From: zwei4 <david.wei@intel.com>
To: edk2-devel@lists.01.org
Cc: Yao, Jiewen <jiewen.yao@intel.com>, Mang, Guo <mang.guo@intel.com>
Subject: [Patch][edk2-platforms/devel-MinnowBoardMax-UDK2017] Lock SMRAM at proper point.
Date: Fri, 1 Jun 2018 18:22:47 +0800 [thread overview]
Message-ID: <20180601102247.18544-1-david.wei@intel.com> (raw)
(1) Lock SMRAM with EFI_SMM_ACCESS2_PROTOCOL.Lock() before PCI bus enumeration. This is for DMA protection.
(2) Call InstallReadyToLock after PCI enumeration and initialization of trusted console. If InstallReadyToLock is called before PCI enumeration, some silicon drivers would fail to save S3 boot script.
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: zwei4 <david.wei@intel.com>
CC: Yao, Jiewen <jiewen.yao@intel.com>
CC: Mang, Guo <mang.guo@intel.com>
---
.../Library/PlatformBdsLib/BdsPlatform.c | 111 ++++++++++++++++-----
1 file changed, 88 insertions(+), 23 deletions(-)
diff --git a/Vlv2TbltDevicePkg/Library/PlatformBdsLib/BdsPlatform.c b/Vlv2TbltDevicePkg/Library/PlatformBdsLib/BdsPlatform.c
index 22cdb4382f..cb5711a620 100644
--- a/Vlv2TbltDevicePkg/Library/PlatformBdsLib/BdsPlatform.c
+++ b/Vlv2TbltDevicePkg/Library/PlatformBdsLib/BdsPlatform.c
@@ -143,8 +143,8 @@ DisableAhciCtlr (
}
/**
- Issues EndOfDxe event, installs gExitPmAuthProtocolGuid, and issues SMM lock envent. Bus Master DMA mus
- not be enabled before SMM lock.
+ Lock SMRAM with EFI_SMM_ACCESS2_PROTOCOL. To prevent DMA attack, Bus Master DMA of untrusetd PCI devices
+ must not be enabled before SMRAM lock.
@param VOID
@@ -152,14 +152,12 @@ DisableAhciCtlr (
**/
VOID
-InstallReadyToLock (
+SmramLock (
VOID
)
{
EFI_STATUS Status;
- EFI_HANDLE Handle;
EFI_SMM_ACCESS2_PROTOCOL *SmmAccess;
- EFI_ACPI_S3_SAVE_PROTOCOL *AcpiS3Save;
UINTN PciDeviceConfigAdd;
UINT16 VendorID;
UINT16 CommandReg;
@@ -167,7 +165,7 @@ InstallReadyToLock (
UINT8 FunIndex;
//
- // Check Buster Master Enable bit of PCI devices,including PCIe root ports, on bus 0.
+ // Check Buster Master Enable bit of untrusted PCI devices,including PCIe root ports, on bus 0.
//
DEBUG ((DEBUG_ERROR, "BDS: Check Bus Master Enable of PCI devices before SMRAM lock: \n"));
@@ -204,12 +202,50 @@ InstallReadyToLock (
// Report error if Bus Master has been enabled.
//
if (((CommandReg & BIT2) == BIT2)) {
- DEBUG ((DEBUG_ERROR, "Error: Bus Master is enabled before SMRAM lock!\n"));
+ DEBUG ((DEBUG_ERROR, "Error: Bus Master of above device is enabled before SMRAM lock!\n"));
ASSERT_EFI_ERROR(FALSE);
}
}
}
+ //
+ // Lock SMRAM.
+ //
+ Status = gBS->LocateProtocol (
+ &gEfiSmmAccess2ProtocolGuid,
+ NULL,
+ (VOID **) &SmmAccess
+ );
+ if (!EFI_ERROR (Status)) {
+ //
+ //
+ //
+ Status = SmmAccess->Lock(SmmAccess);
+ DEBUG ((DEBUG_ERROR, "SMRAM is locked by EFI_SMM_ACCESS2_PROTOCOL!\n"));
+ ASSERT_EFI_ERROR (Status);
+ }
+
+ return ;
+}
+
+/**
+ Issues EndOfDxe event, installs gExitPmAuthProtocolGuid, and issues SMM lock envent.
+
+ @param VOID
+
+ @retval None.
+
+**/
+VOID
+InstallReadyToLock (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+ EFI_HANDLE Handle;
+ EFI_SMM_ACCESS2_PROTOCOL *SmmAccess;
+ EFI_ACPI_S3_SAVE_PROTOCOL *AcpiS3Save;
+
//
// Install DxeSmmReadyToLock protocol prior to the processing of boot options
//
@@ -240,11 +276,14 @@ InstallReadyToLock (
NULL
);
ASSERT_EFI_ERROR (Status);
+
+ DEBUG ((DEBUG_INFO, "Signal gEfiEndOfDxeEventGroupGuid event! End of DXE!\n"));
//
// Signal EndOfDxe PI Event
//
EfiEventGroupSignal (&gEfiEndOfDxeEventGroupGuid);
+ DEBUG ((DEBUG_INFO, "Signal gEfiDxeSmmReadyToLockProtocolGuid event!\n"));
Handle = NULL;
Status = gBS->InstallProtocolInterface (
&Handle,
@@ -1855,14 +1894,19 @@ PlatformBdsPolicyBehavior (
#ifdef FTPM_ENABLE
TrEEPhysicalPresenceLibProcessRequest(NULL);
#endif
+
//
- // Close boot script and install ready to lock
+ // Lock SMRAM.
//
- InstallReadyToLock ();
+ SmramLock ();
PlatformBdsInitHotKeyEvent ();
PlatformBdsConnectSimpleConsole (gPlatformSimpleConsole);
+ //
+ // Close boot script and install ready to lock.
+ //
+ InstallReadyToLock ();
//
// Check to see if it's needed to dispatch more DXE drivers.
@@ -1951,9 +1995,9 @@ PlatformBdsPolicyBehavior (
case BOOT_ASSUMING_NO_CONFIGURATION_CHANGES:
//
- // Close boot script and install ready to lock
+ // Lock SMRAM.
//
- InstallReadyToLock ();
+ SmramLock ();
//
// In no-configuration boot mode, we can connect the
@@ -1962,6 +2006,11 @@ PlatformBdsPolicyBehavior (
BdsLibConnectAllDefaultConsoles ();
PlatformBdsDiagnostics (IGNORE, FALSE, BaseMemoryTest);
+ //
+ // Close boot script and install ready to lock
+ //
+ InstallReadyToLock ();
+
//
// Perform some platform specific connect sequence
//
@@ -1996,7 +2045,10 @@ PlatformBdsPolicyBehavior (
case BOOT_ON_FLASH_UPDATE:
-
+ //
+ // Lock SMRAM.
+ //
+ SmramLock ();
//
// Boot with the specific configuration
@@ -2048,9 +2100,9 @@ PlatformBdsPolicyBehavior (
case BOOT_IN_RECOVERY_MODE:
//
- // Close boot script and install ready to lock
+ // Lock SMRAM.
//
- InstallReadyToLock ();
+ SmramLock ();
//
// In recovery mode, just connect platform console
@@ -2058,6 +2110,12 @@ PlatformBdsPolicyBehavior (
//
PlatformBdsConnectConsole (gPlatformConsole);
PlatformBdsDiagnostics (EXTENSIVE, FALSE, BaseMemoryTest);
+
+ //
+ // Close boot script and install ready to lock
+ //
+ InstallReadyToLock ();
+
BdsLibConnectAll ();
//
@@ -2097,11 +2155,13 @@ FULL_CONFIGURATION:
if (EsrtManagement != NULL) {
EsrtManagement->SyncEsrtFmp();
}
+
+
//
- // Close boot script and install ready to lock
+ // Lock SMRAM.
//
- InstallReadyToLock ();
-
+ SmramLock ();
+
//
// Connect platform console
//
@@ -2115,7 +2175,12 @@ FULL_CONFIGURATION:
}
//
- // Chenyunh[TODO]: This is Workgroud to show the fs for uSDcard,
+ // Close boot script and install ready to lock.
+ //
+ InstallReadyToLock ();
+
+ //
+ // This is Workgroud to show the fs for uSDcard,
// Need to root cause this issue.
//
DEBUG ((DEBUG_ERROR, "Start to reconnect all driver.\n"));
@@ -2168,11 +2233,11 @@ FULL_CONFIGURATION:
//
PlatformBdsEnterFrontPageWithHotKey (Timeout, FALSE);
- //
- // Give one chance to enter the setup if we
- // select Gummiboot "Reboot Into Firmware Interface"
- //
- BootIntoFirmwareInterface();
+ //
+ // Give one chance to enter the setup if we
+ // select Gummiboot "Reboot Into Firmware Interface"
+ //
+ BootIntoFirmwareInterface();
//
// In default boot mode, always find all boot
--
2.14.1.windows.1
reply other threads:[~2018-06-01 10:22 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180601102247.18544-1-david.wei@intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox