public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>,
	"lersek@redhat.com" <lersek@redhat.com>,
	"vanjeff_919@hotmail.com" <vanjeff_919@hotmail.com>,
	"Dong, Eric" <eric.dong@intel.com>, "Ni, Ray" <ray.ni@intel.com>
Cc: "Lou, Yun" <yun.lou@intel.com>
Subject: Re: 回复: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for CR3/GDT/IDT.
Date: Sat, 5 Sep 2020 12:30:48 +0000	[thread overview]
Message-ID: <CY4PR11MB1288E41650A6B29CF6E6F9E08C2A0@CY4PR11MB1288.namprd11.prod.outlook.com> (raw)
In-Reply-To: <ecf196b9-e13c-fc84-950b-b185a3281c7f@redhat.com>

Thank you Laszlo.

Eric and I communicated with internal team. They understand that CPU is the only owner of the CPU state (CR3/DGT/IDT) and MP_SERVICE_PROTOCOL. Then we agree that the original test is invalid.

As conclusion, we can withdraw this patch and close the Bugzilla with "not a defect". 😊

Thank you
Yao Jiewen

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Laszlo Ersek
> Sent: Friday, September 4, 2020 4:37 PM
> To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io;
> vanjeff_919@hotmail.com; Dong, Eric <eric.dong@intel.com>; Ni, Ray
> <ray.ni@intel.com>
> Cc: Lou, Yun <yun.lou@intel.com>
> Subject: Re: 回复: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for
> CR3/GDT/IDT.
> 
> On 09/04/20 10:06, Yao, Jiewen wrote:
> > When we say “validate”, we need get clear on what is the contract between
> caller and callee, and what is the expectation of the validation.
> >
> > For example, in this case, the validation is limited to 4G or not 4G. Why?
> > This function does not verify following, why?
> >
> >   1.  if the GDT table is valid.
> >   2.  if the IDT table is valid
> >   3.  if the exception handler is valid
> >   4.  if the timer handler still works
> >   5.  if the page table is valid
> >   6.  if the page table is 1:1 mapping
> >   7.  if the page table still enforce the expected protection, such as RO, NX
> >   8.  ……
> 
> Yes, very good point; it has crossed my mind before too. The currently
> proposed checks verify the CR3 (but not the end of the root page
> directory). They also don't try to walk the whole forest of page tables
> and check every entry against 4GB (or, as you say, for 1:1 mapping). The
> check covers the GDT and the IDT, but not the GDT and IDT entries
> (segment granularity? direction of growth?)
> 
> I'm OK with the proposed rudimentary checks because in my mind they are
> supposed to catch only one idiosyncratic UEFI application.
> 
> > If an application creates a crazy state, CpuDxe may pass the validation with
> below 4G page table, but still fail to wake up APs.
> 
> Yes, absolutely.
> 
> >
> > If it is the app’s responsibility to ensure the system in good state, the
> validation is unnecessary.
> > If it is the CpuDxe’s responsibility to ensure the system in good state, the
> validation is insufficient.
> 
> Agreed on both counts.
> 
> I'm just under the impression that Eric has some internal use case that
> doesn't let him fix the application -- or maybe there's no time left for
> them for fixing the application.
> 
> >
> > I think we should wait. I am working with Eric to collect the requirement on
> why test case is designed in this way.
> 
> Sounds good, thanks!
> 
> >
> > DebugAgentDxe is a good case. It is for debug purpose.
> > I believe there must be contract between CPU driver and DebugAgentDxe that
> which status DebugAgentDxe may modify and which state DebugAgentDxe may
> not.
> > It is DebugAgentDxe’s responsibility to ensure the new system state is correct
> and compatible with the CPU driver.
> 
> Agreed 100%
> 
> > With the contract, I don’t think CPU driver need validate the system state
> changed by DebugAgentDxe.
> > If DebugAgentDxe put system in a wrong state, CPUDriver has no chance to
> run.
> 
> Agreed again.
> 
> Thanks
> Laszlo
> 
> 
> 


  reply	other threads:[~2020-09-05 12:30 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-09-03 15:11 [PATCH v2] UefiCpuPkg/MpInitLib: Add check for CR3/GDT/IDT Dong, Eric
2020-09-03 19:00 ` Laszlo Ersek
2020-09-03 19:55   ` Laszlo Ersek
2020-09-04  1:34     ` [edk2-devel] " Ni, Ray
2020-09-04  2:00       ` Dong, Eric
2020-09-04  2:18         ` 回复: " vanjeff_919
2020-09-04  2:27           ` Dong, Eric
2020-09-04  3:09             ` Yao, Jiewen
2020-09-04  6:50               ` Laszlo Ersek
2020-09-04  6:58           ` 回复: " Laszlo Ersek
2020-09-04  7:32             ` 回复: " Fan Jeff
2020-09-04  8:06               ` Yao, Jiewen
2020-09-04  8:36                 ` Laszlo Ersek
2020-09-05 12:30                   ` Yao, Jiewen [this message]
2020-09-05 13:50                     ` Dong, Eric
2020-09-07  9:22                       ` Laszlo Ersek
2020-09-04  8:43                 ` 回复: " Fan Jeff
2020-09-04  8:23               ` Laszlo Ersek
2020-09-04  6:47       ` Laszlo Ersek
2020-09-04  2:00   ` Dong, Eric

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CY4PR11MB1288E41650A6B29CF6E6F9E08C2A0@CY4PR11MB1288.namprd11.prod.outlook.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox