[edk2-devel] [PATCH v4 3/6] OvmfPkg: set PcdEnableUnacceptedMemory to FALSE

Dionna Glaze via groups.io posted 6 patches 2 years, 1 month ago
There is a newer version of this series
[edk2-devel] [PATCH v4 3/6] OvmfPkg: set PcdEnableUnacceptedMemory to FALSE
Posted by Dionna Glaze via groups.io 2 years, 1 month ago
The default value of PcdEnableUnacceptedMemory should be FALSE in order
for default safe behavior. If the next started image does not yet
understand UEFI v2.9's new memory type, then it's stuck with most of its
memory inaccessible.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Ard Biesheuvel <ardb@kernel.org>

Signed-off-by: Dionna Glaze <dionnaglaze@google.com>
---
 OvmfPkg/AmdSev/AmdSevX64.dsc     | 1 +
 OvmfPkg/Bhyve/BhyveX64.dsc       | 2 ++
 OvmfPkg/CloudHv/CloudHvX64.dsc   | 2 ++
 OvmfPkg/IntelTdx/IntelTdxX64.dsc | 2 ++
 OvmfPkg/OvmfPkgIa32X64.dsc       | 2 ++
 OvmfPkg/OvmfPkgX64.dsc           | 2 ++
 OvmfPkg/OvmfXen.dsc              | 2 ++
 7 files changed, 13 insertions(+)

diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index 90e8a213ef..23086748c5 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -526,6 +526,7 @@
 
   # Set ConfidentialComputing defaults
   gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0
+  gEfiMdeModulePkgTokenSpaceGuid.PcdEnableUnacceptedMemory|FALSE
 
 !include OvmfPkg/OvmfTpmPcds.dsc.inc
 
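Review bot: The added PcdEnableUnacceptedMemory|FALSE line sits directly under the "# Set ConfidentialComputing defaults" comment with nothing saying what it controls, and the commit message justifies it only by FALSE being the safe value. If FALSE is already the declared default for this PCD, the entry changes nothing in value, so the commit message should give the actual reason the DSC has to list it (for example, selecting the PCD's access type for this platform), or the line should be dropped.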
diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc
index 475b88b21a..004be8b019 100644
--- a/OvmfPkg/Bhyve/BhyveX64.dsc
+++ b/OvmfPkg/Bhyve/BhyveX64.dsc
@@ -559,6 +559,8 @@
   # Set Tdx shared bit mask
   gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask|0x0
 
+  gEfiMdeModulePkgTokenSpaceGuid.PcdEnableUnacceptedMemory|FALSE
+
   gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
 
   # MdeModulePkg resolution sets up the system display resolution
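Review bot: Scope question on the entry inserted before PcdOptionRomImageVerificationPolicy: the visible context here has no SEV-ES defaults block after the TDX shared bit mask, unlike the CloudHv, IntelTdx and OvmfPkg hunks. If this platform never runs as a confidential-computing guest, the hunk adds a setting that cannot matter there and can be left out; the OvmfXen.dsc hunk has the same shape and deserves the same check.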
diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc b/OvmfPkg/CloudHv/CloudHvX64.dsc
index 10b16104ac..41f43a2631 100644
--- a/OvmfPkg/CloudHv/CloudHvX64.dsc
+++ b/OvmfPkg/CloudHv/CloudHvX64.dsc
@@ -618,6 +618,8 @@
   # Set Tdx shared bit mask
   gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask|0x0
 
+  gEfiMdeModulePkgTokenSpaceGuid.PcdEnableUnacceptedMemory|FALSE
+
   # Set SEV-ES defaults
   gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase|0
   gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbSize|0
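Review bot: Missing comment on the inserted PcdEnableUnacceptedMemory|FALSE line: both neighbouring groups in this hunk carry a "# Set ..." comment, but the new entry has none. Add a comment line above it in the same style that says what FALSE means for the image started next, which the commit message describes as the safe case for images that do not understand the new memory type.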
diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
index c0c1a15b09..55b6a2a845 100644
--- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc
+++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
@@ -514,6 +514,8 @@
   # Set Tdx shared bit mask
   gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask|0x0
 
+  gEfiMdeModulePkgTokenSpaceGuid.PcdEnableUnacceptedMemory|FALSE
+
   # Set SEV-ES defaults
   gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase|0
   gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbSize|0
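Review bot: On the TDX-specific platform, the entry after PcdTdxSharedBitMask does not say whether FALSE is a fixed build-time setting or only an initial default. The follow-up in this thread says the protocol patch calls PcdSetBoolS and fails to build without this patch, which suggests the value is meant to be changed at run time; a one-line comment stating that would stop readers from concluding the feature is permanently off in this build.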
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index af566b953f..aebe1c3192 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -655,6 +655,8 @@
   gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask|0x0
   gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask|0x0
 
+  gEfiMdeModulePkgTokenSpaceGuid.PcdEnableUnacceptedMemory|FALSE
+
   # Set SEV-ES defaults
   gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase|0
   gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbSize|0
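Review bot: Maintainability point on the two-line insertion after PcdTdxSharedBitMask: the identical entry is copied into every platform DSC touched by this patch, so the copies can drift apart later. The AmdSev DSC context already shows shared PCD settings being pulled in with "!include OvmfPkg/OvmfTpmPcds.dsc.inc"; putting this setting in a shared include of the same kind would keep it in one place.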
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index f39d9cd117..6e4418388e 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -679,6 +679,8 @@
   # Set Tdx shared bit mask
   gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask|0x0
 
+  gEfiMdeModulePkgTokenSpaceGuid.PcdEnableUnacceptedMemory|FALSE
+
   # Set SEV-ES defaults
   gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase|0
   gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbSize|0
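Review bot: Name mismatch to check on the added line: it sets PcdEnableUnacceptedMemory, but the OvmfX64 build failure reported later in this thread is an undeclared _PCD_SET_MODE_BOOL_S_PcdAcceptAllUnacceptedMemory, coming from PcdSetBoolS(PcdAcceptAllUnacceptedMemory, FALSE) in Page.c. Confirm that the PCD listed here is the one the DXE core actually sets; if the name changed during the series, the subject line and all seven DSC entries need to follow it.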
diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc
index 58a7c97cdd..0f57e22a2b 100644
--- a/OvmfPkg/OvmfXen.dsc
+++ b/OvmfPkg/OvmfXen.dsc
@@ -505,6 +505,8 @@
   # Set Tdx shared bit mask
   gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask|0x0
 
+  gEfiMdeModulePkgTokenSpaceGuid.PcdEnableUnacceptedMemory|FALSE
+
   gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
 
 ################################################################################
-- 
2.37.3.998.g577e59143f-goog



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#94471): https://edk2.groups.io/g/devel/message/94471
Mute This Topic: https://groups.io/mt/93975248/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v4 3/6] OvmfPkg: set PcdEnableUnacceptedMemory to FALSE
Posted by Ard Biesheuvel 2 years, 1 month ago
On Wed, 28 Sept 2022 at 17:33, Dionna Glaze <dionnaglaze@google.com> wrote:
>
> The default value of PcdEnableUnacceptedMemory should be FALSE in order
> for default safe behavior. If the next started image does not yet
> understand UEFI v2.9's new memory type, then it's stuck with most of its
> memory inaccessible.
>
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Cc: James Bottomley <jejb@linux.ibm.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Tom Lendacky <thomas.lendacky@amd.com>
> Cc: Ard Biesheuvel <ardb@kernel.org>
>
> Signed-off-by: Dionna Glaze <dionnaglaze@google.com>

Generally, we tend to rely on the DEC default for new PCDs if we're
not deviating from it.
If there is no specific reason to deviate from this here, I think we
can drop this patch.

Or is this also needed to declare them as the right type? In that
case, I think you can drop the hunks that touch non-CC platforms.




> ---
>  OvmfPkg/AmdSev/AmdSevX64.dsc     | 1 +
>  OvmfPkg/Bhyve/BhyveX64.dsc       | 2 ++
>  OvmfPkg/CloudHv/CloudHvX64.dsc   | 2 ++
>  OvmfPkg/IntelTdx/IntelTdxX64.dsc | 2 ++
>  OvmfPkg/OvmfPkgIa32X64.dsc       | 2 ++
>  OvmfPkg/OvmfPkgX64.dsc           | 2 ++
>  OvmfPkg/OvmfXen.dsc              | 2 ++
>  7 files changed, 13 insertions(+)
>
> diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
> index 90e8a213ef..23086748c5 100644
> --- a/OvmfPkg/AmdSev/AmdSevX64.dsc
> +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
> @@ -526,6 +526,7 @@
>
>    # Set ConfidentialComputing defaults
>    gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdEnableUnacceptedMemory|FALSE
>
>  !include OvmfPkg/OvmfTpmPcds.dsc.inc
>
> diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc
> index 475b88b21a..004be8b019 100644
> --- a/OvmfPkg/Bhyve/BhyveX64.dsc
> +++ b/OvmfPkg/Bhyve/BhyveX64.dsc
> @@ -559,6 +559,8 @@
>    # Set Tdx shared bit mask
>    gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask|0x0
>
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdEnableUnacceptedMemory|FALSE
> +
>    gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
>
>    # MdeModulePkg resolution sets up the system display resolution
> diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc b/OvmfPkg/CloudHv/CloudHvX64.dsc
> index 10b16104ac..41f43a2631 100644
> --- a/OvmfPkg/CloudHv/CloudHvX64.dsc
> +++ b/OvmfPkg/CloudHv/CloudHvX64.dsc
> @@ -618,6 +618,8 @@
>    # Set Tdx shared bit mask
>    gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask|0x0
>
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdEnableUnacceptedMemory|FALSE
> +
>    # Set SEV-ES defaults
>    gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase|0
>    gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbSize|0
> diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
> index c0c1a15b09..55b6a2a845 100644
> --- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc
> +++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
> @@ -514,6 +514,8 @@
>    # Set Tdx shared bit mask
>    gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask|0x0
>
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdEnableUnacceptedMemory|FALSE
> +
>    # Set SEV-ES defaults
>    gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase|0
>    gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbSize|0
> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
> index af566b953f..aebe1c3192 100644
> --- a/OvmfPkg/OvmfPkgIa32X64.dsc
> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
> @@ -655,6 +655,8 @@
>    gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask|0x0
>    gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask|0x0
>
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdEnableUnacceptedMemory|FALSE
> +
>    # Set SEV-ES defaults
>    gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase|0
>    gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbSize|0
> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
> index f39d9cd117..6e4418388e 100644
> --- a/OvmfPkg/OvmfPkgX64.dsc
> +++ b/OvmfPkg/OvmfPkgX64.dsc
> @@ -679,6 +679,8 @@
>    # Set Tdx shared bit mask
>    gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask|0x0
>
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdEnableUnacceptedMemory|FALSE
> +
>    # Set SEV-ES defaults
>    gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase|0
>    gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbSize|0
> diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc
> index 58a7c97cdd..0f57e22a2b 100644
> --- a/OvmfPkg/OvmfXen.dsc
> +++ b/OvmfPkg/OvmfXen.dsc
> @@ -505,6 +505,8 @@
>    # Set Tdx shared bit mask
>    gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask|0x0
>
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdEnableUnacceptedMemory|FALSE
> +
>    gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
>
>  ################################################################################
> --
> 2.37.3.998.g577e59143f-goog
>


Re: [edk2-devel] [PATCH v4 3/6] OvmfPkg: set PcdEnableUnacceptedMemory to FALSE
Posted by Dionna Glaze via groups.io 2 years, 1 month ago
> Generally, we tend to rely on the DEC default for new PCDs if we're
> not deviating from it.
> If there is no specific reason to deviate from this here, I think we
> can drop this patch.
>
> Or is this also needed to declare them as the right type? In that
> case, I think you can drop the hunks that touch non-CC platforms.
>

I probably did something wrong. Without this patch, the protocol patch
with PcdSetBoolS fails to build.

INFO - In file included from
/usr/local/google/home/dionnaglaze/gitrepos/edk2/Build/OvmfX64/DEBUG_GCC5/X64/MdeModulePkg/Core/Dxe/DxeMain/DEBUG/AutoGen.h:17,
INFO -                  from <command-line>:
INFO - /usr/local/google/home/dionnaglaze/gitrepos/edk2/MdeModulePkg/Core/Dxe/Mem/Page.c:
In function ‘CoreEnableUnacceptedMemory’:
INFO - /usr/local/google/home/dionnaglaze/gitrepos/edk2/MdePkg/Include/Library/PcdLib.h:549:40:
error: implicit declaration of function
‘_PCD_SET_MODE_BOOL_S_PcdAcceptAllUnacceptedMemory’
[-Werror=implicit-function-declaration]
INFO -   549 | #define PcdSetBoolS(TokenName, Value)
_PCD_SET_MODE_BOOL_S_##TokenName    ((Value))
INFO -       |                                        ^~~~~~~~~~~~~~~~~~~~~
INFO - /usr/local/google/home/dionnaglaze/gitrepos/edk2/MdeModulePkg/Core/Dxe/Mem/Page.c:2232:10:
note: in expansion of macro ‘PcdSetBoolS’
INFO -  2232 |   return PcdSetBoolS(PcdAcceptAllUnacceptedMemory, FALSE);
INFO -       |          ^~~~~~~~~~~
INFO - cc1: all warnings being treated as errors
INFO - make: *** [GNUmakefile:452:
/usr/local/google/home/dionnaglaze/gitrepos/edk2/Build/OvmfX64/DEBUG_GCC5/X64/MdeModulePkg/Core/Dxe/DxeMain/OUTPUT/Mem/Page.obj]
Error 1
INFO -

What's the right way to do this?

-- 
-Dionna Glaze, PhD (she/her)

