Webservers hosting multiple websites require the TLS SNI
(Server Name Indication) in the ClientHello to know which certificate
to return.
The current TLS code does not include the server name in the
ClientHello handshake, which leads to failed HTTPS boots when the
server does not return the correct certificate.
This sets the host name for SNI in TlsSetVerifyHost which receives the
host name also for verification against the certificates.
Signed-off-by: Sebastian Witt <sebastian.witt@siemens.com>
A malicious host may be able to undermine the fw_cfg
interface such that loading a blob fails.
In this case rather than continuing to the next boot
option, the blob verifier should halt.
For non-confidential guests, the error should be non-fatal.
Signed-off-by: Tobin Feldman-Fitzthum <tobin@linux.ibm.com>
The Blob Verifier checks boot artifacts against a hash table
injected by the hypervisor and measured by hardware.
Update the Blob Verifier to enter a dead loop if the artifacts
do not match.
The verifier still returns ACCESS_DENIED in some cases, but this
is considered non-fatal. These non-fatal cases occur when the
artifact cannot be verified because the hashes table makes no
claims about the artifiact (e.g. if the hashes table is not present
or if there is no entry for the blob in question).
Since the hash table is reflected in the launch measurement,
it is okay to continue the boot in these cases.
If the hash table does contain expected hash values, the boot cannot
continue if the provided blobs do not match.
In these cases we enter a dead loop to make sure no guest can boot
with a TCB that does not reflect the launch measurement.
Signed-off-by: Tobin Feldman-Fitzthum <tobin@linux.ibm.com>
This patch fixes an error in calculating cache sizes for cores from
different Dies. The original code incorrectly cleared cache sizes for
different core types during intermediate calculation steps, leading to
mistakes in counting duplicate entries. This patch adds a check for
cache size to distinguish between different cache types.
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: xieyuanh <yuanhao.xie@intel.com>
When building AArch64 code, cpp gets run with the `-undef` flag which on
Fedora 40 with gcc version 14.1.1 20240607 (Red Hat 14.1.1-5) causes
__has_builtin to be undefined. When running the check for
__builtin_unreachable in Base.h it causes an error
"missing binary operator before token "("".
Check that we have __has_builtin before trying to use it.
Signed-off-by: Rebecca Cran <rebecca@bsdio.com>
Drop obsolete library declarations that are no longer (and should not
be) implemented in EDK2 or UEFI, given that they are specific to the
secure world.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Drop logic from the ARM architectural support libraries that can only
execute in EL3 on AArch64 or Monitor mode on 32-bit ARM. While early
32-bit ports (and even some early 64-bit code) included some monitor
logic in EDK2, UEFI per the spec runs in non-secure execution contexts
only, and secure monitor and other secure world duties are usually
delegated to TF-A (Trusted Firmware for the A profile).
Since there are no longer users of this code in EDK2 or the
edk2-platforms tree, let's remove it from the core support libraries.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
HBM/CXL memory systems are treated as special purpose memories. In many
cases it is desirable not to use special purpose memory for regular edk2
usages as these memories (HBm/CXL) are either meant for special purposes
or are less reliable to be used. Until such memory systems evolve and
we have better clarity from UEFI spec, avoid using them for edk2
boot memory purposes.
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Michael Kinney <michael.d.kinney@intel.com>
Cc: Oliver Smith-Denny <osde@linux.microsoft.com>
Signed-off-by: Dhaval Sharma <dhaval@rivosinc.com>
Co-authored-by: Tim Wawrzynczak <tim@rivosinc.com>
The commit "MdeModulePkg/DxeCapsuleLibFmp: Fix crash if no ESRT is
found" leads to a compilation error in
MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.inf. The issue
occurs because the variable mDxeCapsuleLibReadyToBootEvent which is
declared as extern does not exist, while it is defined in
DxeCapsuleRuntime.c, a file not included in DxeCapsuleLib.inf. This
patch is to fix this by moving the variable defintion to DxeCapsuleLib.c
and declare it as extern in DxeCapsuleRuntime.c.
Reported-by: Gua Guo <gua.guo@intel.com>
Signed-off-by: Nhi Pham <nhi@os.amperecomputing.com>
Some platforms (such as SBSA-QEMU on recent builds of the emulator) only
tolerate misaligned accesses to normal memory, and raise alignment
faults on such accesses to device memory, which is the default for PCIe
MMIO BARs.
When emulating a PCIe graphics controller, the framebuffer is typically
exposed via a MMIO BAR, while the disposition of the region is closer to
memory (no side effects on reads or writes, except for the changing
picture on the screen; direct random access to any pixel in the image).
In order to permit the use of such controllers on platforms that only
tolerate these types of accesses for normal memory, it is necessary to
remap the memory. Use the DXE services to set the desired capabilities
and attributes.
Hide this behavior under a feature PCD so only platforms that really
need it can enable it. (OVMF on x86 has no need for this)
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Bhyve has added support for the bootorder FwCfg file some time ago
[1][2]. This FwCfg file is currently ignored by the OVMF and has no
effect. Copy the relevant code from Qemu to Bhyve to make it usable.
[1] 6632a0a4e3
[2] 480bef9481
Signed-off-by: Corvin Köhne <c.koehne@beckhoff.com>
Update Maintainers.txt to add Chao Li and Bibo Mao as LoongArchVirt Qemu
virt-machine platform maintainers, add Xianglai Li as the reviewer.
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4584
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Bibo Mao <maobibo@loongson.cn>
Cc: Xianglai Li <lixianglai@loongson.cn>
Signed-off-by: Chao Li <lichao@loongson.cn>
Add support for building LoongArchVirtQemu platform in CI
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4584
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Chao Li <lichao@loongson.cn>
This library provides interface related to restart and shudown the
LoongArch64 virtual machine.
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4584
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Bibo Mao <maobibo@loongson.cn>
Cc: Dongyan Qian <qiandongyan@loongson.cn>
Signed-off-by: Chao Li <lichao@loongson.cn>
Co-authored-by: Xianglai Li <lixianglai@loongson.cn>
Co-authored-by: Bibo Mao <maobibo@loongson.cn>
This library is provides real time clock for LoongArch virtual machine.
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4584
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Bibo Mao <maobibo@loongson.cn>
Cc: Dongyan Qian <qiandongyan@loongson.cn>
Signed-off-by: Chao Li <lichao@loongson.cn>
Co-authored-by: Baoqi Zhang <zhangbaoqi@loongson.cn>
Co-authored-by: Xianglai Li <lixianglai@loongson.cn>
Added a new GUID use for store the RTC register base address if the
platform can not uses the dynamic PCD in PEI stage.
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4584
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Chao Li <lichao@loongson.cn>
Add a early serial port output library into LoongArchVirt that named
EarlyFdtSerialPortLib16550, this library is referenced from
MdeModulePkg.
This library is used in the PEI phase. Since the serial port address can
not be saved in memory of the LoongArch QEMU virtual machine in the PEI
phase, the serial prot base address will be obtained from the FDT before
each output.
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4584
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Bibo Mao <maobibo@loongson.cn>
Cc: Dongyan Qian <qiandongyan@loongson.cn>
Signed-off-by: Chao Li <lichao@loongson.cn>
Co-authored-by: Xianglai Li <lixianglai@loongson.cn>
Add a serial port hook library in LoongArchVirt named
Fdt16550SerialProtHookLib, this library is referenced from ArmVirtPkg.
LoongArch QEMU virtual machine uses register of LOONGARCH_CSR_KS1 to
transfer serial port base addres from the PEI phase to the DXE phase.
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4584
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Bibo Mao <maobibo@loongson.cn>
Cc: Dongyan Qian <qiandongyan@loongson.cn>
Signed-off-by: Chao Li <lichao@loongson.cn>
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Added a new library for LoongArch, it use for initialization the CPU
MMU, it consumed the CpuMmuLib.
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Chao Li <lichao@loongson.cn>
Co-authored-by: Baoqi Zhang <zhangbaoqi@loongson.cn>
Co-authored-by: Dongyan Qian <qiandongyan@loongson.cn>
Co-authored-by: Xianglai Li <lixianglai@loongson.cn>
Co-authored-by: Bibo Mao <maobibo@loongson.cn>
Fedora 35 is EOL. Use Fedora 39 instead: don't use 40 for now since it
comes with gcc 14 which still has some problems building edk2.
Fix the git command to disable the safe directory checks.
Signed-off-by: Rebecca Cran <rebecca@bsdio.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4716
Migrate FSP-T/M binary from temporary RAM to permanent RAM before NEM
tear down. Tcg module will use permanent address of FSP-T/M for
measurement. In MdeModulePkg, PeiCore installs mMigrateTempRamPpi if
PcdMigrateTemporaryRamFirmwareVolumes is True before NEM tear down and
after permanent memory ready.
Cc: Chasel Chiu <chasel.chiu@intel.com>
Cc: Nate DeSimone <nathaniel.l.desimone@intel.com>
Cc: Duggapu Chinni B <chinni.b.duggapu@intel.com>
Cc: Chen Gang C <gang.c.chen@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Signed-off-by: Zhihao Li <zhihao.li@intel.com>
Update AMD sepcification references (code comments) as part of a refactor of
MSR definitions and SEV-SNP related defines, which aims to remove
family-specific references (filename) as these defines are common to all
modern EPYC Processors.
Signed-off-by: Paul Grimes <paul.grimes@amd.com>
Update the Msr.h eader guard to comply with latest edk2 coding guidelines. This
change is part of a refactor of MSR definitions and SEV-SNP related defines,
which aims to remove family-specific references (filename) as these defines are
common to all modern EPYC Processors.
Signed-off-by: Paul Grimes <paul.grimes@amd.com>
Delete Fam17Msr.h as part of a refactor of MSR definitions and SEV-SNP related
defines, which aims to remove family-specific references (filename) as these
defines are common to all modern EPYC Processors.
Signed-off-by: Paul Grimes <paul.grimes@amd.com>
Update reference to SevSnpMsr.h as part of a refactor of MSR definitions and
SEV-SNP related defines. Remove family-specific references (filename) as these
defines are common to all modern EPYC Processors.
Signed-off-by: Paul Grimes <paul.grimes@amd.com>
Update reference to SevSnpMsr.h as part of a refactor of MSR definitions and
SEV-SNP related defines. Remove family-specific references (filename) as these
defines are common to all modern EPYC Processors.
Signed-off-by: Paul Grimes <paul.grimes@amd.com>
Add SevSnpMsr.h as part of a refactor of MSR definitions and SEV-SNP related
defines, which aims to remove family-specific references (filename) as these
defines are common to all modern EPYC Processors.
Signed-off-by: Paul Grimes <paul.grimes@amd.com>
Add global variable mVariableRtCacheInfo to save the
content in gEdkiiVariableRuntimeCacheInfoHobGuid. With
this new global variable, 7 global variables can be
removed.
Signed-off-by: Dun Tan <dun.tan@intel.com>
Refine the code logic in InitVariableCache().
In this commit, three times calling of
InitVariableCache() for different type cache are
merged into one calling. This commit is to make
the code looks cleaner and doesn't change any
code functionality.
Signed-off-by: Dun Tan <dun.tan@intel.com>
Remove the usage of PcdEnableVariableRuntimeCache. We can
use the existence of gEdkiiVariableRuntimeCacheInfoHobGuid
to indicate if variable runtime cache is enabled or not.
Signed-off-by: Dun Tan <dun.tan@intel.com>
Consume gEdkiiVariableRuntimeCacheInfoHobGuid in
VariableSmmRuntimeDxe driver to initialize the following
variable cache related buffer:
*mVariableRuntimeHobCacheBuffer
*mVariableRuntimeNvCacheBuffer
*mVariableRuntimeVolatileCacheBuffer
*mVariableRuntimeCachePendingUpdate
*mVariableRuntimeCacheReadLock
*mHobFlushComplete
The code to to allocate
and unblock the buffer for
different type cache in VariableSmmRuntimeDxe is also
removed in this commit.
Signed-off-by: Dun Tan <dun.tan@intel.com>
Remove unneed FreePages() for RuntimeHobCacheBuffer which is
allocated in PEI phase.
So the global variable mVariableRuntimeHobCacheBufferSize
also can be removed.
Signed-off-by: Dun Tan <dun.tan@intel.com>
Remove the two unnecessary global variables and
replace them by two local variables:
mVariableRuntimeNvCacheBufferSize
mVariableRuntimeVolatileCacheBufferSize
Signed-off-by: Dun Tan <dun.tan@intel.com>
Install the callback of gEfiPeiMemoryDiscoveredPpiGuid
to create gEdkiiVariableRuntimeCacheInfoHobGuid in
VariablePei module. When PcdEnableVariableRuntimeCache
is TRUE, the callback will be installed to allocate
the needed buffer for different type variable runtime
cache, unblock the buffer and build this HOB. Then the
runtime cache buffer address and size will be saved in
the HOB content.
Signed-off-by: Dun Tan <dun.tan@intel.com>
This commit defines VARIABLE_RUNTIME_CACHE_INFO HOB.
The HOB is used to store the address and size of the
buffer that will be used for variable runtime service
when the PcdEnableVariableRuntimeCache is TRUE.
In following patches, when PcdEnableVariableRuntimeCache
is TRUE, VariablePei module will install a callback of
gEfiPeiMemoryDiscoveredPpiGuid to allocate needed buffer
for different type cache, unblock the buffer and build HOB.
Then VariableSmmRuntimeDxe driver will consume the
gEdkiiVariableRuntimeCacheInfoHobGuid to initialize the
variable runtime cache related content.
Signed-off-by: Dun Tan <dun.tan@intel.com>
The CoreCount, EnabledCore and ThreadCount counts
should be set to 0xFF if value is greater than
255 per the SMBIOS specification.
Signed-off-by: Jeff Brasen <jbrasen@nvidia.com>
Declares in the .inf file that the current component is an MM_STANDALONE
Signed-off-by: Yuanhao Xie <yuanhao.xie@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
Reviewed-by: Ray Ni <ray.ni@intel.com>
This produces output that matches CodeChecker log command
- Set directory to build output path
- Set build destination to the object created instead of the path
- Add recursive macro support
- Add lookup in module.Macros dictionary
- Add leading include flag to include list
- Add source file to compile commands
Signed-off-by: Jeff Brasen <jbrasen@nvidia.com>
The compiler will use this function if it is
left shifting a 128 bit value.
Seen when updating OpenSSL.
Signed-off-by: Jeff Brasen <jbrasen@nvidia.com>
Since commit 4c4ceb2ceb ("NetworkPkg: SECURITY PATCH CVE-2023-45237"),
networking modules depend on gEfiRngProtocolGuid but nothing in OvmfXen
provides it. This is visible in the logs as several modules present but
not loading:
Driver A2F436EA-A127-4EF8-957C-8048606FF670 was discovered but not loaded!!
Driver E4F61863-FE2C-4B56-A8F4-08519BC439DF was discovered but not loaded!!
Driver 025BBFC7-E6A9-4B8B-82AD-6815A1AEAF4A was discovered but not loaded!!
Driver 529D3F93-E8E9-4E73-B1E1-BDF6A9D50113 was discovered but not loaded!!
Driver 94734718-0BBC-47FB-96A5-EE7A5AE6A2AD was discovered but not loaded!!
Include SecurityPkg/RandomNumberGenerator/RngDxe to fix this.
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Following the discussion at [1] and as the ArmLib relies on them,
move ArmPkg/Chipset/Aarch64[|Mmu].h files to the MdePkg.
Update the path to correctly include the moved files.
[1] https://edk2.groups.io/g/devel/message/111566
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>
Following the discussion at [1] and as the ArmLib relies on them,
move ArmPkg/Chipset/ArmV7[|Mmu].h files to the MdePkg.
Update the path to correctly include the moved files.
[1] https://edk2.groups.io/g/devel/message/111566
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>
Related to https://bugzilla.tianocore.org/show_bug.cgi?id=4121, but not
resolving it. (Nearly?) all of ArmPkg describes industry standard
behaviour, and hence according to general rules, ought to live in MdePkg.
Addressing this will however be a substantial task.
Take a first step by moving the ArmLib interface definition to MdePkg,
as discussed in
https://edk2.groups.io/g/devel/topic/patch_v5_2_6/102725178
Continuous-integration-options: PatchCheck.ignore-multi-package
Cc: Pierre Gondois <pierre.gondois@arm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
Sebastian Witt
Tobin Feldman-Fitzthum
Mike Maslenkin
xieyuanh
Rebecca Cran
Ard Biesheuvel
Dhaval
Nhi Pham
Corvin Köhne
Chao Li
Zhihao Li
Paul Grimes
Dun Tan
Jeff Brasen
Wenxing Hou
Ross Lagerwall
Pierre Gondois
Leif Lindholm