SEC, PEI_CORE and PEIM type modules generally execute in place from
memory that is not writable. This means that it is not generally
possible to use an entrypoint implementation that stores a dynamically
generated stack cookie into a global variable. For PEIMs in particular,
there may be other options, such as a DEPEX on the permanent memory PPI,
but the current dynamic implementations of the stack checking library
entrypoints for PEI_CORE and PEIM modules must not be used as-is.
So remove them, and update the readme accordingly.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Remove some source files that were part of an earlier incarnation of
DynamicStackCookieEntryPointLib but are no longer actually in use.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Adds dynamic stack cookies in the form of copies of the entry
point libraries that use shared logic to update stack cookies
at runtime.
This relies on RDRAND on IA32/X64 and RNDR on AARCH64 to get a
random number to apply to the stack cookie on module entry point.
This simplifies the logic a platform must do to include stack
check functionality.
Signed-off-by: Oliver Smith-Denny <osde@microsoft.com>
This commit moves StackCheckLib from a NULL lib to an instance of
StackCheckLib. This requires every entry point to add a library
dependency on StackCheckLib. It also requires every SEC module
to have a dependency on StackCheckLib because there is no
standard SEC entry point.
It allows for greater flexibility for a platform to apply stack
cookies and simplifies DSC logic.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Oliver Smith-Denny <osde@microsoft.com>
Moves StandaloneMmCoreEntryPoint for X64 to MdePkg to live with
the other entry point libs. It does not move the ARM64 version,
as this was just moved to ArmPkg due to its heavy coupling with
ArmPkg code. This will need to be revisited when dynamic stack
cookie support is added to ARM64 StMM.
This commit just adds the library in MdePkg, a separate commit
will remove it from StandaloneMmPkg to make it easier to consume.
Signed-off-by: Oliver Smith-Denny <osde@microsoft.com>
StackCheckLib defines the interface between a compiler
and the stack checking code. It is being converted from
a NULL library class to an actual library class to make
it easier to use for a platform and be easier to define
the expected interface with a compiler, so if there is
a compiler change it can be tracked and caught.
Signed-off-by: Oliver Smith-Denny <osde@microsoft.com>
RNDR is a standard register defined in the ARM ARM for
AARCH64. Move the definition from BaseRngLib to AArch64.h.
Furthermore, move the inclusion of this register definition
to the ARM specific header file.
Signed-off-by: Oliver Smith-Denny <osde@microsoft.com>
REF:https://github.com/tianocore/edk2/issues/10529
Adds a new PEI library instance for RngLib that uses the RNG services
provided by the RNG PPI.
This library instance will add a DEPEX on gEfiRngPpiGuid on modules
it links against. It can be used to allow PEIMs to get RNG support
over a dynamic interface.
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
gcc 15 switched to use the new ISO C23 standard by default.
'bool', 'true' and 'false' are keywords in C23, so do not
try to define them.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
PeCoffLoaderRelocateImageForRuntime() executes after boot services, and
so it should not use DEBUG() prints at all, given that these may rely on
MMIO mappings or other boot time facilities that are no longer
available.
So revert the changes in aedcaa3df8 ("MdePkg: Fix overflow issue in
PeCoffLoaderRelocateImageForRuntime") that replaced code comments with
DEBUG() statements.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
RelocDir->Size is a UINT32 value, and RelocDir->VirtualAddress is
also a UINT32 value. The current code in
PeCoffLoaderRelocateImageForRuntime does not check for overflow when
adding RelocDir->Size to RelocDir->VirtualAddress. This patch uses
SafeIntLib to ensure that the addition does not overflow.
Signed-off-by: Sachin Ganesh <sachinganesh@ami.com>
If USB device reports class specific descriptors, it is currently the job of
device driver to parse the configuration to find the class specific data.
The new library functions parse the configuration descriptor and return class
specific interface and class specific endpoint descriptors.
Also, these new functions allow to retrieve the data from non-default alternate
settings without performing a switch to this setting. Switching to the
alternate setting currently implies the execution of UsbSetInterface function
that performs USB control transfer.
In some cases this switch is not desirable so the new functions
UsbGetInterfaceDescriptorSetting and UsbGetEndpointDescriptorSetting come
in handy.
Signed-off-by: Oleg Ilyasov <olegi@ami.com>
Enable foreign images loading on LoongArch64 if the
EDKII_PECOFF_IMAGE_EMULATOR_PROTOCOL is present.
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Signed-off-by: Chao Li <lichao@loongson.cn>
Co-Authored-by: Dongyan Qian <qiandongyan@loongson.cn>
The GetRandomNumber functions in DxeRngLib can return success without
actually generating a random number. This occurs because there are code
paths through `GenerateRandomNumberViaNist800Algorithm` that do not
initialize the `Status` variable.
- Assume mFirstAlgo == MAX_UINTN (no secure algorithms available)
- Assume none of the secure algorithms have `Available` set.
- Assume PcdEnforceSecureRngAlgorithms is TRUE.
In this condition, the `Status` variable is never initialized, `Buffer`
data is never touched. It is fairly likely that Status is 0, so we can
return EFI_SUCCESS without writing anything to Buffer.
Fix is to set `Status = error_code` in this code path.
`EFI_SECURITY_VIOLATION` seems appropriate.
Signed-off-by: Doug Cook <idigdoug@gmail.com>
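The failure mode described in the commit message above, as an added example that is not DxeRngLib code. The control flow is a simplified model built from the three listed conditions; `generate`, `ALGO`, `RESULT`, the status values and the `stale` parameter (which stands in for the indeterminate value of an uninitialized `Status`) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed status codes and markers for this model, not the EFI values. */
enum { ST_SUCCESS = 0, ST_SECURITY_VIOLATION = 26 };
#define NO_ALGO  ((size_t)-1)   /* plays the role of MAX_UINTN */
#define SENTINEL 0xAA           /* marks caller buffer bytes never written */

typedef struct { bool available; } ALGO;            /* hypothetical algorithm entry */
typedef struct { int status; bool untouched; } RESULT;

/* Simplified model of the described flow. `stale` simulates what an
   uninitialized Status would hold; `fixed` selects the behaviour after the
   fix, which sets an explicit error on the fall-through path. */
static int generate(const ALGO *algos, size_t count, size_t first_algo,
                    bool enforce_secure, bool fixed, int stale,
                    uint8_t *buf, size_t len) {
  int status = stale;
  if (first_algo != NO_ALGO) {            /* a secure algorithm was cached */
    memset(buf, 0x5C, len);               /* constructed "random" output */
    return ST_SUCCESS;
  }
  for (size_t i = 0; i < count; i++) {
    if (algos[i].available) { memset(buf, 0x5C, len); return ST_SUCCESS; }
  }
  if (!enforce_secure) {                  /* default algorithm is permitted */
    memset(buf, 0x5C, len);
    return ST_SUCCESS;
  }
  if (fixed) status = ST_SECURITY_VIOLATION;
  return status;                          /* unfixed: whatever `stale` was */
}

/* Applies the three conditions from the commit message and reports the
   status plus whether the caller's buffer still holds only the sentinel. */
RESULT no_secure_algo_case(bool fixed, int stale) {
  ALGO algos[2] = { { false }, { false } };
  uint8_t key[16];
  RESULT r = { 0, true };
  memset(key, SENTINEL, sizeof key);
  r.status = generate(algos, 2, NO_ALGO, true, fixed, stale, key, sizeof key);
  for (size_t i = 0; i < sizeof key; i++) {
    if (key[i] != SENTINEL) r.untouched = false;
  }
  return r;
}

int main(void) { return no_secure_algo_case(true, 0).status == ST_SECURITY_VIOLATION ? 0 : 1; }
```

With `stale` set to 0 the unfixed path reports success while the key buffer is unchanged, which is the case a caller cannot detect from the return value alone.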
With mSecureHashAlgorithms being static this should not be
needed any more.
Suggested-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
As a BASE type library, some PEI drivers could link and use it.
Tcg2Pei.inf is an example. On edk2-stable202408 version, PEI drivers
that link the library include the global variable of mRdRandSupported.
The previous commit (c3a8ca7) that refers to the global variable actually
is found to influence the link status. Updating the global variable
in PEI drivers could affect the following issues.
PEI ROM Boot : Global variable is not updated
PEI RAM Boot : PEI FV integration/security check is failed
To address these issues, remove the global variable usage.
Signed-off-by: Phil Noh <Phil.Noh@amd.com>
The PCD token, PcdPciExpressBaseAddress is referred in the constructor.
If the token is defined as PcdsDynamic type, the PCD function that gets
the token value uses the gBS service to locate PCD protocol internally.
In this case, it is possible for the function to be called before
initializing gBS variable, then cause a system hang due to gBS variable.
Need to ensure the availability of gBS variable.
Signed-off-by: Phil Noh <Phil.Noh@amd.com>
Includes changes across the repo for the following CodeQL rules:
- cpp/comparison-with-wider-type
- cpp/overflow-buffer
- cpp/redundant-null-check-param
- cpp/uselesstest
Co-authored-by: Taylor Beebe <tabeebe@microsoft.com>
Co-authored-by: kenlautner <85201046+kenlautner@users.noreply.github.com>
Signed-off-by: Aaron Pop <aaronpop@microsoft.com>
In order to support a platform overriding StackCheckLibNull
provided by MdeLibs.dsc.inc, the CUSTOM_STACK_CHECK_LIB macro
is introduced. If this macro is defined, MdeLibs.dsc.inc will
not link StackCheckLibNull and it is expected that the platform
will link the version(s) of StackCheckLib that it requires.
The StackCheckLib README is also updated in this patch to
document the new macro and provide additional information.
Signed-off-by: Oliver Smith-Denny <osde@linux.microsoft.com>
This change adds parentheses to the if condition detecting overflow in
the PeCoffLoaderRelocateImage function to improve readability.
Follow on change for:
REF!: https://github.com/tianocore/edk2/pull/6249
Signed-off-by: Doug Flick <dougflick@microsoft.com>
FdtLib.h uses CONST FDT_PROPERTY * return values for some wrapper
functions, but the implementation in FdtLib.c used the original
CONST struct fdt_property * instead of the exported typedef.
Import LibFdt.h in the implementation file and make the
implementation consistent with the declaration.
Signed-off-by: Leif Lindholm <quic_llindhol@quicinc.com>
Add a wrapper for fdt_strerror () and add the currently supported error
code defines from submodule.
Signed-off-by: Leif Lindholm <quic_llindhol@quicinc.com>
There is currently a mix of functions named as Prop or Property.
The latter is in majority, and the better fit for tianocore coding style,
so rename FdtNodeOffsetByPropValue () and FdtSetProp () for consistency.
To avoid breaking bisect, change existing users in UefiPayloadPkg.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Leif Lindholm <quic_llindhol@quicinc.com>
FdtNumRsv and FdtGetMemRsv were added for the benefit of UefiPayloadPkg,
but their naming matches neither upstream libfdt nor tianocore coding
style rules. And there was scope for improvement of the doxygen
descriptions as well.
These functions currently have only one in-tree user, UefiPayloadPkg
FdtParserLib. So rename them more conformant
FdtGetNumberOfReserveMapEntries
and
FdtGetReserveMapEntry
and update the description comment blocks, at the same time as
updating the existing user.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Leif Lindholm <quic_llindhol@quicinc.com>
The RelocDir->Size is a UINT32 value, and RelocDir->VirtualAddress is
also a UINT32 value. The current code does not check for overflow when
adding RelocDir->Size to RelocDir->VirtualAddress. This patch adds a
check to ensure that the addition does not overflow.
Signed-off-by: Doug Flick <dougflick@microsoft.com>
Authored-by: sriraamx gobichettipalayam <sri..@intel.com>
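The 32-bit wraparound that this commit message and the earlier PeCoffLoaderRelocateImageForRuntime one describe, as an added example that is not edk2 code. The function names, the comparison against an image size, and the sample values are assumptions made for illustration; the check is written by hand here rather than with SafeIntLib.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked form: both operands are 32-bit, so the sum wraps modulo 2^32
   and the computed end can be lower than the start. */
uint32_t reloc_end_unchecked(uint32_t virtual_address, uint32_t size) {
  return virtual_address + size;
}

/* Bounds test built on the unchecked sum; a wrapped end slips through. */
bool reloc_in_image_unchecked(uint32_t virtual_address, uint32_t size,
                              uint32_t image_size) {
  return reloc_end_unchecked(virtual_address, size) <= image_size;
}

/* Checked form: refuse the directory when the sum does not fit in 32 bits,
   then apply the same bounds test to the exact sum. */
bool reloc_in_image_checked(uint32_t virtual_address, uint32_t size,
                            uint32_t image_size) {
  if (size > UINT32_MAX - virtual_address) {
    return false;                        /* addition would overflow */
  }
  return virtual_address + size <= image_size;
}

int main(void) {
  /* Constructed header values: a 64 KiB image and a relocation directory
     whose Size field pushes VirtualAddress + Size past 2^32. */
  uint32_t image_size = 0x10000u, va = 0x3000u, size = 0xFFFFE000u;

  printf("unchecked: end=0x%x accepted=%d\n",
         (unsigned)reloc_end_unchecked(va, size),
         reloc_in_image_unchecked(va, size, image_size));
  printf("checked:   accepted=%d\n",
         reloc_in_image_checked(va, size, image_size));
  return 0;
}
```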
Devicetree defines a short hand way of defining reserved memory
ranges. Add APIs to access such nodes.
Signed-off-by: Dhaval Sharma <dhaval@rivosinc.com>
DxeRngLib iterates over a list of secure algorithms before trying
to use the default algorithm provided by the Rng protocol. Add
gEfiRngAlgorithmArmRndr to this list. The algorithm represented by
this GUID is a secure DRBG of an unknown type, implemented by the
aarch64 RNDR instruction.
On AARCH64 platform, use the RNDR instruction as the first option
if it is available.
Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
Use PcdEnforceSecureRngAlgorithms to allow using the Rng protocol
with the default algorithm. All previous calls to the Rng protocol
are requesting a secure Rng algorithm.
Not specifying the Rng algorithm GUID to use is considered unsecure.
Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
Add a library constructor which:
- locate the RNG protocol and keep a reference to it in order to avoid
locating it multiple times (for each random number generation)
- check which secure algorithm is available on the platform.
This avoids trying each secure algorithm until finding one
available for each random number generation call.
Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
Now that the new stack check lib implementation is being used
everywhere, remove the old one.
Signed-off-by: Oliver Smith-Denny <osde@linux.microsoft.com>
StackCheckLib contains the required functionality for initializing
the stack cookie value, checking the value, and triggering an interrupt
when a mismatch occurs. The stack cookie is a random value placed on the
stack between the stack variables and the return address so that
continuously writing past the stack variables will cause the stack cookie
to be overwritten. Before the function returns, the stack cookie value
will be checked and if there is a mismatch then StackCheckLib handles the
failure.
Because UEFI doesn't use the C runtime libraries provided by MSVC, the
stack check code is written in assembly within this library. GCC and
Clang compilers have built-in support for stack cookie checking, so this
library only handles failures.
Signed-off-by: Oliver Smith-Denny <osde@linux.microsoft.com>
Add Null libs for Stack Check and Stack Check Failure Hook Lib that
allow a platform to opt out of stack checks and the stack check failure
hook lib.
StackCheckLib allows implementation (or in this case null implementation)
of stack checks on binaries. There is a Host Application specific version
of this null lib because MSVC host applications must not be linked against
our lib (so the file here is a no-op but that doesn't cause the build
system to fail the build for not building a file for MSVC) as it links
against the MSVC C runtime lib that provides the stack cookie definitions.
GCC host applications do not link against such a C runtime lib and must
be linked against our version.
StackCheckFailureHookLib lets a platform do custom functionality when a
stack check failure occurs (such as log it to a platform defined
mechanism). The null lib simply returns.
Signed-off-by: Oliver Smith-Denny <osde@linux.microsoft.com>
As per the emailed RFC in
https://edk2.groups.io/g/devel/topic/rfc_move/107675828,
this patch moves CompilerIntrinsicsLib from ArmPkg to
MdePkg as this library provides compiler intrinsics, which
are industry standard.
This aligns with the goal of integrating ArmPkg into existing
packages: https://bugzilla.tianocore.org/show_bug.cgi?id=4121.
The newly placed CompilerIntrinsicsLib is added to MdeLibs.dsc.inc
as every DSC that builds ARM/AARCH64 needs this library added. The
old location is removed from every DSC in edk2 in this commit also
to not break bisectability with minimal hoop jumping.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Oliver Smith-Denny <osde@linux.microsoft.com>
Moved SetMemN API to a separate file to eliminate unnecessary inclusion
of InternalMemSetMem64 and InternalMemSetMem32 APIs in driver binary.
When the compiler is linking the Object files it may not remove all the
unused from NASM OBJs. This change is to reorganize the C files to
minimize the impact of the NASM behavior resulting in code size
reduction.
Signed-off-by: Ashraf Ali <ashraf.ali.s@intel.com>
Currently, the NULL version Tdx functions are only built for Ia32.
In BaseLib, the other architectures also need such NULL version
Tdx functions.
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Signed-off-by: Ceping Sun <cepingx.sun@intel.com>
DevPathToTextUsbWWID allocates a separate copy of the SerialNumber
string to append a null terminator if the original string is not null
terminated. However, by using AllocateCopyPool, it tries to copy
'Length + 1' words from the existing string containing 'Length'
characters into the target string. Split the copy out to only copy
'Length' characters instead.
This was reported by GCC's -Wstringop-overread when compiling a copy
of this routine included in a library on FreeBSD.
Signed-off-by: John Baldwin <jhb@FreeBSD.org>
Added a new name for CSR 0x20 because LoongArch SPEC has adjusted the CSR
0x20 register name.
Ref: LoongArch Reference Manual Vol 1, Section 7.1.
https://loongson.github.io/LoongArch-Documentation/LoongArch-Vol1-EN.html#control-and-status-registers
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Signed-off-by: Chao Li <lichao@loongson.cn>
FVP Base Revc doesn't support Trng.
ASSERT (FALSE) is causing the boot to stall.
Replacing ASSERT with ERROR log.
Signed-off-by: Prachotan Reddy Bathi <Prachotan.Bathi@arm.com>
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4786
Disable some compiling warnings caused by submodule code.
Those can be removed later once issues fixed by submodule owner.
Signed-off-by: Linus Liu <linus.liu@intel.com>
This adds FdtNodeOffsetByCompatible() to support finding the offset of
the first node with a given 'compatible' value after an offset.
Signed-off-by: Nhi Pham <nhi@os.amperecomputing.com>
This change is added to incorporate basic implementation for
CRC16-CCITT-FALSE algorithm.
This function is useful for providing CRC16 value used in other data
structures that require CRC16 value that complies with JEDEC SPD
requirements, i.e. BDAT table.
The lookup table is inherited from `https://crccalc.com/` and the result
values are also compared against this site.
Signed-off-by: Aaron Pop <aaronpop@microsoft.com>