From: Laszlo Ersek <lersek@redhat.com>
To: Jian J Wang <jian.j.wang@intel.com>, edk2-devel@lists.01.org
Cc: Ruiyu Ni <ruiyu.ni@intel.com>, Jiewen Yao <jiewen.yao@intel.com>,
Eric Dong <eric.dong@intel.com>
Subject: Re: [PATCH 1/6] UefiCpuPkg/MpInitLib: split wake up buffer into two parts
Date: Sun, 28 Jan 2018 22:43:56 +0100 [thread overview]
Message-ID: <6264fc27-bf8d-5ee5-f631-31c28c32abeb@redhat.com> (raw)
In-Reply-To: <a45cad7f-a55f-32c0-e284-23a8479dc0a5@redhat.com>
On 01/27/18 17:17, Laszlo Ersek wrote:
> Hello Jian,
>
> On 01/15/18 09:54, Jian J Wang wrote:
>> If PcdDxeNxMemoryProtectionPolicy is set to enable protection for memory
>> of EfiBootServicesCode, EfiConventionalMemory, the BIOS will hang at a page
>> fault exception during MP initialization.
>>
>> The root cause is that the AP wake up buffer, which is below 1MB and used
>> to hold both AP init code and data, is type of EfiConventionalMemory (not
>> really allocated because of potential conflict with legacy code), and is
>> marked as non-executable. During the transition from real address mode
>> to long mode, the AP init code has to enable paging which will then cause
>> itself a page fault exception because it's just running in non-executable
>> memory.
>>
>> The solution is splitting AP wake up buffer into two part: lower part is
>> still below 1MB and shared with legacy system, higher part is really
>> allocated memory of BootServicesCode type. The init code in the memory
>> below 1MB will not enable paging but just switch to protected mode and
>> jump to higher memory, in which the init code will enable paging and
>> switch to long mode.
>>
>> Cc: Jiewen Yao <jiewen.yao@intel.com>
>> Cc: Ruiyu Ni <ruiyu.ni@intel.com>
>> Cc: Eric Dong <eric.dong@intel.com>
>> Cc: Laszlo Ersek <lersek@redhat.com>
>> Contributed-under: TianoCore Contribution Agreement 1.1
>> Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
>> ---
>> UefiCpuPkg/Library/MpInitLib/DxeMpLib.c | 34 ++++++++++
>> UefiCpuPkg/Library/MpInitLib/Ia32/MpEqu.inc | 5 ++
>> UefiCpuPkg/Library/MpInitLib/Ia32/MpFuncs.nasm | 32 +++++-----
>> UefiCpuPkg/Library/MpInitLib/MpLib.c | 45 +++++++++++++
>> UefiCpuPkg/Library/MpInitLib/MpLib.h | 22 +++++++
>> UefiCpuPkg/Library/MpInitLib/PeiMpLib.c | 23 +++++++
>> UefiCpuPkg/Library/MpInitLib/X64/MpEqu.inc | 5 +-
>> UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm | 87 ++++++++++++++++----------
>> 8 files changed, 204 insertions(+), 49 deletions(-)
>
> This patch breaks OVMF on KVM. The symptom is that the guest crashes
> and reboots as follows (infinite reboot loop):
>
>> Loading PEIM at 0x0007FEB0000 EntryPoint=0x0007FEB5C96 CpuMpPei.efi
>> AP Loop Mode is 1
>> WakeupBufferStart = 9F000, WakeupBufferSize = 1000
>> -- crash & reboot here --
>> SecCoreStartupWithStack(0xFFFCC000, 0x820000)
The following build options were used for this build:
$ build -a X64 -p OvmfPkg/OvmfPkgX64.dsc -D SECURE_BOOT_ENABLE \
-t GCC48 -b NOOPT -D HTTP_BOOT_ENABLE
The tree was built at 06c1f423e17f ("BeagleBoardPkg: reroute Firmware
Vendor Pcd to MdeModulePkg", 2018-01-26). (This commit is listed at the
top of the bisection log in my previous email.)
