From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-1.mimecast.com (us-smtp-delivery-1.mimecast.com [205.139.110.61]) by mx.groups.io with SMTP id smtpd.web11.8400.1593776318931675659 for ; Fri, 03 Jul 2020 04:38:39 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=d4zgaTcW; spf=pass (domain: redhat.com, ip: 205.139.110.61, mailfrom: lersek@redhat.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1593776318; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=KpmMrs+x746gZGngh89nIHg0m4chBD0hP78QyNY/Xvs=; b=d4zgaTcWe/NJ2AgxiliX4X9xkoKB26EJY54Ul/VBKRwNhc+LIyVrN6HJCbhYxLZok3BuQX lf1GJOygI3lVUNaE0QGFGlXqmVsjrUX2iMTAxxxq6mLjCgV/KmOK97Qw91qazNOBKXyP8B iMB1mdGbeKO7UY2xp0py7kEBF8I6ddY= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-226-3ZEToiybN26lMisCEAy8vw-1; Fri, 03 Jul 2020 07:38:34 -0400 X-MC-Unique: 3ZEToiybN26lMisCEAy8vw-1 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 94515800C64; Fri, 3 Jul 2020 11:38:32 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-114-238.ams2.redhat.com [10.36.114.238]) by smtp.corp.redhat.com (Postfix) with ESMTP id 474165C1C3; Fri, 3 Jul 2020 11:38:30 +0000 (UTC) Subject: Re: [edk2-devel] [PATCH v2 3/9] UefiCpuPkg/SecMigrationPei: Add initial PEIM (CVE-2019-11098) To: devel@edk2.groups.io, guomin.jiang@intel.com Cc: Michael Kubacki , Eric Dong , Ray Ni , Rahul Kumar , Debkumar De , Harry Han , Catharine West References: <20200702051525.1102-1-guomin.jiang@intel.com> <20200702051525.1102-4-guomin.jiang@intel.com> From: "Laszlo Ersek" Message-ID: <88685b8d-1944-e864-2219-e0687f4446c2@redhat.com> Date: Fri, 3 Jul 2020 13:38:29 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <20200702051525.1102-4-guomin.jiang@intel.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=lersek@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit On 07/02/20 07:15, Guomin Jiang wrote: > From: Michael Kubacki > > REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614 > > Adds a PEIM that republishes structures produced in SEC. This > is done because SEC modules may not be shadowed in some platforms > due to space constraints or special alignment requirements. The > SecMigrationPei module locates interfaces that may be published in > SEC and reinstalls the interface with permanent memory addresses. > > This is important if pre-memory address access is forbidden after > memory initialization and data such as a PPI descriptor, PPI GUID, > or PPI inteface reside in pre-memory. > > Cc: Eric Dong > Cc: Ray Ni > Cc: Laszlo Ersek > Cc: Rahul Kumar > Cc: Debkumar De > Cc: Harry Han > Cc: Catharine West > Signed-off-by: Michael Kubacki > --- > UefiCpuPkg/Include/Ppi/RepublishSecPpi.h | 54 +++ > UefiCpuPkg/SecCore/SecCore.inf | 2 + > UefiCpuPkg/SecCore/SecMain.c | 26 +- > UefiCpuPkg/SecCore/SecMain.h | 1 + > UefiCpuPkg/SecMigrationPei/SecMigrationPei.c | 372 ++++++++++++++++++ > UefiCpuPkg/SecMigrationPei/SecMigrationPei.h | 170 ++++++++ > .../SecMigrationPei/SecMigrationPei.inf | 64 +++ > .../SecMigrationPei/SecMigrationPei.uni | 13 + > UefiCpuPkg/UefiCpuPkg.dec | 4 + > UefiCpuPkg/UefiCpuPkg.dsc | 1 + > 10 files changed, 705 insertions(+), 2 deletions(-) > create mode 100644 UefiCpuPkg/Include/Ppi/RepublishSecPpi.h > create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.c > create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.h > create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf > create mode 100644 UefiCpuPkg/SecMigrationPei/SecMigrationPei.uni So this patch introduces SecMigrationPei, and a new PPI. OVMF doesn't use those. The patch also changes the existent UefiCpuPkg/SecCore module. OVMF doesn't use that either. Because of the above, I defer to Eric and Ray on this patch. Thanks Laszlo > > diff --git a/UefiCpuPkg/Include/Ppi/RepublishSecPpi.h b/UefiCpuPkg/Include/Ppi/RepublishSecPpi.h > new file mode 100644 > index 000000000000..6fb9f1b005b4 > --- /dev/null > +++ b/UefiCpuPkg/Include/Ppi/RepublishSecPpi.h > @@ -0,0 +1,54 @@ > +/** @file > + This file declares Sec Platform Information PPI. > + > + This service is the primary handoff state into the PEI Foundation. > + The Security (SEC) component creates the early, transitory memory > + environment and also encapsulates knowledge of at least the > + location of the Boot Firmware Volume (BFV). > + > + Copyright (c) 2020, Intel Corporation. All rights reserved.
> + SPDX-License-Identifier: BSD-2-Clause-Patent > + > + @par Revision Reference: > + This PPI is introduced in PI Version 1.0. > + > +**/ > + > +#ifndef __REPUBLISH_SEC_PPI_H__ > +#define __REPUBLISH_SEC_PPI_H__ > + > +#include > + > +#define REPUBLISH_SEC_PPI_PPI_GUID \ > + { \ > + 0x27a71b1e, 0x73ee, 0x43d6, { 0xac, 0xe3, 0x52, 0x1a, 0x2d, 0xc5, 0xd0, 0x92 } \ > + } > + > +typedef struct _REPUBLISH_SEC_PPI_PPI REPUBLISH_SEC_PPI_PPI; > + > +/** > + This interface re-installs PPIs installed in SecCore from a post-memory PEIM. > + > + This is to allow a platform that may not support relocation of SecCore to update the PPI instance to a post-memory > + copy from a PEIM that has been shadowed to permanent memory. > + > + @retval EFI_SUCCESS The SecCore PPIs were re-installed successfully. > + @retval Others An error occurred re-installing the SecCore PPIs. > + > +**/ > +typedef > +EFI_STATUS > +(EFIAPI *REPUBLISH_SEC_PPI_REPUBLISH_SEC_PPIS)( > + VOID > + ); > + > +/// > +/// > +/// > +struct _REPUBLISH_SEC_PPI_PPI { > + REPUBLISH_SEC_PPI_REPUBLISH_SEC_PPIS RepublishSecPpis; > +}; > + > +extern EFI_GUID gRepublishSecPpiPpiGuid; > + > +#endif > diff --git a/UefiCpuPkg/SecCore/SecCore.inf b/UefiCpuPkg/SecCore/SecCore.inf > index 0562820c95e0..545781d6b4b3 100644 > --- a/UefiCpuPkg/SecCore/SecCore.inf > +++ b/UefiCpuPkg/SecCore/SecCore.inf > @@ -68,6 +68,8 @@ [Ppis] > ## SOMETIMES_CONSUMES > gPeiSecPerformancePpiGuid > gEfiPeiCoreFvLocationPpiGuid > + ## CONSUMES > + gRepublishSecPpiPpiGuid > > [Guids] > ## SOMETIMES_PRODUCES ## HOB > diff --git a/UefiCpuPkg/SecCore/SecMain.c b/UefiCpuPkg/SecCore/SecMain.c > index 5d5e7f17dced..155be49a6011 100644 > --- a/UefiCpuPkg/SecCore/SecMain.c > +++ b/UefiCpuPkg/SecCore/SecMain.c > @@ -370,13 +370,35 @@ SecTemporaryRamDone ( > VOID > ) > { > - BOOLEAN State; > + EFI_STATUS Status; > + EFI_STATUS Status2; > + UINTN Index; > + BOOLEAN State; > + EFI_PEI_PPI_DESCRIPTOR *PeiPpiDescriptor; > + REPUBLISH_SEC_PPI_PPI *RepublishSecPpiPpi; > > // > // Republish Sec Platform Information(2) PPI > // > RepublishSecPlatformInformationPpi (); > > + // > + // Re-install SEC PPIs using a PEIM produced service if published > + // > + for (Index = 0, Status = EFI_SUCCESS; Status == EFI_SUCCESS; Index++) { > + Status = PeiServicesLocatePpi ( > + &gRepublishSecPpiPpiGuid, > + Index, > + &PeiPpiDescriptor, > + (VOID **) &RepublishSecPpiPpi > + ); > + if (!EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Calling RepublishSecPpi instance %d.\n", Index)); > + Status2 = RepublishSecPpiPpi->RepublishSecPpis (); > + ASSERT_EFI_ERROR (Status2); > + } > + } > + > // > // Migrate DebugAgentContext. > // > @@ -385,7 +407,7 @@ SecTemporaryRamDone ( > // > // Disable interrupts and save current interrupt state > // > - State = SaveAndDisableInterrupts(); > + State = SaveAndDisableInterrupts (); > > // > // Disable Temporary RAM after Stack and Heap have been migrated at this point. > diff --git a/UefiCpuPkg/SecCore/SecMain.h b/UefiCpuPkg/SecCore/SecMain.h > index e8c05d713668..e20bcf86532c 100644 > --- a/UefiCpuPkg/SecCore/SecMain.h > +++ b/UefiCpuPkg/SecCore/SecMain.h > @@ -15,6 +15,7 @@ > #include > #include > #include > +#include > > #include > > diff --git a/UefiCpuPkg/SecMigrationPei/SecMigrationPei.c b/UefiCpuPkg/SecMigrationPei/SecMigrationPei.c > new file mode 100644 > index 000000000000..f96013b09b21 > --- /dev/null > +++ b/UefiCpuPkg/SecMigrationPei/SecMigrationPei.c > @@ -0,0 +1,372 @@ > +/** @file > + Migrates SEC structures after permanent memory is installed. > + > + Copyright (c) 2020, Intel Corporation. All rights reserved.
> + SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > +#include > + > +#include > +#include > +#include > +#include > +#include > +#include > +#include > + > +#include "SecMigrationPei.h" > + > +STATIC REPUBLISH_SEC_PPI_PPI mEdkiiRepublishSecPpiPpi = { > + RepublishSecPpis > + }; > + > +GLOBAL_REMOVE_IF_UNREFERENCED EFI_SEC_PLATFORM_INFORMATION_PPI mSecPlatformInformationPostMemoryPpi = { > + SecPlatformInformationPostMemory > + }; > + > + > +GLOBAL_REMOVE_IF_UNREFERENCED EFI_PEI_TEMPORARY_RAM_DONE_PPI mSecTemporaryRamDonePostMemoryPpi = { > + SecTemporaryRamDonePostMemory > + }; > + > +GLOBAL_REMOVE_IF_UNREFERENCED EFI_PEI_TEMPORARY_RAM_SUPPORT_PPI mSecTemporaryRamSupportPostMemoryPpi = { > + SecTemporaryRamSupportPostMemory > + }; > + > +GLOBAL_REMOVE_IF_UNREFERENCED PEI_SEC_PERFORMANCE_PPI mSecPerformancePpi = { > + GetPerformancePostMemory > + }; > + > +STATIC EFI_PEI_PPI_DESCRIPTOR mEdkiiRepublishSecPpiDescriptor = { > + (EFI_PEI_PPI_DESCRIPTOR_PPI | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST), > + &gRepublishSecPpiPpiGuid, > + &mEdkiiRepublishSecPpiPpi > + }; > + > +GLOBAL_REMOVE_IF_UNREFERENCED EFI_PEI_PPI_DESCRIPTOR mSecPlatformInformationPostMemoryDescriptor = { > + (EFI_PEI_PPI_DESCRIPTOR_PPI | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST), > + &gEfiSecPlatformInformationPpiGuid, > + &mSecPlatformInformationPostMemoryPpi > + }; > + > +GLOBAL_REMOVE_IF_UNREFERENCED EFI_PEI_PPI_DESCRIPTOR mSecTemporaryRamDonePostMemoryDescriptor = { > + (EFI_PEI_PPI_DESCRIPTOR_PPI | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST), > + &gEfiTemporaryRamDonePpiGuid, > + &mSecTemporaryRamDonePostMemoryPpi > + }; > + > +GLOBAL_REMOVE_IF_UNREFERENCED EFI_PEI_PPI_DESCRIPTOR mSecTemporaryRamSupportPostMemoryDescriptor = { > + (EFI_PEI_PPI_DESCRIPTOR_PPI | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST), > + &gEfiTemporaryRamSupportPpiGuid, > + &mSecTemporaryRamSupportPostMemoryPpi > + }; > + > +GLOBAL_REMOVE_IF_UNREFERENCED EFI_PEI_PPI_DESCRIPTOR mSecPerformancePpiDescriptor = { > + (EFI_PEI_PPI_DESCRIPTOR_PPI | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST), > + &gPeiSecPerformancePpiGuid, > + &mSecPerformancePpi > + }; > + > +/** > + Disables the use of Temporary RAM. > + > + If present, this service is invoked by the PEI Foundation after > + the EFI_PEI_PERMANANT_MEMORY_INSTALLED_PPI is installed. > + > + @retval EFI_SUCCESS Use of Temporary RAM was disabled. > + @retval EFI_INVALID_PARAMETER Temporary RAM could not be disabled. > + > +**/ > +EFI_STATUS > +EFIAPI > +SecTemporaryRamDonePostMemory ( > + VOID > + ) > +{ > + // > + // Temporary RAM Done is already done in post-memory > + // install a stub function that is located in permanent memory > + // > + return EFI_SUCCESS; > +} > + > +/** > + This service of the EFI_PEI_TEMPORARY_RAM_SUPPORT_PPI that migrates temporary RAM into > + permanent memory. > + > + @param PeiServices Pointer to the PEI Services Table. > + @param TemporaryMemoryBase Source Address in temporary memory from which the SEC or PEIM will copy the > + Temporary RAM contents. > + @param PermanentMemoryBase Destination Address in permanent memory into which the SEC or PEIM will copy the > + Temporary RAM contents. > + @param CopySize Amount of memory to migrate from temporary to permanent memory. > + > + @retval EFI_SUCCESS The data was successfully returned. > + @retval EFI_INVALID_PARAMETER PermanentMemoryBase + CopySize > TemporaryMemoryBase when > + TemporaryMemoryBase > PermanentMemoryBase. > + > +**/ > +EFI_STATUS > +EFIAPI > +SecTemporaryRamSupportPostMemory ( > + IN CONST EFI_PEI_SERVICES **PeiServices, > + IN EFI_PHYSICAL_ADDRESS TemporaryMemoryBase, > + IN EFI_PHYSICAL_ADDRESS PermanentMemoryBase, > + IN UINTN CopySize > + ) > +{ > + // > + // Temporary RAM Support is already done in post-memory > + // install a stub function that is located in permanent memory > + // > + return EFI_SUCCESS; > +} > + > +/** > + This interface conveys performance information out of the Security (SEC) phase into PEI. > + > + This service is published by the SEC phase. The SEC phase handoff has an optional > + EFI_PEI_PPI_DESCRIPTOR list as its final argument when control is passed from SEC into the > + PEI Foundation. As such, if the platform supports collecting performance data in SEC, > + this information is encapsulated into the data structure abstracted by this service. > + This information is collected for the boot-strap processor (BSP) on IA-32. > + > + @param[in] PeiServices The pointer to the PEI Services Table. > + @param[in] This The pointer to this instance of the PEI_SEC_PERFORMANCE_PPI. > + @param[out] Performance The pointer to performance data collected in SEC phase. > + > + @retval EFI_SUCCESS The performance data was successfully returned. > + > +**/ > +EFI_STATUS > +EFIAPI > +GetPerformancePostMemory ( > + IN CONST EFI_PEI_SERVICES **PeiServices, > + IN PEI_SEC_PERFORMANCE_PPI *This, > + OUT FIRMWARE_SEC_PERFORMANCE *Performance > + ) > +{ > + SEC_PLATFORM_INFORMATION_CONTEXT_HOB *SecPlatformInformationContexHob; > + > + if (This == NULL || Performance == NULL) { > + return EFI_INVALID_PARAMETER; > + } > + > + SecPlatformInformationContexHob = GetFirstGuidHob (&gEfiCallerIdGuid); > + if (SecPlatformInformationContexHob == NULL) { > + return EFI_NOT_FOUND; > + } > + > + Performance->ResetEnd = SecPlatformInformationContexHob->FirmwareSecPerformance.ResetEnd; > + > + return EFI_SUCCESS; > +} > + > +/** > + This interface conveys state information out of the Security (SEC) phase into PEI. > + > + @param[in] PeiServices Pointer to the PEI Services Table. > + @param[in,out] StructureSize Pointer to the variable describing size of the input buffer. > + @param[out] PlatformInformationRecord Pointer to the EFI_SEC_PLATFORM_INFORMATION_RECORD. > + > + @retval EFI_SUCCESS The data was successfully returned. > + @retval EFI_BUFFER_TOO_SMALL The buffer was too small. > + > +**/ > +EFI_STATUS > +EFIAPI > +SecPlatformInformationPostMemory ( > + IN CONST EFI_PEI_SERVICES **PeiServices, > + IN OUT UINT64 *StructureSize, > + OUT EFI_SEC_PLATFORM_INFORMATION_RECORD *PlatformInformationRecord > + ) > +{ > + SEC_PLATFORM_INFORMATION_CONTEXT_HOB *SecPlatformInformationContexHob; > + > + if (StructureSize == NULL) { > + return EFI_INVALID_PARAMETER; > + } > + > + SecPlatformInformationContexHob = GetFirstGuidHob (&gEfiCallerIdGuid); > + if (SecPlatformInformationContexHob == NULL) { > + return EFI_NOT_FOUND; > + } > + > + if (*StructureSize < SecPlatformInformationContexHob->Context.StructureSize) { > + *StructureSize = SecPlatformInformationContexHob->Context.StructureSize; > + return EFI_BUFFER_TOO_SMALL; > + } > + > + if (PlatformInformationRecord == NULL) { > + return EFI_INVALID_PARAMETER; > + } > + > + *StructureSize = SecPlatformInformationContexHob->Context.StructureSize; > + CopyMem ( > + (VOID *) PlatformInformationRecord, > + (VOID *) SecPlatformInformationContexHob->Context.PlatformInformationRecord, > + (UINTN) SecPlatformInformationContexHob->Context.StructureSize > + ); > + > + return EFI_SUCCESS; > +} > + > +/** > + This interface re-installs PPIs installed in SecCore from a post-memory PEIM. > + > + This is to allow a platform that may not support relocation of SecCore to update the PPI instance to a post-memory > + copy from a PEIM that has been shadowed to permanent memory. > + > + @retval EFI_SUCCESS The SecCore PPIs were re-installed successfully. > + @retval Others An error occurred re-installing the SecCore PPIs. > + > +**/ > +EFI_STATUS > +EFIAPI > +RepublishSecPpis ( > + VOID > + ) > +{ > + EFI_STATUS Status; > + EFI_PEI_PPI_DESCRIPTOR *PeiPpiDescriptor; > + VOID *PeiPpi; > + SEC_PLATFORM_INFORMATION_CONTEXT_HOB *SecPlatformInformationContextHob; > + EFI_SEC_PLATFORM_INFORMATION_RECORD *SecPlatformInformationPtr; > + UINT64 SecStructureSize; > + > + SecPlatformInformationPtr = NULL; > + SecStructureSize = 0; > + > + Status = PeiServicesLocatePpi ( > + &gEfiTemporaryRamDonePpiGuid, > + 0, > + &PeiPpiDescriptor, > + (VOID **) &PeiPpi > + ); > + if (!EFI_ERROR (Status)) { > + Status = PeiServicesReInstallPpi ( > + PeiPpiDescriptor, > + &mSecTemporaryRamDonePostMemoryDescriptor > + ); > + ASSERT_EFI_ERROR (Status); > + } > + > + Status = PeiServicesLocatePpi ( > + &gEfiTemporaryRamSupportPpiGuid, > + 0, > + &PeiPpiDescriptor, > + (VOID **) &PeiPpi > + ); > + if (!EFI_ERROR (Status)) { > + Status = PeiServicesReInstallPpi ( > + PeiPpiDescriptor, > + &mSecTemporaryRamSupportPostMemoryDescriptor > + ); > + ASSERT_EFI_ERROR (Status); > + } > + > + Status = PeiServicesCreateHob ( > + EFI_HOB_TYPE_GUID_EXTENSION, > + sizeof (SEC_PLATFORM_INFORMATION_CONTEXT_HOB), > + (VOID **) &SecPlatformInformationContextHob > + ); > + ASSERT_EFI_ERROR (Status); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "SecPlatformInformation Context HOB could not be created.\n")); > + return Status; > + } > + > + SecPlatformInformationContextHob->Header.Name = gEfiCallerIdGuid; > + SecPlatformInformationContextHob->Revision = 1; > + > + Status = PeiServicesLocatePpi ( > + &gPeiSecPerformancePpiGuid, > + 0, > + &PeiPpiDescriptor, > + (VOID **) &PeiPpi > + ); > + if (!EFI_ERROR (Status)) { > + Status = ((PEI_SEC_PERFORMANCE_PPI *) PeiPpi)->GetPerformance ( > + GetPeiServicesTablePointer (), > + (PEI_SEC_PERFORMANCE_PPI *) PeiPpi, > + &SecPlatformInformationContextHob->FirmwareSecPerformance > + ); > + ASSERT_EFI_ERROR (Status); > + if (!EFI_ERROR (Status)) { > + Status = PeiServicesReInstallPpi ( > + PeiPpiDescriptor, > + &mSecPerformancePpiDescriptor > + ); > + ASSERT_EFI_ERROR (Status); > + } > + } > + > + Status = PeiServicesLocatePpi ( > + &gEfiSecPlatformInformationPpiGuid, > + 0, > + &PeiPpiDescriptor, > + (VOID **) &PeiPpi > + ); > + if (!EFI_ERROR (Status)) { > + Status = ((EFI_SEC_PLATFORM_INFORMATION_PPI *) PeiPpi)->PlatformInformation ( > + GetPeiServicesTablePointer (), > + &SecStructureSize, > + SecPlatformInformationPtr > + ); > + ASSERT (Status == EFI_BUFFER_TOO_SMALL); > + if (Status != EFI_BUFFER_TOO_SMALL) { > + return EFI_NOT_FOUND; > + } > + > + ZeroMem ((VOID *) &(SecPlatformInformationContextHob->Context), sizeof (SEC_PLATFORM_INFORMATION_CONTEXT)); > + SecPlatformInformationContextHob->Context.PlatformInformationRecord = AllocatePool ((UINTN) SecStructureSize); > + ASSERT (SecPlatformInformationContextHob->Context.PlatformInformationRecord != NULL); > + if (SecPlatformInformationContextHob->Context.PlatformInformationRecord == NULL) { > + return EFI_OUT_OF_RESOURCES; > + } > + SecPlatformInformationContextHob->Context.StructureSize = SecStructureSize; > + > + Status = ((EFI_SEC_PLATFORM_INFORMATION_PPI *) PeiPpi)->PlatformInformation ( > + GetPeiServicesTablePointer (), > + &(SecPlatformInformationContextHob->Context.StructureSize), > + SecPlatformInformationContextHob->Context.PlatformInformationRecord > + ); > + ASSERT_EFI_ERROR (Status); > + if (!EFI_ERROR (Status)) { > + Status = PeiServicesReInstallPpi ( > + PeiPpiDescriptor, > + &mSecPlatformInformationPostMemoryDescriptor > + ); > + ASSERT_EFI_ERROR (Status); > + } > + } > + > + return EFI_SUCCESS; > +} > + > +/** > + This function is the entry point which installs an instance of REPUBLISH_SEC_PPI_PPI. > + > + @param[in] FileHandle Pointer to image file handle. > + @param[in] PeiServices Pointer to PEI Services Table > + > + @retval EFI_SUCCESS An instance of REPUBLISH_SEC_PPI_PPI was installed successfully. > + @retval Others An error occurred installing and instance of REPUBLISH_SEC_PPI_PPI. > + > +**/ > +EFI_STATUS > +EFIAPI > +SecMigrationPeiInitialize ( > + IN EFI_PEI_FILE_HANDLE FileHandle, > + IN CONST EFI_PEI_SERVICES **PeiServices > + ) > +{ > + EFI_STATUS Status; > + > + Status = PeiServicesInstallPpi (&mEdkiiRepublishSecPpiDescriptor); > + ASSERT_EFI_ERROR (Status); > + > + return Status; > +} > diff --git a/UefiCpuPkg/SecMigrationPei/SecMigrationPei.h b/UefiCpuPkg/SecMigrationPei/SecMigrationPei.h > new file mode 100644 > index 000000000000..372f8044bdb2 > --- /dev/null > +++ b/UefiCpuPkg/SecMigrationPei/SecMigrationPei.h > @@ -0,0 +1,170 @@ > +/** @file > + Migrates SEC structures after permanent memory is installed. > + > + Copyright (c) 2020, Intel Corporation. All rights reserved.
> + SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > +#ifndef __SEC_MIGRATION_H__ > +#define __SEC_MIGRATION_H__ > + > +#include > + > +#include > +#include > +#include > +#include > +#include > +#include > +#include > + > +/** > + This interface conveys state information out of the Security (SEC) phase into PEI. > + > + @param[in] PeiServices Pointer to the PEI Services Table. > + @param[in,out] StructureSize Pointer to the variable describing size of the input buffer. > + @param[out] PlatformInformationRecord Pointer to the EFI_SEC_PLATFORM_INFORMATION_RECORD. > + > + @retval EFI_SUCCESS The data was successfully returned. > + @retval EFI_BUFFER_TOO_SMALL The buffer was too small. > + > +**/ > +EFI_STATUS > +EFIAPI > +SecPlatformInformationPostMemory ( > + IN CONST EFI_PEI_SERVICES **PeiServices, > + IN OUT UINT64 *StructureSize, > + OUT EFI_SEC_PLATFORM_INFORMATION_RECORD *PlatformInformationRecord > + ); > + > +/** > + Re-installs the SEC Platform Information PPIs to implementation in this module to support post-memory. > + > + @param[in] PeiServices An indirect pointer to the EFI_PEI_SERVICES table published by the PEI Foundation. > + @param[in] NotifyDescriptor Address of the notification descriptor data structure. > + @param[in] Ppi Address of the PPI that was installed. > + > + @retval EFI_SUCCESS The SEC Platform Information PPI could not be re-installed. > + @return Others An error occurred during PPI re-install. > + > +**/ > +EFI_STATUS > +EFIAPI > +SecPlatformInformationPpiNotifyCallback ( > + IN EFI_PEI_SERVICES **PeiServices, > + IN EFI_PEI_NOTIFY_DESCRIPTOR *NotifyDescriptor, > + IN VOID *Ppi > + ); > + > +/** > + This interface re-installs PPIs installed in SecCore from a post-memory PEIM. > + > + This is to allow a platform that may not support relocation of SecCore to update the PPI instance to a post-memory > + copy from a PEIM that has been shadowed to permanent memory. > + > + @retval EFI_SUCCESS The SecCore PPIs were re-installed successfully. > + @retval Others An error occurred re-installing the SecCore PPIs. > + > +**/ > +EFI_STATUS > +EFIAPI > +RepublishSecPpis ( > + VOID > + ); > + > +/** > + Disables the use of Temporary RAM. > + > + If present, this service is invoked by the PEI Foundation after > + the EFI_PEI_PERMANANT_MEMORY_INSTALLED_PPI is installed. > + > + @retval EFI_SUCCESS Use of Temporary RAM was disabled. > + @retval EFI_INVALID_PARAMETER Temporary RAM could not be disabled. > + > +**/ > +EFI_STATUS > +EFIAPI > +SecTemporaryRamDonePostMemory ( > + VOID > + ); > + > +/** > + This service of the EFI_PEI_TEMPORARY_RAM_SUPPORT_PPI that migrates temporary RAM into > + permanent memory. > + > + @param PeiServices Pointer to the PEI Services Table. > + @param TemporaryMemoryBase Source Address in temporary memory from which the SEC or PEIM will copy the > + Temporary RAM contents. > + @param PermanentMemoryBase Destination Address in permanent memory into which the SEC or PEIM will copy the > + Temporary RAM contents. > + @param CopySize Amount of memory to migrate from temporary to permanent memory. > + > + @retval EFI_SUCCESS The data was successfully returned. > + @retval EFI_INVALID_PARAMETER PermanentMemoryBase + CopySize > TemporaryMemoryBase when > + TemporaryMemoryBase > PermanentMemoryBase. > + > +**/ > +EFI_STATUS > +EFIAPI > +SecTemporaryRamSupportPostMemory ( > + IN CONST EFI_PEI_SERVICES **PeiServices, > + IN EFI_PHYSICAL_ADDRESS TemporaryMemoryBase, > + IN EFI_PHYSICAL_ADDRESS PermanentMemoryBase, > + IN UINTN CopySize > + ); > + > +/** > + This interface conveys performance information out of the Security (SEC) phase into PEI. > + > + This service is published by the SEC phase. The SEC phase handoff has an optional > + EFI_PEI_PPI_DESCRIPTOR list as its final argument when control is passed from SEC into the > + PEI Foundation. As such, if the platform supports collecting performance data in SEC, > + this information is encapsulated into the data structure abstracted by this service. > + This information is collected for the boot-strap processor (BSP) on IA-32. > + > + @param[in] PeiServices The pointer to the PEI Services Table. > + @param[in] This The pointer to this instance of the PEI_SEC_PERFORMANCE_PPI. > + @param[out] Performance The pointer to performance data collected in SEC phase. > + > + @retval EFI_SUCCESS The performance data was successfully returned. > + > +**/ > +EFI_STATUS > +EFIAPI > +GetPerformancePostMemory ( > + IN CONST EFI_PEI_SERVICES **PeiServices, > + IN PEI_SEC_PERFORMANCE_PPI *This, > + OUT FIRMWARE_SEC_PERFORMANCE *Performance > + ); > + > +// /** > +// Disables the use of Temporary RAM. > + > +// If present, this service is invoked by the PEI Foundation after > +// the EFI_PEI_PERMANANT_MEMORY_INSTALLED_PPI is installed. > + > +// @retval EFI_SUCCESS Use of Temporary RAM was disabled. > +// @retval EFI_INVALID_PARAMETER Temporary RAM could not be disabled. > + > +// **/ > +// EFI_STATUS > +// EFIAPI > +// SecTemporaryRamDonePostMemory ( > +// VOID > +// ); > + > +typedef struct { > + UINT64 StructureSize; > + EFI_SEC_PLATFORM_INFORMATION_RECORD *PlatformInformationRecord; > +} SEC_PLATFORM_INFORMATION_CONTEXT; > + > +typedef struct { > + EFI_HOB_GUID_TYPE Header; > + UINT8 Revision; > + UINT8 Reserved[3]; > + FIRMWARE_SEC_PERFORMANCE FirmwareSecPerformance; > + SEC_PLATFORM_INFORMATION_CONTEXT Context; > +} SEC_PLATFORM_INFORMATION_CONTEXT_HOB; > + > +#endif > diff --git a/UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf b/UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf > new file mode 100644 > index 000000000000..e29c04710941 > --- /dev/null > +++ b/UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf > @@ -0,0 +1,64 @@ > +## @file > +# Migrates SEC structures after permanent memory is installed. > +# > +# Copyright (c) 2019, Intel Corporation. All rights reserved.
> +# SPDX-License-Identifier: BSD-2-Clause-Patent > +# > +## > + > +[Defines] > + INF_VERSION = 0x00010005 > + BASE_NAME = SecMigrationPei > + MODULE_UNI_FILE = SecMigrationPei.uni > + FILE_GUID = 58B35361-8922-41BC-B313-EF7ED9ADFDF7 > + MODULE_TYPE = PEIM > + VERSION_STRING = 1.0 > + ENTRY_POINT = SecMigrationPeiInitialize > + > +# > +# The following information is for reference only and not required by the build tools. > +# > +# VALID_ARCHITECTURES = IA32 X64 EBC > +# > + > +[Sources] > + SecMigrationPei.c > + > +[Packages] > + MdePkg/MdePkg.dec > + MdeModulePkg/MdeModulePkg.dec > + UefiCpuPkg/UefiCpuPkg.dec > + > +[LibraryClasses] > + BaseLib > + BaseMemoryLib > + DebugLib > + HobLib > + MemoryAllocationLib > + PeimEntryPoint > + PeiServicesLib > + PeiServicesTablePointerLib > + > +[Ppis] > + ## PRODUCES > + gRepublishSecPpiPpiGuid > + > + ## SOMETIMES_PRODUCES > + gEfiTemporaryRamDonePpiGuid > + > + ## SOMETIME_PRODUCES > + gEfiTemporaryRamSupportPpiGuid > + > + ## SOMETIMES_PRODUCES > + gPeiSecPerformancePpiGuid > + > + ## SOMETIMES_CONSUMES > + ## PRODUCES > + gEfiSecPlatformInformationPpiGuid > + > + ## SOMETIMES_CONSUMES > + ## SOMETIMES_PRODUCES > + gEfiSecPlatformInformation2PpiGuid > + > +[Depex] > + TRUE > diff --git a/UefiCpuPkg/SecMigrationPei/SecMigrationPei.uni b/UefiCpuPkg/SecMigrationPei/SecMigrationPei.uni > new file mode 100644 > index 000000000000..62c2064ba217 > --- /dev/null > +++ b/UefiCpuPkg/SecMigrationPei/SecMigrationPei.uni > @@ -0,0 +1,13 @@ > +// /** @file > +// Migrates SEC structures after permanent memory is installed. > +// > +// Copyright (c) 2019, Intel Corporation. All rights reserved.
> +// SPDX-License-Identifier: BSD-2-Clause-Patent > +// > +// **/ > + > + > +#string STR_MODULE_ABSTRACT #language en-US "Migrates SEC structures after permanent memory is installed" > + > +#string STR_MODULE_DESCRIPTION #language en-US "Migrates SEC structures after permanent memory is installed." > + > diff --git a/UefiCpuPkg/UefiCpuPkg.dec b/UefiCpuPkg/UefiCpuPkg.dec > index 762badf5d239..0a005bd20311 100644 > --- a/UefiCpuPkg/UefiCpuPkg.dec > +++ b/UefiCpuPkg/UefiCpuPkg.dec > @@ -66,6 +66,10 @@ [Guids] > ## Include/Guid/MicrocodePatchHob.h > gEdkiiMicrocodePatchHobGuid = { 0xd178f11d, 0x8716, 0x418e, { 0xa1, 0x31, 0x96, 0x7d, 0x2a, 0xc4, 0x28, 0x43 }} > > +[Ppis] > + ## Include/Ppi/RepublishSecPpi.h > + gRepublishSecPpiPpiGuid = { 0x27a71b1e, 0x73ee, 0x43d6, { 0xac, 0xe3, 0x52, 0x1a, 0x2d, 0xc5, 0xd0, 0x92 }} > + > [Protocols] > ## Include/Protocol/SmmCpuService.h > gEfiSmmCpuServiceProtocolGuid = { 0x1d202cab, 0xc8ab, 0x4d5c, { 0x94, 0xf7, 0x3c, 0xfc, 0xc0, 0xd3, 0xd3, 0x35 }} > diff --git a/UefiCpuPkg/UefiCpuPkg.dsc b/UefiCpuPkg/UefiCpuPkg.dsc > index afa304128221..964720048dd7 100644 > --- a/UefiCpuPkg/UefiCpuPkg.dsc > +++ b/UefiCpuPkg/UefiCpuPkg.dsc > @@ -146,6 +146,7 @@ [Components.IA32, Components.X64] > UefiCpuPkg/PiSmmCommunication/PiSmmCommunicationPei.inf > UefiCpuPkg/PiSmmCommunication/PiSmmCommunicationSmm.inf > UefiCpuPkg/SecCore/SecCore.inf > + UefiCpuPkg/SecMigrationPei/SecMigrationPei.inf > UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.inf > UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.inf { > >