[edk2] [PATCH 08/12] OvmfPkg/IoMmuDxe: zero out pages before releasing them

Laszlo Ersek posted 12 patches 7 years, 4 months ago
Posted by Laszlo Ersek 7 years, 4 months ago
Whenever we release the plaintext bounce buffer pages that were allocated
implicitly in Map() for BusMasterRead[64] and BusMasterWrite[64], we
restore the encryption mask on them. However, we should also rewrite the
area (fill it with zeros) so that the hypervisor is not left with a
plaintext view of the earlier data.

Similarly, whenever we release the plaintext common buffer pages that were
allocated explicitly in AllocateBuffer() for BusMasterCommonBuffer[64], we
restore the encryption mask on them.  However, we should also rewrite the
area (fill it with zeros) so that the hypervisor is not left with a
plaintext view of the earlier data.

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 OvmfPkg/IoMmuDxe/AmdSevIoMmu.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/OvmfPkg/IoMmuDxe/AmdSevIoMmu.c b/OvmfPkg/IoMmuDxe/AmdSevIoMmu.c
index 8c2c23356a40..d899b0ab9e41 100644
--- a/OvmfPkg/IoMmuDxe/AmdSevIoMmu.c
+++ b/OvmfPkg/IoMmuDxe/AmdSevIoMmu.c
@@ -227,87 +227,91 @@ EFIAPI
 IoMmuUnmap (
   IN  EDKII_IOMMU_PROTOCOL                     *This,
   IN  VOID                                     *Mapping
   )
 {
   MAP_INFO                 *MapInfo;
   EFI_STATUS               Status;
 
   if (Mapping == NULL) {
     return EFI_INVALID_PARAMETER;
   }
 
   //
   // See if the Map() operation associated with this Unmap() required a mapping
   // buffer. If a mapping buffer was not required, then this function simply
   // buffer. If a mapping buffer was not required, then this function simply
   //
   if (Mapping == NO_MAPPING) {
     return EFI_SUCCESS;
   }
 
   MapInfo = (MAP_INFO *)Mapping;
 
   //
   // If this is a write operation from the Bus Master's point of view,
   // then copy the contents of the mapped buffer into the real buffer
   // so the processor can read the contents of the real buffer.
   //
   if (MapInfo->Operation == EdkiiIoMmuOperationBusMasterWrite ||
       MapInfo->Operation == EdkiiIoMmuOperationBusMasterWrite64) {
     CopyMem (
       (VOID *) (UINTN) MapInfo->CryptedAddress,
       (VOID *) (UINTN) MapInfo->PlainTextAddress,
       MapInfo->NumberOfBytes
       );
   }
 
   DEBUG ((
     DEBUG_VERBOSE,
     "%a PlainText 0x%Lx Crypted 0x%Lx Pages 0x%Lx Bytes 0x%Lx\n",
     __FUNCTION__,
     MapInfo->PlainTextAddress,
     MapInfo->CryptedAddress,
     (UINT64)MapInfo->NumberOfPages,
     (UINT64)MapInfo->NumberOfBytes
     ));
   //
   // Restore the memory encryption mask
   //
   Status = MemEncryptSevSetPageEncMask (
              0,
              MapInfo->PlainTextAddress,
              MapInfo->NumberOfPages,
              TRUE
              );
   ASSERT_EFI_ERROR(Status);
+  ZeroMem (
+    (VOID*)(UINTN)MapInfo->PlainTextAddress,
+    EFI_PAGES_TO_SIZE (MapInfo->NumberOfPages)
+    );
 
   //
   // Free the mapped buffer and the MAP_INFO structure.
   //
   gBS->FreePages (MapInfo->PlainTextAddress, MapInfo->NumberOfPages);
   FreePool (Mapping);
   return EFI_SUCCESS;
 }
 
 /**
   Allocates pages that are suitable for an OperationBusMasterCommonBuffer or
   OperationBusMasterCommonBuffer64 mapping.
 
   @param  This                  The protocol instance pointer.
   @param  Type                  This parameter is not used and must be ignored.
   @param  MemoryType            The type of memory to allocate,
                                 EfiBootServicesData or EfiRuntimeServicesData.
   @param  Pages                 The number of pages to allocate.
   @param  HostAddress           A pointer to store the base system memory
                                 address of the allocated range.
   @param  Attributes            The requested bit mask of attributes for the
                                 allocated range.
 
   @retval EFI_SUCCESS           The requested memory pages were allocated.
   @retval EFI_UNSUPPORTED       Attributes is unsupported. The only legal
                                 attribute bits are MEMORY_WRITE_COMBINE and
                                 MEMORY_CACHED.
   @retval EFI_INVALID_PARAMETER One or more parameters are invalid.
   @retval EFI_OUT_OF_RESOURCES  The memory pages could not be allocated.
 
 **/
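Review bot: the new ZeroMem call sits directly under the "Restore the memory encryption mask" comment without one of its own, and the ordering is the whole point of the change: because ZeroMem runs after MemEncryptSevSetPageEncMask (..., TRUE), the zero writes land encrypted and overwrite the plaintext that the bounce buffer held at PlainTextAddress, which is what keeps the hypervisor from retaining a plaintext view. Suggest a comment block above the ZeroMem in the same "//" style stating that the zeroing must follow the mask restore and must stay after the BusMasterWrite CopyMem earlier in the function, so that a later reorder does not silently undo it. Using EFI_PAGES_TO_SIZE (MapInfo->NumberOfPages) rather than MapInfo->NumberOfBytes is the right size here, since the entire page range was decrypted in Map(), and the comment could say so to head off a "why not NumberOfBytes" question.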
@@ -399,78 +403,79 @@ EFIAPI
 IoMmuFreeBuffer (
   IN  EDKII_IOMMU_PROTOCOL                     *This,
   IN  UINTN                                    Pages,
   IN  VOID                                     *HostAddress
   )
 {
   EFI_STATUS  Status;
 
   //
   // Set memory encryption mask
   //
   Status = MemEncryptSevSetPageEncMask (
              0,
              (EFI_PHYSICAL_ADDRESS)(UINTN)HostAddress,
              Pages,
              TRUE
              );
   ASSERT_EFI_ERROR(Status);
+  ZeroMem (HostAddress, EFI_PAGES_TO_SIZE (Pages));
 
   DEBUG ((
     DEBUG_VERBOSE,
     "%a Address 0x%Lx Pages 0x%Lx\n",
     __FUNCTION__,
     (UINT64)(UINTN)HostAddress,
     (UINT64)Pages
     ));
   return gBS->FreePages ((EFI_PHYSICAL_ADDRESS) (UINTN) HostAddress, Pages);
 }
 
 
 /**
   Set IOMMU attribute for a system memory.
 
   If the IOMMU protocol exists, the system memory cannot be used
   for DMA by default.
 
   When a device requests a DMA access for a system memory,
   the device driver need use SetAttribute() to update the IOMMU
   attribute to request DMA access (read and/or write).
 
   The DeviceHandle is used to identify which device submits the request.
   The IOMMU implementation need translate the device path to an IOMMU device
   ID, and set IOMMU hardware register accordingly.
   1) DeviceHandle can be a standard PCI device.
      The memory for BusMasterRead need set EDKII_IOMMU_ACCESS_READ.
      The memory for BusMasterWrite need set EDKII_IOMMU_ACCESS_WRITE.
      The memory for BusMasterCommonBuffer need set
      EDKII_IOMMU_ACCESS_READ|EDKII_IOMMU_ACCESS_WRITE.
      After the memory is used, the memory need set 0 to keep it being
      protected.
   2) DeviceHandle can be an ACPI device (ISA, I2C, SPI, etc).
      The memory for DMA access need set EDKII_IOMMU_ACCESS_READ and/or
      EDKII_IOMMU_ACCESS_WRITE.
 
   @param[in]  This              The protocol instance pointer.
   @param[in]  DeviceHandle      The device who initiates the DMA access
                                 request.
   @param[in]  Mapping           The mapping value returned from Map().
   @param[in]  IoMmuAccess       The IOMMU access.
 
   @retval EFI_SUCCESS            The IoMmuAccess is set for the memory range
                                  specified by DeviceAddress and Length.
   @retval EFI_INVALID_PARAMETER  DeviceHandle is an invalid handle.
   @retval EFI_INVALID_PARAMETER  Mapping is not a value that was returned by
                                  Map().
   @retval EFI_INVALID_PARAMETER  IoMmuAccess specified an illegal combination
                                  of access.
   @retval EFI_UNSUPPORTED        DeviceHandle is unknown by the IOMMU.
   @retval EFI_UNSUPPORTED        The bit mask of IoMmuAccess is not supported
                                  by the IOMMU.
   @retval EFI_UNSUPPORTED        The IOMMU does not support the memory range
                                  specified by Mapping.
   @retval EFI_OUT_OF_RESOURCES   There are not enough resources available to
                                  modify the IOMMU access.
   @retval EFI_DEVICE_ERROR       The IOMMU device reported an error while
                                  attempting the operation.
 
 **/
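Review bot: unlike IoMmuUnmap, which rejects a NULL Mapping up front, IoMmuFreeBuffer has no parameter check before MemEncryptSevSetPageEncMask and the new ZeroMem (HostAddress, EFI_PAGES_TO_SIZE (Pages)), so a NULL HostAddress or Pages == 0 from a caller now reaches a memory write rather than only the encryption-mask call. The missing check predates this patch, but since the hunk adds the first dereference of HostAddress in this function, consider either adding "if (HostAddress == NULL || Pages == 0) return EFI_INVALID_PARAMETER;" here or noting in the commit message that callers are trusted on this path. A short comment above the ZeroMem, matching the one suggested for IoMmuUnmap, would also record that the zeroing is deliberately placed after the mask is restored.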
-- 
2.13.1.3.g8be5a757fa67


_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel