From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by spool.mail.gandi.net (Postfix) with ESMTPS id 3A5ACAC1180 for ; Mon, 9 Oct 2023 10:02:29 +0000 (UTC) DKIM-Signature: a=rsa-sha256; bh=l9sQUYakzJQntFXqm2/EWyhEir9TY9kWYm/2qWrv+d4=; c=relaxed/simple; d=groups.io; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From:In-Reply-To:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Language:Content-Type:Content-Transfer-Encoding; s=20140610; t=1696845747; v=1; b=rf9EoWSRZlReXol9rki8Qh/c+z2eB2mUiS3YtwwMNmfJwx/d+MZEh/qaCXRW6+ujXbs+24eN Zta3PtbKIx8z0E2CpvaN4iU0XmV6lm0I98mgkjEvlY4UJhVZ0Uyg8qouOx/cpMq5dbUVCYloIEw fPFLEYLGn/fTQbIFQy79B6oI= X-Received: by 127.0.0.2 with SMTP id gIL0YY7687511xtQsLKAJuvC; Mon, 09 Oct 2023 03:02:27 -0700 X-Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.groups.io with SMTP id smtpd.web11.57568.1696845746879685983 for ; Mon, 09 Oct 2023 03:02:27 -0700 X-Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-256-5n5Ao7dWOPOcl4mT_0beiQ-1; Mon, 09 Oct 2023 06:02:18 -0400 X-MC-Unique: 5n5Ao7dWOPOcl4mT_0beiQ-1 X-Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 3866B8060E8; Mon, 9 Oct 2023 10:02:17 +0000 (UTC) X-Received: from [10.39.192.114] (unknown [10.39.192.114]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 1DF712026D37; Mon, 9 Oct 2023 10:02:13 +0000 (UTC) Message-ID: <5471e4ca-fad2-74e2-b014-71f773b107ba@redhat.com> Date: Mon, 9 Oct 2023 12:02:12 +0200 MIME-Version: 1.0 Subject: Re: [edk2-devel] [PATCH v5 26/28] OvmfPkg: Delete Memory Protection PCDs To: devel@edk2.groups.io, taylor.d.beebe@gmail.com Cc: Ard Biesheuvel , Jiewen Yao , Jordan Justen , Gerd Hoffmann , Rebecca Cran , Peter Grehan , =?UTF-8?Q?Corvin_K=c3=b6hne?= , Jianyong Wu , Anatol Belski , Anthony Perard , Julien Grall , Erdem Aktas , James Bottomley , Min Xu , Tom Lendacky , Michael Roth , Sunil V L , Andrei Warkentin References: <20231009000742.1792-1-taylor.d.beebe@gmail.com> <20231009000742.1792-27-taylor.d.beebe@gmail.com> From: "Laszlo Ersek" In-Reply-To: <20231009000742.1792-27-taylor.d.beebe@gmail.com> X-Scanned-By: MIMEDefang 3.1 on 10.11.54.4 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,lersek@redhat.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: X-Gm-Message-State: JuYDMUqhdsaNGhUEOJroT3Gwx7686176AA= Content-Language: en-US Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-GND-Status: LEGIT Authentication-Results: spool.mail.gandi.net; dkim=pass header.d=groups.io header.s=20140610 header.b=rf9EoWSR; dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=redhat.com (policy=none); spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io On 10/9/23 02:07, Taylor Beebe wrote: > Now that the transition to use SetMemoryProtectionsLib and > GetMemoryProtectionsLib is complete, delete the memory protection PCDs > to avoid confusing the interface. All memory protection settings > will now be set and consumed via the libraries. > > Signed-off-by: Taylor Beebe > Cc: Ard Biesheuvel > Cc: Jiewen Yao > Cc: Jordan Justen > Cc: Gerd Hoffmann > Cc: Rebecca Cran > Cc: Peter Grehan > Cc: Corvin Köhne > Cc: Jianyong Wu > Cc: Anatol Belski > Cc: Anthony Perard > Cc: Julien Grall > Cc: Erdem Aktas > Cc: James Bottomley > Cc: Min Xu > Cc: Tom Lendacky > Cc: Michael Roth > Cc: Sunil V L > Cc: Andrei Warkentin > --- > OvmfPkg/AmdSev/AmdSevX64.dsc | 3 --- > OvmfPkg/Bhyve/BhyveX64.dsc | 3 --- > OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf | 1 - > OvmfPkg/CloudHv/CloudHvX64.dsc | 3 --- > OvmfPkg/IntelTdx/IntelTdxX64.dsc | 3 --- > OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf | 1 - > OvmfPkg/Microvm/MicrovmX64.dsc | 3 --- > OvmfPkg/OvmfPkgIa32.dsc | 3 --- > OvmfPkg/OvmfPkgIa32X64.dsc | 3 --- > OvmfPkg/OvmfPkgX64.dsc | 3 --- > OvmfPkg/OvmfXen.dsc | 3 --- > OvmfPkg/PlatformPei/PlatformPei.inf | 1 - > OvmfPkg/RiscVVirt/RiscVVirt.dsc.inc | 13 ------------- > OvmfPkg/TdxDxe/TdxDxe.inf | 1 - > 14 files changed, 44 deletions(-) > > diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc > index b67b50b833b9..46a74e4f8ee8 100644 > --- a/OvmfPkg/AmdSev/AmdSevX64.dsc > +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc > @@ -516,9 +516,6 @@ [PcdsDynamicDefault] > gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0 > gUefiOvmfPkgTokenSpaceGuid.PcdQemuSmbiosValidated|FALSE > > - # Noexec settings for DXE. > - gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|FALSE > - > # UefiCpuPkg PCDs related to initial AP bringup and general AP management. > gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber|64 > gUefiCpuPkgTokenSpaceGuid.PcdCpuBootLogicalProcessorNumber|0 > diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc > index 5af5831196f6..21baa47d2526 100644 > --- a/OvmfPkg/Bhyve/BhyveX64.dsc > +++ b/OvmfPkg/Bhyve/BhyveX64.dsc > @@ -550,9 +550,6 @@ [PcdsDynamicDefault] > gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0 > gUefiOvmfPkgTokenSpaceGuid.PcdQemuSmbiosValidated|FALSE > > - # Noexec settings for DXE. > - gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|FALSE > - > # UefiCpuPkg PCDs related to initial AP bringup and general AP management. > gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber|64 > gUefiCpuPkgTokenSpaceGuid.PcdCpuApInitTimeOutInMicroSeconds|50000 > diff --git a/OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf b/OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf > index 07570d4e30ca..07f032941404 100644 > --- a/OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf > +++ b/OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf > @@ -89,7 +89,6 @@ [Pcd] > gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved > gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplSwitchToLongMode > gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable > - gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack > gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable > gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask > gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy > diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc b/OvmfPkg/CloudHv/CloudHvX64.dsc > index c550ebcd659e..b8d643dfda3c 100644 > --- a/OvmfPkg/CloudHv/CloudHvX64.dsc > +++ b/OvmfPkg/CloudHv/CloudHvX64.dsc > @@ -600,9 +600,6 @@ [PcdsDynamicDefault] > gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0 > gUefiOvmfPkgTokenSpaceGuid.PcdQemuSmbiosValidated|FALSE > > - # Noexec settings for DXE. > - gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|FALSE > - > # UefiCpuPkg PCDs related to initial AP bringup and general AP management. > gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber|64 > gUefiCpuPkgTokenSpaceGuid.PcdCpuBootLogicalProcessorNumber|0 > diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc > index a3370f45940c..513727ae98ff 100644 > --- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc > +++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc > @@ -511,9 +511,6 @@ [PcdsDynamicDefault] > gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0 > gUefiOvmfPkgTokenSpaceGuid.PcdQemuSmbiosValidated|FALSE > > - # Noexec settings for DXE. > - gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|TRUE > - > # UefiCpuPkg PCDs related to initial AP bringup and general AP management. > gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber|64 > gUefiCpuPkgTokenSpaceGuid.PcdCpuBootLogicalProcessorNumber|0 > diff --git a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf > index a6d7b53f52cf..009bee69e405 100644 > --- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf > +++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf > @@ -79,7 +79,6 @@ [Pcd] > gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplBuildPageTables ## CONSUMES > gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable ## SOMETIMES_CONSUMES > gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask ## CONSUMES > - gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack ## CONSUMES > gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase > gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvSize > gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootSupported > diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc > index da5a4862bfdc..78f2ab64a60d 100644 > --- a/OvmfPkg/Microvm/MicrovmX64.dsc > +++ b/OvmfPkg/Microvm/MicrovmX64.dsc > @@ -623,9 +623,6 @@ [PcdsDynamicDefault] > gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0 > gUefiOvmfPkgTokenSpaceGuid.PcdQemuSmbiosValidated|FALSE > > - # Noexec settings for DXE. > - gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|FALSE > - > # UefiCpuPkg PCDs related to initial AP bringup and general AP management. > gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber|64 > gUefiCpuPkgTokenSpaceGuid.PcdCpuBootLogicalProcessorNumber|0 > diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc > index d4d14b69ef1d..0f2b1812a821 100644 > --- a/OvmfPkg/OvmfPkgIa32.dsc > +++ b/OvmfPkg/OvmfPkgIa32.dsc > @@ -634,9 +634,6 @@ [PcdsDynamicDefault] > gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0 > gUefiOvmfPkgTokenSpaceGuid.PcdQemuSmbiosValidated|FALSE > > - # Noexec settings for DXE. > - gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|FALSE > - > # UefiCpuPkg PCDs related to initial AP bringup and general AP management. > gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber|64 > gUefiCpuPkgTokenSpaceGuid.PcdCpuBootLogicalProcessorNumber|0 > diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc > index 674010323df1..6180d267067a 100644 > --- a/OvmfPkg/OvmfPkgIa32X64.dsc > +++ b/OvmfPkg/OvmfPkgIa32X64.dsc > @@ -652,9 +652,6 @@ [PcdsDynamicDefault] > gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0 > gUefiOvmfPkgTokenSpaceGuid.PcdQemuSmbiosValidated|FALSE > > - # Noexec settings for DXE. > - gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|FALSE > - > # UefiCpuPkg PCDs related to initial AP bringup and general AP management. > gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber|64 > gUefiCpuPkgTokenSpaceGuid.PcdCpuBootLogicalProcessorNumber|0 > diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc > index 08b70d76d292..937488b043f4 100644 > --- a/OvmfPkg/OvmfPkgX64.dsc > +++ b/OvmfPkg/OvmfPkgX64.dsc > @@ -670,9 +670,6 @@ [PcdsDynamicDefault] > gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0 > gUefiOvmfPkgTokenSpaceGuid.PcdQemuSmbiosValidated|FALSE > > - # Noexec settings for DXE. > - gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|FALSE > - > # UefiCpuPkg PCDs related to initial AP bringup and general AP management. > gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber|64 > gUefiCpuPkgTokenSpaceGuid.PcdCpuBootLogicalProcessorNumber|0 > diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc > index d80e20a151d7..e3631202238b 100644 > --- a/OvmfPkg/OvmfXen.dsc > +++ b/OvmfPkg/OvmfXen.dsc > @@ -506,9 +506,6 @@ [PcdsDynamicDefault] > gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0 > gUefiOvmfPkgTokenSpaceGuid.PcdQemuSmbiosValidated|FALSE > > - # Noexec settings for DXE. > - gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|FALSE > - > # Set memory encryption mask > gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask|0x0 > > diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf > index fbaa6bdc8ee5..3085f4f46a50 100644 > --- a/OvmfPkg/PlatformPei/PlatformPei.inf > +++ b/OvmfPkg/PlatformPei/PlatformPei.inf > @@ -104,7 +104,6 @@ [Pcd] > gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved > gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplSwitchToLongMode > gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable > - gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack > gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable > gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask > gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase > diff --git a/OvmfPkg/RiscVVirt/RiscVVirt.dsc.inc b/OvmfPkg/RiscVVirt/RiscVVirt.dsc.inc > index fe320525153f..57304c40766a 100644 > --- a/OvmfPkg/RiscVVirt/RiscVVirt.dsc.inc > +++ b/OvmfPkg/RiscVVirt/RiscVVirt.dsc.inc > @@ -271,19 +271,6 @@ [PcdsFixedAtBuild.common] > gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiLoaderCode|20 > gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiLoaderData|0 > > - # > - # Enable strict image permissions for all images. (This applies > - # only to images that were built with >= 4 KB section alignment.) > - # > - gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3 > - > - # > - # Enable NX memory protection for all non-code regions, including OEM and OS > - # reserved ones, with the exception of LoaderData regions, of which OS loaders > - # (i.e., GRUB) may assume that its contents are executable. > - # > - gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD5 > - > [Components.common] > # > # Ramdisk support > diff --git a/OvmfPkg/TdxDxe/TdxDxe.inf b/OvmfPkg/TdxDxe/TdxDxe.inf > index 9793562884c7..42317228c1aa 100644 > --- a/OvmfPkg/TdxDxe/TdxDxe.inf > +++ b/OvmfPkg/TdxDxe/TdxDxe.inf > @@ -68,6 +68,5 @@ [Pcd] > gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFdBaseAddress > gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr > gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask > - gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack > gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved > gUefiOvmfPkgTokenSpaceGuid.PcdTdxAcceptPageSize Seems reasonable, superficially; whether the new / default profile settings will ensure identical behavior (wherever needed for compatibility), I can't say. Of course if we can restrict the policies and everything just continues working, that's ideal; I can't tell whether that's the case though. Acked-by: Laszlo Ersek Laszlo -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#109451): https://edk2.groups.io/g/devel/message/109451 Mute This Topic: https://groups.io/mt/101843370/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/leave/12367111/7686176/1913456212/xyzzy [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=-