| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1194
Speculative execution is used by processor to avoid having to wait for
data to arrive from memory, or for previous operations to finish, the
processor may speculate as to what will be executed.
If the speculation is incorrect, the speculatively executed instructions
might leave hints such as which memory locations have been brought into
cache. Malicious actors can use the bounds check bypass method (code
gadgets with controlled external inputs) to infer data values that have
been used in speculative operations to reveal secrets which should not
otherwise be accessed.
This commit will focus on the SMI handler(s) registered within the
SmmCorePerformanceLib and insert AsmLfence API to mitigate the bounds
check bypass issue.
For SMI handler SmmPerformanceHandlerEx():
Under "case SMM_PERF_FUNCTION_GET_GAUGE_DATA :",
'SmmPerfCommData->LogEntryKey' can be a potential cross boundary access of
the 'CommBuffer' (controlled external inputs) during speculative
execution. This cross boundary access is then assign to parameter
'LogEntryKey'. And the value of 'LogEntryKey' can be inferred by code:
CopyMem (
(UINT8 *) &GaugeDataEx[Index],
(UINT8 *) &GaugeEntryExArray[LogEntryKey++],
sizeof (GAUGE_DATA_ENTRY_EX)
);
One can observe which part of the content within 'GaugeEntryExArray' was
brought into cache to possibly reveal the value of 'LogEntryKey'.
Hence, this commit adds a AsmLfence() after the boundary/range checks of
'CommBuffer' to prevent the speculative execution.
And there is 1 similar case for SMI handler SmmPerformanceHandler() as
well. This commit also handles it.
A more detailed explanation of the purpose of commit is under the
'Bounds check bypass mitigation' section of the below link:
https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation
And the document at:
https://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit applies edk2 master branch commit
e83d841fdc2878959185c4c6cc38a7a1e88377a4 to the VariableAuthenticated
driver.
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1194
Speculative execution is used by processor to avoid having to wait for
data to arrive from memory, or for previous operations to finish, the
processor may speculate as to what will be executed.
If the speculation is incorrect, the speculatively executed instructions
might leave hints such as which memory locations have been brought into
cache. Malicious actors can use the bounds check bypass method (code
gadgets with controlled external inputs) to infer data values that have
been used in speculative operations to reveal secrets which should not
otherwise be accessed.
This commit will focus on the SMI handler(s) registered within the
VariableAuthenticated\RuntimeDxe driver and insert AsmLfence API to
mitigate the bounds check bypass issue.
For SMI handler SmmVariableHandler():
Under "case SMM_VARIABLE_FUNCTION_GET_VARIABLE:",
'SmmVariableHeader->NameSize' can be a potential cross boundary access of
the 'CommBuffer' (controlled external input) during speculative execution.
This cross boundary access is later used as the index to access array
'SmmVariableHeader->Name' by code:
"SmmVariableHeader->Name[SmmVariableHeader->NameSize/sizeof (CHAR16) - 1]"
One can observe which part of the content within array was brought into
cache to possibly reveal the value of 'SmmVariableHeader->NameSize'.
Hence, this commit adds a AsmLfence() after the boundary/range checks of
'CommBuffer' to prevent the speculative execution.
And there is 1 similar cases under
"case SMM_VARIABLE_FUNCTION_SET_VARIABLE:" as well. This commits also
handles it.
Also, under "case SMM_VARIABLE_FUNCTION_SET_VARIABLE:",
'(UINT8 *)SmmVariableHeader->Name + SmmVariableHeader->NameSize' points to
the 'CommBuffer' (with some offset) and then passed as parameter 'Data' to
function VariableServiceSetVariable().
Within function VariableServiceSetVariable(), there is a sanity check for
EFI_VARIABLE_AUTHENTICATION_2 descriptor for the data pointed by 'Data'.
If this check is speculatively bypassed, potential cross-boundary data
access for 'Data' is possible to be revealed via the below function calls
sequence during speculative execution:
ProcessVarWithPk() or ProcessVarWithKek()
Within function ProcessVarWithPk() or ProcessVarWithKek(), for the code
"PayloadSize = DataSize - AUTHINFO2_SIZE (Data);", 'AUTHINFO2_SIZE (Data)'
can be a cross boundary access during speculative execution.
