• Subject: [edk2] [PATCH 0/5] MdeModulePkg ArmPkg: support for persistent capsules and progress reporting
  • Author: Ard Biesheuvel
  • Date: June 7, 2018, 11:08 a.m.
  • Patches: 5 / 5
Changeset
ArmPkg/ArmPkg.dec                             |  4 ++++
.../ArmSmcPsciResetSystemLib.c                | 21 +++++++++++++++++--
.../ArmSmcPsciResetSystemLib.inf              |  9 ++++++++
.../PlatformBootManagerLib/PlatformBm.c       | 15 -------------
.../Library/DxeCapsuleLibFmp/DxeCapsuleLib.c  | 13 +++++++++---
.../DxeCapsuleLibFmp/DxeCapsuleProcessLib.c   | 20 +++++++++++-------
.../Universal/CapsulePei/CapsulePei.inf       |  1 +
.../CapsulePei/Common/CapsuleCoalesce.c       | 10 +++++++++
8 files changed, 65 insertions(+), 28 deletions(-)
Git apply log
Switched to a new branch '20180607110812.26778-1-ard.biesheuvel@linaro.org'
Applying: MdeModulePkg/CapsulePei: clean Dcache before consuming capsule data
Using index info to reconstruct a base tree...
error: patch failed: MdeModulePkg/Universal/CapsulePei/CapsulePei.inf:48
error: MdeModulePkg/Universal/CapsulePei/CapsulePei.inf: patch does not apply
error: patch failed: MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c:27
error: MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c: patch does not apply
error: Did you hand edit your patch?
It does not apply to blobs recorded in its index.
Patch failed at 0001 MdeModulePkg/CapsulePei: clean Dcache before consuming capsule data
The copy of the patch that failed is found in: .git/rebase-apply/patch
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".
Failed to apply patch:
[edk2] [PATCH 1/5] MdeModulePkg/CapsulePei: clean Dcache before consuming capsule data
[edk2] [PATCH 0/5] MdeModulePkg ArmPkg: support for persistent capsules and progress reporting
Posted by Ard Biesheuvel, 2 weeks ago
This is the delta of code required to implement PersistAcrossReset on ARM
systems, and to wire up the capsule handling routines in a way that makes
the new progress reporting code do something meaningful on such platforms.

Patch #1 ensures that the capsule data which is preserved in DRAM across
a reboot is written back to main memory before attempting to access it
with the caches off.

Patch #2 modifies the logic in DxeCapsuleLibFmp so it can deal with a
platform that chooses to call ProcessCapsules() only a single time after
EndOfDxe.

Patch #3 updates DxeCapsuleLibFmp so it does not pass down the progress
indication callback if its own attempt to invoke it has already failed.

Patch #4 updates ArmPkg's generic PlatformBootManagerLib implementation
to only call ProcessCapsules() after the [potentially non-trusted]
console is up and running, to ensure that firmware update progress can
be reported to the user.

Patch #5 modifies ArmSmcPsciResetSystemLib to emulate a proper warm reboot
by reentering PEI with interrupts, MMU and caches enabled. This works
around the lack of an architected warm reboot in most current implementations.
(The PSCI spec does cover warm reboot, but it was added recently and most
secure firmware implementations haven't caught up yet)

Note that these patches apply on top of Mike's pending changes to
DxeCapsuleLibFmp implementing progress reporting.

Ard Biesheuvel (5):
  MdeModulePkg/CapsulePei: clean Dcache before consuming capsule data
  MdeModulePkg/DxeCapsuleLibFmp: permit ProcessCapsules () to be called
    once
  MdeModulePkg/DxeCapsuleLibFmp: pass progress callback only if it works
  ArmPkg/PlatformBootManagerLib: call ProcessCapsules() only once
  ArmPkg/ArmSmcPsciResetSystemLib: implement fallback for warm reboot

 ArmPkg/ArmPkg.dec                             |  4 ++++
 .../ArmSmcPsciResetSystemLib.c                | 21 +++++++++++++++++--
 .../ArmSmcPsciResetSystemLib.inf              |  9 ++++++++
 .../PlatformBootManagerLib/PlatformBm.c       | 15 -------------
 .../Library/DxeCapsuleLibFmp/DxeCapsuleLib.c  | 13 +++++++++---
 .../DxeCapsuleLibFmp/DxeCapsuleProcessLib.c   | 20 +++++++++++-------
 .../Universal/CapsulePei/CapsulePei.inf       |  1 +
 .../CapsulePei/Common/CapsuleCoalesce.c       | 10 +++++++++
 8 files changed, 65 insertions(+), 28 deletions(-)

-- 
2.17.0

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
[edk2] [PATCH 1/5] MdeModulePkg/CapsulePei: clean Dcache before consuming capsule data
Posted by Ard Biesheuvel, 2 weeks ago
When capsule updates are staged for processing after a warm reboot,
they are copied into memory with the MMU and caches enabled. When
the capsule PEI gets around to coalescing the capsule, the MMU and
caches may still be disabled, and so on architectures where uncached
accesses are incoherent with the caches (such as ARM and AARCH64),
we may read stale data if we don't clean the caches to memory first.

Note that this cache maintenance cannot be done during the invocation
of UpdateCapsule(), since the ScatterGatherList structures are only
identified by physical address, and at runtime, the firmware doesn't
know whether and where this memory is mapped, and cache maintenance
requires a virtual address.

Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 MdeModulePkg/Universal/CapsulePei/CapsulePei.inf           |  1 +
 MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c | 10 ++++++++++
 2 files changed, 11 insertions(+)

diff --git a/MdeModulePkg/Universal/CapsulePei/CapsulePei.inf b/MdeModulePkg/Universal/CapsulePei/CapsulePei.inf
index c54bc21a95a8..594e110d1f8a 100644
--- a/MdeModulePkg/Universal/CapsulePei/CapsulePei.inf
+++ b/MdeModulePkg/Universal/CapsulePei/CapsulePei.inf
@@ -48,6 +48,7 @@ [Packages]
 
 [LibraryClasses]
   BaseLib
+  CacheMaintenanceLib
   HobLib
   BaseMemoryLib
   PeiServicesLib
diff --git a/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c b/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c
index 3e7054cd38a9..fb59f338f100 100644
--- a/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c
+++ b/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c
@@ -27,6 +27,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #include <Guid/CapsuleVendor.h>
 
 #include <Library/BaseMemoryLib.h>
+#include <Library/CacheMaintenanceLib.h>
 #include <Library/DebugLib.h>
 #include <Library/PrintLib.h>
 #include <Library/BaseLib.h>
@@ -274,6 +275,7 @@ ValidateCapsuleByMemoryResource (
     //
     // No memory resource descriptor reported in HOB list before capsule Coalesce.
     //
+    WriteBackDataCacheRange ((VOID *)(UINTN)Address, (UINTN)Size);
     return TRUE;
   }
 
@@ -283,6 +285,14 @@ ValidateCapsuleByMemoryResource (
       DEBUG ((EFI_D_INFO, "Address(0x%lx) Size(0x%lx) in MemoryResource[0x%x] - Start(0x%lx) Length(0x%lx)\n",
                           Address, Size,
                           Index, MemoryResource[Index].PhysicalStart, MemoryResource[Index].ResourceLength));
+
+      //
+      // At this point, we may still be running with the MMU and caches disabled,
+      // and on architectures such as ARM or AARCH64, capsule [meta]data loaded
+      // into memory with the caches on is only guaranteed to be visible to the
+      // CPU running with the caches off after performing an explicit writeback.
+      //
+      WriteBackDataCacheRange ((VOID *)(UINTN)Address, (UINTN)Size);
       return TRUE;
     }
   }
-- 
2.17.0

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
Re: [edk2] [PATCH 1/5] MdeModulePkg/CapsulePei: clean Dcache before consuming capsule data
Posted by Zeng, Star, 2 weeks ago
I suggest to use goto/adjust code to have one place for both paths to perform cache maintenance (with comments).


Thanks,
Star
-----Original Message-----
From: Ard Biesheuvel [mailto:ard.biesheuvel@linaro.org] 
Sent: Thursday, June 7, 2018 7:08 PM
To: edk2-devel@lists.01.org
Cc: leif.lindholm@linaro.org; Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Zeng, Star <star.zeng@intel.com>; Ard Biesheuvel <ard.biesheuvel@linaro.org>
Subject: [PATCH 1/5] MdeModulePkg/CapsulePei: clean Dcache before consuming capsule data

When capsule updates are staged for processing after a warm reboot, they are copied into memory with the MMU and caches enabled. When the capsule PEI gets around to coalescing the capsule, the MMU and caches may still be disabled, and so on architectures where uncached accesses are incoherent with the caches (such as ARM and AARCH64), we may read stale data if we don't clean the caches to memory first.

Note that this cache maintenance cannot be done during the invocation of UpdateCapsule(), since the ScatterGatherList structures are only identified by physical address, and at runtime, the firmware doesn't know whether and where this memory is mapped, and cache maintenance requires a virtual address.

Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 MdeModulePkg/Universal/CapsulePei/CapsulePei.inf           |  1 +
 MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c | 10 ++++++++++
 2 files changed, 11 insertions(+)

diff --git a/MdeModulePkg/Universal/CapsulePei/CapsulePei.inf b/MdeModulePkg/Universal/CapsulePei/CapsulePei.inf
index c54bc21a95a8..594e110d1f8a 100644
--- a/MdeModulePkg/Universal/CapsulePei/CapsulePei.inf
+++ b/MdeModulePkg/Universal/CapsulePei/CapsulePei.inf
@@ -48,6 +48,7 @@ [Packages]
 
 [LibraryClasses]
   BaseLib
+  CacheMaintenanceLib
   HobLib
   BaseMemoryLib
   PeiServicesLib
diff --git a/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c b/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c
index 3e7054cd38a9..fb59f338f100 100644
--- a/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c
+++ b/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c
@@ -27,6 +27,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #include <Guid/CapsuleVendor.h>
 
 #include <Library/BaseMemoryLib.h>
+#include <Library/CacheMaintenanceLib.h>
 #include <Library/DebugLib.h>
 #include <Library/PrintLib.h>
 #include <Library/BaseLib.h>
@@ -274,6 +275,7 @@ ValidateCapsuleByMemoryResource (
     //
     // No memory resource descriptor reported in HOB list before capsule Coalesce.
     //
+    WriteBackDataCacheRange ((VOID *)(UINTN)Address, (UINTN)Size);
     return TRUE;
   }
 
@@ -283,6 +285,14 @@ ValidateCapsuleByMemoryResource (
       DEBUG ((EFI_D_INFO, "Address(0x%lx) Size(0x%lx) in MemoryResource[0x%x] - Start(0x%lx) Length(0x%lx)\n",
                           Address, Size,
                           Index, MemoryResource[Index].PhysicalStart, MemoryResource[Index].ResourceLength));
+
+      //
+      // At this point, we may still be running with the MMU and caches disabled,
+      // and on architectures such as ARM or AARCH64, capsule [meta]data loaded
+      // into memory with the caches on is only guaranteed to be visible to the
+      // CPU running with the caches off after performing an explicit writeback.
+      //
+      WriteBackDataCacheRange ((VOID *)(UINTN)Address, (UINTN)Size);
       return TRUE;
     }
   }
--
2.17.0

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
Re: [edk2] [PATCH 1/5] MdeModulePkg/CapsulePei: clean Dcache before consuming capsule data
Posted by Ard Biesheuvel, 2 weeks ago
On 8 June 2018 at 04:53, Zeng, Star <star.zeng@intel.com> wrote:
> I suggest to use goto/adjust code to have one place for both paths to perform cache maintenance (with comments).
>

Something like this?

@@ -253,6 +254,7 @@ ValidateCapsuleByMemoryResource (
   )
 {
   UINTN             Index;
+  BOOLEAN           Found;

   //
   // Sanity Check
@@ -274,19 +276,32 @@ ValidateCapsuleByMemoryResource (
     //
     // No memory resource descriptor reported in HOB list before
capsule Coalesce.
     //
-    return TRUE;
+    Found = TRUE;
+  } else {
+    Found = FALSE;
   }

-  for (Index = 0; MemoryResource[Index].ResourceLength != 0; Index++) {
+  for (Index = 0; !Found && MemoryResource[Index].ResourceLength !=
0; Index++) {
     if ((Address >= MemoryResource[Index].PhysicalStart) &&
         ((Address + Size) <= (MemoryResource[Index].PhysicalStart +
MemoryResource[Index].ResourceLength))) {
       DEBUG ((EFI_D_INFO, "Address(0x%lx) Size(0x%lx) in
MemoryResource[0x%x] - Start(0x%lx) Length(0x%lx)\n",
                           Address, Size,
                           Index, MemoryResource[Index].PhysicalStart,
MemoryResource[Index].ResourceLength));
-      return TRUE;
+      Found = TRUE;
     }
   }

+  if (Found) {
+    //
+    // At this point, we may still be running with the MMU and caches disabled,
+    // and on architectures such as ARM or AARCH64, capsule [meta]data loaded
+    // into memory with the caches on is only guaranteed to be visible to the
+    // CPU running with the caches off after performing an explicit writeback.
+    //
+    WriteBackDataCacheRange ((VOID *)(UINTN)Address, (UINTN)Size);
+    return TRUE;
+  }
+
   DEBUG ((EFI_D_ERROR, "ERROR: Address(0x%lx) Size(0x%lx) not in any
MemoryResource\n", Address, Size));
   return FALSE;
 }


>
> Thanks,
> Star
> -----Original Message-----
> From: Ard Biesheuvel [mailto:ard.biesheuvel@linaro.org]
> Sent: Thursday, June 7, 2018 7:08 PM
> To: edk2-devel@lists.01.org
> Cc: leif.lindholm@linaro.org; Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Zeng, Star <star.zeng@intel.com>; Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Subject: [PATCH 1/5] MdeModulePkg/CapsulePei: clean Dcache before consuming capsule data
>
> When capsule updates are staged for processing after a warm reboot, they are copied into memory with the MMU and caches enabled. When the capsule PEI gets around to coalescing the capsule, the MMU and caches may still be disabled, and so on architectures where uncached accesses are incoherent with the caches (such as ARM and AARCH64), we may read stale data if we don't clean the caches to memory first.
>
> Note that this cache maintenance cannot be done during the invocation of UpdateCapsule(), since the ScatterGatherList structures are only identified by physical address, and at runtime, the firmware doesn't know whether and where this memory is mapped, and cache maintenance requires a virtual address.
>
> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> ---
>  MdeModulePkg/Universal/CapsulePei/CapsulePei.inf           |  1 +
>  MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c | 10 ++++++++++
>  2 files changed, 11 insertions(+)
>
> diff --git a/MdeModulePkg/Universal/CapsulePei/CapsulePei.inf b/MdeModulePkg/Universal/CapsulePei/CapsulePei.inf
> index c54bc21a95a8..594e110d1f8a 100644
> --- a/MdeModulePkg/Universal/CapsulePei/CapsulePei.inf
> +++ b/MdeModulePkg/Universal/CapsulePei/CapsulePei.inf
> @@ -48,6 +48,7 @@ [Packages]
>
>  [LibraryClasses]
>    BaseLib
> +  CacheMaintenanceLib
>    HobLib
>    BaseMemoryLib
>    PeiServicesLib
> diff --git a/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c b/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c
> index 3e7054cd38a9..fb59f338f100 100644
> --- a/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c
> +++ b/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c
> @@ -27,6 +27,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
>  #include <Guid/CapsuleVendor.h>
>
>  #include <Library/BaseMemoryLib.h>
> +#include <Library/CacheMaintenanceLib.h>
>  #include <Library/DebugLib.h>
>  #include <Library/PrintLib.h>
>  #include <Library/BaseLib.h>
> @@ -274,6 +275,7 @@ ValidateCapsuleByMemoryResource (
>      //
>      // No memory resource descriptor reported in HOB list before capsule Coalesce.
>      //
> +    WriteBackDataCacheRange ((VOID *)(UINTN)Address, (UINTN)Size);
>      return TRUE;
>    }
>
> @@ -283,6 +285,14 @@ ValidateCapsuleByMemoryResource (
>        DEBUG ((EFI_D_INFO, "Address(0x%lx) Size(0x%lx) in MemoryResource[0x%x] - Start(0x%lx) Length(0x%lx)\n",
>                            Address, Size,
>                            Index, MemoryResource[Index].PhysicalStart, MemoryResource[Index].ResourceLength));
> +
> +      //
> +      // At this point, we may still be running with the MMU and caches disabled,
> +      // and on architectures such as ARM or AARCH64, capsule [meta]data loaded
> +      // into memory with the caches on is only guaranteed to be visible to the
> +      // CPU running with the caches off after performing an explicit writeback.
> +      //
> +      WriteBackDataCacheRange ((VOID *)(UINTN)Address, (UINTN)Size);
>        return TRUE;
>      }
>    }
> --
> 2.17.0
>
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
Re: [edk2] [PATCH 1/5] MdeModulePkg/CapsulePei: clean Dcache before consuming capsule data
Posted by Zeng, Star, 2 weeks ago
My thought is like below, FYR.

===================================================
8bf218e00d8bd5c4f01c83f3d16c636140d32fda
 .../Universal/CapsulePei/Common/CapsuleCoalesce.c  | 37 +++++++++++++++-------
 1 file changed, 26 insertions(+), 11 deletions(-)

diff --git a/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c b/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c
index 3e7054cd38a9..da047034c988 100644
--- a/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c
+++ b/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c
@@ -253,6 +253,7 @@ ValidateCapsuleByMemoryResource (
   )
 {
   UINTN             Index;
+  BOOLEAN           Valid;
 
   //
   // Sanity Check
@@ -270,25 +271,39 @@ ValidateCapsuleByMemoryResource (
     return FALSE;
   }
 
+  Valid = FALSE;
   if (MemoryResource == NULL) {
     //
     // No memory resource descriptor reported in HOB list before capsule Coalesce.
     //
-    return TRUE;
+    Valid = TRUE;
+  } else {
+    for (Index = 0; MemoryResource[Index].ResourceLength != 0; Index++) {
+      if ((Address >= MemoryResource[Index].PhysicalStart) &&
+          ((Address + Size) <= (MemoryResource[Index].PhysicalStart + MemoryResource[Index].ResourceLength))) {
+        DEBUG ((EFI_D_INFO, "Address(0x%lx) Size(0x%lx) in MemoryResource[0x%x] - Start(0x%lx) Length(0x%lx)\n",
+                            Address, Size,
+                            Index, MemoryResource[Index].PhysicalStart, MemoryResource[Index].ResourceLength));
+        Valid = TRUE;
+        break;
+      }
+    }
+    if (!Valid) {
+      DEBUG ((EFI_D_ERROR, "ERROR: Address(0x%lx) Size(0x%lx) not in any MemoryResource\n", Address, Size));
+    }
   }
 
-  for (Index = 0; MemoryResource[Index].ResourceLength != 0; Index++) {
-    if ((Address >= MemoryResource[Index].PhysicalStart) &&
-        ((Address + Size) <= (MemoryResource[Index].PhysicalStart + MemoryResource[Index].ResourceLength))) {
-      DEBUG ((EFI_D_INFO, "Address(0x%lx) Size(0x%lx) in MemoryResource[0x%x] - Start(0x%lx) Length(0x%lx)\n",
-                          Address, Size,
-                          Index, MemoryResource[Index].PhysicalStart, MemoryResource[Index].ResourceLength));
-      return TRUE;
-    }
+  if (Valid) {
+    //
+    // At this point, we may still be running with the MMU and caches disabled,
+    // and on architectures such as ARM or AARCH64, capsule [meta]data loaded
+    // into memory with the caches on is only guaranteed to be visible to the
+    // CPU running with the caches off after performing an explicit writeback.
+    //
+    WriteBackDataCacheRange ((VOID *)(UINTN)Address, (UINTN)Size);
   }
 
-  DEBUG ((EFI_D_ERROR, "ERROR: Address(0x%lx) Size(0x%lx) not in any MemoryResource\n", Address, Size));
-  return FALSE;
+  return Valid;
 }
 
 /**
===================================================


Thanks,
Star
-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Ard Biesheuvel
Sent: Friday, June 8, 2018 2:07 PM
To: Zeng, Star <star.zeng@intel.com>
Cc: Kinney, Michael D <michael.d.kinney@intel.com>; edk2-devel@lists.01.org; Yao, Jiewen <jiewen.yao@intel.com>; leif.lindholm@linaro.org
Subject: Re: [edk2] [PATCH 1/5] MdeModulePkg/CapsulePei: clean Dcache before consuming capsule data

On 8 June 2018 at 04:53, Zeng, Star <star.zeng@intel.com> wrote:
> I suggest to use goto/adjust code to have one place for both paths to perform cache maintenance (with comments).
>

Something like this?

@@ -253,6 +254,7 @@ ValidateCapsuleByMemoryResource (
   )
 {
   UINTN             Index;
+  BOOLEAN           Found;

   //
   // Sanity Check
@@ -274,19 +276,32 @@ ValidateCapsuleByMemoryResource (
     //
     // No memory resource descriptor reported in HOB list before capsule Coalesce.
     //
-    return TRUE;
+    Found = TRUE;
+  } else {
+    Found = FALSE;
   }

-  for (Index = 0; MemoryResource[Index].ResourceLength != 0; Index++) {
+  for (Index = 0; !Found && MemoryResource[Index].ResourceLength !=
0; Index++) {
     if ((Address >= MemoryResource[Index].PhysicalStart) &&
         ((Address + Size) <= (MemoryResource[Index].PhysicalStart +
MemoryResource[Index].ResourceLength))) {
       DEBUG ((EFI_D_INFO, "Address(0x%lx) Size(0x%lx) in MemoryResource[0x%x] - Start(0x%lx) Length(0x%lx)\n",
                           Address, Size,
                           Index, MemoryResource[Index].PhysicalStart,
MemoryResource[Index].ResourceLength));
-      return TRUE;
+      Found = TRUE;
     }
   }

+  if (Found) {
+    //
+    // At this point, we may still be running with the MMU and caches disabled,
+    // and on architectures such as ARM or AARCH64, capsule [meta]data loaded
+    // into memory with the caches on is only guaranteed to be visible to the
+    // CPU running with the caches off after performing an explicit writeback.
+    //
+    WriteBackDataCacheRange ((VOID *)(UINTN)Address, (UINTN)Size);
+    return TRUE;
+  }
+
   DEBUG ((EFI_D_ERROR, "ERROR: Address(0x%lx) Size(0x%lx) not in any MemoryResource\n", Address, Size));
   return FALSE;
 }


>
> Thanks,
> Star
> -----Original Message-----
> From: Ard Biesheuvel [mailto:ard.biesheuvel@linaro.org]
> Sent: Thursday, June 7, 2018 7:08 PM
> To: edk2-devel@lists.01.org
> Cc: leif.lindholm@linaro.org; Kinney, Michael D 
> <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; 
> Zeng, Star <star.zeng@intel.com>; Ard Biesheuvel 
> <ard.biesheuvel@linaro.org>
> Subject: [PATCH 1/5] MdeModulePkg/CapsulePei: clean Dcache before 
> consuming capsule data
>
> When capsule updates are staged for processing after a warm reboot, they are copied into memory with the MMU and caches enabled. When the capsule PEI gets around to coalescing the capsule, the MMU and caches may still be disabled, and so on architectures where uncached accesses are incoherent with the caches (such as ARM and AARCH64), we may read stale data if we don't clean the caches to memory first.
>
> Note that this cache maintenance cannot be done during the invocation of UpdateCapsule(), since the ScatterGatherList structures are only identified by physical address, and at runtime, the firmware doesn't know whether and where this memory is mapped, and cache maintenance requires a virtual address.
>
> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> ---
>  MdeModulePkg/Universal/CapsulePei/CapsulePei.inf           |  1 +
>  MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c | 10 
> ++++++++++
>  2 files changed, 11 insertions(+)
>
> diff --git a/MdeModulePkg/Universal/CapsulePei/CapsulePei.inf 
> b/MdeModulePkg/Universal/CapsulePei/CapsulePei.inf
> index c54bc21a95a8..594e110d1f8a 100644
> --- a/MdeModulePkg/Universal/CapsulePei/CapsulePei.inf
> +++ b/MdeModulePkg/Universal/CapsulePei/CapsulePei.inf
> @@ -48,6 +48,7 @@ [Packages]
>
>  [LibraryClasses]
>    BaseLib
> +  CacheMaintenanceLib
>    HobLib
>    BaseMemoryLib
>    PeiServicesLib
> diff --git 
> a/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c 
> b/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c
> index 3e7054cd38a9..fb59f338f100 100644
> --- a/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c
> +++ b/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c
> @@ -27,6 +27,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
>  #include <Guid/CapsuleVendor.h>
>
>  #include <Library/BaseMemoryLib.h>
> +#include <Library/CacheMaintenanceLib.h>
>  #include <Library/DebugLib.h>
>  #include <Library/PrintLib.h>
>  #include <Library/BaseLib.h>
> @@ -274,6 +275,7 @@ ValidateCapsuleByMemoryResource (
>      //
>      // No memory resource descriptor reported in HOB list before capsule Coalesce.
>      //
> +    WriteBackDataCacheRange ((VOID *)(UINTN)Address, (UINTN)Size);
>      return TRUE;
>    }
>
> @@ -283,6 +285,14 @@ ValidateCapsuleByMemoryResource (
>        DEBUG ((EFI_D_INFO, "Address(0x%lx) Size(0x%lx) in MemoryResource[0x%x] - Start(0x%lx) Length(0x%lx)\n",
>                            Address, Size,
>                            Index, MemoryResource[Index].PhysicalStart, 
> MemoryResource[Index].ResourceLength));
> +
> +      //
> +      // At this point, we may still be running with the MMU and caches disabled,
> +      // and on architectures such as ARM or AARCH64, capsule [meta]data loaded
> +      // into memory with the caches on is only guaranteed to be visible to the
> +      // CPU running with the caches off after performing an explicit writeback.
> +      //
> +      WriteBackDataCacheRange ((VOID *)(UINTN)Address, (UINTN)Size);
>        return TRUE;
>      }
>    }
> --
> 2.17.0
>
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
Re: [edk2] [PATCH 1/5] MdeModulePkg/CapsulePei: clean Dcache before consuming capsule data
Posted by Ard Biesheuvel, 2 weeks ago
On 8 June 2018 at 08:21, Zeng, Star <star.zeng@intel.com> wrote:
> My thought is like below, FYR.
>

Thanks. That works for me.

I will update the patch.

> ===================================================
> 8bf218e00d8bd5c4f01c83f3d16c636140d32fda
>  .../Universal/CapsulePei/Common/CapsuleCoalesce.c  | 37 +++++++++++++++-------
>  1 file changed, 26 insertions(+), 11 deletions(-)
>
> diff --git a/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c b/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c
> index 3e7054cd38a9..da047034c988 100644
> --- a/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c
> +++ b/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c
> @@ -253,6 +253,7 @@ ValidateCapsuleByMemoryResource (
>    )
>  {
>    UINTN             Index;
> +  BOOLEAN           Valid;
>
>    //
>    // Sanity Check
> @@ -270,25 +271,39 @@ ValidateCapsuleByMemoryResource (
>      return FALSE;
>    }
>
> +  Valid = FALSE;
>    if (MemoryResource == NULL) {
>      //
>      // No memory resource descriptor reported in HOB list before capsule Coalesce.
>      //
> -    return TRUE;
> +    Valid = TRUE;
> +  } else {
> +    for (Index = 0; MemoryResource[Index].ResourceLength != 0; Index++) {
> +      if ((Address >= MemoryResource[Index].PhysicalStart) &&
> +          ((Address + Size) <= (MemoryResource[Index].PhysicalStart + MemoryResource[Index].ResourceLength))) {
> +        DEBUG ((EFI_D_INFO, "Address(0x%lx) Size(0x%lx) in MemoryResource[0x%x] - Start(0x%lx) Length(0x%lx)\n",
> +                            Address, Size,
> +                            Index, MemoryResource[Index].PhysicalStart, MemoryResource[Index].ResourceLength));
> +        Valid = TRUE;
> +        break;
> +      }
> +    }
> +    if (!Valid) {
> +      DEBUG ((EFI_D_ERROR, "ERROR: Address(0x%lx) Size(0x%lx) not in any MemoryResource\n", Address, Size));
> +    }
>    }
>
> -  for (Index = 0; MemoryResource[Index].ResourceLength != 0; Index++) {
> -    if ((Address >= MemoryResource[Index].PhysicalStart) &&
> -        ((Address + Size) <= (MemoryResource[Index].PhysicalStart + MemoryResource[Index].ResourceLength))) {
> -      DEBUG ((EFI_D_INFO, "Address(0x%lx) Size(0x%lx) in MemoryResource[0x%x] - Start(0x%lx) Length(0x%lx)\n",
> -                          Address, Size,
> -                          Index, MemoryResource[Index].PhysicalStart, MemoryResource[Index].ResourceLength));
> -      return TRUE;
> -    }
> +  if (Valid) {
> +    //
> +    // At this point, we may still be running with the MMU and caches disabled,
> +    // and on architectures such as ARM or AARCH64, capsule [meta]data loaded
> +    // into memory with the caches on is only guaranteed to be visible to the
> +    // CPU running with the caches off after performing an explicit writeback.
> +    //
> +    WriteBackDataCacheRange ((VOID *)(UINTN)Address, (UINTN)Size);
>    }
>
> -  DEBUG ((EFI_D_ERROR, "ERROR: Address(0x%lx) Size(0x%lx) not in any MemoryResource\n", Address, Size));
> -  return FALSE;
> +  return Valid;
>  }
>
>  /**
> ===================================================
>
>
> Thanks,
> Star
> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Ard Biesheuvel
> Sent: Friday, June 8, 2018 2:07 PM
> To: Zeng, Star <star.zeng@intel.com>
> Cc: Kinney, Michael D <michael.d.kinney@intel.com>; edk2-devel@lists.01.org; Yao, Jiewen <jiewen.yao@intel.com>; leif.lindholm@linaro.org
> Subject: Re: [edk2] [PATCH 1/5] MdeModulePkg/CapsulePei: clean Dcache before consuming capsule data
>
> On 8 June 2018 at 04:53, Zeng, Star <star.zeng@intel.com> wrote:
>> I suggest to use goto/adjust code to have one place for both paths to perform cache maintenance (with comments).
>>
>
> Something like this?
>
> @@ -253,6 +254,7 @@ ValidateCapsuleByMemoryResource (
>    )
>  {
>    UINTN             Index;
> +  BOOLEAN           Found;
>
>    //
>    // Sanity Check
> @@ -274,19 +276,32 @@ ValidateCapsuleByMemoryResource (
>      //
>      // No memory resource descriptor reported in HOB list before capsule Coalesce.
>      //
> -    return TRUE;
> +    Found = TRUE;
> +  } else {
> +    Found = FALSE;
>    }
>
> -  for (Index = 0; MemoryResource[Index].ResourceLength != 0; Index++) {
> +  for (Index = 0; !Found && MemoryResource[Index].ResourceLength !=
> 0; Index++) {
>      if ((Address >= MemoryResource[Index].PhysicalStart) &&
>          ((Address + Size) <= (MemoryResource[Index].PhysicalStart +
> MemoryResource[Index].ResourceLength))) {
>        DEBUG ((EFI_D_INFO, "Address(0x%lx) Size(0x%lx) in MemoryResource[0x%x] - Start(0x%lx) Length(0x%lx)\n",
>                            Address, Size,
>                            Index, MemoryResource[Index].PhysicalStart,
> MemoryResource[Index].ResourceLength));
> -      return TRUE;
> +      Found = TRUE;
>      }
>    }
>
> +  if (Found) {
> +    //
> +    // At this point, we may still be running with the MMU and caches disabled,
> +    // and on architectures such as ARM or AARCH64, capsule [meta]data loaded
> +    // into memory with the caches on is only guaranteed to be visible to the
> +    // CPU running with the caches off after performing an explicit writeback.
> +    //
> +    WriteBackDataCacheRange ((VOID *)(UINTN)Address, (UINTN)Size);
> +    return TRUE;
> +  }
> +
>    DEBUG ((EFI_D_ERROR, "ERROR: Address(0x%lx) Size(0x%lx) not in any MemoryResource\n", Address, Size));
>    return FALSE;
>  }
>
>
>>
>> Thanks,
>> Star
>> -----Original Message-----
>> From: Ard Biesheuvel [mailto:ard.biesheuvel@linaro.org]
>> Sent: Thursday, June 7, 2018 7:08 PM
>> To: edk2-devel@lists.01.org
>> Cc: leif.lindholm@linaro.org; Kinney, Michael D
>> <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>;
>> Zeng, Star <star.zeng@intel.com>; Ard Biesheuvel
>> <ard.biesheuvel@linaro.org>
>> Subject: [PATCH 1/5] MdeModulePkg/CapsulePei: clean Dcache before
>> consuming capsule data
>>
>> When capsule updates are staged for processing after a warm reboot, they are copied into memory with the MMU and caches enabled. When the capsule PEI gets around to coalescing the capsule, the MMU and caches may still be disabled, and so on architectures where uncached accesses are incoherent with the caches (such as ARM and AARCH64), we may read stale data if we don't clean the caches to memory first.
>>
>> Note that this cache maintenance cannot be done during the invocation of UpdateCapsule(), since the ScatterGatherList structures are only identified by physical address, and at runtime, the firmware doesn't know whether and where this memory is mapped, and cache maintenance requires a virtual address.
>>
>> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
>> Contributed-under: TianoCore Contribution Agreement 1.1
>> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
>> ---
>>  MdeModulePkg/Universal/CapsulePei/CapsulePei.inf           |  1 +
>>  MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c | 10
>> ++++++++++
>>  2 files changed, 11 insertions(+)
>>
>> diff --git a/MdeModulePkg/Universal/CapsulePei/CapsulePei.inf
>> b/MdeModulePkg/Universal/CapsulePei/CapsulePei.inf
>> index c54bc21a95a8..594e110d1f8a 100644
>> --- a/MdeModulePkg/Universal/CapsulePei/CapsulePei.inf
>> +++ b/MdeModulePkg/Universal/CapsulePei/CapsulePei.inf
>> @@ -48,6 +48,7 @@ [Packages]
>>
>>  [LibraryClasses]
>>    BaseLib
>> +  CacheMaintenanceLib
>>    HobLib
>>    BaseMemoryLib
>>    PeiServicesLib
>> diff --git
>> a/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c
>> b/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c
>> index 3e7054cd38a9..fb59f338f100 100644
>> --- a/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c
>> +++ b/MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c
>> @@ -27,6 +27,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
>>  #include <Guid/CapsuleVendor.h>
>>
>>  #include <Library/BaseMemoryLib.h>
>> +#include <Library/CacheMaintenanceLib.h>
>>  #include <Library/DebugLib.h>
>>  #include <Library/PrintLib.h>
>>  #include <Library/BaseLib.h>
>> @@ -274,6 +275,7 @@ ValidateCapsuleByMemoryResource (
>>      //
>>      // No memory resource descriptor reported in HOB list before capsule Coalesce.
>>      //
>> +    WriteBackDataCacheRange ((VOID *)(UINTN)Address, (UINTN)Size);
>>      return TRUE;
>>    }
>>
>> @@ -283,6 +285,14 @@ ValidateCapsuleByMemoryResource (
>>        DEBUG ((EFI_D_INFO, "Address(0x%lx) Size(0x%lx) in MemoryResource[0x%x] - Start(0x%lx) Length(0x%lx)\n",
>>                            Address, Size,
>>                            Index, MemoryResource[Index].PhysicalStart,
>> MemoryResource[Index].ResourceLength));
>> +
>> +      //
>> +      // At this point, we may still be running with the MMU and caches disabled,
>> +      // and on architectures such as ARM or AARCH64, capsule [meta]data loaded
>> +      // into memory with the caches on is only guaranteed to be visible to the
>> +      // CPU running with the caches off after performing an explicit writeback.
>> +      //
>> +      WriteBackDataCacheRange ((VOID *)(UINTN)Address, (UINTN)Size);
>>        return TRUE;
>>      }
>>    }
>> --
>> 2.17.0
>>
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
[edk2] [PATCH 2/5] MdeModulePkg/DxeCapsuleLibFmp: permit ProcessCapsules () to be called once
Posted by Ard Biesheuvel, 2 weeks ago
Permit ProcessCapsules () to be called only a single time, after
EndOfDxe. This allows platforms that are able to update system
firmware after EndOfDxe (e.g., because the flash ROM is not locked
down) to do so at a time when a non-trusted console is up and running,
and progress can be reported to the user.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProcessLib.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProcessLib.c b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProcessLib.c
index 26ca4e295f20..52691fa68be4 100644
--- a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProcessLib.c
+++ b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProcessLib.c
@@ -100,6 +100,7 @@ IsValidCapsuleHeader (
 
 extern BOOLEAN                   mDxeCapsuleLibEndOfDxe;
 BOOLEAN                          mNeedReset;
+BOOLEAN                          mFirstRound = TRUE;
 
 VOID                        **mCapsulePtr;
 EFI_STATUS                  *mCapsuleStatusArray;
@@ -364,8 +365,10 @@ PopulateCapsuleInConfigurationTable (
 
   Each individual capsule result is recorded in capsule record variable.
 
-  @param[in]  FirstRound         TRUE:  First round. Need skip the FMP capsules with non zero EmbeddedDriverCount.
-                                 FALSE: Process rest FMP capsules.
+  @param[in]  LastRound          FALSE:  First of multiple rounds. Need skip the
+                                         FMP capsules with non zero
+                                         EmbeddedDriverCount.
+                                 TRUE:   Process rest FMP capsules.
 
   @retval EFI_SUCCESS             There is no error when processing capsules.
   @retval EFI_OUT_OF_RESOURCES    No enough resource to process capsules.
@@ -373,7 +376,7 @@ PopulateCapsuleInConfigurationTable (
 **/
 EFI_STATUS
 ProcessTheseCapsules (
-  IN BOOLEAN  FirstRound
+  IN BOOLEAN  LastRound
   )
 {
   EFI_STATUS                  Status;
@@ -384,8 +387,9 @@ ProcessTheseCapsules (
 
   REPORT_STATUS_CODE(EFI_PROGRESS_CODE, (EFI_SOFTWARE | PcdGet32(PcdStatusCodeSubClassCapsule) | PcdGet32(PcdCapsuleStatusCodeProcessCapsulesBegin)));
 
-  if (FirstRound) {
+  if (mFirstRound) {
     InitCapsulePtr ();
+    mFirstRound = FALSE;
   }
 
   if (mCapsuleTotalNumber == 0) {
@@ -404,7 +408,7 @@ ProcessTheseCapsules (
   // Check the capsule flags,if contains CAPSULE_FLAGS_POPULATE_SYSTEM_TABLE, install
   // capsuleTable to configure table with EFI_CAPSULE_GUID
   //
-  if (FirstRound) {
+  if (LastRound) {
     PopulateCapsuleInConfigurationTable ();
   }
 
@@ -453,7 +457,7 @@ ProcessTheseCapsules (
         continue;
       }
 
-      if ((!FirstRound) || (EmbeddedDriverCount == 0)) {
+      if (LastRound || (EmbeddedDriverCount == 0)) {
         DEBUG((DEBUG_INFO, "ProcessCapsuleImage - 0x%x\n", CapsuleHeader));
         Status = ProcessCapsuleImage (CapsuleHeader);
         mCapsuleStatusArray [Index] = Status;
@@ -546,7 +550,7 @@ ProcessCapsules (
   EFI_STATUS                    Status;
 
   if (!mDxeCapsuleLibEndOfDxe) {
-    Status = ProcessTheseCapsules(TRUE);
+    Status = ProcessTheseCapsules(FALSE);
 
     //
     // Reboot System if and only if all capsule processed.
@@ -556,7 +560,7 @@ ProcessCapsules (
       DoResetSystem();
     }
   } else {
-    Status = ProcessTheseCapsules(FALSE);
+    Status = ProcessTheseCapsules(TRUE);
     //
     // Reboot System if required after all capsule processed
     //
-- 
2.17.0

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
Re: [edk2] [PATCH 2/5] MdeModulePkg/DxeCapsuleLibFmp: permit ProcessCapsules () to be called once
Posted by Zeng, Star, 2 weeks ago
Without the patch, PopulateCapsuleInConfigurationTable is only run at first round.
With the patch, PopulateCapsuleInConfigurationTable is only run at last round.

Is that expected?

Jiewen, could you help check whether the patch meets the original design purpose or any security concern?


Thanks,
Star
-----Original Message-----
From: Ard Biesheuvel [mailto:ard.biesheuvel@linaro.org] 
Sent: Thursday, June 7, 2018 7:08 PM
To: edk2-devel@lists.01.org
Cc: leif.lindholm@linaro.org; Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Zeng, Star <star.zeng@intel.com>; Ard Biesheuvel <ard.biesheuvel@linaro.org>
Subject: [PATCH 2/5] MdeModulePkg/DxeCapsuleLibFmp: permit ProcessCapsules () to be called once

Permit ProcessCapsules () to be called only a single time, after EndOfDxe. This allows platforms that are able to update system firmware after EndOfDxe (e.g., because the flash ROM is not locked
down) to do so at a time when a non-trusted console is up and running, and progress can be reported to the user.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProcessLib.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProcessLib.c b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProcessLib.c
index 26ca4e295f20..52691fa68be4 100644
--- a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProcessLib.c
+++ b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProcessLib.c
@@ -100,6 +100,7 @@ IsValidCapsuleHeader (
 
 extern BOOLEAN                   mDxeCapsuleLibEndOfDxe;
 BOOLEAN                          mNeedReset;
+BOOLEAN                          mFirstRound = TRUE;
 
 VOID                        **mCapsulePtr;
 EFI_STATUS                  *mCapsuleStatusArray;
@@ -364,8 +365,10 @@ PopulateCapsuleInConfigurationTable (
 
   Each individual capsule result is recorded in capsule record variable.
 
-  @param[in]  FirstRound         TRUE:  First round. Need skip the FMP capsules with non zero EmbeddedDriverCount.
-                                 FALSE: Process rest FMP capsules.
+  @param[in]  LastRound          FALSE:  First of multiple rounds. Need skip the
+                                         FMP capsules with non zero
+                                         EmbeddedDriverCount.
+                                 TRUE:   Process rest FMP capsules.
 
   @retval EFI_SUCCESS             There is no error when processing capsules.
   @retval EFI_OUT_OF_RESOURCES    No enough resource to process capsules.
@@ -373,7 +376,7 @@ PopulateCapsuleInConfigurationTable (  **/  EFI_STATUS  ProcessTheseCapsules (
-  IN BOOLEAN  FirstRound
+  IN BOOLEAN  LastRound
   )
 {
   EFI_STATUS                  Status;
@@ -384,8 +387,9 @@ ProcessTheseCapsules (
 
   REPORT_STATUS_CODE(EFI_PROGRESS_CODE, (EFI_SOFTWARE | PcdGet32(PcdStatusCodeSubClassCapsule) | PcdGet32(PcdCapsuleStatusCodeProcessCapsulesBegin)));
 
-  if (FirstRound) {
+  if (mFirstRound) {
     InitCapsulePtr ();
+    mFirstRound = FALSE;
   }
 
   if (mCapsuleTotalNumber == 0) {
@@ -404,7 +408,7 @@ ProcessTheseCapsules (
   // Check the capsule flags,if contains CAPSULE_FLAGS_POPULATE_SYSTEM_TABLE, install
   // capsuleTable to configure table with EFI_CAPSULE_GUID
   //
-  if (FirstRound) {
+  if (LastRound) {
     PopulateCapsuleInConfigurationTable ();
   }
 
@@ -453,7 +457,7 @@ ProcessTheseCapsules (
         continue;
       }
 
-      if ((!FirstRound) || (EmbeddedDriverCount == 0)) {
+      if (LastRound || (EmbeddedDriverCount == 0)) {
         DEBUG((DEBUG_INFO, "ProcessCapsuleImage - 0x%x\n", CapsuleHeader));
         Status = ProcessCapsuleImage (CapsuleHeader);
         mCapsuleStatusArray [Index] = Status; @@ -546,7 +550,7 @@ ProcessCapsules (
   EFI_STATUS                    Status;
 
   if (!mDxeCapsuleLibEndOfDxe) {
-    Status = ProcessTheseCapsules(TRUE);
+    Status = ProcessTheseCapsules(FALSE);
 
     //
     // Reboot System if and only if all capsule processed.
@@ -556,7 +560,7 @@ ProcessCapsules (
       DoResetSystem();
     }
   } else {
-    Status = ProcessTheseCapsules(FALSE);
+    Status = ProcessTheseCapsules(TRUE);
     //
     // Reboot System if required after all capsule processed
     //
--
2.17.0

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
Re: [edk2] [PATCH 2/5] MdeModulePkg/DxeCapsuleLibFmp: permit ProcessCapsules () to be called once
Posted by Ard Biesheuvel, 2 weeks ago
On 8 June 2018 at 04:57, Zeng, Star <star.zeng@intel.com> wrote:
> Without the patch, PopulateCapsuleInConfigurationTable is only run at first round.
> With the patch, PopulateCapsuleInConfigurationTable is only run at last round.
>
> Is that expected?
>

Yes. Otherwise, I need two global BOOLEANs to keep track of the state.

However, I just noticed that we may now end up in a situation where
PopulateCapsuleInConfigurationTable() never gets called if all
capsules are processed in the first pass.

I will fix and resend.

> Jiewen, could you help check whether the patch meets the original design purpose or any security concern?
>
>
> Thanks,
> Star
> -----Original Message-----
> From: Ard Biesheuvel [mailto:ard.biesheuvel@linaro.org]
> Sent: Thursday, June 7, 2018 7:08 PM
> To: edk2-devel@lists.01.org
> Cc: leif.lindholm@linaro.org; Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Zeng, Star <star.zeng@intel.com>; Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Subject: [PATCH 2/5] MdeModulePkg/DxeCapsuleLibFmp: permit ProcessCapsules () to be called once
>
> Permit ProcessCapsules () to be called only a single time, after EndOfDxe. This allows platforms that are able to update system firmware after EndOfDxe (e.g., because the flash ROM is not locked
> down) to do so at a time when a non-trusted console is up and running, and progress can be reported to the user.
>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> ---
>  MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProcessLib.c | 20 ++++++++++++--------
>  1 file changed, 12 insertions(+), 8 deletions(-)
>
> diff --git a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProcessLib.c b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProcessLib.c
> index 26ca4e295f20..52691fa68be4 100644
> --- a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProcessLib.c
> +++ b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleProcessLib.c
> @@ -100,6 +100,7 @@ IsValidCapsuleHeader (
>
>  extern BOOLEAN                   mDxeCapsuleLibEndOfDxe;
>  BOOLEAN                          mNeedReset;
> +BOOLEAN                          mFirstRound = TRUE;
>
>  VOID                        **mCapsulePtr;
>  EFI_STATUS                  *mCapsuleStatusArray;
> @@ -364,8 +365,10 @@ PopulateCapsuleInConfigurationTable (
>
>    Each individual capsule result is recorded in capsule record variable.
>
> -  @param[in]  FirstRound         TRUE:  First round. Need skip the FMP capsules with non zero EmbeddedDriverCount.
> -                                 FALSE: Process rest FMP capsules.
> +  @param[in]  LastRound          FALSE:  First of multiple rounds. Need skip the
> +                                         FMP capsules with non zero
> +                                         EmbeddedDriverCount.
> +                                 TRUE:   Process rest FMP capsules.
>
>    @retval EFI_SUCCESS             There is no error when processing capsules.
>    @retval EFI_OUT_OF_RESOURCES    No enough resource to process capsules.
> @@ -373,7 +376,7 @@ PopulateCapsuleInConfigurationTable (  **/  EFI_STATUS  ProcessTheseCapsules (
> -  IN BOOLEAN  FirstRound
> +  IN BOOLEAN  LastRound
>    )
>  {
>    EFI_STATUS                  Status;
> @@ -384,8 +387,9 @@ ProcessTheseCapsules (
>
>    REPORT_STATUS_CODE(EFI_PROGRESS_CODE, (EFI_SOFTWARE | PcdGet32(PcdStatusCodeSubClassCapsule) | PcdGet32(PcdCapsuleStatusCodeProcessCapsulesBegin)));
>
> -  if (FirstRound) {
> +  if (mFirstRound) {
>      InitCapsulePtr ();
> +    mFirstRound = FALSE;
>    }
>
>    if (mCapsuleTotalNumber == 0) {
> @@ -404,7 +408,7 @@ ProcessTheseCapsules (
>    // Check the capsule flags,if contains CAPSULE_FLAGS_POPULATE_SYSTEM_TABLE, install
>    // capsuleTable to configure table with EFI_CAPSULE_GUID
>    //
> -  if (FirstRound) {
> +  if (LastRound) {
>      PopulateCapsuleInConfigurationTable ();
>    }
>
> @@ -453,7 +457,7 @@ ProcessTheseCapsules (
>          continue;
>        }
>
> -      if ((!FirstRound) || (EmbeddedDriverCount == 0)) {
> +      if (LastRound || (EmbeddedDriverCount == 0)) {
>          DEBUG((DEBUG_INFO, "ProcessCapsuleImage - 0x%x\n", CapsuleHeader));
>          Status = ProcessCapsuleImage (CapsuleHeader);
>          mCapsuleStatusArray [Index] = Status; @@ -546,7 +550,7 @@ ProcessCapsules (
>    EFI_STATUS                    Status;
>
>    if (!mDxeCapsuleLibEndOfDxe) {
> -    Status = ProcessTheseCapsules(TRUE);
> +    Status = ProcessTheseCapsules(FALSE);
>
>      //
>      // Reboot System if and only if all capsule processed.
> @@ -556,7 +560,7 @@ ProcessCapsules (
>        DoResetSystem();
>      }
>    } else {
> -    Status = ProcessTheseCapsules(FALSE);
> +    Status = ProcessTheseCapsules(TRUE);
>      //
>      // Reboot System if required after all capsule processed
>      //
> --
> 2.17.0
>
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
[edk2] [PATCH 3/5] MdeModulePkg/DxeCapsuleLibFmp: pass progress callback only if it works
Posted by Ard Biesheuvel, 2 weeks ago
If the first call to UpdateImageProgress() fails, there is no point
in passing a pointer to it to Fmp->SetImage(), since it is highly
unlikely to succeed on any subsequent calls.

This permits the FMP implementation to fall back to an alternate means
of providing feedback to the user, e.g., via the console.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.c b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.c
index f0226eafa576..ab41df0eb0a4 100644
--- a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.c
+++ b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.c
@@ -841,6 +841,7 @@ SetFmpImageData (
   UINT8                                         *Image;
   VOID                                          *VendorCode;
   CHAR16                                        *AbortReason;
+  EFI_FIRMWARE_MANAGEMENT_UPDATE_IMAGE_PROGRESS ProgressCallback;
 
   Status = gBS->HandleProtocol(
                   Handle,
@@ -892,7 +893,11 @@ SetFmpImageData (
   //
   // Before calling SetImage(), reset the progress bar to 0%
   //
-  UpdateImageProgress (0);
+  ProgressCallback = UpdateImageProgress;
+  Status = UpdateImageProgress (0);
+  if (EFI_ERROR (Status)) {
+    ProgressCallback = NULL;
+  }
 
   Status = Fmp->SetImage(
                   Fmp,
@@ -900,13 +905,15 @@ SetFmpImageData (
                   Image,                                  // Image
                   ImageHeader->UpdateImageSize,           // ImageSize
                   VendorCode,                             // VendorCode
-                  UpdateImageProgress,                    // Progress
+                  ProgressCallback,                       // Progress
                   &AbortReason                            // AbortReason
                   );
   //
   // Set the progress bar to 100% after returning from SetImage()
   //
-  UpdateImageProgress (100);
+  if (ProgressCallback != NULL) {
+    UpdateImageProgress (100);
+  }
 
   DEBUG((DEBUG_INFO, "Fmp->SetImage - %r\n", Status));
   if (AbortReason != NULL) {
-- 
2.17.0

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
[edk2] [PATCH 4/5] ArmPkg/PlatformBootManagerLib: call ProcessCapsules() only once
Posted by Ard Biesheuvel, 2 weeks ago
ARM platforms have no restriction on when a system firmware update
capsule can be applied, and so it is not necessary to call
ProcessCapsules() twice. So let's drop the first invocation that
occurs before EndOfDxe, so that capsule updates will be applied
when the console is up and able to provide progress feedback.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 ArmPkg/Library/PlatformBootManagerLib/PlatformBm.c | 15 ---------------
 1 file changed, 15 deletions(-)

diff --git a/ArmPkg/Library/PlatformBootManagerLib/PlatformBm.c b/ArmPkg/Library/PlatformBootManagerLib/PlatformBm.c
index 3456a71fbb9c..8e1ecdc01564 100644
--- a/ArmPkg/Library/PlatformBootManagerLib/PlatformBm.c
+++ b/ArmPkg/Library/PlatformBootManagerLib/PlatformBm.c
@@ -553,21 +553,6 @@ PlatformBootManagerBeforeConsole (
   VOID
   )
 {
-  EFI_STATUS                    Status;
-  ESRT_MANAGEMENT_PROTOCOL      *EsrtManagement;
-
-  if (GetBootModeHob() == BOOT_ON_FLASH_UPDATE) {
-    DEBUG ((DEBUG_INFO, "ProcessCapsules Before EndOfDxe ......\n"));
-    Status = ProcessCapsules ();
-    DEBUG ((DEBUG_INFO, "ProcessCapsules returned %r\n", Status));
-  } else {
-    Status = gBS->LocateProtocol (&gEsrtManagementProtocolGuid, NULL,
-                    (VOID **)&EsrtManagement);
-    if (!EFI_ERROR (Status)) {
-      EsrtManagement->SyncEsrtFmp ();
-    }
-  }
-
   //
   // Signal EndOfDxe PI Event
   //
-- 
2.17.0

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
Re: [edk2] [PATCH 4/5] ArmPkg/PlatformBootManagerLib: call ProcessCapsules() only once
Posted by Leif Lindholm, 2 weeks ago
On Thu, Jun 07, 2018 at 01:08:11PM +0200, Ard Biesheuvel wrote:
> ARM platforms have no restriction on when a system firmware update
> capsule can be applied, and so it is not necessary to call
> ProcessCapsules() twice. So let's drop the first invocation that
> occurs before EndOfDxe, so that capsule updates will be applied
> when the console is up and able to provide progress feedback.
> 
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>

> ---
>  ArmPkg/Library/PlatformBootManagerLib/PlatformBm.c | 15 ---------------
>  1 file changed, 15 deletions(-)
> 
> diff --git a/ArmPkg/Library/PlatformBootManagerLib/PlatformBm.c b/ArmPkg/Library/PlatformBootManagerLib/PlatformBm.c
> index 3456a71fbb9c..8e1ecdc01564 100644
> --- a/ArmPkg/Library/PlatformBootManagerLib/PlatformBm.c
> +++ b/ArmPkg/Library/PlatformBootManagerLib/PlatformBm.c
> @@ -553,21 +553,6 @@ PlatformBootManagerBeforeConsole (
>    VOID
>    )
>  {
> -  EFI_STATUS                    Status;
> -  ESRT_MANAGEMENT_PROTOCOL      *EsrtManagement;
> -
> -  if (GetBootModeHob() == BOOT_ON_FLASH_UPDATE) {
> -    DEBUG ((DEBUG_INFO, "ProcessCapsules Before EndOfDxe ......\n"));
> -    Status = ProcessCapsules ();
> -    DEBUG ((DEBUG_INFO, "ProcessCapsules returned %r\n", Status));
> -  } else {
> -    Status = gBS->LocateProtocol (&gEsrtManagementProtocolGuid, NULL,
> -                    (VOID **)&EsrtManagement);
> -    if (!EFI_ERROR (Status)) {
> -      EsrtManagement->SyncEsrtFmp ();
> -    }
> -  }
> -
>    //
>    // Signal EndOfDxe PI Event
>    //
> -- 
> 2.17.0
> 
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
[edk2] [PATCH 5/5] ArmPkg/ArmSmcPsciResetSystemLib: implement fallback for warm reboot
Posted by Ard Biesheuvel, 2 weeks ago
Implement ResetSystemLib's EnterS3WithImmediateWake() routine using
a jump back to the PEI entry point with interrupts and MMU+caches
disabled. This is only possible at boot time, when we are sure that
the current CPU is the only one up and running. Also, it depends on
the platform whether the PEI code is preserved in memory (it may be
copied to DRAM rather than execute in place), so also add a feature
PCD to selectively enable this feature.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
---
 ArmPkg/ArmPkg.dec                                                    |  4 ++++
 ArmPkg/Library/ArmSmcPsciResetSystemLib/ArmSmcPsciResetSystemLib.c   | 21 ++++++++++++++++++--
 ArmPkg/Library/ArmSmcPsciResetSystemLib/ArmSmcPsciResetSystemLib.inf |  9 +++++++++
 3 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/ArmPkg/ArmPkg.dec b/ArmPkg/ArmPkg.dec
index debe066b6f7b..3aa229fe2ec9 100644
--- a/ArmPkg/ArmPkg.dec
+++ b/ArmPkg/ArmPkg.dec
@@ -85,6 +85,10 @@ [PcdsFeatureFlag.common]
   # Define if the GICv3 controller should use the GICv2 legacy
   gArmTokenSpaceGuid.PcdArmGicV3WithV2Legacy|FALSE|BOOLEAN|0x00000042
 
+  # Whether to implement warm reboot for capsule update using a jump back to the
+  # PEI entry point with caches and interrupts disabled.
+  gArmTokenSpaceGuid.PcdArmReenterPeiForCapsuleWarmReboot|FALSE|BOOLEAN|0x0000001F
+
 [PcdsFeatureFlag.ARM]
   # Whether to map normal memory as non-shareable. FALSE is the safe choice, but
   # TRUE may be appropriate to fix performance problems if you don't care about
diff --git a/ArmPkg/Library/ArmSmcPsciResetSystemLib/ArmSmcPsciResetSystemLib.c b/ArmPkg/Library/ArmSmcPsciResetSystemLib/ArmSmcPsciResetSystemLib.c
index d6d26bce5009..10ceafd14d5d 100644
--- a/ArmPkg/Library/ArmSmcPsciResetSystemLib/ArmSmcPsciResetSystemLib.c
+++ b/ArmPkg/Library/ArmSmcPsciResetSystemLib/ArmSmcPsciResetSystemLib.c
@@ -15,10 +15,13 @@
 
 #include <PiDxe.h>
 
+#include <Library/ArmMmuLib.h>
+#include <Library/ArmSmcLib.h>
 #include <Library/BaseLib.h>
 #include <Library/DebugLib.h>
 #include <Library/ResetSystemLib.h>
-#include <Library/ArmSmcLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/UefiRuntimeLib.h>
 
 #include <IndustryStandard/ArmStdSmc.h>
 
@@ -89,7 +92,21 @@ EnterS3WithImmediateWake (
   VOID
   )
 {
-  // Not implemented
+  VOID (*Reset)(VOID);
+
+  if (FeaturePcdGet (PcdArmReenterPeiForCapsuleWarmReboot) &&
+      !EfiAtRuntime ()) {
+    //
+    // At boot time, we are the only core running, so we can implement the
+    // immediate wake (which is used by capsule update) by disabling the MMU
+    // and interrupts, and jumping to the PEI entry point.
+    //
+    Reset = (VOID (*)(VOID))(UINTN)FixedPcdGet64 (PcdFvBaseAddress);
+
+    gBS->RaiseTPL (TPL_HIGH_LEVEL);
+    ArmDisableMmu ();
+    Reset ();
+  }
 }
 
 /**
diff --git a/ArmPkg/Library/ArmSmcPsciResetSystemLib/ArmSmcPsciResetSystemLib.inf b/ArmPkg/Library/ArmSmcPsciResetSystemLib/ArmSmcPsciResetSystemLib.inf
index 5a1ee976e5bc..19021cd1e8b6 100644
--- a/ArmPkg/Library/ArmSmcPsciResetSystemLib/ArmSmcPsciResetSystemLib.inf
+++ b/ArmPkg/Library/ArmSmcPsciResetSystemLib/ArmSmcPsciResetSystemLib.inf
@@ -30,6 +30,15 @@ [Packages]
   MdePkg/MdePkg.dec
 
 [LibraryClasses]
+  ArmMmuLib
   ArmSmcLib
   BaseLib
   DebugLib
+  UefiBootServicesTableLib
+  UefiRuntimeLib
+
+[FeaturePcd]
+  gArmTokenSpaceGuid.PcdArmReenterPeiForCapsuleWarmReboot
+
+[FixedPcd]
+  gArmTokenSpaceGuid.PcdFvBaseAddress
-- 
2.17.0

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel