From patchwork Tue Jun 12 11:23:26 2018
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 138319
From: Ard Biesheuvel
To: edk2-devel@lists.01.org
Cc: michael.d.kinney@intel.com, jiewen.yao@intel.com, star.zeng@intel.com, leif.lindholm@linaro.org, Ard Biesheuvel
Date: Tue, 12 Jun 2018 13:23:26 +0200
Message-Id: <20180612112329.664-2-ard.biesheuvel@linaro.org>
In-Reply-To: <20180612112329.664-1-ard.biesheuvel@linaro.org>
References: <20180612112329.664-1-ard.biesheuvel@linaro.org>
Subject: [edk2] [PATCH v3 1/4] MdeModulePkg/CapsuleRuntimeDxe: clean the capsule payload to DRAM

When capsule updates are staged for processing after a warm reboot, they are copied into memory with the MMU and caches enabled. When the capsule PEI gets around to coalescing the capsule, the MMU and caches may still be disabled, and so on architectures where uncached accesses are incoherent with the caches (such as ARM and AARCH64), we need to ensure that the data passed into UpdateCapsule() is written back to main memory before performing the warm reboot.

Unfortunately, on ARM, the only type of cache maintenance instructions that are suitable for this purpose operate on virtual addresses only, and given that the UpdateCapsule() prototype includes the physical address of a linked list of scatter/gather data structures that are mapped at an address that is unknown to the firmware (and may not even be mapped at all when UpdateCapsule() is invoked), we can only perform this cache maintenance at boot time. Fortunately, both Windows and Linux only invoke UpdateCapsule() before calling ExitBootServices(), so this is not a problem in practice.

In the future, we may propose adding a secure firmware service that permits performing the cache maintenance at OS runtime, in which case this code may be enhanced to call that service if available. For now, we just fail any UpdateCapsule() calls performed at OS runtime on ARM.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ard Biesheuvel
---
 MdeModulePkg/Universal/CapsuleRuntimeDxe/Arm/CacheMaintenance.c | 70 ++++++++++++++++++++
 MdeModulePkg/Universal/CapsuleRuntimeDxe/CacheMaintenance.c | 39 +++++++++++
 MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf | 13 +++-
 MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleService.c | 24 +++++++
 4 files changed, 144 insertions(+), 2 deletions(-)

-- 
2.17.1

diff --git a/MdeModulePkg/Universal/CapsuleRuntimeDxe/Arm/CacheMaintenance.c b/MdeModulePkg/Universal/CapsuleRuntimeDxe/Arm/CacheMaintenance.c new file mode 100644 index 000000000000..dc05e345fb8d --- /dev/null +++ b/MdeModulePkg/Universal/CapsuleRuntimeDxe/Arm/CacheMaintenance.c @@ -0,0 +1,70 @@ + /** @file + Capsule cache maintenance as is required on ARM and AARCH64 + + Copyright (c) 2018, Linaro, Ltd. All rights reserved.
+ + This program and the accompanying materials are licensed and made available + under the terms and conditions of the BSD License which accompanies this + distribution. The full text of the license may be found at + http://opensource.org/licenses/bsd-license.php + + THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, + WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#include + +#include +#include + +/** + Writes Back a range of data cache lines covering a set of capsules in memory. + + Writes Back the data cache lines specified by ScatterGatherList. + + @param ScatterGatherList Physical address of the data structure that + describes a set of capsules in memory + + @return EFI_SUCCESS if the operation succeeded. + EFI_UNSUPPORTED if cache maintenance cannot be performed at this + time. + +**/ +EFI_STATUS +EFIAPI +CapsuleCacheWriteBack ( + IN EFI_PHYSICAL_ADDRESS ScatterGatherList + ) +{ + EFI_CAPSULE_BLOCK_DESCRIPTOR *Desc; + + // + // ARM requires the capsule payload to be cleaned to the point of coherency + // (PoC), but only permits doing so using cache maintenance instructions that + // operate on virtual addresses. Since at runtime, we don't know the virtual + // addresses of the data structures that make up the scatter/gather list, we + // cannot perform the maintenance, and all we can do is give up. + // + if (EfiAtRuntime ()) { + return EFI_UNSUPPORTED; + } + + Desc = (EFI_CAPSULE_BLOCK_DESCRIPTOR *)(UINTN)ScatterGatherList; + do { + WriteBackDataCacheRange (Desc, sizeof *Desc); + + if (Desc->Length > 0) { + WriteBackDataCacheRange ((VOID *)(UINTN)Desc->Union.DataBlock, + Desc->Length + ); + Desc++; + } else if (Desc->Union.ContinuationPointer > 0) { + Desc = (EFI_CAPSULE_BLOCK_DESCRIPTOR *)(UINTN)Desc->Union.ContinuationPointer; + } + } while (Desc->Length > 0 || Desc->Union.ContinuationPointer > 0); + + WriteBackDataCacheRange (Desc, sizeof *Desc); + + return EFI_SUCCESS; +} 
diff --git a/MdeModulePkg/Universal/CapsuleRuntimeDxe/CacheMaintenance.c b/MdeModulePkg/Universal/CapsuleRuntimeDxe/CacheMaintenance.c new file mode 100644 index 000000000000..fb7504bb3e1d --- /dev/null +++ b/MdeModulePkg/Universal/CapsuleRuntimeDxe/CacheMaintenance.c @@ -0,0 +1,39 @@ +/** @file + Create NULL function for capsule cache maintenance which is only needed + on ARM and AARCH64 + + Copyright (c) 2018, Linaro, Ltd. All rights reserved.
+ + This program and the accompanying materials are licensed and made available + under the terms and conditions of the BSD License which accompanies this + distribution. The full text of the license may be found at + http://opensource.org/licenses/bsd-license.php + + THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, + WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#include + +/** + Writes Back a range of data cache lines covering a set of capsules in memory. + + Writes Back the data cache lines specified by ScatterGatherList. + + @param ScatterGatherList Physical address of the data structure that + describes a set of capsules in memory + + @return EFI_SUCCESS if the operation succeeded. + EFI_UNSUPPORTED if cache maintenance cannot be performed at this + time. + +**/ +EFI_STATUS +EFIAPI +CapsuleCacheWriteBack ( + IN EFI_PHYSICAL_ADDRESS ScatterGatherList + ) +{ + return EFI_SUCCESS; +} diff --git a/MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf b/MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf index 9ab04ce1b301..3ceebc5d9646 100644 --- a/MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf +++ b/MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf @@ -27,17 +27,23 @@ [Defines] # # The following information is for reference only and not required by the build tools. # -# VALID_ARCHITECTURES = IA32 X64 IPF EBC +# VALID_ARCHITECTURES = IA32 X64 IPF EBC ARM AARCH64 # [Sources] CapsuleService.c -[Sources.Ia32, Sources.IPF, Sources.EBC, Sources.ARM, Sources.AARCH64] +[Sources.Ia32, Sources.IPF, Sources.EBC] SaveLongModeContext.c + CacheMaintenance.c [Sources.X64] X64/SaveLongModeContext.c + CacheMaintenance.c + +[Sources.ARM, Sources.AARCH64] + SaveLongModeContext.c + Arm/CacheMaintenance.c [Packages] MdePkg/MdePkg.dec 
@@ -59,6 +65,9 @@ [LibraryClasses.X64] UefiLib BaseMemoryLib +[LibraryClasses.ARM, LibraryClasses.AARCH64] + CacheMaintenanceLib + [Guids] ## SOMETIMES_PRODUCES ## Variable:L"CapsuleUpdateData" # (Process across reset capsule image) for capsule updated data ## SOMETIMES_PRODUCES ## Variable:L"CapsuleLongModeBuffer" # The long mode buffer used by IA32 Capsule PEIM to call X64 CapsuleCoalesce code to handle >4GB capsule blocks diff --git a/MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleService.c b/MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleService.c index 216798d1617e..ee8515adf62f 100644 --- a/MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleService.c +++ b/MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleService.c @@ -53,6 +53,25 @@ SaveLongModeContext ( VOID ); +/** + Writes Back a range of data cache lines covering a set of capsules in memory. + + Writes Back the data cache lines specified by ScatterGatherList. + + @param ScatterGatherList Physical address of the data structure that + describes a set of capsules in memory + + @return EFI_SUCCESS if the operation succeeded. + EFI_UNSUPPORTED if cache maintenance cannot be performed at this + time. + +**/ +EFI_STATUS +EFIAPI +CapsuleCacheWriteBack ( + IN EFI_PHYSICAL_ADDRESS ScatterGatherList + ); + /** Passes capsules to the firmware with both virtual and physical mapping. Depending on the intended consumption, the firmware may process the capsule immediately. If the payload should persist @@ -214,6 +233,11 @@ UpdateCapsule ( ); } + Status = CapsuleCacheWriteBack (ScatterGatherList); + if (EFI_ERROR (Status)) { + return Status; + } + // // ScatterGatherList is only referenced if the capsules are defined to persist across // system reset. Set its value into NV storage to let pre-boot driver to pick it up
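
Review bot: In Arm/CacheMaintenance.c, the do/while walk in CapsuleCacheWriteBack () has no bound and no validation of the caller-supplied descriptors. It follows Desc++ and Union.ContinuationPointer until it meets an entry with both fields zero, so a list that lacks a terminator, or whose continuation pointers form a cycle, keeps the loop running inside UpdateCapsule (), and a zero ScatterGatherList is dereferenced on the first iteration. Suggest rejecting a zero ScatterGatherList up front, capping the number of descriptors and continuation hops, and returning an error status when the cap is hit. Separately, Desc->Length is passed to WriteBackDataCacheRange () without the (UINTN) narrowing that the DataBlock argument gets on the line above, so check the 32-bit ARM build for silent truncation of large lengths.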
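
Review bot: In CapsuleRuntimeDxe.inf, the new [LibraryClasses.ARM, LibraryClasses.AARCH64] section adds only CacheMaintenanceLib, while Arm/CacheMaintenance.c also calls EfiAtRuntime (). Please confirm that UefiRuntimeLib is listed in the common [LibraryClasses] section, which this hunk does not show, or add it to the new section so the ARM build does not depend on it implicitly.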
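
Review bot: In the UpdateCapsule () hunk of CapsuleService.c, the new CapsuleCacheWriteBack (ScatterGatherList) call sits above the comment stating that ScatterGatherList is only referenced if the capsules persist across system reset, yet the ARM implementation dereferences the list unconditionally and returns EFI_UNSUPPORTED whenever EfiAtRuntime () is true. As placed, the visible context gives no guarantee that the list is set or that a reset is actually pending when the call runs. Suggest moving the call below the persist-across-reset checks, or guarding it on a non-zero ScatterGatherList, so that only requests that will actually be staged for the warm reboot are walked or failed.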