public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Taylor Beebe" <taylor.d.beebe@gmail.com>
To: devel@edk2.groups.io
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>,
	Jiewen Yao <jiewen.yao@intel.com>,
	Jordan Justen <jordan.l.justen@intel.com>,
	Gerd Hoffmann <kraxel@redhat.com>
Subject: [edk2-devel] [PATCH v5 11/28] OvmfPkg: Apply Memory Protections via SetMemoryProtectionsLib
Date: Sun,  8 Oct 2023 17:07:23 -0700	[thread overview]
Message-ID: <20231009000742.1792-12-taylor.d.beebe@gmail.com> (raw)
In-Reply-To: <20231009000742.1792-1-taylor.d.beebe@gmail.com>

Use SetMemoryProtectionsLib to set the memory protections for
the platform in both normal and PEI-less boot. The protections
set are equivalent to the PCD settings and the ability to set
NxForStack via QemuCfg is preserved. Once the transition to use
SetMemoryProtectionsLib and GetMemoryProtectionsLib is complete
in the rest of EDK2, the mechanics of setting protections in
OvmfPkg will be updated and the memory protection PCDs will
be deleted.

Signed-off-by: Taylor Beebe <taylor.d.beebe@gmail.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
---
 OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c      | 15 +++++++++++++--
 OvmfPkg/PlatformPei/Platform.c                          | 15 +++++++++++++--
 OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf |  3 +++
 OvmfPkg/PlatformPei/PlatformPei.inf                     |  1 +
 4 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c b/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c
index 1632a2317718..cf645aad3246 100644
--- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c
+++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c
@@ -14,10 +14,13 @@
 #include <Protocol/DebugSupport.h>
 #include <Library/TdxLib.h>
 #include <IndustryStandard/Tdx.h>
+#include <Library/PcdLib.h>
 #include <Library/PrePiLib.h>
 #include <Library/PeilessStartupLib.h>
 #include <Library/PlatformInitLib.h>
 #include <Library/TdxHelperLib.h>
+#include <Library/SetMemoryProtectionsLib.h>
+#include <Library/QemuFwCfgSimpleParserLib.h>
 #include <ConfidentialComputingGuestAttr.h>
 #include <Guid/MemoryTypeInformation.h>
 #include <OvmfPlatforms.h>
@@ -42,7 +45,9 @@ InitializePlatform (
   EFI_HOB_PLATFORM_INFO  *PlatformInfoHob
   )
 {
-  VOID  *VariableStore;
+  VOID                            *VariableStore;
+  DXE_MEMORY_PROTECTION_SETTINGS  DxeSettings;
+  MM_MEMORY_PROTECTION_SETTINGS   MmSettings;
 
   DEBUG ((DEBUG_INFO, "InitializePlatform in Pei-less boot\n"));
   PlatformDebugDumpCmos ();
@@ -104,7 +109,13 @@ InitializePlatform (
 
   PlatformMemMapInitialization (PlatformInfoHob);
 
-  PlatformNoexecDxeInitialization (PlatformInfoHob);
+  DxeSettings                                 = DxeMemoryProtectionProfiles[DxeMemoryProtectionSettingsPcd].Settings;
+  MmSettings                                  = MmMemoryProtectionProfiles[MmMemoryProtectionSettingsPcd].Settings;
+  DxeSettings.StackExecutionProtectionEnabled = PcdGetBool (PcdSetNxForStack);
+  QemuFwCfgParseBool ("opt/ovmf/PcdSetNxForStack", &DxeSettings.StackExecutionProtectionEnabled);
+
+  SetDxeMemoryProtectionSettings (&DxeSettings, DxeMemoryProtectionSettingsPcd);
+  SetMmMemoryProtectionSettings (&MmSettings, MmMemoryProtectionSettingsPcd);
 
   if (TdIsEnabled ()) {
     PlatformInfoHob->PcdConfidentialComputingGuestAttr = CCAttrIntelTdx;
diff --git a/OvmfPkg/PlatformPei/Platform.c b/OvmfPkg/PlatformPei/Platform.c
index f5dc41c3a8c4..bcd8d3a1be14 100644
--- a/OvmfPkg/PlatformPei/Platform.c
+++ b/OvmfPkg/PlatformPei/Platform.c
@@ -38,6 +38,7 @@
 #include <IndustryStandard/QemuCpuHotplug.h>
 #include <Library/MemEncryptSevLib.h>
 #include <OvmfPlatforms.h>
+#include <Library/SetMemoryProtectionsLib.h>
 
 #include "Platform.h"
 
