From: "Wu, Jiaxin" <jiaxin.wu@intel.com>
To: "Xie, Yuanhao" <yuanhao.xie@intel.com>,
"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: Liming Gao <gaoliming@byosoft.com.cn>, "Ni, Ray" <ray.ni@intel.com>
Subject: Re: [edk2-devel] [PATCH 3/3] MdeModulePkg: Add Standalone MM Lockbox Driver.
Date: Thu, 9 May 2024 03:42:03 +0000 [thread overview]
Message-ID: <MN0PR11MB6158E4FBCC6AB8513B0ABA08FEE62@MN0PR11MB6158.namprd11.prod.outlook.com> (raw)
In-Reply-To: <20240507060910.1687-4-yuanhao.xie@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
> -----Original Message-----
> From: Xie, Yuanhao <yuanhao.xie@intel.com>
> Sent: Tuesday, May 7, 2024 2:09 PM
> To: devel@edk2.groups.io
> Cc: Liming Gao <gaoliming@byosoft.com.cn>; Wu, Jiaxin
> <jiaxin.wu@intel.com>; Ni, Ray <ray.ni@intel.com>; Xie, Yuanhao
> <yuanhao.xie@intel.com>
> Subject: [PATCH 3/3] MdeModulePkg: Add Standalone MM Lockbox Driver.
>
> The Lockbox Driver allows sensitive data to be securely stored in a
> designated area, thus protected against unauthorized access.
>
> This patch adds a Standalone MM Lockbox Driver with main modifications:
> 1. Separating shared code between the Standalone MM driver and the
> DXE MM Driver.
> 2. Utilizing services from the SMM Services Table (gSmst) as opposed to
> relying on Boot Services.
>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
> Cc: Jiaxin Wu <jiaxin.wu@intel.com>
> Cc: Ray Ni <ray.ni@intel.com>
>
> Signed-off-by: Yuanhao Xie <yuanhao.xie@intel.com>
> ---
> MdeModulePkg/MdeModulePkg.dsc | 1 +
>
> MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneM
> m.c | 84
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> ++++++++++++++++++++++++++
>
> MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneM
> m.inf | 56
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneM
> m.uni | 14 ++++++++++++++
>
> MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneM
> mExtra.uni | 14 ++++++++++++++
> 5 files changed, 169 insertions(+)
>
> diff --git a/MdeModulePkg/MdeModulePkg.dsc
> b/MdeModulePkg/MdeModulePkg.dsc
> index 6bed9205ea..f0f02f180f 100644
> --- a/MdeModulePkg/MdeModulePkg.dsc
> +++ b/MdeModulePkg/MdeModulePkg.dsc
> @@ -500,6 +500,7 @@
>
> MdeModulePkg/Universal/ReportStatusCodeRouter/Smm/ReportStatusCode
> RouterSmm.inf
>
> MdeModulePkg/Universal/ReportStatusCodeRouter/Smm/ReportStatusCode
> RouterStandaloneMm.inf
> MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.inf
> +
> MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneM
> m.inf
>
> MdeModulePkg/Library/SmmMemoryAllocationProfileLib/SmmMemoryAlloc
> ationProfileLib.inf
>
> MdeModulePkg/Library/PiSmmCoreMemoryAllocationLib/PiSmmCoreMemo
> ryAllocationProfileLib.inf
>
> MdeModulePkg/Library/PiSmmCoreMemoryAllocationLib/PiSmmCoreMemo
> ryAllocationLib.inf
> diff --git
> a/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandalone
> Mm.c
> b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandalone
> Mm.c
> new file mode 100644
> index 0000000000..503be7efa8
> --- /dev/null
> +++
> b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandalone
> Mm.c
> @@ -0,0 +1,84 @@
> +/** @file
> + LockBox MM driver.
> +
> +Copyright (c) 2024, Intel Corporation. All rights reserved.<BR>
> +
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include <PiSmm.h>
> +#include <Library/StandaloneMmDriverEntryPoint.h>
> +#include <Library/MmServicesTableLib.h>
> +#include <Library/BaseLib.h>
> +#include <Library/BaseMemoryLib.h>
> +#include <Library/DebugLib.h>
> +#include <Library/StandaloneMmMemLib.h>
> +#include <Library/LockBoxLib.h>
> +
> +#include <Protocol/SmmReadyToLock.h>
> +#include <Protocol/SmmCommunication.h>
> +#include <Protocol/LockBox.h>
> +#include <Guid/SmmLockBox.h>
> +
> +#include "SmmLockBoxCommon.h"
> +
> +/**
> + This function is an abstraction layer for implementation specific Mm buffer
> validation routine.
> +
> + @param Buffer The buffer start address to be checked.
> + @param Length The buffer length to be checked.
> +
> + @retval TRUE This buffer is valid per processor architecture and not overlap
> with SMRAM.
> + @retval FALSE This buffer is not valid per processor architecture or overlap
> with SMRAM.
> +**/
> +BOOLEAN
> +IsBufferOutsideMmValid (
> + IN EFI_PHYSICAL_ADDRESS Buffer,
> + IN UINT64 Length
> + )
> +{
> + return MmIsBufferOutsideMmValid (Buffer, Length);
> +}
> +
> +/**
> + Entry Point for LockBox MM driver.
> +
> + @param[in] ImageHandle Image handle of this driver.
> + @param[in] SystemTable A Pointer to the EFI System Table.
> +
> + @retval EFI_SUCEESS
> + @return Others Some error occurs.
> +**/
> +EFI_STATUS
> +EFIAPI
> +SmmLockBoxStandaloneMmEntryPoint (
> + IN EFI_HANDLE ImageHandle,
> + IN EFI_MM_SYSTEM_TABLE *SystemTable
> + )
> +{
> + EFI_STATUS Status;
> + EFI_HANDLE DispatchHandle;
> + VOID *Registration;
> +
> + //
> + // Register LockBox communication handler
> + //
> + Status = gMmst->MmiHandlerRegister (
> + SmmLockBoxHandler,
> + &gEfiSmmLockBoxCommunicationGuid,
> + &DispatchHandle
> + );
> + ASSERT_EFI_ERROR (Status);
> +
> + //
> + // Register SMM Ready To Lock Protocol notification
> + //
> + Status = gMmst->MmRegisterProtocolNotify (
> + &gEfiSmmReadyToLockProtocolGuid,
> + SmmReadyToLockEventNotify,
> + &Registration
> + );
> + ASSERT_EFI_ERROR (Status);
> + return Status;
> +}
> diff --git
> a/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandalone
> Mm.inf
> b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandalone
> Mm.inf
> new file mode 100644
> index 0000000000..544c87790c
> --- /dev/null
> +++
> b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandalone
> Mm.inf
> @@ -0,0 +1,56 @@
> +## @file
> +# LockBox MM driver.
> +#
> +# Copyright (c) 2024, Intel Corporation. All rights reserved.<BR>
> +#
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +##
> +
> +[Defines]
> + INF_VERSION = 0x00010005
> + BASE_NAME = SmmLockBoxStandaloneMm
> + MODULE_UNI_FILE = SmmLockBoxStandaloneMm.uni
> + FILE_GUID = a83a87a0-8a3e-482d-86c8-84a139f6ded0
> + MODULE_TYPE = MM_STANDALONE
> + VERSION_STRING = 1.0
> + PI_SPECIFICATION_VERSION = 0x00010032
> + ENTRY_POINT = SmmLockBoxStandaloneMmEntryPoint
> +
> +#
> +# The following information is for reference only and not required by the build
> tools.
> +#
> +# VALID_ARCHITECTURES = IA32 X64
> +#
> +
> +[Sources]
> + SmmLockBoxStandaloneMm.c
> + SmmLockBoxCommon.c
> + SmmLockBoxCommon.h
> +
> +[Packages]
> + MdePkg/MdePkg.dec
> + MdeModulePkg/MdeModulePkg.dec
> + StandaloneMmPkg/StandaloneMmPkg.dec
> +
> +[LibraryClasses]
> + MmServicesTableLib
> + BaseLib
> + BaseMemoryLib
> + DebugLib
> + LockBoxLib
> + MemLib
> + StandaloneMmDriverEntryPoint
> +
> +[Guids]
> + gEfiSmmLockBoxCommunicationGuid ## PRODUCES ## GUID #
> SmiHandlerRegister
> +
> +[Protocols]
> + gEfiSmmReadyToLockProtocolGuid ## NOTIFY
> + gEfiLockBoxProtocolGuid ## PRODUCES
> +
> +[Depex]
> + TRUE
> +
> +[UserExtensions.TianoCore."ExtraFiles"]
> + SmmLockBoxStandaloneMm.uni
> diff --git
> a/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandalone
> Mm.uni
> b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandalone
> Mm.uni
> new file mode 100644
> index 0000000000..7f6218102f
> --- /dev/null
> +++
> b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandalone
> Mm.uni
> @@ -0,0 +1,14 @@
> +// /** @file
> +// LockBox MM driver.
> +//
> +// Copyright (c) 2024, Intel Corporation. All rights reserved.<BR>
> +//
> +// SPDX-License-Identifier: BSD-2-Clause-Patent
> +//
> +// **/
> +
> +
> +#string STR_MODULE_ABSTRACT #language en-US "LockBox MM
> driver."
> +
> +#string STR_MODULE_DESCRIPTION #language en-US "LockBox MM
> driver."
> +
> diff --git
> a/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandalone
> MmExtra.uni
> b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandalone
> MmExtra.uni
> new file mode 100644
> index 0000000000..a5443ca5f9
> --- /dev/null
> +++
> b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandalone
> MmExtra.uni
> @@ -0,0 +1,14 @@
> +// /** @file
> +// SmmLockBox Localized Strings and Content
> +//
> +// Copyright (c) 2024, Intel Corporation. All rights reserved.<BR>
> +//
> +// SPDX-License-Identifier: BSD-2-Clause-Patent
> +//
> +// **/
> +
> +#string STR_PROPERTIES_MODULE_NAME
> +#language en-US
> +"MM Lock Box Driver"
> +
> +
> --
> 2.39.1.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#118710): https://edk2.groups.io/g/devel/message/118710
Mute This Topic: https://groups.io/mt/105955701/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-
prev parent reply other threads:[~2024-05-09 3:42 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-07 6:09 [edk2-devel] [PATCH 0/3] Add Standalone MM Lockbox Driver Yuanhao Xie
2024-05-07 6:09 ` [edk2-devel] [PATCH 1/3] StandaloneMmPkg: Add LockBox Dependency DXE Driver Yuanhao Xie
2024-05-08 2:46 ` Ni, Ray
2024-05-09 3:42 ` Wu, Jiaxin
2024-05-07 6:09 ` [edk2-devel] [PATCH 2/3] MdeModulePkg: Refactors SmmLockBox.c Yuanhao Xie
2024-05-08 2:50 ` Ni, Ray
2024-05-09 3:41 ` Wu, Jiaxin
2024-05-07 6:09 ` [edk2-devel] [PATCH 3/3] MdeModulePkg: Add Standalone MM Lockbox Driver Yuanhao Xie
2024-05-08 2:53 ` Ni, Ray
2024-05-09 3:42 ` Wu, Jiaxin [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=MN0PR11MB6158E4FBCC6AB8513B0ABA08FEE62@MN0PR11MB6158.namprd11.prod.outlook.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox