The StandaloneMm implementation for Arm sets up the stack in
the early startup code using the data section reserved in the
assembly code.
When TF-A loads the StandaloneMM binary in the DRAM it maps
the entire StandaloneMM memory region as Read Only.
Therefore, the initial startup assembly code updates the mem
permissions of the stack region to Read Write.
However, when the StandaloneMmCore is loaded the function
UpdateMmFoundationPeCoffPermissions() starts applying the
memory permissions based on the PE COFF sections as below:
A. If the section is not executable, it first removes the
executable permission of the section by calling TextUpdate().
TextUpdate() is the StandaloneMM MMU library function
ArmSetMemoryRegionNoExec().
B. It then checks if the section is writable, and if it is
it calls ReadWriteUpdater(), which invokes the StandaloneMM
MMU library function ArmClearMemoryRegionReadOnly() to make
the section writable.
However, this results in the stack being made read-only
between A and B. To understand this please see the following
flow.
1. TF-A sets the entire StandaloneMM region as Read Only.
2. The stack is reserved in the data section by the early
assembly entry point code.
+--------------------+ <--- Start of Data Section
| |
| Data Section |
| |
| +----------------+ | <--- Stack region
| | Stack | |
| +----------------+ |
| |
+--------------------+
3. The StanaloneMM early entry point code updates the
attributes of the stack to Read Write.
4. When UpdateMmFoundationPeCoffPermissions() sets the
permission of the data section to remove the Execute
attribute, it calls ArmSetMemoryRegionNoExec().
5. The ArmSetMemoryRegionNoExec() implementation gets the
attributes of the first granule which is at the start
of the data section, then clears the execute permission
and applies the attribute for the entire data section.
6. Since TF-A has mapped the entire section as read only
the first granule of the data section is read only and
therefore the stack region attributes are changed to
Read Only no execute.
7. Since the stack is read only after point A any updates
to the stack result in an exception.
To resolve this issue with update the library with FF-A v1.2,
get/set memory permission per page unit.
Links: https://developer.arm.com/documentation/den0140/latest/ [0]
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
Add ArmFfaLib used in StandaloneMmCore/StandaloneMm Driver.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
PcdFfaEnabled is no more used because ArmFfaLib could find whether FF-A
is supported dynamically.
This patch removes usage of PcdFfaEnabled.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
To communicate with spmc or spmd, UEFI needs to map the Rx/Tx buffer
(which is a global resource in a partition)
by getting the required information from the partition descriptor.
for this, Define ArmFfaLib related Pcd and Guid.
Pcd:
- PcdFfaLibConduitSmc
conudit to use ArmFfaLib.
- PcdFfaTxBufeer
address of Tx buffer.
- PcdFfaRxBuffer:
address of Rx buffer.
- PcdTxRxPageCount:
specify buffer size with EFI_PAGE_SIZE unit.
- PcdFfaExitBootEventRegistered:
check exit boot event registered to unmap rx/tx buffer.
Guid:
- gArmFfaRxTxBufferInfoGuid:
This is used in Hob to get Rx/Tx buffer information to pass
Rx/Tx buffer information via HobList if Rx/Tx Buffer mapped in
PEI phase.
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
Partition descriptor is used to get partition information via
FFA_PARTITION_INFO_GET or FFA_PARTITION_INFO_GET_REGS FF-A ABI.
Adds defines for partition descriptor and some macros used to call above
ABIs.
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
ArmFfaBootInfo.h contains boot information used in FF-A [0].
This boot information will be used to
initalize firmware (i.e) StandaloneMm.
Links: https://developer.arm.com/documentation/den0077/latest/ [0]
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
To remove hob creation in StandaloneMm entrypoint,
TF-A should pass PHIT hob information to StandaloneMm.
When it passes PHIT hob, it passes according to
firmware handoff specification[0].
This patch applies boot protocol using transfer list with firmware
handoff specification and remove hob creation in StandaloneMm
entrypoint.
Link: https://github.com/FirmwareHandoff/firmware_handoff [0]
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
Introduce a new helper function SpmMmStatusToEfiStatus() to convert
the SPM_MM status values to EFI_STATUS values.
Signed-off-by: Levi yun <yeoreum.yun@arm.com>
Change naming convention in ArmMmSvc.h with
MM to SPM_MM
This would make it clear to discern ABI protocol used to communicate
with secure partition.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
By using transfer list passed by TF-A,
StandaloneMmCore is no more producer of HOBs, But it is consumer.
So, the Arm-specific implementation of StandaloneMmCoreHobLib
is no longer needed.
This change removes the Arm-specific HOB creation code and
integrates the necessary adjustments.
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
ArmTransferList is used to pass boot information according to
firmware handoff protocol specification [0].
When initializing StandaloneMm, it gets boot information from
the PHIT HOB in the TransferList.
[0] https://github.com/FirmwareHandoff/firmware_handoff
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
This patch introduces a PI_MM_CPU_DRIVER_EP protocol to handle
Mmcommunication request based on the CPU driver.
Previously the CPU driver entry point was retrieved using the
gEfiArmTfCpuDriverEntryPoint HOB.
However, this practice is incorrect as StandaloneMM must be a HOB
consumer and not a HOB producer.
Therefore, remove the CPU entry HOB gEfiArmTfCpuDriverEntryPoint,
and replace it with the CPU driver entry protocol
EDKII_PI_MM_CPU_DRIVER_EP_PROTOCOL.
The EDKII_PI_MM_CPU_DRIVER_EP_PROTOCOL installed in
StandaloneMmCpuInitialize() will be used by the code in
Arm/StandaloneMmCoreEntryPoint.
This protocol is used like below:
+=====+
|StandaloneMmCore|
+=====+
|
CEntryPoint()
===================
|
ProcessModuleEntryPointList()
|
+--> StandaloneMmMain()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| // Load StandaloneMmCpu driver which implements
| // CpuDriverEntryPoint used by DelegatedEventLoop().
| // and install the gEdkiiPiMmCpuDriverEpProtocolGuid.
--------------
|
... // Get CpuDriverEntryPoint implemented by
// StandaloneMmCpu driver with gEdkiiPiMmCpuDriverEpProtocolGuid
|
DelegatedEventLoop() // Handle request by delegating it to
// CpuDriverEntryPoint.
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
Communication with Stmm can be via SPM using MM or FF-A.
However, some return values differ between these
communication models.
This patch adds helper functions to covert the return
values based on the communication model.
It also fixes an issue when using the SPM using MM model,
wherein an error code value of -7 was being returned when
an unknown error occurred. The -7 value is not defined in
SPM using MM. Therefore, return an UNSUPPORTED code instead.
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
SnpDxe registers for an ExitBootServices callback and runs the
PXE_OPCODE_SHUTDOWN and PXE_OPCODE_STOP commands for any network
controllers that the driver is attached to.
Register the SnpDxe callback for gEfiEventBeforeExitBootServicesGuid
instead of gEfiEventExitBootServicesGuid to ensure the correct ordering:
1. ExitBootServices event
2. Network card shutdown sequence is completed
Also, close the event to prevent rerunning the shutdown if multiple
ExitBootServices events need to be called by the OS.
Signed-off-by: Aaron Pop <aaronpop@microsoft.com>
Per RFC 1350, TFTP error packets include 2 byte OpCode and ErrorCode
fields in network byte order. Those need to be swapped to host order to
be interpreted correctly. Without this change, the TftpErrorReceived and
TftpError Mode fields are never set and EFI applications can't inspect
the error received from the TFTP server.
Signed-off-by: Dan Nicholson <dbn@endlessos.org>
While fixing https://github.com/tianocore/edk2/pull/6092 (the
fact that some OvmfPkg and ArmVirtPkg platforms included residual
NetworkPkg components even when compiled with -D NETWORK_ENABLE=0),
it was noted that OvmfPkg/Include/*/Shell*.inc files which apply
the required fix logic are available and already used in some
OvmfPkg platforms.
A previous commit applied these files consistently within OvmfPkg.
This commit applies these files within ArmVirtPkg.
This has the side effect that some platforms now include one or
more of HttpDynamicCommand, VariablePolicyDynamicCommand and
LinuxInitrdDynamicShellCommand when they previously did not.
This fixes unintentional drift between platforms, and provides
additional shell commands which may be useful in some cases.
Signed-off-by: Mike Beaton <mjsbeaton@gmail.com>
While fixing https://github.com/tianocore/edk2/pull/6092 (the
fact that some OvmfPkg and ArmVirtPkg platforms included residual
NetworkPkg components even when compiled with -D NETWORK_ENABLE=0),
it was noted that OvmfPkg/Include/*/Shell*.inc files which apply
the required fix logic are available and already used in some
OvmfPkg platforms.
This commit applies these files consistently within OvmfPkg.
This has the side effect that some platforms now include one or
more of HttpDynamicCommand, VariablePolicyDynamicCommand and
LinuxInitrdDynamicShellCommand when they previously did not.
This fixes unintentional drift between platforms, and provides
additional shell commands which may be useful in some cases.
Signed-off-by: Mike Beaton <mjsbeaton@gmail.com>
Place the EFI shell as EFI/BOOT/BOOT{ARCH}.EFI on the virtual drive.
This allows the "Run to shell" CI test case to work even in case the
shell is not included in the firmware image.
This is needed because a follow up patch will exclude the shell from
secure boot enabled firmware images.
The same update was previously applied to OvmfPkg by
6862b9d538.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Mike Beaton <mjsbeaton@gmail.com>
This issue showed up when addressing
https://bugzilla.tianocore.org/show_bug.cgi?id=4829
in https://github.com/tianocore/edk2/pull/6087 .
Various OvmfPkg and ArmVirtPkg platforms include some residual NetworkPkg
components when compiled with -D NETWORK_ENABLE=0, even though they use
NetworkPkg includes intended to allow all NetworkPkg components to be
disabled on this flag.
For the OvmfPkg Intel platforms only, commit
d933ec115b started
the change of not including these residual NetworkPkg
components, and commit
7f17a15564 completed it.
This commit rolls these changes out to the ArmVirtPkg platforms where
they make sense in the same way.
Signed-off-by: Mike Beaton <mjsbeaton@gmail.com>
This issue showed up when addressing
https://bugzilla.tianocore.org/show_bug.cgi?id=4829
in https://github.com/tianocore/edk2/pull/6087 .
Various OvmfPkg and ArmVirtPkg platforms include some residual NetworkPkg
components when compiled with -D NETWORK_ENABLE=0, even though they use
NetworkPkg includes intended to allow all NetworkPkg components to be
disabled on this flag.
For the OvmfPkg Intel platforms only, commit
d933ec115b started
the change of not including these residual NetworkPkg
components, and commit
7f17a15564 completed it.
This commit rolls these changes out to the remaining OvmfPkg platforms
where they make sense in the same way.
Signed-off-by: Mike Beaton <mjsbeaton@gmail.com>
Add a new gFspSmmBootLoaderFvContextHobGuid in IntelFsp2Pkg.dec.
The FSP SMM bootloader FV context HOB provides a mechanism for
the bootloader to provide platform specific configuration data
to platform specific SMM drivers.
Signed-off-by: Dun Tan <dun.tan@intel.com>
The clang compiler generates the following error
error: use of 'static_assert' without inclusion of <assert.h>
This is due to the use of the MSC Extension static_assert.
Use _Static_assert instead for clang and GNUC compilers.
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Makes changes to comply with alerts raised by CodeQL.
Most of the issues here fall into the following two categories:
1. Potential use of uninitialized pointer.
2. Inconsistent integer width in comparison.
Co-authored-by: Taylor Beebe <taylor.d.beebe@gmail.com>
Co-authored-by: Ken Lautner <kenlautner3@gmail.com>
Co-authored-by: Bret Barkelew <bret@corthon.com>
Signed-off-by: Vineel Kovvuri[MSFT] <vineelko@microsoft.com>
Since commit d64d1e195c ("MdeModulePkg: PeiMain: Introduce
implementation of delayed dispatch") the pei core wants read PCDs, so
the NULL lib doesn't cut it any more.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
When running the /wholearchive test build, generate the test .dll as a
different filename to prevent the system holding onto the dll file too
long and generating a build error that the actual dll cannot be found.
Remove the temporary file after it was generated because the successful
completion of the link command is the test case.
Signed-off-by: Aaron Pop <aaronpop@microsoft.com>
For bootup of VMs with multiple accelerators, these logging instructions
flood the logs for a good 30 seconds.
Originally found by Gary Zibrat.
Signed-off-by: Dionna Glaze <dionnaglaze@google.com>
Some parts and versions of TLS require HMAC. This adds the missing HMAC
algorithms to the UEFI provider. One entry in the default signature
algorithms and one in the key management algorithms.
Source of these entries is the default OpenSSL provider, defltprov.c,
included in the OpenSSL library.
This change was required to connect to some TLS servers depending
on the used ciphers.
Signed-off-by: Sebastian Witt <sebastian.witt@siemens.com>
Currently, multiple dsc files within the OvmfPkg directory use the NULL
version of the CcProbeLib library. However, these packages have support
for confidential guests (usage of CcExitLib, MemEncrypt{Sev,Tdx}Lib, etc.)
and should be using the OvmfPkg version of the CcProbeLib.
The use of the NULL library causes the PCI option ROM to be enabled, which
can't be trusted as it originates from the hypervisor. The use of the NULL
library also causes a KVM hypervisor error when attempting to map/back the
option ROM region when running an SEV-SNP guest.
Update the various dsc files to reference the OvmfPkg version of the
CcProbeLib library and prevent usage of PCI option ROMs.
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Since the tdx measurement APIs are implemented by
TdxMeasurementLib, the duplicate code are removed.
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
Signed-off-by: Ceping Sun <cepingx.sun@intel.com>
Add NULL instance of TdxMeasurementLib.
Cc: Ray Ni <ray.ni@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
Signed-off-by: Ceping Sun <cepingx.sun@intel.com>
When at last hob, the FV HOB check function should
exit from the loop
Signed-off-by: Hongbin1 Zhang <hongbin1.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Wei6 Xu <wei6.xu@intel.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Supreeth Venkatesh <supreeth.venkatesh@arm.com>
Update SecPrint() to use _vsnprintf_s() instead of
_vsnprintf() that is a safe function and allows the
defines _CRT_SECURE_NO_WARNINGS and _CRT_SECURE_NO_DEPRECATE
to be removed from WinHost builds.
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Move local variable init to C statements to follow
coding standard and remove the use of field names in
structure initialization to maximize compiler compatibility.
This issue was introduced by PR #6185
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
SplitPage may return OUT_OF_RESOURCES if no memory resource to split
page entry. ConvertMemoryPageAttributes should also return
OUT_OF_RESOURCES instead of override the status to UNSUPPORTED.
Then EfiSetMemoryAttributes and EfiClearMemoryAttributes can return
correct status of OUT_OF_RESOURCES when requested attributes cannot
be applied due to lack of system resource.
Cc: Felix Polyudov <felixp@ami.com>
Cc: David Hsieh <davidhsieh@ami.com>
Cc: James Wang <jameswang@ami.com>
Signed-off-by: Crystal Lee <crystallee@ami.com>
Produce the protocol introduced in UEFI v2.10 that permits the caller to
manage mapping permissions in the page tables.
Cc: Felix Polyudov <felixp@ami.com>
Cc: David Hsieh <davidhsieh@ami.com>
Cc: James Wang <jameswang@ami.com>
Signed-off-by: Crystal Lee <crystallee@ami.com>
A compiler warning was detected that 'IntId' could be used uninitialized
in the `else` branch.
Since there are no consumers of this function, it was decided to remove
this function completely.
Signed-off-by: Mike Maslenkin <mike.maslenkin@gmail.com>
Mbedtls requires the use of strncpy(), but it is currently included in
DummyOpensslSupport.c, which is not part of Mbedtls SecCryptLib.
To resolve this, move strncpy() to CrtWrapper.c, as Mbedtls SecCryptLib
not depend on OpensslLib
Signed-off-by: Amy Chan <amy.chan@intel.com>
This patch is to implement default IsCpuSyncAlwaysNeeded definition
for SmmCpuPlatformHookLibQemu. This interface will determine whether the first
CPU Synchronization should be executed unconditionally when a SMI occurs.
If the function returns true, it indicates that there is no need to check the system
configuration and status, and the first CPU Synchronization should be executed
unconditionally.
If the function returns false, it indicates that the first CPU Synchronization is
not executed unconditionally, and the decision to synchronize should be based on
the system configuration and status.
Signed-off-by: Khor Swee Aun <swee.aun.khor@intel.com>
This patch adds the IsCpuSyncAlwaysNeeded interface to the SmmCpuPlatformHookLib.
This interface will determine whether the first CPU Synchronization should be
executed unconditionally when a SMI occurs.
If the function returns true, it indicates that there is no need to check the
system configuration and status, and the first CPU Synchronization should be
executed unconditionally.
If the function returns false, it indicates that the first CPU Synchronization is
not executed unconditionally, and the decision to synchronize should be based on
the system configuration and status.
Signed-off-by: Khor Swee Aun <swee.aun.khor@intel.com>
Today, StandaloneMmCore calls PeCoffLoaderRelocateImage() when loading
images, which calls PeCoffLoaderRelocateImageExtraAction(). On AARCH64,
this sets the image memory protections accordingly, RO + E on code
sections, RW + NX on data sections.
However, if an image fails to start (i.e. its entry point returns a
failure) StandaloneMmCore does not call the corresponding
PeCoffLoaderUnloadImage, which calls PeCoffLoaderUnloadImageExtraAction,
which on AARCH64 undoes the memory protections on the image, setting the
whole memory region back to RW + NX. The core then frees this memory
and the next allocation attempts to use it, which results in a data
abort if a read only memory region is attempted to be written to.
Theoretically, other instances of the PeCoffExtraActionLib could take
other actions and so regardless of architecture, the contract with the
PeCoffLoader should be maintained.
This patch calls PeCoffLoaderUnloadImage when an image's entry point
returns a failure, before freeing the image memory. This meets the
contract and follows the DXE core behavior.
Signed-off-by: Oliver Smith-Denny <osde@microsoft.com>
Levi Yun
Nickle Wang
joe
Dan Nicholson
Mike Beaton
Michael Kubacki
Dun Tan
Michael D Kinney
Vineel Kovvuri[MSFT]
Gerd Hoffmann
Aaron Pop
Dionna Glaze
Praveen K Paladugu
Longhaox Lee
Sebastian Witt
Tom Lendacky
Ceping Sun
Hongbin1 Zhang
Crystal Lee
Mike Maslenkin
Amy Chan
Khor Swee Aun
Oliver Smith-Denny