From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: mx.groups.io;
 dkim=missing; spf=pass (domain: redhat.com, ip: 209.132.183.28, mailfrom: lersek@redhat.com)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 by groups.io with SMTP; Mon, 22 Jul 2019 13:40:49 -0700
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id 68FEB3DD47;
	Mon, 22 Jul 2019 20:40:48 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-117-23.ams2.redhat.com [10.36.117.23])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 14B195D9D3;
	Mon, 22 Jul 2019 20:40:45 +0000 (UTC)
Subject: Re: [edk2-devel] [PATCH 5/5] MdeModulePkg/PiSmmIpl: Use SecurityLockAuditLib for debug
To: devel@edk2.groups.io, zhichao.gao@intel.com
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>,
 Jian J Wang <jian.j.wang@intel.com>, Hao A Wu <hao.a.wu@intel.com>,
 Ray Ni <ray.ni@intel.com>, Star Zeng <star.zeng@intel.com>,
 Liming gao <liming.gao@intel.com>, Sean Brogan <sean.brogan@microsoft.com>,
 Michael Turner <Michael.Turner@microsoft.com>
References: <20190722040204.33108-1-zhichao.gao@intel.com>
 <20190722040204.33108-6-zhichao.gao@intel.com>
From: "Laszlo Ersek" <lersek@redhat.com>
Message-ID: <184e8188-45b9-2b34-d8fa-0da5ffdf6cae@redhat.com>
Date: Mon, 22 Jul 2019 22:40:45 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <20190722040204.33108-6-zhichao.gao@intel.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Mon, 22 Jul 2019 20:40:48 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit

On 07/22/19 06:02, Gao, Zhichao wrote:
> From: Bret Barkelew <Bret.Barkelew@microsoft.com>
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2006
> 
> Use SecurityLockAuditLib in PiSmmIpl to output debug message
> while lock the SMRAM.
> 
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Hao A Wu <hao.a.wu@intel.com>
> Cc: Ray Ni <ray.ni@intel.com>
> Cc: Star Zeng <star.zeng@intel.com>
> Cc: Liming gao <liming.gao@intel.com>
> Cc: Sean Brogan <sean.brogan@microsoft.com>
> Cc: Michael Turner <Michael.Turner@microsoft.com>
> Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
>  MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c   | 2 ++
>  MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf | 1 +
>  2 files changed, 3 insertions(+)
> 
> diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
> index 1cf8c93227..604eb1b98e 100644
> --- a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
> +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
> @@ -33,6 +33,7 @@
>  #include <Library/UefiRuntimeLib.h>
>  #include <Library/PcdLib.h>
>  #include <Library/ReportStatusCodeLib.h>
> +#include <Library/SecurityLockAuditLib.h>
>  
>  #include "PiSmmCorePrivateData.h"
>  
> @@ -780,6 +781,7 @@ SmmIplReadyToLockEventNotify (
>    // Lock the SMRAM (Note: Locking SMRAM may not be supported on all platforms)
>    //
>    mSmmAccess->Lock (mSmmAccess);
> +  SECURITY_LOCK_REPORT_EVENT ("Lock SMRAM", HARDWARE_LOCK);
>  
>    //
>    // Close protocol and event notification events that do not apply after the
> diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf
> index b6b1bbcdac..2240ab3c5f 100644
> --- a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf
> +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf
> @@ -46,6 +46,7 @@
>    DxeServicesLib
>    PcdLib
>    ReportStatusCodeLib
> +  SecurityLockAuditLib
>  
>  [Protocols]
>    gEfiSmmBase2ProtocolGuid                      ## PRODUCES
> 

Here a new lib class dependency is being introduced to "PiSmmIpl.inf".
In addition, the new lib class itself is introduced as a new feature, to
"MdeModulePkg.dec", in patch #1.

This means that every platform DSC that currently consumes
"PiSmmIpl.inf" will fail to build, after this patch set is merged.

That is fine for platform DSCs that live outside of the edk2 repository.
It is not fine for platform DSCs that live inside edk2.

Whenever implementing such patches, please always grep the entire edk2
repo for matches, and implement the necessary updates (you can of course
ask for details before submitting v1).

In the present case, we have

$ git grep -F PiSmmIpl.inf -- '*dsc*'
MdeModulePkg/MdeModulePkg.dsc:  MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf
OvmfPkg/OvmfPkgIa32.dsc:  MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf
OvmfPkg/OvmfPkgIa32X64.dsc:  MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf
OvmfPkg/OvmfPkgX64.dsc:  MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf

MdeModulePkg.dsc is updated in patch #4.

(1) Thus, please *prepend* a patch to patch#5, for OvmfPkg:

In the [LibraryClasses] section of all three DSC files, please resolve
the SecurityLockAuditLib class to the SecurityLockAuditDebugLib instance.

Doing things in this order will keep the tree bisectable -- at no stage
of the patch series will OVMF fail to build.

Thanks
Laszlo