summaryrefslogtreecommitdiffstats
path: root/OvmfPkg/Sec
Commit message (Collapse)AuthorAgeFilesLines
* OvmfPkg/Sec: Skip setup MTRR early in TD-GuestCeping Sun2024-07-111-0/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | With the commit ce4c76e (“OvmfPkg/Sec: Setup MTRR early in the boot process.”), we find an unexpected #VE is triggered in TD-Guest. The background of importing the above commit is that: Before running lzma uncompress of the main firmware volume, if not correctly set MTRR, that would make the uncompress be extremely slow. Detailed discussion info can refer to below links: https://edk2.groups.io/g/devel/message/114202 https://edk2.groups.io/g/devel/message/114977 Refer to [intel-tdx-module-1.5-base-spec] Section 11.3 and section11.6.1, CR0.CD is enforced to 0 in TD-Guest. And refer to section 18.2.1.4, TDX module MTRR emulation enforces WB in VMM. Currently the initial MTRR are: - Td-Guest : MTRR disabled, Type is WB. - Non-Td-Guest : MTRR disabled, Type is UC. In DXE phase, OVMF/TDVF would check the MTRR Type for MMIO (in CpuSetMemoryAttributes -> MtrrGetMemoryAttribute -> MtrrGetMemoryAttributeworker: https://github.com/tianocore/edk2/blob/master/UefiCpuPkg/Library/MtrrLib/MtrrLib.c#L929 ). If MTRR is disabled, it always returns UC. Otherwise, it returns the actual value. If it checks that the type is not UC then the MTRR is programmed. It is required to disable cache by setting CR0.CD to 1. That will trigger an unexpected #VE in TD-Guest. Based on above analysis we propose to skip "Setup MTRR early" in TD-Guest because of: - TD-Guest doesn’t have the issue that lzma uncompress extremely slow. - This patch will trigger an unexpected #VE in TD-Guest. intel-tdx-module-1.5-base-spec: https://cdrdv2.intel.com/v1/dl/getContent/733575 Cc: Erdem Aktas <erdemaktas@google.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Min Xu <min.m.xu@intel.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Ceping Sun <cepingx.sun@intel.com>
* OvmfPkg/Sec: use cache type #defines from ArchitecturalMsr.hGerd Hoffmann2024-06-261-1/+1
| | | | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* OvmfPkg/Sec: Setup MTRR early in the boot process.Gerd Hoffmann2024-06-261-0/+32
| | | | | | | | | | | | | | | | | | | | | | | | | | | Specifically before running lzma uncompress of the main firmware volume. This is needed to make sure caching is enabled, otherwise the uncompress can be extremely slow. Adapt the ASSERTs and MTRR setup in PlatformInitLib to the changes. Background: Depending on virtual machine configuration kvm may uses EPT memory types to apply guest MTRR settings. In case MTRRs are disabled kvm will use the uncachable memory type for all mappings. The vmx_get_mt_mask() function in the linux kernel handles this and can be found here: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/arch/x86/kvm/vmx/vmx.c?h=v6.7.1#n7580 In most VM configurations kvm uses MTRR_TYPE_WRBACK unconditionally. In case the VM has a mdev device assigned that is not the case though. Before commit e8aa4c6546ad ("UefiCpuPkg/ResetVector: Cache Disable should not be set by default in CR0") kvm also ended up using MTRR_TYPE_WRBACK due to KVM_X86_QUIRK_CD_NW_CLEARED. After that commit kvm evaluates guest mtrr settings, which why setting up MTRRs early is important now. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* OvmfPkg: Don't make APIC MMIO accesses with encryption bit setMichael Roth2024-05-024-0/+76
| | | | | | | | | | | | | | | | | | | | | | | | | For the most part, OVMF will clear the encryption bit for MMIO regions, but there is currently one known exception during SEC when the APIC base address is accessed via MMIO with the encryption bit set for SEV-ES/SEV-SNP guests. In the case of SEV-SNP, this requires special handling on the hypervisor side which may not be available in the future[1], so make the necessary changes in the SEC-configured page table to clear the encryption bit for 4K region containing the APIC base address. [1] https://lore.kernel.org/lkml/20240208002420.34mvemnzrwwsaesw@amd.com/#t Suggested-by: Tom Lendacky <thomas.lendacky@amd.com> Cc: Ard Biesheuvel <ardb@kernel.org> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Erdem Aktas <erdemaktas@google.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Min Xu <min.m.xu@intel.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Jianyong Wu <jianyong.wu@arm.com> Cc: Anatol Belski <anbelski@linux.microsoft.com> Signed-off-by: Michael Roth <michael.roth@amd.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
* OvmfPkg: auto-generate (and fix) SEC ProcessLibraryConstructorList() declLaszlo Ersek2024-03-082-3/+2
| | | | | | | | | | | | | | | | | | | | | | | | | <Library/PeimEntryPoint.h> declares a bogus ProcessLibraryConstructorList() for OVMF's SEC module. Rely on AutoGen for (properly) declaring ProcessLibraryConstructorList(). Update the call. Build-tested with: build -a X64 -b DEBUG -m OvmfPkg/Sec/SecMain.inf \ -p OvmfPkg/OvmfPkgX64.dsc -t GCC5 Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Erdem Aktas <erdemaktas@google.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Michael Roth <michael.roth@amd.com> Cc: Min Xu <min.m.xu@intel.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=990 Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=4643 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Message-Id: <20240305113843.68812-3-lersek@redhat.com> Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com> Acked-by: Gerd Hoffmann <kraxel@redhat.com>
* OvmfPkg: Update code to be more C11 compliant by using __func__Rebecca Cran2023-04-101-1/+1
| | | | | | | | | | | | | __FUNCTION__ is a pre-standard extension that gcc and Visual C++ among others support, while __func__ was standardized in C99. Since it's more standard, replace __FUNCTION__ with __func__ throughout OvmfPkg. Signed-off-by: Rebecca Cran <rebecca@bsdio.com> Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Ard Biesheuvel <ardb@kernel.org> Reviewed-by: Sunil V L <sunilvl@ventanamicro.com>
* OvmfPkg: Remove UefiCpuLib from module INFs.Yu Pu2023-03-102-2/+0
| | | | | | | | | | | | Because UefiCpuPkg/UefiCpuLib is merged to MdePkg/CpuLib, remove the dependency of UefiCpuLib. Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Acked-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Yu Pu <yu.pu@intel.com> Signed-off-by: Zhiguang Liu <zhiguang.liu@intel.com>
* OvmfPkg/OvmfPkgX64: Measure TdHob and Configuration FV in SecMainMin M Xu2023-02-041-0/+13
| | | | | | | | | | | | | | | | | | | BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243 TdHob and Configuration FV (Cfv) are external inputs from VMM. From the security perspective, they should be measured before they're consumed. This patch measures TdHob and Cfv and stores the measurement values in WorkArea. Cc: Erdem Aktas <erdemaktas@google.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Michael Roth <michael.roth@amd.com> Acked-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> Signed-off-by: Min Xu <min.m.xu@intel.com>
* OvmfPkg: Refactor ProcessHobListMin M Xu2023-02-041-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243 ProcessHobList once was implemented in PlatformInitLib and it walks thru TdHob list and accept un-accepted memories. This patch moves the codes to SecTdxHelperLib and rename ProcessHobList as TdxHelperProcessTdHob After TdxHelperProcessTdHob is introduced, below changes are applied: - Call TdxHelperProcessTdHob instead of ProcessHobList in SecMain.c (in both OvmfPkgX64/Sec and IntelTdx/Sec). - Delete the duplicated codes in PlatformInitLib Cc: Erdem Aktas <erdemaktas@google.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Michael Roth <michael.roth@amd.com> Acked-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> Signed-off-by: Min Xu <min.m.xu@intel.com>
* OvmfPkg/Sec: Move TDX APs related nasm code to IntelTdxAPs.nasmMin M Xu2022-12-211-53/+5
| | | | | | | | | | | | | | | | | BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4172 This patch moves the TDX APs nasm code from SecEntry.nasm to IntelTdxAPs.nasm. IntelTdxX64 and OvmfPkgX64 use the same nasm so that it can be easier to be managed. In the following patch there will be AcceptMemory related changes in IntelTdxAPs.nasm. Cc: Erdem Aktas <erdemaktas@google.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Min Xu <min.m.xu@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
* mv OvmfPkg: move fdf include snippets to Include/FdfGerd Hoffmann2022-12-092-2/+2
| | | | | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
* Revert "OvmfPkg/Sec: fix stack switch"Gerd Hoffmann2022-06-101-4/+0
| | | | | | | | | This reverts commit ff36b2550f94dc5fac838cf298ae5a23cfddf204. Has no effect because GCC_IA32_CC_FLAGS and GCC_X64_CC_FLAGS are unused. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
* OvmfPkg/Sec: fix stack switchGerd Hoffmann2022-06-081-0/+4
| | | | | | | | | | | | | | | | | | | | The ebp/rbp register can either be used for the frame pointer or as general purpose register. With gcc (and clang) this depends on the -f(no-)omit-frame-pointer switch. This patch updates tools_def.template to explicitly set the compiler option and also add a define to allow conditionally compile code. The new define is used to fix stack switching in TemporaryRamMigration. The ebp/rbp must not be touched when the compiler can use it as general purpose register. With version 12 gcc starts actually using the register, so changing it leads to firmware crashes in some configurations. Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3934 Reported-by: Jiri Slaby <jirislaby@kernel.org> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
* OvmfPkg/Sec: Install MpInitLibDepLib PPIs in SecMain.cMin M Xu2022-05-112-2/+34
| | | | | | | | | | | | | | | | | | | | | | BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3918 Td guest should use MpInitLibUp, other guest use the MpInitLib. So in SecMain.c different PPI is installed according to the working guest type. Cc: Eric Dong <eric.dong@intel.com> Cc: Ray Ni <ray.ni@intel.com> Cc: Brijesh Singh <brijesh.singh@amd.com> Cc: Erdem Aktas <erdemaktas@google.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Min Xu <min.m.xu@intel.com> Tested-by: Tom Lendacky <thomas.lendacky@amd.com> Acked-by: Gerd Hoffmann <kraxel@redhat.com> Acked-by: Jiewen Yao <jiewen.yao@intel.com> Reviewed-by: Ray Ni <ray.ni@intel.com>
* OvmfPkg: Add CpuLib to module INFs that depend on UefiCpuLib.Yu Pu2022-05-062-0/+2
| | | | | | | | | | | | | There are two libraries: MdePkg/CpuLib and UefiCpuPkg/UefiCpuLib and UefiCpuPkg/UefiCpuLib will be merged to MdePkg/CpuLib. To avoid build failure, add CpuLib dependency to all modules that depend on UefiCpuLib. Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Yu Pu <yu.pu@intel.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
* OvmfPkg: Call CcProbe in SecMain.c instead of TsIsEnabledMin Xu2022-04-192-2/+4
| | | | | | | | | | | | | | | | | | | | | BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3902 TdIsEnabled() uses the CPUID instruction. At this point, exception handling is not established and a CPUID instruction will generate a #VC and cause the booting guest to crash. CcProbe() checks Ovmf work area to return the guest type. So call of CcProbe() instead of TdIsEnabled() to fix the above issue. Cc: James Bottomley <jejb@linux.ibm.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Brijesh Singh <brijesh.singh@amd.com> Cc: Erdem Aktas <erdemaktas@google.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Min Xu <min.m.xu@intel.com>
* OvmfPkg: Replace GUEST_TYPE with CC_GUEST_TYPEMin Xu2022-04-191-1/+1
| | | | | | | | | | | | | | | | | | | | BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3902 Replace GUEST_TYPE with CC_GUEST_TYPE which is defined in MdePkg/Include/ConfidentialComputingGuestAttr.h. Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Liming Gao <gaoliming@byosoft.com.cn> Cc: Zhiguang Liu <zhiguang.liu@intel.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Brijesh Singh <brijesh.singh@amd.com> Cc: Erdem Aktas <erdemaktas@google.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Min Xu <min.m.xu@intel.com>
* OvmfPkg: Update Sec to support TdxMin Xu2022-04-023-2/+112
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3429 There are below major changes in this commit. 1. SecEntry.nasm In TDX BSP and APs goes to the same entry point in SecEntry.nasm. BSP initialize the temporary stack and then jumps to SecMain, just as legacy Ovmf does. APs spin in a modified mailbox loop using initial mailbox structure. Its structure defition is in OvmfPkg/Include/IndustryStandard/IntelTdx.h. APs wait for command to see if the command is for me. If so execute the command. 2. Sec/SecMain.c When host VMM create the Td guest, the system memory informations are stored in TdHob, which is a memory region described in Tdx metadata. The system memory region in TdHob should be accepted before it can be accessed. So the major task of this patch is to process the TdHobList to accept the memory. After that TDVF follow the standard OVMF flow and jump to PEI phase. PcdUse1GPageTable is set to FALSE by default in OvmfPkgX64.dsc. It gives no chance for Intel TDX to support 1G page table. To support 1G page table this PCD is set to TRUE in OvmfPkgX64.dsc. TDX_GUEST_SUPPORTED is defined in OvmfPkgX64.dsc. This macro wraps the Tdx specific code. TDX only works on X64, so the code is only valid in X64 arch. Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Brijesh Singh <brijesh.singh@amd.com> Cc: Erdem Aktas <erdemaktas@google.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Acked-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> Signed-off-by: Min Xu <min.m.xu@intel.com>
* OvmfPkg/Sec: Declare local variable as volatile in SecCoreStartupWithStackMin Xu2022-04-021-5/+10
| | | | | | | | | | | | | | | | | | | | RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3429 Declare the local variables in SecCoreStartupWithStack that actually move the data elements as volatile to prevent the optimizer from replacing this function with the intrinsic memcpy(). Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Brijesh Singh <brijesh.singh@amd.com> Cc: Erdem Aktas <erdemaktas@google.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Acked-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> Signed-off-by: Min Xu <min.m.xu@intel.com>
* OvmfPkg/ResetVector: cache the SEV status MSR value in workareaBrijesh Singh2022-02-281-1/+1
| | | | | | | | | | | | | | | | | | | | | BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3582 In order to probe the SEV feature the BaseMemEncryptLib and Reset vector reads the SEV_STATUS MSR. Cache the value on the first read in the workarea. In the next patches the value saved in the workarea will be used by the BaseMemEncryptLib. This not only eliminates the extra MSR reads it also helps cleaning up the code in BaseMemEncryptLib. Cc: Min Xu <min.m.xu@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Erdem Aktas <erdemaktas@google.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Acked-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> Acked-by: Jiewen Yao <jiewen.yao@intel.com>
* OvmfPkg/SecMain: validate the memory used for decompressing FvBrijesh Singh2021-12-094-1/+52
| | | | | | | | | | | | | | | | | | | | | | | | | | BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 The VMM launch sequence should have pre-validated all the data pages used in the Reset vector. The range does not cover the data pages used during the SEC phase (mainly PEI and DXE firmware volume decompression memory). When SEV-SNP is active, the memory must be pre-validated before the access. Add support to pre-validate the memory range from SnpSecPreValidatedStart to SnpSecPreValidatedEnd. This should be sufficent to enter into the PEI phase. Cc: Michael Roth <michael.roth@amd.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Min Xu <min.m.xu@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Erdem Aktas <erdemaktas@google.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Acked-by: Jiewen Yao <Jiewen.yao@intel.com> Acked-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
* OvmfPkg/SecMain: register GHCB gpa for the SEV-SNP guestBrijesh Singh via groups.io2021-12-091-0/+119
| | | | | | | | | | | | | | | | | | | | BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 The SEV-SNP guest requires that GHCB GPA must be registered before using. See the GHCB specification section 2.3.2 for more details. Cc: Michael Roth <michael.roth@amd.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Min Xu <min.m.xu@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Erdem Aktas <erdemaktas@google.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Acked-by: Jiewen Yao <Jiewen.yao@intel.com> Acked-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
* OvmfPkg/ResetVector: move clearing GHCB in SecMainBrijesh Singh via groups.io2021-12-091-1/+1
| | | | | | | | | | | | | | | | | | | | | | BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 In preparation for SEV-SNP support move clearing of the GHCB memory from the ResetVector/AmdSev.asm to SecMain/AmdSev.c. The GHCB page is not accessed until SevEsProtocolCheck() switch to full GHCB. So, the move does not make any changes in the code flow or logic. The move will simplify the SEV-SNP support. Cc: Michael Roth <michael.roth@amd.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Min Xu <min.m.xu@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Erdem Aktas <erdemaktas@google.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Acked-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
* OvmfPkg/SecMain: move SEV specific routines in AmdSev.cBrijesh Singh via groups.io2021-12-094-154/+239
| | | | | | | | | | | | | | | | | | | | | BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Move all the SEV specific function in AmdSev.c. No functional change intended. Cc: Michael Roth <michael.roth@amd.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Min Xu <min.m.xu@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Erdem Aktas <erdemaktas@google.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Acked-by: Gerd Hoffmann <kraxel@redhat.com> Acked-by: Jiewen Yao <Jiewen.yao@intel.com> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
* OvmfPkg: Apply uncrustify changesMichael Kubacki2021-12-071-187/+203
| | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3737 Apply uncrustify changes to .c/.h files in the OvmfPkg package Cc: Andrew Fish <afish@apple.com> Cc: Leif Lindholm <leif@nuviainc.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com> Reviewed-by: Andrew Fish <afish@apple.com>
* OvmfPkg/ResetVector: update SEV support to use new work area formatBrijesh Singh2021-08-272-1/+37
| | | | | | | | | | | | | | | | | BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3429 Update the SEV support to switch to using the newer work area format. Cc: James Bottomley <jejb@linux.ibm.com> Cc: Min Xu <min.m.xu@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Erdem Aktas <erdemaktas@google.com> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> Reviewed-by: Min Xu <min.m.xu@intel.com> Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
* OvmfPkg/Sec: Move SEV-ES SEC workarea definition to common header fileTom Lendacky2021-01-071-4/+2
| | | | | | | | | | | | | | | | BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108 In order to allow for the SEV-ES workarea to be used for other purposes and by other files, move the definition into the BaseMemEncryptSevLib header file, MemEncryptSevLib.h. Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Ard Biesheuvel <ard.biesheuvel@arm.com> Cc: Brijesh Singh <brijesh.singh@amd.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Message-Id: <07d66f3384bd54da97d540e89b9f3473a6d17231.1610045305.git.thomas.lendacky@amd.com>
* OvmfPkg/Sec: Enable cache early to speed up bootingTom Lendacky2020-08-171-0/+7
| | | | | | | | | | | | | | | | | | | BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198 Currently, the OVMF code relies on the hypervisor to enable the cache support on the processor in order to improve the boot speed. However, with SEV-ES, the hypervisor is not allowed to change the CR0 register to enable caching. Update the OVMF Sec support to enable caching in order to improve the boot speed when running as an SEV-ES guest. Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Ard Biesheuvel <ard.biesheuvel@arm.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Regression-tested-by: Laszlo Ersek <lersek@redhat.com>
* OvmfPkg/Sec: Add #VC exception handling for Sec phaseTom Lendacky2020-08-172-13/+173
| | | | | | | | | | | | | | | | | | | | | | BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198 An SEV-ES guest will generate a #VC exception when it encounters a non-automatic exit (NAE) event. It is expected that the #VC exception handler will communicate with the hypervisor using the GHCB to handle the NAE event. NAE events can occur during the Sec phase, so initialize exception handling early in the OVMF Sec support. Before establishing the exception handling, validate that the supported version of the SEV-ES protocol in OVMF is supported by the hypervisor. Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Ard Biesheuvel <ard.biesheuvel@arm.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Regression-tested-by: Laszlo Ersek <lersek@redhat.com>
* OvmfPkg: replace old EFI_D_ debug levels with new DEBUG_ onesRebecca Cran2020-04-301-14/+14
| | | | | | | | | | | | | Generated mechanically with: find OvmfPkg -type f -exec sed -i -e 's/EFI_D_/DEBUG_/g' {} \; Signed-off-by: Rebecca Cran <rebecca@bsdio.com> Cc: Philippe Mathieu-Daude <philmd@redhat.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Ard Biesheuvel <ard.biesheuvel@arm.com> Cc: Laszlo Ersek <lersek@redhat.com> Message-Id: <20200429215327.606467-1-rebecca@bsdio.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
* OvmfPkg: strip trailing whitespaceLeif Lindholm2019-10-041-17/+17
| | | | | | | | | | | | | Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Anthony Perard <anthony.perard@citrix.com> Cc: Julien Grall <julien.grall@arm.com> Cc: David Woodhouse <dwmw2@infradead.org> Signed-off-by: Leif Lindholm <leif.lindholm@linaro.org> Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
* OvmfPkg/Sec: fix out-of-bounds readsLaszlo Ersek2019-04-241-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | RH covscan justifiedly reports that accessing "EFI_FFS_FILE_HEADER.Size" and "EFI_COMMON_SECTION_HEADER.Size", which both are of type UINT8[3], through (UINT32*), is undefined behavior: > Error: OVERRUN (CWE-119): > edk2-89910a39dcfd/OvmfPkg/Sec/SecMain.c:283: overrun-local: Overrunning > array of 3 bytes at byte offset 3 by dereferencing pointer > "(UINT32 *)File->Size". > # 281| > # 282| File = (EFI_FFS_FILE_HEADER*)(UINTN) CurrentAddress; > # 283|-> Size = *(UINT32*) File->Size & 0xffffff; > # 284| if (Size < (sizeof (*File) + sizeof (EFI_COMMON_SECTION_HEADER))) { > # 285| return EFI_VOLUME_CORRUPTED; > > Error: OVERRUN (CWE-119): > edk2-89910a39dcfd/OvmfPkg/Sec/SecMain.c:614: overrun-local: Overrunning > array of 3 bytes at byte offset 3 by dereferencing pointer > "(UINT32 *)File->Size". > # 612| > # 613| File = (EFI_FFS_FILE_HEADER*)(UINTN) CurrentAddress; > # 614|-> Size = *(UINT32*) File->Size & 0xffffff; > # 615| if (Size < sizeof (*File)) { > # 616| return EFI_NOT_FOUND; > > Error: OVERRUN (CWE-119): > edk2-89910a39dcfd/OvmfPkg/Sec/SecMain.c:639: overrun-local: Overrunning > array of 3 bytes at byte offset 3 by dereferencing pointer > "(UINT32 *)Section->Size". > # 637| Section = (EFI_COMMON_SECTION_HEADER*)(UINTN) CurrentAddress; > # 638| > # 639|-> Size = *(UINT32*) Section->Size & 0xffffff; > # 640| if (Size < sizeof (*Section)) { > # 641| return EFI_NOT_FOUND; Fix these by invoking the FFS_FILE_SIZE() and SECTION_SIZE() macros, which by now have been fixed too. Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Jordan Justen <jordan.l.justen@intel.com> Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1710 Issue: scan-1008.txt Issue: scan-1009.txt Issue: scan-1010.txt Signed-off-by: Laszlo Ersek <lersek@redhat.com> Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com> Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
* OvmfPkg: Replace BSD License with BSD+Patent LicenseMichael D Kinney2019-04-094-28/+4
| | | | | | | | | | | | | | | | | | | | https://bugzilla.tianocore.org/show_bug.cgi?id=1373 Replace BSD 2-Clause License with BSD+Patent License. This change is based on the following emails: https://lists.01.org/pipermail/edk2-devel/2019-February/036260.html https://lists.01.org/pipermail/edk2-devel/2018-October/030385.html RFCs with detailed process for the license change: V3: https://lists.01.org/pipermail/edk2-devel/2019-March/038116.html V2: https://lists.01.org/pipermail/edk2-devel/2019-March/037669.html V1: https://lists.01.org/pipermail/edk2-devel/2019-March/037500.html Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
* OvmfPkg: Removing ipf which is no longer supported from edk2.chenc22018-06-291-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Removing rules for Ipf sources file: * Remove the source file which path with "ipf" and also listed in [Sources.IPF] section of INF file. * Remove the source file which listed in [Components.IPF] section of DSC file and not listed in any other [Components] section. * Remove the embedded Ipf code for MDE_CPU_IPF. Removing rules for Inf file: * Remove IPF from VALID_ARCHITECTURES comments. * Remove DXE_SAL_DRIVER from LIBRARY_CLASS in [Defines] section. * Remove the INF which only listed in [Components.IPF] section in DSC. * Remove statements from [BuildOptions] that provide IPF specific flags. * Remove any IPF sepcific sections. Removing rules for Dec file: * Remove [Includes.IPF] section from Dec. Removing rules for Dsc file: * Remove IPF from SUPPORTED_ARCHITECTURES in [Defines] section of DSC. * Remove any IPF specific sections. * Remove statements from [BuildOptions] that provide IPF specific flags. Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Michael D Kinney <michael.d.kinney@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Chen A Chen <chen.a.chen@intel.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
* OvmfPkg/Sec: Fix 64bit SEC build failureRuiyu Ni2017-11-291-4/+2
| | | | | | | | | | | | | Original code breaks a single assembly code to multiple lines. But, when VS CL.exe preprocesses the FixedPcdGet32() macro invocation to the replacement text, it loses '\', and causes NASM to fail. Changing the multiple lines to one line to resolve the build failure. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
* OvmfPkg/Sec/X64: seed the temporary RAM with PcdInitValueInTempStackLaszlo Ersek2017-11-171-0/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This allows the PEI core to report the maximum temporary SEC/PEI stack usage on the DEBUG_INFO level, in the PeiCheckAndSwitchStack() function [MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c]: * Normal boot: > Temp Stack : BaseAddress=0x814000 Length=0x4000 > Temp Heap : BaseAddress=0x810000 Length=0x4000 > Total temporary memory: 32768 bytes. > temporary memory stack ever used: 5080 bytes. <---- > temporary memory heap used for HobList: 8080 bytes. > temporary memory heap occupied by memory pages: 0 bytes. * S3 resume (no SMM / PEI decompression) > Temp Stack : BaseAddress=0x814000 Length=0x4000 > Temp Heap : BaseAddress=0x810000 Length=0x4000 > Total temporary memory: 32768 bytes. > temporary memory stack ever used: 5048 bytes. <---- > temporary memory heap used for HobList: 7112 bytes. > temporary memory heap occupied by memory pages: 0 bytes. I unit-tested this change by transitorily adding an infinite loop right after the "rep stosq", and dumping the guest's temp SEC/PEI RAM (32KB currently) while the guest was stuck in the loop. The dump includes one dword from before and after the temp SEC/PEI RAM: > $ virsh qemu-monitor-command GUEST_NAME --hmp 'xp /8194wx 0x80FFFC' > > 000000000080fffc: 0x00000000 0x5aa55aa5 0x5aa55aa5 0x5aa55aa5 > 000000000081000c: 0x5aa55aa5 0x5aa55aa5 0x5aa55aa5 0x5aa55aa5 > ... > 0000000000817fec: 0x5aa55aa5 0x5aa55aa5 0x5aa55aa5 0x5aa55aa5 > 0000000000817ffc: 0x5aa55aa5 0x00000000 Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Jordan Justen <jordan.l.justen@intel.com> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=747 Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
* OvmfPkg/Sec/Ia32: seed the temporary RAM with PcdInitValueInTempStackLaszlo Ersek2017-11-172-0/+19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This allows the PEI core to report the maximum temporary SEC/PEI stack usage on the DEBUG_INFO level, in the PeiCheckAndSwitchStack() function [MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c]: * Normal boot: > Temp Stack : BaseAddress=0x814000 Length=0x4000 > Temp Heap : BaseAddress=0x810000 Length=0x4000 > Total temporary memory: 32768 bytes. > temporary memory stack ever used: 3664 bytes. <---- > temporary memory heap used for HobList: 5904 bytes. > temporary memory heap occupied by memory pages: 0 bytes. * S3 resume (with PEI decompression / SMM): > Temp Stack : BaseAddress=0x814000 Length=0x4000 > Temp Heap : BaseAddress=0x810000 Length=0x4000 > Total temporary memory: 32768 bytes. > temporary memory stack ever used: 3428 bytes. <---- > temporary memory heap used for HobList: 4816 bytes. > temporary memory heap occupied by memory pages: 0 bytes. I unit-tested this change by transitorily adding an infinite loop right after the "rep stosd", and dumping the guest's temp SEC/PEI RAM (32KB currently) while the guest was stuck in the loop. The dump includes one dword from before and after the temp SEC/PEI RAM: > $ virsh qemu-monitor-command GUEST_NAME --hmp 'xp /8194wx 0x80FFFC' > > 000000000080fffc: 0x00000000 0x5aa55aa5 0x5aa55aa5 0x5aa55aa5 > 000000000081000c: 0x5aa55aa5 0x5aa55aa5 0x5aa55aa5 0x5aa55aa5 > ... > 0000000000817fec: 0x5aa55aa5 0x5aa55aa5 0x5aa55aa5 0x5aa55aa5 > 0000000000817ffc: 0x5aa55aa5 0x00000000 Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Jordan Justen <jordan.l.justen@intel.com> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=747 Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
* OvmfPkg/SecMain: Fix stack switching to permanent memoryGe Song2017-09-061-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In earlier PEI stage, temporary memory at PcdOvmfSecPeiTempRamBase is employed as stack and heap. We move them to the new room and do some relocation fixup when permanent memory becomes available. TemporaryRamMigration() is responsible for switching the stack. Before entering TemporaryRamMigration(), Ebp/Rbp is populated with the content of Esp/Rsp and used as frame pointer. After the execution of SetJump/LongJump, stack migrates to new position while the context keeps unchanged. But when TemporaryRamMigration() exits, Esp/Rsp is filled with the content of Ebp/Rbp to destroy this stack frame. The result is, stack switches back to previous temporary memory. When permanent memory becomes available, modules that have registered themselves for shadowing will be scheduled to execute. Some of them need to consume more memory(heap/stack). Contrast to temporary stack, permanent stack possesses larger space. The potential risk is overflowing the stack if stack staying in temporary memory. When it happens, system may crash during S3 resume. More detailed information: > (gdb) disassemble /r > Dump of assembler code for function TemporaryRamMigration: > 0x00000000fffcd29c <+0>: 55 push %rbp > 0x00000000fffcd29d <+1>: 48 89 e5 mov %rsp,%rbp > 0x00000000fffcd2a0 <+4>: 48 81 ec 70 01 00 00 sub > $0x170,%rsp > ... > ... > 0x00000000fffcd425 <+393>: e8 80 10 00 00 callq 0xfffce4aa > <SaveAndSetDebugTimerInterrupt> > => 0x00000000fffcd42a <+398>: b8 00 00 00 00 mov $0x0,%eax > 0x00000000fffcd42f <+403>: c9 leaveq > 0x00000000fffcd430 <+404>: c3 retq > End of assembler dump. See the description of leave(opcode: c9), from Intel 64 and IA-32 Architectures Software Developer's Manual, Volume 2A "Releases the stack frame set up by an earlier ENTER instruction. The LEAVE instruction copies the frame pointer (in the EBP register) into the stack pointer register (ESP), which releases the stack space allocated to the stack frame. The old frame pointer (the frame pointer for the calling procedure that was saved by the ENTER instruction) is then popped from the stack into the EBP register, restoring the calling procedure’s stack frame." To solve this, update Ebp/Rbp too when Esp/Rsp is updated Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Ge Song <ge.song@hxt-semitech.com> Tested-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
* OvmfPkg: Fix typos in commentsGary Lin2016-10-191-1/+1
| | | | | | | | | | | | | | | - Incude -> Include - futhure -> future - Predfined -> Predefined - minimue -> minimum - predeined -> predefined - excute -> execute - dirver -> driver - inforamtion -> information Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Gary Lin <glin@suse.com> Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
* OvmfPkg/Sec: Support SECTION2 DXEFV typesThomas Palmer2016-07-271-3/+13
| | | | | | | | | | | | | | | | Support down-stream projects that require large DXEFV sizes greater than 16MB by handling SECTION2 common headers. These are already created by the build tools when necessary. Use IS_SECTION2 and SECTION2_SIZE macros to calculate accurate image sizes when appropriate. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Thomas Palmer <thomas.palmer@hpe.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Regression-tested-by: Laszlo Ersek <lersek@redhat.com> [lersek@redhat.com: fix NB->MB typo in commit message] Signed-off-by: Laszlo Ersek <lersek@redhat.com>
* OvmfPkg/Sec: Use EFI_COMMON_SECTION_HEADER to avoid castsThomas Palmer2016-07-271-4/+5
| | | | | | | | | | | Drop superfluous casts. There is no change in behavior because EFI_FIRMWARE_VOLUME_IMAGE_SECTION is just a typedef of EFI_COMMON_SECTION_HEADER. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Thomas Palmer <thomas.palmer@hpe.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Regression-tested-by: Laszlo Ersek <lersek@redhat.com>
* OvmfPkg: decompress FVs on S3 resume if SMM_REQUIRE is setLaszlo Ersek2015-11-302-2/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If OVMF was built with -D SMM_REQUIRE, that implies that the runtime OS is not trusted and we should defend against it tampering with the firmware's data. One such datum is the PEI firmware volume (PEIFV). Normally PEIFV is decompressed on the first boot by SEC, then the OS preserves it across S3 suspend-resume cycles; at S3 resume SEC just reuses the originally decompressed PEIFV. However, if we don't trust the OS, then SEC must decompress PEIFV from the pristine flash every time, lest we execute OS-injected code or work with OS-injected data. Due to how FVMAIN_COMPACT is organized, we can't decompress just PEIFV; the decompression brings DXEFV with itself, plus it uses a temporary output buffer and a scratch buffer too, which even reach above the end of the finally installed DXEFV. For this reason we must keep away a non-malicious OS from DXEFV too, plus the memory up to PcdOvmfDecomprScratchEnd. The delay introduced by the LZMA decompression on S3 resume is negligible. If -D SMM_REQUIRE is not specified, then PcdSmmSmramRequire remains FALSE (from the DEC file), and then this patch has no effect (not counting some changed debug messages). If QEMU doesn't support S3 (or the user disabled it on the QEMU command line), then this patch has no effect also. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Jordan Justen <jordan.l.justen@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19037 6f19259b-4bc3-4df7-8a09-765794883524
* OvmfPkg: Sec: assert the build-time calculated end of the scratch bufferLaszlo Ersek2015-11-302-0/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | The DecompressMemFvs() function in "OvmfPkg/Sec/SecMain.c" uses more memory, temporarily, than what PEIFV and DXEFV will ultimately need. First, it uses an output buffer for decompression, second, the decompression itself needs a scratch buffer (and this scratch buffer is the highest area that SEC uses). DecompressMemFvs() used to be called on normal boots only (ie. not on S3 resume), which is why the decompression output buffer and the scratch buffer were allowed to scribble over RAM. However, we'll soon start to worry during S3 resume that the runtime OS might tamper with the pre-decompressed PEIFV, and we'll decompress the firmware volumes on S3 resume too, from pristine flash. For this we'll need to know the end of the scratch buffer in advance, so we can prepare a non-malicious OS for it. Calculate the end of the scratch buffer statically in the FDF files, and assert in DecompressMemFvs() that the runtime decompression will match it. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Jordan Justen <jordan.l.justen@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19036 6f19259b-4bc3-4df7-8a09-765794883524
* OvmfPkg: Sec: force reinit of BaseExtractGuidedSectionLib handler tableLaszlo Ersek2015-11-302-0/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | BaseExtractGuidedSectionLib uses a table at the static physical address PcdGuidedExtractHandlerTableAddress, and modules that are linked against BaseExtractGuidedSectionLib are expected to work together on that table. Namely, some modules can register handlers for GUIDed sections, some other modules can decode such sections with the pre-registered handlers. The table carries persistent information between these modules. BaseExtractGuidedSectionLib checks a table signature whenever it is used (by whichever module that is linked against it), and at the first use (identified by a signature mismatch) it initializes the table. One of the module types that BaseExtractGuidedSectionLib can be used with is SEC, if the SEC module in question runs with the platform's RAM already available. In such cases the question emerges whether the initial contents of the RAM (ie. contents that predate the very first signature check) can be trusted. Normally RAM starts out with all zeroes (leading to a signature mismatch on the first check); however a malicious runtime OS can populate the area with some payload, then force a warm platform reset or an S3 suspend-and-resume. In such cases the signature check in the SEC module might not fire, and ExtractGuidedSectionDecode() might run code injected by the runtime OS, as part of SEC (ie. with high privileges). Therefore we clear the handler table in SEC. See also git commit ad43bc6b2e (SVN rev 15433) -- this patch secures the (d) and (e) code paths examined in that commit. Furthermore, a non-malicious runtime OS will observe no change in behavior; see case (c) in said commit. Cc: Michael Kinney <michael.d.kinney@intel.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> [michael.d.kinney@intel.com: prevent VS20xx loop intrinsic with volatile] Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Michael Kinney <michael.d.kinney@intel.com> Reviewed-by: Michael Kinney <michael.d.kinney@intel.com> Reviewed-by: Jordan Justen <jordan.l.justen@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19035 6f19259b-4bc3-4df7-8a09-765794883524
* OvmfPkg: Sec: Fix SOURCE_DEBUG_ENABLE ASSERT()Michael Kinney2015-10-162-2/+12
| | | | | | | | | | | | | | | | | | | | | The update to the LocalApicLib instances to make sure the Local APIC is initialized before use (SVN r18595 / git commit 6d72ff7d9daf) generates an ASSERT() when SOURCE_DEBUG_ENABLE is enabled for OVMF. The fix is to initialize the Local APIC Timer and mask it before initializing the DebugAgent. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Michael Kinney <michael.d.kinney@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Regression-tested-by: Laszlo Ersek <lersek@redhat.com> [lersek@redhat.com: rewrap code comment, rewrap commit msg, add precise commit ref] Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18622 6f19259b-4bc3-4df7-8a09-765794883524
* OvmfPkg: fix conversion specifiers in DEBUG format stringsLaszlo Ersek2015-07-281-4/+4
| | | | | | | | | | | | Cc: Scott Duplichan <scott@notabs.org> Cc: Jordan Justen <jordan.l.justen@intel.com> Reported-by: Scott Duplichan <scott@notabs.org> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Build-tested-by: Scott Duplichan <scott@notabs.org> Reviewed-by: Jordan Justen <jordan.l.justen@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18095 6f19259b-4bc3-4df7-8a09-765794883524
* OvmfPkg Sec: Convert X64/SecEntry.asm to NASMJordan Justen2014-10-313-69/+9
| | | | | | | | | | | | | The BaseTools/Scripts/ConvertMasmToNasm.py script was used to convert X64/SecEntry.asm to X64/SecEntry.nasm Note: Manually collapsed .inf sources Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jordan Justen <jordan.l.justen@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16292 6f19259b-4bc3-4df7-8a09-765794883524
* OvmfPkg Sec: Convert Ia32/SecEntry.asm to NASMJordan Justen2014-10-313-73/+7
| | | | | | | | | | | | | The BaseTools/Scripts/ConvertMasmToNasm.py script was used to convert Ia32/SecEntry.asm to Ia32/SecEntry.nasm Note: Manually collapsed .inf sources Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jordan Justen <jordan.l.justen@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16291 6f19259b-4bc3-4df7-8a09-765794883524
* OvmfPkg/Sec: Don't decompress the FV on S3 resumeJordan Justen2014-03-041-2/+52
| | | | | | | | | | | | | | Since we marked the FV at PcdOvmfPeiMemFvBase as ACPI NVS memory, we can use it on S3 resume. The FV at PcdOvmfDxeMemFvBase may have been overwritten by the OS, but we do not use it's contents on S3 resume. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jordan Justen <jordan.l.justen@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15296 6f19259b-4bc3-4df7-8a09-765794883524
* OvmfPkg: Split MAINFV into a separate PEI and DXE FVsJordan Justen2014-01-212-19/+51
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | By splitting the PEI and DXE phases into separate FVs, we can only reserve the PEI FV for ACPI S3 support. This should save about 7MB. Unfortunately, this all has to happen in a single commit. DEC: * Remove PcdOvmfMemFv(Base|Size) * Add PcdOvmfPeiMemFv(Base|Size) * Add PcdOvmfDxeMemFv(Base|Size) FDF: * Add new PEIFV. Move PEI modules here. * Remove MAINFV * Add PEIFV and DXEFV into FVMAIN_COMPACT - They are added as 2 sections of a file, and compressed together so they should retain good compression * PcdOvmf(Pei|Dxe)MemFv(Base|Size) are set SEC: * Find both the PEI and DXE FVs after decompression. - Copy them separately to their memory locations. Platform PEI driver: * Fv.c: Publish both FVs as appropriate * MemDetect.c: PcdOvmfMemFv(Base|Size) => PcdOvmfDxeMemFv(Base|Size) OVMF.fd before: Non-volatile data storage FVMAIN_COMPACT uncompressed FV FFS file LZMA compressed MAINFV uncompressed individual PEI modules uncompressed FV FFS file compressed with PI_NONE DXEFV uncompressed individual DXE modules uncompressed SECFV uncompressed OVMF.fd after: Non-volatile data storage FVMAIN_COMPACT uncompressed FV FFS file LZMA compressed PEIFV uncompressed individual PEI modules uncompressed DXEFV uncompressed individual DXE modules uncompressed SECFV uncompressed Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jordan Justen <jordan.l.justen@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15151 6f19259b-4bc3-4df7-8a09-765794883524