OVMF's PlatformBdsLib currently makes SMM vulnerable to the following
attack:
(1) a malicious guest OS copies a UEFI driver module to the EFI system
partition,
(2) the OS adds the driver as a Driver#### option, and references it from
DriverOrder,
(3) at next boot, the BdsEntry() function in
"IntelFrameworkModulePkg/Universal/BdsDxe/BdsEntry.c" processes
Driver#### and DriverOrder between the calls to PlatformBdsInit() and
PlatformBdsPolicyBehavior(),
(4) OVMF locks down SMM only in PlatformBdsPolicyBehavior(), hence the
driver runs with SMM unlocked.
The BdsEntry() function of the MdeModulePkg BDS driver (in file
"MdeModulePkg/Universal/BdsDxe/BdsEntry.c") recommends to "Signal
ReadyToLock event" in PlatformBootManagerBeforeConsole() -- which
corresponds to PlatformBdsInit() --, not in
PlatformBootManagerAfterConsole() -- which corresponds to
PlatformBdsPolicyBehavior().
Albeit an independent question, but it's worth mentioning: this patch also
brings OvmfPkg's PlatformBdsInit() closer to ArmVirtPkg's. Namely, the
latter signals End-of-Dxe in PlatformBdsInit() already.
Cc: Feng Tian <feng.tian@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Acked-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
In the edk2 tree, there are currently four drivers that consume
PcdAcpiS3Enable:
IntelFrameworkModulePkg/Universal/Acpi/AcpiS3SaveDxe/AcpiS3SaveDxe.inf
MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf
MdeModulePkg/Universal/Acpi/SmmS3SaveState/SmmS3SaveState.inf
From these, AcpiS3SaveDxe is the only one that isn't also a client of the
S3BootScriptLib class; all the others (BootScriptExecutorDxe,
S3SaveStateDxe, SmmS3SaveState) are clients of the S3BootScriptLib class.
In turn, the edk2 tree contains only one non-Null instance of the
S3BootScriptLib class:
MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf
Therefore we can safely state that BootScriptExecutorDxe, S3SaveStateDxe,
and SmmS3SaveState are all linked against PiDxeS3BootScriptLib.
Now, if PcdAcpiS3Enable is FALSE when either of BootScriptExecutorDxe,
SmmS3SaveState, or SmmS3SaveState is dispatched, then the following
happens:
- The constructor of PiDxeS3BootScriptLib, function
S3BootScriptLibInitialize(), registers a protocol installation callback
for gEfiDxeSmmReadyToLockProtocolGuid. Namely, the function
S3BootScriptEventCallBack().
- The driver immediately exits with EFI_UNSUPPORTED from its entry point
function, upon seeing PcdAcpiS3Enable == FALSE. (See commits
800c02fbe2, 125e093876, and d2d38610603f6.)
- This leaves a dangling callback pointer in the DXE core.
- When Platform BDS installs gEfiDxeSmmReadyToLockProtocolGuid (which is a
valid thing to do for locking down SMM, even in the absence of S3
support!), things blow up.
Fix this issue by returning immediately from S3BootScriptLibInitialize()
if PcdAcpiS3Enable is FALSE -- it is useless to initialize the library
instance if the containing driver module exits first thing in its entry
point.
Cc: Feng Tian <feng.tian@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jaben Carsey <Jaben.carsey@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
FragmentBuffer of each TcpWrap in HttpDxe should not be
freed in HttpTcpTokenCleanup(). This buffer points to
HttpMsg body actually, which is the responsibility of the
caller to allocate a buffer for Body.
Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Zhang Lubo <lubo.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jiaxin Wu <jiaxin.wu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Need the timer check to avoid the indefinite wait case
in HttpDxe driver
A.HTTP receive Header process in HttpTcpReceiveHeader();
B.HTTP receive Body process in HttpTcpReceiveBody();
Cc: Hegde Nagaraj P <nagaraj-p.hegde@hpe.com>
Cc: El-Haj-Mahmoud Samer <samer.el-haj-mahmoud@hpe.com>
Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Zhang Lubo <lubo.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jiaxin Wu <jiaxin.wu@intel.com>
Reviewed-by: Hegde Nagaraj P <nagaraj-p.hegde@hpe.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Use 128 bytes as the start size region to be same to previous one.
64 bytes is small as the first range. On X64 arch, POOL_OVERHEAD
takes 40 bytes, the pool data less than 24 bytes can be fit into
it. But, the real allocation is few that can't reduce its free pool
link list. And, the second range (64~128) has more allocation
that also increases the free pool link list of the first range.
Then, the link list will become longer and longer. When LinkList
check enable in DEBUG tip, the long link list will bring the
additional overhead and bad performance. Here is the performance
data collected in our X64 platform with DEBUG enable.
64 byte: 22 seconds in BDS phase
128 byte: 19.6 seconds in BDS phase
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Michael Kinney <michael.d.kinney@intel.com>
The Hii runtime support feature will export the content of
HiiDatabase and the ConfigResp string to runtime buffer
after ReadyToBoot event is triggered. If some drivers
add/update/remove packages from Hiidatabase after ReadyToBoot:
Originally we will both export the content of HiiDatabase and
the ConfigResp string for all packages.
But now after investigation, we found only for form packages need
to export the content of HiiDatabase and the ConfigResp string,
for other packages just need to export the content of HiiDatabase.
Now to enhance this logic.
Cc: Liming Gao <liming.gao@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Samer El-Haj-Mahmoud <elhaj@hpe.com>
HttpGenRequestString is updated to HttpGenRequestMessage,
with an additional argument. This patch updates the caller
of the DxeHttpLib API. Also, we will avoid adding any '\0'
to the string, which was added to make AsciiStrLen to
work on the string.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Nagaraj Hegde <nagaraj-p.hegde@hpe.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Samer El-Haj-Mahmoud <elhaj@hpe.com>
Rename and update the logic of HttpGenRequestString API provided
by DxeHttpLib. The RequestString size is returned as an argument.
The user is not expected to do a AsciiStrLen anymore, and is not
logical too, since request string can contain message body and
using AsciiStrLen on such a string can provide truncated lengths.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Nagaraj Hegde <nagaraj-p.hegde@hpe.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Samer El-Haj-Mahmoud <elhaj@hpe.com>
This patch updates the HTTP Boot Configuration page to allow the user to create
a corporate mode HTTP boot option, by leaving the URI string empty.
The patch also fix a bug that the L"https://" should use StrnCmp() with Length 8.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Samer El-Haj-Mahmoud <elhaj@hpe.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
Add #defines for "Expect" header, which is a part of RFC 2616
and used for HTTP PUT/POST operations.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hegde, Nagaraj P <nagaraj-p.hegde@hpe.com>
Reviewed-by: Samer El-Haj-Mahmoud <elhaj@hpe.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Per build spec, the .aml file should use ASL binary type in the Asbuilt
inf file. the original bug is .aml file may use BIN as binary type when
the module type is not BASE or USER_DEFINED. This patch 1) fix this bug.
2) fix some indent coding style issue.
Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Yonghong Zhu <yonghong.zhu@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
Current the FMP Capsule feature is supported, but its format has a little
different with FDF spec. so this patch 1) Align the FMP Capsule with FDF
spec. 2) fix some style issue, eg: Tab. 3) Add a SectionParser function to
check the section header info since this method is used in 7 places.
Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Yonghong Zhu <yonghong.zhu@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
It would be possible to remove the UAF without local variables, by calling
SataPrivateData->PciIo->Attributes() before releasing SataPrivateData.
However, by keeping the location of the call (for which temporary
variables are necessary), we continue to match the error path logic in
SataControllerStart(), which is always recommended.
Reported-by: wang xiaofeng <winggundum82@163.com>
Fixes: bcab714134
Cc: wang xiaofeng <winggundum82@163.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
"ASSERT (SataPrivateData != NULL)" is just a few lines higher up.
Cc: Jordan Justen <jordan.l.justen@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
It can improve profile performance, especially when
PcdMemoryProfileMemoryType configured without EfiBootServicesData.
CoreUpdateProfile() can return quickly, but not depend on the further
code to find the buffer not recorded and then return.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Feng Tian <feng.tian@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Phase Tag, SqTdbl/CqHdbl and SqBuffer/CqBuffer should be cleared in
NvmeControllerInit() to make HC functionality work when user invokes
NvmeBlockIoReset().
Cc: Simon (Xiang) Lian-SSI <simon.lian@ssi.samsung.com>
Cc: Star Zeng <star.zeng@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Feng Tian <feng.tian@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Simon (Xiang) Lian-SSI <simon.lian@ssi.samsung.com>
In EnumerateNvmeDevNamespace(), when Private->ControllerData->Sn and/or
Private->ControllerData->Mn are NOT null-terminated strings,
UnicodeSPrintAsciiFormat(…) may generate unexpected (garbage) output
string.
Cc: Simon (Xiang) Lian-SSI <simon.lian@ssi.samsung.com>
Cc: Star Zeng <star.zeng@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Feng Tian <feng.tian@intel.com>
Reviewed-by: Simon (Xiang) Lian-SSI <simon.lian@ssi.samsung.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Memory pointed to by Private->ControllerData has not been freed up
correctly at error handling path.
Cc: Simon (Xiang) Lian-SSI <simon.lian@ssi.samsung.com>
Cc: Star Zeng <star.zeng@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Feng Tian <feng.tian@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Simon (Xiang) Lian-SSI <simon.lian@ssi.samsung.com>
The close brace of EmmcDxeComponentNameGetControllerName should be
at the beginning of a line.
Cc: Qiu Shumin <shumin.qiu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Feng Tian <feng.tian@intel.com>
Reviewed-by: Shumin Qiu <shumin.qiu@intel.com>
UEFI Shell 2.x cannot recognize whether a .EFI file is an application or
a driver. This means when we typed in a driver image in Shell command
line, Shell will load the driver image and try to run the entry point
function of the driver.
This patch check the ImageCodeType to fix the issue.
Cc: Jaben Carsey <jaben.carsey@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qiu Shumin <shumin.qiu@intel.com>
mGicNumInterrupts is the total number of interrupts, so the interrupt
ID equal to mGicNumInterrupts is also invalid.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Heyi Guo <heyi.guo@linaro.org>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
When the type of HiiValue is BUFFER Type, the BufferValue
of the related question can not be NULL, so can remove the
check.
Cc: Qiu Shumin <shumin.qiu@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Qiu Shumin <shumin.qiu@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
The patch uses CoreAcquireLockOrFail() instead of
CoreAcquireProtocolLock() in CoreLocateProtocol() to avoid
assertion when CoreLocateProtocol() is called with the
protocol database locked.
The issue was found when changing PcdDebugPrintErrorLevel to
enable page/pool allocation debug message.
Nt32 platform hangs immediately after DxeCore is loaded.
Investigation shows the following calling stacks:
DxeCore entry point (Install a certain protocol)
0 DxeCore::CoreInstallProtocolInterface // Protocol DB is locked
1 DxeCore::AllocatePool
2 PeiDxeDebugLibReportStatusCode::DebugPrint
3 DxeReportStatusCodeLib::ReportStatusCodeEx // <-------------------|
4 DxeReportStatusCodeLib::InternalGetReportStatusCode |
5 DxeCore::LocateProtocol(StatusCodeRuntimeProtocol) |
// Assertion when locking Protocol DB 2nd time |
6 DxeCore::CoreAcquireProtocolLock |
7 PeiDxeDebugLibReportStatusCode::DebugAssert |
8 DxeReportStatusCodeLib::ReportSatusCodeEx // loop begins ---------
In frame #6 the assertion is triggered due to the protocol database
is already locked. #8 calls #4 and the loop begins.
After changing #6 to CoreAcquireLockOrFail(), the assertion is
avoided and the loop is broken.
With the fix, NT32 can boot to Shell even setting
PcdDebugPrintErrorLevel to 0xFFFFFFFF, with all error levels turned
on.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
This library instance is PEIM type, not BASE type. It has the PPI
dependency for PEIM.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Feng Tian <feng.tian@intel.com>
Now that FatPkg is open source (and therefore in the EDK II tree) we
can build and use it directly.
Note: Not build tested
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jordan Justen <jordan.l.justen@intel.com>
Reviewed-by: Tim He <tim.he@intel.com>
The FatPkg is now open source. Update FatBinPkg license to match
FatPkg.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jordan Justen <jordan.l.justen@intel.com>
Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com>
This is copied from MdePkg/Contributions.txt
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jordan Justen <jordan.l.justen@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com>
A script was used to convert the license text for the entire FatPkg.
It used the shorter BSD text that we use in most files:
This program and the accompanying materials are licensed and made
available under the terms and conditions of the BSD License which
accompanies this distribution. The full text of the license may be
found at http://opensource.org/licenses/bsd-license.php
The script also used the short version in FatPkg/License.txt. In each
package's License.txt, we normally include the full BSD license text.
This change copies the longer version of License.txt from MdePkg.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jordan Justen <jordan.l.justen@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com>
Add error handling logic in DriverBingingStop function,
it may return error status when invoking the
UninstallProtocolInterface.
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Ye Ting <ting.ye@intel.com>
Cc: Wu Jiaxin <jiaxin.wu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Zhang Lubo <lubo.zhang@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
Add error handling logic in DriverBingingStop function,
it may return error status when invoking the
UninstallProtocolInterface.
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Ye Ting <ting.ye@intel.com>
Cc: Wu Jiaxin <jiaxin.wu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Zhang Lubo <lubo.zhang@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
Current MemoryAttributesTable will be installed on ReadyToBoot event
at TPL_NOTIFY level, it maybe incorrect when PcdHiiOsRuntimeSupport
= TRUE as HiiDatabaseDxe will have runtime memory allocation for HII
OS runtime support on and after ReadyToBoot. The issue was exposed at
http://article.gmane.org/gmane.comp.bios.edk2.devel/10125.
To make sure the correctness of MemoryAttributesTable, this patch is
to enhance MemoryAttributesTable installation to install
MemoryAttributesTable on ReadyToBoot event at TPL_CALLBACK - 1 level
to make sure it is at the last of ReadyToBoot event, and also hook
runtime memory allocation after ReadyToBoot.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Feng Tian <feng.tian@intel.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
The following patch for MemoryAttributesTable will need the memory type.
And CoreUpdateProfile() can also use the memory type for check.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Feng Tian <feng.tian@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Originally, the code block for "Report DXE Core image information to the PE/COFF
Extra Action Library" was after ProcessLibraryConstructorList(). To fix an issue,
ProcessLibraryConstructorList() was moved to be right after CoreInitializeGcdServices()
at c5d5379937, but the code block was left.
As there maybe PeCoffExtraActionLib implementation need Constructor executed first,
the patch is to move the code block for "Report DXE Core image information to the PE/COFF
Extra Action Library" to be after ProcessLibraryConstructorList.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Feng Tian <feng.tian@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
According to SD Host Controller 3.0 spec figure 3-10, we have to wait
1ms before checking DAT[3:0] in voltage switch proc
Cc: Hao Wu <hao.a.wu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Feng Tian <feng.tian@intel.com>
Reviewed-by: Hao Wu <hao.a.wu@intel.com>
The original code doesn't reset the slot when there is device change.
It may bring issue on device identification procedure of some SD cards.
Cc: Hao Wu <hao.a.wu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Feng Tian <feng.tian@Intel.com>
Reviewed-by: Hao Wu <hao.a.wu@intel.com>