The timer counter register can wrap around and when this happens,
we'll get misbehavior for any MicroSecondDelay() calls. This adds
handling for that.
Signed-off-by: Carsten Haitzler <carsten.haitzler@foss.arm.com>
This patch measures the ExitBootServices invocation to the
TPM even in the case of ExitBootServices failing, per TCG
PC Client Platform Firmware Profile Version 1.06 Revision
52 Family 2.0 section 8.2.4(i).
Signed-off-by: Oliver Smith-Denny <osde@linux.microsoft.com>
When including one ASL file in another, add a header / footer to the
included file to easily tell where the included file starts and ends.
Signed-off-by: Joey Vagedes <joey.vagedes@gmail.com>
Clang complains about a couple of variables potentially being
uninitialized, and those complaints seem to be valid.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
'asm' is not a keyword in C99, but GCC supports it nonetheless as a GNU
extension. So when using Clang, we must specify the gnu99 dialect
explicitly, or inline asm blocks using asm() rather than __asm__() will
be rejected by the compiler.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
When launching a SEV-SNP VM, the ROM is not all that must be measured.
The OvmfSevMetadata sections describe ranges of memory that must be
measured with different types than PAGE_TYPE_NORMAL, except one. The
SevSnpKernelHashes page is also PAGE_TYPE_NORMAL, but is populated by
the VMM from configuration data that is separate from the OVMF build
itself. To more compactly provide reference values for the measurement
of the firmware separately from the kernel hashes, it's advantageous to
measure as much known information as possible first.
Whereas VMMs are permitted to measure these sections in any order they
prefer, the normative order of how they appear in the .fd is easiest to
follow. This change is semantics-preserving. Measurement calculation
tools that do not follow the normative ordering would need updating to
accommodate, but I don't know of any. The accounting for EC2 moving the
CPUID page to the end of measurement would be unchanged.
This change is to improve performance of a proposed launch update event
log to separate responsibility for initially measured data before VM
launch, application/vnd.amd.sevsnp.launch-updates+cbor:
https://github.com/deeglaze/draft-deeglaze-amd-sev-snp-corim-profile
Signed-off-by: Dionna Glaze <dionnaglaze@google.com>
On AARCH64 systems, the GCD is not fully synced with the page table. On
x86 systems, the GCD is synced by adding `EFI_MEMORY_RO`,
`EFI_MEMORY_RP`, and `EFI_MEMORY_XP` to the current capabilities of the
GCD, then the page table attributes are set on the GCD attributes.
However, on AARCH64, the GCD capabilities do not get updated, instead
only the attributes from the page table are masked by the existing GCD
capabilities, which means that any new page table attribute which are
already set are dropped and the GCD does not reflect the state of the
system. This has been seen to cause issues where memory in the page
table that was marked `EFI_MEMORY_XP` had an additional attribute set
using the GCD capabilities, which did not include `EFI_MEMORY_XP`, this
caused the page table to be updated to lose `EFI_MEMORY_XP`, which is a
potential security issue.
The existing behavior on AARCH64 systems is an implementation error, it
assumes one of two things:
- The page table attributes must be a subset of the GCD capabilities
- The GCD does not need to have its capabilities synced to what the page
table attributes are
The first is incorrect as important attributes such as `EFI_MEMORY_XP`
do not get applied to the GCD capabilities by default and therefore must
be synced back. This comment from ArmPkg's CpuDxe driver helps explain:
```c
// The GCD implementation maintains its own copy of the state of memory
// space attributes. GCD needs to know what the initial memory space
// attributes are. The CPU Arch. Protocol does not provide a
// GetMemoryAttributes function for GCD to get this so we must resort to
// calling GCD (as if we were a client) to update its copy of the
// attributes. This is bad architecture and should be replaced with a
// way for GCD to query the CPU Arch. driver of the existing memory
// space attributes instead.
```
However, this comment misses that updating the capabilities is critical
to updating the attributes.
The second is incorrect because significant pieces of core code
reference the GCD attributes instead of the page table attributes. For
example, NonDiscoverablePciDeviceDxe uses the GCD capabilities and
attributes when interacting with a non-discoverable PCI device. When the
GCD is not synced to the page table, we get the errors and security
concerns listed above.
Signed-off-by: Oliver Smith-Denny <osde@linux.microsoft.com>
There are a number of mostly older guests such as RHEL-7 which do not
support 5-level paging. This patch adds support for switching from
5-level paging mode back to 4-level paging mode. This is done in PEI,
after inspecting the address space needed (installed memory and
reservations configured via fw_cfg).
By default small guests (which need less than 1 TB) will use 4-level
paging mode. There is a fw_cfg override though, so it is possible to
force the one or the other this way:
qemu-system-x86_64 -fw_cfg name=opt/org.tianocode/PagingLevel,string=5
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Since all places where the old name was used for the LoongArch CSR 0x20
regiser have been changed to the new name, the old name is removed.
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Signed-off-by: Chao Li <lichao@loongson.cn>
Since the LoongArch SPEC has adjusted the CSR 0x20 register name and
the MdePkg also added the new name, so enable it in OvmfPkg.
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Chao Li <lichao@loongson.cn>
Since the LoongArch SPEC has adjusted the CSR 0x20 register name and
the MdePkg also added the new name, so enable it in UefiCpuPkg.
Cc: Ray Ni <ray.ni@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Signed-off-by: Chao Li <lichao@loongson.cn>
Added a new name for CSR 0x20 because LoongArch SPEC has adjustd the CSR
0x20 register name.
Ref: LoongArch Reference Manual Vol 1, Seciton 7.1.
https://loongson.github.io/LoongArch-Documentation/LoongArch-Vol1-EN.html#control-and-status-registers
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Signed-off-by: Chao Li <lichao@loongson.cn>
X64 arch needs to restart the MM dispatcher once MM entry point is
registered, therefore set PcdRestartMmDispatcherOnceMmEntryRegistered
to TRUE by default for X64 only.
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Signed-off-by: Wei6 Xu <wei6.xu@intel.com>
When booting OvmfXen, the ACPI interface for shutdown/reset might not
be available, instead use the hypercall interface.
While it's probably possible to use the hypercall in all cases, we
keep using the same interface while it still possible. That is ACPI on
HVM guest, and fallback to hypercall on PVH guest.
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Signed-off-by: Jason Andryuk <jason.andryuk@amd.com>
Add a new function to allow to make an hypercall to shutdown the
machine.
This import "sched.h" public header from Xen Project's repo. Some
changes have been made to be closer to EDK2's coding style.
Add the entire OvmfPkg/Include/IndustryStandard/Xen/ directory to
LicenseCheck ignore. All the existing header files, as well as the new
sched.h, are MIT licensed.
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Signed-off-by: Jason Andryuk <jason.andryuk@amd.com>
XenHypercallLib now makes direct hypercalls, so HyperPages is
unnecessary and can be removed.
Change the XenPvhDetected() ASSERT to use the Xen version. That has
never been 0, AFAIK.
Signed-off-by: Jason Andryuk <jason.andryuk@amd.com>
This removes the need to allocate memory for the hypercall page,
particularly for use during runtime. This also makes the library usable
in all phases, so LIBRARY_CLASS can remove the restrictions.
The processor vendor is used to select vmmcall or vmcall instructions.
The listed vendors are those in the Xen tree.
Signed-off-by: Jason Andryuk <jason.andryuk@amd.com>
In the current code, TDVF reads the PcdSetNxForStack value via fw_cfg ,
but overwrites it with a fixed value after the read is complete.
In this patch, TDVF removes the redundant logic code.
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Ceping Sun <cepingx.sun@intel.com>
LocateAndInstallAcpiFromFvConditional was always returning EFI_SUCCESS
even when it failed to find `AcpiFile`. Fix that, and improve the layout
by checking if an error occurred and breaking earlier.
Signed-off-by: Rebecca Cran <rebecca@bsdio.com>
According to TCG's Platform Reset Attack Mitigation spec, the OS should
never create the MOR variable, only read and write it.
But some OSes (Fedora 24 and 25) don't follow the TCG's Platform Reset
Attack Mitigation spec and unintentionally create MOR variable.
The commit fda8f631ed added function
VariableHaveTcgProtocols() to check against Tcg/Tcg2 protocol to infer
whether the MOR variable is created by platform firmware or not. If not,
delete the variable created by OS and lock the variable to avoid OS to
create it.
But in VariableStandaloneMm, VariableHaveTcgProtocols() always returns
FALSE, it causes TCG MOR secure feature does not work in standalone MM
environment.
As Fedora 24 and 25 are EOL today, directly returns TRUE in the function
VariableHaveTcgProtocols() for VariableStandaloneMm, and rename the
function to VariableIsMorVariableLegitimate() to make it more obvious
what the narrow use-case is for which it exists.
Signed-off-by: Wei6 Xu <wei6.xu@intel.com>
REF : https://bugzilla.tianocore.org/show_bug.cgi?id=4817
This commit is to add OrderedCollectionLib in MdePkg for DxeCore usage.
Cc: Ray Ni <ray.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Signed-off-by: Andrew Fish <afish@apple.com>
Tested-by: Xiaoqiang Zhang <xiaoqiang.zhang@intel.com>
REF : https://bugzilla.tianocore.org/show_bug.cgi?id=4817
Before entering BIOS setup, CoreValidateHandle function executed
over 600,000 times during BDS phase on latest 8S server platform.
In CoreValidateHandle function, current implementation will go
through the doubly-linked list handle database in each call, and
this will have big impact on boot performance.
The optimization is using Red-black tree to store the EFI handle
address when insert each EFI handle into the handle database, and
remove the handle from Red-black tree if the handle is removed
from the handle database. CoreValidateHandle function changed to
go through the Red-black tree.
After verification on latest 8S server platform, BDS boot time can
save 20s+ after this change.
Cc: Ray Ni <ray.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Signed-off-by: Andrew Fish <afish@apple.com>
Tested-by: Xiaoqiang Zhang <xiaoqiang.zhang@intel.com>
LzmaDecompressLib does not exist as a library class, and the library
implementation that is usually referenced in this context is intended to
be incorporated using NULL library class resolution.
Let's fix this so that we can drop the reference to LzmaDecompressLib.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Tested-by: Sami Mujawar <sami.mujawar@arm.com>
Some of the boilerplate in ArmPlatformLib is only relevant when entering
UEFI on multiple cores, and this is no longer supported. So retire the
associated helper routines.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Some of the boilerplate in ArmPlatformLib is only relevant when entering
UEFI on multiple cores, and this is no longer supported. So retire the
associated helper routines.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Add helper functions to generate AML resource data
for I/O resource descriptor.
Cc: Pierre Gondois <pierre.gondois@arm.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Signed-off-by: Abdul Lateef Attar <AbdulLateef.Attar@amd.com>
Implementation of MEDIA_SANITIZE_PROTOCOL for NIST
purge/clear actions with mapping to NVM Express native
commands.
Signed-off-by: Aaron Pop <aaronpop@microsoft.com>
When allocating memory for a non-discoverable PCI device's IO, the
current core code removes the XP attribute, allowing code to execute
from that region. This is a security vulnerability and unneeded. This
change updates to mark the region as XP when allocating memory for the
non-discoverable PCI device.
These allocations in this function are limited to `EfiBootServicesData`
and `EfiRuntimeServicesData`, which we expect to be XP.
Signed-off-by: Aaron Pop <aaronpop@microsoft.com>
Currently whenever gDS->SetMemorySpaceCapabilities() is called, it
attempts to set the corresponding attributes in the gMemoryMap
descriptor. However, gMemoryMap only contains entries from GCD types
EfiGcdMemoryTypeSystemMemory and EfiGcdMemoryTypeMoreReliable, so
for all other types a failure is reported in the code. This is a
failure that is expected, so it does not provide value and can
lead to real failures being ignored.
This patch updates the gDS->SetMemorySpaceCapabilities() code to
only call into updating gMemoryMap if the GCD type is SystemMemory
or MoreReliable, to avoid spurious errors being reported. This
also avoids the expensive operation of searching through gMemoryMap
for entries we know we will fail to find.
Signed-off-by: Oliver Smith-Denny <osde@linux.microsoft.com>
The Memory Attributes Table is generated by fetching the EFI memory map
and splitting entries which contain loaded images so DATA and CODE
sections have separate descriptors. The splitting is done via a call to
SplitTable() which
marks image DATA sections with the EFI_MEMORY_XP attribute and CODE
sections with the EFI_MEMORY_RO attribute when
splitting. After this process, there may still be EfiRuntimeServicesCode
regions which did not have their attributes set because they are not
part of loaded images.
This patch updates the MAT EnforceMemoryMapAttribute logic to set the
access attributes of runtime memory regions which are not part of loaded
images (have not had their access attributes set). The attributes of the
code regions will be read-only and no-execute because the UEFI spec
dictates that runtime code regions should only contain loaded EFI
modules.
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4832
Refs:
1.
https://edk2.groups.io/g/devel/topic/patch_v1_mdemodulepkg/105570114?p=,,,20,0,0,0::recentpostdate/sticky,,,20,2,0,105570114
2.
https://edk2.groups.io/g/devel/topic/mdemodulepkg_fix_mat/105477564?p=,,,20,0,0,0::recentpostdate/sticky,,,20,2,0,105477564
Signed-off-by: Oliver Smith-Denny <osde@linux.microsoft.com>
Per UEFI spec 2.10 section 4.6.3 EFI_MEMORY_ATTRIBUTES_TABLE,
"The Memory Attributes Table is currently used to describe memory
protections that may be applied to the EFI Runtime code and data
by an operating system or hypervisor. Consumers of this table must
currently ignore entries containing any values for Type except for
EfiRuntimeServicesData and EfiRuntimeServicesCode to ensure
compatibility with future uses of this table."
However, the current MAT code also enforces attributes for
EfiMemoryMappedIo and EfiMemoryMappedIoPortSpace, which it should
not be. Per
https://edk2.groups.io/g/devel/topic/patch_v1_mdemodulepkg/105570114?p=,,,20,0,0,0::recentpostdate/sticky,,,20,2,0,105570114,
it was suggested to remove these types from the MAT logic.
This patch removes EfiMemoryMappedIo and EfiMemoryMappedIoPortSpace
from the MAT logic in accordance with the UEFI spec.
Signed-off-by: Oliver Smith-Denny <osde@linux.microsoft.com>
Check HTTP response content type to see if it is application/json
type or not. In Redfish, we expect to see response data in JSON
format. If it is not, show warning message to developer.
Signed-off-by: Nickle Wang <nicklew@nvidia.com>
Add HTTP status code check for POST, PUT, PATCH and DELETE Redfish
request. When status code is not expected, return failure to caller.
The expected HTTP status code is defined in Redfish specification.
Signed-off-by: Nickle Wang <nicklew@nvidia.com>
FVP Base Revc doesn't support Trng.
ASSERT (FALSE) is causing the boot to stall.
Replacing ASSERT with ERROR log.
Signed-off-by: Prachotan Reddy Bathi <Prachotan.Bathi@arm.com>
In the system boot phase, if OS postpone onlining some CPU
until later, the sec page tables could be overwritten.
So, TDVF needs to reserve the initial page tables that would be
used by APs on Mailbox wakeup.
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Elena Reshetova <elena.reshetova@intel.com>
Cc: Kirill A Shutemov <kirill.shutemov@linux.intel.com>
Signed-off-by: Ceping Sun <cepingx.sun@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4830
Allow BrainpoolP512r1 to be leveraged when the corresponding curve ID
is passed to crypto libraries in EDK2
Signed-off-by: Michael G.A. Holland <michael.holland@intel.com>
This moves the WatchdogDisable() function before the installation of the
gEfiWatchdogTimerArchProtocolGuid protocol. It allows a platform to
promptly carry out platform specific configurations, such as UEFI boot
monitoring, by registering the protocol installation callback.
Signed-off-by: Nhi Pham <nhi@os.amperecomputing.com>
The BSP's APIC mode is synced to all APs in CollectProcessorCount().
So, it's safe to skip the X2 APIC enabling in AutoEnableX2Apic() which
runs later when BSP's APIC mode is X2 APIC already.
Signed-off-by: Ray Ni <ray.ni@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
The change saves the BSP's initial APIC mode and syncs to all APs
in first time wakeup. It allows certain platforms to switch to X2 APIC
as early as possible and also independent on CpuFeaturePei/Dxe.
The platform should switch BSP to X2 APIC mode first before the
CpuMpPeim runs.
Signed-off-by: Ray Ni <ray.ni@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
It's very confusing that auto X2 APIC enabling and APIC ID sorting
are all performed inside CollectProcessorCount().
The change is to separate the X2 APIC enabling to AutoEnableX2Apic()
and call that from MpInitLibInitialize().
SortApicId() is called from MpInitLibInitialize() as well.
Signed-off-by: Ray Ni <ray.ni@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Carsten Haitzler
Saloni Kasbekar
zodf0055980
Matthew Carlson
Ashraf Ali
Joey Vagedes
Ard Biesheuvel
Dionna Glaze
Oliver Smith-Denny
Gerd Hoffmann
Chao Li
Wei6 Xu
Anthony PERARD
Jason Andryuk
Ceping Sun
Rebecca Cran
Xiaoqiang Zhang
Abdul Lateef Attar
Ray Robles
Oliver Smith-Denny
Nickle Wang
Prachotan Reddy Bathi
Michael G.A. Holland
Nhi Pham
HoraceX Lien
Ray Ni