From: "Taylor Beebe" <taylor.d.beebe@gmail.com>
To: devel@edk2.groups.io
Cc: "Ard Biesheuvel" <ardb+tianocore@kernel.org>,
"Jiewen Yao" <jiewen.yao@intel.com>,
"Jordan Justen" <jordan.l.justen@intel.com>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Rebecca Cran" <rebecca@bsdio.com>,
"Peter Grehan" <grehan@freebsd.org>,
"Corvin Köhne" <corvink@freebsd.org>
Subject: [edk2-devel] [PATCH v2 20/25] OvmfPkg: Enable Choosing Memory Protection Profile via QemuCfg
Date: Fri, 18 Aug 2023 15:31:52 -0700 [thread overview]
Message-ID: <20230818223159.1073-21-taylor.d.beebe@gmail.com> (raw)
In-Reply-To: <20230818223159.1073-1-taylor.d.beebe@gmail.com>
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain, Size: 23251 bytes --]
Now that the EDK2 tree uses GetMemoryProtectionsLib to query
the platform memory protection settings, OvmfPkg can be updated
to use QemuCfg to set the entire memory protection profile instead
of just SetNxForStack.
For example, the following will set the DXE memory protection to
the RELEASE preset. Other presets are "debug" and "off":
-fw_cfg name=opt/org.tianocore/DxeMemoryProtectionProfile,string=release
The following will set the DXE memory protection to
the RELEASE preset. Other presets are "debug" and "off":
-fw_cfg name=opt/org.tianocore/MmMemoryProtectionProfile,string=release
For users of Stuart, DXE_MEMORY_PROTECTION_PROFILE=release and
MM_MEMORY_PROTECTION_PROFILE=release are equivalent to the above
examples.
Signed-off-by: Taylor Beebe <taylor.d.beebe@gmail.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Rebecca Cran <rebecca@bsdio.com>
Cc: Peter Grehan <grehan@freebsd.org>
Cc: Corvin Köhne <corvink@freebsd.org>
---
OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c | 56 ++++++++++++++--
OvmfPkg/Library/PeilessStartupLib/X64/VirtualMemory.c | 13 +---
OvmfPkg/Library/PlatformInitLib/Platform.c | 15 -----
OvmfPkg/Library/QemuFwCfgSimpleParserLib/QemuFwCfgSimpleParser.c | 11 +++
OvmfPkg/PlatformPei/IntelTdx.c | 2 -
OvmfPkg/PlatformPei/Platform.c | 70 ++++++++++++++------
OvmfPkg/TdxDxe/TdxDxe.c | 7 +-
OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf | 1 -
OvmfPkg/Include/Library/PlatformInitLib.h | 13 ----
OvmfPkg/Include/Library/QemuFwCfgSimpleParserLib.h | 8 +++
OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf | 1 -
OvmfPkg/PlatformCI/PlatformBuildLib.py | 31 ++++++++-
OvmfPkg/PlatformPei/PlatformPei.inf | 1 -
OvmfPkg/TdxDxe/TdxDxe.inf | 1 -
14 files changed, 148 insertions(+), 82 deletions(-)
diff --git a/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c b/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c
index cf645aad3246..a6ac6a8a15cc 100644
--- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c
+++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c
@@ -28,6 +28,12 @@
#define GET_GPAW_INIT_STATE(INFO) ((UINT8) ((INFO) & 0x3f))
+#define DXE_MEMORY_PROTECTION_PROFILE_FWCFG_FILE \
+ "opt/org.tianocore/DxeMemoryProtectionProfile"
+
+#define MM_MEMORY_PROTECTION_PROFILE_FWCFG_FILE \
+ "opt/org.tianocore/MmMemoryProtectionProfile"
+
EFI_MEMORY_TYPE_INFORMATION mDefaultMemoryTypeInformation[] = {
{ EfiACPIMemoryNVS, 0x004 },
{ EfiACPIReclaimMemory, 0x008 },
@@ -48,6 +54,9 @@ InitializePlatform (
VOID *VariableStore;
DXE_MEMORY_PROTECTION_SETTINGS DxeSettings;
MM_MEMORY_PROTECTION_SETTINGS MmSettings;
+ CHAR8 String[100];
+ UINTN StringSize;
+ EFI_STATUS Status;
DEBUG ((DEBUG_INFO, "InitializePlatform in Pei-less boot\n"));
PlatformDebugDumpCmos ();
@@ -109,18 +118,51 @@ InitializePlatform (
PlatformMemMapInitialization (PlatformInfoHob);
- DxeSettings = DxeMemoryProtectionProfiles[DxeMemoryProtectionSettingsPcd].Settings;
- MmSettings = MmMemoryProtectionProfiles[MmMemoryProtectionSettingsPcd].Settings;
- DxeSettings.StackExecutionProtectionEnabled = PcdGetBool (PcdSetNxForStack);
- QemuFwCfgParseBool ("opt/ovmf/PcdSetNxForStack", &DxeSettings.StackExecutionProtectionEnabled);
+ StringSize = sizeof (String);
- SetDxeMemoryProtectionSettings (&DxeSettings, DxeMemoryProtectionSettingsPcd);
- SetMmMemoryProtectionSettings (&MmSettings, MmMemoryProtectionSettingsPcd);
+ Status = QemuFwCfgParseString (DXE_MEMORY_PROTECTION_PROFILE_FWCFG_FILE, &StringSize, String);
+ if (!EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_INFO, "Setting DXE Memory Protection Profile: %a\n", String));
+ if (AsciiStriCmp (String, "debug") == 0) {
+ DxeSettings = DxeMemoryProtectionProfiles[DxeMemoryProtectionSettingsDebug].Settings;
+ } else if (AsciiStriCmp (String, "release") == 0) {
+ DxeSettings = DxeMemoryProtectionProfiles[DxeMemoryProtectionSettingsRelease].Settings;
+ } else if (AsciiStriCmp (String, "off") == 0) {
+ DxeSettings = DxeMemoryProtectionProfiles[DxeMemoryProtectionSettingsOff].Settings;
+ } else {
+ DEBUG ((DEBUG_ERROR, "Invalid DXE memory protection profile: %a\n", String));
+ ASSERT (FALSE);
+ }
+ } else {
+ DxeSettings = DxeMemoryProtectionProfiles[DxeMemoryProtectionSettingsDebug].Settings;
+ }
+
+ Status = QemuFwCfgParseString (MM_MEMORY_PROTECTION_PROFILE_FWCFG_FILE, &StringSize, String);
+ if (!EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_INFO, "Setting MM Memory Protection Profile: %a\n", String));
+ if (AsciiStriCmp (String, "debug") == 0) {
+ MmSettings = MmMemoryProtectionProfiles[MmMemoryProtectionSettingsDebug].Settings;
+ } else if (AsciiStriCmp (String, "release") == 0) {
+ MmSettings = MmMemoryProtectionProfiles[MmMemoryProtectionSettingsRelease].Settings;
+ } else if (AsciiStriCmp (String, "off") == 0) {
+ MmSettings = MmMemoryProtectionProfiles[MmMemoryProtectionSettingsOff].Settings;
+ } else {
+ DEBUG ((DEBUG_ERROR, "Invalid MM memory protection profile: %a\n", String));
+ ASSERT (FALSE);
+ }
+ } else {
+ MmSettings = MmMemoryProtectionProfiles[MmMemoryProtectionSettingsOff].Settings;
+ }
+
+ // Always disable NullPointerDetection in EndOfDxe phase for shim compatability
+ DxeSettings.NullPointerDetection.DisableEndOfDxe = TRUE;
+
+ SetDxeMemoryProtectionSettings (&DxeSettings, DxeMemoryProtectionSettingsDebug);
+ SetMmMemoryProtectionSettings (&MmSettings, MmMemoryProtectionSettingsOff);
if (TdIsEnabled ()) {
PlatformInfoHob->PcdConfidentialComputingGuestAttr = CCAttrIntelTdx;
PlatformInfoHob->PcdTdxSharedBitMask = TdSharedPageMask ();
- PlatformInfoHob->PcdSetNxForStack = TRUE;
}
PlatformMiscInitialization (PlatformInfoHob);
diff --git a/OvmfPkg/Library/PeilessStartupLib/X64/VirtualMemory.c b/OvmfPkg/Library/PeilessStartupLib/X64/VirtualMemory.c
index 41521e3d3d71..7ae9b5743810 100644
--- a/OvmfPkg/Library/PeilessStartupLib/X64/VirtualMemory.c
+++ b/OvmfPkg/Library/PeilessStartupLib/X64/VirtualMemory.c
@@ -53,18 +53,7 @@ IsSetNxForStack (
VOID
)
{
- EFI_HOB_GUID_TYPE *GuidHob;
- EFI_HOB_PLATFORM_INFO *PlatformInfo;
-
- GuidHob = GetFirstGuidHob (&gUefiOvmfPkgPlatformInfoGuid);
- if (GuidHob == NULL) {
- ASSERT (FALSE);
- return FALSE;
- }
-
- PlatformInfo = (EFI_HOB_PLATFORM_INFO *)GET_GUID_HOB_DATA (GuidHob);
-
- return PlatformInfo->PcdSetNxForStack;
+ return mMps.Dxe.StackExecutionProtectionEnabled;
}
/**
diff --git a/OvmfPkg/Library/PlatformInitLib/Platform.c b/OvmfPkg/Library/PlatformInitLib/Platform.c
index f48bf16ae300..bc9becc4016e 100644
--- a/OvmfPkg/Library/PlatformInitLib/Platform.c
+++ b/OvmfPkg/Library/PlatformInitLib/Platform.c
@@ -249,21 +249,6 @@ PlatformMemMapInitialization (
PlatformInfoHob->PcdPciIoSize = PciIoSize;
}
-/**
- * Fetch "opt/ovmf/PcdSetNxForStack" from QEMU
- *
- * @param Setting The pointer to the setting of "/opt/ovmf/PcdSetNxForStack".
- * @return EFI_SUCCESS Successfully fetch the settings.
- */
-EFI_STATUS
-EFIAPI
-PlatformNoexecDxeInitialization (
- IN OUT EFI_HOB_PLATFORM_INFO *PlatformInfoHob
- )
-{
- return QemuFwCfgParseBool ("opt/ovmf/PcdSetNxForStack", &PlatformInfoHob->PcdSetNxForStack);
-}
-
VOID
PciExBarInitialization (
VOID
diff --git a/OvmfPkg/Library/QemuFwCfgSimpleParserLib/QemuFwCfgSimpleParser.c b/OvmfPkg/Library/QemuFwCfgSimpleParserLib/QemuFwCfgSimpleParser.c
index c9e0091b82d1..63c8711a9f2e 100644
--- a/OvmfPkg/Library/QemuFwCfgSimpleParserLib/QemuFwCfgSimpleParser.c
+++ b/OvmfPkg/Library/QemuFwCfgSimpleParserLib/QemuFwCfgSimpleParser.c
@@ -426,3 +426,14 @@ QemuFwCfgParseUintn (
*Value = (UINTN)Uint64;
return RETURN_SUCCESS;
}
+
+RETURN_STATUS
+EFIAPI
+QemuFwCfgParseString (
+ IN CONST CHAR8 *FileName,
+ IN OUT UINTN *BufferSize,
+ OUT CHAR8 *Buffer
+ )
+{
+ return QemuFwCfgGetAsString (FileName, BufferSize, Buffer);
+}
diff --git a/OvmfPkg/PlatformPei/IntelTdx.c b/OvmfPkg/PlatformPei/IntelTdx.c
index 3d625cabd844..1cb6729e56e6 100644
--- a/OvmfPkg/PlatformPei/IntelTdx.c
+++ b/OvmfPkg/PlatformPei/IntelTdx.c
@@ -48,7 +48,5 @@ IntelTdxInitialize (
PcdStatus = PcdSet64S (PcdTdxSharedBitMask, TdSharedPageMask ());
ASSERT_RETURN_ERROR (PcdStatus);
- PcdStatus = PcdSetBoolS (PcdSetNxForStack, TRUE);
- ASSERT_RETURN_ERROR (PcdStatus);
#endif
}
diff --git a/OvmfPkg/PlatformPei/Platform.c b/OvmfPkg/PlatformPei/Platform.c
index bcd8d3a1be14..e86eec471fa1 100644
--- a/OvmfPkg/PlatformPei/Platform.c
+++ b/OvmfPkg/PlatformPei/Platform.c
@@ -50,6 +50,12 @@ EFI_PEI_PPI_DESCRIPTOR mPpiBootMode[] = {
}
};
+#define DXE_MEMORY_PROTECTION_PROFILE_FWCFG_FILE \
+ "opt/org.tianocore/DxeMemoryProtectionProfile"
+
+#define MM_MEMORY_PROTECTION_PROFILE_FWCFG_FILE \
+ "opt/org.tianocore/MmMemoryProtectionProfile"
+
VOID
MemMapInitialization (
IN OUT EFI_HOB_PLATFORM_INFO *PlatformInfoHob
@@ -74,21 +80,6 @@ MemMapInitialization (
ASSERT_RETURN_ERROR (PcdStatus);
}
-STATIC
-VOID
-NoexecDxeInitialization (
- IN OUT EFI_HOB_PLATFORM_INFO *PlatformInfoHob
- )
-{
- RETURN_STATUS Status;
-
- Status = PlatformNoexecDxeInitialization (PlatformInfoHob);
- if (!RETURN_ERROR (Status)) {
- Status = PcdSetBoolS (PcdSetNxForStack, PlatformInfoHob->PcdSetNxForStack);
- ASSERT_RETURN_ERROR (Status);
- }
-}
-
static const UINT8 EmptyFdt[] = {
0xd0, 0x0d, 0xfe, 0xed, 0x00, 0x00, 0x00, 0x48,
0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x48,
@@ -309,6 +300,8 @@ InitializePlatform (
EFI_STATUS Status;
DXE_MEMORY_PROTECTION_SETTINGS DxeSettings;
MM_MEMORY_PROTECTION_SETTINGS MmSettings;
+ CHAR8 String[100];
+ UINTN StringSize;
DEBUG ((DEBUG_INFO, "Platform PEIM Loaded\n"));
PlatformInfoHob = BuildPlatformInfoHob ();
@@ -345,13 +338,47 @@ InitializePlatform (
PublishPeiMemory (PlatformInfoHob);
- DxeSettings = DxeMemoryProtectionProfiles[DxeMemoryProtectionSettingsPcd].Settings;
- MmSettings = MmMemoryProtectionProfiles[MmMemoryProtectionSettingsPcd].Settings;
- DxeSettings.StackExecutionProtectionEnabled = PcdGetBool (PcdSetNxForStack);
- QemuFwCfgParseBool ("opt/ovmf/PcdSetNxForStack", &DxeSettings.StackExecutionProtectionEnabled);
+ StringSize = sizeof (String);
- SetDxeMemoryProtectionSettings (&DxeSettings, DxeMemoryProtectionSettingsPcd);
- SetMmMemoryProtectionSettings (&MmSettings, MmMemoryProtectionSettingsPcd);
+ Status = QemuFwCfgParseString (DXE_MEMORY_PROTECTION_PROFILE_FWCFG_FILE, &StringSize, String);
+ if (!EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_INFO, "Setting DXE Memory Protection Profile: %a\n", String));
+ if (AsciiStriCmp (String, "debug") == 0) {
+ DxeSettings = DxeMemoryProtectionProfiles[DxeMemoryProtectionSettingsDebug].Settings;
+ } else if (AsciiStriCmp (String, "release") == 0) {
+ DxeSettings = DxeMemoryProtectionProfiles[DxeMemoryProtectionSettingsRelease].Settings;
+ } else if (AsciiStriCmp (String, "off") == 0) {
+ DxeSettings = DxeMemoryProtectionProfiles[DxeMemoryProtectionSettingsOff].Settings;
+ } else {
+ DEBUG ((DEBUG_ERROR, "Invalid DXE memory protection profile: %a\n", String));
+ ASSERT (FALSE);
+ }
+ } else {
+ DxeSettings = DxeMemoryProtectionProfiles[DxeMemoryProtectionSettingsDebug].Settings;
+ }
+
+ Status = QemuFwCfgParseString (MM_MEMORY_PROTECTION_PROFILE_FWCFG_FILE, &StringSize, String);
+ if (!EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_INFO, "Setting MM Memory Protection Profile: %a\n", String));
+ if (AsciiStriCmp (String, "debug") == 0) {
+ MmSettings = MmMemoryProtectionProfiles[MmMemoryProtectionSettingsDebug].Settings;
+ } else if (AsciiStriCmp (String, "release") == 0) {
+ MmSettings = MmMemoryProtectionProfiles[MmMemoryProtectionSettingsRelease].Settings;
+ } else if (AsciiStriCmp (String, "off") == 0) {
+ MmSettings = MmMemoryProtectionProfiles[MmMemoryProtectionSettingsOff].Settings;
+ } else {
+ DEBUG ((DEBUG_ERROR, "Invalid MM memory protection profile: %a\n", String));
+ ASSERT (FALSE);
+ }
+ } else {
+ MmSettings = MmMemoryProtectionProfiles[MmMemoryProtectionSettingsOff].Settings;
+ }
+
+ // Always disable NullPointerDetection in EndOfDxe phase for shim compatability
+ DxeSettings.NullPointerDetection.DisableEndOfDxe = TRUE;
+
+ SetDxeMemoryProtectionSettings (&DxeSettings, DxeMemoryProtectionSettingsDebug);
+ SetMmMemoryProtectionSettings (&MmSettings, MmMemoryProtectionSettingsOff);
PlatformQemuUc32BaseInitialization (PlatformInfoHob);
@@ -365,7 +392,6 @@ InitializePlatform (
PeiFvInitialization (PlatformInfoHob);
MemTypeInfoInitialization (PlatformInfoHob);
MemMapInitialization (PlatformInfoHob);
- NoexecDxeInitialization (PlatformInfoHob);
}
InstallClearCacheCallback ();
diff --git a/OvmfPkg/TdxDxe/TdxDxe.c b/OvmfPkg/TdxDxe/TdxDxe.c
index 30732f421bb6..5e497ba66227 100644
--- a/OvmfPkg/TdxDxe/TdxDxe.c
+++ b/OvmfPkg/TdxDxe/TdxDxe.c
@@ -131,15 +131,12 @@ SetPcdSettings (
PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, PlatformInfoHob->PcdConfidentialComputingGuestAttr);
ASSERT_RETURN_ERROR (PcdStatus);
- PcdStatus = PcdSetBoolS (PcdSetNxForStack, PlatformInfoHob->PcdSetNxForStack);
- ASSERT_RETURN_ERROR (PcdStatus);
DEBUG ((
DEBUG_INFO,
- "HostBridgeDevId=0x%x, CCAttr=0x%x, SetNxForStack=%x\n",
+ "HostBridgeDevId=0x%x, CCAttr=0x%x\n",
PlatformInfoHob->HostBridgeDevId,
- PlatformInfoHob->PcdConfidentialComputingGuestAttr,
- PlatformInfoHob->PcdSetNxForStack
+ PlatformInfoHob->PcdConfidentialComputingGuestAttr
));
PcdStatus = PcdSet32S (PcdCpuBootLogicalProcessorNumber, PlatformInfoHob->PcdCpuBootLogicalProcessorNumber);
diff --git a/OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf b/OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf
index 07570d4e30ca..07f032941404 100644
--- a/OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf
+++ b/OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf
@@ -89,7 +89,6 @@ [Pcd]
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved
gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplSwitchToLongMode
gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable
- gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack
gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable
gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask
gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy
diff --git a/OvmfPkg/Include/Library/PlatformInitLib.h b/OvmfPkg/Include/Library/PlatformInitLib.h
index 57b18b94d9b8..b2468f206321 100644
--- a/OvmfPkg/Include/Library/PlatformInitLib.h
+++ b/OvmfPkg/Include/Library/PlatformInitLib.h
@@ -32,7 +32,6 @@ typedef struct {
UINT32 Uc32Base;
UINT32 Uc32Size;
- BOOLEAN PcdSetNxForStack;
UINT64 PcdTdxSharedBitMask;
UINT64 PcdPciMmio64Base;
@@ -182,18 +181,6 @@ PlatformMemMapInitialization (
IN OUT EFI_HOB_PLATFORM_INFO *PlatformInfoHob
);
-/**
- * Fetch "opt/ovmf/PcdSetNxForStack" from QEMU
- *
- * @param Setting The pointer to the setting of "/opt/ovmf/PcdSetNxForStack".
- * @return EFI_SUCCESS Successfully fetch the settings.
- */
-EFI_STATUS
-EFIAPI
-PlatformNoexecDxeInitialization (
- IN OUT EFI_HOB_PLATFORM_INFO *PlatformInfoHob
- );
-
VOID
EFIAPI
PlatformMiscInitialization (
diff --git a/OvmfPkg/Include/Library/QemuFwCfgSimpleParserLib.h b/OvmfPkg/Include/Library/QemuFwCfgSimpleParserLib.h
index bcbf3bc4fc96..ea9fcf7b402e 100644
--- a/OvmfPkg/Include/Library/QemuFwCfgSimpleParserLib.h
+++ b/OvmfPkg/Include/Library/QemuFwCfgSimpleParserLib.h
@@ -125,4 +125,12 @@ QemuFwCfgParseUintn (
OUT UINTN *Value
);
+RETURN_STATUS
+EFIAPI
+QemuFwCfgParseString (
+ IN CONST CHAR8 *FileName,
+ IN OUT UINTN *BufferSize,
+ OUT CHAR8 *Buffer
+ );
+
#endif // QEMU_FW_CFG_SIMPLE_PARSER_LIB_H_
diff --git a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf
index 47bd42d23d11..f433a6681bbd 100644
--- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf
+++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf
@@ -79,7 +79,6 @@ [Pcd]
gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplBuildPageTables ## CONSUMES
gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable ## SOMETIMES_CONSUMES
gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask ## CONSUMES
- gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack ## CONSUMES
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvSize
gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootSupported
diff --git a/OvmfPkg/PlatformCI/PlatformBuildLib.py b/OvmfPkg/PlatformCI/PlatformBuildLib.py
index 1ada935d3cb4..72119a8bfb66 100644
--- a/OvmfPkg/PlatformCI/PlatformBuildLib.py
+++ b/OvmfPkg/PlatformCI/PlatformBuildLib.py
@@ -170,6 +170,8 @@ class PlatformBuilder( UefiBuilder, BuildSettingsManager):
self.env.SetValue("PRODUCT_NAME", "OVMF", "Platform Hardcoded")
self.env.SetValue("MAKE_STARTUP_NSH", "FALSE", "Default to false")
self.env.SetValue("QEMU_HEADLESS", "FALSE", "Default to false")
+ self.env.SetValue("QEMU_CPUHP_QUIRK", "FALSE", "Default to false")
+ self.env.SetValue("MEMORY_PROTECTION_PROFILE", "DEBUG", "Default to Debug")
return 0
def PlatformPreBuild(self):
@@ -182,6 +184,8 @@ class PlatformBuilder( UefiBuilder, BuildSettingsManager):
VirtualDrive = os.path.join(self.env.GetValue("BUILD_OUTPUT_BASE"), "VirtualDrive")
os.makedirs(VirtualDrive, exist_ok=True)
OutputPath_FV = os.path.join(self.env.GetValue("BUILD_OUTPUT_BASE"), "FV")
+ DxeMemoryProtection = self.env.GetValue("DXE_MEMORY_PROTECTION_PROFILE", "NONE")
+ MmMemoryProtection = self.env.GetValue("MM_MEMORY_PROTECTION_PROFILE", "NONE")
if (self.env.GetValue("QEMU_SKIP") and
self.env.GetValue("QEMU_SKIP").upper() == "TRUE"):
@@ -195,15 +199,27 @@ class PlatformBuilder( UefiBuilder, BuildSettingsManager):
args = "-debugcon stdio" # write messages to stdio
args += " -global isa-debugcon.iobase=0x402" # debug messages out thru virtual io port
args += " -net none" # turn off network
- args += " -smp 4"
args += f" -drive file=fat:rw:{VirtualDrive},format=raw,media=disk" # Mount disk with startup.nsh
+ if (DxeMemoryProtection.upper() == "OFF"):
+ args += " -fw_cfg name=opt/org.tianocore/DxeMemoryProtectionProfile,string=off"
+ elif (DxeMemoryProtection.upper() == "RELEASE"):
+ args += " -fw_cfg name=opt/org.tianocore/DxeMemoryProtectionProfile,string=release"
+ elif (DxeMemoryProtection.upper() == "DEBUG"):
+ args += " -fw_cfg name=opt/org.tianocore/DxeMemoryProtectionProfile,string=debug"
+
+ if (MmMemoryProtection.upper() == "OFF"):
+ args += " -fw_cfg name=opt/org.tianocore/MmMemoryProtectionProfile,string=off"
+ elif (MmMemoryProtection.upper() == "RELEASE"):
+ args += " -fw_cfg name=opt/org.tianocore/MmMemoryProtectionProfile,string=release"
+ elif (MmMemoryProtection.upper() == "DEBUG"):
+ args += " -fw_cfg name=opt/org.tianocore/MmMemoryProtectionProfile,string=debug"
+
if (self.env.GetValue("QEMU_HEADLESS").upper() == "TRUE"):
args += " -display none" # no graphics
if (self.env.GetBuildValue("SMM_REQUIRE") == "1"):
args += " -machine q35,smm=on" #,accel=(tcg|kvm)"
- args += " --accel tcg,thread=single"
#args += " -m ..."
args += " -global driver=cfi.pflash01,property=secure,value=on"
args += " -drive if=pflash,format=raw,unit=0,file=" + os.path.join(OutputPath_FV, "OVMF_CODE.fd") + ",readonly=on"
@@ -212,6 +228,17 @@ class PlatformBuilder( UefiBuilder, BuildSettingsManager):
args += " -pflash " + os.path.join(OutputPath_FV, "OVMF.fd") # path to firmware
+ ###
+ ### NOTE This is a temporary workaround to allow platform CI to cope with
+ ### a QEMU bug in the CPU hotplug code. Once the CI environment has
+ ### been updated to carry a fixed version of QEMU, this can be
+ ### removed again
+ ###
+ ### Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=4250
+ ###
+ if (self.env.GetValue("QEMU_CPUHP_QUIRK").upper() == "TRUE"):
+ args += " -fw_cfg name=opt/org.tianocore/X-Cpuhp-Bugcheck-Override,string=yes"
+
if (self.env.GetValue("MAKE_STARTUP_NSH").upper() == "TRUE"):
f = open(os.path.join(VirtualDrive, "startup.nsh"), "w")
f.write("BOOT SUCCESS !!! \n")
diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf
index 6b8442d12b2c..c4179931a583 100644
--- a/OvmfPkg/PlatformPei/PlatformPei.inf
+++ b/OvmfPkg/PlatformPei/PlatformPei.inf
@@ -103,7 +103,6 @@ [Pcd]
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved
gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplSwitchToLongMode
gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable
- gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack
gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable
gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask
gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase
diff --git a/OvmfPkg/TdxDxe/TdxDxe.inf b/OvmfPkg/TdxDxe/TdxDxe.inf
index 9793562884c7..42317228c1aa 100644
--- a/OvmfPkg/TdxDxe/TdxDxe.inf
+++ b/OvmfPkg/TdxDxe/TdxDxe.inf
@@ -68,6 +68,5 @@ [Pcd]
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFdBaseAddress
gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr
gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask
- gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved
gUefiOvmfPkgTokenSpaceGuid.PcdTdxAcceptPageSize
--
2.41.0.windows.3
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107875): https://edk2.groups.io/g/devel/message/107875
Mute This Topic: https://groups.io/mt/100830924/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-
next prev parent reply other threads:[~2023-08-18 22:58 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-18 22:31 [edk2-devel] [PATCH v2 00/25] Implement Dynamic Memory Protections Taylor Beebe
2023-08-18 22:31 ` [edk2-devel] [PATCH v2 01/25] MdeModulePkg: Add DXE and MM Memory Protection Settings Definitions Taylor Beebe
2023-08-18 22:31 ` [edk2-devel] [PATCH v2 02/25] MdeModulePkg: Define SetMemoryProtectionsLib and GetMemoryProtectionsLib Taylor Beebe
2023-08-18 22:31 ` [edk2-devel] [PATCH v2 03/25] MdeModulePkg: Add NULL Instances for Get/SetMemoryProtectionsLib Taylor Beebe
2023-08-18 22:31 ` [edk2-devel] [PATCH v2 04/25] MdeModulePkg: Implement SetMemoryProtectionsLib and GetMemoryProtectionsLib Taylor Beebe
2023-08-18 22:31 ` [edk2-devel] [PATCH v2 05/25] MdeModulePkg: Apply Protections to the HOB List Taylor Beebe
2023-08-18 22:31 ` [edk2-devel] [PATCH v2 06/25] MdeModulePkg: Check Print Level Before Dumping GCD Memory Map Taylor Beebe
2023-08-18 22:31 ` [edk2-devel] [PATCH v2 07/25] UefiCpuPkg: Always Set Stack Guard in MpPei Init Taylor Beebe
2023-08-18 22:31 ` [edk2-devel] [PATCH v2 08/25] ArmVirtPkg: Add Memory Protection Library Definitions to Platforms Taylor Beebe
2023-08-18 22:31 ` [edk2-devel] [PATCH v2 09/25] OvmfPkg: " Taylor Beebe
2023-08-18 22:31 ` [edk2-devel] [PATCH v2 10/25] OvmfPkg: Apply Memory Protections via SetMemoryProtectionsLib Taylor Beebe
2023-08-18 22:31 ` [edk2-devel] [PATCH v2 11/25] OvmfPkg: Update PeilessStartupLib to use SetMemoryProtectionsLib Taylor Beebe
2023-08-18 22:31 ` [edk2-devel] [PATCH v2 12/25] UefiPayloadPkg: Update DXE Handoff " Taylor Beebe
2023-08-18 22:31 ` [edk2-devel] [PATCH v2 13/25] MdeModulePkg: " Taylor Beebe
2023-08-18 22:31 ` [edk2-devel] [PATCH v2 14/25] ArmPkg: Use GetMemoryProtectionsLib instead of Memory Protection PCDs Taylor Beebe
2023-08-18 22:31 ` [edk2-devel] [PATCH v2 15/25] EmulatorPkg: " Taylor Beebe
2023-08-18 22:31 ` [edk2-devel] [PATCH v2 16/25] OvmfPkg: " Taylor Beebe
2023-08-18 22:31 ` [edk2-devel] [PATCH v2 17/25] UefiCpuPkg: " Taylor Beebe
2023-08-18 22:31 ` [edk2-devel] [PATCH v2 18/25] MdeModulePkg: " Taylor Beebe
2023-08-18 22:31 ` [edk2-devel] [PATCH v2 19/25] MdeModulePkg: Add Additional Profiles to SetMemoryProtectionsLib Taylor Beebe
2023-08-29 10:46 ` Gerd Hoffmann
2023-08-29 16:08 ` Taylor Beebe
2023-08-18 22:31 ` Taylor Beebe [this message]
2023-08-29 11:17 ` [edk2-devel] [PATCH v2 20/25] OvmfPkg: Enable Choosing Memory Protection Profile via QemuCfg Gerd Hoffmann
2023-08-29 16:26 ` Taylor Beebe
2023-08-18 22:31 ` [edk2-devel] [PATCH v2 21/25] ArmVirtPkg: Apply Memory Protections via SetMemoryProtectionsLib Taylor Beebe
2023-08-18 22:31 ` [edk2-devel] [PATCH v2 22/25] MdeModulePkg: Delete PCD Profile from SetMemoryProtectionsLib Taylor Beebe
2023-08-18 22:31 ` [edk2-devel] [PATCH v2 23/25] OvmfPkg: Delete Memory Protection PCDs Taylor Beebe
2023-08-18 22:31 ` [edk2-devel] [PATCH v2 24/25] ArmVirtPkg: " Taylor Beebe
2023-08-18 22:31 ` [edk2-devel] [PATCH v2 25/25] MdeModulePkg: " Taylor Beebe
2023-08-19 22:13 ` [edk2-devel] [PATCH v2 00/25] Implement Dynamic Memory Protections Pedro Falcato
2023-08-21 16:19 ` Taylor Beebe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230818223159.1073-21-taylor.d.beebe@gmail.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox