Introduce a driver that allows users to disable the EFI Memory Attribute
protocol through an HII setup option, in order to work around a broken
version of rhboot's shim used in some distros (e.g. CentOS Stream 9)
which incorrectly invokes the protocol and results in a Synchronous
Exception.
Default is enabled, which can also be overridden at build time by
changing `gEmbeddedTokenSpaceGuid.PcdMemoryAttributeEnabledDefault`.
It is only applicable to ARM64 and there isn't any other technical
reason for disabling this security feature.
See:
- https://github.com/microsoft/mu_silicon_arm_tiano/issues/124
- https://edk2.groups.io/g/devel/topic/99631663
- https://github.com/tianocore/edk2/pull/5840
Signed-off-by: Mario Bălănică <mariobalanica02@gmail.com>
This query seems to produce a rate of false positives with some
common patterns in edk2 like passing function pointers for callback.
Due to the usage of `STATIC` instead of `static` particularly for
functions, this query was rarely used in the past. It is removed
here to prevent future false positives.
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
Some unit tests would fail to execute or execute and not produce any output
logs. In these cases, the only output would be in the CI Log as
`UnitTest Execution Error`.
A UnitTest Execution Error should be considered the same as a unit tests
test failing.
Signed-off-by: Aaron Pop <aaronpop@microsoft.com>
The GeneralCheckNonAscii() function is a sledgehammer rejecting any file
containing any character outside of the 7-bit ASCII encoding space, as
well as the DEL character (which seems unrelated).
This conflicts with basic stuff like correctly spelling certain proper
nouns in comments (like copyright statements), or string literals (for
example in multi-language driver binding ComponentNames).
So rip it out, to be replaced by more fine-grained checks to be added as
identified and needed.
Signed-off-by: Leif Lindholm <quic_llindhol@quicinc.com>
Ecc concistently referred to ASCII/Ascii as ACSII/Acsii, which
bugged me to no end when trying to figure out how those tests
worked. Fix all instances.
Signed-off-by: Leif Lindholm <quic_llindhol@quicinc.com>
Open the network option to enable networking on the LoongArch QEMU
platform.
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Chao Li <lichao@loongson.cn>
Keep ZKR feature disabled by default until HW supports
it. Feature is implemented in RISC-V BaseRngLib.
Cc: Andrei Warkentin <andrei.warkentin@intel.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Sunil V L <sunilvl@ventanamicro.com>
Signed-off-by: Dhaval Sharma <dhaval@rivosinc.com>
Co-authored-by: Tim Wawrzynczak <tim@rivosinc.com>
The ratified RISC-V crypto scalar extensions provide entropy bits via the
seed CSR, as exposed by the Zkr extension. The Zkr extension is ratified
and provides 16 bits of entropy seed when reading the SEED CSR.
Guarded by a RISCV64 Feature PCD, 64-bit random numbers can be
accumulated from the `seed` CSR. This driver is based on the driver in
the Linux kernel.
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Signed-off-by: Dhaval Sharma <dhaval@rivosinc.com>
Co-authored-by: Tim Wawrzynczak <tim@rivosinc.com>
This debug print may attempt to print a string without a null
terminator that can lead to a machine check.
The value printed is substituted with a source buffer to still
allow debug.
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
There was a wild pointer in Fdt16550SerialProtHookLib which pointed to
an unknown space, which was very wrong and has been fixed.
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Chao Li <lichao@loongson.cn>
Static relocation types have been handled in GenFw if using the PIC, and
the CC flags not enable `fno-pic` by default.
The option `fno-plt` is not necessary, as is not created by defualt in
edk2(static linking) regardless of wether `fplt` is used or not, so
remove this option from the LoongArch common CC flags.
Cc: Rebecca Cran <rebecca@bsdio.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Bob Feng <bob.c.feng@intel.com>
Cc: Yuwei Chen <yuwei.chen@intel.com>
Signed-off-by: Chao Li <lichao@loongson.cn>
CC_MEASUREMENT_ENABLE is designed to control the loading of TdTcg2Dxe
driver which is for EFI_CC_MEASUREMENT_PROTOCOL. TdTcg2Dxe is TD-Guest
specific driver.
From the security perspective a TD-Guest shall always load the TdTcg2Dxe
driver so that EFI_CC_MEASUREMENT_PROTOCOL is installed and booting
events are measured and extended to RTMRs.
TdTcg2Dxe will check if it is running in a TD-Guest. If not then it
returns right now and no EFI_CC_MEASUREMENT_PROTOCOL is installed.
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Michael Roth <michael.roth@amd.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
REF : https://bugzilla.tianocore.org/show_bug.cgi?id=4725
ACM provides register to report TPM measurement status. If ACM has
already measured FSP component, BIOS shoule be able to skip measurement.
PcdFspMeasurementConfig should be DynamicEx to skip measurement.
Signed-off-by: Awiral Shrivastava <awiral.shrivastava@intel.com>
Makes the `mInternalRT` global static in this library instance to
avoid conflicting with other code such as a global variable with
the same name in MdePkg/Library/UefiRuntimeLib.
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
In EfiHttpRequest(), length of target URLs was always compared to
fixed-size value, even after allocating a larger URL buffer. Added
UrlLen to HTTP_PROTOCOL to store the size and reallocate if the size
changes.
Signed-off-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
With the commit ce4c76e (“OvmfPkg/Sec: Setup MTRR early
in the boot process.”), we find an unexpected #VE is triggered
in TD-Guest.
The background of importing the above commit is that:
Before running lzma uncompress of the main firmware volume,
if not correctly set MTRR, that would make the uncompress be
extremely slow.
Detailed discussion info can refer to below links:
https://edk2.groups.io/g/devel/message/114202https://edk2.groups.io/g/devel/message/114977
Refer to [intel-tdx-module-1.5-base-spec] Section 11.3 and
section11.6.1, CR0.CD is enforced to 0 in TD-Guest.
And refer to section 18.2.1.4, TDX module MTRR emulation
enforces WB in VMM.
Currently the initial MTRR are:
- Td-Guest : MTRR disabled, Type is WB.
- Non-Td-Guest : MTRR disabled, Type is UC.
In DXE phase, OVMF/TDVF would check the MTRR Type for MMIO
(in CpuSetMemoryAttributes -> MtrrGetMemoryAttribute ->
MtrrGetMemoryAttributeworker:
https://github.com/tianocore/edk2/blob/master/UefiCpuPkg/Library/MtrrLib/MtrrLib.c#L929
).
If MTRR is disabled, it always returns UC. Otherwise, it returns
the actual value.
If it checks that the type is not UC then the MTRR is programmed.
It is required to disable cache by setting CR0.CD to 1. That will trigger
an unexpected #VE in TD-Guest.
Based on above analysis we propose to skip "Setup MTRR early" in
TD-Guest because of:
- TD-Guest doesn’t have the issue that lzma uncompress extremely slow.
- This patch will trigger an unexpected #VE in TD-Guest.
intel-tdx-module-1.5-base-spec:
https://cdrdv2.intel.com/v1/dl/getContent/733575
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Ceping Sun <cepingx.sun@intel.com>
Currently, `STATIC` is allowed as a function modifier but `static`
results in the below ECC errors:
```
*Error code: 5001
*Return type of a function should exist and in the first line
*file: D:\src\edk2\Build\.pytool\Plugin\EccCheck\MdePkg\Library\UefiDebugLibDebugPortProtocol\DebugLibConstructor.c
*Line number: 37
*[UefiDebugLibDebugPortProtocolExitBootServicesCallback] Return
Type should appear at the start of line
EFI coding style error
*Error code: 5002
*Any optional functional modifiers should exist and next to the
return type
*file: D:\src\edk2\Build\.pytool\Plugin\EccCheck\MdePkg\Library\UefiDebugLibDebugPortProtocol\DebugLibConstructor.c
*Line number: 37
```
This is because `GetDataTypeFromModifier()` will return both `static`
and the return type (e.g. `VOID`) whereas for a modifier in the list
(e.g. `STATIC`) it will return only the return type allowing logic in
Ecc/c.py to process the modifier and return type with current logic.
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
Change the debug message level to DEBUG_INFO for protocol
notification functions. The protocol notification function
is invoked at least one time. So, the failure of locating
protocol is expected because protocol may not be installed
when Redfish platform config driver is launched.
Signed-off-by: Nickle Wang <nicklew@nvidia.com>
Cc: Abner Chang <abner.chang@amd.com>
Cc: Igor Kulchytskyy <igork@ami.com>
Cc: Rebecca Cran <rebecca@bsdio.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4352
Implemented dumping of the UEFI Conformance Profiles Table using Dmem.c
Uses header file for GUIDs added in previous patches
Cc: Ray Ni <ray.ni@intel.com>
Cc: Zhichao Gao <zhichao.gao@intel.com>
Signed-off-by: Sam Kaynor <Sam.Kaynor@arm.com>
Tested-by: Stuart Yoder <stuart.yoder@arm.com>
Reviewed-by: Stuart Yoder <stuart.yoder@arm.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4352
Adding additional GUIDs for the EFI_CONFORMANCE_PROFILE_TABLE
that are defined in the Embedded Base Boot Requirments (EBBR)
Specification.
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Signed-off-by: Sam Kaynor <Sam.Kaynor@arm.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4352
Adding support for EFI_CONFORMANCE_PROFILE_TABLE by adding an
associated header file and relevant GUIDs to MdePkg.dec as defined
in the UEFI 2.10 spec.
This table is needed to address changes being made within ShellPkg.
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Signed-off-by: Sam Kaynor <Sam.Kaynor@arm.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4352
Implemented dumping of the Image Execution Table using Dmem.c
Cc: Ray Ni <ray.ni@intel.com>
Cc: Zhichao Gao <zhichao.gao@intel.com>
Signed-off-by: Sam Kaynor <Sam.Kaynor@arm.com>
Tested-by: Stuart Yoder <stuart.yoder@arm.com>
Reviewed-by: Stuart Yoder <stuart.yoder@arm.com>
Reviewed-by: Zhichao Gao <zhichao.gao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4352
Implemented the dumping of the UEFI RT Properties Table using Dmem.c
Added new entry to the help command for the -verbose option
Cc: Ray Ni <ray.ni@intel.com>
Cc: Zhichao Gao <zhichao.gao@intel.com>
Signed-off-by: Sam Kaynor <Sam.Kaynor@arm.com>
Tested-by: Stuart Yoder <stuart.yoder@arm.com>
Reviewed-by: Stuart Yoder <stuart.yoder@arm.com>
Reviewed-by: Zhichao Gao <zhichao.gao@intel.com>
Removes an assert if PeiAllocatePool() fails to allocate memory to
defer error handling to the caller so the error can be handled
gracefully or asserted at that location which is more specific to
the call that led to the allocation.
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
Commit 2f6f3329ad ("FmpDevicePkg/FmpDxe: Use new Variable Lock interface"),
moved to using gEdkiiVariablePolicyProtocolGuid instead of
gEdkiiVariableLockProtocolGuid however the Depex was not updated to
reflect the change.
Correct the dependency.
Signed-off-by: Vishal Oliyil Kunnil <quic_vishalo@quicinc.com>
Commit ea56fa3d47 ("BaseTools: Enable RISC-V architecture for RISC-V
EDK2 CI") introduced a UTF-8 NBSP (0xc2a0) inside a comment block
otherwise copied identically from pre-existing architectures.
This was clearly unintentional and confuses things when looking for
which files contain UTF-8 encodings, so change it to good old 0x20.
Signed-off-by: Leif Lindholm <quic_llindhol@quicinc.com>
Adding tools_def for VS2022.
Update WindowsVsToolChain to support VS2022.
Update set_vsPrefix_envs and toolsetup and edksetup to support VS2022.
Signed-off-by: Aaron Pop <aaronpop@microsoft.com>
Print HOB information at top of StandaloneMmMain().
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Signed-off-by: Wei6 Xu <wei6.xu@intel.com>
Leverage generic HOB print code in MdeModulePkg/Library/HobPrintLib.
Print UefiPayload specified GUID HOB info as custom HOB print handler
when calling the PrintHobList() interface.
Cc: Guo Dong <guo.dong@intel.com>
Cc: Sean Rhodes <sean@starlabs.systems>
Cc: James Lu <james.lu@intel.com>
Cc: Gua Guo <gua.guo@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Signed-off-by: Wei6 Xu <wei6.xu@intel.com>
The HobPrintLib prints all HOB info from the HOB list. The code is
abstracted from UefiPayloadPkg/UefiPayloadEntry/PrintHob.c.
Cc: Guo Dong <guo.dong@intel.com>
Cc: Sean Rhodes <sean@starlabs.systems>
Cc: James Lu <james.lu@intel.com>
Cc: Gua Guo <gua.guo@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Signed-off-by: Wei6 Xu <wei6.xu@intel.com>
Interface PrintHobList() is added to dump all HOBs info in the HobList.
Caller could specify a custom HOB print handler to replace the default
print handler when calling the interface.
Cc: Ray Ni <ray.ni@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Signed-off-by: Wei6 Xu <wei6.xu@intel.com>
For SMM, the SMM Handlers is to validate the buffer outside MMRAM
including the Primary & NonPrimary buffer.
For MM, the MM Handlers do not need to validate the Primary buffer
if it is passed from MmCore through the MmiHandler() parameter.
Return TRUE directly in this case. But need to validate NonPrimary
buffer that outside MMRAM.
Signed-off-by: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Hongbin1 Zhang <hongbin1.zhang@intel.com>
Cc: Wei6 Xu <wei6.xu@intel.com>
Cc: Dun Tan <dun.tan@intel.com>
Cc: Yuanhao Xie <yuanhao.xie@intel.com>
VariableSmmIsBufferOutsideSmmValid function is to check the buffer
is outside SMM or not. This patch fix the issue that always return
true for MM.
Meanwhile, this patch renames VariableSmmIsBufferOutsideSmmValid
to VariableSmmIsNonPrimaryBufferValid.
Signed-off-by: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Hongbin1 Zhang <hongbin1.zhang@intel.com>
Cc: Wei6 Xu <wei6.xu@intel.com>
Cc: Dun Tan <dun.tan@intel.com>
Cc: Yuanhao Xie <yuanhao.xie@intel.com>
Add a new function (VariableSmmIsPrimaryBufferValid) to check
Primary Buffer valid or not.
original function (VariableSmmIsBufferOutsideSmmValid) is used to
check the buffer outside MMRAM.
Signed-off-by: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Hongbin1 Zhang <hongbin1.zhang@intel.com>
Cc: Wei6 Xu <wei6.xu@intel.com>
Cc: Dun Tan <dun.tan@intel.com>
Cc: Yuanhao Xie <yuanhao.xie@intel.com>
For MM, the MM Handlers do not need to validate the buffer if it is
the CommBuffer passed from MmCore through the MmiHandler() parameter.
Return TRUE directly in this case. Fix buffer valid check for MM in
this patch.
Signed-off-by: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Hongbin1 Zhang <hongbin1.zhang@intel.com>
Cc: Wei6 Xu <wei6.xu@intel.com>
Cc: Dun Tan <dun.tan@intel.com>
Cc: Yuanhao Xie <yuanhao.xie@intel.com>
In the MdeModulePkg/VarCheckPolicyLib, the Primary Buffer
(CommBuffer) check function has been updated to match the buffer
validation behavior.
For SMM, the SMM Handlers is to validate the buffer outside MMRAM.
For MM, the MM Handlers do not need to validate the buffer if it is
the CommBuffer passed from MmCore through the MmiHandler() parameter.
Return TRUE directly in this case. Existing code is incorrect for
the MM check. This will be fixed in the following patch.
There is no function impact.
Signed-off-by: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Hongbin1 Zhang <hongbin1.zhang@intel.com>
Cc: Wei6 Xu <wei6.xu@intel.com>
Cc: Dun Tan <dun.tan@intel.com>
Cc: Yuanhao Xie <yuanhao.xie@intel.com>
In the MdeModulePkg/FaultTolerantWriteSmm, the Primary Buffer
(CommBuffer) check function has been updated to match the buffer
validation behavior:
For SMM, the SMM Handlers is to validate the buffer outside MMRAM.
For MM, the MM Handlers do not need to validate the buffer if it is
the CommBuffer passed from MmCore through the MmiHandler() parameter.
Return TRUE directly in this case.
There is no function impact.
Signed-off-by: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Hongbin1 Zhang <hongbin1.zhang@intel.com>
Cc: Wei6 Xu <wei6.xu@intel.com>
Cc: Dun Tan <dun.tan@intel.com>
Cc: Yuanhao Xie <yuanhao.xie@intel.com>
struct.unpack() returns a tuple even for a single-element pack,
resulting in signature verification being evaluated to false even when
the signature is there.
This fixes --decode and --dump-info actions incorrectly reporting issues
with parsing capsule dependencies when there are none.
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
--decode unconditionally uses args.OutputFile.name as a prefix for
output files that it creates and fails in a non-pretty way without
--output option.
This doesn't address creation/truncation of the file specified via
--output, but at least you're able to decode a capsule.
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
This field seems to be one-based according UEFI specification, default
value is 1 and --decode of GenerateCapsule.py errors upon seeing
UpdateImageIndex less than 1. So align --encode behaviour to enforce a
value within the 1..255 range.
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
Commit b68d566439 added support for
input subject name with signtool and broke --decode operation by using
incorrect identifier in one place (could be an incomplete rename during
review).
It's `args.SignToolSubjectName`, not `args.SignSubjectName`.
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
This patch is to consume the PcdCpuSmmApSyncTimeout2 to
enhance the flexibility of timeout configuration.
In some cases, certain processors may not be able to enter
SMI, and prolonged waiting could lead to kernel soft/hard
lockup. We have now defined two timeouts. The first timeout
can be set to a smaller value to reduce the waiting period.
Processors that are unable to enter SMI will be woken up
through SMIIPL to enter SMI, followed by a second waiting
period. The second timeout can be set to a larger value to
prevent delays in processors entering SMI case due to the
long instruction execution.
This patch adjust the location of PcdCpuSmmApSyncTimeout2
to avoid conflict.
Signed-off-by: Yanbo Huang <yanbo.huang@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
This reverts commit cb3134612d.
Intel server platform sync this commit will hit conflict since our code base is old.
We don't want to cherry-pick the dependent patches to avoid potential issue.
We need to revert this commit first and then fix the conflict and reapply the change.
Sorry for the incovenience.
Signed-off-by: Yanbo Huang <yanbo.huang@intel.com>
Because the complex dependency between SerialPortLib and
PciExpressLib leads to multiple references to the lib
library in the loongarch dsc file, optimizing SerialPortLib
now simplifies multiple references to lib in the dsc file.
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Bibo Mao <maobibo@loongson.cn>
Cc: Chao Li <lichao@loongson.cn>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Xianglai Li <lixianglai@loongson.cn>
Signed-off-by: Xianglai Li <lixianglai@loongson.cn>
Mario Bălănică
Michael Kubacki
v-bhavanisu
Leif Lindholm
Chao Li
Dhaval
KasimX Liu
Min M Xu
Awiral Shrivastava
Saloni Kasbekar
Ceping Sun
Nickle Wang
Sam Kaynor
Kun Qin
Thamballi Sreelalitha
Matthew Carlson
Wei6 Xu
Jiaxin Wu
Sergii Dmytruk
Yanbo Huang
Xianglai Li