I have some questions for the feature.
Take OVMF as an example, can a platform enforce the memory protection setting *at build time*? Or will every configuration come from *runtime*, such as QEMU Config? What is the current default behavior?
In case of configuration from QEMU runtime, a malicious QEMU MAY purposely downgrade the protection in CC use case. In order to detect such scenario, the QEMU configuration MUST be measured. Is that done in this patch set?
Thank you
Yao, Jiewen
> -----Original Message-----
> From: Taylor Beebe <taylor.d.beebe@gmail.com>
> Sent: Monday, October 9, 2023 8:07 AM
> To: devel@edk2.groups.io
> Cc: Abner Chang <abner.chang@amd.com>; Warkentin, Andrei
> <andrei.warkentin@intel.com>; Anatol Belski <anbelski@linux.microsoft.com>;
> Andrew Fish <afish@apple.com>; Anthony Perard <anthony.perard@citrix.com>;
> Ard Biesheuvel <ardb+tianocore@kernel.org>; Corvin Köhne
> <corvink@freebsd.org>; Bi, Dandan <dandan.bi@intel.com>; Dong, Eric
> <eric.dong@intel.com>; Aktas, Erdem <erdemaktas@google.com>; Gerd
> Hoffmann <kraxel@redhat.com>; Dong, Guo <guo.dong@intel.com>; Guo, Gua
> <gua.guo@intel.com>; James Bottomley <jejb@linux.ibm.com>; Lu, James
> <james.lu@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Jianyong Wu
> <jianyong.wu@arm.com>; Yao, Jiewen <jiewen.yao@intel.com>; Justen, Jordan L
> <jordan.l.justen@intel.com>; Julien Grall <julien@xen.org>; Leif Lindholm
> <quic_llindhol@quicinc.com>; Gao, Liming <gaoliming@byosoft.com.cn>; Michael
> Roth <michael.roth@amd.com>; Xu, Min M <min.m.xu@intel.com>; Peter
> Grehan <grehan@freebsd.org>; Kumar, Rahul R <rahul.r.kumar@intel.com>; Ni,
> Ray <ray.ni@intel.com>; Rebecca Cran <rebecca@bsdio.com>; Sami Mujawar
> <sami.mujawar@arm.com>; Rhodes, Sean <sean@starlabs.systems>; Sunil V L
> <sunilvl@ventanamicro.com>; Tom Lendacky <thomas.lendacky@amd.com>
> Subject: [PATCH v5 00/28] Implement Dynamic Memory Protection Settings
>
> Reference: https://github.com/tianocore/edk2/pull/4895
>
> v5:
> - Add a GrubCompat profile to SetMemoryProtectionsLib for compatibliity
> with older grub versions. This profile is now the default for ArmVirtPkg
> and OvmfPkg.
>
> -Add a FixedAtBuild PCD to ArmVirtPkg which is used to determine the memory
> protection profile used each boot. By default, the profile used is the
> GrubCompat profile.
>
> v4:
> -Update the memory protection profiles to align the allocated pools to the
> tail guard by default (patch 20).
>
> - Add a patch to create MemoryProtectionConfigLib which consolidates code
> for parsing the fw_cfg for the memory protection profile strings (patch 22).
>
> -Move the update to add QemuFwCfgParseString() to its own patch (patch 21).
>
> v3:
> - Fix incorrect ordering of the SetMemoryProtectionsLib profile definitions
> midway through the patch series by using C99 instantialization.
>
> - Update OvmfPkg to use the Release profile by default.
>
> - Update the method by which platform initialization in OvmfPkg associates
> the input FwCfg data with the platform memory protection settings. The new
> way will try to match the string in FwCfg with the profile name. If no match
> is found, the default profile is used.
>
> - SetMemoryProtectionsLib profile struct definition uses CHAR8 for the
> description and name strings instead of CHAR16.
>
> - A new patch has been added to copy the PEI PCD database from the HOB to a
> new buffer so HOB memory is not written to.
>
> - Move the call to protect HOB memory after NX and Heap Guard instantialization
> has occurred to avoid them overwritting the HOB protections.
>
> v2:
> - The previous version required the platform manage the HOB creation
> during PEI phase. v2 adds a new library, SetMemoryProtectionsLib, which
> offers an interface for setting, locking, and checking the memory protections
> for the boot. The settings are still backed by a HOB entry.
> SetMemoryProtectionsLib
> is a PEI/SEC only library as protections must be locked in by DxeHandoff().
>
> - The previous version had a separate MM and DXE library for getting the platform
> memory protection settings and populating the global for access. v2 consolidates
> these two libraries into a single GetMemoryProtectionsLib which has DXE and
> MM
> instances. The global populated is a union of the MM and DXE settings. The first
> 4 bytes of the union is the signature used to identify whether the global contains
> the DXE or MM settings.
>
> - Add a patch to page-align the DXE allocated HOB list and apply RO and NX
> to it during memory protection initialization.
>
> - Add a patch which checks the debug print level before executing the memory
> map dump routine. This saves several seconds of boot time on debug builds with
> memory protections active.
>
> - Remove unnecessary code consolidation from the patch series to make it easier
> to review. The code consolidation will be in a future patch series.
>
> - Add the ability to set the memory protection profile via the fw_cfg QEMU
> interface on OvmfPkg platforms. The cfg parsing library needs to be ported to
> ArmVirtPkg to enable the same functionality on ARM virtual platforms.
> ArmVirtPkg
> will use the Release protection profile by default.
>
> -Restructure the patch series to ensure bisectability as the memory logic
> is transitioned to use the Get and Set libraries one package at a time.
> The memory protection PCDs are still removed in this patch series to avoid
> confusing the interface and remove the ties to the legacy implementation.
>
> v1:
>
> In the past, memory protection settings were configured via FixedAtBuild PCDs,
> which resulted in a build-time configuration of memory mitigations. This
> approach limited the flexibility of applying mitigations to the
> system and made it difficult to update or adjust the settings post-build.
>
> In a design, the configuration interface has been revised to allow for dynamic
> configuration. This is achieved by setting memory protections via a library
> interface which stores/updates the memory protection settings in
> a GUIDed HOB, which is then consumed during and after DXE handoff.
>
> ArmVirtPkg will use the Release profile.
>
> Cc: Abner Chang <abner.chang@amd.com>
> Cc: Andrei Warkentin <andrei.warkentin@intel.com>
> Cc: Anatol Belski <anbelski@linux.microsoft.com>
> Cc: Andrew Fish <afish@apple.com>
> Cc: Anthony Perard <anthony.perard@citrix.com>
> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> Cc: Corvin Köhne <corvink@freebsd.org>
> Cc: Dandan Bi <dandan.bi@intel.com>
> Cc: Eric Dong <eric.dong@intel.com>
> Cc: Erdem Aktas <erdemaktas@google.com>
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Cc: Guo Dong <guo.dong@intel.com>
> Cc: Gua Guo <gua.guo@intel.com>
> Cc: James Bottomley <jejb@linux.ibm.com>
> Cc: James Lu <james.lu@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Jianyong Wu <jianyong.wu@arm.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Julien Grall <julien@xen.org>
> Cc: Leif Lindholm <quic_llindhol@quicinc.com>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
> Cc: Michael Roth <michael.roth@amd.com>
> Cc: Min Xu <min.m.xu@intel.com>
> Cc: Peter Grehan <grehan@freebsd.org>
> Cc: Rahul Kumar <rahul1.kumar@intel.com>
> Cc: Ray Ni <ray.ni@intel.com>
> Cc: Rebecca Cran <rebecca@bsdio.com>
> Cc: Sami Mujawar <sami.mujawar@arm.com>
> Cc: Sean Rhodes <sean@starlabs.systems>
> Cc: Sunil V L <sunilvl@ventanamicro.com>
> Cc: Tom Lendacky <thomas.lendacky@amd.com>
>
> Taylor Beebe (28):
> MdeModulePkg: Add DXE and MM Memory Protection Settings Definitions
> MdeModulePkg: Define SetMemoryProtectionsLib and
> GetMemoryProtectionsLib
> MdeModulePkg: Add NULL Instances for Get/SetMemoryProtectionsLib
> MdeModulePkg: Implement SetMemoryProtectionsLib and
> GetMemoryProtectionsLib
> MdeModulePkg: Copy PEI PCD Database Into New Buffer
> MdeModulePkg: Apply Protections to the HOB List
> MdeModulePkg: Check Print Level Before Dumping GCD Memory Map
> UefiCpuPkg: Always Set Stack Guard in MpPei Init
> ArmVirtPkg: Add Memory Protection Library Definitions to Platforms
> OvmfPkg: Add Memory Protection Library Definitions to Platforms
> OvmfPkg: Apply Memory Protections via SetMemoryProtectionsLib
> OvmfPkg: Update PeilessStartupLib to use SetMemoryProtectionsLib
> UefiPayloadPkg: Update DXE Handoff to use SetMemoryProtectionsLib
> MdeModulePkg: Update DXE Handoff to use SetMemoryProtectionsLib
> ArmPkg: Use GetMemoryProtectionsLib instead of Memory Protection PCDs
> EmulatorPkg: Use GetMemoryProtectionsLib instead of Memory Protection
> PCDs
> OvmfPkg: Use GetMemoryProtectionsLib instead of Memory Protection PCDs
> UefiCpuPkg: Use GetMemoryProtectionsLib instead of Memory Protection
> PCDs
> MdeModulePkg: Use GetMemoryProtectionsLib instead of Memory Protection
> PCDs
> MdeModulePkg: Add Additional Profiles to SetMemoryProtectionsLib
> OvmfPkg: Add QemuFwCfgParseString to QemuFwCfgSimpleParserLib
> OvmfPkg: Add MemoryProtectionConfigLib
> OvmfPkg: Enable Choosing Memory Protection Profile via QemuCfg
> ArmVirtPkg: Apply Memory Protections via SetMemoryProtectionsLib
> MdeModulePkg: Delete PCD Profile from SetMemoryProtectionsLib
> OvmfPkg: Delete Memory Protection PCDs
> ArmVirtPkg: Delete Memory Protection PCDs
> MdeModulePkg: Delete Memory Protection PCDs
>
> ArmPkg/Drivers/CpuDxe/CpuDxe.c | 5 +-
> ArmVirtPkg/MemoryInitPei/MemoryInitPeim.c | 7 +
> MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c | 4
> +-
> MdeModulePkg/Core/Dxe/Gcd/Gcd.c | 22 +-
> MdeModulePkg/Core/Dxe/Mem/HeapGuard.c | 46
> +-
> MdeModulePkg/Core/Dxe/Mem/Page.c | 2 +-
> MdeModulePkg/Core/Dxe/Mem/Pool.c | 4 +-
> MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c |
> 96 ++-
> MdeModulePkg/Core/DxeIplPeim/DxeHandoff.c | 4
> +-
> MdeModulePkg/Core/DxeIplPeim/DxeLoad.c | 2 +
> MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c |
> 9 +-
> MdeModulePkg/Core/DxeIplPeim/X64/DxeLoadFunc.c |
> 6 +-
> MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c |
> 16 +-
> MdeModulePkg/Core/PiSmmCore/HeapGuard.c | 29
> +-
> MdeModulePkg/Core/PiSmmCore/Pool.c | 4 +-
>
> MdeModulePkg/Library/GetMemoryProtectionsLib/DxeGetMemoryProtectionsLi
> b.c | 158 ++++
>
> MdeModulePkg/Library/GetMemoryProtectionsLib/GetMemoryProtectionsLibNu
> ll.c | 29 +
>
> MdeModulePkg/Library/GetMemoryProtectionsLib/MmGetMemoryProtectionsLi
> b.c | 124 +++
> MdeModulePkg/Library/SetMemoryProtectionsLib/SetMemoryProtectionsLib.c
> | 860 ++++++++++++++++++++
>
> MdeModulePkg/Library/SetMemoryProtectionsLib/SetMemoryProtectionsLibNull
> .c | 144 ++++
> MdeModulePkg/Universal/PCD/Dxe/Service.c | 6 +-
> OvmfPkg/Fdt/HighMemDxe/HighMemDxe.c | 5 +-
> OvmfPkg/Library/MemoryProtectionConfigLib/MemoryProtectionConfigLib.c
> | 118 +++
> OvmfPkg/Library/PeilessStartupLib/DxeLoad.c | 6 +-
> OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c | 22 +-
> OvmfPkg/Library/PeilessStartupLib/X64/VirtualMemory.c |
> 26 +-
> OvmfPkg/Library/PlatformInitLib/Platform.c | 15 -
> OvmfPkg/Library/QemuFwCfgSimpleParserLib/QemuFwCfgSimpleParser.c
> | 11 +
> OvmfPkg/PlatformPei/IntelTdx.c | 2 -
> OvmfPkg/PlatformPei/Platform.c | 36 +-
> OvmfPkg/QemuVideoDxe/VbeShim.c | 3 +-
> OvmfPkg/TdxDxe/TdxDxe.c | 7 +-
> UefiCpuPkg/CpuDxe/CpuDxe.c | 2 +-
> UefiCpuPkg/CpuDxe/CpuMp.c | 2 +-
> UefiCpuPkg/CpuMpPei/CpuMpPei.c | 8 +-
> UefiCpuPkg/CpuMpPei/CpuPaging.c | 16 +-
>
> UefiCpuPkg/Library/CpuExceptionHandlerLib/UnitTest/CpuExceptionHandlerTest
> Common.c | 6 +-
>
> UefiCpuPkg/Library/CpuExceptionHandlerLib/UnitTest/DxeCpuExceptionHandler
> UnitTest.c | 15 +
>
> UefiCpuPkg/Library/CpuExceptionHandlerLib/UnitTest/PeiCpuExceptionHandlerU
> nitTest.c | 21 +
> UefiCpuPkg/Library/MpInitLib/DxeMpLib.c | 3 +-
> UefiCpuPkg/PiSmmCpuDxeSmm/Ia32/PageTbl.c | 2
> +-
> UefiCpuPkg/PiSmmCpuDxeSmm/SmmCpuMemoryManagement.c
> | 13 +-
> UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c | 2
> +-
> UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c | 2
> +-
> UefiPayloadPkg/UefiPayloadEntry/Ia32/DxeLoadFunc.c |
> 11 +-
> UefiPayloadPkg/UefiPayloadEntry/LoadDxeCore.c | 2 +
> UefiPayloadPkg/UefiPayloadEntry/X64/DxeLoadFunc.c | 8
> +-
> UefiPayloadPkg/UefiPayloadEntry/X64/VirtualMemory.c |
> 15 +-
> ArmPkg/ArmPkg.dsc | 1 +
> ArmPkg/Drivers/CpuDxe/CpuDxe.inf | 2 +-
> ArmVirtPkg/ArmVirt.dsc.inc | 21 +-
> ArmVirtPkg/ArmVirtCloudHv.dsc | 5 -
> ArmVirtPkg/ArmVirtPkg.dec | 7 +
> ArmVirtPkg/ArmVirtQemu.dsc | 5 -
> ArmVirtPkg/MemoryInitPei/MemoryInitPeim.inf | 3 +
> EmulatorPkg/EmulatorPkg.dsc | 3 +-
> MdeModulePkg/Core/Dxe/DxeMain.h | 1 +
> MdeModulePkg/Core/Dxe/DxeMain.inf | 9 +-
> MdeModulePkg/Core/DxeIplPeim/DxeIpl.h | 3 +
> MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf | 11 +-
> MdeModulePkg/Core/PiSmmCore/PiSmmCore.h | 1
> +
> MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf | 4
> +-
> MdeModulePkg/Include/Guid/MemoryProtectionSettings.h |
> 216 +++++
> MdeModulePkg/Include/Library/GetMemoryProtectionsLib.h
> | 83 ++
> MdeModulePkg/Include/Library/SetMemoryProtectionsLib.h
> | 158 ++++
>
> MdeModulePkg/Library/GetMemoryProtectionsLib/DxeGetMemoryProtectionsLi
> b.inf | 34 +
>
> MdeModulePkg/Library/GetMemoryProtectionsLib/GetMemoryProtectionsLibNu
> ll.inf | 25 +
>
> MdeModulePkg/Library/GetMemoryProtectionsLib/MmGetMemoryProtectionsLi
> b.inf | 34 +
> MdeModulePkg/Library/SetMemoryProtectionsLib/SetMemoryProtectionsLib.inf
> | 37 +
>
> MdeModulePkg/Library/SetMemoryProtectionsLib/SetMemoryProtectionsLibNull
> .inf | 25 +
> MdeModulePkg/MdeModulePkg.dec | 182 +----
> MdeModulePkg/MdeModulePkg.dsc | 7 +
> MdeModulePkg/MdeModulePkg.uni | 153 ----
> OvmfPkg/AmdSev/AmdSevX64.dsc | 4 +-
> OvmfPkg/Bhyve/BhyveX64.dsc | 4 +-
> OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf | 1 -
> OvmfPkg/CloudHv/CloudHvX64.dsc | 4 +-
> OvmfPkg/Fdt/HighMemDxe/HighMemDxe.inf | 4 +-
> OvmfPkg/Include/Dsc/MemoryProtectionLibraries.dsc.inc |
> 16 +
> OvmfPkg/Include/Library/MemoryProtectionConfigLib.h |
> 49 ++
> OvmfPkg/Include/Library/PlatformInitLib.h | 13 -
> OvmfPkg/Include/Library/QemuFwCfgSimpleParserLib.h |
> 8 +
> OvmfPkg/IntelTdx/IntelTdxX64.dsc | 5 +-
> OvmfPkg/Library/MemoryProtectionConfigLib/MemoryProtectionConfigLib.inf
> | 35 +
> OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf | 6
> +-
> OvmfPkg/Microvm/MicrovmX64.dsc | 5 +-
> OvmfPkg/OvmfPkg.dec | 4 +
> OvmfPkg/OvmfPkgIa32.dsc | 4 +-
> OvmfPkg/OvmfPkgIa32X64.dsc | 4 +-
> OvmfPkg/OvmfPkgX64.dsc | 4 +-
> OvmfPkg/OvmfXen.dsc | 5 +-
> OvmfPkg/PlatformCI/PlatformBuildLib.py | 8 +
> OvmfPkg/PlatformPei/PlatformPei.inf | 3 +-
> OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf | 2 +-
> OvmfPkg/RiscVVirt/RiscVVirt.dsc.inc | 13 -
> OvmfPkg/RiscVVirt/RiscVVirtQemu.dsc | 2 +
> OvmfPkg/TdxDxe/TdxDxe.inf | 1 -
> UefiCpuPkg/CpuDxe/CpuDxe.h | 11 +-
> UefiCpuPkg/CpuDxe/CpuDxe.inf | 4 +-
> UefiCpuPkg/CpuDxeRiscV64/CpuDxeRiscV64.inf | 3 -
> UefiCpuPkg/CpuMpPei/CpuMpPei.h | 3 +-
> UefiCpuPkg/CpuMpPei/CpuMpPei.inf | 1 -
> UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib.inf
> | 1 -
> UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuExceptionHandlerLib.inf
> | 1 -
> UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.inf
> | 1 -
> UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLib.inf
> | 1 -
>
> UefiCpuPkg/Library/CpuExceptionHandlerLib/UnitTest/CpuExceptionHandlerTest.
> h | 13 +-
>
> UefiCpuPkg/Library/CpuExceptionHandlerLib/UnitTest/DxeCpuExceptionHandler
> LibUnitTest.inf | 2 +-
>
> UefiCpuPkg/Library/CpuExceptionHandlerLib/UnitTest/PeiCpuExceptionHandlerLi
> bUnitTest.inf | 2 +-
> UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf | 3 +-
> UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.inf
> | 3 +-
> UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfileInternal.h |
> 9 +-
> UefiCpuPkg/UefiCpuPkg.dec | 7 +-
> UefiCpuPkg/UefiCpuPkg.dsc | 2 +
> UefiCpuPkg/UefiCpuPkg.uni | 10 +-
> UefiPayloadPkg/UefiPayloadEntry/UefiPayloadEntry.h | 1
> +
> UefiPayloadPkg/UefiPayloadEntry/UefiPayloadEntry.inf | 9
> +-
> UefiPayloadPkg/UefiPayloadEntry/UniversalPayloadEntry.inf |
> 9 +-
> UefiPayloadPkg/UefiPayloadPkg.dsc | 13 +
> 119 files changed, 2609 insertions(+), 690 deletions(-)
> create mode 100644
> MdeModulePkg/Library/GetMemoryProtectionsLib/DxeGetMemoryProtectionsLi
> b.c
> create mode 100644
> MdeModulePkg/Library/GetMemoryProtectionsLib/GetMemoryProtectionsLibNu
> ll.c
> create mode 100644
> MdeModulePkg/Library/GetMemoryProtectionsLib/MmGetMemoryProtectionsLi
> b.c
> create mode 100644
> MdeModulePkg/Library/SetMemoryProtectionsLib/SetMemoryProtectionsLib.c
> create mode 100644
> MdeModulePkg/Library/SetMemoryProtectionsLib/SetMemoryProtectionsLibNull
> .c
> create mode 100644
> OvmfPkg/Library/MemoryProtectionConfigLib/MemoryProtectionConfigLib.c
> create mode 100644 MdeModulePkg/Include/Guid/MemoryProtectionSettings.h
> create mode 100644
> MdeModulePkg/Include/Library/GetMemoryProtectionsLib.h
> create mode 100644
> MdeModulePkg/Include/Library/SetMemoryProtectionsLib.h
> create mode 100644
> MdeModulePkg/Library/GetMemoryProtectionsLib/DxeGetMemoryProtectionsLi
> b.inf
> create mode 100644
> MdeModulePkg/Library/GetMemoryProtectionsLib/GetMemoryProtectionsLibNu
> ll.inf
> create mode 100644
> MdeModulePkg/Library/GetMemoryProtectionsLib/MmGetMemoryProtectionsLi
> b.inf
> create mode 100644
> MdeModulePkg/Library/SetMemoryProtectionsLib/SetMemoryProtectionsLib.inf
> create mode 100644
> MdeModulePkg/Library/SetMemoryProtectionsLib/SetMemoryProtectionsLibNull
> .inf
> create mode 100644 OvmfPkg/Include/Dsc/MemoryProtectionLibraries.dsc.inc
> create mode 100644 OvmfPkg/Include/Library/MemoryProtectionConfigLib.h
> create mode 100644
> OvmfPkg/Library/MemoryProtectionConfigLib/MemoryProtectionConfigLib.inf
>
> --
> 2.42.0.windows.2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#109454): https://edk2.groups.io/g/devel/message/109454
Mute This Topic: https://groups.io/mt/101843339/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-