@@ -304,8 +305,10 @@ InitializePlatform (
   IN CONST EFI_PEI_SERVICES     **PeiServices
   )
 {
-  EFI_HOB_PLATFORM_INFO  *PlatformInfoHob;
-  EFI_STATUS             Status;
+  EFI_HOB_PLATFORM_INFO           *PlatformInfoHob;
+  EFI_STATUS                      Status;
+  DXE_MEMORY_PROTECTION_SETTINGS  DxeSettings;
+  MM_MEMORY_PROTECTION_SETTINGS   MmSettings;
 
   DEBUG ((DEBUG_INFO, "Platform PEIM Loaded\n"));
   PlatformInfoHob = BuildPlatformInfoHob ();
@@ -342,6 +345,14 @@ InitializePlatform (
 
   PublishPeiMemory (PlatformInfoHob);
 
+  DxeSettings                                 = DxeMemoryProtectionProfiles[DxeMemoryProtectionSettingsPcd].Settings;
+  MmSettings                                  = MmMemoryProtectionProfiles[MmMemoryProtectionSettingsPcd].Settings;
+  DxeSettings.StackExecutionProtectionEnabled = PcdGetBool (PcdSetNxForStack);
+  QemuFwCfgParseBool ("opt/ovmf/PcdSetNxForStack", &DxeSettings.StackExecutionProtectionEnabled);
+
+  SetDxeMemoryProtectionSettings (&DxeSettings, DxeMemoryProtectionSettingsPcd);
+  SetMmMemoryProtectionSettings (&MmSettings, MmMemoryProtectionSettingsPcd);
+
   PlatformQemuUc32BaseInitialization (PlatformInfoHob);
 
   InitializeRamRegions (PlatformInfoHob);
diff --git a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf
index 585d50463748..f0a8a5a56df4 100644
--- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf
+++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf
@@ -56,6 +56,8 @@ [LibraryClasses]
   PrePiLib
   QemuFwCfgLib
   PlatformInitLib
+  SetMemoryProtectionsLib
+  QemuFwCfgSimpleParserLib
 
 [Guids]
   gEfiHobMemoryAllocModuleGuid
@@ -81,6 +83,7 @@ [Pcd]
   gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy       ## SOMETIMES_CONSUMES
   gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask    ## CONSUMES
   gEfiMdeModulePkgTokenSpaceGuid.PcdNullPointerDetectionPropertyMask    ## CONSUMES
+  gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack                       ## CONSUMES
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvSize
   gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootSupported
diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf
index 3934aeed9514..6b8442d12b2c 100644
--- a/OvmfPkg/PlatformPei/PlatformPei.inf
+++ b/OvmfPkg/PlatformPei/PlatformPei.inf
@@ -65,6 +65,7 @@ [LibraryClasses]
   PcdLib
   CcExitLib
   PlatformInitLib
+  SetMemoryProtectionsLib
 
 [Pcd]
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase
-- 
2.42.0.windows.2



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#109416): https://edk2.groups.io/g/devel/message/109416
Mute This Topic: https://groups.io/mt/101843353/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



  parent reply	other threads:[~2023-10-09  0:08 UTC|newest]

Thread overview: 51+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-10-09  0:07 [edk2-devel] [PATCH v5 00/28] Implement Dynamic Memory Protection Settings Taylor Beebe
2023-10-09  0:07 ` [edk2-devel] [PATCH v5 01/28] MdeModulePkg: Add DXE and MM Memory Protection Settings Definitions Taylor Beebe
2023-11-03  5:52   ` Ni, Ray
2023-10-09  0:07 ` [edk2-devel] [PATCH v5 02/28] MdeModulePkg: Define SetMemoryProtectionsLib and GetMemoryProtectionsLib Taylor Beebe
2023-10-09  7:52   ` Laszlo Ersek
2023-10-09  0:07 ` [edk2-devel] [PATCH v5 03/28] MdeModulePkg: Add NULL Instances for Get/SetMemoryProtectionsLib Taylor Beebe
2023-10-09  0:07 ` [edk2-devel] [PATCH v5 04/28] MdeModulePkg: Implement SetMemoryProtectionsLib and GetMemoryProtectionsLib Taylor Beebe
2023-10-09  0:07 ` [edk2-devel] [PATCH v5 05/28] MdeModulePkg: Copy PEI PCD Database Into New Buffer Taylor Beebe
2023-10-09  6:47   ` Laszlo Ersek
2023-10-09  0:07 ` [edk2-devel] [PATCH v5 06/28] MdeModulePkg: Apply Protections to the HOB List Taylor Beebe
2023-10-09  6:54   ` Laszlo Ersek
2023-10-09  0:07 ` [edk2-devel] [PATCH v5 07/28] MdeModulePkg: Check Print Level Before Dumping GCD Memory Map Taylor Beebe
2023-10-09  7:10   ` Laszlo Ersek
2023-10-09  0:07 ` [edk2-devel] [PATCH v5 08/28] UefiCpuPkg: Always Set Stack Guard in MpPei Init Taylor Beebe
2023-10-09  7:28   ` Laszlo Ersek
2023-10-09  0:07 ` [edk2-devel] [PATCH v5 09/28] ArmVirtPkg: Add Memory Protection Library Definitions to Platforms Taylor Beebe
2023-10-09  7:30   ` Laszlo Ersek
2023-10-09  0:07 ` [edk2-devel] [PATCH v5 10/28] OvmfPkg: " Taylor Beebe
2023-10-09  7:47   ` Laszlo Ersek
2023-10-09  0:07 ` Taylor Beebe [this message]
2023-10-09  8:19   ` [edk2-devel] [PATCH v5 11/28] OvmfPkg: Apply Memory Protections via SetMemoryProtectionsLib Laszlo Ersek
2023-10-09  0:07 ` [edk2-devel] [PATCH v5 12/28] OvmfPkg: Update PeilessStartupLib to use SetMemoryProtectionsLib Taylor Beebe
2023-10-09  0:07 ` [edk2-devel] [PATCH v5 13/28] UefiPayloadPkg: Update DXE Handoff " Taylor Beebe
2023-10-09  0:07 ` [edk2-devel] [PATCH v5 14/28] MdeModulePkg: " Taylor Beebe
2023-10-09  0:07 ` [edk2-devel] [PATCH v5 15/28] ArmPkg: Use GetMemoryProtectionsLib instead of Memory Protection PCDs Taylor Beebe
2023-10-09  0:07 ` [edk2-devel] [PATCH v5 16/28] EmulatorPkg: " Taylor Beebe
2023-10-09  0:07 ` [edk2-devel] [PATCH v5 17/28] OvmfPkg: " Taylor Beebe
2023-10-09  8:29   ` Laszlo Ersek
2023-10-09  0:07 ` [edk2-devel] [PATCH v5 18/28] UefiCpuPkg: " Taylor Beebe
2023-10-09  0:07 ` [edk2-devel] [PATCH v5 19/28] MdeModulePkg: " Taylor Beebe
2023-10-09  0:07 ` [edk2-devel] [PATCH v5 20/28] MdeModulePkg: Add Additional Profiles to SetMemoryProtectionsLib Taylor Beebe
2023-10-09  0:07 ` [edk2-devel] [PATCH v5 21/28] OvmfPkg: Add QemuFwCfgParseString to QemuFwCfgSimpleParserLib Taylor Beebe
2023-10-09  8:40   ` Laszlo Ersek
2023-10-09  0:07 ` [edk2-devel] [PATCH v5 22/28] OvmfPkg: Add MemoryProtectionConfigLib Taylor Beebe
2023-10-09  9:17   ` Laszlo Ersek
2023-10-09  9:22     ` Laszlo Ersek
2023-10-09  9:34   ` Laszlo Ersek
2023-10-09  0:07 ` [edk2-devel] [PATCH v5 23/28] OvmfPkg: Enable Choosing Memory Protection Profile via QemuCfg Taylor Beebe
2023-10-09  9:53   ` Laszlo Ersek
2023-10-09  0:07 ` [edk2-devel] [PATCH v5 24/28] ArmVirtPkg: Apply Memory Protections via SetMemoryProtectionsLib Taylor Beebe
2023-10-09 10:00   ` Laszlo Ersek
2023-10-10 11:48     ` Gerd Hoffmann
2023-10-09  0:07 ` [edk2-devel] [PATCH v5 25/28] MdeModulePkg: Delete PCD Profile from SetMemoryProtectionsLib Taylor Beebe
2023-10-09  0:07 ` [edk2-devel] [PATCH v5 26/28] OvmfPkg: Delete Memory Protection PCDs Taylor Beebe
2023-10-09 10:02   ` Laszlo Ersek
2023-10-09  0:07 ` [edk2-devel] [PATCH v5 27/28] ArmVirtPkg: " Taylor Beebe
2023-10-09 10:02   ` Laszlo Ersek
2023-10-09  0:07 ` [edk2-devel] [PATCH v5 28/28] MdeModulePkg: " Taylor Beebe
2023-10-09 10:03   ` Laszlo Ersek
2023-10-09 14:47     ` Taylor Beebe
2023-10-09 10:16 ` [edk2-devel] [PATCH v5 00/28] Implement Dynamic Memory Protection Settings Yao, Jiewen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20231009000742.1792-12-taylor.d.beebe@gmail.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox