[edk2-devel] [PATCH v2 00/25] Implement Dynamic Memory Protections
Taylor Beebe
taylor.d.beebe at gmail.com
Fri Aug 18 22:31:32 UTC 2023
In the past, memory protection settings were configured via FixedAtBuild PCDs,
which resulted in a build-time configuration of memory mitigations. This
approach limited the flexibility of applying mitigations to the
system and made it difficult to update or adjust the settings post-build.
In a design, the configuration interface has been revised to allow for dynamic
configuration. This is achieved by setting memory protections via a library
interface which stores/updates the memory protection settings in
a GUIDed HOB, which is then consumed during and after DXE handoff.
This patch series adds two libraries:
SetMemoryProtectionsLib: A PEIM that allows for setting/fetching memory
protections and "locking" to prevent further updates via the library interface.
The backing for the settings are a GUIDed HOB that is created by the library
whenever its API is invoked.
GetMemoryProtectionsLib: A DXE library that allows for getting the memory
protection settings for the current boot. This library populates a global
with the settings from the HOB entry (if present) for access in the module.
Previous references to the PCDs are replaced with references to the global.
OvmfPkg has been updated to allow the setting of the memory protection profile
via QemuCfg instead of just the NxForStack setting. If no profile is passed,
the platform will default to the Debug profile for DXE and Off profile for MM.
ArmVirtPkg will use the Release profile.
Reference: https://github.com/tianocore/edk2/pull/4566
Cc: Abner Chang <abner.chang at amd.com>
Cc: Andrei Warkentin <andrei.warkentin at intel.com>
Cc: Anatol Belski <anbelski at linux.microsoft.com>
Cc: Andrew Fish <afish at apple.com>
Cc: Anthony Perard <anthony.perard at citrix.com>
Cc: Ard Biesheuvel <ardb+tianocore at kernel.org>
Cc: Corvin Köhne <corvink at freebsd.org>
Cc: Dandan Bi <dandan.bi at intel.com>
Cc: Eric Dong <eric.dong at intel.com>
Cc: Erdem Aktas <erdemaktas at google.com>
Cc: Gerd Hoffmann <kraxel at redhat.com>
Cc: Guo Dong <guo.dong at intel.com>
Cc: Gua Guo <gua.guo at intel.com>
Cc: James Bottomley <jejb at linux.ibm.com>
Cc: James Lu <james.lu at intel.com>
Cc: Jian J Wang <jian.j.wang at intel.com>
Cc: Jianyong Wu <jianyong.wu at arm.com>
Cc: Jiewen Yao <jiewen.yao at intel.com>
Cc: Jordan Justen <jordan.l.justen at intel.com>
Cc: Julien Grall <julien at xen.org>
Cc: Leif Lindholm <quic_llindhol at quicinc.com>
Cc: Liming Gao <gaoliming at byosoft.com.cn>
Cc: Michael Roth <michael.roth at amd.com>
Cc: Min Xu <min.m.xu at intel.com>
Cc: Peter Grehan <grehan at freebsd.org>
Cc: Rahul Kumar <rahul1.kumar at intel.com>
Cc: Ray Ni <ray.ni at intel.com>
Cc: Rebecca Cran <rebecca at bsdio.com>
Cc: Sami Mujawar <sami.mujawar at arm.com>
Cc: Sean Rhodes <sean at starlabs.systems>
Cc: Sunil V L <sunilvl at ventanamicro.com>
Cc: Tom Lendacky <thomas.lendacky at amd.com>
Taylor Beebe (25):
MdeModulePkg: Add DXE and MM Memory Protection Settings Definitions
MdeModulePkg: Define SetMemoryProtectionsLib and
GetMemoryProtectionsLib
MdeModulePkg: Add NULL Instances for Get/SetMemoryProtectionsLib
MdeModulePkg: Implement SetMemoryProtectionsLib and
GetMemoryProtectionsLib
MdeModulePkg: Apply Protections to the HOB List
MdeModulePkg: Check Print Level Before Dumping GCD Memory Map
UefiCpuPkg: Always Set Stack Guard in MpPei Init
ArmVirtPkg: Add Memory Protection Library Definitions to Platforms
OvmfPkg: Add Memory Protection Library Definitions to Platforms
OvmfPkg: Apply Memory Protections via SetMemoryProtectionsLib
OvmfPkg: Update PeilessStartupLib to use SetMemoryProtectionsLib
UefiPayloadPkg: Update DXE Handoff to use SetMemoryProtectionsLib
MdeModulePkg: Update DXE Handoff to use SetMemoryProtectionsLib
ArmPkg: Use GetMemoryProtectionsLib instead of Memory Protection PCDs
EmulatorPkg: Use GetMemoryProtectionsLib instead of Memory Protection
PCDs
OvmfPkg: Use GetMemoryProtectionsLib instead of Memory Protection PCDs
UefiCpuPkg: Use GetMemoryProtectionsLib instead of Memory Protection
PCDs
MdeModulePkg: Use GetMemoryProtectionsLib instead of Memory Protection
PCDs
MdeModulePkg: Add Additional Profiles to SetMemoryProtectionsLib
OvmfPkg: Enable Choosing Memory Protection Profile via QemuCfg
ArmVirtPkg: Apply Memory Protections via SetMemoryProtectionsLib
MdeModulePkg: Delete PCD Profile from SetMemoryProtectionsLib
OvmfPkg: Delete Memory Protection PCDs
ArmVirtPkg: Delete Memory Protection PCDs
MdeModulePkg: Delete Memory Protection PCDs
ArmPkg/Drivers/CpuDxe/CpuDxe.c | 5 +-
ArmVirtPkg/MemoryInitPei/MemoryInitPeim.c | 11 +-
MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c | 4 +-
MdeModulePkg/Core/Dxe/Gcd/Gcd.c | 22 +-
MdeModulePkg/Core/Dxe/Mem/HeapGuard.c | 46 +-
MdeModulePkg/Core/Dxe/Mem/Page.c | 2 +-
MdeModulePkg/Core/Dxe/Mem/Pool.c | 4 +-
MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c | 96 ++-
MdeModulePkg/Core/DxeIplPeim/DxeHandoff.c | 4 +-
MdeModulePkg/Core/DxeIplPeim/DxeLoad.c | 2 +
MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c | 9 +-
MdeModulePkg/Core/DxeIplPeim/X64/DxeLoadFunc.c | 6 +-
MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c | 16 +-
MdeModulePkg/Core/PiSmmCore/HeapGuard.c | 29 +-
MdeModulePkg/Core/PiSmmCore/Pool.c | 4 +-
MdeModulePkg/Library/GetMemoryProtectionsLib/DxeGetMemoryProtectionsLib.c | 158 ++++
MdeModulePkg/Library/GetMemoryProtectionsLib/GetMemoryProtectionsLibNull.c | 29 +
MdeModulePkg/Library/GetMemoryProtectionsLib/MmGetMemoryProtectionsLib.c | 124 ++++
MdeModulePkg/Library/SetMemoryProtectionsLib/SetMemoryProtectionsLib.c | 781 ++++++++++++++++++++
MdeModulePkg/Library/SetMemoryProtectionsLib/SetMemoryProtectionsLibNull.c | 144 ++++
OvmfPkg/Fdt/HighMemDxe/HighMemDxe.c | 5 +-
OvmfPkg/Library/PeilessStartupLib/DxeLoad.c | 6 +-
OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c | 59 +-
OvmfPkg/Library/PeilessStartupLib/X64/VirtualMemory.c | 26 +-
OvmfPkg/Library/PlatformInitLib/Platform.c | 15 -
OvmfPkg/Library/QemuFwCfgSimpleParserLib/QemuFwCfgSimpleParser.c | 11 +
OvmfPkg/PlatformPei/IntelTdx.c | 2 -
OvmfPkg/PlatformPei/Platform.c | 73 +-
OvmfPkg/QemuVideoDxe/VbeShim.c | 3 +-
OvmfPkg/TdxDxe/TdxDxe.c | 7 +-
UefiCpuPkg/CpuDxe/CpuDxe.c | 2 +-
UefiCpuPkg/CpuDxe/CpuMp.c | 2 +-
UefiCpuPkg/CpuMpPei/CpuMpPei.c | 8 +-
UefiCpuPkg/CpuMpPei/CpuPaging.c | 16 +-
UefiCpuPkg/Library/CpuExceptionHandlerLib/UnitTest/CpuExceptionHandlerTestCommon.c | 6 +-
UefiCpuPkg/Library/CpuExceptionHandlerLib/UnitTest/DxeCpuExceptionHandlerUnitTest.c | 15 +
UefiCpuPkg/Library/CpuExceptionHandlerLib/UnitTest/PeiCpuExceptionHandlerUnitTest.c | 21 +
UefiCpuPkg/Library/MpInitLib/DxeMpLib.c | 3 +-
UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/PageTbl.c | 2 +-
UefiCpuPkg/PiSmmCpuDxeSmm/SmmCpuMemoryManagement.c | 13 +-
UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c | 2 +-
UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c | 2 +-
UefiPayloadPkg/UefiPayloadEntry/Ia32/DxeLoadFunc.c | 11 +-
UefiPayloadPkg/UefiPayloadEntry/LoadDxeCore.c | 2 +
UefiPayloadPkg/UefiPayloadEntry/X64/DxeLoadFunc.c | 8 +-
UefiPayloadPkg/UefiPayloadEntry/X64/VirtualMemory.c | 15 +-
ArmPkg/ArmPkg.dsc | 1 +
ArmPkg/Drivers/CpuDxe/CpuDxe.inf | 2 +-
ArmVirtPkg/ArmVirt.dsc.inc | 21 +-
ArmVirtPkg/ArmVirtCloudHv.dsc | 5 -
ArmVirtPkg/ArmVirtQemu.dsc | 5 -
ArmVirtPkg/MemoryInitPei/MemoryInitPeim.inf | 1 +
EmulatorPkg/EmulatorPkg.dsc | 3 +-
MdeModulePkg/Core/Dxe/DxeMain.h | 1 +
MdeModulePkg/Core/Dxe/DxeMain.inf | 9 +-
MdeModulePkg/Core/DxeIplPeim/DxeIpl.h | 3 +
MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf | 11 +-
MdeModulePkg/Core/PiSmmCore/PiSmmCore.h | 1 +
MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf | 4 +-
MdeModulePkg/Include/Guid/MemoryProtectionSettings.h | 216 ++++++
MdeModulePkg/Include/Library/GetMemoryProtectionsLib.h | 83 +++
MdeModulePkg/Include/Library/SetMemoryProtectionsLib.h | 157 ++++
MdeModulePkg/Library/GetMemoryProtectionsLib/DxeGetMemoryProtectionsLib.inf | 34 +
MdeModulePkg/Library/GetMemoryProtectionsLib/GetMemoryProtectionsLibNull.inf | 25 +
MdeModulePkg/Library/GetMemoryProtectionsLib/MmGetMemoryProtectionsLib.inf | 34 +
MdeModulePkg/Library/SetMemoryProtectionsLib/SetMemoryProtectionsLib.inf | 37 +
MdeModulePkg/Library/SetMemoryProtectionsLib/SetMemoryProtectionsLibNull.inf | 25 +
MdeModulePkg/MdeModulePkg.dec | 182 +----
MdeModulePkg/MdeModulePkg.dsc | 7 +
MdeModulePkg/MdeModulePkg.uni | 153 ----
OvmfPkg/AmdSev/AmdSevX64.dsc | 4 +-
OvmfPkg/Bhyve/BhyveX64.dsc | 4 +-
OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf | 1 -
OvmfPkg/CloudHv/CloudHvX64.dsc | 4 +-
OvmfPkg/Fdt/HighMemDxe/HighMemDxe.inf | 4 +-
OvmfPkg/Include/Dsc/MemoryProtectionLibraries.dsc.inc | 15 +
OvmfPkg/Include/Library/PlatformInitLib.h | 13 -
OvmfPkg/Include/Library/QemuFwCfgSimpleParserLib.h | 8 +
OvmfPkg/IntelTdx/IntelTdxX64.dsc | 5 +-
OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf | 6 +-
OvmfPkg/Microvm/MicrovmX64.dsc | 5 +-
OvmfPkg/OvmfPkgIa32.dsc | 4 +-
OvmfPkg/OvmfPkgIa32X64.dsc | 4 +-
OvmfPkg/OvmfPkgX64.dsc | 4 +-
OvmfPkg/OvmfXen.dsc | 5 +-
OvmfPkg/PlatformCI/PlatformBuildLib.py | 31 +-
OvmfPkg/PlatformPei/PlatformPei.inf | 2 +-
OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf | 2 +-
OvmfPkg/RiscVVirt/RiscVVirt.dsc.inc | 13 -
OvmfPkg/RiscVVirt/RiscVVirtQemu.dsc | 2 +
OvmfPkg/TdxDxe/TdxDxe.inf | 1 -
UefiCpuPkg/CpuDxe/CpuDxe.h | 11 +-
UefiCpuPkg/CpuDxe/CpuDxe.inf | 4 +-
UefiCpuPkg/CpuDxeRiscV64/CpuDxeRiscV64.inf | 3 -
UefiCpuPkg/CpuMpPei/CpuMpPei.h | 3 +-
UefiCpuPkg/CpuMpPei/CpuMpPei.inf | 1 -
UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib.inf | 1 -
UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuExceptionHandlerLib.inf | 1 -
UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.inf | 1 -
UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLib.inf | 1 -
UefiCpuPkg/Library/CpuExceptionHandlerLib/UnitTest/CpuExceptionHandlerTest.h | 13 +-
UefiCpuPkg/Library/CpuExceptionHandlerLib/UnitTest/DxeCpuExceptionHandlerLibUnitTest.inf | 2 +-
UefiCpuPkg/Library/CpuExceptionHandlerLib/UnitTest/PeiCpuExceptionHandlerLibUnitTest.inf | 2 +-
UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf | 3 +-
UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.inf | 3 +-
UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfileInternal.h | 9 +-
UefiCpuPkg/UefiCpuPkg.dec | 7 +-
UefiCpuPkg/UefiCpuPkg.dsc | 2 +
UefiCpuPkg/UefiCpuPkg.uni | 10 +-
UefiPayloadPkg/UefiPayloadEntry/UefiPayloadEntry.h | 1 +
UefiPayloadPkg/UefiPayloadEntry/UefiPayloadEntry.inf | 9 +-
UefiPayloadPkg/UefiPayloadEntry/UniversalPayloadEntry.inf | 9 +-
UefiPayloadPkg/UefiPayloadPkg.dsc | 12 +
113 files changed, 2404 insertions(+), 692 deletions(-)
create mode 100644 MdeModulePkg/Library/GetMemoryProtectionsLib/DxeGetMemoryProtectionsLib.c
create mode 100644 MdeModulePkg/Library/GetMemoryProtectionsLib/GetMemoryProtectionsLibNull.c
create mode 100644 MdeModulePkg/Library/GetMemoryProtectionsLib/MmGetMemoryProtectionsLib.c
create mode 100644 MdeModulePkg/Library/SetMemoryProtectionsLib/SetMemoryProtectionsLib.c
create mode 100644 MdeModulePkg/Library/SetMemoryProtectionsLib/SetMemoryProtectionsLibNull.c
create mode 100644 MdeModulePkg/Include/Guid/MemoryProtectionSettings.h
create mode 100644 MdeModulePkg/Include/Library/GetMemoryProtectionsLib.h
create mode 100644 MdeModulePkg/Include/Library/SetMemoryProtectionsLib.h
create mode 100644 MdeModulePkg/Library/GetMemoryProtectionsLib/DxeGetMemoryProtectionsLib.inf
create mode 100644 MdeModulePkg/Library/GetMemoryProtectionsLib/GetMemoryProtectionsLibNull.inf
create mode 100644 MdeModulePkg/Library/GetMemoryProtectionsLib/MmGetMemoryProtectionsLib.inf
create mode 100644 MdeModulePkg/Library/SetMemoryProtectionsLib/SetMemoryProtectionsLib.inf
create mode 100644 MdeModulePkg/Library/SetMemoryProtectionsLib/SetMemoryProtectionsLibNull.inf
create mode 100644 OvmfPkg/Include/Dsc/MemoryProtectionLibraries.dsc.inc
--
2.41.0.windows.3
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107855): https://edk2.groups.io/g/devel/message/107855
Mute This Topic: https://groups.io/mt/100830898/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
More information about the edk2-devel-archive
mailing list