From: "Taylor Beebe" To: devel@edk2.groups.io Cc: Ard Biesheuvel , Jiewen Yao , Jordan Justen , Gerd Hoffmann Subject: [edk2-devel] [PATCH v4 11/28] OvmfPkg: Apply Memory Protections via SetMemoryProtectionsLib Date: Tue, 19 Sep 2023 17:57:34 -0700 Message-ID: <20230920005752.2041-12-taylor.d.beebe@gmail.com> In-Reply-To: <20230920005752.2041-1-taylor.d.beebe@gmail.com> References: <20230920005752.2041-1-taylor.d.beebe@gmail.com> MIME-Version: 1.0 Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,taylor.d.beebe@gmail.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1695171496055100049 Content-Type: text/plain; charset="utf-8" Use SetMemoryProtectionsLib to set the memory protections for the platform in both normal and PEI-less boot. The protections set are equivalent to the PCD settings and the ability to set NxForStack via QemuCfg is preserved. Once the transition to use SetMemoryProtectionsLib and GetMemoryProtectionsLib is complete in the rest of EDK2, the mechanics of setting protections in OvmfPkg will be updated and the memory protection PCDs will be deleted. Signed-off-by: Taylor Beebe Cc: Ard Biesheuvel Cc: Jiewen Yao Cc: Jordan Justen Cc: Gerd Hoffmann --- OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c | 15 +++++++++++++= -- OvmfPkg/PlatformPei/Platform.c | 15 +++++++++++++= -- OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf | 3 +++ OvmfPkg/PlatformPei/PlatformPei.inf | 1 + 4 files changed, 30 insertions(+), 4 deletions(-) diff --git a/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c b/OvmfPkg/L= ibrary/PeilessStartupLib/PeilessStartup.c index 1632a2317718..cf645aad3246 100644 --- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c 
+++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c @@ -14,10 +14,13 @@ #include #include #include +#include #include #include #include #include +#include +#include #include #include #include @@ -42,7 +45,9 @@ InitializePlatform ( EFI_HOB_PLATFORM_INFO *PlatformInfoHob ) { - VOID *VariableStore; + VOID *VariableStore; + DXE_MEMORY_PROTECTION_SETTINGS DxeSettings; + MM_MEMORY_PROTECTION_SETTINGS MmSettings; =20 DEBUG ((DEBUG_INFO, "InitializePlatform in Pei-less boot\n")); PlatformDebugDumpCmos (); @@ -104,7 +109,13 @@ InitializePlatform ( =20 PlatformMemMapInitialization (PlatformInfoHob); =20 - PlatformNoexecDxeInitialization (PlatformInfoHob); + DxeSettings =3D DxeMemoryProtectionProfi= les[DxeMemoryProtectionSettingsPcd].Settings; + MmSettings =3D MmMemoryProtectionProfil= es[MmMemoryProtectionSettingsPcd].Settings; + DxeSettings.StackExecutionProtectionEnabled =3D PcdGetBool (PcdSetNxForS= tack); + QemuFwCfgParseBool ("opt/ovmf/PcdSetNxForStack", &DxeSettings.StackExecu= tionProtectionEnabled); + + SetDxeMemoryProtectionSettings (&DxeSettings, DxeMemoryProtectionSetting= sPcd); + SetMmMemoryProtectionSettings (&MmSettings, MmMemoryProtectionSettingsPc= d); =20 if (TdIsEnabled ()) { PlatformInfoHob->PcdConfidentialComputingGuestAttr =3D CCAttrIntelTdx; diff --git a/OvmfPkg/PlatformPei/Platform.c b/OvmfPkg/PlatformPei/Platform.c index f5dc41c3a8c4..bcd8d3a1be14 100644 --- a/OvmfPkg/PlatformPei/Platform.c +++ b/OvmfPkg/PlatformPei/Platform.c @@ -38,6 +38,7 @@ #include #include #include +#include =20 #include "Platform.h" =20 @@ -304,8 +305,10 @@ InitializePlatform ( IN CONST EFI_PEI_SERVICES **PeiServices ) { - EFI_HOB_PLATFORM_INFO *PlatformInfoHob; - EFI_STATUS Status; + EFI_HOB_PLATFORM_INFO *PlatformInfoHob; + EFI_STATUS Status; + DXE_MEMORY_PROTECTION_SETTINGS DxeSettings; + MM_MEMORY_PROTECTION_SETTINGS MmSettings; =20 DEBUG ((DEBUG_INFO, "Platform PEIM Loaded\n")); PlatformInfoHob =3D BuildPlatformInfoHob (); 
@@ -342,6 +345,14 @@ InitializePlatform ( =20 PublishPeiMemory (PlatformInfoHob); =20 + DxeSettings =3D DxeMemoryProtectionProfi= les[DxeMemoryProtectionSettingsPcd].Settings; + MmSettings =3D MmMemoryProtectionProfil= es[MmMemoryProtectionSettingsPcd].Settings; + DxeSettings.StackExecutionProtectionEnabled =3D PcdGetBool (PcdSetNxForS= tack); + QemuFwCfgParseBool ("opt/ovmf/PcdSetNxForStack", &DxeSettings.StackExecu= tionProtectionEnabled); + + SetDxeMemoryProtectionSettings (&DxeSettings, DxeMemoryProtectionSetting= sPcd); + SetMmMemoryProtectionSettings (&MmSettings, MmMemoryProtectionSettingsPc= d); + PlatformQemuUc32BaseInitialization (PlatformInfoHob); =20 InitializeRamRegions (PlatformInfoHob); diff --git a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf b/Ovmf= Pkg/Library/PeilessStartupLib/PeilessStartupLib.inf index 585d50463748..f0a8a5a56df4 100644 --- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf +++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf @@ -56,6 +56,8 @@ [LibraryClasses] PrePiLib QemuFwCfgLib PlatformInitLib + SetMemoryProtectionsLib + QemuFwCfgSimpleParserLib =20 [Guids] gEfiHobMemoryAllocModuleGuid @@ -81,6 +83,7 @@ [Pcd] gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy ## SOMETIM= ES_CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask ##= CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdNullPointerDetectionPropertyMask ##= CONSUMES + gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack ##= CONSUMES gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvSize gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootSupported diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/Plat= formPei.inf index 3934aeed9514..6b8442d12b2c 100644 --- a/OvmfPkg/PlatformPei/PlatformPei.inf +++ b/OvmfPkg/PlatformPei/PlatformPei.inf 
@@ -65,6 +65,7 @@ [LibraryClasses] PcdLib CcExitLib PlatformInitLib + SetMemoryProtectionsLib =20 [Pcd] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase --=20 2.42.0.windows.2 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#108873): https://edk2.groups.io/g/devel/message/108873 Mute This Topic: https://groups.io/mt/101469949/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
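Review bot: In the PeilessStartup.c InitializePlatform hunk, the fw_cfg override is applied only to the local copy (`QemuFwCfgParseBool ("opt/ovmf/PcdSetNxForStack", &DxeSettings.StackExecutionProtectionEnabled);`) and nothing writes it back to PcdSetNxForStack, so for as long as the transition described in the commit message is incomplete, any remaining consumer of the PCD will see the build-time value rather than the QEMU-supplied one; either state in a comment that the PCD is intentionally left untouched, or set it as well. The EFI_STATUS returned by QemuFwCfgParseBool is also dropped; a short comment that an absent or malformed key deliberately keeps the PCD default would make that intent explicit to the next reader.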
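Review bot: The Platform.c InitializePlatform hunk duplicates the same seven-line block (profile lookup, PcdGetBool, QemuFwCfgParseBool, the two Set*MemoryProtectionSettings calls) that the PeilessStartup.c hunk introduces; since both files already delegate shared setup to Platform*Initialization helpers in PlatformInitLib, moving this block into one such helper would keep the PEI and PEI-less paths from drifting. Note also the asymmetry: the PeilessStartup.c hunk removes the `PlatformNoexecDxeInitialization (PlatformInfoHob);` call, but the Platform.c hunk shows no corresponding removal; please confirm whether the PEI path still calls it and, if so, whether that call is now redundant.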
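Review bot: The PlatformPei.inf hunk adds only `SetMemoryProtectionsLib` under [LibraryClasses], yet the Platform.c hunk now calls QemuFwCfgParseBool and PcdGetBool (PcdSetNxForStack); the PeilessStartupLib.inf hunks add `QemuFwCfgSimpleParserLib` and `gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack ## CONSUMES` explicitly, so please confirm that PlatformPei.inf already lists both, otherwise the module will fail to link or the PCD access will be rejected at build time.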