From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail05.groups.io (mail05.groups.io [45.79.224.7]) by spool.mail.gandi.net (Postfix) with ESMTPS id 05FC894178A for ; Mon, 24 Jun 2024 12:39:27 +0000 (UTC) DKIM-Signature: a=rsa-sha256; bh=GC4m6Z9zWuUsZLomWEp0H7dSrlLjgoQR3QVR35YLZ2M=; c=relaxed/simple; d=groups.io; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Resent-Date:Resent-From:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Transfer-Encoding; s=20240206; t=1719232767; v=1; b=BXG1z3Wke9iU08MjD0qDGRjSshimSlLC+4rAGyFB64N/kQfOz09bmsJWXxW4Z2RxzHr8Fpc+ qxjFhVV0ObirSCA9DYH3UCxw206GLLUjxDfi0ALVfW2tGqV4S6cJsr59yVP/gVwW+YwSh7pG9MO pDN3ZQ4S1hCiky2qkPWQ7uAY/Vy6KTFV49ErUougi3po9iI6LPhjdnk8sOR70iWbhfK8WiSu7pM C0aJc8I00hn3d0S8kUd29dr+zmhhF+hPU2rqOPA8IEK6upEXBKqHhAknM9j0RKFj8DBuaIf/f4g IZHrCgpEaXHRoDjK8g5sj3XD0CAYuoDy0h2XgqSwQItZQ== X-Received: by 127.0.0.2 with SMTP id 5VMKYY7687511xxYuhTywwKi; Mon, 24 Jun 2024 05:39:26 -0700 X-Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.10]) by mx.groups.io with SMTP id smtpd.web11.139484.1719232757282897668 for ; Mon, 24 Jun 2024 05:39:26 -0700 X-CSE-ConnectionGUID: BauAHLG8SPKPJM2Qtbz2wg== X-CSE-MsgGUID: scyA8yYuSGudQAybSqNVIQ== X-IronPort-AV: E=McAfee;i="6700,10204,11112"; a="33660734" X-IronPort-AV: E=Sophos;i="6.08,262,1712646000"; d="scan'208";a="33660734" X-Received: from orviesa008.jf.intel.com ([10.64.159.148]) by orvoesa102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Jun 2024 05:39:25 -0700 X-CSE-ConnectionGUID: q4CkVpK4Souc8OgSfIgkbQ== X-CSE-MsgGUID: gCodmqG6RvC4YrZ3220p2Q== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.08,262,1712646000"; d="scan'208";a="43983555" X-Received: from xieyuanh-mobl.ccr.corp.intel.com ([10.125.242.201]) by orviesa008-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Jun 2024 05:39:23 -0700 From: "Yuanhao Xie" To: devel@edk2.groups.io Cc: Liming Gao , Jiaxin Wu , Ray Ni , Ard Biesheuvel , Sami Mujawar , Yuanhao Xie Subject: [edk2-devel] [Patch V2 3/3] MdeModulePkg: Add Standalone MM Lockbox Driver. Date: Mon, 24 Jun 2024 20:38:41 +0800 Message-ID: <20240624123841.534-4-yuanhao.xie@intel.com> In-Reply-To: <20240624123841.534-1-yuanhao.xie@intel.com> References: <20240624123841.534-1-yuanhao.xie@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Resent-Date: Mon, 24 Jun 2024 05:39:26 -0700 Resent-From: yuanhao.xie@intel.com Reply-To: devel@edk2.groups.io,yuanhao.xie@intel.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: X-Gm-Message-State: k6gj08fXUUtY90FWqoVjLI0ox7686176AA= Content-Transfer-Encoding: 8bit X-GND-Status: LEGIT Authentication-Results: spool.mail.gandi.net; dkim=pass header.d=groups.io header.s=20240206 header.b=BXG1z3Wk; dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=intel.com (policy=none); spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 45.79.224.7 as permitted sender) smtp.mailfrom=bounce@groups.io The Lockbox Driver allows sensitive data to be securely stored in a designated area, thus protected against unauthorized access. This patch adds a Standalone MM Lockbox Driver with main modifications: 1. Separating shared code between the Standalone MM driver and the DXE MM Driver. 2. Utilizing services from the SMM Services Table (gSmst) as opposed to relying on Boot Services. Cc: Liming Gao Cc: Jiaxin Wu Cc: Ray Ni Cc: Ard Biesheuvel Cc: Sami Mujawar Signed-off-by: Yuanhao Xie Reviewed-by: Jiaxin Wu Reviewed-by: Ray Ni --- MdeModulePkg/MdeModulePkg.dsc | 1 + MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.c | 84 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.inf | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.uni | 14 ++++++++++++++ MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMmExtra.uni | 14 ++++++++++++++ 5 files changed, 169 insertions(+) diff --git a/MdeModulePkg/MdeModulePkg.dsc b/MdeModulePkg/MdeModulePkg.dsc index a1c8e2f905..64baa3f3b0 100644 --- a/MdeModulePkg/MdeModulePkg.dsc +++ b/MdeModulePkg/MdeModulePkg.dsc @@ -505,6 +505,7 @@ MdeModulePkg/Universal/ReportStatusCodeRouter/Smm/ReportStatusCodeRouterSmm.inf MdeModulePkg/Universal/ReportStatusCodeRouter/Smm/ReportStatusCodeRouterStandaloneMm.inf MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.inf + MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.inf MdeModulePkg/Library/SmmMemoryAllocationProfileLib/SmmMemoryAllocationProfileLib.inf MdeModulePkg/Library/PiSmmCoreMemoryAllocationLib/PiSmmCoreMemoryAllocationProfileLib.inf MdeModulePkg/Library/PiSmmCoreMemoryAllocationLib/PiSmmCoreMemoryAllocationLib.inf diff --git a/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.c b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.c new file mode 100644 index 0000000000..503be7efa8 --- /dev/null +++ b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.c @@ -0,0 +1,84 @@ +/** @file + LockBox MM driver. + +Copyright (c) 2024, Intel Corporation. All rights reserved.
+ +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include + +#include "SmmLockBoxCommon.h" + +/** + This function is an abstraction layer for implementation specific Mm buffer validation routine. + + @param Buffer The buffer start address to be checked. + @param Length The buffer length to be checked. + + @retval TRUE This buffer is valid per processor architecture and not overlap with SMRAM. + @retval FALSE This buffer is not valid per processor architecture or overlap with SMRAM. +**/ +BOOLEAN +IsBufferOutsideMmValid ( + IN EFI_PHYSICAL_ADDRESS Buffer, + IN UINT64 Length + ) +{ + return MmIsBufferOutsideMmValid (Buffer, Length); +} + +/** + Entry Point for LockBox MM driver. + + @param[in] ImageHandle Image handle of this driver. + @param[in] SystemTable A Pointer to the EFI System Table. + + @retval EFI_SUCEESS + @return Others Some error occurs. +**/ +EFI_STATUS +EFIAPI +SmmLockBoxStandaloneMmEntryPoint ( + IN EFI_HANDLE ImageHandle, + IN EFI_MM_SYSTEM_TABLE *SystemTable + ) +{ + EFI_STATUS Status; + EFI_HANDLE DispatchHandle; + VOID *Registration; + + // + // Register LockBox communication handler + // + Status = gMmst->MmiHandlerRegister ( + SmmLockBoxHandler, + &gEfiSmmLockBoxCommunicationGuid, + &DispatchHandle + ); + ASSERT_EFI_ERROR (Status); + + // + // Register SMM Ready To Lock Protocol notification + // + Status = gMmst->MmRegisterProtocolNotify ( + &gEfiSmmReadyToLockProtocolGuid, + SmmReadyToLockEventNotify, + &Registration + ); + ASSERT_EFI_ERROR (Status); + return Status; +} diff --git a/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.inf b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.inf new file mode 100644 index 0000000000..001f2dea9a --- /dev/null +++ b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.inf @@ -0,0 +1,56 @@ +## @file +# LockBox MM driver. +# +# Copyright (c) 2024, Intel Corporation. All rights reserved.
+# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = SmmLockBoxStandaloneMm + MODULE_UNI_FILE = SmmLockBoxStandaloneMm.uni + FILE_GUID = a83a87a0-8a3e-482d-86c8-84a139f6ded0 + MODULE_TYPE = MM_STANDALONE + VERSION_STRING = 1.0 + PI_SPECIFICATION_VERSION = 0x00010032 + ENTRY_POINT = SmmLockBoxStandaloneMmEntryPoint + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 +# + +[Sources] + SmmLockBoxStandaloneMm.c + SmmLockBoxCommon.c + SmmLockBoxCommon.h + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + StandaloneMmPkg/StandaloneMmPkg.dec + +[LibraryClasses] + MmServicesTableLib + BaseLib + BaseMemoryLib + DebugLib + LockBoxLib + MemLib + StandaloneMmDriverEntryPoint + +[Guids] + gEfiSmmLockBoxCommunicationGuid ## PRODUCES ## GUID # SmiHandlerRegister + +[Protocols] + gEfiSmmReadyToLockProtocolGuid ## NOTIFY + gEfiLockBoxProtocolGuid ## PRODUCES + +[Depex] + TRUE + +[UserExtensions.TianoCore."ExtraFiles"] + SmmLockBoxStandaloneMmExtra.uni diff --git a/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.uni b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.uni new file mode 100644 index 0000000000..7f6218102f --- /dev/null +++ b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.uni @@ -0,0 +1,14 @@ +// /** @file +// LockBox MM driver. +// +// Copyright (c) 2024, Intel Corporation. All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + + +#string STR_MODULE_ABSTRACT #language en-US "LockBox MM driver." + +#string STR_MODULE_DESCRIPTION #language en-US "LockBox MM driver." + diff --git a/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMmExtra.uni b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMmExtra.uni new file mode 100644 index 0000000000..a5443ca5f9 --- /dev/null +++ b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMmExtra.uni @@ -0,0 +1,14 @@ +// /** @file +// SmmLockBox Localized Strings and Content +// +// Copyright (c) 2024, Intel Corporation. All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + +#string STR_PROPERTIES_MODULE_NAME +#language en-US +"MM Lock Box Driver" + + -- 2.39.1.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#119689): https://edk2.groups.io/g/devel/message/119689 Mute This Topic: https://groups.io/mt/106848517/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=-