2009-12-06 02:57:05 +01:00
|
|
|
/** @file
|
|
|
|
|
|
2010-04-29 14:15:47 +02:00
|
|
|
Copyright (c) 2008 - 2009, Apple Inc. All rights reserved.<BR>
|
2011-06-20 23:35:50 +02:00
|
|
|
Copyright (c) 2011, ARM Limited. All rights reserved.
|
2014-08-19 15:29:52 +02:00
|
|
|
|
2019-04-04 01:03:18 +02:00
|
|
|
SPDX-License-Identifier: BSD-2-Clause-Patent
|
2009-12-06 02:57:05 +01:00
|
|
|
|
|
|
|
|
**/
|
|
|
|
|
|
|
|
|
|
#include "CpuDxe.h"
|
|
|
|
|
|
2011-06-20 23:35:50 +02:00
|
|
|
#include <Guid/IdleLoopEvent.h>
|
|
|
|
|
|
ArmPkg/CpuDxe: Perform preliminary NX remap of free memory
The DXE core implementation of PcdDxeNxMemoryProtectionPolicy already
contains an assertion that EfiConventionalMemory and EfiBootServicesData
are subjected to the same policy when it comes to the use of NX
permissions. The reason for this is that we may otherwise end up with
unbounded recursion in the page table code, given that allocating a page
table would then involve a permission attribute change, and this could
result in the need for a block entry to be split, which would trigger
the allocation of a page table recursively.
For the same reason, a shortcut exists in ApplyMemoryProtectionPolicy()
where, instead of setting the memory attributes unconditionally, we
compare the NX policies and avoid touching the page tables if they are
the same for the old and the new memory types. Without this shortcut, we
may end up in a situation where, as the CPU arch protocol DXE driver is
ramping up, the same unbounded recursion is triggered, due to the fact
that the NX policy for EfiConventionalMemory has not been applied yet.
To break this cycle, let's remap all EfiConventionalMemory regions
according to the NX policy for EfiBootServicesData before exposing the
CPU arch protocol to the DXE core and other drivers. This ensures that
creating EfiBootServicesData allocations does not result in memory
attribute changes, and therefore no recursion.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>
2023-02-08 16:34:33 +01:00
|
|
|
#include <Library/MemoryAllocationLib.h>
|
|
|
|
|
|
2017-02-24 10:58:38 +01:00
|
|
|
BOOLEAN mIsFlushingGCD;
|
2010-01-14 04:25:08 +01:00
|
|
|
|
|
|
|
|
/**
|
2014-08-19 15:29:52 +02:00
|
|
|
This function flushes the range of addresses from Start to Start+Length
|
|
|
|
|
from the processor's data cache. If Start is not aligned to a cache line
|
|
|
|
|
boundary, then the bytes before Start to the preceding cache line boundary
|
|
|
|
|
are also flushed. If Start+Length is not aligned to a cache line boundary,
|
|
|
|
|
then the bytes past Start+Length to the end of the next cache line boundary
|
|
|
|
|
are also flushed. The FlushType of EfiCpuFlushTypeWriteBackInvalidate must be
|
|
|
|
|
supported. If the data cache is fully coherent with all DMA operations, then
|
|
|
|
|
this function can just return EFI_SUCCESS. If the processor does not support
|
2010-01-14 04:25:08 +01:00
|
|
|
flushing a range of the data cache, then the entire data cache can be flushed.
|
|
|
|
|
|
|
|
|
|
@param This The EFI_CPU_ARCH_PROTOCOL instance.
|
|
|
|
|
@param Start The beginning physical address to flush from the processor's data
|
|
|
|
|
cache.
|
|
|
|
|
@param Length The number of bytes to flush from the processor's data cache. This
|
|
|
|
|
function may flush more bytes than Length specifies depending upon
|
|
|
|
|
the granularity of the flush operation that the processor supports.
|
|
|
|
|
@param FlushType Specifies the type of flush operation to perform.
|
|
|
|
|
|
|
|
|
|
@retval EFI_SUCCESS The address range from Start to Start+Length was flushed from
|
|
|
|
|
the processor's data cache.
