
patina-v20.0.0


@github-actions github-actions released this 03 Feb 17:20
· 332 commits to refs/heads/main since this release

What's Changed

  • Cargo.toml: Update ruint to 1.17.1 @makubacki (#1265)
    Change Details
      ## Description

    Ensure a version is used that patches a Rust security vulnerability.

        │ ruint 1.16.0 registry+https://github.com/rust-lang/crates.io-index
        │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
        │
        ├ ID: RUSTSEC-2025-0137
        ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2025-0137
        ├ The function `reciprocal_mg10` is marked as safe but can trigger
          undefined behavior (out-of-bounds access) because it relies on
          `debug_assert!` for safety checks instead of `assert!`.

          When compiled in release mode, the `debug_assert!` is optimized
          out, potentially allowing invalid inputs to cause memory
          corruption.
        ├ Announcement: https://github.com/recmo/uint/issues/550
        ├ Solution: Upgrade to >=1.17.1 (try `cargo update -p ruint`)
        ├ ruint v1.16.0
          └── (dev) patina_internal_collections v19.0.5
              └── patina_dxe_core v19.0.5
                  ├── (dev) patina_adv_logger v19.0.5
                  └── (dev) patina_mm v19.0.5
                      └── patina_performance v19.0.5
                          └── patina_dxe_core v19.0.5 (*)


    This will use ruint version 1.17.1 or later (up to 2.0.0), so the fix is included in future compatible updates.

    • Impacts functionality?
    • Impacts security?
    • Breaking change?
    • Includes tests?
    • Includes documentation?

    How This Was Tested

    • cargo make all

    Integration Instructions

    • N/A
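
    The advisory quoted above is an instance of a general hazard: a function with a safe signature whose only guard for an `unsafe` access is `debug_assert!`, which the release profile compiles out. The following is an added example, not ruint's or Patina's code, showing that shape next to two corrected forms. `Limbs`, `LimbError` and the function names are illustrative; only the `debug_assert!`/`assert!` distinction is the point.

```rust
// Added example, not ruint's or Patina's code: the pattern behind
// RUSTSEC-2025-0137, a safe function whose only guard for an unchecked
// access is `debug_assert!`, next to two corrected forms. `Limbs`, the
// function names and the error type are illustrative.

/// Four little-endian 64-bit limbs, standing in for a big-integer value.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Limbs(pub [u64; 4]);

#[derive(Debug, PartialEq, Eq)]
pub enum LimbError {
    IndexOutOfRange { idx: usize, len: usize },
}

/// VULNERABLE PATTERN: the signature promises safety, but the bound is
/// only checked when `debug_assertions` is on. In a release build the
/// check disappears and `idx >= 4` reaches `get_unchecked`, which is
/// undefined behaviour (an out-of-bounds read).
pub fn limb_debug_checked(l: &Limbs, idx: usize) -> u64 {
    debug_assert!(idx < l.0.len(), "limb index {idx} out of range");
    // SAFETY (WRONG): this precondition is not established in release.
    unsafe { *l.0.get_unchecked(idx) }
}

/// FIXED: `assert!` is kept in every build profile, so the `unsafe`
/// block's precondition genuinely holds. Invalid input now panics
/// instead of corrupting memory.
pub fn limb_checked(l: &Limbs, idx: usize) -> u64 {
    assert!(idx < l.0.len(), "limb index {idx} out of range");
    // SAFETY: `idx < len` was asserted unconditionally just above.
    unsafe { *l.0.get_unchecked(idx) }
}

/// PREFERRED where a panic is itself a denial of service (firmware,
/// parsers of untrusted input): no `unsafe` at all, the error is
/// returned to the caller.
pub fn limb(l: &Limbs, idx: usize) -> Result<u64, LimbError> {
    l.0.get(idx)
        .copied()
        .ok_or(LimbError::IndexOutOfRange { idx, len: l.0.len() })
}

/// Reports whether `debug_assert!` guards are active in this build, so a
/// test can show that they are not a safety boundary in release.
pub fn debug_guards_active() -> bool {
    cfg!(debug_assertions)
}

fn main() {
    let v = Limbs([1, 2, 3, 4]);
    println!("debug guards active: {}", debug_guards_active());
    println!("limb 3 = {}", limb_checked(&v, 3));
    println!("limb 9 = {:?}", limb(&v, 9));
}
```

    The checked form keeps its bound in release; the fallible form needs no `unsafe` at all and is the better fit for a firmware path where a panic is a boot failure. When the vulnerable shape lives in a third-party crate, a dependency audit like the report quoted above is what surfaces it, which is why pinning `>=1.17.1` rather than patching locally is the right fix here.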


  • Add Guards for Test Cleanup [Rebase & FF] @makubacki (#1266)
    Change Details
      ## Description

    Run test cleanup logic on panics

    Many tests in patina_dxe_core have standardized on wrapping unit tests
    with with_global_lock() to execute the test within a global lock.

    Modules have often added their own test support functions that wrap
    with_global_lock() to provide additional setup/teardown logic for
    tests such as with_locked_state() in allocator.rs.

    Teardown logic is less consistent. When tests manipulate global state,
    they are often relying on reset functionality in the "prelude" of
    their with_global_lock() closure to reset state. This works in most
    cases, but it still leaves state polluted across test execution.
    This can become more of an issue depending on test order and what
    tests may execute later that rely on global state and if they cleanup
    state properly before they execute.


    In tpl_mutex specifically, the with_global_lock() implementation
    intends to ensure tests are run at TPL_APPLICATION and restore back
    to TPL_APPLICATION after the test executes.

    However, if a test panics (which many intentionally do), the TPL
    state is not restored. This can leave the TPL in an unexpected
    state depending on order that tests are run.

    The Drop trait is implemented for a simple guard struct that
    restores TPL to APPLICATION level when it goes out of scope. This
    executes and runs the TPL restoration code even if the test panics.


    patina_dxe_core/allocator: Standardize test init and cleanup

    The GCD is currently initialized in two different ways in the tests
    for the allocator module.

    1. When a HOB list is needed: gcd::init_gcd(physical_hob_list)
    2. When a HOB list is not needed: test_support::init_test_gcd(Some(gcd_size))

    This has led to tests for (1) not using with_locked_state and
    reimplementing test init and cleanup logic and tests for (2) using it.

    This adds unnecessary boilerplate to (1) and leads to inconsistencies
    for initializing and cleaning up the GCD between tests.

    This change allows with_locked_state() to be called in either case
    and simply returns a HOB list pointer for case (1).


    • Impacts functionality?
    • Impacts security?
    • Breaking change?
    • Includes tests?
    • Includes documentation?

    How This Was Tested

    • cargo make all

    • Set a debug breakpoint on the code that restores TPL in the previous with_reset_state() implementation in tpl_mutex.rs:

               raise_tpl(efi::TPL_HIGH_LEVEL);
               restore_tpl(efi::TPL_APPLICATION);
               f();
               raise_tpl(efi::TPL_HIGH_LEVEL); // -> Breakpoint here
               restore_tpl(efi::TPL_APPLICATION);

      Confirm that the breakpoint is not hit on a test panic. The breakpoint in the TPL guard is hit on panic and restores TPL.

    Integration Instructions

    • N/A
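
    The guard described in this change is the standard Rust RAII pattern: a value whose `Drop` runs during unwinding as well as on normal return. The following is an added example, not Patina's code, that models the pre-fix `with_reset_state()` shape next to the guarded one and measures what TPL the next test would inherit after a panicking body. `TPL_APPLICATION`, `TPL_HIGH_LEVEL` and the thread-local `CURRENT_TPL` are illustrative stand-ins for the firmware's real TPL state.

```rust
use std::cell::Cell;
use std::panic::{catch_unwind, AssertUnwindSafe};

// Added example, not Patina's code: a `Drop` guard that puts a global
// "task priority level" back to TPL_APPLICATION whether the guarded test
// returns or panics. The TPL values and the thread-local `CURRENT_TPL`
// are illustrative stand-ins for the firmware's real TPL state.

pub const TPL_APPLICATION: usize = 4;
pub const TPL_HIGH_LEVEL: usize = 31;

thread_local! {
    static CURRENT_TPL: Cell<usize> = Cell::new(TPL_APPLICATION);
}

pub fn raise_tpl(new_tpl: usize) -> usize {
    CURRENT_TPL.with(|t| t.replace(new_tpl))
}

pub fn restore_tpl(old_tpl: usize) {
    CURRENT_TPL.with(|t| t.set(old_tpl));
}

pub fn current_tpl() -> usize {
    CURRENT_TPL.with(|t| t.get())
}

/// Guard whose destructor runs during unwinding as well as on normal
/// return, so the TPL is restored even if the test body panics.
pub struct TplResetGuard;

impl Drop for TplResetGuard {
    fn drop(&mut self) {
        restore_tpl(TPL_APPLICATION);
    }
}

/// Previous shape: restoration is ordinary code after `f()`, so a panic
/// inside `f` skips it and the TPL leaks into the next test.
pub fn with_reset_state_unguarded(f: fn()) {
    raise_tpl(TPL_HIGH_LEVEL);
    restore_tpl(TPL_APPLICATION);
    f();
    raise_tpl(TPL_HIGH_LEVEL); // never reached when f() panics
    restore_tpl(TPL_APPLICATION);
}

/// Guarded shape: `_guard` is dropped last on every exit path.
pub fn with_reset_state_guarded(f: fn()) {
    let _guard = TplResetGuard;
    restore_tpl(TPL_APPLICATION); // normalize before the body runs
    f();
}

/// Runs `body` under `runner`, swallows any panic, and reports the TPL
/// left behind: this is what the next test in the process would see.
pub fn tpl_after(runner: fn(fn()), body: fn()) -> usize {
    let _ = catch_unwind(AssertUnwindSafe(|| runner(body)));
    current_tpl()
}

/// A test body that raises the TPL and then fails, as many TPL tests
/// intentionally do.
pub fn panicking_body() {
    raise_tpl(TPL_HIGH_LEVEL);
    panic!("intentional test failure");
}

pub fn quiet_body() {
    raise_tpl(TPL_HIGH_LEVEL);
}

fn main() {
    println!("unguarded leaves TPL = {}", tpl_after(with_reset_state_unguarded, panicking_body));
    println!("guarded   leaves TPL = {}", tpl_after(with_reset_state_guarded, panicking_body));
}
```

    The guard is declared first in the wrapper so it is dropped last, after anything the body itself holds; with `panic = "abort"` no destructor runs at all, so this pattern only protects test processes built with the default unwinding panic strategy.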


  • .git-blame-ignore-revs: Add recent Safety -> SAFETY commit @makubacki (#1263)
    Change Details
      ## Description

    Prevent the word replacement from showing up in git blame instead of the original change that modified/added the safety comment.

    • Impacts functionality?
    • Impacts security?
    • Breaking change?
    • Includes tests?
    • Includes documentation?

    How This Was Tested

    Run git blame on a modified line:

    Before

    git blame -L 108,108 core\patina_internal_cpu\src\interrupts\aarch64\gic_manager.rs
    db4636d3b3 (sherry fan 2026-01-22 09:51:17 -0800 108)         // SAFETY: function safety requirements guarantee exclusive access to the GICR registers.
    

    After

    git blame -L 108,108 core\patina_internal_cpu\src\interrupts\aarch64\gic_manager.rs
    163e0a56de (John Schock 2025-11-17 16:43:49 -0800 108)         // SAFETY: function safety requirements guarantee exclusive access to the GICR registers.
    

    Integration Instructions

    • N/A


  • Remove expected error messages for performance logging @liqiqiii (#1261)
    Change Details
      ## Description

    Remove expected error messages for performance logging.

    We are seeing `ERROR - Failed to log performance measurement: Efi(NotReady)` on all platforms.

    The NotReady errors observed during early boot are expected behavior. These errors occur because perf_function_begin() and perf_function_end() are called at function entry/exit points (such as core_dispatcher() and pi_dispatcher()) that execute before the Performance component has been dispatched and initialized. The Performance component's entry_point() calls set_static_state() to initialize the performance measurement subsystem and installs the EDKII_PERFORMANCE_MEASUREMENT_PROTOCOL, but this only happens inside the component_dispatcher.dispatch() loop after the Timer architectural protocol dependency is satisfied.

    Boot logs show 6 NotReady errors in non-perf-enabled builds and 3 errors in perf-enabled builds, with no further errors appearing after the Performance component loads. The Performance component is either not loaded at all in non-perf builds or loaded very late in the dispatch sequence due to its Timer dependency, which is the root cause of these initial measurement failures.

    Remove these perf entries as they will never work and provide error noise for platforms.

    • Impacts functionality?
    • Impacts security?
    • Breaking change?
    • Includes tests?
    • Includes documentation?

    How This Was Tested

    Tested on patina enabled platforms, no more errors seen.

  • Clean up component params tests @kat-perez (#1259)
    Change Details
      ## Summary

    • Rename `test_config_can_be_accessed_while_unlocked` to `test_config_can_be_accessed_when_locked` (configs are locked by default when using `Config::init_state()`)
    • Simplify `test_boot_services_can_be_retrieved` and `test_runtime_services_can_be_retrieved` to use `MaybeUninit::zeroed().as_mut_ptr()` for consistency with the rest of the codebase

  • Standardize SAFETY formatting @berlin-with0ut-return (#1257)
    Change Details
      ## Description

    `// Safety` -> `// SAFETY`

    Fix markdown formatting.

    • Impacts functionality?
    • Impacts security?
    • Breaking change?
    • Includes tests?
    • Includes documentation?

    How This Was Tested

    Passes formatting checks.

    Integration Instructions

    N/A.




  • Allow consumer to pass in Smbios handle (not FFFEh) as stated in PI spec EFI_SMBIOS_PROTOCOL.Add() @AnhDLuong (#1221)
    Change Details
      ## Description

    Allow consumer to pass in Smbios handle instead of always assigning a unique Smbios handle.

    • Impacts functionality?
    • Impacts security?
    • Breaking change?
    • Includes tests?
    • Includes documentation?

    How This Was Tested

    Boot to shell.

    Integration Instructions

    N/A
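
    The rule this change implements comes from the PI specification's EFI_SMBIOS_PROTOCOL.Add(): a caller passing FFFEh asks the producer to assign a unique handle, while any other value is the caller's own handle and must be refused with EFI_ALREADY_STARTED if a record already uses it. The following is an added example, not Patina's SMBIOS driver, of that assignment logic with the duplicate check that honouring caller-chosen handles makes necessary. The table type, the status names and the upper bound used for producer-assigned handles are illustrative assumptions.

```rust
use std::collections::BTreeSet;

// Added example, not Patina's SMBIOS driver: handle assignment following
// the EFI_SMBIOS_PROTOCOL.Add() rule. A caller passing 0xFFFE
// (SMBIOS_HANDLE_PI_RESERVED) asks the producer to pick a unique handle;
// any other value is the caller's own handle and must not already be in
// use. The table type, status names and the usable-range bound are
// illustrative assumptions, not the project's definitions.

pub const SMBIOS_HANDLE_PI_RESERVED: u16 = 0xFFFE;
/// Assumed upper bound for producer-assigned handles (0xFF00 and above are
/// treated as reserved here).
const MAX_AUTO_HANDLE: u16 = 0xFEFF;

#[derive(Debug, PartialEq, Eq)]
pub enum Status {
    AlreadyStarted,
    OutOfResources,
}

#[derive(Default)]
pub struct SmbiosTable {
    in_use: BTreeSet<u16>,
    next_auto: u16,
}

impl SmbiosTable {
    pub fn new() -> Self {
        Self::default()
    }

    /// Adds a record; returns the handle the record was filed under.
    pub fn add(&mut self, requested_handle: u16) -> Result<u16, Status> {
        let handle = if requested_handle == SMBIOS_HANDLE_PI_RESERVED {
            self.allocate_unique()?
        } else if self.in_use.contains(&requested_handle) {
            // Honouring the caller's choice must not silently alias an
            // existing record.
            return Err(Status::AlreadyStarted);
        } else {
            requested_handle
        };
        self.in_use.insert(handle);
        Ok(handle)
    }

    pub fn remove(&mut self, handle: u16) -> bool {
        self.in_use.remove(&handle)
    }

    pub fn contains(&self, handle: u16) -> bool {
        self.in_use.contains(&handle)
    }

    /// Picks the next free handle, skipping ones callers reserved for
    /// themselves, and never hands out a value in the reserved range.
    fn allocate_unique(&mut self) -> Result<u16, Status> {
        while self.next_auto <= MAX_AUTO_HANDLE {
            let candidate = self.next_auto;
            self.next_auto += 1;
            if !self.in_use.contains(&candidate) {
                return Ok(candidate);
            }
        }
        Err(Status::OutOfResources)
    }
}

fn main() {
    let mut t = SmbiosTable::new();
    println!("{:?}", t.add(SMBIOS_HANDLE_PI_RESERVED)); // Ok(0)
    println!("{:?}", t.add(0x0001));                    // Ok(1): caller-chosen
    println!("{:?}", t.add(SMBIOS_HANDLE_PI_RESERVED)); // Ok(2): skips the taken 1
    println!("{:?}", t.add(0x0001));                    // Err(AlreadyStarted)
}
```

    Because the producer's own counter can collide with a handle a caller chose earlier, the allocator has to consult the same in-use set the duplicate check uses; a separate "next handle" counter on its own is not enough once callers may pick handles.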

  • [patina_dxe_core] Add Missing Safety Comments @Raymond-MS (#1232)
    Change Details
      ## Description

    Added missing Safety comments to the following files in patina_dxe_core:

    allocator.rs
    config_tables.rs
    cpu.rs
    debugger_reload.rs
    driver_services.rs

    Relates to: #583

    • Impacts functionality?
    • Impacts security?
    • Breaking change?
    • Includes tests?
    • Includes documentation?

    How This Was Tested

    Built SBSA successfully in patina-dxe-core-qemu.

    Integration Instructions

    N/A

  • patina_internal_collections: Fix bounds checking in Storage::resize() @garybeihl (#1247)
    Change Details
      ## Description

    Fixed resize() to prevent capacity shrinking and properly copy all nodes during resizing.

    The root issue was that resize() allowed shrinking to a buffer smaller than the current capacity. This caused out-of-bounds access when the resize loop tried to copy node pointers. The storage layout can have gaps like [VALID | VALID | INVALID | VALID | INVALID] where deleted nodes remain in the buffer at their original indices.

    Changes:

    1. Changed assert from buffer.len() >= self.len() to buffer.len() >= self.capacity() to prevent resizing to a buffer smaller than current capacity
    2. Changed loop from 0..self.len() to 0..self.capacity() to ensure all nodes including gaps are copied

    • Impacts functionality?
    • Impacts security?
    • Breaking change?
    • Includes tests?
    • Includes documentation?

    How This Was Tested

    • Added test_resize_prevents_capacity_shrink(): Verifies assert prevents shrinking capacity
    • Added test_resize_copies_all_nodes_including_gaps(): Verifies all nodes copied including gaps
    • All 49 unit tests passing (cargo test --package patina_internal_collections)
    • Cargo clippy and fmt passing

    Integration Instructions

    • N/A
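
    The two changes listed above (asserting against capacity() rather than len(), and copying 0..capacity() rather than 0..len()) are easiest to see on a store that actually has gaps. The following is an added example, not patina_internal_collections' code: a slot store whose deletions leave holes at their original indices, with the buggy and corrected resize() side by side and a helper that builds the page's [VALID | VALID | INVALID | VALID | INVALID] layout. `NodeRef` stands in for the node pointers the real storage holds.

```rust
// Added example, not patina_internal_collections' code: a slot store whose
// deleted entries leave gaps at their original indices, with the buggy and
// corrected resize() side by side. `NodeRef` stands in for the node
// pointers the real storage holds; the capacity/len split mirrors the
// page's description.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct NodeRef(pub u32);

pub struct Storage {
    slots: Vec<Option<NodeRef>>, // slots.len() is the capacity
    len: usize,                  // number of occupied slots
}

impl Storage {
    pub fn with_capacity(capacity: usize) -> Self {
        Self { slots: vec![None; capacity], len: 0 }
    }

    pub fn capacity(&self) -> usize { self.slots.len() }
    pub fn len(&self) -> usize { self.len }
    pub fn is_empty(&self) -> bool { self.len == 0 }

    /// Places `node` in the first free slot; its index is the node's identity.
    pub fn insert(&mut self, node: NodeRef) -> Option<usize> {
        let idx = self.slots.iter().position(|s| s.is_none())?;
        self.slots[idx] = Some(node);
        self.len += 1;
        Some(idx)
    }

    /// Deletion leaves a gap; later slots keep their indices.
    pub fn remove(&mut self, idx: usize) -> Option<NodeRef> {
        let node = self.slots.get_mut(idx)?.take()?;
        self.len -= 1;
        Some(node)
    }

    pub fn get(&self, idx: usize) -> Option<NodeRef> {
        self.slots.get(idx).copied().flatten()
    }

    /// BUGGY (pre-fix shape): the assert compares against len() and the
    /// loop runs to len(), so with a layout like [A | B | _ | D | _] only
    /// indices 0..3 are copied and D is lost. A buffer shorter than the old
    /// capacity is accepted, which in the raw-pointer original meant
    /// out-of-bounds access.
    pub fn resize_buggy(&mut self, mut buffer: Vec<Option<NodeRef>>) {
        assert!(buffer.len() >= self.len());
        for i in 0..self.len() {
            buffer[i] = self.slots[i];
        }
        self.slots = buffer;
    }

    /// FIXED: the new buffer must cover the whole old capacity, and every
    /// slot, gaps included, is copied so indices stay valid.
    pub fn resize(&mut self, mut buffer: Vec<Option<NodeRef>>) {
        assert!(buffer.len() >= self.capacity(), "resize() must not shrink capacity");
        for i in 0..self.capacity() {
            buffer[i] = self.slots[i];
        }
        self.slots = buffer;
    }
}

/// Builds [A | B | _ | D | _], resizes to `new_capacity` with the chosen
/// resize, and reports what now lives at index 3 (D, if the copy was right).
pub fn slot3_after_resize(use_fixed: bool, new_capacity: usize) -> Option<NodeRef> {
    let mut s = Storage::with_capacity(5);
    for id in [10, 20, 30, 40, 50] {
        s.insert(NodeRef(id));
    }
    s.remove(2);
    s.remove(4);
    let buffer = vec![None; new_capacity];
    if use_fixed { s.resize(buffer) } else { s.resize_buggy(buffer) }
    s.get(3)
}

fn main() {
    println!("buggy : {:?}", slot3_after_resize(false, 8)); // None, D lost
    println!("fixed : {:?}", slot3_after_resize(true, 8));  // Some(NodeRef(40))
}
```

    With `Vec<Option<_>>` the buggy version merely drops a node; in the original, where the buffer is raw memory and indices are node identities, the same `len()`-bounded logic leaves dangling indices and, on a shrinking resize, reads past the end.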


⚠️ Breaking Changes

  • [Rebase & FF] Refactor System Tables implementation to add resilience around external modification. @joschock (#1236)
    Change Details
      ## Description

    In the present design, the system table stores &'static references to the System Table, Boot Services Table, and Runtime Services Table. These refs imply to the Rust compiler that these tables are immutable, but in fact they are mutated under these references by drivers external to Patina (e.g. when the variable service driver installs its APIs into the Runtime Services Table).

    This refactor changes the underlying static immutable references to these tables into raw pointers to better reflect the reality of the table usage and minimize UB due to immutable ref covering a data structure that is potentially mutated. Note that it doesn't entirely eliminate the UB, since to do so would place requirements for synchronization on those external agents, none of which currently implement those requirements.

    This is a breaking change since it changes the instantiation of SDK boot services and runtime services wrapper to take raw pointers rather than references.

    This PR also brings in a secondary refactor of core_install_configuration_table to avoid an unnecessary "Box::from_raw" conversion on the table (this is a separate commit). This routine was being touched by the above refactor anyway so was convenient for the refactor. Rebase and FF to include these as two separate changes.

    Closes #1206.

    • Impacts functionality?
    • Impacts security?
    • Breaking change?
    • Includes tests?
    • Includes documentation?

    How This Was Tested

    Unit tests pass; live testing boots to OS without issues.

    Integration Instructions

    StandardBootServices and StandardRuntimeServices instantiations now take a raw pointer to the corresponding tables.


🐛 Bug Fixes

  • Fix AArch64 NUM_EXCEPTION_TYPES off-by-one bug @Nir3613 (#1268)
    Change Details
      Fixed an off-by-one bug in `NUM_EXCEPTION_TYPES` for AArch64. The constant was set to `3` but should be `4` to match the 4 exception types defined in `exception_handler.asm`:

    Index  Exception Type
    0      Synchronous
    1      IRQ
    2      FIQ
    3      SError

    With the value of 3, SError exceptions (index 3) caused an array out-of-bounds panic:

        index out of bounds: the len is 3 but the index is 3

    This was observed during warm boot when UFS hardware triggered an SError.

    Fixes #1267

    • Impacts functionality

    How This Was Tested

    Verified that the constant now matches the assembly definition in core/patina_internal_cpu/src/interrupts/aarch64/exception_handler.asm (lines 109-112).

    Integration Instructions

    N/A
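
    A literal `3` that has to agree with four assembly vectors is the kind of constant that drifts. The following is an added example, not patina_internal_cpu's code, showing one way to keep the table and the exception types in step: derive the count from the enum that names the types, assert the relationship at compile time, and look the handler up fallibly so an index the table does not cover is reported rather than panicking inside the exception path. Indices follow the table on this page; the handler bodies are placeholders.

```rust
// Added example, not patina_internal_cpu's code: tie the exception-type
// table length to the enum that names the types and make a mismatch a
// compile-time error. Indices follow the table on this page (0 Synchronous,
// 1 IRQ, 2 FIQ, 3 SError); the handler bodies are placeholders.

#[repr(usize)]
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum ExceptionType {
    Synchronous = 0,
    Irq = 1,
    Fiq = 2,
    SError = 3,
}

impl ExceptionType {
    /// Every variant, in vector-table order. Adding a variant here without
    /// adding it to the array fails the assertions below.
    pub const ALL: [ExceptionType; 4] = [Self::Synchronous, Self::Irq, Self::Fiq, Self::SError];

    pub fn from_index(index: usize) -> Option<Self> {
        Self::ALL.get(index).copied()
    }
}

/// Derived from the enum rather than written as a literal, which is how
/// the `3` on this page drifted away from the four assembly vectors.
pub const NUM_EXCEPTION_TYPES: usize = ExceptionType::ALL.len();

// Compile-time checks: the highest discriminant must index into the table,
// and the table entry at that index must be that type.
const _: () = assert!(NUM_EXCEPTION_TYPES == ExceptionType::SError as usize + 1);
const _: () = assert!(ExceptionType::ALL[3] as usize == 3);

pub type Handler = fn(esr: u64) -> &'static str;

fn synchronous_handler(_esr: u64) -> &'static str { "synchronous" }
fn irq_handler(_esr: u64) -> &'static str { "irq" }
fn fiq_handler(_esr: u64) -> &'static str { "fiq" }
fn serror_handler(_esr: u64) -> &'static str { "serror" }

/// Sized by the derived constant, so a missing entry is a compile error.
pub static HANDLERS: [Handler; NUM_EXCEPTION_TYPES] =
    [synchronous_handler, irq_handler, fiq_handler, serror_handler];

/// Dispatches the raw index supplied by the vector stub. An index the
/// table does not cover is reported instead of indexed: a panic inside
/// the exception path (the page's "len is 3 but the index is 3") is the
/// worst place to discover a table mismatch.
pub fn dispatch(index: usize, esr: u64) -> Result<&'static str, usize> {
    HANDLERS.get(index).map(|handler| handler(esr)).ok_or(index)
}

fn main() {
    println!("{} exception types", NUM_EXCEPTION_TYPES);
    println!("{:?}", dispatch(3, 0)); // Ok("serror")
    println!("{:?}", dispatch(4, 0)); // Err(4)
}
```

    The assembly side still has to agree with `ExceptionType::ALL`; the compile-time assertions only guarantee that the Rust constant, the enum and the handler table agree with each other, which is the part that went wrong here.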




  • LocateHandle() search type ByRegisterNotify update @rogurr (#1250)
    Change Details
      ## Description

    The current EDK II implementation performs an immediate callback when registering through LocateHandle using ByRegisterNotify and will provide each handle normally for protocols installed prior to the registration. The Patina code was written to start caching handles only after the registration is performed. This change will seed the cache with prior registered protocols at the registration to match the EDK II implementation.

    During debug, found a location where locate_handle() was calling the underlying layer first for buffer size, but not handling the error paths. Updated that call to return an error if encountered.

    • Impacts functionality?
    • Impacts security?
    • Breaking change?
    • Includes tests?
    • Includes documentation?

    How This Was Tested

    Performing a port of a private UEFI to use Patina which requires the LocateHandle call to have knowledge of previously installed protocols. Tested with my current code and tested with the added test functions.

    Integration Instructions

    N/A
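
    The behavioural difference described above is about when the per-registration handle cache is populated. The following is an added example, not Patina's protocol database, modelling RegisterProtocolNotify plus LocateHandle(ByRegisterNotify) in both shapes: the unseeded variant only caches handles installed after registration, the EDK II-compatible variant also seeds the cache with handles that already carry the protocol. It also shows the second point in the change, returning the underlying error instead of treating it as an empty result. Type names and status variants are illustrative.

```rust
use std::collections::{BTreeMap, BTreeSet, VecDeque};

// Added example, not Patina's protocol database: a toy model of
// RegisterProtocolNotify plus LocateHandle(ByRegisterNotify) showing the two
// behaviours the page contrasts. The unseeded variant caches only handles
// installed after registration; the EDK II-compatible variant also seeds the
// cache with handles that already carry the protocol. Type names and the
// status variants are illustrative.

pub type Guid = [u8; 16];
pub type Handle = usize;
pub type RegistrationKey = usize;

#[derive(Debug, PartialEq, Eq)]
pub enum Status {
    NotFound,
    InvalidParameter,
}

struct Registration {
    guid: Guid,
    pending: VecDeque<Handle>,
}

#[derive(Default)]
pub struct ProtocolDb {
    installed: BTreeMap<Guid, BTreeSet<Handle>>,
    registrations: BTreeMap<RegistrationKey, Registration>,
    next_key: RegistrationKey,
}

impl ProtocolDb {
    /// Installs `guid` on `handle` and queues the handle for every
    /// registration watching that GUID.
    pub fn install(&mut self, handle: Handle, guid: Guid) {
        self.installed.entry(guid).or_default().insert(handle);
        for reg in self.registrations.values_mut() {
            if reg.guid == guid {
                reg.pending.push_back(handle);
            }
        }
    }

    /// Pre-fix behaviour: the cache starts empty, so handles installed
    /// before registration are never reported.
    pub fn register_notify_unseeded(&mut self, guid: Guid) -> RegistrationKey {
        self.add_registration(guid, VecDeque::new())
    }

    /// EDK II-compatible behaviour: seed with the handles that already have
    /// the protocol, in handle order.
    pub fn register_notify(&mut self, guid: Guid) -> RegistrationKey {
        let existing: VecDeque<Handle> = self
            .installed
            .get(&guid)
            .map(|handles| handles.iter().copied().collect())
            .unwrap_or_default();
        self.add_registration(guid, existing)
    }

    fn add_registration(&mut self, guid: Guid, pending: VecDeque<Handle>) -> RegistrationKey {
        self.next_key += 1; // keys start at 1; 0 is never valid
        self.registrations.insert(self.next_key, Registration { guid, pending });
        self.next_key
    }

    /// LocateHandle(ByRegisterNotify): one handle per call, NotFound once
    /// the cache is drained, InvalidParameter for an unknown key. The
    /// error is returned, not swallowed into an empty result.
    pub fn locate_handle_by_register_notify(&mut self, key: RegistrationKey) -> Result<Handle, Status> {
        let reg = self.registrations.get_mut(&key).ok_or(Status::InvalidParameter)?;
        reg.pending.pop_front().ok_or(Status::NotFound)
    }

    /// Drains a registration the way a caller looping on LocateHandle would.
    pub fn drain(&mut self, key: RegistrationKey) -> Result<Vec<Handle>, Status> {
        let mut out = Vec::new();
        loop {
            match self.locate_handle_by_register_notify(key) {
                Ok(h) => out.push(h),
                Err(Status::NotFound) => return Ok(out),
                Err(e) => return Err(e),
            }
        }
    }
}

fn main() {
    const GUID: Guid = [0x11; 16];
    let mut db = ProtocolDb::default();
    db.install(1, GUID); // installed before anyone registers
    let unseeded = db.register_notify_unseeded(GUID);
    let seeded = db.register_notify(GUID);
    println!("unseeded: {:?}", db.drain(unseeded)); // Ok([])
    println!("seeded:   {:?}", db.drain(seeded));   // Ok([1])
}
```

    Seeding matters for drivers ported from EDK II that register a notify and immediately loop on LocateHandle expecting to be handed every existing instance; without it they silently miss protocols installed earlier in dispatch.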


📖 Documentation Updates

  • Add Patina community call to readme @makubacki (#1271)
    Change Details
      ## Description

    Link to the Patina community call details in the main readme.

    • Impacts functionality?
    • Impacts security?
    • Breaking change?
    • Includes tests?
    • Includes documentation?

    How This Was Tested

    • N/A

    Integration Instructions

    • N/A


  • device_path: Add SATA, NVMe, HardDrive, and FilePath node types @kat-perez (#1258)
    Change Details
      ## Description

    Adds additional device path node types commonly needed for boot flows:

    • Sata: SATA device paths (Messaging type)
    • NvmExpress: NVMe namespace device paths (Messaging type)
    • HardDrive: GPT/MBR partition device paths (Media type)
    • FilePath: File paths on media devices (Media type)

    These nodes enable construction of complete boot device paths from storage controller through partition to boot loader file.

    Split out from #1225 (boot orchestration) as these are general SDK enhancements.

    • Impacts functionality?
    • Impacts security?
    • Breaking change?
    • Includes tests?
    • Includes documentation?

    How This Was Tested

    Existing device path tests. Node types follow established patterns in the file.

    Integration Instructions

    N/A - additive change




Full Changelog: patina-v19.0.5...v20.0.0