Remove unnecessary check in API MmIsBufferOutsideMmValid of
StandaloneMmMemLib.
The API is used to check if a input buffer is outside MMRAM and
inside a valid non-MMRAM range. Previously, the API only checks
if the input buffer is
overlapped with MMRAM range. In the last
commit, we add logic to check if the input buffer is inside valid
non-MMRAM
ranges reported by the resource HOB. Since the resource
HOB only covers valid non-MMRAM ranges, we doesn't need to check
if the input buffer is inside the MMRAM anymore.
Signed-off-by: Dun Tan <dun.tan@intel.com>
Check if the non-MMRAM buffer is inside valid non-mmram
range in API MmIsBufferOutsideMmValid of StandaloneMmMemLib.
Previously, the API only checks if the input buffer is
overlapped with MMRAM range. Currently, in the new standalone
MM infrastructure, we limit the non-MMRAM access to the ranges
reported by the resource HOB. To meet the new design, in this
API, we cache all the memory ranges reported by the resource
HOB and check if the input buffer is inside valid non-MMRAM
ranges reported by the resource HOB.
Signed-off-by: Dun Tan <dun.tan@intel.com>
Add a internal header file for StandaloneMmMemLib.
Move some common reference and declaration into
StandaloneMmMemLibInternal.h.
Signed-off-by: Dun Tan <dun.tan@intel.com>
Makes changes to comply with alerts raised by CodeQL.
Most of the issues here fall into the following two categories:
1. Potential use of uninitialized pointer
2. Inconsistent integer width used in loop comparison
Signed-off-by: Oliver Smith-Denny <osde@linux.microsoft.com>
Add the support using gEfiSmmSmramMemoryGuid to get MMRAM ranges.
If gEfiSmmSmramMemoryGuid HOB is not found, then try to get MMRAM ranges
from gEfiMmPeiMmramMemoryReserveGuid HOB.
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Signed-off-by: Wei6 Xu <wei6.xu@intel.com>
MM_CORE_PRIVATE_DATA is not used as shared structures between MM IPL
and MM Core, therefore clean up the code related to gMmCorePrivate.
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Signed-off-by: Wei6 Xu <wei6.xu@intel.com>
MM_CORE_PRIVATE_DATA is not used as shared structures between MM IPL
and MM Core, therefore clean up the code related to gMmCorePrivate.
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Signed-off-by: Wei6 Xu <wei6.xu@intel.com>
The LockBox Dependency Library is designed for standalone MM
environments where gBS are not accessible to indicates that LockBox API
is readyfor use.
For DXE drivers use lockbox APIs via a communication mechanism
triggering an SMI, it's must to have the corresponding SMI handler
pre-installed for interrupt management. To ensure orderly operations
and proper notification, besides specified the guid in
the [Depex] section of the .inf file. The installation of smi handler,
along with the LockBox protocol marked by gEfiLockBoxProtocolGuid,
must be informed to the DXE driver. This protocol installation signifies
that the LockBox API is ready for use, and this functionality is
implemented in the constructor of this library.
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Hongbin1 Zhang <hongbin1.zhang@intel.com>
Cc: Wei6 Xu <wei6.xu@intel.com>
Cc: Dun Tan <dun.tan@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
Signed-off-by: Yuanhao Xie <yuanhao.xie@intel.com>
This change fixes an issue where the returned section data length
is always 4 bytes larger than the actual section length. This could
cause an issue where the caller accesses the final 4 bytes which
would be invalid.
Co-authored-by: Kun Qin <kuqin@microsoft.com>
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
Update entry point library for Arm to use the new architecture independent
StandaloneMmCpu driver.
Signed-off-by: Tuan Phan <tphan@ventanamicro.com>
Reviewed-by: levi.yun <yeoreum.yun@arm.com>
Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
Fix integer overflow in various CreateHob instances.
Fixes: CVE-2022-36765
The CreateHob() function aligns the requested size to 8
performing the following operation:
```
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
```
No checks are performed to ensure this value doesn't
overflow, and could lead to CreateHob() returning a smaller
HOB than requested, which could lead to OOB HOB accesses.
Reported-by: Marc Beatove <mbeatove@google.com>
Reviewed-by: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Reviewed-by: Ray Ni <ray.ni@intel.com>
Cc: John Mathew <john.mathews@intel.com>
Authored-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Gua Guo <gua.guo@intel.com>
According to the discussion in "StandaloneMmPkg: Fix HOB space and
heap space conflicted issue" [1], Standalone MM modules should be HOB
consumers where HOB is read-only. Therefore, this patch removes the
supported functions for HOB creation in the StandaloneMmHobLib.
[1] https://edk2.groups.io/g/devel/message/108333
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Reviewed-by: Ray Ni <ray.ni@intel.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Oliver Smith-Denny <osde@linux.microsoft.com>
Signed-off-by: Nhi Pham <nhiphambka@gmail.com>
StandaloneMm has its own version of the ArmMmuLib library class, but
includes the ArmMmuLib header. This happens to work because the
prototypes that are referenced are the same, but this will no longer be
the case after a future patch. So correct the #includes.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>
__FUNCTION__ is a pre-standard extension that gcc and Visual C++ among
others support, while __func__ was standardized in C99.
Since it's more standard, replace __FUNCTION__ with __func__ throughout
StandaloneMmPkg.
Signed-off-by: Rebecca Cran <rebecca@bsdio.com>
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Currently the standalonemmlibinternal assumes the max physical bits
to be 36 which is causing issues on v8 architectures.
Instead use the MAX_ALLOC_ADDRESS macro to determine the maximum
allowed address rather than recomputing it locally.
Signed-off-by: Girish Mahadevan <gmahadevan@nvidia.com>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
In an effort to clean the documentation of the above
package, remove duplicated words.
Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
TF-A: TrustedFirmware-A
SPM: Secure Partition Manager(MM)
In TF-A, the name of this field is sp_shared_buf_size. This field is
the size of range for transmit data from TF-A to standaloneMM when
SPM enable.
SpPcpuSharedBufSize is pass from TF-A while StandaloneMM initialize.
So, SpPcpuSharedBufSize should be rename to SpSharedBufSize and this field
should no multiply by PayloadBootInfo->NumCpus;
Signed-off-by: Ming Huang <huangming@linux.alibaba.com>
Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3769
Current FvLib will hit parse issue when encountering LARGE file, then
ignore latter ffs/section, thus causing required drivers not being
dispatched. Therefore, need to add support for EFI_FFS_FILE_HEADER2
and EFI_COMMON_SECTION_HEADER2 in FvLib to fix this issue.
Signed-off-by: Wei6 Xu <wei6.xu@intel.com>
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3737
Apply uncrustify changes to .c/.h files in the StandaloneMmPkg package
Cc: Andrew Fish <afish@apple.com>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3760
Update all use of ', OPTIONAL' to ' OPTIONAL,' for function params.
Cc: Andrew Fish <afish@apple.com>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Michael Kubacki <michael.kubacki@microsoft.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
Currently, the flag "-fpie" is passed for all builds with a GCC
family toolchain, including CLANGPDB. CLANGPDB however does not
support this flag as it generates PE/COFF files directly.
As the flag is mostly required for ARM-specific self-relocation, drop
it for other architectures and document the limitation to enable e.g.
X64 CLANGPDB builds of StandaloneMmCore.
Signed-off-by: Marvin Häuser <mhaeuser@posteo.de>
Acked-by: Shi Steven <steven.shi@intel.com>
This change allows to build StandaloneMmPkg components for 32bit Arm
StandaloneMm firmware.
This change mainly moves AArch64/ source files to Arm/ side directory
for several components: StandaloneMmCpu, StandaloneMmCoreEntryPoint
and StandaloneMmMemLib. The source file is built for both 32b and 64b
Arm targets.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Use intermediate (UINTN) cast when casting int from/to pointer. This
is needed as UINT64 values cast from/to 32bit pointer for 32bit
architectures.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jiewen Yao <Jiewen.yao@intel.com>
Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
Add support for reporting completion of a MM request using either the
Firmware Framework(FF-A) ABI transport or through the earlier used SVC
calls.
Signed-off-by: Achin Gupta <achin.gupta@arm.com>
Co-developed-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
With the introduction of Firmware Framework(FF-A), a Secure Partition
can get the SPM version either using FF-A calls or through the
existing svc calls. Use a runtime check to use either of the two
methods based on the Pcd feature flag value.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Co-developed-by: Achin Gupta <achin.gupta@arm.com>
Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Declare module wide variables for SPM major and minor versions to be
used in checking the SPM version compatibility. Use the SPM major and
minor version macros declared in the previous patch for the version
check.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Add the Firmware Framework(FF-A) header in the StandaloneMm entry
point driver. Support for invoking the functions through FF-A will be
added in a subsequent patch.
Signed-off-by: Achin Gupta <achin.gupta@arm.com>
Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
This change extends StandaloneMmMemLib library to support X64
architecture. The implementation is ported from MdePkg/Library/SmmMemLib.
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Supreeth Venkatesh <supreeth.venkatesh@arm.com>
Signed-off-by: Kun Qin <kun.q@outlook.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Assigning MmramRangeCount from MmCorePrivate (UINT64) to local variable
MmramRangeCount (UINT32) will cause compilation failure due to "warning
C4244: '=': conversion from 'UINT64' to 'UINT32', possible loss of data".
This changes defines local MmramRangeCount as UINTN type and adds type
cast before value assignment.
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Supreeth Venkatesh <supreeth.venkatesh@arm.com>
Signed-off-by: Kun Qin <kun.q@outlook.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
This change adds support of x64 version of StandaloneMmCoreHobLib. It
brings in global variable "gHobList" through StandaloneMmCoreEntryPoint,
imports implementation from DxeCoreHobLib.inf to support x64 Mm Core and
moved shared functional plementations into a common file.
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Supreeth Venkatesh <supreeth.venkatesh@arm.com>
Signed-off-by: Kun Qin <kun.q@outlook.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
This change extends StandaloneMmCoreEntryPoint library to support X64
architecture.
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Supreeth Venkatesh <supreeth.venkatesh@arm.com>
Signed-off-by: Kun Qin <kun.q@outlook.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Bugzilla: 3150 (https://bugzilla.tianocore.org/show_bug.cgi?id=3150)
The ECC tool reports error [8005] Variable name does not follow the rules:
1. First character should be upper case
2. Must contain lower case characters
3. No white space characters
4. Global variable name must start with a 'g'
for the constants SPM_MAJOR_VER, SPM_MINOR_VER & BOOT_PAYLOAD_VERSION.
Fix this by changing converting these constant variables to #defined
values.
Signed-off-by: Sami Mujawar <sami.mujawar@arm.com>
Acked-by: Jiewen Yao <Jiewen.yao@intel.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
Bugzilla: 3150 (https://bugzilla.tianocore.org/show_bug.cgi?id=3150)
Fix the ECC reported error "[9002] The function headers should follow
Doxygen special documentation blocks in section 2.3.5".
Signed-off-by: Sami Mujawar <sami.mujawar@arm.com>
Acked-by: Jiewen Yao <Jiewen.yao@intel.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
Bugzilla: 3150 (https://bugzilla.tianocore.org/show_bug.cgi?id=3150)
Fix the ECC reported error "[9003] The first line of text in a comment
block should be a brief description of the element being documented and
the brief description must end with a period. Comment description should
end with period '.'".
Signed-off-by: Sami Mujawar <sami.mujawar@arm.com>
Acked-by: Jiewen Yao <Jiewen.yao@intel.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
Bugzilla: 3150 (https://bugzilla.tianocore.org/show_bug.cgi?id=3150)
Fix the ECC reported error "[9002] The function headers should follow
Doxygen special documentation blocks in section 2.3.5 in Comment".
Signed-off-by: Sami Mujawar <sami.mujawar@arm.com>
Acked-by: Jiewen Yao <Jiewen.yao@intel.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
Bugzilla: 3150 (https://bugzilla.tianocore.org/show_bug.cgi?id=3150)
Fix the ECC reported error: "[9002] The function headers should
follow Doxygen special documentation blocks in section 2.3.5".
Signed-off-by: Sami Mujawar <sami.mujawar@arm.com>
Acked-by: Jiewen Yao <Jiewen.yao@intel.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
Bugzilla: 3150 (https://bugzilla.tianocore.org/show_bug.cgi?id=3150)
Fix ECC error "[5007] There should be no initialization of a variable
as part of its declaration Variable."
Signed-off-by: Sami Mujawar <sami.mujawar@arm.com>
Acked-by: Jiewen Yao <Jiewen.yao@intel.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
Bugzilla: 3150 (https://bugzilla.tianocore.org/show_bug.cgi?id=3150)
Fix the spelling mistakes reported by the spell check utility
that is run as part of the Core CI.
Signed-off-by: Sami Mujawar <sami.mujawar@arm.com>
Acked-by: Jiewen Yao <Jiewen.yao@intel.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
Apply PE/COFF fixups when starting up the standalone MM core, so that
it can execute at any address regardless of the link time address.
Note that this requires the PE/COFF image to be emitted with its
relocation section preserved. Special care is taken to ensure that
TE images are dealt with correctly as well.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
Acked-by: Jiewen Yao <Jiewen.yao@intel.com>
Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
Tested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
The standalone MM core runs in a restricted environment that is set
up by a higher privilege level, and which may not allow memory regions
to be writable and executable at the same time.
This means that making the StMM core self-relocatable requires that
all the targets of the relocation fixups are outside of the executable
region of the image, given that we cannot remap the executable code
writable from the executable code itself without losing those execute
permissions.
So instead, use the existing toolchain support to ensure that position
independent code is used where possible, and that all the remaining
relocated quantities are emitted into the data section. (Note that
staticallly initialized const pointers will be emitted into the
.data.rel.ro section, which gets pulled into the .data section by
our linker script)
To ensure that we don't pick up any absolute references in executable
code inadvertently (e.g., in assembler code), add the '-z text' linker
option which will force the build to fail in this case.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
Acked-by: Jiewen Yao <Jiewen.yao@intel.com>
Tested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Fix few typos in comments.
Cc: Achin Gupta <achin.gupta@arm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Supreeth Venkatesh <supreeth.venkatesh@arm.com>
Signed-off-by: Antoine Coeur <coeur@gmx.fr>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>
Message-Id: <20200207010831.9046-76-philmd@redhat.com>
The PCD PcdStandaloneMmEnable is unused, and shouldn't exist in the
first place since the value is implied by the context (it is never
valid to set it to FALSE for standalone MM or TRUE for traditional
MM). So drop it.
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: "Yao, Jiewen" <jiewen.yao@intel.com>
Reviewed-by: Achin Gupta <achin.gupta@arm.com>
Sending DEBUG output to the serial port should only be done via
DebugLib calls, which is in charge of initializing the serial
port when appropriate. So drop the explicit SerialPortInitialize ()
invocation, and rely on normal constructor ordering to get the
serial port into the appropriate state at the right time.
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: "Yao, Jiewen" <jiewen.yao@intel.com>
Reviewed-by: Achin Gupta <achin.gupta@arm.com>
In a system implementing the variable store in MM, there are no variable
arch protocol and variable write arch protocol installed into the
DXE_SMM protocol database. On such systems, it is not required to
locate these protocols by the DXE runtime variable drivers because
it can be assumed that these protocols are already installed in the
MM context. But then such an implementation will deviate from the
existing traditional MM based variable driver implementation.
So in order to maintain consistency with the traditional MM variable
driver implementation, allow platforms to install these protocols into
the DXE protocol database but these protocol will not be consumed
by non-secure variable service runtime driver.
The Platform which uses StandaloneMM based secure variable storage
have to include this library
Example
In edk2-platforms/Platform/ARM/SgiPkg/SgiPlatform.dsc
ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf {
<LibraryClasses>
NULL|StandaloneMmPkg/Library/VariableMmDependency/VariableMmDependency.inf
}
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jagadeesh Ujja <jagadeesh.ujja@arm.com>
Acked-by "Yao, Jiewen" <jiewen.yao@intel.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
TE images take up less space when using 4 KB section alignment, since
the FFS/FV generation code optimizes away the redundant, nested padding.
This saves 4 KB of space, which is a worthwhile improvement for code
that executes in place in secure context.
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Achin Gupta <achin.gupta@arm.com>
Dun Tan
Michael Kubacki
Wei6 Xu
xieyuanh
Tuan Phan
Gua Guo
Nhi Pham
Ard Biesheuvel
Rebecca Cran
Girish Mahadevan
Pierre Gondois
Ming Huang
Michael D Kinney
Marvin Häuser
Etienne Carriere
Achin Gupta
Sughosh Ganu
Kun Qin
Sami Mujawar
Ard Biesheuvel
Antoine Coeur
Ard Biesheuvel
Jagadeesh Ujja