From: "Taylor Beebe" <t@taylorbeebe.com>
To: devel@edk2.groups.io
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>,
Jiewen Yao <jiewen.yao@intel.com>,
Jordan Justen <jordan.l.justen@intel.com>,
Gerd Hoffmann <kraxel@redhat.com>
Subject: [PATCH 09/14] OvmfPkg: Update to use memory protection HOB
Date: Tue, 11 Jul 2023 16:52:46 -0700 [thread overview]
Message-ID: <2a75076df8e49640706faa25292f015e90aa6a89.1689101263.git.t@taylorbeebe.com> (raw)
In-Reply-To: <cover.1689101263.git.t@taylorbeebe.com>
From: Taylor Beebe <tabeebe@microsoft.com>
Replace references to the memory protection PCDs with references
to the memory protection HOB.
The stack NX setting will no longer be fetched from the QEMU
configuration file and will instead be determined via the
HOB published in PlatformPei/Platform.c. PeilessStartup
will check the HOB when creating the page tables
at DXE handoff.
Signed-off-by: Taylor Beebe <t@taylorbeebe.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
---
OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf | 1 -
OvmfPkg/Fdt/HighMemDxe/HighMemDxe.c | 5 +-
OvmfPkg/Fdt/HighMemDxe/HighMemDxe.inf | 4 +-
OvmfPkg/Include/Library/PlatformInitLib.h | 13 ---
OvmfPkg/Library/PeilessStartupLib/DxeLoad.c | 25 ++--
.../PeilessStartupLib/PeilessStartup.c | 3 -
.../PeilessStartupLib/PeilessStartupLib.inf | 5 +-
.../PeilessStartupLib/X64/PageTables.h | 23 +---
.../PeilessStartupLib/X64/VirtualMemory.c | 107 ++++++------------
OvmfPkg/Library/PlatformInitLib/Platform.c | 15 ---
OvmfPkg/PlatformPei/IntelTdx.c | 2 -
OvmfPkg/PlatformPei/Platform.c | 16 ---
OvmfPkg/PlatformPei/PlatformPei.inf | 1 -
OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf | 2 +-
OvmfPkg/QemuVideoDxe/VbeShim.c | 5 +-
OvmfPkg/RiscVVirt/RiscVVirt.dsc.inc | 13 ---
OvmfPkg/TdxDxe/TdxDxe.c | 7 +-
OvmfPkg/TdxDxe/TdxDxe.inf | 1 -
18 files changed, 68 insertions(+), 180 deletions(-)
diff --git a/OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf b/OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf
index 739d63098b..27b4a595fe 100644
--- a/OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf
+++ b/OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf
@@ -88,7 +88,6 @@
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved
gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplSwitchToLongMode
gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable
- gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack
gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable
gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask
gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy
diff --git a/OvmfPkg/Fdt/HighMemDxe/HighMemDxe.c b/OvmfPkg/Fdt/HighMemDxe/HighMemDxe.c
index 779bf5c827..93bce776a9 100644
--- a/OvmfPkg/Fdt/HighMemDxe/HighMemDxe.c
+++ b/OvmfPkg/Fdt/HighMemDxe/HighMemDxe.c
@@ -13,6 +13,7 @@
#include <Library/DxeServicesTableLib.h>
#include <Library/PcdLib.h>
#include <Library/UefiBootServicesTableLib.h>
+#include <Library/DxeMemoryProtectionHobLib.h>
#include <Protocol/Cpu.h>
#include <Protocol/FdtClient.h>
@@ -148,9 +149,7 @@ InitializeHighMemDxe (
// on the page table mappings by going through the cpu arch protocol.
//
Attributes = EFI_MEMORY_WB;
- if ((PcdGet64 (PcdDxeNxMemoryProtectionPolicy) &
- (1U << (UINT32)EfiConventionalMemory)) != 0)
- {
+ if (gDxeMps.ExecutionProtection.EnabledForType[EfiConventionalMemory]) {
Attributes |= EFI_MEMORY_XP;
}
diff --git a/OvmfPkg/Fdt/HighMemDxe/HighMemDxe.inf b/OvmfPkg/Fdt/HighMemDxe/HighMemDxe.inf
index c7dde9f455..2d3add492b 100644
--- a/OvmfPkg/Fdt/HighMemDxe/HighMemDxe.inf
+++ b/OvmfPkg/Fdt/HighMemDxe/HighMemDxe.inf
@@ -33,13 +33,11 @@
PcdLib
UefiBootServicesTableLib
UefiDriverEntryPoint
+ DxeMemoryProtectionHobLib
[Protocols]
gEfiCpuArchProtocolGuid ## CONSUMES
gFdtClientProtocolGuid ## CONSUMES
-[Pcd]
- gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy
-
[Depex]
gEfiCpuArchProtocolGuid AND gFdtClientProtocolGuid
diff --git a/OvmfPkg/Include/Library/PlatformInitLib.h b/OvmfPkg/Include/Library/PlatformInitLib.h
index 57b18b94d9..b2468f2063 100644
--- a/OvmfPkg/Include/Library/PlatformInitLib.h
+++ b/OvmfPkg/Include/Library/PlatformInitLib.h
@@ -32,7 +32,6 @@ typedef struct {
UINT32 Uc32Base;
UINT32 Uc32Size;
- BOOLEAN PcdSetNxForStack;
UINT64 PcdTdxSharedBitMask;
UINT64 PcdPciMmio64Base;
@@ -182,18 +181,6 @@ PlatformMemMapInitialization (
IN OUT EFI_HOB_PLATFORM_INFO *PlatformInfoHob
);
-/**
- * Fetch "opt/ovmf/PcdSetNxForStack" from QEMU
- *
- * @param Setting The pointer to the setting of "/opt/ovmf/PcdSetNxForStack".
- * @return EFI_SUCCESS Successfully fetch the settings.
- */
-EFI_STATUS
-EFIAPI
-PlatformNoexecDxeInitialization (
- IN OUT EFI_HOB_PLATFORM_INFO *PlatformInfoHob
- );
-
VOID
EFIAPI
PlatformMiscInitialization (
diff --git a/OvmfPkg/Library/PeilessStartupLib/DxeLoad.c b/OvmfPkg/Library/PeilessStartupLib/DxeLoad.c
index d34690eb8a..169b4931a6 100644
--- a/OvmfPkg/Library/PeilessStartupLib/DxeLoad.c
+++ b/OvmfPkg/Library/PeilessStartupLib/DxeLoad.c
@@ -11,18 +11,21 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Library/DebugLib.h>
#include <Library/BaseLib.h>
#include <Library/BaseMemoryLib.h>
+#include <Library/HobLib.h>
#include <Library/MemoryAllocationLib.h>
#include <Library/PcdLib.h>
#include <Guid/MemoryTypeInformation.h>
#include <Guid/MemoryAllocationHob.h>
#include <Guid/PcdDataBaseSignatureGuid.h>
+#include <Guid/DxeMemoryProtectionSettings.h>
#include <Register/Intel/Cpuid.h>
#include <Library/PrePiLib.h>
#include "X64/PageTables.h"
#include <Library/ReportStatusCodeLib.h>
#define STACK_SIZE 0x20000
-extern EFI_GUID gEfiNonCcFvGuid;
+extern EFI_GUID gEfiNonCcFvGuid;
+DXE_MEMORY_PROTECTION_SETTINGS mDxeMps;
/**
Transfers control to DxeCore.
@@ -41,13 +44,21 @@ HandOffToDxeCore (
VOID *BaseOfStack;
VOID *TopOfStack;
UINTN PageTables;
+ VOID *Ptr;
- //
- // Clear page 0 and mark it as allocated if NULL pointer detection is enabled.
- //
- if (IsNullDetectionEnabled ()) {
- ClearFirst4KPage (GetHobList ());
- BuildMemoryAllocationHob (0, EFI_PAGES_TO_SIZE (1), EfiBootServicesData);
+ Ptr = GetFirstGuidHob (&gDxeMemoryProtectionSettingsGuid);
+
+ if ((Ptr != NULL) && DXE_MPS_IS_STRUCT_VALID (GET_GUID_HOB_DATA (Ptr))) {
+ CopyMem (&mDxeMps, GET_GUID_HOB_DATA (Ptr), sizeof (DXE_MEMORY_PROTECTION_SETTINGS));
+ } else {
+ ZeroMem (&mDxeMps, sizeof (DXE_MEMORY_PROTECTION_SETTINGS));
+ }
+
+ if (mDxeMps.NullPointerDetection.Enabled) {
+ ASSERT (CanAllocateNullPage (GetHobList ()));
+ // Clear NULL page and mark it as allocated for NULL detection
+ SetMem (NULL, EFI_PAGE_SIZE, (UINTN)NULL);
+ BuildMemoryAllocationHob ((UINTN)NULL, EFI_PAGES_TO_SIZE (1), EfiBootServicesData);
}
//
diff --git a/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c b/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c
index 164aa2d619..581413cd47 100644
--- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c
+++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c
@@ -104,12 +104,9 @@ InitializePlatform (
PlatformMemMapInitialization (PlatformInfoHob);
- PlatformNoexecDxeInitialization (PlatformInfoHob);
-
if (TdIsEnabled ()) {
PlatformInfoHob->PcdConfidentialComputingGuestAttr = CCAttrIntelTdx;
PlatformInfoHob->PcdTdxSharedBitMask = TdSharedPageMask ();
- PlatformInfoHob->PcdSetNxForStack = TRUE;
}
PlatformMiscInitialization (PlatformInfoHob);
diff --git a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf
index 7719b5031d..1e0879bb50 100644
--- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf
+++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf
@@ -65,6 +65,7 @@
gPcdDataBaseHobGuid
gCcEventEntryHobGuid
gEfiNonCcFvGuid
+ gDxeMemoryProtectionSettingsGuid
[Pcd]
gUefiOvmfPkgTokenSpaceGuid.PcdBfvBase
@@ -75,11 +76,7 @@
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbSize
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase
gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplBuildPageTables ## CONSUMES
- gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard ## CONSUMES
gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable ## SOMETIMES_CONSUMES
- gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy ## SOMETIMES_CONSUMES
- gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy ## SOMETIMES_CONSUMES
gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask ## CONSUMES
- gEfiMdeModulePkgTokenSpaceGuid.PcdNullPointerDetectionPropertyMask ## CONSUMES
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvSize
diff --git a/OvmfPkg/Library/PeilessStartupLib/X64/PageTables.h b/OvmfPkg/Library/PeilessStartupLib/X64/PageTables.h
index a0d0d3547b..ab2ff8b38b 100644
--- a/OvmfPkg/Library/PeilessStartupLib/X64/PageTables.h
+++ b/OvmfPkg/Library/PeilessStartupLib/X64/PageTables.h
@@ -179,28 +179,17 @@ CreateIdentityMappingPageTables (
);
/**
- Clear legacy memory located at the first 4K-page.
+ Returns TRUE if the NULL page has not been allocated.
- This function traverses the whole HOB list to check if memory from 0 to 4095
- exists and has not been allocated, and then clear it if so.
+ @param HobStart The start of HobList passed to DxeCore.
- @param HobStart The start of HobList passed to DxeCore.
+ @retval TRUE NULL page is unallocated
+ @retval FALSE NULL page cannot be allocated
**/
-VOID
-ClearFirst4KPage (
- IN VOID *HobStart
- );
-
-/**
- Return configure status of NULL pointer detection feature.
-
- @return TRUE NULL pointer detection feature is enabled
- @return FALSE NULL pointer detection feature is disabled
-**/
BOOLEAN
-IsNullDetectionEnabled (
- VOID
+CanAllocateNullPage (
+ IN VOID *HobStart
);
#endif
diff --git a/OvmfPkg/Library/PeilessStartupLib/X64/VirtualMemory.c b/OvmfPkg/Library/PeilessStartupLib/X64/VirtualMemory.c
index e2c1bac5e0..25187e730c 100644
--- a/OvmfPkg/Library/PeilessStartupLib/X64/VirtualMemory.c
+++ b/OvmfPkg/Library/PeilessStartupLib/X64/VirtualMemory.c
@@ -17,6 +17,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Library/PcdLib.h>
#include <Guid/MemoryTypeInformation.h>
#include <Guid/MemoryAllocationHob.h>
+#include <Guid/DxeMemoryProtectionSettings.h>
#include <Register/Intel/Cpuid.h>
#include <Library/PlatformInitLib.h>
#include "PageTables.h"
@@ -45,49 +46,37 @@ UINT64 mLevelSize[5] = {
SIZE_512GB
};
-BOOLEAN
-IsSetNxForStack (
- VOID
- )
-{
- EFI_HOB_GUID_TYPE *GuidHob;
- EFI_HOB_PLATFORM_INFO *PlatformInfo;
-
- GuidHob = GetFirstGuidHob (&gUefiOvmfPkgPlatformInfoGuid);
- if (GuidHob == NULL) {
- ASSERT (FALSE);
- return FALSE;
- }
-
- PlatformInfo = (EFI_HOB_PLATFORM_INFO *)GET_GUID_HOB_DATA (GuidHob);
-
- return PlatformInfo->PcdSetNxForStack;
-}
+extern DXE_MEMORY_PROTECTION_SETTINGS mDxeMps;
/**
- Clear legacy memory located at the first 4K-page, if available.
-
- This function traverses the whole HOB list to check if memory from 0 to 4095
- exists and has not been allocated, and then clear it if so.
+ Returns TRUE if the NULL page has not been allocated.
@param HobStart The start of HobList passed to DxeCore.
+ @retval TRUE NULL page is unallocated
+ @retval FALSE NULL page cannot be allocated
+
**/
-VOID
-ClearFirst4KPage (
+BOOLEAN
+CanAllocateNullPage (
IN VOID *HobStart
)
{
EFI_PEI_HOB_POINTERS RscHob;
EFI_PEI_HOB_POINTERS MemHob;
- BOOLEAN DoClear;
+ BOOLEAN CanAllocate;
+
+ if (HobStart == NULL) {
+ ASSERT (HobStart != NULL);
+ return FALSE;
+ }
- RscHob.Raw = HobStart;
- MemHob.Raw = HobStart;
- DoClear = FALSE;
+ RscHob.Raw = HobStart;
+ MemHob.Raw = HobStart;
+ CanAllocate = FALSE;
//
- // Check if page 0 exists and free
+ // Check if page 0 exists and is free
//
while ((RscHob.Raw = GetNextHob (
EFI_HOB_TYPE_RESOURCE_DESCRIPTOR,
@@ -95,9 +84,9 @@ ClearFirst4KPage (
)) != NULL)
{
if ((RscHob.ResourceDescriptor->ResourceType == EFI_RESOURCE_SYSTEM_MEMORY) &&
- (RscHob.ResourceDescriptor->PhysicalStart == 0))
+ (RscHob.ResourceDescriptor->PhysicalStart == (UINTN)NULL))
{
- DoClear = TRUE;
+ CanAllocate = TRUE;
//
// Make sure memory at 0-4095 has not been allocated.
//
@@ -106,10 +95,10 @@ ClearFirst4KPage (
MemHob.Raw
)) != NULL)
{
- if (MemHob.MemoryAllocation->AllocDescriptor.MemoryBaseAddress
- < EFI_PAGE_SIZE)
+ if ((MemHob.MemoryAllocation->AllocDescriptor.MemoryBaseAddress >= (UINTN)NULL) &&
+ (MemHob.MemoryAllocation->AllocDescriptor.MemoryBaseAddress < (UINTN)NULL + EFI_PAGE_SIZE))
{
- DoClear = FALSE;
+ CanAllocate = FALSE;
break;
}
@@ -122,27 +111,7 @@ ClearFirst4KPage (
RscHob.Raw = GET_NEXT_HOB (RscHob);
}
- if (DoClear) {
- DEBUG ((DEBUG_INFO, "Clearing first 4K-page!\r\n"));
- SetMem (NULL, EFI_PAGE_SIZE, 0);
- }
-
- return;
-}
-
-/**
- Return configure status of NULL pointer detection feature.
-
- @return TRUE NULL pointer detection feature is enabled
- @return FALSE NULL pointer detection feature is disabled
-
-**/
-BOOLEAN
-IsNullDetectionEnabled (
- VOID
- )
-{
- return ((PcdGet8 (PcdNullPointerDetectionPropertyMask) & BIT0) != 0);
+ return CanAllocate;
}
/**
@@ -188,17 +157,7 @@ IsEnableNonExecNeeded (
VOID
)
{
- if (!IsExecuteDisableBitAvailable ()) {
- return FALSE;
- }
-
- //
- // XD flag (BIT63) in page table entry is only valid if IA32_EFER.NXE is set.
- // Features controlled by Following PCDs need this feature to be enabled.
- //
- return (IsSetNxForStack () ||
- FixedPcdGet64 (PcdDxeNxMemoryProtectionPolicy) != 0 ||
- PcdGet32 (PcdImageProtectionPolicy) != 0);
+ return IsExecuteDisableBitAvailable ();
}
/**
@@ -237,17 +196,17 @@ ToSplitPageTable (
IN UINTN StackSize
)
{
- if (IsNullDetectionEnabled () && (Address == 0)) {
+ if (mDxeMps.NullPointerDetection.Enabled && (Address == (UINTN)NULL)) {
return TRUE;
}
- if (FixedPcdGetBool (PcdCpuStackGuard)) {
+ if (mDxeMps.CpuStackGuardEnabled) {
if ((StackBase >= Address) && (StackBase < (Address + Size))) {
return TRUE;
}
}
- if (IsSetNxForStack ()) {
+ if (mDxeMps.StackExecutionProtectionEnabled) {
if ((Address < StackBase + StackSize) && ((Address + Size) > StackBase)) {
return TRUE;
}
@@ -426,17 +385,17 @@ Split2MPageTo4K (
PageTableEntry->Uint64 = (UINT64)PhysicalAddress4K;
PageTableEntry->Bits.ReadWrite = 1;
- if ((IsNullDetectionEnabled () && (PhysicalAddress4K == 0)) ||
- (FixedPcdGetBool (PcdCpuStackGuard) && (PhysicalAddress4K == StackBase)))
+ if ((mDxeMps.NullPointerDetection.Enabled && (PhysicalAddress4K == (UINTN)NULL)) ||
+ (mDxeMps.CpuStackGuardEnabled && (PhysicalAddress4K == StackBase)))
{
PageTableEntry->Bits.Present = 0;
} else {
PageTableEntry->Bits.Present = 1;
}
- if ( IsSetNxForStack ()
- && (PhysicalAddress4K >= StackBase)
- && (PhysicalAddress4K < StackBase + StackSize))
+ if (mDxeMps.StackExecutionProtectionEnabled &&
+ (PhysicalAddress4K >= StackBase) &&
+ (PhysicalAddress4K < StackBase + StackSize))
{
//
// Set Nx bit for stack.
diff --git a/OvmfPkg/Library/PlatformInitLib/Platform.c b/OvmfPkg/Library/PlatformInitLib/Platform.c
index f48bf16ae3..bc9becc401 100644
--- a/OvmfPkg/Library/PlatformInitLib/Platform.c
+++ b/OvmfPkg/Library/PlatformInitLib/Platform.c
@@ -249,21 +249,6 @@ PlatformMemMapInitialization (
PlatformInfoHob->PcdPciIoSize = PciIoSize;
}
-/**
- * Fetch "opt/ovmf/PcdSetNxForStack" from QEMU
- *
- * @param Setting The pointer to the setting of "/opt/ovmf/PcdSetNxForStack".
- * @return EFI_SUCCESS Successfully fetch the settings.
- */
-EFI_STATUS
-EFIAPI
-PlatformNoexecDxeInitialization (
- IN OUT EFI_HOB_PLATFORM_INFO *PlatformInfoHob
- )
-{
- return QemuFwCfgParseBool ("opt/ovmf/PcdSetNxForStack", &PlatformInfoHob->PcdSetNxForStack);
-}
-
VOID
PciExBarInitialization (
VOID
diff --git a/OvmfPkg/PlatformPei/IntelTdx.c b/OvmfPkg/PlatformPei/IntelTdx.c
index 3d625cabd8..1cb6729e56 100644
--- a/OvmfPkg/PlatformPei/IntelTdx.c
+++ b/OvmfPkg/PlatformPei/IntelTdx.c
@@ -48,7 +48,5 @@ IntelTdxInitialize (
PcdStatus = PcdSet64S (PcdTdxSharedBitMask, TdSharedPageMask ());
ASSERT_RETURN_ERROR (PcdStatus);
- PcdStatus = PcdSetBoolS (PcdSetNxForStack, TRUE);
- ASSERT_RETURN_ERROR (PcdStatus);
#endif
}
diff --git a/OvmfPkg/PlatformPei/Platform.c b/OvmfPkg/PlatformPei/Platform.c
index 075de3fce6..2ed76f81a4 100644
--- a/OvmfPkg/PlatformPei/Platform.c
+++ b/OvmfPkg/PlatformPei/Platform.c
@@ -75,21 +75,6 @@ MemMapInitialization (
ASSERT_RETURN_ERROR (PcdStatus);
}
-STATIC
-VOID
-NoexecDxeInitialization (
- IN OUT EFI_HOB_PLATFORM_INFO *PlatformInfoHob
- )
-{
- RETURN_STATUS Status;
-
- Status = PlatformNoexecDxeInitialization (PlatformInfoHob);
- if (!RETURN_ERROR (Status)) {
- Status = PcdSetBoolS (PcdSetNxForStack, PlatformInfoHob->PcdSetNxForStack);
- ASSERT_RETURN_ERROR (Status);
- }
-}
-
static const UINT8 EmptyFdt[] = {
0xd0, 0x0d, 0xfe, 0xed, 0x00, 0x00, 0x00, 0x48,
0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x48,
@@ -377,7 +362,6 @@ InitializePlatform (
PeiFvInitialization (PlatformInfoHob);
MemTypeInfoInitialization (PlatformInfoHob);
MemMapInitialization (PlatformInfoHob);
- NoexecDxeInitialization (PlatformInfoHob);
}
InstallClearCacheCallback ();
diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf
index 9e30d616eb..d06ac422ac 100644
--- a/OvmfPkg/PlatformPei/PlatformPei.inf
+++ b/OvmfPkg/PlatformPei/PlatformPei.inf
@@ -104,7 +104,6 @@
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved
gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplSwitchToLongMode
gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable
- gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack
gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable
gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask
gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase
diff --git a/OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf b/OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
index 43a6e07faa..cb451b6211 100644
--- a/OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+++ b/OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
@@ -55,6 +55,7 @@
UefiBootServicesTableLib
UefiDriverEntryPoint
UefiLib
+ DxeMemoryProtectionHobLib
[Protocols]
gEfiGraphicsOutputProtocolGuid # PROTOCOL BY_START
@@ -64,6 +65,5 @@
[Pcd]
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfHostBridgePciDevId
gUefiOvmfPkgTokenSpaceGuid.PcdVideoResolutionSource
- gEfiMdeModulePkgTokenSpaceGuid.PcdNullPointerDetectionPropertyMask
gEfiMdeModulePkgTokenSpaceGuid.PcdVideoHorizontalResolution
gEfiMdeModulePkgTokenSpaceGuid.PcdVideoVerticalResolution
diff --git a/OvmfPkg/QemuVideoDxe/VbeShim.c b/OvmfPkg/QemuVideoDxe/VbeShim.c
index 8f151b96f9..aa042b2e97 100644
--- a/OvmfPkg/QemuVideoDxe/VbeShim.c
+++ b/OvmfPkg/QemuVideoDxe/VbeShim.c
@@ -19,6 +19,7 @@
#include <Library/DebugLib.h>
#include <Library/PciLib.h>
#include <Library/PrintLib.h>
+#include <Library/DxeMemoryProtectionHobLib.h>
#include <OvmfPlatforms.h>
#include "Qemu.h"
@@ -69,7 +70,9 @@ InstallVbeShim (
UINTN Printed;
VBE_MODE_INFO *VbeModeInfo;
- if ((PcdGet8 (PcdNullPointerDetectionPropertyMask) & (BIT0|BIT7)) == BIT0) {
+ if (gDxeMps.NullPointerDetection.Enabled &&
+ !gDxeMps.NullPointerDetection.DisableEndOfDxe)
+ {
DEBUG ((
DEBUG_WARN,
"%a: page 0 protected, not installing VBE shim\n",
diff --git a/OvmfPkg/RiscVVirt/RiscVVirt.dsc.inc b/OvmfPkg/RiscVVirt/RiscVVirt.dsc.inc
index 731f54f73f..edb4782e2f 100644
--- a/OvmfPkg/RiscVVirt/RiscVVirt.dsc.inc
+++ b/OvmfPkg/RiscVVirt/RiscVVirt.dsc.inc
@@ -270,19 +270,6 @@
gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiLoaderCode|20
gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiLoaderData|0
- #
- # Enable strict image permissions for all images. (This applies
- # only to images that were built with >= 4 KB section alignment.)
- #
- gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3
-
- #
- # Enable NX memory protection for all non-code regions, including OEM and OS
- # reserved ones, with the exception of LoaderData regions, of which OS loaders
- # (i.e., GRUB) may assume that its contents are executable.
- #
- gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD5
-
[Components.common]
#
# Ramdisk support
diff --git a/OvmfPkg/TdxDxe/TdxDxe.c b/OvmfPkg/TdxDxe/TdxDxe.c
index 30732f421b..5e497ba662 100644
--- a/OvmfPkg/TdxDxe/TdxDxe.c
+++ b/OvmfPkg/TdxDxe/TdxDxe.c
@@ -131,15 +131,12 @@ SetPcdSettings (
PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, PlatformInfoHob->PcdConfidentialComputingGuestAttr);
ASSERT_RETURN_ERROR (PcdStatus);
- PcdStatus = PcdSetBoolS (PcdSetNxForStack, PlatformInfoHob->PcdSetNxForStack);
- ASSERT_RETURN_ERROR (PcdStatus);
DEBUG ((
DEBUG_INFO,
- "HostBridgeDevId=0x%x, CCAttr=0x%x, SetNxForStack=%x\n",
+ "HostBridgeDevId=0x%x, CCAttr=0x%x\n",
PlatformInfoHob->HostBridgeDevId,
- PlatformInfoHob->PcdConfidentialComputingGuestAttr,
- PlatformInfoHob->PcdSetNxForStack
+ PlatformInfoHob->PcdConfidentialComputingGuestAttr
));
PcdStatus = PcdSet32S (PcdCpuBootLogicalProcessorNumber, PlatformInfoHob->PcdCpuBootLogicalProcessorNumber);
diff --git a/OvmfPkg/TdxDxe/TdxDxe.inf b/OvmfPkg/TdxDxe/TdxDxe.inf
index 9793562884..42317228c1 100644
--- a/OvmfPkg/TdxDxe/TdxDxe.inf
+++ b/OvmfPkg/TdxDxe/TdxDxe.inf
@@ -68,6 +68,5 @@
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFdBaseAddress
gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr
gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask
- gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved
gUefiOvmfPkgTokenSpaceGuid.PcdTdxAcceptPageSize
--
2.41.0.windows.2
next prev parent reply other threads:[~2023-07-11 23:53 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-11 23:52 [PATCH 00/14] Implement Dynamic Memory Protections Taylor Beebe
2023-07-11 23:52 ` [PATCH 01/14] MdeModulePkg: Add DXE and MM Memory Protection Settings Definitions Taylor Beebe
2023-07-11 23:52 ` [PATCH 02/14] MdeModulePkg: Add MemoryProtectionHobLib Definitions and NULL Libs Taylor Beebe
2023-07-11 23:52 ` [PATCH 03/14] MdeModulePkg: Add Phase-Specific MemoryProtectionHobLib Implementations Taylor Beebe
2023-07-11 23:52 ` [PATCH 04/14] OvmfPkg: Create the memory protection settings HOB Taylor Beebe
2023-07-11 23:52 ` [PATCH 05/14] ArmVirtPkg: Create " Taylor Beebe
2023-07-11 23:52 ` [PATCH 06/14] ArmPkg: Update to use memory protection HOB Taylor Beebe
2023-07-11 23:52 ` [PATCH 07/14] EmulatorPkg: " Taylor Beebe
2023-07-11 23:52 ` [PATCH 08/14] MdeModulePkg: " Taylor Beebe
2023-07-11 23:52 ` Taylor Beebe [this message]
2023-07-11 23:52 ` [PATCH 10/14] UefiCpuPkg: " Taylor Beebe
2023-07-11 23:52 ` [PATCH 11/14] UefiPayloadPkg: " Taylor Beebe
2023-07-11 23:52 ` [PATCH 12/14] OvmfPkg: Delete Memory Protection PCDs Taylor Beebe
2023-07-11 23:52 ` [PATCH 14/14] MdeModulePkg: " Taylor Beebe
2023-07-11 23:52 ` Taylor Beebe
[not found] ` <1770F551E2E594C0.16575@groups.io>
2023-07-12 0:01 ` [edk2-devel] " Taylor Beebe
2023-07-12 10:05 ` [PATCH 00/14] Implement Dynamic Memory Protections Gerd Hoffmann
2023-07-12 21:54 ` Taylor Beebe
2023-07-17 11:14 ` [edk2-devel] " Gerd Hoffmann
2023-07-17 16:15 ` Pedro Falcato
2023-07-17 16:25 ` Ard Biesheuvel
2023-07-17 16:49 ` Pedro Falcato
2023-07-18 2:45 ` Taylor Beebe
2023-07-18 6:11 ` Ni, Ray
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2a75076df8e49640706faa25292f015e90aa6a89.1689101263.git.t@taylorbeebe.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox