MmCore ImageSize may be not page aligned, it will be converted to page
aligned for allocating MMRAM to hold MmCore image.
This patch is to call CreatMmHobList() with page aligned size of ImageSize,
otherwise ASSERT (IS_ALIGNED (Length, EFI_PAGE_SIZE)) in
MmIplBuildMmCoreModuleHob() will happen if the input MmCore ImageSize is
not page aligned.
Signed-off-by: Star Zeng <star.zeng@intel.com>
The various cores all attempt to print the EfiFileName when
loading/dispatching drivers, but they are not unified on
approach. This commit ensures they are using the same buffer
size and the loop parsing variables are unsigned, as we should
not have a negative index.
Signed-off-by: Oliver Smith-Denny <osde@microsoft.com>
Today, StandaloneMM Core's image loader only prints driver load messages
if debug code is enabled. However, these are some of the most
important prints in the codebase: on a given system even if you
have nothing else to debug with, you can see the last driver
executed.
Debug code blocks are used to skip logic that only exists for
debug purposes and wastes time on a release build. However, the
logic to print a line and determine the filename from the PDB
is not extensive and provides critical information, so it is
inappropriate to wrap in a debug code section.
Platforms can still choose to disable logging at DEBUG_INFO/DEBUG_LOAD
and will not see the error messages.
Signed-off-by: Oliver Smith-Denny <osde@microsoft.com>
Due to PEIM will do following MM notify event under API mode:
1.MM end of dxe notify Event
2.MM ready to lock notify Event
3.MM ready to boot notify Event
4.MM exit boot services notify Event
It will conflict with the notify event in MmCommunicationDxe.inf
on edk2 bootloader under API mode, so split following MmEvent to
MmCommunicationNotifyDxe.inf, and avoid run this driver under API
mode.
Signed-off-by: Hongbin1 Zhang <hongbin1.zhang@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Dun Tan <dun.tan@intel.com>
Cc: Khor Swee Aun <swee.aun.khor@intel.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Current MM IPL in PEI phase does not open the MMRAM regions through MM
access PPI. This is causing some platforms like OVMF reading all `0xFF`s
when trying to relocate the Standalone MM core.
This change opens all the MMRAM regions provided by MM access PPI and
closes + locks the regions after initial MM foundation setup, when MM
Access PPI is available.
Platforms that require MM access PPI can inject depex through libraries.
Signed-off-by: Kun Qin <kun.qin@microsoft.com>
There could be scenarios where the HOB producer does not create any HOBs.
In such cases, the buffer intended to be freed will have zero pages.
This update addresses the issue that could cause assertions during
runtime by ensuring that buffers with zero pages are not freed.
Signed-off-by: Kun Qin <kun.qin@microsoft.com>
Update logic to prevent case where PlatformHobList may be used
without being initialized. Check for expected return statuses
and values from first call to CreateMmPlatformHob().
Remove use of CpuDeadLoop() and instead make consistent use of
DEBUG_ERROR log messages and ASSERT()s to detect unexpected
failures determining the size and allocating the platform HOB
List for the Standalone MM environment.
Fix potential memory leak when the expected allocation size
does not match the actual allocation size.
Fixes a build error detected with CLANG 20.1.0.
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Original logic skips to call MmDispatcher() when number of FV HOBs exceeds
the max supported FVs even for the already-discovered FVs.
Original logic skips to call MmDispatcher() and even skips to process other
FVs when insufficient MM memory for shadowing a FV.
For both cases, replace "return" with "continue" to try best to dispatch
more FVs.
Signed-off-by: Ray Ni <ray.ni@intel.com>
Refine debug output for better troubleshooting:
1. Consolidate FV address and size into one log message
2. Add function name to error messages for better traceability
3. Use AllocateCopyPool() instead of separate AllocatePool() and CopyMem()
Signed-off-by: Ray Ni <ray.ni@intel.com>
Previously, MmDispatchFvs could enter an infinite loop if a Firmware Volume
HOB with zero length was encountered, because GetNextHob() was called with
the same FvHob pointer repeatedly. This patch fixes the issue by passing
GET_NEXT_HOB(FvHob) to GetNextHob(), ensuring the loop advances to the next
HOB and preventing hangs.
Signed-off-by: Ray Ni <ray.ni@intel.com>
This commit is to add two new APIs in StandaloneMmPkg
StandaloneMmHobLib and StandaloneMmCoreHobLib:
1.The GetNextMemoryAllocationGuidHob () returns the next
instance of the Memory Allocation HOB with the matched
GUID from a starting HOB pointer.
2.The TagMemoryAllocationHobWithGuid () searchs the HOB
list for the Memory Allocation HOB with a matching base
address and set the Name GUID. Then the instance of the
tagged Memory Allocation HOB with matched base address is
returned.
Signed-off-by: Dun Tan <dun.tan@intel.com>
ArmFfaLib is an implementation of an industry specification-defined
interface with UEFI specific method of handling Rx/Tx buffer sharing
across multiple boot phases, which is more appropriately placed in
MdeModulePkg.
This update relocates the implementation of ArmFfaLib to MdeModulePkg,
thereby supporting the FFA call primitives for all other packages that
depend on this interface.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Kun Qin <kun.qin@microsoft.com>
As an implementation of an industry specification-defined interface,
ArmSvcLib is more appropriately placed in MdePkg.
This update relocates both the header definition and the implementation
of ArmSvcLib to MdePkg, thereby supporting the supervisor call primitives
for all other packages that depend on this interface.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Kun Qin <kun.qin@microsoft.com>
As an implementation of an industry specification-defined interface,
ArmSmcLib is more appropriately placed in MdePkg.
This update relocates both the header definition and the implementation
of ArmSmcLib to MdePkg, thereby supporting the monitor call primitives
for all other packages that depend on this interface.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Kun Qin <kun.qin@microsoft.com>
Include PerformanceLib for StandaloneMmCore, add performance logging for
MM driver loading and starting.
Add FV_FILEPATH_DEVICE_PATH into Loaded Image protocol for MM driver,
then StandaloneMmCorePerformanceLib can get the FILE_GUID from the device
path.
Signed-off-by: Wei6 Xu <wei6.xu@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3398
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3430
MM communicate protocols are expanded with EFI_MM_COMMUNICATE_HEADER_V3
structure that cooperates with updated field types and flexible array.
The PiSmmCore implementation is updated to detect and process incoming
data accordingly.
Two checks are also performed to prevent legacy communicate data or
unsupported data is fed into MM core under agreed header guid.
Signed-off-by: Kun Qin <kuqin12@gmail.com>
Produce gMmStatusCodeUseSerialHobGuid as MM Foundation HOB to
describe the status code use serial port or not.
Signed-off-by: Jiaxin Wu <jiaxin.wu@intel.com>
PcdStatusCodeUseSerial can be the dynamic PCD, which can't be used
in MM drivers. So, defines gMmStatusCodeUseSerialHobGuid HOB to
indicate StatusCode is reported via serial port or not. The value
shall match with the PcdStatusCodeUseSerial.
Signed-off-by: Jiaxin Wu <jiaxin.wu@intel.com>
For AARCH64 using StandaloneMmPkg, gMmCommBufferHobGuid will not exist.
Aarch64 makes use of their own Root MmiHandler that will get the
communication buffer out of a separate buffer, and will call
MmiMange directly with the information.
For x64, where gMmCommBufferHobGuid is expected to be supplied
in the hob list passed to StandaloneCore, if the hob does not
exist, print out a debug message describing the failure scenario.
Its important to note that a mising gMmCommBufferHobGuid will
mean non-root MmiHandlers will not be dispatched in the x64
scenario, but that root MmiHandlers will still be dispatched.
Signed-off-by: Aaron Pop <aaronpop@microsoft.com>
Co-authored-by: Aaron Pop <aaronpop@microsoft.com>
GetBootModeHob function need to add EFI_HOB_HANDOFF_INFO_TABLE
in MM hob data base.
Signed-off-by: Hongbin1 Zhang <hongbin1.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Wei6 Xu <wei6.xu@intel.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Supreeth Venkatesh <supreeth.venkatesh@arm.com>
Produce StandaloneMM Entry/Exit Notify Protocol for PlatformHook.
This replaces the SMM core platform hook implementation in the
traditional SMM (Edk2\MdeModulePkg\Include\Library\SmmCorePlatformHookLib.h).
Unlike traditional SMM, Standalone MM prefers a more generic method to
perform platform-specific tasks before and after the SMI handler. Therefore,
it introduces the gMmEntryNotifyProtocolGuid and gMmExitNotifyProtocolGuid
protocols to notify the SMM entry and exit. This approach is more flexible
for the platform, eliminating the need to place all tasks in
PlatformHookBeforeSmmDispatch() and PlatformHookAfterSmmDispatch(), thus
platform code can depend on the protocol notification to perform
platform-specific tasks.
Signed-off-by: Diat Siah Yap <diat.siah.yap@intel.com>
This commit is to dump finaled HOB list in MMRAM.
In previous commit, we verify the HOB list and initialize a
new HOB list in MMRAM before we call the library constructor.
Since we might migrate some memory allocation HOB into MMRAM,
it's cleared to dump information in finaled HOB list.
Signed-off-by: Dun Tan <dun.tan@intel.com>
The commit changes the code to initializes new HOB list in MMRAM
before the ProcessLibraryConstructorList() and pass the MMRAM HOB
list to lib constructor.
Previously, the HOB list in non-MMRAM range is passed to the lib
constructor. Then code in the library constructor would consume
unverified HOB list in non-MMRAM buffer. With this commit, the
HOB validation and memory allocation HOB migration are doned before
the library constructor.
Since the HOB list initialization needs to allocate memory in MMRAM,
we also need to call the MmInitializeMemoryServices() before the HOB
list initialization. Then the duplicated code in the StandaloneMmCore
MemoryAllocationLib can also be removed.
Signed-off-by: Dun Tan <dun.tan@intel.com>
StandaloneMmCoreMemoryAllocationLib.c and StandaloneMmServicesTableLib.c
are both defining gMmst, StandaloneMmCoreMemoryAllocationLib will be
linked to StandaloneMmCore directly, StandaloneMmServicesTableLib may be
linked to StandaloneMmCore indirectly, when they are both linked to
StandaloneMmCore, there will be "lld-link: error: duplicate symbol: gMmst"
build error with Clang compiler.
gMmst is declared in MmServicesTableLib.h and its definition should be
owned by MmServicesTableLib.
This patch renames gMmst in StandaloneMmCoreMemoryAllocationLib.c to
mMemoryAllocationMmst to avoid this build error.
Signed-off-by: Star Zeng <star.zeng@intel.com>
Now that the X64 StandaloneMmCoreEntryPoint has been moved to
MdePkg, it can be removed from StandaloneMmPkg and consumed
from MdePpkg.
Signed-off-by: Oliver Smith-Denny <osde@microsoft.com>
On some Arm platforms the boot firmware volume passed in the HOB
by the secure world firmware (TF-A) is never freed and is always
mapped as read-only.
On such platforms the heap memory can be saved by disabling the
shadow copy of the boot firmware volume. This is useful as on
some platforms the amount of memory available is limited.
Therefore, introduce a PCD PcdShadowBfv that platforms
can configure to disable the shadow boot FV. This PCD is set to
TRUE by default.
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
StandaloneMmCpu driver is only used for Arm architecture and
StandaloneMmCoreEntryPointLib for Arm has specific implementation with
StandaloneMmCpu driver.
Move StandaloneMmCpu Driver and StandaloneMmCoreEntryPointLib for Arm
to ArmPkg.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
The default ExtractGuidedSectionLib used by Standalone MM is the
implementation in EmbeddedPkg. However, the ExtractGuidedSectionLib
implementation in EmbeddedPkg builds HOBs to save the extract handler
information.
Since StandaloneMm is consumer of HOB, not a HOB producer, introduce
a StandaloneMmExtraGuidedSectionLib implementation that saves the
extract handler information in the ConfigurationTable.
This StandaloneMmExtraGuidedSectionLib can be used by MM_STANDALONE
and MM_CORE_STANDALONE modules.
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
StandaloneMm in Arm is UP-migratable which means StandaloneMm
cannot run concurrently.
Therefore, remove per-cpu feature in StandaloneMm.
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
Arm has three types of communication buffer
- Non secure communication buffer: shared buffer with NS partition
- Secure communication buffer: shared buffer with Secure partition
- Internal Misc service buffer: For misc service
i.e. for services that do not use MmCommunication protocol,
a buffer is created and populated internally.
Since, internal Misc service buffer is allocated dynamically in
StandaloneMm there is no additional check required for the Misc
service buffer.
This patch move sanity check of communication buffer from
StandaloneMmCpu Driver to StandaloneMmEntryPoint.
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
There are 2 communication interfaces between the SPMC and StandaloneMM
1. SpmMM
2. FF-A
When SpmMM is enabled, TF-A acts as the SPMC at EL3 and the stack is setup
by TF-A for use by StandaloneMm. However, when FF-A is enabled, the SPMC
does not setup the stack for StandaloneMm and it is expected that the
StandaloneMm code will setup its own stack.
Therefore, reserve an area in the data region for use as the stack for
StandaloneMM. This stack will be used in both the scenarios described
above, i.e. when either SpmMM or FF-A is enabled.
Although the stack is reserved from the data section which is expected
to be Read-Write enabled, when TF-A maps the StandaloneMM binary into
the DRAM it configures the entire StandaloneMM memory as Read-Only.
Therefore, before the stack can be utilised, the PE Coff sections
need to be scanned to change the the stack region from Read-Only to
Read-Write.
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
On Arm all requests are handled as Asynchronous events by the Root
MMI handler.
Since the communication data is conveyed using either the NS shared
buffer or the Secure shared buffer, the Arm implementation does not
setup the mCommunicationBuffer. Therefore, the mCommunicationBuffer
being NULL is not an error case.
Moreover, the existing code switches to Asynchronous event processing
when the mCommunicationBuffer is NULL, which means that the log is an
info log rather than an error.
Therefore, change the log level from ERROR to INFO when the
mCommunicationBuffer is NULL.
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
To support the service other than Mmcommunication service,
StandaloneMm should use FF-A v1.2 or later [0].
For this, StandaloneMm needs to change:
1. apply FF-A boot protocol
- FF-A uses its own boot protocol and it can deliver phit hob.
So, StandaloneMm should understand FF-A boot protocol and
get phit hob from it to initialize.
2. Use DIRECT_REQ2 / DIRECT_RESP2
- To support the other service via FF-A protocol
than MmCommunication,
StandaloneMm should use DIRECT_REQ2 / DIRECT_RESP2.
In case of service provided with MmCommunication protocol,
register x2/x3 value is set as gEfiMmCommunication2ProtocolGuid and
register x4 value is set with MmCommunication Buffer
(ServiceTypeMmCommunication).
In case of service with each speicifiation via FF-A,
register x2/x3 value is set as each service guid
and StandaloneMmCoreEntryPoint genreates Mm communication header
with passed arguments to dispatch this service
provided by StandaloneMm.
i.e) Tpm service, Firmware update service and etc.
(ServiceTypeMisc)
Link: https://developer.arm.com/documentation/den0077/latest/ [0]
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
Add ArmFfaLib used in StandaloneMmCore/StandaloneMm Driver.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
PcdFfaEnabled is no more used because ArmFfaLib could find whether FF-A
is supported dynamically.
This patch removes usage of PcdFfaEnabled.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
To remove hob creation in StandaloneMm entrypoint,
TF-A should pass PHIT hob information to StandaloneMm.
When it passes PHIT hob, it passes according to
firmware handoff specification[0].
This patch applies boot protocol using transfer list with firmware
handoff specification and remove hob creation in StandaloneMm
entrypoint.
Link: https://github.com/FirmwareHandoff/firmware_handoff [0]
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
Change naming convention in ArmMmSvc.h with
MM to SPM_MM
This would make it clear to discern ABI protocol used to communicate
with secure partition.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
By using transfer list passed by TF-A,
StandaloneMmCore is no more producer of HOBs, But it is consumer.
So, the Arm-specific implementation of StandaloneMmCoreHobLib
is no longer needed.
This change removes the Arm-specific HOB creation code and
integrates the necessary adjustments.
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
This patch introduces a PI_MM_CPU_DRIVER_EP protocol to handle
Mmcommunication request based on the CPU driver.
Previously the CPU driver entry point was retrieved using the
gEfiArmTfCpuDriverEntryPoint HOB.
However, this practice is incorrect as StandaloneMM must be a HOB
consumer and not a HOB producer.
Therefore, remove the CPU entry HOB gEfiArmTfCpuDriverEntryPoint,
and replace it with the CPU driver entry protocol
EDKII_PI_MM_CPU_DRIVER_EP_PROTOCOL.
The EDKII_PI_MM_CPU_DRIVER_EP_PROTOCOL installed in
StandaloneMmCpuInitialize() will be used by the code in
Arm/StandaloneMmCoreEntryPoint.
This protocol is used like below:
+=====+
|StandaloneMmCore|
+=====+
|
CEntryPoint()
===================
|
ProcessModuleEntryPointList()
|
+--> StandaloneMmMain()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| // Load StandaloneMmCpu driver which implements
| // CpuDriverEntryPoint used by DelegatedEventLoop().
| // and install the gEdkiiPiMmCpuDriverEpProtocolGuid.
--------------
|
... // Get CpuDriverEntryPoint implemented by
// StandaloneMmCpu driver with gEdkiiPiMmCpuDriverEpProtocolGuid
|
DelegatedEventLoop() // Handle request by delegating it to
// CpuDriverEntryPoint.
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
Communication with Stmm can be via SPM using MM or FF-A.
However, some return values differ between these
communication models.
This patch adds helper functions to covert the return
values based on the communication model.
It also fixes an issue when using the SPM using MM model,
wherein an error code value of -7 was being returned when
an unknown error occurred. The -7 value is not defined in
SPM using MM. Therefore, return an UNSUPPORTED code instead.
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
When at last hob, the FV HOB check function should
exit from the loop
Signed-off-by: Hongbin1 Zhang <hongbin1.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Wei6 Xu <wei6.xu@intel.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Supreeth Venkatesh <supreeth.venkatesh@arm.com>
Today, StandaloneMmCore calls PeCoffLoaderRelocateImage() when loading
images, which calls PeCoffLoaderRelocateImageExtraAction(). On AARCH64,
this sets the image memory protections accordingly, RO + E on code
sections, RW + NX on data sections.
However, if an image fails to start (i.e. its entry point returns a
failure) StandaloneMmCore does not call the corresponding
PeCoffLoaderUnloadImage, which calls PeCoffLoaderUnloadImageExtraAction,
which on AARCH64 undoes the memory protections on the image, setting the
whole memory region back to RW + NX. The core then frees this memory
and the next allocation attempts to use it, which results in a data
abort if a read only memory region is attempted to be written to.
Theoretically, other instances of the PeCoffExtraActionLib could take
other actions and so regardless of architecture, the contract with the
PeCoffLoader should be maintained.
This patch calls PeCoffLoaderUnloadImage when an image's entry point
returns a failure, before freeing the image memory. This meets the
contract and follows the DXE core behavior.
Signed-off-by: Oliver Smith-Denny <osde@microsoft.com>
If the Dispatcher fails to allocate memory for the driver that it is
trying to load then ASSERT, else the Dispatcher silently stops loading
subsequent drivers from the FV.
Signed-off-by: Girish Mahadevan <gmahadevan@nvidia.com>
Reviewed-by: Jeff Brasen <jbrasen@nvidia.com>
Add support to dispatch multiple standalone MM FVs for StandaloneMmCore.
Set the maximum supported FV count to 2.
Signed-off-by: Wei6 Xu <wei6.xu@intel.com>
MmIpl should locate MM core FV location PPI to find current MM
FV location.
Signed-off-by: Hongbin1 Zhang <hongbin1.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Wei6 Xu <wei6.xu@intel.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Supreeth Venkatesh <supreeth.venkatesh@arm.com>
