diff options
| author | Jiewen Yao <jiewen.yao@intel.com> | 2016-11-24 13:36:56 +0800 |
|---|---|---|
| committer | Jiewen Yao <jiewen.yao@intel.com> | 2016-12-19 09:37:37 +0800 |
| commit | d2fc7711136a13ea3ea8e00de6d9651507b8ed50 (patch) | |
| tree | f340f1ec0b44f0baa315d485313b21020bbfa020 /UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c | |
| parent | 09119a00cccaa08b28b7e2449998ba4c7aa4b0f8 (diff) | |
| download | edk2-d2fc7711136a13ea3ea8e00de6d9651507b8ed50.tar.gz edk2-d2fc7711136a13ea3ea8e00de6d9651507b8ed50.tar.bz2 edk2-d2fc7711136a13ea3ea8e00de6d9651507b8ed50.zip | |
UefiCpuPkg/PiSmmCpu: Add SMM Comm Buffer Paging Protection.
This patch sets the normal OS buffer EfiLoaderCode/Data,
EfiBootServicesCode/Data, EfiConventionalMemory, EfiACPIReclaimMemory
to be not present after SmmReadyToLock.
To access these region in OS runtime phase is not a good solution.
Previously, we did similar check in SmmMemLib to help SMI handler
do the check. But if SMI handler forgets the check, it can still
access these OS region and bring risk.
So here we enforce the policy to prevent it happening.
Cc: Jeff Fan <jeff.fan@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Jeff Fan <jeff.fan@intel.com>
Diffstat (limited to 'UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c')
| -rw-r--r-- | UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c | 23 |
1 files changed, 11 insertions, 12 deletions
diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c index 4bef60a1ac..fc7714a3b9 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c @@ -504,6 +504,11 @@ SmmReadyToLockEventNotify ( GetAcpiCpuData ();
//
+ // Cache a copy of UEFI memory map before we start profiling feature.
+ //
+ GetUefiMemoryMap ();
+
+ //
// Set SMM ready to lock flag and return
//
mSmmReadyToLock = TRUE;
@@ -1154,17 +1159,6 @@ ConfigSmmCodeAccessCheck ( }
/**
- Set code region to be read only and data region to be execute disable.
-**/
-VOID
-SetRegionAttributes (
- VOID
- )
-{
- SetMemMapAttributes ();
-}
-
-/**
This API provides a way to allocate memory for page table.
This API can be called more once to allocate memory for page tables.
@@ -1320,7 +1314,12 @@ PerformRemainingTasks ( //
// Mark critical region to be read-only in page table
//
- SetRegionAttributes ();
+ SetMemMapAttributes ();
+
+ //
+ // For outside SMRAM, we only map SMM communication buffer or MMIO.
+ //
+ SetUefiMemMapAttributes ();
//
// Set page table itself to be read-only
|