Reviewed-by: Ray Ni <ray.ni@intel.com>

Thanks,
Ray
________________________________
From: Xie, Yuanhao <yuanhao.xie@intel.com>
Sent: Tuesday, May 7, 2024 14:09
To: devel@edk2.groups.io <devel@edk2.groups.io>
Cc: Liming Gao <gaoliming@byosoft.com.cn>; Wu, Jiaxin <jiaxin.wu@intel.com>; Ni, Ray <ray.ni@intel.com>; Xie, Yuanhao <yuanhao.xie@intel.com>
Subject: [PATCH 3/3] MdeModulePkg: Add Standalone MM Lockbox Driver.

The Lockbox Driver allows sensitive data to be securely stored in a
designated area, thus protected against unauthorized access.

This patch adds a Standalone MM Lockbox Driver with main modifications:
1. Separating shared code between the Standalone MM driver and the
DXE MM Driver.
2. Utilizing services from the SMM Services Table (gSmst) as opposed to
 relying on Boot Services.

Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Ray Ni <ray.ni@intel.com>

Signed-off-by: Yuanhao Xie <yuanhao.xie@intel.com>
---
 MdeModulePkg/MdeModulePkg.dsc                                             |  1 +
 MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.c        | 84 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.inf      | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.uni      | 14 ++++++++++++++
 MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMmExtra.uni | 14 ++++++++++++++
 5 files changed, 169 insertions(+)

