From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by mx.groups.io with SMTP id smtpd.web11.363.1686262666471492454 for ; Thu, 08 Jun 2023 15:17:46 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=tVSv8SD6; spf=pass (domain: kernel.org, ip: 139.178.84.217, mailfrom: ardb@kernel.org) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id E81E965157 for ; Thu, 8 Jun 2023 22:17:45 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 53DE2C4339E for ; Thu, 8 Jun 2023 22:17:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1686262665; bh=e3AQMT4QgMW3ANFEpVIU5J/hb63KtJq0HTZfLLbz96s=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=tVSv8SD6093msxvIca862ZuElJN7i3XHxyTOaLBaQXOTOhIZIOvWnukUO/9r3dSGu XtBIdauo4uF7YynenKDsrv3iWFILpJZas8GYWcAqlens4ixe8ztfTq2TILbjO7Y2/z KgUX1QFn6ureocT4+Jiz+xhKnXeiN8AAQw0z/jiKP3rgiiAKX4HyhZRN+XfuHVzT6y NnD6h1K6MVjyUyabRr1z1QTsBAXatD+d41YkER4vK0rkFWxhVgoOnuATaKM/2/xTg8 wW7Yvyn9RRFgRNRdtXZUQgFceRuCBmDRmYCLRhpcr0B5R5WvmPyr39Z3D9W20KNl92 BoajCZoZ9VctA== Received: by mail-lj1-f180.google.com with SMTP id 38308e7fff4ca-2b1a6a8e851so11381161fa.2 for ; Thu, 08 Jun 2023 15:17:45 -0700 (PDT) X-Gm-Message-State: AC+VfDxQOVHSkH2wLG5ek5ShAIoq1I/ofnKggLSVS4U/NtJU4yBvewQL LaeWupNa4zAqbKznvgiKI8imapAK73XUKRMutSw= X-Google-Smtp-Source: ACHHUZ7tZ+vPAIWFLQmATo5wa3VK0R1NGoLgCOkMyVi0z8kB62GAXlCtSXBrvA8X3Csk0xG1jv5qIbQFT3lAePCL9OE= X-Received: by 2002:a2e:3809:0:b0:2af:3147:86c8 with SMTP id f9-20020a2e3809000000b002af314786c8mr4450lja.16.1686262663407; Thu, 08 Jun 2023 15:17:43 -0700 (PDT) MIME-Version: 1.0 References: <20230608172323.9096-1-ardb@kernel.org> <20230608172323.9096-3-ardb@kernel.org> <90e33c93-8965-dd26-15ed-8f6f2c5c3745@linux.microsoft.com> <7f309bc4-5900-491e-c526-3ab04e23e947@linux.microsoft.com> In-Reply-To: <7f309bc4-5900-491e-c526-3ab04e23e947@linux.microsoft.com> From: "Ard Biesheuvel" Date: Fri, 9 Jun 2023 00:17:31 +0200 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [edk2-devel] [PATCH 2/2] UefiCpuPkg/CpuMpPei X64: Reallocate page tables in permanent DRAM To: Michael Kubacki Cc: devel@edk2.groups.io, spbrogan@outlook.com, Oliver Smith-Denny , Ray Ni , Jiewen Yao , Gerd Hoffmann , Taylor Beebe , Oliver Smith-Denny , Dandan Bi , Dun Tan , Liming Gao , "Kinney, Michael D" , Eric Dong , Rahul Kumar , Kun Qin Content-Type: text/plain; charset="UTF-8" On Thu, 8 Jun 2023 at 21:32, Michael Kubacki wrote: > > I think Sean's point aligns more closely with traditional PI boot phase > separation goals. Btw, in the project we discussed, this issue was meant > to capture the DXE memory protection init dependencies - > https://github.com/tianocore/edk2/issues/4502 if someone would like to > update that at some point. > Yeah, I think that makes sense. But the current status quo (on X64) is to remove *all* protections when handing over to DXE, and so dropping that and running with whatever PEI left behind is hardly going to be worse. (and this is what we do on ARM) But I agree that it makes sense for these manipulations to be scoped. So we might manage a separate set of shadow page tables in the CPU PEIM that also produces the memattr PPI, and manipulations can apply to the active set only or to both sets (for, e.g., the DXE core, DXE IPL and DXE mode stack). That would at least permit use to drop the current kludge in DxeIpl, which only knows how to create an unrestricted 1:1 mapping of the entire address space, with 1x a NX mapping (for the stack) and 1x a non-encrypted mapping (for the GHCB page on confidential VMs). It also provides a better basis for architectures to carry their own specific logic for this, instead of having a subdirectory for each arch under DxeIpl/ > On 6/8/2023 2:27 PM, Sean wrote: > > On 6/8/2023 10:48 AM, Ard Biesheuvel wrote: > >> On Thu, 8 Jun 2023 at 19:39, Oliver Smith-Denny > >> wrote: > >>> On 6/8/2023 10:23 AM, Ard Biesheuvel wrote: > >>>> Currently, we rely on the logic in DXE IPL to create new page tables > >>>> from scratch when executing in X64 mode, which means that we run with > >>>> the initial page tables all throughout PEI, and never enable > >>>> protections > >>>> such as the CPU stack guard, even though the logic is already in place > >>>> for IA32. > >>>> > >>>> So let's enable the existing logic for X64 as well. This will permit us > >>>> to apply stricter memory permissions to code and data allocations, as > >>>> well as the stack, when executing in PEI. It also makes the DxeIpl > >>>> logic > >>>> redundant, and should allow us to make the PcdDxeIplBuildPageTables > >>>> feature PCD limited to IA32 DxeIpl loading the x64 DXE core. > >>>> > >>>> When running in long mode, use the same logic that DxeIpl uses to > >>>> determine the size of the address space, whether or not to use 1 GB > >>>> leaf > >>>> entries and whether or not to use 5 level paging. Note that in long > >>>> mode, PEI is entered with paging enabled, and given that switching > >>>> between 4 and 5 levels of paging is not currently supported without > >>>> dropping out of 64-bit mode temporarily, all we can do is carry on > >>>> without changing the number of levels. > >>>> > >>> I certainly agree with extending the ability to have memory protections > >>> in PEI (and trying to unify across x86 and ARM (and beyond :)). > >>> > >>> A few things I am trying to understand: > >>> > >>> Does ARM today rebuild the page table in DxeIpl? Or is it using an > >>> earlier built page table? > >>> > >> No. Most platforms run without any page tables until the permanent > >> memory is installed, at which point it essentially maps what the > >> platform describes as device memory and as normal memory. > >> > >> > >>> If I understand your proposal correctly, with the addition of this > >>> patch, you are suggesting we can drop creating new page tables in DxeIpl > >>> and use only one page table throughout. > >> Yes. > >> > >>> Again, I like the idea of having > >>> mapped memory protections that continue through, but do you have > >>> concerns that we may end up with garbage from PEI in DXE in the page > >>> table? For OEMs, they may not control PEI and therefore be at the whim > >>> of another's PEI page table. Would you envision the GCD gets built from > >>> the existing page table or that the GCD gets built according to resource > >>> descriptor HOBs and DxeCore ensures that the page table reflects what > >>> the HOBs indicated? > >>> > >> If there is a reason to start with a clean slate when DxeIpl hands > >> over to DXE core, I'd prefer that to be a conscious decision rather > >> than a consequence of the X64 vs IA32 legacy. > >> > >> I think you can make a case for priming the GCD map based on resource > >> descriptors rather than current mappings, with the exception of DXE > >> core itself and the DXE mode stack. But I'd like to understand better > >> what we think might be wrong with the page tables as PEI leaves them. > > > > > > On many platforms there are different "owners" for these different parts > > of firmware code. The PEI phase is a place where the Silicon vendor and > > Platform teams must work together. The Dxe Phase may have a different > > set of partners. Industry trends definitely show more silicon vendor > > driven diversity in the PEI phase of the boot process and with this > > diversity it is much harder to make solid assumptions about the > > execution environment. We have also discussed in the past meeting that > > PEI should be configurable using different solutions given it isn't a > > place where unknown 3rd party compatibility is critical. This means > > that PEI might have different requirements than DXE and thus the > > configuration inherited from PEI may not be compliant. Additionally, the > > code and driver mappings from PEI phase should not be relevant in DXE. > > Even with the same architecture being used these are different execution > > phases with different constructs. Keeping the PEI code mapped will only > > lead to additional security and correctness challenges. Finally, as an > > overarching theme of this project we have suggested we should not be > > coupling the various phases, their requirements, and their assumptions > > together. You could just as easily apply this to DXE and SMM/MM. These > > are all independent execution environments and the more we can provide > > simplification and consistency the better our chances are of getting > > correct implementations across the ecosystem. > > > >> > >> > >> > >> > >> > > > > > > > >