From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 4C02681DA9 for ; Wed, 9 Nov 2016 22:07:18 -0800 (PST) Received: from fmsmga003.fm.intel.com ([10.253.24.29]) by fmsmga101.fm.intel.com with ESMTP; 09 Nov 2016 22:07:21 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.31,617,1473145200"; d="scan'208";a="784712543" Received: from jfan12-desk.ccr.corp.intel.com ([10.239.9.5]) by FMSMGA003.fm.intel.com with ESMTP; 09 Nov 2016 22:07:20 -0800 From: Jeff Fan To: edk2-devel@lists.01.org Cc: Laszlo Ersek , Paolo Bonzini , Jiewen Yao , Michael D Kinney Date: Thu, 10 Nov 2016 14:07:08 +0800 Message-Id: <20161110060708.13932-3-jeff.fan@intel.com> X-Mailer: git-send-email 2.9.3.windows.2 In-Reply-To: <20161110060708.13932-1-jeff.fan@intel.com> References: <20161110060708.13932-1-jeff.fan@intel.com> Subject: [PATCH 2/2] UefiCpuPkg/PiSmmCpuDxeSmm: Place AP to 32bit protected mode on S3 path X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Nov 2016 06:07:18 -0000 On S3 path, we may transfer to long mode (if DXE is long mode) to restore CPU contexts with CR3 = SmmS3Cr3 (in SMM). AP will execute hlt-loop after CPU contexts restoration. Once one NMI or SMI happens, APs may exit from hlt state and execute the instruction after HLT instruction. If APs are running on long mode, page table is required to fetch the instruction. However, CR3 pointer to page table in SMM. APs will crash. This fix is to disable long mode on APs and transfer to 32bit protected mode to execute hlt-loop. Then CR3 and page table will no longer be required. https://bugzilla.tianocore.org/show_bug.cgi?id=216 Reported-by: Laszlo Ersek Cc: Laszlo Ersek Cc: Paolo Bonzini Cc: Jiewen Yao Cc: Michael D Kinney Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jeff Fan --- UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c | 43 ++++++++++++++++++++++++---- 1 file changed, 38 insertions(+), 5 deletions(-) diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c index c05dec7..1db0a6e 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c @@ -68,6 +68,38 @@ InitGdt ( *GdtStepSize = GdtTableStepSize; return GdtTssTables; } + +/** + Get Protected mode code segment from current GDT table. + + @return Protected mode code segment value. +**/ +UINT16 +GetProtectedModeCS ( + VOID + ) +{ + IA32_DESCRIPTOR GdtrDesc; + IA32_SEGMENT_DESCRIPTOR *GdtEntry; + UINTN GdtEntryCount; + UINT16 Index; + + Index = (UINT16) -1; + AsmReadGdtr (&GdtrDesc); + GdtEntryCount = (GdtrDesc.Limit + 1) / sizeof (IA32_SEGMENT_DESCRIPTOR); + GdtEntry = (IA32_SEGMENT_DESCRIPTOR *) GdtrDesc.Base; + for (Index = 0; Index < GdtEntryCount; Index++) { + if (GdtEntry->Bits.L == 0) { + if (GdtEntry->Bits.Type > 8 && GdtEntry->Bits.L == 0) { + break; + } + } + GdtEntry++; + } + ASSERT (Index != -1); + return Index * 8; +} + /** Transfer AP to safe hlt-loop after it finished restore CPU features on S3 patch. @@ -81,11 +113,12 @@ TransferApToSafeState ( IN UINT32 TopOfStack ) { - SwitchStack ( - (SWITCH_STACK_ENTRY_POINT) (UINTN) ApHltLoopCode, - NULL, - NULL, - (VOID *) (UINTN) TopOfStack + AsmDisablePaging64 ( + GetProtectedModeCS (), + (UINT32) (UINTN) ApHltLoopCode, + 0, + 0, + TopOfStack ); // // It should never reach here -- 2.9.3.windows.2