From: "Ni, Ray"
To: "devel@edk2.groups.io", "taylor.d.beebe@gmail.com"
CC: "Wang, Jian J", "Gao, Liming"
Subject: Re: [edk2-devel] [PATCH v5 01/28] MdeModulePkg: Add DXE and MM Memory Protection Settings Definitions
Date: Fri, 3 Nov 2023 05:52:21 +0000
References: <20231009000742.1792-1-taylor.d.beebe@gmail.com> <20231009000742.1792-2-taylor.d.beebe@gmail.com>
In-Reply-To: <20231009000742.1792-2-taylor.d.beebe@gmail.com>

I don't quite understand the lib interfaces.

For GetMemoryProtectionsLib, it only exposes PopulateMpsGlobal(). The comments say it's called by lib constructor. Then can we avoid adding the API? We could just declare it as the lib constructor in INF.
For SetMemoryProtectionsLib, it introduces a concept "Profile" and only one profile "Pcd" is defined. But I am not quite sure what it means.
And this lib exposes GetCurrentMemoryProtectionSettings() API. Should this API be exposed by the GetxxxLib?



Thanks,
Ray

From: devel@edk2.groups.io <devel@edk2.groups.io> on behalf of Taylor Beebe <taylor.d.beebe@gmail.com>
Sent: Monday, October 9, 2023 8:07 AM
To: devel@edk2.groups.io <devel@edk2.groups.io>
Cc: Wang, Jian J <jian.j.wang@intel.com>; Gao, Liming <gaoliming@byosoft.com.cn>
Subject: [edk2-devel] [PATCH v5 01/28] MdeModulePkg: Add DXE and MM Memory Protection Settings Definitions

These headers provide settings definitions for memory protections,
settings profiles for easily enabling memory protections,
and the GUIDs used for producing the memory protection HOB entry.

The settings options are functionally 1:1 with the existing
PCD bitfield definitions. Instead of setting a fixed at build
PCD, memory protections will be set via a HOB
at runtime.

Signed-off-by: Taylor Beebe <taylor.d.beebe@gmail.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
---
 MdeModulePkg/Include/Guid/MemoryProtectionSettings.h | 216 ++++++++++++++++++++
 MdeModulePkg/MdeModulePkg.dec                        |   5 +
 2 files changed, 221 insertions(+)

diff --git a/MdeModulePkg/Include/Guid/MemoryProtectionSettings.h b/MdeModu= lePkg/Include/Guid/MemoryProtectionSettings.h
new file mode 100644
index 000000000000..889e87011fbf
--- /dev/null
+++ b/MdeModulePkg/Include/Guid/MemoryProtectionSettings.h
@@ -0,0 +1,216 @@
+/** @file
+Defines memory protection settings guid and struct for DXE and MM.
+
+Copyright (C) Microsoft Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef MEMORY_PROTECTION_SETTINGS_H_
+#define MEMORY_PROTECTION_SETTINGS_H_
+
+#define OEM_RESERVED_MPS_MEMORY_TYPE  EfiMaxMemoryType
+#define OS_RESERVED_MPS_MEMORY_TYPE   (EfiMaxMemoryType + 1)
+#define MAX_MPS_MEMORY_TYPE        = ;   (EfiMaxMemoryType + 2)
+#define MPS_MEMORY_TYPE_BUFFER_SIZE   (MAX_MPS_MEMORY_TYPE * siz= eof (BOOLEAN))
+
+// Current DXE iteration of MEMORY_PROTECTION_SETTINGS
+#define DXE_MEMORY_PROTECTION_SETTINGS_CURRENT_VERSION  1
+
+// Current MM iteration of MEMORY_PROTECTION_SETTINGS
+#define MM_MEMORY_PROTECTION_SETTINGS_CURRENT_VERSION  1
+
+#define DXE_MEMORY_PROTECTION_SIGNATURE  SIGNATURE_32('D', 'M', 'P', = 'S')
+#define MM_MEMORY_PROTECTION_SIGNATURE   SIGNATURE_32('M', 'M', = 'P', 'S')
+
+typedef UINT8   MEMORY_PROTECTION_SETTINGS_VERSION;
+typedef UINT32  MEMORY_PROTECTION_SETTINGS_SIGNATURE;
+
+typedef struct {
+  BOOLEAN    Enabled     &nbs= p;      : 1;
+  BOOLEAN    DisableEndOfDxe    : 1; +  BOOLEAN    NonstopModeEnabled : 1;
+} DXE_NULL_DETECTION_POLICY;
+
+typedef struct {
+  BOOLEAN    ProtectImageFromUnknown : 1;
+  BOOLEAN    ProtectImageFromFv    = ;  : 1;
+} DXE_IMAGE_PROTECTION_POLICY;
+
+typedef struct {
+  BOOLEAN    PageGuardEnabled    &= nbsp;   : 1;
+  BOOLEAN    PoolGuardEnabled    &= nbsp;   : 1;
+  BOOLEAN    FreedMemoryGuardEnabled : 1;
+  BOOLEAN    NonstopModeEnabled    = ;  : 1;
+  BOOLEAN    GuardAlignedToTail    = ;  : 1;
+} DXE_HEAP_GUARD_POLICY;
+
+typedef struct {
+  BOOLEAN    Enabled     &nbs= p;      : 1;
+  BOOLEAN    NonstopModeEnabled : 1;
+} MM_NULL_DETECTION_POLICY;
+
+typedef struct {
+  BOOLEAN    PageGuardEnabled   : 1;
+  BOOLEAN    PoolGuardEnabled   : 1;
+  BOOLEAN    NonstopModeEnabled : 1;
+  BOOLEAN    GuardAlignedToTail : 1;
+} MM_HEAP_GUARD_POLICY;
+
+typedef struct {
+  BOOLEAN    EnabledForType[MAX_MPS_MEMORY_TYPE];
+} MPS_MEMORY_TYPES;
+
+//
+// Memory Protection Settings struct
+//
+typedef struct {
+  // This signature is used to identify the memory protection setting= s structure.
+  MEMORY_PROTECTION_SETTINGS_SIGNATURE    Signature; +
+  // The current version of the structure definition. This is used to= ensure there isn't a
+  // definition mismatch if modules have differing iterations of this= header. When creating
+  // this struct, use the DXE_MEMORY_PROTECTION_SETTINGS_CURRENT_VERS= ION macro.
+  MEMORY_PROTECTION_SETTINGS_VERSION      St= ructVersion;
+
+  // If enabled, the page at the top of the stack will be invalidated= to catch stack overflow.
+  BOOLEAN          =             &nb= sp;          CpuStackGuardEnab= led;
+
+  // If enabled, the stack will be marked non-executable.
+  BOOLEAN          =             &nb= sp;          StackExecutionPro= tectionEnabled;
+
+  // If enabled, accessing the NULL address in UEFI will be caught by= marking
+  // the NULL page as not present.
+  //   .NullDetectionEnabled    : Enable NUL= L pointer detection.
+  //   .DisableEndOfDxe      =    : Disable NULL pointer detection just after EndOfDxe.
+  //           = ;            &n= bsp;      This is a workaround for those unsolvabl= e NULL access issues in
+  //           = ;            &n= bsp;      OptionROM, boot loader, etc. It can also= help to avoid unnecessary
+  //           = ;            &n= bsp;      exception caused by legacy memory (0-409= 5) access after EndOfDxe,
+  //           = ;            &n= bsp;      such as Windows 7 boot on Qemu.
+  //   .NonstopModeEnabled      : = If enabled the debug flag will be raised when a fault occurs
+  //           = ;            &n= bsp;      to break into debugger.
+  DXE_NULL_DETECTION_POLICY    NullPointerDetection; +
+  // Set image protection policy.
+  //
+  //  .ProtectImageFromUnknown     &nbs= p;    : If set, images from unknown devices will be protecte= d by
+  //           = ;            &n= bsp;            = ;  DxeCore if they are aligned. The code section becomes
+  //           = ;            &n= bsp;            = ;  read-only, and the data section becomes non-executable.
+  //  .ProtectImageFromFv      &nb= sp;        : If set, images from firmwar= e volumes will be protected by
+  //           = ;            &n= bsp;            = ;  DxeCore if they are aligned. The code section becomes
+  //           = ;            &n= bsp;            = ;  read-only, and the data section becomes non-executable.
+  DXE_IMAGE_PROTECTION_POLICY    ImageProtection;
+
+  // If a bit is set, memory regions of the associated type will be m= apped non-executable.
+  //
+  // The execution protection setting for EfiBootServicesData and Efi= ConventionalMemory must
+  // be the same.
+  MPS_MEMORY_TYPES        &nb= sp;      ExecutionProtection;
+
+  //  Configures general heap guard behavior.
+  //
+  //  .PageGuardEnabled       = ;  : Enable page guard.
+  //  .PoolGuardEnabled       = ;  : Enable pool guard.
+  //  .FreedMemoryGuardEnabled  : Enable freed-memory guard= (Use-After-Free memory detection).
+  //  .NonstopModeEnabled       : = If enabled the debug flag will be raised when a fault occurs
+  //           = ;            &n= bsp;      to break into debugger.
+  //  .GuardAlignedToTail       : = TRUE if the pool is aligned to tail guard page. If FALSE, the
+  //           = ;            &n= bsp;      pool is aligned to head guard page.
+  //
+  //  Note:
+  //  a) Due to the limit of pool memory implementation and the = alignment
+  //     requirement of UEFI spec, HeapGuard.Guar= dAlignedToTail is a try-best
+  //     setting which cannot guarantee that the = returned pool is exactly
+  //     adjacent to head or tail guard page.
+  //  b) Freed-memory guard and pool/page guard cannot be enable= d
+  //     at the same time.
+  DXE_HEAP_GUARD_POLICY    HeapGuard;
+
+  // Indicates which type allocation need guard page.
+  //
+  // If bit is set, a head guard page and a tail guard page will be a= dded just
+  // before and after corresponding type of pages which the allocated= pool occupies,
+  // if there's enough free memory for all of them.
+  //
+  // These settings are only valid if HeapGuard.PoolGuardEnabled is T= RUE.
+  MPS_MEMORY_TYPES    PoolGuard;
+
+  // Indicates which type allocation need guard page.
+  //
+  // If a bit is set, a head guard page and a tail guard page will be= added just
+  // before and after corresponding type of pages allocated if there'= s enough
+  // free pages for all of them.
+  //
+  // These settings are only valid if HeapGuard.PageGuardEnabled is T= RUE.
+  MPS_MEMORY_TYPES    PageGuard;
+} DXE_MEMORY_PROTECTION_SETTINGS;
+
+//
+// Memory Protection Settings struct
+//
+typedef struct {
+  // This signature is used to identify the memory protection setting= s structure.
+  MEMORY_PROTECTION_SETTINGS_SIGNATURE    Signature; +
+  // The current version of the structure definition. This is used to= ensure there isn't a
+  // definition mismatch if modules have differing iterations of this= header. When creating
+  // this struct, use the MM_MEMORY_PROTECTION_SETTINGS_CURRENT_VERSI= ON macro.
+  MEMORY_PROTECTION_SETTINGS_VERSION      St= ructVersion;
+
+  // If enabled, accessing the NULL address in MM will be caught by m= arking
+  // the NULL page as not present.
+  //   .NullDetectionEnabled    : Enable NUL= L pointer detection.
+  //   .NonstopModeEnabled      : = If enabled the debug flag will be raised when a fault occurs
+  //           = ;            &n= bsp;      to break into debugger.
+  MM_NULL_DETECTION_POLICY       &= nbsp;        NullPointerDetection;
+
+  //  Configures general heap guard behavior.
+  //
+  // Note:
+  //  a) Due to the limit of pool memory implementation and the = alignment
+  //     requirement of UEFI spec, HeapGuard.Guar= dAlignedToTail is a try-best
+  //     setting which cannot guarantee that the = returned pool is exactly
+  //     adjacent to head or tail guard page.
+  //
+  //  .PageGuardEnabled       = ;   : Enable page guard.
+  //  .PoolGuardEnabled       = ;   : Enable pool guard.
+  //  .NonstopModeEnabled      &nb= sp; : If enabled the debug flag will be raised when a fault occurs
+  //           = ;            &n= bsp;       to break into debugger.
+  //  .GuardAlignedToTail      &nb= sp; : TRUE if the pool is aligned to tail guard page. If FALSE, the
+  //           = ;            &n= bsp;       pool is aligned to head guard page= .
+  MM_HEAP_GUARD_POLICY    HeapGuard;
+
+  // Indicates which type allocation need guard page.
+  //
+  // If bit is set, a head guard page and a tail guard page will be a= dded just
+  // before and after corresponding type of pages which the allocated= pool occupies,
+  // if there's enough free memory for all of them.
+  //
+  // These settings are only valid if PoolGuardEnabled is TRUE in Hea= pGuard.
+  MPS_MEMORY_TYPES    PoolGuard;
+
+  // Indicates which type allocation need guard page.
+  //
+  // If a bit is set, a head guard page and a tail guard page will be= added just
+  // before and after corresponding type of pages allocated if there'= s enough
+  // free pages for all of them.
+  //
+  // This bitfield is only valid if PageGuardEnabled is TRUE in HeapG= uard.
+  MPS_MEMORY_TYPES    PageGuard;
+} MM_MEMORY_PROTECTION_SETTINGS;
+
+typedef struct {
+  // The memory protection settings in the SMM and Standalone MM envi= ronment
+  MM_MEMORY_PROTECTION_SETTINGS     Mm;
+  // The memory protection settings in the DXE environment
+  DXE_MEMORY_PROTECTION_SETTINGS    Dxe;
+} MEMORY_PROTECTION_SETTINGS;
+
+#define MEMORY_PROTECTION_SETTINGS_GUID  \
+  { \
+    { 0x9ABFD639, 0xD1D0, 0x4EFF, { 0xBD, 0xB6, 0x7E, 0xC4,= 0x19, 0x0D, 0x17, 0xD5 } } \
+  }
+
+extern GUID  gMemoryProtectionSettingsGuid;
+
+#endif
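Review bot: In MPS_MEMORY_TYPES, EnabledForType[] is sized by MAX_MPS_MEMORY_TYPE (EfiMaxMemoryType + 2), so the size and field offsets of DXE_MEMORY_PROTECTION_SETTINGS and MM_MEMORY_PROTECTION_SETTINGS change whenever the memory type enum grows, while StructVersion stays at 1. Because the commit message says these settings are passed in a HOB, a producer and a consumer built against different headers would agree on Signature and StructVersion and still read the ExecutionProtection, PoolGuard and PageGuard arrays at the wrong offsets. Consider sizing the array with a constant owned by this header, or adding a size field that consumers compare against sizeof () before trusting the contents. The policy structs also use BOOLEAN bit-fields (for example `BOOLEAN Enabled : 1;`), whose layout is compiler-defined; plain BOOLEAN members or a UINT8 mask would keep the HOB layout identical across toolchains. Two smaller points: the NullPointerDetection comments describe `.NullDetectionEnabled` while the member is named `Enabled`, and MEMORY_PROTECTION_SETTINGS_GUID carries one more level of braces than the initializer added to MdeModulePkg.dec.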
diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec<= br> index dd182c02fdf6..5e1a0388bed3 100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
@@ -399,6 +399,11 @@ [Guids]
   ## Include/Guid/EndofS3Resume.h
   gEdkiiEndOfS3ResumeGuid =3D { 0x96f5296d, 0x05f7, 0x4f3c, {0x8= 4, 0x67, 0xe4, 0x56, 0x89, 0x0e, 0x0c, 0xb5 } }
 
+  ## Memory Protection Settings Guid. Used to create and fetch the me= mory protection settings HOB entry.
+  #
+  # Include/Guid/MemoryProtectionSettings
+  gMemoryProtectionSettingsGuid =3D { 0x9ABFD639, 0xD1D0, 0x4EFF, { 0= xBD, 0xB6, 0x7E, 0xC4, 0x19, 0x0D, 0x17, 0xD5 }}
+
   ## Used (similar to Variable Services) to communicate policies= to the enforcement engine.
   # {DA1B0D11-D1A7-46C4-9DC9-F3714875C6EB}
   gVarCheckPolicyLibMmiHandlerGuid =3D { 0xda1b0d11, 0xd1a7, 0x4= 6c4, { 0x9d, 0xc9, 0xf3, 0x71, 0x48, 0x75, 0xc6, 0xeb }}
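Review bot: The header path comment on the new [Guids] entry reads `# Include/Guid/MemoryProtectionSettings`, without the `.h` that the file added by this patch and the neighbouring `## Include/Guid/EndofS3Resume.h` entry both carry. Suggest `# Include/Guid/MemoryProtectionSettings.h`, and adding a registry-format comment (`# {9ABFD639-D1D0-4EFF-BDB6-7EC4190D17D5}`) as the gVarCheckPolicyLibMmiHandlerGuid entry does, so the GUID is easy to search for when inspecting HOB lists.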
--
2.42.0.windows.2