Here's the KVM log up to the triple fault:
> CPU-32283 [004] 13652.374591: kvm_entry: vcpu 2
> CPU-32283 [004] 13652.374594: kvm_exit: reason CR_ACCESS rip 0x3a info 0 0
> CPU-32283 [004] 13652.374595: kvm_cr: cr_write 0 = 0x60000013
> CPU-32283 [004] 13652.374596: kvm_entry: vcpu 2
> CPU-32283 [004] 13652.374597: kvm_exit: reason CR_ACCESS rip 0x9f06a info 4 0
> CPU-32283 [004] 13652.374598: kvm_cr: cr_write 4 = 0x20
> CPU-32283 [004] 13652.374603: kvm_entry: vcpu 2
> CPU-32283 [004] 13652.374604: kvm_exit: reason CR_ACCESS rip 0x9f075 info 103 0
> CPU-32283 [004] 13652.374605: kvm_cr: cr_write 3 = 0x800000
> CPU-32283 [004] 13652.374606: kvm_entry: vcpu 2
> CPU-32283 [004] 13652.374607: kvm_exit: reason MSR_READ rip 0x9f07d info 0 0
> CPU-32283 [004] 13652.374608: kvm_msr: msr_read c0000080 = 0x0
> CPU-32283 [004] 13652.374608: kvm_entry: vcpu 2
> CPU-32283 [004] 13652.374609: kvm_exit: reason MSR_WRITE rip 0x9f083 info 0 0
> CPU-32283 [004] 13652.374611: kvm_msr: msr_write c0000080 = 0x100
> CPU-32283 [004] 13652.374612: kvm_entry: vcpu 2
> CPU-32283 [004] 13652.374613: kvm_exit: reason CR_ACCESS rip 0x9f08c info 0 0
> CPU-32283 [004] 13652.374613: kvm_cr: cr_write 0 = 0xe0000013
> CPU-32283 [004] 13652.374620: kvm_entry: vcpu 2
> CPU-32283 [004] 13652.374622: kvm_exit: reason TRIPLE_FAULT rip 0x9f096 info 0 0
Offset 0x96 (relative to 0x9F000) is from
"UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm":
> 5c66d125eaae5 (Jeff Fan 2016-07-29 21:13:34 +0800 103) SkipEnableExecuteDisableBit:
> f32bfe6d06142 (Jian J Wang 2017-12-29 09:12:54 +0800 104) ;
> f32bfe6d06142 (Jian J Wang 2017-12-29 09:12:54 +0800 105) ; Enable PAE
> f32bfe6d06142 (Jian J Wang 2017-12-29 09:12:54 +0800 106) ;
> d94e5f672994f (Jeff Fan 2016-07-20 22:44:39 +0800 107) mov eax, cr4
> d94e5f672994f (Jeff Fan 2016-07-20 22:44:39 +0800 108) bts eax, 5
> d94e5f672994f (Jeff Fan 2016-07-20 22:44:39 +0800 109) mov cr4, eax
> d94e5f672994f (Jeff Fan 2016-07-20 22:44:39 +0800 110)
> f32bfe6d06142 (Jian J Wang 2017-12-29 09:12:54 +0800 111) ;
> f32bfe6d06142 (Jian J Wang 2017-12-29 09:12:54 +0800 112) ; Load page table
> f32bfe6d06142 (Jian J Wang 2017-12-29 09:12:54 +0800 113) ;
> f32bfe6d06142 (Jian J Wang 2017-12-29 09:12:54 +0800 114) mov esi, Cr3Location ; Save CR3 in ecx
> f32bfe6d06142 (Jian J Wang 2017-12-29 09:12:54 +0800 115) mov ecx, [ebx + esi]
> d94e5f672994f (Jeff Fan 2016-07-20 22:44:39 +0800 116) mov cr3, ecx ; Load CR3
> d94e5f672994f (Jeff Fan 2016-07-20 22:44:39 +0800 117)
> f32bfe6d06142 (Jian J Wang 2017-12-29 09:12:54 +0800 118) ;
> f32bfe6d06142 (Jian J Wang 2017-12-29 09:12:54 +0800 119) ; Enable long mode
> f32bfe6d06142 (Jian J Wang 2017-12-29 09:12:54 +0800 120) ;
> d94e5f672994f (Jeff Fan 2016-07-20 22:44:39 +0800 121) mov ecx, 0c0000080h ; EFER MSR number
> d94e5f672994f (Jeff Fan 2016-07-20 22:44:39 +0800 122) rdmsr ; Read EFER
> d94e5f672994f (Jeff Fan 2016-07-20 22:44:39 +0800 123) bts eax, 8 ; Set LME=1
> d94e5f672994f (Jeff Fan 2016-07-20 22:44:39 +0800 124) wrmsr ; Write EFER
> d94e5f672994f (Jeff Fan 2016-07-20 22:44:39 +0800 125)
> f32bfe6d06142 (Jian J Wang 2017-12-29 09:12:54 +0800 126) ;
> f32bfe6d06142 (Jian J Wang 2017-12-29 09:12:54 +0800 127) ; Enable paging
> f32bfe6d06142 (Jian J Wang 2017-12-29 09:12:54 +0800 128) ;
> d94e5f672994f (Jeff Fan 2016-07-20 22:44:39 +0800 129) mov eax, cr0 ; Read CR0
> d94e5f672994f (Jeff Fan 2016-07-20 22:44:39 +0800 130) bts eax, 31 ; Set PG=1
> d94e5f672994f (Jeff Fan 2016-07-20 22:44:39 +0800 131) mov cr0, eax ; Write CR0
> d94e5f672994f (Jeff Fan 2016-07-20 22:44:39 +0800 132)
> f32bfe6d06142 (Jian J Wang 2017-12-29 09:12:54 +0800 133) ;
> f32bfe6d06142 (Jian J Wang 2017-12-29 09:12:54 +0800 134) ; Far jump to 64-bit code
> f32bfe6d06142 (Jian J Wang 2017-12-29 09:12:54 +0800 135) ;
> f32bfe6d06142 (Jian J Wang 2017-12-29 09:12:54 +0800 136) mov edi, ModeHighMemoryLocation
> f32bfe6d06142 (Jian J Wang 2017-12-29 09:12:54 +0800 137) add edi, ebx
> f32bfe6d06142 (Jian J Wang 2017-12-29 09:12:54 +0800 138) jmp far [edi] <- here
Thanks
Laszlo
next prev parent reply other threads:[~2018-01-28 21:38 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-15 8:54 [PATCH 0/6] Fix issues caused by NX memory protection Jian J Wang
2018-01-15 8:54 ` [PATCH 1/6] UefiCpuPkg/MpInitLib: split wake up buffer into two parts Jian J Wang
2018-01-18 6:53 ` Dong, Eric
2018-01-27 16:17 ` Laszlo Ersek
2018-01-28 21:43 ` Laszlo Ersek [this message]
2018-01-29 1:06 ` Wang, Jian J
2018-01-29 15:50 ` Laszlo Ersek
2018-01-15 8:54 ` [PATCH 2/6] UefiCpuPkg/CpuExceptionHandlerLib: alloc code memory for exception handlers Jian J Wang
2018-01-16 14:02 ` Dong, Eric
2018-01-15 8:54 ` [PATCH 3/6] UefiCpuPkg/CpuDxe: clear NX attr for page directory Jian J Wang
2018-01-16 14:02 ` Dong, Eric
2018-01-15 8:54 ` [PATCH 4/6] UefiCpuPkg/PiSmmCpuDxeSmm: Enable NXE if it's supported Jian J Wang
2018-01-16 14:02 ` Dong, Eric
2018-01-28 22:46 ` Laszlo Ersek
2018-01-29 9:02 ` Wang, Jian J
2018-01-29 19:48 ` Laszlo Ersek
2018-01-30 13:09 ` Laszlo Ersek
2018-02-01 1:08 ` Wang, Jian J
2018-01-15 8:54 ` [PATCH 5/6] MdeModulePkg/PiSmmCore: remove NX attr for SMM RAM Jian J Wang
2018-01-15 10:18 ` Zeng, Star
2018-01-15 8:54 ` [PATCH 6/6] MdeModulePkg/BootScriptExecutorDxe: remove NX attr for FfsBuffer Jian J Wang
2018-01-15 10:18 ` Zeng, Star
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6264fc27-bf8d-5ee5-f631-31c28c32abeb@redhat.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox