From nobody Tue Feb 10 17:13:06 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1520428767108460.58598354315643; Wed, 7 Mar 2018 05:19:27 -0800 (PST) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 077BC2257C2BA; Wed, 7 Mar 2018 05:13:09 -0800 (PST) Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id E77C32255D6E3 for ; Wed, 7 Mar 2018 05:13:06 -0800 (PST) Received: from orsmga007.jf.intel.com ([10.7.209.58]) by orsmga104.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Mar 2018 05:19:22 -0800 Received: from shwdeopenpsi068.ccr.corp.intel.com ([10.239.158.46]) by orsmga007.jf.intel.com with ESMTP; 07 Mar 2018 05:19:21 -0800 X-Original-To: edk2-devel@lists.01.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=134.134.136.31; helo=mga06.intel.com; envelope-from=star.zeng@intel.com; receiver=edk2-devel@lists.01.org X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.47,435,1515484800"; d="scan'208";a="22725221" From: Star Zeng To: edk2-devel@lists.01.org Date: Wed, 7 Mar 2018 21:19:11 +0800 Message-Id: <1520428757-69040-2-git-send-email-star.zeng@intel.com> X-Mailer: git-send-email 2.7.0.windows.1 In-Reply-To: <1520428757-69040-1-git-send-email-star.zeng@intel.com> References: <1520428757-69040-1-git-send-email-star.zeng@intel.com> Subject: [edk2] [PATCH V2 1/7] MdeModulePkg LockBoxLib: Support LOCK_BOX_ATTRIBUTE_RESTORE_IN_S3_ONLY X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jiewen Yao , Star Zeng MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" With this flag, the LockBox can be restored in S3 resume only. The LockBox can not be restored after SmmReadyToLock in normal boot and after EndOfS3Resume in S3 resume. It can not be set together with LOCK_BOX_ATTRIBUTE_RESTORE_IN_PLACE. Cc: Jiewen Yao Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Star Zeng Reviewed-by: Jiewen Yao --- MdeModulePkg/Include/Library/LockBoxLib.h | 14 +- .../Library/SmmLockBoxLib/SmmLockBoxDxeLib.c | 4 +- .../Library/SmmLockBoxLib/SmmLockBoxSmmLib.c | 227 +++++++++++++++++= +++- .../Library/SmmLockBoxLib/SmmLockBoxSmmLib.inf | 10 +- 4 files changed, 247 insertions(+), 8 deletions(-) diff --git a/MdeModulePkg/Include/Library/LockBoxLib.h b/MdeModulePkg/Inclu= de/Library/LockBoxLib.h index db7fd05def58..80beb4d0f880 100644 --- a/MdeModulePkg/Include/Library/LockBoxLib.h +++ b/MdeModulePkg/Include/Library/LockBoxLib.h @@ -2,7 +2,7 @@ This library is only intended to be used by DXE modules that need save confidential information to LockBox and get it by PEI modules in S3 phas= e. =20 -Copyright (c) 2010 - 2011, Intel Corporation. All rights reserved.
+Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
=20 This program and the accompanying materials are licensed and made available under the terms and conditions @@ -62,9 +62,17 @@ SetLockBoxAttributes ( ); =20 // -// With this flag, this LockBox can be restored to this Buffer with Restor= eAllLockBoxInPlace() +// With this flag, this LockBox can be restored to this Buffer +// with RestoreAllLockBoxInPlace() // -#define LOCK_BOX_ATTRIBUTE_RESTORE_IN_PLACE BIT0 +#define LOCK_BOX_ATTRIBUTE_RESTORE_IN_PLACE BIT0 +// +// With this flag, this LockBox can be restored in S3 resume only. +// This LockBox can not be restored after SmmReadyToLock in normal boot +// and after EndOfS3Resume in S3 resume. +// It can not be set together with LOCK_BOX_ATTRIBUTE_RESTORE_IN_PLACE. +// +#define LOCK_BOX_ATTRIBUTE_RESTORE_IN_S3_ONLY BIT1 =20 /** This function will update confidential information to lockbox. diff --git a/MdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxDxeLib.c b/MdeMod= ulePkg/Library/SmmLockBoxLib/SmmLockBoxDxeLib.c index b75f81e69e04..9b6f0bedbd4f 100644 --- a/MdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxDxeLib.c +++ b/MdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxDxeLib.c @@ -1,6 +1,6 @@ /** @file =20 -Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.
+Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
=20 This program and the accompanying materials are licensed and made available under the terms and conditions @@ -241,7 +241,7 @@ SetLockBoxAttributes ( // Basic check // if ((Guid =3D=3D NULL) || - ((Attributes & ~LOCK_BOX_ATTRIBUTE_RESTORE_IN_PLACE) !=3D 0)) { + ((Attributes & ~(LOCK_BOX_ATTRIBUTE_RESTORE_IN_PLACE | LOCK_BOX_ATTR= IBUTE_RESTORE_IN_S3_ONLY)) !=3D 0)) { return EFI_INVALID_PARAMETER; } =20 diff --git a/MdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxSmmLib.c b/MdeMod= ulePkg/Library/SmmLockBoxLib/SmmLockBoxSmmLib.c index 4960df755534..af75a4cb9cd1 100644 --- a/MdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxSmmLib.c +++ b/MdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxSmmLib.c @@ -1,6 +1,6 @@ /** @file =20 -Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.
+Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
=20 This program and the accompanying materials are licensed and made available under the terms and conditions @@ -20,6 +20,10 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHE= R EXPRESS OR IMPLIED. #include #include #include +#include +#include +#include +#include =20 #include "SmmLockBoxLibPrivate.h" =20 @@ -31,6 +35,11 @@ SMM_LOCK_BOX_CONTEXT mSmmLockBoxContext; LIST_ENTRY mLockBoxQueue =3D INITIALIZE_LIST_HEAD_VARIABLE (mLoc= kBoxQueue); =20 BOOLEAN mSmmConfigurationTableInstalled =3D FALSE; +VOID *mRegistrationSmmEndOfDxe =3D NULL; +VOID *mRegistrationSmmReadyToLock =3D NULL; +VOID *mRegistrationEndOfS3Resume =3D NULL; +BOOLEAN mSmmLockBoxSmmReadyToLock =3D FALSE; +BOOLEAN mSmmLockBoxDuringS3Resume =3D FALSE; =20 /** This function return SmmLockBox context from SMST. @@ -64,6 +73,128 @@ InternalGetSmmLockBoxContext ( } =20 /** + Notification for SMM ReadyToLock protocol. + + @param[in] Protocol Points to the protocol's unique identifier. + @param[in] Interface Points to the interface instance. + @param[in] Handle The handle on which the interface was installed. + + @retval EFI_SUCCESS Notification runs successfully. +**/ +EFI_STATUS +EFIAPI +SmmLockBoxSmmReadyToLockNotify ( + IN CONST EFI_GUID *Protocol, + IN VOID *Interface, + IN EFI_HANDLE Handle + ) +{ + mSmmLockBoxSmmReadyToLock =3D TRUE; + return EFI_SUCCESS; +} + +/** + Main entry point for an SMM handler dispatch or communicate-based callba= ck. + + @param[in] DispatchHandle The unique handle assigned to this handle= r by SmiHandlerRegister(). + @param[in] Context Points to an optional handler context whi= ch was specified when the + handler was registered. + @param[in,out] CommBuffer A pointer to a collection of data in memo= ry that will + be conveyed from a non-SMM environment in= to an SMM environment. + @param[in,out] CommBufferSize The size of the CommBuffer. + + @retval EFI_SUCCESS The interrupt was handled an= d quiesced. No other handlers + should still be called. + @retval EFI_WARN_INTERRUPT_SOURCE_QUIESCED The interrupt has been quies= ced but other handlers should + still be called. + @retval EFI_WARN_INTERRUPT_SOURCE_PENDING The interrupt is still pendi= ng and other handlers should still + be called. + @retval EFI_INTERRUPT_PENDING The interrupt could not be q= uiesced. +**/ +EFI_STATUS +EFIAPI +SmmLockBoxS3EntryCallBack ( + IN EFI_HANDLE DispatchHandle, + IN CONST VOID *Context OPTIONAL, + IN OUT VOID *CommBuffer OPTIONAL, + IN OUT UINTN *CommBufferSize OPTIONAL + ) +{ + mSmmLockBoxDuringS3Resume =3D TRUE; + return EFI_SUCCESS; +} + +/** + Notification for SMM EndOfDxe protocol. + + @param[in] Protocol Points to the protocol's unique identifier. + @param[in] Interface Points to the interface instance. + @param[in] Handle The handle on which the interface was installed. + + @retval EFI_SUCCESS Notification runs successfully. +**/ +EFI_STATUS +EFIAPI +SmmLockBoxSmmEndOfDxeNotify ( + IN CONST EFI_GUID *Protocol, + IN VOID *Interface, + IN EFI_HANDLE Handle + ) +{ + EFI_STATUS Status; + EFI_SMM_SX_DISPATCH2_PROTOCOL *SxDispatch; + EFI_SMM_SX_REGISTER_CONTEXT EntryRegisterContext; + EFI_HANDLE S3EntryHandle; + + // + // Locate SmmSxDispatch2 protocol. + // + Status =3D gSmst->SmmLocateProtocol ( + &gEfiSmmSxDispatch2ProtocolGuid, + NULL, + (VOID **)&SxDispatch + ); + if (!EFI_ERROR (Status) && (SxDispatch !=3D NULL)) { + // + // Register a S3 entry callback function to + // determine if it will be during S3 resume. + // + EntryRegisterContext.Type =3D SxS3; + EntryRegisterContext.Phase =3D SxEntry; + Status =3D SxDispatch->Register ( + SxDispatch, + SmmLockBoxS3EntryCallBack, + &EntryRegisterContext, + &S3EntryHandle + ); + ASSERT_EFI_ERROR (Status); + } + + return EFI_SUCCESS; +} + +/** + Notification for SMM EndOfS3Resume protocol. + + @param[in] Protocol Points to the protocol's unique identifier. + @param[in] Interface Points to the interface instance. + @param[in] Handle The handle on which the interface was installed. + + @retval EFI_SUCCESS Notification runs successfully. +**/ +EFI_STATUS +EFIAPI +SmmLockBoxEndOfS3ResumeNotify ( + IN CONST EFI_GUID *Protocol, + IN VOID *Interface, + IN EFI_HANDLE Handle + ) +{ + mSmmLockBoxDuringS3Resume =3D FALSE; + return EFI_SUCCESS; +} + +/** Constructor for SmmLockBox library. This is used to set SmmLockBox context, which will be used in PEI phase = in S3 boot path later. =20 @@ -86,6 +217,36 @@ SmmLockBoxSmmConstructor ( DEBUG ((EFI_D_INFO, "SmmLockBoxSmmLib SmmLockBoxSmmConstructor - Enter\n= ")); =20 // + // Register SmmReadyToLock notification. + // + Status =3D gSmst->SmmRegisterProtocolNotify ( + &gEfiSmmReadyToLockProtocolGuid, + SmmLockBoxSmmReadyToLockNotify, + &mRegistrationSmmReadyToLock + ); + ASSERT_EFI_ERROR (Status); + + // + // Register SmmEndOfDxe notification. + // + Status =3D gSmst->SmmRegisterProtocolNotify ( + &gEfiSmmEndOfDxeProtocolGuid, + SmmLockBoxSmmEndOfDxeNotify, + &mRegistrationSmmEndOfDxe + ); + ASSERT_EFI_ERROR (Status); + + // + // Register EndOfS3Resume notification. + // + Status =3D gSmst->SmmRegisterProtocolNotify ( + &gEdkiiEndOfS3ResumeGuid, + SmmLockBoxEndOfS3ResumeNotify, + &mRegistrationEndOfS3Resume + ); + ASSERT_EFI_ERROR (Status); + + // // Check if gEfiSmmLockBoxCommunicationGuid is installed by someone // SmmLockBoxContext =3D InternalGetSmmLockBoxContext (); @@ -158,6 +319,40 @@ SmmLockBoxSmmDestructor ( DEBUG ((EFI_D_INFO, "SmmLockBoxSmmLib uninstall SmmLockBoxCommunicatio= n configuration table\n")); } =20 + if (mRegistrationSmmReadyToLock !=3D NULL) { + // + // Unregister SmmReadyToLock notification. + // + Status =3D gSmst->SmmRegisterProtocolNotify ( + &gEfiSmmReadyToLockProtocolGuid, + NULL, + &mRegistrationSmmReadyToLock + ); + ASSERT_EFI_ERROR (Status); + } + if (mRegistrationSmmEndOfDxe !=3D NULL) { + // + // Unregister SmmEndOfDxe notification. + // + Status =3D gSmst->SmmRegisterProtocolNotify ( + &gEfiSmmEndOfDxeProtocolGuid, + NULL, + &mRegistrationSmmEndOfDxe + ); + ASSERT_EFI_ERROR (Status); + } + if (mRegistrationEndOfS3Resume !=3D NULL) { + // + // Unregister EndOfS3Resume notification. + // + Status =3D gSmst->SmmRegisterProtocolNotify ( + &gEdkiiEndOfS3ResumeGuid, + NULL, + &mRegistrationEndOfS3Resume + ); + ASSERT_EFI_ERROR (Status); + } + return EFI_SUCCESS; } =20 @@ -354,8 +549,16 @@ SetLockBoxAttributes ( // Basic check // if ((Guid =3D=3D NULL) || - ((Attributes & ~LOCK_BOX_ATTRIBUTE_RESTORE_IN_PLACE) !=3D 0)) { + ((Attributes & ~(LOCK_BOX_ATTRIBUTE_RESTORE_IN_PLACE | LOCK_BOX_ATTR= IBUTE_RESTORE_IN_S3_ONLY)) !=3D 0)) { + DEBUG ((EFI_D_INFO, "SmmLockBoxSmmLib SetLockBoxAttributes - Exit (%r)= \n", EFI_INVALID_PARAMETER)); + return EFI_INVALID_PARAMETER; + } + + if (((Attributes & LOCK_BOX_ATTRIBUTE_RESTORE_IN_PLACE) !=3D 0) && + ((Attributes & LOCK_BOX_ATTRIBUTE_RESTORE_IN_S3_ONLY) !=3D 0)) { DEBUG ((EFI_D_INFO, "SmmLockBoxSmmLib SetLockBoxAttributes - Exit (%r)= \n", EFI_INVALID_PARAMETER)); + DEBUG ((EFI_D_INFO, " LOCK_BOX_ATTRIBUTE_RESTORE_IN_PLACE and LOCK_BO= X_ATTRIBUTE_RESTORE_IN_S3_ONLY\n\n")); + DEBUG ((EFI_D_INFO, " can not be set together\n")); return EFI_INVALID_PARAMETER; } =20 @@ -368,6 +571,16 @@ SetLockBoxAttributes ( return EFI_NOT_FOUND; } =20 + if ((((Attributes & LOCK_BOX_ATTRIBUTE_RESTORE_IN_PLACE) !=3D 0) && + ((LockBox->Attributes & LOCK_BOX_ATTRIBUTE_RESTORE_IN_S3_ONLY) !=3D = 0)) || + (((LockBox->Attributes & LOCK_BOX_ATTRIBUTE_RESTORE_IN_PLACE) !=3D 0= ) && + ((Attributes & LOCK_BOX_ATTRIBUTE_RESTORE_IN_S3_ONLY) !=3D 0))) { + DEBUG ((EFI_D_INFO, "SmmLockBoxSmmLib SetLockBoxAttributes 0x%lx 0x%lx= - Exit (%r)\n", LockBox->Attributes, Attributes, EFI_INVALID_PARAMETER)); + DEBUG ((EFI_D_INFO, " LOCK_BOX_ATTRIBUTE_RESTORE_IN_PLACE and LOCK_BO= X_ATTRIBUTE_RESTORE_IN_S3_ONLY\n\n")); + DEBUG ((EFI_D_INFO, " can not be set together\n")); + return EFI_INVALID_PARAMETER; + } + // // Update data // @@ -496,6 +709,16 @@ RestoreLockBox ( return EFI_NOT_FOUND; } =20 + if (((LockBox->Attributes & LOCK_BOX_ATTRIBUTE_RESTORE_IN_S3_ONLY) !=3D = 0) && + mSmmLockBoxSmmReadyToLock && + !mSmmLockBoxDuringS3Resume) { + // + // With LOCK_BOX_ATTRIBUTE_RESTORE_IN_S3_ONLY, + // this LockBox can be restored in S3 resume only. + // + return EFI_ACCESS_DENIED; + } + // // Set RestoreBuffer // diff --git a/MdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxSmmLib.inf b/MdeM= odulePkg/Library/SmmLockBoxLib/SmmLockBoxSmmLib.inf index eb7ba0bb2e89..426af4cccfe0 100644 --- a/MdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxSmmLib.inf +++ b/MdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxSmmLib.inf @@ -1,7 +1,7 @@ ## @file # SMM LockBox library instance. # -# Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.
+# Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
# # This program and the accompanying materials # are licensed and made available under the terms and conditions @@ -44,7 +44,15 @@ [LibraryClasses] BaseLib DebugLib =20 +[Protocols] + gEfiSmmReadyToLockProtocolGuid ## NOTIFY + gEfiSmmEndOfDxeProtocolGuid ## NOTIFY + gEfiSmmSxDispatch2ProtocolGuid ## NOTIFY + [Guids] ## SOMETIMES_CONSUMES ## UNDEFINED # SmmSystemTable ## SOMETIMES_PRODUCES ## UNDEFINED # SmmSystemTable gEfiSmmLockBoxCommunicationGuid + ## CONSUMES ## UNDEFINED # Protocol notify + gEdkiiEndOfS3ResumeGuid + --=20 2.7.0.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel