SetMemoryProtectionsLib is a PEIM which allows platforms to
apply memory protection settings to the current boot.
GetMemoryProtectionsLib has DXE and MM implementations to allow
platforms to query the current memory protection settings via a
global variable populated by the library Implementations.
The global variable is a union of the MM and DXE settings. the
DXE struct is only valid in a DXE module and the MM struct is
only valid in an SMM or Stanalone MM module.
Signed-off-by: Taylor Beebe <taylor.d.be...@gmail.com>
Cc: Jian J Wang <jian.j.w...@intel.com>
Cc: Liming Gao <gaolim...@byosoft.com.cn>
---
MdeModulePkg/Include/Library/GetMemoryProtectionsLib.h | 83 +++++++++++
MdeModulePkg/Include/Library/SetMemoryProtectionsLib.h | 152
++++++++++++++++++++
MdeModulePkg/MdeModulePkg.dec | 8 ++
3 files changed, 243 insertions(+)
diff --git a/MdeModulePkg/Include/Library/GetMemoryProtectionsLib.h
b/MdeModulePkg/Include/Library/GetMemoryProtectionsLib.h
new file mode 100644
index 000000000000..c8f7084e9c80
--- /dev/null
+++ b/MdeModulePkg/Include/Library/GetMemoryProtectionsLib.h
@@ -0,0 +1,83 @@
+/** @file
+Library for accessing the platform memory protection settings.
+
+Copyright (c) Microsoft Corporation.
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef GET_MEMORY_PROTECTION_SETTINGS_LIB_H_
+#define GET_MEMORY_PROTECTION_SETTINGS_LIB_H_
+
+#include <Library/BaseMemoryLib.h>
+#include <Guid/MemoryProtectionSettings.h>
+
+#pragma pack(1)
+
+typedef union {
+ DXE_MEMORY_PROTECTION_SETTINGS Dxe;
+ MM_MEMORY_PROTECTION_SETTINGS Mm;
+} MEMORY_PROTECTION_SETTINGS_UNION;
+
+#pragma pack()
+
+// The global used to access current Memory Protection Settings
+extern MEMORY_PROTECTION_SETTINGS_UNION gMps;
+
+#define MPS_IS_DXE_SIGNATURE_VALID (gMps.Dxe.Signature ==
DXE_MEMORY_PROTECTION_SIGNATURE)
+#define MPS_IS_MM_SIGNATURE_VALID (gMps.Mm.Signature ==
MM_MEMORY_PROTECTION_SIGNATURE)
+
+#define IS_DXE_PAGE_GUARD_ACTIVE (MPS_IS_DXE_SIGNATURE_VALID
&& \
+ !IsZeroBuffer
(&gMps.Dxe.PageGuard.EnabledForType, MPS_MEMORY_TYPE_BUFFER_SIZE) && \
+ gMps.Dxe.HeapGuard.PageGuardEnabled)
+
+#define IS_DXE_POOL_GUARD_ACTIVE (MPS_IS_DXE_SIGNATURE_VALID
&& \
+ !IsZeroBuffer
(&gMps.Dxe.PoolGuard.EnabledForType, MPS_MEMORY_TYPE_BUFFER_SIZE) && \
+ gMps.Dxe.HeapGuard.PoolGuardEnabled)
+
+#define IS_DXE_EXECUTION_PROTECTION_ACTIVE (MPS_IS_DXE_SIGNATURE_VALID
&& \
+ !IsZeroBuffer
(&gMps.Dxe.ExecutionProtection.EnabledForType, MPS_MEMORY_TYPE_BUFFER_SIZE))
+
+#define IS_DXE_IMAGE_PROTECTION_ACTIVE (MPS_IS_DXE_SIGNATURE_VALID
&& \
+
(gMps.Dxe.ImageProtection.ProtectImageFromFv || \
+
gMps.Dxe.ImageProtection.ProtectImageFromUnknown))
+
+#define IS_DXE_MEMORY_PROTECTION_ACTIVE (MPS_IS_DXE_SIGNATURE_VALID
&& \
+ (IS_DXE_PAGE_GUARD_ACTIVE
|| \
+ IS_DXE_POOL_GUARD_ACTIVE
|| \
+ IS_DXE_EXECUTION_PROTECTION_ACTIVE
|| \
+ IS_DXE_IMAGE_PROTECTION_ACTIVE
|| \
+ gMps.Dxe.CpuStackGuardEnabled
|| \
+
gMps.Dxe.StackExecutionProtectionEnabled || \
+
gMps.Dxe.NullPointerDetection.Enabled || \
+
gMps.Dxe.HeapGuard.FreedMemoryGuardEnabled))
+
+#define IS_MM_PAGE_GUARD_ACTIVE (MPS_IS_MM_SIGNATURE_VALID
&& \
+ gMps.Mm.HeapGuard.PageGuardEnabled
&& \
+ !IsZeroBuffer
(&gMps.Mm.PageGuard.EnabledForType, MPS_MEMORY_TYPE_BUFFER_SIZE))
+
+#define IS_MM_POOL_GUARD_ACTIVE (MPS_IS_MM_SIGNATURE_VALID
&& \
+ gMps.Mm.HeapGuard.PoolGuardEnabled
&& \
+ !IsZeroBuffer
(&gMps.Mm.PoolGuard.EnabledForType, MPS_MEMORY_TYPE_BUFFER_SIZE))
+
+#define IS_MM_MEMORY_PROTECTION_ACTIVE (MPS_IS_MM_SIGNATURE_VALID
&& \
+ (IS_MM_PAGE_GUARD_ACTIVE
|| \
+ IS_MM_POOL_GUARD_ACTIVE
|| \
+
gMps.Mm.NullPointerDetection.Enabled));
+
+/**
+ Populates gMps global. This function is invoked by the library constructor
and only needs to be
+ called if library contructors have not yet been invoked.
+
+ @retval EFI_SUCCESS gMps global was populated.
+ @retval EFI_NOT_FOUND The gMemoryProtectionSettingsGuid HOB was not
found.
+ @retval EFI_ABORTED The version number of the DXE or MM memory
protection settings was invalid.
+ @retval EFI_UNSUPPORTED NULL implementation called.
+**/
+EFI_STATUS
+EFIAPI
+PopulateMpsGlobal (
+ VOID
+ );
+
+#endif
diff --git a/MdeModulePkg/Include/Library/SetMemoryProtectionsLib.h
b/MdeModulePkg/Include/Library/SetMemoryProtectionsLib.h
new file mode 100644
index 000000000000..023c987c3c7e
--- /dev/null
+++ b/MdeModulePkg/Include/Library/SetMemoryProtectionsLib.h
@@ -0,0 +1,152 @@
+/** @file
+Library for creating the MM and DXE memory protection HOB entries.
+
+Copyright (c) Microsoft Corporation.
+SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#ifndef SET_MEMORY_PROTECTION_SETTINGS_LIB_H_
+#define SET_MEMORY_PROTECTION_SETTINGS_LIB_H_
+
+#include <Guid/MemoryProtectionSettings.h>
+
+typedef struct {
+ CHAR8 *Name;
+ CHAR8 *Description;
+ DXE_MEMORY_PROTECTION_SETTINGS Settings;
+} DXE_MEMORY_PROTECTION_PROFILES;
+
+typedef enum {
+ DxeMemoryProtectionSettingsPcd,
+ DxeMemoryProtectionSettingsMax
+} DXE_MEMORY_PROTECTION_PROFILE_INDEX;
+
+typedef struct {
+ CHAR8 *Name;
+ CHAR8 *Description;
+ MM_MEMORY_PROTECTION_SETTINGS Settings;
+} MM_MEMORY_PROTECTION_PROFILES;
+
+typedef enum {
+ MmMemoryProtectionSettingsPcd,
+ MmMemoryProtectionSettingsMax
+} MM_MEMORY_PROTECTION_PROFILE_INDEX;
+
+extern DXE_MEMORY_PROTECTION_PROFILES
DxeMemoryProtectionProfiles[DxeMemoryProtectionSettingsMax];
+extern MM_MEMORY_PROTECTION_PROFILES
MmMemoryProtectionProfiles[MmMemoryProtectionSettingsMax];
+
+/**
+ Prevent further changes to the memory protection settings via this
+ library API.
+
+ @retval EFI_SUCCESS The memory protection settings are locked.
+ @retval EFI_ABORTED Unable to get/create the memory protection
settings.
+ @retval EFI_UNSUPPORTED NULL implementation called.
+**/
+EFI_STATUS
+EFIAPI
+LockMemoryProtectionSettings (
+ VOID
+ );
+
+/**
+ Sets the DXE memory protection settings. If DxeMps is NULL, the settings
will be set based
+ on ProfileIndex.
+
+ @param[in] DxeMps Pointer to the memory protection settings to
publish. If NULL, the
+ settings will be created based on ProfileIndex.
+ @param[in] ProfileIndex The index of the memory protection profile to use
if DxeMps is NULL.
+
+ @retval EFI_SUCCESS The memory protection HOB was successfully
created.
+ @retval EFI_INVALID_PARAMETER The ProfileIndex was invalid or the version
number of the
+ input DxeMps was not equal to the version
currently present
+ in the settings.
+ @retval EFI_ABORTED Unable to get/create the memory protection
settings.
+ @retval EFI_ACCESS_DENIED The memory protection settings are locked.
+ @retval EFI_UNSUPPORTED NULL implementation called.
+**/
+EFI_STATUS
+EFIAPI
+SetDxeMemoryProtectionSettings (
+ IN DXE_MEMORY_PROTECTION_SETTINGS *DxeMps OPTIONAL,
+ IN DXE_MEMORY_PROTECTION_PROFILE_INDEX ProfileIndex
+ );
+
+/**
+ Sets the MM memory protection HOB entry. If MmMps is NULL, the settings will
be set based
+ on ProfileIndex.
+
+ @param[in] MmMps Pointer to the memory protection settings to
publish. If NULL, the
+ settings will be created based on ProfileIndex.
+ @param[in] ProfileIndex The index of the memory protection profile to use
if MmMps is NULL.
+
+ @retval EFI_SUCCESS The memory protection HOB was successfully
created.
+ @retval EFI_OUT_OF_RESOURCES There was insufficient memory to create the
HOB.
+ @retval EFI_INVALID_PARAMETER The ProfileIndex was invalid or the version
number of the
+ input MmMps was not equal to the version
currently present
+ in the settings.
+ @retval EFI_ABORTED Unable to get/create the memory protection
settings.
+ @retval EFI_ACCESS_DENIED The memory protection settings are locked.
+ @retval EFI_UNSUPPORTED NULL implementation called.
+**/
+EFI_STATUS
+EFIAPI
+SetMmMemoryProtectionSettings (
+ IN MM_MEMORY_PROTECTION_SETTINGS *MmMps OPTIONAL,
+ IN MM_MEMORY_PROTECTION_PROFILE_INDEX ProfileIndex
+ );
+
+/**
+ Copies the current memory protection settings into the input buffer.
+
+ NOTE: The returned settings may not be the final settings used by the
+ platform on this boot. Unless LockMemoryProtectionSettings() has
+ been called, settings may be modified by drivers until DXE handoff.
+
+ @param[out] Mps The memory protection settings pointer to populate.
+
+ @retval EFI_SUCCESS The memory protection settings were copied
+ into the input buffer.
+ @retval EFI_INVALID_PARAMETER Mps was NULL.
+ @retval EFI_ABORTED Unable to get/create the memory protection
settings.
+ @retval EFI_UNSUPPORTED NULL implementation called.
+**/
+EFI_STATUS
+EFIAPI
+GetCurrentMemoryProtectionSettings (
+ OUT MEMORY_PROTECTION_SETTINGS *Mps
+ );
+
+/**
+ Returns TRUE any form of DXE memory protection is currently active.
+
+ NOTE: The returned value may reflect the final settings used by the
+ platform on this boot. Unless LockMemoryProtectionSettings() has
+ been called, settings may be modified by drivers until DXE handoff.
+
+ @retval TRUE DXE Memory protection is active.
+ @retval FALSE DXE Memory protection is not active.
+**/
+BOOLEAN
+EFIAPI
+IsDxeMemoryProtectionActive (
+ VOID
+ );
+
+/**
+ Returns TRUE any form of MM memory protection is currently active.
+
+ NOTE: The returned value may reflect the final settings used by the
+ platform on this boot. Unless LockMemoryProtectionSettings() has
+ been called, settings may be modified by drivers until DXE handoff.
+
+ @retval TRUE MM Memory protection is active.
+ @retval FALSE MM Memory protection is not active.
+**/
+BOOLEAN
+EFIAPI
+IsMmMemoryProtectionActive (
+ VOID
+ );
+
+#endif
diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
index 5e1a0388bed3..6ad0902a1bff 100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
@@ -164,6 +164,14 @@ [LibraryClasses]
#
VariableFlashInfoLib|Include/Library/VariableFlashInfoLib.h
+ ## @libraryclass Provides a global for consuming memory protection settings
+ #
+ GetMemoryProtectionsLib|Include/Library/GetMemoryProtectionsLib.h
+
+ ## @libraryclass Library for creating the memory protection settings HOB
+ #
+ SetMemoryProtectionsLib|Include/Library/SetMemoryProtectionsLib.h
+
[Guids]
## MdeModule package token space guid
# Include/Guid/MdeModulePkgTokenSpace.h
--
2.42.0.windows.2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#108864): https://edk2.groups.io/g/devel/message/108864
Mute This Topic: https://groups.io/mt/101469939/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
