[edk2-devel] [PATCH v1 0/3] MdeModulePkg: Adding Dynamic Memory Protection Settings Libraries

Taylor Beebe posted 3 patches 10 months, 3 weeks ago
Memory protection settings are currently configured via FixedAtBuild
PCDs, which results in a build-time configuration of memory mitigations.
To improve flexibility and compatibility, this patchset adds HOB definitions
and libraries required for configuring memory protection settings at runtime.

Once the PCD references in the codebase are replaced with references to the
memory protection HOB entries, platforms will need to produce a HOB of the format
defined in DxeMemoryProtectionSettings.h and MmMemoryProtectionSettings.h.
For example, to enable strict protections in DXE the platform could do the
following:

DXE_MEMORY_PROTECTION_SETTINGS DxeSettings = (DXE_MEMORY_PROTECTION_SETTINGS)DXE_MEMORY_PROTECTION_SETTINGS_DEBUG;
BuildGuidDataHob (&gDxeMemoryProtectionSettingsGuid, &DxeSettings, sizeof (DxeSettings));

Deviations from the preset configurations are also easy, and analogous profiles are
provided for SMM and Standalone MM. A future patch series will replace
references to the memory protection PCDs with references to the HOB entry in the
codebase.

With the PCDs, the NX setting for EfiConventionalMemory
is checked with a call like:
(PcdGet64 (PcdDxeNxMemoryProtectionPolicy) & (1 << EfiConventionalMemory)) != 0

Using the HOB, the NX setting for EfiConventionalMemory in the DXE environment
will be checked with a call like:
gDxeMps.NxProtectionPolicy.Fields.EfiConventionalMemory != 0

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Oliver Smith-Denny <osd@smith-denny.com>
Cc: Michael Kubacki <mikuback@linux.microsoft.com>
Cc: Kun Qin <kuqin12@gmail.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>

Taylor Beebe (3):
  MdeModulePkg: Add DXE and MM Memory Protection Settings HOB
    Definitions
  MdeModulePkg: Add MemoryProtectionHobLib Definitions and NULL Libs
  MdeModulePkg: Add Phase-Specific MemoryProtectionHobLib
    Implementations

 MdeModulePkg/Library/MemoryProtectionHobLib/DxeMemoryProtectionHobLib.c            | 182 +++++++
 MdeModulePkg/Library/MemoryProtectionHobLib/MmCommonMemoryProtectionHobLib.c       | 139 ++++++
 MdeModulePkg/Library/MemoryProtectionHobLib/SmmMemoryProtectionHobLib.c            |  37 ++
 MdeModulePkg/Library/MemoryProtectionHobLib/StandaloneMmMemoryProtectionHobLib.c   |  37 ++
 MdeModulePkg/Library/MemoryProtectionHobLibNull/DxeMemoryProtectionHobLibNull.c    |  33 ++
 MdeModulePkg/Library/MemoryProtectionHobLibNull/MmMemoryProtectionHobLibNull.c     |  33 ++
 MdeModulePkg/Include/Guid/DxeMemoryProtectionSettings.h                            | 503 ++++++++++++++++++++
 MdeModulePkg/Include/Guid/MmMemoryProtectionSettings.h                             | 239 ++++++++++
 MdeModulePkg/Include/Library/DxeMemoryProtectionHobLib.h                           |  36 ++
 MdeModulePkg/Include/Library/MmMemoryProtectionHobLib.h                            |  36 ++
 MdeModulePkg/Library/MemoryProtectionHobLib/DxeMemoryProtectionHobLib.inf          |  34 ++
 MdeModulePkg/Library/MemoryProtectionHobLib/SmmMemoryProtectionHobLib.inf          |  35 ++
 MdeModulePkg/Library/MemoryProtectionHobLib/StandaloneMmMemoryProtectionHobLib.inf |  36 ++
 MdeModulePkg/Library/MemoryProtectionHobLibNull/DxeMemoryProtectionHobLibNull.inf  |  25 +
 MdeModulePkg/Library/MemoryProtectionHobLibNull/MmMemoryProtectionHobLibNull.inf   |  26 +
 MdeModulePkg/MdeModulePkg.dec                                                      |  18 +
 MdeModulePkg/MdeModulePkg.dsc                                                      |  11 +
 17 files changed, 1460 insertions(+)
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLib/DxeMemoryProtectionHobLib.c
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLib/MmCommonMemoryProtectionHobLib.c
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLib/SmmMemoryProtectionHobLib.c
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLib/StandaloneMmMemoryProtectionHobLib.c
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLibNull/DxeMemoryProtectionHobLibNull.c
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLibNull/MmMemoryProtectionHobLibNull.c
 create mode 100644 MdeModulePkg/Include/Guid/DxeMemoryProtectionSettings.h
 create mode 100644 MdeModulePkg/Include/Guid/MmMemoryProtectionSettings.h
 create mode 100644 MdeModulePkg/Include/Library/DxeMemoryProtectionHobLib.h
 create mode 100644 MdeModulePkg/Include/Library/MmMemoryProtectionHobLib.h
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLib/DxeMemoryProtectionHobLib.inf
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLib/SmmMemoryProtectionHobLib.inf
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLib/StandaloneMmMemoryProtectionHobLib.inf
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLibNull/DxeMemoryProtectionHobLibNull.inf
 create mode 100644 MdeModulePkg/Library/MemoryProtectionHobLibNull/MmMemoryProtectionHobLibNull.inf

-- 
2.36.1.windows.1
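
The two styles of NX check described in the cover letter, modelled in plain C as an added example (not code from the patch series or from edk2). `NX_FIELDS_MODEL` and the helper names are hypothetical; only the memory type numbering (UEFI specification) and the one-bit-per-type mask convention are taken as given. It also shows why the mask form needs parentheses around the `&`: C parses `mask & (1 << T) != 0` as `mask & ((1 << T) != 0)`, which tests bit 0.

```c
#include <stdint.h>
#include <stdio.h>
/* EFI_MEMORY_TYPE values (UEFI spec); mask bit N = NX for memory type N. */
#define NX_TYPES(X) \
  X(EfiReservedMemoryType, 0) X(EfiLoaderCode, 1) X(EfiLoaderData, 2) \
  X(EfiBootServicesCode, 3) X(EfiBootServicesData, 4) \
  X(EfiRuntimeServicesCode, 5) X(EfiRuntimeServicesData, 6) \
  X(EfiConventionalMemory, 7) X(EfiUnusableMemory, 8) X(EfiACPIReclaimMemory, 9) \
  X(EfiACPIMemoryNVS, 10) X(EfiMemoryMappedIO, 11) X(EfiMemoryMappedIOPortSpace, 12) \
  X(EfiPalCode, 13) X(EfiPersistentMemory, 14)

#define NX_ENUM(name, bit) name = bit,
enum { NX_TYPES(NX_ENUM) };

/* Hypothetical model of the per-type fields: one named 1-bit member per
   memory type. Not the layout from DxeMemoryProtectionSettings.h. */
#define NX_FIELD(name, bit) unsigned int name : 1;
typedef struct { NX_TYPES(NX_FIELD) } NX_FIELDS_MODEL;

/* Mask to named fields, assigned explicitly (no bit-field order dependence). */
static NX_FIELDS_MODEL nx_fields_from_mask(uint64_t mask) {
  NX_FIELDS_MODEL f = {0};
#define NX_COPY(name, bit) f.name = (unsigned int)((mask >> (bit)) & 1u);
  NX_TYPES(NX_COPY)
  return f;
}

/* How C parses `mask & (1 << T) != 0`: `!=` binds tighter than `&`,
   so this tests bit 0 (EfiReservedMemoryType), not bit T. */
static int nx_conventional_as_parsed(uint64_t mask) {
  return (int)(mask & ((1 << EfiConventionalMemory) != 0));
}

/* Mask check with the intended grouping. */
static int nx_conventional_mask(uint64_t mask) {
  return (mask & (1ULL << EfiConventionalMemory)) != 0;
}

/* Field check in the style of gDxeMps.NxProtectionPolicy.Fields.<type>. */
static int nx_conventional_fields(const NX_FIELDS_MODEL *f) {
  return f->EfiConventionalMemory != 0;
}

int main(void) {
  NX_FIELDS_MODEL f = nx_fields_from_mask(0x80);  /* constructed mask: bit 7 only */
  printf("as_parsed=%d mask=%d fields=%d\n", nx_conventional_as_parsed(0x80),
         nx_conventional_mask(0x80), nx_conventional_fields(&f));
  return 0;
}
```

For the constructed mask 0x80 the as-parsed form reports NX as off for EfiConventionalMemory, while the grouped mask check and the field check both report it as on.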