diff --git a/MdeModulePkg/MdeModulePkg.dsc b/MdeModulePkg/MdeModulePkg.dsc
index 6bed9205ea..f0f02f180f 100644
--- a/MdeModulePkg/MdeModulePkg.dsc
+++ b/MdeModulePkg/MdeModulePkg.dsc
@@ -500,6 +500,7 @@
   MdeModulePkg/Universal/ReportStatusCodeRouter/Smm/ReportStatusCodeRouterSmm.inf
   MdeModulePkg/Universal/ReportStatusCodeRouter/Smm/ReportStatusCodeRouterStandaloneMm.inf
   MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.inf
+  MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.inf
   MdeModulePkg/Library/SmmMemoryAllocationProfileLib/SmmMemoryAllocationProfileLib.inf
   MdeModulePkg/Library/PiSmmCoreMemoryAllocationLib/PiSmmCoreMemoryAllocationProfileLib.inf
   MdeModulePkg/Library/PiSmmCoreMemoryAllocationLib/PiSmmCoreMemoryAllocationLib.inf
diff --git a/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.c b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.c
new file mode 100644
index 0000000000..503be7efa8
--- /dev/null
+++ b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.c
@@ -0,0 +1,84 @@
+/** @file
+  LockBox MM driver.
+
+Copyright (c) 2024, Intel Corporation. All rights reserved.<BR>
+
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <PiSmm.h>
+#include <Library/StandaloneMmDriverEntryPoint.h>
+#include <Library/MmServicesTableLib.h>
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/StandaloneMmMemLib.h>
+#include <Library/LockBoxLib.h>
+
+#include <Protocol/SmmReadyToLock.h>
+#include <Protocol/SmmCommunication.h>
+#include <Protocol/LockBox.h>
+#include <Guid/SmmLockBox.h>
+
+#include "SmmLockBoxCommon.h"
+
+/**
+  This function is an abstraction layer for implementation specific Mm buffer validation routine.
+
+  @param Buffer  The buffer start address to be checked.
+  @param Length  The buffer length to be checked.
+
+  @retval TRUE  This buffer is valid per processor architecture and not overlap with SMRAM.
+  @retval FALSE This buffer is not valid per processor architecture or overlap with SMRAM.
+**/
+BOOLEAN
+IsBufferOutsideMmValid (
+  IN EFI_PHYSICAL_ADDRESS  Buffer,
+  IN UINT64                Length
+  )
+{
+  return MmIsBufferOutsideMmValid (Buffer, Length);
+}
+
+/**
+  Entry Point for LockBox MM driver.
+
+  @param[in] ImageHandle  Image handle of this driver.
+  @param[in] SystemTable  A Pointer to the EFI System Table.
+
+  @retval EFI_SUCEESS
+  @return Others          Some error occurs.
+**/
+EFI_STATUS
+EFIAPI
+SmmLockBoxStandaloneMmEntryPoint (
+  IN EFI_HANDLE           ImageHandle,
+  IN EFI_MM_SYSTEM_TABLE  *SystemTable
+  )
+{
+  EFI_STATUS  Status;
+  EFI_HANDLE  DispatchHandle;
+  VOID        *Registration;
+
+  //
+  // Register LockBox communication handler
+  //
+  Status = gMmst->MmiHandlerRegister (
+                    SmmLockBoxHandler,
+                    &gEfiSmmLockBoxCommunicationGuid,
+                    &DispatchHandle
+                    );
+  ASSERT_EFI_ERROR (Status);
+
+  //
+  // Register SMM Ready To Lock Protocol notification
+  //
+  Status = gMmst->MmRegisterProtocolNotify (
+                    &gEfiSmmReadyToLockProtocolGuid,
+                    SmmReadyToLockEventNotify,
+                    &Registration
+                    );
+  ASSERT_EFI_ERROR (Status);
+  return Status;
+}
diff --git a/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.inf b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.inf
new file mode 100644
index 0000000000..544c87790c
--- /dev/null
+++ b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.inf
@@ -0,0 +1,56 @@
+## @file
+#  LockBox MM driver.
+#
+# Copyright (c) 2024, Intel Corporation. All rights reserved.<BR>
+#
+#  SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = SmmLockBoxStandaloneMm
+  MODULE_UNI_FILE                = SmmLockBoxStandaloneMm.uni
+  FILE_GUID                      = a83a87a0-8a3e-482d-86c8-84a139f6ded0
+  MODULE_TYPE                    = MM_STANDALONE
+  VERSION_STRING                 = 1.0
+  PI_SPECIFICATION_VERSION       = 0x00010032
+  ENTRY_POINT                    = SmmLockBoxStandaloneMmEntryPoint
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+#  VALID_ARCHITECTURES           = IA32 X64
+#
+
+[Sources]
+  SmmLockBoxStandaloneMm.c
+  SmmLockBoxCommon.c
+  SmmLockBoxCommon.h
+
+[Packages]
+  MdePkg/MdePkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+  StandaloneMmPkg/StandaloneMmPkg.dec
+
+[LibraryClasses]
+  MmServicesTableLib
+  BaseLib
+  BaseMemoryLib
+  DebugLib
+  LockBoxLib
+  MemLib
+  StandaloneMmDriverEntryPoint
+
+[Guids]
+  gEfiSmmLockBoxCommunicationGuid   ## PRODUCES ## GUID # SmiHandlerRegister
+
+[Protocols]
+  gEfiSmmReadyToLockProtocolGuid    ## NOTIFY
+  gEfiLockBoxProtocolGuid           ## PRODUCES
+
+[Depex]
+  TRUE
+
+[UserExtensions.TianoCore."ExtraFiles"]
+  SmmLockBoxStandaloneMm.uni
diff --git a/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.uni b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.uni
new file mode 100644
index 0000000000..7f6218102f
--- /dev/null
+++ b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMm.uni
@@ -0,0 +1,14 @@
+// /** @file
+// LockBox MM driver.
+//
+// Copyright (c) 2024, Intel Corporation. All rights reserved.<BR>
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
+
+#string STR_MODULE_ABSTRACT             #language en-US "LockBox MM driver."
+
+#string STR_MODULE_DESCRIPTION          #language en-US "LockBox MM driver."
+
diff --git a/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMmExtra.uni b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMmExtra.uni
new file mode 100644
index 0000000000..a5443ca5f9
--- /dev/null
+++ b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBoxStandaloneMmExtra.uni
@@ -0,0 +1,14 @@
+// /** @file
+// SmmLockBox Localized Strings and Content
+//
+// Copyright (c) 2024, Intel Corporation. All rights reserved.<BR>
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
+#string STR_PROPERTIES_MODULE_NAME
+#language en-US
+"MM Lock Box Driver"
+
+
--
2.39.1.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#118655): https://edk2.groups.io/g/devel/message/118655
Mute This Topic: https://groups.io/mt/105955701/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-