Then, 'PayloadSize' is possible to be revealed by the function call
sequence:
UpdateVariable()
CopyMem()
Hence, this commit adds a AsmLfence() after the sanity check for
EFI_VARIABLE_AUTHENTICATION_2 descriptor upon 'Data' within function
VariableServiceSetVariable() to prevent the speculative execution.
Also, please note that the change made within function
VariableServiceSetVariable() will affect DXE as well. However, since we
only focuses on the SMM codes, the commit will introduce a new module
internal function called VariableLoadFence() to handle this. This internal
function will have 2 implementations (1 for SMM, 1 for DXE). For the SMM
implementation, it is a wrapper to call the AsmLfence() API; for the DXE
implementation, it is empty.
A more detailed explanation of the purpose of commit is under the
'Bounds check bypass mitigation' section of the below link:
https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation
And the document at:
https://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1194
Speculative execution is used by processor to avoid having to wait for
data to arrive from memory, or for previous operations to finish, the
processor may speculate as to what will be executed.
If the speculation is incorrect, the speculatively executed instructions
might leave hints such as which memory locations have been brought into
cache. Malicious actors can use the bounds check bypass method (code
gadgets with controlled external inputs) to infer data values that have
been used in speculative operations to reveal secrets which should not
otherwise be accessed.
This commit will focus on the SMI handler(s) registered within the
Variable\RuntimeDxe driver and insert AsmLfence API to mitigate the
bounds check bypass issue.
For SMI handler SmmVariableHandler():
Under "case SMM_VARIABLE_FUNCTION_GET_VARIABLE:",
'SmmVariableHeader->NameSize' can be a potential cross boundary access of
the 'CommBuffer' (controlled external input) during speculative execution.
This cross boundary access is later used as the index to access array
'SmmVariableHeader->Name' by code:
"SmmVariableHeader->Name[SmmVariableHeader->NameSize/sizeof (CHAR16) - 1]"
One can observe which part of the content within array was brought into
cache to possibly reveal the value of 'SmmVariableHeader->NameSize'.
Hence, this commit adds a AsmLfence() after the boundary/range checks of
'CommBuffer' to prevent the speculative execution.
And there are 1 similar case under
"case SMM_VARIABLE_FUNCTION_SET_VARIABLE:" as well. This commits also
handles it.
A more detailed explanation of the purpose of commit is under the
'Bounds check bypass mitigation' section of the below link:
https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation
And the document at:
https://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Regression-tested-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit e83d841fdc2878959185c4c6cc38a7a1e88377a4)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1194
Speculative execution is used by processor to avoid having to wait for
data to arrive from memory, or for previous operations to finish, the
processor may speculate as to what will be executed.
If the speculation is incorrect, the speculatively executed instructions
might leave hints such as which memory locations have been brought into
cache. Malicious actors can use the bounds check bypass method (code
gadgets with controlled external inputs) to infer data values that have
been used in speculative operations to reveal secrets which should not
otherwise be accessed.
This commit will focus on the SMI handler(s) registered within the
SmmLockBox driver and insert AsmLfence API to mitigate the
bounds check bypass issue.
For SMI handler SmmLockBoxHandler():
Under "case EFI_SMM_LOCK_BOX_COMMAND_SAVE:", the 'CommBuffer' (controlled
external inputs) is passed to function SmmLockBoxSave().
'TempLockBoxParameterSave.Length' can be a potential cross boundary access
of the 'CommBuffer' during speculative execution. This cross boundary
access is later passed as parameter 'Length' into function SaveLockBox().
Within function SaveLockBox(), the value of 'Length' can be inferred by
code:
"CopyMem ((VOID *)(UINTN)SmramBuffer, (VOID *)(UINTN)Buffer, Length);".
One can observe which part of the content within 'Buffer' was brought into
cache to possibly reveal the value of 'Length'.
Hence, this commit adds a AsmLfence() after the boundary/range checks of
'CommBuffer' to prevent the speculative execution.
And there is a similar case under "case EFI_SMM_LOCK_BOX_COMMAND_UPDATE:"
function SmmLockBoxUpdate() as well. This commits also handles it.
A more detailed explanation of the purpose of commit is under the
'Bounds check bypass mitigation' section of the below link:
https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation
And the document at:
https://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Regression-tested-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit ee65b84e7663d12c1f950a418a0ed63776a80e4f)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1194
Speculative execution is used by processor to avoid having to wait for
data to arrive from memory, or for previous operations to finish, the
processor may speculate as to what will be executed.
If the speculation is incorrect, the speculatively executed instructions
might leave hints such as which memory locations have been brought into
cache. Malicious actors can use the bounds check bypass method (code
gadgets with controlled external inputs) to infer data values that have
been used in speculative operations to reveal secrets which should not
otherwise be accessed.
This commit will focus on the SMI handler(s) registered within the
FaultTolerantWriteDxe driver and insert AsmLfence API to mitigate the
bounds check bypass issue.
For SMI handler SmmFaultTolerantWriteHandler():
Under "case FTW_FUNCTION_WRITE:", 'SmmFtwWriteHeader->Length' can be a
potential cross boundary access of the 'CommBuffer' (controlled external
inputs) during speculative execution. This cross boundary access is later
passed as parameter 'Length' into function FtwWrite().
Within function FtwWrite(), the value of 'Length' can be inferred by code:
"CopyMem (MyBuffer + Offset, Buffer, Length);". One can observe which part
of the content within 'Buffer' was brought into cache to possibly reveal
the value of 'Length'.
Hence, this commit adds a AsmLfence() after the boundary/range checks of
'CommBuffer' to prevent the speculative execution.
A more detailed explanation of the purpose of commit is under the
'Bounds check bypass mitigation' section of the below link:
https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation
And the document at:
https://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Regression-tested-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit cb54cd24634cfeccadb661f7f65aab3adee05e1c)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1193
This commit will add a new BaseLib API AsmLfence(). This API will perform
a serializing operation on all load-from-memory instructions that were
issued prior to the call of this function. Please note that this API is
only available on IA-32 and x64.
The purpose of adding this API is to mitigate of the [CVE-2017-5753]
Bounds Check Bypass issue when untrusted data are being processed within
SMM. More details can be referred at the 'Bounds check bypass mitigation'
section at the below link:
https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Regression-tested-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 2ecd829972f8553de83fbf943c5b89863999d7c8)
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch remove the ASSERT when receive a DHCP packet large than the maximum
cache buffer size.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Wu Jiaxin <jiaxin.wu@intel.com>
(cherry picked from commit a35dc6499beb0b76c340379a06dff74a8d38095a)
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch remove the ASSERT when receive a DHCP packet large than the maximum
cache buffer size.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Wu Jiaxin <jiaxin.wu@intel.com>
(cherry picked from commit 471342bbefaac1c21fe7fa4e80949b552b12fbdd)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Current code in SmmVariableHandler() checks CommBufferSize
buffer to make sure it points to outside SMRAM in
"case SMM_VARIABLE_FUNCTION_GET_STATISTICS".
But after eaae7b33b1cf6b9f21db1636f219c2b6a8d88afd,
CommBufferSize buffer points to SMRAM that was used by
SMM core to cache CommSize from SmmCommunication protocol,
then the check will fail definitely and GET_STATISTICS
feature breaks.
In fact, do not need check CommBufferSize buffer at all
even before eaae7b33b1cf6b9f21db1636f219c2b6a8d88afd.
Before eaae7b33b1cf6b9f21db1636f219c2b6a8d88afd,
CommBufferSize buffer pointed to gSmmCorePrivate->BufferSize
that is outside SMRAM, the check will success definitely;
after eaae7b33b1cf6b9f21db1636f219c2b6a8d88afd,
CommBufferSize buffer points to local variable BufferSize
(in SMRAM) in SmmEntryPoint(), the check is not needed
definitely.
The patch is to remove the check.
NOTE: This patch comes from 62016c1e898434a0326f658912b1e7e0a9c5575e
in master. Since master already has variable driver merged from
SecurityPkg to MdeModulePkg, 62016c1e898434a0326f658912b1e7e0a9c5575e
in master only updated MdeModulePkg. But variable drivers in UDK2014.SP1
are not merged, so both MdeModulePkg and SecurityPkg need to be updated,
e71ee2151fa5acabfb944f60898ae8132cf39811 is to cover MdeModulePkg update,
this patch is to cover SecurityPkg update.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jeff Fan <jeff.fan@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Current code in SmmVariableHandler() checks CommBufferSize
buffer to make sure it points to outside SMRAM in
"case SMM_VARIABLE_FUNCTION_GET_STATISTICS".
But after eaae7b33b1cf6b9f21db1636f219c2b6a8d88afd,
CommBufferSize buffer points to SMRAM that was used by
SMM core to cache CommSize from SmmCommunication protocol,
then the check will fail definitely and GET_STATISTICS
feature breaks.
In fact, do not need check CommBufferSize buffer at all
even before eaae7b33b1cf6b9f21db1636f219c2b6a8d88afd.
Before eaae7b33b1cf6b9f21db1636f219c2b6a8d88afd,
CommBufferSize buffer pointed to gSmmCorePrivate->BufferSize
that is outside SMRAM, the check will success definitely;
after eaae7b33b1cf6b9f21db1636f219c2b6a8d88afd,
CommBufferSize buffer points to local variable BufferSize
(in SMRAM) in SmmEntryPoint(), the check is not needed
definitely.
The patch is to remove the check.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jeff Fan <jeff.fan@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
(cherry picked from commit 62016c1e898434a0326f658912b1e7e0a9c5575e)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In current DriverSampleDxe, the sample code of password is
not a good example, so we plan to remove it.
Cc: Liming Gao <liming.gao@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
|
| |
|
|
|
|
|
|
|
| |
Cc: Liming Gao <liming.gao@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
|
| |
|
|
|
|
|
|
|
| |
Cc: Liming Gao <liming.gao@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
In current SetupBrowser, the logic related to non-interative password
is not correct. How to support it correctly or whether support it
is still under investigation. First step remove the incorrect logic.
Cc: Liming Gao <liming.gao@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
when the password is not supported, pop up a dialogue
to let user know the reason.
Cc: Liming Gao <liming.gao@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
gSmmCorePrivate->CommunicationBuffer and gSmmCorePrivate->BufferSize locate at
runtime memory region. That means they could be modified by non-SMM code during
runtime.
We should cache them into SMM local variables before we verify them. After
verification, we should use the cached ones directly instead of the ones in
gSmmCorePrivate.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Feng Tian <feng.tian@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jeff Fan <jeff.fan@intel.com>
(cherry picked from commit eaae7b33b1cf6b9f21db1636f219c2b6a8d88afd)
|
| |
|
|
|
|
|
|
|
|
| |
This patch updates the PXE driver to drop the input DHCP packet if it
exceed the maximum length.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-By: Wu Jiaxin <jiaxin.wu@intel.com>
(cherry picked from commit 4f6b33b460226bc1a54d8af2c0f4fe195f2f04ce)
|
| |
|
|
|
|
|
|
|
|
| |
This patch updates the PXE driver to drop the input DHCP packet
if it exceed the maximum length.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-By: Wu Jiaxin <jiaxin.wu@intel.com>
(cherry picked from commit 632dcfd6857b6211ce3fe9755d3c11e74ef5d447)
|
| |
|
|
|
|
|
|
|
| |
Update externals.txt to contain the version information of the
corresponding edk2-BaseTools-win32 repository for UDK2014.SP1 branch.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Jeff Fan <jeff.fan@intel.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(Sync missing part of commit d8162f5b3283a06a6dc4e2e05cd0c45fc4358eb0 from
master)
Code logic ensures that the pointer 'DriverInfoData' will not be NULL when
it is used.
Add ASSERT as warning for case that will not happen.
Cc: Star Zeng <star.zeng@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
(cherry picked from commit d8162f5b3283a06a6dc4e2e05cd0c45fc4358eb0)
|
| |
|
|
|
|
|
|
| |
This commit modifies codes to avoid passing NULL pointer to function
BN_bn2bin().
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
|
| |
|
|
|
| |
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
|
| |
|
|
|
|
|
|
|
|
| |
GCC build failure: 'RealCommSize' may be used uninitialized
(This commit integrate changes in 05b39efb669eaa173a76e58daf8e65bce2e0299e
from master.)
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
|
| |
|
|
|
|
|
|
| |
(This commit integrate changes in faf3de9bd036cd2a387c1e44d403d24386fadb49
from master.)
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
|
| |
|
|
|
|
|
|
|
| |
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
(cherry picked from commit fd3fac0fb29dd093fc89cdbdd5de925a82595c5b)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In certain rare circumstance, the data passed from outside of SMM may be
invalid resulting the integer overflow. The issue are found by code review.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17908 6f19259b-4bc3-4df7-8a09-765794883524
(cherry picked from commit 579b5ef204947defbd6fc60c11bdd740ad09d6e9)
|
| |
|
|
|
|
|
|
|
| |
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17907 6f19259b-4bc3-4df7-8a09-765794883524
(cherry picked from commit d7fc5cfd68bdf7d0b3d94fe08a523130c961d296)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
buffer.
This patch adds more check in SmmIsBufferOutsideSmmValid(), to make sure that
SMM communication buffer is only EfiReservedMemoryType/EfiRuntimeServicesCode/
EfiRuntimeServicesData/EfiACPIMemoryNVS. So that the communication buffer will
not touch any OS memory.
The assumption is that a platform reports valid SMM communication buffer at
EndOfDxe, because EndOfDxe is last hook point that SMM code can call-out to
get memory map information.
A platform MUST finish SMM communication buffer allocation before EndOfDxe.
If a DXE or OS driver need do communication after EndOfDxe, it can either
allocate SMM communication buffer before EndOfDxe and save it, or consume
EDKII_PI_SMM_COMMUNICATION_REGION_TABLE table to get general fixed comm buffer.
This is designed to meet Microsoft WSMT table definition on FIXED_COMM_BUFFERS
requirement.
Cc: Liming Gao <liming.gao@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
Regression-tested-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 91f51fcc84d9ce3b801fdd895e514cd5525975c7)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch enhance performance data SMM communication by using fixed
SMM communication buffer.
Update PerformanceLib to use fixed SMM communication buffer to get
performance data by SMM_PERF_COMMUNICATE API.
This is designed to meet Microsoft WSMT table definition on FIXED_COMM_BUFFERS
requirement.
Cc: Liming Gao <liming.gao@intel.com>
Cc: Feng Tian <feng.tian@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Feng Tian <feng.tian@intel.com>
(cherry picked from commit de2459d66d87eb526e3a21f1e6682fac8e1926c5)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
in FpdtDxe.
This patch enhance performance data SMM communication by using fixed
SMM communication buffer.
Update FpdtDxe to use fixed SMM communication buffer to get
performance data by SMM_FPDT_FUNCTION_GET_BOOT_RECORD_DATA_BY_OFFSET API.
This is designed to meet Microsoft WSMT table definition on FIXED_COMM_BUFFERS
requirement.
Cc: Liming Gao <liming.gao@intel.com>
Cc: Feng Tian <feng.tian@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Feng Tian <feng.tian@intel.com>
(cherry picked from commit d158ba675b95c9f07455d77d0ef68ce22e7f65d0)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
in FpdtSmm Handler.
This patch enhance performance data SMM communication by using fixed
SMM communication buffer.
Update FpdtSmm to handle SMM_FPDT_FUNCTION_GET_BOOT_RECORD_DATA_BY_OFFSET
request.
This is designed to meet Microsoft WSMT table definition on FIXED_COMM_BUFFERS
requirement.
Cc: Liming Gao <liming.gao@intel.com>
Cc: Feng Tian <feng.tian@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Feng Tian <feng.tian@intel.com>
(cherry picked from commit 77a6e6c4f966bd618196ba7196964515228a84e1)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
definition.
This patch enhance performance data SMM communication by using fixed
SMM communication buffer.
A new command SMM_FPDT_FUNCTION_GET_BOOT_RECORD_DATA_BY_OFFSET is added,
because we need to support get partial PerformanceData to fixed SMM communication
buffer. If performance data is bigger than fixed SMM communication buffer,
the DXE agent need to call SMM_FPDT_FUNCTION_GET_BOOT_RECORD_DATA_BY_OFFSET
multiple times to get all data out.
This is designed to meet Microsoft WSMT table definition on FIXED_COMM_BUFFERS
requirement.
Cc: Liming Gao <liming.gao@intel.com>
Cc: Feng Tian <feng.tian@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Feng Tian <feng.tian@intel.com>
(cherry picked from commit 7110e306faaf713ca644719685a7cb21f3c17d8b)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
SMRAM_PROFILE_COMMAND_GET_PROFILE_DATA_BY_OFFSET in MemoryProfileInfo.
This patch enhance SMM memory profile SMM communication by using fixed
SMM communication buffer.
Update MemoryProfileInfo APP to use fixed SMM communication buffer to get
profile data by SMRAM_PROFILE_COMMAND_GET_PROFILE_DATA_BY_OFFSET API.
This is designed to meet Microsoft WSMT table definition on FIXED_COMM_BUFFERS
requirement.
Cc: Star Zeng <star.zeng@intel.com>
Cc: Feng Tian <feng.tian@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Feng Tian <feng.tian@intel.com>
(cherry picked from commit 2f7961c7d67faad52449ec8d5c71b2cd891bd7b6)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
SMRAM_PROFILE_COMMAND_GET_PROFILE_DATA_BY_OFFSET in PiSmmCore.
This patch enhance SMM memory profile SMM communication by using fixed
SMM communication buffer.
Update PiSmmCore to handle SMRAM_PROFILE_COMMAND_GET_PROFILE_DATA_BY_OFFSET
request.
This is designed to meet Microsoft WSMT table definition on FIXED_COMM_BUFFERS
requirement.
Cc: Star Zeng <star.zeng@intel.com>
Cc: Feng Tian <feng.tian@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Feng Tian <feng.tian@intel.com>
Regression-tested-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit c3592c86ee39c3582f1d4c6b31cf91113e9d4c5f)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
SMRAM_PROFILE_COMMAND_GET_PROFILE_DATA_BY_OFFSET definition.
This patch enhance SMM memory profile SMM communication by using fixed
SMM communication buffer.
A new command SMRAM_PROFILE_COMMAND_GET_PROFILE_DATA_BY_OFFSET is added,
because we need to support get partial ProfileData to fixed SMM communication
buffer. If profile data is bigger than fixed SMM communication buffer,
the DXE agent need to call SMRAM_PROFILE_COMMAND_GET_PROFILE_DATA_BY_OFFSET
multiple times to get all data out.
This is designed to meet Microsoft WSMT table definition on FIXED_COMM_BUFFERS
requirement.
Cc: Star Zeng <star.zeng@intel.com>
Cc: Feng Tian <feng.tian@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Feng Tian <feng.tian@intel.com>
(cherry picked from commit 73e0de62826dffe8f9e32d6d0d18b54a8a5d3f38)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a driver to publish EDKII_PI_SMM_COMMUNICATION_REGION_TABLE, so that
other DXE driver can consume this table directly. NOTE: This is sample driver.
A platform may uses its own way to define default SMM communication buffer
region and publish information in its own
EDKII_PI_SMM_COMMUNICATION_REGION_TABLE.
This is designed to meet Microsoft WSMT table definition on FIXED_COMM_BUFFERS
requirement.
Cc: Feng Tian <feng.tian@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Feng, Tian <feng.tian@intel.com>
(cherry picked from commit 6e4e6ffda448b77a3b2f3549137aca5c1b62cb4a)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This configuration table is used to describe platform pre-allocated memory
for SMM communication buffer. If DXE driver wants to communicate with SMM
agent, it can use this memory as SMM communication buffer instead of allocate
new memory region.
This is designed to meet Microsoft WSMT table definition on FIXED_COMM_BUFFERS
requirement.
Cc: Feng Tian <feng.tian@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Feng Tian <feng.tian@intel.com>
(cherry picked from commit 1e01ea240e67aacd0e6b99012ac4ab3b68be8215)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Update WSMT table link to official MSDN URL.
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Samer El-Haj-Mahmoud <elhaj@hpe.com>
(cherry picked from commit e6877b56b2e6d781fe0ce808318c779eb703657c)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch adds Windows SMM Security Mitigation
Table @ http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx
Cc: "Gao, Liming" <liming.gao@intel.com>
Cc: "Kinney, Michael D" <michael.d.kinney@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: "Yao, Jiewen" <jiewen.yao@intel.com>
Reviewed-by: "Gao, Liming" <liming.gao@intel.com>
(cherry picked from commit 6a0d24221241bb1b13bafc7b2d264240d19d2993)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
We had put communication buffer to Runtime memory,
so that SMI handler can know it is not used by OS.
(Sync patch r18949 from main trunk.)
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: "Yao, Jiewen" <jiewen.yao@intel.com>
Reviewed-by: "Zeng, Star" <star.zeng@intel.com>
Reviewed-by: "Kinney, Michael D" <michael.d.kinney@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18949 6f19259b-4bc3-4df7-8a09-765794883524
|
| |
|
|
|
|
|
|
| |
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Tim He <tim.he@intel.com>
Review-by: David Wei <david.wei@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/branches/UDK2014.SP1@19757 6f19259b-4bc3-4df7-8a09-765794883524
|
| |
|
|
|
|
|
|
|
|
| |
Add setup option to control _STA of LPE Audio.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Shifei Lu <shifeix.a.lu@intel.com>
Reviewed-by: David Wei <david.wei@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/branches/UDK2014.SP1@19704 6f19259b-4bc3-4df7-8a09-765794883524
|
| |
|
|
|
|
|
| |
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Tim He <tim.he@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/branches/UDK2014.SP1@19641 6f19259b-4bc3-4df7-8a09-765794883524
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Reset BIOS Setup when the jumper is
present on Turbot board.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Shifei Lu <shifeix.a.lu@intel.com>
Reviewed-by: Tim He <tim.he@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/branches/UDK2014.SP1@19122 6f19259b-4bc3-4df7-8a09-765794883524
|
| |
|
|
|
|
|
|
|
|
| |
update Ssdt table to ACPI table.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Shifei Lu <shifeix.a.lu@intel.com>
Reviewed-by: Tim He <tim.he@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/branches/UDK2014.SP1@19103 6f19259b-4bc3-4df7-8a09-765794883524
|
| |
|
|
|
|
|
|
|
|
| |
and Change Flash size from 3M to 4M.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Shifei Lu <shifeix.a.lu@intel.com>
Reviewed-by: David Wei <david.wei@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/branches/UDK2014.SP1@18779 6f19259b-4bc3-4df7-8a09-765794883524
|
| |
|
|
|
|
|
|
|
|
| |
Add 'yL' build option to enable SPI lock for MinnowBoard Max.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Tim He <tim.he@intel.com>
Reviewed-by: David Wei <david.wei@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/branches/UDK2014.SP1@18776 6f19259b-4bc3-4df7-8a09-765794883524
|
| |
|
|
|
|
|
|
|
|
| |
Add "RTC Battery Present" item in setup page.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Lu Shifei <shifeix.a.lu@intel.com>
Reviewed-by: Tim He <tim.he@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/branches/UDK2014.SP1@18734 6f19259b-4bc3-4df7-8a09-765794883524
|
| |
|
|
|
|
|
| |
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Tim He <tim.he@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/branches/UDK2014.SP1@18683 6f19259b-4bc3-4df7-8a09-765794883524
|
| |
|
|
|
|
|
|
|
|
| |
MinnowBoard Turbot board.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Tim He <tim.he@intel.com>
Reviewed-by: David Wei <david.wei@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/branches/UDK2014.SP1@18508 6f19259b-4bc3-4df7-8a09-765794883524
|
