From: "gaoliming via groups.io" <gaoliming@byosoft.com.cn>
Cc: 'Chiu, Chasel'; 'Desimone, Nathaniel L'; 'Duggapu, Chinni B'; 'Chen, Gang C'
Sender: devel@edk2.groups.io
Subject: Re: [edk2-devel] [PATCH v1 1/2] MdeModulePkg/Core/Pei: Install MigrateTempRamPpi
Date: Thu, 30 May 2024 13:12:16 +0800
Message-ID: <00e501dab24f$f098b0b0$d1ca1210$@byosoft.com.cn>
References: <20240429032001.6657-1-zhihao.li@intel.com> <00d401dab0e3$968a1ef0$c39e5cd0$@byosoft.com.cn>

Zhihao:

If Fsp-T/M is not installed, are they still used in PEI boot?
If they are used, I agree they should be measured.

Thanks
Liming

> -----Original Message-----
> From: devel@edk2.groups.io on behalf of Li, Zhihao
> Sent: May 29, 2024 11:36
> To: gaoliming; devel@edk2.groups.io
> Cc: Chiu, Chasel; Desimone, Nathaniel L; Duggapu, Chinni B; Chen, Gang C
> Subject: Re: [edk2-devel] [PATCH v1 1/2] MdeModulePkg/Core/Pei: Install MigrateTempRamPpi
>
> Issue description:
> 1. PeiCore only migrates Fsp-M in dispatch mode and doesn't migrate Fsp-T and Fsp-M in Api mode.
> 2. Fsp-T and Fsp-M will be measured in post-mem PEI and the measurement uses original addresses.
> RootCause:
> PeiCore only migrates installed FVs and Fsp-T/M may not be installed.
>
> Defect in implementation:
> In MdeModulePkg/Core/Pei/PeiMain/PeiMain.c line 450:
> EvacuateTempRam will migrate installed content from Temporary RAM to Permanent RAM because of BootGuard TOCTOU vulnerability (https://bugzilla.tianocore.org/show_bug.cgi?id=1614).
> In IntelFsp2WrapperPkg/FspmWrapperPeim/FspmWrapperPeim.c line 220:
> FspmWrapperInit will install Fspm in dispatch mode or directly call PeiFspMemoryInit function in api mode.
> ==>
> Api mode: Fsp-T and Fsp-M are not migrated because they are not installed.
> Dispatch mode: Fsp-T is not migrated because it is not installed.
>
> In IntelFsp2WrapperPkg/FspmWrapperPeim/FspmWrapperPeim.c line 291, 300:
> TcgPpiNotify transmits original addresses (PcdFsptBaseAddress, PcdFspmBaseAddress) to MeasureFspFirmwareBlob which will trigger HashLogExtendEvent.
> In SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c line 966:
> TcgPpi will be installed in PeimEntryMP which will be called when the PEI Foundation discovers permanent memory (line 1059 mImageInMemory = TRUE).
> ==>
> Original addresses of Fsp-T and Fsp-M will be used for measurement after permanent memory is ready and installed FVs are migrated.
>
> Solution:
> MdeModulePkg: PeiCore installs MigrateTempRamPpi if PcdMigrateTemporaryRamFirmwareVolumes is True.
> IntelFsp2WrapperPkg: 1. MigrateTempRamPpi notification in FspmWrapperPeim migrates FspT/M binary to permanent memory and builds MigratedFvInfoHob.
> 2. TCG notification checks MigratedFvInfoHob and transmits DRAM address for measurement.
>
> BR,
> Zhihao
>
> -----Original Message-----
> From: gaoliming
> Sent: Tuesday, May 28, 2024 5:44 PM
> To: Li, Zhihao; devel@edk2.groups.io
> Cc: Chiu, Chasel; Desimone, Nathaniel L; Duggapu, Chinni B; Chen, Gang C
> Subject: Re: [PATCH v1 1/2] MdeModulePkg/Core/Pei: Install MigrateTempRamPpi
>
> Zhihao:
> Could you explain the situation that FSP-T/M is not migrated by PeiCore?
>
> Thanks
> Liming
> > -----Original Message-----
> > From: Zhihao Li
> > Sent: April 29, 2024 11:20
> > To: devel@edk2.groups.io
> > Cc: Chasel Chiu; Nate DeSimone; Duggapu Chinni B; Chen Gang C; Liming Gao
> > Subject: [PATCH v1 1/2] MdeModulePkg/Core/Pei: Install MigrateTempRamPpi
> >
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4716
> >
> > Migrate FSP-T/M binary from temporary RAM to permanent RAM before NEM
> > tear down. Tcg module will use permanent address of FSP-T/M for
> > measurement.
> > 1. PeiCore installs mMigrateTempRamPpi if
> >    PcdMigrateTemporaryRamFirmwareVolumes is True
> > 2. FspmWrapperPeim migrates FspT/M binary to permanent memory and
> >    builds MigratedFvInfoHob
> > 3. TCG notification checks MigratedFvInfoHob and transmits DRAM address
> >    for measurement
> >
> > Cc: Chasel Chiu
> > Cc: Nate DeSimone
> > Cc: Duggapu Chinni B
> > Cc: Chen Gang C
> > Cc: Liming Gao
> >
> > Signed-off-by: Zhihao Li
> > ---
> >  MdeModulePkg/Core/Pei/PeiMain/PeiMain.c    | 10 ++++++++-
> >  MdeModulePkg/Core/Pei/PeiMain.h            |  3 ++-
> >  MdeModulePkg/Core/Pei/PeiMain.inf          |  3 ++-
> >  MdeModulePkg/Include/Guid/MigratedFvInfo.h |  4 ++--
> >  MdeModulePkg/Include/Ppi/MigrateTempRam.h  | 23 ++++++++++++++++++++
> >  MdeModulePkg/MdeModulePkg.dec              |  5 ++++-
> >  6 files changed, 42 insertions(+), 6 deletions(-)
> > > > diff --git a/MdeModulePkg/Core/Pei/PeiMain/PeiMain.c > > b/MdeModulePkg/Core/Pei/PeiMain/PeiMain.c > > index bf1719d7941a..0e3d9a843816 100644 > > --- a/MdeModulePkg/Core/Pei/PeiMain/PeiMain.c > > +++ b/MdeModulePkg/Core/Pei/PeiMain/PeiMain.c > > @@ -1,7 +1,7 @@ > > /** @file > > Pei Core Main Entry Point > > > > -Copyright (c) 2006 - 2019, Intel Corporation. All rights > > reserved.
> > +Copyright (c) 2006 - 2024, Intel Corporation. All rights > > +reserved.
> > SPDX-License-Identifier: BSD-2-Clause-Patent > > > > **/ > > @@ -13,6 +13,11 @@ EFI_PEI_PPI_DESCRIPTOR mMemoryDiscoveredPpi =3D { > > &gEfiPeiMemoryDiscoveredPpiGuid, > > NULL > > }; > > +EFI_PEI_PPI_DESCRIPTOR mMigrateTempRamPpi =3D { > > + (EFI_PEI_PPI_DESCRIPTOR_PPI | > > EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST), > > + &gEdkiiPeiMigrateTempRamPpiGuid, > > + NULL > > +}; > > > > /// > > /// Pei service instance > > @@ -449,6 +454,9 @@ PeiCore ( > > // > > EvacuateTempRam (&PrivateData, SecCoreData); > > > > + Status =3D PeiServicesInstallPpi (&mMigrateTempRamPpi); > > + ASSERT_EFI_ERROR (Status); > > + > > DEBUG ((DEBUG_VERBOSE, "PPI lists after temporary RAM > > evacuation:\n")); > > DumpPpiList (&PrivateData); > > } > > diff --git a/MdeModulePkg/Core/Pei/PeiMain.h > > b/MdeModulePkg/Core/Pei/PeiMain.h index 46b6c23014a3..8df0c2d561f7 > > 100644 > > --- a/MdeModulePkg/Core/Pei/PeiMain.h > > +++ b/MdeModulePkg/Core/Pei/PeiMain.h > > @@ -1,7 +1,7 @@ > > /** @file > > Definition of Pei Core Structures and Services > > > > -Copyright (c) 2006 - 2019, Intel Corporation. All rights > > reserved.
> > +Copyright (c) 2006 - 2024, Intel Corporation. All rights > > +reserved.
> > SPDX-License-Identifier: BSD-2-Clause-Patent > > > > **/ > > @@ -26,6 +26,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > > #include #include > > #include > > +#include > > #include > > #include #include > > diff --git a/MdeModulePkg/Core/Pei/PeiMain.inf > > b/MdeModulePkg/Core/Pei/PeiMain.inf > > index 893bdc052798..4e545ddab2ab 100644 > > --- a/MdeModulePkg/Core/Pei/PeiMain.inf > > +++ b/MdeModulePkg/Core/Pei/PeiMain.inf > > @@ -6,7 +6,7 @@ > > # 2) Dispatch PEIM from discovered FV. > > # 3) Handoff control to DxeIpl to load DXE core and enter DXE phase. > > # > > -# Copyright (c) 2006 - 2019, Intel Corporation. All rights > > reserved.
> > +# Copyright (c) 2006 - 2024, Intel Corporation. All rights > > +reserved.
> > # > > # SPDX-License-Identifier: BSD-2-Clause-Patent # @@ -101,6 +101,7 > > @@ > > gEfiPeiReset2PpiGuid ## > > SOMETIMES_CONSUMES > > gEfiSecHobDataPpiGuid ## > > SOMETIMES_CONSUMES > > gEfiPeiCoreFvLocationPpiGuid ## > > SOMETIMES_CONSUMES > > + gEdkiiPeiMigrateTempRamPpiGuid ## PRODUCES > > > > [Pcd] > > gEfiMdeModulePkgTokenSpaceGuid.PcdPeiCoreMaxPeiStackSize > > ## CONSUMES > > diff --git a/MdeModulePkg/Include/Guid/MigratedFvInfo.h > > b/MdeModulePkg/Include/Guid/MigratedFvInfo.h > > index 1c8b0dfefc49..255e278235b1 100644 > > --- a/MdeModulePkg/Include/Guid/MigratedFvInfo.h > > +++ b/MdeModulePkg/Include/Guid/MigratedFvInfo.h > > @@ -1,7 +1,7 @@ > > /** @file > > Migrated FV information > > > > -Copyright (c) 2020, Intel Corporation. All rights reserved.
> > +Copyright (c) 2020 - 2024, Intel Corporation. All rights > > +reserved.
> > SPDX-License-Identifier: BSD-2-Clause-Patent > > > > **/ > > @@ -50,7 +50,7 @@ typedef struct { > > > > typedef struct { > > UINT32 FvOrgBase; // original FV address > > - UINT32 FvNewBase; // new FV address > > + UINT32 FvNewBase; // new FV address, 0 means rebased > data > > is not copied > > UINT32 FvDataBase; // original FV data, 0 means raw data i= s > not > > copied > > UINT32 FvLength; // Fv Length > > } EDKII_MIGRATED_FV_INFO; > > diff --git a/MdeModulePkg/Include/Ppi/MigrateTempRam.h > > b/MdeModulePkg/Include/Ppi/MigrateTempRam.h > > new file mode 100644 > > index 000000000000..9bbb55d5cf86 > > --- /dev/null > > +++ b/MdeModulePkg/Include/Ppi/MigrateTempRam.h > > @@ -0,0 +1,23 @@ > > +/** @file > > + This file declares Migrate Temporary Memory PPI. > > + > > + This PPI is published by the PEI Foundation when temporary RAM > > + needs to > > evacuate. > > + Its purpose is to be used as a signal for other PEIMs who can > > + register > for a > > + notification on its installation. > > + > > + Copyright (c) 2024, Intel Corporation. All rights reserved.
> > + SPDX-License-Identifier: BSD-2-Clause-Patent > > + > > +**/ > > + > > +#ifndef PEI_MIGRATE_TEMP_RAM_PPI_H_ > > +#define PEI_MIGRATE_TEMP_RAM_PPI_H_ > > + > > +#define EFI_PEI_MIGRATE_TEMP_RAM_PPI_GUID \ > > + { \ > > + 0xc79dc53b, 0xafcd, 0x4a6a, {0xad, 0x94, 0xa7, 0x6a, 0x3f, 0xa9, > 0xe9, > > 0xc2 } \ > > + } > > + > > +extern EFI_GUID gEdkiiPeiMigrateTempRamPpiGuid; > > + > > +#endif > > diff --git a/MdeModulePkg/MdeModulePkg.dec > > b/MdeModulePkg/MdeModulePkg.dec index 3a239a1687ea..43e92c68ca20 > > 100644 > > --- a/MdeModulePkg/MdeModulePkg.dec > > +++ b/MdeModulePkg/MdeModulePkg.dec > > @@ -4,7 +4,7 @@ > > # and libraries instances, which are used for those modules. > > # > > # Copyright (c) 2019, NVIDIA CORPORATION. All rights reserved. > > -# Copyright (c) 2007 - 2021, Intel Corporation. All rights > > reserved.
> > +# Copyright (c) 2007 - 2024, Intel Corporation. All rights > > +reserved.
> > # Copyright (c) 2016, Linaro Ltd. All rights reserved.
# (C) > > Copyright 2016 - 2019 Hewlett Packard Enterprise Development LP
# > > Copyright (c) 2017, AMD Incorporated. All rights reserved.
@@ > > -546,6 +546,9 @@ > > ## Include/Ppi/MemoryAttribute.h > > gEdkiiMemoryAttributePpiGuid =3D { 0x1be840de, 0x2d92, > > 0x41ec, { 0xb6, 0xd3, 0x19, 0x64, 0x13, 0x50, 0x51, 0xfb } } > > > > + ## Include/Ppi/MigrateTempRam.h > > + gEdkiiPeiMigrateTempRamPpiGuid =3D { 0xc79dc53b, 0xafcd, > > 0x4a6a, { 0xad, 0x94, 0xa7, 0x6a, 0x3f, 0xa9, 0xe9, 0xc2 } } > > + > > [Protocols] > > ## Load File protocol provides capability to load and unload EFI > > image > into > > memory and execute it. > > # Include/Protocol/LoadPe32Image.h > > -- > > 2.44.0.windows.1 >=20 >=20 >=20 >=20 >=20 >=20 >=20 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#119380): https://edk2.groups.io/g/devel/message/119380 Mute This Topic: https://groups.io/mt/106383349/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
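Review bot: the new `mMigrateTempRamPpi` descriptor in `MdeModulePkg/Core/Pei/PeiMain/PeiMain.c` (hunk `@@ -13,6 +13,11 @@`) carries `NULL` as its interface pointer, so it is purely a notification signal with nothing to call. The `MigrateTempRam.h` comment implies this, but a one-line note in that header (and on the `.dec` entry) that the interface is intentionally `NULL` would stop a consumer from calling `LocatePpi` on it and dereferencing the result.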
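Review bot: in the `@@ -449,6 +454,9 @@` hunk of `PeiMain.c`, `PeiServicesInstallPpi (&mMigrateTempRamPpi)` is checked only with `ASSERT_EFI_ERROR (Status)`. On a release build the assert compiles out; if the install fails, no notify callback in `FspmWrapperPeim` runs, FSP-T/M stay at their original addresses, and the Tcg2 path is back to measuring from temporary RAM, which is the TOCTOU window this series is closing. At minimum add a `DEBUG ((DEBUG_ERROR, ...))` and a comment on the fallback, or treat the failure as fatal in this branch. The install also happens after `EvacuateTempRam` returns, while the new header says the PPI is published "when temporary RAM needs to evacuate"; the header should state the actual ordering so consumers know PEI Core's own FVs are already moved when the notification fires.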
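Review bot: `gEdkiiPeiMigrateTempRamPpiGuid ## PRODUCES` in `MdeModulePkg/Core/Pei/PeiMain.inf` (hunk `@@ -101,6 +101,7 @@`) is only installed inside the `PcdMigrateTemporaryRamFirmwareVolumes` branch shown in the `PeiMain.c` hunk, so the usage annotation should be `## SOMETIMES_PRODUCES`, matching the `SOMETIMES_CONSUMES` style of the entries directly above it.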
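Review bot: the comment change on `FvNewBase` in `MdeModulePkg/Include/Guid/MigratedFvInfo.h` (hunk `@@ -50,7 +50,7 @@`) makes `0` a legal value for a field that existing readers of `EDKII_MIGRATED_FV_INFO` may treat as always valid; the thread names the TCG notification as one such reader. A comment does not enforce this, so the commit message should call out the contract change and every consumer that reads `FvNewBase` should be checked to skip or fall back when it is `0`, in the same way `FvDataBase` is already documented.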
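Review bot: in the new `MdeModulePkg/Include/Ppi/MigrateTempRam.h` the GUID macro is `EFI_PEI_MIGRATE_TEMP_RAM_PPI_GUID` while the exported symbol is `gEdkiiPeiMigrateTempRamPpiGuid` and the guard is `PEI_MIGRATE_TEMP_RAM_PPI_H_`. The `EFI_` prefix is reserved for PI-specification definitions; an EDK II-private PPI should be `EDKII_PEI_MIGRATE_TEMP_RAM_PPI_GUID` with a matching `EDKII_`-prefixed guard, consistent with `gEdkiiMemoryAttributePpiGuid`, next to which the `.dec` hunk places it.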
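The thread's fix has two halves: the FSP-T/M blobs get copied to permanent memory, and the measurement code then looks up the copy through the migrated-FV records instead of hashing the original address. The lookup is where the `FvNewBase == 0` / `FvDataBase == 0` cases from the MigratedFvInfo.h hunk bite. The following is an added example by the editor, not code from the patch or from edk2: it re-declares the record layout shown in the hunk under the hypothetical name `MigratedFvInfo`, fills a constructed table with made-up addresses, and resolves a blob's original address to the copy a measurement should read, returning 0 (refuse to measure from the original address) whenever no copy covers the range. Preferring the raw copy over the rebased one is this example's own design choice, on the reasoning that rebasing rewrites the image and would change the digest relative to flash.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Stand-alone re-declaration of the record shown in the MigratedFvInfo.h hunk
 * (edk2 calls it EDKII_MIGRATED_FV_INFO and uses UINT32 fields). Declared here
 * only so the example builds outside an edk2 tree.
 */
typedef struct {
  uint32_t FvOrgBase;   // original FV address (where it lived before migration)
  uint32_t FvNewBase;   // rebased copy in permanent RAM; 0 means rebased data was not copied
  uint32_t FvDataBase;  // raw copy in permanent RAM;     0 means raw data was not copied
  uint32_t FvLength;    // FV length in bytes
} MigratedFvInfo;

/* Constructed sample HOB contents (hypothetical addresses, not from any platform). */
const MigratedFvInfo SampleMigratedFvs[] = {
  { 0xFFF00000u, 0x00000000u, 0x80000000u, 0x00010000u },  // "FSP-T": raw copy only
  { 0xFFE00000u, 0x80100000u, 0x00000000u, 0x00040000u },  // "FSP-M": rebased copy only
  { 0xFFD00000u, 0x00000000u, 0x00000000u, 0x00020000u },  // recorded, but nothing copied
};
const size_t SampleMigratedFvCount = sizeof SampleMigratedFvs / sizeof SampleMigratedFvs[0];

/* True when [OrgAddr, OrgAddr + Length) lies entirely inside the FV's original range.
 * Arithmetic is done in 64 bits so a blob near the top of the 32-bit space cannot wrap. */
static int RangeInsideFv(const MigratedFvInfo *Info, uint32_t OrgAddr, uint32_t Length) {
  uint64_t Start   = OrgAddr;
  uint64_t End     = (uint64_t)OrgAddr + Length;
  uint64_t FvStart = Info->FvOrgBase;
  uint64_t FvEnd   = (uint64_t)Info->FvOrgBase + Info->FvLength;
  return Length != 0 && Start >= FvStart && End <= FvEnd;
}

/*
 * Map a blob's original address to the permanent-RAM copy a measurement should
 * hash. Returns 0 when no usable copy exists; the caller must then treat the
 * blob as unmeasurable rather than hash the original (temporary RAM) address,
 * since that address is exactly what the TOCTOU fix moves away from.
 *
 * Design choice (this example's assumption, not edk2 policy): prefer the raw
 * copy, because rebasing rewrites the image and changes the digest.
 */
uint32_t ResolveMeasurementAddress(const MigratedFvInfo *Infos, size_t Count,
                                   uint32_t OrgAddr, uint32_t Length) {
  for (size_t i = 0; i < Count; i++) {
    const MigratedFvInfo *Info = &Infos[i];
    if (!RangeInsideFv(Info, OrgAddr, Length)) {
      continue;
    }
    uint32_t Offset = OrgAddr - Info->FvOrgBase;
    if (Info->FvDataBase != 0) {
      return Info->FvDataBase + Offset;
    }
    if (Info->FvNewBase != 0) {
      return Info->FvNewBase + Offset;
    }
    return 0;  // record exists but neither copy was kept
  }
  return 0;    // not covered by any migrated FV
}

int main(void) {
  struct { uint32_t Addr, Len; const char *What; } Probes[] = {
    { 0xFFF00000u, 0x10000u, "FSP-T whole blob" },
    { 0xFFE00000u, 0x40000u, "FSP-M whole blob" },
    { 0xFFF08000u, 0x10000u, "range runs past FSP-T end" },
    { 0xFFD00000u, 0x01000u, "record with no copies" },
    { 0xFFC00000u, 0x01000u, "never migrated" },
  };
  for (size_t i = 0; i < sizeof Probes / sizeof Probes[0]; i++) {
    uint32_t Dst = ResolveMeasurementAddress(SampleMigratedFvs, SampleMigratedFvCount,
                                             Probes[i].Addr, Probes[i].Len);
    if (Dst == 0) {
      printf("%-28s 0x%08X: no permanent copy, refuse to measure from original\n",
             Probes[i].What, Probes[i].Addr);
    } else {
      printf("%-28s 0x%08X -> measure at 0x%08X\n", Probes[i].What, Probes[i].Addr, Dst);
    }
  }
  return 0;
}
```

The third probe is the case a naive `addr - FvOrgBase + FvNewBase` translation gets wrong: it would hand back a pointer that starts inside the copy and runs off its end. Checking the full range against `FvLength` before translating, and returning 0 instead of the original address on any miss, keeps the measurement path from ever reading the temporary-RAM location that the migration was added to avoid.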