From 0b1fdeb4c8a962f6b7649bd91bea70207dd7eb49 Mon Sep 17 00:00:00 2001 From: PKumarAditya Date: Thu, 21 Aug 2025 13:31:31 +0530 Subject: [PATCH] Support for AMD SEV-SNP 
Signed-off-by: PrithivishS --- ...tLib-Use-AsmCpuidEx-for-CPUID_EXTEND.patch | 46 + ...tLib-Copy-SEV-ES-save-area-pointer-d.patch | 61 + ...ptSevLib-Fix-address-overflow-during.patch | 48 + ...-Provide-an-implementation-for-SetAt.patch | 103 ++ ...tor-Fix-SNP-CPUID-table-processing-r.patch | 43 + ...Vector-improve-page-table-flag-names.patch | 119 ++ ...Vector-add-ClearOvmfPageTables-macro.patch | 84 + ...tor-add-CreatePageTables4Level-macro.patch | 119 ++ ...g-ResetVector-split-TDX-BSP-workflow.patch | 91 + ...tor-split-SEV-and-non-CoCo-workflows.patch | 108 ++ ...setVector-add-5-level-paging-support.patch | 179 ++ ...tor-print-post-codes-for-4-5-level-p.patch | 55 + ...ector-wire-up-5-level-paging-for-TDX.patch | 112 ++ ...tor-Clear-SEV-encryption-bit-for-non.patch | 118 ++ ...eorder-MEMFD-pages-to-match-the-orde.patch | 113 ++ ...Pkg-exclude-NullMemoryTestDxe-driver.patch | 295 +++ ...AmdSevX64-to-new-shell-include-files.patch | 111 ++ ...tor-send-post-codes-to-qemu-debug-co.patch | 84 + ...tor-Define-SNP-metadata-for-kernel-h.patch | 91 + ...ke-APIC-MMIO-accesses-with-encryptio.patch | 298 ++++ ...b-Drop-special-handling-for-Encrypte.patch | 62 + 0137-OvmfPkg-add-ShellLibs.dsc.inc.patch | 62 + ...-OvmfPkg-Add-varpolicy-shell-command.patch | 137 ++ ...xclude-the-CSM-based-VideoDxe-driver.patch | 290 +++ 0140-OvmfPkg-exclude-LegacyBiosDxe.patch | 166 ++ ...-OvmfPkg-exclude-Csm16.inf-Csm16.bin.patch | 201 +++ ...-OvmfPkg-add-ShellComponents.dsc.inc.patch | 133 ++ 0143-OvmfPkg-add-ShellDxe.fdf.inc.patch | 73 + ...nc-allow-building-without-network-su.patch | 73 + ...policy-dynamic-shell-command-and-app.patch | 1580 +++++++++++++++++ ...iablePolicy-Add-more-granular-variab.patch | 1372 ++++++++++++++ edk2.spec | 38 +- 32 files changed, 6464 insertions(+), 1 deletion(-) create mode 100644 0116-UefiCpuPkg-MpInitLib-Use-AsmCpuidEx-for-CPUID_EXTEND.patch create mode 100644 0117-UefiCpuPkg-MpInitLib-Copy-SEV-ES-save-area-pointer-d.patch create mode 100644 
0118-OvmfPkg-MemEncryptSevLib-Fix-address-overflow-during.patch create mode 100644 0119-OvmfPkg-IoMmuDxe-Provide-an-implementation-for-SetAt.patch create mode 100644 0120-OvmfPkg-ResetVector-Fix-SNP-CPUID-table-processing-r.patch create mode 100644 0121-OvmfPkg-ResetVector-improve-page-table-flag-names.patch create mode 100644 0122-OvmfPkg-ResetVector-add-ClearOvmfPageTables-macro.patch create mode 100644 0123-OvmfPkg-ResetVector-add-CreatePageTables4Level-macro.patch create mode 100644 0124-OvmfPkg-ResetVector-split-TDX-BSP-workflow.patch create mode 100644 0125-OvmfPkg-ResetVector-split-SEV-and-non-CoCo-workflows.patch create mode 100644 0126-OvmfPkg-ResetVector-add-5-level-paging-support.patch create mode 100644 0127-OvmfPkg-ResetVector-print-post-codes-for-4-5-level-p.patch create mode 100644 0128-OvmfPkg-ResetVector-wire-up-5-level-paging-for-TDX.patch create mode 100644 0129-OvmfPkg-ResetVector-Clear-SEV-encryption-bit-for-non.patch create mode 100644 0130-OvmfPkg-AmdSev-Reorder-MEMFD-pages-to-match-the-orde.patch create mode 100644 0131-OvmfPkg-exclude-NullMemoryTestDxe-driver.patch create mode 100644 0132-OvmfPkg-switch-AmdSevX64-to-new-shell-include-files.patch create mode 100644 0133-OvmfPkg-ResetVector-send-post-codes-to-qemu-debug-co.patch create mode 100644 0134-OvmfPkg-ResetVector-Define-SNP-metadata-for-kernel-h.patch create mode 100644 0135-OvmfPkg-Don-t-make-APIC-MMIO-accesses-with-encryptio.patch create mode 100644 0136-OvmfPkg-CcExitLib-Drop-special-handling-for-Encrypte.patch create mode 100644 0137-OvmfPkg-add-ShellLibs.dsc.inc.patch create mode 100644 0138-OvmfPkg-Add-varpolicy-shell-command.patch create mode 100644 0139-OvmfPkg-exclude-the-CSM-based-VideoDxe-driver.patch create mode 100644 0140-OvmfPkg-exclude-LegacyBiosDxe.patch create mode 100644 0141-OvmfPkg-exclude-Csm16.inf-Csm16.bin.patch create mode 100644 0142-OvmfPkg-add-ShellComponents.dsc.inc.patch create mode 100644 0143-OvmfPkg-add-ShellDxe.fdf.inc.patch create mode 100644 
0144-OvmfPkg-Shell-.inc-allow-building-without-network-su.patch
create mode 100644 0145-ShellPkg-Add-varpolicy-dynamic-shell-command-and-app.patch
create mode 100644 0146-MdeModulePkg-VariablePolicy-Add-more-granular-variab.patch
diff --git a/0116-UefiCpuPkg-MpInitLib-Use-AsmCpuidEx-for-CPUID_EXTEND.patch b/0116-UefiCpuPkg-MpInitLib-Use-AsmCpuidEx-for-CPUID_EXTEND.patch
new file mode 100644
index 0000000..71cbbff
--- /dev/null
+++ b/0116-UefiCpuPkg-MpInitLib-Use-AsmCpuidEx-for-CPUID_EXTEND.patch
@@ -0,0 +1,46 @@ +From 8949a80ceee16d55477c822be1e435c35035b33e Mon Sep 17 00:00:00 2001 +From: Tom Lendacky +Date: Tue, 7 Nov 2023 06:45:30 +0800 +Subject: [PATCH 01/31] UefiCpuPkg/MpInitLib: Use AsmCpuidEx() for + CPUID_EXTENDED_TOPOLOGY leaf + +commit 447798cd3a78c8bfc5adb90254d50d22a838b301 upstream + +The CPUID_EXTENDED_TOPOLOGY CPUID leaf takes a subleaf as input when +returning CPUID information. However, the AsmCpuid() function does not +zero out ECX before the CPUID instruction, so the input leaf is used as +the sub-leaf for the CPUID request and returns erroneous/invalid CPUID +data, since the intent of the request was to get data related to sub-leaf +0. Instead, use AsmCpuidEx() for the CPUID_EXTENDED_TOPOLOGY leaf. + +Fixes: d4d7c9ad5fe5 ("UefiCpuPkg/MpInitLib: use BSP to do extended ...") +Signed-off-by: Tom Lendacky +Reviewed-by: Ray Ni +Signed-off-by: Jeevan deep J +--- + UefiCpuPkg/Library/MpInitLib/AmdSev.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/UefiCpuPkg/Library/MpInitLib/AmdSev.c b/UefiCpuPkg/Library/MpInitLib/AmdSev.c +index bda4960f6fd3..d34f9513e002 100644 +--- a/UefiCpuPkg/Library/MpInitLib/AmdSev.c ++++ b/UefiCpuPkg/Library/MpInitLib/AmdSev.c +@@ -256,7 +256,14 @@ FillExchangeInfoDataSevEs ( + if (StdRangeMax >= CPUID_EXTENDED_TOPOLOGY) { + CPUID_EXTENDED_TOPOLOGY_EBX ExtTopoEbx; + +- AsmCpuid (CPUID_EXTENDED_TOPOLOGY, NULL, &ExtTopoEbx.Uint32, NULL, NULL); ++ AsmCpuidEx ( ++ CPUID_EXTENDED_TOPOLOGY, ++ 0, ++ NULL, ++ &ExtTopoEbx.Uint32, ++ NULL, ++ NULL ++ ); + ExchangeInfo->ExtTopoAvail = !!ExtTopoEbx.Bits.LogicalProcessors; + } + } +-- +2.43.0 + diff --git a/0117-UefiCpuPkg-MpInitLib-Copy-SEV-ES-save-area-pointer-d.patch b/0117-UefiCpuPkg-MpInitLib-Copy-SEV-ES-save-area-pointer-d.patch new file mode 100644 index 0000000..e89bdd9 --- /dev/null +++ b/0117-UefiCpuPkg-MpInitLib-Copy-SEV-ES-save-area-pointer-d.patch 
@@ -0,0 +1,61 @@ +From 6f204968381a54b76bf8a362baecc302e5ab9879 Mon Sep 17 00:00:00 2001 +From: Tom Lendacky +Date: Tue, 7 Nov 2023 06:45:31 +0800 +Subject: [PATCH 02/31] UefiCpuPkg/MpInitLib: Copy SEV-ES save area pointer + during APIC ID sorting + +commit 3c5f9ac5c3b92bf63b3c0a39658f0ae991e8436d upstream + +With SEV-SNP, the SEV-ES save area for a vCPU should be unique to that +vCPU. After commit 3323359a811a, the VMSA allocation was re-used, but when +sorting the CPUs by APIC ID, the save area was not updated to follow the +original CPU. Similar to the StartupApSignal address, the SevEsSaveArea +address should be updated when sorting the CPUs. + +This does not cause an issue at this time because all APs are in HLT state +and then are (re)started at the same time, with the same VMSA contents. +However, this should be fixed to account for any change in future +behavior. + +Fixes: 3323359a811a ("UefiCpuPkg/MpInitLib: Reuse VMSA allocation to ...") +Signed-off-by: Tom Lendacky +Reviewed-by: Ray Ni +Signed-off-by: Jeevan deep J +--- + UefiCpuPkg/Library/MpInitLib/MpLib.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.c b/UefiCpuPkg/Library/MpInitLib/MpLib.c +index 6f1456cfe168..946c9d632868 100644 +--- a/UefiCpuPkg/Library/MpInitLib/MpLib.c ++++ b/UefiCpuPkg/Library/MpInitLib/MpLib.c +@@ -370,6 +370,7 @@ SortApicId ( + UINT32 ApCount; + CPU_INFO_IN_HOB *CpuInfoInHob; + volatile UINT32 *StartupApSignal; ++ VOID *SevEsSaveArea; + + ApCount = CpuMpData->CpuCount - 1; + CpuInfoInHob = (CPU_INFO_IN_HOB *)(UINTN)CpuMpData->CpuInfoInHob; +@@ -397,12 +398,17 @@ SortApicId ( + CopyMem (&CpuInfoInHob[Index1], &CpuInfo, sizeof (CPU_INFO_IN_HOB)); + + // +- // Also exchange the StartupApSignal. ++ // Also exchange the StartupApSignal and SevEsSaveArea. 
+ // + StartupApSignal = CpuMpData->CpuData[Index3].StartupApSignal; + CpuMpData->CpuData[Index3].StartupApSignal = + CpuMpData->CpuData[Index1].StartupApSignal; + CpuMpData->CpuData[Index1].StartupApSignal = StartupApSignal; ++ ++ SevEsSaveArea = CpuMpData->CpuData[Index3].SevEsSaveArea; ++ CpuMpData->CpuData[Index3].SevEsSaveArea = ++ CpuMpData->CpuData[Index1].SevEsSaveArea; ++ CpuMpData->CpuData[Index1].SevEsSaveArea = SevEsSaveArea; + } + } + +-- +2.43.0 + diff --git a/0118-OvmfPkg-MemEncryptSevLib-Fix-address-overflow-during.patch b/0118-OvmfPkg-MemEncryptSevLib-Fix-address-overflow-during.patch new file mode 100644 index 0000000..11a8e59 --- /dev/null +++ b/0118-OvmfPkg-MemEncryptSevLib-Fix-address-overflow-during.patch 
@@ -0,0 +1,48 @@ +From 0951e02e90428fd41dbabaaf6afd2484789aaddf Mon Sep 17 00:00:00 2001 +From: Michael Roth +Date: Wed, 15 Nov 2023 11:51:53 -0600 +Subject: [PATCH 03/31] OvmfPkg/MemEncryptSevLib: Fix address overflow during + PVALIDATE + +commit e8c23d1e27f70dcb2e59010ded6df32374eaa84a upstream + +The struct used for GHCB-based page-state change requests uses a 40-bit +bit-field for the GFN, which is shifted by PAGE_SHIFT to generate a +64-bit address. However, anything beyond 40-bits simply gets shifted off +when doing this, which will cause issues when dealing with 1TB+ +addresses. Fix this by casting the 40-bit GFN values to 64-bit ones +prior to shifting it by PAGE_SHIFT. + +Fixes: ade62c18f474 ("OvmfPkg/MemEncryptSevLib: add support to validate system RAM") +Signed-off-by: Michael Roth +Message-Id: <20231115175153.813213-1-michael.roth@amd.com> +Reviewed-by: Gerd Hoffmann +Signed-off-by: Jeevan deep J +--- + .../BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c +index 85eb41585b91..46c6682760d5 100644 +--- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c ++++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c +@@ -78,13 +78,14 @@ PvalidateRange ( + IN BOOLEAN Validate + ) + { +- UINTN Address, RmpPageSize, Ret, i; ++ UINTN RmpPageSize, Ret, i; ++ EFI_PHYSICAL_ADDRESS Address; + + for ( ; StartIndex <= EndIndex; StartIndex++) { + // + // Get the address and the page size from the Info. + // +- Address = Info->Entry[StartIndex].GuestFrameNumber << EFI_PAGE_SHIFT; ++ Address = ((EFI_PHYSICAL_ADDRESS)Info->Entry[StartIndex].GuestFrameNumber) << EFI_PAGE_SHIFT; + RmpPageSize = Info->Entry[StartIndex].PageSize; + + Ret = AsmPvalidate (RmpPageSize, Validate, Address); +-- +2.43.0 + 
diff --git a/0119-OvmfPkg-IoMmuDxe-Provide-an-implementation-for-SetAt.patch b/0119-OvmfPkg-IoMmuDxe-Provide-an-implementation-for-SetAt.patch new file mode 100644 index 0000000..a6f764a --- /dev/null +++ b/0119-OvmfPkg-IoMmuDxe-Provide-an-implementation-for-SetAt.patch @@ -0,0 +1,103 @@ +From d2400d4ed64f9133f8dfc9f8536fae8bd6623abc Mon Sep 17 00:00:00 2001 +From: Tom Lendacky +Date: Tue, 30 Jan 2024 11:15:33 -0600 +Subject: [PATCH 04/31] OvmfPkg/IoMmuDxe: Provide an implementation for + SetAttribute + +commit 97c3f5b8d27230acfc20f479adea64c348750612 upstream + +A recent change to the PciIoMap() function now propagates the return code +from the IoMmu protocol SetAttribute() operation. The implementation of +this operation in OvmfPkg/IoMmuDxe/CcIoMmu.c returns EFI_UNSUPPORTED, +resulting in a failure to boot the guest. + +Provide an implementation for SetAttribute() that validates the IoMmu +access method being requested against the IoMmu mapping operation. + +Suggested-by: Laszlo Ersek +Reviewed-by: Laszlo Ersek +Signed-off-by: Tom Lendacky +Message-Id: +Tested-by: Min Xu +Reviewed-by: Min Xu +Signed-off-by: Jeevan deep J +--- + OvmfPkg/IoMmuDxe/CcIoMmu.c | 55 ++++++++++++++++++++++++++++++++++++-- + 1 file changed, 53 insertions(+), 2 deletions(-) + +diff --git a/OvmfPkg/IoMmuDxe/CcIoMmu.c b/OvmfPkg/IoMmuDxe/CcIoMmu.c +index b83a9690062b..795b945dacb0 100644 +--- a/OvmfPkg/IoMmuDxe/CcIoMmu.c ++++ b/OvmfPkg/IoMmuDxe/CcIoMmu.c +@@ -5,7 +5,7 @@ + operations must be performed on unencrypted buffer hence we use a bounce + buffer to map the guest buffer into an unencrypted DMA buffer. + +- Copyright (c) 2017, AMD Inc. All rights reserved.
++ Copyright (c) 2017 - 2024, AMD Inc. All rights reserved.
+ Copyright (c) 2017, Intel Corporation. All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent +@@ -751,7 +751,58 @@ IoMmuSetAttribute ( + IN UINT64 IoMmuAccess + ) + { +- return EFI_UNSUPPORTED; ++ MAP_INFO *MapInfo; ++ EFI_STATUS Status; ++ ++ DEBUG ((DEBUG_VERBOSE, "%a: Mapping=0x%p Access=%lu\n", __func__, Mapping, IoMmuAccess)); ++ ++ if (Mapping == NULL) { ++ return EFI_INVALID_PARAMETER; ++ } ++ ++ Status = EFI_SUCCESS; ++ ++ // ++ // An IoMmuAccess value of 0 is always accepted, validate any non-zero value. ++ // ++ if (IoMmuAccess != 0) { ++ MapInfo = (MAP_INFO *)Mapping; ++ ++ // ++ // The mapping operation already implied the access mode. Validate that ++ // the supplied access mode matches operation access mode. ++ // ++ switch (MapInfo->Operation) { ++ case EdkiiIoMmuOperationBusMasterRead: ++ case EdkiiIoMmuOperationBusMasterRead64: ++ if (IoMmuAccess != EDKII_IOMMU_ACCESS_READ) { ++ Status = EFI_INVALID_PARAMETER; ++ } ++ ++ break; ++ ++ case EdkiiIoMmuOperationBusMasterWrite: ++ case EdkiiIoMmuOperationBusMasterWrite64: ++ if (IoMmuAccess != EDKII_IOMMU_ACCESS_WRITE) { ++ Status = EFI_INVALID_PARAMETER; ++ } ++ ++ break; ++ ++ case EdkiiIoMmuOperationBusMasterCommonBuffer: ++ case EdkiiIoMmuOperationBusMasterCommonBuffer64: ++ if (IoMmuAccess != (EDKII_IOMMU_ACCESS_READ | EDKII_IOMMU_ACCESS_WRITE)) { ++ Status = EFI_INVALID_PARAMETER; ++ } ++ ++ break; ++ ++ default: ++ Status = EFI_UNSUPPORTED; ++ } ++ } ++ ++ return Status; + } + + EDKII_IOMMU_PROTOCOL mIoMmu = { +-- +2.43.0 + diff --git a/0120-OvmfPkg-ResetVector-Fix-SNP-CPUID-table-processing-r.patch b/0120-OvmfPkg-ResetVector-Fix-SNP-CPUID-table-processing-r.patch new file mode 100644 index 0000000..13b2206 --- /dev/null +++ b/0120-OvmfPkg-ResetVector-Fix-SNP-CPUID-table-processing-r.patch 
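Review bot: `MapInfo = (MAP_INFO *)Mapping;` in the new IoMmuSetAttribute body trusts the caller-supplied opaque handle and dereferences `MapInfo->Operation` without checking that it refers to a live mapping; if this file keeps its mappings on a list (the Unmap path in CcIoMmu.c appears to), walking that list and returning EFI_INVALID_PARAMETER for an unknown pointer would make SetAttribute as defensive as Unmap. The `default:` arm of the switch also lacks the trailing `break;` that every other arm carries; adding it keeps the style uniform. IoMmuSetAttribute's parameter list starts outside the hunk.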
@@ -0,0 +1,43 @@ +From f699d1e3e7fa83fb80df233cf37762a59d357a1e Mon Sep 17 00:00:00 2001 +From: Tom Lendacky +Date: Fri, 2 Feb 2024 13:18:37 -0600 +Subject: [PATCH 05/31] OvmfPkg/ResetVector: Fix SNP CPUID table processing + results for ECX/EDX + +commit cd6f2152237713d12723a55aa258c7ae91577dff upstream + +The current support within the boot SNP CPUID table processing mistakenly +swaps the ECX and EDX results. It does not have an effect at this time +because current CPUID results checking does not check ECX or EDX. However, +any future CPUID checks that need to check ECX or EDX may have erroneous +behavior. + +Fix the assembler code to save ECX and EDX to the proper locations. + +Fixes: 34819f2caccb ("OvmfPkg/ResetVector: use SEV-SNP-validated CPUID values") +Signed-off-by: Tom Lendacky +Reviewed-by: Michael Roth +Signed-off-by: Jeevan deep J +--- + OvmfPkg/ResetVector/Ia32/AmdSev.asm | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/OvmfPkg/ResetVector/Ia32/AmdSev.asm b/OvmfPkg/ResetVector/Ia32/AmdSev.asm +index 8f6de37cbb27..e0433cecad57 100644 +--- a/OvmfPkg/ResetVector/Ia32/AmdSev.asm ++++ b/OvmfPkg/ResetVector/Ia32/AmdSev.asm +@@ -404,9 +404,9 @@ SnpCpuidEntryFound: + mov [esp + VC_CPUID_RESULT_EAX], eax + mov eax, [ecx + SNP_CPUID_ENTRY_EBX] + mov [esp + VC_CPUID_RESULT_EBX], eax +- mov eax, [ecx + SNP_CPUID_ENTRY_EDX] +- mov [esp + VC_CPUID_RESULT_ECX], eax + mov eax, [ecx + SNP_CPUID_ENTRY_ECX] ++ mov [esp + VC_CPUID_RESULT_ECX], eax ++ mov eax, [ecx + SNP_CPUID_ENTRY_EDX] + mov [esp + VC_CPUID_RESULT_EDX], eax + jmp VmmDoneSnpCpuid + +-- +2.43.0 + diff --git a/0121-OvmfPkg-ResetVector-improve-page-table-flag-names.patch b/0121-OvmfPkg-ResetVector-improve-page-table-flag-names.patch new file mode 100644 index 0000000..e0daca9 --- /dev/null +++ b/0121-OvmfPkg-ResetVector-improve-page-table-flag-names.patch 
@@ -0,0 +1,119 @@ +From ec55dbf92c9a3341d979c06d274602b66b7be544 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Fri, 1 Mar 2024 08:43:53 +0100 +Subject: [PATCH 06/31] OvmfPkg/ResetVector: improve page table flag names + +commit fded08e74400fd0b76ad4733111e946f3ecea244 upstream + +Add comments, rename some of the PAGE_* flags and combined attributes. +Specifically use "LARGEPAGE" instead of "2M" because that bit is used +for both 2M and 1G large pages. + +Signed-off-by: Gerd Hoffmann +Reviewed-by: Laszlo Ersek +Message-Id: <20240301074402.98625-2-kraxel@redhat.com> +Cc: Jiewen Yao +Cc: Oliver Steffen +Cc: Michael Roth +Cc: Erdem Aktas +Cc: Min Xu +Cc: Ard Biesheuvel +Cc: Tom Lendacky +[lersek@redhat.com: turn the "Cc:" message headers from Gerd's on-list + posting into "Cc:" tags in the commit message, in order to pacify + "PatchCheck.py"] +Signed-off-by: Jeevan deep J +--- + OvmfPkg/ResetVector/Ia32/PageTables64.asm | 39 +++++++++++++---------- + 1 file changed, 22 insertions(+), 17 deletions(-) + +diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVector/Ia32/PageTables64.asm +index 317cad430f29..6fec6f2beeea 100644 +--- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm ++++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm +@@ -10,6 +10,7 @@ + + BITS 32 + ++; common for all levels + %define PAGE_PRESENT 0x01 + %define PAGE_READ_WRITE 0x02 + %define PAGE_USER_SUPERVISOR 0x04 +@@ -17,25 +18,29 @@ BITS 32 + %define PAGE_CACHE_DISABLE 0x010 + %define PAGE_ACCESSED 0x020 + %define PAGE_DIRTY 0x040 +-%define PAGE_PAT 0x080 + %define PAGE_GLOBAL 0x0100 +-%define PAGE_2M_MBO 0x080 +-%define PAGE_2M_PAT 0x01000 ++ ++; page table entries (level 1) ++%define PAGE_PTE_PAT 0x080 ++ ++; page directory entries (level 2+) ++%define PAGE_PDE_LARGEPAGE 0x080 ++%define PAGE_PDE_PAT 0x01000 + + %define PAGE_4K_PDE_ATTR (PAGE_ACCESSED + \ + PAGE_DIRTY + \ + PAGE_READ_WRITE + \ + PAGE_PRESENT) + +-%define PAGE_2M_PDE_ATTR (PAGE_2M_MBO + \ +- PAGE_ACCESSED + \ +- 
PAGE_DIRTY + \ +- PAGE_READ_WRITE + \ +- PAGE_PRESENT) ++%define PAGE_PDE_LARGEPAGE_ATTR (PAGE_PDE_LARGEPAGE + \ ++ PAGE_ACCESSED + \ ++ PAGE_DIRTY + \ ++ PAGE_READ_WRITE + \ ++ PAGE_PRESENT) + +-%define PAGE_PDP_ATTR (PAGE_ACCESSED + \ +- PAGE_READ_WRITE + \ +- PAGE_PRESENT) ++%define PAGE_PDE_DIRECTORY_ATTR (PAGE_ACCESSED + \ ++ PAGE_READ_WRITE + \ ++ PAGE_PRESENT) + + %define TDX_BSP 1 + %define TDX_AP 2 +@@ -84,19 +89,19 @@ clearPageTablesMemoryLoop: + ; + ; Top level Page Directory Pointers (1 * 512GB entry) + ; +- mov dword[PT_ADDR (0)], PT_ADDR (0x1000) + PAGE_PDP_ATTR ++ mov dword[PT_ADDR (0)], PT_ADDR (0x1000) + PAGE_PDE_DIRECTORY_ATTR + mov dword[PT_ADDR (4)], edx + + ; + ; Next level Page Directory Pointers (4 * 1GB entries => 4GB) + ; +- mov dword[PT_ADDR (0x1000)], PT_ADDR (0x2000) + PAGE_PDP_ATTR ++ mov dword[PT_ADDR (0x1000)], PT_ADDR (0x2000) + PAGE_PDE_DIRECTORY_ATTR + mov dword[PT_ADDR (0x1004)], edx +- mov dword[PT_ADDR (0x1008)], PT_ADDR (0x3000) + PAGE_PDP_ATTR ++ mov dword[PT_ADDR (0x1008)], PT_ADDR (0x3000) + PAGE_PDE_DIRECTORY_ATTR + mov dword[PT_ADDR (0x100C)], edx +- mov dword[PT_ADDR (0x1010)], PT_ADDR (0x4000) + PAGE_PDP_ATTR ++ mov dword[PT_ADDR (0x1010)], PT_ADDR (0x4000) + PAGE_PDE_DIRECTORY_ATTR + mov dword[PT_ADDR (0x1014)], edx +- mov dword[PT_ADDR (0x1018)], PT_ADDR (0x5000) + PAGE_PDP_ATTR ++ mov dword[PT_ADDR (0x1018)], PT_ADDR (0x5000) + PAGE_PDE_DIRECTORY_ATTR + mov dword[PT_ADDR (0x101C)], edx + + ; +@@ -107,7 +112,7 @@ pageTableEntriesLoop: + mov eax, ecx + dec eax + shl eax, 21 +- add eax, PAGE_2M_PDE_ATTR ++ add eax, PAGE_PDE_LARGEPAGE_ATTR + mov [ecx * 8 + PT_ADDR (0x2000 - 8)], eax + mov [(ecx * 8 + PT_ADDR (0x2000 - 8)) + 4], edx + loop pageTableEntriesLoop +-- +2.43.0 + diff --git a/0122-OvmfPkg-ResetVector-add-ClearOvmfPageTables-macro.patch b/0122-OvmfPkg-ResetVector-add-ClearOvmfPageTables-macro.patch new file mode 100644 index 0000000..f8ed9ab --- /dev/null 
+++ b/0122-OvmfPkg-ResetVector-add-ClearOvmfPageTables-macro.patch 
@@ -0,0 +1,84 @@ +From c3180be1c8886b70fe1a04e6a050c2aeb157d641 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Fri, 1 Mar 2024 08:43:54 +0100 +Subject: [PATCH 07/31] OvmfPkg/ResetVector: add ClearOvmfPageTables macro + +commit 52e44713d23de600ac7eb12bdfa0600abd2294eb upstream + +Move code to clear the page tables to a nasm macro. +No functional change. + +Signed-off-by: Gerd Hoffmann +Reviewed-by: Laszlo Ersek +Message-Id: <20240301074402.98625-3-kraxel@redhat.com> +Cc: Jiewen Yao +Cc: Oliver Steffen +Cc: Michael Roth +Cc: Erdem Aktas +Cc: Min Xu +Cc: Ard Biesheuvel +Cc: Tom Lendacky +[lersek@redhat.com: turn the "Cc:" message headers from Gerd's on-list + posting into "Cc:" tags in the commit message, in order to pacify + "PatchCheck.py"] +Signed-off-by: Jeevan deep J +--- + OvmfPkg/ResetVector/Ia32/PageTables64.asm | 35 ++++++++++++----------- + 1 file changed, 19 insertions(+), 16 deletions(-) + +diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVector/Ia32/PageTables64.asm +index 6fec6f2beeea..378ba2feeb4f 100644 +--- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm ++++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm +@@ -45,6 +45,24 @@ BITS 32 + %define TDX_BSP 1 + %define TDX_AP 2 + ++; ++; For OVMF, build some initial page tables at ++; PcdOvmfSecPageTablesBase - (PcdOvmfSecPageTablesBase + 0x6000). ++; ++; This range should match with PcdOvmfSecPageTablesSize which is ++; declared in the FDF files. ++; ++; At the end of PEI, the pages tables will be rebuilt into a ++; more permanent location by DxeIpl. 
++; ++%macro ClearOvmfPageTables 0 ++ mov ecx, 6 * 0x1000 / 4 ++ xor eax, eax ++.clearPageTablesMemoryLoop: ++ mov dword[ecx * 4 + PT_ADDR (0) - 4], eax ++ loop .clearPageTablesMemoryLoop ++%endmacro ++ + ; + ; Modified: EAX, EBX, ECX, EDX + ; +@@ -69,22 +87,7 @@ SetCr3ForPageTables64: + OneTimeCall GetSevCBitMaskAbove31 + + ClearOvmfPageTables: +- ; +- ; For OVMF, build some initial page tables at +- ; PcdOvmfSecPageTablesBase - (PcdOvmfSecPageTablesBase + 0x6000). +- ; +- ; This range should match with PcdOvmfSecPageTablesSize which is +- ; declared in the FDF files. +- ; +- ; At the end of PEI, the pages tables will be rebuilt into a +- ; more permanent location by DxeIpl. +- ; +- +- mov ecx, 6 * 0x1000 / 4 +- xor eax, eax +-clearPageTablesMemoryLoop: +- mov dword[ecx * 4 + PT_ADDR (0) - 4], eax +- loop clearPageTablesMemoryLoop ++ ClearOvmfPageTables + + ; + ; Top level Page Directory Pointers (1 * 512GB entry) +-- +2.43.0 + diff --git a/0123-OvmfPkg-ResetVector-add-CreatePageTables4Level-macro.patch b/0123-OvmfPkg-ResetVector-add-CreatePageTables4Level-macro.patch new file mode 100644 index 0000000..e25eb6a --- /dev/null +++ b/0123-OvmfPkg-ResetVector-add-CreatePageTables4Level-macro.patch 
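Review bot: The new `ClearOvmfPageTables` macro clobbers EAX and ECX but its header comment documents neither; the existing routines in this file carry a `; Modified: EAX, EBX, ECX, EDX` line, so the macro header should get `; Modified: EAX, ECX`. The same applies to `CreatePageTables4Level` in 0123, which writes EAX and ECX while its header only describes the argument; `; Modified: EAX, ECX` there too. This matters once the macros are expanded in several control flows (as 0124 and 0125 do), because a caller must know which registers survive the expansion, in particular that EDX, which carries the C-bit mask, is left untouched.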
@@ -0,0 +1,119 @@ +From 4255492ea6b7c41d9edb7042feba3f02fff07bc1 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Fri, 1 Mar 2024 08:43:55 +0100 +Subject: [PATCH 08/31] OvmfPkg/ResetVector: add CreatePageTables4Level macro + +commit 4329b5b0cd58891e1385c90a5e509c91ba0eb891 upstream + +Move code to create 4-level page tables to a nasm macro. +No functional change. + +Signed-off-by: Gerd Hoffmann +Reviewed-by: Laszlo Ersek +Message-Id: <20240301074402.98625-4-kraxel@redhat.com> +Cc: Jiewen Yao +Cc: Oliver Steffen +Cc: Michael Roth +Cc: Erdem Aktas +Cc: Min Xu +Cc: Ard Biesheuvel +Cc: Tom Lendacky +[lersek@redhat.com: turn the "Cc:" message headers from Gerd's on-list + posting into "Cc:" tags in the commit message, in order to pacify + "PatchCheck.py"] +Signed-off-by: Jeevan deep J +--- + OvmfPkg/ResetVector/Ia32/PageTables64.asm | 70 +++++++++++++---------- + 1 file changed, 39 insertions(+), 31 deletions(-) + +diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVector/Ia32/PageTables64.asm +index 378ba2feeb4f..14cc2c33aa3d 100644 +--- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm ++++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm +@@ -63,6 +63,44 @@ BITS 32 + loop .clearPageTablesMemoryLoop + %endmacro + ++; ++; Create page tables for 4-level paging ++; ++; Argument: upper 32 bits of the page table entries ++; ++%macro CreatePageTables4Level 1 ++ ; ++ ; Top level Page Directory Pointers (1 * 512GB entry) ++ ; ++ mov dword[PT_ADDR (0)], PT_ADDR (0x1000) + PAGE_PDE_DIRECTORY_ATTR ++ mov dword[PT_ADDR (4)], %1 ++ ++ ; ++ ; Next level Page Directory Pointers (4 * 1GB entries => 4GB) ++ ; ++ mov dword[PT_ADDR (0x1000)], PT_ADDR (0x2000) + PAGE_PDE_DIRECTORY_ATTR ++ mov dword[PT_ADDR (0x1004)], %1 ++ mov dword[PT_ADDR (0x1008)], PT_ADDR (0x3000) + PAGE_PDE_DIRECTORY_ATTR ++ mov dword[PT_ADDR (0x100C)], %1 ++ mov dword[PT_ADDR (0x1010)], PT_ADDR (0x4000) + PAGE_PDE_DIRECTORY_ATTR ++ mov dword[PT_ADDR (0x1014)], %1 ++ mov dword[PT_ADDR (0x1018)], PT_ADDR 
(0x5000) + PAGE_PDE_DIRECTORY_ATTR ++ mov dword[PT_ADDR (0x101C)], %1 ++ ++ ; ++ ; Page Table Entries (2048 * 2MB entries => 4GB) ++ ; ++ mov ecx, 0x800 ++.pageTableEntriesLoop4Level: ++ mov eax, ecx ++ dec eax ++ shl eax, 21 ++ add eax, PAGE_PDE_LARGEPAGE_ATTR ++ mov dword[ecx * 8 + PT_ADDR (0x2000 - 8)], eax ++ mov dword[(ecx * 8 + PT_ADDR (0x2000 - 8)) + 4], %1 ++ loop .pageTableEntriesLoop4Level ++%endmacro ++ + ; + ; Modified: EAX, EBX, ECX, EDX + ; +@@ -88,37 +126,7 @@ SetCr3ForPageTables64: + + ClearOvmfPageTables: + ClearOvmfPageTables +- +- ; +- ; Top level Page Directory Pointers (1 * 512GB entry) +- ; +- mov dword[PT_ADDR (0)], PT_ADDR (0x1000) + PAGE_PDE_DIRECTORY_ATTR +- mov dword[PT_ADDR (4)], edx +- +- ; +- ; Next level Page Directory Pointers (4 * 1GB entries => 4GB) +- ; +- mov dword[PT_ADDR (0x1000)], PT_ADDR (0x2000) + PAGE_PDE_DIRECTORY_ATTR +- mov dword[PT_ADDR (0x1004)], edx +- mov dword[PT_ADDR (0x1008)], PT_ADDR (0x3000) + PAGE_PDE_DIRECTORY_ATTR +- mov dword[PT_ADDR (0x100C)], edx +- mov dword[PT_ADDR (0x1010)], PT_ADDR (0x4000) + PAGE_PDE_DIRECTORY_ATTR +- mov dword[PT_ADDR (0x1014)], edx +- mov dword[PT_ADDR (0x1018)], PT_ADDR (0x5000) + PAGE_PDE_DIRECTORY_ATTR +- mov dword[PT_ADDR (0x101C)], edx +- +- ; +- ; Page Table Entries (2048 * 2MB entries => 4GB) +- ; +- mov ecx, 0x800 +-pageTableEntriesLoop: +- mov eax, ecx +- dec eax +- shl eax, 21 +- add eax, PAGE_PDE_LARGEPAGE_ATTR +- mov [ecx * 8 + PT_ADDR (0x2000 - 8)], eax +- mov [(ecx * 8 + PT_ADDR (0x2000 - 8)) + 4], edx +- loop pageTableEntriesLoop ++ CreatePageTables4Level edx + + ; Clear the C-bit from the GHCB page if the SEV-ES is enabled. + OneTimeCall SevClearPageEncMaskForGhcbPage +-- +2.43.0 + diff --git a/0124-OvmfPkg-ResetVector-split-TDX-BSP-workflow.patch b/0124-OvmfPkg-ResetVector-split-TDX-BSP-workflow.patch new file mode 100644 index 0000000..9ddffc6 --- /dev/null +++ b/0124-OvmfPkg-ResetVector-split-TDX-BSP-workflow.patch 
@@ -0,0 +1,91 @@ +From 193e07cf5f03aac5ba39783646f549d5488aaca7 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Fri, 1 Mar 2024 08:43:56 +0100 +Subject: [PATCH 09/31] OvmfPkg/ResetVector: split TDX BSP workflow + +commit b7a97bfac52819d37310106e467623b0ed4a8f87 upstream + +Create a separate control flow for TDX BSP. + +TdxPostBuildPageTables will now only be called when running in TDX +mode, so the TDX check in that function is not needed any more. + +No functional change. + +Signed-off-by: Gerd Hoffmann +Reviewed-by: Laszlo Ersek +Message-Id: <20240301074402.98625-5-kraxel@redhat.com> +Cc: Jiewen Yao +Cc: Oliver Steffen +Cc: Michael Roth +Cc: Erdem Aktas +Cc: Min Xu +Cc: Ard Biesheuvel +Cc: Tom Lendacky +[lersek@redhat.com: turn the "Cc:" message headers from Gerd's on-list + posting into "Cc:" tags in the commit message, in order to pacify + "PatchCheck.py"] +Signed-off-by: Jeevan deep J +--- + OvmfPkg/ResetVector/Ia32/IntelTdx.asm | 4 ---- + OvmfPkg/ResetVector/Ia32/PageTables64.asm | 15 ++++++++++----- + 2 files changed, 10 insertions(+), 9 deletions(-) + +diff --git a/OvmfPkg/ResetVector/Ia32/IntelTdx.asm b/OvmfPkg/ResetVector/Ia32/IntelTdx.asm +index 06794baef81d..c6b86019dfb9 100644 +--- a/OvmfPkg/ResetVector/Ia32/IntelTdx.asm ++++ b/OvmfPkg/ResetVector/Ia32/IntelTdx.asm +@@ -197,11 +197,7 @@ NotTdx: + ; Set byte[TDX_WORK_AREA_PGTBL_READY] to 1 + ; + TdxPostBuildPageTables: +- cmp byte[WORK_AREA_GUEST_TYPE], VM_GUEST_TDX +- jne ExitTdxPostBuildPageTables + mov byte[TDX_WORK_AREA_PGTBL_READY], 1 +- +-ExitTdxPostBuildPageTables: + OneTimeCallRet TdxPostBuildPageTables + + ; +diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVector/Ia32/PageTables64.asm +index 14cc2c33aa3d..166e80293c89 100644 +--- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm ++++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm +@@ -112,7 +112,7 @@ SetCr3ForPageTables64: + ; is set. 
+ OneTimeCall CheckTdxFeaturesBeforeBuildPagetables + cmp eax, TDX_BSP +- je ClearOvmfPageTables ++ je TdxBspInit + cmp eax, TDX_AP + je SetCr3 + +@@ -124,16 +124,21 @@ SetCr3ForPageTables64: + ; the page table build below. + OneTimeCall GetSevCBitMaskAbove31 + +-ClearOvmfPageTables: + ClearOvmfPageTables + CreatePageTables4Level edx + + ; Clear the C-bit from the GHCB page if the SEV-ES is enabled. + OneTimeCall SevClearPageEncMaskForGhcbPage ++ jmp SetCr3 + +- ; TDX will do some PostBuildPages task, such as setting +- ; byte[TDX_WORK_AREA_PGTBL_READY]. +- OneTimeCall TdxPostBuildPageTables ++TdxBspInit: ++ ; ++ ; TDX BSP workflow ++ ; ++ ClearOvmfPageTables ++ CreatePageTables4Level 0 ++ OneTimeCall TdxPostBuildPageTables ++ jmp SetCr3 + + SetCr3: + ; +-- +2.43.0 + diff --git a/0125-OvmfPkg-ResetVector-split-SEV-and-non-CoCo-workflows.patch b/0125-OvmfPkg-ResetVector-split-SEV-and-non-CoCo-workflows.patch new file mode 100644 index 0000000..ce53efc --- /dev/null +++ b/0125-OvmfPkg-ResetVector-split-SEV-and-non-CoCo-workflows.patch 
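Review bot: Removing the guest-type check from `TdxPostBuildPageTables` in IntelTdx.asm makes the routine correct only when reached through the new `TdxBspInit` path, but nothing at the routine records that; the comment above it should state the precondition, e.g. `; Must only be called from the TDX BSP workflow; the caller has already verified WORK_AREA_GUEST_TYPE == VM_GUEST_TDX.` The `jmp SetCr3` at the end of `TdxBspInit` is redundant since `SetCr3:` immediately follows, though keeping it makes the workflows read alike. SetCr3ForPageTables64 begins outside the hunk.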
@@ -0,0 +1,108 @@
+From f9c2c8e410a8de13e520743f12a5d88fb6266b87 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Fri, 1 Mar 2024 08:43:57 +0100
+Subject: [PATCH 10/31] OvmfPkg/ResetVector: split SEV and non-CoCo workflows
+
+commit e3bd782373d87872c359939462a66d9bc2f2a252 upstream
+
+Use separate control flows for SEV and non-CoCo cases.
+
+SevClearPageEncMaskForGhcbPage and GetSevCBitMaskAbove31 will now only
+be called when running in SEV mode, so the SEV check in these functions
+is not needed any more.
+
+No functional change.
+
+Signed-off-by: Gerd Hoffmann
+Reviewed-by: Laszlo Ersek
+Message-Id: <20240301074402.98625-6-kraxel@redhat.com>
+Cc: Jiewen Yao
+Cc: Oliver Steffen
+Cc: Michael Roth
+Cc: Erdem Aktas
+Cc: Min Xu
+Cc: Ard Biesheuvel
+Cc: Tom Lendacky
+[lersek@redhat.com: turn the "Cc:" message headers from Gerd's on-list
+ posting into "Cc:" tags in the commit message, in order to pacify
+ "PatchCheck.py"]
+Signed-off-by: Jeevan deep J
+---
+ OvmfPkg/ResetVector/Ia32/AmdSev.asm | 14 +-------------
+ OvmfPkg/ResetVector/Ia32/PageTables64.asm | 17 ++++++++++++++---
+ 2 files changed, 15 insertions(+), 16 deletions(-)
+
+diff --git a/OvmfPkg/ResetVector/Ia32/AmdSev.asm b/OvmfPkg/ResetVector/Ia32/AmdSev.asm
+index e0433cecad57..16ba5833ffcf 100644
+--- a/OvmfPkg/ResetVector/Ia32/AmdSev.asm
++++ b/OvmfPkg/ResetVector/Ia32/AmdSev.asm
+@@ -154,10 +154,6 @@ SevEsUnexpectedRespTerminate:
+
+ ; If SEV-ES is enabled then initialize and make the GHCB page shared
+ SevClearPageEncMaskForGhcbPage:
+- ; Check if SEV is enabled
+- cmp byte[WORK_AREA_GUEST_TYPE], 1
+- jnz SevClearPageEncMaskForGhcbPageExit
+-
+ ; Check if SEV-ES is enabled
+ mov ecx, 1
+ bt [SEV_ES_WORK_AREA_STATUS_MSR], ecx
+@@ -204,20 +200,12 @@ pageTableEntries4kLoop:
+ SevClearPageEncMaskForGhcbPageExit:
+ OneTimeCallRet SevClearPageEncMaskForGhcbPage
+
+-; Check if SEV is enabled, and get the C-bit mask above 31.
++; Get the C-bit mask above 31.
+ ; Modified: EDX
+ ;
+ ; The value is returned in the EDX
+ GetSevCBitMaskAbove31:
+- xor edx, edx
+-
+- ; Check if SEV is enabled
+- cmp byte[WORK_AREA_GUEST_TYPE], 1
+- jnz GetSevCBitMaskAbove31Exit
+-
+ mov edx, dword[SEV_ES_WORK_AREA_ENC_MASK + 4]
+-
+-GetSevCBitMaskAbove31Exit:
+ OneTimeCallRet GetSevCBitMaskAbove31
+
+ %endif
+diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
+index 166e80293c89..84a7b4efc019 100644
+--- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm
++++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
+@@ -118,15 +118,26 @@ SetCr3ForPageTables64:
+
+ ; Check whether the SEV is active and populate the SevEsWorkArea
+ OneTimeCall CheckSevFeatures
++ cmp byte[WORK_AREA_GUEST_TYPE], 1
++ jz SevInit
+
++ ;
++ ; normal (non-CoCo) workflow
++ ;
++ ClearOvmfPageTables
++ CreatePageTables4Level 0
++ jmp SetCr3
++
++SevInit:
++ ;
++ ; SEV workflow
++ ;
++ ClearOvmfPageTables
+ ; If SEV is enabled, the C-bit position is always above 31.
+ ; The mask will be saved in the EDX and applied during the
+ ; the page table build below.
+ OneTimeCall GetSevCBitMaskAbove31
+-
+- ClearOvmfPageTables
+ CreatePageTables4Level edx
+-
+ ; Clear the C-bit from the GHCB page if the SEV-ES is enabled.
+ OneTimeCall SevClearPageEncMaskForGhcbPage
+ jmp SetCr3
+--
+2.43.0
+
diff --git a/0126-OvmfPkg-ResetVector-add-5-level-paging-support.patch b/0126-OvmfPkg-ResetVector-add-5-level-paging-support.patch
new file mode 100644
index 0000000..7ee668f
--- /dev/null
+++ b/0126-OvmfPkg-ResetVector-add-5-level-paging-support.patch
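Review bot: The new dispatch `cmp byte[WORK_AREA_GUEST_TYPE], 1` / `jz SevInit` in the PageTables64.asm hunk encodes the SEV guest type as a bare literal, while the TDX branch of the same routine compares against the named constants TDX_BSP and TDX_AP, and the guard removed in the previous patch used VM_GUEST_TDX. This byte now decides whether the early page tables are built with or without the C-bit, so a wrong literal could quietly produce unencrypted mappings in an SEV guest; a named `%define` for the SEV guest type, used at this compare, would make the branch easier to audit. The dropped `xor edx, edx` in GetSevCBitMaskAbove31 is only correct because the routine is now reached solely from SevInit, which its header should state, e.g. `; Only valid on the SEV workflow; EDX is not zeroed for other guest types.`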
@@ -0,0 +1,179 @@
+From 9b2b1567fb0229b4744b2a8ec9c4586816be36da Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Fri, 1 Mar 2024 08:43:58 +0100
+Subject: [PATCH 11/31] OvmfPkg/ResetVector: add 5-level paging support
+
+commit 49b7faba1d6e29bd6238d6b85de22b2c3fca4d12 upstream
+
+Add macros to check for 5-level paging and gigabyte page support.
+Enable 5-level paging for the non-confidential-computing case.
+
+Signed-off-by: Gerd Hoffmann
+Message-Id: <20240301074402.98625-7-kraxel@redhat.com>
+Reviewed-by: Laszlo Ersek
+Cc: Jiewen Yao
+Cc: Oliver Steffen
+Cc: Michael Roth
+Cc: Erdem Aktas
+Cc: Min Xu
+Cc: Ard Biesheuvel
+Cc: Tom Lendacky
+[lersek@redhat.com: turn the "Cc:" message headers from Gerd's on-list
+ posting into "Cc:" tags in the commit message, in order to pacify
+ "PatchCheck.py"]
+Signed-off-by: Jeevan deep J
+---
+ OvmfPkg/ResetVector/Ia32/PageTables64.asm | 100 ++++++++++++++++++++++
+ OvmfPkg/ResetVector/ResetVector.inf | 1 +
+ OvmfPkg/ResetVector/ResetVector.nasmb | 1 +
+ 3 files changed, 102 insertions(+)
+
+diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
+index 84a7b4efc019..2d7fd523e4b1 100644
+--- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm
++++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
+@@ -101,6 +101,97 @@ BITS 32
+ loop .pageTableEntriesLoop4Level
+ %endmacro
+
++;
++; Check whenever 5-level paging can be used
++;
++; Argument: jump label for 4-level paging
++;
++%macro Check5LevelPaging 1
++ ; check for cpuid leaf 0x07
++ mov eax, 0x00
++ cpuid
++ cmp eax, 0x07
++ jb %1
++
++ ; check for la57 (aka 5-level paging)
++ mov eax, 0x07
++ mov ecx, 0x00
++ cpuid
++ bt ecx, 16
++ jnc %1
++
++ ; check for cpuid leaf 0x80000001
++ mov eax, 0x80000000
++ cpuid
++ cmp eax, 0x80000001
++ jb %1
++
++ ; check for 1g pages
++ mov eax, 0x80000001
++ cpuid
++ bt edx, 26
++ jnc %1
++%endmacro
++
++;
++; Create page tables for 5-level paging with gigabyte pages
++;
++; Argument: upper 32 bits of the
page table entries ++; ++; We have 6 pages available for the early page tables, ++; we use four of them: ++; PT_ADDR(0) - level 5 directory ++; PT_ADDR(0x1000) - level 4 directory ++; PT_ADDR(0x2000) - level 2 directory (0 -> 1GB) ++; PT_ADDR(0x3000) - level 3 directory ++; ++; The level 2 directory for the first gigabyte has the same ++; physical address in both 4-level and 5-level paging mode, ++; SevClearPageEncMaskForGhcbPage depends on this. ++; ++; The 1 GB -> 4 GB range is mapped using 1G pages in the ++; level 3 directory. ++; ++%macro CreatePageTables5Level 1 ++ ; level 5 ++ mov dword[PT_ADDR (0)], PT_ADDR (0x1000) + PAGE_PDE_DIRECTORY_ATTR ++ mov dword[PT_ADDR (4)], %1 ++ ++ ; level 4 ++ mov dword[PT_ADDR (0x1000)], PT_ADDR (0x3000) + PAGE_PDE_DIRECTORY_ATTR ++ mov dword[PT_ADDR (0x1004)], %1 ++ ++ ; level 3 (1x -> level 2, 3x 1GB) ++ mov dword[PT_ADDR (0x3000)], PT_ADDR (0x2000) + PAGE_PDE_DIRECTORY_ATTR ++ mov dword[PT_ADDR (0x3004)], %1 ++ mov dword[PT_ADDR (0x3008)], (1 << 30) + PAGE_PDE_LARGEPAGE_ATTR ++ mov dword[PT_ADDR (0x300c)], %1 ++ mov dword[PT_ADDR (0x3010)], (2 << 30) + PAGE_PDE_LARGEPAGE_ATTR ++ mov dword[PT_ADDR (0x3014)], %1 ++ mov dword[PT_ADDR (0x3018)], (3 << 30) + PAGE_PDE_LARGEPAGE_ATTR ++ mov dword[PT_ADDR (0x301c)], %1 ++ ++ ; ++ ; level 2 (512 * 2MB entries => 1GB) ++ ; ++ mov ecx, 0x200 ++.pageTableEntriesLoop5Level: ++ mov eax, ecx ++ dec eax ++ shl eax, 21 ++ add eax, PAGE_PDE_LARGEPAGE_ATTR ++ mov dword[ecx * 8 + PT_ADDR (0x2000 - 8)], eax ++ mov dword[(ecx * 8 + PT_ADDR (0x2000 - 8)) + 4], %1 ++ loop .pageTableEntriesLoop5Level ++%endmacro ++ ++%macro Enable5LevelPaging 0 ++ ; set la57 bit in cr4 ++ mov eax, cr4 ++ bts eax, 12 ++ mov cr4, eax ++%endmacro ++ + ; + ; Modified: EAX, EBX, ECX, EDX + ; +@@ -125,6 +216,13 @@ SetCr3ForPageTables64: + ; normal (non-CoCo) workflow + ; + ClearOvmfPageTables ++%if PG_5_LEVEL ++ Check5LevelPaging Paging4Level ++ CreatePageTables5Level 0 ++ Enable5LevelPaging ++ jmp SetCr3 ++Paging4Level: 
++%endif
+ CreatePageTables4Level 0
+ jmp SetCr3
+
+@@ -152,6 +250,8 @@ TdxBspInit:
+ jmp SetCr3
+
+ SetCr3:
++ ;
++ ; common workflow
+ ;
+ ; Set CR3 now that the paging structures are available
+ ;
+diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/ResetVector.inf
+index 5dfba883f349..8b2053819159 100644
+--- a/OvmfPkg/ResetVector/ResetVector.inf
++++ b/OvmfPkg/ResetVector/ResetVector.inf
+@@ -68,3 +68,4 @@
+ gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableSize
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize
++ gEfiMdeModulePkgTokenSpaceGuid.PcdUse5LevelPageTable
+diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/ResetVector.nasmb
+index da4068b7c582..d0878e855b3b 100644
+--- a/OvmfPkg/ResetVector/ResetVector.nasmb
++++ b/OvmfPkg/ResetVector/ResetVector.nasmb
+@@ -49,6 +49,7 @@
+
+ %define WORK_AREA_GUEST_TYPE (FixedPcdGet32 (PcdOvmfWorkAreaBase))
+ %define PT_ADDR(Offset) (FixedPcdGet32 (PcdOvmfSecPageTablesBase) + (Offset))
++%define PG_5_LEVEL (FixedPcdGetBool (PcdUse5LevelPageTable))
+
+ %define GHCB_PT_ADDR (FixedPcdGet32 (PcdOvmfSecGhcbPageTableBase))
+ %define GHCB_BASE (FixedPcdGet32 (PcdOvmfSecGhcbBase))
+--
+2.43.0
+
diff --git a/0127-OvmfPkg-ResetVector-print-post-codes-for-4-5-level-p.patch b/0127-OvmfPkg-ResetVector-print-post-codes-for-4-5-level-p.patch
new file mode 100644
index 0000000..663a170
--- /dev/null
+++ b/0127-OvmfPkg-ResetVector-print-post-codes-for-4-5-level-p.patch
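Review bot: Check5LevelPaging executes cpuid four times and therefore clobbers EAX, EBX, ECX and EDX, but its header lacks the `; Modified:` line this file uses for its other routines (the `; Modified: EAX, EBX, ECX, EDX` header that follows the new macros, and `; Modified: EDX` on GetSevCBitMaskAbove31). Add `; Modified: EAX, EBX, ECX, EDX` to the macro header, because a caller holding a live value in EDX the way the SEV workflow does would lose it if the macro were ever reused there. While at it, `; Check whenever 5-level paging can be used` should read `whether`. Note that on this path the decision is taken purely from CPUID as reported by the hypervisor, which is acceptable for the non-CoCo workflow the macro is currently limited to.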
@@ -0,0 +1,55 @@ +From b9affbe53df779bb1e6513462824b1f18cf851cb Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Fri, 1 Mar 2024 08:43:59 +0100 +Subject: [PATCH 12/31] OvmfPkg/ResetVector: print post codes for 4/5 level + paging + +commit 318b0d714a7ef184ceb445d16f63c9687e89b10e upstream + +Signed-off-by: Gerd Hoffmann +Reviewed-by: Laszlo Ersek +Message-Id: <20240301074402.98625-8-kraxel@redhat.com> +Cc: Jiewen Yao +Cc: Oliver Steffen +Cc: Michael Roth +Cc: Erdem Aktas +Cc: Min Xu +Cc: Ard Biesheuvel +Cc: Tom Lendacky +[lersek@redhat.com: turn the "Cc:" message headers from Gerd's on-list + posting into "Cc:" tags in the commit message, in order to pacify + "PatchCheck.py"] +Signed-off-by: Jeevan deep J +--- + OvmfPkg/ResetVector/Ia32/PageTables64.asm | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVector/Ia32/PageTables64.asm +index 2d7fd523e4b1..e15945da0476 100644 +--- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm ++++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm +@@ -69,6 +69,10 @@ BITS 32 + ; Argument: upper 32 bits of the page table entries + ; + %macro CreatePageTables4Level 1 ++ ++ ; indicate 4-level paging ++ debugShowPostCode 0x41 ++ + ; + ; Top level Page Directory Pointers (1 * 512GB entry) + ; +@@ -153,6 +157,10 @@ BITS 32 + ; level 3 directory. + ; + %macro CreatePageTables5Level 1 ++ ++ ; indicate 5-level paging ++ debugShowPostCode 0x51 ++ + ; level 5 + mov dword[PT_ADDR (0)], PT_ADDR (0x1000) + PAGE_PDE_DIRECTORY_ATTR + mov dword[PT_ADDR (4)], %1 +-- +2.43.0 + diff --git a/0128-OvmfPkg-ResetVector-wire-up-5-level-paging-for-TDX.patch b/0128-OvmfPkg-ResetVector-wire-up-5-level-paging-for-TDX.patch new file mode 100644 index 0000000..72c3b27 --- /dev/null +++ b/0128-OvmfPkg-ResetVector-wire-up-5-level-paging-for-TDX.patch 
@@ -0,0 +1,112 @@
+From f6415e3c9410982a1a5077aab5e21164412a5b9c Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Fri, 1 Mar 2024 08:44:00 +0100
+Subject: [PATCH 13/31] OvmfPkg/ResetVector: wire up 5-level paging for TDX
+
+commit 275d0a39c42ad73a6e4929822f56f5d8c16ede96 upstream
+
+BSP workflow is quite simliar to the non-coco case.
+
+TDX_WORK_AREA_PGTBL_READY is used to record the paging mode:
+ 1 == 4-level paging
+ 2 == 5-level paging
+
+APs will look at TDX_WORK_AREA_PGTBL_READY to figure whenever
+they should enable 5-level paging or not.
+
+Signed-off-by: Gerd Hoffmann
+Message-Id: <20240301074402.98625-9-kraxel@redhat.com>
+Reviewed-by: Laszlo Ersek
+[lersek@redhat.com: move "CheckForSev:" label into "%if PG_5_LEVEL" scope,
+ as discussed with Gerd]
+Cc: Jiewen Yao
+Cc: Oliver Steffen
+Cc: Michael Roth
+Cc: Erdem Aktas
+Cc: Min Xu
+Cc: Ard Biesheuvel
+Cc: Tom Lendacky
+[lersek@redhat.com: turn the "Cc:" message headers from Gerd's on-list
+ posting into "Cc:" tags in the commit message, in order to pacify
+ "PatchCheck.py"]
+Signed-off-by: Jeevan deep J
+---
+ OvmfPkg/ResetVector/Ia32/IntelTdx.asm | 13 ++++++++++++-
+ OvmfPkg/ResetVector/Ia32/PageTables64.asm | 16 ++++++++++++++++
+ 2 files changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/OvmfPkg/ResetVector/Ia32/IntelTdx.asm b/OvmfPkg/ResetVector/Ia32/IntelTdx.asm
+index c6b86019dfb9..7d775591a05b 100644
+--- a/OvmfPkg/ResetVector/Ia32/IntelTdx.asm
++++ b/OvmfPkg/ResetVector/Ia32/IntelTdx.asm
+@@ -179,7 +179,7 @@ InitTdx:
+ ;
+ ; Modified: EAX, EDX
+ ;
+-; 0-NonTdx, 1-TdxBsp, 2-TdxAps
++; 0-NonTdx, 1-TdxBsp, 2-TdxAps, 3-TdxAps5Level
+ ;
+ CheckTdxFeaturesBeforeBuildPagetables:
+ xor eax, eax
+@@ -200,6 +200,17 @@ TdxPostBuildPageTables:
+ mov byte[TDX_WORK_AREA_PGTBL_READY], 1
+ OneTimeCallRet TdxPostBuildPageTables
+
++%if PG_5_LEVEL
++
++;
++; Set byte[TDX_WORK_AREA_PGTBL_READY] to 2
++;
++TdxPostBuildPageTables5Level:
++ mov byte[TDX_WORK_AREA_PGTBL_READY], 2
++ OneTimeCallRet
TdxPostBuildPageTables5Level
++
++%endif
++
+ ;
+ ; Check if TDX is enabled
+ ;
+diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
+index e15945da0476..474d22dbfa48 100644
+--- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm
++++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
+@@ -44,6 +44,7 @@ BITS 32
+
+ %define TDX_BSP 1
+ %define TDX_AP 2
++%define TDX_AP_5_LEVEL 3
+
+ ;
+ ; For OVMF, build some initial page tables at
+@@ -214,6 +215,13 @@ SetCr3ForPageTables64:
+ je TdxBspInit
+ cmp eax, TDX_AP
+ je SetCr3
++%if PG_5_LEVEL
++ cmp eax, TDX_AP_5_LEVEL
++ jne CheckForSev
++ Enable5LevelPaging
++ jmp SetCr3
++CheckForSev:
++%endif
+
+ ; Check whether the SEV is active and populate the SevEsWorkArea
+ OneTimeCall CheckSevFeatures
+@@ -253,6 +261,14 @@ TdxBspInit:
+ ; TDX BSP workflow
+ ;
+ ClearOvmfPageTables
++%if PG_5_LEVEL
++ Check5LevelPaging Tdx4Level
++ CreatePageTables5Level 0
++ OneTimeCall TdxPostBuildPageTables5Level
++ Enable5LevelPaging
++ jmp SetCr3
++Tdx4Level:
++%endif
+ CreatePageTables4Level 0
+ OneTimeCall TdxPostBuildPageTables
+ jmp SetCr3
+--
+2.43.0
+
diff --git a/0129-OvmfPkg-ResetVector-Clear-SEV-encryption-bit-for-non.patch b/0129-OvmfPkg-ResetVector-Clear-SEV-encryption-bit-for-non.patch
new file mode 100644
index 0000000..5360274
--- /dev/null
+++ b/0129-OvmfPkg-ResetVector-Clear-SEV-encryption-bit-for-non.patch
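Review bot: The meaning of the values written to TDX_WORK_AREA_PGTBL_READY (1 for 4-level and 2 for 5-level paging, per the commit message) is recorded nowhere in the code; the two routines in the IntelTdx.asm hunk only say `Set byte[TDX_WORK_AREA_PGTBL_READY] to 1` and `to 2`, while the AP side consumes the value through the new TDX_AP_5_LEVEL return code and then sets CR4.LA57 via Enable5LevelPaging. A comment at the first routine, such as `; TDX_WORK_AREA_PGTBL_READY records the paging mode chosen by the BSP: 1 = 4-level, 2 = 5-level. APs read it to decide whether to enable LA57.`, would tie producer and consumer together. The mapping from the byte value 2 to the TDX_AP_5_LEVEL return value has to live in CheckTdxFeaturesBeforeBuildPagetables, whose body is outside this hunk, so it cannot be checked here.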
@@ -0,0 +1,118 @@
+From 8429651cee6cbd858013cf706d1b9fec0c4e6aca Mon Sep 17 00:00:00 2001
+From: Michael Roth
+Date: Thu, 2 May 2024 13:49:21 +0200
+Subject: [PATCH 14/31] OvmfPkg/ResetVector: Clear SEV encryption bit for
+ non-leaf PTEs
+
+commit fd290ab8628478c62c32c972fc16b86b6c3372ce upstream
+
+Future changes will make use of CpuPageTableLib to handle splitting
+page table mappings during SEC phase. While it's not strictly required
+by hardware, CpuPageTableLib relies on non-leaf PTEs never having the
+encryption bit set, so go ahead change the page table setup code to
+satisfy this expectation.
+
+Suggested-by: Tom Lendacky
+Cc: Ard Biesheuvel
+Cc: Gerd Hoffmann
+Cc: Erdem Aktas
+Cc: Jiewen Yao
+Cc: Min Xu
+Cc: Tom Lendacky
+Signed-off-by: Michael Roth
+Reviewed-by: Gerd Hoffmann
+Signed-off-by: Jeevan deep J
+---
+ OvmfPkg/ResetVector/Ia32/AmdSev.asm | 5 ++++-
+ OvmfPkg/ResetVector/Ia32/PageTables64.asm | 20 ++++++++++----------
+ 2 files changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/OvmfPkg/ResetVector/Ia32/AmdSev.asm b/OvmfPkg/ResetVector/Ia32/AmdSev.asm
+index 16ba5833ffcf..7f942178d50f 100644
+--- a/OvmfPkg/ResetVector/Ia32/AmdSev.asm
++++ b/OvmfPkg/ResetVector/Ia32/AmdSev.asm
+@@ -162,11 +162,14 @@ SevClearPageEncMaskForGhcbPage:
+ ;
+ ; The initial GHCB will live at GHCB_BASE and needs to be un-encrypted.
+ ; This requires the 2MB page for this range be broken down into 512 4KB
+- ; pages. All will be marked encrypted, except for the GHCB.
++ ; pages. All will be marked encrypted, except for the GHCB. Since the
++ ; original PMD entry is no longer a leaf entry, remove the encryption
++ ; bit when pointing to the PTE page.
+ ; + mov ecx, (GHCB_BASE >> 21) + mov eax, GHCB_PT_ADDR + PAGE_PDP_ATTR + mov [ecx * 8 + PT_ADDR (0x2000)], eax ++ mov [ecx * 8 + PT_ADDR (0x2000) + 4], strict dword 0 + + ; + ; Page Table Entries (512 * 4KB entries => 2MB) +diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVector/Ia32/PageTables64.asm +index 474d22dbfa48..d913a39d4693 100644 +--- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm ++++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm +@@ -67,7 +67,7 @@ BITS 32 + ; + ; Create page tables for 4-level paging + ; +-; Argument: upper 32 bits of the page table entries ++; Argument: upper 32 bits of the leaf page table entries + ; + %macro CreatePageTables4Level 1 + +@@ -78,19 +78,19 @@ BITS 32 + ; Top level Page Directory Pointers (1 * 512GB entry) + ; + mov dword[PT_ADDR (0)], PT_ADDR (0x1000) + PAGE_PDE_DIRECTORY_ATTR +- mov dword[PT_ADDR (4)], %1 ++ mov dword[PT_ADDR (4)], 0 + + ; + ; Next level Page Directory Pointers (4 * 1GB entries => 4GB) + ; + mov dword[PT_ADDR (0x1000)], PT_ADDR (0x2000) + PAGE_PDE_DIRECTORY_ATTR +- mov dword[PT_ADDR (0x1004)], %1 ++ mov dword[PT_ADDR (0x1004)], 0 + mov dword[PT_ADDR (0x1008)], PT_ADDR (0x3000) + PAGE_PDE_DIRECTORY_ATTR +- mov dword[PT_ADDR (0x100C)], %1 ++ mov dword[PT_ADDR (0x100C)], 0 + mov dword[PT_ADDR (0x1010)], PT_ADDR (0x4000) + PAGE_PDE_DIRECTORY_ATTR +- mov dword[PT_ADDR (0x1014)], %1 ++ mov dword[PT_ADDR (0x1014)], 0 + mov dword[PT_ADDR (0x1018)], PT_ADDR (0x5000) + PAGE_PDE_DIRECTORY_ATTR +- mov dword[PT_ADDR (0x101C)], %1 ++ mov dword[PT_ADDR (0x101C)], 0 + + ; + ; Page Table Entries (2048 * 2MB entries => 4GB) +@@ -141,7 +141,7 @@ BITS 32 + ; + ; Create page tables for 5-level paging with gigabyte pages + ; +-; Argument: upper 32 bits of the page table entries ++; Argument: upper 32 bits of the leaf page table entries + ; + ; We have 6 pages available for the early page tables, + ; we use four of them: +@@ -164,15 +164,15 @@ BITS 32 + + ; level 5 + mov dword[PT_ADDR (0)], PT_ADDR (0x1000) 
+ PAGE_PDE_DIRECTORY_ATTR +- mov dword[PT_ADDR (4)], %1 ++ mov dword[PT_ADDR (4)], 0 + + ; level 4 + mov dword[PT_ADDR (0x1000)], PT_ADDR (0x3000) + PAGE_PDE_DIRECTORY_ATTR +- mov dword[PT_ADDR (0x1004)], %1 ++ mov dword[PT_ADDR (0x1004)], 0 + + ; level 3 (1x -> level 2, 3x 1GB) + mov dword[PT_ADDR (0x3000)], PT_ADDR (0x2000) + PAGE_PDE_DIRECTORY_ATTR +- mov dword[PT_ADDR (0x3004)], %1 ++ mov dword[PT_ADDR (0x3004)], 0 + mov dword[PT_ADDR (0x3008)], (1 << 30) + PAGE_PDE_LARGEPAGE_ATTR + mov dword[PT_ADDR (0x300c)], %1 + mov dword[PT_ADDR (0x3010)], (2 << 30) + PAGE_PDE_LARGEPAGE_ATTR +-- +2.43.0 + diff --git a/0130-OvmfPkg-AmdSev-Reorder-MEMFD-pages-to-match-the-orde.patch b/0130-OvmfPkg-AmdSev-Reorder-MEMFD-pages-to-match-the-orde.patch new file mode 100644 index 0000000..178da72 --- /dev/null +++ b/0130-OvmfPkg-AmdSev-Reorder-MEMFD-pages-to-match-the-orde.patch 
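Review bot: The new `mov [ecx * 8 + PT_ADDR (0x2000) + 4], strict dword 0` in SevClearPageEncMaskForGhcbPage, and the `%1` to `0` changes on the directory entries in both macros, clear the encryption bit only because the mask is assumed to live entirely in the upper dword; that invariant is stated in the SEV workflow (`the C-bit position is always above 31`) but not at these stores. A one-line comment at the AmdSev.asm store, e.g. `; C-bit is always above bit 31 (see GetSevCBitMaskAbove31), so zeroing the upper dword suffices`, would keep the two in step. The commit message says hardware does not require the C-bit on non-leaf entries; as far as I can tell that is because SEV guest page-table walks treat the table pages as private regardless of the bit, but it deserves a short comment so a reader does not take the zeroed upper dwords as exposing the page tables to the host.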
@@ -0,0 +1,113 @@
+From f6c0f03bd9719975eccfeec5bf7eb0fb07f1da1b Mon Sep 17 00:00:00 2001
+From: Dov Murik
+Date: Mon, 28 Mar 2022 18:00:02 +0000
+Subject: [PATCH 15/31] OvmfPkg/AmdSev: Reorder MEMFD pages to match the order
+ in OvmfPkgX64.fdf
+
+commit 6436d9b6939ab2e390b5de71798b288e17d85a3a upstream
+
+Resize the MEMFD section of AmdSevX64.fdf and reorder its pages so that
+it matches the same size and order used in OvmfPkgX64.fdf.
+
+After this change, this is the difference in the MEMFD of the two
+targets:
+
+\$ diff -u \
+\ <(sed -ne '/FD.MEMFD/,/FV.SECFV/p' OvmfPkg/OvmfPkgX64.fdf) \
+\ <(sed -ne '/FD.MEMFD/,/FV.SECFV/p' OvmfPkg/AmdSev/AmdSevX64.fdf)
+\--- /dev/fd/63 2023-02-16 07:06:15.365308683 +0000
+\+++ /dev/fd/62 2023-02-16 07:06:15.365308683 +0000
+\@@ -32,6 +32,12 @@
+\ 0x00E000|0x001000
+\ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize
+\
+\+0x00F000|0x000C00
+\+gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize
+\+
+\+0x00FC00|0x000400
+\+gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase|gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableSize
+\+
+\ 0x010000|0x010000
+\ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
+
+[Backport Changes]
+The current upstream commit message contains contextual diff information (lines 11-27) that is incorrectly
+interpreted as actual patch data by the patch command during edk2.spec file build, causing build failure.
+To resolve this, the problematic lines have been commented out by adding "\" at the beginning of each line,
+preventing misinterpretation while preserving the original commit message.
+
+Signed-off-by: Dov Murik
+Acked-by: Tom Lendacky
+Acked-by: Gerd Hoffmann
+Signed-off-by: PKumarAditya
+---
+ OvmfPkg/AmdSev/AmdSevX64.fdf | 27 ++++++++++++++-------------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
+index 0bf87be2e336..609e24164b16 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
+@@ -36,10 +36,10 @@ FV = SECFV
+
+ [FD.MEMFD]
+ BaseAddress = $(MEMFD_BASE_ADDRESS)
+-Size = 0xD00000
++Size = 0xE00000
+ ErasePolarity = 1
+ BlockSize = 0x10000
+-NumBlocks = 0xD0
++NumBlocks = 0xE0
+
+ 0x000000|0x006000
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesSize
+@@ -59,21 +59,21 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmf
+ 0x00B000|0x001000
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaSize
+
+-0x00C000|0x000C00
+-gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize
+-
+-0x00CC00|0x000400
+-gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase|gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableSize
+-
+-0x00D000|0x001000
++0x00C000|0x001000
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupSize
+
+-0x00E000|0x001000
++0x00D000|0x001000
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize
+
+-0x00F000|0x001000
++0x00E000|0x001000
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize
+
++0x00F000|0x000C00
++gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize
++
++0x00FC00|0x000400
++gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase|gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableSize
++
+ 0x010000|0x002000
+
gUefiOvmfPkgTokenSpaceGuid.PcdCsvDefaultSecureCallBase|gUefiOvmfPkgTokenSpaceGuid.PcdCsvDefaultSecureCallSize + +@@ -90,12 +90,13 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.P + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvSize + FV = PEIFV + +-0x100000|0xC00000 ++0x100000|0xD00000 + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvSize + FV = DXEFV + + ########################################################################################## +-# Set the SEV-ES specific work area PCDs ++# Set the SEV-ES specific work area PCDs (used for all forms of SEV since the ++# the SEV STATUS MSR is now saved in the work area) + # + SET gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase = $(MEMFD_BASE_ADDRESS) + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader + SET gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize = gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaSize - gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader +-- +2.43.0 + diff --git a/0131-OvmfPkg-exclude-NullMemoryTestDxe-driver.patch b/0131-OvmfPkg-exclude-NullMemoryTestDxe-driver.patch new file mode 100644 index 0000000..87e0d43 --- /dev/null +++ b/0131-OvmfPkg-exclude-NullMemoryTestDxe-driver.patch 
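Review bot: The new comment in the AmdSevX64.fdf hunk reads `# Set the SEV-ES specific work area PCDs (used for all forms of SEV since the` followed by `# the SEV STATUS MSR is now saved in the work area)`, which duplicates `the` across the line break; drop one of them. The `[Backport Changes]` note says the diff excerpt in the commit message was `commented out`, but the lines are only prefixed with `\` and remain part of the message, so `escaped` would describe it accurately. The resize itself is internally consistent: `Size = 0xE00000` equals the 0x100000 DXEFV base plus the new 0xD00000 DXEFV size, and the launch-secret and hash-table pages keep their sizes while moving to 0x00F000 and 0x00FC00.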
@@ -0,0 +1,295 @@
+From 05b8bf0f3c4060b6aa4622e9c4d1fa23ad083b68 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek
+Date: Sat, 11 Nov 2023 00:57:59 +0100
+Subject: [PATCH 16/31] OvmfPkg: exclude NullMemoryTestDxe driver
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit d7e41ce3409366f1faed7016fdc4a2cd2ed61918 upstream.
+
+NullMemoryTestDxe was included in the OVMF platforms in historical commit
+999a815e9ff3 ("OvmfPkg: Add NullMemoryTestDxe driver", 2011-01-21). It
+produces gEfiGenericMemTestProtocolGuid. With LegacyBiosDxe gone, the only
+consumer of this protocol in all of edk2 is
+"EmulatorPkg/Library/PlatformBmLib/PlatformBmMemoryTest.c". Thus, exclude
+NullMemoryTestDxe from all OVMF platforms.
+
+(Notably, ArmVirtPkg platforms don't include NullMemoryTestDxe either.)
+
+Cc: Anatol Belski
+Cc: Andrei Warkentin
+Cc: Anthony Perard
+Cc: Ard Biesheuvel
+Cc: Corvin Köhne
+Cc: Erdem Aktas
+Cc: Gerd Hoffmann
+Cc: Jianyong Wu
+Cc: Jiewen Yao
+Cc: Michael Roth
+Cc: Min Xu
+Cc: Rebecca Cran
+Cc: Sunil V L
+Cc: Tom Lendacky
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=4588
+Signed-off-by: Laszlo Ersek
+Message-Id: <20231110235820.644381-17-lersek@redhat.com>
+Reviewed-by: Jiewen Yao
+Reviewed-by: Ard Biesheuvel
+Acked-by: Corvin Köhne
+Acked-by: Gerd Hoffmann
+Signed-off-by: Jeevan Deep J
+---
+ OvmfPkg/AmdSev/AmdSevX64.dsc | 1 -
+ OvmfPkg/AmdSev/AmdSevX64.fdf | 1 -
+ OvmfPkg/Bhyve/BhyveX64.dsc | 1 -
+ OvmfPkg/Bhyve/BhyveX64.fdf | 1 -
+ OvmfPkg/CloudHv/CloudHvX64.dsc | 1 -
+ OvmfPkg/CloudHv/CloudHvX64.fdf | 1 -
+ OvmfPkg/IntelTdx/IntelTdxX64.dsc | 1 -
+ OvmfPkg/IntelTdx/IntelTdxX64.fdf | 1 -
+ OvmfPkg/Microvm/MicrovmX64.dsc | 1 -
+ OvmfPkg/Microvm/MicrovmX64.fdf | 1 -
+ OvmfPkg/OvmfPkgIa32.dsc | 1 -
+ OvmfPkg/OvmfPkgIa32.fdf | 1 -
+ Ov Scheduled
+ OvmfPkg/OvmfPkgIa32X64.dsc | 1 -
+ OvmfPkg/OvmfPkgIa32X64.fdf | 1 -
+ OvmfPkg/OvmfPkgX64.dsc | 1 -
+ OvmfPkg/OvmfPkgX64.fdf | 1 -
+ OvmfPkg/OvmfXen.dsc | 1 -
+ OvmfPkg/OvmfXen.fdf | 1
-
+ OvmfPkg/RiscVVirt/RiscVVirtQemu.fdf | 2 --
+ 19 files changed, 20 deletions(-)
+
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
+index 29705131d424..2f900f83a2e1 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
+@@ -692,7 +692,6 @@
+ MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+ MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+ MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+- MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
+
+ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
+index 609e24164b16..e0e9d49cd3d7 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
+@@ -267,7 +267,6 @@ INF MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
+ INF MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+ INF MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+ INF MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+-INF MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
+
+ INF OvmfPkg/SioBusDxe/SioBusDxe.inf
+ !if $(SOURCE_DEBUG_ENABLE) == FALSE
+diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc
+index 82c60ace1bbd..f313c430f425 100644
+--- a/OvmfPkg/Bhyve/BhyveX64.dsc
++++ b/OvmfPkg/Bhyve/BhyveX64.dsc
+@@ -715,7 +715,6 @@
+ MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+ MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+ MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+- MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
+
+ OvmfPkg/Bhyve/BhyveRfbDxe/BhyveRfbDxe.inf {
+
+diff --git a/OvmfPkg/Bhyve/BhyveX64.fdf b/OvmfPkg/Bhyve/BhyveX64.fdf
+index 282586fa81ec..157c85ab483c 100644
+--- a/OvmfPkg/Bhyve/BhyveX64.fdf
++++ b/OvmfPkg/Bhyve/BhyveX64.fdf
+@@ -249,7 +249,6 @@ INF
MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
+ INF MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+ INF MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+ INF MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+-INF MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
+
+
+ INF OvmfPkg/SioBusDxe/SioBusDxe.inf
+diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc b/OvmfPkg/CloudHv/CloudHvX64.dsc
+index e000deed9e4d..65fdf4aed73d 100644
+--- a/OvmfPkg/CloudHv/CloudHvX64.dsc
++++ b/OvmfPkg/CloudHv/CloudHvX64.dsc
+@@ -795,7 +795,6 @@
+ MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+ MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+ MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+- MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
+
+ #
+ # Serial Support
+diff --git a/OvmfPkg/CloudHv/CloudHvX64.fdf b/OvmfPkg/CloudHv/CloudHvX64.fdf
+index 387f305ed8cf..eac6557e6b74 100644
+--- a/OvmfPkg/CloudHv/CloudHvX64.fdf
++++ b/OvmfPkg/CloudHv/CloudHvX64.fdf
+@@ -269,7 +269,6 @@ INF MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
+ INF MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+ INF MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+ INF MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+-INF MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
+
+ INF MdeModulePkg/Universal/SerialDxe/SerialDxe.inf
+
+diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
+index 020d12e28a65..3c76682dda2d 100644
+--- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc
++++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
+@@ -683,7 +683,6 @@
+ MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+ MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+ MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+- MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
+
+ !ifndef $(CSM_ENABLE)
+
OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.fdf b/OvmfPkg/IntelTdx/IntelTdxX64.fdf
+index 69ed7a9bc6f4..69074cfb1e73 100644
+--- a/OvmfPkg/IntelTdx/IntelTdxX64.fdf
++++ b/OvmfPkg/IntelTdx/IntelTdxX64.fdf
+@@ -300,7 +300,6 @@ INF MdeModulePkg/Universal/DriverHealthManagerDxe/DriverHealthManagerDxe.inf
+ INF MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
+ INF MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf
+ INF MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
+-INF MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
+ INF MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KeyboardDxe.inf
+ INF MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf
+ INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
+diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc
+index d2ef1e00a5c2..93bb96d763bb 100644
+--- a/OvmfPkg/Microvm/MicrovmX64.dsc
++++ b/OvmfPkg/Microvm/MicrovmX64.dsc
+@@ -787,7 +787,6 @@
+ MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+ MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+ MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+- MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
+
+ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+diff --git a/OvmfPkg/Microvm/MicrovmX64.fdf b/OvmfPkg/Microvm/MicrovmX64.fdf
+index eda24a3ec9bc..a9b6618ca811 100644
+--- a/OvmfPkg/Microvm/MicrovmX64.fdf
++++ b/OvmfPkg/Microvm/MicrovmX64.fdf
+@@ -236,7 +236,6 @@ INF MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
+ INF MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+ INF MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+ INF MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+-INF MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
+
+ !if $(SOURCE_DEBUG_ENABLE) == FALSE
+ INF MdeModulePkg/Universal/SerialDxe/SerialDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index 6e561690a7f0..1582e2b8b6cf 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -848,7 +848,6 @@
+ MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+ MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+ MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+- MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
+
+ !ifndef $(CSM_ENABLE)
+ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index 4c9be963a74d..41f7c5ceafc4 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
++++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -278,7 +278,6 @@ INF MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
+ INF MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+ INF MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+ INF MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+-INF MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
+
+ INF OvmfPkg/SioBusDxe/SioBusDxe.inf
+ !if $(SOURCE_DEBUG_ENABLE) == FALSE
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index 577583d056a5..3d37a05cbea0 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -866,7 +866,6 @@
+ MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+ MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+ MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+- MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
+
+ !ifndef $(CSM_ENABLE)
+ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index 429c0eb29053..75f58a2bdf2c 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
++++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -279,7 +279,6 @@ INF MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
+ INF MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+ INF
MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + INF MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf +-INF MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf + + INF OvmfPkg/SioBusDxe/SioBusDxe.inf + !if $(SOURCE_DEBUG_ENABLE) == FALSE +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index 9e0184854318..290c22c68816 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -933,7 +933,6 @@ + MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf + MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf +- MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf + + !ifndef $(CSM_ENABLE) + OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf +diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf +index a34b9f574d14..a72a906f3357 100644 +--- a/OvmfPkg/OvmfPkgX64.fdf ++++ b/OvmfPkg/OvmfPkgX64.fdf +@@ -313,7 +313,6 @@ INF MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf + INF MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf + INF MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + INF MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf +-INF MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf + + INF OvmfPkg/SioBusDxe/SioBusDxe.inf + !if $(SOURCE_DEBUG_ENABLE) == FALSE +diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc +index dcb99d1f0bce..a748e4d58e21 100644 +--- a/OvmfPkg/OvmfXen.dsc ++++ b/OvmfPkg/OvmfXen.dsc +@@ -652,7 +652,6 @@ + MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf + MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf +- MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf + + OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf + OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf +diff --git a/OvmfPkg/OvmfXen.fdf b/OvmfPkg/OvmfXen.fdf +index bdff7c52d80a..cf3d63c8a68b 100644 
+--- a/OvmfPkg/OvmfXen.fdf ++++ b/OvmfPkg/OvmfXen.fdf +@@ -286,7 +286,6 @@ INF MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf + INF MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf + INF MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + INF MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf +-INF MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf + + INF OvmfPkg/SioBusDxe/SioBusDxe.inf + !if $(SOURCE_DEBUG_ENABLE) == FALSE +diff --git a/OvmfPkg/RiscVVirt/RiscVVirtQemu.fdf b/OvmfPkg/RiscVVirt/RiscVVirtQemu.fdf +index 40d12e0f4c46..8121b9e57967 100644 +--- a/OvmfPkg/RiscVVirt/RiscVVirtQemu.fdf ++++ b/OvmfPkg/RiscVVirt/RiscVVirtQemu.fdf +@@ -218,8 +218,6 @@ INF MdeModulePkg/Logo/LogoDxe.inf + # + INF MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf + +-#INF MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf +- + ################################################################################ + + [FV.FVMAIN_COMPACT] +-- +2.43.0 + diff --git a/0132-OvmfPkg-switch-AmdSevX64-to-new-shell-include-files.patch b/0132-OvmfPkg-switch-AmdSevX64-to-new-shell-include-files.patch new file mode 100644 index 0000000..a3e22ee --- /dev/null +++ b/0132-OvmfPkg-switch-AmdSevX64-to-new-shell-include-files.patch 
@@ -0,0 +1,111 @@ +From 3ad757261d910843a6e7b1c19f0c72c2e8629b67 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Thu, 22 Feb 2024 11:13:54 +0100 +Subject: [PATCH 17/31] OvmfPkg: switch AmdSevX64 to new shell include files + +commit a7a04437511b325f8d7500145a40882b997f189b upstream. + +Note that AmdSevX64 is compiled without network support, so thanks to +the network conditionals in the include files the build result (network +shell commands excluded) should be identical before and after the patch. + +Signed-off-by: Gerd Hoffmann +Acked-by: Laszlo Ersek +Acked-by: Jiewen Yao +Message-Id: <20240222101358.67818-9-kraxel@redhat.com> +Signed-off-by: Jeevan deep J +--- + OvmfPkg/AmdSev/AmdSevX64.dsc | 32 +++----------------------------- + OvmfPkg/AmdSev/AmdSevX64.fdf | 8 ++------ + 2 files changed, 5 insertions(+), 35 deletions(-) + +diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc +index 2f900f83a2e1..07273c81a5c4 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.dsc ++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc +@@ -194,16 +194,14 @@ + VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf + VariableFlashInfoLib|MdeModulePkg/Library/BaseVariableFlashInfoLib/BaseVariableFlashInfoLib.inf + +-!if $(BUILD_SHELL) == TRUE +- ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf + ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf +-!endif + + SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf + OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf + S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf + + !include OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc ++!include OvmfPkg/Include/Dsc/ShellLibs.dsc.inc + + [LibraryClasses.common] + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf +@@ -732,34 +730,10 @@ + MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf + 
MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf + +-!if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE +- OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf { +- +- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE +- } +-!endif + OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf + OvmfPkg/AmdSev/Grub/Grub.inf +-!if $(BUILD_SHELL) == TRUE +- ShellPkg/Application/Shell/Shell.inf { +- +- ShellCommandLib|ShellPkg/Library/UefiShellCommandLib/UefiShellCommandLib.inf +- NULL|ShellPkg/Library/UefiShellLevel2CommandsLib/UefiShellLevel2CommandsLib.inf +- NULL|ShellPkg/Library/UefiShellLevel1CommandsLib/UefiShellLevel1CommandsLib.inf +- NULL|ShellPkg/Library/UefiShellLevel3CommandsLib/UefiShellLevel3CommandsLib.inf +- NULL|ShellPkg/Library/UefiShellDriver1CommandsLib/UefiShellDriver1CommandsLib.inf +- NULL|ShellPkg/Library/UefiShellDebug1CommandsLib/UefiShellDebug1CommandsLib.inf +- NULL|ShellPkg/Library/UefiShellInstall1CommandsLib/UefiShellInstall1CommandsLib.inf +- HandleParsingLib|ShellPkg/Library/UefiHandleParsingLib/UefiHandleParsingLib.inf +- PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf +- BcfgCommandLib|ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.inf +- +- +- gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0xFF +- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE +- gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000 +- } +-!endif ++ ++!include OvmfPkg/Include/Dsc/ShellComponents.dsc.inc + + OvmfPkg/PlatformDxe/Platform.inf + OvmfPkg/AmdSevDxe/AmdSevDxe.inf { +diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf +index e0e9d49cd3d7..b9e62697b5fb 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.fdf ++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf +@@ -286,14 +286,8 @@ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour + INF FatPkg/EnhancedFatDxe/Fat.inf + INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf + +-!if $(TOOL_CHAIN_TAG) != "XCODE5" && 
$(BUILD_SHELL) == TRUE +-INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf +-!endif + INF OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf + INF OvmfPkg/AmdSev/Grub/Grub.inf +-!if $(BUILD_SHELL) == TRUE +-INF ShellPkg/Application/Shell/Shell.inf +-!endif + + INF MdeModulePkg/Logo/LogoDxe.inf + +@@ -330,6 +324,8 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf + # + !include OvmfPkg/Include/Fdf/OvmfTpmDxe.fdf.inc + ++!include OvmfPkg/Include/Fdf/ShellDxe.fdf.inc ++ + ################################################################################ + + [FV.FVMAIN_COMPACT] +-- +2.43.0 + diff --git a/0133-OvmfPkg-ResetVector-send-post-codes-to-qemu-debug-co.patch b/0133-OvmfPkg-ResetVector-send-post-codes-to-qemu-debug-co.patch new file mode 100644 index 0000000..af45244 --- /dev/null +++ b/0133-OvmfPkg-ResetVector-send-post-codes-to-qemu-debug-co.patch 
@@ -0,0 +1,84 @@ +From 6f5ebea26ac3b9a4dd07925ff210c90d8576e9bf Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Mon, 29 Jan 2024 13:29:29 +0100 +Subject: [PATCH 18/31] OvmfPkg/ResetVector: send post codes to qemu debug + console + +commit 98c7cb3be73d0f15151133abe91bc880a4400794 upstream. + +Neat when doing ResetVector coding. +Incompatible with TDX and SEV, therefore not enabled by default. + +Signed-off-by: Gerd Hoffmann +Acked-by: Tom Lendacky +Acked-by: Erdem Aktas +Reviewed-by: Laszlo Ersek +Message-Id: <20240129122929.349726-1-kraxel@redhat.com> +[lersek@redhat.com: replace "SEV" with "SEV-ES/SEV-SNP" in comment] +Signed-off-by: Jeevan deep J +--- + OvmfPkg/ResetVector/QemuDebugCon.asm | 36 +++++++++++++++++++++++++++ + OvmfPkg/ResetVector/ResetVector.nasmb | 4 +++ + 2 files changed, 40 insertions(+) + create mode 100644 OvmfPkg/ResetVector/QemuDebugCon.asm + +diff --git a/OvmfPkg/ResetVector/QemuDebugCon.asm b/OvmfPkg/ResetVector/QemuDebugCon.asm +new file mode 100644 +index 000000000000..8729fc2ffc0a +--- /dev/null ++++ b/OvmfPkg/ResetVector/QemuDebugCon.asm +@@ -0,0 +1,36 @@ ++;------------------------------------------------------------------------------ ++; @file ++; qemu debug console support macros (based on serial port macros) ++; ++; Copyright (c) 2008 - 2018, Intel Corporation. All rights reserved.
++; Copyright (c) 2024, Red Hat, Inc.
++; SPDX-License-Identifier: BSD-2-Clause-Patent ++; ++;------------------------------------------------------------------------------ ++ ++%macro debugShowCharacter 1 ++ mov dx, 0x402 ++ mov al, %1 ++ out dx, al ++%endmacro ++ ++%macro debugShowHexDigit 1 ++ %if (%1 < 0xa) ++ debugShowCharacter BYTE ('0' + (%1)) ++ %else ++ debugShowCharacter BYTE ('a' + ((%1) - 0xa)) ++ %endif ++%endmacro ++ ++%macro debugShowPostCode 1 ++ debugShowHexDigit (((%1) >> 4) & 0xf) ++ debugShowHexDigit ((%1) & 0xf) ++ debugShowCharacter `\r` ++ debugShowCharacter `\n` ++%endmacro ++ ++BITS 16 ++ ++%macro debugInitialize 0 ++ ; not required ++%endmacro +diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/ResetVector.nasmb +index d0878e855b3b..ba93d2804f0e 100644 +--- a/OvmfPkg/ResetVector/ResetVector.nasmb ++++ b/OvmfPkg/ResetVector/ResetVector.nasmb +@@ -40,6 +40,10 @@ + %include "Port80Debug.asm" + %elifdef DEBUG_SERIAL + %include "SerialDebug.asm" ++%elif 0 ++; Set ^ this to 1 to enable postcodes on the qemu debug console. ++; Disabled by default because it is incompatible with SEV-ES/SEV-SNP and TDX. ++ %include "QemuDebugCon.asm" + %else + %include "DebugDisabled.asm" + %endif +-- +2.43.0 + diff --git a/0134-OvmfPkg-ResetVector-Define-SNP-metadata-for-kernel-h.patch b/0134-OvmfPkg-ResetVector-Define-SNP-metadata-for-kernel-h.patch new file mode 100644 index 0000000..a91d74f --- /dev/null +++ b/0134-OvmfPkg-ResetVector-Define-SNP-metadata-for-kernel-h.patch 
@@ -0,0 +1,91 @@ +From 494f4be6635413b48255e8c9e9087b76e15aba02 Mon Sep 17 00:00:00 2001 +From: Dov Murik +Date: Mon, 28 Mar 2022 18:11:09 +0000 +Subject: [PATCH 19/31] OvmfPkg/ResetVector: Define SNP metadata for kernel + hashes + +commit 9eec96bd4fc53d7836b5606f2a8bbb10713cc8f5 upstream. + +In order to allow the VMM (such as QEMU) to add a page with hashes of +kernel/initrd/cmdline for measured direct boot on SNP, add it explicitly +to the SNP metadata list report to the VMM. + +In such case, VMM should fill the page with the hashes content, or +explicitly update it as a zero page (if kernel hashes are not used). + +Note that for SNP, the launch secret part of the page (lower 3KB) are +not relevant and will remain zero. The last 1KB is used for the hashes. + +This should have no effect on OvmfPkgX64 targets (which don't define +PcdSevLaunchSecretBase). + +Signed-off-by: Dov Murik +Acked-by: Tom Lendacky +Acked-by: Gerd Hoffmann +Signed-off-by: Jeevan deep J +--- + OvmfPkg/ResetVector/ResetVector.nasmb | 11 ++++++++++- + OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm | 11 +++++++++++ + 2 files changed, 21 insertions(+), 1 deletion(-) + +diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/ResetVector.nasmb +index ba93d2804f0e..d67bbca034be 100644 +--- a/OvmfPkg/ResetVector/ResetVector.nasmb ++++ b/OvmfPkg/ResetVector/ResetVector.nasmb +@@ -69,6 +69,15 @@ + %define SEV_SNP_SECRETS_SIZE (FixedPcdGet32 (PcdOvmfSnpSecretsSize)) + %define CPUID_BASE (FixedPcdGet32 (PcdOvmfCpuidBase)) + %define CPUID_SIZE (FixedPcdGet32 (PcdOvmfCpuidSize)) ++%if (FixedPcdGet32 (PcdSevLaunchSecretBase) > 0) ++ ; There's a reserved page for SEV secrets and hashes; the VMM will fill and ++ ; validate the page, or mark it as a zero page. 
++ %define SEV_SNP_KERNEL_HASHES_BASE (FixedPcdGet32 (PcdSevLaunchSecretBase))
++ %define SEV_SNP_KERNEL_HASHES_SIZE (FixedPcdGet32 (PcdSevLaunchSecretSize) + FixedPcdGet32 (PcdQemuHashTableSize))
++%else
++ %define SEV_SNP_KERNEL_HASHES_BASE 0
++ %define SEV_SNP_KERNEL_HASHES_SIZE 0
++%endif
+ %define SNP_SEC_MEM_BASE_DESC_1 (FixedPcdGet32 (PcdOvmfSecPageTablesBase))
+ %define SNP_SEC_MEM_SIZE_DESC_1 (FixedPcdGet32 (PcdOvmfSecGhcbBase) - SNP_SEC_MEM_BASE_DESC_1)
+ ;
+@@ -80,7 +89,7 @@
+ ;
+ %define SNP_SEC_MEM_BASE_DESC_2 (GHCB_BASE + 0x1000)
+ %define SNP_SEC_MEM_SIZE_DESC_2 (SEV_SNP_SECRETS_BASE - SNP_SEC_MEM_BASE_DESC_2)
+-%define SNP_SEC_MEM_BASE_DESC_3 (CPUID_BASE + CPUID_SIZE)
++%define SNP_SEC_MEM_BASE_DESC_3 (CPUID_BASE + CPUID_SIZE + SEV_SNP_KERNEL_HASHES_SIZE)
+ %define SNP_SEC_MEM_SIZE_DESC_3 (FixedPcdGet32 (PcdOvmfPeiMemFvBase) - SNP_SEC_MEM_BASE_DESC_3)
+ 
+ %ifdef ARCH_X64
+diff --git a/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm b/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm
+index d03fc6d45175..8aa77d870123 100644
+--- a/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm
++++ b/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm
+@@ -26,6 +26,8 @@ BITS 64
+ ;
+ %define OVMF_SECTION_TYPE_CPUID 0x3
+ 
++; Kernel hashes section for measured direct boot
++%define OVMF_SECTION_TYPE_KERNEL_HASHES 0x10
+ 
+ ALIGN 16
+ 
+@@ -65,6 +67,15 @@ CpuidSec:
+ DD CPUID_SIZE
+ DD OVMF_SECTION_TYPE_CPUID
+ 
++%if (SEV_SNP_KERNEL_HASHES_BASE > 0)
++; Kernel hashes for measured direct boot, or zero page if
++; there are no kernel hashes / SEV secrets
++SevSnpKernelHashes:
++ DD SEV_SNP_KERNEL_HASHES_BASE
++ DD SEV_SNP_KERNEL_HASHES_SIZE
++ DD OVMF_SECTION_TYPE_KERNEL_HASHES
++%endif
++
+ ; Region need to be pre-validated by the hypervisor
+ PreValidate3:
+ DD SNP_SEC_MEM_BASE_DESC_3
+-- 
+2.43.0
+ 
diff --git a/0135-OvmfPkg-Don-t-make-APIC-MMIO-accesses-with-encryptio.patch b/0135-OvmfPkg-Don-t-make-APIC-MMIO-accesses-with-encryptio.patch
new file mode 100644
index 0000000..355e46c 
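Review bot: The new `SNP_SEC_MEM_BASE_DESC_3 (CPUID_BASE + CPUID_SIZE + SEV_SNP_KERNEL_HASHES_SIZE)` assumes the kernel-hashes page sits immediately after the CPUID page, but nothing in the hunk checks that `SEV_SNP_KERNEL_HASHES_BASE` actually equals `CPUID_BASE + CPUID_SIZE`. If a platform FDF were to place `PcdSevLaunchSecretBase` elsewhere, the PreValidate3 region would presumably either leave out a page that needs pre-validation or cover the hashes page twice (it is also reported as its own `OVMF_SECTION_TYPE_KERNEL_HASHES` section), and the VMM's view of which pages it fills versus pre-validates would drift from the firmware's. A build-time guard inside the `%if` branch makes the layout assumption explicit and fails the build instead of producing inconsistent metadata: `%if (SEV_SNP_KERNEL_HASHES_BASE != (CPUID_BASE + CPUID_SIZE))`, `%error "SEV kernel hashes page must directly follow the CPUID page"`, `%endif`.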
--- /dev/null +++ b/0135-OvmfPkg-Don-t-make-APIC-MMIO-accesses-with-encryptio.patch 
@@ -0,0 +1,298 @@ +From ecb3e0880ca8e6de687d4161a1e02a1decd762b8 Mon Sep 17 00:00:00 2001 +From: Michael Roth +Date: Thu, 2 May 2024 13:49:26 +0200 +Subject: [PATCH 20/31] OvmfPkg: Don't make APIC MMIO accesses with encryption + bit set + +commit f0ed194236b1fe55199ee82c014b70119ee3f227 upstream + +For the most part, OVMF will clear the encryption bit for MMIO regions, +but there is currently one known exception during SEC when the APIC +base address is accessed via MMIO with the encryption bit set for +SEV-ES/SEV-SNP guests. In the case of SEV-SNP, this requires special +handling on the hypervisor side which may not be available in the +future[1], so make the necessary changes in the SEC-configured page +table to clear the encryption bit for 4K region containing the APIC +base address. + +[1] https://lore.kernel.org/lkml/20240208002420.34mvemnzrwwsaesw@amd.com/#t + +[Backport Changes] + +1) In the upstream code of `OvmfPkg/AmdSev/AmdSevX64.fdf`, the base address +for the PCD token `PcdOvmfSecApicPageTableBase` is `0x011000` with a block +size of `0x001000`. However, this base address is already occupied by the +PCD token `PcdCsvDefaultSecureCallBase`, introduced as part of CSV +support for Hygon VMs in Euler edk2. To resolve this conflict, the next +available base address `0x014000` with the same block size was assigned. +This change ensures proper allocation while maintaining compatibility +with both upstream and CSV-specific implementations. + +2) In the upstream code of `OvmfPkg/OvmfPkgX64.fdf`, the base address +for the PCD token `PcdOvmfSecApicPageTableBase` is `0x011000` with a +block size of `0x001000`. However, this base address is already occupied +by the PCD token `PcdOvmfCsvCpuidBase`, introduced as part of CSV support +for Hygon VMs in Euler edk2. To resolve this conflict, the next available +base address `0x013000` with the same block size was assigned. 
This change +ensures proper allocation while maintaining compatibility with both +upstream and CSV-specific implementations. + +3) In the upstream code of `OvmfPkg/OvmfPkg.dec`, PCD tokens +`PcdOvmfSecApicPageTableBase` and `PcdOvmfSecApicPageTableSize` are +assigned with token numbers `0x72` and `0x73`, respectively. However, +these token numbers are already occupied in the Euler edk2 by PCD tokens +`PcdOvmfCsvCpuidBase` and `PcdOvmfCsvCpuidSize`, introduced as part of CSV +support for Hygon VMs. To resolve this conflict, using the next available +tokens `0x76` and `0x77` respectively for PCD tokens +`PcdOvmfSecApicPageTableBase` and `PcdOvmfSecApicPageTableSize`. +This ensures proper allocation while maintaining compatibility with both +upstream and Euler-specific CSV implementations. + +Suggested-by: Tom Lendacky +Cc: Ard Biesheuvel +Cc: Gerd Hoffmann +Cc: Erdem Aktas +Cc: Jiewen Yao +Cc: Min Xu +Cc: Tom Lendacky +Cc: Jianyong Wu +Cc: Anatol Belski +Signed-off-by: Michael Roth +Reviewed-by: Gerd Hoffmann +Signed-off-by: Jeevan deep J +--- + OvmfPkg/AmdSev/AmdSevX64.fdf | 5 ++- + OvmfPkg/Bhyve/BhyveX64.dsc | 1 + + OvmfPkg/CloudHv/CloudHvX64.fdf | 5 ++- + OvmfPkg/Microvm/MicrovmX64.fdf | 3 ++ + OvmfPkg/OvmfPkg.dec | 5 +++ + OvmfPkg/OvmfPkgX64.fdf | 5 ++- + OvmfPkg/Sec/AmdSev.c | 58 ++++++++++++++++++++++++++++++++++ + OvmfPkg/Sec/AmdSev.h | 14 ++++++++ + OvmfPkg/Sec/SecMain.c | 1 + + OvmfPkg/Sec/SecMain.inf | 3 ++ + 10 files changed, 97 insertions(+), 3 deletions(-) + +diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf +index b9e62697b5fb..2520c5ddedf0 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.fdf ++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf +@@ -83,7 +83,10 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCsvCpuidBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvm + 0x013000|0x001000 + gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusBase|gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusSize + +-0x014000|0x00C000 ++0x014000|0x001000 
++gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecApicPageTableBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecApicPageTableSize
++
++0x015000|0x00B000
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
+ 
+ 0x020000|0x0E0000
+diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc
+index f313c430f425..f493a0aa32a9 100644
+--- a/OvmfPkg/Bhyve/BhyveX64.dsc
++++ b/OvmfPkg/Bhyve/BhyveX64.dsc
+@@ -173,6 +173,7 @@
+ MemEncryptTdxLib|OvmfPkg/Library/BaseMemEncryptTdxLib/BaseMemEncryptTdxLib.inf
+ PeiHardwareInfoLib|OvmfPkg/Library/HardwareInfoLib/PeiHardwareInfoLib.inf
+ DxeHardwareInfoLib|OvmfPkg/Library/HardwareInfoLib/DxeHardwareInfoLib.inf
++ CpuPageTableLib|UefiCpuPkg/Library/CpuPageTableLib/CpuPageTableLib.inf
+ 
+ CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf
+ FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf
+diff --git a/OvmfPkg/CloudHv/CloudHvX64.fdf b/OvmfPkg/CloudHv/CloudHvX64.fdf
+index eac6557e6b74..507fda2ab897 100644
+--- a/OvmfPkg/CloudHv/CloudHvX64.fdf
++++ b/OvmfPkg/CloudHv/CloudHvX64.fdf
+@@ -76,7 +76,10 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCp
+ 0x00F000|0x001000
+ gUefiOvmfPkgTokenSpaceGuid.PcdXenPvhStartOfDayStructPtr|gUefiOvmfPkgTokenSpaceGuid.PcdXenPvhStartOfDayStructPtrSize
+ 
+-0x010000|0x010000
++0x010000|0x001000
++gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecApicPageTableBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecApicPageTableSize
++
++0x011000|0x00F000
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
+ 
+ 0x020000|0x0E0000
+diff --git a/OvmfPkg/Microvm/MicrovmX64.fdf b/OvmfPkg/Microvm/MicrovmX64.fdf
+index a9b6618ca811..ae980c7ad297 100644
+--- a/OvmfPkg/Microvm/MicrovmX64.fdf
++++ b/OvmfPkg/Microvm/MicrovmX64.fdf
+@@ -62,6 +62,9 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvm
+ 0x00C000|0x001000
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupSize
+ 
++0x00D000|0x001000
++gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecApicPageTableBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecApicPageTableSize
++
+ 0x010000|0x010000
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
+ 
+diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
+index 232e6b11a905..1ba05f25dc22 100644
+--- a/OvmfPkg/OvmfPkg.dec
++++ b/OvmfPkg/OvmfPkg.dec
+@@ -375,6 +375,11 @@
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase|0|UINT32|0x44
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupSize|0|UINT32|0x45
+ 
++ ## Specify the extra page table needed to mark the APIC MMIO range as unencrypted.
++ # The value should be a multiple of 4KB for each.
++ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecApicPageTableBase|0x0|UINT32|0x76
++ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecApicPageTableSize|0x0|UINT32|0x77
++
+ ## The base address and size of the SEV Launch Secret Area provisioned
+ # after remote attestation. If this is set in the .fdf, the platform
+ # is responsible for protecting the area from DXE phase overwrites.
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index a72a906f3357..d8400061f245 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
++++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -103,7 +103,10 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCsvCpuidBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvm
+ 0x012000|0x001000
+ gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusBase|gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusSize
+ 
+-0x013000|0x00D000
++0x013000|0x001000
++gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecApicPageTableBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecApicPageTableSize
++
++0x014000|0x00C000
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
+ 
+ 0x020000|0x0E0000
+diff --git a/OvmfPkg/Sec/AmdSev.c b/OvmfPkg/Sec/AmdSev.c
+index 520b1251321b..89fba2fd18ca 100644
+--- a/OvmfPkg/Sec/AmdSev.c
++++ b/OvmfPkg/Sec/AmdSev.c
+@@ -8,7 +8,10 @@
+ **/
+ 
+ #include
++#include
++#include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -301,3 +304,58 @@ SecValidateSystemRam (
+ MemEncryptSevSnpPreValidateSystemRam (Start, EFI_SIZE_TO_PAGES ((UINTN)(End - Start)));
+ }
+ }
++
++/**
++ Map known MMIO regions unencrypted if SEV-ES is active.
++
++ During early booting, page table entries default to having the encryption bit
++ set for SEV-ES/SEV-SNP guests. In cases where there is MMIO to an address, the
++ encryption bit should be cleared. Clear it here for any known MMIO accesses
++ during SEC, which is currently just the APIC base address.
++
++**/
++VOID
++SecMapApicBaseUnencrypted (
++ VOID
++ )
++{
++ PHYSICAL_ADDRESS Cr3;
++ UINT64 ApicAddress;
++ VOID *Buffer;
++ UINTN BufferSize;
++ IA32_MAP_ATTRIBUTE MapAttribute;
++ IA32_MAP_ATTRIBUTE MapMask;
++ RETURN_STATUS Status;
++
++ if (!SevEsIsEnabled ()) {
++ return;
++ }
++
++ ApicAddress = (UINT64)GetLocalApicBaseAddress ();
++ Buffer = (VOID *)(UINTN)FixedPcdGet32 (PcdOvmfSecApicPageTableBase);
++ Cr3 = AsmReadCr3 ();
++
++ MapAttribute.Uint64 = ApicAddress;
++ MapAttribute.Bits.Present = 1;
++ MapAttribute.Bits.ReadWrite = 1;
++ MapMask.Uint64 = MAX_UINT64;
++ BufferSize = SIZE_4KB;
++
++ Status = PageTableMap (
++ (UINTN *)&Cr3,
++ Paging4Level,
++ Buffer,
++ &BufferSize,
++ ApicAddress,
++ SIZE_4KB,
++ &MapAttribute,
++ &MapMask,
++ NULL
++ );
++ if (RETURN_ERROR (Status)) {
++ DEBUG ((DEBUG_ERROR, "Failed to map APIC MMIO region as unencrypted: %d\n", Status));
++ ASSERT (FALSE);
++ }
++
++ CpuFlushTlb ();
++}
+diff --git a/OvmfPkg/Sec/AmdSev.h b/OvmfPkg/Sec/AmdSev.h
+index f75877096e11..c5ab0d5a0b5a 100644
+--- a/OvmfPkg/Sec/AmdSev.h
++++ b/OvmfPkg/Sec/AmdSev.h
+@@ -91,4 +91,18 @@ SevSnpIsEnabled (
+ VOID
+ );
+ 
++/**
++ Map MMIO regions unencrypted if SEV-ES is active.
++
++ During early booting, page table entries default to having the encryption bit
++ set for SEV-ES/SEV-SNP guests. In cases where there is MMIO to an address, the
++ encryption bit should be cleared. Clear it here for any known MMIO accesses
++ during SEC, which is currently just the APIC base address.
++
++**/
++VOID
++SecMapApicBaseUnencrypted (
++ VOID
++ );
++
+ #endif
+diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c
+index 31da5d0ace51..f3ea0e42dc44 100644
+--- a/OvmfPkg/Sec/SecMain.c
++++ b/OvmfPkg/Sec/SecMain.c
+@@ -939,6 +939,7 @@ SecCoreStartupWithStack (
+ // interrupts before initializing the Debug Agent and the debug timer is
+ // enabled.
+ //
++ SecMapApicBaseUnencrypted ();
+ InitializeApicTimer (0, MAX_UINT32, TRUE, 5);
+ DisableApicTimerInterrupt ();
+ 
+diff --git a/OvmfPkg/Sec/SecMain.inf b/OvmfPkg/Sec/SecMain.inf
+index 3c47a664a95d..d90ebce531b6 100644
+--- a/OvmfPkg/Sec/SecMain.inf
++++ b/OvmfPkg/Sec/SecMain.inf
+@@ -55,6 +55,7 @@
+ MemEncryptSevLib
+ CpuExceptionHandlerLib
+ CcProbeLib
++ CpuPageTableLib
+ 
+ [Ppis]
+ gEfiTemporaryRamSupportPpiGuid # PPI ALWAYS_PRODUCED
+@@ -83,6 +84,8 @@
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase
+ gUefiOvmfPkgTokenSpaceGuid.PcdTdxAcceptPageSize
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase
++ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecApicPageTableBase
++ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecApicPageTableSize
+ 
+ [FeaturePcd]
+ gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire
+-- 
+2.43.0
+ 
diff --git a/0136-OvmfPkg-CcExitLib-Drop-special-handling-for-Encrypte.patch b/0136-OvmfPkg-CcExitLib-Drop-special-handling-for-Encrypte.patch
new file mode 100644
index 0000000..a7e6a3f
--- /dev/null
+++ b/0136-OvmfPkg-CcExitLib-Drop-special-handling-for-Encrypte.patch
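Review bot: In `SecMapApicBaseUnencrypted` the scratch page-table buffer is sized with a literal, `BufferSize = SIZE_4KB;`, while every FDF hunk and SecMain.inf describe the reservation through `PcdOvmfSecApicPageTableSize`; `BufferSize = FixedPcdGet32 (PcdOvmfSecApicPageTableSize);` keeps the code and the flash layout in agreement and lets `PageTableMap` report a reservation that is too small for the entries it has to add. `Buffer` is also never checked: the .dec hunk defaults `PcdOvmfSecApicPageTableBase` to `0x0`, so an SEV-ES-capable platform whose FDF omits the page would hand `PageTableMap` a NULL buffer — `ASSERT (Buffer != NULL);` before the call (or a build-time check on the PCD) makes that misconfiguration loud at the point of cause. On the failure path `%d` is not the EDK2 format for `RETURN_STATUS` (`%r` is), and because `ASSERT` compiles out in RELEASE the function flushes the TLB and returns with the APIC page still encrypted, which the following patch turns into a rejected MMIO access in `ValidateMmioMemory` once the APIC exception is dropped — `CpuDeadLoop ()` after the assert would fail here instead of later and less clearly. `Paging4Level` is passed unconditionally; if this tree's ResetVector can build 5-level SEC page tables, the mode should be derived from CR4.LA57 rather than hard-coded — worth confirming.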
@@ -0,0 +1,62 @@ +From a029f36a6b605feda28500a409bb736c3f9def8c Mon Sep 17 00:00:00 2001 +From: Michael Roth +Date: Thu, 2 May 2024 13:49:29 +0200 +Subject: [PATCH 21/31] OvmfPkg/CcExitLib: Drop special handling for Encrypted + MMIO to APIC + +commit fecf55a66a1cf908c2f906bedb79fe2e8362d50f upstream + +The current #VC handler guards against MMIO to addresses that are mapped +with the encryption bit set, but has an special exception for MMIO +accesses to the APIC base address so allow for early access during SEC. + +Now that the SEC page table has the encryption bit cleared for the APIC +base address range, there is no longer any need for this special +handling. Go ahead and remove it. + +Cc: Ard Biesheuvel +Cc: Gerd Hoffmann +Cc: Erdem Aktas +Cc: Jiewen Yao +Cc: Min Xu +Cc: Tom Lendacky +Signed-off-by: Michael Roth +Reviewed-by: Gerd Hoffmann +Signed-off-by: Jeevan deep J +--- + OvmfPkg/Library/CcExitLib/CcExitVcHandler.c | 12 +----------- + 1 file changed, 1 insertion(+), 11 deletions(-) + +diff --git a/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c b/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c +index 5c9a90856e85..cb8aee2e937e 100644 +--- a/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c ++++ b/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c +@@ -97,7 +97,7 @@ UnsupportedExit ( + Validate that the MMIO memory access is not to encrypted memory. + + Examine the pagetable entry for the memory specified. MMIO should not be +- performed against encrypted memory. MMIO to the APIC page is always allowed. ++ performed against encrypted memory. + + @param[in] Ghcb Pointer to the Guest-Hypervisor Communication Block + @param[in] MemoryAddress Memory address to validate +@@ -117,16 +117,6 @@ ValidateMmioMemory ( + { + MEM_ENCRYPT_SEV_ADDRESS_RANGE_STATE State; + GHCB_EVENT_INJECTION GpEvent; +- UINTN Address; +- +- // +- // Allow APIC accesses (which will have the encryption bit set during +- // SEC and PEI phases). 
+- // +- Address = MemoryAddress & ~(SIZE_4KB - 1); +- if (Address == GetLocalApicBaseAddress ()) { +- return 0; +- } + + State = MemEncryptSevGetAddressRangeState ( + 0, +-- +2.43.0 + diff --git a/0137-OvmfPkg-add-ShellLibs.dsc.inc.patch b/0137-OvmfPkg-add-ShellLibs.dsc.inc.patch new file mode 100644 index 0000000..fffafc2 --- /dev/null +++ b/0137-OvmfPkg-add-ShellLibs.dsc.inc.patch 
@@ -0,0 +1,62 @@ +From ec3408a73d76d47f1b6444308a1b7ca3329944ff Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Thu, 22 Feb 2024 11:13:48 +0100 +Subject: [PATCH 22/31] OvmfPkg: add ShellLibs.dsc.inc + +commit efca2c6cfc9f3d87a38a3eb3f89adbe06bef13d3 upstream. + +Move EFI Shell libraries from OvmfPkgX64.dsc to +the new ShellComponents.dsc.inc include file. + +Signed-off-by: Gerd Hoffmann +Reviewed-by: Laszlo Ersek +Acked-by: Jiewen Yao +Message-Id: <20240222101358.67818-3-kraxel@redhat.com> +Signed-off-by: Jeevan deep J +--- + OvmfPkg/Include/Dsc/ShellLibs.dsc.inc | 10 ++++++++++ + OvmfPkg/OvmfPkgX64.dsc | 4 +--- + 2 files changed, 11 insertions(+), 3 deletions(-) + create mode 100644 OvmfPkg/Include/Dsc/ShellLibs.dsc.inc + +diff --git a/OvmfPkg/Include/Dsc/ShellLibs.dsc.inc b/OvmfPkg/Include/Dsc/ShellLibs.dsc.inc +new file mode 100644 +index 000000000000..f4551ec84aeb +--- /dev/null ++++ b/OvmfPkg/Include/Dsc/ShellLibs.dsc.inc +@@ -0,0 +1,10 @@ ++## ++# SPDX-License-Identifier: BSD-2-Clause-Patent ++## ++ ++!if $(BUILD_SHELL) == TRUE ++ ++[LibraryClasses] ++ ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf ++ ++!endif +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index 290c22c68816..e66821a6d2c2 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -258,9 +258,6 @@ + TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf + !endif + +-!if $(BUILD_SHELL) == TRUE +- ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf +-!endif + ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf + + S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf +@@ -268,6 +265,7 @@ + OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf + + !include OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc ++!include OvmfPkg/Include/Dsc/ShellLibs.dsc.inc + + [LibraryClasses.common] + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf +-- +2.43.0 + 
diff --git a/0138-OvmfPkg-Add-varpolicy-shell-command.patch b/0138-OvmfPkg-Add-varpolicy-shell-command.patch new file mode 100644 index 0000000..1ef7971 --- /dev/null +++ b/0138-OvmfPkg-Add-varpolicy-shell-command.patch 
@@ -0,0 +1,137 @@
+From 3db033fc85d472692a53c4fa448d38ee6a1db515 Mon Sep 17 00:00:00 2001
+From: Michael Kubacki
+Date: Mon, 30 Oct 2023 16:31:11 -0400
+Subject: [PATCH 23/31] OvmfPkg: Add varpolicy shell command
+
+commit fe6cd1c1872132160ddd156c963e1a568d098225 upstream.
+
+Adds the varpolicy EFI shell command to all DSC files that
+currently include other dynamic shell commands from ShellPkg.
+
+This command allows variable policies to be dumped in the EFI
+shell for convenient auditing and debug.
+
+Use the command in QEMU EFI shell as follows:
+
+- `"varpolicy"` dumps platform variables
+- `"varpolicy -?"` shows help text
+- `"varpolicy -b"` pages output as expected
+- `"varpolicy -s"` shows accurate variable statistic information
+- `"varpolicy -p"` shows accurate UEFI variable policy information
+- `"varpolicy-v -b"` dumps all information including variable data hex dump
+
+Cc: Anatol Belski
+Cc: Anthony Perard
+Cc: Gerd Hoffmann
+Cc: Jianyong Wu
+Cc: Jiewen Yao
+Cc: Jordan Justen
+Cc: Julien Grall
+Signed-off-by: Michael Kubacki
+Acked-by: Jiewen Yao
+Reviewed-by: Ard Biesheuvel
+Reviewed-by: Michael D Kinney
+Message-Id: <20231030203112.736-4-mikuback@linux.microsoft.com>
+Signed-off-by: Jeevan deep J
+---
+ OvmfPkg/CloudHv/CloudHvX64.dsc | 4 ++++
+ OvmfPkg/Microvm/MicrovmX64.dsc | 4 ++++
+ OvmfPkg/OvmfPkgIa32.dsc | 4 ++++
+ OvmfPkg/OvmfPkgIa32X64.dsc | 4 ++++
+ OvmfPkg/OvmfPkgX64.dsc | 4 ++++
+ OvmfPkg/OvmfXen.dsc | 4 ++++
+ 6 files changed, 24 insertions(+)
+
+diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc b/OvmfPkg/CloudHv/CloudHvX64.dsc
+index 65fdf4aed73d..275bdbd96f32 100644
+--- a/OvmfPkg/CloudHv/CloudHvX64.dsc
++++ b/OvmfPkg/CloudHv/CloudHvX64.dsc
+@@ -836,6 +836,10 @@
+
+ gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+ }
++ ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf {
++
++ gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
++ }
+ OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {
+
+ gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc
+index 93bb96d763bb..98a35ed162f9 100644
+--- a/OvmfPkg/Microvm/MicrovmX64.dsc
++++ b/OvmfPkg/Microvm/MicrovmX64.dsc
+@@ -848,6 +848,10 @@
+
+ gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+ }
++ ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf {
++
++ gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
++ }
+ OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {
+
+ gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index 1582e2b8b6cf..2d7f652fc325 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -916,6 +916,10 @@
+
+ gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+ }
++ ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf {
++
++ gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
++ }
+ OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {
+
+ gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index 3d37a05cbea0..3791a4d0f8af 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -934,6 +934,10 @@
+
+ gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+ }
++ ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf {
++
++ gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
++ }
+ OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {
+
+ gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index e66821a6d2c2..65e394b5b9aa 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -999,6 +999,10 @@
+
+ gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+ }
++ ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf {
++
++ gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
++ }
+ OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {
+
+ gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc
+index a748e4d58e21..1059c5646fe2 100644
+--- a/OvmfPkg/OvmfXen.dsc
++++ b/OvmfPkg/OvmfXen.dsc
+@@ -721,6 +721,10 @@
+
+ gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+ }
++ ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf {
++
++ gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
++ }
+ OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {
+
+ gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+--
+2.43.0
+
diff --git a/0139-OvmfPkg-exclude-the-CSM-based-VideoDxe-driver.patch b/0139-OvmfPkg-exclude-the-CSM-based-VideoDxe-driver.patch
new file mode 100644
index 0000000..ac876da
--- /dev/null
+++ b/0139-OvmfPkg-exclude-the-CSM-based-VideoDxe-driver.patch
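Review bot: VariablePolicyDynamicCommand.inf is added only to the [Components] sections of the six DSC files; no hunk in this patch touches the matching .fdf files, so as far as this series shows the module is compiled but never placed into the DXE firmware volume, and the `varpolicy` command the description advertises would not be present in the shell. The later 0143 hunk (ShellDxe.fdf.inc) likewise lists only the Tftp, Http and LinuxInitrd dynamic commands. Unless another patch in the series adds it, each platform FDF needs `INF ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf` next to its LinuxInitrdDynamicShellCommand.inf entry. The usage line `"varpolicy-v -b"` in the description also appears to be missing the space before `-v`.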
@@ -0,0 +1,290 @@
+From 75fc2386d7ee1b91b1d6b4622be635049c35132e Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek
+Date: Sat, 11 Nov 2023 00:57:51 +0100
+Subject: [PATCH 24/31] OvmfPkg: exclude the CSM-based VideoDxe driver
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit ac79397267fe3b9e010549ace38a1e4c8c360d54 upstream.
+
+The CSM-based VideoDxe driver is a special UEFI_DRIVER module that both
+follows and doesn't follow the UEFI driver model.
+
+Namely, in the Supported and Start members of its Driver Binding Protocol
+instance, it consumes the Legacy Bios Protocol directly from the UEFI
+protocol database, as opposed to (only) opening protocols on the handle
+that it is supposed to bind.
+
+Furthermore, the driver "marks" its own image handle with the
+NULL-interface "Legacy Bios" (pseudo-protocol) GUID, in order to "inform
+back" the provider of the Legacy Bios Protocol, i.e., LegacyBiosDxe, that
+VideoDxe is a "BIOS Thunk Driver" in the system.
+
+Quoting "OvmfPkg/Csm/Include/Guid/LegacyBios.h", such a driver follows the
+UEFI Driver Model, but still uses the Int86() or FarCall() services of the
+Legacy Bios Protocol as the basis for the UEFI protocol it produces.
+
+In a sense, there is a circular dependency between VideoDxe and
+LegacyBiosDxe; each knows about the other. However, VideoDxe is a
+UEFI_DRIVER, while LegacyBiosDxe is a platform DXE_DRIVER with a very long
+DEPEX. Therefore, for keeping dependencies conceptually intact, first
+exclude VideoDxe from the OVMF platforms. Always include the
+hypervisor-specific real UEFI video driver.
+
+--*--
+
+Note that the pathname
+"IntelFrameworkModulePkg/Csm/BiosThunk/VideoDxe/VideoDxe.inf" in the bhyve
+platform DSC and FDF files is bogus anyway.
+
+Cc: Anthony Perard
+Cc: Ard Biesheuvel
+Cc: Corvin Köhne
+Cc: Gerd Hoffmann
+Cc: Jiewen Yao
+Cc: Rebecca Cran
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=4588
+Signed-off-by: Laszlo Ersek
+Message-Id: <20231110235820.644381-9-lersek@redhat.com>
+Reviewed-by: Jiewen Yao
+Reviewed-by: Ard Biesheuvel
+Acked-by: Corvin Köhne
+Acked-by: Gerd Hoffmann
+Signed-off-by: Jeevan deep J
+---
+ OvmfPkg/Bhyve/BhyveRfbDxe/GopDriver.c | 2 --
+ OvmfPkg/Bhyve/BhyveX64.dsc | 6 ------
+ OvmfPkg/Bhyve/BhyveX64.fdf | 3 ---
+ OvmfPkg/IntelTdx/IntelTdxX64.dsc | 2 --
+ OvmfPkg/OvmfPkgIa32.dsc | 6 ------
+ OvmfPkg/OvmfPkgIa32.fdf | 4 +---
+ OvmfPkg/OvmfPkgIa32X64.dsc | 6 ------
+ OvmfPkg/OvmfPkgIa32X64.fdf | 4 +---
+ OvmfPkg/OvmfPkgX64.dsc | 6 ------
+ OvmfPkg/OvmfPkgX64.fdf | 4 +---
+ OvmfPkg/OvmfXen.dsc | 4 ----
+ OvmfPkg/OvmfXen.fdf | 1 -
+ 12 files changed, 3 insertions(+), 45 deletions(-)
+
+diff --git a/OvmfPkg/Bhyve/BhyveRfbDxe/GopDriver.c b/OvmfPkg/Bhyve/BhyveRfbDxe/GopDriver.c
+index bd8a0d804b6b..8291601cb6da 100644
+--- a/OvmfPkg/Bhyve/BhyveRfbDxe/GopDriver.c
++++ b/OvmfPkg/Bhyve/BhyveRfbDxe/GopDriver.c
+@@ -302,9 +302,7 @@ EmuGopDriverBindingStart (
+ //
+ // Install int10 handler
+ //
+- #ifndef CSM_ENABLE
+ InstallVbeShim (L"Framebuffer", Private->FbAddr);
+- #endif
+
+ Done:
+ if (EFI_ERROR (Status)) {
+diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc
+index f493a0aa32a9..232a5452bbd4 100644
+--- a/OvmfPkg/Bhyve/BhyveX64.dsc
++++ b/OvmfPkg/Bhyve/BhyveX64.dsc
+@@ -768,12 +768,6 @@
+ MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
+ MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
+-!ifdef $(CSM_ENABLE)
+- IntelFrameworkModulePkg/Csm/BiosThunk/VideoDxe/VideoDxe.inf {
+-
+- PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
+- }
+-!endif
+ # OvmfPkg/Csm/LegacyBiosDxe/LegacyBiosDxe.inf
+ !ifdef $(CSM_ENABLE)
+ OvmfPkg/Bhyve/Csm/BhyveCsm16/BhyveCsm16.inf
+diff --git a/OvmfPkg/Bhyve/BhyveX64.fdf b/OvmfPkg/Bhyve/BhyveX64.fdf
+index 157c85ab483c..7cab821e7c8f 100644
+--- a/OvmfPkg/Bhyve/BhyveX64.fdf
++++ b/OvmfPkg/Bhyve/BhyveX64.fdf
+@@ -295,9 +295,6 @@ INF MdeModulePkg/Bus/Usb/UsbBusDxe/UsbBusDxe.inf
+ INF MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
+ INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
+-!ifdef $(CSM_ENABLE)
+-INF IntelFrameworkModulePkg/Csm/BiosThunk/VideoDxe/VideoDxe.inf
+-!endif
+ #INF OvmfPkg/Csm/LegacyBiosDxe/LegacyBiosDxe.inf
+ !ifdef $(CSM_ENABLE)
+ INF RuleOverride=CSM OvmfPkg/Bhyve/Csm/BhyveCsm16/BhyveCsm16.inf
+diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
+index 3c76682dda2d..6f13228c1239 100644
+--- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc
++++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
+@@ -684,9 +684,7 @@
+ MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+ MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+
+-!ifndef $(CSM_ENABLE)
+ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+-!endif
+ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+ OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index 2d7f652fc325..d38583e6a970 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -849,9 +849,7 @@
+ MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+ MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+
+-!ifndef $(CSM_ENABLE)
+ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+-!endif
+ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+ OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+
+@@ -899,10 +897,6 @@
+ MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
+ !ifdef $(CSM_ENABLE)
+- OvmfPkg/Csm/BiosThunk/VideoDxe/VideoDxe.inf {
+-
+- PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
+- }
+ OvmfPkg/Csm/LegacyBiosDxe/LegacyBiosDxe.inf
+ OvmfPkg/Csm/Csm16/Csm16.inf
+ !endif
+diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index 41f7c5ceafc4..79f2bec797ea 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
++++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -326,13 +326,11 @@ INF MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
+ INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
+ !ifdef $(CSM_ENABLE)
+-INF OvmfPkg/Csm/BiosThunk/VideoDxe/VideoDxe.inf
+ INF OvmfPkg/Csm/LegacyBiosDxe/LegacyBiosDxe.inf
+ INF RuleOverride=CSM OvmfPkg/Csm/Csm16/Csm16.inf
+-!else
+-INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+ !endif
+
++INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+ INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+ INF OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+ INF OvmfPkg/PlatformDxe/Platform.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index 3791a4d0f8af..0a9fb8ae90a5 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -867,9 +867,7 @@
+ MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+ MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+
+-!ifndef $(CSM_ENABLE)
+ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+-!endif
+ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+ OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+
+@@ -917,10 +915,6 @@
+ MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
+ !ifdef $(CSM_ENABLE)
+- OvmfPkg/Csm/BiosThunk/VideoDxe/VideoDxe.inf {
+-
+- PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
+- }
+ OvmfPkg/Csm/LegacyBiosDxe/LegacyBiosDxe.inf
+ OvmfPkg/Csm/Csm16/Csm16.inf
+ !endif
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index 75f58a2bdf2c..57b458ba3dea 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
++++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -332,13 +332,11 @@ INF MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
+ INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
+ !ifdef $(CSM_ENABLE)
+-INF OvmfPkg/Csm/BiosThunk/VideoDxe/VideoDxe.inf
+ INF OvmfPkg/Csm/LegacyBiosDxe/LegacyBiosDxe.inf
+ INF RuleOverride=CSM OvmfPkg/Csm/Csm16/Csm16.inf
+-!else
+-INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+ !endif
+
++INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+ INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+ INF OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+ INF OvmfPkg/PlatformDxe/Platform.inf
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 65e394b5b9aa..f233b6b223dc 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -932,9 +932,7 @@
+ MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+ MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+
+-!ifndef $(CSM_ENABLE)
+ OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+-!endif
+ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+ OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+
+@@ -982,10 +980,6 @@
+ MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
+ !ifdef $(CSM_ENABLE)
+- OvmfPkg/Csm/BiosThunk/VideoDxe/VideoDxe.inf {
+-
+- PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
+- }
+ OvmfPkg/Csm/LegacyBiosDxe/LegacyBiosDxe.inf
+ OvmfPkg/Csm/Csm16/Csm16.inf
+ !endif
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index d8400061f245..3b7c48415f82 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
++++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -371,13 +371,11 @@ INF MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
+ INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
+ !ifdef $(CSM_ENABLE)
+-INF OvmfPkg/Csm/BiosThunk/VideoDxe/VideoDxe.inf
+ INF OvmfPkg/Csm/LegacyBiosDxe/LegacyBiosDxe.inf
+ INF RuleOverride=CSM OvmfPkg/Csm/Csm16/Csm16.inf
+-!else
+-INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+ !endif
+
++INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+ INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+ INF OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+ INF OvmfPkg/PlatformDxe/Platform.inf
+diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc
+index 1059c5646fe2..2848981459c3 100644
+--- a/OvmfPkg/OvmfXen.dsc
++++ b/OvmfPkg/OvmfXen.dsc
+@@ -704,10 +704,6 @@
+ MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
+ !ifdef $(CSM_ENABLE)
+- OvmfPkg/Csm/BiosThunk/VideoDxe/VideoDxe.inf {
+-
+- PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
+- }
+ OvmfPkg/Csm/LegacyBiosDxe/LegacyBiosDxe.inf
+ OvmfPkg/Csm/Csm16/Csm16.inf
+ !endif
+diff --git a/OvmfPkg/OvmfXen.fdf b/OvmfPkg/OvmfXen.fdf
+index cf3d63c8a68b..eb537f44a462 100644
+--- a/OvmfPkg/OvmfXen.fdf
++++ b/OvmfPkg/OvmfXen.fdf
+@@ -335,7 +335,6 @@ INF MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
+ INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
+ !ifdef $(CSM_ENABLE)
+-INF OvmfPkg/Csm/BiosThunk/VideoDxe/VideoDxe.inf
+ INF OvmfPkg/Csm/LegacyBiosDxe/LegacyBiosDxe.inf
+ INF RuleOverride=CSM OvmfPkg/Csm/Csm16/Csm16.inf
+ !endif
+--
+2.43.0
+
diff --git a/0140-OvmfPkg-exclude-LegacyBiosDxe.patch b/0140-OvmfPkg-exclude-LegacyBiosDxe.patch
new file mode 100644
index 0000000..58e3f83
--- /dev/null
+++ b/0140-OvmfPkg-exclude-LegacyBiosDxe.patch
@@ -0,0 +1,166 @@
+From 4d1814458ca8d3aa14d623e25616dfcaca69cd96 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek
+Date: Sat, 11 Nov 2023 00:57:55 +0100
+Subject: [PATCH 25/31] OvmfPkg: exclude LegacyBiosDxe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 934b7f5a730f69ee59144ffc264347956411c9bf upstream.
+
+LegacyBiosDxe is the core CSM driver. It procudes
+gEfiLegacyBiosProtocolGuid, on top of several smaller, more foundational
+legacy BIOS protocols, whose drivers we've not excluded yet. In the course
+of tearing down CSM support in (reverse) dependency order, exclude
+LegacyBiosDxe at this point.
+
+Cc: Anthony Perard
+Cc: Ard Biesheuvel
+Cc: Corvin Köhne
+Cc: Gerd Hoffmann
+Cc: Jiewen Yao
+Cc: Rebecca Cran
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=4588
+Signed-off-by: Laszlo Ersek
+Message-Id: <20231110235820.644381-13-lersek@redhat.com>
+Reviewed-by: Jiewen Yao
+Reviewed-by: Ard Biesheuvel
+Acked-by: Corvin Köhne
+Acked-by: Gerd Hoffmann
+Signed-off-by: Jeevan deep J
+---
+ OvmfPkg/Bhyve/BhyveX64.dsc | 1 -
+ OvmfPkg/Bhyve/BhyveX64.fdf | 1 -
+ OvmfPkg/OvmfPkgIa32.dsc | 1 -
+ OvmfPkg/OvmfPkgIa32.fdf | 1 -
+ OvmfPkg/OvmfPkgIa32X64.dsc | 1 -
+ OvmfPkg/OvmfPkgIa32X64.fdf | 1 -
+ OvmfPkg/OvmfPkgX64.dsc | 1 -
+ OvmfPkg/OvmfPkgX64.fdf | 1 -
+ OvmfPkg/OvmfXen.dsc | 1 -
+ OvmfPkg/OvmfXen.fdf | 1 -
+ 10 files changed, 10 deletions(-)
+
+diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc
+index 232a5452bbd4..089434a7ec74 100644
+--- a/OvmfPkg/Bhyve/BhyveX64.dsc
++++ b/OvmfPkg/Bhyve/BhyveX64.dsc
+@@ -768,7 +768,6 @@
+ MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
+ MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
+-# OvmfPkg/Csm/LegacyBiosDxe/LegacyBiosDxe.inf
+ !ifdef $(CSM_ENABLE)
+ OvmfPkg/Bhyve/Csm/BhyveCsm16/BhyveCsm16.inf
+ !endif
+diff --git a/OvmfPkg/Bhyve/BhyveX64.fdf b/OvmfPkg/Bhyve/BhyveX64.fdf
+index 7cab821e7c8f..8b5aa46a1e33 100644
+--- a/OvmfPkg/Bhyve/BhyveX64.fdf
++++ b/OvmfPkg/Bhyve/BhyveX64.fdf
+@@ -295,7 +295,6 @@ INF MdeModulePkg/Bus/Usb/UsbBusDxe/UsbBusDxe.inf
+ INF MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
+ INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
+-#INF OvmfPkg/Csm/LegacyBiosDxe/LegacyBiosDxe.inf
+ !ifdef $(CSM_ENABLE)
+ INF RuleOverride=CSM OvmfPkg/Bhyve/Csm/BhyveCsm16/BhyveCsm16.inf
+ !endif
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index d38583e6a970..82dad87e9b32 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -897,7 +897,6 @@
+ MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
+ !ifdef $(CSM_ENABLE)
+- OvmfPkg/Csm/LegacyBiosDxe/LegacyBiosDxe.inf
+ OvmfPkg/Csm/Csm16/Csm16.inf
+ !endif
+
+diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index 79f2bec797ea..f5e24362c86c 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
++++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -326,7 +326,6 @@ INF MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
+ INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
+ !ifdef $(CSM_ENABLE)
+-INF OvmfPkg/Csm/LegacyBiosDxe/LegacyBiosDxe.inf
+ INF RuleOverride=CSM OvmfPkg/Csm/Csm16/Csm16.inf
+ !endif
+
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index 0a9fb8ae90a5..8a673e6a169a 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -915,7 +915,6 @@
+ MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
+ !ifdef $(CSM_ENABLE)
+- OvmfPkg/Csm/LegacyBiosDxe/LegacyBiosDxe.inf
+ OvmfPkg/Csm/Csm16/Csm16.inf
+ !endif
+
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index 57b458ba3dea..ccb99900490c 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
++++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -332,7 +332,6 @@ INF MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
+ INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
+ !ifdef $(CSM_ENABLE)
+-INF OvmfPkg/Csm/LegacyBiosDxe/LegacyBiosDxe.inf
+ INF RuleOverride=CSM OvmfPkg/Csm/Csm16/Csm16.inf
+ !endif
+
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index f233b6b223dc..017a026d63cd 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -980,7 +980,6 @@
+ MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
+ !ifdef $(CSM_ENABLE)
+- OvmfPkg/Csm/LegacyBiosDxe/LegacyBiosDxe.inf
+ OvmfPkg/Csm/Csm16/Csm16.inf
+ !endif
+
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index 3b7c48415f82..841e24a354c3 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
++++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -371,7 +371,6 @@ INF MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
+ INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
+ !ifdef $(CSM_ENABLE)
+-INF OvmfPkg/Csm/LegacyBiosDxe/LegacyBiosDxe.inf
+ INF RuleOverride=CSM OvmfPkg/Csm/Csm16/Csm16.inf
+ !endif
+
+diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc
+index 2848981459c3..8cb4b880ac84 100644
+--- a/OvmfPkg/OvmfXen.dsc
++++ b/OvmfPkg/OvmfXen.dsc
+@@ -704,7 +704,6 @@
+ MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
+ !ifdef $(CSM_ENABLE)
+- OvmfPkg/Csm/LegacyBiosDxe/LegacyBiosDxe.inf
+ OvmfPkg/Csm/Csm16/Csm16.inf
+ !endif
+
+diff --git a/OvmfPkg/OvmfXen.fdf b/OvmfPkg/OvmfXen.fdf
+index eb537f44a462..46b688d1d05b 100644
+--- a/OvmfPkg/OvmfXen.fdf
++++ b/OvmfPkg/OvmfXen.fdf
+@@ -335,7 +335,6 @@ INF MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
+ INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
+ !ifdef $(CSM_ENABLE)
+-INF OvmfPkg/Csm/LegacyBiosDxe/LegacyBiosDxe.inf
+ INF RuleOverride=CSM OvmfPkg/Csm/Csm16/Csm16.inf
+ !endif
+
+--
+2.43.0
+
diff --git a/0141-OvmfPkg-exclude-Csm16.inf-Csm16.bin.patch b/0141-OvmfPkg-exclude-Csm16.inf-Csm16.bin.patch
new file mode 100644
index 0000000..44b4400
--- /dev/null
+++ b/0141-OvmfPkg-exclude-Csm16.inf-Csm16.bin.patch
@@ -0,0 +1,201 @@
+From 6743149fd049a1d554dbf892d420128014773178 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek
+Date: Sat, 11 Nov 2023 00:58:11 +0100
+Subject: [PATCH 26/31] OvmfPkg: exclude Csm16.inf / Csm16.bin
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit e8f860d92437dd202941c74cf7dfc11929164051 upstream.
+
+The Csm16 module wraps the CONFIG_CSM build of SeaBIOS. "Csm16.inf" has
+FILE_GUID 1547B4F3-3E8A-4FEF-81C8-328ED647AB1A, which was previously
+referenced by the (now removed) CsmSupportLib, under the name
+SYSTEM_ROM_FILE_GUID.
+
+Nothing relies on the SeaBIOS binary any longer, so exclude the Csm16
+module from all OVMF platforms.
+
+(Note that the "OvmfPkg/Bhyve/Csm/BhyveCsm16/BhyveCsm16.inf" pathname that
+the BhyveX64 platform refers to is bogus anyway.)
+
+Cc: Anthony Perard
+Cc: Ard Biesheuvel
+Cc: Corvin Köhne
+Cc: Gerd Hoffmann
+Cc: Jiewen Yao
+Cc: Rebecca Cran
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=4588
+Signed-off-by: Laszlo Ersek
+Message-Id: <20231110235820.644381-29-lersek@redhat.com>
+Reviewed-by: Jiewen Yao
+Reviewed-by: Ard Biesheuvel
+Acked-by: Corvin Köhne
+Acked-by: Gerd Hoffmann
+Signed-off-by: Jeevan deep J
+---
+ OvmfPkg/Bhyve/BhyveX64.dsc | 4 ----
+ OvmfPkg/Bhyve/BhyveX64.fdf | 4 ----
+ OvmfPkg/OvmfPkgIa32.dsc | 4 ----
+ OvmfPkg/OvmfPkgIa32.fdf | 4 ----
+ OvmfPkg/OvmfPkgIa32X64.dsc | 4 ----
+ OvmfPkg/OvmfPkgIa32X64.fdf | 4 ----
+ OvmfPkg/OvmfPkgX64.dsc | 4 ----
+ OvmfPkg/OvmfPkgX64.fdf | 4 ----
+ OvmfPkg/OvmfXen.dsc | 4 ----
+ OvmfPkg/OvmfXen.fdf | 4 ----
+ 10 files changed, 40 deletions(-)
+
+diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc
+index 089434a7ec74..56ee6fab204e 100644
+--- a/OvmfPkg/Bhyve/BhyveX64.dsc
++++ b/OvmfPkg/Bhyve/BhyveX64.dsc
+@@ -768,10 +768,6 @@
+ MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
+ MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
+-!ifdef $(CSM_ENABLE)
+- OvmfPkg/Bhyve/Csm/BhyveCsm16/BhyveCsm16.inf
+-!endif
+-
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+ ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf {
+
+diff --git a/OvmfPkg/Bhyve/BhyveX64.fdf b/OvmfPkg/Bhyve/BhyveX64.fdf
+index 8b5aa46a1e33..9cd059de159f 100644
+--- a/OvmfPkg/Bhyve/BhyveX64.fdf
++++ b/OvmfPkg/Bhyve/BhyveX64.fdf
+@@ -295,10 +295,6 @@ INF MdeModulePkg/Bus/Usb/UsbBusDxe/UsbBusDxe.inf
+ INF MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
+ INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
+-!ifdef $(CSM_ENABLE)
+-INF RuleOverride=CSM OvmfPkg/Bhyve/Csm/BhyveCsm16/BhyveCsm16.inf
+-!endif
+-
+ INF OvmfPkg/PlatformDxe/Platform.inf
+ INF OvmfPkg/AmdSevDxe/AmdSevDxe.inf
+ INF OvmfPkg/IoMmuDxe/IoMmuDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index 82dad87e9b32..1c2a07e3b607 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -896,10 +896,6 @@
+ MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
+ MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
+-!ifdef $(CSM_ENABLE)
+- OvmfPkg/Csm/Csm16/Csm16.inf
+-!endif
+-
+ !if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE
+ ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf {
+
+diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index f5e24362c86c..705a8beb8c0f 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
++++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -325,10 +325,6 @@ INF MdeModulePkg/Bus/Usb/UsbBusDxe/UsbBusDxe.inf
+ INF MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
+ INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
+-!ifdef $(CSM_ENABLE)
+-INF RuleOverride=CSM OvmfPkg/Csm/Csm16/Csm16.inf
+-!endif
+-
+ INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+ INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+ INF OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index 8a673e6a169a..253cde669ece 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -914,10 +914,6 @@
+ MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
+ MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
+-!ifdef $(CSM_ENABLE)
+- OvmfPkg/Csm/Csm16/Csm16.inf
+-!endif
+-
+ !if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE
+ ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf {
+
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index ccb99900490c..d7ee54514d83 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
++++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -331,10 +331,6 @@ INF MdeModulePkg/Bus/Usb/UsbBusDxe/UsbBusDxe.inf
+ INF MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
+ INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
+-!ifdef $(CSM_ENABLE)
+-INF RuleOverride=CSM OvmfPkg/Csm/Csm16/Csm16.inf
+-!endif
+-
+ INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+ INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+ INF OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 017a026d63cd..675cf875728b 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -979,10 +979,6 @@
+ MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
+ MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
+-!ifdef $(CSM_ENABLE)
+- OvmfPkg/Csm/Csm16/Csm16.inf
+-!endif
+-
+ !if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE
+ ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf {
+
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index 841e24a354c3..fddf740bafcb 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
++++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -370,10 +370,6 @@ INF MdeModulePkg/Bus/Usb/UsbBusDxe/UsbBusDxe.inf
+ INF MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
+ INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
+-!ifdef $(CSM_ENABLE)
+-INF RuleOverride=CSM OvmfPkg/Csm/Csm16/Csm16.inf
+-!endif
+-
+ INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+ INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+ INF OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc
+index 8cb4b880ac84..3ed20f7c4709 100644
+--- a/OvmfPkg/OvmfXen.dsc
++++ b/OvmfPkg/OvmfXen.dsc
+@@ -703,10 +703,6 @@
+ MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
+ MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
+-!ifdef $(CSM_ENABLE)
+- OvmfPkg/Csm/Csm16/Csm16.inf
+-!endif
+-
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+ ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf {
+
+diff --git a/OvmfPkg/OvmfXen.fdf b/OvmfPkg/OvmfXen.fdf
+index 46b688d1d05b..18f8c81b0ef7 100644
+--- a/OvmfPkg/OvmfXen.fdf
++++ b/OvmfPkg/OvmfXen.fdf
+@@ -334,10 +334,6 @@ INF MdeModulePkg/Bus/Usb/UsbBusDxe/UsbBusDxe.inf
+ INF MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
+ INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
+-!ifdef $(CSM_ENABLE)
+-INF RuleOverride=CSM OvmfPkg/Csm/Csm16/Csm16.inf
+-!endif
+-
+ INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+ INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+ INF OvmfPkg/PlatformDxe/Platform.inf
+--
+2.43.0
+
diff --git a/0142-OvmfPkg-add-ShellComponents.dsc.inc.patch b/0142-OvmfPkg-add-ShellComponents.dsc.inc.patch
new file mode 100644
index 0000000..23fb31c
--- /dev/null
+++ b/0142-OvmfPkg-add-ShellComponents.dsc.inc.patch
@@ -0,0 +1,133 @@
+From baf34528eeae7097b48e39bdc7926f9492a24a08 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Thu, 22 Feb 2024 11:13:47 +0100
+Subject: [PATCH 27/31] OvmfPkg: add ShellComponents.dsc.inc
+
+commit 2cb466cc2cbf287e8905192379265a0dcb6db623 upstream.
+
+Move EFI Shell components from OvmfPkgX64.dsc to
+the new ShellComponents.dsc.inc include file.
+
+Signed-off-by: Gerd Hoffmann
+Reviewed-by: Laszlo Ersek
+Acked-by: Jiewen Yao
+Message-Id: <20240222101358.67818-2-kraxel@redhat.com>
+Signed-off-by: Jeevan deep J
+---
+ OvmfPkg/Include/Dsc/ShellComponents.dsc.inc | 49 +++++++++++++++++++++
+ OvmfPkg/OvmfPkgX64.dsc | 43 +-----------------
+ 2 files changed, 50 insertions(+), 42 deletions(-)
+ create mode 100644 OvmfPkg/Include/Dsc/ShellComponents.dsc.inc
+
+diff --git a/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc b/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc
+new file mode 100644
+index 000000000000..1a3a349a9de5
+--- /dev/null
++++ b/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc
+@@ -0,0 +1,49 @@
++##
++# SPDX-License-Identifier: BSD-2-Clause-Patent
++##
++
++!if $(BUILD_SHELL) == TRUE
++
++!if $(TOOL_CHAIN_TAG) != "XCODE5"
++ ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf {
++
++ gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
++ }
++ ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf {
++
++ gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
++ }
++ ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf {
++
++ gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
++ }
++ OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {
++
++ gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
++ }
++!endif
++
++ ShellPkg/Application/Shell/Shell.inf {
++
++ ShellCommandLib|ShellPkg/Library/UefiShellCommandLib/UefiShellCommandLib.inf
++ NULL|ShellPkg/Library/UefiShellLevel2CommandsLib/UefiShellLevel2CommandsLib.inf
++ NULL|ShellPkg/Library/UefiShellLevel1CommandsLib/UefiShellLevel1CommandsLib.inf
++ NULL|ShellPkg/Library/UefiShellLevel3CommandsLib/UefiShellLevel3CommandsLib.inf
++ NULL|ShellPkg/Library/UefiShellDriver1CommandsLib/UefiShellDriver1CommandsLib.inf
++ NULL|ShellPkg/Library/UefiShellDebug1CommandsLib/UefiShellDebug1CommandsLib.inf
++ NULL|ShellPkg/Library/UefiShellInstall1CommandsLib/UefiShellInstall1CommandsLib.inf
++ NULL|ShellPkg/Library/UefiShellNetwork1CommandsLib/UefiShellNetwork1CommandsLib.inf
++!if $(NETWORK_IP6_ENABLE) == TRUE
++ NULL|ShellPkg/Library/UefiShellNetwork2CommandsLib/UefiShellNetwork2CommandsLib.inf
++!endif
++ HandleParsingLib|ShellPkg/Library/UefiHandleParsingLib/UefiHandleParsingLib.inf
++ PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf
++ BcfgCommandLib|ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.inf
++
++
++ gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0xFF
++ gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
++ gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000
++ }
++
++!endif
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 675cf875728b..e4aa59061810 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -979,48 +979,7 @@
+ MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
+ MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
+-!if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE
+- ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf {
+-
+- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+- }
+- ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf {
+-
+- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+- }
+- ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf {
+-
+- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+- }
+- OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {
+-
+- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+- }
+-!endif
+-!if $(BUILD_SHELL) == TRUE
+- ShellPkg/Application/Shell/Shell.inf {
+-
+- ShellCommandLib|ShellPkg/Library/UefiShellCommandLib/UefiShellCommandLib.inf
+- NULL|ShellPkg/Library/UefiShellLevel2CommandsLib/UefiShellLevel2CommandsLib.inf
+- NULL|ShellPkg/Library/UefiShellLevel1CommandsLib/UefiShellLevel1CommandsLib.inf
+- NULL|ShellPkg/Library/UefiShellLevel3CommandsLib/UefiShellLevel3CommandsLib.inf
+- NULL|ShellPkg/Library/UefiShellDriver1CommandsLib/UefiShellDriver1CommandsLib.inf
+- NULL|ShellPkg/Library/UefiShellDebug1CommandsLib/UefiShellDebug1CommandsLib.inf
+- NULL|ShellPkg/Library/UefiShellInstall1CommandsLib/UefiShellInstall1CommandsLib.inf
+- NULL|ShellPkg/Library/UefiShellNetwork1CommandsLib/UefiShellNetwork1CommandsLib.inf
+-!if $(NETWORK_IP6_ENABLE) == TRUE
+- NULL|ShellPkg/Library/UefiShellNetwork2CommandsLib/UefiShellNetwork2CommandsLib.inf
+-!endif
+- HandleParsingLib|ShellPkg/Library/UefiHandleParsingLib/UefiHandleParsingLib.inf
+- PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf
+- BcfgCommandLib|ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.inf
+-
+-
+- gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0xFF
+- gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+- gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000
+- }
+-!endif
++!include OvmfPkg/Include/Dsc/ShellComponents.dsc.inc
+
+ !if $(SECURE_BOOT_ENABLE) == TRUE
+ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+--
+2.43.0
+
diff --git a/0143-OvmfPkg-add-ShellDxe.fdf.inc.patch b/0143-OvmfPkg-add-ShellDxe.fdf.inc.patch
new file mode 100644
index 0000000..46571d9
--- /dev/null
+++ b/0143-OvmfPkg-add-ShellDxe.fdf.inc.patch
@@ -0,0 +1,73 @@ +From 9ddaf8312f8aa13108b231bb72f7f2381d5c7069 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Thu, 22 Feb 2024 11:13:49 +0100 +Subject: [PATCH 28/31] OvmfPkg: add ShellDxe.fdf.inc + +commit b25f84d7b3d8c93db459aa3eb39a644907eda85e upstream. + +Move EFI Shell firmware volume files to +the new ShellDxe.fdf.inc file. + +Signed-off-by: Gerd Hoffmann +Reviewed-by: Laszlo Ersek +Acked-by: Jiewen Yao +Message-Id: <20240222101358.67818-4-kraxel@redhat.com> +Signed-off-by: Jeevan deep J +--- + OvmfPkg/Include/Fdf/ShellDxe.fdf.inc | 14 ++++++++++++++ + OvmfPkg/OvmfPkgX64.fdf | 11 ++--------- + 2 files changed, 16 insertions(+), 9 deletions(-) + create mode 100644 OvmfPkg/Include/Fdf/ShellDxe.fdf.inc + +diff --git a/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc b/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc +new file mode 100644 +index 000000000000..0935f06fa368 +--- /dev/null ++++ b/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc +@@ -0,0 +1,14 @@ ++## ++# SPDX-License-Identifier: BSD-2-Clause-Patent ++## ++ ++!if $(BUILD_SHELL) == TRUE ++ ++!if $(TOOL_CHAIN_TAG) != "XCODE5" ++INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf ++INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf ++INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf ++!endif ++ ++INF ShellPkg/Application/Shell/Shell.inf ++!endif +diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf +index fddf740bafcb..552b1864939b 100644 +--- a/OvmfPkg/OvmfPkgX64.fdf ++++ b/OvmfPkg/OvmfPkgX64.fdf +@@ -336,15 +336,6 @@ INF FatPkg/EnhancedFatDxe/Fat.inf + INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf + INF OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf + +-!if $(BUILD_SHELL) == TRUE && $(TOOL_CHAIN_TAG) != "XCODE5" +-INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf +-INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf +-INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf +-!endif +-!if $(BUILD_SHELL) == 
TRUE +-INF ShellPkg/Application/Shell/Shell.inf +-!endif +- + INF MdeModulePkg/Logo/LogoDxe.inf + + INF OvmfPkg/TdxDxe/TdxDxe.inf +@@ -420,6 +411,8 @@ INF SecurityPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf + # + !include OvmfPkg/Include/Fdf/OvmfTpmDxe.fdf.inc + ++!include OvmfPkg/Include/Fdf/ShellDxe.fdf.inc ++ + ################################################################################ + + [FV.FVMAIN_COMPACT] +-- +2.43.0 + diff --git a/0144-OvmfPkg-Shell-.inc-allow-building-without-network-su.patch b/0144-OvmfPkg-Shell-.inc-allow-building-without-network-su.patch new file mode 100644 index 0000000..a9cd0e4 --- /dev/null +++ b/0144-OvmfPkg-Shell-.inc-allow-building-without-network-su.patch 
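Review bot: The new OvmfPkg/Include/Fdf/ShellDxe.fdf.inc carries only an SPDX header and no comment stating that its INF list must mirror OvmfPkg/Include/Dsc/ShellComponents.dsc.inc, which the preceding patch on this page makes OvmfPkgX64.dsc include; a module listed on one side but not the other is normally caught at build time, but the pairing is invisible to anyone reading either file alone. A one-line header such as `# EFI Shell FV entries; keep in sync with OvmfPkg/Include/Dsc/ShellComponents.dsc.inc` would make the contract explicit for platform maintainers. The `!include` is also placed after OvmfTpmDxe.fdf.inc rather than where the removed lines sat before LogoDxe.inf, which moves the shell modules within the FV; DXE dispatch is driven by dependency expressions rather than FV order, so this is presumably harmless, but it deserves a sentence in the commit message.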
@@ -0,0 +1,73 @@ +From de2c3d01e54151ec0ef7d7d308d7b526c71eeea6 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Thu, 22 Feb 2024 11:13:50 +0100 +Subject: [PATCH 29/31] OvmfPkg: Shell*.inc: allow building without network + support + +commit 7f17a155640a2a9e1f7b0f3522628ee2c6f62624 upstream. + +Add NETWORK_ENABLE conditionals for the components +which need network support. + +Signed-off-by: Gerd Hoffmann +Reviewed-by: Laszlo Ersek +Acked-by: Jiewen Yao +Message-Id: <20240222101358.67818-5-kraxel@redhat.com> +Signed-off-by: Jeevan deep J +--- + OvmfPkg/Include/Dsc/ShellComponents.dsc.inc | 6 ++++++ + OvmfPkg/Include/Fdf/ShellDxe.fdf.inc | 2 ++ + 2 files changed, 8 insertions(+) + +diff --git a/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc b/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc +index 1a3a349a9de5..4075688e416d 100644 +--- a/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc ++++ b/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc +@@ -5,6 +5,7 @@ + !if $(BUILD_SHELL) == TRUE + + !if $(TOOL_CHAIN_TAG) != "XCODE5" ++!if $(NETWORK_ENABLE) == TRUE + ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf { + + gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE +@@ -13,6 +14,7 @@ + + gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE + } ++!endif + ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf { + + gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE +@@ -32,9 +34,13 @@ + NULL|ShellPkg/Library/UefiShellDriver1CommandsLib/UefiShellDriver1CommandsLib.inf + NULL|ShellPkg/Library/UefiShellDebug1CommandsLib/UefiShellDebug1CommandsLib.inf + NULL|ShellPkg/Library/UefiShellInstall1CommandsLib/UefiShellInstall1CommandsLib.inf ++!if $(NETWORK_ENABLE) == TRUE ++!if $(NETWORK_IP4_ENABLE) == TRUE + NULL|ShellPkg/Library/UefiShellNetwork1CommandsLib/UefiShellNetwork1CommandsLib.inf ++!endif + !if $(NETWORK_IP6_ENABLE) == TRUE + NULL|ShellPkg/Library/UefiShellNetwork2CommandsLib/UefiShellNetwork2CommandsLib.inf 
++!endif + !endif + HandleParsingLib|ShellPkg/Library/UefiHandleParsingLib/UefiHandleParsingLib.inf + PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf +diff --git a/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc b/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc +index 0935f06fa368..6536c30c5413 100644 +--- a/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc ++++ b/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc +@@ -5,8 +5,10 @@ + !if $(BUILD_SHELL) == TRUE + + !if $(TOOL_CHAIN_TAG) != "XCODE5" ++!if $(NETWORK_ENABLE) == TRUE + INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf + INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf ++!endif + INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf + !endif + +-- +2.43.0 + diff --git a/0145-ShellPkg-Add-varpolicy-dynamic-shell-command-and-app.patch b/0145-ShellPkg-Add-varpolicy-dynamic-shell-command-and-app.patch new file mode 100644 index 0000000..fcd5731 --- /dev/null +++ b/0145-ShellPkg-Add-varpolicy-dynamic-shell-command-and-app.patch 
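Review bot: The new `!if $(NETWORK_ENABLE) == TRUE` and `!if $(NETWORK_IP4_ENABLE) == TRUE` guards in ShellComponents.dsc.inc and ShellDxe.fdf.inc depend on macros that neither include file defines, and nothing in the hunk documents that the including platform must define them (presumably through its network defines include) before these files are pulled in. I believe an undefined macro in a DSC/FDF `!if` evaluates false rather than failing the build, so a platform that omits the defines would silently drop the shell network commands; worth confirming. A header comment such as `# Requires BUILD_SHELL, NETWORK_ENABLE, NETWORK_IP4_ENABLE and NETWORK_IP6_ENABLE to be defined by the including platform` on both files would make that expectation visible. The Tftp/Http dynamic commands are now conditional in the DSC and the FDF independently, so the two NETWORK_ENABLE guards must be kept mirrored in future edits.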
@@ -0,0 +1,1580 @@ +From 8120f679d9ef51e67f869db7b5631028061560ff Mon Sep 17 00:00:00 2001 +From: Michael Kubacki +Date: Mon, 30 Oct 2023 16:31:10 -0400 +Subject: [PATCH 30/31] ShellPkg: Add varpolicy dynamic shell command and app + +commit d4358a7f7629c996f80236588c95b62cd9c93584 upstream. + +Adds a new module (dynamic shell command) to ShellPkg that lists +variable policy information for all UEFI variables on the system. + +Some other UEFI variable related functionality is also included to +give a greater sense of platform UEFI variable state. This command +is intended to help make variable policies more transparent and +easier to understand and configure on a platform. + +Like all dynamic shell commands, a platform only needs to include +`VariablePolicyDynamicCommand.inf` in their flash image to have +the command registered in their UEFI shell. + +Include the following lines in platform DSC (in DXE components section): + +``` + ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf { + + gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE + } +``` + +Include the following line in platform FDF: + +``` +INF ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf +``` + +A standalone UEFI application can also be built that uses the same +underlying functional code as the dynamic shell command. 
+ +The path to use in the DSC and FDF for the app: + +``` + ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyApp.inf +``` + +Cc: Zhichao Gao +Cc: Michael D Kinney +Signed-off-by: Michael Kubacki +Reviewed-by: Ard Biesheuvel +Reviewed-by: Zhichao Gao +Message-Id: <20231030203112.736-3-mikuback@linux.microsoft.com> +Signed-off-by: Jeevan deep J +--- + .../VariablePolicy.c | 897 ++++++++++++++++++ + .../VariablePolicy.h | 129 +++ + .../VariablePolicy.uni | 86 ++ + .../VariablePolicyApp.c | 59 ++ + .../VariablePolicyApp.inf | 62 ++ + .../VariablePolicyDynamicCommand.c | 157 +++ + .../VariablePolicyDynamicCommand.inf | 61 ++ + ShellPkg/ShellPkg.dsc | 5 + + 8 files changed, 1456 insertions(+) + create mode 100644 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicy.c + create mode 100644 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicy.h + create mode 100644 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicy.uni + create mode 100644 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyApp.c + create mode 100644 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyApp.inf + create mode 100644 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.c + create mode 100644 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf + +diff --git a/ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicy.c b/ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicy.c +new file mode 100644 +index 000000000000..ed991be4ed00 +--- /dev/null ++++ b/ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicy.c +@@ -0,0 +1,897 @@ ++/** @file ++ Main file for the "varpolicy" dynamic UEFI shell command and application. ++ ++ This feature can provide detailed UEFI variable policy configuration ++ information in the UEFI shell. ++ ++ Copyright (c) Microsoft Corporation. 
++ SPDX-License-Identifier: BSD-2-Clause-Patent ++ ++**/ ++ ++#include "VariablePolicy.h" ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++ ++#define VAR_POLICY_FLAG_STATS_STR L"-s" ++#define VAR_POLICY_FLAG_POLICY_STR L"-p" ++#define VAR_POLICY_FLAG_VERBOSE_STR L"-v" ++ ++#define VAR_POLICY_CMD_MIN_ATTR_STR_LEN 64 ++ ++EFI_HII_HANDLE mVarPolicyShellCommandHiiHandle = NULL; ++ ++STATIC CONST SHELL_PARAM_ITEM ParamList[] = { ++ { VAR_POLICY_FLAG_POLICY_STR, TypeFlag }, ++ { VAR_POLICY_FLAG_STATS_STR, TypeFlag }, ++ { VAR_POLICY_FLAG_VERBOSE_STR, TypeFlag }, ++ { NULL, TypeMax } ++}; ++ ++STATIC CONST VAR_POLICY_CMD_VAR_NAMESPACE mVarNamespaces[] = { ++ { ++ VariableVendorCapsule, ++ &gEfiCapsuleVendorGuid, ++ L"Capsule" ++ }, ++ { ++ VariableVendorCapsuleReport, ++ &gEfiCapsuleReportGuid, ++ L"Capsule Reporting" ++ }, ++ { ++ VariableVendorGlobal, ++ &gEfiGlobalVariableGuid, ++ L"UEFI Global" ++ }, ++ { ++ VariableVendorMemoryTypeInfo, ++ &gEfiMemoryTypeInformationGuid, ++ L"Memory Type Information" ++ }, ++ { ++ VariableVendorMonotonicCounter, ++ &gMtcVendorGuid, ++ L"Monotonic Counter" ++ }, ++ { ++ VariableVendorMorControl, ++ &gEfiMemoryOverwriteRequestControlLockGuid, ++ L"Memory Overwrite Request (MOR) Control Lock" ++ }, ++ { ++ VariableVendorShell, ++ &gShellVariableGuid, ++ L"UEFI Shell" ++ }, ++ { ++ VariableVendorShell, ++ &gShellAliasGuid, ++ L"UEFI Shell Alias" ++ } ++}; ++ ++/** ++ Returns UEFI variable attribute information in a string. ++ ++ AttributesStrSize must at least be VAR_POLICY_CMD_MIN_ATTR_STR_LEN in length ++ or EFI_INVALID_PARAMETER will be returned. ++ ++ @param[in] Attributes The UEFI variable attributes. ++ @param[in] AttributesStrSize The size, in bytes, of AttributesStr. ++ @param[out] AttributesStr The Unicode string for the given attributes. ++ ++ @retval EFI_SUCCESS The attributes were converted to a string successfully. 
++ @retval EFI_INVALID_PARAMETER The AttributesStr pointer is NULL. ++ ++**/ ++EFI_STATUS ++GetAttributesString ( ++ IN UINT32 Attributes, ++ IN UINTN AttributesStrSize, ++ OUT CHAR16 *AttributesStr ++ ) ++{ ++ if ((AttributesStr == NULL) || (AttributesStrSize < VAR_POLICY_CMD_MIN_ATTR_STR_LEN)) { ++ return EFI_INVALID_PARAMETER; ++ } ++ ++ AttributesStr[0] = L'0'; ++ AttributesStr[1] = L'x'; ++ AttributesStr[2] = L'\0'; ++ ++ UnicodeValueToStringS (AttributesStr + 2, AttributesStrSize - 2, (RADIX_HEX), (INT64)Attributes, 30); ++ ++ if (Attributes == 0) { ++ StrCatS (AttributesStr, AttributesStrSize, L" No Attributes"); ++ } else { ++ if ((Attributes & EFI_VARIABLE_NON_VOLATILE) == EFI_VARIABLE_NON_VOLATILE) { ++ StrCatS (AttributesStr, AttributesStrSize, L" NV"); ++ Attributes ^= EFI_VARIABLE_NON_VOLATILE; ++ } ++ ++ if ((Attributes & EFI_VARIABLE_BOOTSERVICE_ACCESS) == EFI_VARIABLE_BOOTSERVICE_ACCESS) { ++ StrCatS (AttributesStr, AttributesStrSize, L" BS"); ++ Attributes ^= EFI_VARIABLE_BOOTSERVICE_ACCESS; ++ } ++ ++ if ((Attributes & EFI_VARIABLE_RUNTIME_ACCESS) == EFI_VARIABLE_RUNTIME_ACCESS) { ++ StrCatS (AttributesStr, AttributesStrSize, L" RT"); ++ Attributes ^= EFI_VARIABLE_RUNTIME_ACCESS; ++ } ++ ++ if ((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD) { ++ StrCatS (AttributesStr, AttributesStrSize, L" HW-Error"); ++ Attributes ^= EFI_VARIABLE_HARDWARE_ERROR_RECORD; ++ } ++ ++ if ((Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) == EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) { ++ StrCatS (AttributesStr, AttributesStrSize, L" Auth-WA"); ++ Attributes ^= EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS; ++ } ++ ++ if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) == EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) { ++ StrCatS (AttributesStr, AttributesStrSize, L" Auth-TIME-WA"); ++ Attributes ^= EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; ++ } ++ ++ if ((Attributes & EFI_VARIABLE_APPEND_WRITE) 
== EFI_VARIABLE_APPEND_WRITE) { ++ StrCatS (AttributesStr, AttributesStrSize, L" APPEND-W"); ++ Attributes ^= EFI_VARIABLE_APPEND_WRITE; ++ } ++ ++ if (Attributes != 0) { ++ StrCatS (AttributesStr, AttributesStrSize, L" "); ++ } ++ } ++ ++ return EFI_SUCCESS; ++} ++ ++/** ++ Prints UEFI variable statistics information. ++ ++ @param[in] TotalVariables Total number of UEFI variables discovered. ++ @param[in] TotalVariablesSize Total size of UEFI variables discovered. ++ ++**/ ++VOID ++PrintStats ( ++ IN UINTN TotalVariables, ++ IN UINTN TotalVariablesSize ++ ) ++{ ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_STATS_HEADER_1), mVarPolicyShellCommandHiiHandle); ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_STATS_HEADER_2), mVarPolicyShellCommandHiiHandle); ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_STATS_HEADER_1), mVarPolicyShellCommandHiiHandle); ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_STATS_TOTAL_VARS), mVarPolicyShellCommandHiiHandle, TotalVariables); ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_STATS_TOTAL_SIZE), mVarPolicyShellCommandHiiHandle, TotalVariablesSize, TotalVariablesSize); ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_STATS_HEADER_1), mVarPolicyShellCommandHiiHandle); ++} ++ ++/** ++ Returns information for the given variable namespace if available. ++ ++ @param[in] VariableGuid The UEFI variable vendor (namespace) GUID. ++ ++ @return Pointer to a namespace info structure on a GUID match. ++ @return NULL on lack of a GUID match. 
++ ++**/ ++CONST VAR_POLICY_CMD_VAR_NAMESPACE * ++GetNameSpaceInfo ( ++ IN EFI_GUID *VariableGuid ++ ) ++{ ++ UINTN Index; ++ ++ if (VariableGuid == NULL) { ++ ASSERT (VariableGuid != NULL); ++ return NULL; ++ } ++ ++ for (Index = 0; Index < ARRAY_SIZE (mVarNamespaces); Index++) { ++ if (CompareGuid (mVarNamespaces[Index].VendorGuid, VariableGuid)) { ++ return &mVarNamespaces[Index]; ++ } ++ } ++ ++ return NULL; ++} ++ ++/** ++ Print non-verbose information about the variable. ++ ++ @param[in] VariableName A pointer the Unicode variable name. ++ @param[in] VariableGuid A pointer to the variable vendor GUID. ++ @param[in] VariableSize The size of the UEFI variable in bytes. ++ @param[in] VariableAttributes The UEFI variable attributes. ++ ++ @retval EFI_SUCCESS The non-verbose variable information was printed successfully. ++ @retval EFI_INVALID_PARAMETER A pointer argument passed to the function was NULL. ++ @retval EFI_OUT_OF_RESOURCES Insufficient memory resources to print the attributes. 
++ ++**/ ++EFI_STATUS ++PrintNonVerboseVarInfo ( ++ IN CHAR16 *VariableName, ++ IN EFI_GUID *VariableGuid, ++ IN UINTN VariableSize, ++ IN UINT32 VariableAttributes ++ ) ++{ ++ EFI_STATUS Status; ++ CHAR16 *AttributesStr; ++ CHAR16 *DescriptionStr; ++ CONST VAR_POLICY_CMD_VAR_NAMESPACE *CmdVarNamespace; ++ ++ AttributesStr = NULL; ++ DescriptionStr = NULL; ++ ++ if ((VariableName == NULL) || (VariableGuid == NULL)) { ++ return EFI_INVALID_PARAMETER; ++ } ++ ++ CmdVarNamespace = GetNameSpaceInfo (VariableGuid); ++ ++ if (CmdVarNamespace == NULL) { ++ DescriptionStr = AllocatePages (1); ++ if (DescriptionStr == NULL) { ++ Status = EFI_OUT_OF_RESOURCES; ++ goto Exit; ++ } ++ ++ ZeroMem ((VOID *)DescriptionStr, EFI_PAGES_TO_SIZE (1)); ++ UnicodeSPrint (DescriptionStr, EFI_PAGES_TO_SIZE (1), L"Unknown Vendor (%g)", VariableGuid); ++ } else { ++ DescriptionStr = CmdVarNamespace->Description; ++ } ++ ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_VAR_TYPE), mVarPolicyShellCommandHiiHandle, DescriptionStr); ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_VAR_NAME), mVarPolicyShellCommandHiiHandle, VariableName); ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_VAR_SIZE), mVarPolicyShellCommandHiiHandle, VariableSize, VariableSize); ++ ++ AttributesStr = AllocatePages (1); ++ if (AttributesStr == NULL) { ++ Status = EFI_OUT_OF_RESOURCES; ++ goto Exit; ++ } ++ ++ ZeroMem ((VOID *)AttributesStr, EFI_PAGES_TO_SIZE (1)); ++ Status = GetAttributesString (VariableAttributes, EFI_PAGES_TO_SIZE (1), AttributesStr); ++ if (Status == EFI_SUCCESS) { ++ ShellPrintHiiEx ( ++ -1, ++ -1, ++ NULL, ++ STRING_TOKEN (STR_VAR_POL_VAR_ATTR), ++ mVarPolicyShellCommandHiiHandle, ++ AttributesStr ++ ); ++ } ++ ++ Status = EFI_SUCCESS; ++ ++Exit: ++ if (AttributesStr != NULL) { ++ FreePages (AttributesStr, 1); ++ } ++ ++ if ((CmdVarNamespace == NULL) && (DescriptionStr != NULL)) { ++ FreePages (DescriptionStr, 1); ++ } ++ ++ return Status; ++} ++ ++/** ++ Print 
verbose information about the variable. ++ ++ @param[in] Data A pointer to the variable data buffer. ++ @param[in] DataSize The size of data, in bytes, in the variable data buffer. ++ ++ @retval EFI_SUCCESS The verbose variable information was printed successfully. ++ @retval EFI_INVALID_PARAMETER A pointer argument passed to the function was NULL. ++ ++**/ ++EFI_STATUS ++PrintVerboseVarInfo ( ++ IN VOID *Data, ++ IN UINTN DataSize ++ ) ++{ ++ if ((DataSize == 0) || (Data == NULL)) { ++ return EFI_INVALID_PARAMETER; ++ } ++ ++ VAR_POLICY_CMD_SHELL_DUMP_HEX (0, Data, DataSize); ++ ++ return EFI_SUCCESS; ++} ++ ++/** ++ Prints variable policy information for the given variable. ++ ++ @param[in] VariableName A pointer to the Unicode string of the UEFI variable name. ++ @param[in] VendorGuid A pointer to the UEFI variable vendor GUID. ++ ++ @return TRUE if a variable policy was found and printed for the variable. ++ @return FALSE if an error occurred and/or a variable policy was not found and ++ printed for the variable. 
++ ++**/ ++BOOLEAN ++PrintVariablePolicyInfo ( ++ IN CHAR16 *VariableName, ++ IN EFI_GUID *VendorGuid ++ ) ++{ ++ EFI_STATUS Status; ++ VARIABLE_POLICY_ENTRY VariablePolicyEntry; ++ VARIABLE_LOCK_ON_VAR_STATE_POLICY LockOnVarStatePolicy; ++ UINTN VariablePolicyVariableNameBufferSize; ++ UINTN ReturnedVariableNameSize; ++ BOOLEAN PolicyHeaderPresent; ++ CHAR16 *VariablePolicyVariableName; ++ CHAR16 *VariableAttributesStr; ++ EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicy; ++ ++ PolicyHeaderPresent = FALSE; ++ VariableAttributesStr = NULL; ++ VariablePolicyVariableName = NULL; ++ ++ if ((VariableName == NULL) || (VendorGuid == NULL)) { ++ ASSERT ((VariableName != NULL) && (VendorGuid != NULL)); ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_POLICY_INT_ERR), mVarPolicyShellCommandHiiHandle); ++ return FALSE; ++ } ++ ++ Status = gBS->LocateProtocol (&gEdkiiVariablePolicyProtocolGuid, NULL, (VOID **)&VariablePolicy); ++ if (EFI_ERROR (Status)) { ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_POLICY_NO_PROT), mVarPolicyShellCommandHiiHandle); ++ return FALSE; ++ } ++ ++ VariablePolicyVariableNameBufferSize = EFI_PAGES_TO_SIZE (1); ++ VariablePolicyVariableName = AllocatePages (EFI_SIZE_TO_PAGES (VariablePolicyVariableNameBufferSize)); ++ if (VariablePolicyVariableName == NULL) { ++ Status = EFI_OUT_OF_RESOURCES; ++ ASSERT_EFI_ERROR (Status); ++ goto Done; ++ } ++ ++ ZeroMem (VariablePolicyVariableName, VariablePolicyVariableNameBufferSize); ++ ReturnedVariableNameSize = VariablePolicyVariableNameBufferSize; ++ Status = VariablePolicy->GetVariablePolicyInfo ( ++ VariableName, ++ VendorGuid, ++ &ReturnedVariableNameSize, ++ &VariablePolicyEntry, ++ VariablePolicyVariableName ++ ); ++ if (Status == EFI_NOT_READY) { ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_POLICY_NOT_INIT), mVarPolicyShellCommandHiiHandle); ++ } else if (Status == EFI_NOT_FOUND) { ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_POLICY_NOT_FOUND), 
mVarPolicyShellCommandHiiHandle); ++ } else if (EFI_ERROR (Status)) { ++ // A different error return code is not expected ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_POLICY_UNEXP_ERR), mVarPolicyShellCommandHiiHandle, Status); ++ } else { ++ PolicyHeaderPresent = TRUE; ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_POLICY_HEADER_1), mVarPolicyShellCommandHiiHandle); ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_POLICY_HEADER_2), mVarPolicyShellCommandHiiHandle); ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_POLICY_HEADER_1), mVarPolicyShellCommandHiiHandle); ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_POLICY_VERSION), mVarPolicyShellCommandHiiHandle, VariablePolicyEntry.Version); ++ ++ if ((ReturnedVariableNameSize > 0) && (VariablePolicyVariableName[0] != CHAR_NULL)) { ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_POLICY_VARIABLE), mVarPolicyShellCommandHiiHandle, VariablePolicyVariableName); ++ } else { ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_POLICY_VARIABLE), mVarPolicyShellCommandHiiHandle, L""); ++ } ++ ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_POLICY_NAMESPACE), mVarPolicyShellCommandHiiHandle, &VariablePolicyEntry.Namespace); ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_POLICY_MIN_SIZE), mVarPolicyShellCommandHiiHandle, VariablePolicyEntry.MinSize); ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_POLICY_MAX_SIZE), mVarPolicyShellCommandHiiHandle, VariablePolicyEntry.MaxSize); ++ ++ switch (VariablePolicyEntry.LockPolicyType) { ++ case VARIABLE_POLICY_TYPE_NO_LOCK: ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_POLICY_LOCK_TYPE), mVarPolicyShellCommandHiiHandle, L"No Lock"); ++ break; ++ case VARIABLE_POLICY_TYPE_LOCK_NOW: ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_POLICY_LOCK_TYPE), mVarPolicyShellCommandHiiHandle, L"Lock Now"); ++ break; ++ case 
VARIABLE_POLICY_TYPE_LOCK_ON_CREATE: ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_POLICY_LOCK_TYPE), mVarPolicyShellCommandHiiHandle, L"On Create"); ++ break; ++ case VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE: ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_POLICY_LOCK_TYPE), mVarPolicyShellCommandHiiHandle, L"On Variable State"); ++ ++ ZeroMem (VariablePolicyVariableName, VariablePolicyVariableNameBufferSize); ++ ReturnedVariableNameSize = VariablePolicyVariableNameBufferSize; ++ Status = VariablePolicy->GetLockOnVariableStateVariablePolicyInfo ( ++ VariableName, ++ VendorGuid, ++ &ReturnedVariableNameSize, ++ &LockOnVarStatePolicy, ++ VariablePolicyVariableName ++ ); ++ if (EFI_ERROR (Status)) { ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_POLICY_UNEXP_ERR), mVarPolicyShellCommandHiiHandle, Status); ++ goto Done; ++ } else { ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_POLICY_STATE_NS), mVarPolicyShellCommandHiiHandle, &LockOnVarStatePolicy.Namespace); ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_POLICY_STATE_VAL), mVarPolicyShellCommandHiiHandle, LockOnVarStatePolicy.Value); ++ if ((ReturnedVariableNameSize > 0) && (VariablePolicyVariableName[0] != CHAR_NULL)) { ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_POLICY_STATE_NAME), mVarPolicyShellCommandHiiHandle, VariablePolicyVariableName); ++ } else { ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_POLICY_STATE_NAME), mVarPolicyShellCommandHiiHandle, L""); ++ } ++ } ++ ++ break; ++ default: ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_POLICY_LOCK_TYPE), mVarPolicyShellCommandHiiHandle, L"Unknown"); ++ break; ++ } ++ ++ VariableAttributesStr = AllocatePages (1); ++ if (VariableAttributesStr == NULL) { ++ Status = EFI_OUT_OF_RESOURCES; ++ ASSERT_EFI_ERROR (Status); ++ goto Done; ++ } ++ ++ ZeroMem (VariableAttributesStr, EFI_PAGES_TO_SIZE (1)); ++ Status = GetAttributesString 
(VariablePolicyEntry.AttributesMustHave, EFI_PAGES_TO_SIZE (1), VariableAttributesStr); ++ if (Status == EFI_SUCCESS) { ++ ShellPrintHiiEx ( ++ -1, ++ -1, ++ NULL, ++ STRING_TOKEN (STR_VAR_POL_POLICY_ATTR_MUST), ++ mVarPolicyShellCommandHiiHandle ++ ); ++ ShellPrintHiiEx ( ++ -1, ++ -1, ++ NULL, ++ STRING_TOKEN (STR_VAR_POL_POLICY_ATTR_GEN), ++ mVarPolicyShellCommandHiiHandle, ++ VariableAttributesStr ++ ); ++ } ++ ++ ZeroMem (VariableAttributesStr, EFI_PAGES_TO_SIZE (1)); ++ Status = GetAttributesString (VariablePolicyEntry.AttributesCantHave, EFI_PAGES_TO_SIZE (1), VariableAttributesStr); ++ if (Status == EFI_SUCCESS) { ++ ShellPrintHiiEx ( ++ -1, ++ -1, ++ NULL, ++ STRING_TOKEN (STR_VAR_POL_POLICY_ATTR_NOT), ++ mVarPolicyShellCommandHiiHandle ++ ); ++ ShellPrintHiiEx ( ++ -1, ++ -1, ++ NULL, ++ STRING_TOKEN (STR_VAR_POL_POLICY_ATTR_GEN), ++ mVarPolicyShellCommandHiiHandle, ++ VariableAttributesStr ++ ); ++ } ++ } ++ ++Done: ++ if (PolicyHeaderPresent) { ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_VAR_POL_POLICY_HEADER_1), mVarPolicyShellCommandHiiHandle); ++ } ++ ++ if (VariableAttributesStr != NULL) { ++ FreePages (VariableAttributesStr, 1); ++ } ++ ++ if (VariablePolicyVariableName != NULL) { ++ FreePages (VariablePolicyVariableName, 1); ++ } ++ ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_GEN_LINE_BREAK), mVarPolicyShellCommandHiiHandle); ++ ++ return Status == EFI_SUCCESS; ++} ++ ++/** ++ Gets the next UEFI variable name. ++ ++ This buffer manages the UEFI variable name buffer, performing memory reallocations as necessary. ++ ++ Note: The first time this function is called, VariableNameBufferSize must be 0 and ++ the VariableName buffer pointer must point to NULL. ++ ++ @param[in,out] VariableNameBufferSize On input, a pointer to a buffer that holds the current ++ size of the VariableName buffer in bytes. ++ On output, a pointer to a buffer that holds the updated ++ size of the VariableName buffer in bytes. 
++ @param[in,out] VariableName On input, a pointer to a pointer to a buffer that holds the ++ current UEFI variable name. ++ On output, a pointer to a pointer to a buffer that holds the ++ next UEFI variable name. ++ @param[in,out] VariableGuid On input, a pointer to a buffer that holds the current UEFI ++ variable GUID. ++ On output, a pointer to a buffer that holds the next UEFI ++ variable GUID. ++ ++ @retval EFI_SUCCESS The next UEFI variable name was found successfully. ++ @retval EFI_INVALID_PARAMETER A pointer argument is NULL or initial input values are invalid. ++ @retval EFI_OUT_OF_RESOURCES Insufficient memory resources to allocate a required buffer. ++ @retval Others Return status codes from the UEFI spec define GetNextVariableName() interface. ++ ++**/ ++EFI_STATUS ++GetNextVariableNameWithDynamicReallocation ( ++ IN OUT UINTN *VariableNameBufferSize, ++ IN OUT CHAR16 **VariableName, ++ IN OUT EFI_GUID *VariableGuid ++ ) ++{ ++ EFI_STATUS Status; ++ UINTN NextVariableNameBufferSize; ++ ++ if ((VariableNameBufferSize == NULL) || (VariableName == NULL) || (VariableGuid == NULL)) { ++ return EFI_INVALID_PARAMETER; ++ } ++ ++ if (*VariableNameBufferSize == 0) { ++ if (*VariableName != NULL) { ++ return EFI_INVALID_PARAMETER; ++ } ++ ++ // ++ // Allocate a buffer to temporarily hold variable names. To reduce memory ++ // allocations, the default buffer size is 256 characters. The buffer can ++ // be reallocated if expansion is necessary (should be very rare). 
++ // ++ *VariableNameBufferSize = sizeof (CHAR16) * 256; ++ *VariableName = AllocateZeroPool (*VariableNameBufferSize); ++ if (*VariableName == NULL) { ++ return EFI_OUT_OF_RESOURCES; ++ } ++ ++ ZeroMem ((VOID *)VariableGuid, sizeof (EFI_GUID)); ++ } ++ ++ NextVariableNameBufferSize = *VariableNameBufferSize; ++ Status = gRT->GetNextVariableName ( ++ &NextVariableNameBufferSize, ++ *VariableName, ++ VariableGuid ++ ); ++ if (Status == EFI_BUFFER_TOO_SMALL) { ++ *VariableName = ReallocatePool ( ++ *VariableNameBufferSize, ++ NextVariableNameBufferSize, ++ *VariableName ++ ); ++ if (*VariableName == NULL) { ++ return EFI_OUT_OF_RESOURCES; ++ } ++ ++ *VariableNameBufferSize = NextVariableNameBufferSize; ++ ++ Status = gRT->GetNextVariableName ( ++ &NextVariableNameBufferSize, ++ *VariableName, ++ VariableGuid ++ ); ++ ASSERT (Status != EFI_BUFFER_TOO_SMALL); ++ } ++ ++ return Status; ++} ++ ++/** ++ Dumps UEFI variable information. ++ ++ This is the main function that enumerates UEFI variables and prints the information ++ selected by the user. ++ ++ @param[in] Verbose Whether to print verbose information. ++ @param[in] Stats Whether to print statistical information. ++ @param[in] PolicyCheck Whether to print variable policy related information. ++ ++ ++ @retval EFI_SUCCESS The UEFI variable information was dumped successfully. ++ @retval EFI_DEVICE_ERROR An error occurred attempting to get UEFI variable information. ++ @retval EFI_OUT_OF_RESOURCES Insufficient memory resources to allocate a required buffer. 
++ ++**/ ++EFI_STATUS ++DumpVars ( ++ IN BOOLEAN Verbose, ++ IN BOOLEAN Stats, ++ IN BOOLEAN PolicyCheck ++ ) ++{ ++ EFI_STATUS Status; ++ EFI_STATUS GetNextVariableStatus; ++ UINT32 Attributes; ++ UINTN CurrentVariableDataBufferSize; ++ UINTN DataSize; ++ UINTN TotalDataSize; ++ UINTN TotalVariables; ++ UINTN TotalVariablesWithPolicy; ++ UINTN VariableNameBufferSize; ++ EFI_GUID VariableGuid; ++ CHAR16 *VariableName; ++ VOID *Data; ++ ++ Status = EFI_SUCCESS; ++ Data = NULL; ++ VariableName = NULL; ++ CurrentVariableDataBufferSize = 0; ++ TotalDataSize = 0; ++ TotalVariables = 0; ++ TotalVariablesWithPolicy = 0; ++ VariableNameBufferSize = 0; ++ ++ do { ++ GetNextVariableStatus = GetNextVariableNameWithDynamicReallocation ( ++ &VariableNameBufferSize, ++ &VariableName, ++ &VariableGuid ++ ); ++ ++ if (!EFI_ERROR (GetNextVariableStatus)) { ++ DataSize = 0; ++ Status = gRT->GetVariable ( ++ VariableName, ++ &VariableGuid, ++ &Attributes, ++ &DataSize, ++ NULL ++ ); ++ if (Status != EFI_BUFFER_TOO_SMALL) { ++ // If the variable exists, a zero size buffer should be too small ++ Status = EFI_DEVICE_ERROR; ++ goto DeallocateAndExit; ++ } ++ ++ TotalDataSize += DataSize; ++ TotalVariables++; ++ ++ if (!Stats || Verbose) { ++ Status = PrintNonVerboseVarInfo (VariableName, &VariableGuid, DataSize, Attributes); ++ if (!EFI_ERROR (Status)) { ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_GEN_LINE_BREAK), mVarPolicyShellCommandHiiHandle); ++ } ++ } ++ ++ if (PolicyCheck || Verbose) { ++ if (PrintVariablePolicyInfo (VariableName, &VariableGuid)) { ++ TotalVariablesWithPolicy++; ++ } ++ } ++ ++ if (Verbose) { ++ if (CurrentVariableDataBufferSize < DataSize) { ++ if (Data != NULL) { ++ FreePool (Data); ++ } ++ ++ Data = AllocateZeroPool (DataSize); ++ if (Data == NULL) { ++ Status = EFI_OUT_OF_RESOURCES; ++ goto DeallocateAndExit; ++ } ++ ++ CurrentVariableDataBufferSize = DataSize; ++ } ++ ++ Status = gRT->GetVariable ( ++ VariableName, ++ &VariableGuid, ++ NULL, ++ 
&DataSize, ++ Data ++ ); ++ if (EFI_ERROR (Status)) { ++ Status = EFI_DEVICE_ERROR; ++ goto DeallocateAndExit; ++ } ++ ++ Status = PrintVerboseVarInfo (Data, DataSize); ++ if (EFI_ERROR (Status)) { ++ Status = EFI_DEVICE_ERROR; ++ goto DeallocateAndExit; ++ } ++ } ++ } ++ } while (!EFI_ERROR (GetNextVariableStatus)); ++ ++ if (TotalVariables == 0) { ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_GEN_NO_VARS), mVarPolicyShellCommandHiiHandle); ++ } else { ++ if (Verbose || Stats) { ++ PrintStats (TotalVariables, TotalDataSize); ++ } ++ ++ if (Verbose || PolicyCheck) { ++ ASSERT (TotalVariablesWithPolicy <= TotalVariables); ++ ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_GEN_LINE_BREAK), mVarPolicyShellCommandHiiHandle); ++ if (TotalVariablesWithPolicy == TotalVariables) { ++ ShellPrintHiiEx ( ++ -1, ++ -1, ++ NULL, ++ STRING_TOKEN (STR_VAR_POL_POLICY_STATS_PASS), ++ mVarPolicyShellCommandHiiHandle, ++ TotalVariablesWithPolicy, ++ TotalVariables ++ ); ++ } else { ++ ShellPrintHiiEx ( ++ -1, ++ -1, ++ NULL, ++ STRING_TOKEN (STR_VAR_POL_POLICY_STATS_FAIL), ++ mVarPolicyShellCommandHiiHandle, ++ TotalVariablesWithPolicy, ++ TotalVariables ++ ); ++ } ++ ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_GEN_LINE_BREAK), mVarPolicyShellCommandHiiHandle); ++ } ++ } ++ ++ Status = EFI_SUCCESS; ++ ++DeallocateAndExit: ++ if (VariableName != NULL) { ++ FreePool (VariableName); ++ } ++ ++ if (Data != NULL) { ++ FreePool (Data); ++ } ++ ++ ASSERT_EFI_ERROR (Status); ++ ++ return Status; ++} ++ ++/** ++ Main entry function for the "varpolicy" command/app. ++ ++ @param[in] ImageHandle Handle to the Image (NULL if Internal). ++ @param[in] SystemTable Pointer to the System Table (NULL if Internal). ++ ++ @retval SHELL_SUCCESS The "varpolicy" shell command executed successfully. ++ @retval SHELL_ABORTED Failed to initialize the shell library. ++ @retval SHELL_INVALID_PARAMETER An argument passed to the shell command is invalid. 
++ @retval Others A different error occurred. ++ ++**/ ++SHELL_STATUS ++EFIAPI ++RunVarPolicy ( ++ IN EFI_HANDLE ImageHandle, ++ IN EFI_SYSTEM_TABLE *SystemTable ++ ) ++{ ++ EFI_STATUS Status; ++ SHELL_STATUS ShellStatus; ++ BOOLEAN PolicyCheck; ++ BOOLEAN StatsDump; ++ BOOLEAN VerboseDump; ++ LIST_ENTRY *Package; ++ CHAR16 *ProblemParam; ++ ++ Package = NULL; ++ ShellStatus = SHELL_INVALID_PARAMETER; ++ Status = EFI_SUCCESS; ++ PolicyCheck = FALSE; ++ StatsDump = FALSE; ++ VerboseDump = FALSE; ++ ++ Status = ShellInitialize (); ++ if (EFI_ERROR (Status)) { ++ ASSERT_EFI_ERROR (Status); ++ return SHELL_ABORTED; ++ } ++ ++ Status = ShellCommandLineParse (ParamList, &Package, &ProblemParam, TRUE); ++ if (EFI_ERROR (Status)) { ++ if ((Status == EFI_VOLUME_CORRUPTED) && (ProblemParam != NULL)) { ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_GEN_PROBLEM), mVarPolicyShellCommandHiiHandle, VAR_POLICY_COMMAND_NAME, ProblemParam); ++ FreePool (ProblemParam); ++ ShellStatus = SHELL_INVALID_PARAMETER; ++ goto Done; ++ } else { ++ ASSERT (FALSE); ++ } ++ } else { ++ if (ShellCommandLineGetCount (Package) > 1) { ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_GEN_TOO_MANY), mVarPolicyShellCommandHiiHandle, VAR_POLICY_COMMAND_NAME); ++ ShellStatus = SHELL_INVALID_PARAMETER; ++ goto Done; ++ } ++ ++ PolicyCheck = ShellCommandLineGetFlag (Package, VAR_POLICY_FLAG_POLICY_STR); ++ StatsDump = ShellCommandLineGetFlag (Package, VAR_POLICY_FLAG_STATS_STR); ++ VerboseDump = ShellCommandLineGetFlag (Package, VAR_POLICY_FLAG_VERBOSE_STR); ++ ++ Status = DumpVars (VerboseDump, StatsDump, PolicyCheck); ++ ASSERT_EFI_ERROR (Status); ++ } ++ ++Done: ++ if (Package != NULL) { ++ ShellCommandLineFreeVarList (Package); ++ } ++ ++ return ShellStatus; ++} ++ ++/** ++ Retrieve HII package list from ImageHandle and publish to HII database. ++ ++ @param[in] ImageHandle The image handle of the process. ++ ++ @return HII handle. 
++ ++**/ ++EFI_HII_HANDLE ++InitializeHiiPackage ( ++ IN EFI_HANDLE ImageHandle ++ ) ++{ ++ EFI_STATUS Status; ++ EFI_HII_PACKAGE_LIST_HEADER *PackageList; ++ EFI_HII_HANDLE HiiHandle; ++ ++ // ++ // Retrieve HII package list from ImageHandle ++ // ++ Status = gBS->OpenProtocol ( ++ ImageHandle, ++ &gEfiHiiPackageListProtocolGuid, ++ (VOID **)&PackageList, ++ ImageHandle, ++ NULL, ++ EFI_OPEN_PROTOCOL_GET_PROTOCOL ++ ); ++ ASSERT_EFI_ERROR (Status); ++ if (EFI_ERROR (Status)) { ++ return NULL; ++ } ++ ++ // ++ // Publish HII package list to HII Database. ++ // ++ Status = gHiiDatabase->NewPackageList ( ++ gHiiDatabase, ++ PackageList, ++ NULL, ++ &HiiHandle ++ ); ++ ASSERT_EFI_ERROR (Status); ++ if (EFI_ERROR (Status)) { ++ return NULL; ++ } ++ ++ return HiiHandle; ++} +diff --git a/ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicy.h b/ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicy.h +new file mode 100644 +index 000000000000..049823242659 +--- /dev/null ++++ b/ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicy.h +@@ -0,0 +1,129 @@ ++/** @file ++ Internal header file for the module. ++ ++ Copyright (c) Microsoft Corporation. ++ SPDX-License-Identifier: BSD-2-Clause-Patent ++ ++**/ ++ ++#ifndef VAR_POLICY_DYNAMIC_SHELL_COMMAND_H_ ++#define VAR_POLICY_DYNAMIC_SHELL_COMMAND_H_ ++ ++#include ++#include ++ ++#define VAR_POLICY_COMMAND_NAME L"varpolicy" ++ ++typedef enum { ++ VariableVendorCapsule, ++ VariableVendorCapsuleReport, ++ VariableVendorGlobal, ++ VariableVendorMemoryTypeInfo, ++ VariableVendorMonotonicCounter, ++ VariableVendorMorControl, ++ VariableVendorShell, ++ VariableVendorGuidMax ++} VAR_POLICY_CMD_VENDOR_GUID_TYPE; ++ ++typedef struct { ++ VAR_POLICY_CMD_VENDOR_GUID_TYPE VendorGuidType; ++ EFI_GUID *VendorGuid; ++ CHAR16 *Description; ++} VAR_POLICY_CMD_VAR_NAMESPACE; ++ ++/** ++ Log a formatted console message. 
++ ++ This is not specific to this shell command but scoped so to prevent global ++ name conflicts. ++ ++ The hex dump is split into lines of 16 dumped bytes. ++ ++ The full hex dump is bracketed, and its byte ascii char also print. ++ If the byte value is not an ascii code, it will print as '.' ++ ++ @param[in] Offset Offset to be display after PrefixFormat. ++ Offset will be increased for each print line. ++ @param[in] Data The data to dump. ++ @param[in] DataSize Number of bytes in Data. ++ ++**/ ++#define VAR_POLICY_CMD_SHELL_DUMP_HEX(Offset, \ ++ Data, \ ++ DataSize \ ++ ) \ ++ { \ ++ UINT8 *_DataToDump; \ ++ UINT8 _Val[50]; \ ++ UINT8 _Str[20]; \ ++ UINT8 _TempByte; \ ++ UINTN _Size; \ ++ UINTN _DumpHexIndex; \ ++ UINTN _LocalOffset; \ ++ UINTN _LocalDataSize; \ ++ CONST CHAR8 *_Hex = "0123456789ABCDEF"; \ ++ _LocalOffset = (Offset); \ ++ _LocalDataSize = (DataSize); \ ++ _DataToDump = (UINT8 *)(Data); \ ++ \ ++ ASSERT (_DataToDump != NULL); \ ++ \ ++ while (_LocalDataSize != 0) { \ ++ _Size = 16; \ ++ if (_Size > _LocalDataSize) { \ ++ _Size = _LocalDataSize; \ ++ } \ ++ \ ++ for (_DumpHexIndex = 0; _DumpHexIndex < _Size; _DumpHexIndex += 1) { \ ++ _TempByte = (UINT8) _DataToDump[_DumpHexIndex]; \ ++ _Val[_DumpHexIndex * 3 + 0] = (UINT8) _Hex[_TempByte >> 4]; \ ++ _Val[_DumpHexIndex * 3 + 1] = (UINT8) _Hex[_TempByte & 0xF]; \ ++ _Val[_DumpHexIndex * 3 + 2] = \ ++ (CHAR8) ((_DumpHexIndex == 7) ? '-' : ' '); \ ++ _Str[_DumpHexIndex] = \ ++ (CHAR8) ((_TempByte < ' ' || _TempByte > '~') ? '.' 
: _TempByte); \ ++ } \ ++ \ ++ _Val[_DumpHexIndex * 3] = 0; \ ++ _Str[_DumpHexIndex] = 0; \ ++ \ ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_GEN_HEX_DUMP_LINE), mVarPolicyShellCommandHiiHandle, _LocalOffset, _Val, _Str); \ ++ _DataToDump = (UINT8 *)(((UINTN)_DataToDump) + _Size); \ ++ _LocalOffset += _Size; \ ++ _LocalDataSize -= _Size; \ ++ } \ ++ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_GEN_LINE_BREAK), mVarPolicyShellCommandHiiHandle); \ ++ } ++ ++/** ++ Retrieve HII package list from ImageHandle and publish to HII database. ++ ++ @param[in] ImageHandle The image handle of the process. ++ ++ @return HII handle. ++ ++**/ ++EFI_HII_HANDLE ++InitializeHiiPackage ( ++ IN EFI_HANDLE ImageHandle ++ ); ++ ++/** ++ Main entry function for the "varpolicy" command/app. ++ ++ @param[in] ImageHandle Handle to the Image (NULL if Internal). ++ @param[in] SystemTable Pointer to the System Table (NULL if Internal). ++ ++ @retval SHELL_SUCCESS The "varpolicy" shell command executed successfully. ++ @retval SHELL_INVALID_PARAMETER An argument passed to the shell command is invalid. ++ @retval Others A different error occurred. ++ ++**/ ++SHELL_STATUS ++EFIAPI ++RunVarPolicy ( ++ IN EFI_HANDLE ImageHandle, ++ IN EFI_SYSTEM_TABLE *SystemTable ++ ); ++ ++#endif +diff --git a/ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicy.uni b/ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicy.uni +new file mode 100644 +index 000000000000..194468285609 +--- /dev/null ++++ b/ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicy.uni +@@ -0,0 +1,86 @@ ++// /** ++// String definitions for the Variable Policy ("varpolicy") shell command/app. ++// ++// Copyright (c) Microsoft Corporation. 
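Review bot: VAR_POLICY_CMD_SHELL_DUMP_HEX expands to a bare `{ ... }` block rather than `do { ... } while (0)`, so an invocation written with a trailing `;` inside an `if`/`else` leaves an empty statement after the block and breaks the `else` pairing; wrapping the body as `do { ... } while (0)` removes that hazard. The macro's locals (`_DataToDump`, `_Val`, `_Str`, `_Hex`, `_TempByte`, ...) use the underscore-plus-uppercase form that C reserves for the implementation; a `VarPol` prefix would be safer. `_Val[50]` and `_Str[20]` are sized for the fixed 16-byte line (48 characters plus NUL, 16 plus NUL) and the terminating writes at `_Val[_DumpHexIndex * 3]` and `_Str[_DumpHexIndex]` stay in bounds only because `_Size` never exceeds 16; a comment such as `// 16 bytes per line: 3 chars per byte + NUL in _Val, 1 char per byte + NUL in _Str; keep in sync with the _Size cap` would stop a later change of the line width from overflowing them.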
++// SPDX-License-Identifier: BSD-2-Clause-Patent ++// ++// **/ ++ ++/=# ++ ++#langdef en-US "english" ++ ++// General Strings ++#string STR_GEN_PROBLEM #language en-US "%H%s%N: Unknown flag - '%H%s%N'\r\n" ++#string STR_GEN_TOO_MANY #language en-US "%H%s%N: Too many arguments.\r\n" ++#string STR_GEN_NO_VARS #language en-US "No UEFI variables found!\r\n" ++#string STR_GEN_LINE_BREAK #language en-US "\r\n" ++ ++#string STR_GEN_HEX_DUMP_LINE #language en-US "%B%08X%N: %-48a %V*%a*%N\r\n" ++ ++#string STR_VAR_POL_POLICY_INT_ERR #language en-US "%EInternal Application Error Getting Policy Info!%N\r\n" ++#string STR_VAR_POL_POLICY_NO_PROT #language en-US "%EVariable Policy Protocol Was Not Found!%N\r\n" ++#string STR_VAR_POL_POLICY_NOT_INIT #language en-US "%EUEFI Variable Policy is Not Initialized!%N\r\n" ++#string STR_VAR_POL_POLICY_NOT_FOUND #language en-US "%EVariable Policy Not Found for This Variable!%N\r\n" ++#string STR_VAR_POL_POLICY_UNEXP_ERR #language en-US "%EUnexpected Error Getting Policy Info!%N - %H%r%N\r\n" ++#string STR_VAR_POL_POLICY_HEADER_1 #language en-US "+-----------------------------------------------------------------------------+\r\n" ++#string STR_VAR_POL_POLICY_HEADER_2 #language en-US "| Variable Policy Info |\r\n" ++#string STR_VAR_POL_POLICY_VERSION #language en-US "| Version: 0x%-8x |\r\n" ++#string STR_VAR_POL_POLICY_VARIABLE #language en-US "| Variable: % -64s |\r\n" ++#string STR_VAR_POL_POLICY_NAMESPACE #language en-US "| Namespace: {%g} |\r\n" ++#string STR_VAR_POL_POLICY_MIN_SIZE #language en-US "| Minimum Size: 0x%-8x |\r\n" ++#string STR_VAR_POL_POLICY_MAX_SIZE #language en-US "| Maximum Size: 0x%-8x |\r\n" ++#string STR_VAR_POL_POLICY_ATTR_MUST #language en-US "| Required Attributes: |\r\n" ++#string STR_VAR_POL_POLICY_ATTR_NOT #language en-US "| Disallowed Attributes: |\r\n" ++#string STR_VAR_POL_POLICY_ATTR_GEN #language en-US "| %73-.73s |\r\n" ++#string STR_VAR_POL_POLICY_LOCK_TYPE #language en-US "| Lock Type: % -64s |\r\n" 
++#string STR_VAR_POL_POLICY_STATE_NS #language en-US "| Namespace: {%g} |\r\n" ++#string STR_VAR_POL_POLICY_STATE_VAL #language en-US "| Value: 0x%-8x |\r\n" ++#string STR_VAR_POL_POLICY_STATE_NAME #language en-US "| Name: % -64s |\r\n" ++#string STR_VAR_POL_POLICY_STATS_PASS #language en-US " %V%d/%d UEFI variables have policy%N\r\n" ++#string STR_VAR_POL_POLICY_STATS_FAIL #language en-US " %E%d/%d UEFI variables have policy%N\r\n" ++ ++#string STR_VAR_POL_VAR_TYPE #language en-US "%H% -70s%N\r\n" ++#string STR_VAR_POL_VAR_NAME #language en-US "Name: % -70s\r\n" ++#string STR_VAR_POL_VAR_SIZE #language en-US "Size: 0x%-16x (%-,d) bytes\r\n" ++#string STR_VAR_POL_VAR_ATTR #language en-US "Attributes: % -60s\r\n" ++ ++#string STR_VAR_POL_STATS_HEADER_1 #language en-US "+----------------------------------------------------------------+\r\n" ++#string STR_VAR_POL_STATS_HEADER_2 #language en-US "| UEFI Variable Statistics |\r\n" ++#string STR_VAR_POL_STATS_TOTAL_VARS #language en-US " Total UEFI Variables: %,d\r\n" ++#string STR_VAR_POL_STATS_TOTAL_SIZE #language en-US " Total UEFI Variable Size: 0x%x (%,d) bytes\r\n" ++ ++#string STR_GET_HELP_VAR_POLICY #language en-US "" ++".TH varpolicy 0 "Lists UEFI variable policy information."\r\n" ++".SH NAME\r\n" ++"Lists UEFI variable policy information.\r\n" ++".SH SYNOPSIS\r\n" ++" \r\n" ++"VARPOLICY [-p] [-s] [-v]\r\n" ++".SH OPTIONS\r\n" ++" \r\n" ++" -p - The policy flag will print variable policy info for each variable.\r\n" ++" \r\n" ++" -s - The stats flag will print overall UEFI variable policy statistics.\r\n" ++" \r\n" ++" -v - The verbose flag indicates all known information should be printed.\r\n" ++" \r\n" ++" This includes a dump of the corresponding UEFI variable data in\r\n" ++" addition to all other UEFI variable policy information.\r\n" ++".SH DESCRIPTION\r\n" ++" \r\n" ++".SH EXAMPLES\r\n" ++" \r\n" ++"EXAMPLES:\r\n" ++" * To dump all active UEFI variables:\r\n" ++" fs0:\> varpolicy\r\n" ++"\r\n" ++" * To 
include UEFI variable policy information:\r\n" ++" fs0:\> varpolicy -p\r\n" ++"\r\n" ++" * To include UEFI variable statistics:\r\n" ++" fs0:\> varpolicy -s\r\n" ++"\r\n" ++" * To include a hexadecimal dump of data for each variable\r\n" ++" and all other variable information:\r\n" ++" fs0:\> varpolicy -v\r\n" +diff --git a/ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyApp.c b/ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyApp.c +new file mode 100644 +index 000000000000..f3ab45de6ae8 +--- /dev/null ++++ b/ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyApp.c +@@ -0,0 +1,59 @@ ++/** @file ++ Functionality specific for standalone UEFI application support. ++ ++ This application can provide detailed UEFI variable policy configuration ++ information in the UEFI shell. ++ ++ Copyright (c) Microsoft Corporation. ++ SPDX-License-Identifier: BSD-2-Clause-Patent ++ ++**/ ++ ++#include "VariablePolicy.h" ++ ++#include ++#include ++ ++extern EFI_HII_HANDLE mVarPolicyShellCommandHiiHandle; ++ ++// ++// String token ID of help message text. ++// Shell supports finding the help message in the resource section of an ++// application image if a .MAN file is not found. This global variable is added ++// to make the build tool recognize that the help string is consumed by the user and ++// then the build tool will add the string into the resource section. Thus the ++// application can use '-?' option to show help message in Shell. ++// ++GLOBAL_REMOVE_IF_UNREFERENCED EFI_STRING_ID mStringHelpTokenId = STRING_TOKEN (STR_GET_HELP_VAR_POLICY); ++ ++/** ++ Entry of the UEFI variable policy application. ++ ++ @param ImageHandle The image handle of the process. ++ @param SystemTable The EFI System Table pointer. ++ ++ @retval EFI_SUCCESS The application successfully initialized. ++ @retval EFI_ABORTED The application failed to initialize. ++ @retval Others A different error occurred. 
++ ++**/ ++EFI_STATUS ++EFIAPI ++VariablePolicyAppInitialize ( ++ IN EFI_HANDLE ImageHandle, ++ IN EFI_SYSTEM_TABLE *SystemTable ++ ) ++{ ++ EFI_STATUS Status; ++ ++ mVarPolicyShellCommandHiiHandle = InitializeHiiPackage (ImageHandle); ++ if (mVarPolicyShellCommandHiiHandle == NULL) { ++ return EFI_ABORTED; ++ } ++ ++ Status = (EFI_STATUS)RunVarPolicy (ImageHandle, SystemTable); ++ ++ HiiRemovePackages (mVarPolicyShellCommandHiiHandle); ++ ++ return Status; ++} +diff --git a/ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyApp.inf b/ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyApp.inf +new file mode 100644 +index 000000000000..1e8abe0923d1 +--- /dev/null ++++ b/ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyApp.inf +@@ -0,0 +1,62 @@ ++## @file ++# A UEFI variable policy application that displays information ++# about UEFI variable policy configuration on the system. ++# ++# Copyright (c) Microsoft Corporation. ++# SPDX-License-Identifier: BSD-2-Clause-Patent ++# ++## ++ ++[Defines] ++ INF_VERSION = 0x00010006 ++ BASE_NAME = varpolicy ++ FILE_GUID = CA3D995F-3291-45AF-B50A-7C8AE584D857 ++ MODULE_TYPE = UEFI_APPLICATION ++ VERSION_STRING = 1.0 ++ ENTRY_POINT = VariablePolicyAppInitialize ++ # Note: GetHelpText() in the EFI shell protocol will associate the help text ++ # for the app if the app name (command) matches the .TH section name in ++ # the Unicode help text. That name is "varpolicy". 
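Review bot: `Status = (EFI_STATUS)RunVarPolicy (ImageHandle, SystemTable);` casts a SHELL_STATUS into an EFI_STATUS, but the two encodings differ: SHELL_STATUS values are small integers whereas EFI_STATUS errors carry the high bit, so a shell failure such as SHELL_INVALID_PARAMETER leaves the application entry point returning a non-error, warning-range EFI_STATUS. It matters here because, in the RunVarPolicy hunk above, ShellStatus is initialised to SHELL_INVALID_PARAMETER and, as far as the visible lines show, is never assigned SHELL_SUCCESS on the successful DumpVars path, so the cast value is non-zero even when the dump succeeds. Mapping explicitly, `Status = (RunVarPolicy (ImageHandle, SystemTable) == SHELL_SUCCESS) ? EFI_SUCCESS : EFI_ABORTED;`, keeps the exit status meaningful, and the success path in RunVarPolicy should set `ShellStatus = SHELL_SUCCESS;` after DumpVars.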
++ UEFI_HII_RESOURCE_SECTION = TRUE ++ ++[Sources.common] ++ VariablePolicy.uni ++ VariablePolicy.h ++ VariablePolicy.c ++ VariablePolicyApp.c ++ ++[Packages] ++ MdePkg/MdePkg.dec ++ MdeModulePkg/MdeModulePkg.dec ++ ShellPkg/ShellPkg.dec ++ ++[LibraryClasses] ++ BaseLib ++ BaseMemoryLib ++ DebugLib ++ HiiLib ++ MemoryAllocationLib ++ PrintLib ++ ShellLib ++ UefiApplicationEntryPoint ++ UefiBootServicesTableLib ++ UefiHiiServicesLib ++ UefiRuntimeServicesTableLib ++ ++[Protocols] ++ gEdkiiVariablePolicyProtocolGuid ## SOMETIMES_CONSUMES ++ gEfiHiiPackageListProtocolGuid ## CONSUMES ++ ++[Guids] ++ ## SOMETIMES_CONSUMES ## Variables in Vendor Namespace ++ gEfiCapsuleReportGuid ++ gEfiCapsuleVendorGuid ++ gEfiGlobalVariableGuid ++ gEfiMemoryOverwriteRequestControlLockGuid ++ gEfiMemoryTypeInformationGuid ++ gMtcVendorGuid ++ gShellAliasGuid ++ gShellVariableGuid ++ ++[DEPEX] ++ TRUE +diff --git a/ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.c b/ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.c +new file mode 100644 +index 000000000000..c1e309ad078f +--- /dev/null ++++ b/ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.c +@@ -0,0 +1,157 @@ ++/** @file ++ Functionality specific for dynamic UEFI shell command support. ++ ++ This command can provide detailed UEFI variable policy configuration ++ information in the UEFI shell. ++ ++ Copyright (c) Microsoft Corporation. ++ SPDX-License-Identifier: BSD-2-Clause-Patent ++ ++**/ ++ ++#include "VariablePolicy.h" ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++ ++extern EFI_HII_HANDLE mVarPolicyShellCommandHiiHandle; ++ ++/** ++ This is the shell command handler function pointer callback type. ++ ++ This function handles the command when it is invoked in the shell. ++ ++ @param[in] This The instance of the ++ EFI_SHELL_DYNAMIC_COMMAND_PROTOCOL. 
++ @param[in] SystemTable The pointer to the system table. ++ @param[in] ShellParameters The parameters associated with the command. ++ @param[in] Shell The instance of the shell protocol used in ++ the context of processing this command. ++ ++ @return EFI_SUCCESS the operation was successful ++ @return other the operation failed. ++ ++**/ ++SHELL_STATUS ++EFIAPI ++VarPolicyCommandHandler ( ++ IN EFI_SHELL_DYNAMIC_COMMAND_PROTOCOL *This, ++ IN EFI_SYSTEM_TABLE *SystemTable, ++ IN EFI_SHELL_PARAMETERS_PROTOCOL *ShellParameters, ++ IN EFI_SHELL_PROTOCOL *Shell ++ ) ++{ ++ gEfiShellParametersProtocol = ShellParameters; ++ gEfiShellProtocol = Shell; ++ ++ return RunVarPolicy (gImageHandle, SystemTable); ++} ++ ++/** ++ This is the command help handler function pointer callback type. This ++ function is responsible for displaying help information for the associated ++ command. ++ ++ @param[in] This The instance of the ++ EFI_SHELL_DYNAMIC_COMMAND_PROTOCOL. ++ @param[in] Language The pointer to the language string to use. ++ ++ @return string Pool allocated help string, must be freed ++ by caller. ++ ++**/ ++STATIC ++CHAR16 * ++EFIAPI ++VarPolicyCommandGetHelp ( ++ IN EFI_SHELL_DYNAMIC_COMMAND_PROTOCOL *This, ++ IN CONST CHAR8 *Language ++ ) ++{ ++ return HiiGetString ( ++ mVarPolicyShellCommandHiiHandle, ++ STRING_TOKEN (STR_GET_HELP_VAR_POLICY), ++ Language ++ ); ++} ++ ++STATIC EFI_SHELL_DYNAMIC_COMMAND_PROTOCOL mVarPolicyDynamicCommand = { ++ VAR_POLICY_COMMAND_NAME, ++ VarPolicyCommandHandler, ++ VarPolicyCommandGetHelp ++}; ++ ++/** ++ Entry point of the UEFI variable policy dynamic shell command. ++ ++ Produce the Dynamic Command Protocol to handle the "varpolicy" command. ++ ++ @param[in] ImageHandle The image handle of the process. ++ @param[in] SystemTable The EFI System Table pointer. ++ ++ @retval EFI_SUCCESS The "varpolicy" command executed successfully. ++ @retval EFI_ABORTED HII package failed to initialize. 
++ @retval others Other errors when executing "varpolicy" command. ++ ++**/ ++EFI_STATUS ++EFIAPI ++VariablePolicyDynamicCommandEntryPoint ( ++ IN EFI_HANDLE ImageHandle, ++ IN EFI_SYSTEM_TABLE *SystemTable ++ ) ++{ ++ EFI_STATUS Status; ++ ++ mVarPolicyShellCommandHiiHandle = InitializeHiiPackage (ImageHandle); ++ if (mVarPolicyShellCommandHiiHandle == NULL) { ++ return EFI_ABORTED; ++ } ++ ++ Status = gBS->InstallProtocolInterface ( ++ &ImageHandle, ++ &gEfiShellDynamicCommandProtocolGuid, ++ EFI_NATIVE_INTERFACE, ++ &mVarPolicyDynamicCommand ++ ); ++ ASSERT_EFI_ERROR (Status); ++ ++ return Status; ++} ++ ++/** ++ Unload the dynamic "varpolicy" UEFI Shell command. ++ ++ @param[in] ImageHandle The image handle of the process. ++ ++ @retval EFI_SUCCESS The image is unloaded. ++ @retval Others Failed to unload the image. ++ ++**/ ++EFI_STATUS ++EFIAPI ++VariablePolicyDynamicCommandUnload ( ++ IN EFI_HANDLE ImageHandle ++ ) ++{ ++ EFI_STATUS Status; ++ ++ Status = gBS->UninstallProtocolInterface ( ++ ImageHandle, ++ &gEfiShellDynamicCommandProtocolGuid, ++ &mVarPolicyDynamicCommand ++ ); ++ if (EFI_ERROR (Status)) { ++ return Status; ++ } ++ ++ HiiRemovePackages (mVarPolicyShellCommandHiiHandle); ++ ++ return EFI_SUCCESS; ++} +diff --git a/ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf b/ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf +new file mode 100644 +index 000000000000..120e7339daa3 +--- /dev/null ++++ b/ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf +@@ -0,0 +1,61 @@ ++## @file ++# A UEFI variable policy dynamic shell command that displays information ++# about UEFI variable policy configuration on the system. ++# ++# Copyright (c) Microsoft Corporation. 
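Review bot: In VariablePolicyDynamicCommandEntryPoint the HII package list published by InitializeHiiPackage is not removed when `gBS->InstallProtocolInterface` fails; the function asserts and returns the error with the package still registered, and the unload routine below would not clean it up either, since its UninstallProtocolInterface call fails first and returns before reaching HiiRemovePackages. Adding `if (EFI_ERROR (Status)) { HiiRemovePackages (mVarPolicyShellCommandHiiHandle); }` before the return mirrors the unload path. Separately, VarPolicyCommandHandler is the only non-STATIC function of the pair (VarPolicyCommandGetHelp is STATIC) and its doc block says `@return EFI_SUCCESS` / `@return other` although it returns a SHELL_STATUS; `@retval SHELL_SUCCESS` with the same wording as RunVarPolicy's header would match the actual type.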
++# SPDX-License-Identifier: BSD-2-Clause-Patent ++# ++## ++ ++[Defines] ++ INF_VERSION = 1.27 ++ BASE_NAME = VariablePolicyDynamicCommand ++ FILE_GUID = 17D0EF2A-5933-4007-8950-5749169D3DC5 ++ MODULE_TYPE = DXE_DRIVER ++ VERSION_STRING = 1.0 ++ ENTRY_POINT = VariablePolicyDynamicCommandEntryPoint ++ UNLOAD_IMAGE = VariablePolicyDynamicCommandUnload ++ UEFI_HII_RESOURCE_SECTION = TRUE ++ ++[Sources.common] ++ VariablePolicy.uni ++ VariablePolicy.h ++ VariablePolicy.c ++ VariablePolicyDynamicCommand.c ++ ++[Packages] ++ MdePkg/MdePkg.dec ++ MdeModulePkg/MdeModulePkg.dec ++ ShellPkg/ShellPkg.dec ++ ++[LibraryClasses] ++ BaseLib ++ BaseMemoryLib ++ DebugLib ++ HiiLib ++ MemoryAllocationLib ++ PrintLib ++ ShellLib ++ UefiBootServicesTableLib ++ UefiDriverEntryPoint ++ UefiHiiServicesLib ++ UefiRuntimeServicesTableLib ++ ++[Protocols] ++ gEdkiiVariablePolicyProtocolGuid ## SOMETIMES_CONSUMES ++ gEfiHiiPackageListProtocolGuid ## CONSUMES ++ gEfiShellDynamicCommandProtocolGuid ## PRODUCES ++ ++[Guids] ++ ## SOMETIMES_CONSUMES ## Variables in Vendor Namespace ++ gEfiCapsuleReportGuid ++ gEfiCapsuleVendorGuid ++ gEfiGlobalVariableGuid ++ gEfiMemoryOverwriteRequestControlLockGuid ++ gEfiMemoryTypeInformationGuid ++ gMtcVendorGuid ++ gShellAliasGuid ++ gShellVariableGuid ++ ++[DEPEX] ++ TRUE +diff --git a/ShellPkg/ShellPkg.dsc b/ShellPkg/ShellPkg.dsc +index dd0d88603f11..557b0ec0f3d6 100644 +--- a/ShellPkg/ShellPkg.dsc ++++ b/ShellPkg/ShellPkg.dsc +@@ -154,6 +154,11 @@ + gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE + } + ShellPkg/DynamicCommand/DpDynamicCommand/DpApp.inf ++ ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf { ++ ++ gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE ++ } ++ ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyApp.inf + ShellPkg/Application/AcpiViewApp/AcpiViewApp.inf + + [BuildOptions] +-- +2.43.0 + 
diff --git a/0146-MdeModulePkg-VariablePolicy-Add-more-granular-variab.patch b/0146-MdeModulePkg-VariablePolicy-Add-more-granular-variab.patch new file mode 100644 index 0000000..6c7809d --- /dev/null +++ b/0146-MdeModulePkg-VariablePolicy-Add-more-granular-variab.patch 
@@ -0,0 +1,1372 @@ +From 4c65a29ebdd3efd654ec8424f849aa59cd92558a Mon Sep 17 00:00:00 2001 +From: Michael Kubacki +Date: Mon, 30 Oct 2023 16:31:09 -0400 +Subject: [PATCH 31/31] MdeModulePkg/VariablePolicy: Add more granular variable + policy querying + +commit f3b2187d558b1540e65e86024423ee39fe6264aa upstream. + +Introduces two new APIs to EDKII_VARIABLE_POLICY_PROTOCOL: + 1. GetVariablePolicyInfo() + 2. GetLockOnVariableStateVariablePolicyInfo() + +These allow a caller to retrieve policy information associated with +a UEFI variable given the variable name and vendor GUID. + +GetVariablePolicyInfo() - Returns the variable policy applied to the +UEFI variable. If the variable policy is applied toward an individual +UEFI variable, that name can optionally be returned. + +GetLockOnVariableStateVariablePolicyInfo() - Returns the Lock on +Variable State policy applied to the UEFI variable. If the Lock on +Variable State policy is applied to a specific variable name, that +name can optionally be returned. + +These functions can be useful for a variety of purposes such as +auditing, testing, and functional flows. + +Also fixed some variable name typos in code touched by the changes. 
+ +Cc: Dandan Bi +Cc: Hao A Wu +Cc: Jian J Wang +Cc: Liming Gao +Signed-off-by: Michael Kubacki +Reviewed-by: Ard Biesheuvel +Reviewed-by: Liming Gao +Message-Id: <20231030203112.736-2-mikuback@linux.microsoft.com> +Signed-off-by: Jeevan deep J +--- + MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h | 39 +- + .../Include/Library/VariablePolicyLib.h | 107 ++++++ + .../Include/Protocol/VariablePolicy.h | 133 ++++++- + .../VarCheckPolicyLib/VarCheckPolicyLib.c | 174 +++++++-- + .../VariablePolicyLib/VariablePolicyLib.c | 304 +++++++++++++++ + .../VariablePolicyLib/VariablePolicyLib.inf | 1 + + .../Variable/RuntimeDxe/VariableDxe.c | 4 +- + .../RuntimeDxe/VariablePolicySmmDxe.c | 346 +++++++++++++++++- + 8 files changed, 1062 insertions(+), 46 deletions(-) + +diff --git a/MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h b/MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h +index ff3d4a1fd68a..a692fa40c946 100644 +--- a/MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h ++++ b/MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h +@@ -32,23 +32,52 @@ typedef struct _VAR_CHECK_POLICY_COMM_DUMP_PARAMS { + BOOLEAN HasMore; + } VAR_CHECK_POLICY_COMM_DUMP_PARAMS; + ++typedef union { ++ VARIABLE_POLICY_ENTRY VariablePolicy; ++ VARIABLE_LOCK_ON_VAR_STATE_POLICY LockOnVarStatePolicy; ++} VAR_CHECK_POLICY_OUTPUT_POLICY_ENTRY; ++ ++typedef struct _VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS { ++ EFI_GUID InputVendorGuid; ++ UINT32 InputVariableNameSize; ++ UINT32 OutputVariableNameSize; ++ VAR_CHECK_POLICY_OUTPUT_POLICY_ENTRY OutputPolicyEntry; ++ CHAR16 InputVariableName[1]; ++} VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS; ++ + #pragma pack(pop) + ++#define VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS_END \ ++ (OFFSET_OF(VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS, InputVariableName)) ++ + // Make sure that we will hold at least the headers. 
+ #define VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE MAX((OFFSET_OF(EFI_MM_COMMUNICATE_HEADER, Data) + sizeof (VAR_CHECK_POLICY_COMM_HEADER) + EFI_PAGES_TO_SIZE(1)), EFI_PAGES_TO_SIZE(4)) + #define VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE (VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE - \ + (OFFSET_OF(EFI_MM_COMMUNICATE_HEADER, Data) + \ + sizeof(VAR_CHECK_POLICY_COMM_HEADER) + \ + sizeof(VAR_CHECK_POLICY_COMM_DUMP_PARAMS))) ++ ++#define VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE (VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE - \ ++ (OFFSET_OF(EFI_MM_COMMUNICATE_HEADER, Data) + \ ++ sizeof(VAR_CHECK_POLICY_COMM_HEADER) + \ ++ OFFSET_OF(VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS, InputVariableName))) ++ + STATIC_ASSERT ( + VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE < VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE, + "an integer underflow may have occurred calculating VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE" + ); + +-#define VAR_CHECK_POLICY_COMMAND_DISABLE 0x0001 +-#define VAR_CHECK_POLICY_COMMAND_IS_ENABLED 0x0002 +-#define VAR_CHECK_POLICY_COMMAND_REGISTER 0x0003 +-#define VAR_CHECK_POLICY_COMMAND_DUMP 0x0004 +-#define VAR_CHECK_POLICY_COMMAND_LOCK 0x0005 ++STATIC_ASSERT ( ++ VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE < VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE, ++ "an integer underflow may have occurred calculating VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE" ++ ); ++ ++#define VAR_CHECK_POLICY_COMMAND_DISABLE 0x0001 ++#define VAR_CHECK_POLICY_COMMAND_IS_ENABLED 0x0002 ++#define VAR_CHECK_POLICY_COMMAND_REGISTER 0x0003 ++#define VAR_CHECK_POLICY_COMMAND_DUMP 0x0004 ++#define VAR_CHECK_POLICY_COMMAND_LOCK 0x0005 ++#define VAR_CHECK_POLICY_COMMAND_GET_INFO 0x0006 ++#define VAR_CHECK_POLICY_COMMAND_GET_LOCK_VAR_STATE_INFO 0x0007 + + #endif // _VAR_CHECK_POLICY_MMI_COMMON_H_ +diff --git a/MdeModulePkg/Include/Library/VariablePolicyLib.h b/MdeModulePkg/Include/Library/VariablePolicyLib.h +index 63c49fbca1ed..bc4e26b2d434 100644 +--- a/MdeModulePkg/Include/Library/VariablePolicyLib.h ++++ 
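Review bot: `VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE` spells out `OFFSET_OF(VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS, InputVariableName)` although the hunk defines `VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS_END` as exactly that expression a few lines above; using the macro keeps the two from drifting, and the `_END` suffix reads as an end offset while the value is the start of the variable-length name (`_HEADER_SIZE` would describe it). Because VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS travels in the MM communication buffer, `InputVariableNameSize` and `OutputVariableNameSize` originate from the non-MM caller; the struct should carry a comment such as `// InputVariableNameSize is caller-supplied: the MM handler must bound it by VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE and require InputVariableName to be NUL-terminated before use`, since the handler that performs that check is not in this hunk. The new STATIC_ASSERT on the GET_INFO buffer size is a good mirror of the existing DUMP one.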
b/MdeModulePkg/Include/Library/VariablePolicyLib.h +@@ -102,6 +102,113 @@ DumpVariablePolicy ( + IN OUT UINT32 *Size + ); + ++/** ++ This function will return variable policy information for a UEFI variable with a ++ registered variable policy. ++ ++ @param[in] VariableName The name of the variable to use for the policy search. ++ @param[in] VendorGuid The vendor GUID of the variable to use for the policy search. ++ @param[in,out] VariablePolicyVariableNameBufferSize On input, the size, in bytes, of the VariablePolicyVariableName ++ buffer. ++ ++ On output, the size, in bytes, needed to store the variable ++ policy variable name. ++ ++ If testing for the VariablePolicyVariableName buffer size ++ needed, set this value to zero so EFI_BUFFER_TOO_SMALL is ++ guaranteed to be returned if the variable policy variable name ++ is found. ++ @param[out] VariablePolicy Pointer to a buffer where the policy entry will be written ++ if found. ++ @param[out] VariablePolicyVariableName Pointer to a buffer where the variable name used for the ++ variable policy will be written if a variable name is ++ registered. ++ ++ If the variable policy is not associated with a variable name ++ (e.g. applied to variable vendor namespace) and this parameter ++ is given, this parameter will not be modified and ++ VariablePolicyVariableNameBufferSize will be set to zero to ++ indicate a name was not present. ++ ++ If the pointer given is not NULL, ++ VariablePolicyVariableNameBufferSize must be non-NULL. ++ ++ @retval EFI_SUCCESS A variable policy entry was found and returned successfully. ++ @retval EFI_BAD_BUFFER_SIZE An internal buffer size caused a calculation error. ++ @retval EFI_BUFFER_TOO_SMALL The VariablePolicyVariableName buffer value is too small for the size needed. ++ The buffer should now point to the size needed. ++ @retval EFI_NOT_READY Variable policy has not yet been initialized. ++ @retval EFI_INVALID_PARAMETER A required pointer argument passed is NULL. 
This will be returned if ++ VariablePolicyVariableName is non-NULL and VariablePolicyVariableNameBufferSize ++ is NULL. ++ @retval EFI_NOT_FOUND A variable policy was not found for the given UEFI variable name and vendor GUID. ++ ++**/ ++EFI_STATUS ++EFIAPI ++GetVariablePolicyInfo ( ++ IN CONST CHAR16 *VariableName, ++ IN CONST EFI_GUID *VendorGuid, ++ IN OUT UINTN *VariablePolicyVariableNameBufferSize OPTIONAL, ++ OUT VARIABLE_POLICY_ENTRY *VariablePolicy, ++ OUT CHAR16 *VariablePolicyVariableName OPTIONAL ++ ); ++ ++/** ++ This function will return the Lock on Variable State policy information for the policy ++ associated with the given UEFI variable. ++ ++ @param[in] VariableName The name of the variable to use for the policy search. ++ @param[in] VendorGuid The vendor GUID of the variable to use for the policy ++ search. ++ @param[in,out] VariableLockPolicyVariableNameBufferSize On input, the size, in bytes, of the ++ VariableLockPolicyVariableName buffer. ++ ++ On output, the size, in bytes, needed to store the variable ++ policy variable name. ++ ++ If testing for the VariableLockPolicyVariableName buffer ++ size needed, set this value to zero so EFI_BUFFER_TOO_SMALL ++ is guaranteed to be returned if the variable policy variable ++ name is found. ++ @param[out] VariablePolicy Pointer to a buffer where the policy entry will be written ++ if found. ++ @param[out] VariableLockPolicyVariableName Pointer to a buffer where the variable name used for the ++ variable lock on variable state policy will be written if ++ a variable name is registered. ++ ++ If the lock on variable policy is not associated with a ++ variable name (e.g. applied to variable vendor namespace) ++ and this parameter is given, this parameter will not be ++ modified and VariableLockPolicyVariableNameBufferSize will ++ be set to zero to indicate a name was not present. ++ ++ If the pointer given is not NULL, ++ VariableLockPolicyVariableNameBufferSize must be non-NULL. 
++ ++ @retval EFI_SUCCESS A Lock on Variable State variable policy entry was found and returned ++ successfully. ++ @retval EFI_BAD_BUFFER_SIZE An internal buffer size caused a calculation error. ++ @retval EFI_BUFFER_TOO_SMALL The VariableLockPolicyVariableName buffer is too small for the size needed. ++ The buffer should now point to the size needed. ++ @retval EFI_NOT_READY Variable policy has not yet been initialized. ++ @retval EFI_INVALID_PARAMETER A required pointer argument passed is NULL. This will be returned if ++ VariableLockPolicyVariableName is non-NULL and ++ VariableLockPolicyVariableNameBufferSize is NULL. ++ @retval EFI_NOT_FOUND A Lock on Variable State variable policy was not found for the given UEFI ++ variable name and vendor GUID. ++ ++**/ ++EFI_STATUS ++EFIAPI ++GetLockOnVariableStateVariablePolicyInfo ( ++ IN CONST CHAR16 *VariableName, ++ IN CONST EFI_GUID *VendorGuid, ++ IN OUT UINTN *VariableLockPolicyVariableNameBufferSize OPTIONAL, ++ OUT VARIABLE_LOCK_ON_VAR_STATE_POLICY *VariablePolicy, ++ OUT CHAR16 *VariableLockPolicyVariableName OPTIONAL ++ ); ++ + /** + This API function returns whether or not the policy engine is + currently being enforced. 
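Review bot: The new GetVariablePolicyInfo and GetLockOnVariableStateVariablePolicyInfo contracts do not say whether `VariablePolicy` is written when EFI_BUFFER_TOO_SMALL is returned, and `@retval EFI_BUFFER_TOO_SMALL ... The buffer should now point to the size needed` confuses the name buffer with the size variable; a caller probing with a zero size needs to know whether it must call again to obtain the entry. Suggested wording for both declarations: `@retval EFI_BUFFER_TOO_SMALL The VariablePolicyVariableName buffer is too small; *VariablePolicyVariableNameBufferSize now holds the size needed. VariablePolicy is [written / not written] in this case.` with the bracket resolved from the implementation, which lies outside this hunk. Stating what happens to the OPTIONAL size parameter when both it and the name buffer are NULL (presumably the size is simply not reported) would close the remaining gap.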
+diff --git a/MdeModulePkg/Include/Protocol/VariablePolicy.h b/MdeModulePkg/Include/Protocol/VariablePolicy.h +index 98d739401f83..4b57f70a9da8 100644 +--- a/MdeModulePkg/Include/Protocol/VariablePolicy.h ++++ b/MdeModulePkg/Include/Protocol/VariablePolicy.h +@@ -9,7 +9,17 @@ SPDX-License-Identifier: BSD-2-Clause-Patent + #ifndef __EDKII_VARIABLE_POLICY_PROTOCOL__ + #define __EDKII_VARIABLE_POLICY_PROTOCOL__ + +-#define EDKII_VARIABLE_POLICY_PROTOCOL_REVISION 0x0000000000010000 ++#define EDKII_VARIABLE_POLICY_PROTOCOL_REVISION 0x0000000000020000 ++ ++/* ++ Rev 0x0000000000010000: ++ - Initial protocol definition ++ ++ Rev 0x0000000000020000: ++ - Add GetVariablePolicyInfo() API ++ - Add GetLockOnVariableStateVariablePolicyInfo() API ++ ++*/ + + #define EDKII_VARIABLE_POLICY_PROTOCOL_GUID \ + { \ +@@ -141,13 +151,122 @@ EFI_STATUS + VOID + ); + ++/** ++ This function will return variable policy information for a UEFI variable with a ++ registered variable policy. ++ ++ @param[in] VariableName The name of the variable to use for the policy search. ++ @param[in] VendorGuid The vendor GUID of the variable to use for the policy search. ++ @param[in,out] VariablePolicyVariableNameBufferSize On input, the size, in bytes, of the VariablePolicyVariableName ++ buffer. ++ ++ On output, the size, in bytes, needed to store the variable ++ policy variable name. ++ ++ If testing for the VariablePolicyVariableName buffer size ++ needed, set this value to zero so EFI_BUFFER_TOO_SMALL is ++ guaranteed to be returned if the variable policy variable name ++ is found. ++ @param[out] VariablePolicy Pointer to a buffer where the policy entry will be written ++ if found. ++ @param[out] VariablePolicyVariableName Pointer to a buffer where the variable name used for the ++ variable policy will be written if a variable name is ++ registered. ++ ++ If the variable policy is not associated with a variable name ++ (e.g. 
applied to variable vendor namespace) and this parameter ++ is given, this parameter will not be modified and ++ VariablePolicyVariableNameBufferSize will be set to zero to ++ indicate a name was not present. ++ ++ If the pointer given is not NULL, ++ VariablePolicyVariableNameBufferSize must be non-NULL. ++ ++ @retval EFI_SUCCESS A variable policy entry was found and returned successfully. ++ @retval EFI_BAD_BUFFER_SIZE An internal buffer size caused a calculation error. ++ @retval EFI_BUFFER_TOO_SMALL The VariablePolicyVariableName buffer value is too small for the size needed. ++ The buffer should now point to the size needed. ++ @retval EFI_NOT_READY Variable policy has not yet been initialized. ++ @retval EFI_INVALID_PARAMETER A required pointer argument passed is NULL. This will be returned if ++ VariablePolicyVariableName is non-NULL and VariablePolicyVariableNameBufferSize ++ is NULL. ++ @retval EFI_NOT_FOUND A variable policy was not found for the given UEFI variable name and vendor GUID. ++ ++**/ ++typedef ++EFI_STATUS ++(EFIAPI *GET_VARIABLE_POLICY_INFO)( ++ IN CONST CHAR16 *VariableName, ++ IN CONST EFI_GUID *VendorGuid, ++ IN OUT UINTN *VariablePolicyVariableNameBufferSize OPTIONAL, ++ OUT VARIABLE_POLICY_ENTRY *VariablePolicy, ++ OUT CHAR16 *VariablePolicyVariableName OPTIONAL ++ ); ++ ++/** ++ This function will return the Lock on Variable State policy information for the policy ++ associated with the given UEFI variable. ++ ++ @param[in] VariableName The name of the variable to use for the policy search. ++ @param[in] VendorGuid The vendor GUID of the variable to use for the policy ++ search. ++ @param[in,out] VariableLockPolicyVariableNameBufferSize On input, the size, in bytes, of the ++ VariableLockPolicyVariableName buffer. ++ ++ On output, the size, in bytes, needed to store the variable ++ policy variable name. 
++ ++ If testing for the VariableLockPolicyVariableName buffer ++ size needed, set this value to zero so EFI_BUFFER_TOO_SMALL ++ is guaranteed to be returned if the variable policy variable ++ name is found. ++ @param[out] VariablePolicy Pointer to a buffer where the policy entry will be written ++ if found. ++ @param[out] VariableLockPolicyVariableName Pointer to a buffer where the variable name used for the ++ variable lock on variable state policy will be written if ++ a variable name is registered. ++ ++ If the lock on variable policy is not associated with a ++ variable name (e.g. applied to variable vendor namespace) ++ and this parameter is given, this parameter will not be ++ modified and VariableLockPolicyVariableNameBufferSize will ++ be set to zero to indicate a name was not present. ++ ++ If the pointer given is not NULL, ++ VariableLockPolicyVariableNameBufferSize must be non-NULL. ++ ++ @retval EFI_SUCCESS A Lock on Variable State variable policy entry was found and returned ++ successfully. ++ @retval EFI_BAD_BUFFER_SIZE An internal buffer size caused a calculation error. ++ @retval EFI_BUFFER_TOO_SMALL The VariableLockPolicyVariableName buffer is too small for the size needed. ++ The buffer should now point to the size needed. ++ @retval EFI_NOT_READY Variable policy has not yet been initialized. ++ @retval EFI_INVALID_PARAMETER A required pointer argument passed is NULL. This will be returned if ++ VariableLockPolicyVariableName is non-NULL and ++ VariableLockPolicyVariableNameBufferSize is NULL. ++ @retval EFI_NOT_FOUND A Lock on Variable State variable policy was not found for the given UEFI ++ variable name and vendor GUID. 
++ ++**/ ++typedef ++EFI_STATUS ++(EFIAPI *GET_LOCK_ON_VARIABLE_STATE_VARIABLE_POLICY_INFO)( ++ IN CONST CHAR16 *VariableName, ++ IN CONST EFI_GUID *VendorGuid, ++ IN OUT UINTN *VariableLockPolicyVariableNameBufferSize OPTIONAL, ++ OUT VARIABLE_LOCK_ON_VAR_STATE_POLICY *VariablePolicy, ++ OUT CHAR16 *VariableLockPolicyVariableName OPTIONAL ++ ); ++ + typedef struct { +- UINT64 Revision; +- DISABLE_VARIABLE_POLICY DisableVariablePolicy; +- IS_VARIABLE_POLICY_ENABLED IsVariablePolicyEnabled; +- REGISTER_VARIABLE_POLICY RegisterVariablePolicy; +- DUMP_VARIABLE_POLICY DumpVariablePolicy; +- LOCK_VARIABLE_POLICY LockVariablePolicy; ++ UINT64 Revision; ++ DISABLE_VARIABLE_POLICY DisableVariablePolicy; ++ IS_VARIABLE_POLICY_ENABLED IsVariablePolicyEnabled; ++ REGISTER_VARIABLE_POLICY RegisterVariablePolicy; ++ DUMP_VARIABLE_POLICY DumpVariablePolicy; ++ LOCK_VARIABLE_POLICY LockVariablePolicy; ++ GET_VARIABLE_POLICY_INFO GetVariablePolicyInfo; ++ GET_LOCK_ON_VARIABLE_STATE_VARIABLE_POLICY_INFO GetLockOnVariableStateVariablePolicyInfo; + } _EDKII_VARIABLE_POLICY_PROTOCOL; + + typedef _EDKII_VARIABLE_POLICY_PROTOCOL EDKII_VARIABLE_POLICY_PROTOCOL; +diff --git a/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c b/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c +index 5de46133bb26..1448af85555a 100644 +--- a/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c ++++ b/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c +@@ -76,14 +76,20 @@ VarCheckPolicyLibMmiHandler ( + VOID *InternalCommBuffer; + EFI_STATUS Status; + EFI_STATUS SubCommandStatus; +- VAR_CHECK_POLICY_COMM_HEADER *PolicyCommmHeader; +- VAR_CHECK_POLICY_COMM_HEADER *InternalPolicyCommmHeader; ++ VAR_CHECK_POLICY_COMM_HEADER *PolicyCommHeader; ++ VAR_CHECK_POLICY_COMM_HEADER *InternalPolicyCommHeader; + VAR_CHECK_POLICY_COMM_IS_ENABLED_PARAMS *IsEnabledParams; + VAR_CHECK_POLICY_COMM_DUMP_PARAMS *DumpParamsIn; + VAR_CHECK_POLICY_COMM_DUMP_PARAMS *DumpParamsOut; ++ 
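Review bot: Nothing in the _EDKII_VARIABLE_POLICY_PROTOCOL struct tells a consumer whether the two new members at its tail are present; a producer still at revision 0x0000000000010000 publishes the six-member layout, so calling GetVariablePolicyInfo or GetLockOnVariableStateVariablePolicyInfo through such an instance reads past the end of the published struct. The struct should say this explicitly, e.g. a comment placed before the GetVariablePolicyInfo member: `// Members below exist only when Revision >= 0x0000000000020000; check Revision before calling them.` The revision-history block added near the top of the header would benefit from the same sentence so that the requirement is visible from the API documentation, not just the layout.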
VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS *GetInfoParamsInternal; ++ VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS *GetInfoParamsExternal; ++ CHAR16 *InternalCopyOfOutputVariableName; ++ CHAR16 *ExternalCopyOfOutputVariableName; + UINT8 *DumpInputBuffer; + UINT8 *DumpOutputBuffer; ++ UINTN AllowedOutputVariableNameSize; + UINTN DumpTotalPages; ++ UINTN LocalSize; + VARIABLE_POLICY_ENTRY *PolicyEntry; + UINTN ExpectedSize; + UINT32 TempSize; +@@ -122,21 +128,21 @@ VarCheckPolicyLibMmiHandler ( + // + InternalCommBuffer = &mSecurityEvalBuffer[0]; + CopyMem (InternalCommBuffer, CommBuffer, InternalCommBufferSize); +- PolicyCommmHeader = CommBuffer; +- InternalPolicyCommmHeader = InternalCommBuffer; ++ PolicyCommHeader = CommBuffer; ++ InternalPolicyCommHeader = InternalCommBuffer; + // Check the revision and the signature of the comm header. +- if ((InternalPolicyCommmHeader->Signature != VAR_CHECK_POLICY_COMM_SIG) || +- (InternalPolicyCommmHeader->Revision != VAR_CHECK_POLICY_COMM_REVISION)) ++ if ((InternalPolicyCommHeader->Signature != VAR_CHECK_POLICY_COMM_SIG) || ++ (InternalPolicyCommHeader->Revision != VAR_CHECK_POLICY_COMM_REVISION)) + { + DEBUG ((DEBUG_INFO, "%a - Signature or revision are incorrect!\n", __func__)); + // We have verified the buffer is not null and have enough size to hold Result field. +- PolicyCommmHeader->Result = EFI_INVALID_PARAMETER; ++ PolicyCommHeader->Result = EFI_INVALID_PARAMETER; + return EFI_SUCCESS; + } + + // If we're in the middle of a paginated dump and any other command is sent, + // pagination cache must be cleared. +- if ((mPaginationCache != NULL) && (InternalPolicyCommmHeader->Command != mCurrentPaginationCommand)) { ++ if ((mPaginationCache != NULL) && (InternalPolicyCommHeader->Command != mCurrentPaginationCommand)) { + FreePool (mPaginationCache); + mPaginationCache = NULL; + mPaginationCacheSize = 0; +@@ -146,10 +152,10 @@ VarCheckPolicyLibMmiHandler ( + // + // Now we can process the command as it was sent. 
+ // +- PolicyCommmHeader->Result = EFI_ABORTED; // Set a default return for incomplete commands. +- switch (InternalPolicyCommmHeader->Command) { ++ PolicyCommHeader->Result = EFI_ABORTED; // Set a default return for incomplete commands. ++ switch (InternalPolicyCommHeader->Command) { + case VAR_CHECK_POLICY_COMMAND_DISABLE: +- PolicyCommmHeader->Result = DisableVariablePolicy (); ++ PolicyCommHeader->Result = DisableVariablePolicy (); + break; + + case VAR_CHECK_POLICY_COMMAND_IS_ENABLED: +@@ -158,14 +164,14 @@ VarCheckPolicyLibMmiHandler ( + ExpectedSize += sizeof (VAR_CHECK_POLICY_COMM_IS_ENABLED_PARAMS); + if (InternalCommBufferSize < ExpectedSize) { + DEBUG ((DEBUG_INFO, "%a - Bad comm buffer size! %d < %d\n", __func__, InternalCommBufferSize, ExpectedSize)); +- PolicyCommmHeader->Result = EFI_INVALID_PARAMETER; ++ PolicyCommHeader->Result = EFI_INVALID_PARAMETER; + break; + } + + // Now that we know we've got a valid size, we can fill in the rest of the data. +- IsEnabledParams = (VAR_CHECK_POLICY_COMM_IS_ENABLED_PARAMS *)((UINT8 *)CommBuffer + sizeof (VAR_CHECK_POLICY_COMM_HEADER)); +- IsEnabledParams->State = IsVariablePolicyEnabled (); +- PolicyCommmHeader->Result = EFI_SUCCESS; ++ IsEnabledParams = (VAR_CHECK_POLICY_COMM_IS_ENABLED_PARAMS *)((UINT8 *)CommBuffer + sizeof (VAR_CHECK_POLICY_COMM_HEADER)); ++ IsEnabledParams->State = IsVariablePolicyEnabled (); ++ PolicyCommHeader->Result = EFI_SUCCESS; + break; + + case VAR_CHECK_POLICY_COMMAND_REGISTER: +@@ -174,7 +180,7 @@ VarCheckPolicyLibMmiHandler ( + ExpectedSize += sizeof (VARIABLE_POLICY_ENTRY); + if (InternalCommBufferSize < ExpectedSize) { + DEBUG ((DEBUG_INFO, "%a - Bad comm buffer size! 
%d < %d\n", __func__, InternalCommBufferSize, ExpectedSize)); +- PolicyCommmHeader->Result = EFI_INVALID_PARAMETER; ++ PolicyCommHeader->Result = EFI_INVALID_PARAMETER; + break; + } + +@@ -187,11 +193,11 @@ VarCheckPolicyLibMmiHandler ( + (InternalCommBufferSize < ExpectedSize)) + { + DEBUG ((DEBUG_INFO, "%a - Bad policy entry contents!\n", __func__)); +- PolicyCommmHeader->Result = EFI_INVALID_PARAMETER; ++ PolicyCommHeader->Result = EFI_INVALID_PARAMETER; + break; + } + +- PolicyCommmHeader->Result = RegisterVariablePolicy (PolicyEntry); ++ PolicyCommHeader->Result = RegisterVariablePolicy (PolicyEntry); + break; + + case VAR_CHECK_POLICY_COMMAND_DUMP: +@@ -200,13 +206,13 @@ VarCheckPolicyLibMmiHandler ( + ExpectedSize += sizeof (VAR_CHECK_POLICY_COMM_DUMP_PARAMS) + VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE; + if (InternalCommBufferSize < ExpectedSize) { + DEBUG ((DEBUG_INFO, "%a - Bad comm buffer size! %d < %d\n", __func__, InternalCommBufferSize, ExpectedSize)); +- PolicyCommmHeader->Result = EFI_INVALID_PARAMETER; ++ PolicyCommHeader->Result = EFI_INVALID_PARAMETER; + break; + } + + // Now that we know we've got a valid size, we can fill in the rest of the data. +- DumpParamsIn = (VAR_CHECK_POLICY_COMM_DUMP_PARAMS *)(InternalPolicyCommmHeader + 1); +- DumpParamsOut = (VAR_CHECK_POLICY_COMM_DUMP_PARAMS *)(PolicyCommmHeader + 1); ++ DumpParamsIn = (VAR_CHECK_POLICY_COMM_DUMP_PARAMS *)(InternalPolicyCommHeader + 1); ++ DumpParamsOut = (VAR_CHECK_POLICY_COMM_DUMP_PARAMS *)(PolicyCommHeader + 1); + + // If we're requesting the first page, initialize the cache and get the sizes. + if (DumpParamsIn->PageRequested == 0) { +@@ -289,17 +295,131 @@ VarCheckPolicyLibMmiHandler ( + } + + // There's currently no use for this, but it shouldn't be hard to implement. 
+- PolicyCommmHeader->Result = SubCommandStatus; ++ PolicyCommHeader->Result = SubCommandStatus; + break; + + case VAR_CHECK_POLICY_COMMAND_LOCK: +- PolicyCommmHeader->Result = LockVariablePolicy (); ++ PolicyCommHeader->Result = LockVariablePolicy (); ++ break; ++ ++ case VAR_CHECK_POLICY_COMMAND_GET_INFO: ++ case VAR_CHECK_POLICY_COMMAND_GET_LOCK_VAR_STATE_INFO: ++ ExpectedSize += VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS_END + VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE; ++ ++ if (InternalCommBufferSize < ExpectedSize) { ++ PolicyCommHeader->Result = EFI_INVALID_PARAMETER; ++ break; ++ } ++ ++ GetInfoParamsInternal = (VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS *)(InternalPolicyCommHeader + 1); ++ GetInfoParamsExternal = (VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS *)(PolicyCommHeader + 1); ++ ++ SubCommandStatus = SafeUintnSub ( ++ VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE, ++ GetInfoParamsInternal->InputVariableNameSize, ++ &AllowedOutputVariableNameSize ++ ); ++ if (EFI_ERROR (SubCommandStatus)) { ++ PolicyCommHeader->Result = EFI_INVALID_PARAMETER; ++ break; ++ } ++ ++ if (GetInfoParamsInternal->OutputVariableNameSize > 0) { ++ SubCommandStatus = SafeUintnAdd ( ++ ((UINTN)GetInfoParamsInternal + VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS_END), ++ (UINTN)GetInfoParamsInternal->InputVariableNameSize, ++ (UINTN *)&InternalCopyOfOutputVariableName ++ ); ++ if (EFI_ERROR (SubCommandStatus)) { ++ PolicyCommHeader->Result = EFI_INVALID_PARAMETER; ++ break; ++ } ++ } else { ++ InternalCopyOfOutputVariableName = NULL; ++ } ++ ++ ZeroMem (&GetInfoParamsInternal->OutputPolicyEntry, sizeof (GetInfoParamsInternal->OutputPolicyEntry)); ++ ZeroMem (&GetInfoParamsExternal->OutputPolicyEntry, sizeof (GetInfoParamsExternal->OutputPolicyEntry)); ++ ++ LocalSize = (UINTN)GetInfoParamsInternal->OutputVariableNameSize; ++ ++ if (InternalPolicyCommHeader->Command == VAR_CHECK_POLICY_COMMAND_GET_INFO) { ++ SubCommandStatus = GetVariablePolicyInfo ( ++ GetInfoParamsInternal->InputVariableName, ++ 
&GetInfoParamsInternal->InputVendorGuid, ++ &LocalSize, ++ &GetInfoParamsInternal->OutputPolicyEntry.VariablePolicy, ++ InternalCopyOfOutputVariableName ++ ); ++ } else if (InternalPolicyCommHeader->Command == VAR_CHECK_POLICY_COMMAND_GET_LOCK_VAR_STATE_INFO) { ++ SubCommandStatus = GetLockOnVariableStateVariablePolicyInfo ( ++ GetInfoParamsInternal->InputVariableName, ++ &GetInfoParamsInternal->InputVendorGuid, ++ &LocalSize, ++ &GetInfoParamsInternal->OutputPolicyEntry.LockOnVarStatePolicy, ++ InternalCopyOfOutputVariableName ++ ); ++ } else { ++ PolicyCommHeader->Result = EFI_INVALID_PARAMETER; ++ break; ++ } ++ ++ if (EFI_ERROR (SubCommandStatus) && (SubCommandStatus != EFI_BUFFER_TOO_SMALL)) { ++ PolicyCommHeader->Result = SubCommandStatus; ++ break; ++ } ++ ++ if (EFI_ERROR (SafeUintnToUint32 (LocalSize, &GetInfoParamsInternal->OutputVariableNameSize))) { ++ PolicyCommHeader->Result = EFI_BAD_BUFFER_SIZE; ++ break; ++ } ++ ++ ASSERT (sizeof (GetInfoParamsInternal->OutputPolicyEntry) == sizeof (GetInfoParamsExternal->OutputPolicyEntry)); ++ CopyMem ( ++ &GetInfoParamsExternal->OutputPolicyEntry, ++ &GetInfoParamsInternal->OutputPolicyEntry, ++ sizeof (GetInfoParamsExternal->OutputPolicyEntry) ++ ); ++ ++ GetInfoParamsExternal->OutputVariableNameSize = GetInfoParamsInternal->OutputVariableNameSize; ++ if (SubCommandStatus == EFI_BUFFER_TOO_SMALL) { ++ PolicyCommHeader->Result = EFI_BUFFER_TOO_SMALL; ++ break; ++ } ++ ++ SubCommandStatus = SafeUintnAdd ( ++ ((UINTN)GetInfoParamsExternal + VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS_END), ++ (UINTN)GetInfoParamsInternal->InputVariableNameSize, ++ (UINTN *)&ExternalCopyOfOutputVariableName ++ ); ++ if (EFI_ERROR (SubCommandStatus)) { ++ PolicyCommHeader->Result = EFI_BAD_BUFFER_SIZE; ++ break; ++ } ++ ++ if (GetInfoParamsInternal->OutputVariableNameSize > 0) { ++ SubCommandStatus = StrnCpyS ( ++ ExternalCopyOfOutputVariableName, ++ AllowedOutputVariableNameSize, ++ InternalCopyOfOutputVariableName, ++ 
(UINTN)GetInfoParamsInternal->OutputVariableNameSize ++ ); ++ ASSERT_EFI_ERROR (SubCommandStatus); ++ } else { ++ // The comm buffer should always have the space for the variable policy output ++ // variable name. Fill it with NULL chars if a variable name is not present so ++ // it has a consistent value in the case of variable name absence. ++ SetMem (ExternalCopyOfOutputVariableName, AllowedOutputVariableNameSize, CHAR_NULL); ++ } ++ ++ PolicyCommHeader->Result = SubCommandStatus; ++ + break; + + default: + // Mark unknown requested command as EFI_UNSUPPORTED. +- DEBUG ((DEBUG_INFO, "%a - Invalid command requested! %d\n", __func__, PolicyCommmHeader->Command)); +- PolicyCommmHeader->Result = EFI_UNSUPPORTED; ++ DEBUG ((DEBUG_INFO, "%a - Invalid command requested! %d\n", __func__, PolicyCommHeader->Command)); ++ PolicyCommHeader->Result = EFI_UNSUPPORTED; + break; + } + +@@ -307,8 +427,8 @@ VarCheckPolicyLibMmiHandler ( + DEBUG_VERBOSE, + "%a - Command %d returning %r.\n", + __func__, +- PolicyCommmHeader->Command, +- PolicyCommmHeader->Result ++ PolicyCommHeader->Command, ++ PolicyCommHeader->Result + )); + + return Status; +diff --git a/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c b/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c +index 214f76ab9626..768662829dbf 100644 +--- a/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c ++++ b/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c +@@ -8,6 +8,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent + + #include + ++#include + #include + #include + #include +@@ -684,6 +685,309 @@ DumpVariablePolicy ( + return EFI_SUCCESS; + } + ++/** ++ This function will return variable policy information for a UEFI variable with a ++ registered variable policy. ++ ++ @param[in] VariableName The name of the variable to use for the policy search. ++ @param[in] VendorGuid The vendor GUID of the variable to use for the policy search. 
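Review bot: The caller-supplied GetInfoParamsInternal->OutputVariableNameSize is passed through as LocalSize to GetVariablePolicyInfo/GetLockOnVariableStateVariablePolicyInfo without being bounded by AllowedOutputVariableNameSize, which the handler computed from the same comm buffer a few lines earlier. The internal name destination starts InputVariableNameSize bytes into the GET_INFO area, so a request whose InputVariableNameSize + OutputVariableNameSize exceeds VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE lets a sufficiently long registered policy name be copied past the region this handler reserves in mSecurityEvalBuffer (whether that is still inside the buffer depends on its size, which is not visible here); only the later copy back to the external buffer is bounded by AllowedOutputVariableNameSize. Reject such requests right after the SafeUintnSub check: `if (GetInfoParamsInternal->OutputVariableNameSize > AllowedOutputVariableNameSize) { PolicyCommHeader->Result = EFI_INVALID_PARAMETER; break; }`. The handler also never verifies that InputVariableName is NUL-terminated within InputVariableNameSize before the lookup; a `StrnLenS`/`StrnSizeS` check bounded by that size would close the over-read on an unterminated name, assuming the match routine walks the string. VarCheckPolicyLibMmiHandler begins outside this hunk.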
++ @param[in,out] VariablePolicyVariableNameBufferSize On input, the size, in bytes, of the VariablePolicyVariableName ++ buffer. ++ ++ On output, the size, in bytes, needed to store the variable ++ policy variable name. ++ ++ If testing for the VariablePolicyVariableName buffer size ++ needed, set this value to zero so EFI_BUFFER_TOO_SMALL is ++ guaranteed to be returned if the variable policy variable name ++ is found. ++ @param[out] VariablePolicy Pointer to a buffer where the policy entry will be written ++ if found. ++ @param[out] VariablePolicyVariableName Pointer to a buffer where the variable name used for the ++ variable policy will be written if a variable name is ++ registered. ++ ++ If the variable policy is not associated with a variable name ++ (e.g. applied to variable vendor namespace) and this parameter ++ is given, this parameter will not be modified and ++ VariablePolicyVariableNameBufferSize will be set to zero to ++ indicate a name was not present. ++ ++ If the pointer given is not NULL, ++ VariablePolicyVariableNameBufferSize must be non-NULL. ++ ++ @retval EFI_SUCCESS A variable policy entry was found and returned successfully. ++ @retval EFI_BAD_BUFFER_SIZE An internal buffer size caused a calculation error. ++ @retval EFI_BUFFER_TOO_SMALL The VariablePolicyVariableName buffer value is too small for the size needed. ++ The buffer should now point to the size needed. ++ @retval EFI_NOT_READY Variable policy has not yet been initialized. ++ @retval EFI_INVALID_PARAMETER A required pointer argument passed is NULL. This will be returned if ++ VariablePolicyVariableName is non-NULL and VariablePolicyVariableNameBufferSize ++ is NULL. ++ @retval EFI_NOT_FOUND A variable policy was not found for the given UEFI variable name and vendor GUID. 
++ ++**/ ++EFI_STATUS ++EFIAPI ++GetVariablePolicyInfo ( ++ IN CONST CHAR16 *VariableName, ++ IN CONST EFI_GUID *VendorGuid, ++ IN OUT UINTN *VariablePolicyVariableNameBufferSize OPTIONAL, ++ OUT VARIABLE_POLICY_ENTRY *VariablePolicy, ++ OUT CHAR16 *VariablePolicyVariableName OPTIONAL ++ ) ++{ ++ EFI_STATUS Status; ++ UINT8 MatchPriority; ++ UINTN LocalVariablePolicyVariableNameBufferSize; ++ UINTN RequiredVariablePolicyVariableNameBufferSize; ++ VARIABLE_POLICY_ENTRY *MatchPolicy; ++ ++ Status = EFI_SUCCESS; ++ ++ if (!IsVariablePolicyLibInitialized ()) { ++ return EFI_NOT_READY; ++ } ++ ++ if ((VariableName == NULL) || (VendorGuid == NULL) || (VariablePolicy == NULL)) { ++ return EFI_INVALID_PARAMETER; ++ } ++ ++ MatchPolicy = GetBestPolicyMatch ( ++ VariableName, ++ VendorGuid, ++ &MatchPriority ++ ); ++ if (MatchPolicy != NULL) { ++ CopyMem (VariablePolicy, MatchPolicy, sizeof (*VariablePolicy)); ++ ++ if (VariablePolicyVariableNameBufferSize == NULL) { ++ if (VariablePolicyVariableName != NULL) { ++ return EFI_INVALID_PARAMETER; ++ } ++ ++ return Status; ++ } ++ ++ if (MatchPolicy->Size != MatchPolicy->OffsetToName) { ++ if (MatchPolicy->Size < MatchPolicy->OffsetToName) { ++ ASSERT (MatchPolicy->Size > MatchPolicy->OffsetToName); ++ return EFI_BAD_BUFFER_SIZE; ++ } ++ ++ RequiredVariablePolicyVariableNameBufferSize = (UINTN)(MatchPolicy->Size - MatchPolicy->OffsetToName); ++ ASSERT (RequiredVariablePolicyVariableNameBufferSize > 0); ++ ++ if (*VariablePolicyVariableNameBufferSize < RequiredVariablePolicyVariableNameBufferSize) { ++ // Let the caller get the size needed to hold the policy variable name ++ *VariablePolicyVariableNameBufferSize = RequiredVariablePolicyVariableNameBufferSize; ++ return EFI_BUFFER_TOO_SMALL; ++ } ++ ++ if (VariablePolicyVariableName == NULL) { ++ // If the policy variable name size given is valid, then a valid policy variable name buffer should be provided ++ *VariablePolicyVariableNameBufferSize = 
RequiredVariablePolicyVariableNameBufferSize; ++ return EFI_INVALID_PARAMETER; ++ } ++ ++ LocalVariablePolicyVariableNameBufferSize = *VariablePolicyVariableNameBufferSize; ++ ++ // Actual string size should match expected string size ++ if ( ++ ((StrnLenS (GET_POLICY_NAME (MatchPolicy), RequiredVariablePolicyVariableNameBufferSize) + 1) * sizeof (CHAR16)) ++ != RequiredVariablePolicyVariableNameBufferSize) ++ { ++ ASSERT_EFI_ERROR (EFI_BAD_BUFFER_SIZE); ++ return EFI_BAD_BUFFER_SIZE; ++ } ++ ++ *VariablePolicyVariableNameBufferSize = RequiredVariablePolicyVariableNameBufferSize; ++ ++ Status = StrnCpyS ( ++ VariablePolicyVariableName, ++ LocalVariablePolicyVariableNameBufferSize / sizeof (CHAR16), ++ GET_POLICY_NAME (MatchPolicy), ++ RequiredVariablePolicyVariableNameBufferSize / sizeof (CHAR16) ++ ); ++ ASSERT_EFI_ERROR (Status); ++ } else { ++ // A variable policy variable name is not present. Return values according to interface. ++ *VariablePolicyVariableNameBufferSize = 0; ++ } ++ ++ return Status; ++ } ++ ++ return EFI_NOT_FOUND; ++} ++ ++/** ++ This function will return the Lock on Variable State policy information for the policy ++ associated with the given UEFI variable. ++ ++ @param[in] VariableName The name of the variable to use for the policy search. ++ @param[in] VendorGuid The vendor GUID of the variable to use for the policy ++ search. ++ @param[in,out] VariableLockPolicyVariableNameBufferSize On input, the size, in bytes, of the ++ VariableLockPolicyVariableName buffer. ++ ++ On output, the size, in bytes, needed to store the variable ++ policy variable name. ++ ++ If testing for the VariableLockPolicyVariableName buffer ++ size needed, set this value to zero so EFI_BUFFER_TOO_SMALL ++ is guaranteed to be returned if the variable policy variable ++ name is found. ++ @param[out] VariablePolicy Pointer to a buffer where the policy entry will be written ++ if found. 
++ @param[out] VariableLockPolicyVariableName Pointer to a buffer where the variable name used for the ++ variable lock on variable state policy will be written if ++ a variable name is registered. ++ ++ If the lock on variable policy is not associated with a ++ variable name (e.g. applied to variable vendor namespace) ++ and this parameter is given, this parameter will not be ++ modified and VariableLockPolicyVariableNameBufferSize will ++ be set to zero to indicate a name was not present. ++ ++ If the pointer given is not NULL, ++ VariableLockPolicyVariableNameBufferSize must be non-NULL. ++ ++ @retval EFI_SUCCESS A Lock on Variable State variable policy entry was found and returned ++ successfully. ++ @retval EFI_BAD_BUFFER_SIZE An internal buffer size caused a calculation error. ++ @retval EFI_BUFFER_TOO_SMALL The VariableLockPolicyVariableName buffer is too small for the size needed. ++ The buffer should now point to the size needed. ++ @retval EFI_NOT_READY Variable policy has not yet been initialized. ++ @retval EFI_INVALID_PARAMETER A required pointer argument passed is NULL. This will be returned if ++ VariableLockPolicyVariableName is non-NULL and ++ VariableLockPolicyVariableNameBufferSize is NULL. ++ @retval EFI_NOT_FOUND A Lock on Variable State variable policy was not found for the given UEFI ++ variable name and vendor GUID. 
++ ++**/ ++EFI_STATUS ++EFIAPI ++GetLockOnVariableStateVariablePolicyInfo ( ++ IN CONST CHAR16 *VariableName, ++ IN CONST EFI_GUID *VendorGuid, ++ IN OUT UINTN *VariableLockPolicyVariableNameBufferSize OPTIONAL, ++ OUT VARIABLE_LOCK_ON_VAR_STATE_POLICY *VariablePolicy, ++ OUT CHAR16 *VariableLockPolicyVariableName OPTIONAL ++ ) ++{ ++ EFI_STATUS Status; ++ UINT8 MatchPriority; ++ UINTN RequiredVariablePolicyVariableNameBufferSize; ++ UINTN RequiredVariableLockPolicyVariableNameBufferSize; ++ UINTN LocalVariablePolicyLockVariableNameBufferSize; ++ UINTN LockOnVarStatePolicyEndOffset; ++ CHAR16 *LocalVariableLockPolicyVariableName; ++ VARIABLE_LOCK_ON_VAR_STATE_POLICY *LocalLockOnVarStatePolicy; ++ VARIABLE_POLICY_ENTRY *MatchPolicy; ++ ++ Status = EFI_SUCCESS; ++ ++ if (!IsVariablePolicyLibInitialized ()) { ++ return EFI_NOT_READY; ++ } ++ ++ if ((VariableName == NULL) || (VendorGuid == NULL) || (VariablePolicy == NULL)) { ++ return EFI_INVALID_PARAMETER; ++ } ++ ++ MatchPolicy = GetBestPolicyMatch ( ++ VariableName, ++ VendorGuid, ++ &MatchPriority ++ ); ++ if (MatchPolicy != NULL) { ++ if (MatchPolicy->LockPolicyType != VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE) { ++ return EFI_NOT_FOUND; ++ } ++ ++ Status = SafeUintnAdd ( ++ sizeof (VARIABLE_POLICY_ENTRY), ++ sizeof (VARIABLE_LOCK_ON_VAR_STATE_POLICY), ++ &LockOnVarStatePolicyEndOffset ++ ); ++ if (EFI_ERROR (Status) || (LockOnVarStatePolicyEndOffset > (UINTN)MatchPolicy->Size)) { ++ return EFI_BAD_BUFFER_SIZE; ++ } ++ ++ LocalLockOnVarStatePolicy = (VARIABLE_LOCK_ON_VAR_STATE_POLICY *)(MatchPolicy + 1); ++ CopyMem (VariablePolicy, LocalLockOnVarStatePolicy, sizeof (*LocalLockOnVarStatePolicy)); ++ ++ if ((VariableLockPolicyVariableNameBufferSize == NULL)) { ++ if (VariableLockPolicyVariableName != NULL) { ++ return EFI_INVALID_PARAMETER; ++ } ++ ++ return Status; ++ } ++ ++ // The name offset should be less than or equal to the total policy size. 
++ if (MatchPolicy->Size < MatchPolicy->OffsetToName) { ++ return EFI_BAD_BUFFER_SIZE; ++ } ++ ++ RequiredVariablePolicyVariableNameBufferSize = (UINTN)(MatchPolicy->Size - MatchPolicy->OffsetToName); ++ RequiredVariableLockPolicyVariableNameBufferSize = MatchPolicy->Size - ++ (LockOnVarStatePolicyEndOffset + RequiredVariablePolicyVariableNameBufferSize); ++ ++ LocalVariablePolicyLockVariableNameBufferSize = *VariableLockPolicyVariableNameBufferSize; ++ *VariableLockPolicyVariableNameBufferSize = RequiredVariableLockPolicyVariableNameBufferSize; ++ ++ if (LocalVariablePolicyLockVariableNameBufferSize < RequiredVariableLockPolicyVariableNameBufferSize) { ++ // Let the caller get the size needed to hold the policy variable name ++ return EFI_BUFFER_TOO_SMALL; ++ } ++ ++ if (VariableLockPolicyVariableName == NULL) { ++ // If the policy variable name size given is valid, then a valid policy variable name buffer should be provided ++ return EFI_INVALID_PARAMETER; ++ } ++ ++ if (RequiredVariableLockPolicyVariableNameBufferSize == 0) { ++ return Status; ++ } ++ ++ LocalVariableLockPolicyVariableName = (CHAR16 *)((UINT8 *)LocalLockOnVarStatePolicy + sizeof (*LocalLockOnVarStatePolicy)); ++ *VariableLockPolicyVariableNameBufferSize = RequiredVariableLockPolicyVariableNameBufferSize; ++ ++ // Actual string size should match expected string size (if a variable name is present) ++ if ( ++ (RequiredVariablePolicyVariableNameBufferSize > 0) && ++ (((StrnLenS (GET_POLICY_NAME (MatchPolicy), RequiredVariablePolicyVariableNameBufferSize) + 1) * sizeof (CHAR16)) != ++ RequiredVariablePolicyVariableNameBufferSize)) ++ { ++ ASSERT_EFI_ERROR (EFI_BAD_BUFFER_SIZE); ++ return EFI_BAD_BUFFER_SIZE; ++ } ++ ++ // Actual string size should match expected string size (if here, variable lock variable name is present) ++ if ( ++ ((StrnLenS (LocalVariableLockPolicyVariableName, RequiredVariableLockPolicyVariableNameBufferSize) + 1) * sizeof (CHAR16)) != ++ 
RequiredVariableLockPolicyVariableNameBufferSize) ++ { ++ ASSERT_EFI_ERROR (EFI_BAD_BUFFER_SIZE); ++ return EFI_BAD_BUFFER_SIZE; ++ } ++ ++ Status = StrnCpyS ( ++ VariableLockPolicyVariableName, ++ LocalVariablePolicyLockVariableNameBufferSize / sizeof (CHAR16), ++ LocalVariableLockPolicyVariableName, ++ RequiredVariableLockPolicyVariableNameBufferSize / sizeof (CHAR16) ++ ); ++ ASSERT_EFI_ERROR (Status); ++ ++ return Status; ++ } ++ ++ return EFI_NOT_FOUND; ++} ++ + /** + This API function returns whether or not the policy engine is + currently being enforced. +diff --git a/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf b/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf +index 3fe6043bf631..7048d555f0a9 100644 +--- a/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf ++++ b/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf +@@ -32,6 +32,7 @@ + + + [LibraryClasses] ++ BaseLib + DebugLib + BaseMemoryLib + MemoryAllocationLib +diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c +index d5c409c914d1..c4ccdfd20f74 100644 +--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c ++++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c +@@ -33,7 +33,9 @@ EDKII_VARIABLE_POLICY_PROTOCOL mVariablePolicyProtocol = { + ProtocolIsVariablePolicyEnabled, + RegisterVariablePolicy, + DumpVariablePolicy, +- LockVariablePolicy ++ LockVariablePolicy, ++ GetVariablePolicyInfo, ++ GetLockOnVariableStateVariablePolicyInfo + }; + EDKII_VAR_CHECK_PROTOCOL mVarCheck = { + VarCheckRegisterSetVariableCheckHandler, +diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c +index 6151a2ba0b18..0dd72dde27ce 100644 +--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c ++++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c +@@ -410,6 
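Review bot: In GetLockOnVariableStateVariablePolicyInfo the subtraction that produces RequiredVariableLockPolicyVariableNameBufferSize is not guarded against OffsetToName lying below LockOnVarStatePolicyEndOffset; the two preceding checks only ensure that each of LockOnVarStatePolicyEndOffset and OffsetToName is within Size, so an entry whose OffsetToName precedes the end of the VARIABLE_LOCK_ON_VAR_STATE_POLICY sub-structure makes the UINTN subtraction wrap and reports an enormous required size back to the caller. Registration may already reject such entries (not visible here), but a one-line guard keeps this function self-protecting: `if (MatchPolicy->OffsetToName < LockOnVarStatePolicyEndOffset) { return EFI_BAD_BUFFER_SIZE; }` placed right after the existing Size/OffsetToName check. Separately, the function returns EFI_INVALID_PARAMETER for a NULL VariableLockPolicyVariableName before it tests RequiredVariableLockPolicyVariableNameBufferSize == 0, whereas GetVariablePolicyInfo treats the no-name case as success with size zero regardless of the name pointer; swapping those two checks would make the two APIs behave consistently for size-probe callers.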
+410,338 @@ ProtocolLockVariablePolicy ( + return (EFI_ERROR (Status)) ? Status : PolicyHeader->Result; + } + ++/** ++ Internal implementation to retrieve variable information for a given UEFI variable that is shared ++ between different policy types. ++ ++ Currently, the two policy structure types supported (and all that is defined) are VARIABLE_POLICY_ENTRY ++ and VARIABLE_LOCK_ON_VAR_STATE_POLICY. ++ ++ @param[in] Command The command value to use in the communicate call. ++ @param[in] VariableName The name of the variable to use for the policy search. ++ @param[in] VendorGuid The vendor GUID of the variable to use for the policy search. ++ @param[in,out] VariablePolicyVariableNameBufferSize On input, the size, in bytes, of the VariablePolicyVariableName ++ buffer. ++ ++ On output, the size, in bytes, needed to store the variable ++ policy variable name. ++ ++ If testing for the VariablePolicyVariableName buffer size ++ needed, set this value to zero so EFI_BUFFER_TOO_SMALL is ++ guaranteed to be returned if the variable policy variable name ++ is found. ++ @param[out] VariablePolicy Pointer to a buffer where the policy entry will be written ++ if found. ++ @param[out] VariablePolicyVariableName Pointer to a buffer where the variable name used for the ++ variable policy will be written if a variable name is ++ registered. ++ ++ If the variable policy is not associated with a variable name ++ (e.g. applied to variable vendor namespace) and this parameter ++ is given, this parameter will not be modified and ++ VariablePolicyVariableNameBufferSize will be set to zero to ++ indicate a name was not present. ++ ++ If the pointer given is not NULL, ++ VariablePolicyVariableNameBufferSize must be non-NULL. ++ ++ @retval EFI_SUCCESS A variable policy entry was found and returned successfully. ++ @retval EFI_BAD_BUFFER_SIZE An internal buffer size caused a calculation error. 
++ @retval EFI_BUFFER_TOO_SMALL The VariablePolicyVariableName buffer value is too small for the size needed. ++ The buffer should now point to the size needed. ++ @retval EFI_NOT_READY Variable policy has not yet been initialized. ++ @retval EFI_INVALID_PARAMETER A required pointer argument passed is NULL. This will be returned if ++ VariablePolicyVariableName is non-NULL and VariablePolicyVariableNameBufferSize ++ is NULL. It can also be returned if the Command value provided is invalid. ++ @retval EFI_NOT_FOUND A variable policy was not found for the given UEFI variable name and vendor GUID. ++ ++ ++**/ ++STATIC ++EFI_STATUS ++InternalProtocolGetVariablePolicyInfo ( ++ IN UINT32 Command, ++ IN CONST CHAR16 *VariableName, ++ IN CONST EFI_GUID *VendorGuid, ++ IN OUT UINTN *VariablePolicyVariableNameBufferSize, OPTIONAL ++ OUT VOID *VariablePolicy, ++ OUT CHAR16 *VariablePolicyVariableName OPTIONAL ++ ) ++{ ++ EFI_STATUS Status; ++ CHAR16 *OutputVariableName; ++ EFI_MM_COMMUNICATE_HEADER *CommHeader; ++ VAR_CHECK_POLICY_COMM_HEADER *PolicyHeader; ++ VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS *CommandParams; ++ UINTN AllowedOutputVariableNameSize; ++ UINTN BufferSize; ++ UINTN VariableNameSize; ++ ++ if ((VariableName == NULL) || (VendorGuid == NULL) || (VariablePolicy == NULL)) { ++ return EFI_INVALID_PARAMETER; ++ } ++ ++ switch (Command) { ++ case VAR_CHECK_POLICY_COMMAND_GET_INFO: ++ case VAR_CHECK_POLICY_COMMAND_GET_LOCK_VAR_STATE_INFO: ++ break; ++ default: ++ return EFI_INVALID_PARAMETER; ++ } ++ ++ AcquireLockOnlyAtBootTime (&mMmCommunicationLock); ++ ++ VariableNameSize = StrnSizeS ( ++ VariableName, ++ (VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE - VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS_END) ++ ); ++ if (VariableNameSize >= (VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE - VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS_END)) { ++ Status = EFI_INVALID_PARAMETER; ++ goto Done; ++ } ++ ++ if ((VariablePolicyVariableName != NULL) && (VariablePolicyVariableNameBufferSize == NULL)) { 
++ return EFI_INVALID_PARAMETER; ++ goto Done; ++ } ++ ++ BufferSize = mMmCommunicationBufferSize; ++ CommHeader = mMmCommunicationBuffer; ++ ++ Status = SafeUintnSub ( ++ VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE, ++ VariableNameSize, ++ &AllowedOutputVariableNameSize ++ ); ++ if (EFI_ERROR (Status)) { ++ Status = EFI_INVALID_PARAMETER; ++ goto Done; ++ } ++ ++ if (VariablePolicyVariableNameBufferSize != NULL) { ++ AllowedOutputVariableNameSize = MIN (AllowedOutputVariableNameSize, *VariablePolicyVariableNameBufferSize); ++ } else { ++ AllowedOutputVariableNameSize = 0; ++ } ++ ++ PolicyHeader = (VAR_CHECK_POLICY_COMM_HEADER *)&CommHeader->Data; ++ CommandParams = (VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS *)(PolicyHeader + 1); ++ ++ CopyGuid (&CommHeader->HeaderGuid, &gVarCheckPolicyLibMmiHandlerGuid); ++ CommHeader->MessageLength = BufferSize - OFFSET_OF (EFI_MM_COMMUNICATE_HEADER, Data); ++ PolicyHeader->Signature = VAR_CHECK_POLICY_COMM_SIG; ++ PolicyHeader->Revision = VAR_CHECK_POLICY_COMM_REVISION; ++ PolicyHeader->Command = Command; ++ ++ ZeroMem ((VOID *)&CommandParams->OutputPolicyEntry, sizeof (CommandParams->OutputPolicyEntry)); ++ CopyGuid (&CommandParams->InputVendorGuid, VendorGuid); ++ Status = SafeUintnToUint32 (VariableNameSize, &CommandParams->InputVariableNameSize); ++ if (EFI_ERROR (Status)) { ++ Status = EFI_INVALID_PARAMETER; ++ goto Done; ++ } ++ ++ Status = SafeUintnToUint32 (AllowedOutputVariableNameSize, &CommandParams->OutputVariableNameSize); ++ if (EFI_ERROR (Status)) { ++ Status = EFI_INVALID_PARAMETER; ++ goto Done; ++ } ++ ++ if (AllowedOutputVariableNameSize > 0) { ++ Status = StrnCpyS ( ++ CommandParams->InputVariableName, ++ AllowedOutputVariableNameSize / sizeof (CHAR16), ++ VariableName, ++ (UINTN)CommandParams->InputVariableNameSize / sizeof (CHAR16) ++ ); ++ ASSERT_EFI_ERROR (Status); ++ } ++ ++ Status = InternalMmCommunicate (CommHeader, &BufferSize); ++ if (Status == EFI_SUCCESS) { ++ CopyMem ( ++ VariablePolicy, ++ (VOID 
*)&CommandParams->OutputPolicyEntry, ++ (Command == VAR_CHECK_POLICY_COMMAND_GET_INFO) ? ++ sizeof (CommandParams->OutputPolicyEntry.VariablePolicy) : ++ sizeof (CommandParams->OutputPolicyEntry.LockOnVarStatePolicy) ++ ); ++ ++ if (VariablePolicyVariableNameBufferSize == NULL) { ++ if (VariablePolicyVariableName != NULL) { ++ Status = EFI_INVALID_PARAMETER; ++ } ++ ++ goto Done; ++ } ++ ++ if (PolicyHeader->Result == EFI_BUFFER_TOO_SMALL) { ++ *VariablePolicyVariableNameBufferSize = (UINTN)CommandParams->OutputVariableNameSize; ++ goto Done; ++ } ++ ++ if (PolicyHeader->Result == EFI_SUCCESS) { ++ if (CommandParams->OutputVariableNameSize > 0) { ++ Status = SafeUintnAdd ( ++ ((UINTN)CommandParams + VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS_END), ++ (UINTN)CommandParams->InputVariableNameSize, ++ (UINTN *)&OutputVariableName ++ ); ++ if (EFI_ERROR (Status)) { ++ Status = EFI_BAD_BUFFER_SIZE; ++ goto Done; ++ } ++ ++ Status = StrnCpyS ( ++ VariablePolicyVariableName, ++ *VariablePolicyVariableNameBufferSize / sizeof (CHAR16), ++ OutputVariableName, ++ (UINTN)CommandParams->OutputVariableNameSize ++ ); ++ ASSERT_EFI_ERROR (Status); ++ *VariablePolicyVariableNameBufferSize = (UINTN)CommandParams->OutputVariableNameSize; ++ } else { ++ // A variable policy variable name is not present. Return values according to interface. ++ *VariablePolicyVariableNameBufferSize = 0; ++ } ++ } ++ } ++ ++Done: ++ ReleaseLockOnlyAtBootTime (&mMmCommunicationLock); ++ ++ return (EFI_ERROR (Status)) ? Status : PolicyHeader->Result; ++} ++ ++/** ++ This function will return variable policy information for a UEFI variable with a ++ registered variable policy. ++ ++ @param[in] VariableName The name of the variable to use for the policy search. ++ @param[in] VendorGuid The vendor GUID of the variable to use for the policy search. ++ @param[in,out] VariablePolicyVariableNameBufferSize On input, the size, in bytes, of the VariablePolicyVariableName ++ buffer. 
++ ++ On output, the size, in bytes, needed to store the variable ++ policy variable name. ++ ++ If testing for the VariablePolicyVariableName buffer size ++ needed, set this value to zero so EFI_BUFFER_TOO_SMALL is ++ guaranteed to be returned if the variable policy variable name ++ is found. ++ @param[out] VariablePolicy Pointer to a buffer where the policy entry will be written ++ if found. ++ @param[out] VariablePolicyVariableName Pointer to a buffer where the variable name used for the ++ variable policy will be written if a variable name is ++ registered. ++ ++ If the variable policy is not associated with a variable name ++ (e.g. applied to variable vendor namespace) and this parameter ++ is given, this parameter will not be modified and ++ VariablePolicyVariableNameBufferSize will be set to zero to ++ indicate a name was not present. ++ ++ If the pointer given is not NULL, ++ VariablePolicyVariableNameBufferSize must be non-NULL. ++ ++ @retval EFI_SUCCESS A variable policy entry was found and returned successfully. ++ @retval EFI_BAD_BUFFER_SIZE An internal buffer size caused a calculation error. ++ @retval EFI_BUFFER_TOO_SMALL The VariablePolicyVariableName buffer value is too small for the size needed. ++ The buffer should now point to the size needed. ++ @retval EFI_NOT_READY Variable policy has not yet been initialized. ++ @retval EFI_INVALID_PARAMETER A required pointer argument passed is NULL. This will be returned if ++ VariablePolicyVariableName is non-NULL and VariablePolicyVariableNameBufferSize ++ is NULL. ++ @retval EFI_NOT_FOUND A variable policy was not found for the given UEFI variable name and vendor GUID. 
++ ++**/ ++STATIC ++EFI_STATUS ++EFIAPI ++ProtocolGetVariablePolicyInfo ( ++ IN CONST CHAR16 *VariableName, ++ IN CONST EFI_GUID *VendorGuid, ++ IN OUT UINTN *VariablePolicyVariableNameBufferSize, OPTIONAL ++ OUT VARIABLE_POLICY_ENTRY *VariablePolicy, ++ OUT CHAR16 *VariablePolicyVariableName OPTIONAL ++ ) ++{ ++ return InternalProtocolGetVariablePolicyInfo ( ++ VAR_CHECK_POLICY_COMMAND_GET_INFO, ++ VariableName, ++ VendorGuid, ++ VariablePolicyVariableNameBufferSize, ++ VariablePolicy, ++ VariablePolicyVariableName ++ ); ++} ++ ++/** ++ This function will return the Lock on Variable State policy information for the policy ++ associated with the given UEFI variable. ++ ++ @param[in] VariableName The name of the variable to use for the policy search. ++ @param[in] VendorGuid The vendor GUID of the variable to use for the policy ++ search. ++ @param[in,out] VariableLockPolicyVariableNameBufferSize On input, the size, in bytes, of the ++ VariableLockPolicyVariableName buffer. ++ ++ On output, the size, in bytes, needed to store the variable ++ policy variable name. ++ ++ If testing for the VariableLockPolicyVariableName buffer ++ P size needed, set this value to zero so EFI_BUFFER_TOO_SMALL ++ is guaranteed to be returned if the variable policy variable ++ name is found. ++ @param[out] VariablePolicy Pointer to a buffer where the policy entry will be written ++ if found. ++ @param[out] VariableLockPolicyVariableName Pointer to a buffer where the variable name used for the ++ variable lock on variable state policy will be written if ++ a variable name is registered. ++ ++ If the lock on variable policy is not associated with a ++ variable name (e.g. applied to variable vendor namespace) ++ and this parameter is given, this parameter will not be ++ modified and VariableLockPolicyVariableNameBufferSize will ++ be set to zero to indicate a name was not present. ++ ++ If the pointer given is not NULL, ++ VariableLockPolicyVariableNameBufferSize must be non-NULL. 
++ ++ @retval EFI_SUCCESS A Lock on Variable State variable policy entry was found and returned ++ successfully. ++ @retval EFI_BAD_BUFFER_SIZE An internal buffer size caused a calculation error. ++ @retval EFI_BUFFER_TOO_SMALL The VariableLockPolicyVariableName buffer is too small for the size needed. ++ The buffer should now point to the size needed. ++ @retval EFI_NOT_READY Variable policy has not yet been initialized. ++ @retval EFI_INVALID_PARAMETER A required pointer argument passed is NULL. This will be returned if ++ VariableLockPolicyVariableName is non-NULL and ++ VariableLockPolicyVariableNameBufferSize is NULL. ++ @retval EFI_NOT_FOUND A Lock on Variable State variable policy was not found for the given UEFI ++ variable name and vendor GUID. ++ ++**/ ++STATIC ++EFI_STATUS ++EFIAPI ++ProtocolGetLockOnVariableStateVariablePolicyInfo ( ++ IN CONST CHAR16 *VariableName, ++ IN CONST EFI_GUID *VendorGuid, ++ IN OUT UINTN *VariableLockPolicyVariableNameBufferSize, OPTIONAL ++ OUT VARIABLE_LOCK_ON_VAR_STATE_POLICY *VariablePolicy, ++ OUT CHAR16 *VariableLockPolicyVariableName OPTIONAL ++ ) ++{ ++ return InternalProtocolGetVariablePolicyInfo ( ++ VAR_CHECK_POLICY_COMMAND_GET_LOCK_VAR_STATE_INFO, ++ VariableName, ++ VendorGuid, ++ VariableLockPolicyVariableNameBufferSize, ++ VariablePolicy, ++ VariableLockPolicyVariableName ++ ); ++} ++ + /** + This helper function locates the shared comm buffer and assigns it to input pointers. + +@@ -514,12 +846,14 @@ VariablePolicySmmDxeMain ( + } + + // Configure the VariablePolicy protocol structure. 
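Review bot: In InternalProtocolGetVariablePolicyInfo the check `if ((VariablePolicyVariableName != NULL) && (VariablePolicyVariableNameBufferSize == NULL))` executes after AcquireLockOnlyAtBootTime (&mMmCommunicationLock) but exits with `return EFI_INVALID_PARAMETER;`, so the lock is never released and the following `goto Done;` is unreachable; it should read `Status = EFI_INVALID_PARAMETER;` followed by `goto Done;`, or better, join the other NULL checks above the lock acquisition. Separately, the copy of VariableName into CommandParams->InputVariableName is guarded by `if (AllowedOutputVariableNameSize > 0)`, and that value is forced to zero when the caller passes a NULL size pointer or a zero-sized name buffer (the documented way to query the required size), so in those cases the MM handler appears to receive InputVariableNameSize without the name itself; if that reading is right, the input copy should be bounded by the comm buffer space remaining after VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS_END rather than by the output name size. A smaller inconsistency: the final StrnCpyS passes `(UINTN)CommandParams->OutputVariableNameSize` (a byte count) as Length, whereas the earlier StrnCpyS divides InputVariableNameSize by `sizeof (CHAR16)`; the bounded StrnLenS inside StrnCpyS keeps this safe, but the two calls should agree on units.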
+- mVariablePolicyProtocol.Revision = EDKII_VARIABLE_POLICY_PROTOCOL_REVISION; +- mVariablePolicyProtocol.DisableVariablePolicy = ProtocolDisableVariablePolicy; +- mVariablePolicyProtocol.IsVariablePolicyEnabled = ProtocolIsVariablePolicyEnabled; +- mVariablePolicyProtocol.RegisterVariablePolicy = ProtocolRegisterVariablePolicy; +- mVariablePolicyProtocol.DumpVariablePolicy = ProtocolDumpVariablePolicy; +- mVariablePolicyProtocol.LockVariablePolicy = ProtocolLockVariablePolicy; ++ mVariablePolicyProtocol.Revision = EDKII_VARIABLE_POLICY_PROTOCOL_REVISION; ++ mVariablePolicyProtocol.DisableVariablePolicy = ProtocolDisableVariablePolicy; ++ mVariablePolicyProtocol.IsVariablePolicyEnabled = ProtocolIsVariablePolicyEnabled; ++ mVariablePolicyProtocol.RegisterVariablePolicy = ProtocolRegisterVariablePolicy; ++ mVariablePolicyProtocol.DumpVariablePolicy = ProtocolDumpVariablePolicy; ++ mVariablePolicyProtocol.LockVariablePolicy = ProtocolLockVariablePolicy; ++ mVariablePolicyProtocol.GetVariablePolicyInfo = ProtocolGetVariablePolicyInfo; ++ mVariablePolicyProtocol.GetLockOnVariableStateVariablePolicyInfo = ProtocolGetLockOnVariableStateVariablePolicyInfo; + + // Register all the protocols and return the status. + Status = gBS->InstallMultipleProtocolInterfaces ( +-- +2.43.0 + diff --git a/edk2.spec b/edk2.spec index c454645..e576f4e 100644 --- a/edk2.spec +++ b/edk2.spec @@ -7,7 +7,7 @@ Name: edk2 Version: %{stable_date} -Release: 25 +Release: 26 Summary: EFI Development Kit II License: BSD-2-Clause-Patent and OpenSSL and MIT URL: https://github.com/tianocore/edk2 
@@ -184,6 +184,39 @@ patch114: 0114-OvmfPkg-AmdSev-fix-BdsPlatform.c-assertion-failure-d.patch # Encryption right out of the box. patch115: 0115-OvmfPkg-AmdSev-Integrate-grub2-x86_64-efi-modules-fr.patch +# Support for SEV-SNP +patch116: 0116-UefiCpuPkg-MpInitLib-Use-AsmCpuidEx-for-CPUID_EXTEND.patch +patch117: 0117-UefiCpuPkg-MpInitLib-Copy-SEV-ES-save-area-pointer-d.patch +patch118: 0118-OvmfPkg-MemEncryptSevLib-Fix-address-overflow-during.patch +patch119: 0119-OvmfPkg-IoMmuDxe-Provide-an-implementation-for-SetAt.patch +patch120: 0120-OvmfPkg-ResetVector-Fix-SNP-CPUID-table-processing-r.patch +patch121: 0121-OvmfPkg-ResetVector-improve-page-table-flag-names.patch +patch122: 0122-OvmfPkg-ResetVector-add-ClearOvmfPageTables-macro.patch +patch123: 0123-OvmfPkg-ResetVector-add-CreatePageTables4Level-macro.patch +patch124: 0124-OvmfPkg-ResetVector-split-TDX-BSP-workflow.patch +patch125: 0125-OvmfPkg-ResetVector-split-SEV-and-non-CoCo-workflows.patch +patch126: 0126-OvmfPkg-ResetVector-add-5-level-paging-support.patch +patch127: 0127-OvmfPkg-ResetVector-print-post-codes-for-4-5-level-p.patch +patch128: 0128-OvmfPkg-ResetVector-wire-up-5-level-paging-for-TDX.patch +patch129: 0129-OvmfPkg-ResetVector-Clear-SEV-encryption-bit-for-non.patch +patch130: 0130-OvmfPkg-AmdSev-Reorder-MEMFD-pages-to-match-the-orde.patch +patch131: 0131-OvmfPkg-exclude-NullMemoryTestDxe-driver.patch +patch132: 0132-OvmfPkg-switch-AmdSevX64-to-new-shell-include-files.patch +patch133: 0133-OvmfPkg-ResetVector-send-post-codes-to-qemu-debug-co.patch +patch134: 0134-OvmfPkg-ResetVector-Define-SNP-metadata-for-kernel-h.patch +patch135: 0135-OvmfPkg-Don-t-make-APIC-MMIO-accesses-with-encryptio.patch +patch136: 0136-OvmfPkg-CcExitLib-Drop-special-handling-for-Encrypte.patch +patch137: 0137-OvmfPkg-add-ShellLibs.dsc.inc.patch +patch138: 0138-OvmfPkg-Add-varpolicy-shell-command.patch +patch139: 0139-OvmfPkg-exclude-the-CSM-based-VideoDxe-driver.patch +patch140: 0140-OvmfPkg-exclude-LegacyBiosDxe.patch 
+patch141: 0141-OvmfPkg-exclude-Csm16.inf-Csm16.bin.patch +patch142: 0142-OvmfPkg-add-ShellComponents.dsc.inc.patch +patch143: 0143-OvmfPkg-add-ShellDxe.fdf.inc.patch +patch144: 0144-OvmfPkg-Shell-.inc-allow-building-without-network-su.patch +patch145: 0145-ShellPkg-Add-varpolicy-dynamic-shell-command-and-app.patch +patch146: 0146-MdeModulePkg-VariablePolicy-Add-more-granular-variab.patch + BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command isl %ifarch x86_64 @@ -495,6 +528,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys %endif %changelog +* Thu Aug 21 2025 PrithivishS - 202308-26 +- Support for AMD SEV-SNP + * Wed Jun 25 2025 hanliyang - 202308-25 - Build OVMF.fd using AmdSevX64.dsc to support Full Disk Encryption - Add build process that uses OvmfPkg/AmdSev/AmdSevX64.dsc -- Gitee