REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2001
For S3BootScriptLib APIs:

  S3BootScriptSaveIoWrite
  S3BootScriptSaveMemWrite
  S3BootScriptSavePciCfgWrite
  S3BootScriptSavePciCfg2Write
  S3BootScriptSaveSmbusExecute
  S3BootScriptSaveInformation
  S3BootScriptSaveInformationAsciiString
  S3BootScriptLabel (happens in S3BootScriptLabelInternal())

possible numeric truncations will happen that may lead to an S3 boot script
entry with improper size being returned to store the boot script data.

This commit will add checks to prevent this kind of issue.

Please note that the remaining S3BootScriptLib APIs:

  S3BootScriptSaveIoReadWrite
  S3BootScriptSaveMemReadWrite
  S3BootScriptSavePciCfgReadWrite
  S3BootScriptSavePciCfg2ReadWrite
  S3BootScriptSaveStall
  S3BootScriptSaveDispatch2
  S3BootScriptSaveDispatch
  S3BootScriptSaveMemPoll
  S3BootScriptSaveIoPoll
  S3BootScriptSavePciPoll
  S3BootScriptSavePci2Poll
  S3BootScriptCloseTable
  S3BootScriptExecute
  S3BootScriptMoveLastOpcode
  S3BootScriptCompare

are not affected by such numeric truncation.
Signed-off-by: Hao A Wu <hao.a.wu@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
Acked-by: Jian J Wang <jian.j.wang@intel.com>
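
The kind of truncation the commit message above describes, and a pre-check that rejects it, as an added example that is not code from edk2 or from the commit. The 8-bit length field, the 16-byte header size and all function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumptions of this example: an 8-bit entry length field and a 16-byte
 * fixed entry header (constructed stand-in for the real opcode structure). */
#define ENTRY_HEADER_SIZE 16u

/* Before: header + payload is computed in a wide type, then truncated. */
uint8_t entry_length_truncating(uint32_t width_in_byte, size_t count) {
    return (uint8_t)(ENTRY_HEADER_SIZE + width_in_byte * count);
}

/* After: refuse any payload whose total size does not fit the length field. */
int entry_length_checked(uint32_t width_in_byte, size_t count, uint8_t *length) {
    if (width_in_byte == 0 ||
        count > (UINT8_MAX - ENTRY_HEADER_SIZE) / width_in_byte) {
        return -1;                      /* caller must fail the save */
    }
    *length = (uint8_t)(ENTRY_HEADER_SIZE + width_in_byte * count);
    return 0;
}

/* Bytes the payload copy would write beyond the entry that was reserved
 * using the truncated length. Zero means the entry is large enough. */
size_t bytes_past_entry(uint32_t width_in_byte, size_t count) {
    size_t needed = ENTRY_HEADER_SIZE + (size_t)width_in_byte * count;
    size_t reserved = entry_length_truncating(width_in_byte, count);
    return needed > reserved ? needed - reserved : 0;
}
```

With a width of 4 bytes and a count of 64, the truncating version reports an entry no larger than the header, while the checked version refuses the request.
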
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2212
In the binary model, the same binary may have to support both
S3 enabled and disabled scenarios; however, not all DXE
drivers linking PiDxeS3BootScriptLib can return an error to
invoke the library DESTRUCTOR for releasing resources.
To support this usage model, the PCD below is used to skip
S3BootScript functions when the PCD is set to FALSE:
  gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable
Test: Verified on internal platform and S3BootScript
functions can be skipped by PCD during boot time.
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Nate DeSimone <nathaniel.l.desimone@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Chasel Chiu <chasel.chiu@intel.com>
Reviewed-by: Nate DeSimone <nathaniel.l.desimone@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
There are cases where the operands of an expression are all with rank less
than UINT64/INT64 and the result of the expression is explicitly cast to
UINT64/INT64 to fit the target size.

An example will be:

  UINT32 a,b;
  // a and b can be any unsigned int type with rank less than UINT64, like
  // UINT8, UINT16, etc.
  UINT64 c;
  c = (UINT64) (a + b);

Some static code checkers may warn that the expression result might
overflow within the rank of "int" (integer promotions) and the result is
then cast to a bigger size.

The commit refines the code by the following rules:

1). When it is possible for the expression to overflow the range of
unsigned int/int:

  c = (UINT64)a + b;

2). When the expression will not overflow within the rank of "int", remove
the explicit type casts:

  c = a + b;

3). When the expression will be cast to a pointer of possibly greater size:

  UINT32 a,b;
  VOID *c;
  c = (VOID *)(UINTN)(a + b); --> c = (VOID *)((UINTN)a + b);

4). When one side of a comparison expression contains only operands with
rank less than UINT32:

  UINT8 a;
  UINT16 b;
  UINTN c;
  if ((UINTN)(a + b) > c) {...} --> if (((UINT32)a + b) > c) {...}

For rule 4), if we remove the 'UINTN' type cast like:

  if (a + b > c) {...}

The VS compiler will complain with warning C4018 (signed/unsigned
mismatch, level 3 warning) due to promoting 'a + b' to type 'int'.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Feng Tian <feng.tian@intel.com>
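
Rules 1 and 2 of the commit message above, placed in a range check so the effect of casting after the addition is visible. This is an added example, not code from edk2 or from the commit; the function names, the range-check consumer and the sample values in the usage note are constructed, and "int" is assumed to be at least 32 bits wide.

```c
#include <stdbool.h>
#include <stdint.h>

/* Pattern the checkers flag: the 32-bit sum wraps first, the cast is too late. */
uint64_t end_cast_after_add(uint32_t base, uint32_t size) {
    return (uint64_t)(base + size);
}

/* Rule 1: widen one operand so the addition itself is done in 64 bits. */
uint64_t end_widen_first(uint32_t base, uint32_t size) {
    return (uint64_t)base + size;
}

/* Rule 2: operands below the rank of int are promoted to int, and the sum
 * (at most 255 + 65535) cannot overflow it, so no cast is needed. */
uint64_t sum_small_ranks(uint8_t a, uint16_t b) {
    return a + b;
}

/* Constructed consumer: does the range [base, base + size) end at or
 * below limit? The wrapped sum makes an oversized range look acceptable. */
bool range_ok_cast_after_add(uint32_t base, uint32_t size, uint64_t limit) {
    return end_cast_after_add(base, size) <= limit;
}

bool range_ok_widen_first(uint32_t base, uint32_t size, uint64_t limit) {
    return end_widen_first(base, size) <= limit;
}
```

For base 0xFFFFFFF0 and size 0x20 against a 4 GiB limit, the first check accepts the range because the sum wrapped to 0x10, and the second rejects it.
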
For pointer subtraction, the result is of type "ptrdiff_t". According to
the C11 standard (Committee Draft - April 12, 2011):
"When two pointers are subtracted, both shall point to elements of the
same array object, or one past the last element of the array object; the
result is the difference of the subscripts of the two array elements. The
size of the result is implementation-defined, and its type (a signed
integer type) is ptrdiff_t defined in the <stddef.h> header. If the result
is not representable in an object of that type, the behavior is
undefined."
In our code, there are cases where the pointer subtraction is not
performed by pointers to elements of the same array object. This might
lead to potential issues, since the behavior is undefined according to the
C11 standard.

Also, since the size of type "ptrdiff_t" is implementation-defined, some
static code checkers may warn that the pointer subtraction might underflow
first and then be cast to a bigger size. For example:

  UINT8 *Ptr1, *Ptr2;
  UINTN PtrDiff;
  ...
  PtrDiff = (UINTN) (Ptr1 - Ptr2);

The commit will refine the pointer subtraction expressions by casting each
pointer to UINTN first and then performing the subtraction:

  PtrDiff = (UINTN) Ptr1 - (UINTN) Ptr2;
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Feng Tian <feng.tian@intel.com>
The BaseNull instance of S3BootScriptLib obviously doesn't care about the
type of the S3BootScriptSaveMemPoll() function's LoopTimes parameter; this
lib instance doesn't do anything with the parameters received in
S3BootScriptSaveMemPoll().
The PiDxe instance saves the LoopTimes parameter in
EFI_BOOT_SCRIPT_MEM_POLL.LoopTimes. This target field already has UINT64
type. Furthermore, the BootScriptExecuteMemPoll() function in the same
library instance already uses a local UINT64 variable called LoopTimes to
count up to EFI_BOOT_SCRIPT_MEM_POLL.LoopTimes. This means that the
UINTN type for S3BootScriptSaveMemPoll()'s LoopTimes parameter is an
unnecessary restriction.
The callers of S3BootScriptSaveMemPoll() will be updated in the next
patches, functionally. At this stage, they will continue to compile, since
UINT64 parameters can accept UINTN arguments.
Cc: Feng Tian <feng.tian@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: "Yao, Jiewen" <jiewen.yao@intel.com>
Reviewed-by: Michael Kinney <michael.d.kinney@intel.com>
Support multiple PCI segment for PCI_CONFIG2 opcodes.
PiDxeS3BootScriptLib needs to be updated to consume PciSegmentLib
instead of PciLib. That means platforms need to add PciSegmentLib
declaration like below in platform dsc if the PciSegmentLib was
not declared in platform dsc before.
PciSegmentLib|MdePkg/Library/BasePciSegmentLibPci/BasePciSegmentLibPci.inf
For platforms that only have one segment,
MdePkg/Library/BasePciSegmentLibPci/BasePciSegmentLibPci.inf is recommended
to be used and declared in platform dsc for PiDxeS3BootScriptLib to have
equivalent functionality with before.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Amy Chan <amy.chan@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Michael Kinney <michael.d.kinney@intel.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
When a driver also uses the same name, there will be a link error:
one or more multiply defined symbols found.
Use a specific name for mSmst to avoid the link error.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
A static scan tool reports BootScriptSave.c:628: 'mSmst' is
explicitly dereferenced.
The patch is to check (mSmst != NULL) before freeing SMRAM at
BootScriptSave.c:628.
Cc: Shumin Qiu <shumin.qiu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Shumin Qiu <shumin.qiu@intel.com>
With a destructor implemented, the shortcut from 058196bbb3
should be unnecessary.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Suggested-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
PiDxeS3BootScriptLib has a constructor S3BootScriptLibInitialize() that
registers ready-to-lock callback S3BootScriptSmmEventCallBack() and several
more. The library is linked to SMM modules. If the module entry-point
function returns error (because of lack of resources, unsupported,
whatever), the module will be unloaded and the notify callback pointers
will point to undefined memory. On ready-to-lock, an exception occurs when
calling S3BootScriptSmmEventCallBack(), and probably all the other
callbacks registered by the constructor would also cause an exception.
This patch is to implement library Destructor to free the resources
allocated by S3BootScriptLibInitialize() and unregister callbacks.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
In the edk2 tree, there are currently four drivers that consume
PcdAcpiS3Enable:
IntelFrameworkModulePkg/Universal/Acpi/AcpiS3SaveDxe/AcpiS3SaveDxe.inf
MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf
MdeModulePkg/Universal/Acpi/SmmS3SaveState/SmmS3SaveState.inf
From these, AcpiS3SaveDxe is the only one that isn't also a client of the
S3BootScriptLib class; all the others (BootScriptExecutorDxe,
S3SaveStateDxe, SmmS3SaveState) are clients of the S3BootScriptLib class.
In turn, the edk2 tree contains only one non-Null instance of the
S3BootScriptLib class:
MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf
Therefore we can safely state that BootScriptExecutorDxe, S3SaveStateDxe,
and SmmS3SaveState are all linked against PiDxeS3BootScriptLib.
Now, if PcdAcpiS3Enable is FALSE when either of BootScriptExecutorDxe,
SmmS3SaveState, or SmmS3SaveState is dispatched, then the following
happens:
- The constructor of PiDxeS3BootScriptLib, function
  S3BootScriptLibInitialize(), registers a protocol installation callback
  for gEfiDxeSmmReadyToLockProtocolGuid. Namely, the function
  S3BootScriptEventCallBack().
- The driver immediately exits with EFI_UNSUPPORTED from its entry point
  function, upon seeing PcdAcpiS3Enable == FALSE. (See commits
  800c02fbe2, 125e093876, and d2d38610603f6.)
- This leaves a dangling callback pointer in the DXE core.
- When Platform BDS installs gEfiDxeSmmReadyToLockProtocolGuid (which is a
  valid thing to do for locking down SMM, even in the absence of S3
  support!), things blow up.
Fix this issue by returning immediately from S3BootScriptLibInitialize()
if PcdAcpiS3Enable is FALSE -- it is useless to initialize the library
instance if the containing driver module exits first thing in its entry
point.
Cc: Feng Tian <feng.tian@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jaben Carsey <Jaben.carsey@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
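
A small model of the lifecycle problem described in the commit message above and in the earlier destructor commit message: a library constructor registers a callback, the driver entry point fails, the image is unloaded, and ready-to-lock is then signalled. This is an added example, not edk2 code; the notify list, the fix_t modes and all function names are constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>

#define MAX_NOTIFY 4

/* Constructed stand-in for the core's notify list; not edk2 code. */
typedef struct { bool used; const bool *image_loaded; } notify_t;
static notify_t g_notify[MAX_NOTIFY];

typedef enum { FIX_NONE, FIX_CTOR_EARLY_RETURN, FIX_DESTRUCTOR } fix_t;

static notify_t *register_notify(const bool *image_loaded) {
    for (size_t i = 0; i < MAX_NOTIFY; i++) {
        if (!g_notify[i].used) {
            g_notify[i] = (notify_t){ true, image_loaded };
            return &g_notify[i];
        }
    }
    return NULL;
}

/* Load one driver linked against the library, then signal ready-to-lock.
 * Returns how many registered callbacks point into an unloaded image. */
int dangling_callbacks(fix_t fix, bool s3_enabled) {
    bool image_loaded = true;
    notify_t *reg = NULL;
    int dangling = 0;

    for (size_t i = 0; i < MAX_NOTIFY; i++) g_notify[i].used = false;

    /* Library constructor: runs before the driver entry point. */
    if (s3_enabled || fix != FIX_CTOR_EARLY_RETURN)
        reg = register_notify(&image_loaded);

    /* Driver entry point: fails when S3 is disabled; image is then unloaded. */
    if (!s3_enabled) {
        if (fix == FIX_DESTRUCTOR && reg != NULL)
            reg->used = false;          /* destructor unregisters the callback */
        image_loaded = false;
    }

    /* Ready-to-lock: every still-registered callback would be invoked. */
    for (size_t i = 0; i < MAX_NOTIFY; i++)
        if (g_notify[i].used && !*g_notify[i].image_loaded)
            dangling++;
    for (size_t i = 0; i < MAX_NOTIFY; i++) g_notify[i].used = false;
    return dangling;
}
```
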
PcdSet## has no error status returned, so the caller has no idea about whether the set operation is successful or not.
PcdSet##S were added to return error status and PcdSet## APIs were put in ifndef DISABLE_NEW_DEPRECATED_INTERFACES condition.
To adopt PcdSet##S and further code development with DISABLE_NEW_DEPRECATED_INTERFACES defined, we need to replace PcdSet## usage with PcdSet##S.
Normally, a DynamicDefault PCD set is expected to succeed, but a DynamicHii PCD set failure is a legal case.
For this case, PcdS3BootScriptTablePrivateDataPtr and PcdS3BootScriptTablePrivateSmmDataPtr are expected to be DynamicDefault,
so use PcdSet64S instead of PcdSet64 and assert when the set fails.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18599 6f19259b-4bc3-4df7-8a09-765794883524
What to do:
1. Remove a hidden assumption "No SMM driver writes BootScript between
   SmmReadyToLock and S3SleepEntryCallback".
   1.1. Use SmmExitBootServices and SmmLegacyBoot notification to record
        AtRuntime flag.
   1.2. Use mBootScriptDataBootTimeGuid LockBox to save boot time boot
        script data to handle potential INSERT boot script at runtime in SMM.
2. Do not depend on OS to help restore ACPINvs data and use
   EfiReservedMemoryType instead of EfiACPIMemoryNVS.
   2.1. Use mBootScriptSmmPrivateDataGuid LockBox to save boot script
        SMM private data with BackFromS3 = TRUE at runtime. S3 resume
        will help restore it to tell the Library the system is back
        from S3.

Why to do:
1. The hidden assumption "No SMM driver writes BootScript between
   SmmReadyToLock and S3SleepEntryCallback" will cause confusion to
   the library's consumer and block the usage of "SMM driver writes
   BootScript after SmmReadyToLock". So remove the assumption.
2. In the original code, there might be a corner case where malicious
   code patches the ACPINvs boot TableLength field to be the same as the
   SMM boot script, so that it can skip the table restore. The impact is
   that BootScript in SMM may be overridden by malicious code.
--------------------
  CopyMem ((VOID*)&TableHeader, (VOID*)mS3BootScriptTablePtr->TableBase, sizeof(EFI_BOOT_SCRIPT_TABLE_HEADER));
  if (mS3BootScriptTablePtr->TableLength + sizeof(EFI_BOOT_SCRIPT_TERMINATE) != TableHeader.TableLength) { // TableLength is in NVS
    ......
    //
    // NOTE: We should NOT use TableHeader.TableLength, because it is already updated to be whole length.
    //
    mS3BootScriptTablePtr->TableLength = (UINT32)(mLockBoxLength - sizeof(EFI_BOOT_SCRIPT_TERMINATE)); // <-- This line can be skipped.
--------------------
   So use EfiReservedMemoryType instead of EfiACPIMemoryNVS as the code
   has been updated to not depend on OS to help restore ACPINvs data.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18467 6f19259b-4bc3-4df7-8a09-765794883524
1. PciCfg Read/Write doesn't support UINT64 width.
2. PciCfg2 Segment must be zero.
Move CheckParameters () to BootScriptSave.c to check parameter early.
Add code for EfiSmbusBWBRProcessCall operation, and let the SmbusLib instance decide if it is supported or not.
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14018 6f19259b-4bc3-4df7-8a09-765794883524
2. Sync the change into LockBox for S3BootScriptMoveLastOpcode() at runtime in SMM.
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13986 6f19259b-4bc3-4df7-8a09-765794883524
Allocate an SMM copy for the private data structure, and use a new PCD PcdS3BootScriptTablePrivateSmmDataPtr to transfer and share data between multiple SMM drivers.
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13984 6f19259b-4bc3-4df7-8a09-765794883524