path: root/OvmfPkg/Sec
Age | Commit message | Author
2015-11-30 | OvmfPkg: decompress FVs on S3 resume if SMM_REQUIRE is set | Laszlo Ersek
If OVMF was built with -D SMM_REQUIRE, that implies that the runtime OS is not trusted and we should defend against it tampering with the firmware's data. One such datum is the PEI firmware volume (PEIFV). Normally PEIFV is decompressed on the first boot by SEC, then the OS preserves it across S3 suspend-resume cycles; at S3 resume SEC just reuses the originally decompressed PEIFV. However, if we don't trust the OS, then SEC must decompress PEIFV from the pristine flash every time, lest we execute OS-injected code or work with OS-injected data. Due to how FVMAIN_COMPACT is organized, we can't decompress just PEIFV; the decompression brings DXEFV with itself, plus it uses a temporary output buffer and a scratch buffer too, which even reach above the end of the finally installed DXEFV. For this reason we must keep away a non-malicious OS from DXEFV too, plus the memory up to PcdOvmfDecomprScratchEnd. The delay introduced by the LZMA decompression on S3 resume is negligible. If -D SMM_REQUIRE is not specified, then PcdSmmSmramRequire remains FALSE (from the DEC file), and then this patch has no effect (not counting some changed debug messages). If QEMU doesn't support S3 (or the user disabled it on the QEMU command line), then this patch has no effect also. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Jordan Justen <jordan.l.justen@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19037 6f19259b-4bc3-4df7-8a09-765794883524
2015-11-30 | OvmfPkg: Sec: assert the build-time calculated end of the scratch buffer | Laszlo Ersek
The DecompressMemFvs() function in "OvmfPkg/Sec/SecMain.c" uses more memory, temporarily, than what PEIFV and DXEFV will ultimately need. First, it uses an output buffer for decompression, second, the decompression itself needs a scratch buffer (and this scratch buffer is the highest area that SEC uses). DecompressMemFvs() used to be called on normal boots only (ie. not on S3 resume), which is why the decompression output buffer and the scratch buffer were allowed to scribble over RAM. However, we'll soon start to worry during S3 resume that the runtime OS might tamper with the pre-decompressed PEIFV, and we'll decompress the firmware volumes on S3 resume too, from pristine flash. For this we'll need to know the end of the scratch buffer in advance, so we can prepare a non-malicious OS for it. Calculate the end of the scratch buffer statically in the FDF files, and assert in DecompressMemFvs() that the runtime decompression will match it. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Jordan Justen <jordan.l.justen@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19036 6f19259b-4bc3-4df7-8a09-765794883524
2015-11-30 | OvmfPkg: Sec: force reinit of BaseExtractGuidedSectionLib handler table | Laszlo Ersek
BaseExtractGuidedSectionLib uses a table at the static physical address PcdGuidedExtractHandlerTableAddress, and modules that are linked against BaseExtractGuidedSectionLib are expected to work together on that table. Namely, some modules can register handlers for GUIDed sections, some other modules can decode such sections with the pre-registered handlers. The table carries persistent information between these modules. BaseExtractGuidedSectionLib checks a table signature whenever it is used (by whichever module that is linked against it), and at the first use (identified by a signature mismatch) it initializes the table. One of the module types that BaseExtractGuidedSectionLib can be used with is SEC, if the SEC module in question runs with the platform's RAM already available. In such cases the question emerges whether the initial contents of the RAM (ie. contents that predate the very first signature check) can be trusted. Normally RAM starts out with all zeroes (leading to a signature mismatch on the first check); however a malicious runtime OS can populate the area with some payload, then force a warm platform reset or an S3 suspend-and-resume. In such cases the signature check in the SEC module might not fire, and ExtractGuidedSectionDecode() might run code injected by the runtime OS, as part of SEC (ie. with high privileges). Therefore we clear the handler table in SEC. See also git commit ad43bc6b2e (SVN rev 15433) -- this patch secures the (d) and (e) code paths examined in that commit. Furthermore, a non-malicious runtime OS will observe no change in behavior; see case (c) in said commit. 
Cc: Michael Kinney <michael.d.kinney@intel.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> [michael.d.kinney@intel.com: prevent VS20xx loop intrinsic with volatile] Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Michael Kinney <michael.d.kinney@intel.com> Reviewed-by: Michael Kinney <michael.d.kinney@intel.com> Reviewed-by: Jordan Justen <jordan.l.justen@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19035 6f19259b-4bc3-4df7-8a09-765794883524
2015-10-16 | OvmfPkg: Sec: Fix SOURCE_DEBUG_ENABLE ASSERT() | Michael Kinney
The update to the LocalApicLib instances to make sure the Local APIC is initialized before use (SVN r18595 / git commit 6d72ff7d9daf) generates an ASSERT() when SOURCE_DEBUG_ENABLE is enabled for OVMF. The fix is to initialize the Local APIC Timer and mask it before initializing the DebugAgent. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Michael Kinney <michael.d.kinney@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Regression-tested-by: Laszlo Ersek <lersek@redhat.com> [lersek@redhat.com: rewrap code comment, rewrap commit msg, add precise commit ref] Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18622 6f19259b-4bc3-4df7-8a09-765794883524
2015-07-28 | OvmfPkg: fix conversion specifiers in DEBUG format strings | Laszlo Ersek
Cc: Scott Duplichan <scott@notabs.org> Cc: Jordan Justen <jordan.l.justen@intel.com> Reported-by: Scott Duplichan <scott@notabs.org> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Build-tested-by: Scott Duplichan <scott@notabs.org> Reviewed-by: Jordan Justen <jordan.l.justen@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18095 6f19259b-4bc3-4df7-8a09-765794883524
2014-10-31 | OvmfPkg Sec: Convert X64/SecEntry.asm to NASM | Jordan Justen
The BaseTools/Scripts/ConvertMasmToNasm.py script was used to convert X64/SecEntry.asm to X64/SecEntry.nasm Note: Manually collapsed .inf sources Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jordan Justen <jordan.l.justen@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16292 6f19259b-4bc3-4df7-8a09-765794883524
2014-10-31 | OvmfPkg Sec: Convert Ia32/SecEntry.asm to NASM | Jordan Justen
The BaseTools/Scripts/ConvertMasmToNasm.py script was used to convert Ia32/SecEntry.asm to Ia32/SecEntry.nasm Note: Manually collapsed .inf sources Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jordan Justen <jordan.l.justen@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16291 6f19259b-4bc3-4df7-8a09-765794883524
2014-03-04 | OvmfPkg/Sec: Don't decompress the FV on S3 resume | Jordan Justen
Since we marked the FV at PcdOvmfPeiMemFvBase as ACPI NVS memory, we can use it on S3 resume. The FV at PcdOvmfDxeMemFvBase may have been overwritten by the OS, but we do not use its contents on S3 resume. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jordan Justen <jordan.l.justen@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15296 6f19259b-4bc3-4df7-8a09-765794883524
2014-01-21 | OvmfPkg: Split MAINFV into a separate PEI and DXE FVs | Jordan Justen
By splitting the PEI and DXE phases into separate FVs, we can only reserve the PEI FV for ACPI S3 support. This should save about 7MB. Unfortunately, this all has to happen in a single commit.
DEC:
* Remove PcdOvmfMemFv(Base|Size)
* Add PcdOvmfPeiMemFv(Base|Size)
* Add PcdOvmfDxeMemFv(Base|Size)
FDF:
* Add new PEIFV. Move PEI modules here.
* Remove MAINFV
* Add PEIFV and DXEFV into FVMAIN_COMPACT
  - They are added as 2 sections of a file, and compressed together so they should retain good compression
* PcdOvmf(Pei|Dxe)MemFv(Base|Size) are set
SEC:
* Find both the PEI and DXE FVs after decompression.
  - Copy them separately to their memory locations.
Platform PEI driver:
* Fv.c: Publish both FVs as appropriate
* MemDetect.c: PcdOvmfMemFv(Base|Size) => PcdOvmfDxeMemFv(Base|Size)
OVMF.fd before:
  Non-volatile data storage
  FVMAIN_COMPACT                    uncompressed
    FV FFS file                     LZMA compressed
      MAINFV                        uncompressed
        individual PEI modules      uncompressed
        FV FFS file                 compressed with PI_NONE
          DXEFV                     uncompressed
            individual DXE modules  uncompressed
  SECFV                             uncompressed
OVMF.fd after:
  Non-volatile data storage
  FVMAIN_COMPACT                    uncompressed
    FV FFS file                     LZMA compressed
      PEIFV                         uncompressed
        individual PEI modules      uncompressed
      DXEFV                         uncompressed
        individual DXE modules      uncompressed
  SECFV                             uncompressed
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jordan Justen <jordan.l.justen@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15151 6f19259b-4bc3-4df7-8a09-765794883524
2014-01-21 | OvmfPkg/Sec: Add FindFfsSectionInstance | Jordan Justen
This allows you to search for an 'instance' of a section within a series of FFS sections. For example, we will split the MAINFV into a PEI and DXE FV, and then compress those two FV's together within a FFS FV file. The DXE FV will appear as the second section of the file, and therefore we will search for it using an Instance=1 value. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jordan Justen <jordan.l.justen@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15150 6f19259b-4bc3-4df7-8a09-765794883524
2014-01-21 | OvmfPkg/Sec: Remove EFIAPI from functions that don't require it | Jordan Justen
These are all internal functions that don't interface with assembly code or other drivers. Therefore EFIAPI is not required. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jordan Justen <jordan.l.justen@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15149 6f19259b-4bc3-4df7-8a09-765794883524
2014-01-21 | OvmfPkg/Sec: Cleanup debug messages | Jordan Justen
Remove some not-so-useful messages (during FV scanning). Convert ERROR to INFO and vice versa where appropriate. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jordan Justen <jordan.l.justen@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15148 6f19259b-4bc3-4df7-8a09-765794883524
2014-01-21 | OvmfPkg: Move SEC/PEI Temporary RAM from 0x70000 to 0x810000 | Jordan Justen
Note: The Temporary RAM memory size is being reduced from 64KB to 32KB. This still appears to be more than adequate for OVMF's early PEI phase. We will be adding another 32KB range of RAM just above this range for use on S3 resume. The range is declared as part of MEMFD, so it is easier to identify the memory range. We also now assign PCDs to the memory range. The PCDs are used to set the initial SEC/PEI stack in SEC's assembly code. The PCDs are also used in the SEC C code to setup the Temporary RAM PPI. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jordan Justen <jordan.l.justen@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15147 6f19259b-4bc3-4df7-8a09-765794883524
2014-01-21 | OvmfPkg X64 ResetVector: Move page tables from 512KB to 8MB | Jordan Justen
To help consolidate OVMF fixed memory uses, we declare this range in MEMFD and thereby move it to 8MB. We also now declare the table range in the FDF to set PCDs. This allows us to ASSERT that CR3 is set as expected in OVMF SEC. OvmfPkgIa32.fdf and OvmfPkgIa32X64.fdf are updated simply for consistency. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jordan Justen <jordan.l.justen@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15146 6f19259b-4bc3-4df7-8a09-765794883524
2014-01-21 | OvmfPkg/Sec/SecMain.c: Convert to CRLF (dos) text | Jordan Justen
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jordan Justen <jordan.l.justen@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15145 6f19259b-4bc3-4df7-8a09-765794883524
2013-09-24 | OvmfPkg/Sec: Stop building identity mapped pages in SEC | Jordan Justen
Now for X64 we use a VTF0 ResetVector which puts the page tables in RAM. Therefore SEC no longer needs to do this. This reverts commit r14494. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jordan Justen <jordan.l.justen@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Tested-by: Laszlo Ersek <lersek@redhat.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@14719 6f19259b-4bc3-4df7-8a09-765794883524
2013-07-18 | OvmfPkg/Sec: Build identity mapped pages in RAM for X64 | Jordan Justen
This is based on MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c. Previously we would run using page tables built into the firmware device. If a flash memory is available, it is unsafe for the page tables to be stored in memory since the processor may try to write to the page table data structures. Additionally, when KVM ROM support is enabled for the firmware device, then PEI fails to boot when the page tables are in the firmware device. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jordan Justen <jordan.l.justen@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@14494 6f19259b-4bc3-4df7-8a09-765794883524
2011-10-31 | OvmfPkg: Remove variables that are set, but not used | jljusten
GCC 4.6 generates a warning when a variable is set, but never used. Signed-off-by: jljusten git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@12615 6f19259b-4bc3-4df7-8a09-765794883524
2011-03-14 | Changed TEMPORARY_RAM_SUPPORT_PPI to EFI_PEI_TEMPORARY_RAM_SUPPORT_PPI. | vanjeff
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@11385 6f19259b-4bc3-4df7-8a09-765794883524
2010-08-03 | Clean up SEC implementation for Ovmf. | mdkinney
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@10770 6f19259b-4bc3-4df7-8a09-765794883524
2010-04-28 | Update the copyright notice format | hhtian
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@10439 6f19259b-4bc3-4df7-8a09-765794883524
2010-02-23 | 1. Correct File header to ## @file | lgao4
2. Remove unnecessary .common] postfix on section. git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@10051 6f19259b-4bc3-4df7-8a09-765794883524
2010-01-30 | Remove unnecessary use of FixedPcdxxx() functions and [FixedPcd] INF sections. | mdkinney
These should only be used for PCDs that are used to pre-init global variables, pre-init global structures, or size arrays. Do some minor clean ups to INF files git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@9870 6f19259b-4bc3-4df7-8a09-765794883524
2010-01-06 | OVMF SEC: Fix VS2005 compiler warnings | jljusten
* FindPeiCore.c => FindFfsFileAndSection: remove unreachable code
* SecMain.c => SecCoreStartupWithStack: confirm 64-bit to 32-bit conversion with IA32 builds.
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@9679 6f19259b-4bc3-4df7-8a09-765794883524
2010-01-04 | OVMF: Update OVMF FD/FV build to minimize ROM size | jljusten
* Only SEC is uncompressed now
* The MAIN FV with PEI & DXE can easily shrink and grow as needed
* The final output will now be OVMF.Fv rather than OVMF.fd
* The final output size will be a multiple of 64kb
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@9672 6f19259b-4bc3-4df7-8a09-765794883524
2009-12-16 | OVMF SEC: Modify to match new interface of reset vector module | jljusten
Previously the interface to the SEC module was:
  ESI/RSI - SEC Core entry point
  EDI/RDI - PEI Core entry point
  EBP/RBP - Start of BFV
Now it is:
  RAX/EAX  Initial value of the EAX register (BIST: Built-in Self Test)
  DI       'BP': boot-strap processor, or 'AP': application processor
  RBP/EBP  Address of Boot Firmware Volume (BFV)
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@9572 6f19259b-4bc3-4df7-8a09-765794883524
2009-11-25 | Use InitializeFloatingPointUnits() from UefiCpuLib to initialize floating point units in SEC phase. | qhuang8
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@9481 6f19259b-4bc3-4df7-8a09-765794883524
2009-09-22 | Fix bug that home addresses for register parameters must be allocated for calling C function from X64 assembly code to follow x64 calling convention. | rsun3
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@9303 6f19259b-4bc3-4df7-8a09-765794883524
2009-08-17 | Remove ".intel_syntax", convert MASM to GAS. | gikidy
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@9080 6f19259b-4bc3-4df7-8a09-765794883524
2009-05-27 | Add initial version of Open Virtual Machine Firmware (OVMF) platform. | jljusten
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@8398 6f19259b-4bc3-4df7-8a09-765794883524