From: "Taylor Beebe"
To: devel@edk2.groups.io
Cc: Taylor Beebe, Jian J Wang, Liming Gao, Dandan Bi, Ard Biesheuvel, Ray Ni, Oliver Smith-Denny, Michael Kubacki, Kun Qin, Sean Brogan
Subject: [PATCH v1 0/3] MdeModulePkg: Adding Dynamic Memory Protection Settings Libraries
Date: Fri, 9 Jun 2023 13:25:58 -0700
Message-Id: <20230609202601.1153-1-t@taylorbeebe.com>

Memory protection settings are currently configured via FixedAtBuild PCDs, which results in a build-time configuration of memory mitigations. To improve flexibility and compatibility, this patchset adds HOB definitions and libraries required for configuring memory protection settings at runtime.

Once the PCD references in the codebase are replaced with references to the memory protection HOB entries, platforms will need to produce a HOB of the format defined in DxeMemoryProtectionSettings.h and MmMemoryProtectionSettings.h. For example, to enable strict protections in DXE the platform could do the following:

  DXE_MEMORY_PROTECTION_SETTINGS  DxeSettings = (DXE_MEMORY_PROTECTION_SETTINGS)DXE_MEMORY_PROTECTION_SETTINGS_DEBUG;

  BuildGuidDataHob (&gDxeMemoryProtectionSettingsGuid, &DxeSettings, sizeof (DxeSettings));

Deviations from the preset configurations are also easy, and analogous profiles are provided for SMM and Standalone MM.

A future patch series will replace references to the memory protection PCDs with references to the HOB entry in the codebase. With the PCDs, the NX setting for EfiConventionalMemory is checked with a call like:

  (PcdGet64 (PcdDxeNxMemoryProtectionPolicy) & (1 << EfiConventionalMemory)) != 0

Using the HOB, the NX setting for EfiConventionalMemory in the DXE environment will be checked with a call like:

  gDxeMps.NxProtectionPolicy.Fields.EfiConventionalMemory != 0

Cc: Jian J Wang
Cc: Liming Gao
Cc: Dandan Bi
Cc: Ard Biesheuvel
Cc: Ray Ni
Cc: Oliver Smith-Denny
Cc: Michael Kubacki
Cc: Kun Qin
Cc: Sean Brogan

Taylor Beebe (3):
  MdeModulePkg: Add DXE and MM Memory Protection Settings HOB Definitions
  MdeModulePkg: Add MemoryProtectionHobLib Definitions and NULL Libs
  MdeModulePkg: Add Phase-Specific MemoryProtectionHobLib Implementations

 MdeModulePkg/Library/MemoryProtectionHobLib/DxeMemoryProtectionHobLib.c          | 182 +++++++
 MdeModulePkg/Library/MemoryProtectionHobLib/MmCommonMemoryProtectionHobLib.c     | 139 ++++++
 MdeModulePkg/Library/MemoryProtectionHobLib/SmmMemoryProtectionHobLib.c          |  37 ++
 MdeModulePkg/Library/MemoryProtectionHobLib/StandaloneMmMemoryProtectionHobLib.c |  37 ++
 MdeModulePkg/Library/MemoryProtectionHobLibNull/DxeMemoryProtectionHobLibNull.c  |  33 ++
 MdeModulePkg/Library/MemoryProtectionHobLibNull/MmMemoryProtectionHobLibNull.c   |  33 ++
 MdeModulePkg/Include/Guid/DxeMemoryProtectionSettings.h                          | 503 ++++++++++++++++++++
 MdeModulePkg/Include/Guid/MmMemoryProtectionSettings.h                           | 239 ++++++++++
 MdeModulePkg/Include/Library/DxeMemoryProtectionHobLib.h                         |  36 ++
 MdeModulePkg/Include/Library/MmMemoryProtectionHobLib.h                          |  36 ++
 MdeModulePkg/Library/MemoryProtectionHobLib/DxeMemoryProtectionHobLib.inf        |  34 ++
 MdeModulePkg/Library/MemoryProtectionHobLib/SmmMemoryProtectionHobLib.inf        |  35 ++
 MdeModulePkg/Library/MemoryProtectionHobLib/StandaloneMmMemoryProtectionHobLib.inf |  36 ++
 MdeModulePkg/Library/MemoryProtectionHobLibNull/DxeMemoryProtectionHobLibNull.inf |  25 +
 MdeModulePkg/Library/MemoryProtectionHobLibNull/MmMemoryProtectionHobLibNull.inf |  26 +
 MdeModulePkg/MdeModulePkg.dec                                                    |  18 +
 MdeModulePkg/MdeModulePkg.dsc                                                    |  11 +
 17 files changed, 1460 insertions(+)
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLib/DxeMemoryProtectionHobLib.c
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLib/MmCommonMemoryProtectionHobLib.c
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLib/SmmMemoryProtectionHobLib.c
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLib/StandaloneMmMemoryProtectionHobLib.c
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLibNull/DxeMemoryProtectionHobLibNull.c
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLibNull/MmMemoryProtectionHobLibNull.c
 create mode 100644 MdeModulePkg/Include/Guid/DxeMemoryProtectionSettings.h
 create mode 100644 MdeModulePkg/Include/Guid/MmMemoryProtectionSettings.h
 create mode 100644 MdeModulePkg/Include/Library/DxeMemoryProtectionHobLib.h
 create mode 100644 MdeModulePkg/Include/Library/MmMemoryProtectionHobLib.h
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLib/DxeMemoryProtectionHobLib.inf
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLib/SmmMemoryProtectionHobLib.inf
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLib/StandaloneMmMemoryProtectionHobLib.inf
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLibNull/DxeMemoryProtectionHobLibNull.inf
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLibNull/MmMemoryProtectionHobLibNull.inf

-- 
2.36.1.windows.1
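The before/after check from the cover letter, modelled as an added example that is not code from this patch series or from edk2: the enum values are the UEFI spec's EFI_MEMORY_TYPE values (so they double as bit positions in a PCD mask), while MODEL_NX_POLICY_FIELDS, PcdNxEnabledFor and NxFieldsFromPcdMask are hypothetical stand-ins for the HOB's per-type NX fields and for the translation a platform would do when carrying an existing PCD policy into the new HOB format.

```c
#include <stdint.h>
#include <stdbool.h>

/* Subset of the UEFI EFI_MEMORY_TYPE enumeration; the values are the
   spec-defined ones, so bit positions in a PCD mask line up with them. */
typedef enum {
  EfiReservedMemoryType = 0, EfiLoaderCode, EfiLoaderData,
  EfiBootServicesCode, EfiBootServicesData, EfiRuntimeServicesCode,
  EfiRuntimeServicesData, EfiConventionalMemory
} MODEL_MEMORY_TYPE;

/* Hypothetical model of the per-type NX policy inside the DXE settings HOB:
   a named flag per memory type instead of a packed UINT64 PCD bitmask. */
typedef struct {
  uint8_t EfiReservedMemoryType  : 1;
  uint8_t EfiLoaderCode          : 1;
  uint8_t EfiLoaderData          : 1;
  uint8_t EfiBootServicesCode    : 1;
  uint8_t EfiBootServicesData    : 1;
  uint8_t EfiRuntimeServicesCode : 1;
  uint8_t EfiRuntimeServicesData : 1;
  uint8_t EfiConventionalMemory  : 1;
} MODEL_NX_POLICY_FIELDS;

/* Legacy-style check: is bit <Type> set in the PCD mask? The outer
   parentheses are required because "!=" binds tighter than "&" in C;
   without them only bit 0 would ever be tested. */
bool PcdNxEnabledFor (uint64_t PcdMask, MODEL_MEMORY_TYPE Type)
{
  return (PcdMask & (1ULL << Type)) != 0;
}

/* Expand a legacy PCD mask into HOB-style named fields, so a platform can
   carry its existing NX policy into the settings HOB it now has to build.
   Every type is assigned explicitly: no field is left to an implicit bit. */
MODEL_NX_POLICY_FIELDS NxFieldsFromPcdMask (uint64_t PcdMask)
{
  MODEL_NX_POLICY_FIELDS F = {0};
  F.EfiReservedMemoryType  = PcdNxEnabledFor (PcdMask, EfiReservedMemoryType);
  F.EfiLoaderCode          = PcdNxEnabledFor (PcdMask, EfiLoaderCode);
  F.EfiLoaderData          = PcdNxEnabledFor (PcdMask, EfiLoaderData);
  F.EfiBootServicesCode    = PcdNxEnabledFor (PcdMask, EfiBootServicesCode);
  F.EfiBootServicesData    = PcdNxEnabledFor (PcdMask, EfiBootServicesData);
  F.EfiRuntimeServicesCode = PcdNxEnabledFor (PcdMask, EfiRuntimeServicesCode);
  F.EfiRuntimeServicesData = PcdNxEnabledFor (PcdMask, EfiRuntimeServicesData);
  F.EfiConventionalMemory  = PcdNxEnabledFor (PcdMask, EfiConventionalMemory);
  return F;
}
```

Once the fields exist, the consumer-side test reads as the cover letter shows it (`Fields.EfiConventionalMemory != 0`) and no longer depends on getting a shift and a mask right at every call site.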