When OVMF is built with SECURE_BOOT_ENABLE, the variable store will be
populated and validated in PlatformValidateNvVarStore(). When an SEV
or an SEV-ES guest is running, this may be encrypted or unencrypted
depending on how the guest was started. If the guest was started with the
combined code and variable contents (OVMF.fd), then the variable store
will be encrypted. If the guest was started with the separate code and
variables contents (OVMF_CODE.fd and OVMF_VARS.fd), then the variable
store will be unencrypted.
When PlatformValidateNvVarStore() is first invoked, the variable store
area is initially mapped encrypted, which may or may not pass the variable
validation step depending how the guest was launched. To accomodate this,
retry the validation step on failure after remapping the variable store
area as unencrypted.
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
When OVMF is built with the SECURE_BOOT_ENABLE set to true, reserving and
initializing the emulated variable store happens before memory has been
accepted under SEV-SNP. This results in a #VC exception for accessing
memory that hasn't been validated (error code 0x404). The #VC handler
treats this error code as a fatal error, causing the OVMF boot to fail.
Move the call to ReserveEmuVariableNvStore() to after memory has been
accepted by AmdSevInitialize().
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
SEV-SNP does not support the use of the Qemu flash device as SEV-SNP
guests are started using the Qemu -bios option instead of the Qemu -drive
if=pflash option. Perform runtime detection of SEV-SNP and exit early from
the Qemu flash device initialization, indicating the Qemu flash device is
not present. SEV-SNP guests will use the emulated variable support.
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
There are two issues in the GIC FDT parsing code:
- the GICC Flags 'Enabled' bit is overwritten when parsing the VGIC
Maintenance Interrupt, whose trigger type occupies another bit in the
same field;
- only the first CPU's Flags field is updated.
This breaks both SMP boot and KVM support on Linux, given that the boot
CPU is disabled in the MADT, and the VGIC maintenance interrupt is set
to 0x0 on all others.
Fix this, by OR'ing the trigger type into the field, and by iterating
over all discovered CPUs.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
This patch fixes a few instances of error cases in NetworkPkg
returning after a RaiseTPL call without restoring the TPL
first.
Signed-off-by: Oliver Smith-Denny <osde@linux.microsoft.com>
gEfiHobMemoryAllocModuleGuid is referenced in the HobPrintLib,
but it is not defined in the INF file, causing an unresolved
external error when the module is consumed by code.
Signed-off-by: Aaron Pop <aaronpop@microsoft.com>
As a BASE type library, some PEI drivers could link and use it.
Tcg2Pei.inf is an example. On edk2-stable202408 version, PEI drivers
that link the library include the global variable of mRdRandSupported.
The previous commit (c3a8ca7) that refers to the global variable actually
is found to influence the link status. Updating the global variable
in PEI drivers could affect the following issues.
PEI ROM Boot : Global variable is not updated
PEI RAM Boot : PEI FV integration/security check is failed
To address these issues, remove the global variable usage.
Signed-off-by: Phil Noh <Phil.Noh@amd.com>
The PCD token, PcdPciExpressBaseAddress is referred in the constructor.
If the token is defined as PcdsDynamic type, the PCD function that gets
the token value uses the gBS service to locate PCD protocol internally.
In this case, it is possible for the function to be called before
initializing gBS variable, then cause a system hang due to gBS variable.
Need to ensure the availability of gBS variable.
Signed-off-by: Phil Noh <Phil.Noh@amd.com>
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4873
Currently the function does not cover the 5 level paging case. it will
casued pagetable protection region set incorrectly. This patch do the
enhancemant and with the patch protection region has been set correctly.
Signed-off-by: Ning Feng <ning.feng@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4873
Currently the function does not cover the 5 level paging case. it will
casued pagetable protection region set incorrectly. This patch do the
enhancemant and with the patch protection region has been set correctly.
Signed-off-by: Ning Feng <ning.feng@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Resolves several issues in UefiCpuPkg related to:
1. Unchecked returns leading to potential NULL or uninitialized access.
2. Potential unchecked integer overflows.
3. Incorrect comparison between integers of different sizes.
Co-authored-by: kenlautner <85201046+kenlautner@users.noreply.github.com>
Signed-off-by: Chris Fernald <chfernal@microsoft.com>
Qualcomm is (finally) migrating its email infrastructure for open source
developers. Update Maintainers.txt (and .mailmap) to reflect.
Github username remains unchanged.
Signed-off-by: Leif Lindholm <quic_llindhol@quicinc.com>
Unlike CPACR_EL1 whose reserved bits are solely RES0, CPTR_EL2 has some
RES1 bits, and so we should not clear them unless we know what they
mean. For example, when SVE was introduced, CPACR_EL1.ZEN occupied a
RES0 field and thus 0 means trap (which is what we get at EL1), but
CPTR_EL2.TZ occupied a RES1 field and thus 1 means trap, but we set it
to 0, so the environment is inconsistent between EDK2 and EL1 and EL2.
Another concrete case is for Morello, where the CEN/TC fields similarly
gate access to capability register state, but also alter exception
delivery and return, such that VBAR_ELx and ELR_ELx become capabilities.
So long as software adheres to RES0/1 this is backwards-compatible, but
since EDK2 does not do so here it inadvertently enables capability-based
exception delivery and return and thus, when run at EL2, gets stuck in a
trap loop when taking its first interrupt, but works just fine at EL1.
Fix this by setting all the RES1 fields in CPTR_EL2, following the
pattern for CPACR_EL1's non-zero initial value (due to setting FPEN so
as to not trap on SIMD/FP use), tested by running ArmVirtQemu-AARCH64
(DEBUG) on Morello QEMU with EL2 enabled.
Signed-off-by: Jessica Clarke <jrtc27@jrtc27.com>
These constants give the set of RES1 bits in CPTR_EL2, as 1s, and the
default value to use for CPTR_EL2 in order to enable all known (or
harmless) features but no unknown ones that require EL2 knowledge. This
will be used by ArmPlatformPkg in the following commit, separated due to
being different packages, even though the combined change is tiny.
Signed-off-by: Jessica Clarke <jrtc27@jrtc27.com>
CP_FULL_ACCESS is a misnomer, we only enable access to SIMD/FP state,
and although the register's mnemonic is CPACR_EL1, its full name is
"Architectural Feature Access Control Register", with AArch64 having no
coprocessors like AArch32 did, so the "CP" is also not appropriate.
Rename it to show it's the default value we use on entry, and define it
in terms of the existing CPACR_FPEN_FULL rather than a magic constant
with the same value to more clearly document that fact. Also update
comments to reflect all this (including the CPTR_EL2 case).
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Jessica Clarke <jrtc27@jrtc27.com>
The existing code here predates its existence as it's assuming that
CPTR_EL2 has the traditional layout rather than being like CPACR_EL1
(likely also true elsewhere for other registers), and the UEFI spec has
nothing to say on the matter. One assumes the intent is that if you're
in EL2 you're in EL2 proper, and it would be very strange to enter EDK2
with E2H set. Document this existing assumption.
Signed-off-by: Jessica Clarke <jrtc27@jrtc27.com>
Then we can use correct TimerLib in another code,
such as dpDynamicCommand(PerformanceLib).
These API are from profileapi.h header and can refer to the link:
https://learn.microsoft.com/en-us/windows/win32/api/profileapi/
Signed-off-by: Yang Gang <yanggang@byosoft.com.cn>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4860
- The condition of GPT header checking is mismatched between PEI FatPei
module in FatPkg and DXE PartitionDxe module in MdeModulePkg.
- This patch is intended to simplify the checking condition within
FatPei module to align with PartitionDxe module to reduce code flow gap
between both of them.
- Below of condition would be checked on GPT header,
1. GPT header signature value
2. GPT header CRC value
3. GPT header LBA value
4. GPT header size of partition entry
Signed-off-by: Jason1 Lin <jason1.lin@intel.com>
Now that the ResetVectors are USER_DEFINED modules, they will not
be linked against StackCheckLibNull, which were the only modules
causing issues. So, we can now remove the kludge we had before
and the requirement for every DSC to include StackCheckLibNull
for SEC modules and just apply StackCheckLibNull globally.
This also changes every DSC to drop the SEC definition of
StackCheckLibNull.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Oliver Smith-Denny <osde@linux.microsoft.com>
Following the change in UefiCpuPkg, this moves OvmfPkg's
ResetVectors to USER_DEFINED modules to prevent any
NULL libraries from being linked against them, allowing
for expected behavior from the ResetVector and for
simpler implementation of NULL libraries applied globally.
Signed-off-by: Oliver Smith-Denny <osde@linux.microsoft.com>
The x86 reset vector is the initial FW code to run on an
AP. It should not link to any libraries and is implemented
entirely in assembly. This module is currently labled as
SEC, because it runs during the SEC phase, but by having it
SEC, it will be linked to all NULL libraries linked globally.
This causes issue with StackCheckLib (though any NULL
library being applied globally has the same issue) because
BaseTools will attempt to link the library and add an
extern to _ModuleEntryPoint, which does not exist for this
module.
Moving this module to USER_DEFINED instructs BaseTools to
not link any NULL libraries to it, which is the desired
behavior, and leads to a much cleaner global NULL library
implementation, in this case for StackCheckLib.
This change was tested on OVMF IA32/X64 and proved to work
as before.
Signed-off-by: Oliver Smith-Denny <osde@linux.microsoft.com>
In PcRtcInit(), it always read RTC time and then write it back. It could
potentially cause two issues:
1) There is time gap between read RTC and write RTC, writing RTC time on
every boot could cause RTC time drift after many reboot cycles
2) Writing RTC registers on every boot could cause some unnecessary delay,
slightly impact the boot performance.
The change is only writing RTC time when 1) the current RTC time is not
valid or 2) the RegisterB value is changed.
Signed-off-by: Chen Lin Z <lin.z.chen@intel.com>
Legacy BIOS design sets only the Update Cycle Inhibit (SET) bit when
changing the RTC time. Update Cycle Inhibit Bit may not be supported
by the backend device (Common I2C RTC device). It could add Division
Chain Select (DV) bit to stop the RTC first (Write to 0x07), Changing
the RTC time and then Set the DV bit back.
Signed-off-by: Di Zhang <di.zhang@intel.com>
Removes the following types from the memory type information HOB
produced:
- `EfiBootServicesCode`
- `EfiBootServicesData`
- `EfiLoaderCode`
- `EfiLoaderData`
This follows the guidance in the whitepaper "A Tour Beyond BIOS
Memory Map and Practices in UEFI BIOS".
https://github.com/tianocore-docs/Docs/raw/master/White_Papers/A_Tour_Beyond_BIOS_Memory_Map_And_Practices_in_UEFI_BIOS_V2.pdf
"NOTE: We recommend a platform only define the ReservedMemory,
ACPINvs, ACPIReclaim, RuntimeCode, RuntimeData in Memory Type
Information table, because OSes only request these regions to be
consistent. There is no need to add BootServicesCode,
BootServicesData, LoaderCode, LoaderData in memory type information
table, because these regions will not be reserved during S4 resume."
Since these memory types are not tracked in memory type information
any longer it also reduces the number of resets that may need to
occur to update memory type buckets that are not needed.
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
Removes the following types from the memory type information HOBs
produced in the MemoryInitPei PEIM:
- `EfiBootServicesCode`
- `EfiBootServicesData`
- `EfiLoaderCode`
- `EfiLoaderData`
Our platform has a memory type information validation routine that
currently expects those types to be excluded as they would not impact
the UEFI memory map since they are not runtime memory types.
This follows the guidance in the whitepaper "A Tour Beyond BIOS
Memory Map and Practices in UEFI BIOS".
https://github.com/tianocore-docs/Docs/raw/master/White_Papers/A_Tour_Beyond_BIOS_Memory_Map_And_Practices_in_UEFI_BIOS_V2.pdf
"NOTE: We recommend a platform only define the ReservedMemory,
ACPINvs, ACPIReclaim, RuntimeCode, RuntimeData in Memory Type
Information table, because OSes only request these regions to be
consistent. There is no need to add BootServicesCode,
BootServicesData, LoaderCode, LoaderData in memory type information
table, because these regions will not be reserved during S4 resume."
Since these memory types are not tracked in memory type information
any longer it also reduces the number of resets that may need to
occur to update memory type buckets that are not needed.
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
Removes the following types from the memory type information HOBs
produced in the MemoryInitPei code:
- `EfiBootServicesCode`
- `EfiBootServicesData`
- `EfiLoaderCode`
- `EfiLoaderData`
Our platform has a memory type information validation routine that
currently expects those types to be excluded as they would not impact
the UEFI memory map since they are not runtime memory types.
This follows the guidance in the whitepaper "A Tour Beyond BIOS
Memory Map and Practices in UEFI BIOS".
https://github.com/tianocore-docs/Docs/raw/master/White_Papers/A_Tour_Beyond_BIOS_Memory_Map_And_Practices_in_UEFI_BIOS_V2.pdf
"NOTE: We recommend a platform only define the ReservedMemory,
ACPINvs, ACPIReclaim, RuntimeCode, RuntimeData in Memory Type
Information table, because OSes only request these regions to be
consistent. There is no need to add BootServicesCode,
BootServicesData, LoaderCode, LoaderData in memory type information
table, because these regions will not be reserved during S4 resume."
Since these memory types are not tracked in memory type information
any longer it also reduces the number of resets that may need to
occur to update memory type buckets that are not needed.
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
Rename `NetworkPcds` to `NetworkFixedPcds` to avoid confusion with
dynamic PCDs
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Jianyong Wu <jianyong.wu@arm.com>
Cc: Anatol Belski <anbelski@linux.microsoft.com>
Cc: Sunil V L <sunilvl@ventanamicro.com>
Cc: Andrei Warkentin <andrei.warkentin@intel.com>
Cc: Chao Li <lichao@loongson.cn>
Cc: Bibo Mao <maobibo@loongson.cn>
Cc: Xianglai Li <lixianglai@loongson.cn>
Signed-off-by: Aleksandr Goncharov <chat@joursoir.net>
Rename `NetworkPcds` to `NetworkFixedPcds` to avoid confusion with
dynamic PCDs. The next patches in the chain will update all references
across the codebase to use the new name.
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Aleksandr Goncharov <chat@joursoir.net>
Start using the include file in the ArmVirtPkg package to manage
dynamic network-related PCDs. This change removes the manual addition
of `PcdIPv4PXESupport` and `PcdIPv6PXESupport` from the DSC file,
relying instead on the centralized include file introduced in
NetworkPkg.
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Leif Lindholm <quic_llindhol@quicinc.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Aleksandr Goncharov <chat@joursoir.net>
Start using the include file in the OvmfPkg package to manage dynamic
network-related PCDs. This change removes the manual addition of
`PcdIPv4PXESupport` and `PcdIPv6PXESupport` from the DSC file,
relying instead on the centralized include file introduced in
NetworkPkg.
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Jianyong Wu <jianyong.wu@arm.com>
Cc: Anatol Belski <anbelski@linux.microsoft.com>
Cc: Sunil V L <sunilvl@ventanamicro.com>
Cc: Andrei Warkentin <andrei.warkentin@intel.com>
Cc: Chao Li <lichao@loongson.cn>
Cc: Bibo Mao <maobibo@loongson.cn>
Cc: Xianglai Li <lixianglai@loongson.cn>
Signed-off-by: Aleksandr Goncharov <chat@joursoir.net>
Introduce an include file with dynamic PCDs to simplify the usage of
the network stage. This allows us to stop manually adding
`PcdIPv4PXESupport` and `PcdIPv6PXESupport` to the DSC file.
`NETWORK_IP4_ENABLE` and `NETWORK_IP6_ENABLE` are not used because
PXEv4 and PXEv6 boot support can be controlled from the QEMU command
line.
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Aleksandr Goncharov <chat@joursoir.net>
* EFI_DHCP6_DUID structure declares Duid[1], so the size
of that structure is not large enough to hold an entire
Duid. Instead, compute the correct size to allocate an
EFI_DHCP6_DUID structure.
* Dhcp6AppendOption() takes a length parameter that in
network order. Update test cases to make sure a network
order length is passed in. A value of 0x0004 was being
passed in and was then converted to 0x0400 length and
buffer overflow was detected.
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Change conditional check to check the array index before
reading the array member to prevent read past end of buffer.
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Unit test checks if AppendDevicePathInstance() returns NULL.
In those cases, AppendDevicePathInstance() does not allocate
a device path, so the call to FreePool() must not be performed.
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Consume PcdMaxMappingAddressBeforeTempRamExit for page table creation in
permanent memory before Temp Ram Exit.
This patch will create the full page table in two steps:
Step 1: Create the max address in page table before the Temporary RAM exit.
Step 2: Create the full range page table after the Temporary RAM exit.
Signed-off-by: Jiaxin Wu <jiaxin.wu@intel.com>
This change is made for boot performance considerations.
Before the Temporary RAM is disabled, the permanent memory is in UC
state, causing the creation of the page table in
permanent memory to take more time with larger page table sizes.
Therefore, this patch adds the PcdMaxMappingAddressBeforeTempRamExit
to provide the platform with the capability to control the max
mapping address in page table before Temp Ram Exit. The value of
0xFFFFFFFFFFFFFFFF, then firmware will map entire physical address
space.
Signed-off-by: Jiaxin Wu <jiaxin.wu@intel.com>
Remove unnecessary check in API MmIsBufferOutsideMmValid of
StandaloneMmMemLib.
The API is used to check if a input buffer is outside MMRAM and
inside a valid non-MMRAM range. Previously, the API only checks
if the input buffer is
overlapped with MMRAM range. In the last
commit, we add logic to check if the input buffer is inside valid
non-MMRAM
ranges reported by the resource HOB. Since the resource
HOB only covers valid non-MMRAM ranges, we doesn't need to check
if the input buffer is inside the MMRAM anymore.
Signed-off-by: Dun Tan <dun.tan@intel.com>
Check if the all the resource HOB in the input HOB list of
MmCore entry only covers non-Mmram ranges. The Resource HOB
is to describe the accessible non-Mmram range. All Resource
HOB should not overlap with any Mmram range.
Signed-off-by: Dun Tan <dun.tan@intel.com>
Separate a function called InitializeMmHobList() to gather
all the operations related to initializing HOB. It doesn't
change any code logic.
Signed-off-by: Dun Tan <dun.tan@intel.com>
Check if the non-MMRAM buffer is inside valid non-mmram
range in API MmIsBufferOutsideMmValid of StandaloneMmMemLib.
Previously, the API only checks if the input buffer is
overlapped with MMRAM range. Currently, in the new standalone
MM infrastructure, we limit the non-MMRAM access to the ranges
reported by the resource HOB. To meet the new design, in this
API, we cache all the memory ranges reported by the resource
HOB and check if the input buffer is inside valid non-MMRAM
ranges reported by the resource HOB.
Signed-off-by: Dun Tan <dun.tan@intel.com>
Add a internal header file for StandaloneMmMemLib.
Move some common reference and declaration into
StandaloneMmMemLibInternal.h.
Signed-off-by: Dun Tan <dun.tan@intel.com>
Tom Lendacky
Ard Biesheuvel
Oliver Smith-Denny
Aaron Pop
Phil Noh
Ning Feng
kenlautner
Ray Ni
Gerd Hoffmann
Leif Lindholm
Jessica Clarke
Yang Gang
Jason1 Lin
Linus Liu
Chen Lin Z
Vivian Nowka-Keane
Kun Qin
Michael Kubacki
Aleksandr Goncharov
Michael D Kinney
Jiaxin Wu
Dun Tan