|
2016-07-08 08:20:55 +02:00
|
|
|
@retval EFI_UNSUPPORTED The processor does not support the cache flush type specified
|
2010-01-14 04:25:08 +01:00
|
|
|
by FlushType.
|
|
|
|
|
@retval EFI_DEVICE_ERROR The address range from Start to Start+Length could not be flushed
|
|
|
|
|
from the processor's data cache.
|
|
|
|
|
|
|
|
|
|
**/
|
2009-12-06 02:57:05 +01:00
|
|
|
EFI_STATUS
|
|
|
|
|
EFIAPI
|
|
|
|
|
CpuFlushCpuDataCache (
|
|
|
|
|
IN EFI_CPU_ARCH_PROTOCOL *This,
|
|
|
|
|
IN EFI_PHYSICAL_ADDRESS Start,
|
|
|
|
|
IN UINT64 Length,
|
|
|
|
|
IN EFI_CPU_FLUSH_TYPE FlushType
|
|
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
switch (FlushType) {
|
|
|
|
|
case EfiCpuFlushTypeWriteBack:
|
2010-01-08 22:12:20 +01:00
|
|
|
WriteBackDataCacheRange ((VOID *)(UINTN)Start, (UINTN)Length);
|
2009-12-06 02:57:05 +01:00
|
|
|
break;
|
|
|
|
|
case EfiCpuFlushTypeInvalidate:
|
2010-01-08 22:12:20 +01:00
|
|
|
InvalidateDataCacheRange ((VOID *)(UINTN)Start, (UINTN)Length);
|
2009-12-06 02:57:05 +01:00
|
|
|
break;
|
|
|
|
|
case EfiCpuFlushTypeWriteBackInvalidate:
|
2010-01-08 22:12:20 +01:00
|
|
|
WriteBackInvalidateDataCacheRange ((VOID *)(UINTN)Start, (UINTN)Length);
|
2009-12-06 02:57:05 +01:00
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
return EFI_INVALID_PARAMETER;
|
|
|
|
|
}
|
2014-08-19 15:29:52 +02:00
|
|
|
|
2009-12-06 02:57:05 +01:00
|
|
|
return EFI_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
2010-01-14 04:25:08 +01:00
|
|
|
/**
|
2014-08-19 15:29:52 +02:00
|
|
|
This function enables interrupt processing by the processor.
|
2010-01-14 04:25:08 +01:00
|
|
|
|
|
|
|
|
@param This The EFI_CPU_ARCH_PROTOCOL instance.
|
|
|
|
|
|
|
|
|
|
@retval EFI_SUCCESS Interrupts are enabled on the processor.
|
|
|
|
|
@retval EFI_DEVICE_ERROR Interrupts could not be enabled on the processor.
|
|
|
|
|
|
|
|
|
|
**/
|
2009-12-06 02:57:05 +01:00
|
|
|
EFI_STATUS
|
|
|
|
|
EFIAPI
|
|
|
|
|
CpuEnableInterrupt (
|
|
|
|
|
IN EFI_CPU_ARCH_PROTOCOL *This
|
|
|
|
|
)
|
|
|
|
|
{
|
2010-01-09 00:07:33 +01:00
|
|
|
ArmEnableInterrupts ();
|
2010-01-08 22:12:20 +01:00
|
|
|
|
2009-12-06 02:57:05 +01:00
|
|
|
return EFI_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
2010-01-14 04:25:08 +01:00
|
|
|
/**
|
|
|
|
|
This function disables interrupt processing by the processor.
|
|
|
|
|
|
|
|
|
|
@param This The EFI_CPU_ARCH_PROTOCOL instance.
|
|
|
|
|
|
|
|
|
|
@retval EFI_SUCCESS Interrupts are disabled on the processor.
|
|
|
|
|
@retval EFI_DEVICE_ERROR Interrupts could not be disabled on the processor.
|
|
|
|
|
|
|
|
|
|
**/
|
2009-12-06 02:57:05 +01:00
|
|
|
EFI_STATUS
|
|
|
|
|
EFIAPI
|
|
|
|
|
CpuDisableInterrupt (
|
|
|
|
|
IN EFI_CPU_ARCH_PROTOCOL *This
|
|
|
|
|
)
|
|
|
|
|
{
|
2010-01-09 00:07:33 +01:00
|
|
|
ArmDisableInterrupts ();
|
2010-01-08 22:12:20 +01:00
|
|
|
|
2009-12-06 02:57:05 +01:00
|
|
|
return EFI_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
2010-01-14 04:25:08 +01:00
|
|
|
/**
|
2014-08-19 15:29:52 +02:00
|
|
|
This function retrieves the processor's current interrupt state a returns it in
|
|
|
|
|
State. If interrupts are currently enabled, then TRUE is returned. If interrupts
|
2010-01-14 04:25:08 +01:00
|
|
|
are currently disabled, then FALSE is returned.
|
|
|
|
|
|
|
|
|
|
@param This The EFI_CPU_ARCH_PROTOCOL instance.
|
|
|
|
|
@param State A pointer to the processor's current interrupt state. Set to TRUE if
|
|
|
|
|
interrupts are enabled and FALSE if interrupts are disabled.
|
|
|
|
|
|
|
|
|
|
@retval EFI_SUCCESS The processor's current interrupt state was returned in State.
|
|
|
|
|
@retval EFI_INVALID_PARAMETER State is NULL.
|
|
|
|
|
|
|
|
|
|
**/
|
2009-12-06 02:57:05 +01:00
|
|
|
EFI_STATUS
|
|
|
|
|
EFIAPI
|
|
|
|
|
CpuGetInterruptState (
|
|
|
|
|
IN EFI_CPU_ARCH_PROTOCOL *This,
|
|
|
|
|
OUT BOOLEAN *State
|
|
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
if (State == NULL) {
|
|
|
|
|
return EFI_INVALID_PARAMETER;
|
|
|
|
|
}
|
|
|
|
|
|
2016-02-23 00:08:27 +01:00
|
|
|
*State = ArmGetInterruptState ();
|
2009-12-06 02:57:05 +01:00
|
|
|
return EFI_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
2010-01-14 04:25:08 +01:00
|
|
|
/**
|
|
|
|
|
This function generates an INIT on the processor. If this function succeeds, then the
|
2014-08-19 15:29:52 +02:00
|
|
|
processor will be reset, and control will not be returned to the caller. If InitType is
|
|
|
|
|
not supported by this processor, or the processor cannot programmatically generate an
|
|
|
|
|
INIT without help from external hardware, then EFI_UNSUPPORTED is returned. If an error
|
2010-01-14 04:25:08 +01:00
|
|
|
occurs attempting to generate an INIT, then EFI_DEVICE_ERROR is returned.
|
|
|
|
|
|
|
|
|
|
@param This The EFI_CPU_ARCH_PROTOCOL instance.
|
|
|
|
|
@param InitType The type of processor INIT to perform.
|
|
|
|
|
|
|
|
|
|
@retval EFI_SUCCESS The processor INIT was performed. This return code should never be seen.
|
|
|
|
|
@retval EFI_UNSUPPORTED The processor INIT operation specified by InitType is not supported
|
|
|
|
|
by this processor.
|
|
|
|
|
@retval EFI_DEVICE_ERROR The processor INIT failed.
|
|
|
|
|
|
|
|
|
|
**/
|
2009-12-06 02:57:05 +01:00
|
|
|
EFI_STATUS
|
|
|
|
|
EFIAPI
|
|
|
|
|
CpuInit (
|
|
|
|
|
IN EFI_CPU_ARCH_PROTOCOL *This,
|
|
|
|
|
IN EFI_CPU_INIT_TYPE InitType
|
|
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
return EFI_UNSUPPORTED;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
EFI_STATUS
|
|
|
|
|
EFIAPI
|
|
|
|
|
CpuRegisterInterruptHandler (
|
|
|
|
|
IN EFI_CPU_ARCH_PROTOCOL *This,
|
|
|
|
|
IN EFI_EXCEPTION_TYPE InterruptType,
|
|
|
|
|
IN EFI_CPU_INTERRUPT_HANDLER InterruptHandler
|
|
|
|
|
)
|
|
|
|
|
{
|
2010-01-08 22:12:20 +01:00
|
|
|
return RegisterInterruptHandler (InterruptType, InterruptHandler);
|
2009-12-06 02:57:05 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
EFI_STATUS
|
|
|
|
|
EFIAPI
|
|
|
|
|
CpuGetTimerValue (
|
|
|
|
|
IN EFI_CPU_ARCH_PROTOCOL *This,
|
|
|
|
|
IN UINT32 TimerIndex,
|
|
|
|
|
OUT UINT64 *TimerValue,
|
|
|
|
|
OUT UINT64 *TimerPeriod OPTIONAL
|
|
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
return EFI_UNSUPPORTED;
|
|
|
|
|
}
|
|
|
|
|
|
2011-06-20 23:35:50 +02:00
|
|
|
/**
|
|
|
|
|
Callback function for idle events.
|
2014-08-19 15:29:52 +02:00
|
|
|
|
2011-06-20 23:35:50 +02:00
|
|
|
@param Event Event whose notification function is being invoked.
|
|
|
|
|
@param Context The pointer to the notification function's context,
|
|
|
|
|
which is implementation-dependent.
|
|
|
|
|
|
|
|
|
|
**/
|
|
|
|
|
VOID
|
|
|
|
|
EFIAPI
|
|
|
|
|
IdleLoopEventCallback (
|
|
|
|
|
IN EFI_EVENT Event,
|
|
|
|
|
IN VOID *Context
|
|
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
CpuSleep ();
|
|
|
|
|
}
|
2009-12-06 02:57:05 +01:00
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Globals used to initialize the protocol
|
|
|
|
|
//
|
|
|
|
|
EFI_HANDLE mCpuHandle = NULL;
|
|
|
|
|
EFI_CPU_ARCH_PROTOCOL mCpu = {
|
|
|
|
|
CpuFlushCpuDataCache,
|
|
|
|
|
CpuEnableInterrupt,
|
|
|
|
|
CpuDisableInterrupt,
|
|
|
|
|
CpuGetInterruptState,
|
|
|
|
|
CpuInit,
|
|
|
|
|
CpuRegisterInterruptHandler,
|
|
|
|
|
CpuGetTimerValue,
|
|
|
|
|
CpuSetMemoryAttributes,
|
|
|
|
|
0, // NumberOfTimers
|
2016-10-31 16:43:49 +01:00
|
|
|
2048, // DmaBufferAlignment
|
2009-12-06 02:57:05 +01:00
|
|
|
};
|
|
|
|
|
|
2016-10-31 16:43:49 +01:00
|
|
|
STATIC
|
|
|
|
|
VOID
|
|
|
|
|
InitializeDma (
|
|
|
|
|
IN OUT EFI_CPU_ARCH_PROTOCOL *CpuArchProtocol
|
|
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
CpuArchProtocol->DmaBufferAlignment = ArmCacheWritebackGranule ();
|
|
|
|
|
}
|
|
|
|
|
|
ArmPkg/CpuDxe: Perform preliminary NX remap of free memory
The DXE core implementation of PcdDxeNxMemoryProtectionPolicy already
contains an assertion that EfiConventionalMemory and EfiBootServicesData
are subjected to the same policy when it comes to the use of NX
permissions. The reason for this is that we may otherwise end up with
unbounded recursion in the page table code, given that allocating a page
table would then involve a permission attribute change, and this could
result in the need for a block entry to be split, which would trigger
the allocation of a page table recursively.
For the same reason, a shortcut exists in ApplyMemoryProtectionPolicy()
where, instead of setting the memory attributes unconditionally, we
compare the NX policies and avoid touching the page tables if they are
the same for the old and the new memory types. Without this shortcut, we
may end up in a situation where, as the CPU arch protocol DXE driver is
ramping up, the same unbounded recursion is triggered, due to the fact
that the NX policy for EfiConventionalMemory has not been applied yet.
