From: Laszlo Ersek
To: edk2-devel-01
Cc: Jordan Justen, Tom Lendacky, Ard Biesheuvel
Date: Wed, 2 Aug 2017 23:24:49 +0200
Message-Id: <20170802212453.19221-9-lersek@redhat.com>
In-Reply-To: <20170802212453.19221-1-lersek@redhat.com>
References: <20170802212453.19221-1-lersek@redhat.com>
Subject: [edk2] [PATCH 08/12] OvmfPkg/IoMmuDxe: zero out pages before releasing them

Whenever we release the plaintext bounce buffer pages that were allocated
implicitly in Map() for BusMasterRead[64] and BusMasterWrite[64], we
restore the encryption mask on them. However, we should also rewrite the
area (fill it with zeros) so that the hypervisor is not left with a
plaintext view of the earlier data.

Similarly, whenever we release the plaintext common buffer pages that were
allocated explicitly in AllocateBuffer() for BusMasterCommonBuffer[64], we
restore the encryption mask on them. However, we should also rewrite the
area (fill it with zeros) so that the hypervisor is not left with a
plaintext view of the earlier data.

Cc: Ard Biesheuvel
Cc: Brijesh Singh
Cc: Jordan Justen
Cc: Tom Lendacky
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek
---
 OvmfPkg/IoMmuDxe/AmdSevIoMmu.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/OvmfPkg/IoMmuDxe/AmdSevIoMmu.c b/OvmfPkg/IoMmuDxe/AmdSevIoMmu.c
index 8c2c23356a40..d899b0ab9e41 100644
--- a/OvmfPkg/IoMmuDxe/AmdSevIoMmu.c
+++ b/OvmfPkg/IoMmuDxe/AmdSevIoMmu.c 
@@ -227,87 +227,91 @@ EFIAPI IoMmuUnmap ( IN EDKII_IOMMU_PROTOCOL *This, IN VOID *Mapping ) { MAP_INFO *MapInfo; EFI_STATUS Status; =20 if (Mapping =3D=3D NULL) { return EFI_INVALID_PARAMETER; } =20 // // See if the Map() operation associated with this Unmap() required a ma= pping // buffer. If a mapping buffer was not required, then this function simp= ly // buffer. If a mapping buffer was not required, then this function simp= ly // if (Mapping =3D=3D NO_MAPPING) { return EFI_SUCCESS; } =20 MapInfo =3D (MAP_INFO *)Mapping; =20 // // If this is a write operation from the Bus Master's point of view, // then copy the contents of the mapped buffer into the real buffer // so the processor can read the contents of the real buffer. // if (MapInfo->Operation =3D=3D EdkiiIoMmuOperationBusMasterWrite || MapInfo->Operation =3D=3D EdkiiIoMmuOperationBusMasterWrite64) { CopyMem ( (VOID *) (UINTN) MapInfo->CryptedAddress, (VOID *) (UINTN) MapInfo->PlainTextAddress, MapInfo->NumberOfBytes ); } =20 DEBUG (( DEBUG_VERBOSE, "%a PlainText 0x%Lx Crypted 0x%Lx Pages 0x%Lx Bytes 0x%Lx\n", __FUNCTION__, MapInfo->PlainTextAddress, MapInfo->CryptedAddress, (UINT64)MapInfo->NumberOfPages, (UINT64)MapInfo->NumberOfBytes )); // // Restore the memory encryption mask // Status =3D MemEncryptSevSetPageEncMask ( 0, MapInfo->PlainTextAddress, MapInfo->NumberOfPages, TRUE ); ASSERT_EFI_ERROR(Status); + ZeroMem ( + (VOID*)(UINTN)MapInfo->PlainTextAddress, + EFI_PAGES_TO_SIZE (MapInfo->NumberOfPages) + ); =20 // // Free the mapped buffer and the MAP_INFO structure. // gBS->FreePages (MapInfo->PlainTextAddress, MapInfo->NumberOfPages); FreePool (Mapping); return EFI_SUCCESS; } =20 /** Allocates pages that are suitable for an OperationBusMasterCommonBuffer = or OperationBusMasterCommonBuffer64 mapping. =20 @param This The protocol instance pointer. @param Type This parameter is not used and must be ign= ored. 
@param MemoryType The type of memory to allocate, EfiBootServicesData or EfiRuntimeServicesD= ata. @param Pages The number of pages to allocate. @param HostAddress A pointer to store the base system memory address of the allocated range. @param Attributes The requested bit mask of attributes for t= he allocated range. =20 @retval EFI_SUCCESS The requested memory pages were allocated. @retval EFI_UNSUPPORTED Attributes is unsupported. The only legal attribute bits are MEMORY_WRITE_COMBINE and MEMORY_CACHED. @retval EFI_INVALID_PARAMETER One or more parameters are invalid. @retval EFI_OUT_OF_RESOURCES The memory pages could not be allocated. =20 **/ 
@@ -399,78 +403,79 @@ EFIAPI IoMmuFreeBuffer ( IN EDKII_IOMMU_PROTOCOL *This, IN UINTN Pages, IN VOID *HostAddress ) { EFI_STATUS Status; =20 // // Set memory encryption mask // Status =3D MemEncryptSevSetPageEncMask ( 0, (EFI_PHYSICAL_ADDRESS)(UINTN)HostAddress, Pages, TRUE ); ASSERT_EFI_ERROR(Status); + ZeroMem (HostAddress, EFI_PAGES_TO_SIZE (Pages)); =20 DEBUG (( DEBUG_VERBOSE, "%a Address 0x%Lx Pages 0x%Lx\n", __FUNCTION__, (UINT64)(UINTN)HostAddress, (UINT64)Pages )); return gBS->FreePages ((EFI_PHYSICAL_ADDRESS) (UINTN) HostAddress, Pages= ); } =20 =20 /** Set IOMMU attribute for a system memory. =20 If the IOMMU protocol exists, the system memory cannot be used for DMA by default. =20 When a device requests a DMA access for a system memory, the device driver need use SetAttribute() to update the IOMMU attribute to request DMA access (read and/or write). =20 The DeviceHandle is used to identify which device submits the request. The IOMMU implementation need translate the device path to an IOMMU devi= ce ID, and set IOMMU hardware register accordingly. 1) DeviceHandle can be a standard PCI device. The memory for BusMasterRead need set EDKII_IOMMU_ACCESS_READ. The memory for BusMasterWrite need set EDKII_IOMMU_ACCESS_WRITE. The memory for BusMasterCommonBuffer need set EDKII_IOMMU_ACCESS_READ|EDKII_IOMMU_ACCESS_WRITE. After the memory is used, the memory need set 0 to keep it being protected. 2) DeviceHandle can be an ACPI device (ISA, I2C, SPI, etc). The memory for DMA access need set EDKII_IOMMU_ACCESS_READ and/or EDKII_IOMMU_ACCESS_WRITE. =20 @param[in] This The protocol instance pointer. @param[in] DeviceHandle The device who initiates the DMA access request. @param[in] Mapping The mapping value returned from Map(). @param[in] IoMmuAccess The IOMMU access. =20 @retval EFI_SUCCESS The IoMmuAccess is set for the memory ran= ge specified by DeviceAddress and Length. @retval EFI_INVALID_PARAMETER DeviceHandle is an invalid handle. 
@retval EFI_INVALID_PARAMETER Mapping is not a value that was returned = by Map(). @retval EFI_INVALID_PARAMETER IoMmuAccess specified an illegal combinat= ion of access. @retval EFI_UNSUPPORTED DeviceHandle is unknown by the IOMMU. @retval EFI_UNSUPPORTED The bit mask of IoMmuAccess is not suppor= ted by the IOMMU. @retval EFI_UNSUPPORTED The IOMMU does not support the memory ran= ge specified by Mapping. @retval EFI_OUT_OF_RESOURCES There are not enough resources available = to modify the IOMMU access. @retval EFI_DEVICE_ERROR The IOMMU device reported an error while attempting the operation. =20 **/ --=20 2.13.1.3.g8be5a757fa67 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
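Review bot: In the IoMmuUnmap hunk, the new ZeroMem call has no comment, although the CopyMem, encryption-mask and free steps around it each have one, so the reason for clearing the bounce buffer lives only in the commit message. Add a short comment above the call saying that the pages are rewritten after the encryption mask is restored so that the hypervisor is not left with a plaintext view of the earlier data. The cast is also written `(VOID*)(UINTN)` here while the CopyMem call a few lines up uses `(VOID *) (UINTN)`; match the existing spacing.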
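Review bot: In the IoMmuFreeBuffer hunk, the ZeroMem call runs whatever MemEncryptSevSetPageEncMask returned, because the only check between them is `ASSERT_EFI_ERROR(Status);`, which does nothing in builds where assertions are disabled. HostAddress and Pages are taken from the caller without validation in the visible lines, so a pair that gBS->FreePages would reject now has EFI_PAGES_TO_SIZE (Pages) bytes overwritten first. Consider returning Status on error before reaching ZeroMem, and add a one-line comment on why the buffer is cleared, as the "Set memory encryption mask" step above has.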