public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Taylor Beebe" <t@taylorbeebe.com>
To: devel@edk2.groups.io
Cc: Jian J Wang <jian.j.wang@intel.com>,
	Liming Gao <gaoliming@byosoft.com.cn>,
	Dandan Bi <dandan.bi@intel.com>,
	Ard Biesheuvel <ardb+tianocore@kernel.org>,
	Jiewen Yao <jiewen.yao@intel.com>,
	Jordan Justen <jordan.l.justen@intel.com>,
	Gerd Hoffmann <kraxel@redhat.com>,
	Leif Lindholm <quic_llindhol@quicinc.com>,
	Sami Mujawar <sami.mujawar@arm.com>,
	Andrew Fish <afish@apple.com>, Ray Ni <ray.ni@intel.com>,
	Eric Dong <eric.dong@intel.com>,
	Rahul Kumar <rahul1.kumar@intel.com>,
	Guo Dong <guo.dong@intel.com>,
	Sean Rhodes <sean@starlabs.systems>,
	James Lu <james.lu@intel.com>, Gua Guo <gua.guo@intel.com>
Subject: [PATCH 00/14] Implement Dynamic Memory Protections
Date: Tue, 11 Jul 2023 16:52:37 -0700	[thread overview]
Message-ID: <cover.1689101263.git.t@taylorbeebe.com> (raw)

In the past, memory protection settings were configured via FixedAtBuild PCDs,
which resulted in a build-time configuration of memory mitigations. This
approach limited the flexibility of applying mitigations to the
system and made it difficult to update or adjust the settings post-build.

In a design, the configuration interface has been revised to allow for dynamic
configuration. This is achieved with HOBs that are published prior to invocation
of the HandoffToDxe() function.

OvmfPkg/PlatformPei/Platform.c contains an example of how to publish the HOB
for DXE and MM.

To check the memory protection settings after PEI, the HOB can be easily consumed,
sanity checked, and put into a global for access via the inclusion of the DXE
or MM HOB libraries.

This patch series also increases the memory protection level for OvmfPkg and
ArmVirtPkg.

Reference: https://github.com/tianocore/edk2/pull/4566

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Leif Lindholm <quic_llindhol@quicinc.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Andrew Fish <afish@apple.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Cc: Guo Dong <guo.dong@intel.com>
Cc: Sean Rhodes <sean@starlabs.systems>
Cc: James Lu <james.lu@intel.com>
Cc: Gua Guo <gua.guo@intel.com>

Taylor Beebe (14):
  MdeModulePkg: Add DXE and MM Memory Protection Settings Definitions
  MdeModulePkg: Add MemoryProtectionHobLib Definitions and NULL Libs
  MdeModulePkg: Add Phase-Specific MemoryProtectionHobLib
    Implementations
  OvmfPkg: Create the memory protection settings HOB
  ArmVirtPkg: Create memory protection settings HOB
  ArmPkg: Update to use memory protection HOB
  EmulatorPkg: Update to use memory protection HOB
  MdeModulePkg: Update to use memory protection HOB
  OvmfPkg: Update to use memory protection HOB
  UefiCpuPkg: Update to use memory protection HOB
  UefiPayloadPkg: Update to use memory protection HOB
  OvmfPkg: Delete Memory Protection PCDs
  ArmVirtPkg: Delete Memory Protection PCDs
  MdeModulePkg: Delete Memory Protection PCDs

 ArmPkg/ArmPkg.dsc                             |   1 +
 ArmPkg/Drivers/CpuDxe/CpuDxe.c                |   5 +-
 ArmPkg/Drivers/CpuDxe/CpuDxe.inf              |   2 +-
 ArmVirtPkg/ArmVirt.dsc.inc                    |  24 +-
 ArmVirtPkg/ArmVirtCloudHv.dsc                 |   5 -
 ArmVirtPkg/ArmVirtQemu.dsc                    |   5 -
 ArmVirtPkg/MemoryInitPei/MemoryInitPeim.c     |  25 +-
 ArmVirtPkg/MemoryInitPei/MemoryInitPeim.inf   |   2 +
 EmulatorPkg/EmulatorPkg.dsc                   |   2 +-
 MdeModulePkg/Core/Dxe/DxeMain.h               |   1 +
 MdeModulePkg/Core/Dxe/DxeMain.inf             |   9 +-
 MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c       |   8 +-
 MdeModulePkg/Core/Dxe/Mem/HeapGuard.c         |  88 ++--
 MdeModulePkg/Core/Dxe/Mem/HeapGuard.h         |  24 +-
 MdeModulePkg/Core/Dxe/Mem/Page.c              |   4 +-
 MdeModulePkg/Core/Dxe/Mem/Pool.c              |   6 +-
 MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c | 338 +++++++-------
 MdeModulePkg/Core/DxeIplPeim/DxeHandoff.c     |   4 +-
 MdeModulePkg/Core/DxeIplPeim/DxeIpl.h         |  15 +
 MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf       |  13 +-
 MdeModulePkg/Core/DxeIplPeim/DxeLoad.c        |  26 ++
 .../Core/DxeIplPeim/Ia32/DxeLoadFunc.c        |  57 +--
 .../Core/DxeIplPeim/X64/DxeLoadFunc.c         |  20 +-
 .../Core/DxeIplPeim/X64/VirtualMemory.c       |  87 ++--
 .../Core/DxeIplPeim/X64/VirtualMemory.h       |  23 +-
 MdeModulePkg/Core/PiSmmCore/HeapGuard.c       |  60 +--
 MdeModulePkg/Core/PiSmmCore/HeapGuard.h       |  20 +-
 MdeModulePkg/Core/PiSmmCore/Page.c            |   6 +-
 MdeModulePkg/Core/PiSmmCore/PiSmmCore.h       |   1 +
 MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf     |   4 +-
 MdeModulePkg/Core/PiSmmCore/Pool.c            |   9 +-
 .../Guid/DxeMemoryProtectionSettings.h        | 413 ++++++++++++++++++
 .../Include/Guid/MmMemoryProtectionSettings.h | 211 +++++++++
 .../Library/DxeMemoryProtectionHobLib.h       |  20 +
 .../Library/MmMemoryProtectionHobLib.h        |  20 +
 .../DxeMemoryProtectionHobLib.c               | 132 ++++++
 .../DxeMemoryProtectionHobLib.inf             |  34 ++
 .../MmCommonMemoryProtectionHobLib.c          |  89 ++++
 .../SmmMemoryProtectionHobLib.c               |  37 ++
 .../SmmMemoryProtectionHobLib.inf             |  35 ++
 .../StandaloneMmMemoryProtectionHobLib.c      |  37 ++
 .../StandaloneMmMemoryProtectionHobLib.inf    |  36 ++
 .../DxeMemoryProtectionHobLibNull.c           |  13 +
 .../DxeMemoryProtectionHobLibNull.inf         |  28 ++
 .../MmMemoryProtectionHobLibNull.c            |  13 +
 .../MmMemoryProtectionHobLibNull.inf          |  28 ++
 MdeModulePkg/MdeModulePkg.dec                 | 187 +-------
 MdeModulePkg/MdeModulePkg.dsc                 |  11 +
 MdeModulePkg/MdeModulePkg.uni                 | 153 -------
 OvmfPkg/AmdSev/AmdSevX64.dsc                  |   5 +-
 OvmfPkg/Bhyve/BhyveX64.dsc                    |   5 +-
 OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf     |   1 -
 OvmfPkg/CloudHv/CloudHvX64.dsc                |   5 +-
 OvmfPkg/Fdt/HighMemDxe/HighMemDxe.c           |   5 +-
 OvmfPkg/Fdt/HighMemDxe/HighMemDxe.inf         |   4 +-
 .../Dsc/MemoryProtectionLibraries.dsc.inc     |  15 +
 OvmfPkg/Include/Library/PlatformInitLib.h     |  13 -
 OvmfPkg/IntelTdx/IntelTdxX64.dsc              |   5 +-
 OvmfPkg/Library/PeilessStartupLib/DxeLoad.c   |  25 +-
 .../PeilessStartupLib/PeilessStartup.c        |   3 -
 .../PeilessStartupLib/PeilessStartupLib.inf   |   5 +-
 .../PeilessStartupLib/X64/PageTables.h        |  23 +-
 .../PeilessStartupLib/X64/VirtualMemory.c     | 107 ++---
 OvmfPkg/Library/PlatformInitLib/Platform.c    |  15 -
 OvmfPkg/Microvm/MicrovmX64.dsc                |   5 +-
 OvmfPkg/OvmfPkgIa32.dsc                       |   5 +-
 OvmfPkg/OvmfPkgIa32X64.dsc                    |   5 +-
 OvmfPkg/OvmfPkgX64.dsc                        |   5 +-
 OvmfPkg/OvmfXen.dsc                           |   5 +-
 OvmfPkg/PlatformPei/IntelTdx.c                |   2 -
 OvmfPkg/PlatformPei/Platform.c                |  43 +-
 OvmfPkg/PlatformPei/PlatformPei.inf           |   3 +-
 OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf         |   2 +-
 OvmfPkg/QemuVideoDxe/VbeShim.c                |   5 +-
 OvmfPkg/RiscVVirt/RiscVVirt.dsc.inc           |  13 -
 OvmfPkg/RiscVVirt/RiscVVirtQemu.dsc           |   1 +
 OvmfPkg/TdxDxe/TdxDxe.c                       |   7 +-
 OvmfPkg/TdxDxe/TdxDxe.inf                     |   1 -
 UefiCpuPkg/CpuDxe/CpuDxe.c                    |   2 +-
 UefiCpuPkg/CpuDxe/CpuDxe.h                    |  11 +-
 UefiCpuPkg/CpuDxe/CpuDxe.inf                  |   4 +-
 UefiCpuPkg/CpuDxe/CpuMp.c                     |   2 +-
 UefiCpuPkg/CpuDxeRiscV64/CpuDxeRiscV64.inf    |   3 -
 UefiCpuPkg/CpuMpPei/CpuMpPei.c                |   8 +-
 UefiCpuPkg/CpuMpPei/CpuMpPei.h                |   3 +-
 UefiCpuPkg/CpuMpPei/CpuMpPei.inf              |   1 -
 UefiCpuPkg/CpuMpPei/CpuPaging.c               |  14 +-
 .../DxeCpuExceptionHandlerLib.inf             |   1 -
 .../PeiCpuExceptionHandlerLib.inf             |   1 -
 .../SecPeiCpuExceptionHandlerLib.inf          |   1 -
 .../SmmCpuExceptionHandlerLib.inf             |   1 -
 .../UnitTest/CpuExceptionHandlerTest.h        |   3 +-
 .../UnitTest/CpuExceptionHandlerTestCommon.c  |  27 +-
 .../DxeCpuExceptionHandlerLibUnitTest.inf     |   2 +-
 .../PeiCpuExceptionHandlerLibUnitTest.inf     |   4 +-
 UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf |   3 +-
 UefiCpuPkg/Library/MpInitLib/DxeMpLib.c       |   3 +-
 UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/PageTbl.c      |   2 +-
 UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.inf  |   3 +-
 .../PiSmmCpuDxeSmm/SmmCpuMemoryManagement.c   |  13 +-
 UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c        |   2 +-
 .../PiSmmCpuDxeSmm/SmmProfileInternal.h       |  10 +-
 UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c       |   2 +-
 UefiCpuPkg/UefiCpuPkg.dec                     |   7 +-
 UefiCpuPkg/UefiCpuPkg.dsc                     |   2 +
 UefiCpuPkg/UefiCpuPkg.uni                     |  10 +-
 .../UefiPayloadEntry/Ia32/DxeLoadFunc.c       | 149 +------
 UefiPayloadPkg/UefiPayloadEntry/LoadDxeCore.c |  26 ++
 .../UefiPayloadEntry/UefiPayloadEntry.h       |  15 +
 .../UefiPayloadEntry/UefiPayloadEntry.inf     |   9 +-
 .../UniversalPayloadEntry.inf                 |   9 +-
 .../UefiPayloadEntry/X64/DxeLoadFunc.c        |  25 +-
 .../UefiPayloadEntry/X64/VirtualMemory.c      |  78 ++--
 .../UefiPayloadEntry/X64/VirtualMemory.h      |  23 +-
 UefiPayloadPkg/UefiPayloadPkg.dsc             |   1 +
 115 files changed, 1888 insertions(+), 1321 deletions(-)
 create mode 100644 MdeModulePkg/Include/Guid/DxeMemoryProtectionSettings.h
 create mode 100644 MdeModulePkg/Include/Guid/MmMemoryProtectionSettings.h
 create mode 100644 MdeModulePkg/Include/Library/DxeMemoryProtectionHobLib.h
 create mode 100644 MdeModulePkg/Include/Library/MmMemoryProtectionHobLib.h
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLib/DxeMemoryProtectionHobLib.c
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLib/DxeMemoryProtectionHobLib.inf
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLib/MmCommonMemoryProtectionHobLib.c
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLib/SmmMemoryProtectionHobLib.c
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLib/SmmMemoryProtectionHobLib.inf
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLib/StandaloneMmMemoryProtectionHobLib.c
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLib/StandaloneMmMemoryProtectionHobLib.inf
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLibNull/DxeMemoryProtectionHobLibNull.c
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLibNull/DxeMemoryProtectionHobLibNull.inf
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLibNull/MmMemoryProtectionHobLibNull.c
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLibNull/MmMemoryProtectionHobLibNull.inf
 create mode 100644 OvmfPkg/Include/Dsc/MemoryProtectionLibraries.dsc.inc

-- 
2.41.0.windows.2


             reply	other threads:[~2023-07-11 23:53 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-07-11 23:52 Taylor Beebe [this message]
2023-07-11 23:52 ` [PATCH 01/14] MdeModulePkg: Add DXE and MM Memory Protection Settings Definitions Taylor Beebe
2023-07-11 23:52 ` [PATCH 02/14] MdeModulePkg: Add MemoryProtectionHobLib Definitions and NULL Libs Taylor Beebe
2023-07-11 23:52 ` [PATCH 03/14] MdeModulePkg: Add Phase-Specific MemoryProtectionHobLib Implementations Taylor Beebe
2023-07-11 23:52 ` [PATCH 04/14] OvmfPkg: Create the memory protection settings HOB Taylor Beebe
2023-07-11 23:52 ` [PATCH 05/14] ArmVirtPkg: Create " Taylor Beebe
2023-07-11 23:52 ` [PATCH 06/14] ArmPkg: Update to use memory protection HOB Taylor Beebe
2023-07-11 23:52 ` [PATCH 07/14] EmulatorPkg: " Taylor Beebe
2023-07-11 23:52 ` [PATCH 08/14] MdeModulePkg: " Taylor Beebe
2023-07-11 23:52 ` [PATCH 09/14] OvmfPkg: " Taylor Beebe
2023-07-11 23:52 ` [PATCH 10/14] UefiCpuPkg: " Taylor Beebe
2023-07-11 23:52 ` [PATCH 11/14] UefiPayloadPkg: " Taylor Beebe
2023-07-11 23:52 ` [PATCH 12/14] OvmfPkg: Delete Memory Protection PCDs Taylor Beebe
2023-07-11 23:52 ` [PATCH 14/14] MdeModulePkg: " Taylor Beebe
2023-07-11 23:52 ` Taylor Beebe
     [not found] ` <1770F551E2E594C0.16575@groups.io>
2023-07-12  0:01   ` [edk2-devel] " Taylor Beebe
2023-07-12 10:05 ` [PATCH 00/14] Implement Dynamic Memory Protections Gerd Hoffmann
2023-07-12 21:54   ` Taylor Beebe
2023-07-17 11:14     ` [edk2-devel] " Gerd Hoffmann
2023-07-17 16:15 ` Pedro Falcato
2023-07-17 16:25   ` Ard Biesheuvel
2023-07-17 16:49     ` Pedro Falcato
2023-07-18  2:45       ` Taylor Beebe
2023-07-18  6:11     ` Ni, Ray

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=cover.1689101263.git.t@taylorbeebe.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox