This implements a DXE memory protection policy that ensures that regions
that don't require executable permissions are mapped with the non-exec
attribute set.
First of all, it iterates over all entries in the UEFI memory map, and
removes executable permissions according to the configured DXE memory
protection policy, as recorded in PcdDxeNxMemoryProtectionPolicy.
Secondly, it sets or clears the non-executable attribute when allocating
or freeing pages, both for page based or pool based allocations.
Note that this complements the image protection facility, which applies
strict permissions to BootServicesCode/RuntimeServicesCode regions when
the section alignment allows it. The memory protection configured by this
patch operates on non-code regions only.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
If the UEFI image is page aligned, the image code section is set to read
only and the image data section is set to non-executable.
1) This policy is applied for all UEFI image including boot service driver,
runtime driver or application.
2) This policy is applied only if the UEFI image meets the page alignment
requirement.
3) This policy is applied only if the Source UEFI image matches the
PcdImageProtectionPolicy definition.
4) This policy is not applied to the non-PE image region.
The DxeCore calls CpuArchProtocol->SetMemoryAttributes() to protect
the image. If the CpuArch protocol is not installed yet, the DxeCore
enqueues the protection request. Once the CpuArch is installed, the
DxeCore dequeues the protection request and applies policy.
Once the image is unloaded, the protection is removed automatically.
The UEFI runtime image protection is teared down at ExitBootServices(),
the runtime image code relocation need write code segment at
SetVirtualAddressMap(). We cannot assume OS/Loader has taken over
page table at that time.
NOTE: It is per-requisite that code section and data section
should not be not merged. That is same criteria for SMM/runtime driver.
We are not able to detect during BIOS boot, because
we can only get LINK warning below:
"LINK : warning LNK4254: section '.data' (C0000040) merged into
'.text' (60000020) with different attributes"
But final attribute in PE code section is same.
Cc: Star Zeng <star.zeng@intel.com>
Cc: Feng Tian <feng.tian@intel.com>
Cc: Michael Kinney <michael.d.kinney@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Jeff Fan <jeff.fan@intel.com>
Tested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Instead of comparing a GUID with gZeroGuid via the CompareGuid API, the
commit uses the IsZeroGuid API to check if the given GUID is a zero GUID.
Cc: Feng Tian <feng.tian@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Feng Tian <feng.tian@Intel.com>
1. Implement include GetRecordingState/SetRecordingState/Record for
memory profile protocol.
2. Consume PcdMemoryProfilePropertyMask to support disable recording
at the start.
3. Consume PcdMemoryProfileDriverPath to control which drivers need
memory profile data.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
1. Usage information in INF file comment blocks are either incomplete or incorrect.
This includes usage information for Protocols/PPIs/GUIDs/PCDs/HOBs/Events/BootModes.
The syntax for usage information in comment blocks is defined in the EDK II Module Information (INF) Specification
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Zeng, Star <star.zeng@intel.com>
Reviewed-by: Gao, Liming <liming.gao@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15962 6f19259b-4bc3-4df7-8a09-765794883524
2. DxeMain will get Vector Handoff Table GUIDed HOB to install configuration table if it has.
3. Updated CPU Exception Handler Library to provide 3 new APIs to replace original one API and updated NULL instance accordingly.
4. Updated DxeMain/CapsuleX64/BootSriptExectorDxe to use the new API in CPU Exception Handler Lib.
Signed-off-by: Jeff Fan <jeff.fan@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@14884 6f19259b-4bc3-4df7-8a09-765794883524
1. Update SecurityManagementLib to support SAP2 and SAP services.
2. Update SecurityStub driver to produce SAP2 and SAP protocol both.
3. Update DxeCore and SmmCore to use SAP2 and SAP service to verify Image.
4. Update DxeCore ConnectController() to use SAP2 service to check user permission.
Signed-off-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Guo Dong <dong.guo@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13660 6f19259b-4bc3-4df7-8a09-765794883524
2. Updated DXE Core, BootScriptExecutorDxe and CapsuleX64Pei to consume CPU Exception Library to setup the default CPU Exception handlers.
Signed-off-by: vanjeff
Reviewed-by: jyao1
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13097 6f19259b-4bc3-4df7-8a09-765794883524
PI 1.2 SMM Drivers are allowed to call UEFI/DXE services and Protocols from the entry point of the PI 1.2 SMM Driver. These UEFI/DXE services and Protocols may directly or indirectly calls the UEFI Boot Services RaiseTPL() and RestoreTPL(). These UEFI Boot Services use the CPU Architectural Protocol to enable interrupts if the TPL level is below TPL_HIGH_LEVEL and enable interrupts of the TPL is at TPL_HIGH_LEVEL. Interrupts should be masked while executing SMM drivers, so if a direct or indirect call to the UEFI Boot Service RestoreTPL() would enable interrupts, then an interrupt could be incorrectly delivered in SMM context.
The solution is for the DXE Core to register for the PI 1.2 SMM Base2 Protocol. If that protocol is present in the platform, then the DXE Core can use the SMM Base 2 Protocol's InSmm() function to determine if the platform is currently executing in SMM content. If the current context is in SMM, then do not allow any requests to be forwarded to the CPU Architecture Protocol to enable interrupts.
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@9997 6f19259b-4bc3-4df7-8a09-765794883524
Ard Biesheuvel
Jiewen Yao
Hao Wu
Star Zeng
Jeff Fan
erictian
lgao4
czhang46
vanjeff
lzeng14
jljusten
niruiyu
mdkinney
hhtian
klu2
jchen20
xli24
davidhuang
qhuang8
eric_tian
gikidy
jji4