MdeModulePkg/NvmExpressDxe: Add NVMe namespace filtering PCD

[eeshanl]

Description

Add PcdNvmeNamespaceFilterId to control NVMe namespace enumeration.
When != 0, only the specified NSID is discovered and enumerated. When 0 (default), all namespaces are enumerated as before.

This improves security on NVMe devices with multiple namespaces.
Without filtering, UEFI enumerates all namespaces and an attacker could place malicious boot media in a secondary namespace. By restricting enumeration to only the first namespace, we ensure the system boots exclusively from the intended namespace and prevents exploitation of additional namespaces as an attack vector.

Changes:

• NvmExpress.c: Add FilteringEnabled parameter to DiscoverAllNamespaces, EnumerateNvmeDevNamespace with namespace ID check when filtering
• NvmExpressDxe.inf: Add PcdNvmeNamespaceFilterId to [Pcd] section
• MdeModulePkg.dec: Define PcdNvmeNamespaceFilterId (default 0)

Ref: microsoft/mu_msvm@9337285

For details on how to complete these options and their meaning refer to CONTRIBUTING.md.

• Impacts functionality?
• Impacts security?
• Breaking change?
• Includes tests?
• Includes documentation?

How This Was Tested

Tested on:

• OpenVMM platform where namespace filtering is required and successfully booted to OS via DDA NVMe with Namespace filtering on & off.

• Physical platform and booted to OS with physical NVMe with Namespace filtering on & off.

• Qemu Q35 by booting to OS via NVMe with Namespace filtering on & off:

  Modified QemuCommandBuilder.py with the following:

  elif device == "ssd" and self._architecture == QemuArchitecture.Q35:
      # Create NVMe controller with 2 namespaces for testing namespace filtering
      # NS1: boot media, NS2: empty 1GB drive
      self._args.extend([
          "-drive",
          f"file={path},format={format},if=none,id=nvme_ns1",
          "-drive",
          "if=none,id=nvme_ns2,format=raw,file.driver=null-co,file.size=1G",
          "-device",
          "nvme,id=nvme0,serial=nvme-1",
          "-device",
          "nvme-ns,drive=nvme_ns1,bus=nvme0,nsid=1",
          "-device",
          "nvme-ns,drive=nvme_ns2,bus=nvme0,nsid=2",
      ])
  

With this change, we have added 2 NVMe namespaces nsid 1 & 2, and we have added 2 boot media, 1 with the real OS and 2 with an empty drive. Also, I tried to put the real boot media on nsid 2, and emptry drive in nsid 1, selected nsid 2 as the filter, and was able to successfully boot to OS.

With PcdNvmeNamespaceFilterId == 1 || PcdNvmeNamespaceFilterId == 2 we only enumerate target NSID and successfully boot to OS.

With PcdNvmeNamespaceFilterId == 0 we enumerate both the namespaces as defined above and also successfully boot to OS.

Integration Instructions

Set PcdNvmeNamespaceFilterId to the desired NSID when required at the platform dsc.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 0% with 27 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (release/202511@516de5d). Learn more about missing BASE report.

Files with missing lines	Patch %	Lines
MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpress.c	0.00%	27 Missing ⚠️

Additional details and impacted files

@@                Coverage Diff                @@
##             release/202511    #1754   +/-   ##
=================================================
  Coverage                  ?    1.84%           
=================================================
  Files                     ?     1151           
  Lines                     ?   376652           
  Branches                  ?     3196           
=================================================
  Hits                      ?     6936           
  Misses                    ?   369660           
  Partials                  ?       56           

Flag	Coverage Δ
FmpDevicePkg	9.53% <ø> (?)
MdeModulePkg	1.58% <0.00%> (?)
NetworkPkg	0.55% <ø> (?)
PolicyServicePkg	30.42% <ø> (?)
SecurityPkg	1.59% <ø> (?)
UefiCpuPkg	4.78% <ø> (?)
UnitTestFrameworkPkg	11.70% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[mu-automation]

✅ QEMU Validation Passed

Source Dependencies

Repository	Commit
mu_basecore	632b187
mu_tiano_platforms	c7453e8

Results

Platform	Target	Build	Boot	Overall Boot Time	Build Logs	Boot Logs
Q35	DEBUG	✅ success	✅ success	0m 18s	Build Logs	Boot Logs
SBSA	DEBUG	✅ success	✅ success	0m 31s	Build Logs	Boot Logs

Workflow run: https://github.com/microsoft/mu_basecore/actions/runs/25009154152

This comment was automatically generated by the Mu QEMU PR Validation workflow.

[eeshanl]

Disclaimer: Readme.md is AI generated

[os-d]

Can you take this directly to edk2 or do we have a platform need to get this into Mu now? If so, please take it to edk2 in parallel. Obviously dropping the MU_CHANGEs part of the readme.