In the past, memory protection settings were configured via FixedAtBuild PCDs, which resulted in a build-time configuration of memory mitigations. This approach limited the flexibility of applying mitigations to the system and made it difficult to update or adjust the settings post-build.
In this design, the configuration interface has been revised to allow for dynamic configuration. This is achieved with HOBs that are published prior to invocation of the HandoffToDxe() function. OvmfPkg/PlatformPei/Platform.c contains an example of how to publish the HOB for DXE and MM. To check the memory protection settings after PEI, the HOB can be easily consumed, sanity checked, and put into a global for access via the inclusion of the DXE or MM HOB libraries.

This patch series also increases the memory protection level for OvmfPkg and ArmVirtPkg.

Reference: https://github.com/tianocore/edk2/pull/4566

Cc: Jian J Wang <jian.j.w...@intel.com>
Cc: Liming Gao <gaolim...@byosoft.com.cn>
Cc: Dandan Bi <dandan...@intel.com>
Cc: Ard Biesheuvel <ardb+tianoc...@kernel.org>
Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Jordan Justen <jordan.l.jus...@intel.com>
Cc: Gerd Hoffmann <kra...@redhat.com>
Cc: Leif Lindholm <quic_llind...@quicinc.com>
Cc: Sami Mujawar <sami.muja...@arm.com>
Cc: Andrew Fish <af...@apple.com>
Cc: Ray Ni <ray...@intel.com>
Cc: Eric Dong <eric.d...@intel.com>
Cc: Rahul Kumar <rahul1.ku...@intel.com>
Cc: Guo Dong <guo.d...@intel.com>
Cc: Sean Rhodes <sean@starlabs.systems>
Cc: James Lu <james...@intel.com>
Cc: Gua Guo <gua....@intel.com>

Taylor Beebe (14):
  MdeModulePkg: Add DXE and MM Memory Protection Settings Definitions
  MdeModulePkg: Add MemoryProtectionHobLib Definitions and NULL Libs
  MdeModulePkg: Add Phase-Specific MemoryProtectionHobLib Implementations
  OvmfPkg: Create the memory protection settings HOB
  ArmVirtPkg: Create memory protection settings HOB
  ArmPkg: Update to use memory protection HOB
  EmulatorPkg: Update to use memory protection HOB
  MdeModulePkg: Update to use memory protection HOB
  OvmfPkg: Update to use memory protection HOB
  UefiCpuPkg: Update to use memory protection HOB
  UefiPayloadPkg: Update to use memory protection HOB
  OvmfPkg: Delete Memory Protection PCDs
  ArmVirtPkg: Delete Memory Protection PCDs
  MdeModulePkg: Delete Memory Protection PCDs

 ArmPkg/ArmPkg.dsc | 1 +
 ArmPkg/Drivers/CpuDxe/CpuDxe.c | 5 +-
 ArmPkg/Drivers/CpuDxe/CpuDxe.inf | 2 +-
 ArmVirtPkg/ArmVirt.dsc.inc | 24 +-
 ArmVirtPkg/ArmVirtCloudHv.dsc | 5 -
 ArmVirtPkg/ArmVirtQemu.dsc | 5 -
 ArmVirtPkg/MemoryInitPei/MemoryInitPeim.c | 25 +-
 ArmVirtPkg/MemoryInitPei/MemoryInitPeim.inf | 2 +
 EmulatorPkg/EmulatorPkg.dsc | 2 +-
 MdeModulePkg/Core/Dxe/DxeMain.h | 1 +
 MdeModulePkg/Core/Dxe/DxeMain.inf | 9 +-
 MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c | 8 +-
 MdeModulePkg/Core/Dxe/Mem/HeapGuard.c | 88 ++--
 MdeModulePkg/Core/Dxe/Mem/HeapGuard.h | 24 +-
 MdeModulePkg/Core/Dxe/Mem/Page.c | 4 +-
 MdeModulePkg/Core/Dxe/Mem/Pool.c | 6 +-
 MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c | 338 +++++++-------
 MdeModulePkg/Core/DxeIplPeim/DxeHandoff.c | 4 +-
 MdeModulePkg/Core/DxeIplPeim/DxeIpl.h | 15 +
 MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf | 13 +-
 MdeModulePkg/Core/DxeIplPeim/DxeLoad.c | 26 ++
 .../Core/DxeIplPeim/Ia32/DxeLoadFunc.c | 57 +--
 .../Core/DxeIplPeim/X64/DxeLoadFunc.c | 20 +-
 .../Core/DxeIplPeim/X64/VirtualMemory.c | 87 ++--
 .../Core/DxeIplPeim/X64/VirtualMemory.h | 23 +-
 MdeModulePkg/Core/PiSmmCore/HeapGuard.c | 60 +--
 MdeModulePkg/Core/PiSmmCore/HeapGuard.h | 20 +-
 MdeModulePkg/Core/PiSmmCore/Page.c | 6 +-
 MdeModulePkg/Core/PiSmmCore/PiSmmCore.h | 1 +
 MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf | 4 +-
 MdeModulePkg/Core/PiSmmCore/Pool.c | 9 +-
 .../Guid/DxeMemoryProtectionSettings.h | 413 ++++++++++++++++++
 .../Include/Guid/MmMemoryProtectionSettings.h | 211 +++++++++
 .../Library/DxeMemoryProtectionHobLib.h | 20 +
 .../Library/MmMemoryProtectionHobLib.h | 20 +
 .../DxeMemoryProtectionHobLib.c | 132 ++++++
 .../DxeMemoryProtectionHobLib.inf | 34 ++
 .../MmCommonMemoryProtectionHobLib.c | 89 ++++
 .../SmmMemoryProtectionHobLib.c | 37 ++
 .../SmmMemoryProtectionHobLib.inf | 35 ++
 .../StandaloneMmMemoryProtectionHobLib.c | 37 ++
 .../StandaloneMmMemoryProtectionHobLib.inf | 36 ++
 .../DxeMemoryProtectionHobLibNull.c | 13 +
 .../DxeMemoryProtectionHobLibNull.inf | 28 ++
 .../MmMemoryProtectionHobLibNull.c | 13 +
 .../MmMemoryProtectionHobLibNull.inf | 28 ++
 MdeModulePkg/MdeModulePkg.dec | 187 +-------
 MdeModulePkg/MdeModulePkg.dsc | 11 +
 MdeModulePkg/MdeModulePkg.uni | 153 -------
 OvmfPkg/AmdSev/AmdSevX64.dsc | 5 +-
 OvmfPkg/Bhyve/BhyveX64.dsc | 5 +-
 OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf | 1 -
 OvmfPkg/CloudHv/CloudHvX64.dsc | 5 +-
 OvmfPkg/Fdt/HighMemDxe/HighMemDxe.c | 5 +-
 OvmfPkg/Fdt/HighMemDxe/HighMemDxe.inf | 4 +-
 .../Dsc/MemoryProtectionLibraries.dsc.inc | 15 +
 OvmfPkg/Include/Library/PlatformInitLib.h | 13 -
 OvmfPkg/IntelTdx/IntelTdxX64.dsc | 5 +-
 OvmfPkg/Library/PeilessStartupLib/DxeLoad.c | 25 +-
 .../PeilessStartupLib/PeilessStartup.c | 3 -
 .../PeilessStartupLib/PeilessStartupLib.inf | 5 +-
 .../PeilessStartupLib/X64/PageTables.h | 23 +-
 .../PeilessStartupLib/X64/VirtualMemory.c | 107 ++---
 OvmfPkg/Library/PlatformInitLib/Platform.c | 15 -
 OvmfPkg/Microvm/MicrovmX64.dsc | 5 +-
 OvmfPkg/OvmfPkgIa32.dsc | 5 +-
 OvmfPkg/OvmfPkgIa32X64.dsc | 5 +-
 OvmfPkg/OvmfPkgX64.dsc | 5 +-
 OvmfPkg/OvmfXen.dsc | 5 +-
 OvmfPkg/PlatformPei/IntelTdx.c | 2 -
 OvmfPkg/PlatformPei/Platform.c | 43 +-
 OvmfPkg/PlatformPei/PlatformPei.inf | 3 +-
 OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf | 2 +-
 OvmfPkg/QemuVideoDxe/VbeShim.c | 5 +-
 OvmfPkg/RiscVVirt/RiscVVirt.dsc.inc | 13 -
 OvmfPkg/RiscVVirt/RiscVVirtQemu.dsc | 1 +
 OvmfPkg/TdxDxe/TdxDxe.c | 7 +-
 OvmfPkg/TdxDxe/TdxDxe.inf | 1 -
 UefiCpuPkg/CpuDxe/CpuDxe.c | 2 +-
 UefiCpuPkg/CpuDxe/CpuDxe.h | 11 +-
 UefiCpuPkg/CpuDxe/CpuDxe.inf | 4 +-
 UefiCpuPkg/CpuDxe/CpuMp.c | 2 +-
 UefiCpuPkg/CpuDxeRiscV64/CpuDxeRiscV64.inf | 3 -
 UefiCpuPkg/CpuMpPei/CpuMpPei.c | 8 +-
 UefiCpuPkg/CpuMpPei/CpuMpPei.h | 3 +-
 UefiCpuPkg/CpuMpPei/CpuMpPei.inf | 1 -
 UefiCpuPkg/CpuMpPei/CpuPaging.c | 14 +-
 .../DxeCpuExceptionHandlerLib.inf | 1 -
 .../PeiCpuExceptionHandlerLib.inf | 1 -
 .../SecPeiCpuExceptionHandlerLib.inf | 1 -
 .../SmmCpuExceptionHandlerLib.inf | 1 -
 .../UnitTest/CpuExceptionHandlerTest.h | 3 +-
 .../UnitTest/CpuExceptionHandlerTestCommon.c | 27 +-
 .../DxeCpuExceptionHandlerLibUnitTest.inf | 2 +-
 .../PeiCpuExceptionHandlerLibUnitTest.inf | 4 +-
 UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf | 3 +-
 UefiCpuPkg/Library/MpInitLib/DxeMpLib.c | 3 +-
 UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/PageTbl.c | 2 +-
 UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.inf | 3 +-
 .../PiSmmCpuDxeSmm/SmmCpuMemoryManagement.c | 13 +-
 UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c | 2 +-
 .../PiSmmCpuDxeSmm/SmmProfileInternal.h | 10 +-
 UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c | 2 +-
 UefiCpuPkg/UefiCpuPkg.dec | 7 +-
 UefiCpuPkg/UefiCpuPkg.dsc | 2 +
 UefiCpuPkg/UefiCpuPkg.uni | 10 +-
 .../UefiPayloadEntry/Ia32/DxeLoadFunc.c | 149 +------
 UefiPayloadPkg/UefiPayloadEntry/LoadDxeCore.c | 26 ++
 .../UefiPayloadEntry/UefiPayloadEntry.h | 15 +
 .../UefiPayloadEntry/UefiPayloadEntry.inf | 9 +-
 .../UniversalPayloadEntry.inf | 9 +-
 .../UefiPayloadEntry/X64/DxeLoadFunc.c | 25 +-
 .../UefiPayloadEntry/X64/VirtualMemory.c | 78 ++--
 .../UefiPayloadEntry/X64/VirtualMemory.h | 23 +-
 UefiPayloadPkg/UefiPayloadPkg.dsc | 1 +
 115 files changed, 1888 insertions(+), 1321 deletions(-)
 create mode 100644 MdeModulePkg/Include/Guid/DxeMemoryProtectionSettings.h
 create mode 100644 MdeModulePkg/Include/Guid/MmMemoryProtectionSettings.h
 create mode 100644 MdeModulePkg/Include/Library/DxeMemoryProtectionHobLib.h
 create mode 100644 MdeModulePkg/Include/Library/MmMemoryProtectionHobLib.h
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLib/DxeMemoryProtectionHobLib.c
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLib/DxeMemoryProtectionHobLib.inf
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLib/MmCommonMemoryProtectionHobLib.c
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLib/SmmMemoryProtectionHobLib.c
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLib/SmmMemoryProtectionHobLib.inf
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLib/StandaloneMmMemoryProtectionHobLib.c
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLib/StandaloneMmMemoryProtectionHobLib.inf
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLibNull/DxeMemoryProtectionHobLibNull.c
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLibNull/DxeMemoryProtectionHobLibNull.inf
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLibNull/MmMemoryProtectionHobLibNull.c
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLibNull/MmMemoryProtectionHobLibNull.inf
 create mode 100644 OvmfPkg/Include/Dsc/MemoryProtectionLibraries.dsc.inc

-- 
2.41.0.windows.2

View/Reply Online (#106823): https://edk2.groups.io/g/devel/message/106823
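The producer/consumer flow the cover letter describes (publish a settings HOB before HandoffToDxe(), then have a phase-specific HOB library find it, sanity check it and copy it into a global) can be modelled outside a firmware build. The following is an added, freestanding C example written for this page; it is not code from the patch series. The HOB header layout and type values follow the PI specification, but the settings structure, its version field, the GUID value and the function names are assumptions made for illustration, not the definitions in DxeMemoryProtectionSettings.h or the real BuildGuidDataHob()/GetFirstGuidHob() from HobLib.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* HOB header layout and type codes as defined by the PI specification. */
#define EFI_HOB_TYPE_GUID_EXTENSION   0x0004
#define EFI_HOB_TYPE_END_OF_HOB_LIST  0xFFFF

typedef struct { uint32_t Data1; uint16_t Data2; uint16_t Data3; uint8_t Data4[8]; } EFI_GUID;
typedef struct { uint16_t HobType; uint16_t HobLength; uint32_t Reserved; } EFI_HOB_GENERIC_HEADER;
typedef struct { EFI_HOB_GENERIC_HEADER Header; EFI_GUID Name; } EFI_HOB_GUID_TYPE;

/* Hypothetical settings payload (assumption for this example; not the series' struct). */
#define EXAMPLE_SETTINGS_CURRENT_VERSION  1
typedef struct {
  uint8_t  StructVersion;               /* consumer rejects versions it does not understand */
  uint8_t  NullPointerDetectionEnabled;
  uint8_t  CpuStackGuardEnabled;
  uint8_t  Reserved;
  uint32_t HeapGuardPageTypeMask;       /* bitmask of EFI memory types to page-guard */
} EXAMPLE_MEMORY_PROTECTION_SETTINGS;

/* Hypothetical GUID chosen for this example only. */
static const EFI_GUID gExampleMemoryProtectionSettingsGuid =
  { 0x0badc0de, 0x1234, 0x5678, { 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34, 0x56, 0x78 } };

/* The global the HOB library exposes; zeroed (all protections off) until a valid HOB is applied. */
EXAMPLE_MEMORY_PROTECTION_SETTINGS gExampleMps;

/* A tiny in-memory HOB list standing in for the PEI HOB list (8-byte aligned, as HOBs require). */
static uint64_t mHobStorage[64];

void HobListInit(void) {
  EFI_HOB_GENERIC_HEADER *end = (EFI_HOB_GENERIC_HEADER *)mHobStorage;
  memset(mHobStorage, 0, sizeof(mHobStorage));
  end->HobType   = EFI_HOB_TYPE_END_OF_HOB_LIST;
  end->HobLength = sizeof(*end);
}

static EFI_HOB_GENERIC_HEADER *NextHob(EFI_HOB_GENERIC_HEADER *h) {
  return (EFI_HOB_GENERIC_HEADER *)((uint8_t *)h + h->HobLength);
}

/* PEI side: append a GUID-extension HOB carrying Data. Returns the payload pointer, or NULL if full. */
void *BuildGuidDataHob(const EFI_GUID *Guid, const void *Data, uint16_t DataSize) {
  EFI_HOB_GENERIC_HEADER *h = (EFI_HOB_GENERIC_HEADER *)mHobStorage;
  while (h->HobType != EFI_HOB_TYPE_END_OF_HOB_LIST) {
    if (h->HobLength == 0) return NULL;           /* corrupt list: never loop forever */
    h = NextHob(h);
  }
  size_t   off = (size_t)((uint8_t *)h - (uint8_t *)mHobStorage);
  uint16_t len = (uint16_t)((sizeof(EFI_HOB_GUID_TYPE) + DataSize + 7) & ~(size_t)7);
  if (off + len + sizeof(*h) > sizeof(mHobStorage)) return NULL;   /* no room for HOB + new end marker */
  EFI_HOB_GUID_TYPE *g = (EFI_HOB_GUID_TYPE *)h;
  g->Header.HobType   = EFI_HOB_TYPE_GUID_EXTENSION;
  g->Header.HobLength = len;
  g->Header.Reserved  = 0;
  g->Name = *Guid;
  memcpy(g + 1, Data, DataSize);
  EFI_HOB_GENERIC_HEADER *end = NextHob(h);       /* re-terminate the list after the new HOB */
  end->HobType = EFI_HOB_TYPE_END_OF_HOB_LIST;
  end->HobLength = sizeof(*end);
  end->Reserved = 0;
  return g + 1;
}

/* DXE/MM side: walk the list for the first GUID HOB with a matching name. */
const EFI_HOB_GUID_TYPE *GetFirstGuidHob(const EFI_GUID *Guid) {
  EFI_HOB_GENERIC_HEADER *h = (EFI_HOB_GENERIC_HEADER *)mHobStorage;
  while (h->HobType != EFI_HOB_TYPE_END_OF_HOB_LIST && h->HobLength != 0) {
    if (h->HobType == EFI_HOB_TYPE_GUID_EXTENSION &&
        memcmp(&((EFI_HOB_GUID_TYPE *)h)->Name, Guid, sizeof(EFI_GUID)) == 0) {
      return (EFI_HOB_GUID_TYPE *)h;
    }
    h = NextHob(h);
  }
  return NULL;
}

enum { MPS_APPLIED = 0, MPS_HOB_MISSING = 1, MPS_HOB_INVALID = 2 };

/* Models the HOB library constructor: consume, sanity check, then populate the global.
 * On any problem the global stays zeroed so no caller runs with a half-parsed struct. */
int ExampleMemoryProtectionHobLibConstructor(void) {
  memset(&gExampleMps, 0, sizeof(gExampleMps));
  const EFI_HOB_GUID_TYPE *hob = GetFirstGuidHob(&gExampleMemoryProtectionSettingsGuid);
  if (hob == NULL) return MPS_HOB_MISSING;
  /* Check the length before touching the payload: a short HOB must not be read past its end. */
  if (hob->Header.HobLength < sizeof(*hob) + sizeof(EXAMPLE_MEMORY_PROTECTION_SETTINGS)) return MPS_HOB_INVALID;
  const EXAMPLE_MEMORY_PROTECTION_SETTINGS *s = (const EXAMPLE_MEMORY_PROTECTION_SETTINGS *)(hob + 1);
  if (s->StructVersion != EXAMPLE_SETTINGS_CURRENT_VERSION) return MPS_HOB_INVALID;
  memcpy(&gExampleMps, s, sizeof(gExampleMps));
  return MPS_APPLIED;
}

int main(void) {
  EXAMPLE_MEMORY_PROTECTION_SETTINGS s = { EXAMPLE_SETTINGS_CURRENT_VERSION, 1, 1, 0, 0x0F };
  HobListInit();
  printf("no HOB:    rc=%d\n", ExampleMemoryProtectionHobLibConstructor());
  BuildGuidDataHob(&gExampleMemoryProtectionSettingsGuid, &s, sizeof(s));
  printf("valid HOB: rc=%d null-ptr=%u mask=0x%x\n", ExampleMemoryProtectionHobLibConstructor(),
         gExampleMps.NullPointerDetectionEnabled, gExampleMps.HeapGuardPageTypeMask);
  return 0;
}
```

Two points carry over to a real implementation. First, the consumer checks HobLength and the version field before copying, because the HOB is produced by a different phase (and, with PeilessStartupLib or a payload entry, possibly a different code base) and the struct layout can drift between them. Second, this example fails open: a missing or rejected HOB leaves every protection disabled. Whether a platform should instead ASSERT or fall back to a hardened default is a policy decision for that platform, not something this model decides.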