To break this cycle, let's remap all EfiConventionalMemory regions
according to the NX policy for EfiBootServicesData before exposing the
CPU arch protocol to the DXE core and other drivers. This ensures that
creating EfiBootServicesData allocations does not result in memory
attribute changes, and therefore no recursion.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>
2023-02-08 16:34:33 +01:00
|
|
|
/**
|
|
|
|
|
Map all EfiConventionalMemory regions in the memory map with NX
|
|
|
|
|
attributes so that allocating or freeing EfiBootServicesData regions
|
|
|
|
|
does not result in changes to memory permission attributes.
|
|
|
|
|
|
|
|
|
|
**/
|
|
|
|
|
STATIC
|
|
|
|
|
VOID
|
|
|
|
|
RemapUnusedMemoryNx (
|
|
|
|
|
VOID
|
|
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
UINT64 TestBit;
|
|
|
|
|
UINTN MemoryMapSize;
|
|
|
|
|
UINTN MapKey;
|
|
|
|
|
UINTN DescriptorSize;
|
|
|
|
|
UINT32 DescriptorVersion;
|
|
|
|
|
EFI_MEMORY_DESCRIPTOR *MemoryMap;
|
|
|
|
|
EFI_MEMORY_DESCRIPTOR *MemoryMapEntry;
|
|
|
|
|
EFI_MEMORY_DESCRIPTOR *MemoryMapEnd;
|
|
|
|
|
EFI_STATUS Status;
|
|
|
|
|
|
|
|
|
|
TestBit = LShiftU64 (1, EfiBootServicesData);
|
|
|
|
|
if ((PcdGet64 (PcdDxeNxMemoryProtectionPolicy) & TestBit) == 0) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
MemoryMapSize = 0;
|
|
|
|
|
MemoryMap = NULL;
|
|
|
|
|
|
|
|
|
|
Status = gBS->GetMemoryMap (
|
|
|
|
|
&MemoryMapSize,
|
|
|
|
|
MemoryMap,
|
|
|
|
|
&MapKey,
|
|
|
|
|
&DescriptorSize,
|
|
|
|
|
&DescriptorVersion
|
|
|
|
|
);
|
|
|
|
|
ASSERT (Status == EFI_BUFFER_TOO_SMALL);
|
|
|
|
|
do {
|
|
|
|
|
MemoryMap = (EFI_MEMORY_DESCRIPTOR *)AllocatePool (MemoryMapSize);
|
|
|
|
|
ASSERT (MemoryMap != NULL);
|
|
|
|
|
Status = gBS->GetMemoryMap (
|
|
|
|
|
&MemoryMapSize,
|
|
|
|
|
MemoryMap,
|
|
|
|
|
&MapKey,
|
|
|
|
|
&DescriptorSize,
|
|
|
|
|
&DescriptorVersion
|
|
|
|
|
);
|
|
|
|
|
if (EFI_ERROR (Status)) {
|
|
|
|
|
FreePool (MemoryMap);
|
|
|
|
|
}
|
|
|
|
|
} while (Status == EFI_BUFFER_TOO_SMALL);
|
|
|
|
|
|
|
|
|
|
ASSERT_EFI_ERROR (Status);
|
|
|
|
|
|
|
|
|
|
MemoryMapEntry = MemoryMap;
|
|
|
|
|
MemoryMapEnd = (EFI_MEMORY_DESCRIPTOR *)((UINT8 *)MemoryMap + MemoryMapSize);
|
|
|
|
|
while ((UINTN)MemoryMapEntry < (UINTN)MemoryMapEnd) {
|
|
|
|
|
if (MemoryMapEntry->Type == EfiConventionalMemory) {
|
2023-06-25 11:21:55 +02:00
|
|
|
ArmSetMemoryAttributes (
|
ArmPkg/CpuDxe: Perform preliminary NX remap of free memory
The DXE core implementation of PcdDxeNxMemoryProtectionPolicy already
contains an assertion that EfiConventionalMemory and EfiBootServicesData
are subjected to the same policy when it comes to the use of NX
permissions. The reason for this is that we may otherwise end up with
unbounded recursion in the page table code, given that allocating a page
table would then involve a permission attribute change, and this could
result in the need for a block entry to be split, which would trigger
the allocation of a page table recursively.
For the same reason, a shortcut exists in ApplyMemoryProtectionPolicy()
where, instead of setting the memory attributes unconditionally, we
compare the NX policies and avoid touching the page tables if they are
the same for the old and the new memory types. Without this shortcut, we
may end up in a situation where, as the CPU arch protocol DXE driver is
ramping up, the same unbounded recursion is triggered, due to the fact
that the NX policy for EfiConventionalMemory has not been applied yet.
To break this cycle, let's remap all EfiConventionalMemory regions
according to the NX policy for EfiBootServicesData before exposing the
CPU arch protocol to the DXE core and other drivers. This ensures that
creating EfiBootServicesData allocations does not result in memory
attribute changes, and therefore no recursion.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>
2023-02-08 16:34:33 +01:00
|
|
|
MemoryMapEntry->PhysicalStart,
|
2023-06-25 11:21:55 +02:00
|
|
|
EFI_PAGES_TO_SIZE (MemoryMapEntry->NumberOfPages),
|
|
|
|
|
EFI_MEMORY_XP,
|
|
|
|
|
EFI_MEMORY_XP
|
ArmPkg/CpuDxe: Perform preliminary NX remap of free memory
The DXE core implementation of PcdDxeNxMemoryProtectionPolicy already
contains an assertion that EfiConventionalMemory and EfiBootServicesData
are subjected to the same policy when it comes to the use of NX
permissions. The reason for this is that we may otherwise end up with
unbounded recursion in the page table code, given that allocating a page
table would then involve a permission attribute change, and this could
result in the need for a block entry to be split, which would trigger
the allocation of a page table recursively.
For the same reason, a shortcut exists in ApplyMemoryProtectionPolicy()
where, instead of setting the memory attributes unconditionally, we
compare the NX policies and avoid touching the page tables if they are
the same for the old and the new memory types. Without this shortcut, we
may end up in a situation where, as the CPU arch protocol DXE driver is
ramping up, the same unbounded recursion is triggered, due to the fact
that the NX policy for EfiConventionalMemory has not been applied yet.
To break this cycle, let's remap all EfiConventionalMemory regions
according to the NX policy for EfiBootServicesData before exposing the
CPU arch protocol to the DXE core and other drivers. This ensures that
creating EfiBootServicesData allocations does not result in memory
attribute changes, and therefore no recursion.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>
2023-02-08 16:34:33 +01:00
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
MemoryMapEntry = NEXT_MEMORY_DESCRIPTOR (MemoryMapEntry, DescriptorSize);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2009-12-06 02:57:05 +01:00
|
|
|
EFI_STATUS
|
|
|
|
|
CpuDxeInitialize (
|
|
|
|
|
IN EFI_HANDLE ImageHandle,
|
|
|
|
|
IN EFI_SYSTEM_TABLE *SystemTable
|
|
|
|
|
)
|
2010-01-14 04:25:08 +01:00
|
|
|
{
|
|
|
|
|
EFI_STATUS Status;
|
2011-06-20 23:35:50 +02:00
|
|
|
EFI_EVENT IdleLoopEvent;
|
2010-01-14 04:25:08 +01:00
|
|
|
|
2014-08-19 15:29:52 +02:00
|
|
|
InitializeExceptions (&mCpu);
|
|
|
|
|
|
2016-10-31 16:43:49 +01:00
|
|
|
InitializeDma (&mCpu);
|
|
|
|
|
|
ArmPkg/CpuDxe: Perform preliminary NX remap of free memory
The DXE core implementation of PcdDxeNxMemoryProtectionPolicy already
contains an assertion that EfiConventionalMemory and EfiBootServicesData
are subjected to the same policy when it comes to the use of NX
permissions. The reason for this is that we may otherwise end up with
unbounded recursion in the page table code, given that allocating a page
table would then involve a permission attribute change, and this could
result in the need for a block entry to be split, which would trigger
the allocation of a page table recursively.
For the same reason, a shortcut exists in ApplyMemoryProtectionPolicy()
where, instead of setting the memory attributes unconditionally, we
compare the NX policies and avoid touching the page tables if they are
the same for the old and the new memory types. Without this shortcut, we
may end up in a situation where, as the CPU arch protocol DXE driver is
ramping up, the same unbounded recursion is triggered, due to the fact
that the NX policy for EfiConventionalMemory has not been applied yet.
To break this cycle, let's remap all EfiConventionalMemory regions
according to the NX policy for EfiBootServicesData before exposing the
CPU arch protocol to the DXE core and other drivers. This ensures that
creating EfiBootServicesData allocations does not result in memory
attribute changes, and therefore no recursion.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>
2023-02-08 16:34:33 +01:00
|
|
|
//
|
|
|
|
|
// Once we install the CPU arch protocol, the DXE core's memory
|
|
|
|
|
// protection routines will invoke them to manage the permissions of page
|
|
|
|
|
// allocations as they are created. Given that this includes pages
|
|
|
|
|
// allocated for page tables by this driver, we must ensure that unused
|
|
|
|
|
// memory is mapped with the same permissions as boot services data
|
|
|
|
|
// regions. Otherwise, we may end up with unbounded recursion, due to the
|
|
|
|
|
// fact that updating permissions on a newly allocated page table may trigger
|
|
|
|
|
// a block entry split, which triggers a page table allocation, etc etc
|
|
|
|
|
//
|
|
|
|
|
if (FeaturePcdGet (PcdRemapUnusedMemoryNx)) {
|
|
|
|
|
RemapUnusedMemoryNx ();
|
|
|
|
|
}
|
|
|
|
|
|
2010-01-14 04:25:08 +01:00
|
|
|
Status = gBS->InstallMultipleProtocolInterfaces (
|
2014-08-19 15:29:52 +02:00
|
|
|
&mCpuHandle,
|
|
|
|
|
&gEfiCpuArchProtocolGuid,
|
|
|
|
|
&mCpu,
|
2023-01-31 23:26:25 +01:00
|
|
|
&gEfiMemoryAttributeProtocolGuid,
|
|
|
|
|
&mMemoryAttribute,
|
2010-01-14 04:25:08 +01:00
|
|
|
NULL
|
|
|
|
|
);
|
2014-08-19 15:29:52 +02:00
|
|
|
|
2010-01-14 04:25:08 +01:00
|
|
|
//
|
|
|
|
|
// Make sure GCD and MMU settings match. This API calls gDS->SetMemorySpaceAttributes ()
|
|
|
|
|
// and that calls EFI_CPU_ARCH_PROTOCOL.SetMemoryAttributes, so this code needs to go
|
|
|
|
|
// after the protocol is installed
|
|
|
|
|
//
|
2017-02-24 10:58:38 +01:00
|
|
|
mIsFlushingGCD = TRUE;
|
2010-01-14 04:25:08 +01:00
|
|
|
SyncCacheConfig (&mCpu);
|
2017-02-24 10:58:38 +01:00
|
|
|
mIsFlushingGCD = FALSE;
|
2014-08-19 15:29:52 +02:00
|
|
|
|
2011-06-20 23:35:50 +02:00
|
|
|
//
|
|
|
|
|
// Setup a callback for idle events
|
|
|
|
|
//
|
|
|
|
|
Status = gBS->CreateEventEx (
|
|
|
|
|
EVT_NOTIFY_SIGNAL,
|
|
|
|
|
TPL_NOTIFY,
|
|
|
|
|
IdleLoopEventCallback,
|
|
|
|
|
NULL,
|
|
|
|
|
&gIdleLoopEventGuid,
|
|
|
|
|
&IdleLoopEvent
|
|
|
|
|
);
|
|
|
|
|
ASSERT_EFI_ERROR (Status);
|
|
|
|
|
|
2010-01-14 04:25:08 +01:00
|
|
|
return Status;
|
2009-12-06 02:57:05 +01:00
|
|
|
}
|
