StrSize() cannot return 0. As done in other packages, StrSize()
checks the length of the string doesn't exceed
PcdMaximumUnicodeStringLength. Add comments to make it more obvious.
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4859
Reported-by: Tormod Volden <debian.tormod@gmail.com>
Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
The "Found ACPI table" messages are informative and don't indicate an
error, so reduce the debug level from DEBUG_ERROR to DEBUG_INFO.
Signed-off-by: Rebecca Cran <rebecca@bsdio.com>
ArmVirtKvmTool might execute at EL2 when running under nested
virtualization, and in this case, it should not use HVC but SMC to
invoke PSCI and SMCCC services.
Like QEMU, kvmtool provides the PSCI conduit via a node in the FDT, and
as per the SMCCC, the PSCI conduit and the SMCCC conduit are guaranteed
to be the same. So switch to the ArmMonitorLib implementation that
selects the conduit based on this FDT node.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
The implementation of ArmMonitorLib that selects the conduit (SMC or
HVC) based on the PSCI FDT node is suitable for other VMMs as well, so
rename it more appropriately.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
HCR_EL2 may contain fields that should be preserved (such as E2H, which
may be RES1 for all intents and purposes other than reading back the
register). So preserve the existing value when setting the TGE bit.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
With VHE enabled, EL2 uses the EL2&0 translation regime, which is
compatible with the EL1&0 translation regime when it comes to the TCR
configuration register and the page table descriptor.
Given that some CPUs may have VHE force enabled when executing at EL2,
the MMU code needs to be able to deal with this even if it doesn't
enable VHE itself.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Remove the code path for execution at EL3, which just dumps an error.
None of the other code is remotely suitable for execution at EL3, and so
just ASSERT()'ing here is sufficient, and simplifies future changes
related to VHE.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
When VHE is enabled, some pre-existing timer system register specifiers
are redirected to the HYP timer. To access the conventional timer,
special aliases have to be used that end in _EL02.
These aliases are not understood by Clang's internal assembler, so use
the generic mnemonics instead.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Add definitions for the non-global page tables descriptor attribute, as
well as the E2H TCR bit, so that we can use them in the MMU code.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
ARM requires softfloat routines when incorporating OpenSSL, which is a
bit of a hassle for no benefit, given that ARM is mostly obsolete at
this point.
SignedCapsulePkg relies on OpenSSL for authentication, and while it
might be feasible to migrate ARM to MbedTLS and retain support, let's
just drop support entirely.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
ArmSoftFloatLib is going away, so remove all residual references to it.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Redfish uses JsonLib, which supports encoding real numbers. This
handling is implemented using C floating point types, which means that
on 32-bit ARM, a softfloat library is required, even though the CPUs we
still (marginally) care about all support floating point in hardware.
The UEFI spec does not permit the use of floating point on ARM at all,
and so the correct thing to do here is to simply disable this driver on
32-bit ARM entirely.
Note that the ARM platform code does allow the VFP unit to be enabled at
boot time, and so rebuilding this driver with hardware FP should be
feasible, in case anyone has an interest in running it on a 32-bit ARM
system.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Drop the ArmSoftFloatLib dependency from the OpensslLib implementations,
so that we can retire this git submodule and associated dependencies in
other components.
The upshot of this is that OpenSSL can no longer be used on 32-bit ARM
by components that rely on the random number generation routines (which
is where the floating point usage resides). In practice, this means that
ARM platforms should use MbedTLs instead for things like signed
capsules, authenticated variables and TPM2 support. HTTPS boot is no
longer supported, as TlsDxe depends on OpensslLib directly.
Note that MbedTLS itself -surprisingly- depends on OpensslLib as well,
but only for the SM3 routines, and incorporating those does not require
softfloat support.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
If a GitHub account has been deleted entirely, a `None` user will
be returrned from the GitHub API. This change accounts for a `None`
user when querying GitHub APIs for user information.
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
This patch updates libspdm to pull in various bug fixes,
but primarily commit ca4854be3325bd8fc7f2c714574d17aac2d4e13b
which updates libspdm's MbedTLS submodule to v3.6.2, fixing
CVE https://nvd.nist.gov/vuln/detail/CVE-2023-37920 there.
This CVE does not affect libspdm or edk2, but automatic
CVE scanning tools see the bad version of the certifi
pip module in the edk2/libspdm code trees and flag these
projects as failing.
libspdm has been updated to pull in the newer MbedTLS that
fixes this issue and this patch updates edk2 to pull in
the newer libspdm.
Signed-off-by: Oliver Smith-Denny <osde@linux.microsoft.com>
As TPM2.0 is popular, updating default value for the Setup menu supports
a benefit for some systems that have another TPM Setup menu to select
TPM2.0 devices (e.g. dTPM, fTPM) depending on platform bios.
For example, when loading default configuration using F9 key in Setup
(Brower Action: SystemLevel), it is possible for them to load an
unsynchronized value. If user does not adjust the value before saving
Setup, it could influence an unexpected TPM initialization at next boot.
Setting TPM2.0 as default value supports the benefit related to the case.
Signed-off-by: Phil Noh <Phil.Noh@amd.com>
This commit is to check if the resource HOB range does not
exceed the max supported physical address.
The function BuildMemoryMapFromResDescHobs is to build Memory
Region from resource HOBs. Then the memory maps will be used
during creating or modifying SMM page table. If the resource
HOB range exceeds the max supported physical address, then
subsequent calling of PageTableMap() will fail.
Signed-off-by: Dun Tan <dun.tan@intel.com>
BaseCryptLib turn gettimeofday() from a Macro into a function call,
apply the same change to BaseCryptLibMbedTls
Signed-off-by: Amy Chan <amy.chan@intel.com>
Enable x2apic mode in case the number of possible CPUs (including
hotplug-able CPus which are not (yet) online) is larger than 255.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
The UpdateArgcArgv() function documentation says "If OldArgv or OldArgc
is NULL then that value is not returned."
However, only OldArgc was checked for NULL, probably because of
copy-pasto. In case OldArgc was non-NULL, but OldArgv was null, it could
cause a segmentation fault.
Check OldArgv is not NULL before dereferencing the value.
Signed-off-by: Tormod Volden <debian.tormod@gmail.com>
Add a debug message that indicates when the NV variables are being
initialized through the template structure.
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
When OVMF is built with SECURE_BOOT_ENABLE, the variable store will be
populated and validated in PlatformValidateNvVarStore(). When an SEV
or an SEV-ES guest is running, this may be encrypted or unencrypted
depending on how the guest was started. If the guest was started with the
combined code and variable contents (OVMF.fd), then the variable store
will be encrypted. If the guest was started with the separate code and
variables contents (OVMF_CODE.fd and OVMF_VARS.fd), then the variable
store will be unencrypted.
When PlatformValidateNvVarStore() is first invoked, the variable store
area is initially mapped encrypted, which may or may not pass the variable
validation step depending how the guest was launched. To accomodate this,
retry the validation step on failure after remapping the variable store
area as unencrypted.
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
When OVMF is built with the SECURE_BOOT_ENABLE set to true, reserving and
initializing the emulated variable store happens before memory has been
accepted under SEV-SNP. This results in a #VC exception for accessing
memory that hasn't been validated (error code 0x404). The #VC handler
treats this error code as a fatal error, causing the OVMF boot to fail.
Move the call to ReserveEmuVariableNvStore() to after memory has been
accepted by AmdSevInitialize().
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
SEV-SNP does not support the use of the Qemu flash device as SEV-SNP
guests are started using the Qemu -bios option instead of the Qemu -drive
if=pflash option. Perform runtime detection of SEV-SNP and exit early from
the Qemu flash device initialization, indicating the Qemu flash device is
not present. SEV-SNP guests will use the emulated variable support.
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
There are two issues in the GIC FDT parsing code:
- the GICC Flags 'Enabled' bit is overwritten when parsing the VGIC
Maintenance Interrupt, whose trigger type occupies another bit in the
same field;
- only the first CPU's Flags field is updated.
This breaks both SMP boot and KVM support on Linux, given that the boot
CPU is disabled in the MADT, and the VGIC maintenance interrupt is set
to 0x0 on all others.
Fix this, by OR'ing the trigger type into the field, and by iterating
over all discovered CPUs.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
This patch fixes a few instances of error cases in NetworkPkg
returning after a RaiseTPL call without restoring the TPL
first.
Signed-off-by: Oliver Smith-Denny <osde@linux.microsoft.com>
gEfiHobMemoryAllocModuleGuid is referenced in the HobPrintLib,
but it is not defined in the INF file, causing an unresolved
external error when the module is consumed by code.
Signed-off-by: Aaron Pop <aaronpop@microsoft.com>
As a BASE type library, some PEI drivers could link and use it.
Tcg2Pei.inf is an example. On edk2-stable202408 version, PEI drivers
that link the library include the global variable of mRdRandSupported.
The previous commit (c3a8ca7) that refers to the global variable actually
is found to influence the link status. Updating the global variable
in PEI drivers could affect the following issues.
PEI ROM Boot : Global variable is not updated
PEI RAM Boot : PEI FV integration/security check is failed
To address these issues, remove the global variable usage.
Signed-off-by: Phil Noh <Phil.Noh@amd.com>
The PCD token, PcdPciExpressBaseAddress is referred in the constructor.
If the token is defined as PcdsDynamic type, the PCD function that gets
the token value uses the gBS service to locate PCD protocol internally.
In this case, it is possible for the function to be called before
initializing gBS variable, then cause a system hang due to gBS variable.
Need to ensure the availability of gBS variable.
Signed-off-by: Phil Noh <Phil.Noh@amd.com>
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4873
Currently the function does not cover the 5 level paging case. it will
casued pagetable protection region set incorrectly. This patch do the
enhancemant and with the patch protection region has been set correctly.
Signed-off-by: Ning Feng <ning.feng@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4873
Currently the function does not cover the 5 level paging case. it will
casued pagetable protection region set incorrectly. This patch do the
enhancemant and with the patch protection region has been set correctly.
Signed-off-by: Ning Feng <ning.feng@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Resolves several issues in UefiCpuPkg related to:
1. Unchecked returns leading to potential NULL or uninitialized access.
2. Potential unchecked integer overflows.
3. Incorrect comparison between integers of different sizes.
Co-authored-by: kenlautner <85201046+kenlautner@users.noreply.github.com>
Signed-off-by: Chris Fernald <chfernal@microsoft.com>
Qualcomm is (finally) migrating its email infrastructure for open source
developers. Update Maintainers.txt (and .mailmap) to reflect.
Github username remains unchanged.
Signed-off-by: Leif Lindholm <quic_llindhol@quicinc.com>
Unlike CPACR_EL1 whose reserved bits are solely RES0, CPTR_EL2 has some
RES1 bits, and so we should not clear them unless we know what they
mean. For example, when SVE was introduced, CPACR_EL1.ZEN occupied a
RES0 field and thus 0 means trap (which is what we get at EL1), but
CPTR_EL2.TZ occupied a RES1 field and thus 1 means trap, but we set it
to 0, so the environment is inconsistent between EDK2 and EL1 and EL2.
Another concrete case is for Morello, where the CEN/TC fields similarly
gate access to capability register state, but also alter exception
delivery and return, such that VBAR_ELx and ELR_ELx become capabilities.
So long as software adheres to RES0/1 this is backwards-compatible, but
since EDK2 does not do so here it inadvertently enables capability-based
exception delivery and return and thus, when run at EL2, gets stuck in a
trap loop when taking its first interrupt, but works just fine at EL1.
Fix this by setting all the RES1 fields in CPTR_EL2, following the
pattern for CPACR_EL1's non-zero initial value (due to setting FPEN so
as to not trap on SIMD/FP use), tested by running ArmVirtQemu-AARCH64
(DEBUG) on Morello QEMU with EL2 enabled.
Signed-off-by: Jessica Clarke <jrtc27@jrtc27.com>
These constants give the set of RES1 bits in CPTR_EL2, as 1s, and the
default value to use for CPTR_EL2 in order to enable all known (or
harmless) features but no unknown ones that require EL2 knowledge. This
will be used by ArmPlatformPkg in the following commit, separated due to
being different packages, even though the combined change is tiny.
Signed-off-by: Jessica Clarke <jrtc27@jrtc27.com>
CP_FULL_ACCESS is a misnomer, we only enable access to SIMD/FP state,
and although the register's mnemonic is CPACR_EL1, its full name is
"Architectural Feature Access Control Register", with AArch64 having no
coprocessors like AArch32 did, so the "CP" is also not appropriate.
Rename it to show it's the default value we use on entry, and define it
in terms of the existing CPACR_FPEN_FULL rather than a magic constant
with the same value to more clearly document that fact. Also update
comments to reflect all this (including the CPTR_EL2 case).
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Jessica Clarke <jrtc27@jrtc27.com>
The existing code here predates its existence as it's assuming that
CPTR_EL2 has the traditional layout rather than being like CPACR_EL1
(likely also true elsewhere for other registers), and the UEFI spec has
nothing to say on the matter. One assumes the intent is that if you're
in EL2 you're in EL2 proper, and it would be very strange to enter EDK2
with E2H set. Document this existing assumption.
Signed-off-by: Jessica Clarke <jrtc27@jrtc27.com>
Then we can use correct TimerLib in another code,
such as dpDynamicCommand(PerformanceLib).
These API are from profileapi.h header and can refer to the link:
https://learn.microsoft.com/en-us/windows/win32/api/profileapi/
Signed-off-by: Yang Gang <yanggang@byosoft.com.cn>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4860
- The condition of GPT header checking is mismatched between PEI FatPei
module in FatPkg and DXE PartitionDxe module in MdeModulePkg.
- This patch is intended to simplify the checking condition within
FatPei module to align with PartitionDxe module to reduce code flow gap
between both of them.
- Below of condition would be checked on GPT header,
1. GPT header signature value
2. GPT header CRC value
3. GPT header LBA value
4. GPT header size of partition entry
Signed-off-by: Jason1 Lin <jason1.lin@intel.com>
Now that the ResetVectors are USER_DEFINED modules, they will not
be linked against StackCheckLibNull, which were the only modules
causing issues. So, we can now remove the kludge we had before
and the requirement for every DSC to include StackCheckLibNull
for SEC modules and just apply StackCheckLibNull globally.
This also changes every DSC to drop the SEC definition of
StackCheckLibNull.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Oliver Smith-Denny <osde@linux.microsoft.com>
Following the change in UefiCpuPkg, this moves OvmfPkg's
ResetVectors to USER_DEFINED modules to prevent any
NULL libraries from being linked against them, allowing
for expected behavior from the ResetVector and for
simpler implementation of NULL libraries applied globally.
Signed-off-by: Oliver Smith-Denny <osde@linux.microsoft.com>
The x86 reset vector is the initial FW code to run on an
AP. It should not link to any libraries and is implemented
entirely in assembly. This module is currently labled as
SEC, because it runs during the SEC phase, but by having it
SEC, it will be linked to all NULL libraries linked globally.
This causes issue with StackCheckLib (though any NULL
library being applied globally has the same issue) because
BaseTools will attempt to link the library and add an
extern to _ModuleEntryPoint, which does not exist for this
module.
Moving this module to USER_DEFINED instructs BaseTools to
not link any NULL libraries to it, which is the desired
behavior, and leads to a much cleaner global NULL library
implementation, in this case for StackCheckLib.
This change was tested on OVMF IA32/X64 and proved to work
as before.
Signed-off-by: Oliver Smith-Denny <osde@linux.microsoft.com>
Pierre Gondois
Rebecca Cran
Ard Biesheuvel
Michael Kubacki
Oliver Smith-Denny
Phil Noh
Dun Tan
Amy Chan
Gerd Hoffmann
Tormod Volden
Tom Lendacky
Aaron Pop
Ning Feng
kenlautner
Ray Ni
Leif Lindholm
Jessica Clarke
Yang Gang
Jason1 Lin
Linus Liu