[MdeModulePkg][PeiCore] I seemed to have crashed the PEI Core by grabbing memory from PeiTemporaryRamBase?

[MdeModulePkg][PeiCore] I seemed to have crashed the PEI Core by grabbing memory from PeiTemporaryRamBase?

[Andrew Fish]

I grabbed some memory between SEC and the PEI Core by adjusting SecCoreData-> PeiTemporaryRamBase and SecCoreData-> PeiTemporaryRamSize.

When looking at the code I don't really understand the logic of the algorithm? So maybe I'm doing something wrong. 

This adjustment does not seem right to me?
https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c#L768
      //
      // Heap Offset
      //
      BaseOfNewHeap = TopOfNewStack;
      if (BaseOfNewHeap >= (UINTN)SecCoreData->PeiTemporaryRamBase) {
        Private->HeapOffsetPositive = TRUE;
        Private->HeapOffset = (UINTN)(BaseOfNewHeap - (UINTN)SecCoreData->PeiTemporaryRamBase);
      } else {
        Private->HeapOffsetPositive = FALSE;
        Private->HeapOffset = (UINTN)((UINTN)SecCoreData->PeiTemporaryRamBase - BaseOfNewHeap);
      }


The above code seems to be making a very strange adjustment. I noticed the adjustment in my failing case was off by 0xC0 which is the amount of memory I carved out prior to entering the PEI Core. 

https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c#L796

      //
      // Temporary Ram Support PPI is provided by platform, it will copy 
      // temporary memory to permenent memory and do stack switching.
      // After invoking Temporary Ram Support PPI, the following code's 
      // stack is in permanent memory.
      //
      TemporaryRamSupportPpi->TemporaryRamMigration (
                                PeiServices,
                                TemporaryRamBase,
                                (EFI_PHYSICAL_ADDRESS)(UINTN)(TopOfNewStack - TemporaryStackSize),
                                TemporaryRamSize
                                );


And this is also a case in which the stack got bigger. But it seems to me the shift if really defined by TemporaryRamBase, TopOfNewStack, and TemporaryStackSize in this case. 

The failure I hit was OldCoreData->Fv pointer was shifted so when the PPI was called the system crashed. Is this a bug in the gEfiTemporaryRamSupportPpiGuid path?

If I changed the HeadOffset algorithm my crash went away? Private->HeapOffset = ((UINTN)TopOfNewStack - TemporaryStackSize) - TemporaryRamBase;

Thanks,

Andrew Fish

PS My failure case was the EmulatorPkg. I've not had a chance to verify this failure in the open source yet, but I'm guessing reversing this #if will make it happen.


https://github.com/tianocore/edk2/blob/master/EmulatorPkg/Sec/Sec.c#L107

#if 0
  // Tell the PEI Core to not use our buffer in temp RAM
  SecPpiList = (EFI_PEI_PPI_DESCRIPTOR *)SecCoreData->PeiTemporaryRamBase;
  SecCoreData->PeiTemporaryRamBase = (VOID *)((UINTN)SecCoreData->PeiTemporaryRamBase + SecReseveredMemorySize);
  SecCoreData->PeiTemporaryRamSize -= SecReseveredMemorySize;
#else
  {
    //
    // When I subtrack from SecCoreData->PeiTemporaryRamBase PEI Core crashes? Either there is a bug
    // or I don't understand temp RAM correctly?
    //
    EFI_PEI_PPI_DESCRIPTOR    PpiArray[10];

    SecPpiList = &PpiArray[0];
    ASSERT (sizeof (PpiArray) >= SecReseveredMemorySize);
  }
#endif

Re: [MdeModulePkg][PeiCore] I seemed to have crashed the PEI Core by grabbing memory from PeiTemporaryRamBase?

[Marvin H?user]

Hello Andrew,

Unfortunately I cannot test anything right now and I don't have a whole lot of knowledge in this area, though I might have a hint for you.

While PpiList is equal to the original TempRam base, the TempRam based passed to PEI is equal to the original TempRam base + the size of the PpiList, hence PpiList is smaller than the base address passed to PEI. The PpiList is then installed via the PeiServicesInstallPpi () function:

call: https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/PeiMain/PeiMain.c#L386
implementation: https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Ppi/Ppi.c#L183

The list is then added to PpiData.PpiListPtrs.

https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Ppi/Ppi.c#L229

I am not sure at which point of time you are experiencing the crash, but after permanent memory is available, ConvertPpiPointers () is called, which then calls ConverSinglePpiPointer () for old heap, old stack and old hole (I'm afraid I do not know what TempRam Hole is and if it is related).

ConvertPpiPointers () call: https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/PeiMain/PeiMain.c#L237
Old Heap ConverSinglePpiPointer () call: https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Ppi/Ppi.c#L127

The call for the old heap conversion passes the TempRam base, which has been incremented as we know, and thus the comparison to TempBottom will fail, as TempBottom is PeiTemporaryRamBase, which is larger than PpiList, which is one of the items in PpiListPtrs, which is the object of the conversion.

comparison to TempBottom: https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Ppi/Ppi.c#L60

As the pointer to the PpiList passed by SecCore is probably not converted as detailed above, I assume something post-mem attempts to access this former PpiList by the old temporary RAM address and that somehow causes trouble; I assume the SEC PpiList being part of the PEI memory is an assumption made by the person who wrote this code. I'm not sure about why it crashes, as I do not know the entire PEI control flow, though I hope this can help you in some way.

Please excuse me if I have made a mistake in understanding the referenced code and wasted your time.

Regards,
Marvin.


> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> Andrew Fish
> Sent: Saturday, August 13, 2016 1:25 AM
> To: edk2-devel <edk2-devel@lists.01.org>
> Subject: [edk2] [MdeModulePkg][PeiCore] I seemed to have crashed the PEI
> Core by grabbing memory from PeiTemporaryRamBase?
> 
> I grabbed some memory between SEC and the PEI Core by adjusting
> SecCoreData-> PeiTemporaryRamBase and SecCoreData->
> PeiTemporaryRamSize.
> 
> When looking at the code I don't really understand the logic of the algorithm?
> So maybe I'm doing something wrong.
> 
> This adjustment does not seem right to me?
> https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/
> Dispatcher/Dispatcher.c#L768
>       //
>       // Heap Offset
>       //
>       BaseOfNewHeap = TopOfNewStack;
>       if (BaseOfNewHeap >= (UINTN)SecCoreData->PeiTemporaryRamBase) {
>         Private->HeapOffsetPositive = TRUE;
>         Private->HeapOffset = (UINTN)(BaseOfNewHeap -
> (UINTN)SecCoreData->PeiTemporaryRamBase);
>       } else {
>         Private->HeapOffsetPositive = FALSE;
>         Private->HeapOffset = (UINTN)((UINTN)SecCoreData-
> >PeiTemporaryRamBase - BaseOfNewHeap);
>       }
> 
> 
> The above code seems to be making a very strange adjustment. I noticed the
> adjustment in my failing case was off by 0xC0 which is the amount of
> memory I carved out prior to entering the PEI Core.
> 
> https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/
> Dispatcher/Dispatcher.c#L796
> 
>       //
>       // Temporary Ram Support PPI is provided by platform, it will copy
>       // temporary memory to permenent memory and do stack switching.
>       // After invoking Temporary Ram Support PPI, the following code's
>       // stack is in permanent memory.
>       //
>       TemporaryRamSupportPpi->TemporaryRamMigration (
>                                 PeiServices,
>                                 TemporaryRamBase,
>                                 (EFI_PHYSICAL_ADDRESS)(UINTN)(TopOfNewStack -
> TemporaryStackSize),
>                                 TemporaryRamSize
>                                 );
> 
> 
> And this is also a case in which the stack got bigger. But it seems to me the
> shift if really defined by TemporaryRamBase, TopOfNewStack, and
> TemporaryStackSize in this case.
> 
> The failure I hit was OldCoreData->Fv pointer was shifted so when the PPI
> was called the system crashed. Is this a bug in the
> gEfiTemporaryRamSupportPpiGuid path?
> 
> If I changed the HeadOffset algorithm my crash went away? Private-
> >HeapOffset = ((UINTN)TopOfNewStack - TemporaryStackSize) -
> TemporaryRamBase;
> 
> Thanks,
> 
> Andrew Fish
> 
> PS My failure case was the EmulatorPkg. I've not had a chance to verify this
> failure in the open source yet, but I'm guessing reversing this #if will make it
> happen.
> 
> 
> https://github.com/tianocore/edk2/blob/master/EmulatorPkg/Sec/Sec.c#L1
> 07
> 
> #if 0
>   // Tell the PEI Core to not use our buffer in temp RAM
>   SecPpiList = (EFI_PEI_PPI_DESCRIPTOR *)SecCoreData-
> >PeiTemporaryRamBase;
>   SecCoreData->PeiTemporaryRamBase = (VOID *)((UINTN)SecCoreData-
> >PeiTemporaryRamBase + SecReseveredMemorySize);
>   SecCoreData->PeiTemporaryRamSize -= SecReseveredMemorySize; #else
>   {
>     //
>     // When I subtrack from SecCoreData->PeiTemporaryRamBase PEI Core
> crashes? Either there is a bug
>     // or I don't understand temp RAM correctly?
>     //
>     EFI_PEI_PPI_DESCRIPTOR    PpiArray[10];
> 
>     SecPpiList = &PpiArray[0];
>     ASSERT (sizeof (PpiArray) >= SecReseveredMemorySize);
>   }
> #endif
> 
> 
> 
> 
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel

Re: [MdeModulePkg][PeiCore] I seemed to have crashed the PEI Core by grabbing memory from PeiTemporaryRamBase?

[Marvin H?user]

Sorry. For some reason, I didn't get to read the paragraph about TemporaryRamSupportPpi and shomehow skipped to the PS.
I suppose my hint is not related to the crash then, though I hope it was still helpful in some way, as it seems to assume that the PPI List is in the temporary heap nevertheless.

Regards,
Marvin.

> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> Marvin H?user
> Sent: Saturday, August 13, 2016 3:47 AM
> To: edk2-devel@lists.01.org
> Cc: Andrew Fish <afish@apple.com>
> Subject: Re: [edk2] [MdeModulePkg][PeiCore] I seemed to have crashed the
> PEI Core by grabbing memory from PeiTemporaryRamBase?
> 
> Hello Andrew,
> 
> Unfortunately I cannot test anything right now and I don't have a whole lot of
> knowledge in this area, though I might have a hint for you.
> 
> While PpiList is equal to the original TempRam base, the TempRam based
> passed to PEI is equal to the original TempRam base + the size of the PpiList,
> hence PpiList is smaller than the base address passed to PEI. The PpiList is
> then installed via the PeiServicesInstallPpi () function:
> 
> call:
> https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/
> PeiMain/PeiMain.c#L386
> implementation:
> https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/
> Ppi/Ppi.c#L183
> 
> The list is then added to PpiData.PpiListPtrs.
> 
> https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/
> Ppi/Ppi.c#L229
> 
> I am not sure at which point of time you are experiencing the crash, but after
> permanent memory is available, ConvertPpiPointers () is called, which then
> calls ConverSinglePpiPointer () for old heap, old stack and old hole (I'm afraid
> I do not know what TempRam Hole is and if it is related).
> 
> ConvertPpiPointers () call:
> https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/
> PeiMain/PeiMain.c#L237
> Old Heap ConverSinglePpiPointer () call:
> https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/
> Ppi/Ppi.c#L127
> 
> The call for the old heap conversion passes the TempRam base, which has
> been incremented as we know, and thus the comparison to TempBottom will
> fail, as TempBottom is PeiTemporaryRamBase, which is larger than PpiList,
> which is one of the items in PpiListPtrs, which is the object of the conversion.
> 
> comparison to TempBottom:
> https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/
> Ppi/Ppi.c#L60
> 
> As the pointer to the PpiList passed by SecCore is probably not converted as
> detailed above, I assume something post-mem attempts to access this
> former PpiList by the old temporary RAM address and that somehow causes
> trouble; I assume the SEC PpiList being part of the PEI memory is an
> assumption made by the person who wrote this code. I'm not sure about
> why it crashes, as I do not know the entire PEI control flow, though I hope
> this can help you in some way.
> 
> Please excuse me if I have made a mistake in understanding the referenced
> code and wasted your time.
> 
> Regards,
> Marvin.
> 
> 
> > -----Original Message-----
> > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> > Andrew Fish
> > Sent: Saturday, August 13, 2016 1:25 AM
> > To: edk2-devel <edk2-devel@lists.01.org>
> > Subject: [edk2] [MdeModulePkg][PeiCore] I seemed to have crashed the
> > PEI Core by grabbing memory from PeiTemporaryRamBase?
> >
> > I grabbed some memory between SEC and the PEI Core by adjusting
> > SecCoreData-> PeiTemporaryRamBase and SecCoreData->
> > PeiTemporaryRamSize.
> >
> > When looking at the code I don't really understand the logic of the
> algorithm?
> > So maybe I'm doing something wrong.
> >
> > This adjustment does not seem right to me?
> >
> https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/
> > Dispatcher/Dispatcher.c#L768
> >       //
> >       // Heap Offset
> >       //
> >       BaseOfNewHeap = TopOfNewStack;
> >       if (BaseOfNewHeap >= (UINTN)SecCoreData->PeiTemporaryRamBase) {
> >         Private->HeapOffsetPositive = TRUE;
> >         Private->HeapOffset = (UINTN)(BaseOfNewHeap -
> > (UINTN)SecCoreData->PeiTemporaryRamBase);
> >       } else {
> >         Private->HeapOffsetPositive = FALSE;
> >         Private->HeapOffset = (UINTN)((UINTN)SecCoreData-
> > >PeiTemporaryRamBase - BaseOfNewHeap);
> >       }
> >
> >
> > The above code seems to be making a very strange adjustment. I noticed
> > the adjustment in my failing case was off by 0xC0 which is the amount
> > of memory I carved out prior to entering the PEI Core.
> >
> >
> https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/
> > Dispatcher/Dispatcher.c#L796
> >
> >       //
> >       // Temporary Ram Support PPI is provided by platform, it will copy
> >       // temporary memory to permenent memory and do stack switching.
> >       // After invoking Temporary Ram Support PPI, the following code's
> >       // stack is in permanent memory.
> >       //
> >       TemporaryRamSupportPpi->TemporaryRamMigration (
> >                                 PeiServices,
> >                                 TemporaryRamBase,
> >
> > (EFI_PHYSICAL_ADDRESS)(UINTN)(TopOfNewStack - TemporaryStackSize),
> >                                 TemporaryRamSize
> >                                 );
> >
> >
> > And this is also a case in which the stack got bigger. But it seems to
> > me the shift if really defined by TemporaryRamBase, TopOfNewStack, and
> > TemporaryStackSize in this case.
> >
> > The failure I hit was OldCoreData->Fv pointer was shifted so when the
> > PPI was called the system crashed. Is this a bug in the
> > gEfiTemporaryRamSupportPpiGuid path?
> >
> > If I changed the HeadOffset algorithm my crash went away? Private-
> > >HeapOffset = ((UINTN)TopOfNewStack - TemporaryStackSize) -
> > TemporaryRamBase;
> >
> > Thanks,
> >
> > Andrew Fish
> >
> > PS My failure case was the EmulatorPkg. I've not had a chance to
> > verify this failure in the open source yet, but I'm guessing reversing
> > this #if will make it happen.
> >
> >
> >
> https://github.com/tianocore/edk2/blob/master/EmulatorPkg/Sec/Sec.c#L1
> > 07
> >
> > #if 0
> >   // Tell the PEI Core to not use our buffer in temp RAM
> >   SecPpiList = (EFI_PEI_PPI_DESCRIPTOR *)SecCoreData-
> > >PeiTemporaryRamBase;
> >   SecCoreData->PeiTemporaryRamBase = (VOID *)((UINTN)SecCoreData-
> > >PeiTemporaryRamBase + SecReseveredMemorySize);
> >   SecCoreData->PeiTemporaryRamSize -= SecReseveredMemorySize; #else
> >   {
> >     //
> >     // When I subtrack from SecCoreData->PeiTemporaryRamBase PEI Core
> > crashes? Either there is a bug
> >     // or I don't understand temp RAM correctly?
> >     //
> >     EFI_PEI_PPI_DESCRIPTOR    PpiArray[10];
> >
> >     SecPpiList = &PpiArray[0];
> >     ASSERT (sizeof (PpiArray) >= SecReseveredMemorySize);
> >   }
> > #endif
> >
> >
> >
> >
> > _______________________________________________
> > edk2-devel mailing list
> > edk2-devel@lists.01.org
> > https://lists.01.org/mailman/listinfo/edk2-devel
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel

Re: [MdeModulePkg][PeiCore] I seemed to have crashed the PEI Core by grabbing memory from PeiTemporaryRamBase?

[Gao, Liming]

Andrew:
  In permanent memory, PeiCore places heap base as stack top. Heap is above stack. There is no hole between them. SEC needs to follow this layout and migrate the temporary memory to permanent memory. It should copy TemporaryRam HEAP and STACK range separately. HEAP range is specified by PeiTemporaryRamBase and PeiTemporaryRamSize, and STACK range is specified by StackBase and StackSize. The grabbed memory is not migrated, because PeiCore doesn't know it. But, EmulatorPkg Sec SecTemporaryRamSupport() migrates the whole temporary memory together. The grabbed memory is also migrated and wrongly regarded as heap data. So, the fix is to update SecTemporaryRamSupport() implementation in SEC. 

Thanks
Liming
-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Andrew Fish
Sent: Saturday, August 13, 2016 7:25 AM
To: edk2-devel <edk2-devel@lists.01.org>
Subject: [edk2] [MdeModulePkg][PeiCore] I seemed to have crashed the PEI Core by grabbing memory from PeiTemporaryRamBase?

I grabbed some memory between SEC and the PEI Core by adjusting SecCoreData-> PeiTemporaryRamBase and SecCoreData-> PeiTemporaryRamSize.

When looking at the code I don't really understand the logic of the algorithm? So maybe I'm doing something wrong. 

This adjustment does not seem right to me?
https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c#L768
      //
      // Heap Offset
      //
      BaseOfNewHeap = TopOfNewStack;
      if (BaseOfNewHeap >= (UINTN)SecCoreData->PeiTemporaryRamBase) {
        Private->HeapOffsetPositive = TRUE;
        Private->HeapOffset = (UINTN)(BaseOfNewHeap - (UINTN)SecCoreData->PeiTemporaryRamBase);
      } else {
        Private->HeapOffsetPositive = FALSE;
        Private->HeapOffset = (UINTN)((UINTN)SecCoreData->PeiTemporaryRamBase - BaseOfNewHeap);
      }


The above code seems to be making a very strange adjustment. I noticed the adjustment in my failing case was off by 0xC0 which is the amount of memory I carved out prior to entering the PEI Core. 

https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c#L796

      //
      // Temporary Ram Support PPI is provided by platform, it will copy 
      // temporary memory to permenent memory and do stack switching.
      // After invoking Temporary Ram Support PPI, the following code's 
      // stack is in permanent memory.
      //
      TemporaryRamSupportPpi->TemporaryRamMigration (
                                PeiServices,
                                TemporaryRamBase,
                                (EFI_PHYSICAL_ADDRESS)(UINTN)(TopOfNewStack - TemporaryStackSize),
                                TemporaryRamSize
                                );


And this is also a case in which the stack got bigger. But it seems to me the shift if really defined by TemporaryRamBase, TopOfNewStack, and TemporaryStackSize in this case. 

The failure I hit was OldCoreData->Fv pointer was shifted so when the PPI was called the system crashed. Is this a bug in the gEfiTemporaryRamSupportPpiGuid path?

If I changed the HeadOffset algorithm my crash went away? Private->HeapOffset = ((UINTN)TopOfNewStack - TemporaryStackSize) - TemporaryRamBase;

Thanks,

Andrew Fish

PS My failure case was the EmulatorPkg. I've not had a chance to verify this failure in the open source yet, but I'm guessing reversing this #if will make it happen.


https://github.com/tianocore/edk2/blob/master/EmulatorPkg/Sec/Sec.c#L107

#if 0
  // Tell the PEI Core to not use our buffer in temp RAM
  SecPpiList = (EFI_PEI_PPI_DESCRIPTOR *)SecCoreData->PeiTemporaryRamBase;
  SecCoreData->PeiTemporaryRamBase = (VOID *)((UINTN)SecCoreData->PeiTemporaryRamBase + SecReseveredMemorySize);
  SecCoreData->PeiTemporaryRamSize -= SecReseveredMemorySize;
#else
  {
    //
    // When I subtrack from SecCoreData->PeiTemporaryRamBase PEI Core crashes? Either there is a bug
    // or I don't understand temp RAM correctly?
    //
    EFI_PEI_PPI_DESCRIPTOR    PpiArray[10];

    SecPpiList = &PpiArray[0];
    ASSERT (sizeof (PpiArray) >= SecReseveredMemorySize);
  }
#endif




_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Re: [MdeModulePkg][PeiCore] I seemed to have crashed the PEI Core by grabbing memory from PeiTemporaryRamBase?

[Andrew Fish]

> On Aug 15, 2016, at 8:54 AM, Gao, Liming <liming.gao@intel.com> wrote:
> 
> Andrew:
>  In permanent memory, PeiCore places heap base as stack top. Heap is above stack. There is no hole between them. SEC needs to follow this layout and migrate the temporary memory to permanent memory. It should copy TemporaryRam HEAP and STACK range separately. HEAP range is specified by PeiTemporaryRamBase and PeiTemporaryRamSize, and STACK range is specified by StackBase and StackSize. The grabbed memory is not migrated, because PeiCore doesn't know it. But, EmulatorPkg Sec SecTemporaryRamSupport() migrates the whole temporary memory together. The grabbed memory is also migrated and wrongly regarded as heap data. So, the fix is to update SecTemporaryRamSupport() implementation in SEC. 
> 

Limiing,

I don't see any info in the PPI definition or the PI spec that defines the heap and stack are copied separately? The PPI just passes the entire ranges? That is why I assumes in the PPI case the offsets should be relative to the big shift?

/**
  This service of the EFI_PEI_TEMPORARY_RAM_SUPPORT_PPI that migrates temporary RAM into
  permanent memory.

  @param PeiServices            Pointer to the PEI Services Table.
  @param TemporaryMemoryBase    Source Address in temporary memory from which the SEC or PEIM will copy the
                                Temporary RAM contents.
  @param PermanentMemoryBase    Destination Address in permanent memory into which the SEC or PEIM will copy the
                                Temporary RAM contents.
  @param CopySize               Amount of memory to migrate from temporary to permanent memory.

  @retval EFI_SUCCESS           The data was successfully returned.
  @retval EFI_INVALID_PARAMETER PermanentMemoryBase + CopySize > TemporaryMemoryBase when
                                TemporaryMemoryBase > PermanentMemoryBase.

**/
typedef
EFI_STATUS
(EFIAPI * TEMPORARY_RAM_MIGRATION)(
  IN CONST EFI_PEI_SERVICES   **PeiServices,
  IN EFI_PHYSICAL_ADDRESS     TemporaryMemoryBase,
  IN EFI_PHYSICAL_ADDRESS     PermanentMemoryBase,
  IN UINTN                    CopySize
);


Thanks,

Andrew Fish

> Thanks
> Liming
> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Andrew Fish
> Sent: Saturday, August 13, 2016 7:25 AM
> To: edk2-devel <edk2-devel@lists.01.org>
> Subject: [edk2] [MdeModulePkg][PeiCore] I seemed to have crashed the PEI Core by grabbing memory from PeiTemporaryRamBase?
> 
> I grabbed some memory between SEC and the PEI Core by adjusting SecCoreData-> PeiTemporaryRamBase and SecCoreData-> PeiTemporaryRamSize.
> 
> When looking at the code I don't really understand the logic of the algorithm? So maybe I'm doing something wrong. 
> 
> This adjustment does not seem right to me?
> https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c#L768
>      //
>      // Heap Offset
>      //
>      BaseOfNewHeap = TopOfNewStack;
>      if (BaseOfNewHeap >= (UINTN)SecCoreData->PeiTemporaryRamBase) {
>        Private->HeapOffsetPositive = TRUE;
>        Private->HeapOffset = (UINTN)(BaseOfNewHeap - (UINTN)SecCoreData->PeiTemporaryRamBase);
>      } else {
>        Private->HeapOffsetPositive = FALSE;
>        Private->HeapOffset = (UINTN)((UINTN)SecCoreData->PeiTemporaryRamBase - BaseOfNewHeap);
>      }
> 
> 
> The above code seems to be making a very strange adjustment. I noticed the adjustment in my failing case was off by 0xC0 which is the amount of memory I carved out prior to entering the PEI Core. 
> 
> https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c#L796
> 
>      //
>      // Temporary Ram Support PPI is provided by platform, it will copy 
>      // temporary memory to permenent memory and do stack switching.
>      // After invoking Temporary Ram Support PPI, the following code's 
>      // stack is in permanent memory.
>      //
>      TemporaryRamSupportPpi->TemporaryRamMigration (
>                                PeiServices,
>                                TemporaryRamBase,
>                                (EFI_PHYSICAL_ADDRESS)(UINTN)(TopOfNewStack - TemporaryStackSize),
>                                TemporaryRamSize
>                                );
> 
> 
> And this is also a case in which the stack got bigger. But it seems to me the shift if really defined by TemporaryRamBase, TopOfNewStack, and TemporaryStackSize in this case. 
> 
> The failure I hit was OldCoreData->Fv pointer was shifted so when the PPI was called the system crashed. Is this a bug in the gEfiTemporaryRamSupportPpiGuid path?
> 
> If I changed the HeadOffset algorithm my crash went away? Private->HeapOffset = ((UINTN)TopOfNewStack - TemporaryStackSize) - TemporaryRamBase;
> 
> Thanks,
> 
> Andrew Fish
> 
> PS My failure case was the EmulatorPkg. I've not had a chance to verify this failure in the open source yet, but I'm guessing reversing this #if will make it happen.
> 
> 
> https://github.com/tianocore/edk2/blob/master/EmulatorPkg/Sec/Sec.c#L107
> 
> #if 0
>  // Tell the PEI Core to not use our buffer in temp RAM
>  SecPpiList = (EFI_PEI_PPI_DESCRIPTOR *)SecCoreData->PeiTemporaryRamBase;
>  SecCoreData->PeiTemporaryRamBase = (VOID *)((UINTN)SecCoreData->PeiTemporaryRamBase + SecReseveredMemorySize);
>  SecCoreData->PeiTemporaryRamSize -= SecReseveredMemorySize;
> #else
>  {
>    //
>    // When I subtrack from SecCoreData->PeiTemporaryRamBase PEI Core crashes? Either there is a bug
>    // or I don't understand temp RAM correctly?
>    //
>    EFI_PEI_PPI_DESCRIPTOR    PpiArray[10];
> 
>    SecPpiList = &PpiArray[0];
>    ASSERT (sizeof (PpiArray) >= SecReseveredMemorySize);
>  }
> #endif
> 
> 
> 
> 
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel

Re: [MdeModulePkg][PeiCore] I seemed to have crashed the PEI Core by grabbing memory from PeiTemporaryRamBase?

[Gao, Liming]

Andrew:
  PI spec has not defined such information. But, PPI implementation and PeiCore needs to align new heap and stack layout. The full PPI should include new heap base and new stack base. Current PPI has only one Base. Then, PPI implementation needs mach PeiCore implementation.

Thanks
Liming
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Andrew Fish
Sent: Tuesday, August 16, 2016 12:12 AM
To: Gao, Liming <liming.gao@intel.com>
Cc: edk2-devel <edk2-devel@lists.01.org>
Subject: Re: [edk2] [MdeModulePkg][PeiCore] I seemed to have crashed the PEI Core by grabbing memory from PeiTemporaryRamBase?


> On Aug 15, 2016, at 8:54 AM, Gao, Liming wrote:
>
> Andrew:
> In permanent memory, PeiCore places heap base as stack top. Heap is above stack. There is no hole between them. SEC needs to follow this layout and migrate the temporary memory to permanent memory. It should copy TemporaryRam HEAP and STACK range separately. HEAP range is specified by PeiTemporaryRamBase and PeiTemporaryRamSize, and STACK range is specified by StackBase and StackSize. The grabbed memory is not migrated, because PeiCore doesn't know it. But, EmulatorPkg Sec SecTemporaryRamSupport() migrates the whole temporary memory together. The grabbed memory is also migrated and wrongly regarded as heap data. So, the fix is to update SecTemporaryRamSupport() implementation in SEC.
>

Limiing,

I don't see any info in the PPI definition or the PI spec that defines the heap and stack are copied separately? The PPI just passes the entire ranges? That is why I assumes in the PPI case the offsets should be relative to the big shift?

/**
This service of the EFI_PEI_TEMPORARY_RAM_SUPPORT_PPI that migrates temporary RAM into
permanent memory.

@param PeiServices Pointer to the PEI Services Table.
@param TemporaryMemoryBase Source Address in temporary memory from which the SEC or PEIM will copy the
Temporary RAM contents.
@param PermanentMemoryBase Destination Address in permanent memory into which the SEC or PEIM will copy the
Temporary RAM contents.
@param CopySize Amount of memory to migrate from temporary to permanent memory.

@retval EFI_SUCCESS The data was successfully returned.
@retval EFI_INVALID_PARAMETER PermanentMemoryBase + CopySize > TemporaryMemoryBase when
TemporaryMemoryBase > PermanentMemoryBase.

**/
typedef
EFI_STATUS
(EFIAPI * TEMPORARY_RAM_MIGRATION)(
IN CONST EFI_PEI_SERVICES **PeiServices,
IN EFI_PHYSICAL_ADDRESS TemporaryMemoryBase,
IN EFI_PHYSICAL_ADDRESS PermanentMemoryBase,
IN UINTN CopySize
);


Thanks,

Andrew Fish

> Thanks
> Liming
> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Andrew Fish
> Sent: Saturday, August 13, 2016 7:25 AM
> To: edk2-devel
> Subject: [edk2] [MdeModulePkg][PeiCore] I seemed to have crashed the PEI Core by grabbing memory from PeiTemporaryRamBase?
>
> I grabbed some memory between SEC and the PEI Core by adjusting SecCoreData-> PeiTemporaryRamBase and SecCoreData-> PeiTemporaryRamSize.
>
> When looking at the code I don't really understand the logic of the algorithm? So maybe I'm doing something wrong.
>
> This adjustment does not seem right to me?
> https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c#L768
> //
> // Heap Offset
> //
> BaseOfNewHeap = TopOfNewStack;
> if (BaseOfNewHeap >= (UINTN)SecCoreData->PeiTemporaryRamBase) {
> Private->HeapOffsetPositive = TRUE;
> Private->HeapOffset = (UINTN)(BaseOfNewHeap - (UINTN)SecCoreData->PeiTemporaryRamBase);
> } else {
> Private->HeapOffsetPositive = FALSE;
> Private->HeapOffset = (UINTN)((UINTN)SecCoreData->PeiTemporaryRamBase - BaseOfNewHeap);
> }
>
>
> The above code seems to be making a very strange adjustment. I noticed the adjustment in my failing case was off by 0xC0 which is the amount of memory I carved out prior to entering the PEI Core.
>
> https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c#L796
>
> //
> // Temporary Ram Support PPI is provided by platform, it will copy
> // temporary memory to permenent memory and do stack switching.
> // After invoking Temporary Ram Support PPI, the following code's
> // stack is in permanent memory.
> //
> TemporaryRamSupportPpi->TemporaryRamMigration (
> PeiServices,
> TemporaryRamBase,
> (EFI_PHYSICAL_ADDRESS)(UINTN)(TopOfNewStack - TemporaryStackSize),
> TemporaryRamSize
> );
>
>
> And this is also a case in which the stack got bigger. But it seems to me the shift if really defined by TemporaryRamBase, TopOfNewStack, and TemporaryStackSize in this case.
>
> The failure I hit was OldCoreData->Fv pointer was shifted so when the PPI was called the system crashed. Is this a bug in the gEfiTemporaryRamSupportPpiGuid path?
>
> If I changed the HeadOffset algorithm my crash went away? Private->HeapOffset = ((UINTN)TopOfNewStack - TemporaryStackSize) - TemporaryRamBase;
>
> Thanks,
>
> Andrew Fish
>
> PS My failure case was the EmulatorPkg. I've not had a chance to verify this failure in the open source yet, but I'm guessing reversing this #if will make it happen.
>
>
> https://github.com/tianocore/edk2/blob/master/EmulatorPkg/Sec/Sec.c#L107
>
> #if 0
> // Tell the PEI Core to not use our buffer in temp RAM
> SecPpiList = (EFI_PEI_PPI_DESCRIPTOR *)SecCoreData->PeiTemporaryRamBase;
> SecCoreData->PeiTemporaryRamBase = (VOID *)((UINTN)SecCoreData->PeiTemporaryRamBase + SecReseveredMemorySize);
> SecCoreData->PeiTemporaryRamSize -= SecReseveredMemorySize;
> #else
> {
> //
> // When I subtrack from SecCoreData->PeiTemporaryRamBase PEI Core crashes? Either there is a bug
> // or I don't understand temp RAM correctly?
> //
> EFI_PEI_PPI_DESCRIPTOR PpiArray[10];
>
> SecPpiList = &PpiArray[0];
> ASSERT (sizeof (PpiArray) >= SecReseveredMemorySize);
> }
> #endif
>
>
>
>
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org<mailto:edk2-devel@lists.01.org>
> https://lists.01.org/mailman/listinfo/edk2-devel
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org<mailto:edk2-devel@lists.01.org>
> https://lists.01.org/mailman/listinfo/edk2-devel

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org<mailto:edk2-devel@lists.01.org>
https://lists.01.org/mailman/listinfo/edk2-devel