROT NAE events

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

Under SEV-ES, a MSR_PROT intercept generates a #VC exception. VMGEXIT must
be used to allow the hypervisor to handle this intercept.

Add support to construct the required GHCB values to support an MSR_PROT
NAE event. Parse the instruction that generated the #VC exception to
determine whether it is RDMSR or WRMSR, setting the required register
values in the GHCB and creating the proper SW_EXIT_INFO1 value in
the GHCB.

Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Acked-by: Laszlo Ersek 
Signed-off-by: Tom Lendacky 
---
 OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 65 
 1 file changed, 65 insertions(+)

diff --git a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c 
b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
index 476e94ce5fb7..f6cfd7fa2993 100644
--- a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
+++ b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
@@ -374,6 +374,67 @@ UnsupportedExit (
   return Status;
 }
 
+/**
+  Handle an MSR event.
+
+  Use the VMGEXIT instruction to handle either a RDMSR or WRMSR event.
+
+  @param[in, out] Ghcb Pointer to the Guest-Hypervisor 
Communication
+   Block
+  @param[in, out] Regs x64 processor context
+  @param[in]  InstructionData  Instruction parsing context
+
+  @retval 0Event handled successfully
+  @return  New exception value to propagate
+
+**/
+STATIC
+UINT64
+MsrExit (
+  IN OUT GHCB *Ghcb,
+  IN OUT EFI_SYSTEM_CONTEXT_X64   *Regs,
+  IN SEV_ES_INSTRUCTION_DATA  *InstructionData
+  )
+{
+  UINT64  ExitInfo1, Status;
+
+  ExitInfo1 = 0;
+
+  switch (*(InstructionData->OpCodes + 1)) {
+  case 0x30: // WRMSR
+ExitInfo1 = 1;
+Ghcb->SaveArea.Rax = Regs->Rax;
+GhcbSetRegValid (Ghcb, GhcbRax);
+Ghcb->SaveArea.Rdx = Regs->Rdx;
+GhcbSetRegValid (Ghcb, GhcbRdx);
+//
+// fall through
+//
+  case 0x32: // RDMSR
+Ghcb->SaveArea.Rcx = Regs->Rcx;
+GhcbSetRegValid (Ghcb, GhcbRcx);
+break;
+  default:
+return UnsupportedExit (Ghcb, Regs, InstructionData);
+  }
+
+  Status = VmgExit (Ghcb, SVM_EXIT_MSR, ExitInfo1, 0);
+  if (Status != 0) {
+return Status;
+  }
+
+  if (ExitInfo1 == 0) {
+if (!GhcbIsRegValid (Ghcb, GhcbRax) ||
+!GhcbIsRegValid (Ghcb, GhcbRdx)) {
+  return UnsupportedExit (Ghcb, Regs, InstructionData);
+}
+Regs->Rax = Ghcb->SaveArea.Rax;
+Regs->Rdx = Ghcb->SaveArea.Rdx;
+  }
+
+  return 0;
+}
+
 /**
   Build the IOIO event information.
 
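Review bot: MsrExit() switches on *(InstructionData->OpCodes + 1) without checking that the first opcode byte is 0x0F, so any two-byte sequence whose second byte is 0x30 or 0x32 is treated as WRMSR or RDMSR. A check of the first opcode byte before the switch, falling back to UnsupportedExit, would close that. For the RDMSR result, Regs->Rax and Regs->Rdx take the full 64-bit values the hypervisor placed in the GHCB; RDMSR returns 32 bits in each register with the upper halves cleared, so masking to 32 bits would match the instruction.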
@@ -705,6 +766,10 @@ VmgExitHandleVc (
 NaeExit = IoioExit;
 break;
 
+  case SVM_EXIT_MSR:
+NaeExit = MsrExit;
+break;
+
   default:
 NaeExit = UnsupportedExit;
   }
-- 
2.28.0


View/Reply Online (#64192): https://edk2.groups.io/g/devel/message/64192



[edk2-devel] [PATCH v15 14/46] OvmfPkg/VmgExitLib: Support string IO for IOIO_PROT NAE events

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

Add support to the #VC exception handler to handle string IO. This
requires expanding the IO instruction parsing to recognize string based
IO instructions as well as preparing an un-encrypted buffer to be used
to transfer (either to or from the guest) the string contents for the IO
operation. The SW_EXITINFO2 and SW_SCRATCH fields of the GHCB are set
appropriately for the operation. Multiple VMGEXIT invocations may be
needed to complete the string IO operation.

Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Acked-by: Laszlo Ersek 
Signed-off-by: Tom Lendacky 
---
 OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 90 +---
 1 file changed, 76 insertions(+), 14 deletions(-)

diff --git a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c 
b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
index 04e8b8aebf7d..bc2e270a7ce8 100644
--- a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
+++ b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
@@ -397,6 +397,26 @@ IoioExitInfo (
   ExitInfo = 0;
 
   switch (*(InstructionData->OpCodes)) {
+  //
+  // INS opcodes
+  //
+  case 0x6C:
+  case 0x6D:
+ExitInfo |= IOIO_TYPE_INS;
+ExitInfo |= IOIO_SEG_ES;
+ExitInfo |= ((Regs->Rdx & 0x) << 16);
+break;
+
+  //
+  // OUTS opcodes
+  //
+  case 0x6E:
+  case 0x6F:
+ExitInfo |= IOIO_TYPE_OUTS;
+ExitInfo |= IOIO_SEG_DS;
+ExitInfo |= ((Regs->Rdx & 0x) << 16);
+break;
+
   //
   // IN immediate opcodes
   //
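Review bot: The OUTS cases (0x6E, 0x6F) always set IOIO_SEG_DS, but OUTS uses DS:rSI only by default and honours a segment-override prefix. The instruction parsing context defined earlier in this series carries SegmentSpecified and Segment fields; please either use them here to pick the IOIO_SEG_* value or add a comment explaining why an override can be ignored. INS with IOIO_SEG_ES is fine as written, since the ES:rDI destination cannot be overridden.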
@@ -445,6 +465,8 @@ IoioExitInfo (
   //
   // Single-byte opcodes
   //
+  case 0x6C:
+  case 0x6E:
   case 0xE4:
   case 0xE6:
   case 0xEC:
@@ -506,30 +528,70 @@ IoioExit (
   IN SEV_ES_INSTRUCTION_DATA  *InstructionData
   )
 {
-  UINT64  ExitInfo1, Status;
+  UINT64   ExitInfo1, ExitInfo2, Status;
+  BOOLEAN  IsString;
 
   ExitInfo1 = IoioExitInfo (Regs, InstructionData);
   if (ExitInfo1 == 0) {
 return UnsupportedExit (Ghcb, Regs, InstructionData);
   }
 
-  if ((ExitInfo1 & IOIO_TYPE_IN) != 0) {
-Ghcb->SaveArea.Rax = 0;
+  IsString = ((ExitInfo1 & IOIO_TYPE_STR) != 0) ? TRUE : FALSE;
+  if (IsString) {
+UINTN  IoBytes, VmgExitBytes;
+UINTN  GhcbCount, OpCount;
+
+Status = 0;
+
+IoBytes = IOIO_DATA_BYTES (ExitInfo1);
+GhcbCount = sizeof (Ghcb->SharedBuffer) / IoBytes;
+
+OpCount = ((ExitInfo1 & IOIO_REP) != 0) ? Regs->Rcx : 1;
+while (OpCount != 0) {
+  ExitInfo2 = MIN (OpCount, GhcbCount);
+  VmgExitBytes = ExitInfo2 * IoBytes;
+
+  if ((ExitInfo1 & IOIO_TYPE_IN) == 0) {
+CopyMem (Ghcb->SharedBuffer, (VOID *) Regs->Rsi, VmgExitBytes);
+Regs->Rsi += VmgExitBytes;
+  }
+
+  Ghcb->SaveArea.SwScratch = (UINT64) Ghcb->SharedBuffer;
+  Status = VmgExit (Ghcb, SVM_EXIT_IOIO_PROT, ExitInfo1, ExitInfo2);
+  if (Status != 0) {
+return Status;
+  }
+
+  if ((ExitInfo1 & IOIO_TYPE_IN) != 0) {
+CopyMem ((VOID *) Regs->Rdi, Ghcb->SharedBuffer, VmgExitBytes);
+Regs->Rdi += VmgExitBytes;
+  }
+
+  if ((ExitInfo1 & IOIO_REP) != 0) {
+Regs->Rcx -= ExitInfo2;
+  }
+
+  OpCount -= ExitInfo2;
+}
   } else {
-CopyMem (>SaveArea.Rax, >Rax, IOIO_DATA_BYTES (ExitInfo1));
-  }
-  GhcbSetRegValid (Ghcb, GhcbRax);
+if ((ExitInfo1 & IOIO_TYPE_IN) != 0) {
+  Ghcb->SaveArea.Rax = 0;
+} else {
+  CopyMem (>SaveArea.Rax, >Rax, IOIO_DATA_BYTES (ExitInfo1));
+}
+GhcbSetRegValid (Ghcb, GhcbRax);
 
-  Status = VmgExit (Ghcb, SVM_EXIT_IOIO_PROT, ExitInfo1, 0);
-  if (Status != 0) {
-return Status;
-  }
+Status = VmgExit (Ghcb, SVM_EXIT_IOIO_PROT, ExitInfo1, 0);
+if (Status != 0) {
+  return Status;
+}
 
-  if ((ExitInfo1 & IOIO_TYPE_IN) != 0) {
-if (!GhcbIsRegValid (Ghcb, GhcbRax)) {
-  return UnsupportedExit (Ghcb, Regs, InstructionData);
+if ((ExitInfo1 & IOIO_TYPE_IN) != 0) {
+  if (!GhcbIsRegValid (Ghcb, GhcbRax)) {
+return UnsupportedExit (Ghcb, Regs, InstructionData);
+  }
+  CopyMem (>Rax, >SaveArea.Rax, IOIO_DATA_BYTES (ExitInfo1));
 }
-CopyMem (>Rax, >SaveArea.Rax, IOIO_DATA_BYTES (ExitInfo1));
   }
 
   return 0;
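Review bot: The string path in IoioExit() always advances the pointers upward (Regs->Rsi += VmgExitBytes, Regs->Rdi += VmgExitBytes) and never looks at the direction flag, so an INS/OUTS executed with DF set would walk guest memory in the wrong direction. Please either handle DF from Regs->Rflags or reject that case through UnsupportedExit. Also, GhcbCount is computed as sizeof (Ghcb->SharedBuffer) / IoBytes; please confirm IOIO_DATA_BYTES (ExitInfo1) can never be 0 on this path, or guard the division.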
-- 
2.28.0


View/Reply Online (#64190): https://edk2.groups.io/g/devel/message/64190



[edk2-devel] [PATCH v15 10/46] UefiPayloadPkg: Prepare UefiPayloadPkg to use the VmgExitLib library

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

Various CpuExceptionHandlerLib libraries will be updated to use the new
VmgExitLib library. To prevent any build breakage, update the
UefiPayloadPkg DSC files that use a form of the CpuExceptionHandlerLib
library to include the VmgExitLib library.

Cc: Maurice Ma 
Cc: Guo Dong 
Cc: Benjamin You 
Reviewed-by: Guo Dong 
Reviewed-by: Maurice Ma 
Signed-off-by: Tom Lendacky 
---
 UefiPayloadPkg/UefiPayloadPkgIa32.dsc| 2 ++
 UefiPayloadPkg/UefiPayloadPkgIa32X64.dsc | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/UefiPayloadPkg/UefiPayloadPkgIa32.dsc 
b/UefiPayloadPkg/UefiPayloadPkgIa32.dsc
index 9a9ca3060e47..460da1c504dc 100644
--- a/UefiPayloadPkg/UefiPayloadPkgIa32.dsc
+++ b/UefiPayloadPkg/UefiPayloadPkgIa32.dsc
@@ -237,6 +237,7 @@ [LibraryClasses.common.DXE_CORE]
   DebugAgentLib|SourceLevelDebugPkg/Library/DebugAgent/DxeDebugAgentLib.inf
 !endif
   
CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib.inf
+  VmgExitLib|UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.inf
 
 [LibraryClasses.common.DXE_DRIVER]
   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
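Review bot: The VmgExitLib mapping is added separately under [LibraryClasses.common.DXE_CORE] and [LibraryClasses.common.DXE_DRIVER], with the identical VmgExitLibNull.inf path each time. A single entry in the general [LibraryClasses] section would resolve the class for every module type and would avoid a build break if another module type later links a CpuExceptionHandlerLib instance. If the per-section placement is deliberate, to sit next to each CpuExceptionHandlerLib line, a sentence in the commit message saying so would help.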
@@ -249,6 +250,7 @@ [LibraryClasses.common.DXE_DRIVER]
 !endif
   
CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib.inf
   MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
+  VmgExitLib|UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.inf
 
 [LibraryClasses.common.DXE_RUNTIME_DRIVER]
   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
diff --git a/UefiPayloadPkg/UefiPayloadPkgIa32X64.dsc 
b/UefiPayloadPkg/UefiPayloadPkgIa32X64.dsc
index a768a8702c66..942bc9076634 100644
--- a/UefiPayloadPkg/UefiPayloadPkgIa32X64.dsc
+++ b/UefiPayloadPkg/UefiPayloadPkgIa32X64.dsc
@@ -238,6 +238,7 @@ [LibraryClasses.common.DXE_CORE]
   DebugAgentLib|SourceLevelDebugPkg/Library/DebugAgent/DxeDebugAgentLib.inf
 !endif
   
CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib.inf
+  VmgExitLib|UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.inf
 
 [LibraryClasses.common.DXE_DRIVER]
   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
@@ -250,6 +251,7 @@ [LibraryClasses.common.DXE_DRIVER]
 !endif
   
CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib.inf
   MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
+  VmgExitLib|UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.inf
 
 [LibraryClasses.common.DXE_RUNTIME_DRIVER]
   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
-- 
2.28.0


View/Reply Online (#64186): https://edk2.groups.io/g/devel/message/64186



[edk2-devel] [PATCH v15 11/46] UefiCpuPkg/CpuExceptionHandler: Add base support for the #VC exception

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

Add base support to handle #VC exceptions. Update the common exception
handlers to invoke the VmgExitHandleVc () function of the VmgExitLib
library when a #VC is encountered. A non-zero return code will propagate
to the targeted exception handler.

Under SEV-ES, a DR7 read or write intercept generates a #VC exception.
To avoid exception recursion, a #VC exception will not try to read and
push the actual debug registers into the EFI_SYSTEM_CONTEXT_X64 struct
and instead push zeroes. The #VC exception handler does not make use of
the debug registers from the saved context and the exception processing
exit code does not attempt to restore the debug register values.

Cc: Eric Dong 
Cc: Ray Ni 
Cc: Laszlo Ersek 
Reviewed-by: Eric Dong 
Signed-off-by: Tom Lendacky 
---
 UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib.inf
  |  1 +
 UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuExceptionHandlerLib.inf
  |  1 +
 UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.inf 
  |  1 +
 UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLib.inf
  |  1 +
 
UefiCpuPkg/Library/CpuExceptionHandlerLib/Xcode5SecPeiCpuExceptionHandlerLib.inf
 |  1 +
 UefiCpuPkg/Library/CpuExceptionHandlerLib/CpuExceptionCommon.c 
  | 10 +-
 UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiDxeSmmCpuException.c  
  | 20 +++-
 UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuException.c 
  | 19 +++
 UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/ExceptionHandlerAsm.nasm 
  | 17 +
 UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/Xcode5ExceptionHandlerAsm.nasm   
  | 17 +
 10 files changed, 86 insertions(+), 2 deletions(-)

diff --git 
a/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib.inf 
b/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib.inf
index 61e2ec30b089..07b34c92a892 100644
--- a/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib.inf
+++ b/UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib.inf
@@ -57,3 +57,4 @@ [LibraryClasses]
   PeCoffGetEntryPointLib
   MemoryAllocationLib
   DebugLib
+  VmgExitLib
diff --git 
a/UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuExceptionHandlerLib.inf 
b/UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuExceptionHandlerLib.inf
index 093374944df6..feae7b3e06de 100644
--- a/UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuExceptionHandlerLib.inf
+++ b/UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuExceptionHandlerLib.inf
@@ -52,6 +52,7 @@ [LibraryClasses]
   HobLib
   MemoryAllocationLib
   SynchronizationLib
+  VmgExitLib
 
 [Pcd]
   gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard# CONSUMES
diff --git 
a/UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.inf 
b/UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.inf
index 6d25cafe2ca3..967cb61ba6d9 100644
--- a/UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.inf
+++ b/UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.inf
@@ -48,3 +48,4 @@ [LibraryClasses]
   PrintLib
   LocalApicLib
   PeCoffGetEntryPointLib
+  VmgExitLib
diff --git 
a/UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLib.inf 
b/UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLib.inf
index 2ffbbccc302f..4cdb11c04ea0 100644
--- a/UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLib.inf
+++ b/UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLib.inf
@@ -51,4 +51,5 @@ [LibraryClasses]
   LocalApicLib
   PeCoffGetEntryPointLib
   DebugLib
+  VmgExitLib
 
diff --git 
a/UefiCpuPkg/Library/CpuExceptionHandlerLib/Xcode5SecPeiCpuExceptionHandlerLib.inf
 
b/UefiCpuPkg/Library/CpuExceptionHandlerLib/Xcode5SecPeiCpuExceptionHandlerLib.inf
index 7e21beaab6f2..743c2aa76684 100644
--- 
a/UefiCpuPkg/Library/CpuExceptionHandlerLib/Xcode5SecPeiCpuExceptionHandlerLib.inf
+++ 
b/UefiCpuPkg/Library/CpuExceptionHandlerLib/Xcode5SecPeiCpuExceptionHandlerLib.inf
@@ -53,3 +53,4 @@ [LibraryClasses]
   PrintLib
   LocalApicLib
   PeCoffGetEntryPointLib
+  VmgExitLib
diff --git a/UefiCpuPkg/Library/CpuExceptionHandlerLib/CpuExceptionCommon.c 
b/UefiCpuPkg/Library/CpuExceptionHandlerLib/CpuExceptionCommon.c
index 8adbd43fefb4..c9003b10e552 100644
--- a/UefiCpuPkg/Library/CpuExceptionHandlerLib/CpuExceptionCommon.c
+++ b/UefiCpuPkg/Library/CpuExceptionHandlerLib/CpuExceptionCommon.c
@@ -14,7 +14,7 @@
 //
 // 1 means an error code will be pushed, otherwise 0
 //
-CONST UINT32 mErrorCodeFlag = 0x00227d00;
+CONST UINT32 mErrorCodeFlag = 0x20227d00;
 
 //
 // Define the maximum message length
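Review bot: The new mErrorCodeFlag value 0x20227d00 sets bit 29 on top of the previous mask, but the comment above it still only says "1 means an error code will be pushed, otherwise 0". Please extend the comment to say that bit 29 is the #VC vector and that it pushes an error code, so the constant can be checked against the vector list without decoding the hex by hand.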
@@ -45,6 +45,14 @@ CONST CHAR8 *mExceptionNameStr[] = {
   "#XM - SIMD floating-point",
   "#VE - Virtualization",
   "#CP - Control Protection"
+  

[edk2-devel] [PATCH v15 08/46] UefiCpuPkg: Implement library support for VMGEXIT

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

To support handling #VC exceptions and issuing VMGEXIT instructions,
create a library with functions that can be used to perform these
#VC/VMGEXIT related operations. This includes functions for:
  - Handling #VC exceptions
  - Preparing for and issuing a VMGEXIT
  - Performing MMIO-related write operations to support flash emulation
  - Performing AP related boot operations

The base functions in this driver will not do anything and will return
an error if a return value is required. It is expected that other packages
(like OvmfPkg) will create a version of the library to fully support an
SEV-ES guest.

Cc: Eric Dong 
Cc: Ray Ni 
Cc: Laszlo Ersek 
Reviewed-by: Eric Dong 
Signed-off-by: Tom Lendacky 
---
 UefiCpuPkg/UefiCpuPkg.dec|   3 +
 UefiCpuPkg/UefiCpuPkg.dsc|   2 +
 UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.inf |  27 +
 UefiCpuPkg/Include/Library/VmgExitLib.h  | 103 +
 UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.c   | 121 
 UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.uni |  15 +++
 6 files changed, 271 insertions(+)

diff --git a/UefiCpuPkg/UefiCpuPkg.dec b/UefiCpuPkg/UefiCpuPkg.dec
index d52912ddca1f..17228cb5a84f 100644
--- a/UefiCpuPkg/UefiCpuPkg.dec
+++ b/UefiCpuPkg/UefiCpuPkg.dec
@@ -53,6 +53,9 @@ [LibraryClasses.IA32, LibraryClasses.X64]
   ##
   MpInitLib|Include/Library/MpInitLib.h
 
+  ##  @libraryclass  Provides function to support VMGEXIT processing.
+  VmgExitLib|Include/Library/VmgExitLib.h
+
 [Guids]
   gUefiCpuPkgTokenSpaceGuid  = { 0xac05bf33, 0x995a, 0x4ed4, { 0xaa, 0xb8, 
0xef, 0x7a, 0xe8, 0xf, 0x5c, 0xb0 }}
   gMsegSmramGuid = { 0x5802bce4, 0x, 0x4e33, { 0xa1, 0x30, 
0xeb, 0xad, 0x27, 0xf0, 0xe4, 0x39 }}
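Review bot: The @libraryclass description added to UefiCpuPkg.dec reads "Provides function to support VMGEXIT processing."; the class exposes several functions (the commit message lists four groups), so "Provides functions" would read correctly and match the neighbouring library class descriptions.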
diff --git a/UefiCpuPkg/UefiCpuPkg.dsc b/UefiCpuPkg/UefiCpuPkg.dsc
index 964720048dd7..b2b6d78a71b0 100644
--- a/UefiCpuPkg/UefiCpuPkg.dsc
+++ b/UefiCpuPkg/UefiCpuPkg.dsc
@@ -56,6 +56,7 @@ [LibraryClasses]
   
PeCoffGetEntryPointLib|MdePkg/Library/BasePeCoffGetEntryPointLib/BasePeCoffGetEntryPointLib.inf
   
PeCoffExtraActionLib|MdePkg/Library/BasePeCoffExtraActionLibNull/BasePeCoffExtraActionLibNull.inf
   
TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+  VmgExitLib|UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.inf
 
 [LibraryClasses.common.SEC]
   PlatformSecLib|UefiCpuPkg/Library/PlatformSecLibNull/PlatformSecLibNull.inf
@@ -143,6 +144,7 @@ [Components.IA32, Components.X64]
   UefiCpuPkg/Library/SmmCpuPlatformHookLibNull/SmmCpuPlatformHookLibNull.inf
   UefiCpuPkg/Library/SmmCpuFeaturesLib/SmmCpuFeaturesLib.inf
   UefiCpuPkg/Library/SmmCpuFeaturesLib/SmmCpuFeaturesLibStm.inf
+  UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.inf
   UefiCpuPkg/PiSmmCommunication/PiSmmCommunicationPei.inf
   UefiCpuPkg/PiSmmCommunication/PiSmmCommunicationSmm.inf
   UefiCpuPkg/SecCore/SecCore.inf
diff --git a/UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.inf 
b/UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.inf
new file mode 100644
index ..d8770a21c355
--- /dev/null
+++ b/UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.inf
@@ -0,0 +1,27 @@
+## @file
+#  VMGEXIT Support Library.
+#
+#  Copyright (C) 2020, Advanced Micro Devices, Inc. All rights reserved.
+#  SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+  INF_VERSION= 0x00010005
+  BASE_NAME  = VmgExitLibNull
+  MODULE_UNI_FILE= VmgExitLibNull.uni
+  FILE_GUID  = 3cd7368f-ef9b-4a9b-9571-2ed93813677e
+  MODULE_TYPE= BASE
+  VERSION_STRING = 1.0
+  LIBRARY_CLASS  = VmgExitLib
+
+[Sources.common]
+  VmgExitLibNull.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  UefiCpuPkg/UefiCpuPkg.dec
+
+[LibraryClasses]
+  BaseLib
+
diff --git a/UefiCpuPkg/Include/Library/VmgExitLib.h 
b/UefiCpuPkg/Include/Library/VmgExitLib.h
new file mode 100644
index ..45fc27d35e29
--- /dev/null
+++ b/UefiCpuPkg/Include/Library/VmgExitLib.h
@@ -0,0 +1,103 @@
+/** @file
+  Public header file for the VMGEXIT Support library class.
+
+  This library class defines some routines used when invoking the VMGEXIT
+  instruction in support of SEV-ES and to handle #VC exceptions.
+
+  Copyright (C) 2020, Advanced Micro Devices, Inc. All rights reserved.
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef __VMG_EXIT_LIB_H__
+#define __VMG_EXIT_LIB_H__
+
+#include 
+#include 
+
+
+/**
+  Perform VMGEXIT.
+
+  Sets the necessary fields of the GHCB, invokes the VMGEXIT instruction and
+  then handles the return actions.
+
+  @param[in, out]  Ghcb   A pointer to the GHCB
+  @param[in]   ExitCode   VMGEXIT code to be assigned to the SwExitCode
+  field of the GHCB.
+  @param[in]   ExitInfo1  VMGEXIT 
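Review bot: the include guard `__VMG_EXIT_LIB_H__` begins with a double underscore, and identifiers of that form are reserved for the implementation in C. `VMG_EXIT_LIB_H_` avoids the reserved namespace and needs no other change in this header.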

[edk2-devel] [PATCH v15 03/46] MdePkg: Add the MSR definition for the GHCB register

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

For SEV-ES, the GHCB page address is stored in the GHCB MSR register
(0xc0010130). Define the register and the format used for the register
during GHCB protocol negotiation.

Cc: Michael D Kinney 
Cc: Liming Gao 
Reviewed-by: Liming Gao 
Signed-off-by: Tom Lendacky 
---
 MdePkg/Include/Register/Amd/Fam17Msr.h | 46 
 1 file changed, 46 insertions(+)

diff --git a/MdePkg/Include/Register/Amd/Fam17Msr.h 
b/MdePkg/Include/Register/Amd/Fam17Msr.h
index 6ef45a9b21d3..e4db09c5184c 100644
--- a/MdePkg/Include/Register/Amd/Fam17Msr.h
+++ b/MdePkg/Include/Register/Amd/Fam17Msr.h
@@ -17,6 +17,52 @@
 #ifndef __FAM17_MSR_H__
 #define __FAM17_MSR_H__
 
+/**
+  Secure Encrypted Virtualization - Encrypted State (SEV-ES) GHCB register
+
+**/
+#define MSR_SEV_ES_GHCB0xc0010130
+
+/**
+  MSR information returned for #MSR_SEV_ES_GHCB
+**/
+typedef union {
+  struct {
+UINT32  Function:12;
+UINT32  Reserved1:20;
+UINT32  Reserved2:32;
+  } GhcbInfo;
+
+  struct {
+UINT8   Reserved[3];
+UINT8   SevEncryptionBitPos;
+UINT16  SevEsProtocolMin;
+UINT16  SevEsProtocolMax;
+  } GhcbProtocol;
+
+  struct {
+UINT32  Function:12;
+UINT32  ReasonCodeSet:4;
+UINT32  ReasonCode:8;
+UINT32  Reserved1:8;
+UINT32  Reserved2:32;
+  } GhcbTerminate;
+
+  VOID*Ghcb;
+
+  UINT64  GhcbPhysicalAddress;
+} MSR_SEV_ES_GHCB_REGISTER;
+
+#define GHCB_INFO_SEV_INFO 1
+#define GHCB_INFO_SEV_INFO_GET 2
+#define GHCB_INFO_CPUID_REQUEST4
+#define GHCB_INFO_CPUID_RESPONSE   5
+#define GHCB_INFO_TERMINATE_REQUEST256
+
+#define GHCB_TERMINATE_GHCB0
+#define GHCB_TERMINATE_GHCB_GENERAL0
+#define GHCB_TERMINATE_GHCB_PROTOCOL   1
+
 /**
   Secure Encrypted Virtualization (SEV) status register
 
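Review bot: the `VOID *Ghcb` member of `MSR_SEV_ES_GHCB_REGISTER` is pointer-sized, so in an IA32 build it overlays only the low 32 bits of the 64-bit MSR value while every other view of the union is 64 bits wide. Code that fills the union through `Ghcb` and then writes `GhcbPhysicalAddress` to the MSR would carry whatever was left in the upper half. Either document that the union must be zeroed first, or drop the pointer view and have callers convert through `GhcbPhysicalAddress`. Separately, `GHCB_TERMINATE_GHCB` and `GHCB_TERMINATE_GHCB_GENERAL` are both 0 with no comment saying which one belongs in `ReasonCodeSet` and which in `ReasonCode`; a one-line comment above each group would keep them from being swapped.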
-- 
2.28.0


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#64179): https://edk2.groups.io/g/devel/message/64179
Mute This Topic: https://groups.io/mt/76166933/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
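The protocol negotiation that the MSR layout in this patch supports, as an added example (not code from the patch series or from edk2): it decodes an SEV information response with plain shifts at the bit positions of `MSR_SEV_ES_GHCB_REGISTER`, treats the hypervisor-supplied value as untrusted input, and builds the terminate request when validation fails. The `sev_info` type, the function names, the sample MSR values and the choice of reason code for each failure are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Values as defined in the Fam17Msr.h and Ghcb.h patches of this series. */
#define GHCB_INFO_SEV_INFO            1
#define GHCB_INFO_TERMINATE_REQUEST   256
#define GHCB_TERMINATE_GHCB           0   /* used here as ReasonCodeSet */
#define GHCB_TERMINATE_GHCB_GENERAL   0   /* used here as ReasonCode    */
#define GHCB_TERMINATE_GHCB_PROTOCOL  1   /* used here as ReasonCode    */
#define GHCB_VERSION_MIN              1
#define GHCB_VERSION_MAX              1

/* Hypothetical container for the GhcbProtocol view of the MSR value. */
typedef struct {
  uint8_t  enc_bit_pos;  /* SevEncryptionBitPos, bits 31:24 */
  uint16_t proto_min;    /* SevEsProtocolMin,    bits 47:32 */
  uint16_t proto_max;    /* SevEsProtocolMax,    bits 63:48 */
} sev_info;

/* GhcbTerminate view: Function[11:0], ReasonCodeSet[15:12], ReasonCode[23:16]. */
uint64_t ghcb_terminate_msr(unsigned set, unsigned code)
{
  return (uint64_t)GHCB_INFO_TERMINATE_REQUEST
       | ((uint64_t)(set & 0xFu) << 12)
       | ((uint64_t)(code & 0xFFu) << 16);
}

/*
 * Decode an SEV information response. The value comes from the hypervisor,
 * which SEV-ES does not trust, so every field is checked before use.
 */
bool ghcb_decode_sev_info(uint64_t msr, sev_info *out)
{
  if ((msr & 0xFFFu) != GHCB_INFO_SEV_INFO) {
    return false;                         /* not the expected function   */
  }
  if (((msr >> 12) & 0xFFFu) != 0) {
    return false;                         /* reserved bits 23:12 are set */
  }
  out->enc_bit_pos = (uint8_t)(msr >> 24);
  out->proto_min   = (uint16_t)(msr >> 32);
  out->proto_max   = (uint16_t)(msr >> 48);
  /* A bit position past 63 or an inverted range cannot be valid. */
  return out->enc_bit_pos < 64 && out->proto_min <= out->proto_max;
}

/*
 * Returns the negotiated protocol version, or 0 on failure. On failure
 * *terminate holds the MSR value for a terminate request; on success it is 0.
 */
uint16_t ghcb_negotiate(uint64_t msr, uint64_t *terminate)
{
  sev_info info;

  *terminate = 0;
  if (!ghcb_decode_sev_info(msr, &info)) {
    *terminate = ghcb_terminate_msr(GHCB_TERMINATE_GHCB,
                                    GHCB_TERMINATE_GHCB_GENERAL);
    return 0;
  }
  /* The guest range [MIN, MAX] must overlap the hypervisor's range. */
  if (info.proto_min > GHCB_VERSION_MAX || info.proto_max < GHCB_VERSION_MIN) {
    *terminate = ghcb_terminate_msr(GHCB_TERMINATE_GHCB,
                                    GHCB_TERMINATE_GHCB_PROTOCOL);
    return 0;
  }
  return (uint16_t)(info.proto_max < GHCB_VERSION_MAX ? info.proto_max
                                                      : GHCB_VERSION_MAX);
}

int main(void)
{
  /* Constructed sample values, not captured from a real guest. */
  const uint64_t samples[] = {
    0x0001000133000001ULL,  /* function 1, C-bit 51, versions 1..1 */
    0x0003000233000001ULL,  /* versions 2..3: no overlap with 1..1  */
    0x0001000133000005ULL,  /* wrong function in bits 11:0          */
  };
  for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++) {
    uint64_t term;
    unsigned version = ghcb_negotiate(samples[i], &term);
    printf("msr=0x%016llx version=%u terminate=0x%llx\n",
           (unsigned long long)samples[i], version, (unsigned long long)term);
  }
  return 0;
}
```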



[edk2-devel] [PATCH v15 07/46] MdePkg/BaseLib: Add support for the VMGEXIT instruction

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

VMGEXIT is a new instruction used for Hypervisor/Guest communication when
running as an SEV-ES guest. A VMGEXIT will cause an automatic exit (AE)
to occur, resulting in a #VMEXIT with an exit code value of 0x403.

Since SEV-ES is only supported in X64, provide the necessary X64 support
to execute the VMGEXIT instruction, which is coded as "rep vmmcall". For
IA32, since "vmmcall" is not supported in NASM 32-bit mode and VMGEXIT
should never be called, provide a stub implementation that is identical
to CpuBreakpoint().

Cc: Michael D Kinney 
Cc: Liming Gao 
Reviewed-by: Liming Gao 
Reviewed-by: Laszlo Ersek 
Signed-off-by: Tom Lendacky 
---
 MdePkg/Library/BaseLib/BaseLib.inf   |  2 ++
 MdePkg/Include/Library/BaseLib.h | 14 
 MdePkg/Library/BaseLib/Ia32/VmgExit.nasm | 38 
 MdePkg/Library/BaseLib/X64/VmgExit.nasm  | 32 +
 4 files changed, 86 insertions(+)

diff --git a/MdePkg/Library/BaseLib/BaseLib.inf 
b/MdePkg/Library/BaseLib/BaseLib.inf
index 3b93b5db8d24..3b85c56c3c03 100644
--- a/MdePkg/Library/BaseLib/BaseLib.inf
+++ b/MdePkg/Library/BaseLib/BaseLib.inf
@@ -184,6 +184,7 @@ [Sources.Ia32]
   Ia32/DisableCache.nasm| GCC
   Ia32/RdRand.nasm
   Ia32/XGetBv.nasm
+  Ia32/VmgExit.nasm
 
   Ia32/DivS64x64Remainder.c
   Ia32/InternalSwitchStack.c | MSFT
@@ -317,6 +318,7 @@ [Sources.X64]
   X64/DisablePaging64.nasm
   X64/RdRand.nasm
   X64/XGetBv.nasm
+  X64/VmgExit.nasm
   ChkStkGcc.c  | GCC
 
 [Sources.EBC]
diff --git a/MdePkg/Include/Library/BaseLib.h b/MdePkg/Include/Library/BaseLib.h
index 7edf0051a0a0..04fb329eaabb 100644
--- a/MdePkg/Include/Library/BaseLib.h
+++ b/MdePkg/Include/Library/BaseLib.h
@@ -7848,6 +7848,20 @@ AsmXGetBv (
   );
 
 
+/**
+  Executes a VMGEXIT instruction (VMMCALL with a REP prefix)
+
+  Executes a VMGEXIT instruction. This function is only available on IA-32 and
+  x64.
+
+**/
+VOID
+EFIAPI
+AsmVmgExit (
+  VOID
+  );
+
+
 /**
   Patch the immediate operand of an IA32 or X64 instruction such that the byte,
   word, dword or qword operand is encoded at the end of the instruction's
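Review bot: the header comment for `AsmVmgExit` says "This function is only available on IA-32 and x64", but the IA32 implementation added later in this patch is an `int 3` stub and never executes VMGEXIT. The comment should say that the instruction is executed on X64 only, that the IA32 version raises a breakpoint, and that the caller must already be running as an SEV-ES guest. The summary line "Executes a VMGEXIT instruction (VMMCALL with a REP prefix)" is also missing the terminating period that the v15 changelog lists among the ECC fixes.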
diff --git a/MdePkg/Library/BaseLib/Ia32/VmgExit.nasm 
b/MdePkg/Library/BaseLib/Ia32/VmgExit.nasm
new file mode 100644
index ..69f7fbf3506a
--- /dev/null
+++ b/MdePkg/Library/BaseLib/Ia32/VmgExit.nasm
@@ -0,0 +1,38 @@
+;--
+;
+; Copyright (C) 2020, Advanced Micro Devices, Inc. All rights reserved.
+; SPDX-License-Identifier: BSD-2-Clause-Patent
+;
+; Module Name:
+;
+;   VmgExit.Asm
+;
+; Abstract:
+;
+;   AsmVmgExit function
+;
+; Notes:
+;
+;--
+
+SECTION .text
+
+;--
+; VOID
+; EFIAPI
+; AsmVmgExit (
+;   VOID
+;   );
+;--
+global ASM_PFX(AsmVmgExit)
+ASM_PFX(AsmVmgExit):
+;
+; NASM doesn't support the vmmcall instruction in 32-bit mode and NASM versions
+; before 2.12 cannot translate the 64-bit "rep vmmcall" instruction into elf32
+; format. Given that VMGEXIT does not make sense on IA32, provide a stub
+; implementation that is identical to CpuBreakpoint(). In practice, 
AsmVmgExit()
+; should never be called on IA32.
+;
+int  3
+ret
+
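Review bot: the stub falls through to `ret` after `int  3`, so if the breakpoint handler returns (for example under a debugger) the caller continues as though the hypervisor had serviced the request and will read back an untouched GHCB. Since the comment states that `AsmVmgExit()` should never be called on IA32, consider making the failure terminal, for example with a `jmp $` after the `int  3`, or document why returning to the caller is acceptable.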
diff --git a/MdePkg/Library/BaseLib/X64/VmgExit.nasm 
b/MdePkg/Library/BaseLib/X64/VmgExit.nasm
new file mode 100644
index ..26f034593c67
--- /dev/null
+++ b/MdePkg/Library/BaseLib/X64/VmgExit.nasm
@@ -0,0 +1,32 @@
+;--
+;
+; Copyright (C) 2020, Advanced Micro Devices, Inc. All rights reserved.
+; SPDX-License-Identifier: BSD-2-Clause-Patent
+;
+; Module Name:
+;
+;   VmgExit.Asm
+;
+; Abstract:
+;
+;   AsmVmgExit function
+;
+; Notes:
+;
+;--
+
+DEFAULT REL
+SECTION .text
+
+;--
+; VOID
+; EFIAPI
+; AsmVmgExit (
+;   VOID
+;   );
+;--
+global ASM_PFX(AsmVmgExit)
+ASM_PFX(AsmVmgExit):
+rep vmmcall
+ret
+
-- 
2.28.0


View/Reply Online (#64183): https://edk2.groups.io/g/devel/message/64183



[edk2-devel] [PATCH v15 04/46] MdePkg: Add a structure definition for the GHCB

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

The GHCB is used by an SEV-ES guest for communicating between the guest
and the hypervisor. Create the GHCB definition as defined by the GHCB
protocol definition.

Cc: Michael D Kinney 
Cc: Liming Gao 
Reviewed-by: Liming Gao 
Signed-off-by: Tom Lendacky 
---
 MdePkg/Include/Register/Amd/Ghcb.h | 166 
 1 file changed, 166 insertions(+)

diff --git a/MdePkg/Include/Register/Amd/Ghcb.h 
b/MdePkg/Include/Register/Amd/Ghcb.h
new file mode 100644
index ..54a80da0f6d7
--- /dev/null
+++ b/MdePkg/Include/Register/Amd/Ghcb.h
@@ -0,0 +1,166 @@
+/** @file
+  Guest-Hypervisor Communication Block (GHCB) Definition.
+
+  Provides data types allowing an SEV-ES guest to interact with the hypervisor
+  using the GHCB protocol.
+
+  Copyright (C) 2020, Advanced Micro Devices, Inc. All rights reserved.
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+  @par Specification Reference:
+  SEV-ES Guest-Hypervisor Communication Block Standardization
+
+**/
+
+#ifndef __GHCB_H__
+#define __GHCB_H__
+
+#include 
+#include 
+#include 
+
+#define UD_EXCEPTION  6
+#define GP_EXCEPTION 13
+#define VC_EXCEPTION 29
+
+#define GHCB_VERSION_MIN 1
+#define GHCB_VERSION_MAX 1
+
+#define GHCB_STANDARD_USAGE  0
+
+//
+// SVM Exit Codes
+//
+#define SVM_EXIT_DR7_READ   0x27ULL
+#define SVM_EXIT_DR7_WRITE  0x37ULL
+#define SVM_EXIT_RDTSC  0x6EULL
+#define SVM_EXIT_RDPMC  0x6FULL
+#define SVM_EXIT_CPUID  0x72ULL
+#define SVM_EXIT_INVD   0x76ULL
+#define SVM_EXIT_IOIO_PROT  0x7BULL
+#define SVM_EXIT_MSR0x7CULL
+#define SVM_EXIT_VMMCALL0x81ULL
+#define SVM_EXIT_RDTSCP 0x87ULL
+#define SVM_EXIT_WBINVD 0x89ULL
+#define SVM_EXIT_MONITOR0x8AULL
+#define SVM_EXIT_MWAIT  0x8BULL
+#define SVM_EXIT_NPF0x400ULL
+
+//
+// VMG Special Exit Codes
+//
+#define SVM_EXIT_MMIO_READ  0x8001ULL
+#define SVM_EXIT_MMIO_WRITE 0x8002ULL
+#define SVM_EXIT_NMI_COMPLETE   0x8003ULL
+#define SVM_EXIT_AP_RESET_HOLD  0x8004ULL
+#define SVM_EXIT_AP_JUMP_TABLE  0x8005ULL
+#define SVM_EXIT_UNSUPPORTED0x8000ULL
+
+//
+// IOIO Exit Information
+//
+#define IOIO_TYPE_STR   BIT2
+#define IOIO_TYPE_IN1
+#define IOIO_TYPE_INS   (IOIO_TYPE_IN | IOIO_TYPE_STR)
+#define IOIO_TYPE_OUT   0
+#define IOIO_TYPE_OUTS  (IOIO_TYPE_OUT | IOIO_TYPE_STR)
+
+#define IOIO_REPBIT3
+
+#define IOIO_ADDR_64BIT9
+#define IOIO_ADDR_32BIT8
+#define IOIO_ADDR_16BIT7
+
+#define IOIO_DATA_32BIT6
+#define IOIO_DATA_16BIT5
+#define IOIO_DATA_8 BIT4
+#define IOIO_DATA_MASK  (BIT6 | BIT5 | BIT4)
+#define IOIO_DATA_OFFSET4
+#define IOIO_DATA_BYTES(x)  (((x) & IOIO_DATA_MASK) >> IOIO_DATA_OFFSET)
+
+#define IOIO_SEG_ES 0
+#define IOIO_SEG_DS (BIT11 | BIT10)
+
+
+typedef enum {
+  GhcbCpl  = 25,
+  GhcbRflags   = 46,
+  GhcbRip,
+  GhcbRsp  = 59,
+  GhcbRax  = 63,
+  GhcbRcx  = 97,
+  GhcbRdx,
+  GhcbRbx,
+  GhcbRbp  = 101,
+  GhcbRsi,
+  GhcbRdi,
+  GhcbR8,
+  GhcbR9,
+  GhcbR10,
+  GhcbR11,
+  GhcbR12,
+  GhcbR13,
+  GhcbR14,
+  GhcbR15,
+  GhcbXCr0 = 125,
+} GHCB_REGISTER;
+
+typedef PACKED struct {
+  UINT8  Reserved1[203];
+  UINT8  Cpl;
+  UINT8  Reserved2[148];
+  UINT64 Dr7;
+  UINT8  Reserved3[144];
+  UINT64 Rax;
+  UINT8  Reserved4[264];
+  UINT64 Rcx;
+  UINT64 Rdx;
+  UINT64 Rbx;
+  UINT8  Reserved5[112];
+  UINT64 SwExitCode;
+  UINT64 SwExitInfo1;
+  UINT64 SwExitInfo2;
+  UINT64 SwScratch;
+  UINT8  Reserved6[56];
+  UINT64 XCr0;
+  UINT8  ValidBitmap[16];
+  UINT64 X87StateGpa;
+  UINT8  Reserved7[1016];
+} GHCB_SAVE_AREA;
+
+typedef PACKED struct {
+  GHCB_SAVE_AREA SaveArea;
+  UINT8  SharedBuffer[2032];
+  UINT8  Reserved1[10];
+  UINT16 ProtocolVersion;
+  UINT32 GhcbUsage;
+} GHCB;
+
+typedef union {
+  struct {
+UINT32  Lower32Bits;
+UINT32  Upper32Bits;
+  } Elements;
+
+  UINT64Uint64;
+} GHCB_EXIT_INFO;
+
+typedef union {
+  struct {
+UINT32  Vector:8;
+UINT32  Type:3;
+UINT32  ErrorCodeValid:1;
+UINT32  Rsvd:19;
+UINT32  Valid:1;
+UINT32  ErrorCode;
+  } Elements;
+
+  UINT64Uint64;
+} GHCB_EVENT_INJECTION;
+
+#define GHCB_EVENT_INJECTION_TYPE_INT0
+#define GHCB_EVENT_INJECTION_TYPE_NMI2
+#define GHCB_EVENT_INJECTION_TYPE_EXCEPTION  3
+#define GHCB_EVENT_INJECTION_TYPE_SOFT_INT   4
+
+#endif
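Review bot: the `GHCB_SAVE_AREA` and `GHCB` layouts depend on hand-counted `ReservedN[]` array sizes, and nothing in the header checks that the fields land at the offsets the specification gives or that `GHCB` is exactly one 4 KiB page. A miscount would silently shift what the guest places in the page it shares with the hypervisor. Suggest compile-time checks such as `STATIC_ASSERT (sizeof (GHCB) == SIZE_4KB, ...)` and `OFFSET_OF (GHCB, SaveArea.SwExitCode)` against the documented offset. The `GHCB_REGISTER` enum also needs a comment saying what its values index: they appear to be quadword offsets into the save area (`GhcbRax = 63` and `Rax` sits at byte 504), but that is not stated anywhere in the file.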
-- 
2.28.0



[edk2-devel] [PATCH v15 09/46] OvmfPkg: Prepare OvmfPkg to use the VmgExitLib library

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

Various CpuExceptionHandlerLib libraries will be updated to use the new
VmgExitLib library. To prevent any build breakage, update the OvmfPkg
DSC files that use a form of the CpuExceptionHandlerLib library to
include the VmgExitLib library.

Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Cc: Anthony Perard 
Cc: Julien Grall 
Reviewed-by: Laszlo Ersek 
Signed-off-by: Tom Lendacky 
---
 OvmfPkg/OvmfPkgIa32.dsc| 1 +
 OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
 OvmfPkg/OvmfPkgX64.dsc | 1 +
 OvmfPkg/OvmfXen.dsc| 1 +
 4 files changed, 4 insertions(+)

diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 9178ffeb71cb..c57bba1ba197 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -229,6 +229,7 @@ [LibraryClasses]
 
 [LibraryClasses.common]
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+  VmgExitLib|UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.inf
 
 [LibraryClasses.common.SEC]
   TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index a665f78f0dc7..22e930b12b9b 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -233,6 +233,7 @@ [LibraryClasses]
 
 [LibraryClasses.common]
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+  VmgExitLib|UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.inf
 
 [LibraryClasses.common.SEC]
   TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 17f345acf4ee..27f5225fc281 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -233,6 +233,7 @@ [LibraryClasses]
 
 [LibraryClasses.common]
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+  VmgExitLib|UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.inf
 
 [LibraryClasses.common.SEC]
   TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf
diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc
index 782803cb2787..37b63a874067 100644
--- a/OvmfPkg/OvmfXen.dsc
+++ b/OvmfPkg/OvmfXen.dsc
@@ -213,6 +213,7 @@ [LibraryClasses]
 
 [LibraryClasses.common]
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+  VmgExitLib|UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.inf
 
 [LibraryClasses.common.SEC]
   QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgSecLib.inf
-- 
2.28.0


View/Reply Online (#64185): https://edk2.groups.io/g/devel/message/64185



[edk2-devel] [PATCH v15 05/46] MdeModulePkg/DxeIplPeim: Support GHCB pages when creating page tables

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

GHCB pages must be mapped as shared pages, so modify the process of
creating identity mapped pagetable entries so that GHCB entries are
created without the encryption bit set. The GHCB range consists of
two pages per CPU, the first being the GHCB and the second being a
per-CPU variable page. Only the GHCB page is mapped as shared.

Cc: Jian J Wang 
Cc: Hao A Wu 
Cc: Dandan Bi 
Cc: Liming Gao 
Acked-by: Hao A Wu 
Signed-off-by: Tom Lendacky 
---
 MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf  |  2 +
 MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h | 12 -
 MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c  |  4 +-
 MdeModulePkg/Core/DxeIplPeim/X64/DxeLoadFunc.c   | 11 +++-
 MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c | 57 
 5 files changed, 70 insertions(+), 16 deletions(-)

diff --git a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf 
b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
index 3f1702854660..19b8a4c8aefa 100644
--- a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
+++ b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
@@ -115,6 +115,8 @@ [Pcd.IA32,Pcd.X64]
   gEfiMdeModulePkgTokenSpaceGuid.PcdHeapGuardPropertyMask   ## 
CONSUMES
   gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard   ## 
CONSUMES
   gEfiMdeModulePkgTokenSpaceGuid.PcdUse5LevelPageTable  ## 
SOMETIMES_CONSUMES
+  gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase## 
CONSUMES
+  gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbSize## 
CONSUMES
 
 [Pcd.IA32,Pcd.X64,Pcd.ARM,Pcd.AARCH64]
   gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack   ## 
SOMETIMES_CONSUMES
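Review bot: `PcdGhcbBase` and `PcdGhcbSize` are added under `[Pcd.IA32,Pcd.X64]` as `## CONSUMES`, but the Ia32/DxeLoadFunc.c hunks in this same patch pass literal `0, 0` for the GHCB arguments, so the IA32 build never reads them. Either move the two entries to an X64-only PCD section or mark the usage `SOMETIMES_CONSUMES` so the INF matches what the code does.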
diff --git a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h 
b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h
index 2d0493f109e8..6b7c38a441d6 100644
--- a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h
+++ b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h
@@ -201,6 +201,8 @@ EnableExecuteDisableBit (
   @param[in, out] PageEntry2M   Pointer to 2M page entry.
   @param[in]  StackBase Stack base address.
   @param[in]  StackSize Stack size.
+  @param[in]  GhcbBase  GHCB page area base address.
+  @param[in]  GhcbSize  GHCB page area size.
 
 **/
 VOID
@@ -208,7 +210,9 @@ Split2MPageTo4K (
   IN EFI_PHYSICAL_ADDRESS   PhysicalAddress,
   IN OUT UINT64 *PageEntry2M,
   IN EFI_PHYSICAL_ADDRESS   StackBase,
-  IN UINTN  StackSize
+  IN UINTN  StackSize,
+  IN EFI_PHYSICAL_ADDRESS   GhcbBase,
+  IN UINTN  GhcbSize
   );
 
 /**
@@ -217,6 +221,8 @@ Split2MPageTo4K (
 
   @param[in] StackBase  Stack base address.
   @param[in] StackSize  Stack size.
+  @param[in] GhcbBase   GHCB page area base address.
+  @param[in] GhcbSize   GHCB page area size.
 
   @return The address of 4 level page map.
 
@@ -224,7 +230,9 @@ Split2MPageTo4K (
 UINTN
 CreateIdentityMappingPageTables (
   IN EFI_PHYSICAL_ADDRESS   StackBase,
-  IN UINTN  StackSize
+  IN UINTN  StackSize,
+  IN EFI_PHYSICAL_ADDRESS   GhcbBase,
+  IN UINTN  GhcbkSize
   );
 
 
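Review bot: the last parameter of the `CreateIdentityMappingPageTables` prototype is spelled `GhcbkSize`, while the doc comment added just above it and the `Split2MPageTo4K` prototype both use `GhcbSize`. It compiles because parameter names in a prototype are not checked against the definition, but it should be corrected to `GhcbSize`.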
diff --git a/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c 
b/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c
index 6e8ca824d469..284b34818ca7 100644
--- a/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c
+++ b/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c
@@ -123,7 +123,7 @@ Create4GPageTablesIa32Pae (
 //
 // Need to split this 2M page that covers stack range.
 //
-Split2MPageTo4K (PhysicalAddress, (UINT64 *) PageDirectoryEntry, 
StackBase, StackSize);
+Split2MPageTo4K (PhysicalAddress, (UINT64 *) PageDirectoryEntry, 
StackBase, StackSize, 0, 0);
   } else {
 //
 // Fill in the Page Directory entries
@@ -282,7 +282,7 @@ HandOffToDxeCore (
 //
 // Create page table and save PageMapLevel4 to CR3
 //
-PageTables = CreateIdentityMappingPageTables (BaseOfStack, STACK_SIZE);
+PageTables = CreateIdentityMappingPageTables (BaseOfStack, STACK_SIZE, 0, 
0);
 
 //
 // End of PEI phase signal
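Review bot: the `CreateIdentityMappingPageTables (BaseOfStack, STACK_SIZE, 0, 0)` call passes bare zeros for the new GHCB arguments with no comment, in the code that creates the PageMapLevel4 from the Ia32 DxeIpl. A short comment that SEV-ES is X64 only, so no GHCB range is mapped without the encryption bit on this path, would keep a reader from assuming the shared mapping exists after every hand-off. The same applies to the `Split2MPageTo4K (..., 0, 0)` call in the previous hunk.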
diff --git a/MdeModulePkg/Core/DxeIplPeim/X64/DxeLoadFunc.c 
b/MdeModulePkg/Core/DxeIplPeim/X64/DxeLoadFunc.c
index f465eb1d8ac4..156a477d8467 100644
--- a/MdeModulePkg/Core/DxeIplPeim/X64/DxeLoadFunc.c
+++ b/MdeModulePkg/Core/DxeIplPeim/X64/DxeLoadFunc.c
@@ -35,6 +35,8 @@ HandOffToDxeCore (
   UINT32  Index;
   EFI_VECTOR_HANDOFF_INFO *VectorInfo;
   EFI_PEI_VECTOR_HANDOFF_INFO_PPI *VectorHandoffInfoPpi;
+  VOID*GhcbBase;
+  UINTN   GhcbSize;
 
   //
   // Clear page 0 and mark it as allocated if NULL pointer detection is 
enabled.
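Review bot: `GhcbBase` is declared as `VOID *` here, but the `CreateIdentityMappingPageTables` prototype changed in VirtualMemory.h takes `EFI_PHYSICAL_ADDRESS GhcbBase`, and `PcdGhcbBase` in patch 01 is a `UINT64`. Declaring the local as `EFI_PHYSICAL_ADDRESS` would avoid a pointer-to-integer cast at the call site and keep the value the same width from PCD to page-table code.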
@@ -81,12 +83,19 @@ HandOffToDxeCore (
   

[edk2-devel] [PATCH v15 02/46] UefiCpuPkg: Create PCD to be used in support of SEV-ES

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

A new dynamic UefiCpuPkg PCD is needed to support SEV-ES under OVMF:
  - PcdSevEsIsEnabled: BOOLEAN value used to indicate if SEV-ES is enabled

Cc: Eric Dong 
Cc: Ray Ni 
Cc: Laszlo Ersek 
Reviewed-by: Eric Dong 
Signed-off-by: Tom Lendacky 
---
 UefiCpuPkg/UefiCpuPkg.dec | 6 ++
 UefiCpuPkg/UefiCpuPkg.uni | 3 +++
 2 files changed, 9 insertions(+)

diff --git a/UefiCpuPkg/UefiCpuPkg.dec b/UefiCpuPkg/UefiCpuPkg.dec
index 8b2e03d49d07..d52912ddca1f 100644
--- a/UefiCpuPkg/UefiCpuPkg.dec
+++ b/UefiCpuPkg/UefiCpuPkg.dec
@@ -373,5 +373,11 @@ [PcdsDynamic, PcdsDynamicEx]
   # @ValidRange  0x8001 | 0 - 1
   gUefiCpuPkgTokenSpaceGuid.PcdCpuProcTraceOutputScheme|0x0|UINT8|0x6015
 
+  ## This dynamic PCD indicates whether SEV-ES is enabled
+  #   TRUE  - SEV-ES is enabled
+  #   FALSE - SEV-ES is not enabled
+  # @Prompt SEV-ES Status
+  gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled|FALSE|BOOLEAN|0x6016
+
 [UserExtensions.TianoCore."ExtraFiles"]
   UefiCpuPkgExtra.uni
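Review bot: the comment block for `PcdSevEsIsEnabled` does not say which module sets it or at what point in boot, and as a `[PcdsDynamic, PcdsDynamicEx]` PCD with a `FALSE` default it reads as "not enabled" to any consumer that runs before the producer. Since consumers will branch on this flag, please document the producer and note that the value must not be read or cached before it has been set.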
diff --git a/UefiCpuPkg/UefiCpuPkg.uni b/UefiCpuPkg/UefiCpuPkg.uni
index 1780dfdc126d..f4a0c72f6293 100644
--- a/UefiCpuPkg/UefiCpuPkg.uni
+++ b/UefiCpuPkg/UefiCpuPkg.uni
@@ -278,3 +278,6 @@
 
 #string 
STR_gUefiCpuPkgTokenSpaceGuid_PcdCpuApStatusCheckIntervalInMicroSeconds_PROMPT  
#language en-US "Periodic interval value in microseconds for AP status check in 
DXE.\n"
 #string 
STR_gUefiCpuPkgTokenSpaceGuid_PcdCpuApStatusCheckIntervalInMicroSeconds_HELP
#language en-US "Periodic interval value in microseconds for the status check 
of APs for StartupAllAPs() and StartupThisAP() executed in non-blocking mode in 
DXE phase.\n"
+
+#string STR_gUefiCpuPkgTokenSpaceGuid_PcdSevEsIsEnabled_PROMPT  #language 
en-US "Specifies whether SEV-ES is enabled"
+#string STR_gUefiCpuPkgTokenSpaceGuid_PcdSevEsIsEnabled_HELP#language 
en-US "Set to TRUE when running as an SEV-ES guest, FALSE otherwise."
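Review bot: the `_PROMPT` string added here is "Specifies whether SEV-ES is enabled", while the `@Prompt` in the UefiCpuPkg.dec hunk of this patch is "SEV-ES Status". The UNI strings and the DEC comments are expected to agree, so one of the two should be changed; the `_HELP` string likewise differs from the `##` help comment in the DEC.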
-- 
2.28.0


View/Reply Online (#64178): https://edk2.groups.io/g/devel/message/64178



[edk2-devel] [PATCH v15 06/46] MdePkg/BaseLib: Add support for the XGETBV instruction

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

Under SEV-ES, a CPUID instruction requires the current value of the XCR0
register. In order to retrieve that value, the XGETBV instruction needs
to be executed.

Provide the necessary support to execute the XGETBV instruction.

Cc: Michael D Kinney 
Cc: Liming Gao 
Reviewed-by: Liming Gao 
Signed-off-by: Tom Lendacky 
---
 MdePkg/Library/BaseLib/BaseLib.inf  |  2 ++
 MdePkg/Include/Library/BaseLib.h| 17 ++
 MdePkg/Library/BaseLib/Ia32/XGetBv.nasm | 31 ++
 MdePkg/Library/BaseLib/X64/XGetBv.nasm  | 34 
 4 files changed, 84 insertions(+)

diff --git a/MdePkg/Library/BaseLib/BaseLib.inf 
b/MdePkg/Library/BaseLib/BaseLib.inf
index c740a819cacf..3b93b5db8d24 100644
--- a/MdePkg/Library/BaseLib/BaseLib.inf
+++ b/MdePkg/Library/BaseLib/BaseLib.inf
@@ -183,6 +183,7 @@ [Sources.Ia32]
   Ia32/EnableCache.nasm| GCC
   Ia32/DisableCache.nasm| GCC
   Ia32/RdRand.nasm
+  Ia32/XGetBv.nasm
 
   Ia32/DivS64x64Remainder.c
   Ia32/InternalSwitchStack.c | MSFT
@@ -315,6 +316,7 @@ [Sources.X64]
   X64/EnableDisableInterrupts.nasm
   X64/DisablePaging64.nasm
   X64/RdRand.nasm
+  X64/XGetBv.nasm
   ChkStkGcc.c  | GCC
 
 [Sources.EBC]
diff --git a/MdePkg/Include/Library/BaseLib.h b/MdePkg/Include/Library/BaseLib.h
index 8e7b87cbda4e..7edf0051a0a0 100644
--- a/MdePkg/Include/Library/BaseLib.h
+++ b/MdePkg/Include/Library/BaseLib.h
@@ -7831,6 +7831,23 @@ AsmLfence (
   VOID
   );
 
+/**
+  Executes a XGETBV instruction
+
+  Executes a XGETBV instruction. This function is only available on IA-32 and
+  x64.
+
+  @param[in] IndexExtended control register index
+
+  @return The current value of the extended control register
+**/
+UINT64
+EFIAPI
+AsmXGetBv (
+  IN UINT32  Index
+  );
+
+
 /**
   Patch the immediate operand of an IA32 or X64 instruction such that the byte,
   word, dword or qword operand is encoded at the end of the instruction's
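Review bot: the `AsmXGetBv` header comment gives no precondition, but XGETBV raises #UD when CR4.OSXSAVE is clear, and a fault this early in boot is hard to diagnose. Please document that the caller must have confirmed XSAVE support and OSXSAVE before calling, and say which `Index` values are meaningful; the commit message only needs XCR0, which is index 0.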
diff --git a/MdePkg/Library/BaseLib/Ia32/XGetBv.nasm 
b/MdePkg/Library/BaseLib/Ia32/XGetBv.nasm
new file mode 100644
index ..9f7b03bbff35
--- /dev/null
+++ b/MdePkg/Library/BaseLib/Ia32/XGetBv.nasm
@@ -0,0 +1,31 @@
+;--
+;
+; Copyright (C) 2020, Advanced Micro Devices, Inc. All rights reserved.
+; SPDX-License-Identifier: BSD-2-Clause-Patent
+;
+; Module Name:
+;
+;   XGetBv.Asm
+;
+; Abstract:
+;
+;   AsmXgetBv function
+;
+; Notes:
+;
+;--
+
+SECTION .text
+
+;--
+; UINT64
+; EFIAPI
+; AsmXGetBv (
+;   IN UINT32  Index
+;   );
+;--
+global ASM_PFX(AsmXGetBv)
+ASM_PFX(AsmXGetBv):
+mov ecx, [esp + 4]
+xgetbv
+ret
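Review bot: the Abstract in the file header names the function `AsmXgetBv`, while the symbol exported below is `AsmXGetBv`; the X64 file has the same mismatch. A one-line comment that the 64-bit result is returned in EDX:EAX would also help, since that is what makes the bare `xgetbv` followed by `ret` correct for a `UINT64` return on IA32.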
diff --git a/MdePkg/Library/BaseLib/X64/XGetBv.nasm 
b/MdePkg/Library/BaseLib/X64/XGetBv.nasm
new file mode 100644
index ..09f3be8ae0a8
--- /dev/null
+++ b/MdePkg/Library/BaseLib/X64/XGetBv.nasm
@@ -0,0 +1,34 @@
+;--
+;
+; Copyright (C) 2020, Advanced Micro Devices, Inc. All rights reserved.
+; SPDX-License-Identifier: BSD-2-Clause-Patent
+;
+; Module Name:
+;
+;   XGetBv.Asm
+;
+; Abstract:
+;
+;   AsmXgetBv function
+;
+; Notes:
+;
+;--
+
+DEFAULT REL
+SECTION .text
+
+;--
+; UINT64
+; EFIAPI
+; AsmXGetBv (
+;   IN UINT32  Index
+;   );
+;--
+global ASM_PFX(AsmXGetBv)
+ASM_PFX(AsmXGetBv):
+xgetbv
+shl rdx, 32
+or  rax, rdx
+ret
+
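Review bot: `xgetbv` is issued without loading ECX, which relies on `Index` already being in RCX as the first argument under the EFIAPI calling convention. The IA32 version loads it explicitly with `mov ecx, [esp + 4]`; a comment here stating the register assumption would make the two files read consistently and make the dependency visible.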
-- 
2.28.0


View/Reply Online (#64182): https://edk2.groups.io/g/devel/message/64182



[edk2-devel] [PATCH v15 01/46] MdeModulePkg: Create PCDs to be used in support of SEV-ES

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

Two new dynamic MdeModulePkg PCDs are needed to support SEV-ES under OVMF:
  - PcdGhcbBase:   UINT64 value that is the base address of the GHCB
   allocation.
  - PcdGhcbSize:   UINT64 value that is the size, in bytes, of the
   GHCB allocation (size is dependent on the number of
   APs).

Cc: Jian J Wang 
Cc: Hao A Wu 
Reviewed-by: Hao A Wu 
Signed-off-by: Tom Lendacky 
---
 MdeModulePkg/MdeModulePkg.dec | 9 +
 MdeModulePkg/MdeModulePkg.uni | 8 
 2 files changed, 17 insertions(+)

diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
index d7572eedd18c..cb30a7975849 100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
@@ -2063,6 +2063,15 @@ [PcdsDynamic, PcdsDynamicEx]
   # @Prompt If there is any test key used by the platform.
   gEfiMdeModulePkgTokenSpaceGuid.PcdTestKeyUsed|FALSE|BOOLEAN|0x00030003
 
+  ## This dynamic PCD holds the base address of the Guest-Hypervisor 
Communication Block (GHCB) pool allocation.
+  # @Prompt GHCB Pool Base Address
+  gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase|0|UINT64|0x00030007
+
+  ## This dynamic PCD holds the total size of the Guest-Hypervisor 
Communication Block (GHCB) pool allocation.
+  #  The amount of memory allocated for GHCBs is dependent on the number of 
APs.
+  # @Prompt GHCB Pool Size
+  gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbSize|0|UINT64|0x00030008
+
 [PcdsDynamicEx]
   ## This dynamic PCD enables the default variable setting.
   #  Its value is the default store ID value. The default value is zero as 
Standard default.
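Review bot: the comments for `PcdGhcbBase` and `PcdGhcbSize` describe a "GHCB pool allocation" but not its layout, and patch 05 in this series depends on it being two pages per CPU with only the first page of each pair mapped as shared. Please state that layout here, since a consumer that treats the whole range from `PcdGhcbBase` to `PcdGhcbBase + PcdGhcbSize` as unencrypted would expose the per-CPU variable pages to the hypervisor.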
diff --git a/MdeModulePkg/MdeModulePkg.uni b/MdeModulePkg/MdeModulePkg.uni
index 5235dee561ad..b8c867379a86 100644
--- a/MdeModulePkg/MdeModulePkg.uni
+++ b/MdeModulePkg/MdeModulePkg.uni
@@ -1303,3 +1303,11 @@
 #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdTcgPfpMeasurementRevision_PROMPT 
#language en-US "TCG Platform Firmware Profile revision"
 
 #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdTcgPfpMeasurementRevision_HELP 
#language en-US "Indicates which TCG Platform Firmware Profile revision the 
EDKII firmware follows."
+
+#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdGhcbBase_PROMPT #language en-US 
"Guest-Hypervisor Communication Block (GHCB) Pool Base Address"
+
+#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdGhcbBase_HELP #language en-US 
"Used with SEV-ES support to identify an address range that is not to be 
encrypted."
+
+#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdGhcbSize_PROMPT #language en-US 
"Guest-Hypervisor Communication Block (GHCB) Pool Base Size"
+
+#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdGhcbSize_HELP #language en-US 
"Used with SEV-ES support to identify the size of the address range that is not 
to be encrypted."
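Review bot: the `PcdGhcbSize_PROMPT` string reads "... (GHCB) Pool Base Size", which looks like a copy of the `PcdGhcbBase` prompt; the DEC `@Prompt` for this PCD is "GHCB Pool Size". The two `_HELP` strings also say the address range "is not to be encrypted", which overstates it given that patch 05 maps only the GHCB page of each per-CPU pair as shared.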
-- 
2.28.0


View/Reply Online (#64177): https://edk2.groups.io/g/devel/message/64177



[edk2-devel] [PATCH v15 00/46] SEV-ES guest support

2020-08-13 Thread Lendacky, Thomas
From: Tom Lendacky 

This patch series provides support for running EDK2/OVMF under SEV-ES.

Secure Encrypted Virtualization - Encrypted State (SEV-ES) expands on the
SEV support to protect the guest register state from the hypervisor. See
"AMD64 Architecture Programmer's Manual Volume 2: System Programming",
section "15.35 Encrypted State (SEV-ES)" [1].

In order to allow a hypervisor to perform functions on behalf of a guest,
there is architectural support for notifying a guest's operating system
when certain types of VMEXITs are about to occur. This allows the guest to
selectively share information with the hypervisor to satisfy the requested
function. The notification is performed using a new exception, the VMM
Communication exception (#VC). The information is shared through the
Guest-Hypervisor Communication Block (GHCB) using the VMGEXIT instruction.
The GHCB format and the protocol for using it are documented in "SEV-ES
Guest-Hypervisor Communication Block Standardization" [2].

The main areas of the EDK2 code that are updated to support SEV-ES are
around the exception handling support and the AP boot support.

Exception support is required starting in Sec, continuing through Pei
and into Dxe in order to handle #VC exceptions that are generated.  Each
AP requires its own GHCB page as well as a page to hold values specific
to that AP.

AP booting poses some interesting challenges. The INIT-SIPI-SIPI sequence
is typically used to boot the APs. However, the hypervisor is not allowed
to update the guest registers. The GHCB document [2] talks about how SMP
booting under SEV-ES is performed.

Since the GHCB page must be a shared (unencrypted) page, the processor
must be running in long mode in order for the guest and hypervisor to
communicate with each other. As a result, SEV-ES is only supported under
the X64 architecture.

This series adds a new library requirement for the VmgExitLib library
against the UefiCpuPkg CpuExceptionHandlerLib library and the UefiCpuPkg
MpInitLib library. The edk2-platforms repo requires updates/patches to
add the new library requirement. To accommodate that, this series could be
split between:

patch number 10:
  UefiPayloadPkg: Prepare UefiPayloadPkg to use the VmgExitLib library

and patch number 11:
  UefiCpuPkg/CpuExceptionHandler: Add base support for the #VC exception

The updates to edk2-platforms can be applied at the split.

[1] https://www.amd.com/system/files/TechDocs/24593.pdf
[2] https://developer.amd.com/wp-content/resources/56421.pdf

---

These patches are based on commit:
65904cdbb33c ("UefiCpuPkg/MtrrLibUnitTest: Change to use static array for CI 
test")

A version of the tree can be found at:
https://github.com/AMDESE/ovmf/tree/sev-es-v24

Cc: Andrew Fish 
Cc: Anthony Perard 
Cc: Ard Biesheuvel 
Cc: Benjamin You 
Cc: Dandan Bi 
Cc: Eric Dong 
Cc: Guo Dong 
Cc: Hao A Wu 
Cc: Jian J Wang 
Cc: Jordan Justen 
Cc: Julien Grall 
Cc: Laszlo Ersek 
Cc: Leif Lindholm 
Cc: Liming Gao 
Cc: Maurice Ma 
Cc: Michael D Kinney 
Cc: Ray Ni 

Changes since v14:
- Address ECC errors
  - Fix non-boolean comparison to use a comparison operator
  - Separate declaration and initialization of variables
  - Add period to first line of block comments
  - Split single-line multiple declaration into multiple lines

Changes since v13:
- Fixup the AsmRelocateApLoop() call site so IA32 successfully boots APs.
  Do this by appending the three new parameters without altering the
  original parameter passing order.
- Minor updates to description text and help text to expand the GHCB
  acronym.

Changes since v12:
- Change IA32 VMGEXIT .nasm file to issue an int 3. Depending on the
  version of NASM, the "BITS 64" trick to get NASM to recognize the
  VMMCALL instruction (VMGEXIT is a REP VMMCALL) caused an error. Since
  SEV-ES is X64 only, VMGEXIT should never be called in IA32.

Changes since v11:
- Make the XGETBV and VMGEXIT .nasm files buildable for all environments
  and remove the updates that add these instructions to GccInline.c

Changes since v10:
- Fix conflicts around GccInline.c file after moving to latest commit
- Fix conflicts with OVMF PCD values after moving to latest commit

Changes since v9:
- Fixed bit field declarations in the GHCB structure to use UINT32
  and not UINT64.
- Fixed a warning produced by VS2019 in the instruction parsing code
  by explicitly casting a bit shift to an INT64.
- Sorted section entries in the OVMF VmgExitLib INF file.
- Moved the new Maintainers.txt entry so entries remain sorted.
- Documentation style fixes for return values.
- Miscellaneous code style fixes.

Changes since v8:
- Move IOIO exit info definitions into Ghcb.h file
  - Add a macro for calculating IO instruction bytes (IOIO_DATA_BYTES)
- Exception handler support for debug registers
  - Moved the DRx register saving changes into the UefiCpuPkg patch for
    base #VC support in CpuExceptionHandlerLib.
- OvmfPkg VmgExitLib
  - Remove the .uni file
  - Update .inf file:
- New 

[edk2-devel] [PATCH edk2-platforms v1-resend 2/7] ArmPlatformPkg: Juno: Increase FD size

2020-08-13 Thread Sami Mujawar
From: Pierre Gondois 

Dynamic Tables Framework has been updated to include
support for SSDT Serial Port generator. The SSDT Serial
port generator uses AmlLib library to parse, iterate
and update AML nodes.

The addition of these libraries to the Dynamic Tables
Framework has increased the size requirement of the
Firmware Device (FD) Image.

The current FD size is not sufficient due to which the
Juno firmware builds are failing. This patch adds one
additional block to accommodate the increase in FD size.

Signed-off-by: Pierre Gondois 
Signed-off-by: Sami Mujawar 
Acked-by: Ard Biesheuvel 
---
 Platform/ARM/JunoPkg/ArmJuno.fdf | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/Platform/ARM/JunoPkg/ArmJuno.fdf b/Platform/ARM/JunoPkg/ArmJuno.fdf
index 
5d791a4e16075073992a5646db34d094677837d2..f70d30c6a9d9d6eb73087dc673f0c9287d23d666
 100644
--- a/Platform/ARM/JunoPkg/ArmJuno.fdf
+++ b/Platform/ARM/JunoPkg/ArmJuno.fdf
@@ -1,5 +1,5 @@
 #
-#  Copyright (c) 2013-2018, ARM Limited. All rights reserved.
+#  Copyright (c) 2013-2019, Arm Limited. All rights reserved.
 #
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
 #
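Review bot: the copyright line is bumped to 2013-2019, but this series was posted in 2020 and the other files it touches are updated to a 2020 end year (for example "2011-2020" in ArmVExpress-FVP-AArch64.dsc in patch 3/7). Use 2013-2020 here for consistency.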
@@ -20,12 +20,12 @@
 
 [FD.BL33_AP_UEFI]
 BaseAddress   = 0xE000|gArmTokenSpaceGuid.PcdFdBaseAddress  # The base 
address of the Firmware in NOR Flash.
-Size  = 0x000F8000|gArmTokenSpaceGuid.PcdFdSize # The size in 
bytes of the FLASH Device
+Size  = 0x000F9000|gArmTokenSpaceGuid.PcdFdSize # The size in 
bytes of the FLASH Device
 ErasePolarity = 1
 
 # This one is tricky, it must be: BlockSize * NumBlocks = Size
 BlockSize = 0x1000
-NumBlocks = 0xF8
+NumBlocks = 0xF9
 
 

 #
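Review bot: growing the FD by exactly one 0x1000 block (Size 0x000F8000 to 0x000F9000, NumBlocks 0xF8 to 0xF9) leaves no stated headroom, and the commit message does not say by how many bytes the build overflowed. Please record the required size in the commit message, or add more than one block so the next library addition does not break the Juno build again. The BlockSize * NumBlocks = Size invariant does hold for the new values (0x1000 * 0xF9 = 0xF9000), and the same size is repeated in the region definition in the next hunk, so all three values have to keep changing together.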
@@ -43,7 +43,7 @@ [FD.BL33_AP_UEFI]
 #
 

 
-0x|0x000F8000
+0x|0x000F9000
 gArmTokenSpaceGuid.PcdFvBaseAddress|gArmTokenSpaceGuid.PcdFvSize
 FV = FVMAIN_COMPACT
 
-- 
'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#64169): https://edk2.groups.io/g/devel/message/64169
Mute This Topic: https://groups.io/mt/76166623/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[edk2-devel] [PATCH edk2-platforms v1-resend 0/7] Updates to support Dynamic AML

2020-08-13 Thread Sami Mujawar
Resending the patch series after dropping gerrit change IDs.

Dynamic Tables Framework has been updated to add support for Dynamic AML
at https://edk2.groups.io/g/devel/topic/patch_v1_00_30_add_dynamic/76149133

The SPCR and DBG2 generators have been updated to use the Serial Port
Fixup Library to dynamically generate the corresponding Serial ports
as Definition Block tables. This makes the static description of the
SPCR and DBG2 Serial Port definition blocks redundant.

To dynamically describe the platform serial ports a SSDT Serial Port
generator has also been introduced. 

In light of the above, the patches in this series:
 - Remove the redundant static Serial port definition blocks.
 - Use the SSDT Serial Port generator to describe the FVP
   platform Serial ports.
 - Fix an issue with incorrect interrupt assignment on FVP
   platform.
 - Remove unnecessary libraries linked with the Configuration
   Manager.
 - Increase the Juno FD size to accommodate AmlLib.

Note: This patch series is dependent on the patch series at
https://edk2.groups.io/g/devel/message/63246, which must be
merged before this series can be integrated.

The changes for this patch series can be seen at:
https://github.com/samimujawar/edk2-platforms/tree/675_dynamic_aml_v1

Pierre Gondois (1):
  ArmPlatformPkg: Juno: Increase FD size

Sami Mujawar (6):
  Platform/ARM/Juno: Remove SSDT UART table
  Platform/ARM: FVP: Fix serial port interrupt
  Platform/ARM: FVP: Add UART base address length
  Platform/ARM: FVP: Enable SSDT Serial generation
  Platform/ARM: Juno: Configuration Mgr lib linkage
  Platform/ARM: FVP: Configuration Mgr lib linkage

 Platform/ARM/JunoPkg/ArmJuno.fdf   
   |  8 ++--
 
Platform/ARM/JunoPkg/ConfigurationManager/ConfigurationManagerDxe/AslTables/SsdtUart.asl
  | 42 ---
 
Platform/ARM/JunoPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManager.c
  |  7 
 
Platform/ARM/JunoPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManager.h
  |  3 +-
 
Platform/ARM/JunoPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManagerDxe.inf
 |  4 +-
 Platform/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.dsc   
   |  4 +-
 
Platform/ARM/VExpressPkg/ConfigurationManager/ConfigurationManagerDxe/AslTables/Dsdt.asl
  | 25 ++-
 
Platform/ARM/VExpressPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManager.c
  | 44 ++--
 
Platform/ARM/VExpressPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManager.h
  |  5 ++-
 
Platform/ARM/VExpressPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManagerDxe.inf
 |  2 -
 10 files changed, 56 insertions(+), 88 deletions(-)
 delete mode 100644 
Platform/ARM/JunoPkg/ConfigurationManager/ConfigurationManagerDxe/AslTables/SsdtUart.asl

-- 
'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'





[edk2-devel] [PATCH edk2-platforms v1-resend 6/7] Platform/ARM: Juno: Configuration Mgr lib linkage

2020-08-13 Thread Sami Mujawar
Rationalise the libraries linked with the Juno Configuration
Manager.

Signed-off-by: Sami Mujawar 
Acked-by: Ard Biesheuvel 
---
 
Platform/ARM/JunoPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManagerDxe.inf
 | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git 
a/Platform/ARM/JunoPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManagerDxe.inf
 
b/Platform/ARM/JunoPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManagerDxe.inf
index 
59e2410d255d71067319204575e9050b6e452427..8e1f4a8fece304e9992e67e91948038b9774095b
 100644
--- 
a/Platform/ARM/JunoPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManagerDxe.inf
+++ 
b/Platform/ARM/JunoPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManagerDxe.inf
@@ -35,11 +35,10 @@ [Packages]
   Platform/ARM/JunoPkg/ArmJuno.dec
 
 [LibraryClasses]
-  ArmPlatformLib
+  IoLib
   PrintLib
   UefiBootServicesTableLib
   UefiDriverEntryPoint
-  UefiRuntimeServicesTableLib
 
 [Protocols]
   gEdkiiConfigurationManagerProtocolGuid
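Review bot: the [LibraryClasses] change is not only a removal: IoLib is added where ArmPlatformLib was, and the commit message ("Rationalise the libraries") does not say why. If the module already used IoLib and was only resolving it indirectly through ArmPlatformLib, say so in the commit message. The FVP counterpart in 7/7 drops the same two classes without adding IoLib, so the difference deserves a sentence.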
-- 
'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'





[edk2-devel] [PATCH edk2-platforms v1-resend 7/7] Platform/ARM: FVP: Configuration Mgr lib linkage

2020-08-13 Thread Sami Mujawar
Rationalise the libraries linked with the FVP Configuration
Manager.

Signed-off-by: Sami Mujawar 
Acked-by: Ard Biesheuvel 
---
 
Platform/ARM/VExpressPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManagerDxe.inf
 | 2 --
 1 file changed, 2 deletions(-)

diff --git 
a/Platform/ARM/VExpressPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManagerDxe.inf
 
b/Platform/ARM/VExpressPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManagerDxe.inf
index 
c17595b7ec37cdd1c99b258cd32d1bde6c76a5ed..359c37166a50daacdd2d2f5371060870ddcfe629
 100644
--- 
a/Platform/ARM/VExpressPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManagerDxe.inf
+++ 
b/Platform/ARM/VExpressPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManagerDxe.inf
@@ -33,11 +33,9 @@ [Packages]
   Platform/ARM/VExpressPkg/ArmVExpressPkg.dec
 
 [LibraryClasses]
-  ArmPlatformLib
   PrintLib
   UefiBootServicesTableLib
   UefiDriverEntryPoint
-  UefiRuntimeServicesTableLib
 
 [Protocols]
   gEdkiiConfigurationManagerProtocolGuid
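Review bot: ArmPlatformLib and UefiRuntimeServicesTableLib are dropped from [LibraryClasses] with no statement that the module has no remaining references to either. Please confirm that in the commit message, since "Rationalise the libraries" does not tell a reader whether the classes were unused or are now resolved some other way.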
-- 
'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'





[edk2-devel] [PATCH edk2-platforms v1-resend 5/7] Platform/ARM: FVP: Enable SSDT Serial generation

2020-08-13 Thread Sami Mujawar
The SSDT Serial Port Generator queries the
Configuration Manager for a list of serial
port devices. It uses the SerialPortFixupLib
to build SSDT AML tables describing the
serial ports.

The SerialPortFixupLib uses the AmlLib library
interfaces to load a Serial Port AML template
code and represents it as an AML tree. It then
traverses the AML tree to locate and fixup the
Base address and Interrupt information for the
serial port devices. The AML tree is then
serialized to a buffer representing the
definition block which is returned as an ACPI
SSDT table.

The SSDT Serial Port Generator returns a list
of SSDT AML tables representing the serial port
devices to the Table Manager for installing.

This patch enables dynamic SSDT Serial Port
generation for FVP platform and adds support
to the Configuration Manager to return the
CM_ARM_SERIAL_PORT_INFO objects that represent
the serial port devices on the platform.

Signed-off-by: Pierre Gondois 
Signed-off-by: Sami Mujawar 
Acked-by: Ard Biesheuvel 
---
 
Platform/ARM/VExpressPkg/ConfigurationManager/ConfigurationManagerDxe/AslTables/Dsdt.asl
 | 25 ++
 
Platform/ARM/VExpressPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManager.c
 | 36 
 
Platform/ARM/VExpressPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManager.h
 |  5 ++-
 3 files changed, 43 insertions(+), 23 deletions(-)

diff --git 
a/Platform/ARM/VExpressPkg/ConfigurationManager/ConfigurationManagerDxe/AslTables/Dsdt.asl
 
b/Platform/ARM/VExpressPkg/ConfigurationManager/ConfigurationManagerDxe/AslTables/Dsdt.asl
index 
9192a0070772209e5cec8d7d9a71ea7a9e10aa69..3475f976b59fc68384ed11f7de23f552efe441e9
 100644
--- 
a/Platform/ARM/VExpressPkg/ConfigurationManager/ConfigurationManagerDxe/AslTables/Dsdt.asl
+++ 
b/Platform/ARM/VExpressPkg/ConfigurationManager/ConfigurationManagerDxe/AslTables/Dsdt.asl
@@ -1,8 +1,9 @@
 /** @file
   Differentiated System Description Table Fields (DSDT)
 
-  Copyright (c) 2014-2017, ARM Ltd. All rights reserved.
-SPDX-License-Identifier: BSD-2-Clause-Patent
+  Copyright (c) 2014-2020, Arm Ltd. All rights reserved.
+
+  SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
 
@@ -43,25 +44,5 @@ DefinitionBlock("DsdtTable.aml", "DSDT", 1, "ARMLTD", 
"ARM-VEXP", 1) {
   Name(_HID, "ACPI0007")
   Name(_UID, 7)
 }
-
-// UART PL011
-Device(COM2) {
-  Name(_HID, "ARMH0011")
-  Name(_CID, "PL011")
-  Name(_UID, Zero)
-
-  Method(_STA) {
-Return(0xF)
-  }
-
-  Method(_CRS, 0x0, NotSerialized) {
-Name(RBUF, ResourceTemplate() {
-  Memory32Fixed(ReadWrite, 0x1c09, 0x1000)
-  Interrupt(ResourceConsumer, Level, ActiveHigh, Exclusive) { 0x25 }
-})
-Return (RBUF)
-  }
-}
-
   } // Scope(_SB)
 }
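Review bot: the removed COM2 device carried _HID "ARMH0011", _CID "PL011" and _UID Zero, and its interrupt 0x25 matches the UART0 entry (37) added to ConfigurationManager.c later in this patch. The commit message should state which device name and _UID the generated SSDT uses for that port, so a reviewer can tell whether the OS sees the same device as before or a renamed one.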
diff --git 
a/Platform/ARM/VExpressPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManager.c
 
b/Platform/ARM/VExpressPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManager.c
index 
76ea46023250d244205a5d8bc715e6e49e37b673..d49da52634cf70228852e4351c5538b85aab60e0
 100644
--- 
a/Platform/ARM/VExpressPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManager.c
+++ 
b/Platform/ARM/VExpressPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManager.c
@@ -74,6 +74,13 @@ EDKII_PLATFORM_REPOSITORY_INFO VExpressPlatRepositoryInfo = {
   EFI_ACPI_DBG2_DEBUG_DEVICE_INFORMATION_STRUCT_REVISION,
   CREATE_STD_ACPI_TABLE_GEN_ID (EStdAcpiTableIdDbg2),
   NULL
+},
+// SSDT Serial Port Table
+{
+  EFI_ACPI_6_3_SECONDARY_SYSTEM_DESCRIPTION_TABLE_SIGNATURE,
+  0,  // Not used.
+  CREATE_STD_ACPI_TABLE_GEN_ID (EStdAcpiTableIdSsdtSerialPort),
+  NULL
 }
   },
 
@@ -212,6 +219,28 @@ EDKII_PLATFORM_REPOSITORY_INFO VExpressPlatRepositoryInfo 
= {
 0x1000// BaseAddressLen
   },
 
+  // Standard Serial Ports
+  {
+// Serial Port - UART0
+{
+  0x1C09, // BaseAddress
+  37, // Interrupt
+  FixedPcdGet64 (PcdSerialDbgUartBaudRate),   // BaudRate
+  FixedPcdGet32 (PcdSerialDbgUartClkInHz),// Clock
+  EFI_ACPI_DBG2_PORT_SUBTYPE_SERIAL_ARM_PL011_UART,   // Port subtype
+  0x1000  // BaseAddressLen
+},
+// Serial Port - UART3
+{
+  0x1C0C, // BaseAddress
+  40, // Interrupt
+  FixedPcdGet64 (PcdSerialDbgUartBaudRate),   // BaudRate
+  FixedPcdGet32 (PcdSerialDbgUartClkInHz),// Clock
+  EFI_ACPI_DBG2_PORT_SUBTYPE_SERIAL_ARM_PL011_UART,   // Port subtype
+  0x1000  // BaseAddressLen
+},
+  },
+
   
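Review bot: the UART0 and UART3 entries take BaudRate and Clock from the debug UART PCDs (PcdSerialDbgUartBaudRate, PcdSerialDbgUartClkInHz) and hard-code BaseAddress and Interrupt as literals, whereas the Debug Serial Port entry reads its base address from PcdSerialDbgRegisterBase. Either add a comment that these ports share the debug port's clock and baud rate, or introduce dedicated values. These entries also use EFI_ACPI_DBG2_PORT_SUBTYPE_SERIAL_ARM_PL011_UART where the two existing serial port entries use EFI_ACPI_DBG2_PORT_SUBTYPE_SERIAL_ARM_SBSA_GENERIC_UART; if that difference is intended, say why in the commit message.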

[edk2-devel] [PATCH edk2-platforms v1-resend 4/7] Platform/ARM: FVP: Add UART base address length

2020-08-13 Thread Sami Mujawar
The SPCR and DBG2 generators have been updated to
generate SSDT serial port tables representing the
SPCR and DBG2 serial ports. This is done using the
Dynamic AML feature. The Base address range for the
serial device is required so that it can be fixed-up
in the SSDT serial port template AML code.

To facilitate this the serial port information
structure CM_ARM_SERIAL_PORT_INFO has been updated
to include the Base address length for the serial
port.

Update the Configuration Manager repository to
populate the serial port Base Address Length field
in the CM_ARM_SERIAL_PORT_INFO structure.

Signed-off-by: Sami Mujawar 
Acked-by: Ard Biesheuvel 
---
 
Platform/ARM/VExpressPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManager.c
 | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git 
a/Platform/ARM/VExpressPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManager.c
 
b/Platform/ARM/VExpressPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManager.c
index 
48559cb6af46309b13e2f8746f883875c3c0cc8b..76ea46023250d244205a5d8bc715e6e49e37b673
 100644
--- 
a/Platform/ARM/VExpressPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManager.c
+++ 
b/Platform/ARM/VExpressPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManager.c
@@ -199,7 +199,8 @@ EDKII_PLATFORM_REPOSITORY_INFO VExpressPlatRepositoryInfo = 
{
 FixedPcdGet32 (PL011UartInterrupt),   // Interrupt
 FixedPcdGet64 (PcdUartDefaultBaudRate),   // BaudRate
 FixedPcdGet32 (PL011UartClkInHz), // Clock
-EFI_ACPI_DBG2_PORT_SUBTYPE_SERIAL_ARM_SBSA_GENERIC_UART   // Port subtype
+EFI_ACPI_DBG2_PORT_SUBTYPE_SERIAL_ARM_SBSA_GENERIC_UART,  // Port subtype
+0x1000// BaseAddressLen
   },
   // Debug Serial Port
   {
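Review bot: the new BaseAddressLen initializer is a bare 0x1000, and the same literal is repeated in the Debug Serial Port entry in the next hunk. A named constant such as SIZE_4KB from Base.h would document that this is the 4 KiB register range and keep the two entries in step.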
@@ -207,7 +208,8 @@ EDKII_PLATFORM_REPOSITORY_INFO VExpressPlatRepositoryInfo = 
{
 39,   // Interrupt
 FixedPcdGet64 (PcdSerialDbgUartBaudRate), // BaudRate
 FixedPcdGet32 (PcdSerialDbgUartClkInHz),  // Clock
-EFI_ACPI_DBG2_PORT_SUBTYPE_SERIAL_ARM_SBSA_GENERIC_UART   // Port subtype
+EFI_ACPI_DBG2_PORT_SUBTYPE_SERIAL_ARM_SBSA_GENERIC_UART,  // Port subtype
+0x1000// BaseAddressLen
   },
 
   // GIC ITS
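Review bot: this positional initializer only compiles once CM_ARM_SERIAL_PORT_INFO has a BaseAddressLen member after the port subtype, which the commit message says was added on the edk2 side. Please name that prerequisite change in this commit message as well, because the cover letter that lists the dependency is not part of the git history.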
-- 
'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'





[edk2-devel] [PATCH edk2-platforms v1-resend 3/7] Platform/ARM: FVP: Fix serial port interrupt

2020-08-13 Thread Sami Mujawar
The UART base address and IRQ assignment for FVP platform
is as below:
  UART    BASE ADDRESS    IRQ ID
  UART0   0x1C09_         37
  UART1   0x1C0A_         38
  UART2   0x1C0B_         39
  UART3   0x1C0C_         40

Reference:
https://developer.arm.com/documentation/100964//Base-Platform

Fix the IRQ IDs assignment in the firmware for UART1 and UART2.

Signed-off-by: Sami Mujawar 
Acked-by: Ard Biesheuvel 
---
 Platform/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.dsc   
  | 4 ++--
 
Platform/ARM/VExpressPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManager.c
 | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/Platform/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.dsc 
b/Platform/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.dsc
index 
a6f536a332281a624403dac2e4bf18aa9ba96d0b..dc4735c025e969e17d24184abf77e6dbb28ef581
 100644
--- a/Platform/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.dsc
+++ b/Platform/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.dsc
@@ -1,5 +1,5 @@
 #
-#  Copyright (c) 2011-2018, ARM Limited. All rights reserved.
+#  Copyright (c) 2011-2020, Arm Limited. All rights reserved.
 #
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
 #
@@ -126,7 +126,7 @@ [PcdsFixedAtBuild.common]
   gEfiMdeModulePkgTokenSpaceGuid.PcdSerialRegisterBase|0x1c0a
   gEfiMdePkgTokenSpaceGuid.PcdUartDefaultBaudRate|115200
   gEfiMdePkgTokenSpaceGuid.PcdUartDefaultReceiveFifoDepth|0
-  gArmPlatformTokenSpaceGuid.PL011UartInterrupt|0x25
+  gArmPlatformTokenSpaceGuid.PL011UartInterrupt|0x26
 
   ## PL011 Serial Debug UART (DBG2)
   gArmPlatformTokenSpaceGuid.PcdSerialDbgRegisterBase|0x1c0b
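Review bot: PL011UartInterrupt is written in hex (0x26) while the commit message table and ConfigurationManager.c use decimal IRQ IDs (38, 39). Writing 38 here, or adding a trailing comment naming UART1, would make the value checkable against the table at a glance.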
diff --git 
a/Platform/ARM/VExpressPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManager.c
 
b/Platform/ARM/VExpressPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManager.c
index 
a48eb0285c60177078324bdbcd8fa29c308e6a13..48559cb6af46309b13e2f8746f883875c3c0cc8b
 100644
--- 
a/Platform/ARM/VExpressPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManager.c
+++ 
b/Platform/ARM/VExpressPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManager.c
@@ -204,7 +204,7 @@ EDKII_PLATFORM_REPOSITORY_INFO VExpressPlatRepositoryInfo = 
{
   // Debug Serial Port
   {
 FixedPcdGet64 (PcdSerialDbgRegisterBase), // BaseAddress
-38,   // Interrupt
+39,   // Interrupt
 FixedPcdGet64 (PcdSerialDbgUartBaudRate), // BaudRate
 FixedPcdGet32 (PcdSerialDbgUartClkInHz),  // Clock
 EFI_ACPI_DBG2_PORT_SUBTYPE_SERIAL_ARM_SBSA_GENERIC_UART   // Port subtype
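Review bot: the Debug Serial Port takes BaseAddress from PcdSerialDbgRegisterBase but its Interrupt is a bare literal (38 before, 39 now), so nothing ties the IRQ to the UART that the PCD selects. Consider a PCD or macro for the debug UART interrupt next to PcdSerialDbgRegisterBase, as is already done for the other port with PL011UartInterrupt, so that base address and IRQ are changed together.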
-- 
'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'





[edk2-devel] [PATCH edk2-platforms v1-resend 1/7] Platform/ARM/Juno: Remove SSDT UART table

2020-08-13 Thread Sami Mujawar
With the introduction of Dynamic AML the DBG2 and SPCR port
generators have been updated to generate the AML code for
describing the Serial ports.

This makes the UART description in the SSDT table redundant.
This patch removes the SsdtUart.asl and makes the corresponding
changes to the configuration manager.

Signed-off-by: Sami Mujawar 
Acked-by: Ard Biesheuvel 
---
 
Platform/ARM/JunoPkg/ConfigurationManager/ConfigurationManagerDxe/AslTables/SsdtUart.asl
  | 42 
 
Platform/ARM/JunoPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManager.c
  |  7 
 
Platform/ARM/JunoPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManager.h
  |  3 +-
 
Platform/ARM/JunoPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManagerDxe.inf
 |  1 -
 4 files changed, 1 insertion(+), 52 deletions(-)

diff --git 
a/Platform/ARM/JunoPkg/ConfigurationManager/ConfigurationManagerDxe/AslTables/SsdtUart.asl
 
b/Platform/ARM/JunoPkg/ConfigurationManager/ConfigurationManagerDxe/AslTables/SsdtUart.asl
deleted file mode 100644
index 
55a7ffc83fd6bb44ed9b9ca8b0a53e757aa2dd58..
--- 
a/Platform/ARM/JunoPkg/ConfigurationManager/ConfigurationManagerDxe/AslTables/SsdtUart.asl
+++ /dev/null
@@ -1,42 +0,0 @@
-/** @file
-  SSDT for UART
-
-  Copyright (c) 2014 - 2019, ARM Ltd. All rights reserved.
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-#include "ArmPlatform.h"
-
-DefinitionBlock("SsdtUart.aml", "SSDT", 1, "ARMLTD", "ARM-JUNO", 
EFI_ACPI_ARM_OEM_REVISION) {
-  Scope(_SB) {
-// UART PL011
-Device(COM2) {
-  Name(_HID, "ARMH0011")
-  Name(_CID, "PL011")
-  Name(_UID, Zero)
-
-  Method(_STA) {
-Return (0xF)
-  }
-
-  Method(_CRS, 0x0, NotSerialized) {
-Name(RBUF, ResourceTemplate() {
-  Memory32Fixed(
-ReadWrite,
-FixedPcdGet64 (PcdSerialRegisterBase),
-0x1000
-)
-  Interrupt(
-ResourceConsumer,
-Level,
-ActiveHigh,
-Exclusive
-) {
-  FixedPcdGet32 (PL011UartInterrupt)
-}
-  })
-Return (RBUF)
-  }
-}
-  }
-}
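Review bot: the deleted _CRS gave the UART a fixed 0x1000 Memory32Fixed length. Patch 4/7 supplies that length to the generators through BaseAddressLen for FVP only, and the Juno ConfigurationManager.c change in this patch is limited to the seven deleted lines in the next hunk. Please confirm the Juno CM_ARM_SERIAL_PORT_INFO entries already populate BaseAddressLen; a trailing member left out of a C initializer list is zero-initialized, which would give the generated device a zero-length range.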
diff --git 
a/Platform/ARM/JunoPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManager.c
 
b/Platform/ARM/JunoPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManager.c
index 
913cffc9b994319065b5292b0d28970a0a0d8320..1d0bcc20b325911d4f1079e8394b20bfb4492507
 100644
--- 
a/Platform/ARM/JunoPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManager.c
+++ 
b/Platform/ARM/JunoPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManager.c
@@ -83,13 +83,6 @@ EDKII_PLATFORM_REPOSITORY_INFO ArmJunoPlatformRepositoryInfo 
= {
   CREATE_STD_ACPI_TABLE_GEN_ID (EStdAcpiTableIdSsdt),
   (EFI_ACPI_DESCRIPTION_HEADER*)ssdtjunousb_aml_code
 },
-// SSDT table describing the PL011 UART
-{
-  EFI_ACPI_6_2_SECONDARY_SYSTEM_DESCRIPTION_TABLE_SIGNATURE,
-  0, // Unused
-  CREATE_STD_ACPI_TABLE_GEN_ID (EStdAcpiTableIdSsdt),
-  (EFI_ACPI_DESCRIPTION_HEADER*)ssdtuart_aml_code
-},
 // PPTT Table
 {
   EFI_ACPI_6_3_PROCESSOR_PROPERTIES_TOPOLOGY_TABLE_STRUCTURE_SIGNATURE,
diff --git 
a/Platform/ARM/JunoPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManager.h
 
b/Platform/ARM/JunoPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManager.h
index 
2073ae4902e540de869612353bfaf0ebacaea50d..b6e15015b6edd65a53ea842ac05b5a2e63186b95
 100644
--- 
a/Platform/ARM/JunoPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManager.h
+++ 
b/Platform/ARM/JunoPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManager.h
@@ -19,7 +19,6 @@
 extern CHAR8  dsdt_aml_code[];
 extern CHAR8  ssdtjunousb_aml_code[];
 extern CHAR8  ssdtpci_aml_code[];
-extern CHAR8  ssdtuart_aml_code[];
 
 /** The configuration manager version
 */
@@ -186,7 +185,7 @@ extern CHAR8  ssdtuart_aml_code[];
 
 /** The number of ACPI tables to install
 */
-#define PLAT_ACPI_TABLE_COUNT   11
+#define PLAT_ACPI_TABLE_COUNT   10
 
 /** The number of platform generic timer blocks
 */
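Review bot: PLAT_ACPI_TABLE_COUNT is maintained by hand and has to match the number of entries in the table list in ConfigurationManager.c (11 to 10 here for the one entry removed). A short comment next to the define pointing at that list would make the coupling explicit for the next change.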
diff --git 
a/Platform/ARM/JunoPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManagerDxe.inf
 
b/Platform/ARM/JunoPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManagerDxe.inf
index 
a3e7db12f8c913f7111b5ff4ad724a5bdcc35956..59e2410d255d71067319204575e9050b6e452427
 100644
--- 
a/Platform/ARM/JunoPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManagerDxe.inf
+++ 
b/Platform/ARM/JunoPkg/ConfigurationManager/ConfigurationManagerDxe/ConfigurationManagerDxe.inf
@@ -25,7 +25,6 @@ [Sources]
   AslTables/Dsdt.asl
   AslTables/SsdtJunoUsb.asl
   AslTables/SsdtPci.asl
-  AslTables/SsdtUart.asl
 
 [Packages]
   ArmPkg/ArmPkg.dec
-- 
'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'

