From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=40.107.4.61; helo=eur03-db5-obe.outbound.protection.outlook.com; envelope-from=achin.gupta@arm.com; receiver=edk2-devel@lists.01.org Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-eopbgr40061.outbound.protection.outlook.com [40.107.4.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 2F3F1211ACEDA for ; Mon, 7 Jan 2019 11:21:35 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=JooFqlUGqWyws/V+7zzIW2gDtr2s3gFBdbojMY1R9LY=; b=Vrcyq8HOQP6xq26o7VYIfeJLqb/FIbDzOmAzSGWCg6QKc/tmkrdKdJW2sRI6fujJ4NRId/5wndknoncuQlaC2pMc/E2wWI9JPjgKmLk2ShN4XnAalzToJ95E9DiXmnlxuFJWVe+olTFx3NIzCZfLkxdxam4XW4ZbLXchHpr74m0= Received: from AM0PR08MB2980.eurprd08.prod.outlook.com (52.134.92.153) by AM0PR08MB3011.eurprd08.prod.outlook.com (52.134.92.160) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1495.7; Mon, 7 Jan 2019 19:21:33 +0000 Received: from AM0PR08MB2980.eurprd08.prod.outlook.com ([fe80::e1e6:4e33:e916:e4f4]) by AM0PR08MB2980.eurprd08.prod.outlook.com ([fe80::e1e6:4e33:e916:e4f4%3]) with mapi id 15.20.1495.011; Mon, 7 Jan 2019 19:21:33 +0000 From: Achin Gupta To: Ard Biesheuvel CC: Laszlo Ersek , Jagadeesh Ujja , "Gao, Liming" , "Kinney, Michael D" , "edk2-devel@lists.01.org" , "Zhang, Chao B" , Leif Lindholm , Supreeth Venkatesh , Jian J Wang , nd Thread-Topic: [PATCH v2 04/11] MdePkg/Include: Add StandaloneMmServicesTableLib library Thread-Index: AQHUop0PpHFsTLXAiEyGWsiTID6ivaWdYpkAgABW/YCAAUpzAIAE8eWAgAAjCACAABVzAIAAAYIAgAAHRYA= Date: Mon, 7 Jan 2019 19:21:33 +0000 Message-ID: <20190107192137.GG14419@e104320-lin> References: <1546434828-24405-1-git-send-email-jagadeesh.ujja@arm.com> <1546434828-24405-5-git-send-email-jagadeesh.ujja@arm.com> <8a6e1c80-5b6e-e337-06af-5992bc38a844@redhat.com> <20190107185012.GF14419@e104320-lin> In-Reply-To: Accept-Language: en-GB, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Mutt/1.5.21 (2010-09-15) x-originating-ip: [217.140.106.50] x-clientproxiedby: LO2P265CA0399.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:f::27) To AM0PR08MB2980.eurprd08.prod.outlook.com (2603:10a6:208:5b::25) authentication-results: spf=none (sender IP is ) smtp.mailfrom=Achin.Gupta@arm.com; x-ms-exchange-messagesentrepresentingtype: 1 x-ms-publictraffictype: Email x-microsoft-exchange-diagnostics: 1; AM0PR08MB3011; 6:PYQVO2/yL13BVIUV+ve4FFvA8xAIdvDUXbf4HYMwOjgFjXrN7bQXDEMZsSATCShzm6TSh6j6PTR+OjKUT+vB8ivxrsHUNa2FqDF9rnObC6u4ing5OLfqLvIl/txTAaYHT6lIqZmW+sRC7D+H0yzR4v/AGgfL4ZsAaU9cLENKTrpzY24XSI7oPGjDrwxITaKdhQQI4PLc8KQKznWP9x4zR1h1PbqfF1j/7iglBGvFTgv+FqD49+KSIdDUusat4feTivxv8cS8cgcusBkRF9/qd1QnVKPM2Q+6Gj0p4dfTTfCvIDrjMqZrAqkEVDnJOYLZLEh/firXP8B/Mpuf1Me2GHxS1sXyFE61uhr70t/OhcKOfLXpCXa9BjSf51Y4AE99El55E+0KvQZtRCdRNrLU4hvZiX5++GrQZlD4elUrJIQSa+HBa5p9Bru42P/IQNQ3bfTi9u1i6ngNF156kKYdLA==; 5:jvgtvgQoHdHkm1qBUi2LcNnufBZWodID6+y+oRgoHYBOm7G7jZoXoPJGYmzbIjuDmdCJVc7zWkoCORju2bMSQhHj1pabBXX/YLxiPhjvX2rnhB8RaG8R0pN5xtK6hAJspuQDHVDNzrOz6Q8Wr133fbs99nGXjI10algcaiYXmEo5aTeZLvF0T66/udVR5W9SbaEZVU1gKgLM5JZFWmcJWA==; 7:4OJdRl3zhhSA8yjaP3yEWrd10D4VZGBl+6OaTagHqSUI4QRFe3Mf9eNCRWkTCb8itcqmqTtH51PWK1fDPKI28FDCyzSE1mFV6GaQZaO3ZhqG2GyODuteIs1NZnTHdf66Bf4PBotCW9I0OS8R4P9v2A== x-ms-office365-filtering-correlation-id: 547506df-ee07-40e5-ff60-08d674d55584 x-ms-office365-filtering-ht: Tenant x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600109)(711020)(4618075)(2017052603328)(7153060)(7193020); SRVR:AM0PR08MB3011; x-ms-traffictypediagnostic: AM0PR08MB3011: nodisclaimer: True x-microsoft-antispam-prvs: x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(3230021)(908002)(999002)(5005026)(6040522)(8220060)(2401047)(8121501046)(10201501046)(93006095)(93001095)(3231475)(944501520)(52105112)(3002001)(6055026)(6041310)(20161123564045)(20161123562045)(20161123558120)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(201708071742011)(7699051)(76991095); SRVR:AM0PR08MB3011; BCL:0; PCL:0; RULEID:; SRVR:AM0PR08MB3011; x-forefront-prvs: 0910AAF391 x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6029001)(7916004)(376002)(136003)(39860400002)(346002)(396003)(366004)(52314003)(199004)(189003)(186003)(6116002)(81166006)(26005)(99286004)(16799955002)(81156014)(33716001)(52116002)(44832011)(3846002)(6916009)(66066001)(71190400001)(105586002)(102836004)(478600001)(1076003)(2906002)(6436002)(33896004)(575784001)(97736004)(86362001)(14454004)(76176011)(106356001)(54906003)(71200400001)(53936002)(6486002)(25786009)(4326008)(305945005)(58126008)(72206003)(316002)(5660300001)(6246003)(229853002)(8936002)(6506007)(476003)(11346002)(486006)(53546011)(256004)(9686003)(6512007)(14444005)(6306002)(68736007)(8676002)(446003)(386003)(93886005)(7736002)(33656002)(18370500001); DIR:OUT; SFP:1101; SCL:1; SRVR:AM0PR08MB3011; H:AM0PR08MB2980.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1; received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts) x-ms-exchange-senderadcheck: 1 x-microsoft-antispam-message-info: AgnOlw/+F/xr35AZtSdJqwjKInUAUcdJvX/ezb/PGRqH9gvXCXPA6Ti7/K/PfAdf74oOzijwvaWYuLRRUwEi0DXL4VUfwLLvXKWTHYLHHy5d23FjO9WdvJjx47AW7vuN4Nkhwf7G/ndETVralfrX/gILACsZxJZ4IXzrVcCdxPH9LLul91ajnMSTTYSJupQOnddlA6DyvevKHplcwjBq3vsGQhvORVz4Eq8W1o6wUEdVWUA39jyK9VfQV7kC0krB5UyJRdMhZCO0sO3rlP4W80t53Osgg21iR4cBcKppGe9exTItWJ2kRyRMCbHcnhda spamdiagnosticoutput: 1:99 spamdiagnosticmetadata: NSPM MIME-Version: 1.0 X-OriginatorOrg: arm.com X-MS-Exchange-CrossTenant-Network-Message-Id: 547506df-ee07-40e5-ff60-08d674d55584 X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Jan 2019 19:21:32.9264 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR08MB3011 Subject: Re: [PATCH v2 04/11] MdePkg/Include: Add StandaloneMmServicesTableLib library X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 07 Jan 2019 19:21:36 -0000 X-List-Received-Date: Mon, 07 Jan 2019 19:21:36 -0000 X-List-Received-Date: Mon, 07 Jan 2019 19:21:36 -0000 X-List-Received-Date: Mon, 07 Jan 2019 19:21:36 -0000 X-List-Received-Date: Mon, 07 Jan 2019 19:21:36 -0000 X-List-Received-Date: Mon, 07 Jan 2019 19:21:36 -0000 X-List-Received-Date: Mon, 07 Jan 2019 19:21:36 -0000 X-List-Received-Date: Mon, 07 Jan 2019 19:21:36 -0000 X-List-Received-Date: Mon, 07 Jan 2019 19:21:36 -0000 X-List-Received-Date: Mon, 07 Jan 2019 19:21:36 -0000 X-List-Received-Date: Mon, 07 Jan 2019 19:21:36 -0000 X-List-Received-Date: Mon, 07 Jan 2019 19:21:36 -0000 X-List-Received-Date: Mon, 07 Jan 2019 19:21:36 -0000 X-List-Received-Date: Mon, 07 Jan 2019 19:21:36 -0000 X-List-Received-Date: Mon, 07 Jan 2019 19:21:36 -0000 X-List-Received-Date: Mon, 07 Jan 2019 19:21:36 -0000 X-List-Received-Date: Mon, 07 Jan 2019 19:21:36 -0000 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-ID: <7C01488144CE7A4A83B766F3264E33A6@eurprd08.prod.outlook.com> Content-Transfer-Encoding: quoted-printable On Mon, Jan 07, 2019 at 07:55:36PM +0100, Ard Biesheuvel wrote: > On Mon, 7 Jan 2019 at 19:50, Achin Gupta wrote: > > > > On Mon, Jan 07, 2019 at 06:33:26PM +0100, Ard Biesheuvel wrote: > > > On Mon, 7 Jan 2019 at 16:28, Laszlo Ersek wrote: > > > > > > > > On 01/04/19 12:57, Ard Biesheuvel wrote: > > > > > On Thu, 3 Jan 2019 at 17:14, Laszlo Ersek wro= te: > > > > >> > > > > >> On 01/03/19 12:03, Ard Biesheuvel wrote: > > > > >>> On Wed, 2 Jan 2019 at 14:14, Jagadeesh Ujja wrote: > > > > >>>> > > > > >>>> Some of the existing DXE drivers can be refactored to execute = within > > > > >>>> the Standalone MM execution environment as well. Allow such dr= ivers to > > > > >>>> get access to the Standalone MM services tables. > > > > >>>> > > > > >>>> Add a mechanism to determine the execution mode is required. > > > > >>>> i.e, in MM or non-MM > > > > >>>> > > > > >>>> Contributed-under: TianoCore Contribution Agreement 1.1 > > > > >>>> Signed-off-by: Jagadeesh Ujja > > > > >>>> --- > > > > >>>> MdePkg/Include/Library/StandaloneMmServicesTableLib.h = | 43 ++++++++++++++++++++ > > > > >>>> MdePkg/Library/StandaloneMmServicesTableLib/StandaloneMmServi= cesTableLib.c | 39 ++++++++++++++++++ > > > > >>>> MdePkg/Library/StandaloneMmServicesTableLib/StandaloneMmServi= cesTableLib.inf | 36 ++++++++++++++++ > > > > >>>> MdePkg/MdePkg.dec = | 4 ++ > > > > >>>> 4 files changed, 122 insertions(+) > > > > >>>> > > > > >>> > > > > >>> OK, so since the PI spec only refers to MM mode now, this libra= ry > > > > >>> class should be > > > > >>> > > > > >>> MmServicesTableLib|Include/Library/MmServicesTableLib.h > > > > >>> > > > > >>> with an implementation in MdeModulePkg that exposes the depreca= ted SMM > > > > >>> system table as the MM system table. > > > > >>> > > > > >>> In StandaloneMmPkg, we can add an implementation that exposes t= he > > > > >>> standalone MM system table. > > > > >>> > > > > >>> (They are binary compatible, so it is just a matter of casting = one > > > > >>> pointer to the other) > > > > >>> > > > > >>> With this in place, we can go ahead and update FaultTolerantWri= te and > > > > >>> Variable SMM driver to switch from SmmServicesTableLib to > > > > >>> MmServicesTableLib. This will require existing x86 platforms to= define > > > > >>> a new library class resolution for MmServicesTableLib, referrin= g to > > > > >>> the implementation in MdeModulePkg. This is unfortunate, but it= is an > > > > >>> unavoidable consequence of the PI spec changes. > > > > >> > > > > >> It shouldn't be too intrusive or hard to review, I expect. > > > > >> > > > > >>> > > > > >>> Remaining question is what to do with InSmm() ... > > > > >> > > > > >> I'm lacking the context on this; on the other hand, I can refer = back to > > > > >> at least one earlier discussion -- there had been multiple -- of= the > > > > >> discrepancy between the PI spec and the edk2 code. See: > > > > >> > > > > >> - bullet (9) in > > > > >> , > > > > >> - and > > > > >> . > > > > >> > > > > >> Not sure how that can be applied to Arm. > > > > >> > > > > > > > > > > The code I posted yesterday does not use InMm() at all. For stand= alone > > > > > MM, it should always return TRUE anyway, and any code that a driv= er > > > > > would execute if it returned FALSE needs to be factored out anywa= y, > > > > > since it should not end up in standalone MM binaries as dead code= . > > > > > > > > > > > > > OK. That seems to make sense. I've read up a bit on "standalone MM"= in > > > > the PI v1.6 spec, vol 4. Having no access to UEFI protocols even in= the > > > > entry point function, at driver init time, seems challenging to me.= I > > > > guess I'll learn more about this as a part of the usual list traffi= c. > > > > > > > > What is the MODULE_TYPE that standalone MM drivers use, in place of > > > > DXE_SMM_DRIVER (=3D EFI_FV_FILETYPE_MM, 0x0A)? > > > > > > > > Hm... from the other patches, it seems to be MM_STANDALONE (=3D > > > > EFI_FV_FILETYPE_MM_STANDALONE, 0x0E). OK. > > > > > > > > If I'd like to see a short summary of standalone MM, relative to > > > > traditional MM, and why it is more suitable -- I presume -- for aar= ch64, > > > > which document should I look at, from > > > > , for example? > > > > > > > > > > Perhaps Achin can answer this, since he has been driving the spec sid= e > > > of this? (and maintains StandaloneMmPkg) > > > > The idea behind MM Standalone mode was to sandbox MM code in self suffi= cient > > execution context. This was a step to avoid some of the vulnerabilities= in > > traditional SMM due to code and data sharing with DXE. > > > > On AArch64, the MM standalone mode is initialised during the SEC phase.= This > > corresponds to Trustzone initialisation. Furthermore, the MM standalone > > execution context is placed in user mode (Secure EL0) instead of runnin= g it in a > > privileged processor mode (S-EL1 or EL3 on AArch64, Ring -2 or SMM on x= 86). This > > restricts what the MM standalone context can see and do. Lastly, after = SEC no > > more MM Standalone drivers can be initialized during PEI or DXE (in con= trast to > > the example in PI 1.6 Section 1.5.2). > > > > Hope that makes sense? > > >=20 > I agree, but this is not what StandaloneMmPkg implements today: it > implements a MmFvDispatchHandler that permits a FV to be brough into > the MM environment, and the MM dispatcher will happily dispatch all > the MM_STANDALONE modules it contains. Umm! Not following why is that a problem. The FV on AArch64 must only conta= in MM_STANDALONE drivers. These drivers rely on the MMST which is exclusively = used in the secure world. So the isolation is still achieved right? Are you sayi= ng that additional checks are required to enforce this on AArch64? >=20 > Also, there are some other pieces missing (which I mentioned in one of > the other threads but I suppose you may not have caught up yet): > EndOfDxe (as well as some other PI defined events) needs to be > signalled to the standalone MM context by some non-MM agent, and I > think there are other parts of the traditional SMM IPL that have not > been ported to standalone MM yet. Yes! I am still catching up but saw the patches that Supreeth has reviewed = and they make sense. Could you please explain the need for End of DXE signallin= g and the traditional SMM IPL. It is not obvious to me :o( cheers, Achin >=20 > > I have not seen all the patches in this and related series but the use = of InMM() > > to allow code to have a DXE driver or a MM Standalone driver personalit= y seems > > to defeat the entire purpose of Standalone MM. My concern is that any c= ode that > > is relevant only to DXE or PEI must not be a part of the MM Standalone > > context. This could be achieved through proper refactoring + conditiona= l > > compilation. If the decision is taken at runtime then this is just trad= itional > > MM. > >