Implement Dynamic Memory Protection Settings #4566
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
TaylorBeebe
force-pushed
the
mem_prot_hob_patch_series
branch
3 times, most recently
from
f4a4167
to
05837e8
Compare
TaylorBeebe
force-pushed
the
mem_prot_hob_patch_series
branch
3 times, most recently
from
8d94282
to
d8b967a
Compare
|
PR can not be merged due to conflict. Please rebase and resubmit |
TaylorBeebe
force-pushed
the
mem_prot_hob_patch_series
branch
8 times, most recently
from
92c7473
to
23a4ff9
Compare
|
PR can not be merged due to conflict. Please rebase and resubmit |
TaylorBeebe
force-pushed
the
mem_prot_hob_patch_series
branch
2 times, most recently
from
3f1581c
to
02fb39c
Compare
TaylorBeebe
force-pushed
the
mem_prot_hob_patch_series
branch
7 times, most recently
from
1741a01
to
aaef2da
Compare
TaylorBeebe
force-pushed
the
mem_prot_hob_patch_series
branch
from
aaef2da
to
e86f795
Compare
|
PR can not be merged due to conflict. Please rebase and resubmit |
TaylorBeebe
force-pushed
the
mem_prot_hob_patch_series
branch
2 times, most recently
from
ce5c92c
to
719f794
Compare
SetMemoryProtectionsLib is a PEIM which allows platforms to apply memory protection settings to the current boot. GetMemoryProtectionsLib has DXE and MM implementations to allow platforms to query the current memory protection settings via a global variable populated by the library Implementations. The global variable is a union of the MM and DXE settings. the DXE struct is only valid in a DXE module and the MM struct is only valid in an SMM or Stanalone MM module. Signed-off-by: Taylor Beebe <taylor.d.beebe@gmail.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Liming Gao <gaoliming@byosoft.com.cn>
The NULL instances for GetMemoryProtectionsLib and SetMemoryProtectionsLib just zero out the memory protections structure effectively disabling memory protections. Signed-off-by: Taylor Beebe <taylor.d.beebe@gmail.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Liming Gao <gaoliming@byosoft.com.cn>
…onsLib The SetMemoryProtectionsLib implementation has functionality for setting protections based on a preset profile or a custom DXE/MM profile passed in by the caller. The implementation also supports locking the protections (tracked via an extra boolean stored in the HOB entry) which prevents the protections from being changed by any other SetMemoryProtectionsLib calls. The GetMemoryProtectionsLib implementation populates the gMps global in the library consructor. For cases where the global needs to be accessed before the constructor is called, PopulateMpsGlobal() will manually fill out the gMps global. Signed-off-by: Taylor Beebe <taylor.d.beebe@gmail.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Liming Gao <gaoliming@byosoft.com.cn>
HOB memory should not be written to in DXE phase. This patch copies the PCD database from PEI into a new buffer so updates to dynamic PCDs don't write to HOB memory. Signed-off-by: Taylor Beebe <taylor.d.beebe@gmail.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Liming Gao <gaoliming@byosoft.com.cn> Cc: Dandan Bi <dandan.bi@intel.com>
Because the platform memory protection settings will be stored in the HOB, the HOB list should be marked read-only and non-executable as soon as possible in boot. This patch page-aligns the allocated HOB list in DXE and marks it RO/NX during memory protection initialization. Signed-off-by: Taylor Beebe <taylor.d.beebe@gmail.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Liming Gao <gaoliming@byosoft.com.cn> Cc: Dandan Bi <dandan.bi@intel.com>
When page/pool protections are active, the GCD sync process takes quite a bit longer than normal. This behavior is primarily due to a function which dumps the GCD memory map to the console. This dump function runs only on DEBUG builds but will iterate through the GCD memory map dozens of times even when the print level doesn't include DEBUG_GCD. This patch adds a check for the DEBUG_GCD print level before dumping the GCD memory map which saves several seconds during boot when page/pool protections are active. Signed-off-by: Taylor Beebe <taylor.d.beebe@gmail.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Liming Gao <gaoliming@byosoft.com.cn> Cc: Dandan Bi <dandan.bi@intel.com>
Memory protection is not set in PEI and ingested during and after DXE handoff. This paradigm means that the platform cannot reliably query the stack guard setting during MpInit. Because the execution path of PEI consistent and no third party code is executed, setting the stack guard in MpInit on every boot should be fine. Signed-off-by: Taylor Beebe <taylor.d.beebe@gmail.com> Cc: Eric Dong <eric.dong@intel.com> Cc: Ray Ni <ray.ni@intel.com> Cc: Rahul Kumar <rahul1.kumar@intel.com> Cc: Gerd Hoffmann <kraxel@redhat.com>
Add library classes for SetMemoryProtectionsLib and GetMemoryProtectionsLib to ArmVirtPkg. Signed-off-by: Taylor Beebe <taylor.d.beebe@gmail.com> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Leif Lindholm <quic_llindhol@quicinc.com> Cc: Sami Mujawar <sami.mujawar@arm.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Julien Grall <julien@xen.org>
Add library classes for SetMemoryProtectionsLib and GetMemoryProtectionsLib to OvmfPkg platfomrs. Signed-off-by: Taylor Beebe <taylor.d.beebe@gmail.com> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Rebecca Cran <rebecca@bsdio.com> Cc: Peter Grehan <grehan@freebsd.org> Cc: Corvin Köhne <corvink@freebsd.org> Cc: Jianyong Wu <jianyong.wu@arm.com> Cc: Anatol Belski <anbelski@linux.microsoft.com> Cc: Anthony Perard <anthony.perard@citrix.com> Cc: Julien Grall <julien@xen.org>
Use SetMemoryProtectionsLib to set the memory protections for the platform in both normal and PEI-less boot. The protections set are equivalent to the PCD settings and the ability to set NxForStack via QemuCfg is preserved. Once the transition to use SetMemoryProtectionsLib and GetMemoryProtectionsLib is complete in the rest of EDK2, the mechanics of setting protections in OvmfPkg will be updated and the memory protection PCDs will be deleted. Signed-off-by: Taylor Beebe <taylor.d.beebe@gmail.com> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Gerd Hoffmann <kraxel@redhat.com>
This patch updates the DXE Handoff in PEI-less Startup to use SetMemoryProtectionsLib to get the platform memory protection settings and build the page tables based on the applied protections. Signed-off-by: Taylor Beebe <taylor.d.beebe@gmail.com> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Gerd Hoffmann <kraxel@redhat.com>
Update the DXE handoff logic in UefiPayloadPkg to use SetMemoryProtectionsLib to fetch the platform memory protection settings and reference them when creating the page tables. Because the protection profile is equivalent to the PCD settings even when the platform does not explicitly set a profile, this updated does not cause a torn state. Signed-off-by: Taylor Beebe <taylor.d.beebe@gmail.com> Cc: Guo Dong <guo.dong@intel.com> Cc: Sean Rhodes <sean@starlabs.systems> Cc: James Lu <james.lu@intel.com> Cc: Gua Guo <gua.guo@intel.com>
Update the DXE handoff logic in MdeModulePkg to use SetMemoryProtectionsLib to fetch the platform memory protection settings and reference them when creating the page tables. Because the protection profile is equivalent to the PCD settings even when the platform does not explicitly set a profile, this updated does not cause a torn state. Signed-off-by: Taylor Beebe <taylor.d.beebe@gmail.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Liming Gao <gaoliming@byosoft.com.cn> Cc: Dandan Bi <dandan.bi@intel.com>
Replace references to the memory protection PCDs to instead check the platform protections via GetMemoryProtectionsLib. Signed-off-by: Taylor Beebe <taylor.d.beebe@gmail.com> Cc: Leif Lindholm <quic_llindhol@quicinc.com> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Sami Mujawar <sami.mujawar@arm.com>
… PCDs Replace references to the memory protection PCDs to instead check the platform protections via GetMemoryProtectionsLib. Because the protection profile is equivalent to the PCD settings, this updated does not cause a torn state. Signed-off-by: Taylor Beebe <taylor.d.beebe@gmail.com> Cc: Andrew Fish <afish@apple.com> Cc: Ray Ni <ray.ni@intel.com>
Replace references to the memory protection PCDs to instead check the platform protections via GetMemoryProtectionsLib. Because the protection profile is equivalent to the PCD settings, this updated does not cause a torn state. Signed-off-by: Taylor Beebe <taylor.d.beebe@gmail.com> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Leif Lindholm <quic_llindhol@quicinc.com> Cc: Abner Chang <abner.chang@amd.com>
…PCDs Replace references to the memory protection PCDs to instead check the platform protections via GetMemoryProtectionsLib. Because the protection profile is equivalent to the PCD settings, this updated does not cause a torn state. Signed-off-by: Taylor Beebe <taylor.d.beebe@gmail.com> Cc: Eric Dong <eric.dong@intel.com> Cc: Ray Ni <ray.ni@intel.com> Cc: Rahul Kumar <rahul1.kumar@intel.com> Cc: Gerd Hoffmann <kraxel@redhat.com>
…n PCDs Replace references to the memory protection PCDs to instead check the platform protections via GetMemoryProtectionsLib. Because the protection profile is equivalent to the PCD settings, this updated does not cause a torn state. Signed-off-by: Taylor Beebe <taylor.d.beebe@gmail.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Liming Gao <gaoliming@byosoft.com.cn> Cc: Dandan Bi <dandan.bi@intel.com>
Now that the EDK2 tree uses GetMemoryProtectionsLib to query the platform memory protection settings, we can add additional profiles to SetMemoryProtectionsLib to give plaforms more options for setting memory protections. Signed-off-by: Taylor Beebe <taylor.d.beebe@gmail.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Liming Gao <gaoliming@byosoft.com.cn>
QemuFwCfgParseString allows reading strings from the fw_cfg file. This function is needed for parsing the memory protection profile name. Signed-off-by: Taylor Beebe <taylor.d.beebe@gmail.com> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Gerd Hoffmann <kraxel@redhat.com>
MemoryProtectionConfigLib enables parsing the fw_cfg for the memory protection profile. Signed-off-by: Taylor Beebe <taylor.d.beebe@gmail.com> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Gerd Hoffmann <kraxel@redhat.com>
Now that the EDK2 tree uses GetMemoryProtectionsLib to query the platform memory protection settings, OvmfPkg can be updated to use QemuCfg to set the entire memory protection profile instead of just SetNxForStack. For example, the following will set the DXE memory protection to the RELEASE preset. -fw_cfg name=opt/org.tianocore/DxeMemoryProtectionProfile,string=release The following will set the MM memory protection to the RELEASE preset. -fw_cfg name=opt/org.tianocore/MmMemoryProtectionProfile,string=release For users of Stuart, DXE_MEMORY_PROTECTION_PROFILE=release and MM_MEMORY_PROTECTION_PROFILE=release are equivalent to the above examples. Signed-off-by: Taylor Beebe <taylor.d.beebe@gmail.com> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Rebecca Cran <rebecca@bsdio.com> Cc: Peter Grehan <grehan@freebsd.org> Cc: Corvin Köhne <corvink@freebsd.org>
Set the memory protections on Arm virtual platforms. Because the QemuFg parser is not currently available in ArmVirtPkg, use the RELEASE profile by default. Signed-off-by: Taylor Beebe <taylor.d.beebe@gmail.com> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Leif Lindholm <quic_llindhol@quicinc.com> Cc: Sami Mujawar <sami.mujawar@arm.com> Cc: Gerd Hoffmann <kraxel@redhat.com>
Now that the transition to use SetMemoryProtectionsLib and GetMemoryProtectionsLib is complete, delete the PCD profile to avoid confusing the interface. All memory protection settings will now be set and consumed via the libraries. Signed-off-by: Taylor Beebe <taylor.d.beebe@gmail.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Liming Gao <gaoliming@byosoft.com.cn>
Now that the transition to use SetMemoryProtectionsLib and GetMemoryProtectionsLib is complete, delete the memory protection PCDs to avoid confusing the interface. All memory protection settings will now be set and consumed via the libraries. Signed-off-by: Taylor Beebe <taylor.d.beebe@gmail.com> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Rebecca Cran <rebecca@bsdio.com> Cc: Peter Grehan <grehan@freebsd.org> Cc: Corvin Köhne <corvink@freebsd.org> Cc: Jianyong Wu <jianyong.wu@arm.com> Cc: Anatol Belski <anbelski@linux.microsoft.com> Cc: Anthony Perard <anthony.perard@citrix.com> Cc: Julien Grall <julien@xen.org> Cc: Erdem Aktas <erdemaktas@google.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Min Xu <min.m.xu@intel.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Michael Roth <michael.roth@amd.com> Cc: Sunil V L <sunilvl@ventanamicro.com> Cc: Andrei Warkentin <andrei.warkentin@intel.com>
Now that the transition to use SetMemoryProtectionsLib and GetMemoryProtectionsLib is complete, delete the memory protection PCDs to avoid confusing the interface. All memory protection settings will now be set and consumed via the libraries. Signed-off-by: Taylor Beebe <taylor.d.beebe@gmail.com> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Leif Lindholm <quic_llindhol@quicinc.com> Cc: Sami Mujawar <sami.mujawar@arm.com> Cc: Gerd Hoffmann <kraxel@redhat.com>
Now that the transition to use SetMemoryProtectionsLib and GetMemoryProtectionsLib is complete, delete the memory protection PCDs to avoid confusing the interface. All memory protection settings will now be set and consumed via the libraries. Signed-off-by: Taylor Beebe <taylor.d.beebe@gmail.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Liming Gao <gaoliming@byosoft.com.cn>
TaylorBeebe
force-pushed
the
mem_prot_hob_patch_series
branch
from
719f794
to
4d64080
Compare
|
PR can not be merged due to conflict. Please rebase and resubmit |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Resolves tianocore/projects#9
Resolves tianocore/projects#10
Resolves tianocore/projects#11
Resolves tianocore/projects#12