[edk2-devel] [PATCH 09/14] OvmfPkg: Update to use memory protection HOB

Taylor Beebe t at taylorbeebe.com
Tue Jul 11 23:52:46 UTC 2023


From: Taylor Beebe <tabeebe at microsoft.com>

Replace references to the memory protection PCDs with references
to the memory protection HOB.

The stack NX setting will no longer be fetched from the QEMU
configuration file and will instead be determined via the
HOB published in PlatformPei/Platform.c. PeilessStartup
will check the HOB when creating the page tables
at DXE handoff.

Signed-off-by: Taylor Beebe <t at taylorbeebe.com>
Cc: Ard Biesheuvel <ardb+tianocore at kernel.org>
Cc: Jiewen Yao <jiewen.yao at intel.com>
Cc: Jordan Justen <jordan.l.justen at intel.com>
Cc: Gerd Hoffmann <kraxel at redhat.com>
---
 OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf     |   1 -
 OvmfPkg/Fdt/HighMemDxe/HighMemDxe.c           |   5 +-
 OvmfPkg/Fdt/HighMemDxe/HighMemDxe.inf         |   4 +-
 OvmfPkg/Include/Library/PlatformInitLib.h     |  13 ---
 OvmfPkg/Library/PeilessStartupLib/DxeLoad.c   |  25 ++--
 .../PeilessStartupLib/PeilessStartup.c        |   3 -
 .../PeilessStartupLib/PeilessStartupLib.inf   |   5 +-
 .../PeilessStartupLib/X64/PageTables.h        |  23 +---
 .../PeilessStartupLib/X64/VirtualMemory.c     | 107 ++++++------------
 OvmfPkg/Library/PlatformInitLib/Platform.c    |  15 ---
 OvmfPkg/PlatformPei/IntelTdx.c                |   2 -
 OvmfPkg/PlatformPei/Platform.c                |  16 ---
 OvmfPkg/PlatformPei/PlatformPei.inf           |   1 -
 OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf         |   2 +-
 OvmfPkg/QemuVideoDxe/VbeShim.c                |   5 +-
 OvmfPkg/RiscVVirt/RiscVVirt.dsc.inc           |  13 ---
 OvmfPkg/TdxDxe/TdxDxe.c                       |   7 +-
 OvmfPkg/TdxDxe/TdxDxe.inf                     |   1 -
 18 files changed, 68 insertions(+), 180 deletions(-)

diff --git a/OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf b/OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf
index 739d63098b..27b4a595fe 100644
--- a/OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf
+++ b/OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf
@@ -88,7 +88,6 @@
   gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved
   gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplSwitchToLongMode
   gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable
-  gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack
   gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable
   gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask
   gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy
diff --git a/OvmfPkg/Fdt/HighMemDxe/HighMemDxe.c b/OvmfPkg/Fdt/HighMemDxe/HighMemDxe.c
index 779bf5c827..93bce776a9 100644
--- a/OvmfPkg/Fdt/HighMemDxe/HighMemDxe.c
+++ b/OvmfPkg/Fdt/HighMemDxe/HighMemDxe.c
@@ -13,6 +13,7 @@
 #include <Library/DxeServicesTableLib.h>
 #include <Library/PcdLib.h>
 #include <Library/UefiBootServicesTableLib.h>
+#include <Library/DxeMemoryProtectionHobLib.h>
 
 #include <Protocol/Cpu.h>
 #include <Protocol/FdtClient.h>
@@ -148,9 +149,7 @@ InitializeHighMemDxe (
         // on the page table mappings by going through the cpu arch protocol.
         //
         Attributes = EFI_MEMORY_WB;
-        if ((PcdGet64 (PcdDxeNxMemoryProtectionPolicy) &
-             (1U << (UINT32)EfiConventionalMemory)) != 0)
-        {
+        if (gDxeMps.ExecutionProtection.EnabledForType[EfiConventionalMemory]) {
           Attributes |= EFI_MEMORY_XP;
         }
 
diff --git a/OvmfPkg/Fdt/HighMemDxe/HighMemDxe.inf b/OvmfPkg/Fdt/HighMemDxe/HighMemDxe.inf
index c7dde9f455..2d3add492b 100644
--- a/OvmfPkg/Fdt/HighMemDxe/HighMemDxe.inf
+++ b/OvmfPkg/Fdt/HighMemDxe/HighMemDxe.inf
@@ -33,13 +33,11 @@
   PcdLib
   UefiBootServicesTableLib
   UefiDriverEntryPoint
+  DxeMemoryProtectionHobLib
 
 [Protocols]
   gEfiCpuArchProtocolGuid                 ## CONSUMES
   gFdtClientProtocolGuid                  ## CONSUMES
 
-[Pcd]
-  gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy
-
 [Depex]
   gEfiCpuArchProtocolGuid AND gFdtClientProtocolGuid
diff --git a/OvmfPkg/Include/Library/PlatformInitLib.h b/OvmfPkg/Include/Library/PlatformInitLib.h
index 57b18b94d9..b2468f2063 100644
--- a/OvmfPkg/Include/Library/PlatformInitLib.h
+++ b/OvmfPkg/Include/Library/PlatformInitLib.h
@@ -32,7 +32,6 @@ typedef struct {
   UINT32               Uc32Base;
   UINT32               Uc32Size;
 
-  BOOLEAN              PcdSetNxForStack;
   UINT64               PcdTdxSharedBitMask;
 
   UINT64               PcdPciMmio64Base;
@@ -182,18 +181,6 @@ PlatformMemMapInitialization (
   IN OUT EFI_HOB_PLATFORM_INFO  *PlatformInfoHob
   );
 
-/**
- * Fetch "opt/ovmf/PcdSetNxForStack" from QEMU
- *
- * @param Setting     The pointer to the setting of "/opt/ovmf/PcdSetNxForStack".
- * @return EFI_SUCCESS  Successfully fetch the settings.
- */
-EFI_STATUS
-EFIAPI
-PlatformNoexecDxeInitialization (
-  IN OUT EFI_HOB_PLATFORM_INFO  *PlatformInfoHob
-  );
-
 VOID
 EFIAPI
 PlatformMiscInitialization (
diff --git a/OvmfPkg/Library/PeilessStartupLib/DxeLoad.c b/OvmfPkg/Library/PeilessStartupLib/DxeLoad.c
index d34690eb8a..169b4931a6 100644
--- a/OvmfPkg/Library/PeilessStartupLib/DxeLoad.c
+++ b/OvmfPkg/Library/PeilessStartupLib/DxeLoad.c
@@ -11,18 +11,21 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include <Library/DebugLib.h>
 #include <Library/BaseLib.h>
 #include <Library/BaseMemoryLib.h>
+#include <Library/HobLib.h>
 #include <Library/MemoryAllocationLib.h>
 #include <Library/PcdLib.h>
 #include <Guid/MemoryTypeInformation.h>
 #include <Guid/MemoryAllocationHob.h>
 #include <Guid/PcdDataBaseSignatureGuid.h>
+#include <Guid/DxeMemoryProtectionSettings.h>
 #include <Register/Intel/Cpuid.h>
 #include <Library/PrePiLib.h>
 #include "X64/PageTables.h"
 #include <Library/ReportStatusCodeLib.h>
 
 #define STACK_SIZE  0x20000
-extern EFI_GUID  gEfiNonCcFvGuid;
+extern EFI_GUID                 gEfiNonCcFvGuid;
+DXE_MEMORY_PROTECTION_SETTINGS  mDxeMps;
 
 /**
    Transfers control to DxeCore.
@@ -41,13 +44,21 @@ HandOffToDxeCore (
   VOID   *BaseOfStack;
   VOID   *TopOfStack;
   UINTN  PageTables;
+  VOID   *Ptr;
 
-  //
-  // Clear page 0 and mark it as allocated if NULL pointer detection is enabled.
-  //
-  if (IsNullDetectionEnabled ()) {
-    ClearFirst4KPage (GetHobList ());
-    BuildMemoryAllocationHob (0, EFI_PAGES_TO_SIZE (1), EfiBootServicesData);
+  Ptr = GetFirstGuidHob (&gDxeMemoryProtectionSettingsGuid);
+
+  if ((Ptr != NULL) && DXE_MPS_IS_STRUCT_VALID (GET_GUID_HOB_DATA (Ptr))) {
+    CopyMem (&mDxeMps, GET_GUID_HOB_DATA (Ptr), sizeof (DXE_MEMORY_PROTECTION_SETTINGS));
+  } else {
+    ZeroMem (&mDxeMps, sizeof (DXE_MEMORY_PROTECTION_SETTINGS));
+  }
+
+  if (mDxeMps.NullPointerDetection.Enabled) {
+    ASSERT (CanAllocateNullPage (GetHobList ()));
+    // Clear NULL page and mark it as allocated for NULL detection
+    SetMem (NULL, EFI_PAGE_SIZE, (UINTN)NULL);
+    BuildMemoryAllocationHob ((UINTN)NULL, EFI_PAGES_TO_SIZE (1), EfiBootServicesData);
   }
 
   //
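Review bot: `ASSERT (CanAllocateNullPage (GetHobList ()))` is the only guard on the page-0 clear, so in a build where ASSERT compiles away, `SetMem (NULL, EFI_PAGE_SIZE, ...)` runs even when the HOB list says page 0 is already allocated or is not system memory — the removed ClearFirst4KPage only wrote when its own scan said the page was free. I would keep the result as the condition, e.g. `if (mDxeMps.NullPointerDetection.Enabled && CanAllocateNullPage (GetHobList ())) {`, and leave the ASSERT as a debug aid on the else path. Separately, a missing or invalid settings HOB zeroes mDxeMps, which silently turns off every protection this file and VirtualMemory.c later consult; a `DEBUG ((DEBUG_WARN, "%a: memory protection settings HOB missing or invalid, protections disabled\n", __func__));` on that branch would make the fail-open visible. The `(UINTN)NULL` fill value passed to SetMem is a UINT8 parameter; `0`, as in the removed code, reads clearer. HandOffToDxeCore starts before and continues after this hunk.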
diff --git a/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c b/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c
index 164aa2d619..581413cd47 100644
--- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c
+++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c
@@ -104,12 +104,9 @@ InitializePlatform (
 
   PlatformMemMapInitialization (PlatformInfoHob);
 
-  PlatformNoexecDxeInitialization (PlatformInfoHob);
-
   if (TdIsEnabled ()) {
     PlatformInfoHob->PcdConfidentialComputingGuestAttr = CCAttrIntelTdx;
     PlatformInfoHob->PcdTdxSharedBitMask               = TdSharedPageMask ();
-    PlatformInfoHob->PcdSetNxForStack                  = TRUE;
   }
 
   PlatformMiscInitialization (PlatformInfoHob);
diff --git a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf
index 7719b5031d..1e0879bb50 100644
--- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf
+++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf
@@ -65,6 +65,7 @@
   gPcdDataBaseHobGuid
   gCcEventEntryHobGuid
   gEfiNonCcFvGuid
+  gDxeMemoryProtectionSettingsGuid
 
 [Pcd]
   gUefiOvmfPkgTokenSpaceGuid.PcdBfvBase
@@ -75,11 +76,7 @@
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbSize
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase
   gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplBuildPageTables       ## CONSUMES
-  gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard               ## CONSUMES
   gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable              ## SOMETIMES_CONSUMES
-  gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy ## SOMETIMES_CONSUMES
-  gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy       ## SOMETIMES_CONSUMES
   gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask    ## CONSUMES
-  gEfiMdeModulePkgTokenSpaceGuid.PcdNullPointerDetectionPropertyMask    ## CONSUMES
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvSize
diff --git a/OvmfPkg/Library/PeilessStartupLib/X64/PageTables.h b/OvmfPkg/Library/PeilessStartupLib/X64/PageTables.h
index a0d0d3547b..ab2ff8b38b 100644
--- a/OvmfPkg/Library/PeilessStartupLib/X64/PageTables.h
+++ b/OvmfPkg/Library/PeilessStartupLib/X64/PageTables.h
@@ -179,28 +179,17 @@ CreateIdentityMappingPageTables (
   );
 
 /**
-  Clear legacy memory located at the first 4K-page.
+  Returns TRUE if the NULL page has not been allocated.
 
-  This function traverses the whole HOB list to check if memory from 0 to 4095
-  exists and has not been allocated, and then clear it if so.
+  @param HobStart                  The start of HobList passed to DxeCore.
 
-  @param HobStart         The start of HobList passed to DxeCore.
+  @retval TRUE                     NULL page is unallocated
+  @retval FALSE                    NULL page cannot be allocated
 
 **/
-VOID
-ClearFirst4KPage (
-  IN  VOID  *HobStart
-  );
-
-/**
-  Return configure status of NULL pointer detection feature.
-
-  @return TRUE   NULL pointer detection feature is enabled
-  @return FALSE  NULL pointer detection feature is disabled
-**/
 BOOLEAN
-IsNullDetectionEnabled (
-  VOID
+CanAllocateNullPage (
+  IN  VOID  *HobStart
   );
 
 #endif
diff --git a/OvmfPkg/Library/PeilessStartupLib/X64/VirtualMemory.c b/OvmfPkg/Library/PeilessStartupLib/X64/VirtualMemory.c
index e2c1bac5e0..25187e730c 100644
--- a/OvmfPkg/Library/PeilessStartupLib/X64/VirtualMemory.c
+++ b/OvmfPkg/Library/PeilessStartupLib/X64/VirtualMemory.c
@@ -17,6 +17,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include <Library/PcdLib.h>
 #include <Guid/MemoryTypeInformation.h>
 #include <Guid/MemoryAllocationHob.h>
+#include <Guid/DxeMemoryProtectionSettings.h>
 #include <Register/Intel/Cpuid.h>
 #include <Library/PlatformInitLib.h>
 #include "PageTables.h"
@@ -45,49 +46,37 @@ UINT64  mLevelSize[5] = {
   SIZE_512GB
 };
 
-BOOLEAN
-IsSetNxForStack (
-  VOID
-  )
-{
-  EFI_HOB_GUID_TYPE      *GuidHob;
-  EFI_HOB_PLATFORM_INFO  *PlatformInfo;
-
-  GuidHob = GetFirstGuidHob (&gUefiOvmfPkgPlatformInfoGuid);
-  if (GuidHob == NULL) {
-    ASSERT (FALSE);
-    return FALSE;
-  }
-
-  PlatformInfo = (EFI_HOB_PLATFORM_INFO *)GET_GUID_HOB_DATA (GuidHob);
-
-  return PlatformInfo->PcdSetNxForStack;
-}
+extern DXE_MEMORY_PROTECTION_SETTINGS  mDxeMps;
 
 /**
-  Clear legacy memory located at the first 4K-page, if available.
-
-  This function traverses the whole HOB list to check if memory from 0 to 4095
-  exists and has not been allocated, and then clear it if so.
+  Returns TRUE if the NULL page has not been allocated.
 
   @param HobStart                  The start of HobList passed to DxeCore.
 
+  @retval TRUE                     NULL page is unallocated
+  @retval FALSE                    NULL page cannot be allocated
+
 **/
-VOID
-ClearFirst4KPage (
+BOOLEAN
+CanAllocateNullPage (
   IN  VOID  *HobStart
   )
 {
   EFI_PEI_HOB_POINTERS  RscHob;
   EFI_PEI_HOB_POINTERS  MemHob;
-  BOOLEAN               DoClear;
+  BOOLEAN               CanAllocate;
+
+  if (HobStart == NULL) {
+    ASSERT (HobStart != NULL);
+    return FALSE;
+  }
 
-  RscHob.Raw = HobStart;
-  MemHob.Raw = HobStart;
-  DoClear    = FALSE;
+  RscHob.Raw  = HobStart;
+  MemHob.Raw  = HobStart;
+  CanAllocate = FALSE;
 
   //
-  // Check if page 0 exists and free
+  // Check if page 0 exists and is free
   //
   while ((RscHob.Raw = GetNextHob (
                          EFI_HOB_TYPE_RESOURCE_DESCRIPTOR,
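Review bot: `extern DXE_MEMORY_PROTECTION_SETTINGS  mDxeMps;` is placed in this .c file, so the definition in DxeLoad.c and this declaration repeat the type in two translation units with nothing to keep them in step. Both files already include PageTables.h, which is the natural home for the declaration, together with a comment such as `// Filled from the DXE memory protection settings HOB in HandOffToDxeCore; all-zero when the HOB is absent or invalid.` so readers of this file know where the values come from and what the zero state means. The new early-return on a NULL HobStart is fine, though the ASSERT inside the `if` only fires in debug builds, which is presumably the intent. CanAllocateNullPage's body continues past the end of this hunk.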
@@ -95,9 +84,9 @@ ClearFirst4KPage (
                          )) != NULL)
   {
     if ((RscHob.ResourceDescriptor->ResourceType == EFI_RESOURCE_SYSTEM_MEMORY) &&
-        (RscHob.ResourceDescriptor->PhysicalStart == 0))
+        (RscHob.ResourceDescriptor->PhysicalStart == (UINTN)NULL))
     {
-      DoClear = TRUE;
+      CanAllocate = TRUE;
       //
       // Make sure memory at 0-4095 has not been allocated.
       //
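Review bot: `PhysicalStart == (UINTN)NULL` compares an EFI_PHYSICAL_ADDRESS against a cast pointer constant; NULL is a pointer, and the cast obscures that the test is simply "is this resource at address 0", which the removed `== 0` said directly. The same idiom recurs in the next hunk of this file (the MemoryBaseAddress bounds), in ToSplitPageTable (`Address == (UINTN)NULL`) and in Split2MPageTo4K (`PhysicalAddress4K == (UINTN)NULL`), and as the SetMem fill byte in DxeLoad.c. I would revert these to the plain `0` the original used, or, if the intent is to name the page, a file-level `#define` for the NULL page base (a constructed example: `#define NULL_PAGE_BASE  0`) used consistently across the hunks. CanAllocateNullPage starts before and ends after this hunk.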
@@ -106,10 +95,10 @@ ClearFirst4KPage (
                              MemHob.Raw
                              )) != NULL)
       {
-        if (MemHob.MemoryAllocation->AllocDescriptor.MemoryBaseAddress
-            < EFI_PAGE_SIZE)
+        if ((MemHob.MemoryAllocation->AllocDescriptor.MemoryBaseAddress >= (UINTN)NULL) &&
+            (MemHob.MemoryAllocation->AllocDescriptor.MemoryBaseAddress < (UINTN)NULL + EFI_PAGE_SIZE))
         {
-          DoClear = FALSE;
+          CanAllocate = FALSE;
           break;
         }
 
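Review bot: The added `MemoryBaseAddress >= (UINTN)NULL` is always true, since MemoryBaseAddress is an unsigned EFI_PHYSICAL_ADDRESS and `(UINTN)NULL` is 0, so the left-hand test is dead code and `-Wtype-limits` will flag it; the right-hand test `< (UINTN)NULL + EFI_PAGE_SIZE` is the original `< EFI_PAGE_SIZE` with extra noise. I would restore the single comparison, `if (MemHob.MemoryAllocation->AllocDescriptor.MemoryBaseAddress < EFI_PAGE_SIZE)`, which also keeps the loop body on one line. CanAllocateNullPage starts before and ends after this hunk.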
@@ -122,27 +111,7 @@ ClearFirst4KPage (
     RscHob.Raw = GET_NEXT_HOB (RscHob);
   }
 
-  if (DoClear) {
-    DEBUG ((DEBUG_INFO, "Clearing first 4K-page!\r\n"));
-    SetMem (NULL, EFI_PAGE_SIZE, 0);
-  }
-
-  return;
-}
-
-/**
-  Return configure status of NULL pointer detection feature.
-
-  @return TRUE   NULL pointer detection feature is enabled
-  @return FALSE  NULL pointer detection feature is disabled
-
-**/
-BOOLEAN
-IsNullDetectionEnabled (
-  VOID
-  )
-{
-  return ((PcdGet8 (PcdNullPointerDetectionPropertyMask) & BIT0) != 0);
+  return CanAllocate;
 }
 
 /**
@@ -188,17 +157,7 @@ IsEnableNonExecNeeded (
   VOID
   )
 {
-  if (!IsExecuteDisableBitAvailable ()) {
-    return FALSE;
-  }
-
-  //
-  // XD flag (BIT63) in page table entry is only valid if IA32_EFER.NXE is set.
-  // Features controlled by Following PCDs need this feature to be enabled.
-  //
-  return (IsSetNxForStack () ||
-          FixedPcdGet64 (PcdDxeNxMemoryProtectionPolicy) != 0 ||
-          PcdGet32 (PcdImageProtectionPolicy) != 0);
+  return IsExecuteDisableBitAvailable ();
 }
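Review bot: IsEnableNonExecNeeded now returns `IsExecuteDisableBitAvailable ()` unconditionally, so the function's name and its doc header (above this hunk, not visible here) presumably still describe a decision that is no longer made — EFER.NXE is now set whenever the CPU supports it, even when every field of mDxeMps is zero. That is harmless for the page tables, but the removed comment explaining why NXE matters should be replaced rather than dropped, e.g. `// EFER.NXE is enabled whenever the CPU supports it; the XD bit (BIT63) in each page table entry is only honoured when NXE is set, and which regions receive it is decided from mDxeMps.`, and the doc header updated to say the result depends only on hardware support. If the policy-dependent gating was intentional, collapsing the helper into its single remaining call site would be cleaner than keeping a wrapper with a stale name.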
 
 /**
@@ -237,17 +196,17 @@ ToSplitPageTable (
   IN UINTN                 StackSize
   )
 {
-  if (IsNullDetectionEnabled () && (Address == 0)) {
+  if (mDxeMps.NullPointerDetection.Enabled && (Address == (UINTN)NULL)) {
     return TRUE;
   }
 
-  if (FixedPcdGetBool (PcdCpuStackGuard)) {
+  if (mDxeMps.CpuStackGuardEnabled) {
     if ((StackBase >= Address) && (StackBase < (Address + Size))) {
       return TRUE;
     }
   }
 
-  if (IsSetNxForStack ()) {
+  if (mDxeMps.StackExecutionProtectionEnabled) {
     if ((Address < StackBase + StackSize) && ((Address + Size) > StackBase)) {
       return TRUE;
     }
@@ -426,17 +385,17 @@ Split2MPageTo4K (
     PageTableEntry->Uint64         = (UINT64)PhysicalAddress4K;
     PageTableEntry->Bits.ReadWrite = 1;
 
-    if ((IsNullDetectionEnabled () && (PhysicalAddress4K == 0)) ||
-        (FixedPcdGetBool (PcdCpuStackGuard) && (PhysicalAddress4K == StackBase)))
+    if ((mDxeMps.NullPointerDetection.Enabled && (PhysicalAddress4K == (UINTN)NULL)) ||
+        (mDxeMps.CpuStackGuardEnabled && (PhysicalAddress4K == StackBase)))
     {
       PageTableEntry->Bits.Present = 0;
     } else {
       PageTableEntry->Bits.Present = 1;
     }
 
-    if (  IsSetNxForStack ()
-       && (PhysicalAddress4K >= StackBase)
-       && (PhysicalAddress4K < StackBase + StackSize))
+    if (mDxeMps.StackExecutionProtectionEnabled &&
+        (PhysicalAddress4K >= StackBase) &&
+        (PhysicalAddress4K < StackBase + StackSize))
     {
       //
       // Set Nx bit for stack.
diff --git a/OvmfPkg/Library/PlatformInitLib/Platform.c b/OvmfPkg/Library/PlatformInitLib/Platform.c
index f48bf16ae3..bc9becc401 100644
--- a/OvmfPkg/Library/PlatformInitLib/Platform.c
+++ b/OvmfPkg/Library/PlatformInitLib/Platform.c
@@ -249,21 +249,6 @@ PlatformMemMapInitialization (
   PlatformInfoHob->PcdPciIoSize = PciIoSize;
 }
 
-/**
- * Fetch "opt/ovmf/PcdSetNxForStack" from QEMU
- *
- * @param Setting     The pointer to the setting of "/opt/ovmf/PcdSetNxForStack".
- * @return EFI_SUCCESS  Successfully fetch the settings.
- */
-EFI_STATUS
-EFIAPI
-PlatformNoexecDxeInitialization (
-  IN OUT EFI_HOB_PLATFORM_INFO  *PlatformInfoHob
-  )
-{
-  return QemuFwCfgParseBool ("opt/ovmf/PcdSetNxForStack", &PlatformInfoHob->PcdSetNxForStack);
-}
-
 VOID
 PciExBarInitialization (
   VOID
diff --git a/OvmfPkg/PlatformPei/IntelTdx.c b/OvmfPkg/PlatformPei/IntelTdx.c
index 3d625cabd8..1cb6729e56 100644
--- a/OvmfPkg/PlatformPei/IntelTdx.c
+++ b/OvmfPkg/PlatformPei/IntelTdx.c
@@ -48,7 +48,5 @@ IntelTdxInitialize (
   PcdStatus = PcdSet64S (PcdTdxSharedBitMask, TdSharedPageMask ());
   ASSERT_RETURN_ERROR (PcdStatus);
 
-  PcdStatus = PcdSetBoolS (PcdSetNxForStack, TRUE);
-  ASSERT_RETURN_ERROR (PcdStatus);
  #endif
 }
diff --git a/OvmfPkg/PlatformPei/Platform.c b/OvmfPkg/PlatformPei/Platform.c
index 075de3fce6..2ed76f81a4 100644
--- a/OvmfPkg/PlatformPei/Platform.c
+++ b/OvmfPkg/PlatformPei/Platform.c
@@ -75,21 +75,6 @@ MemMapInitialization (
   ASSERT_RETURN_ERROR (PcdStatus);
 }
 
-STATIC
-VOID
-NoexecDxeInitialization (
-  IN OUT EFI_HOB_PLATFORM_INFO  *PlatformInfoHob
-  )
-{
-  RETURN_STATUS  Status;
-
-  Status = PlatformNoexecDxeInitialization (PlatformInfoHob);
-  if (!RETURN_ERROR (Status)) {
-    Status = PcdSetBoolS (PcdSetNxForStack, PlatformInfoHob->PcdSetNxForStack);
-    ASSERT_RETURN_ERROR (Status);
-  }
-}
-
 static const UINT8  EmptyFdt[] = {
   0xd0, 0x0d, 0xfe, 0xed, 0x00, 0x00, 0x00, 0x48,
   0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x48,
@@ -377,7 +362,6 @@ InitializePlatform (
     PeiFvInitialization (PlatformInfoHob);
     MemTypeInfoInitialization (PlatformInfoHob);
     MemMapInitialization (PlatformInfoHob);
-    NoexecDxeInitialization (PlatformInfoHob);
   }
 
   InstallClearCacheCallback ();
diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf
index 9e30d616eb..d06ac422ac 100644
--- a/OvmfPkg/PlatformPei/PlatformPei.inf
+++ b/OvmfPkg/PlatformPei/PlatformPei.inf
@@ -104,7 +104,6 @@
   gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved
   gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplSwitchToLongMode
   gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable
-  gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack
   gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable
   gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask
   gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase
diff --git a/OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf b/OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
index 43a6e07faa..cb451b6211 100644
--- a/OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+++ b/OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
@@ -55,6 +55,7 @@
   UefiBootServicesTableLib
   UefiDriverEntryPoint
   UefiLib
+  DxeMemoryProtectionHobLib
 
 [Protocols]
   gEfiGraphicsOutputProtocolGuid                # PROTOCOL BY_START
@@ -64,6 +65,5 @@
 [Pcd]
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfHostBridgePciDevId
   gUefiOvmfPkgTokenSpaceGuid.PcdVideoResolutionSource
-  gEfiMdeModulePkgTokenSpaceGuid.PcdNullPointerDetectionPropertyMask
   gEfiMdeModulePkgTokenSpaceGuid.PcdVideoHorizontalResolution
   gEfiMdeModulePkgTokenSpaceGuid.PcdVideoVerticalResolution
diff --git a/OvmfPkg/QemuVideoDxe/VbeShim.c b/OvmfPkg/QemuVideoDxe/VbeShim.c
index 8f151b96f9..aa042b2e97 100644
--- a/OvmfPkg/QemuVideoDxe/VbeShim.c
+++ b/OvmfPkg/QemuVideoDxe/VbeShim.c
@@ -19,6 +19,7 @@
 #include <Library/DebugLib.h>
 #include <Library/PciLib.h>
 #include <Library/PrintLib.h>
+#include <Library/DxeMemoryProtectionHobLib.h>
 #include <OvmfPlatforms.h>
 
 #include "Qemu.h"
@@ -69,7 +70,9 @@ InstallVbeShim (
   UINTN                 Printed;
   VBE_MODE_INFO         *VbeModeInfo;
 
-  if ((PcdGet8 (PcdNullPointerDetectionPropertyMask) & (BIT0|BIT7)) == BIT0) {
+  if (gDxeMps.NullPointerDetection.Enabled &&
+      !gDxeMps.NullPointerDetection.DisableEndOfDxe)
+  {
     DEBUG ((
       DEBUG_WARN,
       "%a: page 0 protected, not installing VBE shim\n",
diff --git a/OvmfPkg/RiscVVirt/RiscVVirt.dsc.inc b/OvmfPkg/RiscVVirt/RiscVVirt.dsc.inc
index 731f54f73f..edb4782e2f 100644
--- a/OvmfPkg/RiscVVirt/RiscVVirt.dsc.inc
+++ b/OvmfPkg/RiscVVirt/RiscVVirt.dsc.inc
@@ -270,19 +270,6 @@
   gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiLoaderCode|20
   gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiLoaderData|0
 
-  #
-  # Enable strict image permissions for all images. (This applies
-  # only to images that were built with >= 4 KB section alignment.)
-  #
-  gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3
-
-  #
-  # Enable NX memory protection for all non-code regions, including OEM and OS
-  # reserved ones, with the exception of LoaderData regions, of which OS loaders
-  # (i.e., GRUB) may assume that its contents are executable.
-  #
-  gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD5
-
 [Components.common]
   #
   # Ramdisk support
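Review bot: The removed `PcdImageProtectionPolicy|0x3` and `PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD5` for RiscVVirt are not visibly replaced by anything in this patch that produces the DXE memory protection settings HOB for that platform, and the commit message only names PlatformPei/Platform.c as the HOB publisher. If the RiscVVirt HOB producer lands in another patch of the series, the commit message should say so; otherwise this hunk appears to leave RiscVVirt with image and NX protection disabled, since the consumer side in DxeLoad.c falls back to an all-zero settings struct when the HOB is absent. The surrounding comments explaining why LoaderData is exempt were useful context and would be worth carrying over to wherever the equivalent HOB values are set.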
diff --git a/OvmfPkg/TdxDxe/TdxDxe.c b/OvmfPkg/TdxDxe/TdxDxe.c
index 30732f421b..5e497ba662 100644
--- a/OvmfPkg/TdxDxe/TdxDxe.c
+++ b/OvmfPkg/TdxDxe/TdxDxe.c
@@ -131,15 +131,12 @@ SetPcdSettings (
 
   PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, PlatformInfoHob->PcdConfidentialComputingGuestAttr);
   ASSERT_RETURN_ERROR (PcdStatus);
-  PcdStatus = PcdSetBoolS (PcdSetNxForStack, PlatformInfoHob->PcdSetNxForStack);
-  ASSERT_RETURN_ERROR (PcdStatus);
 
   DEBUG ((
     DEBUG_INFO,
-    "HostBridgeDevId=0x%x, CCAttr=0x%x, SetNxForStack=%x\n",
+    "HostBridgeDevId=0x%x, CCAttr=0x%x\n",
     PlatformInfoHob->HostBridgeDevId,
-    PlatformInfoHob->PcdConfidentialComputingGuestAttr,
-    PlatformInfoHob->PcdSetNxForStack
+    PlatformInfoHob->PcdConfidentialComputingGuestAttr
     ));
 
   PcdStatus = PcdSet32S (PcdCpuBootLogicalProcessorNumber, PlatformInfoHob->PcdCpuBootLogicalProcessorNumber);
diff --git a/OvmfPkg/TdxDxe/TdxDxe.inf b/OvmfPkg/TdxDxe/TdxDxe.inf
index 9793562884..42317228c1 100644
--- a/OvmfPkg/TdxDxe/TdxDxe.inf
+++ b/OvmfPkg/TdxDxe/TdxDxe.inf
@@ -68,6 +68,5 @@
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFdBaseAddress
   gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr
   gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask
-  gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack
   gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved
   gUefiOvmfPkgTokenSpaceGuid.PcdTdxAcceptPageSize
-- 
2.41.0.windows.2


