Improve OpalDriverGetDriverDeviceName function that gets device name
through the component name protocol. Currently the function searches for
all handles (as controller handle) to find the right GetControllerName
service for the child handle. The update improves the way to get device
name and supports better performance (e.g. 1681(μs) -> 3(μs) for 1 NVMe
device). This can prevent a compatibility issue for GetControllerName
service of some drivers, which is not flexible for handle parameter
information (e.g. it was found that an EFI driver caused an exception
error/hang when GetControllerName service for the driver is called in
OpalDriverGetDeviceNameByProtocol function).
Signed-off-by: Phil Noh <Phil.Noh@amd.com>
AmdSvsmLib currently doesn't check if SNP enabled, thus using AmdSvsmLib
may errantly cause the caller code to believe SVSM is present. This
leads to boot failure on non-SNP enabled VMs.
We use the PcdConfidentialComputingGuestAttr since it remains valid
after MpInitLib runs which invalidates PcdSevEsWorkArea's cached
sev-status msr which we use to check for SNP enabled in other places.
The added functions ConfidentialComputingGuestHas() and
AmdMemEncryptionAttrCheck() are copied from MpLib.c, which is intended
to be replaced later on with a more minimal library perhaps in MdePkg to
cleanup some of the circular dependencies currently surrounding SvsmLib.
Signed-off-by: Jacob Xu <jacobhxu@google.com>
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
Suggested-by: Tom Lendacky <thomas.lendacky@amd.com>
This commit adds the ability to skip the setting the Dbx variable if
the Default being provided is less than the size of the
EFI_SIGNATURE_LIST structure. This is to prevent the
setting of an invalid DBX which would cause the system to fail to boot.
Additionally, this can be used to signal that setting the DBX
should leave DBX undefined for Platforms that want to let the OS
be the sole servicer of the DBX.
Breakdown of the math is as follows:
1. **`sizeof(EFI_SIGNATURE_LIST)`**:
- This is the size of the `EFI_SIGNATURE_LIST` structure itself,
which includes:
- `EFI_GUID SignatureType` (16 bytes)
- `UINT32 SignatureListSize` (4 bytes)
- `UINT32 SignatureHeaderSize` (4 bytes)
- `UINT32 SignatureSize` (4 bytes)
- Total: `16 + 4 + 4 + 4 = 28 bytes`
2. **`SignatureHeaderSize`**:
- This is the size of the optional signature header. If no header is
provided, this value is `0`.
3. **`SignatureSize`**:
- This is the size of each `EFI_SIGNATURE_DATA` entry. For an empty
list, this value is `0`.
The total size of an empty `EFI_SIGNATURE_LIST` is:
```c
sizeof(EFI_SIGNATURE_LIST) + SignatureHeaderSize
```
1. **No Signature Header**:
- If `SignatureHeaderSize = 0`, the size is:
```c
28 + 0 = 28 bytes
```
2. **With a Signature Header**:
- If `SignatureHeaderSize = 16` (example size for a header), the
size is:
```c
28 + 16 = 44 bytes
```
- **Minimum Size**: `28 bytes` (if `SignatureHeaderSize = 0`).
- **Additional Size**: Add the value of `SignatureHeaderSize` if a
header is included.
Signed-off-by: Doug Flick <dougflick@microsoft.com>
RsaGetPublicKeyFromX509 allocates memory for RsaContext parameter
and the memory allocated earlier is not necessary
Signed-off-by: Anbazhagan Baraneedharan <anbazhagan@hp.com>
When a USB mass storage device is not ready (e.g., still powering up
or the hard disk has not reached the desired RPM), the ExecCommand
function fails.This failure is not a true error. Logging it as
DEBUG_ERROR will generate logs for properly functioning devices as
well, potentially flooding logs for older devices.
As mentioned in the command, proper error information retrieval
should occur in the sense request. The solution is to downgrade
the log level from DEBUG_ERROR to DEBUG_INFO.
Signed-off-by: Jack Pham <jackp@qti.qualcomm.com>
During USB mass storage enumeration, if a USB transfer fails due to any
other reason, UsbMassStorageDxe will attempt to reset the device.
With the commit ed07a2bb11 ("MdeModulePkg/UsbBusDxe: USB issue fix when
the port reset"), UsbIoPortReset now tears down the USB device context
and reinstalls it (via DisconnectController & ConnectController).
This process is not handled by the UsbMassDriver, causing the upper
layer to access an old pointer that has been freed during the teardown,
leading to a crash.
Example:
UsbMassReadBlocks (Failed)
-> UsbMassReset
-> UsbBotResetDevice
-> UsbIoPortReset (teardown + reinstall and return)
Now the UsbBot context pointer is invalidated and pointing to freed
memory.
-> UsbBot->UsbIo->UsbControlTransfer() therefore accesses a invalid
pointer and crashes.
The fix is to ignore the ExtendedVerification, which is supposed to
perform a more exhaustive verification operation during the reset. In
MassStorageDxe, ExtendedVerification perform the parent port reset
(UsbIoPortReset). Ultimately, the MassStorage device should not reset
the parent port due to a transfer error. By not performing any extended
verification, the teardown is prevented, thereby avoiding the crash.
Signed-off-by: Jack Pham <jackp@qti.qualcomm.com>
The following example fails to be parsed correctly due to Size
being used in the outer scope but initialized in the inner
scope
```
gPlatformPkgTokenSpaceGuid.PcdSecureBootDbxBinaryFile|{}
```
Problematic code:
```python
for Item in NewPcdValueList:
Size = 0
# ....
if Size > 0:
PcdValue = '{' + ', '.join(AllPcdValueList) + '}'
````
Signed-off-by: Doug Flick <dougflick@microsoft.com>
In general, for all HOB related content, the HOB structures must be designed so that natural alignment across all execution modes and byte-packed alignment are the same. Ensure ReturnStatus is aligned on 64 bit to achieve the same.
Signed-off-by: Dhaval Sharma <dhaval@rivosinc.com>
IntelMmSaveStateLib and SmmCpuPlatformHookLibNull were limited to
DXE_SMM_DRIVER MM_STANDALONE, where as previously not supported module
types were listed.
Add MM_CORE_STANDALONE as a supported module type for these libraries.
Signed-off-by: Aaron Pop <aaronpop@microsoft.com>
AArch64 no longer uses PcdVFPEnabled, so make the definition ARM-specific
and stop explicitly setting it for AArch64 platforms.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Leif Lindholm <leif.lindholm@oss.qualcomm.com>
CpuDxe no longer uses PcdVFPEnabled, so drop the dependency
declaration before turning that Pcd ARM-only.
Signed-off-by: Leif Lindholm <leif.lindholm@oss.qualcomm.com>
UEFI defines that FP support is required on AArch64, whereas many
platforms enable it anyway on Arm. But when it's enabled, C code can
generate instructions targeting FP registers, so:
- move ArmEnableVFP call to asm
- make it unconditional on AArch64
Signed-off-by: Leif Lindholm <leif.lindholm@oss.qualcomm.com>
UEFI defines that FP support is required on AArch64, whereas ArmVirtPkg
enables it anyway on Arm. But when it's enabled, C code can generate
instructions targeting FP registers, so:
- move ArmEnableVFP call to asm
- make it unconditional on AArch64
Signed-off-by: Leif Lindholm <leif.lindholm@oss.qualcomm.com>
After d433b4c8e4 ("OvmfPkg/PlatformBootManagerLib: Register UiApp as
an optional boot option") UiApp can be found among the boot options
without the LOAD_OPTION_HIDDEN flag set. This means that it can appear
in the list of available entries. This can be confusing.
Starting from the UiApp guid, add a check on the Device Path on all the
available entries, if it matches, skip the entry.
Signed-off-by: Luigi Leonardi <leonardi@redhat.com>
When using the replace function, if the replaced file
located in a compress section, then the tool will re-build
the section. As the compress status set in the wrong place,
in some situation, the compress will do twice times which is
a wrong behavior.
This patch is used to fix this issue.
Cc: Rebecca Cran <rebecca@bsdio.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Bob Feng <bob.c.feng@intel.com>
Cc: Ashraf Ali S <ashraf.ali.s@intel.com>
Signed-off-by: Yuwei Chen <yuwei.chen@intel.com>
Currently, ArmFfaLib uses an internally defined Guided HOB to pass
information about the Rx/Tx buffer set up by the first executing agent.
However, the GUID definition is solely specified in the DEC file, which
is inconsistent with other GUID definitions in MdeModulePkg. This change
relocates the GUID definition to the Include/Guid folder to ensure
consistency across the package.
Signed-off-by: Kun Qin <kun.qin@microsoft.com>
ArmFfaLib is an implementation of an industry specification-defined
interface with UEFI specific method of handling Rx/Tx buffer sharing
across multiple boot phases, which is more appropriately placed in
MdeModulePkg.
This update relocates the implementation of ArmFfaLib to MdeModulePkg,
thereby supporting the FFA call primitives for all other packages that
depend on this interface.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Kun Qin <kun.qin@microsoft.com>
As a set of definitions from an industry specification-defined interface,
ArmFfaLib.h is more appropriately placed in MdePkg.
This update relocates both the header definition of ArmFfaLib to MdePkg,
thereby supporting the monitor call primitives for all other packages
that depend on this interface.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Kun Qin <kun.qin@microsoft.com>
As an implementation of an industry specification-defined interface,
ArmSvcLib is more appropriately placed in MdePkg.
This update relocates both the header definition and the implementation
of ArmSvcLib to MdePkg, thereby supporting the supervisor call primitives
for all other packages that depend on this interface.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Kun Qin <kun.qin@microsoft.com>
ArmSmcLibNull is a null implementation of an industry specification-
defined interface, which is defined in MdePkg.
This update relocates the null implementation of ArmSmcLib to MdePkg,
thereby supporting the monitor call primitives for ARM platforms that
does not have SMC capabilities.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Kun Qin <kun.qin@microsoft.com>
As an implementation of an industry specification-defined interface,
ArmSmcLib is more appropriately placed in MdePkg.
This update relocates both the header definition and the implementation
of ArmSmcLib to MdePkg, thereby supporting the monitor call primitives
for all other packages that depend on this interface.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Kun Qin <kun.qin@microsoft.com>
ArmFfaBootInfo.h, ArmFfaPartInfo.h and ArmFfaSvc.h comprise a set of
definitions established by industry standard specifications:
https://developer.arm.com/documentation/den0077/latest
This update relocates the header definitions from ArmPkg to MdePkg to
maintain consistency within the EDK2 layout.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Kun Qin <kun.qin@microsoft.com>
ArmStdSmc.h comprises a set of definitions established by an industry
standard specification:
https://developer.arm.com/documentation/den0028/latest/
This update relocates the header definition from ArmPkg to MdePkg to
maintain consistency within the EDK2 repo layout.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Kun Qin <kun.qin@microsoft.com>
This adds support for FVB in order to support a platform-independent
non-volatile variable store on UefiPayloadPkg. The variable store makes
use of the SmmStoreLib to provide an unauthenticated variable store.
Since commit bc744f5893fc4d53275ed26dd8d968011c6a09c1 coreboot supports
the SMMSTORE v2 feature. It implements an SMI handler that is able to
write, read and erase pages in the boot media (SPI flash).
The communication is done using a fixed communication buffer that is
allocated in CBMEM. The existence of this optional feature is advertised
by a coreboot table. When the SMMSTORE feature is not available, the
variable emulation is used by setting PcdEmuVariableNvModeEnable to
TRUE.
The DXE component provides runtime services and takes care of virtual to
physical mapping the communication buffers between SMM and OS.
The contents of the variable store can be accessed and modified by any
privileged application. As authentication is done by runtime services
only the store shouldn't be used to store authenticated variables.
Tested on Linux and Windows on a variety of real hardware.
This can also be tested in QEMU starting with coreboot 24.12 using
qemu-q35 board.
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Signed-off-by: Sean Rhodes <sean@starlabs.systems>
Signed-off-by: Matt DeVillier <matt.devillier@gmail.com>
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
Implement all of the FVB protocol functions on top of the SmmStore
as a library. The library consumes the introduced
gEfiSmmStoreInfoHobGuid.
The SMI handler uses a fixed communication buffer in reserved DRAM.
To initiate a transaction you must write to the I/O APM_CNT port.
Tests on Intel(R) Xeon(R) E-2288G CPU @ 3.70G showed that the SMI isn't
triggered with a probability of 1:40 of all cases when called in a tight
loop. The CPU continues running and the SMI is triggered asynchronously
a few clock cycles later. coreboot only handles synchronous APM request
and does nothing on asynchronous APM triggers.
As there's no livesign from SMM it's impossible to tell if the handler
has run. Just wait a bit and try again to trigger a synchronous SMI.
Tests confirmed that out of 5 million tries the SMI is now always
handled.
When a synchronous SMI happens with the correct write to the APM_CNT
port, the ebx register is checked first that it doesn't point to SMRAM.
If it doesn't it's used to read in the arguments that define an SmmStore
transaction.
The SMI handler will only operate on a predefined and memory mapped
region in the boot media.
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
Add a new InfoHob that contains the SmmStore information passed from
coreboot tables when the SMMSTOREV2 feature is enabled.
This will be used to implement the FVB on top of the SMI installed by
coreboot.
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
Since commit bc744f5893fc4d53275ed26dd8d968011c6a09c1 coreboot supports
the SMMSTORE v2 feature. It implements an SMI handler that is able to
write, read and erase pages in the boot media (SPI flash).
The existence of this optional feature is advertised by a coreboot
table.
Add the tag and header definition to be able to parse the table.
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
In edk2-stable202502, the increase in code space caused an increase in
size, leading to build failures for OVMF under the 2MB size limit due
to insufficient space, because FVMAIN_COMPACT had insufficient space.
This patch adjusts the memory layout by reducing SEVFV size by 0x10000,
as its usage is below 50%, and reallocates the freed 0x10000 space to
FVMAIN_COMPACT. This ensures sufficient space to accommodate all code
within the FD_SIZE_2MB.
Signed-off-by: Richard Lyu <richard.lyu@suse.com>
Include PerformanceLib for StandaloneMmCore, add performance logging for
MM driver loading and starting.
Add FV_FILEPATH_DEVICE_PATH into Loaded Image protocol for MM driver,
then StandaloneMmCorePerformanceLib can get the FILE_GUID from the device
path.
Signed-off-by: Wei6 Xu <wei6.xu@intel.com>
OVMF SmbiosVersionLib applies to QEMU SMBIOS only, it does not
work on Bare Metal platform. Drop SmbiosVersionLib dependency
for SmbiosDxe on AArch64 architecture.
Signed-off-by: Ajan Zhong <ajan.zhong@newfw.com>
This commit updates the SecurityFixes.yaml file to include
information about the CVE-2024-38797 vulnerability.
Signed-off-by: Doug Flick <DougFlick@microsoft.com>
Namely:
(1) The TWO_BYTE_ENCODE check is independent of Index. If it evalutes
to TRUE for Index==0, then it will evaluate to TRUE for all other
Index values as well. As a result, the (Index == HASHALG_MAX)
condition will fire after the loop, and we'll return
EFI_UNSUPPORTED.
While this is correct, functionally speaking, it is wasteful to
keep re-checking TWO_BYTE_ENCODE in the loop body. The check
should be made at the top of the function, and EFI_UNSUPPORTED
should be returned at once, if appropriate.
(2) If the hash algorithm selected by Index has such a large OID that
the OID comparison cannot even be performed (because AuthDataSize
is not large enough for containing the OID in question, starting
at offset 32), then the function returns EFI_UNSUPPORTED at once.
This is bogus; this case should simply be treated as an OID
mismatch, and the loop should advance to the next Index value /
hash algorithm candidate. A remaining hash algo may have a shorter
OID and yield an OID match.
Signed-off-by: Doug Flick <DougFlick@microsoft.com>
Namely:
(1) The TWO_BYTE_ENCODE check is independent of Index. If it evalutes
to TRUE for Index==0, then it will evaluate to TRUE for all other
Index values as well. As a result, the (Index == HASHALG_MAX)
condition will fire after the loop, and we'll return
EFI_UNSUPPORTED.
While this is correct, functionally speaking, it is wasteful to
keep re-checking TWO_BYTE_ENCODE in the loop body. The check
should be made at the top of the function, and EFI_UNSUPPORTED
should be returned at once, if appropriate.
(2) If the hash algorithm selected by Index has such a large OID that
the OID comparison cannot even be performed (because AuthDataSize
is not large enough for containing the OID in question, starting
at offset 32), then the function returns EFI_UNSUPPORTED at once.
This is bogus; this case should simply be treated as an OID
mismatch, and the loop should advance to the next Index value /
hash algorithm candidate. A remaining hash algo may have a shorter
OID and yield an OID match.
Signed-off-by: Doug Flick <DougFlick@microsoft.com>
In HashPeImageByType(), the hash of PE/COFF image is calculated.
This function may get untrusted input.
Inside this function, the following code verifies the loaded image has
the correct format, by reading the second byte of the buffer.
```c
if ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
...
}
```
The input image is not trusted and that may not have the second byte to
read. So this poses an out of bound read error.
With below fix we are assuring that we don't do out of bound read. i.e,
we make sure that AuthDataSize is greater than 1.
```c
if (AuthDataSize > 1
&& (*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE){
...
}
```
AuthDataSize size is verified before reading the second byte.
So if AuthDataSize is less than 2, the second byte will not be read, and
the out of bound read situation won't occur.
Tested the patch on real platform with and without TPM connected and
verified image is booting fine.
Authored-by: Raj AlwinX Selvaraj <Alw...@intel.com>
Signed-off-by: Doug Flick <DougFlick@microsoft.com>
Added switch case for ArmV9 processor family inside function
DisplayProcessorFamily2 in PrintInfo.c to avoid inappropriate data
shown while accessing Type 4 Smbios table. ArmV9 processor family
is added in Smbios Spec 3.8 which should be noted.
Signed-off-by: Praveen Sankar N <praveensankarn@ami.com>
When a module M depends on L1, which depends on L2,
which depends on L3, the build fails when the library instance
of L3 cannot be found according to the library class-instance
mapping configuration specified in the DSC file.
When such failure happens, the build tool only prints that the
instance of L3 required by module M cannot be found. But it
does not tell how L3 is required by M.
The change enhances build tool to print the entire dependency
chain when such failure happens.
With the change, the new error message will be as follows:
<dsc-path>(...): error 4000: Instance of library class [L3] is not
found for module [M], [L3] is:
consumed by <instance of L2>
consumed by <instance of L1>
Signed-off-by: Ray Ni <ray.ni@intel.com>
Recent AMD platforms reserve parts of the lower DRAM where UefiPayload is
being loaded to and since UefiPayloadEntry doesn't care, it uses the reserved
memory for HOB and memory allocation.
The bootloader cannot prevent this, as it can only place the UEFI FV in
usable DRAM, but it has no control over EfiBootService memory allocations.
This issue prevents boot on those platforms without any specific error message.
It's not vendor specific and can happen on every platform.
Add the same logic as used on UniversalPayload and do the following:
- Walk bootloader provided memory information
- Skip everything that's not marked as usable DRAM
- Align entries to 1MiB boundary
- Don't use memory above 4GiB on x86_32
- Skip memory ranges too small
- Don't use memory currently occupied by the UEFI FV itself
Once a useable memory range is found pass it to HobConstructor().
TEST: Fixes boot on AMD/glinda, that reserved memory at 2000000h.
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
