From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "Ni, Ray" <ray.ni@intel.com>,
"devel@edk2.groups.io" <devel@edk2.groups.io>,
"lersek@redhat.com" <lersek@redhat.com>
Cc: "Dong, Eric" <eric.dong@intel.com>,
"Wang, Jian J" <jian.j.wang@intel.com>
Subject: Re: [edk2-devel] [PATCH v2 2/2] UefiCpuPkg/PiSmmCpu: PcdCpuSmmAccessOut controls SMM access-out policy
Date: Thu, 1 Aug 2019 01:38:34 +0000 [thread overview]
Message-ID: <74D8A39837DF1E4DA445A8C0B3885C503F738DCC@shsmsx102.ccr.corp.intel.com> (raw)
In-Reply-To: <734D49CCEBEEF84792F5B80ED585239D5C266BC4@SHSMSX104.ccr.corp.intel.com>
I agree that we only need support #2 and #3.
We need one PCD:
1) if it is set to TRUE, it locks SMM paging (make it static), only allows SMM access RSVD, ACPINVS, Runtime, as comm buffer, plus MMIO for device access. That is secure configuration.
2) it is FALSE, it allows SMM to access OS memory. It could be static or dynamic paging.
PcdCpuSmmAccessOut seems also confusing.
What "Out" means ???
What Out=False means? Only allow inside SMRAM access?
Anyway, I am open for the naming proposal.
Thank you
Yao Jiewen
> -----Original Message-----
> From: Ni, Ray
> Sent: Thursday, August 1, 2019 9:28 AM
> To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io;
> lersek@redhat.com
> Cc: Dong, Eric <eric.dong@intel.com>; Wang, Jian J <jian.j.wang@intel.com>
> Subject: RE: [edk2-devel] [PATCH v2 2/2] UefiCpuPkg/PiSmmCpu:
> PcdCpuSmmAccessOut controls SMM access-out policy
>
> > Below is my thought, please correct if I am wrong.
> > 1) StaticPaging=false, AccessOut=false: it seems invalid. If we don’t
> support access out, why we need dynamic paging?
> > 2) StaticPaging=false, AccessOut=true: it seems valid. We need access out,
> but we only want a small paging in the beginning. As
> > such we use dynamic paging. This is to support Hotplug memory.
> > 3) StaticPaging=true, AccessOut=false: it seems valid. The is secure
> configuration.
> > 4) StaticPaging=true, AccessOut=true: it seems valid, but I do not see the
> value to support this. If we always allow access out,
> > what is the value to set static paging. Or why we care the paging is static
> or dynamic?
>
>
> Jiewen,
> The value of static paging is to reduce page table SMRAM consumption. We
> could create the page table in advance and that
> page table permits smm access out.
>
> >
> > As such I recommend we only support #2 and #3.
>
> Supporting #2 and #3 is based on real requirement, not from above
> discussion of 4 combinations.
>
> >
> > Again, if the naming is confusing, I agree we should clarify or even rename.
>
> I also agree that having fewer PCDs to provide fewer configurations. It also
> reduces validation effort.
>
> Jiewen & Laszlo,
> Do you agree that with only #2 and #3 supported, the existing PCD can be
> renamed to PcdCpuSmmAccessOut?
> If AccessOut=true, it implies static paging is not used.
> If AccessOut=false, it implies static paging is used.
>
> My goal is to have a way to allow RAS code access out from SMM after
> ReadyToLock.
> Any solution that can meet this goal is ok to me. I don't want to add
> confusing/unnecessary-complexity due to this goal.
>
> > What I am trying to achieve is to limit the number of supported
> combination to reduce the effort of validation and maintenance.
> >
> > thank you!
> > Yao, Jiewen
> >
> >
> > > 在 2019年8月1日,上午7:13,Laszlo Ersek <lersek@redhat.com> 写
> 道:
> > >
> > > Hi Ray, Jiewen,
> > >
> > > I've got several comments / questions:
> > >
> > >> On 07/31/19 18:38, Ni, Ray wrote:
> > >> This patch skips to update page table for non-SMRAM memory when
> > >> PcdCpuSmmAccessOut is TRUE.
> > >> So that when SMM accesses out, no page fault is triggered at all.
> > >>
> > >> Signed-off-by: Ray Ni <ray.ni@intel.com>
> > >> Cc: Eric Dong <eric.dong@intel.com>
> > >> Cc: Jiewen Yao <jiewen.yao@intel.com>
> > >> Cc: Jian J Wang <jian.j.wang@intel.com>
> > >> Cc: Laszlo Ersek <lersek@redhat.com>
> > >> ---
> > >> UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c | 21
> +++++++++++++++++----
> > >> UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c | 2 +-
> > >> 2 files changed, 18 insertions(+), 5 deletions(-)
> > >>
> > >> diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c
> b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c
> > >> index 69a04dfb23..427c33fb01 100644
> > >> --- a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c
> > >> +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c
> > >> @@ -130,6 +130,11 @@ UINT8
> mPhysicalAddressBits;
> > >> UINT32 mSmmCr0;
> > >> UINT32 mSmmCr4;
> > >>
> > >> +//
> > >> +// Cache of PcdCpuSmmAccessOut
> > >> +//
> > >> +BOOLEAN mSmmAccessOut;
> > >> +
> > >> /**
> > >> Initialize IDT to setup exception handlers for SMM.
> > >>
> > >> @@ -610,6 +615,12 @@ PiCpuSmmEntry (
> > >> mSmmCodeAccessCheckEnable = PcdGetBool
> (PcdCpuSmmCodeAccessCheckEnable);
> > >> DEBUG ((EFI_D_INFO, "PcdCpuSmmCodeAccessCheckEnable = %d\n",
> mSmmCodeAccessCheckEnable));
> > >>
> > >> + //
> > >> + // Save the PcdCpuSmmAccessOut value into a global variable.
> > >> + //
> > >> + mSmmAccessOut = PcdGetBool (PcdCpuSmmAccessOut);
> > >> + DEBUG ((DEBUG_INFO, "PcdCpuSmmAccessOut = %d\n",
> mSmmAccessOut));
> > >> +
> > >> //
> > >> // Save the PcdPteMemoryEncryptionAddressOrMask value into a
> global variable.
> > >> // Make sure AddressEncMask is contained to smallest supported
> address field.
> > >
> > > The above looks correct; however, the PcdGetBool() call depends on the
> > > INF file listing PcdCpuSmmAccessOut.
> > >
> > > (1) Ray, did you forget to stage the INF file update for this patch commit?
> > >
> > >
> > >> @@ -1431,10 +1442,12 @@ PerformRemainingTasks (
> > >> //
> > >> SetMemMapAttributes ();
> > >>
> > >> - //
> > >> - // For outside SMRAM, we only map SMM communication buffer
> or MMIO.
> > >> - //
> > >> - SetUefiMemMapAttributes ();
> > >> + if (!mSmmAccessOut) {
> > >> + //
> > >> + // For outside SMRAM, we only map SMM communication
> buffer or MMIO.
> > >> + //
> > >> + SetUefiMemMapAttributes ();
> > >> + }
> > >
> > > This change looks OK. It seems to conditionalize the logic added in
> > > commit d2fc7711136a ("UefiCpuPkg/PiSmmCpu: Add SMM Comm Buffer
> Paging
> > > Protection.", 2016-12-19).
> > >
> > > However, the comment confuses me a bit; it says "SMM communication
> > > buffer *or MMIO*".
> > >
> > > I assume "SMM communication buffer" can be in "reserved, runtime and
> > > ACPI NVS" RAM, so that part likely matches the new PCD's explanation
> > > from patch#1. But MMIO is not mentioned in patch#1.
> > >
> > > (2) Should we extend the description of the PCD in patch#1, with MMIO?
> > >
> > > Or is MMIO considered *runtime* MMIO (and so covered by "runtime")?
> > >
> > >>
> > >> //
> > >> // Set page table itself to be read-only
> > >
> > > In the previous version of the patch series, namely
> > >
> > > [edk2-devel] [PATCH 3/3]
> > > UefiCpuPkg/PiSmmCpu: Allow SMM access-out when static paging is
> OFF
> > >
> > >
> http://mid.mail-archive.com/20190727032850.337840-4-ray.ni@intel.com
> > > https://edk2.groups.io/g/devel/message/44470
> > >
> > > the next operation (namely SetPageTableAttributes()) was
> conditionalized
> > > too. Is that no longer necessary, with the new PCD? Shouldn't we still
> > > conditionalize SetPageTableAttributes() on the *other* (static paging)
> PCD?
> > >
> > > Ah wait, we already do it! SetPageTableAttributes() has two
> > > implementations, one for IA32 and another for X64.
> > >
> > > - The X64 variant checks for static page tables internally, and if they
> > > are disabled, then SetPageTableAttributes() does nothing.
> > >
> > > - The IA32 variant does not contain that check, because on IA32 the page
> > > tables are always built statically.
> > >
> > > So SetPageTableAttributes() already depends on static paging
> > > *internally*, hence gating the SetPageTableAttributes() call
> > > *externally*, like it was done in the previous version of the patch
> > > series, is superfluous in the first place.
> > >
> > > Good!
> > >
> > >
> > >> diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c
> b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c
> > >> index a3b62f7787..6699aac65d 100644
> > >> --- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c
> > >> +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c
> > >> @@ -1029,7 +1029,7 @@ SmiPFHandler (
> > >> goto Exit;
> > >> }
> > >>
> > >> - if (mCpuSmmStaticPageTable &&
> IsSmmCommBufferForbiddenAddress (PFAddress)) {
> > >> + if (IsSmmCommBufferForbiddenAddress (PFAddress)) {
> > >> DumpCpuContext (InterruptType, SystemContext);
> > >> DEBUG ((DEBUG_ERROR, "Access SMM communication
> forbidden address (0x%lx)!\n", PFAddress));
> > >> DEBUG_CODE (
> > >>
> > >
> > > This hunk looks good. Because:
> > >
> > > - we ensure that there is no page fault at all, in the "access-out
> > > permitted" case, so there is no need to consider "access-out" in the
> > > fault handler at all;
> > >
> > > - the "mSmmAccessOut" logic in PerformRemainingTasks() applies to
> both
> > > IA32 and X64 (commonly), and the SmiPFHandler() function is
> implemented
> > > for both IA32 and X64 (separately), and after this patch, both fault
> > > handlers check IsSmmCommBufferForbiddenAddress() identically. So this
> is
> > > nice and symmetric;
> > >
> > > - we don't interfere with on-demand page table building (when it is
> > > enabled on X64) -- page faults should still be triggered by RAM pages
> > > not yet mapped at all, and the X64 variant of SmiDefaultPFHandler()
> > > should fix up *those* faults like before.
> > >
> > >
> > > However: given that this hunk practically undes commit c60d36b4, I
> would
> > > suggest that we revert commit c60d36b4 in a separate patch. So the
> > > series would go like:
> > >
> > > - patch#1: commit c60d36b4 is not good enough, we're going to
> implement
> > > a separate approach, so revert commit c60d36b4, at first.
> > > - patch#2: introduce the new PCD
> > > - patch#3: disable page fault generation for non-SMRAM addresses (=
> keep
> > > them mapped as normal) to which access-out is permitted.
> > >
> > > (3) Ray, do you agree to structure the patch series like that?
> > >
> > > (4) Jiewen, are you OK with the general approach, namely to relax
> > > access-out by eliminating *such* page faults, rather than fixing them up
> > > in the fault handler?
> > >
> > > (I certainly agree with this approach: the fixup in the fault handler,
> > > namely SmiDefaultPFHandler(), only covers the X64 case; in the IA32
> > > case, it just hangs. That shows that the fault fixup is inherently tied
> > > to on-demand page table building, whereas the access-out feature
> should
> > > be possible to permit on IA32 too.)
> > >
> > > Thanks,
> > > Laszlo
> > >
> > >
> > >
next prev parent reply other threads:[~2019-08-01 1:38 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-31 16:38 [PATCH v2 0/2] Add new PCD PcdCpuSmmAccessOut to control SMM access out Ni, Ray
2019-07-31 16:38 ` [PATCH v2 1/2] UefiCpuPkg: Add " Ni, Ray
2019-07-31 22:21 ` [edk2-devel] " Laszlo Ersek
2019-08-01 6:38 ` Ni, Ray
2019-07-31 16:38 ` [PATCH v2 2/2] UefiCpuPkg/PiSmmCpu: PcdCpuSmmAccessOut controls SMM access-out policy Ni, Ray
2019-07-31 23:13 ` [edk2-devel] " Laszlo Ersek
2019-07-31 23:46 ` Laszlo Ersek
2019-08-01 0:08 ` Laszlo Ersek
2019-08-01 0:02 ` Yao, Jiewen
2019-08-01 1:27 ` Ni, Ray
2019-08-01 1:38 ` Yao, Jiewen [this message]
2019-08-01 2:23 ` Ni, Ray
2019-08-01 3:10 ` Yao, Jiewen
2019-08-01 6:25 ` Ni, Ray
2019-08-02 1:41 ` Laszlo Ersek
2019-08-02 2:04 ` Laszlo Ersek
2019-08-02 2:46 ` Yao, Jiewen
2019-08-02 22:06 ` Laszlo Ersek
2019-08-03 2:23 ` Yao, Jiewen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=74D8A39837DF1E4DA445A8C0B3885C503F738DCC@shsmsx102.ccr.corp.intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox