From nobody Sat May 4 07:55:44 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+46348+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+46348+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1566773181; cv=none; d=zoho.com; s=zohoarc; b=fjqGDMaOqbrbhsEJqZwy229K6GMvSB49V4XncCqwdWKyWF3ZaP/Ja0WDLNBIcrcjLPPe9v4AAk5ES7PZQcf4Q+f/60bLar6Cfdx14Oe+Rbi08Sb0hIAFp8bVKj47RD+PouCMrmSKjfpVPiewbErNQA16rJusfgm2Ev89NgdE3lc= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1566773181; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To:ARC-Authentication-Results; bh=2dSeNxh2HWM51sQzmvmRdvS0L3M/AQ+cilCnWtYSiYc=; b=aXzMnAloRNK2zdB+mtvfkw2RAIK9uHxyB+3to5tSI7BCcjDw333pWhH2sXHDBLzJpVr3BTMrNPQ+FWOBmkK8zgKvKAhN6XXKYaTzw85TqHA4rqXOqT5OaSkNp5Tt8gdCyVvwTl/jWHu1zcmTvG+JjvIqsE0oZwow8zYzUUsnq84= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+46348+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1566773181748384.04104761713415; Sun, 25 Aug 2019 15:46:21 -0700 (PDT) Return-Path: X-Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) by groups.io with SMTP; Sun, 25 Aug 2019 15:46:20 -0700 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-Received: from orsmga004.jf.intel.com ([10.7.209.38]) by fmsmga103.fm.intel.com with 
ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 25 Aug 2019 15:46:18 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.64,431,1559545200"; d="scan'208";a="331277761" X-Received: from ray-dev.ccr.corp.intel.com ([10.239.9.9]) by orsmga004.jf.intel.com with ESMTP; 25 Aug 2019 15:46:04 -0700 From: "Ni, Ray" To: devel@edk2.groups.io Cc: Eric Dong , Jiewen Yao , Laszlo Ersek Subject: [edk2-devel] [PATCH 1/5] UefiCpuPkg: Add PcdCpuSmmRestrictedMemoryAccess Date: Mon, 26 Aug 2019 06:45:09 +0800 Message-Id: <20190825224513.171572-2-ray.ni@intel.com> In-Reply-To: <20190825224513.171572-1-ray.ni@intel.com> References: <20190825224513.171572-1-ray.ni@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,ray.ni@intel.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1566773181; bh=zocSzR+9qxtjc/o/VEZ59cvjMmfkgiSxQHZVpTwMdCQ=; h=Cc:Date:From:Reply-To:Subject:To; b=IN/Jnb9i8udN15zGu8s+Cs73ohsN9mm/x+iridzfizvYd1LKGdEvvDhBfhB4VJeJOud 6WQHheNBYWlXLvaWssZUT0Hx1yw9DdaoUbNIbYZ6BZWwvnp9aQ66B9tI4veZuxJOndy+N nLDpqg7l9qcfBEXLyEulJDVKvYT7sE5xEuM= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" The patch adds a new X64 only PCD PcdCpuSmmRestrictedMemoryAccess. The PCD indicates access to non-SMRAM memory is restricted to reserved, runtime and ACPI NVS type after SmmReadyToLock. MMIO access is always allowed regardless of the value of this PCD. Loose of such restriction is only required by RAS components in X64 platforms. The PCD value is considered as constantly TRUE in IA32 platforms. When the PCD value is TRUE, page table is initialized to cover all memory spaces and the memory occupied by page table is protected by page table itself as read-only. 
Signed-off-by: Ray Ni Cc: Eric Dong Cc: Jiewen Yao Cc: Laszlo Ersek Reviewed-by: Eric Dong Reviewed-by: Laszlo Ersek --- UefiCpuPkg/UefiCpuPkg.dec | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/UefiCpuPkg/UefiCpuPkg.dec b/UefiCpuPkg/UefiCpuPkg.dec index 86ad61f64b..83acd33612 100644 --- a/UefiCpuPkg/UefiCpuPkg.dec +++ b/UefiCpuPkg/UefiCpuPkg.dec @@ -278,6 +278,18 @@ [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic,= PcdsDynamicEx] # @Prompt Current boot is a power-on reset. gUefiCpuPkgTokenSpaceGuid.PcdIsPowerOnReset|FALSE|BOOLEAN|0x0000001B =20 +[PcdsFixedAtBuild.X64, PcdsPatchableInModule.X64, PcdsDynamic.X64, PcdsDyn= amicEx.X64] + ## Indicate access to non-SMRAM memory is restricted to reserved, runtim= e and ACPI NVS type after SmmReadyToLock. + # MMIO access is always allowed regardless of the value of this PCD. + # Loose of such restriction is only required by RAS components in X64 p= latforms. + # The PCD value is considered as constantly TRUE in IA32 platforms. + # When the PCD value is TRUE, page table is initialized to cover all me= mory spaces + # and the memory occupied by page table is protected by page table itse= lf as read-only. + # TRUE - Access to non-SMRAM memory is restricted to reserved, runtim= e and ACPI NVS type after SmmReadyToLock.
+ # FALSE - Access to any type of non-SMRAM memory after SmmReadyToLock = is allowed.
+ # @Prompt Access to non-SMRAM memory is restricted to reserved, runtime = and ACPI NVS type after SmmReadyToLock. + gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmRestrictedMemoryAccess|TRUE|BOOLEAN|0= x3213210F + [PcdsDynamic, PcdsDynamicEx] ## Contains the pointer to a CPU S3 data buffer of structure ACPI_CPU_DA= TA. # @Prompt The pointer to a CPU S3 data buffer. --=20 2.21.0.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#46348): https://edk2.groups.io/g/devel/message/46348 Mute This Topic: https://groups.io/mt/33027102/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sat May 4 07:55:44 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+46350+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+46350+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1566773182; cv=none; d=zoho.com; s=zohoarc; b=Ri+eJaetldJ9kbKhUee0Zv/F4/7N2rXmeRZww9Rq7c9BB11PV2P62Hw2bYO+TIhTfKj0oVFj6mfhLpjih3pOClM1425c07XZxPv8m0Yz1Evy1K6g29epdssnDwHiTuDKSw63y5S1Zrm7s1Vew0pu192+XLygL9m24PDgafSJr4A= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1566773182; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To:ARC-Authentication-Results; bh=RCcyH72djqFlUCZSJ7oK+9dFQyDgneLeuskcBR+dDkk=; 
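Review bot: the help text in the new [PcdsFixedAtBuild.X64, ...] hunk of UefiCpuPkg.dec will be copied into every platform's PCD documentation, so its grammar should be tidied before it lands: "Loose of such restriction is only required by RAS components in X64 platforms" should read "Loosening this restriction is only required by RAS components on X64 platforms", and "The PCD value is considered as constantly TRUE in IA32 platforms" reads better as "The PCD is treated as always TRUE on IA32 platforms". Declaring the PCD only in the .X64 sections is consistent with that statement, and the TRUE default keeps the restrictive behaviour unless a platform explicitly opts out, which is the right default for an SMM isolation control.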
From: "Ni, Ray" To: devel@edk2.groups.io Cc: Eric Dong , Jiewen Yao , Laszlo Ersek Subject: [edk2-devel] [PATCH 2/5] UefiCpuPkg/PiSmmCpu: Use new PCD PcdCpuSmmRestrictedMemoryAccess Date: Mon, 26 Aug 2019 06:45:10 +0800 Message-Id: <20190825224513.171572-3-ray.ni@intel.com> In-Reply-To: <20190825224513.171572-1-ray.ni@intel.com> References: <20190825224513.171572-1-ray.ni@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,ray.ni@intel.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1566773181; bh=a5bPe4iPYvRqCd6dLxb3JkfPkujmQBswSyv0ooCZHuI=; h=Cc:Date:From:Reply-To:Subject:To; b=d7+bdM+ER3z2DE7uEeigeQS5Kth27yt/gfkcRvGzdswu9cS03oPzaRGG/ChV+0wFnkN Uecos30NxhOqBhGOtbFNbjw3lnlK5wbvQk0IFX3N2amuw17q3leSaVNyjETk+23awV7tT vHis8MAv8ExspfGP67eKzc7x0hSrEtz2/5c= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" The patch changes PiSmmCpu driver to consume PCD PcdCpuSmmRestrictedMemoryAccess. Because the behavior controlled by PcdCpuSmmStaticPageTable in original code is not changed after switching to PcdCpuSmmRestrictedMemoryAccess. The functionality is not impacted by this patch. Signed-off-by: Ray Ni Cc: Eric Dong Cc: Jiewen Yao Cc: Laszlo Ersek Reviewed-by: Eric Dong Reviewed-by: Laszlo Ersek --- UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.inf | 4 +- UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c | 52 ++++++++++++-------- 2 files changed, 34 insertions(+), 22 deletions(-) diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.inf b/UefiCpuPkg/PiSm= mCpuDxeSmm/PiSmmCpuDxeSmm.inf index da0308c47f..b12b2691f8 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.inf +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.inf 
@@ -133,7 +133,6 @@ [Pcd] gUefiCpuPkgTokenSpaceGuid.PcdCpuHotPlugDataAddress ## SOME= TIMES_PRODUCES gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmCodeAccessCheckEnable ## CONS= UMES gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmSyncMode ## CONS= UMES - gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStaticPageTable ## CONS= UMES gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmShadowStackSize ## SOME= TIMES_CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable ## CONS= UMES gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask ##= CONSUMES @@ -141,6 +140,9 @@ [Pcd] gEfiMdeModulePkgTokenSpaceGuid.PcdHeapGuardPropertyMask ##= CONSUMES gEfiMdePkgTokenSpaceGuid.PcdControlFlowEnforcementPropertyMask ##= CONSUMES =20 +[Pcd.X64] + gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmRestrictedMemoryAccess ## CONS= UMES + [Depex] gEfiMpServiceProtocolGuid =20 diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c b/UefiCpuPkg/PiSmmCpuD= xeSmm/X64/PageTbl.c index d60c404a3d..7516f35055 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c @@ -15,7 +15,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent =20 LIST_ENTRY mPagePool =3D INITIALIZE_LIST_HEAD_VAR= IABLE (mPagePool); BOOLEAN m1GPageTableSupport =3D FALSE; -BOOLEAN mCpuSmmStaticPageTable; +BOOLEAN mCpuSmmRestrictedMemoryAccess; BOOLEAN m5LevelPagingSupport; X86_ASSEMBLY_PATCH_LABEL gPatch5LevelPagingSupport; =20 
@@ -334,15 +334,15 @@ SmmInitPageTable ( // InitializeSpinLock (mPFLock); =20 - mCpuSmmStaticPageTable =3D PcdGetBool (PcdCpuSmmStaticPageTable); - m1GPageTableSupport =3D Is1GPageSupport (); - m5LevelPagingSupport =3D Is5LevelPagingSupport (); - mPhysicalAddressBits =3D CalculateMaximumSupportAddress (); + mCpuSmmRestrictedMemoryAccess =3D PcdGetBool (PcdCpuSmmRestrictedMemoryA= ccess); + m1GPageTableSupport =3D Is1GPageSupport (); + m5LevelPagingSupport =3D Is5LevelPagingSupport (); + mPhysicalAddressBits =3D CalculateMaximumSupportAddress (); PatchInstructionX86 (gPatch5LevelPagingSupport, m5LevelPagingSupport, 1); - DEBUG ((DEBUG_INFO, "5LevelPaging Support - %d\n", m5LevelPagingSupp= ort)); - DEBUG ((DEBUG_INFO, "1GPageTable Support - %d\n", m1GPageTableSuppo= rt)); - DEBUG ((DEBUG_INFO, "PcdCpuSmmStaticPageTable - %d\n", mCpuSmmStaticPage= Table)); - DEBUG ((DEBUG_INFO, "PhysicalAddressBits - %d\n", mPhysicalAddressB= its)); + DEBUG ((DEBUG_INFO, "5LevelPaging Support - %d\n", m5LevelPag= ingSupport)); + DEBUG ((DEBUG_INFO, "1GPageTable Support - %d\n", m1GPageTab= leSupport)); + DEBUG ((DEBUG_INFO, "PcdCpuSmmRestrictedMemoryAccess - %d\n", mCpuSmmRes= trictedMemoryAccess)); + DEBUG ((DEBUG_INFO, "PhysicalAddressBits - %d\n", mPhysicalA= ddressBits)); // // Generate PAE page table for the first 4GB memory space // @@ -385,7 +385,11 @@ SmmInitPageTable ( PTEntry =3D Pml5Entry; } =20 - if (mCpuSmmStaticPageTable) { + if (mCpuSmmRestrictedMemoryAccess) { + // + // When access to non-SMRAM memory is restricted, create page table + // that covers all memory space. + // SetStaticPageTable ((UINTN)PTEntry); } else { // 
@@ -972,7 +976,7 @@ SmiPFHandler ( =20 PFAddress =3D AsmReadCr2 (); =20 - if (mCpuSmmStaticPageTable && (PFAddress >=3D LShiftU64 (1, (mPhysicalAd= dressBits - 1)))) { + if (mCpuSmmRestrictedMemoryAccess && (PFAddress >=3D LShiftU64 (1, (mPhy= sicalAddressBits - 1)))) { DumpCpuContext (InterruptType, SystemContext); DEBUG ((DEBUG_ERROR, "Do not support address 0x%lx by processor!\n", P= FAddress)); CpuDeadLoop (); @@ -1049,7 +1053,7 @@ SmiPFHandler ( goto Exit; } =20 - if (mCpuSmmStaticPageTable && IsSmmCommBufferForbiddenAddress (PFAddre= ss)) { + if (mCpuSmmRestrictedMemoryAccess && IsSmmCommBufferForbiddenAddress (= PFAddress)) { DumpCpuContext (InterruptType, SystemContext); DEBUG ((DEBUG_ERROR, "Access SMM communication forbidden address (0x= %lx)!\n", PFAddress)); DEBUG_CODE ( 
@@ -1100,26 +1104,26 @@ SetPageTableAttributes ( Enable5LevelPaging =3D (BOOLEAN) (Cr4.Bits.LA57 =3D=3D 1); =20 // - // Don't do this if - // - no static page table; or + // Don't mark page table memory as read-only if + // - no restriction on access to non-SMRAM memory; or // - SMM heap guard feature enabled; or // BIT2: SMM page guard enabled // BIT3: SMM pool guard enabled // - SMM profile feature enabled // - if (!mCpuSmmStaticPageTable || + if (!mCpuSmmRestrictedMemoryAccess || ((PcdGet8 (PcdHeapGuardPropertyMask) & (BIT3 | BIT2)) !=3D 0) || FeaturePcdGet (PcdCpuSmmProfileEnable)) { // - // Static paging and heap guard could not be enabled at the same time. + // Restriction on access to non-SMRAM memory and heap guard could not = be enabled at the same time. // - ASSERT (!(mCpuSmmStaticPageTable && + ASSERT (!(mCpuSmmRestrictedMemoryAccess && (PcdGet8 (PcdHeapGuardPropertyMask) & (BIT3 | BIT2)) !=3D 0)= ); =20 // - // Static paging and SMM profile could not be enabled at the same time. + // Restriction on access to non-SMRAM memory and SMM profile could not= be enabled at the same time. // - ASSERT (!(mCpuSmmStaticPageTable && FeaturePcdGet (PcdCpuSmmProfileEna= ble))); + ASSERT (!(mCpuSmmRestrictedMemoryAccess && FeaturePcdGet (PcdCpuSmmPro= fileEnable))); return ; } =20 @@ -1223,7 +1227,10 @@ SaveCr2 ( OUT UINTN *Cr2 ) { - if (!mCpuSmmStaticPageTable) { + if (!mCpuSmmRestrictedMemoryAccess) { + // + // On-demand paging is enabled when access to non-SMRAM is not restric= ted. + // *Cr2 =3D AsmReadCr2 (); } } 
@@ -1238,7 +1245,10 @@ RestoreCr2 ( IN UINTN Cr2 ) { - if (!mCpuSmmStaticPageTable) { + if (!mCpuSmmRestrictedMemoryAccess) { + // + // On-demand paging is enabled when access to non-SMRAM is not restric= ted. + // AsmWriteCr2 (Cr2); } } --=20 2.21.0.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#46350): https://edk2.groups.io/g/devel/message/46350 Mute This Topic: https://groups.io/mt/33027104/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sat May 4 07:55:44 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+46349+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+46349+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1566773181; cv=none; d=zoho.com; s=zohoarc; b=BMVbdc2tUyCiwDXg9cCkQq4uUown9PJM1CGFrz8JaCG5KtiOju0XrLtS5xmlQIwstMwCCWoFcHNDoYitnO65kybGAqblZZ/eD41E9x13YQzzkiZax645rpZhRXgdM8TR/MtpRQERI8OB9eiGCLjCdqI8hkqolmuypy3/TAy6lg4= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1566773181; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To:ARC-Authentication-Results; bh=PE6zKYxCEsf1a5PYpfKXJKSfdEXslQ52Ck0fAe4RvzE=; b=UWsUjpZgqodEOMqIncthygjNTqRnZ60yDRiLJ+ad5UjpkOiKQrjxaAXA/A4ffWAYaSRe9AeTpmRSGH06dQd6etNcg5PMREq4vGGCREsbXOUOgZyqFalESE5QmF76ap3RWoHOnPjNwDj9sIBfFf9t1Dyb7zt/O4OHRTvMdDeTRgk= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass; spf=pass (zoho.com: 
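Review bot: the [Pcd.X64] section added in the second PiSmmCpuDxeSmm.inf hunk (@@ -141,6 +140,9) is needed because the DEC declares PcdCpuSmmRestrictedMemoryAccess for X64 only, but after the first hunk removes PcdCpuSmmStaticPageTable the IA32 build of this driver references no PCD for page-table behaviour at all. A one-line comment in the INF noting that IA32 always restricts non-SMRAM access would save the next reader from searching for a missing [Pcd.IA32] entry.

Review bot: the rename of the module-global mCpuSmmStaticPageTable to mCpuSmmRestrictedMemoryAccess in the @@ -15,7 +15,7 hunk of X64/PageTbl.c is the only place the symbol changes, and the diffstat lists no header change; please confirm no other translation unit declares the old name extern, otherwise the rename breaks the X64 build.

Review bot: in the SmmInitPageTable hunk (@@ -334,15 +334,15) the three unchanged assignments (m1GPageTableSupport, m5LevelPagingSupport, mPhysicalAddressBits) and three unchanged DEBUG lines are re-indented only to re-align with the longer variable name, so six of the eight modified lines are whitespace churn around two real changes. edk2 alignment style justifies it, but stating that in the commit message keeps reviewers from hunting for a functional change in those lines.

Review bot: in the SmiPFHandler hunk (@@ -972,7 +976,7) the check "PFAddress >= LShiftU64 (1, (mPhysicalAddressBits - 1))" is now gated on mCpuSmmRestrictedMemoryAccess, but the property it actually relies on is that a static page table covering the whole address space was built (the SetStaticPageTable call in the @@ -385,7 +385,11 hunk). A short comment such as "// With restricted access the page table covers all memory, so a fault here means the address is not supported by the processor" would keep the renamed flag from reading as an unrelated condition.

Review bot: in the SetPageTableAttributes hunk (@@ -1100,26 +1104,26) the two ASSERTs that restricted access is not combined with heap guard or SMM profile sit inside the early-return branch, so in a RELEASE build with ASSERT compiled out a platform that sets PcdCpuSmmRestrictedMemoryAccess TRUE together with PcdHeapGuardPropertyMask BIT2/BIT3 or PcdCpuSmmProfileEnable silently returns without marking the page table read-only. Consider a DEBUG ((DEBUG_ERROR, ...)) before the "return ;" so the lost protection is visible in the boot log, or a build-time check of the PCD combination.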

From: "Ni, Ray" To: devel@edk2.groups.io Cc: Eric Dong , Jiewen Yao , Laszlo Ersek Subject: [edk2-devel] [PATCH 3/5] UefiCpuPkg/PiSmmCpu: Restrict access per PcdCpuSmmRestrictedMemoryAccess Date: Mon, 26 Aug 2019 06:45:11 +0800 Message-Id: <20190825224513.171572-4-ray.ni@intel.com> In-Reply-To: <20190825224513.171572-1-ray.ni@intel.com> References: <20190825224513.171572-1-ray.ni@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,ray.ni@intel.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1566773181; bh=WRzUmwVqAoym1/J4EXBJgC3YWAQLfaNtjQxB3qAKziA=; h=Cc:Date:From:Reply-To:Subject:To; b=UnLFfyvuUJeYaw311OlsRCd1ruFJZkCJoO280BgGGqUFuk/55SI/fHtdww/vffFsG6U YcZ1x8YkDmJguFcgV0a5EgIJVjEx7zZuCT6Kr4ClD9hV0q/jQhC5m7k6WZxkQw4uRgoE7 hFbHQxtjWkX7MknVfeERYcu9R4BqNCyV/84= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" Today's behavior is to always restrict access to non-SMRAM regardless the value of PcdCpuSmmRestrictedMemoryAccess. Because RAS components require to access all non-SMRAM memory, the patch changes the code logic to honor PcdCpuSmmRestrictedMemoryAccess so that only when the PCD is true, the restriction takes affect and page table memory is also protected. Because IA32 build doesn't reference this PCD, such restriction always takes affect in IA32 build. Signed-off-by: Ray Ni Cc: Eric Dong Cc: Jiewen Yao Cc: Laszlo Ersek Reviewed-by: Eric Dong Reviewed-by: Laszlo Ersek --- UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/PageTbl.c | 14 ++++++++++++++ UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c | 18 ++++++++++-------- UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h | 11 +++++++++++ UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c | 14 ++++++++++++++ 4 files changed, 49 insertions(+), 8 deletions(-) 
diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/PageTbl.c b/UefiCpuPkg/PiSmmCpu= DxeSmm/Ia32/PageTbl.c index 05fb455936..f891a81112 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/PageTbl.c +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/PageTbl.c @@ -336,3 +336,17 @@ RestoreCr2 ( { return ; } + +/** + Return whether access to non-SMRAM is restricted. + + @retval TRUE Access to non-SMRAM is restricted. + @retval FALSE Access to non-SMRAM is not restricted. +*/ +BOOLEAN +IsRestrictedMemoryAccess ( + VOID + ) +{ + return TRUE; +} diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c b/UefiCpuPkg/PiSmmC= puDxeSmm/PiSmmCpuDxeSmm.c index 69a04dfb23..723fd5042f 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c @@ -1431,15 +1431,17 @@ PerformRemainingTasks ( // SetMemMapAttributes (); =20 - // - // For outside SMRAM, we only map SMM communication buffer or MMIO. - // - SetUefiMemMapAttributes (); + if (IsRestrictedMemoryAccess ()) { + // + // For outside SMRAM, we only map SMM communication buffer or MMIO. + // + SetUefiMemMapAttributes (); =20 - // - // Set page table itself to be read-only - // - SetPageTableAttributes (); + // + // Set page table itself to be read-only + // + SetPageTableAttributes (); + } =20 // // Configure SMM Code Access Check feature if available. diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h b/UefiCpuPkg/PiSmmC= puDxeSmm/PiSmmCpuDxeSmm.h index 8c29f1a558..daf977f654 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.h @@ -1450,4 +1450,15 @@ InitializeDataForMmMp ( VOID ); =20 +/** + Return whether access to non-SMRAM is restricted. + + @retval TRUE Access to non-SMRAM is restricted. + @retval FALSE Access to non-SMRAM is not restricted. +*/ +BOOLEAN +IsRestrictedMemoryAccess ( + VOID + ); + #endif diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c b/UefiCpuPkg/PiSmmCpuD= xeSmm/X64/PageTbl.c index 7516f35055..733d107efd 100644 
--- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c 
@@ -1252,3 +1252,17 @@ RestoreCr2 ( AsmWriteCr2 (Cr2); } } + +/** + Return whether access to non-SMRAM is restricted. + + @retval TRUE Access to non-SMRAM is restricted. + @retval FALSE Access to non-SMRAM is not restricted. +*/ +BOOLEAN +IsRestrictedMemoryAccess ( + VOID + ) +{ + return mCpuSmmRestrictedMemoryAccess; +} --=20 2.21.0.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#46349): https://edk2.groups.io/g/devel/message/46349 Mute This Topic: https://groups.io/mt/33027103/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sat May 4 07:55:44 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+46347+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+46347+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1566773181; cv=none; d=zoho.com; s=zohoarc; b=bUUtEZLZliXzRRjsPtb6SLNg+KlBseb3j2VGUdqwjz6bNTAu0E6twFygsyEOeC4TEg9aXj+I+cN/pUNWV9c/fz+du27BmkyzUX08x0sipTgPdJRICzpuNDhoVWFZVRU+zELyTzp8CkECUk/Fe3DWdUzp8r7U7PAkhjNwb+8Nofk= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1566773181; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To:ARC-Authentication-Results; bh=Khjm2tz+uTaARcpj+6t5EHZGORdlRjCzKdk6zCjSaB0=; 
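Review bot: the PerformRemainingTasks hunk (@@ -1431,15 +1431,17 in PiSmmCpuDxeSmm.c) now skips both SetUefiMemMapAttributes and SetPageTableAttributes when IsRestrictedMemoryAccess () is FALSE, which means a platform that clears the PCD leaves every type of non-SMRAM memory mapped from SMM and the SMM page table itself writable. The commit message explains this is intentional for RAS components, but that trade-off deserves a comment at the call site (for example, "// Leaving non-SMRAM fully accessible weakens SMM isolation; only clear PcdCpuSmmRestrictedMemoryAccess when RAS requires it") and a DEBUG message in the else path so the weakened configuration is recorded in the boot log.

Review bot: the X64 IsRestrictedMemoryAccess added in the @@ -1252,3 +1252,17 hunk of X64/PageTbl.c returns mCpuSmmRestrictedMemoryAccess, which is only assigned in SmmInitPageTable; if any caller ran before that point the zero-initialised global would report FALSE and the restriction would be skipped without any indication. Assuming PerformRemainingTasks is only reached after SmmInitPageTable, this is fine, but a comment on the function (or an ASSERT that initialisation has happened) would make the dependency explicit, and the IA32 variant in Ia32/PageTbl.c that hard-codes TRUE matches the commit message's statement that IA32 always restricts.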
From: "Ni, Ray" To: devel@edk2.groups.io Cc: Eric Dong , Jiewen Yao , Laszlo Ersek Subject: [edk2-devel] [PATCH 4/5] UefiCpuPkg: Explain relationship between several SMM PCDs Date: Mon, 26 Aug 2019 06:45:12 +0800 Message-Id: <20190825224513.171572-5-ray.ni@intel.com> In-Reply-To: <20190825224513.171572-1-ray.ni@intel.com> References: <20190825224513.171572-1-ray.ni@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,ray.ni@intel.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1566773181; bh=lI7UaFFmcNHMFvKATDa9F4YRDvP1miuLxIyrZbDHpYQ=; h=Cc:Date:From:Reply-To:Subject:To; b=QrSmoBXA+rKVENfME3pHRu1+2DrU8Vn2bD6zOdf8CYFYNnLAZUYM2X4JWW62WTEztWb vxENBpfbMFhhf6EMcsoivQm1ZZPhEPrgkvi3abyeYU0iILhR4OzWLzOgDB1DfadrrIqvH l1/CSG+9DFpfCUa20gWWq7HNKRvywYyfu5c= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" There are three PCDs that may impact the behavior of each other in SMM environment: PcdCpuSmmProfileEnable PcdHeapGuardPropertyMask in MdeModulePkg PcdCpuSmmRestrictedMemoryAccess The patch updates the comments in DEC file to document it. Signed-off-by: Ray Ni Cc: Eric Dong Cc: Jiewen Yao Cc: Laszlo Ersek Reviewed-by: Eric Dong Reviewed-by: Laszlo Ersek --- UefiCpuPkg/UefiCpuPkg.dec | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/UefiCpuPkg/UefiCpuPkg.dec b/UefiCpuPkg/UefiCpuPkg.dec index 83acd33612..9a03bdd716 100644 --- a/UefiCpuPkg/UefiCpuPkg.dec +++ b/UefiCpuPkg/UefiCpuPkg.dec 
@@ -81,7 +81,8 @@ [Ppis] [PcdsFeatureFlag] ## Indicates if SMM Profile will be enabled. # If enabled, instruction executions in and data accesses to memory out= side of SMRAM will be logged. - # It could not be enabled at the same time with SMM static page table f= eature (PcdCpuSmmStaticPageTable). + # In X64 build, it could not be enabled when PcdCpuSmmRestrictedMemoryA= ccess is TRUE. + # In IA32 build, the page table memory is not marked as read-only when = it is enabled. # This PCD is only for validation purpose. It should be set to false in= production.

# TRUE - SMM Profile will be enabled.
# FALSE - SMM Profile will be disabled.
@@ -285,6 +286,11 @@ [PcdsFixedAtBuild.X64, PcdsPatchableInModule.X64, Pcds= Dynamic.X64, PcdsDynamicEx # The PCD value is considered as constantly TRUE in IA32 platforms. # When the PCD value is TRUE, page table is initialized to cover all me= mory spaces # and the memory occupied by page table is protected by page table itse= lf as read-only. + # In X64 build, it cannot be enabled at the same time with SMM profile = feature (PcdCpuSmmProfileEnable). + # In X64 build, it could not be enabled also at the same time with heap= guard feature for SMM + # (PcdHeapGuardPropertyMask in MdeModulePkg). + # In IA32 build, page table memory is not marked as read-only when eith= er SMM profile feature (PcdCpuSmmProfileEnable) + # or heap guard feature for SMM (PcdHeapGuardPropertyMask in MdeModuleP= kg) is enabled. # TRUE - Access to non-SMRAM memory is restricted to reserved, runtim= e and ACPI NVS type after SmmReadyToLock.
# FALSE - Access to any type of non-SMRAM memory after SmmReadyToLock = is allowed.
# @Prompt Access to non-SMRAM memory is restricted to reserved, runtime = and ACPI NVS type after SmmReadyToLock. --=20 2.21.0.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#46347): https://edk2.groups.io/g/devel/message/46347 Mute This Topic: https://groups.io/mt/33027101/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sat May 4 07:55:44 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+46351+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+46351+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1566773181; cv=none; d=zoho.com; s=zohoarc; b=ZcS1sP3ALoQefPPJ8QZd+zzz8gGD4uE8M/upGtuxk4Mw82gzR6jE+GAndxr3LaETn1T9QI0cM4QTu3ymCD97/qu9lyd0YryHuWK9ETYOx/zxzZD4yBbnHWyH8BYrfwTAd2qkLHqpWC8LtMi/1icHErRXdj49U5WR9d3CmEGCCVQ= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1566773181; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To:ARC-Authentication-Results; bh=3pi7CwEzekgdzoMfj5HtX5z/N5efKG1txSfXu4RROlU=; b=kU0fMjSSLlOQQLiKKdtj5GneF59A6TOJIokeEJSsjCrOGjO8pOa9iNOrj3nW5D7ijqQZE1S8IBjifLyEYNJClK+I5HWIcIOKdwAFEVggeoOKKhHsJa6d6P2QrhJ0pGSgyaTJlhnZL3lumfqdzBDo37A58iPlnwCVlkBb8FWdQpo= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+46351+1787277+3901457@groups.io; 
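Review bot: in the PcdCpuSmmProfileEnable hunk (@@ -81,7 +81,8) "it could not be enabled when PcdCpuSmmRestrictedMemoryAccess is TRUE" should read "it cannot be enabled when PcdCpuSmmRestrictedMemoryAccess is TRUE", and the new sentence "In IA32 build, the page table memory is not marked as read-only when it is enabled" documents a real reduction of SMM self-protection, so it is worth a stronger phrasing that makes the consequence explicit (for example, "on IA32, enabling SMM Profile also leaves the SMM page table writable").

Review bot: in the PcdCpuSmmRestrictedMemoryAccess hunk (@@ -285,6 +286,11) "it could not be enabled also at the same time with heap guard feature for SMM" is awkward and should read "it cannot be enabled together with the SMM heap guard feature (PcdHeapGuardPropertyMask in MdeModulePkg)". Since these relationships are documented here but only enforced by run-time ASSERTs in SetPageTableAttributes, consider adding a sentence saying that an invalid combination is caught by ASSERT in DEBUG builds only.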
dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1566773181922465.86928354120175; Sun, 25 Aug 2019 15:46:21 -0700 (PDT) Return-Path: X-Received: from mga14.intel.com (mga14.intel.com []) by groups.io with SMTP; Sun, 25 Aug 2019 15:46:21 -0700 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-Received: from orsmga004.jf.intel.com ([10.7.209.38]) by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 25 Aug 2019 15:46:19 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.64,431,1559545200"; d="scan'208";a="331277784" X-Received: from ray-dev.ccr.corp.intel.com ([10.239.9.9]) by orsmga004.jf.intel.com with ESMTP; 25 Aug 2019 15:46:09 -0700 From: "Ni, Ray" To: devel@edk2.groups.io Cc: Eric Dong , Jiewen Yao , Laszlo Ersek Subject: [edk2-devel] [PATCH 5/5] UefiCpuPkg: Remove PcdCpuSmmStaticPageTable Date: Mon, 26 Aug 2019 06:45:13 +0800 Message-Id: <20190825224513.171572-6-ray.ni@intel.com> In-Reply-To: <20190825224513.171572-1-ray.ni@intel.com> References: <20190825224513.171572-1-ray.ni@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,ray.ni@intel.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1566773181; bh=ymZs6J7hUjnM6ZggGZxF27XVSyXV3TyIEHIwJeYaYis=; h=Cc:Date:From:Reply-To:Subject:To; b=LbJRccODOrv5sgo/1vMaNyBuondquc6ET5XJyqhPtIlV6a/dOJ65Pa5dCaNl16IdaOd t5+oAojkCqZJo/QybFzGXRggbsMSGDm9bfxIQCdgnNOUDRPCsYN2aABv55SEGZ+QsW8xc /2oJS2d5MMqIoG7gJt5G6/DPhc1a4LJp1cI= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" PcdCpuSmmRestrictedMemoryAccess is introduced to replace PcdCpuSmmStaticPageTable. 
Signed-off-by: Ray Ni Cc: Eric Dong Cc: Jiewen Yao Cc: Laszlo Ersek Reviewed-by: Eric Dong Reviewed-by: Laszlo Ersek --- UefiCpuPkg/UefiCpuPkg.dec | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/UefiCpuPkg/UefiCpuPkg.dec b/UefiCpuPkg/UefiCpuPkg.dec index 9a03bdd716..031a2ccd68 100644 --- a/UefiCpuPkg/UefiCpuPkg.dec +++ b/UefiCpuPkg/UefiCpuPkg.dec @@ -247,17 +247,6 @@ [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic,= PcdsDynamicEx] # @Prompt The specified AP target C-state for Mwait. gUefiCpuPkgTokenSpaceGuid.PcdCpuApTargetCstate|0|UINT8|0x00000007 =20 - ## Indicates if SMM uses static page table. - # If enabled, SMM will not use on-demand paging. SMM will build static = page table for all memory. - # This flag only impacts X64 build, because SMM always builds static pa= ge table for IA32. - # It could not be enabled at the same time with SMM profile feature (Pc= dCpuSmmProfileEnable). - # It could not be enabled also at the same time with heap guard feature= for SMM - # (PcdHeapGuardPropertyMask in MdeModulePkg).

- # TRUE - SMM uses static page table for all memory.
- # FALSE - SMM uses static page table for below 4G memory and use on-de= mand paging for above 4G memory.
- # @Prompt Use static page table for all memory in SMM. - gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStaticPageTable|TRUE|BOOLEAN|0x321321= 0D - ## Specifies timeout value in microseconds for the BSP in SMM to wait fo= r all APs to come into SMM. # @Prompt AP synchronization timeout value in SMM. gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmApSyncTimeout|1000000|UINT64|0x321321= 04 --=20 2.21.0.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#46351): https://edk2.groups.io/g/devel/message/46351 Mute This Topic: https://groups.io/mt/33027105/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
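Review bot: removing gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStaticPageTable from UefiCpuPkg.dec in the @@ -247,17 +247,6 hunk will break the build of any platform DSC that still sets that PCD, and the one-line commit message ("introduced to replace") does not tell such platforms what to do. Please add a migration note stating that platforms should set PcdCpuSmmRestrictedMemoryAccess to the value they previously gave PcdCpuSmmStaticPageTable, and that token 0x3213210D is now retired and should not be reused for a different PCD.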