From: "Taylor Beebe"
To: devel@edk2.groups.io
Cc: Ard Biesheuvel, Jiewen Yao, Jordan Justen, Gerd Hoffmann
Subject: [PATCH 09/14] OvmfPkg: Update to use memory protection HOB
Date: Tue, 11 Jul 2023 16:52:46 -0700
Message-ID: <2a75076df8e49640706faa25292f015e90aa6a89.1689101263.git.t@taylorbeebe.com>

Replace references to the memory protection PCDs with references to the memory protection HOB. The stack NX setting will no longer be fetched from the QEMU configuration file and will instead be determined via the HOB published in PlatformPei/Platform.c. PeilessStartup will check the HOB when creating the page tables at DXE handoff.
Signed-off-by: Taylor Beebe Cc: Ard Biesheuvel Cc: Jiewen Yao Cc: Jordan Justen Cc: Gerd Hoffmann --- OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf | 1 - OvmfPkg/Fdt/HighMemDxe/HighMemDxe.c | 5 +- OvmfPkg/Fdt/HighMemDxe/HighMemDxe.inf | 4 +- OvmfPkg/Include/Library/PlatformInitLib.h | 13 --- OvmfPkg/Library/PeilessStartupLib/DxeLoad.c | 25 ++-- .../PeilessStartupLib/PeilessStartup.c | 3 - .../PeilessStartupLib/PeilessStartupLib.inf | 5 +- .../PeilessStartupLib/X64/PageTables.h | 23 +--- .../PeilessStartupLib/X64/VirtualMemory.c | 107 ++++++------------ OvmfPkg/Library/PlatformInitLib/Platform.c | 15 --- OvmfPkg/PlatformPei/IntelTdx.c | 2 - OvmfPkg/PlatformPei/Platform.c | 16 --- OvmfPkg/PlatformPei/PlatformPei.inf | 1 - OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf | 2 +- OvmfPkg/QemuVideoDxe/VbeShim.c | 5 +- OvmfPkg/RiscVVirt/RiscVVirt.dsc.inc | 13 --- OvmfPkg/TdxDxe/TdxDxe.c | 7 +- OvmfPkg/TdxDxe/TdxDxe.inf | 1 - 18 files changed, 68 insertions(+), 180 deletions(-) diff --git a/OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf b/OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf index 739d63098b..27b4a595fe 100644 --- a/OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf +++ b/OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf @@ -88,7 +88,6 @@ gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplSwitchToLongMode gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable - gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy diff --git a/OvmfPkg/Fdt/HighMemDxe/HighMemDxe.c b/OvmfPkg/Fdt/HighMemDxe/HighMemDxe.c index 779bf5c827..93bce776a9 100644 --- a/OvmfPkg/Fdt/HighMemDxe/HighMemDxe.c +++ b/OvmfPkg/Fdt/HighMemDxe/HighMemDxe.c @@ -13,6 +13,7 @@ #include #include #include +#include #include #include 
@@ -148,9 +149,7 @@ InitializeHighMemDxe ( // on the page table mappings by going through the cpu arch protocol. // Attributes = EFI_MEMORY_WB; - if ((PcdGet64 (PcdDxeNxMemoryProtectionPolicy) & - (1U << (UINT32)EfiConventionalMemory)) != 0) - { + if (gDxeMps.ExecutionProtection.EnabledForType[EfiConventionalMemory]) { Attributes |= EFI_MEMORY_XP; } diff --git a/OvmfPkg/Fdt/HighMemDxe/HighMemDxe.inf b/OvmfPkg/Fdt/HighMemDxe/HighMemDxe.inf index c7dde9f455..2d3add492b 100644 --- a/OvmfPkg/Fdt/HighMemDxe/HighMemDxe.inf +++ b/OvmfPkg/Fdt/HighMemDxe/HighMemDxe.inf @@ -33,13 +33,11 @@ PcdLib UefiBootServicesTableLib UefiDriverEntryPoint + DxeMemoryProtectionHobLib [Protocols] gEfiCpuArchProtocolGuid ## CONSUMES gFdtClientProtocolGuid ## CONSUMES -[Pcd] - gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy - [Depex] gEfiCpuArchProtocolGuid AND gFdtClientProtocolGuid diff --git a/OvmfPkg/Include/Library/PlatformInitLib.h b/OvmfPkg/Include/Library/PlatformInitLib.h index 57b18b94d9..b2468f2063 100644 --- a/OvmfPkg/Include/Library/PlatformInitLib.h +++ b/OvmfPkg/Include/Library/PlatformInitLib.h @@ -32,7 +32,6 @@ typedef struct { UINT32 Uc32Base; UINT32 Uc32Size; - BOOLEAN PcdSetNxForStack; UINT64 PcdTdxSharedBitMask; UINT64 PcdPciMmio64Base; @@ -182,18 +181,6 @@ PlatformMemMapInitialization ( IN OUT EFI_HOB_PLATFORM_INFO *PlatformInfoHob ); -/** - * Fetch "opt/ovmf/PcdSetNxForStack" from QEMU - * - * @param Setting The pointer to the setting of "/opt/ovmf/PcdSetNxForStack". - * @return EFI_SUCCESS Successfully fetch the settings. - */ -EFI_STATUS -EFIAPI -PlatformNoexecDxeInitialization ( - IN OUT EFI_HOB_PLATFORM_INFO *PlatformInfoHob - ); - VOID EFIAPI PlatformMiscInitialization ( diff --git a/OvmfPkg/Library/PeilessStartupLib/DxeLoad.c b/OvmfPkg/Library/PeilessStartupLib/DxeLoad.c index d34690eb8a..169b4931a6 100644 --- a/OvmfPkg/Library/PeilessStartupLib/DxeLoad.c +++ b/OvmfPkg/Library/PeilessStartupLib/DxeLoad.c 
@@ -11,18 +11,21 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include #include #include +#include #include #include #include #include #include +#include #include #include #include "X64/PageTables.h" #include #define STACK_SIZE 0x20000 -extern EFI_GUID gEfiNonCcFvGuid; +extern EFI_GUID gEfiNonCcFvGuid; +DXE_MEMORY_PROTECTION_SETTINGS mDxeMps; /** Transfers control to DxeCore. @@ -41,13 +44,21 @@ HandOffToDxeCore ( VOID *BaseOfStack; VOID *TopOfStack; UINTN PageTables; + VOID *Ptr; - // - // Clear page 0 and mark it as allocated if NULL pointer detection is enabled. - // - if (IsNullDetectionEnabled ()) { - ClearFirst4KPage (GetHobList ()); - BuildMemoryAllocationHob (0, EFI_PAGES_TO_SIZE (1), EfiBootServicesData); + Ptr = GetFirstGuidHob (&gDxeMemoryProtectionSettingsGuid); + + if ((Ptr != NULL) && DXE_MPS_IS_STRUCT_VALID (GET_GUID_HOB_DATA (Ptr))) { + CopyMem (&mDxeMps, GET_GUID_HOB_DATA (Ptr), sizeof (DXE_MEMORY_PROTECTION_SETTINGS)); + } else { + ZeroMem (&mDxeMps, sizeof (DXE_MEMORY_PROTECTION_SETTINGS)); + } + + if (mDxeMps.NullPointerDetection.Enabled) { + ASSERT (CanAllocateNullPage (GetHobList ())); + // Clear NULL page and mark it as allocated for NULL detection + SetMem (NULL, EFI_PAGE_SIZE, (UINTN)NULL); + BuildMemoryAllocationHob ((UINTN)NULL, EFI_PAGES_TO_SIZE (1), EfiBootServicesData); } // diff --git a/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c b/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c index 164aa2d619..581413cd47 100644 --- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c +++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c @@ -104,12 +104,9 @@ InitializePlatform ( PlatformMemMapInitialization (PlatformInfoHob); - PlatformNoexecDxeInitialization (PlatformInfoHob); - if (TdIsEnabled ()) { PlatformInfoHob->PcdConfidentialComputingGuestAttr = CCAttrIntelTdx; PlatformInfoHob->PcdTdxSharedBitMask = TdSharedPageMask (); - PlatformInfoHob->PcdSetNxForStack = TRUE; } PlatformMiscInitialization (PlatformInfoHob); 
diff --git a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf index 7719b5031d..1e0879bb50 100644 --- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf +++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf @@ -65,6 +65,7 @@ gPcdDataBaseHobGuid gCcEventEntryHobGuid gEfiNonCcFvGuid + gDxeMemoryProtectionSettingsGuid [Pcd] gUefiOvmfPkgTokenSpaceGuid.PcdBfvBase @@ -75,11 +76,7 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbSize gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplBuildPageTables ## CONSUMES - gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard ## CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable ## SOMETIMES_CONSUMES - gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy ## SOMETIMES_CONSUMES - gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy ## SOMETIMES_CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask ## CONSUMES - gEfiMdeModulePkgTokenSpaceGuid.PcdNullPointerDetectionPropertyMask ## CONSUMES gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvSize diff --git a/OvmfPkg/Library/PeilessStartupLib/X64/PageTables.h b/OvmfPkg/Library/PeilessStartupLib/X64/PageTables.h index a0d0d3547b..ab2ff8b38b 100644 --- a/OvmfPkg/Library/PeilessStartupLib/X64/PageTables.h +++ b/OvmfPkg/Library/PeilessStartupLib/X64/PageTables.h 
@@ -179,28 +179,17 @@ CreateIdentityMappingPageTables ( ); /** - Clear legacy memory located at the first 4K-page. + Returns TRUE if the NULL page has not been allocated. - This function traverses the whole HOB list to check if memory from 0 to 4095 - exists and has not been allocated, and then clear it if so. + @param HobStart The start of HobList passed to DxeCore. - @param HobStart The start of HobList passed to DxeCore. + @retval TRUE NULL page is unallocated + @retval FALSE NULL page cannot be allocated **/ -VOID -ClearFirst4KPage ( - IN VOID *HobStart - ); - -/** - Return configure status of NULL pointer detection feature. - - @return TRUE NULL pointer detection feature is enabled - @return FALSE NULL pointer detection feature is disabled -**/ BOOLEAN -IsNullDetectionEnabled ( - VOID +CanAllocateNullPage ( + IN VOID *HobStart ); #endif diff --git a/OvmfPkg/Library/PeilessStartupLib/X64/VirtualMemory.c b/OvmfPkg/Library/PeilessStartupLib/X64/VirtualMemory.c index e2c1bac5e0..25187e730c 100644 --- a/OvmfPkg/Library/PeilessStartupLib/X64/VirtualMemory.c +++ b/OvmfPkg/Library/PeilessStartupLib/X64/VirtualMemory.c @@ -17,6 +17,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include #include #include +#include #include #include #include "PageTables.h" 
@@ -45,49 +46,37 @@ UINT64 mLevelSize[5] = { SIZE_512GB }; -BOOLEAN -IsSetNxForStack ( - VOID - ) -{ - EFI_HOB_GUID_TYPE *GuidHob; - EFI_HOB_PLATFORM_INFO *PlatformInfo; - - GuidHob = GetFirstGuidHob (&gUefiOvmfPkgPlatformInfoGuid); - if (GuidHob == NULL) { - ASSERT (FALSE); - return FALSE; - } - - PlatformInfo = (EFI_HOB_PLATFORM_INFO *)GET_GUID_HOB_DATA (GuidHob); - - return PlatformInfo->PcdSetNxForStack; -} +extern DXE_MEMORY_PROTECTION_SETTINGS mDxeMps; /** - Clear legacy memory located at the first 4K-page, if available. - - This function traverses the whole HOB list to check if memory from 0 to 4095 - exists and has not been allocated, and then clear it if so. + Returns TRUE if the NULL page has not been allocated. @param HobStart The start of HobList passed to DxeCore. + @retval TRUE NULL page is unallocated + @retval FALSE NULL page cannot be allocated + **/ -VOID -ClearFirst4KPage ( +BOOLEAN +CanAllocateNullPage ( IN VOID *HobStart ) { EFI_PEI_HOB_POINTERS RscHob; EFI_PEI_HOB_POINTERS MemHob; - BOOLEAN DoClear; + BOOLEAN CanAllocate; + + if (HobStart == NULL) { + ASSERT (HobStart != NULL); + return FALSE; + } - RscHob.Raw = HobStart; - MemHob.Raw = HobStart; - DoClear = FALSE; + RscHob.Raw = HobStart; + MemHob.Raw = HobStart; + CanAllocate = FALSE; // - // Check if page 0 exists and free + // Check if page 0 exists and is free // while ((RscHob.Raw = GetNextHob ( EFI_HOB_TYPE_RESOURCE_DESCRIPTOR, @@ -95,9 +84,9 @@ ClearFirst4KPage ( )) != NULL) { if ((RscHob.ResourceDescriptor->ResourceType == EFI_RESOURCE_SYSTEM_MEMORY) && - (RscHob.ResourceDescriptor->PhysicalStart == 0)) + (RscHob.ResourceDescriptor->PhysicalStart == (UINTN)NULL)) { - DoClear = TRUE; + CanAllocate = TRUE; // // Make sure memory at 0-4095 has not been allocated. // 
@@ -106,10 +95,10 @@ ClearFirst4KPage ( MemHob.Raw )) != NULL) { - if (MemHob.MemoryAllocation->AllocDescriptor.MemoryBaseAddress - < EFI_PAGE_SIZE) + if ((MemHob.MemoryAllocation->AllocDescriptor.MemoryBaseAddress >= (UINTN)NULL) && + (MemHob.MemoryAllocation->AllocDescriptor.MemoryBaseAddress < (UINTN)NULL + EFI_PAGE_SIZE)) { - DoClear = FALSE; + CanAllocate = FALSE; break; } @@ -122,27 +111,7 @@ ClearFirst4KPage ( RscHob.Raw = GET_NEXT_HOB (RscHob); } - if (DoClear) { - DEBUG ((DEBUG_INFO, "Clearing first 4K-page!\r\n")); - SetMem (NULL, EFI_PAGE_SIZE, 0); - } - - return; -} - -/** - Return configure status of NULL pointer detection feature. - - @return TRUE NULL pointer detection feature is enabled - @return FALSE NULL pointer detection feature is disabled - -**/ -BOOLEAN -IsNullDetectionEnabled ( - VOID - ) -{ - return ((PcdGet8 (PcdNullPointerDetectionPropertyMask) & BIT0) != 0); + return CanAllocate; } /** @@ -188,17 +157,7 @@ IsEnableNonExecNeeded ( VOID ) { - if (!IsExecuteDisableBitAvailable ()) { - return FALSE; - } - - // - // XD flag (BIT63) in page table entry is only valid if IA32_EFER.NXE is set. - // Features controlled by Following PCDs need this feature to be enabled. - // - return (IsSetNxForStack () || - FixedPcdGet64 (PcdDxeNxMemoryProtectionPolicy) != 0 || - PcdGet32 (PcdImageProtectionPolicy) != 0); + return IsExecuteDisableBitAvailable (); } /** @@ -237,17 +196,17 @@ ToSplitPageTable ( IN UINTN StackSize ) { - if (IsNullDetectionEnabled () && (Address == 0)) { + if (mDxeMps.NullPointerDetection.Enabled && (Address == (UINTN)NULL)) { return TRUE; } - if (FixedPcdGetBool (PcdCpuStackGuard)) { + if (mDxeMps.CpuStackGuardEnabled) { if ((StackBase >= Address) && (StackBase < (Address + Size))) { return TRUE; } } - if (IsSetNxForStack ()) { + if (mDxeMps.StackExecutionProtectionEnabled) { if ((Address < StackBase + StackSize) && ((Address + Size) > StackBase)) { return TRUE; } 
@@ -426,17 +385,17 @@ Split2MPageTo4K ( PageTableEntry->Uint64 = (UINT64)PhysicalAddress4K; PageTableEntry->Bits.ReadWrite = 1; - if ((IsNullDetectionEnabled () && (PhysicalAddress4K == 0)) || - (FixedPcdGetBool (PcdCpuStackGuard) && (PhysicalAddress4K == StackBase))) + if ((mDxeMps.NullPointerDetection.Enabled && (PhysicalAddress4K == (UINTN)NULL)) || + (mDxeMps.CpuStackGuardEnabled && (PhysicalAddress4K == StackBase))) { PageTableEntry->Bits.Present = 0; } else { PageTableEntry->Bits.Present = 1; } - if ( IsSetNxForStack () - && (PhysicalAddress4K >= StackBase) - && (PhysicalAddress4K < StackBase + StackSize)) + if (mDxeMps.StackExecutionProtectionEnabled && + (PhysicalAddress4K >= StackBase) && + (PhysicalAddress4K < StackBase + StackSize)) { // // Set Nx bit for stack. diff --git a/OvmfPkg/Library/PlatformInitLib/Platform.c b/OvmfPkg/Library/PlatformInitLib/Platform.c index f48bf16ae3..bc9becc401 100644 --- a/OvmfPkg/Library/PlatformInitLib/Platform.c +++ b/OvmfPkg/Library/PlatformInitLib/Platform.c @@ -249,21 +249,6 @@ PlatformMemMapInitialization ( PlatformInfoHob->PcdPciIoSize = PciIoSize; } -/** - * Fetch "opt/ovmf/PcdSetNxForStack" from QEMU - * - * @param Setting The pointer to the setting of "/opt/ovmf/PcdSetNxForStack". - * @return EFI_SUCCESS Successfully fetch the settings. - */ -EFI_STATUS -EFIAPI -PlatformNoexecDxeInitialization ( - IN OUT EFI_HOB_PLATFORM_INFO *PlatformInfoHob - ) -{ - return QemuFwCfgParseBool ("opt/ovmf/PcdSetNxForStack", &PlatformInfoHob->PcdSetNxForStack); -} - VOID PciExBarInitialization ( VOID diff --git a/OvmfPkg/PlatformPei/IntelTdx.c b/OvmfPkg/PlatformPei/IntelTdx.c index 3d625cabd8..1cb6729e56 100644 --- a/OvmfPkg/PlatformPei/IntelTdx.c +++ b/OvmfPkg/PlatformPei/IntelTdx.c @@ -48,7 +48,5 @@ IntelTdxInitialize ( PcdStatus = PcdSet64S (PcdTdxSharedBitMask, TdSharedPageMask ()); ASSERT_RETURN_ERROR (PcdStatus); - PcdStatus = PcdSetBoolS (PcdSetNxForStack, TRUE); - ASSERT_RETURN_ERROR (PcdStatus); #endif } 
diff --git a/OvmfPkg/PlatformPei/Platform.c b/OvmfPkg/PlatformPei/Platform.c index 075de3fce6..2ed76f81a4 100644 --- a/OvmfPkg/PlatformPei/Platform.c +++ b/OvmfPkg/PlatformPei/Platform.c @@ -75,21 +75,6 @@ MemMapInitialization ( ASSERT_RETURN_ERROR (PcdStatus); } -STATIC -VOID -NoexecDxeInitialization ( - IN OUT EFI_HOB_PLATFORM_INFO *PlatformInfoHob - ) -{ - RETURN_STATUS Status; - - Status = PlatformNoexecDxeInitialization (PlatformInfoHob); - if (!RETURN_ERROR (Status)) { - Status = PcdSetBoolS (PcdSetNxForStack, PlatformInfoHob->PcdSetNxForStack); - ASSERT_RETURN_ERROR (Status); - } -} - static const UINT8 EmptyFdt[] = { 0xd0, 0x0d, 0xfe, 0xed, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x48, @@ -377,7 +362,6 @@ InitializePlatform ( PeiFvInitialization (PlatformInfoHob); MemTypeInfoInitialization (PlatformInfoHob); MemMapInitialization (PlatformInfoHob); - NoexecDxeInitialization (PlatformInfoHob); } InstallClearCacheCallback (); diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf index 9e30d616eb..d06ac422ac 100644 --- a/OvmfPkg/PlatformPei/PlatformPei.inf +++ b/OvmfPkg/PlatformPei/PlatformPei.inf @@ -104,7 +104,6 @@ gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplSwitchToLongMode gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable - gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase diff --git a/OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf b/OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf index 43a6e07faa..cb451b6211 100644 --- a/OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf +++ b/OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf @@ -55,6 +55,7 @@ UefiBootServicesTableLib UefiDriverEntryPoint UefiLib + DxeMemoryProtectionHobLib [Protocols] gEfiGraphicsOutputProtocolGuid # PROTOCOL BY_START 
@@ -64,6 +65,5 @@ [Pcd] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfHostBridgePciDevId gUefiOvmfPkgTokenSpaceGuid.PcdVideoResolutionSource - gEfiMdeModulePkgTokenSpaceGuid.PcdNullPointerDetectionPropertyMask gEfiMdeModulePkgTokenSpaceGuid.PcdVideoHorizontalResolution gEfiMdeModulePkgTokenSpaceGuid.PcdVideoVerticalResolution diff --git a/OvmfPkg/QemuVideoDxe/VbeShim.c b/OvmfPkg/QemuVideoDxe/VbeShim.c index 8f151b96f9..aa042b2e97 100644 --- a/OvmfPkg/QemuVideoDxe/VbeShim.c +++ b/OvmfPkg/QemuVideoDxe/VbeShim.c @@ -19,6 +19,7 @@ #include #include #include +#include #include #include "Qemu.h" @@ -69,7 +70,9 @@ InstallVbeShim ( UINTN Printed; VBE_MODE_INFO *VbeModeInfo; - if ((PcdGet8 (PcdNullPointerDetectionPropertyMask) & (BIT0|BIT7)) == BIT0) { + if (gDxeMps.NullPointerDetection.Enabled && + !gDxeMps.NullPointerDetection.DisableEndOfDxe) + { DEBUG (( DEBUG_WARN, "%a: page 0 protected, not installing VBE shim\n", diff --git a/OvmfPkg/RiscVVirt/RiscVVirt.dsc.inc b/OvmfPkg/RiscVVirt/RiscVVirt.dsc.inc index 731f54f73f..edb4782e2f 100644 --- a/OvmfPkg/RiscVVirt/RiscVVirt.dsc.inc +++ b/OvmfPkg/RiscVVirt/RiscVVirt.dsc.inc @@ -270,19 +270,6 @@ gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiLoaderCode|20 gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiLoaderData|0 - # - # Enable strict image permissions for all images. (This applies - # only to images that were built with >= 4 KB section alignment.) - # - gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3 - - # - # Enable NX memory protection for all non-code regions, including OEM and OS - # reserved ones, with the exception of LoaderData regions, of which OS loaders - # (i.e., GRUB) may assume that its contents are executable. - # - gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD5 - [Components.common] # # Ramdisk support diff --git a/OvmfPkg/TdxDxe/TdxDxe.c b/OvmfPkg/TdxDxe/TdxDxe.c index 30732f421b..5e497ba662 100644 --- a/OvmfPkg/TdxDxe/TdxDxe.c +++ b/OvmfPkg/TdxDxe/TdxDxe.c 
@@ -131,15 +131,12 @@ SetPcdSettings ( PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, PlatformInfoHob->PcdConfidentialComputingGuestAttr); ASSERT_RETURN_ERROR (PcdStatus); - PcdStatus = PcdSetBoolS (PcdSetNxForStack, PlatformInfoHob->PcdSetNxForStack); - ASSERT_RETURN_ERROR (PcdStatus); DEBUG (( DEBUG_INFO, - "HostBridgeDevId=0x%x, CCAttr=0x%x, SetNxForStack=%x\n", + "HostBridgeDevId=0x%x, CCAttr=0x%x\n", PlatformInfoHob->HostBridgeDevId, - PlatformInfoHob->PcdConfidentialComputingGuestAttr, - PlatformInfoHob->PcdSetNxForStack + PlatformInfoHob->PcdConfidentialComputingGuestAttr )); PcdStatus = PcdSet32S (PcdCpuBootLogicalProcessorNumber, PlatformInfoHob->PcdCpuBootLogicalProcessorNumber); diff --git a/OvmfPkg/TdxDxe/TdxDxe.inf b/OvmfPkg/TdxDxe/TdxDxe.inf index 9793562884..42317228c1 100644 --- a/OvmfPkg/TdxDxe/TdxDxe.inf +++ b/OvmfPkg/TdxDxe/TdxDxe.inf @@ -68,6 +68,5 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFdBaseAddress gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask - gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved gUefiOvmfPkgTokenSpaceGuid.PcdTdxAcceptPageSize -- 2.41.0.windows.2
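Review bot: In the first hunk of OvmfPkg/Library/PeilessStartupLib/DxeLoad.c (@@ -11,18), `mDxeMps` becomes a global that X64/VirtualMemory.c reaches through its own hand-written `extern DXE_MEMORY_PROTECTION_SETTINGS mDxeMps;`; declaring that extern once in X64/PageTables.h, which both files already include, keeps the declaration and the definition from drifting apart. The `extern EFI_GUID gEfiNonCcFvGuid;` line in the same hunk changes only whitespace and could be left out of the diff.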
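Review bot: In the HandOffToDxeCore hunk of DxeLoad.c (@@ -41,13), the NULL-page handling fails open when ASSERTs are compiled out (typical RELEASE builds): `ASSERT (CanAllocateNullPage (GetHobList ()))` disappears, after which `SetMem (NULL, EFI_PAGE_SIZE, (UINTN)NULL)` and `BuildMemoryAllocationHob` run even when page 0 is already allocated, which the removed `ClearFirst4KPage` path avoided by clearing only when `DoClear` was set. Suggest `if (CanAllocateNullPage (GetHobList ())) { ... } else { ASSERT (FALSE); }` so the clear is still conditional. Two smaller points in the same hunk: when the HOB is missing or fails `DXE_MPS_IS_STRUCT_VALID`, `mDxeMps` is zeroed and every protection (NULL detection, stack guard, stack NX) turns off with no trace, so a `DEBUG ((DEBUG_WARN, ...))` in that `else` branch would make a misconfigured platform visible; and unless `DXE_MPS_IS_STRUCT_VALID` already covers it, comparing `GET_GUID_HOB_DATA_SIZE (Ptr)` against `sizeof (DXE_MEMORY_PROTECTION_SETTINGS)` before the `CopyMem` avoids reading past a short HOB. The third argument of `SetMem` is a byte value, so plain `0` reads better than `(UINTN)NULL`.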
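Review bot: In the PeilessStartup.c hunk, dropping `PlatformInfoHob->PcdSetNxForStack = TRUE` removes the explicit guarantee that TDX guests get a non-executable stack, and the new DxeLoad.c fallback zeroes `mDxeMps` whenever the `gDxeMemoryProtectionSettingsGuid` HOB is absent; nothing in this patch shows who publishes that HOB on the PEI-less path, and the commit message names only PlatformPei/Platform.c as the producer. Please point at the producer used by PeilessStartupLib (in this patch or the earlier one in the series) in the commit message, otherwise stack NX, stack guard and NULL detection are silently off for TDX.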
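Review bot: In the CanAllocateNullPage hunk of X64/VirtualMemory.c at @@ -106,10, the added lower bound `MemoryBaseAddress >= (UINTN)NULL` is always true for an unsigned address and some compilers flag it (e.g. -Wtype-limits), so the two-line condition reduces to the original `MemoryBaseAddress < EFI_PAGE_SIZE`; suggest keeping the one-line form, which also matches the "0-4095" comment above it.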
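Review bot: In the IsEnableNonExecNeeded hunk of X64/VirtualMemory.c (@@ -188,17), the function now returns `IsExecuteDisableBitAvailable ()` unconditionally, so IA32_EFER.NXE is enabled whenever the hardware supports it rather than only when a policy needs the XD bit; that is a sensible hardening default, but it is a behaviour change the commit message does not mention, and the function's name ("needed") and the deleted comment about PCD-controlled features no longer describe what it does. Suggest either renaming the function and updating its doc comment, or gating on `mDxeMps.StackExecutionProtectionEnabled` and `mDxeMps.ExecutionProtection` to preserve the previous semantics, and saying which in the commit message.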
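Review bot: In the RiscVVirt.dsc.inc hunk, `PcdImageProtectionPolicy|0x3` and `PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD5` are removed together with the comments explaining why LoaderData is left executable for GRUB, yet the patch shows no HOB producer or equivalent setting for RiscVVirt, and the commit message names only PlatformPei/Platform.c. Unless a DXE memory protection HOB carrying the same NX and image-protection policy is published for this platform, this hunk weakens it; please state in the commit message where RiscVVirt now gets these settings, and carry the LoaderData rationale comment over to that location.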