From: "Taylor Beebe" <taylor.d.beebe@gmail.com>
To: devel@edk2.groups.io
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>,
Jiewen Yao <jiewen.yao@intel.com>,
Jordan Justen <jordan.l.justen@intel.com>,
Gerd Hoffmann <kraxel@redhat.com>
Subject: [edk2-devel] [PATCH v3 11/26] OvmfPkg: Apply Memory Protections via SetMemoryProtectionsLib
Date: Wed, 30 Aug 2023 16:18:19 -0700 [thread overview]
Message-ID: <20230830231851.779-12-taylor.d.beebe@gmail.com> (raw)
In-Reply-To: <20230830231851.779-1-taylor.d.beebe@gmail.com>
Use SetMemoryProtectionsLib to set the memory protections for
the platform in both normal and PEI-less boot. The protections
set are equivalent to the PCD settings and the ability to set
NxForStack via QemuCfg is preserved. Once the transition to use
SetMemoryProtectionsLib and GetMemoryProtectionsLib is complete
in the rest of EDK2, the mechanics of setting protections in
OvmfPkg will be updated and the memory protection PCDs will
be deleted.
Signed-off-by: Taylor Beebe <taylor.d.beebe@gmail.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
---
OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c | 15 +++++++++++++--
OvmfPkg/PlatformPei/Platform.c | 15 +++++++++++++--
OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf | 3 +++
OvmfPkg/PlatformPei/PlatformPei.inf | 1 +
4 files changed, 30 insertions(+), 4 deletions(-)
diff --git a/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c b/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c
index 1632a2317718..cf645aad3246 100644
--- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c
+++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c
@@ -14,10 +14,13 @@
#include <Protocol/DebugSupport.h>
#include <Library/TdxLib.h>
#include <IndustryStandard/Tdx.h>
+#include <Library/PcdLib.h>
#include <Library/PrePiLib.h>
#include <Library/PeilessStartupLib.h>
#include <Library/PlatformInitLib.h>
#include <Library/TdxHelperLib.h>
+#include <Library/SetMemoryProtectionsLib.h>
+#include <Library/QemuFwCfgSimpleParserLib.h>
#include <ConfidentialComputingGuestAttr.h>
#include <Guid/MemoryTypeInformation.h>
#include <OvmfPlatforms.h>
@@ -42,7 +45,9 @@ InitializePlatform (
EFI_HOB_PLATFORM_INFO *PlatformInfoHob
)
{
- VOID *VariableStore;
+ VOID *VariableStore;
+ DXE_MEMORY_PROTECTION_SETTINGS DxeSettings;
+ MM_MEMORY_PROTECTION_SETTINGS MmSettings;
DEBUG ((DEBUG_INFO, "InitializePlatform in Pei-less boot\n"));
PlatformDebugDumpCmos ();
@@ -104,7 +109,13 @@ InitializePlatform (
PlatformMemMapInitialization (PlatformInfoHob);
- PlatformNoexecDxeInitialization (PlatformInfoHob);
+ DxeSettings = DxeMemoryProtectionProfiles[DxeMemoryProtectionSettingsPcd].Settings;
+ MmSettings = MmMemoryProtectionProfiles[MmMemoryProtectionSettingsPcd].Settings;
+ DxeSettings.StackExecutionProtectionEnabled = PcdGetBool (PcdSetNxForStack);
+ QemuFwCfgParseBool ("opt/ovmf/PcdSetNxForStack", &DxeSettings.StackExecutionProtectionEnabled);
+
+ SetDxeMemoryProtectionSettings (&DxeSettings, DxeMemoryProtectionSettingsPcd);
+ SetMmMemoryProtectionSettings (&MmSettings, MmMemoryProtectionSettingsPcd);
if (TdIsEnabled ()) {
PlatformInfoHob->PcdConfidentialComputingGuestAttr = CCAttrIntelTdx;
diff --git a/OvmfPkg/PlatformPei/Platform.c b/OvmfPkg/PlatformPei/Platform.c
index f5dc41c3a8c4..bcd8d3a1be14 100644
--- a/OvmfPkg/PlatformPei/Platform.c
+++ b/OvmfPkg/PlatformPei/Platform.c
@@ -38,6 +38,7 @@
#include <IndustryStandard/QemuCpuHotplug.h>
#include <Library/MemEncryptSevLib.h>
#include <OvmfPlatforms.h>
+#include <Library/SetMemoryProtectionsLib.h>
#include "Platform.h"
@@ -304,8 +305,10 @@ InitializePlatform (
IN CONST EFI_PEI_SERVICES **PeiServices
)
{
- EFI_HOB_PLATFORM_INFO *PlatformInfoHob;
- EFI_STATUS Status;
+ EFI_HOB_PLATFORM_INFO *PlatformInfoHob;
+ EFI_STATUS Status;
+ DXE_MEMORY_PROTECTION_SETTINGS DxeSettings;
+ MM_MEMORY_PROTECTION_SETTINGS MmSettings;
DEBUG ((DEBUG_INFO, "Platform PEIM Loaded\n"));
PlatformInfoHob = BuildPlatformInfoHob ();
@@ -342,6 +345,14 @@ InitializePlatform (
PublishPeiMemory (PlatformInfoHob);
+ DxeSettings = DxeMemoryProtectionProfiles[DxeMemoryProtectionSettingsPcd].Settings;
+ MmSettings = MmMemoryProtectionProfiles[MmMemoryProtectionSettingsPcd].Settings;
+ DxeSettings.StackExecutionProtectionEnabled = PcdGetBool (PcdSetNxForStack);
+ QemuFwCfgParseBool ("opt/ovmf/PcdSetNxForStack", &DxeSettings.StackExecutionProtectionEnabled);
+
+ SetDxeMemoryProtectionSettings (&DxeSettings, DxeMemoryProtectionSettingsPcd);
+ SetMmMemoryProtectionSettings (&MmSettings, MmMemoryProtectionSettingsPcd);
+
PlatformQemuUc32BaseInitialization (PlatformInfoHob);
InitializeRamRegions (PlatformInfoHob);
diff --git a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf
index 585d50463748..f0a8a5a56df4 100644
--- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf
+++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf
@@ -56,6 +56,8 @@ [LibraryClasses]
PrePiLib
QemuFwCfgLib
PlatformInitLib
+ SetMemoryProtectionsLib
+ QemuFwCfgSimpleParserLib
[Guids]
gEfiHobMemoryAllocModuleGuid
@@ -81,6 +83,7 @@ [Pcd]
gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy ## SOMETIMES_CONSUMES
gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask ## CONSUMES
gEfiMdeModulePkgTokenSpaceGuid.PcdNullPointerDetectionPropertyMask ## CONSUMES
+ gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack ## CONSUMES
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvSize
gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootSupported
diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf
index 3934aeed9514..6b8442d12b2c 100644
--- a/OvmfPkg/PlatformPei/PlatformPei.inf
+++ b/OvmfPkg/PlatformPei/PlatformPei.inf
@@ -65,6 +65,7 @@ [LibraryClasses]
PcdLib
CcExitLib
PlatformInitLib
+ SetMemoryProtectionsLib
[Pcd]
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase
--
2.42.0.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#108165): https://edk2.groups.io/g/devel/message/108165
Mute This Topic: https://groups.io/mt/101064083/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-
next prev parent reply other threads:[~2023-08-30 23:19 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-30 23:18 [edk2-devel] [PATCH v3 00/26] Implement Dynamic Memory Protections Taylor Beebe
2023-08-30 23:18 ` [edk2-devel] [PATCH v3 01/26] MdeModulePkg: Add DXE and MM Memory Protection Settings Definitions Taylor Beebe
2023-08-30 23:18 ` [edk2-devel] [PATCH v3 02/26] MdeModulePkg: Define SetMemoryProtectionsLib and GetMemoryProtectionsLib Taylor Beebe
2023-08-30 23:18 ` [edk2-devel] [PATCH v3 03/26] MdeModulePkg: Add NULL Instances for Get/SetMemoryProtectionsLib Taylor Beebe
2023-08-30 23:18 ` [edk2-devel] [PATCH v3 04/26] MdeModulePkg: Implement SetMemoryProtectionsLib and GetMemoryProtectionsLib Taylor Beebe
2023-08-30 23:18 ` [edk2-devel] [PATCH v3 05/26] MdeModulePkg: Copy PEI PCD Database Into New Buffer Taylor Beebe
2023-08-30 23:18 ` [edk2-devel] [PATCH v3 06/26] MdeModulePkg: Apply Protections to the HOB List Taylor Beebe
2023-08-30 23:18 ` [edk2-devel] [PATCH v3 07/26] MdeModulePkg: Check Print Level Before Dumping GCD Memory Map Taylor Beebe
2023-08-30 23:18 ` [edk2-devel] [PATCH v3 08/26] UefiCpuPkg: Always Set Stack Guard in MpPei Init Taylor Beebe
2023-08-30 23:18 ` [edk2-devel] [PATCH v3 09/26] ArmVirtPkg: Add Memory Protection Library Definitions to Platforms Taylor Beebe
2023-08-30 23:18 ` [edk2-devel] [PATCH v3 10/26] OvmfPkg: " Taylor Beebe
2023-08-30 23:18 ` Taylor Beebe [this message]
2023-08-30 23:18 ` [edk2-devel] [PATCH v3 12/26] OvmfPkg: Update PeilessStartupLib to use SetMemoryProtectionsLib Taylor Beebe
2023-08-30 23:18 ` [edk2-devel] [PATCH v3 13/26] UefiPayloadPkg: Update DXE Handoff " Taylor Beebe
2023-08-30 23:18 ` [edk2-devel] [PATCH v3 14/26] MdeModulePkg: " Taylor Beebe
2023-08-30 23:18 ` [edk2-devel] [PATCH v3 15/26] ArmPkg: Use GetMemoryProtectionsLib instead of Memory Protection PCDs Taylor Beebe
2023-08-30 23:18 ` [edk2-devel] [PATCH v3 16/26] EmulatorPkg: " Taylor Beebe
2023-08-30 23:18 ` [edk2-devel] [PATCH v3 17/26] OvmfPkg: " Taylor Beebe
2023-08-30 23:18 ` [edk2-devel] [PATCH v3 18/26] UefiCpuPkg: " Taylor Beebe
2023-08-30 23:18 ` [edk2-devel] [PATCH v3 19/26] MdeModulePkg: " Taylor Beebe
2023-08-30 23:18 ` [edk2-devel] [PATCH v3 20/26] MdeModulePkg: Add Additional Profiles to SetMemoryProtectionsLib Taylor Beebe
2023-08-30 23:18 ` [edk2-devel] [PATCH v3 21/26] OvmfPkg: Enable Choosing Memory Protection Profile via QemuCfg Taylor Beebe
2023-09-11 11:27 ` Gerd Hoffmann
2023-08-30 23:18 ` [edk2-devel] [PATCH v3 22/26] ArmVirtPkg: Apply Memory Protections via SetMemoryProtectionsLib Taylor Beebe
2023-08-30 23:18 ` [edk2-devel] [PATCH v3 23/26] MdeModulePkg: Delete PCD Profile from SetMemoryProtectionsLib Taylor Beebe
2023-08-30 23:18 ` [edk2-devel] [PATCH v3 24/26] OvmfPkg: Delete Memory Protection PCDs Taylor Beebe
2023-08-30 23:18 ` [edk2-devel] [PATCH v3 25/26] ArmVirtPkg: " Taylor Beebe
2023-08-30 23:18 ` [edk2-devel] [PATCH v3 26/26] MdeModulePkg: " Taylor Beebe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230830231851.779-12-taylor.d.beebe@gmail.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox