From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by mx.groups.io with SMTP id smtpd.web10.27041.1683621793784717542 for ; Tue, 09 May 2023 01:43:13 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=ODvlaeWq; spf=pass (domain: redhat.com, ip: 170.10.129.124, mailfrom: lersek@redhat.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1683621792; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=87WixVFYVi0xbRoue34zEq4kurFrj6GyddOcPcU2xdU=; b=ODvlaeWqcxYzr60X80ZEkCYD75Kd73u5r2ETUuNJ/JS8SUqjf2J5lC0NpD/FInwA2zzEgG nS+r8ksUmuGop9upivTmnfq3wmYxxWkMVLqFIb0U44R1gyOi2aGk6lxXf51+II+huV1YVh f6coBRKTLGzxS/qNYz+XGwqxIagTonQ= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-113-DbDJj0RLNsS-r369oXZ2qQ-1; Tue, 09 May 2023 04:43:09 -0400 X-MC-Unique: DbDJj0RLNsS-r369oXZ2qQ-1 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.rdu2.redhat.com [10.11.54.2]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id DC16B886462; Tue, 9 May 2023 08:43:08 +0000 (UTC) Received: from [10.39.192.152] (unknown [10.39.192.152]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 6FFF940C6E67; Tue, 9 May 2023 08:43:07 +0000 (UTC) Message-ID: <50bf1804-70ba-dfff-73ad-d2afdbedf5e7@redhat.com> Date: Tue, 9 May 2023 10:43:06 +0200 MIME-Version: 1.0 Subject: Re: [PATCH 0/2] OvmfPkg: Relax assertion that interrupts do not occur at TPL_HIGH_LEVEL To: Michael Brown , devel@edk2.groups.io Cc: Gerd Hoffmann , Oliver Steffen , Pawel Polawski , Jiewen Yao , Ard Biesheuvel , Jordan Justen References: <476bbc17-6484-9afd-9be9-08de14d1d72e@redhat.com> <01020187fd46b80f-a69b4ae5-545f-45ae-ab0d-a48f725c7a40-000000@eu-west-1.amazonses.com> From: "Laszlo Ersek" In-Reply-To: <01020187fd46b80f-a69b4ae5-545f-45ae-ab0d-a48f725c7a40-000000@eu-west-1.amazonses.com> X-Scanned-By: MIMEDefang 3.1 on 10.11.54.2 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit On 5/8/23 23:31, Michael Brown wrote: > At TPL_HIGH_LEVEL, CPU interrupts are disabled (as per the UEFI > specification) and so we should never encounter a situation in which > an interrupt occurs at TPL_HIGH_LEVEL. The specification also > restricts usage of TPL_HIGH_LEVEL to the firmware itself. > > However, nothing prevents a rogue UEFI application from illegally > calling gBS->RaiseTPL(TPL_HIGH_LEVEL) and then deliberately violating > the invariant by enabling interrupts via the STI or equivalent > instruction. Some versions of the Microsoft Windows bootloader are > known to do this. > > NestedInterruptTplLib maintains the invariant that interrupts are > disabled at TPL_HIGH_LEVEL (even when performing the dark art of > deliberately manipulating the stack so that IRET will return with > interrupts still disabled), but does not itself rely on external code > maintaining this invariant. > > Relax the assertion that the interrupted TPL is below TPL_HIGH_LEVEL > to an error message, to allow rogue UEFI applications such as the > Microsoft Windows bootloader to continue to function. > > Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2189136 > Cc: Laszlo Ersek > Cc: Gerd Hoffmann > Cc: Oliver Steffen > Cc: Pawel Polawski > Cc: Jiewen Yao > Cc: Ard Biesheuvel > Cc: Jordan Justen > > Michael Brown (2): > OvmfPkg: Clarify invariants for NestedInterruptTplLib > OvmfPkg: Relax assertion that interrupts do not occur at > TPL_HIGH_LEVEL > > OvmfPkg/Library/NestedInterruptTplLib/Tpl.c | 31 +++++++++++++++++---- > 1 file changed, 26 insertions(+), 5 deletions(-) > I'm not subscribed to the list, so I don't have a copy of patch#1. I've checked patch#1 at this URL: https://listman.redhat.com/archives/edk2-devel-archive/2023-May/063591.html and I'll comment on it using the cover letter: I really like that patch, with one stylistic exception: in edk2, explicit FALSE and TRUE comparisons are not desired. So I suggest: ASSERT (!GetInterruptState ()); Twice. In fact, I *think* that if you run uncrustify with the edk2 config on the patch, then it will rewrite that code. Uncrustify normally only complains in CI on github, but you can run it manually too, after each commit: (1) Clone and build uncrustify: https://projectmu@dev.azure.com/projectmu/Uncrustify/_git/Uncrustify (2) After each commit, preferably when your working tree *and* index are clean, run uncrustify in the edk2 project root, with the following flags: -c .pytool/Plugin/UncrustifyCheck/uncrustify.cfg \ --replace \ --no-backup \ --if-changed The file list can be passed in via stdin ("-F -") or on the uncrustify command line. The "file list" is generally the list of *.c and *.h files modified by the particular commit. Just dumping the entire file list modified by a commit to uncrustify is not good: uncrustify will happily garble (for example) *.inf files, and then it will also crash with SEGV. Thank you! Laszlo