Date   

Re: [PATCH v14 00/46] SEV-ES guest support

Lendacky, Thomas
 

On 8/11/20 9:49 AM, Laszlo Ersek wrote:
On 08/11/20 03:12, Gao, Liming wrote:
Tom:
I run ECC plugin (https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fedk2.groups.io%2Fg%2Fdevel%2Fmessage%2F63271&;data=02%7C01%7Cthomas.lendacky%40amd.com%7C9c0fb2b16af248090fdb08d83e05c821%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637327542159394484&sdata=tCG%2FO%2BgAaAFijo2ULCSyUivk1%2Fo5XTUt%2FyY0f7Hxd7g%3D&reserved=0) in my local machine. It reports below issues. Can you help update the patches to fix them?
I use the standalone EccCheck from https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fshenglei10%2Fedk2%2Ftree%2Fecc_script&;data=02%7C01%7Cthomas.lendacky%40amd.com%7C9c0fb2b16af248090fdb08d83e05c821%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637327542159394484&sdata=J4ItgPOb7FCzO7NH12mhDNC7VrMuhxO6TFVTN51pR%2Fk%3D&reserved=0.

EFI coding style error
*Error code: 8005
*Variable name does not follow the rules: 1. First character should be upper case 2. Must contain lower case characters 3. No white space characters 4. Global variable name must start with a 'g'
*file: D:\AllPkg\edk2\OvmfPkg\Sec\SecMain.c
*Line number: 867
*The variable name [*Ds] does not follow the rules
I don't understand this report; with this series applied, line 867 is
the following:

867 UINT8 *Src, *Dst;

coming from patch v14 37/46, "OvmfPkg/Sec: Add #VC exception handling
for Sec phase".

Perhaps ECC is confused because we have two declarations on the same
line; I'm not sure.

In general I too like to keep declarations on separate lines, but there
are exceptions. Declaring *Src and *Dst on the same line is pretty
reasonable, and trivial.

I think it's time for us to put the ECC exception list to use, under
OvmfPkg.

Tom, please try to reproduce this error locally, and then modify
"OvmfPkg/OvmfPkg.ci.yaml", adding an exception under the EccCheck block.

... Oh wait, we haven't even merged Shenglei's series for that! The
latest posting is:

[edk2-devel] [PATCH v9 00/16]
Add a plugin to check Ecc issues for edk2 on open ci

and it's still under review.

Indeed, Liming says above that he used the "standalone EccCheck".

OK. In this case, I state that some of these ECC reports for OvmfPkg
should be waived.

I'm in general of the opinion that ECC is too strict, and package
maintainers should have power to selectively enforce or override ECC
reports. That's why I agreed to the ECC CI plugin in the first place --
becase we have exception lists that are controllable under specific
package directories (in the *.ci.yaml files).

In the present case, running the standalone ECC check has worse
granularity than the upcoming ECC CI plugin. So, because I can't ask Tom
to add a new exception to "OvmfPkg/OvmfPkg.ci.yaml" right now (before we
merge this series), I'm replacing that with a waiver in this email.

Of course, if maintainers of other packages want the ECC reports issued
under their packages addressed, that's their call. I can only waive ECC
reports under OvmfPkg.

EFI coding style error
*Error code: 9003
*The first line of text in a comment block should be a brief description of the element being documented and the brief description must end with a period.
*file: D:\AllPkg\edk2\OvmfPkg\Library\BaseMemEncryptSevLib\MemEncryptSevLibInternal.c
*Line number: 72
*Comment description should end with period '.'
Disagree; sometimes people use well-formed full English sentences,
sometimes only thought fragments.

EFI coding style error
*Error code: 3002
*Non-Boolean comparisons should use a compare operator (==, !=, >, < >=, <=)
*file: D:\AllPkg\edk2\OvmfPkg\Library\VmgExitLib\VmgExitVcHandler.c
*Line number: 1280
*Predicate Expression: OpCount
On the other hand, this report *is* worth fixing.

1280 while (OpCount) {

I've myself asked Tom for observing this rule at several locations, but
we both missed the one reported above. It comes from patch #14
("OvmfPkg/VmgExitLib: Support string IO for IOIO_PROT NAE events").

EFI coding style error
*Error code: 5007
*There should be no initialization of a variable as part of its declaration
*file: D:\AllPkg\edk2\OvmfPkg\Library\VmgExitLib\VmgExitVcHandler.c
*Line number: 845
*Variable Name: Data
Agree this should be fixed; I should have noticed it during review. My
apologies.

845 UINT8 *Data = (UINT8 *) Ghcb->SharedBuffer;

Comes from patch #17 ("OvmfPkg/VmgExitLib: Add support for NPF NAE
events (MMIO)").

EFI coding style error
*Error code: 5007
*There should be no initialization of a variable as part of its declaration
*file: D:\AllPkg\edk2\OvmfPkg\Library\VmgExitLib\VmgExitVcHandler.c
*Line number: 849
*Variable Name: Data
Yes, this should be fixed too:

849 UINT16 *Data = (UINT16 *) Ghcb->SharedBuffer;

Again, I should have noticed it; I'm sorry.

It comes from patch #17 ("OvmfPkg/VmgExitLib: Add support for NPF NAE
events (MMIO)") again.

Tom: given that a new iteration seems justified after all (I'm really
sorry about that -- with Shenglei's series hopefully soon merged, such
issues will be reported earlier!), if you'd like, you could address the
two ECC reports too that I said were too strict and should be ignored.
(That means breaking the "*Dst" declaration to a new line, and adding a
period to the comment.) Up to you; I certainly don't insist on those.
No worries, easy enough to do if I'm already updating the others.

I would like to be able to run this tool on my system, though, to see if
anything else gets flagged after fixing the above mentioned issues. But
the tool fails for me as I described in another post. The reason I say
that is, for example, the issue about the comment description ending with
a period was actually in multiple spots of the commit, even though the
tool only flagged one. I'd hate to think I've fixed everything only to
have the tool find more issues after I've submitted another series, all
because I couldn't run the tool.

Thanks,
Tom


Thanks!
Laszlo


Thanks
Liming
-----Original Message-----
From: Laszlo Ersek <lersek@...>
Sent: 2020年8月11日 3:36
To: devel@edk2.groups.io; thomas.lendacky@...
Cc: Brijesh Singh <brijesh.singh@...>; Ard Biesheuvel <ard.biesheuvel@...>; Dong, Eric <eric.dong@...>; Justen, Jordan L <jordan.l.justen@...>; Gao, Liming <liming.gao@...>; Kinney, Michael D <michael.d.kinney@...>; Ni, Ray <ray.ni@...>; Andrew Fish <afish@...>; Anthony Perard <anthony.perard@...>; You, Benjamin <benjamin.you@...>; Bi, Dandan <dandan.bi@...>; Dong, Guo <guo.dong@...>; Wu, Hao A <hao.a.wu@...>; Wang, Jian J <jian.j.wang@...>; Julien Grall <julien@...>; Leif Lindholm <leif@...>; Ma, Maurice <maurice.ma@...>
Subject: Re: [edk2-devel] [PATCH v14 00/46] SEV-ES guest support

On 08/07/20 21:38, Lendacky, Thomas wrote:
From: Tom Lendacky <thomas.lendacky@...>

This patch series provides support for running EDK2/OVMF under SEV-ES.

Secure Encrypted Virtualization - Encrypted State (SEV-ES) expands on
the SEV support to protect the guest register state from the
hypervisor. See
"AMD64 Architecture Programmer's Manual Volume 2: System Programming",
section "15.35 Encrypted State (SEV-ES)" [1].

In order to allow a hypervisor to perform functions on behalf of a
guest, there is architectural support for notifying a guest's
operating system when certain types of VMEXITs are about to occur.
This allows the guest to selectively share information with the
hypervisor to satisfy the requested function. The notification is
performed using a new exception, the VMM Communication exception
(#VC). The information is shared through the Guest-Hypervisor Communication Block (GHCB) using the VMGEXIT instruction.
The GHCB format and the protocol for using it is documented in "SEV-ES
Guest-Hypervisor Communication Block Standardization" [2].

The main areas of the EDK2 code that are updated to support SEV-ES are
around the exception handling support and the AP boot support.

Exception support is required starting in Sec, continuing through Pei
and into Dxe in order to handle #VC exceptions that are generated.
Each AP requires it's own GHCB page as well as a page to hold values
specific to that AP.

AP booting poses some interesting challenges. The INIT-SIPI-SIPI
sequence is typically used to boot the APs. However, the hypervisor is
not allowed to update the guest registers. The GHCB document [2] talks
about how SMP booting under SEV-ES is performed.

Since the GHCB page must be a shared (unencrypted) page, the processor
must be running in long mode in order for the guest and hypervisor to
communicate with each other. As a result, SEV-ES is only supported
under the X64 architecture.

This series adds a new library requirement for the VmgExitLib library
against the UefiCpuPkg CpuExceptionHandlerLib library and the
UefiCpuPkg MpInitLib library. The edk2-platforms repo requires
updates/patches to add the new library requirement. To accomodate
that, this series could be split between:

patch number 10:
UefiPayloadPkg: Prepare UefiPayloadPkg to use the VmgExitLib library

and patch number 11:
UefiCpuPkg/CpuExceptionHandler: Add base support for the #VC
exception

The updates to edk2-platforms can be applied at the split.

[1] https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.amd.com%2Fsystem%2Ffiles%2FTechDocs%2F24593.pdf&;data=02%7C01%7Cthomas.lendacky%40amd.com%7C9c0fb2b16af248090fdb08d83e05c821%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637327542159394484&amp;sdata=zusPC5xFZWfLxt6T5Psxb1%2Fw4mrVWnkrrECkuKSsxLk%3D&amp;reserved=0
[2] https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdeveloper.amd.com%2Fwp-content%2Fresources%2F56421.pdf&;data=02%7C01%7Cthomas.lendacky%40amd.com%7C9c0fb2b16af248090fdb08d83e05c821%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637327542159394484&amp;sdata=yk7o8h1lajI449tZfXGbPumnkvRjswKp1FRmSUdewh4%3D&amp;reserved=0

---

These patches are based on commit:
9565ab67c209 ("ShellPkg: smbiosview - Change some type 17 field values
format")

A version of the tree can be found at:
https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FAMDESE%2Fovmf%2Ftree%2Fsev-es-v22&;data=02%7C01%7Cthomas.lendacky%40amd.com%7C9c0fb2b16af248090fdb08d83e05c821%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637327542159404476&amp;sdata=6b9EqEVAy1VK38oMSuAPJhOourJpPXUnRIgMcSWRMQc%3D&amp;reserved=0

Cc: Andrew Fish <afish@...>
Cc: Anthony Perard <anthony.perard@...>
Cc: Ard Biesheuvel <ard.biesheuvel@...>
Cc: Benjamin You <benjamin.you@...>
Cc: Dandan Bi <dandan.bi@...>
Cc: Eric Dong <eric.dong@...>
Cc: Guo Dong <guo.dong@...>
Cc: Hao A Wu <hao.a.wu@...>
Cc: Jian J Wang <jian.j.wang@...>
Cc: Jordan Justen <jordan.l.justen@...>
Cc: Julien Grall <julien@...>
Cc: Laszlo Ersek <lersek@...>
Cc: Leif Lindholm <leif@...>
Cc: Liming Gao <liming.gao@...>
Cc: Maurice Ma <maurice.ma@...>
Cc: Michael D Kinney <michael.d.kinney@...>
Cc: Ray Ni <ray.ni@...>

Changes since v13:
- Fixup the AsmRelocateApLoop() call site so IA32 successfully boots APs.
Do this by appending the three new parameters without altering the
original parameter passing order.
- Minor updates to description text and help text to expand the GHCB
acronym.

Changes since v12:
- Change IA32 VMGEXIT .nasm file to issue an int 3. Depending on the
version of NASM, the "BITS 64" trick to get NASM to recognize the
VMMCALL instruction (VMGEXIT is a REP VMMCALL) caused an error. Since
SEV-ES is X64 only, VMGEXIT should never be called in IA32.

Changes since v11:
- Make the XGETBV and VMGEXIT .nasm files buildable for all environments
and remove the updates that add these instructions to GccInline.c

Changes since v10:
- Fix conflicts around GccInline.c file after moving to latest commit
- Fix conflicts with OVMF PCD values after moving to latest commit

Changes since v9:
- Fixed bit field declarations in the GHCB structure to use UINT32
and not UINT64.
- Fixed a warning produced by VS2019 in the instruction parsing code
by expliciting casting a bit shift to an INT64.
- Sorted section entries in the OVMF VmgExitLib INF file.
- Moved the new Maintainers.txt entry so entries remain sorted.
- Documentation style fixes for return values.
- Miscellaneous code style fixes.

Changes since v8:
- Move IOIO exit info definitions into Ghcb.h file
- Add a macro for calculating IO instruction bytes (IOIO_DATA_BYTES)
- Exception handler support for debug registers
- Moved the DRx register saving changes into the UefiCpuPkg patch for
base #VC support in CpuExceptionHandlerLib.
- OvmfPkg VmgExitLib
- Remove the .uni file
- Update .inf file:
- New file location for VmgExitVcHandler.c
- Add additional Packages and LibraryClasses
- Introduce a header file to hold the #VC instruction parsing related
definitions
- Include additional #defines for instruction decoding to replace
hard coded values for things like instruction prefixes and escapes.
- Replace hardcoded CPUID values with values from existing header files
and use existing CR4 definition for accessing CR4 data.
- Change the type used for obtaining data addresses in the instruction
parsing
- Switch from INTN to UINT64 and use compiler conversions and casting
to perform the correct address calculation
- ResetVector code:
- Revert some inadvertant changes introduced in v7 for reserving the
SEV-ES work area memory and for checking the status of SEV-ES.
- AP Booting
- Provide support for non-broadcast INIT-SIPI-SIPI AP boot (minimize
code duplication by creating a function to set the AP jump table
vector address).
- Fix file/directory entry in maintainer changes.
- Various coding style fixes
- Commenting, if statements, etc.
- Various documentation style fixes

Changes since v7:
- Reserve the SEV-ES workarea when S3 is enabled
- Fix warnings issued by the Visual Studio compiler
- Create a NULL VmgExitLib instance that is used for VMGEXIT
related operations as well as #VC handling. Then create the full
VmgExitLib support only in OvmfPkg - where it will be used. This
removes a bunch of implementation code from platforms that will
not be using the functionality.
- Remove single use interfaces from the VmgExitLib (VmgMmioWrite
and VmgSetApJumpTable)

Changes since v6:
- Add function comments to all functions, including local functions
- Add function parameter direction to all functions (in/out)
- Add support for MMIO MOVZX/MOVSX instructions
- Ensure the per-CPU variable page remains encrypted
- Coding-style fixes as identified by Ecc

Changes since v5:
- Remove extraneous VmgExitLib usage
- Miscellaneous changes to address feedback (coding style, etc.)

Changes since v4:
- Move the SEV-ES protocol negotiation out of the SEC exception handler
and into the SecMain.c file. As a result:
- Move the SecGhcb related PCDs out of UefiCpuPkg and into OvmfPkg
- Combine SecAMDSevVcHandler.c and PeiDxeAMDSevVcHandler.c into a
single AMDSevVcHandler.c
- Consolidate VmgExitLib usage into common LibraryClasses sections
- Add documentation comments to the VmgExitLib functions

Changes since v3:
- Remove the need for the MP library finalization routine. The AP
jump table address will be held by the hypervisor rather than
communicated via the GHCB MSR. This removes some fragility around
the UEFI to OS transition.
- Rename the SEV-ES RIP reset area to SEV-ES workarea and use it to
communicate the SEV-ES status, so that SEC CPU exception handling is
only established for an SEV-ES guest.
- Fix SMM build breakageAdd around QemuFlashPtrWrite().
- Fix SMM build breakage by adding VC exception support the SMM CPU
exception handling.
- Add memory fencing around the invocation of AsmVmgExit().
- Clarify comments around the SEV-ES AP reset RIP values and usage.
- Move some PCD definitions from MdeModulePkg to UefiCpuPkg.
- Remove the 16-bit code selector definition from MdeModulePkg

Changes since v2:
- Added a way to locate the SEV-ES fixed AP RIP address for starting
AP's to avoid updating the actual flash image (build time location
that is identified with a GUID value).
- Create a VmgExit library to replace static inline functions.
- Move some PCDs to the appropriate packages
- Add support for writing to QEMU flash under SEV-ES
- Add additional MMIO opcode support
- Cleaned up the GHCB MSR CPUID protocol support

Changes since v1:
- Patches reworked to be more specific to the component/area being updated
and order of definition/usage
- Created a library for VMGEXIT-related functions to replace use of inline
functions
- Allocation method for GDT changed from AllocatePool to AllocatePages
- Early caching only enabled for SEV-ES guests
- Ensure AP loop mode set to halt loop mode for SEV-ES guests
- Reserved SEC GHCB-related memory areas when S3 is enabled

Tom Lendacky (46):
MdeModulePkg: Create PCDs to be used in support of SEV-ES
UefiCpuPkg: Create PCD to be used in support of SEV-ES
MdePkg: Add the MSR definition for the GHCB register
MdePkg: Add a structure definition for the GHCB
MdeModulePkg/DxeIplPeim: Support GHCB pages when creating page tables
MdePkg/BaseLib: Add support for the XGETBV instruction
MdePkg/BaseLib: Add support for the VMGEXIT instruction
UefiCpuPkg: Implement library support for VMGEXIT
OvmfPkg: Prepare OvmfPkg to use the VmgExitLib library
UefiPayloadPkg: Prepare UefiPayloadPkg to use the VmgExitLib library
UefiCpuPkg/CpuExceptionHandler: Add base support for the #VC exception
OvmfPkg/VmgExitLib: Implement library support for VmgExitLib in OVMF
OvmfPkg/VmgExitLib: Add support for IOIO_PROT NAE events
OvmfPkg/VmgExitLib: Support string IO for IOIO_PROT NAE events
OvmfPkg/VmgExitLib: Add support for CPUID NAE events
OvmfPkg/VmgExitLib: Add support for MSR_PROT NAE events
OvmfPkg/VmgExitLib: Add support for NPF NAE events (MMIO)
OvmfPkg/VmgExitLib: Add support for WBINVD NAE events
OvmfPkg/VmgExitLib: Add support for RDTSC NAE events
OvmfPkg/VmgExitLib: Add support for RDPMC NAE events
OvmfPkg/VmgExitLib: Add support for INVD NAE events
OvmfPkg/VmgExitLib: Add support for VMMCALL NAE events
OvmfPkg/VmgExitLib: Add support for RDTSCP NAE events
OvmfPkg/VmgExitLib: Add support for MONITOR/MONITORX NAE events
OvmfPkg/VmgExitLib: Add support for MWAIT/MWAITX NAE events
OvmfPkg/VmgExitLib: Add support for DR7 Read/Write NAE events
OvmfPkg/MemEncryptSevLib: Add an SEV-ES guest indicator function
OvmfPkg: Add support to perform SEV-ES initialization
OvmfPkg: Create a GHCB page for use during Sec phase
OvmfPkg/PlatformPei: Reserve GHCB-related areas if S3 is supported
OvmfPkg: Create GHCB pages for use during Pei and Dxe phase
OvmfPkg/PlatformPei: Move early GDT into ram when SEV-ES is enabled
UefiCpuPkg: Create an SEV-ES workarea PCD
OvmfPkg: Reserve a page in memory for the SEV-ES usage
OvmfPkg/PlatformPei: Reserve SEV-ES work area if S3 is supported
OvmfPkg/ResetVector: Add support for a 32-bit SEV check
OvmfPkg/Sec: Add #VC exception handling for Sec phase
OvmfPkg/Sec: Enable cache early to speed up booting
OvmfPkg/QemuFlashFvbServicesRuntimeDxe: Bypass flash detection with
SEV-ES
UefiCpuPkg: Add a 16-bit protected mode code segment descriptor
UefiCpuPkg/MpInitLib: Add CPU MP data flag to indicate if SEV-ES is
enabled
UefiCpuPkg: Allow AP booting under SEV-ES
OvmfPkg: Use the SEV-ES work area for the SEV-ES AP reset vector
OvmfPkg: Move the GHCB allocations into reserved memory
UefiCpuPkg/MpInitLib: Prepare SEV-ES guest APs for OS use
Maintainers.txt: Add reviewers for the OvmfPkg SEV-related files

MdeModulePkg/MdeModulePkg.dec | 9 +
OvmfPkg/OvmfPkg.dec | 9 +
UefiCpuPkg/UefiCpuPkg.dec | 17 +
OvmfPkg/OvmfPkgIa32.dsc | 6 +
OvmfPkg/OvmfPkgIa32X64.dsc | 6 +
OvmfPkg/OvmfPkgX64.dsc | 6 +
OvmfPkg/OvmfXen.dsc | 1 +
UefiCpuPkg/UefiCpuPkg.dsc | 2 +
UefiPayloadPkg/UefiPayloadPkgIa32.dsc | 2 +
UefiPayloadPkg/UefiPayloadPkgIa32X64.dsc | 2 +
OvmfPkg/OvmfPkgX64.fdf | 9 +
MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf | 2 +
MdePkg/Library/BaseLib/BaseLib.inf | 4 +
OvmfPkg/Library/VmgExitLib/VmgExitLib.inf | 36 +
OvmfPkg/PlatformPei/PlatformPei.inf | 9 +
.../FvbServicesRuntimeDxe.inf | 2 +
OvmfPkg/ResetVector/ResetVector.inf | 8 +
OvmfPkg/Sec/SecMain.inf | 4 +
.../DxeCpuExceptionHandlerLib.inf | 1 +
.../PeiCpuExceptionHandlerLib.inf | 1 +
.../SecPeiCpuExceptionHandlerLib.inf | 1 +
.../SmmCpuExceptionHandlerLib.inf | 1 +
.../Xcode5SecPeiCpuExceptionHandlerLib.inf | 1 +
UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf | 4 +
UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf | 4 +
.../Library/VmgExitLibNull/VmgExitLibNull.inf | 27 +
.../Core/DxeIplPeim/X64/VirtualMemory.h | 12 +-
MdePkg/Include/Library/BaseLib.h | 31 +
MdePkg/Include/Register/Amd/Fam17Msr.h | 46 +
MdePkg/Include/Register/Amd/Ghcb.h | 166 ++
.../IndustryStandard/InstructionParsing.h | 83 +
OvmfPkg/Include/Library/MemEncryptSevLib.h | 12 +
.../QemuFlash.h | 13 +
UefiCpuPkg/CpuDxe/CpuGdt.h | 4 +-
UefiCpuPkg/Include/Library/VmgExitLib.h | 103 +
UefiCpuPkg/Library/MpInitLib/MpLib.h | 68 +-
.../Core/DxeIplPeim/Ia32/DxeLoadFunc.c | 4 +-
.../Core/DxeIplPeim/X64/DxeLoadFunc.c | 11 +-
.../Core/DxeIplPeim/X64/VirtualMemory.c | 57 +-
.../MemEncryptSevLibInternal.c | 75 +-
OvmfPkg/Library/VmgExitLib/VmgExitLib.c | 159 ++
OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 1716 +++++++++++++++++
OvmfPkg/PlatformPei/AmdSev.c | 89 +
OvmfPkg/PlatformPei/MemDetect.c | 43 +
.../QemuFlash.c | 23 +-
.../QemuFlashDxe.c | 40 +
.../QemuFlashSmm.c | 16 +
OvmfPkg/Sec/SecMain.c | 188 +-
UefiCpuPkg/CpuDxe/CpuGdt.c | 8 +-
.../CpuExceptionCommon.c | 10 +-
.../PeiDxeSmmCpuException.c | 20 +-
.../SecPeiCpuException.c | 19 +
UefiCpuPkg/Library/MpInitLib/DxeMpLib.c | 120 +-
UefiCpuPkg/Library/MpInitLib/MpLib.c | 337 +++-
UefiCpuPkg/Library/MpInitLib/PeiMpLib.c | 19 +
.../Library/VmgExitLibNull/VmgExitLibNull.c | 121 ++
UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c | 2 +-
Maintainers.txt | 10 +
MdeModulePkg/MdeModulePkg.uni | 8 +
MdePkg/Library/BaseLib/Ia32/VmgExit.nasm | 38 +
MdePkg/Library/BaseLib/Ia32/XGetBv.nasm | 31 +
MdePkg/Library/BaseLib/X64/VmgExit.nasm | 32 +
MdePkg/Library/BaseLib/X64/XGetBv.nasm | 34 +
OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 100 +
OvmfPkg/ResetVector/Ia32/PageTables64.asm | 351 +++-
OvmfPkg/ResetVector/ResetVector.nasmb | 20 +
.../X64/ExceptionHandlerAsm.nasm | 17 +
.../X64/Xcode5ExceptionHandlerAsm.nasm | 17 +
UefiCpuPkg/Library/MpInitLib/Ia32/MpEqu.inc | 2 +-
.../Library/MpInitLib/Ia32/MpFuncs.nasm | 20 +-
UefiCpuPkg/Library/MpInitLib/X64/MpEqu.inc | 4 +-
UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm | 369 +++-
.../Library/VmgExitLibNull/VmgExitLibNull.uni | 15 +
.../ResetVector/Vtf0/Ia16/Real16ToFlat32.asm | 9 +
UefiCpuPkg/UefiCpuPkg.uni | 11 +
75 files changed, 4777 insertions(+), 100 deletions(-) create mode
100644 OvmfPkg/Library/VmgExitLib/VmgExitLib.inf
create mode 100644
UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.inf
create mode 100644 MdePkg/Include/Register/Amd/Ghcb.h
create mode 100644
OvmfPkg/Include/IndustryStandard/InstructionParsing.h
create mode 100644 UefiCpuPkg/Include/Library/VmgExitLib.h
create mode 100644 OvmfPkg/Library/VmgExitLib/VmgExitLib.c
create mode 100644 OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
create mode 100644 UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.c
create mode 100644 MdePkg/Library/BaseLib/Ia32/VmgExit.nasm
create mode 100644 MdePkg/Library/BaseLib/Ia32/XGetBv.nasm
create mode 100644 MdePkg/Library/BaseLib/X64/VmgExit.nasm
create mode 100644 MdePkg/Library/BaseLib/X64/XGetBv.nasm
create mode 100644 OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm
create mode 100644
UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.uni
For all patches except #10 ("UefiPayloadPkg: Prepare UefiPayloadPkg to use the VmgExitLib library") and #46 ("Maintainers.txt: Add reviewers for the OvmfPkg SEV-related files"):

Regression-tested-by: Laszlo Ersek <lersek@...>

Thanks
Laszlo


Re: [PATCH v4 3/5] OvmfPkg: Add RngLib based on TimerLib for Crypto

Laszlo Ersek
 

On 08/11/20 04:21, Matthew Carlson wrote:
From: Matthew Carlson <macarl@...>

Cc: Jordan Justen <jordan.l.justen@...>
Cc: Laszlo Ersek <lersek@...>
Cc: Ard Biesheuvel <ard.biesheuvel@...>
Cc: Anthony Perard <anthony.perard@...>
Cc: Julien Grall <julien@...>
Signed-off-by: Matthew Carlson <matthewfcarlson@...>
---
OvmfPkg/OvmfPkgIa32.dsc | 1 +
OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
OvmfPkg/OvmfPkgX64.dsc | 1 +
OvmfPkg/OvmfXen.dsc | 1 +
4 files changed, 4 insertions(+)

diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 9178ffeb71cb..118fd1aff246 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -116,6 +116,7 @@
[LibraryClasses]
PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseAcpiTimerLib.inf
+ RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
ResetSystemLib|OvmfPkg/Library/ResetSystemLib/BaseResetSystemLib.inf
PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf
BaseMemoryLib|MdePkg/Library/BaseMemoryLibRepStr/BaseMemoryLibRepStr.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index a665f78f0dc7..6b9da5b996ff 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -120,6 +120,7 @@
[LibraryClasses]
PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseAcpiTimerLib.inf
+ RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
ResetSystemLib|OvmfPkg/Library/ResetSystemLib/BaseResetSystemLib.inf
PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf
BaseMemoryLib|MdePkg/Library/BaseMemoryLibRepStr/BaseMemoryLibRepStr.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 17f345acf4ee..3a354eb3a2bd 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -120,6 +120,7 @@
[LibraryClasses]
PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseAcpiTimerLib.inf
+ RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
ResetSystemLib|OvmfPkg/Library/ResetSystemLib/BaseResetSystemLib.inf
PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf
BaseMemoryLib|MdePkg/Library/BaseMemoryLibRepStr/BaseMemoryLibRepStr.inf
diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc
index 782803cb2787..f97e2b7e07d0 100644
--- a/OvmfPkg/OvmfXen.dsc
+++ b/OvmfPkg/OvmfXen.dsc
@@ -110,6 +110,7 @@
[LibraryClasses]
PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
TimerLib|MdePkg/Library/SecPeiDxeTimerLibCpu/SecPeiDxeTimerLibCpu.inf
+ RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
ResetSystemLib|OvmfPkg/Library/ResetSystemLib/BaseResetSystemLib.inf
PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf
BaseMemoryLib|MdePkg/Library/BaseMemoryLibRepStr/BaseMemoryLibRepStr.inf
(1) This patch does not cover "OvmfPkg/Bhyve/BhyvePkgX64.dsc", which
also resolves "OpensslLib".

(2) Please add the RngLib resolution just after the "OpensslLib"
resolution(s), in each of the five DSC files.

Thank you,
Laszlo


Re: [PATCH v4 4/5] ArmVirtPkg: Add RngLib based on TimerLib for CryptoPkg

Laszlo Ersek
 

On 08/11/20 04:21, Matthew Carlson wrote:
From: Matthew Carlson <macarl@...>

Cc: Laszlo Ersek <lersek@...>
Cc: Ard Biesheuvel <ard.biesheuvel@...>
Cc: Leif Lindholm <leif@...>
Signed-off-by: Matthew Carlson <matthewfcarlson@...>
---
ArmVirtPkg/ArmVirt.dsc.inc | 1 +
1 file changed, 1 insertion(+)

diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
index cf44fc73890b..ddfcd0cf9eee 100644
--- a/ArmVirtPkg/ArmVirt.dsc.inc
+++ b/ArmVirtPkg/ArmVirt.dsc.inc
@@ -42,6 +42,7 @@
DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf

BaseLib|MdePkg/Library/BaseLib/BaseLib.inf
+ RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf
BmpSupportLib|MdeModulePkg/Library/BaseBmpSupportLib/BaseBmpSupportLib.inf
SynchronizationLib|MdePkg/Library/BaseSynchronizationLib/BaseSynchronizationLib.inf
In addition to the documentation updates requested by Ard and myself
under the OvmfPkg patch (non-empty commit message body, BZ reference),
I'd like to request that we add the RngLib resolution near the
OpensslLib resolution(s). For example, right after:

!if $(NETWORK_TLS_ENABLE) == TRUE
OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
!else
OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
!endif

Thanks!
Laszlo


Re: [PATCH v4 3/5] OvmfPkg: Add RngLib based on TimerLib for Crypto

Laszlo Ersek
 

Hi Ard!

On 08/11/20 10:22, Ard Biesheuvel wrote:
On 8/11/20 4:21 AM, matthewfcarlson@... wrote:
From: Matthew Carlson <macarl@...>
How am I supposed to review this change? The commit log is empty and I
was not cc'ed on the cover letter.
Cover letter:

[edk2-devel] [PATCH v4 0/5] Use RngLib instead of TimerLib for OpensslLib

https://edk2.groups.io/g/devel/message/63944
http://mid.mail-archive.com/20200811022200.1087-1-matthewfcarlson@gmail.com

Bugzilla:

https://bugzilla.tianocore.org/show_bug.cgi?id=1871

Unfortunately, the cover letter doesn't much explain the approach
either. The latest comments in the BZ should be helpful though.

My understanding is that the timer-based "pseudo-random" generation is
factored out of "CryptoPkg/Library/OpensslLib/rand_pool_noise*" to the
new BaseRngLibTimerLib instance (see patches #1 and #5). In the middle,
platforms native to the edk2 tree and currently using "rand_pool_noise*"
are diverted to the new lib instance. (Patches #3 and #4.)

So I think the intent is to introduce no change in behavior for those
platforms, only make OpensslLib depend on the RngLib class.

Patch#2 adds BaseRngLibDxe, which depends on gEfiRngProtocolGuid.

I think the structure of the series is correct.

--*--

In edk2, we have two RNG protocol implementations,
"OvmfPkg/VirtioRngDxe" and "SecurityPkg/RandomNumberGenerator/RngDxe".
While it would be nice to use the "BaseRngLibDxe" instance in OvmfPkg
and ArmVirtPkg, *in the longer term*, I have some doubts:

- I don't know whether or how "SecurityPkg/RandomNumberGenerator/RngDxe"
applies to virtual machines.

- OvmfPkg/VirtioRngDxe does not produce gEfiRngProtocolGuid if there is
no virtio-rng-(pci|device) device configured in QEMU. So a strict depex
would not work; we'd again need some kind of OR depex.

- The ArmVirtQemu and OVMF PlatformBootManagerLib instances connect
virtio-rng-(pci|device) devices after signaling EndOfDxe. That's good
enough for boot loaders and the Linux kernel's UEFI stub, but possibly
not good enough for platform DXE drivers that need randomness before
EndOfDxe.

- The "BaseRngLibDxe" instance from patch#2 only accepts one of the
"Sp80090Ctr256", "Sp80090Hmac256", and "Sp80090Hash256" algorithms, and
"OvmfPkg/VirtioRngDxe" provides none of those.
("SecurityPkg/RandomNumberGenerator/RngDxe" seems to provide
"Sp80090Ctr256".)

But, anyway, these are just longer-term points for OvmfPkg and
ArmVirtPkg; they aren't a problem with this patch set.

In general, please try to muster up the energy to write at least one
sentence that describes *why* the patch is needed, complementing the
subject line, which in this case summarizes correctly *what* the patch
does.
Agreed.

And, in addition to the minimally one-sentence commit message body, each
commit message should reference
<https://bugzilla.tianocore.org/show_bug.cgi?id=1871>.


I'd be very happy if you could review this patch series; personally I
can only formally review patches #3 and #4.

Thanks!
Laszlo


Re: [PATCH v9 00/16] Add a plugin to check Ecc issues for edk2 on open ci

Laszlo Ersek
 

Hello Shenglei,

(+Ard)

On 08/11/20 09:01, Zhang, Shenglei wrote:
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2606
As planed we will enable Ecc check for edk2 on open ci. And they are
ready now. I appreciate receiving feedback and comments if someone
find errors or false positive issues.

I created a pipline of EccCheck for my forked edk2. Welcome everyone to
create pull request to test the quality of this plugin.
My forked tree: https://github.com/shenglei10/edk2

And I also created some test cases for ECC plugin. Below are test cases.
https://github.com/shenglei10/edk2/tree/ECC
Results can be view in below azure server.
https://dev.azure.com/shengleizhang/shengleizhang/_build?definitionId=12&_a=summary

Patches
1/16: It's a lib necessary for py3 to run Ecc on azure servers.

2/16: EccCheck.py is a plugin to report Ecc issues for commits. It can be run
on azure servers for open ci, or a local virtual environment.

3/16~16/16: We consider some cases that will report out Ecc issues but they won't
be fixed, like submodule and industry standard related things. So we
add two configuration fields "Exception" and "IgnoreFiles" for people
to use. These patches add configuration in yaml files for Ecc check.

Cc: Bob Feng <bob.c.feng@...>
Cc: Bret Barkelew <Bret.Barkelew@...>
Cc: Michael D Kinney <michael.d.kinney@...>
Cc: Liming Gao <liming.gao@...>
Cc: Sean Brogan <sean.brogan@...>

v2: Update 1/17, fix the bug that the script can't hanlde multiple commits.

v3: Update 1/17, set the only workalbe workspace is edk2 root directory.
Update 2/17, designate the version of antlr4 is 4.7.1.
Add 4/17~17/17.

v4. Update 1/17, remove the function EdksetupRebuild(), instead add
function SetupEnvironment(). Update variables' format and type hints
to pass flake8 and mypy.

v5. Conver the former method to plugin solution, to align with
other check points on open ci.

v6. The 1/16 patch is missed in v5 series. Now add it in v6.

v7. Fix a bug that Ecc plugin can not be run correctly under Linux OS.

v8. Enable error code config section to ignore certain kinds of issues,
which are always false positive in partial Ecc scaning.
All patches except 2/16 have been R-B and are not updated in v8 series.
To avoid making noise in community, I only send cover letter and 2/16 patch.
2/16: ".pytool/Plugin: Add a plugin EccCheck"


v9. Update 2/16, 3/16, 5/16 and 16/16.
2/16: ".pytool/Plugin: Add a plugin EccCheck"
3/16: "MdeModulePkg/MdeModulePkg.ci.yaml: Add configuration for Ecc check"
5/16: "CryptoPkg/CryptoPkg.ci.yaml: Add configuration for Ecc check"
16/16: "UnitTestFrameworkPkg: Add configuration for Ecc check in yaml file"

So no changes to the ArmVirtPkg and OvmfPkg patches since v7.

In v7, my Acked-by was present on both patches 04/16
("ArmVirtPkg/ArmVirtPkg.ci.yaml: Add configuration for Ecc check"):

http://mid.mail-archive.com/20200706084846.12748-5-shenglei.zhang@intel.com
https://edk2.groups.io/g/devel/message/62075

and 11/16 ("OvmfPkg/OvmfPkg.ci.yaml: Add configuration for Ecc check"):

http://mid.mail-archive.com/20200706084846.12748-12-shenglei.zhang@intel.com
https://edk2.groups.io/g/devel/message/62082

Why did you drop my A-b from the ArmVirtPkg patch in v9?

Thanks,
Laszlo

1. Enable directory path for "IgnoreFiles" section in xxxPkg.yaml. So that
users can skip a certain directory and don't need to fill in with file names.
2. Add submodule pathes in "IgnoreFiles" in MdeModulePkg.ci.yaml,
CryptoPkg.ci.yaml and UnitTestFrameworkPkg.ci.yaml.

Shenglei Zhang (16):
pip-requirements.txt: Add Ecc required lib
.pytool/Plugin: Add a plugin EccCheck
MdeModulePkg/MdeModulePkg.ci.yaml: Add configuration for Ecc check
ArmVirtPkg/ArmVirtPkg.ci.yaml: Add configuration for Ecc check
CryptoPkg/CryptoPkg.ci.yaml: Add configuration for Ecc check
EmulatorPkg/EmulatorPkg.ci.yaml: Add configuration for Ecc check
FatPkg/FatPkg.ci.yaml: Add configuration for Ecc check
FmpDevicePkg/FmpDevicePkg.ci.yaml: Add configuration for Ecc check
MdePkg/MdePkg.ci.yaml: Add configuration for Ecc check
NetworkPkg/NetworkPkg.ci.yaml: Add configuration for Ecc check
OvmfPkg/OvmfPkg.ci.yaml: Add configuration for Ecc check
PcAtChipsetPkg/PcAtChipsetPkg.ci.yaml: Add configuration for Ecc check
SecurityPkg/SecurityPkg.ci.yaml: Add configuration for Ecc check
ShellPkg/ShellPkg.ci.yaml: Add configuration for Ecc check
UefiCpuPkg/UefiCpuPkg.ci.yaml: Add configuration for Ecc check
UnitTestFrameworkPkg: Add configuration for Ecc check in yaml file

.pytool/Plugin/EccCheck/EccCheck.py | 302 ++++++++++++++++++
.pytool/Plugin/EccCheck/EccCheck_plug_in.yaml | 11 +
.pytool/Plugin/EccCheck/Readme.md | 15 +
ArmVirtPkg/ArmVirtPkg.ci.yaml | 11 +
CryptoPkg/CryptoPkg.ci.yaml | 13 +
EmulatorPkg/EmulatorPkg.ci.yaml | 11 +
FatPkg/FatPkg.ci.yaml | 12 +
FmpDevicePkg/FmpDevicePkg.ci.yaml | 12 +
MdeModulePkg/MdeModulePkg.ci.yaml | 13 +
MdePkg/MdePkg.ci.yaml | 11 +
NetworkPkg/NetworkPkg.ci.yaml | 12 +
OvmfPkg/OvmfPkg.ci.yaml | 11 +
PcAtChipsetPkg/PcAtChipsetPkg.ci.yaml | 12 +
SecurityPkg/SecurityPkg.ci.yaml | 12 +
ShellPkg/ShellPkg.ci.yaml | 12 +
UefiCpuPkg/UefiCpuPkg.ci.yaml | 12 +
.../UnitTestFrameworkPkg.ci.yaml | 11 +
pip-requirements.txt | 1 +
18 files changed, 494 insertions(+)
create mode 100644 .pytool/Plugin/EccCheck/EccCheck.py
create mode 100644 .pytool/Plugin/EccCheck/EccCheck_plug_in.yaml
create mode 100644 .pytool/Plugin/EccCheck/Readme.md


Re: [Wiki][Patch V2] Add EDK II Code First Process Wiki Page

Michael D Kinney
 

Hi Samer,

Comments included below.

Mike

-----Original Message-----
From: Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@...>
Sent: Monday, August 10, 2020 11:37 AM
To: devel@edk2.groups.io; Kinney, Michael D <michael.d.kinney@...>; rfc@edk2.groups.io
Cc: Laszlo Ersek <lersek@...>; Andrew Fish <afish@...>; Leif Lindholm <leif@...>; Samer El-Haj-
Mahmoud <Samer.El-Haj-Mahmoud@...>
Subject: RE: [edk2-devel] [Wiki][Patch V2] Add EDK II Code First Process Wiki Page

Mike,

Looks good as a starting point!

Acked-by: Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@...>


I do have a few questions on this sentence: "Specification text changes are held within the affected source repository,
using the GitHub flavor of markdown, in a file (or split across several files) with .md suffix."

- For TianoCore, is the "affected source repository" this sentence is referring to edk2-staging, or edk2?
This will typically be in the edk2-staging repository. We have no plans to put these specification text changes
into the edk2 repo. The idea of additional repositories is for upstream/downstream dependencies or other components
that may be impacted by a proposed changes (i.e. OSes). We may need to determine if we want to archive ECRs after
the spec is published and the branch has been merged.


- If the proposed specification and associated code starts in a branch in edk2-staging respiratory, when does it get
accepted into edk2/edk2-platforms? Is it when the proposed specification change reaches a certain status (such as
"accepted by industry standard forum"), or when the formal specification (with that proposed change) is published by the
UEFI Forum ?
The starting approach will wait for the change to appear in a published specification. Platforms can choose to use
before that point by merging in changes from the edk2-staging branch with the BZXXXX prefixes.


- Any guidance on the specification text md file(s) names (and location) within the repository?
In the root directory of the branch. It would be good if the Readme.md in the root clearly identified it
it is an ECR branch with link to the ECR MD document.


- If the change includes some graphics, is there any guidance on inclusion of the graphics files in the repository?
GitHub Markdown has an easy syntax to include images. We can work on some small examples/templates in the
edk2-staging repo for single MD file, multiple MD files, and adding images. Images are typically put
into an Images directory below the MD file. We may want to consider recommending SVG so they render
well at all resolutions and are small text files instead of binary formats like PNG. ASCII art inline in
the MD file is also an option.


Thanks,
--Samer



-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Michael
D Kinney via groups.io
Sent: Friday, August 7, 2020 9:07 PM
To: devel@edk2.groups.io; Kinney, Michael D
<michael.d.kinney@...>; rfc@edk2.groups.io
Cc: Laszlo Ersek <lersek@...>; Andrew Fish <afish@...>;
Leif Lindholm <leif@...>
Subject: Re: [edk2-devel] [Wiki][Patch V2] Add EDK II Code First Process
Wiki Page

A version of this Wiki page is also provided here for review:

https://github.com/mdkinney/edk2/wiki/EDK-II-Code-First-Process

Mike

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of
Michael
D Kinney
Sent: Friday, August 7, 2020 6:05 PM
To: devel@edk2.groups.io
Cc: Laszlo Ersek <lersek@...>; Andrew Fish <afish@...>;
Leif Lindholm <leif@...>
Subject: [edk2-devel] [Wiki][Patch V2] Add EDK II Code First Process
Wiki Page

Based on the following RFC:

https://edk2.groups.io/g/rfc/message/258

Additional updates:
* Add examples of all specifications currently maintained by
the UEFI Forums.
* Added specification change template using a CC-BY-4.0 license.
* Add source code example for an enum value
* Minor grammar updates to change from an RFC proposal to an
active process.

Cc: Laszlo Ersek <lersek@...>
Cc: Andrew Fish <afish@...>
Cc: Leif Lindholm <leif@...>
Signed-off-by: Michael D Kinney <michael.d.kinney@...>
---
EDK-II-Code-First-Process.md | 182
+++++++++++++++++++++++++++++++++++
1 file changed, 182 insertions(+)
create mode 100644 EDK-II-Code-First-Process.md

diff --git a/EDK-II-Code-First-Process.md
b/EDK-II-Code-First-Process.md new file mode 100644 index
0000000..d5c938e
--- /dev/null
+++ b/EDK-II-Code-First-Process.md
@@ -0,0 +1,182 @@
+The EDK II Code First Process is a process by which new features can
+be added to UEFI Forum specifications after first having been
+designed and prototyped in the open.
+
+This process lets changes and the development of new features happen
+in the open, without violating the UEFI forum bylaws which prevent
+publication of code for in-draft features/changes.
+
+The process does not in fact change the UEFI bylaws - the change is
+that the development (of both specification and code) happens in the
+open. The resulting specification update is then submitted to the
+appropriate working group as an Engineering Change Request (ECR), and
+voted on. For the UEFI Forum, this is a change in workflow, not a change
in process.
+
+ECRs are tracked in a UEFI Forum Mantis instance, access restricted
+to UEFI Forum Members. TianoCore enables this new process by
+providing areas on [TianoCore
+Bugzilla](https://bugzilla.tianocore.org) to track both specification
+updates and reference implementations and new repositories under
[TianoCore GitHub](https://github.com/tianocore) dedicated to hold "code
first".
+
+# TianoCore Bugzilla
+
+[TianoCore Bugzilla](bugzilla.tianocore.org) has a product categories
+for
+ * ACPI Specification
+ * UEFI Shell Specification
+ * UEFI Platform Initialization Distribution Packaging Specification
+ * UEFI Platform Initialization Specification Specification
+ * UEFI Specification
+
+Each product category has separate components for
+ * Specification
+ * Reference implementation
+
+# TianoCore GitHub
+
+Reference implementations targeting the EDK II open source project
+are held in branches in the
+[edk2-staging](https://github.com/tianocore/edk2-staging)
+repository.
+
+Additional repositories for implementing reference features in
+additional open source projects can be added in the future, as required.
+
+Specification text changes are held within the affected source
+repository, using the GitHub flavor of markdown, in a file (or split
+across several files) with .md suffix. Multiple files are required
+if changes impact multiple specifications or if the specification is
+large and is easier to maintain if the changes are split across multiple
files.
+
+* NOTE: This one may break down where we have a specification change
+affecting
+ multiple specifications, but at that point we can track it with
+multiple
+ TianoCore Bugzilla entries.
+
+## Specification Text Template
+
+The following is a template of specification text changes using the
+GitHub flavor of markdown. The title and complete description of the
+specification changes must be provided in the specification text
+along with the name and version of the specification the change
+applies. The `Status` of the specification change always starts in
+the `Draft` state and is updated based on feedback from the industry
+standard forums. The contents of the specification text are required
+to use the [Creative Commons Attribution 4.0
+International](https://spdx.org/licenses/CC-BY-4.0.html)
+license using a `SPDX-License-Identifier` statement.
+
+```
+# Title: [Must be Filled In]
+
+# Status: [Status]
+
+[Status] must be one of the following:
+* Draft
+* Submitted to industry standard forum
+* Accepted by industry standard forum
+* Accepted by industry standard forum with modifications
+* Rejected by industry standard forum
+
+# Document: [Title and Version]
+
+Here are some examples of [Title and Version]:
+* UEFI Specification Version 2.8
+* ACPI Specification Version 6.3
+* UEFI Shell Specification Version 2.2
+* UEFI Platform Initialization Specification Version 1.7
+* UEFI Platform Initialization Distribution Packaging Specification
+Version 1.1
+
+# License
+
+SPDX-License-Identifier: CC-BY-4.0
+
+# Submitter: [TianoCore Community](https://www.tianocore.org)
+
+# Summary of the change
+
+Required Section
+
+# Benefits of the change
+
+Required Section
+
+# Impact of the change
+
+Required Section
+
+# Detailed description of the change [normative updates]
+
+Required Section
+
+# Special Instructions
+
+Optional Section
+```
+
+# Intended workflow
+
+The entity initiating a specification change enters a Bugzilla in the
+appropriate area of [TianoCore Bugzilla](bugzilla.tianocore.org).
+This entry contains the outline of the change, and the full initial draft
text is attached.
+
+If multiple specification updates are interdependent, especially if
+between different specifications, then multiple Bugzilla entries should be
created.
+These Bugzilla entries *must* be linked together with dependencies.
+
+After the Bugzillas have been created, new branches should be created
+in the relevant repositories for each Bugzilla. The branch names
+must use the following format where #### is the Bugzilla ID and
+<Brief Description> is an optional description of the change.
+
+ BZ####-<Brief Description>
+
+If multiple Bugzilla entries must coexist on a single branch, one of
+them is designated the _top-level_, with dependencies properly
+tracked. That Bugzilla is be the one naming the branch.
+
+# Source Code
+
+In order to ensure draft code does not accidentally leak into
+production use, and to signify when the changeover from draft to
+final happens, *all* new or modified[1] identifiers must be prefixed with
the relevant BZ#### identifiers.
+
+* [1] Modified in a non-backwards-compatible way. If, for example, a
statically
+ sized array is grown - this does not need to be prefixed. But a tag in a
+ comment would be *highly* recommended.
+
+## File names
+
+New public header files require the prefix (i.e.
`Bz1234MyNewProtocol.h`).
+Private header files do not need the prefix.
+
+## Contents
+
+The tagging must follow the coding style used by each affected code
base.
+Examples:
+
+| Released in spec | Draft version in tree | Comment |
+| --- | --- | --- |
+| `FunctionName` | `Bz1234FunctionName` | |
+| `HEADER_MACRO` | `BZ1234_HEADER_MACRO` | |
+
+For data structures or enums, any new or non-backwards-compatible
+structs or fields require a prefix. As above, growing an existing
+array in an existing struct requires no prefix.
+
+| Released in spec | Draft version in tree | Comment |
+| --- | --- | --- |
+| `typedef SOME_STRUCT` | `BZ1234_SOME_STRUCT` | Typedef only [2]
|
+| `StructField` | `Bz1234StructField` | In existing struct[3] |
+| `typedef SOME_ENUM` | `BZ1234_SOME_ENUM` | Typedef only [2]
|
+| `EnumValue` | `BzEnumValue` | In existing enum[3] |
+
+* [2] If the struct or enum definition is separate from the typedef in the
public
+ header, the definition does not need the prefix.
+* [3] Individual fields in newly added struct or enum do not need prefix,
the
+ struct or enum already carried the prefix.
+
+Variable prefixes indicating global scope ('g' or 'm') go before the BZ
prefix.
+
+| Released in spec | Draft version in tree | Comment |
+| --- | --- | --- |
+| `gSomeGuid` | `gBz1234SomeGuid` | |
+
+Local identifiers, including module-global ones (m-prefixed) do not
+require a BZ prefix.
--
2.21.0.windows.1



IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are
not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use
it for any purpose, or store or copy the information in any medium. Thank you.


Re: [PATCH v14 00/46] SEV-ES guest support

Laszlo Ersek
 

On 08/11/20 03:12, Gao, Liming wrote:
Tom:
I run ECC plugin (https://edk2.groups.io/g/devel/message/63271) in my local machine. It reports below issues. Can you help update the patches to fix them?
I use the standalone EccCheck from https://github.com/shenglei10/edk2/tree/ecc_script.

EFI coding style error
*Error code: 8005
*Variable name does not follow the rules: 1. First character should be upper case 2. Must contain lower case characters 3. No white space characters 4. Global variable name must start with a 'g'
*file: D:\AllPkg\edk2\OvmfPkg\Sec\SecMain.c
*Line number: 867
*The variable name [*Ds] does not follow the rules
I don't understand this report; with this series applied, line 867 is
the following:

867 UINT8 *Src, *Dst;

coming from patch v14 37/46, "OvmfPkg/Sec: Add #VC exception handling
for Sec phase".

Perhaps ECC is confused because we have two declarations on the same
line; I'm not sure.

In general I too like to keep declarations on separate lines, but there
are exceptions. Declaring *Src and *Dst on the same line is pretty
reasonable, and trivial.

I think it's time for us to put the ECC exception list to use, under
OvmfPkg.

Tom, please try to reproduce this error locally, and then modify
"OvmfPkg/OvmfPkg.ci.yaml", adding an exception under the EccCheck block.

... Oh wait, we haven't even merged Shenglei's series for that! The
latest posting is:

[edk2-devel] [PATCH v9 00/16]
Add a plugin to check Ecc issues for edk2 on open ci

and it's still under review.

Indeed, Liming says above that he used the "standalone EccCheck".

OK. In this case, I state that some of these ECC reports for OvmfPkg
should be waived.

I'm in general of the opinion that ECC is too strict, and package
maintainers should have power to selectively enforce or override ECC
reports. That's why I agreed to the ECC CI plugin in the first place --
becase we have exception lists that are controllable under specific
package directories (in the *.ci.yaml files).

In the present case, running the standalone ECC check has worse
granularity than the upcoming ECC CI plugin. So, because I can't ask Tom
to add a new exception to "OvmfPkg/OvmfPkg.ci.yaml" right now (before we
merge this series), I'm replacing that with a waiver in this email.

Of course, if maintainers of other packages want the ECC reports issued
under their packages addressed, that's their call. I can only waive ECC
reports under OvmfPkg.

EFI coding style error
*Error code: 9003
*The first line of text in a comment block should be a brief description of the element being documented and the brief description must end with a period.
*file: D:\AllPkg\edk2\OvmfPkg\Library\BaseMemEncryptSevLib\MemEncryptSevLibInternal.c
*Line number: 72
*Comment description should end with period '.'
Disagree; sometimes people use well-formed full English sentences,
sometimes only thought fragments.

EFI coding style error
*Error code: 3002
*Non-Boolean comparisons should use a compare operator (==, !=, >, < >=, <=)
*file: D:\AllPkg\edk2\OvmfPkg\Library\VmgExitLib\VmgExitVcHandler.c
*Line number: 1280
*Predicate Expression: OpCount
On the other hand, this report *is* worth fixing.

1280 while (OpCount) {

I've myself asked Tom for observing this rule at several locations, but
we both missed the one reported above. It comes from patch #14
("OvmfPkg/VmgExitLib: Support string IO for IOIO_PROT NAE events").

EFI coding style error
*Error code: 5007
*There should be no initialization of a variable as part of its declaration
*file: D:\AllPkg\edk2\OvmfPkg\Library\VmgExitLib\VmgExitVcHandler.c
*Line number: 845
*Variable Name: Data
Agree this should be fixed; I should have noticed it during review. My
apologies.

845 UINT8 *Data = (UINT8 *) Ghcb->SharedBuffer;

Comes from patch #17 ("OvmfPkg/VmgExitLib: Add support for NPF NAE
events (MMIO)").

EFI coding style error
*Error code: 5007
*There should be no initialization of a variable as part of its declaration
*file: D:\AllPkg\edk2\OvmfPkg\Library\VmgExitLib\VmgExitVcHandler.c
*Line number: 849
*Variable Name: Data
Yes, this should be fixed too:

849 UINT16 *Data = (UINT16 *) Ghcb->SharedBuffer;

Again, I should have noticed it; I'm sorry.

It comes from patch #17 ("OvmfPkg/VmgExitLib: Add support for NPF NAE
events (MMIO)") again.

Tom: given that a new iteration seems justified after all (I'm really
sorry about that -- with Shenglei's series hopefully soon merged, such
issues will be reported earlier!), if you'd like, you could address the
two ECC reports too that I said were too strict and should be ignored.
(That means breaking the "*Dst" declaration to a new line, and adding a
period to the comment.) Up to you; I certainly don't insist on those.

Thanks!
Laszlo


Thanks
Liming
-----Original Message-----
From: Laszlo Ersek <lersek@...>
Sent: 2020年8月11日 3:36
To: devel@edk2.groups.io; thomas.lendacky@...
Cc: Brijesh Singh <brijesh.singh@...>; Ard Biesheuvel <ard.biesheuvel@...>; Dong, Eric <eric.dong@...>; Justen, Jordan L <jordan.l.justen@...>; Gao, Liming <liming.gao@...>; Kinney, Michael D <michael.d.kinney@...>; Ni, Ray <ray.ni@...>; Andrew Fish <afish@...>; Anthony Perard <anthony.perard@...>; You, Benjamin <benjamin.you@...>; Bi, Dandan <dandan.bi@...>; Dong, Guo <guo.dong@...>; Wu, Hao A <hao.a.wu@...>; Wang, Jian J <jian.j.wang@...>; Julien Grall <julien@...>; Leif Lindholm <leif@...>; Ma, Maurice <maurice.ma@...>
Subject: Re: [edk2-devel] [PATCH v14 00/46] SEV-ES guest support

On 08/07/20 21:38, Lendacky, Thomas wrote:
From: Tom Lendacky <thomas.lendacky@...>

This patch series provides support for running EDK2/OVMF under SEV-ES.

Secure Encrypted Virtualization - Encrypted State (SEV-ES) expands on
the SEV support to protect the guest register state from the
hypervisor. See
"AMD64 Architecture Programmer's Manual Volume 2: System Programming",
section "15.35 Encrypted State (SEV-ES)" [1].

In order to allow a hypervisor to perform functions on behalf of a
guest, there is architectural support for notifying a guest's
operating system when certain types of VMEXITs are about to occur.
This allows the guest to selectively share information with the
hypervisor to satisfy the requested function. The notification is
performed using a new exception, the VMM Communication exception
(#VC). The information is shared through the Guest-Hypervisor Communication Block (GHCB) using the VMGEXIT instruction.
The GHCB format and the protocol for using it is documented in "SEV-ES
Guest-Hypervisor Communication Block Standardization" [2].

The main areas of the EDK2 code that are updated to support SEV-ES are
around the exception handling support and the AP boot support.

Exception support is required starting in Sec, continuing through Pei
and into Dxe in order to handle #VC exceptions that are generated.
Each AP requires it's own GHCB page as well as a page to hold values
specific to that AP.

AP booting poses some interesting challenges. The INIT-SIPI-SIPI
sequence is typically used to boot the APs. However, the hypervisor is
not allowed to update the guest registers. The GHCB document [2] talks
about how SMP booting under SEV-ES is performed.

Since the GHCB page must be a shared (unencrypted) page, the processor
must be running in long mode in order for the guest and hypervisor to
communicate with each other. As a result, SEV-ES is only supported
under the X64 architecture.

This series adds a new library requirement for the VmgExitLib library
against the UefiCpuPkg CpuExceptionHandlerLib library and the
UefiCpuPkg MpInitLib library. The edk2-platforms repo requires
updates/patches to add the new library requirement. To accomodate
that, this series could be split between:

patch number 10:
UefiPayloadPkg: Prepare UefiPayloadPkg to use the VmgExitLib library

and patch number 11:
UefiCpuPkg/CpuExceptionHandler: Add base support for the #VC
exception

The updates to edk2-platforms can be applied at the split.

[1] https://www.amd.com/system/files/TechDocs/24593.pdf
[2] https://developer.amd.com/wp-content/resources/56421.pdf

---

These patches are based on commit:
9565ab67c209 ("ShellPkg: smbiosview - Change some type 17 field values
format")

A version of the tree can be found at:
https://github.com/AMDESE/ovmf/tree/sev-es-v22

Cc: Andrew Fish <afish@...>
Cc: Anthony Perard <anthony.perard@...>
Cc: Ard Biesheuvel <ard.biesheuvel@...>
Cc: Benjamin You <benjamin.you@...>
Cc: Dandan Bi <dandan.bi@...>
Cc: Eric Dong <eric.dong@...>
Cc: Guo Dong <guo.dong@...>
Cc: Hao A Wu <hao.a.wu@...>
Cc: Jian J Wang <jian.j.wang@...>
Cc: Jordan Justen <jordan.l.justen@...>
Cc: Julien Grall <julien@...>
Cc: Laszlo Ersek <lersek@...>
Cc: Leif Lindholm <leif@...>
Cc: Liming Gao <liming.gao@...>
Cc: Maurice Ma <maurice.ma@...>
Cc: Michael D Kinney <michael.d.kinney@...>
Cc: Ray Ni <ray.ni@...>

Changes since v13:
- Fixup the AsmRelocateApLoop() call site so IA32 successfully boots APs.
Do this by appending the three new parameters without altering the
original parameter passing order.
- Minor updates to description text and help text to expand the GHCB
acronym.

Changes since v12:
- Change IA32 VMGEXIT .nasm file to issue an int 3. Depending on the
version of NASM, the "BITS 64" trick to get NASM to recognize the
VMMCALL instruction (VMGEXIT is a REP VMMCALL) caused an error. Since
SEV-ES is X64 only, VMGEXIT should never be called in IA32.

Changes since v11:
- Make the XGETBV and VMGEXIT .nasm files buildable for all environments
and remove the updates that add these instructions to GccInline.c

Changes since v10:
- Fix conflicts around GccInline.c file after moving to latest commit
- Fix conflicts with OVMF PCD values after moving to latest commit

Changes since v9:
- Fixed bit field declarations in the GHCB structure to use UINT32
and not UINT64.
- Fixed a warning produced by VS2019 in the instruction parsing code
by expliciting casting a bit shift to an INT64.
- Sorted section entries in the OVMF VmgExitLib INF file.
- Moved the new Maintainers.txt entry so entries remain sorted.
- Documentation style fixes for return values.
- Miscellaneous code style fixes.

Changes since v8:
- Move IOIO exit info definitions into Ghcb.h file
- Add a macro for calculating IO instruction bytes (IOIO_DATA_BYTES)
- Exception handler support for debug registers
- Moved the DRx register saving changes into the UefiCpuPkg patch for
base #VC support in CpuExceptionHandlerLib.
- OvmfPkg VmgExitLib
- Remove the .uni file
- Update .inf file:
- New file location for VmgExitVcHandler.c
- Add additional Packages and LibraryClasses
- Introduce a header file to hold the #VC instruction parsing related
definitions
- Include additional #defines for instruction decoding to replace
hard coded values for things like instruction prefixes and escapes.
- Replace hardcoded CPUID values with values from existing header files
and use existing CR4 definition for accessing CR4 data.
- Change the type used for obtaining data addresses in the instruction
parsing
- Switch from INTN to UINT64 and use compiler conversions and casting
to perform the correct address calculation
- ResetVector code:
- Revert some inadvertant changes introduced in v7 for reserving the
SEV-ES work area memory and for checking the status of SEV-ES.
- AP Booting
- Provide support for non-broadcast INIT-SIPI-SIPI AP boot (minimize
code duplication by creating a function to set the AP jump table
vector address).
- Fix file/directory entry in maintainer changes.
- Various coding style fixes
- Commenting, if statements, etc.
- Various documentation style fixes

Changes since v7:
- Reserve the SEV-ES workarea when S3 is enabled
- Fix warnings issued by the Visual Studio compiler
- Create a NULL VmgExitLib instance that is used for VMGEXIT
related operations as well as #VC handling. Then create the full
VmgExitLib support only in OvmfPkg - where it will be used. This
removes a bunch of implementation code from platforms that will
not be using the functionality.
- Remove single use interfaces from the VmgExitLib (VmgMmioWrite
and VmgSetApJumpTable)

Changes since v6:
- Add function comments to all functions, including local functions
- Add function parameter direction to all functions (in/out)
- Add support for MMIO MOVZX/MOVSX instructions
- Ensure the per-CPU variable page remains encrypted
- Coding-style fixes as identified by Ecc

Changes since v5:
- Remove extraneous VmgExitLib usage
- Miscellaneous changes to address feedback (coding style, etc.)

Changes since v4:
- Move the SEV-ES protocol negotiation out of the SEC exception handler
and into the SecMain.c file. As a result:
- Move the SecGhcb related PCDs out of UefiCpuPkg and into OvmfPkg
- Combine SecAMDSevVcHandler.c and PeiDxeAMDSevVcHandler.c into a
single AMDSevVcHandler.c
- Consolidate VmgExitLib usage into common LibraryClasses sections
- Add documentation comments to the VmgExitLib functions

Changes since v3:
- Remove the need for the MP library finalization routine. The AP
jump table address will be held by the hypervisor rather than
communicated via the GHCB MSR. This removes some fragility around
the UEFI to OS transition.
- Rename the SEV-ES RIP reset area to SEV-ES workarea and use it to
communicate the SEV-ES status, so that SEC CPU exception handling is
only established for an SEV-ES guest.
- Fix SMM build breakageAdd around QemuFlashPtrWrite().
- Fix SMM build breakage by adding VC exception support the SMM CPU
exception handling.
- Add memory fencing around the invocation of AsmVmgExit().
- Clarify comments around the SEV-ES AP reset RIP values and usage.
- Move some PCD definitions from MdeModulePkg to UefiCpuPkg.
- Remove the 16-bit code selector definition from MdeModulePkg

Changes since v2:
- Added a way to locate the SEV-ES fixed AP RIP address for starting
AP's to avoid updating the actual flash image (build time location
that is identified with a GUID value).
- Create a VmgExit library to replace static inline functions.
- Move some PCDs to the appropriate packages
- Add support for writing to QEMU flash under SEV-ES
- Add additional MMIO opcode support
- Cleaned up the GHCB MSR CPUID protocol support

Changes since v1:
- Patches reworked to be more specific to the component/area being updated
and order of definition/usage
- Created a library for VMGEXIT-related functions to replace use of inline
functions
- Allocation method for GDT changed from AllocatePool to AllocatePages
- Early caching only enabled for SEV-ES guests
- Ensure AP loop mode set to halt loop mode for SEV-ES guests
- Reserved SEC GHCB-related memory areas when S3 is enabled

Tom Lendacky (46):
MdeModulePkg: Create PCDs to be used in support of SEV-ES
UefiCpuPkg: Create PCD to be used in support of SEV-ES
MdePkg: Add the MSR definition for the GHCB register
MdePkg: Add a structure definition for the GHCB
MdeModulePkg/DxeIplPeim: Support GHCB pages when creating page tables
MdePkg/BaseLib: Add support for the XGETBV instruction
MdePkg/BaseLib: Add support for the VMGEXIT instruction
UefiCpuPkg: Implement library support for VMGEXIT
OvmfPkg: Prepare OvmfPkg to use the VmgExitLib library
UefiPayloadPkg: Prepare UefiPayloadPkg to use the VmgExitLib library
UefiCpuPkg/CpuExceptionHandler: Add base support for the #VC exception
OvmfPkg/VmgExitLib: Implement library support for VmgExitLib in OVMF
OvmfPkg/VmgExitLib: Add support for IOIO_PROT NAE events
OvmfPkg/VmgExitLib: Support string IO for IOIO_PROT NAE events
OvmfPkg/VmgExitLib: Add support for CPUID NAE events
OvmfPkg/VmgExitLib: Add support for MSR_PROT NAE events
OvmfPkg/VmgExitLib: Add support for NPF NAE events (MMIO)
OvmfPkg/VmgExitLib: Add support for WBINVD NAE events
OvmfPkg/VmgExitLib: Add support for RDTSC NAE events
OvmfPkg/VmgExitLib: Add support for RDPMC NAE events
OvmfPkg/VmgExitLib: Add support for INVD NAE events
OvmfPkg/VmgExitLib: Add support for VMMCALL NAE events
OvmfPkg/VmgExitLib: Add support for RDTSCP NAE events
OvmfPkg/VmgExitLib: Add support for MONITOR/MONITORX NAE events
OvmfPkg/VmgExitLib: Add support for MWAIT/MWAITX NAE events
OvmfPkg/VmgExitLib: Add support for DR7 Read/Write NAE events
OvmfPkg/MemEncryptSevLib: Add an SEV-ES guest indicator function
OvmfPkg: Add support to perform SEV-ES initialization
OvmfPkg: Create a GHCB page for use during Sec phase
OvmfPkg/PlatformPei: Reserve GHCB-related areas if S3 is supported
OvmfPkg: Create GHCB pages for use during Pei and Dxe phase
OvmfPkg/PlatformPei: Move early GDT into ram when SEV-ES is enabled
UefiCpuPkg: Create an SEV-ES workarea PCD
OvmfPkg: Reserve a page in memory for the SEV-ES usage
OvmfPkg/PlatformPei: Reserve SEV-ES work area if S3 is supported
OvmfPkg/ResetVector: Add support for a 32-bit SEV check
OvmfPkg/Sec: Add #VC exception handling for Sec phase
OvmfPkg/Sec: Enable cache early to speed up booting
OvmfPkg/QemuFlashFvbServicesRuntimeDxe: Bypass flash detection with
SEV-ES
UefiCpuPkg: Add a 16-bit protected mode code segment descriptor
UefiCpuPkg/MpInitLib: Add CPU MP data flag to indicate if SEV-ES is
enabled
UefiCpuPkg: Allow AP booting under SEV-ES
OvmfPkg: Use the SEV-ES work area for the SEV-ES AP reset vector
OvmfPkg: Move the GHCB allocations into reserved memory
UefiCpuPkg/MpInitLib: Prepare SEV-ES guest APs for OS use
Maintainers.txt: Add reviewers for the OvmfPkg SEV-related files

MdeModulePkg/MdeModulePkg.dec | 9 +
OvmfPkg/OvmfPkg.dec | 9 +
UefiCpuPkg/UefiCpuPkg.dec | 17 +
OvmfPkg/OvmfPkgIa32.dsc | 6 +
OvmfPkg/OvmfPkgIa32X64.dsc | 6 +
OvmfPkg/OvmfPkgX64.dsc | 6 +
OvmfPkg/OvmfXen.dsc | 1 +
UefiCpuPkg/UefiCpuPkg.dsc | 2 +
UefiPayloadPkg/UefiPayloadPkgIa32.dsc | 2 +
UefiPayloadPkg/UefiPayloadPkgIa32X64.dsc | 2 +
OvmfPkg/OvmfPkgX64.fdf | 9 +
MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf | 2 +
MdePkg/Library/BaseLib/BaseLib.inf | 4 +
OvmfPkg/Library/VmgExitLib/VmgExitLib.inf | 36 +
OvmfPkg/PlatformPei/PlatformPei.inf | 9 +
.../FvbServicesRuntimeDxe.inf | 2 +
OvmfPkg/ResetVector/ResetVector.inf | 8 +
OvmfPkg/Sec/SecMain.inf | 4 +
.../DxeCpuExceptionHandlerLib.inf | 1 +
.../PeiCpuExceptionHandlerLib.inf | 1 +
.../SecPeiCpuExceptionHandlerLib.inf | 1 +
.../SmmCpuExceptionHandlerLib.inf | 1 +
.../Xcode5SecPeiCpuExceptionHandlerLib.inf | 1 +
UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf | 4 +
UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf | 4 +
.../Library/VmgExitLibNull/VmgExitLibNull.inf | 27 +
.../Core/DxeIplPeim/X64/VirtualMemory.h | 12 +-
MdePkg/Include/Library/BaseLib.h | 31 +
MdePkg/Include/Register/Amd/Fam17Msr.h | 46 +
MdePkg/Include/Register/Amd/Ghcb.h | 166 ++
.../IndustryStandard/InstructionParsing.h | 83 +
OvmfPkg/Include/Library/MemEncryptSevLib.h | 12 +
.../QemuFlash.h | 13 +
UefiCpuPkg/CpuDxe/CpuGdt.h | 4 +-
UefiCpuPkg/Include/Library/VmgExitLib.h | 103 +
UefiCpuPkg/Library/MpInitLib/MpLib.h | 68 +-
.../Core/DxeIplPeim/Ia32/DxeLoadFunc.c | 4 +-
.../Core/DxeIplPeim/X64/DxeLoadFunc.c | 11 +-
.../Core/DxeIplPeim/X64/VirtualMemory.c | 57 +-
.../MemEncryptSevLibInternal.c | 75 +-
OvmfPkg/Library/VmgExitLib/VmgExitLib.c | 159 ++
OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 1716 +++++++++++++++++
OvmfPkg/PlatformPei/AmdSev.c | 89 +
OvmfPkg/PlatformPei/MemDetect.c | 43 +
.../QemuFlash.c | 23 +-
.../QemuFlashDxe.c | 40 +
.../QemuFlashSmm.c | 16 +
OvmfPkg/Sec/SecMain.c | 188 +-
UefiCpuPkg/CpuDxe/CpuGdt.c | 8 +-
.../CpuExceptionCommon.c | 10 +-
.../PeiDxeSmmCpuException.c | 20 +-
.../SecPeiCpuException.c | 19 +
UefiCpuPkg/Library/MpInitLib/DxeMpLib.c | 120 +-
UefiCpuPkg/Library/MpInitLib/MpLib.c | 337 +++-
UefiCpuPkg/Library/MpInitLib/PeiMpLib.c | 19 +
.../Library/VmgExitLibNull/VmgExitLibNull.c | 121 ++
UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c | 2 +-
Maintainers.txt | 10 +
MdeModulePkg/MdeModulePkg.uni | 8 +
MdePkg/Library/BaseLib/Ia32/VmgExit.nasm | 38 +
MdePkg/Library/BaseLib/Ia32/XGetBv.nasm | 31 +
MdePkg/Library/BaseLib/X64/VmgExit.nasm | 32 +
MdePkg/Library/BaseLib/X64/XGetBv.nasm | 34 +
OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 100 +
OvmfPkg/ResetVector/Ia32/PageTables64.asm | 351 +++-
OvmfPkg/ResetVector/ResetVector.nasmb | 20 +
.../X64/ExceptionHandlerAsm.nasm | 17 +
.../X64/Xcode5ExceptionHandlerAsm.nasm | 17 +
UefiCpuPkg/Library/MpInitLib/Ia32/MpEqu.inc | 2 +-
.../Library/MpInitLib/Ia32/MpFuncs.nasm | 20 +-
UefiCpuPkg/Library/MpInitLib/X64/MpEqu.inc | 4 +-
UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm | 369 +++-
.../Library/VmgExitLibNull/VmgExitLibNull.uni | 15 +
.../ResetVector/Vtf0/Ia16/Real16ToFlat32.asm | 9 +
UefiCpuPkg/UefiCpuPkg.uni | 11 +
75 files changed, 4777 insertions(+), 100 deletions(-) create mode
100644 OvmfPkg/Library/VmgExitLib/VmgExitLib.inf
create mode 100644
UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.inf
create mode 100644 MdePkg/Include/Register/Amd/Ghcb.h
create mode 100644
OvmfPkg/Include/IndustryStandard/InstructionParsing.h
create mode 100644 UefiCpuPkg/Include/Library/VmgExitLib.h
create mode 100644 OvmfPkg/Library/VmgExitLib/VmgExitLib.c
create mode 100644 OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
create mode 100644 UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.c
create mode 100644 MdePkg/Library/BaseLib/Ia32/VmgExit.nasm
create mode 100644 MdePkg/Library/BaseLib/Ia32/XGetBv.nasm
create mode 100644 MdePkg/Library/BaseLib/X64/VmgExit.nasm
create mode 100644 MdePkg/Library/BaseLib/X64/XGetBv.nasm
create mode 100644 OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm
create mode 100644
UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.uni
For all patches except #10 ("UefiPayloadPkg: Prepare UefiPayloadPkg to use the VmgExitLib library") and #46 ("Maintainers.txt: Add reviewers for the OvmfPkg SEV-related files"):

Regression-tested-by: Laszlo Ersek <lersek@...>

Thanks
Laszlo


Re: [PATCH v14 00/46] SEV-ES guest support

Lendacky, Thomas
 

On 8/10/20 8:12 PM, Gao, Liming wrote:
Tom:
I run ECC plugin (https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fedk2.groups.io%2Fg%2Fdevel%2Fmessage%2F63271&;data=02%7C01%7Cthomas.lendacky%40amd.com%7Ce7a200ac9bfb47bff77e08d83d93abe6%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637327052903689176&amp;sdata=SMb6IdJWNnk2NGIMatXRUO1RB7AhdB%2B%2BMJryMiEoL78%3D&amp;reserved=0) in my local machine. It reports below issues. Can you help update the patches to fix them?
I use the standalone EccCheck from https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fshenglei10%2Fedk2%2Ftree%2Fecc_script&;data=02%7C01%7Cthomas.lendacky%40amd.com%7Ce7a200ac9bfb47bff77e08d83d93abe6%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637327052903689176&amp;sdata=B1yImgWXGeXG3fs2mo1j3Oe34hhcgXUjRCkvyew1HVw%3D&amp;reserved=0.

EFI coding style error
*Error code: 8005
*Variable name does not follow the rules: 1. First character should be upper case 2. Must contain lower case characters 3. No white space characters 4. Global variable name must start with a 'g'
*file: D:\AllPkg\edk2\OvmfPkg\Sec\SecMain.c
*Line number: 867
*The variable name [*Ds] does not follow the rules
So line 867 of SecMain.c has:

UINT8 *Src, *Dst;

which appears correct to me, so I believe that is an issue with the tool?

EFI coding style error
*Error code: 9003
*The first line of text in a comment block should be a brief description of the element being documented and the brief description must end with a period.
*file: D:\AllPkg\edk2\OvmfPkg\Library\BaseMemEncryptSevLib\MemEncryptSevLibInternal.c
*Line number: 72
*Comment description should end with period '.'
I'll fix this.

EFI coding style error
*Error code: 3002
*Non-Boolean comparisons should use a compare operator (==, !=, >, < >=, <=)
*file: D:\AllPkg\edk2\OvmfPkg\Library\VmgExitLib\VmgExitVcHandler.c
*Line number: 1280
*Predicate Expression: OpCount
I'll fix this.

EFI coding style error
*Error code: 5007
*There should be no initialization of a variable as part of its declaration
*file: D:\AllPkg\edk2\OvmfPkg\Library\VmgExitLib\VmgExitVcHandler.c
*Line number: 845
*Variable Name: Data
I'll fix this.

EFI coding style error
*Error code: 5007
*There should be no initialization of a variable as part of its declaration
*file: D:\AllPkg\edk2\OvmfPkg\Library\VmgExitLib\VmgExitVcHandler.c
*Line number: 849
*Variable Name: Data
I'll fix this.

I'm trying to run this tool on my Ubuntu installs (both 18.04 and 20.04)
and it consistently fails trying to execute a git command:

$ python3 BaseTools/Scripts/EccCheck.py
usage: git [--version] [--help] [-C <path>] [-c <name>=<value>]
[--exec-path[=<path>]] [--html-path] [--man-path] [--info-path]
[-p | --paginate | -P | --no-pager] [--no-replace-objects] [--bare]
[--git-dir=<path>] [--work-tree=<path>] [--namespace=<name>]
<command> [<args>]

These are common Git commands used in various situations:

start a working area (see also: git help tutorial)
clone Clone a repository into a new directory
init Create an empty Git repository or reinitialize an existing one

work on the current change (see also: git help everyday)
add Add file contents to the index
mv Move or rename a file, a directory, or a symlink
restore Restore working tree files
rm Remove files from the working tree and from the index
sparse-checkout Initialize and modify the sparse-checkout

examine the history and state (see also: git help revisions)
bisect Use binary search to find the commit that introduced a bug
diff Show changes between commits, commit and working tree, etc
grep Print lines matching a pattern
log Show commit logs
show Show various types of objects
status Show the working tree status

grow, mark and tweak your common history
branch List, create, or delete branches
commit Record changes to the repository
merge Join two or more development histories together
rebase Reapply commits on top of another base tip
reset Reset current HEAD to the specified state
switch Switch branches
tag Create, list, delete or verify a tag object signed with GPG

collaborate (see also: git help workflows)
fetch Download objects and refs from another repository
pull Fetch from and integrate with another repository or a local branch
push Update remote refs along with associated objects

'git help -a' and 'git help -g' list available subcommands and some
concept guides. See 'git help <command>' or 'git help <concept>'
to read about a specific subcommand or concept.
See 'git help git' for an overview of the system.
Fail to run GIT
ECC tool detect error

I've also tried specifying -1, a commit id, etc., but the same thing happens.

Has this been run/tested on Ubuntu? Is there something specific that needs
to be done in order to run this tool?

Thanks,
Tom


Thanks
Liming
-----Original Message-----
From: Laszlo Ersek <lersek@...>
Sent: 2020年8月11日 3:36
To: devel@edk2.groups.io; thomas.lendacky@...
Cc: Brijesh Singh <brijesh.singh@...>; Ard Biesheuvel <ard.biesheuvel@...>; Dong, Eric <eric.dong@...>; Justen, Jordan L <jordan.l.justen@...>; Gao, Liming <liming.gao@...>; Kinney, Michael D <michael.d.kinney@...>; Ni, Ray <ray.ni@...>; Andrew Fish <afish@...>; Anthony Perard <anthony.perard@...>; You, Benjamin <benjamin.you@...>; Bi, Dandan <dandan.bi@...>; Dong, Guo <guo.dong@...>; Wu, Hao A <hao.a.wu@...>; Wang, Jian J <jian.j.wang@...>; Julien Grall <julien@...>; Leif Lindholm <leif@...>; Ma, Maurice <maurice.ma@...>
Subject: Re: [edk2-devel] [PATCH v14 00/46] SEV-ES guest support

On 08/07/20 21:38, Lendacky, Thomas wrote:
From: Tom Lendacky <thomas.lendacky@...>

This patch series provides support for running EDK2/OVMF under SEV-ES.

Secure Encrypted Virtualization - Encrypted State (SEV-ES) expands on
the SEV support to protect the guest register state from the
hypervisor. See
"AMD64 Architecture Programmer's Manual Volume 2: System Programming",
section "15.35 Encrypted State (SEV-ES)" [1].

In order to allow a hypervisor to perform functions on behalf of a
guest, there is architectural support for notifying a guest's
operating system when certain types of VMEXITs are about to occur.
This allows the guest to selectively share information with the
hypervisor to satisfy the requested function. The notification is
performed using a new exception, the VMM Communication exception
(#VC). The information is shared through the Guest-Hypervisor Communication Block (GHCB) using the VMGEXIT instruction.
The GHCB format and the protocol for using it is documented in "SEV-ES
Guest-Hypervisor Communication Block Standardization" [2].

The main areas of the EDK2 code that are updated to support SEV-ES are
around the exception handling support and the AP boot support.

Exception support is required starting in Sec, continuing through Pei
and into Dxe in order to handle #VC exceptions that are generated.
Each AP requires it's own GHCB page as well as a page to hold values
specific to that AP.

AP booting poses some interesting challenges. The INIT-SIPI-SIPI
sequence is typically used to boot the APs. However, the hypervisor is
not allowed to update the guest registers. The GHCB document [2] talks
about how SMP booting under SEV-ES is performed.

Since the GHCB page must be a shared (unencrypted) page, the processor
must be running in long mode in order for the guest and hypervisor to
communicate with each other. As a result, SEV-ES is only supported
under the X64 architecture.

This series adds a new library requirement for the VmgExitLib library
against the UefiCpuPkg CpuExceptionHandlerLib library and the
UefiCpuPkg MpInitLib library. The edk2-platforms repo requires
updates/patches to add the new library requirement. To accomodate
that, this series could be split between:

patch number 10:
UefiPayloadPkg: Prepare UefiPayloadPkg to use the VmgExitLib library

and patch number 11:
UefiCpuPkg/CpuExceptionHandler: Add base support for the #VC
exception

The updates to edk2-platforms can be applied at the split.

[1] https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.amd.com%2Fsystem%2Ffiles%2FTechDocs%2F24593.pdf&;data=02%7C01%7Cthomas.lendacky%40amd.com%7Ce7a200ac9bfb47bff77e08d83d93abe6%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637327052903689176&amp;sdata=laSNrQUXRN7lLHNNWKvVSRqJk7VGviYtTTJ%2F%2BqiTQKY%3D&amp;reserved=0
[2] https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdeveloper.amd.com%2Fwp-content%2Fresources%2F56421.pdf&;data=02%7C01%7Cthomas.lendacky%40amd.com%7Ce7a200ac9bfb47bff77e08d83d93abe6%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637327052903689176&amp;sdata=yCRA3fdXO3Mgg%2BiqgQ3ERY4WUHs3OVmzPA7jL8Tq0wE%3D&amp;reserved=0

---

These patches are based on commit:
9565ab67c209 ("ShellPkg: smbiosview - Change some type 17 field values
format")

A version of the tree can be found at:
https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FAMDESE%2Fovmf%2Ftree%2Fsev-es-v22&;data=02%7C01%7Cthomas.lendacky%40amd.com%7Ce7a200ac9bfb47bff77e08d83d93abe6%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637327052903689176&amp;sdata=5AHBB1tfOdODnXo9XQqbdzzAXc3s38%2Bwb2ICZs1dRXg%3D&amp;reserved=0

Cc: Andrew Fish <afish@...>
Cc: Anthony Perard <anthony.perard@...>
Cc: Ard Biesheuvel <ard.biesheuvel@...>
Cc: Benjamin You <benjamin.you@...>
Cc: Dandan Bi <dandan.bi@...>
Cc: Eric Dong <eric.dong@...>
Cc: Guo Dong <guo.dong@...>
Cc: Hao A Wu <hao.a.wu@...>
Cc: Jian J Wang <jian.j.wang@...>
Cc: Jordan Justen <jordan.l.justen@...>
Cc: Julien Grall <julien@...>
Cc: Laszlo Ersek <lersek@...>
Cc: Leif Lindholm <leif@...>
Cc: Liming Gao <liming.gao@...>
Cc: Maurice Ma <maurice.ma@...>
Cc: Michael D Kinney <michael.d.kinney@...>
Cc: Ray Ni <ray.ni@...>

Changes since v13:
- Fixup the AsmRelocateApLoop() call site so IA32 successfully boots APs.
Do this by appending the three new parameters without altering the
original parameter passing order.
- Minor updates to description text and help text to expand the GHCB
acronym.

Changes since v12:
- Change IA32 VMGEXIT .nasm file to issue an int 3. Depending on the
version of NASM, the "BITS 64" trick to get NASM to recognize the
VMMCALL instruction (VMGEXIT is a REP VMMCALL) caused an error. Since
SEV-ES is X64 only, VMGEXIT should never be called in IA32.

Changes since v11:
- Make the XGETBV and VMGEXIT .nasm files buildable for all environments
and remove the updates that add these instructions to GccInline.c

Changes since v10:
- Fix conflicts around GccInline.c file after moving to latest commit
- Fix conflicts with OVMF PCD values after moving to latest commit

Changes since v9:
- Fixed bit field declarations in the GHCB structure to use UINT32
and not UINT64.
- Fixed a warning produced by VS2019 in the instruction parsing code
by expliciting casting a bit shift to an INT64.
- Sorted section entries in the OVMF VmgExitLib INF file.
- Moved the new Maintainers.txt entry so entries remain sorted.
- Documentation style fixes for return values.
- Miscellaneous code style fixes.

Changes since v8:
- Move IOIO exit info definitions into Ghcb.h file
- Add a macro for calculating IO instruction bytes (IOIO_DATA_BYTES)
- Exception handler support for debug registers
- Moved the DRx register saving changes into the UefiCpuPkg patch for
base #VC support in CpuExceptionHandlerLib.
- OvmfPkg VmgExitLib
- Remove the .uni file
- Update .inf file:
- New file location for VmgExitVcHandler.c
- Add additional Packages and LibraryClasses
- Introduce a header file to hold the #VC instruction parsing related
definitions
- Include additional #defines for instruction decoding to replace
hard coded values for things like instruction prefixes and escapes.
- Replace hardcoded CPUID values with values from existing header files
and use existing CR4 definition for accessing CR4 data.
- Change the type used for obtaining data addresses in the instruction
parsing
- Switch from INTN to UINT64 and use compiler conversions and casting
to perform the correct address calculation
- ResetVector code:
- Revert some inadvertant changes introduced in v7 for reserving the
SEV-ES work area memory and for checking the status of SEV-ES.
- AP Booting
- Provide support for non-broadcast INIT-SIPI-SIPI AP boot (minimize
code duplication by creating a function to set the AP jump table
vector address).
- Fix file/directory entry in maintainer changes.
- Various coding style fixes
- Commenting, if statements, etc.
- Various documentation style fixes

Changes since v7:
- Reserve the SEV-ES workarea when S3 is enabled
- Fix warnings issued by the Visual Studio compiler
- Create a NULL VmgExitLib instance that is used for VMGEXIT
related operations as well as #VC handling. Then create the full
VmgExitLib support only in OvmfPkg - where it will be used. This
removes a bunch of implementation code from platforms that will
not be using the functionality.
- Remove single use interfaces from the VmgExitLib (VmgMmioWrite
and VmgSetApJumpTable)

Changes since v6:
- Add function comments to all functions, including local functions
- Add function parameter direction to all functions (in/out)
- Add support for MMIO MOVZX/MOVSX instructions
- Ensure the per-CPU variable page remains encrypted
- Coding-style fixes as identified by Ecc

Changes since v5:
- Remove extraneous VmgExitLib usage
- Miscellaneous changes to address feedback (coding style, etc.)

Changes since v4:
- Move the SEV-ES protocol negotiation out of the SEC exception handler
and into the SecMain.c file. As a result:
- Move the SecGhcb related PCDs out of UefiCpuPkg and into OvmfPkg
- Combine SecAMDSevVcHandler.c and PeiDxeAMDSevVcHandler.c into a
single AMDSevVcHandler.c
- Consolidate VmgExitLib usage into common LibraryClasses sections
- Add documentation comments to the VmgExitLib functions

Changes since v3:
- Remove the need for the MP library finalization routine. The AP
jump table address will be held by the hypervisor rather than
communicated via the GHCB MSR. This removes some fragility around
the UEFI to OS transition.
- Rename the SEV-ES RIP reset area to SEV-ES workarea and use it to
communicate the SEV-ES status, so that SEC CPU exception handling is
only established for an SEV-ES guest.
- Fix SMM build breakageAdd around QemuFlashPtrWrite().
- Fix SMM build breakage by adding VC exception support the SMM CPU
exception handling.
- Add memory fencing around the invocation of AsmVmgExit().
- Clarify comments around the SEV-ES AP reset RIP values and usage.
- Move some PCD definitions from MdeModulePkg to UefiCpuPkg.
- Remove the 16-bit code selector definition from MdeModulePkg

Changes since v2:
- Added a way to locate the SEV-ES fixed AP RIP address for starting
AP's to avoid updating the actual flash image (build time location
that is identified with a GUID value).
- Create a VmgExit library to replace static inline functions.
- Move some PCDs to the appropriate packages
- Add support for writing to QEMU flash under SEV-ES
- Add additional MMIO opcode support
- Cleaned up the GHCB MSR CPUID protocol support

Changes since v1:
- Patches reworked to be more specific to the component/area being updated
and order of definition/usage
- Created a library for VMGEXIT-related functions to replace use of inline
functions
- Allocation method for GDT changed from AllocatePool to AllocatePages
- Early caching only enabled for SEV-ES guests
- Ensure AP loop mode set to halt loop mode for SEV-ES guests
- Reserved SEC GHCB-related memory areas when S3 is enabled

Tom Lendacky (46):
MdeModulePkg: Create PCDs to be used in support of SEV-ES
UefiCpuPkg: Create PCD to be used in support of SEV-ES
MdePkg: Add the MSR definition for the GHCB register
MdePkg: Add a structure definition for the GHCB
MdeModulePkg/DxeIplPeim: Support GHCB pages when creating page tables
MdePkg/BaseLib: Add support for the XGETBV instruction
MdePkg/BaseLib: Add support for the VMGEXIT instruction
UefiCpuPkg: Implement library support for VMGEXIT
OvmfPkg: Prepare OvmfPkg to use the VmgExitLib library
UefiPayloadPkg: Prepare UefiPayloadPkg to use the VmgExitLib library
UefiCpuPkg/CpuExceptionHandler: Add base support for the #VC exception
OvmfPkg/VmgExitLib: Implement library support for VmgExitLib in OVMF
OvmfPkg/VmgExitLib: Add support for IOIO_PROT NAE events
OvmfPkg/VmgExitLib: Support string IO for IOIO_PROT NAE events
OvmfPkg/VmgExitLib: Add support for CPUID NAE events
OvmfPkg/VmgExitLib: Add support for MSR_PROT NAE events
OvmfPkg/VmgExitLib: Add support for NPF NAE events (MMIO)
OvmfPkg/VmgExitLib: Add support for WBINVD NAE events
OvmfPkg/VmgExitLib: Add support for RDTSC NAE events
OvmfPkg/VmgExitLib: Add support for RDPMC NAE events
OvmfPkg/VmgExitLib: Add support for INVD NAE events
OvmfPkg/VmgExitLib: Add support for VMMCALL NAE events
OvmfPkg/VmgExitLib: Add support for RDTSCP NAE events
OvmfPkg/VmgExitLib: Add support for MONITOR/MONITORX NAE events
OvmfPkg/VmgExitLib: Add support for MWAIT/MWAITX NAE events
OvmfPkg/VmgExitLib: Add support for DR7 Read/Write NAE events
OvmfPkg/MemEncryptSevLib: Add an SEV-ES guest indicator function
OvmfPkg: Add support to perform SEV-ES initialization
OvmfPkg: Create a GHCB page for use during Sec phase
OvmfPkg/PlatformPei: Reserve GHCB-related areas if S3 is supported
OvmfPkg: Create GHCB pages for use during Pei and Dxe phase
OvmfPkg/PlatformPei: Move early GDT into ram when SEV-ES is enabled
UefiCpuPkg: Create an SEV-ES workarea PCD
OvmfPkg: Reserve a page in memory for the SEV-ES usage
OvmfPkg/PlatformPei: Reserve SEV-ES work area if S3 is supported
OvmfPkg/ResetVector: Add support for a 32-bit SEV check
OvmfPkg/Sec: Add #VC exception handling for Sec phase
OvmfPkg/Sec: Enable cache early to speed up booting
OvmfPkg/QemuFlashFvbServicesRuntimeDxe: Bypass flash detection with
SEV-ES
UefiCpuPkg: Add a 16-bit protected mode code segment descriptor
UefiCpuPkg/MpInitLib: Add CPU MP data flag to indicate if SEV-ES is
enabled
UefiCpuPkg: Allow AP booting under SEV-ES
OvmfPkg: Use the SEV-ES work area for the SEV-ES AP reset vector
OvmfPkg: Move the GHCB allocations into reserved memory
UefiCpuPkg/MpInitLib: Prepare SEV-ES guest APs for OS use
Maintainers.txt: Add reviewers for the OvmfPkg SEV-related files

MdeModulePkg/MdeModulePkg.dec | 9 +
OvmfPkg/OvmfPkg.dec | 9 +
UefiCpuPkg/UefiCpuPkg.dec | 17 +
OvmfPkg/OvmfPkgIa32.dsc | 6 +
OvmfPkg/OvmfPkgIa32X64.dsc | 6 +
OvmfPkg/OvmfPkgX64.dsc | 6 +
OvmfPkg/OvmfXen.dsc | 1 +
UefiCpuPkg/UefiCpuPkg.dsc | 2 +
UefiPayloadPkg/UefiPayloadPkgIa32.dsc | 2 +
UefiPayloadPkg/UefiPayloadPkgIa32X64.dsc | 2 +
OvmfPkg/OvmfPkgX64.fdf | 9 +
MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf | 2 +
MdePkg/Library/BaseLib/BaseLib.inf | 4 +
OvmfPkg/Library/VmgExitLib/VmgExitLib.inf | 36 +
OvmfPkg/PlatformPei/PlatformPei.inf | 9 +
.../FvbServicesRuntimeDxe.inf | 2 +
OvmfPkg/ResetVector/ResetVector.inf | 8 +
OvmfPkg/Sec/SecMain.inf | 4 +
.../DxeCpuExceptionHandlerLib.inf | 1 +
.../PeiCpuExceptionHandlerLib.inf | 1 +
.../SecPeiCpuExceptionHandlerLib.inf | 1 +
.../SmmCpuExceptionHandlerLib.inf | 1 +
.../Xcode5SecPeiCpuExceptionHandlerLib.inf | 1 +
UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf | 4 +
UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf | 4 +
.../Library/VmgExitLibNull/VmgExitLibNull.inf | 27 +
.../Core/DxeIplPeim/X64/VirtualMemory.h | 12 +-
MdePkg/Include/Library/BaseLib.h | 31 +
MdePkg/Include/Register/Amd/Fam17Msr.h | 46 +
MdePkg/Include/Register/Amd/Ghcb.h | 166 ++
.../IndustryStandard/InstructionParsing.h | 83 +
OvmfPkg/Include/Library/MemEncryptSevLib.h | 12 +
.../QemuFlash.h | 13 +
UefiCpuPkg/CpuDxe/CpuGdt.h | 4 +-
UefiCpuPkg/Include/Library/VmgExitLib.h | 103 +
UefiCpuPkg/Library/MpInitLib/MpLib.h | 68 +-
.../Core/DxeIplPeim/Ia32/DxeLoadFunc.c | 4 +-
.../Core/DxeIplPeim/X64/DxeLoadFunc.c | 11 +-
.../Core/DxeIplPeim/X64/VirtualMemory.c | 57 +-
.../MemEncryptSevLibInternal.c | 75 +-
OvmfPkg/Library/VmgExitLib/VmgExitLib.c | 159 ++
OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 1716 +++++++++++++++++
OvmfPkg/PlatformPei/AmdSev.c | 89 +
OvmfPkg/PlatformPei/MemDetect.c | 43 +
.../QemuFlash.c | 23 +-
.../QemuFlashDxe.c | 40 +
.../QemuFlashSmm.c | 16 +
OvmfPkg/Sec/SecMain.c | 188 +-
UefiCpuPkg/CpuDxe/CpuGdt.c | 8 +-
.../CpuExceptionCommon.c | 10 +-
.../PeiDxeSmmCpuException.c | 20 +-
.../SecPeiCpuException.c | 19 +
UefiCpuPkg/Library/MpInitLib/DxeMpLib.c | 120 +-
UefiCpuPkg/Library/MpInitLib/MpLib.c | 337 +++-
UefiCpuPkg/Library/MpInitLib/PeiMpLib.c | 19 +
.../Library/VmgExitLibNull/VmgExitLibNull.c | 121 ++
UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c | 2 +-
Maintainers.txt | 10 +
MdeModulePkg/MdeModulePkg.uni | 8 +
MdePkg/Library/BaseLib/Ia32/VmgExit.nasm | 38 +
MdePkg/Library/BaseLib/Ia32/XGetBv.nasm | 31 +
MdePkg/Library/BaseLib/X64/VmgExit.nasm | 32 +
MdePkg/Library/BaseLib/X64/XGetBv.nasm | 34 +
OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 100 +
OvmfPkg/ResetVector/Ia32/PageTables64.asm | 351 +++-
OvmfPkg/ResetVector/ResetVector.nasmb | 20 +
.../X64/ExceptionHandlerAsm.nasm | 17 +
.../X64/Xcode5ExceptionHandlerAsm.nasm | 17 +
UefiCpuPkg/Library/MpInitLib/Ia32/MpEqu.inc | 2 +-
.../Library/MpInitLib/Ia32/MpFuncs.nasm | 20 +-
UefiCpuPkg/Library/MpInitLib/X64/MpEqu.inc | 4 +-
UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm | 369 +++-
.../Library/VmgExitLibNull/VmgExitLibNull.uni | 15 +
.../ResetVector/Vtf0/Ia16/Real16ToFlat32.asm | 9 +
UefiCpuPkg/UefiCpuPkg.uni | 11 +
75 files changed, 4777 insertions(+), 100 deletions(-) create mode
100644 OvmfPkg/Library/VmgExitLib/VmgExitLib.inf
create mode 100644
UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.inf
create mode 100644 MdePkg/Include/Register/Amd/Ghcb.h
create mode 100644
OvmfPkg/Include/IndustryStandard/InstructionParsing.h
create mode 100644 UefiCpuPkg/Include/Library/VmgExitLib.h
create mode 100644 OvmfPkg/Library/VmgExitLib/VmgExitLib.c
create mode 100644 OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c
create mode 100644 UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.c
create mode 100644 MdePkg/Library/BaseLib/Ia32/VmgExit.nasm
create mode 100644 MdePkg/Library/BaseLib/Ia32/XGetBv.nasm
create mode 100644 MdePkg/Library/BaseLib/X64/VmgExit.nasm
create mode 100644 MdePkg/Library/BaseLib/X64/XGetBv.nasm
create mode 100644 OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm
create mode 100644
UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.uni
For all patches except #10 ("UefiPayloadPkg: Prepare UefiPayloadPkg to use the VmgExitLib library") and #46 ("Maintainers.txt: Add reviewers for the OvmfPkg SEV-related files"):

Regression-tested-by: Laszlo Ersek <lersek@...>

Thanks
Laszlo


Re: [PATCH v6 00/14] Add the VariablePolicy feature

Dandan Bi
 

Hi Bret,

Sorry for the delayed response.

Some more comments here:

1. Currently I see the LockVaribePolicy is called at ReadyToBoot by variable driver, could we update it to be called at EndOfDxe? We should prevent malicious code registering policy after EndOfDxe for security concern. And could we also add the test case to check the variable policy is locked at EndofDxe?

2. For patch 4, the SMM communication, some general guidelines for SMI handler:
a) Check whether the communication buffer is outside SMM and valid.
For this feature, please double check whether the communication buffer is checked, if all the range in communication buffer has already been checked within existing edk2 core infrastructure, please also add the comments in the code to mention that it has been checked.

b) Should copy the communication buffer to SMRAM before checking the data fields to avoid TOC/TOU attac
For this feature, for example, when dump variable policy, if malicious code updates the DumpParams->TotalSize in communication buffer to smaller one to allocate the PaginationCache buffer, and then update it the correct one and dump the variable policy data into the PaginationCache buffer, it will cause buffer overflow in this case. So please double check the code and copy the communication buffer into SMRAM to avoid such kind issue.

3. Did you do any security test for this feature?

4. Currently, LockVariablePolicy can prevent RegisterVariablePolicy and DisableVariablePolicy. So in SMI hander, could we check the variable policy is locked or not firstly and then decide whether need to check and execution for VAR_CHECK_POLICY_COMMAND_REGISTER and VAR_CHECK_POLICY_COMMAND_DISABLE?

5. Since there is the logic when variable policy is disabled, it will permit deletion of auth/protected variables. Could we add some comments in code to mention that variable policy should always be enabled for security concern to avoid giving bad example?


Thanks,
Dandan

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Dandan
Bi
Sent: Thursday, July 2, 2020 10:14 AM
To: devel@edk2.groups.io; bret@...
Cc: Yao, Jiewen <jiewen.yao@...>; Zhang, Chao B
<chao.b.zhang@...>; Wang, Jian J <jian.j.wang@...>; Wu, Hao
A <hao.a.wu@...>; Gao, Liming <liming.gao@...>; Justen,
Jordan L <jordan.l.justen@...>; Laszlo Ersek <lersek@...>;
Ard Biesheuvel <ard.biesheuvel@...>; Andrew Fish
<afish@...>; Ni, Ray <ray.ni@...>
Subject: Re: [edk2-devel] [PATCH v6 00/14] Add the VariablePolicy feature

Hi Bret,

Thanks for the contribution.

I have taken an overview of this patch series and have some small comments
in the related patches, please check in sub-patch.

I will review the patch series more in details and bring more comments back
if have. Do you have a branch for these patches in GitHub? Which should be
easy for review.


Thanks,
Dandan

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Bret
Barkelew
Sent: Tuesday, June 23, 2020 2:41 PM
To: devel@edk2.groups.io
Cc: Yao, Jiewen <jiewen.yao@...>; Zhang, Chao B
<chao.b.zhang@...>; Wang, Jian J <jian.j.wang@...>; Wu,
Hao A <hao.a.wu@...>; Gao, Liming <liming.gao@...>;
Justen, Jordan L <jordan.l.justen@...>; Laszlo Ersek
<lersek@...>; Ard Biesheuvel <ard.biesheuvel@...>;
Andrew
Fish <afish@...>; Ni, Ray <ray.ni@...>
Subject: [edk2-devel] [PATCH v6 00/14] Add the VariablePolicy feature

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2522

The 14 patches in this series add the VariablePolicy feature to the
core, deprecate Edk2VarLock (while adding a compatibility layer to
reduce code churn), and integrate the VariablePolicy libraries and
protocols into Variable Services.

Since the integration requires multiple changes, including adding
libraries, a protocol, an SMI communication handler, and
VariableServices integration, the patches are broken up by individual
library additions and then a final integration. Security-sensitive
changes like bypassing Authenticated Variable enforcement are also
broken out into individual patches so that attention can be called directly to
them.

Platform porting instructions are described in this wiki entry:
https://github.com/tianocore/tianocore.github.io/wiki/VariablePolicy-
Protocol---Enhanced-Method-for-Managing-Variables#platform-porting

Discussion of the feature can be found in multiple places throughout
the last year on the RFC channel, staging branches, and in devel.

Most recently, this subject was discussed in this thread:
https://edk2.groups.io/g/devel/message/53712
(the code branches shared in that discussion are now out of date, but
the whitepapers and discussion are relevant).

Cc: Jiewen Yao <jiewen.yao@...>
Cc: Chao Zhang <chao.b.zhang@...>
Cc: Jian J Wang <jian.j.wang@...>
Cc: Hao A Wu <hao.a.wu@...>
Cc: Liming Gao <liming.gao@...>
Cc: Jordan Justen <jordan.l.justen@...>
Cc: Laszlo Ersek <lersek@...>
Cc: Ard Biesheuvel <ard.biesheuvel@...>
Cc: Andrew Fish <afish@...>
Cc: Ray Ni <ray.ni@...>
Cc: Bret Barkelew <brbarkel@...>
Signed-off-by: Bret Barkelew <brbarkel@...>

v6 changes:
* Fix an issue with uninitialized Status in InitVariablePolicyLib()
and
DeinitVariablePolicyLib()
* Fix GCC building in shell-based functional test
* Rebase on latest origin/master

v5 changes:
* Fix the CONST mismatch in VariablePolicy.h and
VariablePolicySmmDxe.c
* Fix EFIAPI mismatches in the functional unittest
* Rebase on latest origin/master

v4 changes:
* Remove Optional PcdAllowVariablePolicyEnforcementDisable PCD from
platforms
* Rebase on master
* Migrate to new MmCommunicate2 protocol
* Fix an oversight in the default return value for
InitMmCommonCommBuffer
* Fix in VariablePolicyLib to allow ExtraInitRuntimeDxe to consume
variables

V3 changes:
* Address all non-unittest issues with ECC
* Make additional style changes
* Include section name in hunk headers in "ini-style" files
* Remove requirement for the EdkiiPiSmmCommunicationsRegionTable
driver
(now allocates its own buffer)
* Change names from VARIABLE_POLICY_PROTOCOL and
gVariablePolicyProtocolGuid
to EDKII_VARIABLE_POLICY_PROTOCOL and
gEdkiiVariablePolicyProtocolGuid
* Fix GCC warning about initializing externs
* Add UNI strings for new PCD
* Add patches for ArmVirtPkg, OvmfXen, and UefiPayloadPkg
* Reorder patches according to Liming's feedback about adding to
platforms
before changing variable driver

V2 changes:
* Fixed implementation for RuntimeDxe
* Add PCD to block DisableVariablePolicy
* Fix the DumpVariablePolicy pagination in SMM

Bret Barkelew (14):
MdeModulePkg: Define the VariablePolicy protocol interface
MdeModulePkg: Define the VariablePolicyLib
MdeModulePkg: Define the VariablePolicyHelperLib
MdeModulePkg: Define the VarCheckPolicyLib and SMM interface
OvmfPkg: Add VariablePolicy engine to OvmfPkg platform
EmulatorPkg: Add VariablePolicy engine to EmulatorPkg platform
ArmVirtPkg: Add VariablePolicy engine to ArmVirtPkg platform
UefiPayloadPkg: Add VariablePolicy engine to UefiPayloadPkg platform
MdeModulePkg: Connect VariablePolicy business logic to
VariableServices
MdeModulePkg: Allow VariablePolicy state to delete protected variables
SecurityPkg: Allow VariablePolicy state to delete authenticated
variables
MdeModulePkg: Change TCG MOR variables to use VariablePolicy
MdeModulePkg: Drop VarLock from RuntimeDxe variable driver
MdeModulePkg: Add a shell-based functional test for VariablePolicy

MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c
| 320 +++

MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.c
| 396 ++++
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitNull.c
| 46 +

MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitRuntimeDx
e.c | 85 +
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c
| 816 +++++++

MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePo
licyUnitTest.c | 2440 ++++++++++++++++++++

MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/VariablePolicyFu
ncTestApp.c | 1978 ++++++++++++++++
MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c
| 52 +-
MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c
| 60 +-
MdeModulePkg/Universal/Variable/RuntimeDxe/VarCheck.c
| 49 +-
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
| 53 +

MdeModulePkg/Universal/Variable/RuntimeDxe/VariableLockRequstToLock
.c | 71 +
MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c
| 642 +++++

MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.
c | 14 +
SecurityPkg/Library/AuthVariableLib/AuthService.c |
22
+-
ArmVirtPkg/ArmVirt.dsc.inc | 4 +
EmulatorPkg/EmulatorPkg.dsc | 3 +
MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h
|
54 +
MdeModulePkg/Include/Library/VariablePolicyHelperLib.h
| 164 ++
MdeModulePkg/Include/Library/VariablePolicyLib.h |
207 ++
MdeModulePkg/Include/Protocol/VariablePolicy.h |
157 ++
MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf
| 42 +
MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni
| 12 +

MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.i
nf
| 35 +

MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.u
ni
| 12 +
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
| 44 +
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.uni
| 12 +

MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf
| 51 +

MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePo
licyUnitTest.inf | 40 +
MdeModulePkg/MdeModulePkg.ci.yaml | 4
+-
MdeModulePkg/MdeModulePkg.dec | 26 +-
MdeModulePkg/MdeModulePkg.dsc | 15 +
MdeModulePkg/MdeModulePkg.uni | 7 +
MdeModulePkg/Test/MdeModulePkgHostTest.dsc
|
11 +
MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/Readme.md
| 55 +

MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/VariablePolicyFu
ncTestApp.inf | 42 +
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
| 5 +
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf
| 4 +

MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.i
nf | 10 +

MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
| 4 +
OvmfPkg/OvmfPkgIa32.dsc | 5 +
OvmfPkg/OvmfPkgIa32X64.dsc | 5 +
OvmfPkg/OvmfPkgX64.dsc | 5 +
OvmfPkg/OvmfXen.dsc | 4 +
SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf |
2 +
UefiPayloadPkg/UefiPayloadPkgIa32.dsc | 4 +
UefiPayloadPkg/UefiPayloadPkgIa32X64.dsc | 4 +
47 files changed, 8015 insertions(+), 78 deletions(-) create mode
100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c
create mode 100644
MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.c
create mode 100644
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitNull.c
create mode 100644
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitRuntimeD
x
e.c
create mode 100644
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c
create mode 100644
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/Variable
Po
licyUnitTest.c
create mode 100644
MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/VariablePolicyFu
ncTestApp.c
create mode 100644
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableLockRequstToLock
.c
create mode 100644
MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c
create mode 100644 MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h
create mode 100644
MdeModulePkg/Include/Library/VariablePolicyHelperLib.h
create mode 100644 MdeModulePkg/Include/Library/VariablePolicyLib.h
create mode 100644 MdeModulePkg/Include/Protocol/VariablePolicy.h
create mode 100644
MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf
create mode 100644
MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni
create mode 100644
MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.i
nf
create mode 100644
MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.u
ni
create mode 100644
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
create mode 100644
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.uni
create mode 100644
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf
create mode 100644
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/Variable
Po
licyUnitTest.inf
create mode 100644
MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/Readme.md
create mode 100644
MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/VariablePolicyFu
ncTestApp.inf

--
2.26.2.windows.1.8.g01c50adf56.20200515075929




Re: [PATCH 2/3] MdeModulePkg/PartitionDxe: Remove the check for special MBR

Ni, Ray
 

I prefer to directly revert the patch. It simplifies the change history.

-----Original Message-----
From: Gao, Zhichao <zhichao.gao@...>
Sent: Tuesday, August 11, 2020 4:29 PM
To: devel@edk2.groups.io; Ni, Ray <ray.ni@...>
Cc: Wang, Jian J <jian.j.wang@...>; Wu, Hao A <hao.a.wu@...>;
Gary Lin <glin@...>; Andrew Fish <afish@...>
Subject: RE: [edk2-devel] [PATCH 2/3] MdeModulePkg/PartitionDxe: Remove
the check for special MBR

I also add some variables to calculate StartingLBA and SizeInLBA instead of
calculate them when they are needed.
I am fine to revert the whole changes. Just make you aware of this.

Thanks,
Zhichao

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Ni, Ray
Sent: Tuesday, August 11, 2020 4:06 PM
To: Gao, Zhichao <zhichao.gao@...>; devel@edk2.groups.io
Cc: Wang, Jian J <jian.j.wang@...>; Wu, Hao A <hao.a.wu@...>;
Gary Lin <glin@...>; Andrew Fish <afish@...>
Subject: Re: [edk2-devel] [PATCH 2/3] MdeModulePkg/PartitionDxe: Remove
the check for special MBR

Zhichao,
Can you please just revert the fix you recently added?

-----Original Message-----
From: Gao, Zhichao <zhichao.gao@...>
Sent: Tuesday, August 11, 2020 2:43 PM
To: devel@edk2.groups.io
Cc: Wang, Jian J <jian.j.wang@...>; Wu, Hao A
<hao.a.wu@...>; Ni, Ray <ray.ni@...>; Gary Lin
<glin@...>; Andrew Fish <afish@...>
Subject: [PATCH 2/3] MdeModulePkg/PartitionDxe: Remove the check for
special MBR

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2823

Follow the spec definition, the ISO 9660 (and UDF) would be checked
before the MBR. So it is not required to skip such MBR talbe that
contian the entire block device.

Cc: Jian J Wang <jian.j.wang@...>
Cc: Hao A Wu <hao.a.wu@...>
Cc: Ray Ni <ray.ni@...>
Cc: Gary Lin <glin@...>
Cc: Andrew Fish <afish@...>
Signed-off-by: Zhichao Gao <zhichao.gao@...>
---
.../Universal/Disk/PartitionDxe/Mbr.c | 19 -------------------
1 file changed, 19 deletions(-)

diff --git a/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c
b/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c
index 3830af1ea7..822bf03e92 100644
--- a/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c
+++ b/MdeModulePkg/Universal/Disk/PartitionDxe/Mbr.c
@@ -55,25 +55,6 @@ PartitionValidMbr (
StartingLBA = UNPACK_UINT32 (Mbr->Partition[Index1].StartingLBA);
SizeInLBA = UNPACK_UINT32 (Mbr->Partition[Index1].SizeInLBA);

- //
- // If the MBR with partition entry covering the ENTIRE disk, i.e. start at
LBA0
- // with whole disk size, we treat it as an invalid MBR partition.
- //
- if ((StartingLBA == 0) &&
- (SizeInLBA == (LastLba + 1))) {
- //
- // Refer to the
http://manpages.ubuntu.com/manpages/bionic/man8/mkudffs.8.html
- // "WHOLE DISK VS PARTITION"
- // Some linux ISOs may put the MBR table in the first 512 bytes for
compatibility reasons with Windows.
- // Linux kernel ignores MBR table if contains partition which starts at
sector 0.
- // Skip it because we don't have the partition check for UDF(El Torito
compatible).
- // It would continue to do the whole disk check in the UDF routine.
- //
- DEBUG ((DEBUG_INFO, "PartitionValidMbr: MBR table has partition
entry
covering the ENTIRE disk. Don't treat it as a
valid MBR.\n"));
-
- return FALSE;
- }
-
if (Mbr->Partition[Index1].OSIndicator == 0x00 || SizeInLBA == 0) {
continue;
}
--
2.21.0.windows.1


Re: [PATCH 1/3] MdeModulePkg/PartitionDxe: Put the UDF check ahead of MBR

Ni, Ray
 

This would also solve the issue that ISO image with MBR would be treat
as MBR device instead of CD/DVD. That would make the behavior of the
image boot different.
Can you please explain this in detail?
It's ok to not provide the "root" cause of why the image boot behavior is different.
Saying the specific issue can help people to understand the issue in future.

-----Original Message-----
From: Gao, Zhichao <zhichao.gao@...>
Sent: Tuesday, August 11, 2020 4:34 PM
To: Ni, Ray <ray.ni@...>; devel@edk2.groups.io
Cc: Wang, Jian J <jian.j.wang@...>; Wu, Hao A <hao.a.wu@...>;
Gary Lin <glin@...>; Andrew Fish <afish@...>
Subject: RE: [PATCH 1/3] MdeModulePkg/PartitionDxe: Put the UDF check
ahead of MBR

Ray,

The MBR info is correct. The order change is to avoid the MBR being checked
before UDF/ISO 9660 check.
That is why I make the patch #3 in the last of the patch set.

Thanks,
Zhichao

-----Original Message-----
From: Ni, Ray <ray.ni@...>
Sent: Tuesday, August 11, 2020 4:04 PM
To: Gao, Zhichao <zhichao.gao@...>; devel@edk2.groups.io
Cc: Wang, Jian J <jian.j.wang@...>; Wu, Hao A <hao.a.wu@...>;
Gary Lin <glin@...>; Andrew Fish <afish@...>
Subject: RE: [PATCH 1/3] MdeModulePkg/PartitionDxe: Put the UDF check
ahead
of MBR

Zhichao,
Can you also add notes in the commit message describing that for some ISOs
(better with more specific ISO info), the MBR information is not correct?

Thanks,
Ray


-----Original Message-----
From: Gao, Zhichao <zhichao.gao@...>
Sent: Tuesday, August 11, 2020 2:43 PM
To: devel@edk2.groups.io
Cc: Wang, Jian J <jian.j.wang@...>; Wu, Hao A
<hao.a.wu@...>; Ni, Ray <ray.ni@...>; Gary Lin
<glin@...>; Andrew Fish <afish@...>
Subject: [PATCH 1/3] MdeModulePkg/PartitionDxe: Put the UDF check
ahead of MBR

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2823

Refer to UEFI spec 2.8, Section 13.3.2, a block device should be
scanned as below order:
1. GPT
2. ISO 9660 (El Torito) (UDF should aslo be here) 3. MBR 4. no
partition found
Note: UDF is using the same boot method as CD, so put it in the same
priority with ISO 9660.

This would also solve the issue that ISO image with MBR would be treat
as MBR device instead of CD/DVD. That would make the behavior of the
image boot different.

Cc: Jian J Wang <jian.j.wang@...>
Cc: Hao A Wu <hao.a.wu@...>
Cc: Ray Ni <ray.ni@...>
Cc: Gary Lin <glin@...>
Cc: Andrew Fish <afish@...>
Signed-off-by: Zhichao Gao <zhichao.gao@...>
---
MdeModulePkg/Universal/Disk/PartitionDxe/Partition.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/MdeModulePkg/Universal/Disk/PartitionDxe/Partition.c
b/MdeModulePkg/Universal/Disk/PartitionDxe/Partition.c
index 6a43c3cafb..473e091320 100644
--- a/MdeModulePkg/Universal/Disk/PartitionDxe/Partition.c
+++ b/MdeModulePkg/Universal/Disk/PartitionDxe/Partition.c
@@ -35,11 +35,19 @@ EFI_DRIVER_BINDING_PROTOCOL
gPartitionDriverBinding = {

//
// Prioritized function list to detect partition table.
+// Refer to UEFI Spec 13.3.2 Partition Discovery, the block device //
+should be scanned in below order:
+// 1. GPT
+// 2. ISO 9660 (El Torito) (or UDF)
+// 3. MBR
+// 4. no partiton found
+// Note: UDF is using a same method as booting from CD-ROM, so put it
along
+// with CD-ROM check.
//
PARTITION_DETECT_ROUTINE mPartitionDetectRoutineTable[] = {
PartitionInstallGptChildHandles,
- PartitionInstallMbrChildHandles,
PartitionInstallUdfChildHandles,
+ PartitionInstallMbrChildHandles,
NULL
};

--
2.21.0.windows.1


Re: acpiview error handling patches

Sami Mujawar
 

Hi Zhichao,

Some patches in this series need reworking.

Example - For '[PATCH v3 1/8] ShellPkg/AcpiView: Extract configuration struct' & '[PATCH v3 2/8] ShellPkg/AcpiView: Declutter error counters'
I feel accessor methods offer a better design and should be retained.

Other patches in the series need a bit of rework to follow coding conventions etc.

This patch series has too many changes to the parsers. I request to put this patch series on hold as we have other patches that need to go in on priority. e.g. loop detection in PPTT table.

Since Tomas is no longer with Arm, someone from Arm will pick up repost the reworked series.

Regards,

Sami Mujawar

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Gao, Zhichao via groups.io
Sent: 31 July 2020 01:43 AM
To: devel@edk2.groups.io; tomas@...
Subject: Re: [edk2-devel] acpiview error handling patches

I am busy at other works recent weeks. I plan to review the patch in next two weeks. Hope it is acceptable for you.

Thanks,
Zhichao

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Tomas
Pilar
(tpilar)
Sent: Wednesday, July 29, 2020 7:23 PM
To: Gao; Gao, Zhichao <zhichao.gao@...>; devel@edk2.groups.io
Subject: Re: [edk2-devel] acpiview error handling patches

(change of email)

Hi Zhichao,

I've amended the patches and respun a v3 version. Any chance you could
have a look to see if I've fixed the issues correctly?

Cheers,
Tom




IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.


Re: [edk2-platform][PATCH v1 0/7] Platform/RaspberryPi : SMBIOS fixes and cleanup

Samer El-Haj-Mahmoud
 

Reminder for review of this series

Thanks,
--Samer

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Samer
El-Haj-Mahmoud via groups.io
Sent: Monday, July 20, 2020 2:17 PM
To: devel@edk2.groups.io
Cc: Leif Lindholm <leif@...>; Pete Batard <pete@...>; Andrei
Warkentin (awarkentin@...) <awarkentin@...>; Ard
Biesheuvel <Ard.Biesheuvel@...>
Subject: [edk2-devel] [edk2-platform][PATCH v1 0/7] Platform/RaspberryPi :
SMBIOS fixes and cleanup

Fixes and enhancements to RaspberryPi SMBIOS Types 0, 2, 3, 4, 7, 16, 17,
and 19.
These were compared against SMBIOS spec ver 3.3, and SBBR ver 1.2, and
tested in UEFI Shell with smbiosview.

One issue found in smbiosview (for Type 17, "VolatileSize") and will be fixed
as a seperate patch.

This series addresses :
- Most items in https://github.com/pftf/RPi4/issues/16
- One of the issues in https://github.com/pftf/RPi4/issues/75

Series pushed to:
https://github.com/samerhaj/edk2-platforms/tree/rpi_smbios_fixes_v1

Cc: Leif Lindholm <leif@...>
Cc: Pete Batard <pete@...>
Cc: Andrei Warkentin <awarkentin@...>
Cc: Ard Biesheuvel <ard.biesheuvel@...>
Signed-off-by: Samer El-Haj-Mahmoud <samer.el-haj-mahmoud@...>

Samer El-Haj-Mahmoud (7):
Platforms/RaspberryPi: Fix NULL AssetTag in SMBIOS
Platforms/RaspberryPi: SMBIOS Type 2 and Type 3 fixes
Platforms/RaspberryPi: SMBIOS Type 0 fixes
Platforms/RaspberryPi: SMBIOS Type 4 fixes
Platforms/RaspberryPi: SMBIOS Type 7 fixes
Platforms/RaspberryPi: SMBIOS Memory Types fixes
Platforms/RaspberryPi: SMBIOS minor cleanup

.../PlatformSmbiosDxe/PlatformSmbiosDxe.inf | 7 +-
.../PlatformSmbiosDxe/PlatformSmbiosDxe.c | 457 ++++++++++++------
2 files changed, 320 insertions(+), 144 deletions(-)

--
2.17.1


IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.


Re: [edk2-platform][PATCH v1 1/1] Platforms/RaspberryPi: Fix RPi4 GICC PMU PPI

Samer El-Haj-Mahmoud
 

Thanks Pete.

Ard, Leif,

If there are no concerns, can you please push this patch, along with the other series that are reviews:

https://edk2.groups.io/g/devel/message/63042
https://edk2.groups.io/g/devel/message/62790

Thanks,
--Samer

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Pete
Batard via groups.io
Sent: Monday, August 3, 2020 1:12 PM
To: devel@edk2.groups.io; Samer El-Haj-Mahmoud <Samer.El-Haj-
Mahmoud@...>
Cc: Leif Lindholm <leif@...>; Andrei Warkentin
(awarkentin@...) <awarkentin@...>; Ard Biesheuvel
<Ard.Biesheuvel@...>
Subject: Re: [edk2-devel] [edk2-platform][PATCH v1 1/1]
Platforms/RaspberryPi: Fix RPi4 GICC PMU PPI

Adding a tested-by, since these are values that could potentially trip the
custom handling that Windows seems to have of MADT, and I hadn't tested
that yet.

Testing shows that Windows is happy with these new values, so with this:

On 2020.07.31 08:55, Pete Batard via groups.io wrote:
On 2020.07.28 22:00, Samer El-Haj-Mahmoud wrote:
Arm SBSA specification section ver 6.0, 4.1.5 defines specific PPI
values for certain standard interrupt IDs. The value for "Performance
Monitors Interrupt" needs to be 23.

REF: https://developer.arm.com/documentation/den0029/latest

This partially fixes SBSA test #11 ("Incorrect PPI value") reported
in
https://github.com/pftf/RPi4/issues/74

Cc: Leif Lindholm <leif@...>
Cc: Pete Batard <pete@...>
Cc: Andrei Warkentin <awarkentin@...>
Cc: Ard Biesheuvel <ard.biesheuvel@...>
Signed-off-by: Samer El-Haj-Mahmoud <samer.el-haj-
mahmoud@...>
---
Platform/RaspberryPi/RPi4/RPi4.dsc | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/Platform/RaspberryPi/RPi4/RPi4.dsc
b/Platform/RaspberryPi/RPi4/RPi4.dsc
index c481c3534263..00683afe96b9 100644
--- a/Platform/RaspberryPi/RPi4/RPi4.dsc
+++ b/Platform/RaspberryPi/RPi4/RPi4.dsc
@@ -433,10 +433,10 @@ [PcdsFixedAtBuild.common]

gRaspberryPiTokenSpaceGuid.PcdGicInterruptInterfaceHBase|0xFF844000

gRaspberryPiTokenSpaceGuid.PcdGicInterruptInterfaceVBase|0xFF846000
gRaspberryPiTokenSpaceGuid.PcdGicGsivId|0x19
- gRaspberryPiTokenSpaceGuid.PcdGicPmuIrq0|0x30
- gRaspberryPiTokenSpaceGuid.PcdGicPmuIrq1|0x31
- gRaspberryPiTokenSpaceGuid.PcdGicPmuIrq2|0x32
- gRaspberryPiTokenSpaceGuid.PcdGicPmuIrq3|0x33
+ gRaspberryPiTokenSpaceGuid.PcdGicPmuIrq0|23
+ gRaspberryPiTokenSpaceGuid.PcdGicPmuIrq1|23
+ gRaspberryPiTokenSpaceGuid.PcdGicPmuIrq2|23
+ gRaspberryPiTokenSpaceGuid.PcdGicPmuIrq3|23
#
# Fixed CPU settings.
Reviewed-by: Pete Batard <pete@...>
Tested-by: Pete Batard <pete@...>




IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.


Re: [PATCH v2 1/2] CryptoPkg/OpensslLib: Add native instruction support for X64

Guomin Jiang
 

It is slight complex, I will review it by 9/11/2020.

Thanks.

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Zurcher,
Christopher J
Sent: Tuesday, August 4, 2020 8:24 AM
To: devel@edk2.groups.io
Cc: Yao, Jiewen <jiewen.yao@...>; Wang, Jian J
<jian.j.wang@...>; Lu, XiaoyuX <xiaoyux.lu@...>; Ard
Biesheuvel <ard.biesheuvel@...>
Subject: [edk2-devel] [PATCH v2 1/2] CryptoPkg/OpensslLib: Add native
instruction support for X64

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2507

Adding OpensslLibX64.inf and modifying process_files.pl to process this file
and generate the necessary assembly files.
ApiHooks.c contains a stub function for a Windows API call.
uefi-asm.conf contains the limited assembly configurations for OpenSSL.

Cc: Jiewen Yao <jiewen.yao@...>
Cc: Jian J Wang <jian.j.wang@...>
Cc: Xiaoyu Lu <xiaoyux.lu@...>
Cc: Ard Biesheuvel <ard.biesheuvel@...>
Signed-off-by: Christopher J Zurcher <christopher.j.zurcher@...>
---
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 2 +-
CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf | 2 +-
CryptoPkg/Library/OpensslLib/OpensslLibX64.inf | 656
++++++++++++++++++++
CryptoPkg/Library/Include/openssl/opensslconf.h | 3 -
CryptoPkg/Library/OpensslLib/ApiHooks.c | 18 +
CryptoPkg/Library/OpensslLib/OpensslLibConstructor.c | 34 +
CryptoPkg/Library/OpensslLib/process_files.pl | 223 +++++--
CryptoPkg/Library/OpensslLib/uefi-asm.conf | 15 +
8 files changed, 903 insertions(+), 50 deletions(-)

diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index dbbe5386a1..bd62d86936 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -16,7 +16,7 @@
VERSION_STRING = 1.0 LIBRARY_CLASS = OpensslLib
DEFINE OPENSSL_PATH = openssl- DEFINE OPENSSL_FLAGS = -
DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -
D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE+
DEFINE OPENSSL_FLAGS = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT
-D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -
DOPENSSL_NO_ASM # # VALID_ARCHITECTURES = IA32 X64 ARM
AARCH64diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index 616ccd9f62..2b7324a990 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -16,7 +16,7 @@
VERSION_STRING = 1.0 LIBRARY_CLASS = OpensslLib
DEFINE OPENSSL_PATH = openssl- DEFINE OPENSSL_FLAGS = -
DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -
D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE+
DEFINE OPENSSL_FLAGS = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT
-D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -
DOPENSSL_NO_ASM # # VALID_ARCHITECTURES = IA32 X64 ARM
AARCH64diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibX64.inf
b/CryptoPkg/Library/OpensslLib/OpensslLibX64.inf
new file mode 100644
index 0000000000..825eea0254
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibX64.inf
@@ -0,0 +1,656 @@
+## @file+# This module provides OpenSSL Library implementation.+#+#
Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>+# (C)
Copyright 2020 Hewlett Packard Enterprise Development LP<BR>+# SPDX-
License-Identifier: BSD-2-Clause-Patent+#+##++[Defines]+ INF_VERSION
= 0x00010005+ BASE_NAME = OpensslLibX64+
MODULE_UNI_FILE = OpensslLib.uni+ FILE_GUID =
18125E50-0117-4DD0-BE54-4784AD995FEF+ MODULE_TYPE = BASE+
VERSION_STRING = 1.0+ LIBRARY_CLASS = OpensslLib+
DEFINE OPENSSL_PATH = openssl+ DEFINE OPENSSL_FLAGS = -
DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -
D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE+
DEFINE OPENSSL_FLAGS_CONFIG = -DOPENSSL_CPUID_OBJ -DSHA1_ASM -
DSHA256_ASM -DSHA512_ASM -DAESNI_ASM -DVPAES_ASM -
DGHASH_ASM+ CONSTRUCTOR = OpensslLibConstructor++#+#
VALID_ARCHITECTURES = X64+#++[Sources]+ OpensslLibConstructor.c+
$(OPENSSL_PATH)/e_os.h+ $(OPENSSL_PATH)/ms/uplink.h+#
Autogenerated files list starts here+ X64/crypto/aes/aesni-mb-
x86_64.nasm+ X64/crypto/aes/aesni-sha1-x86_64.nasm+
X64/crypto/aes/aesni-sha256-x86_64.nasm+ X64/crypto/aes/aesni-
x86_64.nasm+ X64/crypto/aes/vpaes-x86_64.nasm+
X64/crypto/modes/ghash-x86_64.nasm+ X64/crypto/sha/sha1-mb-
x86_64.nasm+ X64/crypto/sha/sha1-x86_64.nasm+ X64/crypto/sha/sha256-
mb-x86_64.nasm+ X64/crypto/sha/sha256-x86_64.nasm+
X64/crypto/sha/sha512-x86_64.nasm+ X64/crypto/x86_64cpuid.nasm+
$(OPENSSL_PATH)/crypto/aes/aes_cbc.c+
$(OPENSSL_PATH)/crypto/aes/aes_cfb.c+
$(OPENSSL_PATH)/crypto/aes/aes_core.c+
$(OPENSSL_PATH)/crypto/aes/aes_ige.c+
$(OPENSSL_PATH)/crypto/aes/aes_misc.c+
$(OPENSSL_PATH)/crypto/aes/aes_ofb.c+
$(OPENSSL_PATH)/crypto/aes/aes_wrap.c+
$(OPENSSL_PATH)/crypto/aria/aria.c+
$(OPENSSL_PATH)/crypto/asn1/a_bitstr.c+
$(OPENSSL_PATH)/crypto/asn1/a_d2i_fp.c+
$(OPENSSL_PATH)/crypto/asn1/a_digest.c+
$(OPENSSL_PATH)/crypto/asn1/a_dup.c+
$(OPENSSL_PATH)/crypto/asn1/a_gentm.c+
$(OPENSSL_PATH)/crypto/asn1/a_i2d_fp.c+
$(OPENSSL_PATH)/crypto/asn1/a_int.c+
$(OPENSSL_PATH)/crypto/asn1/a_mbstr.c+
$(OPENSSL_PATH)/crypto/asn1/a_object.c+
$(OPENSSL_PATH)/crypto/asn1/a_octet.c+
$(OPENSSL_PATH)/crypto/asn1/a_print.c+
$(OPENSSL_PATH)/crypto/asn1/a_sign.c+
$(OPENSSL_PATH)/crypto/asn1/a_strex.c+
$(OPENSSL_PATH)/crypto/asn1/a_strnid.c+
$(OPENSSL_PATH)/crypto/asn1/a_time.c+
$(OPENSSL_PATH)/crypto/asn1/a_type.c+
$(OPENSSL_PATH)/crypto/asn1/a_utctm.c+
$(OPENSSL_PATH)/crypto/asn1/a_utf8.c+
$(OPENSSL_PATH)/crypto/asn1/a_verify.c+
$(OPENSSL_PATH)/crypto/asn1/ameth_lib.c+
$(OPENSSL_PATH)/crypto/asn1/asn1_err.c+
$(OPENSSL_PATH)/crypto/asn1/asn1_gen.c+
$(OPENSSL_PATH)/crypto/asn1/asn1_item_list.c+
$(OPENSSL_PATH)/crypto/asn1/asn1_lib.c+
$(OPENSSL_PATH)/crypto/asn1/asn1_par.c+
$(OPENSSL_PATH)/crypto/asn1/asn_mime.c+
$(OPENSSL_PATH)/crypto/asn1/asn_moid.c+
$(OPENSSL_PATH)/crypto/asn1/asn_mstbl.c+
$(OPENSSL_PATH)/crypto/asn1/asn_pack.c+
$(OPENSSL_PATH)/crypto/asn1/bio_asn1.c+
$(OPENSSL_PATH)/crypto/asn1/bio_ndef.c+
$(OPENSSL_PATH)/crypto/asn1/d2i_pr.c+
$(OPENSSL_PATH)/crypto/asn1/d2i_pu.c+
$(OPENSSL_PATH)/crypto/asn1/evp_asn1.c+
$(OPENSSL_PATH)/crypto/asn1/f_int.c+
$(OPENSSL_PATH)/crypto/asn1/f_string.c+
$(OPENSSL_PATH)/crypto/asn1/i2d_pr.c+
$(OPENSSL_PATH)/crypto/asn1/i2d_pu.c+
$(OPENSSL_PATH)/crypto/asn1/n_pkey.c+
$(OPENSSL_PATH)/crypto/asn1/nsseq.c+
$(OPENSSL_PATH)/crypto/asn1/p5_pbe.c+
$(OPENSSL_PATH)/crypto/asn1/p5_pbev2.c+
$(OPENSSL_PATH)/crypto/asn1/p5_scrypt.c+
$(OPENSSL_PATH)/crypto/asn1/p8_pkey.c+
$(OPENSSL_PATH)/crypto/asn1/t_bitst.c+
$(OPENSSL_PATH)/crypto/asn1/t_pkey.c+
$(OPENSSL_PATH)/crypto/asn1/t_spki.c+
$(OPENSSL_PATH)/crypto/asn1/tasn_dec.c+
$(OPENSSL_PATH)/crypto/asn1/tasn_enc.c+
$(OPENSSL_PATH)/crypto/asn1/tasn_fre.c+
$(OPENSSL_PATH)/crypto/asn1/tasn_new.c+
$(OPENSSL_PATH)/crypto/asn1/tasn_prn.c+
$(OPENSSL_PATH)/crypto/asn1/tasn_scn.c+
$(OPENSSL_PATH)/crypto/asn1/tasn_typ.c+
$(OPENSSL_PATH)/crypto/asn1/tasn_utl.c+
$(OPENSSL_PATH)/crypto/asn1/x_algor.c+
$(OPENSSL_PATH)/crypto/asn1/x_bignum.c+
$(OPENSSL_PATH)/crypto/asn1/x_info.c+
$(OPENSSL_PATH)/crypto/asn1/x_int64.c+
$(OPENSSL_PATH)/crypto/asn1/x_long.c+
$(OPENSSL_PATH)/crypto/asn1/x_pkey.c+
$(OPENSSL_PATH)/crypto/asn1/x_sig.c+
$(OPENSSL_PATH)/crypto/asn1/x_spki.c+
$(OPENSSL_PATH)/crypto/asn1/x_val.c+
$(OPENSSL_PATH)/crypto/async/arch/async_null.c+
$(OPENSSL_PATH)/crypto/async/arch/async_posix.c+
$(OPENSSL_PATH)/crypto/async/arch/async_win.c+
$(OPENSSL_PATH)/crypto/async/async.c+
$(OPENSSL_PATH)/crypto/async/async_err.c+
$(OPENSSL_PATH)/crypto/async/async_wait.c+
$(OPENSSL_PATH)/crypto/bio/b_addr.c+
$(OPENSSL_PATH)/crypto/bio/b_dump.c+
$(OPENSSL_PATH)/crypto/bio/b_sock.c+
$(OPENSSL_PATH)/crypto/bio/b_sock2.c+
$(OPENSSL_PATH)/crypto/bio/bf_buff.c+
$(OPENSSL_PATH)/crypto/bio/bf_lbuf.c+
$(OPENSSL_PATH)/crypto/bio/bf_nbio.c+
$(OPENSSL_PATH)/crypto/bio/bf_null.c+
$(OPENSSL_PATH)/crypto/bio/bio_cb.c+
$(OPENSSL_PATH)/crypto/bio/bio_err.c+
$(OPENSSL_PATH)/crypto/bio/bio_lib.c+
$(OPENSSL_PATH)/crypto/bio/bio_meth.c+
$(OPENSSL_PATH)/crypto/bio/bss_acpt.c+
$(OPENSSL_PATH)/crypto/bio/bss_bio.c+
$(OPENSSL_PATH)/crypto/bio/bss_conn.c+
$(OPENSSL_PATH)/crypto/bio/bss_dgram.c+
$(OPENSSL_PATH)/crypto/bio/bss_fd.c+
$(OPENSSL_PATH)/crypto/bio/bss_file.c+
$(OPENSSL_PATH)/crypto/bio/bss_log.c+
$(OPENSSL_PATH)/crypto/bio/bss_mem.c+
$(OPENSSL_PATH)/crypto/bio/bss_null.c+
$(OPENSSL_PATH)/crypto/bio/bss_sock.c+
$(OPENSSL_PATH)/crypto/bn/bn_add.c+
$(OPENSSL_PATH)/crypto/bn/bn_asm.c+
$(OPENSSL_PATH)/crypto/bn/bn_blind.c+
$(OPENSSL_PATH)/crypto/bn/bn_const.c+
$(OPENSSL_PATH)/crypto/bn/bn_ctx.c+
$(OPENSSL_PATH)/crypto/bn/bn_depr.c+
$(OPENSSL_PATH)/crypto/bn/bn_dh.c+
$(OPENSSL_PATH)/crypto/bn/bn_div.c+
$(OPENSSL_PATH)/crypto/bn/bn_err.c+
$(OPENSSL_PATH)/crypto/bn/bn_exp.c+
$(OPENSSL_PATH)/crypto/bn/bn_exp2.c+
$(OPENSSL_PATH)/crypto/bn/bn_gcd.c+
$(OPENSSL_PATH)/crypto/bn/bn_gf2m.c+
$(OPENSSL_PATH)/crypto/bn/bn_intern.c+
$(OPENSSL_PATH)/crypto/bn/bn_kron.c+
$(OPENSSL_PATH)/crypto/bn/bn_lib.c+
$(OPENSSL_PATH)/crypto/bn/bn_mod.c+
$(OPENSSL_PATH)/crypto/bn/bn_mont.c+
$(OPENSSL_PATH)/crypto/bn/bn_mpi.c+
$(OPENSSL_PATH)/crypto/bn/bn_mul.c+
$(OPENSSL_PATH)/crypto/bn/bn_nist.c+
$(OPENSSL_PATH)/crypto/bn/bn_prime.c+
$(OPENSSL_PATH)/crypto/bn/bn_print.c+
$(OPENSSL_PATH)/crypto/bn/bn_rand.c+
$(OPENSSL_PATH)/crypto/bn/bn_recp.c+
$(OPENSSL_PATH)/crypto/bn/bn_shift.c+
$(OPENSSL_PATH)/crypto/bn/bn_sqr.c+
$(OPENSSL_PATH)/crypto/bn/bn_sqrt.c+
$(OPENSSL_PATH)/crypto/bn/bn_srp.c+
$(OPENSSL_PATH)/crypto/bn/bn_word.c+
$(OPENSSL_PATH)/crypto/bn/bn_x931p.c+
$(OPENSSL_PATH)/crypto/buffer/buf_err.c+
$(OPENSSL_PATH)/crypto/buffer/buffer.c+
$(OPENSSL_PATH)/crypto/cmac/cm_ameth.c+
$(OPENSSL_PATH)/crypto/cmac/cm_pmeth.c+
$(OPENSSL_PATH)/crypto/cmac/cmac.c+
$(OPENSSL_PATH)/crypto/comp/c_zlib.c+
$(OPENSSL_PATH)/crypto/comp/comp_err.c+
$(OPENSSL_PATH)/crypto/comp/comp_lib.c+
$(OPENSSL_PATH)/crypto/conf/conf_api.c+
$(OPENSSL_PATH)/crypto/conf/conf_def.c+
$(OPENSSL_PATH)/crypto/conf/conf_err.c+
$(OPENSSL_PATH)/crypto/conf/conf_lib.c+
$(OPENSSL_PATH)/crypto/conf/conf_mall.c+
$(OPENSSL_PATH)/crypto/conf/conf_mod.c+
$(OPENSSL_PATH)/crypto/conf/conf_sap.c+
$(OPENSSL_PATH)/crypto/conf/conf_ssl.c+
$(OPENSSL_PATH)/crypto/cpt_err.c+ $(OPENSSL_PATH)/crypto/cryptlib.c+
$(OPENSSL_PATH)/crypto/ctype.c+ $(OPENSSL_PATH)/crypto/cversion.c+
$(OPENSSL_PATH)/crypto/dh/dh_ameth.c+
$(OPENSSL_PATH)/crypto/dh/dh_asn1.c+
$(OPENSSL_PATH)/crypto/dh/dh_check.c+
$(OPENSSL_PATH)/crypto/dh/dh_depr.c+
$(OPENSSL_PATH)/crypto/dh/dh_err.c+
$(OPENSSL_PATH)/crypto/dh/dh_gen.c+
$(OPENSSL_PATH)/crypto/dh/dh_kdf.c+
$(OPENSSL_PATH)/crypto/dh/dh_key.c+
$(OPENSSL_PATH)/crypto/dh/dh_lib.c+
$(OPENSSL_PATH)/crypto/dh/dh_meth.c+
$(OPENSSL_PATH)/crypto/dh/dh_pmeth.c+
$(OPENSSL_PATH)/crypto/dh/dh_prn.c+
$(OPENSSL_PATH)/crypto/dh/dh_rfc5114.c+
$(OPENSSL_PATH)/crypto/dh/dh_rfc7919.c+
$(OPENSSL_PATH)/crypto/dso/dso_dl.c+
$(OPENSSL_PATH)/crypto/dso/dso_dlfcn.c+
$(OPENSSL_PATH)/crypto/dso/dso_err.c+
$(OPENSSL_PATH)/crypto/dso/dso_lib.c+
$(OPENSSL_PATH)/crypto/dso/dso_openssl.c+
$(OPENSSL_PATH)/crypto/dso/dso_vms.c+
$(OPENSSL_PATH)/crypto/dso/dso_win32.c+
$(OPENSSL_PATH)/crypto/ebcdic.c+ $(OPENSSL_PATH)/crypto/err/err.c+
$(OPENSSL_PATH)/crypto/err/err_prn.c+
$(OPENSSL_PATH)/crypto/evp/bio_b64.c+
$(OPENSSL_PATH)/crypto/evp/bio_enc.c+
$(OPENSSL_PATH)/crypto/evp/bio_md.c+
$(OPENSSL_PATH)/crypto/evp/bio_ok.c+
$(OPENSSL_PATH)/crypto/evp/c_allc.c+
$(OPENSSL_PATH)/crypto/evp/c_alld.c+
$(OPENSSL_PATH)/crypto/evp/cmeth_lib.c+
$(OPENSSL_PATH)/crypto/evp/digest.c+
$(OPENSSL_PATH)/crypto/evp/e_aes.c+
$(OPENSSL_PATH)/crypto/evp/e_aes_cbc_hmac_sha1.c+
$(OPENSSL_PATH)/crypto/evp/e_aes_cbc_hmac_sha256.c+
$(OPENSSL_PATH)/crypto/evp/e_aria.c+
$(OPENSSL_PATH)/crypto/evp/e_bf.c+
$(OPENSSL_PATH)/crypto/evp/e_camellia.c+
$(OPENSSL_PATH)/crypto/evp/e_cast.c+
$(OPENSSL_PATH)/crypto/evp/e_chacha20_poly1305.c+
$(OPENSSL_PATH)/crypto/evp/e_des.c+
$(OPENSSL_PATH)/crypto/evp/e_des3.c+
$(OPENSSL_PATH)/crypto/evp/e_idea.c+
$(OPENSSL_PATH)/crypto/evp/e_null.c+
$(OPENSSL_PATH)/crypto/evp/e_old.c+
$(OPENSSL_PATH)/crypto/evp/e_rc2.c+
$(OPENSSL_PATH)/crypto/evp/e_rc4.c+
$(OPENSSL_PATH)/crypto/evp/e_rc4_hmac_md5.c+
$(OPENSSL_PATH)/crypto/evp/e_rc5.c+
$(OPENSSL_PATH)/crypto/evp/e_seed.c+
$(OPENSSL_PATH)/crypto/evp/e_sm4.c+
$(OPENSSL_PATH)/crypto/evp/e_xcbc_d.c+
$(OPENSSL_PATH)/crypto/evp/encode.c+
$(OPENSSL_PATH)/crypto/evp/evp_cnf.c+
$(OPENSSL_PATH)/crypto/evp/evp_enc.c+
$(OPENSSL_PATH)/crypto/evp/evp_err.c+
$(OPENSSL_PATH)/crypto/evp/evp_key.c+
$(OPENSSL_PATH)/crypto/evp/evp_lib.c+
$(OPENSSL_PATH)/crypto/evp/evp_pbe.c+
$(OPENSSL_PATH)/crypto/evp/evp_pkey.c+
$(OPENSSL_PATH)/crypto/evp/m_md2.c+
$(OPENSSL_PATH)/crypto/evp/m_md4.c+
$(OPENSSL_PATH)/crypto/evp/m_md5.c+
$(OPENSSL_PATH)/crypto/evp/m_md5_sha1.c+
$(OPENSSL_PATH)/crypto/evp/m_mdc2.c+
$(OPENSSL_PATH)/crypto/evp/m_null.c+
$(OPENSSL_PATH)/crypto/evp/m_ripemd.c+
$(OPENSSL_PATH)/crypto/evp/m_sha1.c+
$(OPENSSL_PATH)/crypto/evp/m_sha3.c+
$(OPENSSL_PATH)/crypto/evp/m_sigver.c+
$(OPENSSL_PATH)/crypto/evp/m_wp.c+
$(OPENSSL_PATH)/crypto/evp/names.c+
$(OPENSSL_PATH)/crypto/evp/p5_crpt.c+
$(OPENSSL_PATH)/crypto/evp/p5_crpt2.c+
$(OPENSSL_PATH)/crypto/evp/p_dec.c+
$(OPENSSL_PATH)/crypto/evp/p_enc.c+
$(OPENSSL_PATH)/crypto/evp/p_lib.c+
$(OPENSSL_PATH)/crypto/evp/p_open.c+
$(OPENSSL_PATH)/crypto/evp/p_seal.c+
$(OPENSSL_PATH)/crypto/evp/p_sign.c+
$(OPENSSL_PATH)/crypto/evp/p_verify.c+
$(OPENSSL_PATH)/crypto/evp/pbe_scrypt.c+
$(OPENSSL_PATH)/crypto/evp/pmeth_fn.c+
$(OPENSSL_PATH)/crypto/evp/pmeth_gn.c+
$(OPENSSL_PATH)/crypto/evp/pmeth_lib.c+
$(OPENSSL_PATH)/crypto/ex_data.c+ $(OPENSSL_PATH)/crypto/getenv.c+
$(OPENSSL_PATH)/crypto/hmac/hm_ameth.c+
$(OPENSSL_PATH)/crypto/hmac/hm_pmeth.c+
$(OPENSSL_PATH)/crypto/hmac/hmac.c+ $(OPENSSL_PATH)/crypto/init.c+
$(OPENSSL_PATH)/crypto/kdf/hkdf.c+
$(OPENSSL_PATH)/crypto/kdf/kdf_err.c+
$(OPENSSL_PATH)/crypto/kdf/scrypt.c+
$(OPENSSL_PATH)/crypto/kdf/tls1_prf.c+
$(OPENSSL_PATH)/crypto/lhash/lh_stats.c+
$(OPENSSL_PATH)/crypto/lhash/lhash.c+
$(OPENSSL_PATH)/crypto/md5/md5_dgst.c+
$(OPENSSL_PATH)/crypto/md5/md5_one.c+
$(OPENSSL_PATH)/crypto/mem.c+ $(OPENSSL_PATH)/crypto/mem_dbg.c+
$(OPENSSL_PATH)/crypto/mem_sec.c+
$(OPENSSL_PATH)/crypto/modes/cbc128.c+
$(OPENSSL_PATH)/crypto/modes/ccm128.c+
$(OPENSSL_PATH)/crypto/modes/cfb128.c+
$(OPENSSL_PATH)/crypto/modes/ctr128.c+
$(OPENSSL_PATH)/crypto/modes/cts128.c+
$(OPENSSL_PATH)/crypto/modes/gcm128.c+
$(OPENSSL_PATH)/crypto/modes/ocb128.c+
$(OPENSSL_PATH)/crypto/modes/ofb128.c+
$(OPENSSL_PATH)/crypto/modes/wrap128.c+
$(OPENSSL_PATH)/crypto/modes/xts128.c+
$(OPENSSL_PATH)/crypto/o_dir.c+ $(OPENSSL_PATH)/crypto/o_fips.c+
$(OPENSSL_PATH)/crypto/o_fopen.c+ $(OPENSSL_PATH)/crypto/o_init.c+
$(OPENSSL_PATH)/crypto/o_str.c+ $(OPENSSL_PATH)/crypto/o_time.c+
$(OPENSSL_PATH)/crypto/objects/o_names.c+
$(OPENSSL_PATH)/crypto/objects/obj_dat.c+
$(OPENSSL_PATH)/crypto/objects/obj_err.c+
$(OPENSSL_PATH)/crypto/objects/obj_lib.c+
$(OPENSSL_PATH)/crypto/objects/obj_xref.c+
$(OPENSSL_PATH)/crypto/ocsp/ocsp_asn.c+
$(OPENSSL_PATH)/crypto/ocsp/ocsp_cl.c+
$(OPENSSL_PATH)/crypto/ocsp/ocsp_err.c+
$(OPENSSL_PATH)/crypto/ocsp/ocsp_ext.c+
$(OPENSSL_PATH)/crypto/ocsp/ocsp_ht.c+
$(OPENSSL_PATH)/crypto/ocsp/ocsp_lib.c+
$(OPENSSL_PATH)/crypto/ocsp/ocsp_prn.c+
$(OPENSSL_PATH)/crypto/ocsp/ocsp_srv.c+
$(OPENSSL_PATH)/crypto/ocsp/ocsp_vfy.c+
$(OPENSSL_PATH)/crypto/ocsp/v3_ocsp.c+
$(OPENSSL_PATH)/crypto/pem/pem_all.c+
$(OPENSSL_PATH)/crypto/pem/pem_err.c+
$(OPENSSL_PATH)/crypto/pem/pem_info.c+
$(OPENSSL_PATH)/crypto/pem/pem_lib.c+
$(OPENSSL_PATH)/crypto/pem/pem_oth.c+
$(OPENSSL_PATH)/crypto/pem/pem_pk8.c+
$(OPENSSL_PATH)/crypto/pem/pem_pkey.c+
$(OPENSSL_PATH)/crypto/pem/pem_sign.c+
$(OPENSSL_PATH)/crypto/pem/pem_x509.c+
$(OPENSSL_PATH)/crypto/pem/pem_xaux.c+
$(OPENSSL_PATH)/crypto/pem/pvkfmt.c+
$(OPENSSL_PATH)/crypto/pkcs12/p12_add.c+
$(OPENSSL_PATH)/crypto/pkcs12/p12_asn.c+
$(OPENSSL_PATH)/crypto/pkcs12/p12_attr.c+
$(OPENSSL_PATH)/crypto/pkcs12/p12_crpt.c+
$(OPENSSL_PATH)/crypto/pkcs12/p12_crt.c+
$(OPENSSL_PATH)/crypto/pkcs12/p12_decr.c+
$(OPENSSL_PATH)/crypto/pkcs12/p12_init.c+
$(OPENSSL_PATH)/crypto/pkcs12/p12_key.c+
$(OPENSSL_PATH)/crypto/pkcs12/p12_kiss.c+
$(OPENSSL_PATH)/crypto/pkcs12/p12_mutl.c+
$(OPENSSL_PATH)/crypto/pkcs12/p12_npas.c+
$(OPENSSL_PATH)/crypto/pkcs12/p12_p8d.c+
$(OPENSSL_PATH)/crypto/pkcs12/p12_p8e.c+
$(OPENSSL_PATH)/crypto/pkcs12/p12_sbag.c+
$(OPENSSL_PATH)/crypto/pkcs12/p12_utl.c+
$(OPENSSL_PATH)/crypto/pkcs12/pk12err.c+
$(OPENSSL_PATH)/crypto/pkcs7/bio_pk7.c+
$(OPENSSL_PATH)/crypto/pkcs7/pk7_asn1.c+
$(OPENSSL_PATH)/crypto/pkcs7/pk7_attr.c+
$(OPENSSL_PATH)/crypto/pkcs7/pk7_doit.c+
$(OPENSSL_PATH)/crypto/pkcs7/pk7_lib.c+
$(OPENSSL_PATH)/crypto/pkcs7/pk7_mime.c+
$(OPENSSL_PATH)/crypto/pkcs7/pk7_smime.c+
$(OPENSSL_PATH)/crypto/pkcs7/pkcs7err.c+
$(OPENSSL_PATH)/crypto/rand/drbg_ctr.c+
$(OPENSSL_PATH)/crypto/rand/drbg_lib.c+
$(OPENSSL_PATH)/crypto/rand/rand_egd.c+
$(OPENSSL_PATH)/crypto/rand/rand_err.c+
$(OPENSSL_PATH)/crypto/rand/rand_lib.c+
$(OPENSSL_PATH)/crypto/rand/rand_unix.c+
$(OPENSSL_PATH)/crypto/rand/rand_vms.c+
$(OPENSSL_PATH)/crypto/rand/rand_win.c+
$(OPENSSL_PATH)/crypto/rsa/rsa_ameth.c+
$(OPENSSL_PATH)/crypto/rsa/rsa_asn1.c+
$(OPENSSL_PATH)/crypto/rsa/rsa_chk.c+
$(OPENSSL_PATH)/crypto/rsa/rsa_crpt.c+
$(OPENSSL_PATH)/crypto/rsa/rsa_depr.c+
$(OPENSSL_PATH)/crypto/rsa/rsa_err.c+
$(OPENSSL_PATH)/crypto/rsa/rsa_gen.c+
$(OPENSSL_PATH)/crypto/rsa/rsa_lib.c+
$(OPENSSL_PATH)/crypto/rsa/rsa_meth.c+
$(OPENSSL_PATH)/crypto/rsa/rsa_mp.c+
$(OPENSSL_PATH)/crypto/rsa/rsa_none.c+
$(OPENSSL_PATH)/crypto/rsa/rsa_oaep.c+
$(OPENSSL_PATH)/crypto/rsa/rsa_ossl.c+
$(OPENSSL_PATH)/crypto/rsa/rsa_pk1.c+
$(OPENSSL_PATH)/crypto/rsa/rsa_pmeth.c+
$(OPENSSL_PATH)/crypto/rsa/rsa_prn.c+
$(OPENSSL_PATH)/crypto/rsa/rsa_pss.c+
$(OPENSSL_PATH)/crypto/rsa/rsa_saos.c+
$(OPENSSL_PATH)/crypto/rsa/rsa_sign.c+
$(OPENSSL_PATH)/crypto/rsa/rsa_ssl.c+
$(OPENSSL_PATH)/crypto/rsa/rsa_x931.c+
$(OPENSSL_PATH)/crypto/rsa/rsa_x931g.c+
$(OPENSSL_PATH)/crypto/sha/keccak1600.c+
$(OPENSSL_PATH)/crypto/sha/sha1_one.c+
$(OPENSSL_PATH)/crypto/sha/sha1dgst.c+
$(OPENSSL_PATH)/crypto/sha/sha256.c+
$(OPENSSL_PATH)/crypto/sha/sha512.c+
$(OPENSSL_PATH)/crypto/siphash/siphash.c+
$(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c+
$(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c+
$(OPENSSL_PATH)/crypto/sm3/m_sm3.c+
$(OPENSSL_PATH)/crypto/sm3/sm3.c+
$(OPENSSL_PATH)/crypto/sm4/sm4.c+
$(OPENSSL_PATH)/crypto/stack/stack.c+
$(OPENSSL_PATH)/crypto/threads_none.c+
$(OPENSSL_PATH)/crypto/threads_pthread.c+
$(OPENSSL_PATH)/crypto/threads_win.c+
$(OPENSSL_PATH)/crypto/txt_db/txt_db.c+
$(OPENSSL_PATH)/crypto/ui/ui_err.c+
$(OPENSSL_PATH)/crypto/ui/ui_lib.c+
$(OPENSSL_PATH)/crypto/ui/ui_null.c+
$(OPENSSL_PATH)/crypto/ui/ui_openssl.c+
$(OPENSSL_PATH)/crypto/ui/ui_util.c+ $(OPENSSL_PATH)/crypto/uid.c+
$(OPENSSL_PATH)/crypto/x509/by_dir.c+
$(OPENSSL_PATH)/crypto/x509/by_file.c+
$(OPENSSL_PATH)/crypto/x509/t_crl.c+
$(OPENSSL_PATH)/crypto/x509/t_req.c+
$(OPENSSL_PATH)/crypto/x509/t_x509.c+
$(OPENSSL_PATH)/crypto/x509/x509_att.c+
$(OPENSSL_PATH)/crypto/x509/x509_cmp.c+
$(OPENSSL_PATH)/crypto/x509/x509_d2.c+
$(OPENSSL_PATH)/crypto/x509/x509_def.c+
$(OPENSSL_PATH)/crypto/x509/x509_err.c+
$(OPENSSL_PATH)/crypto/x509/x509_ext.c+
$(OPENSSL_PATH)/crypto/x509/x509_lu.c+
$(OPENSSL_PATH)/crypto/x509/x509_meth.c+
$(OPENSSL_PATH)/crypto/x509/x509_obj.c+
$(OPENSSL_PATH)/crypto/x509/x509_r2x.c+
$(OPENSSL_PATH)/crypto/x509/x509_req.c+
$(OPENSSL_PATH)/crypto/x509/x509_set.c+
$(OPENSSL_PATH)/crypto/x509/x509_trs.c+
$(OPENSSL_PATH)/crypto/x509/x509_txt.c+
$(OPENSSL_PATH)/crypto/x509/x509_v3.c+
$(OPENSSL_PATH)/crypto/x509/x509_vfy.c+
$(OPENSSL_PATH)/crypto/x509/x509_vpm.c+
$(OPENSSL_PATH)/crypto/x509/x509cset.c+
$(OPENSSL_PATH)/crypto/x509/x509name.c+
$(OPENSSL_PATH)/crypto/x509/x509rset.c+
$(OPENSSL_PATH)/crypto/x509/x509spki.c+
$(OPENSSL_PATH)/crypto/x509/x509type.c+
$(OPENSSL_PATH)/crypto/x509/x_all.c+
$(OPENSSL_PATH)/crypto/x509/x_attrib.c+
$(OPENSSL_PATH)/crypto/x509/x_crl.c+
$(OPENSSL_PATH)/crypto/x509/x_exten.c+
$(OPENSSL_PATH)/crypto/x509/x_name.c+
$(OPENSSL_PATH)/crypto/x509/x_pubkey.c+
$(OPENSSL_PATH)/crypto/x509/x_req.c+
$(OPENSSL_PATH)/crypto/x509/x_x509.c+
$(OPENSSL_PATH)/crypto/x509/x_x509a.c+
$(OPENSSL_PATH)/crypto/x509v3/pcy_cache.c+
$(OPENSSL_PATH)/crypto/x509v3/pcy_data.c+
$(OPENSSL_PATH)/crypto/x509v3/pcy_lib.c+
$(OPENSSL_PATH)/crypto/x509v3/pcy_map.c+
$(OPENSSL_PATH)/crypto/x509v3/pcy_node.c+
$(OPENSSL_PATH)/crypto/x509v3/pcy_tree.c+
$(OPENSSL_PATH)/crypto/x509v3/v3_addr.c+
$(OPENSSL_PATH)/crypto/x509v3/v3_admis.c+
$(OPENSSL_PATH)/crypto/x509v3/v3_akey.c+
$(OPENSSL_PATH)/crypto/x509v3/v3_akeya.c+
$(OPENSSL_PATH)/crypto/x509v3/v3_alt.c+
$(OPENSSL_PATH)/crypto/x509v3/v3_asid.c+
$(OPENSSL_PATH)/crypto/x509v3/v3_bcons.c+
$(OPENSSL_PATH)/crypto/x509v3/v3_bitst.c+
$(OPENSSL_PATH)/crypto/x509v3/v3_conf.c+
$(OPENSSL_PATH)/crypto/x509v3/v3_cpols.c+
$(OPENSSL_PATH)/crypto/x509v3/v3_crld.c+
$(OPENSSL_PATH)/crypto/x509v3/v3_enum.c+
$(OPENSSL_PATH)/crypto/x509v3/v3_extku.c+
$(OPENSSL_PATH)/crypto/x509v3/v3_genn.c+
$(OPENSSL_PATH)/crypto/x509v3/v3_ia5.c+
$(OPENSSL_PATH)/crypto/x509v3/v3_info.c+
$(OPENSSL_PATH)/crypto/x509v3/v3_int.c+
$(OPENSSL_PATH)/crypto/x509v3/v3_lib.c+
$(OPENSSL_PATH)/crypto/x509v3/v3_ncons.c+
$(OPENSSL_PATH)/crypto/x509v3/v3_pci.c+
$(OPENSSL_PATH)/crypto/x509v3/v3_pcia.c+
$(OPENSSL_PATH)/crypto/x509v3/v3_pcons.c+
$(OPENSSL_PATH)/crypto/x509v3/v3_pku.c+
$(OPENSSL_PATH)/crypto/x509v3/v3_pmaps.c+
$(OPENSSL_PATH)/crypto/x509v3/v3_prn.c+
$(OPENSSL_PATH)/crypto/x509v3/v3_purp.c+
$(OPENSSL_PATH)/crypto/x509v3/v3_skey.c+
$(OPENSSL_PATH)/crypto/x509v3/v3_sxnet.c+
$(OPENSSL_PATH)/crypto/x509v3/v3_tlsf.c+
$(OPENSSL_PATH)/crypto/x509v3/v3_utl.c+
$(OPENSSL_PATH)/crypto/x509v3/v3err.c+
$(OPENSSL_PATH)/crypto/arm_arch.h+
$(OPENSSL_PATH)/crypto/mips_arch.h+
$(OPENSSL_PATH)/crypto/ppc_arch.h+
$(OPENSSL_PATH)/crypto/s390x_arch.h+
$(OPENSSL_PATH)/crypto/sparc_arch.h+
$(OPENSSL_PATH)/crypto/vms_rms.h+
$(OPENSSL_PATH)/crypto/aes/aes_local.h+
$(OPENSSL_PATH)/crypto/asn1/asn1_item_list.h+
$(OPENSSL_PATH)/crypto/asn1/asn1_local.h+
$(OPENSSL_PATH)/crypto/asn1/charmap.h+
$(OPENSSL_PATH)/crypto/asn1/standard_methods.h+
$(OPENSSL_PATH)/crypto/asn1/tbl_standard.h+
$(OPENSSL_PATH)/crypto/async/async_local.h+
$(OPENSSL_PATH)/crypto/async/arch/async_null.h+
$(OPENSSL_PATH)/crypto/async/arch/async_posix.h+
$(OPENSSL_PATH)/crypto/async/arch/async_win.h+
$(OPENSSL_PATH)/crypto/bio/bio_local.h+
$(OPENSSL_PATH)/crypto/bn/bn_local.h+
$(OPENSSL_PATH)/crypto/bn/bn_prime.h+
$(OPENSSL_PATH)/crypto/bn/rsaz_exp.h+
$(OPENSSL_PATH)/crypto/comp/comp_local.h+
$(OPENSSL_PATH)/crypto/conf/conf_def.h+
$(OPENSSL_PATH)/crypto/conf/conf_local.h+
$(OPENSSL_PATH)/crypto/dh/dh_local.h+
$(OPENSSL_PATH)/crypto/dso/dso_local.h+
$(OPENSSL_PATH)/crypto/evp/evp_local.h+
$(OPENSSL_PATH)/crypto/hmac/hmac_local.h+
$(OPENSSL_PATH)/crypto/lhash/lhash_local.h+
$(OPENSSL_PATH)/crypto/md5/md5_local.h+
$(OPENSSL_PATH)/crypto/modes/modes_local.h+
$(OPENSSL_PATH)/crypto/objects/obj_dat.h+
$(OPENSSL_PATH)/crypto/objects/obj_local.h+
$(OPENSSL_PATH)/crypto/objects/obj_xref.h+
$(OPENSSL_PATH)/crypto/ocsp/ocsp_local.h+
$(OPENSSL_PATH)/crypto/pkcs12/p12_local.h+
$(OPENSSL_PATH)/crypto/rand/rand_local.h+
$(OPENSSL_PATH)/crypto/rsa/rsa_local.h+
$(OPENSSL_PATH)/crypto/sha/sha_local.h+
$(OPENSSL_PATH)/crypto/siphash/siphash_local.h+
$(OPENSSL_PATH)/crypto/sm3/sm3_local.h+
$(OPENSSL_PATH)/crypto/store/store_local.h+
$(OPENSSL_PATH)/crypto/ui/ui_local.h+
$(OPENSSL_PATH)/crypto/x509/x509_local.h+
$(OPENSSL_PATH)/crypto/x509v3/ext_dat.h+
$(OPENSSL_PATH)/crypto/x509v3/pcy_local.h+
$(OPENSSL_PATH)/crypto/x509v3/standard_exts.h+
$(OPENSSL_PATH)/crypto/x509v3/v3_admis.h+
$(OPENSSL_PATH)/ssl/bio_ssl.c+ $(OPENSSL_PATH)/ssl/d1_lib.c+
$(OPENSSL_PATH)/ssl/d1_msg.c+ $(OPENSSL_PATH)/ssl/d1_srtp.c+
$(OPENSSL_PATH)/ssl/methods.c+ $(OPENSSL_PATH)/ssl/packet.c+
$(OPENSSL_PATH)/ssl/pqueue.c+
$(OPENSSL_PATH)/ssl/record/dtls1_bitmap.c+
$(OPENSSL_PATH)/ssl/record/rec_layer_d1.c+
$(OPENSSL_PATH)/ssl/record/rec_layer_s3.c+
$(OPENSSL_PATH)/ssl/record/ssl3_buffer.c+
$(OPENSSL_PATH)/ssl/record/ssl3_record.c+
$(OPENSSL_PATH)/ssl/record/ssl3_record_tls13.c+
$(OPENSSL_PATH)/ssl/s3_cbc.c+ $(OPENSSL_PATH)/ssl/s3_enc.c+
$(OPENSSL_PATH)/ssl/s3_lib.c+ $(OPENSSL_PATH)/ssl/s3_msg.c+
$(OPENSSL_PATH)/ssl/ssl_asn1.c+ $(OPENSSL_PATH)/ssl/ssl_cert.c+
$(OPENSSL_PATH)/ssl/ssl_ciph.c+ $(OPENSSL_PATH)/ssl/ssl_conf.c+
$(OPENSSL_PATH)/ssl/ssl_err.c+ $(OPENSSL_PATH)/ssl/ssl_init.c+
$(OPENSSL_PATH)/ssl/ssl_lib.c+ $(OPENSSL_PATH)/ssl/ssl_mcnf.c+
$(OPENSSL_PATH)/ssl/ssl_rsa.c+ $(OPENSSL_PATH)/ssl/ssl_sess.c+
$(OPENSSL_PATH)/ssl/ssl_stat.c+ $(OPENSSL_PATH)/ssl/ssl_txt.c+
$(OPENSSL_PATH)/ssl/ssl_utst.c+
$(OPENSSL_PATH)/ssl/statem/extensions.c+
$(OPENSSL_PATH)/ssl/statem/extensions_clnt.c+
$(OPENSSL_PATH)/ssl/statem/extensions_cust.c+
$(OPENSSL_PATH)/ssl/statem/extensions_srvr.c+
$(OPENSSL_PATH)/ssl/statem/statem.c+
$(OPENSSL_PATH)/ssl/statem/statem_clnt.c+
$(OPENSSL_PATH)/ssl/statem/statem_dtls.c+
$(OPENSSL_PATH)/ssl/statem/statem_lib.c+
$(OPENSSL_PATH)/ssl/statem/statem_srvr.c+
$(OPENSSL_PATH)/ssl/t1_enc.c+ $(OPENSSL_PATH)/ssl/t1_lib.c+
$(OPENSSL_PATH)/ssl/t1_trce.c+ $(OPENSSL_PATH)/ssl/tls13_enc.c+
$(OPENSSL_PATH)/ssl/tls_srp.c+ $(OPENSSL_PATH)/ssl/packet_local.h+
$(OPENSSL_PATH)/ssl/ssl_cert_table.h+ $(OPENSSL_PATH)/ssl/ssl_local.h+
$(OPENSSL_PATH)/ssl/record/record.h+
$(OPENSSL_PATH)/ssl/record/record_local.h+
$(OPENSSL_PATH)/ssl/statem/statem.h+
$(OPENSSL_PATH)/ssl/statem/statem_local.h+# Autogenerated files list
ends here+ buildinf.h+ rand_pool_noise.h+ ossl_store.c+
rand_pool.c++[Sources.X64]+ rand_pool_noise_tsc.c+
ApiHooks.c++[Packages]+ MdePkg/MdePkg.dec+
CryptoPkg/CryptoPkg.dec++[LibraryClasses]+ BaseLib+ DebugLib+
TimerLib+ PrintLib++[BuildOptions]+ #+ # Disables the following Visual
Studio compiler warnings brought by openssl source,+ # so we do not break
the build with /WX option:+ # C4090: 'function' : different 'const' qualifiers+
# C4132: 'object' : const object should be initialized (tls13_enc.c)+ # C4210:
nonstandard extension used: function given file scope+ # C4244:
conversion from type1 to type2, possible loss of data+ # C4245: conversion
from type1 to type2, signed/unsigned mismatch+ # C4267: conversion from
size_t to type, possible loss of data+ # C4306: 'identifier' : conversion from
'type1' to 'type2' of greater size+ # C4310: cast truncates constant value+ #
C4389: 'operator' : signed/unsigned mismatch (xxxx)+ # C4700: uninitialized
local variable 'name' used. (conf_sap.c(71))+ # C4702: unreachable code+ #
C4706: assignment within conditional expression+ # C4819: The file contains
a character that cannot be represented in the current code page+ #+
MSFT:*_*_X64_CC_FLAGS = -U_WIN32 -U_WIN64 -U_MSC_VER
$(OPENSSL_FLAGS) $(OPENSSL_FLAGS_CONFIG) /wd4090 /wd4132 /wd4210
/wd4244 /wd4245 /wd4267 /wd4306 /wd4310 /wd4700 /wd4389 /wd4702
/wd4706 /wd4819++ INTEL:*_*_X64_CC_FLAGS = -U_WIN32 -U_WIN64 -
U_MSC_VER -U__ICC $(OPENSSL_FLAGS) $(OPENSSL_FLAGS_CONFIG) /w++
#+ # Suppress the following build warnings in openssl so we don't break the
build with -Werror+ # -Werror=maybe-uninitialized: there exist some other
paths for which the variable is not initialized.+ # -Werror=format: Check
calls to printf and scanf, etc., to make sure that the arguments supplied
have+ # types appropriate to the format string specified.+ # -
Werror=unused-but-set-variable: Warn whenever a local variable is assigned
to, but otherwise unused (aside from its declaration).+ #+
GCC:*_*_X64_CC_FLAGS = -U_WIN32 -U_WIN64 $(OPENSSL_FLAGS)
$(OPENSSL_FLAGS_CONFIG) -Wno-error=maybe-uninitialized -Wno-
error=format -Wno-format -Wno-error=unused-but-set-variable -
DNO_MSABI_VA_FUNCS++ # suppress the following warnings in openssl so
we don't break the build with warnings-as-errors:+ # 1295: Deprecated
declaration <entity> - give arg types+ # 550: <entity> was set but never
used+ # 1293: assignment in condition+ # 111: statement is unreachable
(invariably "break;" after "return X;" in case statement)+ # 68: integer
conversion resulted in a change of sign ("if (Status == -1)")+ # 177: <entity>
was declared but never referenced+ # 223: function <entity> declared
implicitly+ # 144: a value of type <type> cannot be used to initialize an entity
of type <type>+ # 513: a value of type <type> cannot be assigned to an
entity of type <type>+ # 188: enumerated type mixed with another type
(i.e. passing an integer as an enum without a cast)+ # 1296: Extended
constant initialiser used+ # 128: loop is not reachable - may be emitted
inappropriately if code follows a conditional return+ # from the function
that evaluates to true at compile time+ # 546: transfer of control bypasses
initialization - may be emitted inappropriately if the uninitialized+ #
variable is never referenced after the jump+ # 1: ignore "#1-D: last line of
file ends without a newline"+ # 3017: <entity> may be used before being set
(NOTE: This was fixed in OpenSSL 1.1 HEAD with+ # commit
d9b8b89bec4480de3a10bdaf9425db371c19145b, and can be dropped then.)+
XCODE:*_*_X64_CC_FLAGS = -mmmx -msse -U_WIN32 -U_WIN64
$(OPENSSL_FLAGS) $(OPENSSL_FLAGS_CONFIG) -w -std=c99 -Wno-
error=uninitializeddiff --git
a/CryptoPkg/Library/Include/openssl/opensslconf.h
b/CryptoPkg/Library/Include/openssl/opensslconf.h
index 3a2544ea5c..e8f73c4d10 100644
--- a/CryptoPkg/Library/Include/openssl/opensslconf.h
+++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
@@ -112,9 +112,6 @@ extern "C" {
#ifndef OPENSSL_NO_ASAN # define OPENSSL_NO_ASAN #endif-#ifndef
OPENSSL_NO_ASM-# define OPENSSL_NO_ASM-#endif #ifndef
OPENSSL_NO_ASYNC # define OPENSSL_NO_ASYNC #endifdiff --git
a/CryptoPkg/Library/OpensslLib/ApiHooks.c
b/CryptoPkg/Library/OpensslLib/ApiHooks.c
new file mode 100644
index 0000000000..58cff16838
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/ApiHooks.c
@@ -0,0 +1,18 @@
+/** @file+ OpenSSL Library API hooks.++Copyright (c) 2020, Intel
Corporation. All rights reserved.<BR>+SPDX-License-Identifier: BSD-2-
Clause-Patent++**/++#include <Uefi.h>++VOID *+__imp_RtlVirtualUnwind
(+ VOID * Args+ )+{+ return NULL;+}+diff --git
a/CryptoPkg/Library/OpensslLib/OpensslLibConstructor.c
b/CryptoPkg/Library/OpensslLib/OpensslLibConstructor.c
new file mode 100644
index 0000000000..ef20d2b84e
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibConstructor.c
@@ -0,0 +1,34 @@
+/** @file+ Constructor to initialize CPUID data for OpenSSL assembly
operations.++Copyright (c) 2020, Intel Corporation. All rights
reserved.<BR>+SPDX-License-Identifier: BSD-2-Clause-
Patent++**/++#include <Uefi.h>++extern void OPENSSL_cpuid_setup
(void);++/**+ Constructor routine for OpensslLib.++ The constructor calls an
internal OpenSSL function which fetches a local copy+ of the hardware
capability flags, used to enable native crypto instructions.++ @param
None++ @retval EFI_SUCCESS The construction
succeeded.++**/+EFI_STATUS+EFIAPI+OpensslLibConstructor (+ VOID+
)+{+ OPENSSL_cpuid_setup ();++ return EFI_SUCCESS;+}+diff --git
a/CryptoPkg/Library/OpensslLib/process_files.pl
b/CryptoPkg/Library/OpensslLib/process_files.pl
index 57ce195394..472f59bc8e 100755
--- a/CryptoPkg/Library/OpensslLib/process_files.pl
+++ b/CryptoPkg/Library/OpensslLib/process_files.pl
@@ -9,9 +9,63 @@
# do not need to do this, since the results are stored in the EDK2 # git
repository for them. #+# Due to the script wrapping required to process the
OpenSSL+# configuration data, each native architecture must be
processed+# individually by the maintainer (in addition to the standard
version):+# ./process_files.pl+# ./process_files.pl X64+# ./process_files.pl
[Arch]+ use strict; use Cwd; use File::Copy;+use File::Basename;+use
File::Path qw(make_path remove_tree);+use Text::Tabs;++#+# OpenSSL
perlasm generator script does not transfer the copyright header+#+sub
copy_license_header+{+ my @args = split / /, shift; #Separate args by
spaces+ my $source = $args[1]; #Source file is second (after "perl")+
my $target = pop @args; #Target file is always last+ chop ($target);
#Remove newline char++ my $temp_file_name = "license.tmp";+ open
(my $source_file, "<" . $source) || die $source;+ open (my $target_file, "<"
. $target) || die $target;+ open (my $temp_file, ">" . $temp_file_name) ||
die $temp_file_name;++ #Add "generated file" warning+ $source =~
s/^..//; #Remove leading "./"+ print ($temp_file "; WARNING: do not
edit!\r\n");+ print ($temp_file "; Generated from $source\r\n");+ print
($temp_file ";\r\n");++ #Copy source file header to temp file+ while (my
$line = <$source_file>) {+ next if ($line =~ /#!/); #Ignore shebang line+
$line =~ s/#/;/; #Fix comment character for assembly+ $line =~
s/\s+$/\r\n/; #Trim trailing whitepsace, fixup line endings+ print
($temp_file $line);+ last if ($line =~ /http/); #Last line of copyright header
contains a web link+ }+ print ($temp_file "\r\n");+ #Retrieve generated
assembly contents+ while (my $line = <$target_file>) {+ $line =~
s/\s+$/\r\n/; #Trim trailing whitepsace, fixup line endings+ print
($temp_file expand ($line)); #expand() replaces tabs with spaces+ }++
close ($source_file);+ close ($target_file);+ close ($temp_file);++ move
($temp_file_name, $target) ||+ die "Cannot replace \"" . $target .
"\"!";+} # # Find the openssl directory name for use lib. We have to do
this@@ -21,10 +75,41 @@ use File::Copy;
# my $inf_file; my $OPENSSL_PATH;+my $uefi_config;+my $extension;+my
$arch; my @inf; BEGIN { $inf_file = "OpensslLib.inf";+ $uefi_config =
"UEFI";+ $arch = shift;++ if (defined $arch) {+ if (uc ($arch) eq "X64") {+
$arch = "X64";+ $inf_file = "OpensslLibX64.inf";+ $uefi_config =
"UEFI-x86_64";+ $extension = "nasm";+ } else {+ die
"Unsupported architecture \"" . $arch . "\"!";+ }+ if ($extension eq
"nasm") {+ if (`nasm -v 2>&1`) {+ #Presence of nasm executable
will trigger inclusion of AVX instructions+ die "\nCannot run assembly
generators with NASM in path!\n\n";+ }+ }++ # Prepare
assembly folder+ if (-d $arch) {+ remove_tree ($arch, {safe => 1})
||+ die "Cannot clean assembly folder \"" . $arch . "\"!";+ } else {+
mkdir $arch ||+ die "Cannot create assembly folder \"" . $arch .
"\"!";+ }+ } # Read the contents of the inf file open( FD, "<" .
$inf_file ) ||@@ -47,9 +132,9 @@ BEGIN {
# Configure UEFI system( "./Configure",-
"UEFI",+ "--config=../uefi-asm.conf",+ "$uefi_config",
"no-afalgeng",- "no-asm", "no-async", "no-
autoerrinit", "no-autoload-config",@@ -129,23 +214,53 @@ BEGIN {
# Retrieve file lists from OpenSSL configdata # use configdata
qw/%unified_info/;+use configdata qw/%config/;+use configdata
qw/%target/;++#+# Collect build flags from configdata+#+my $flags =
"";+foreach my $f (@{$config{lib_defines}}) {+ $flags .= " -D$f";+} my
@cryptofilelist = (); my @sslfilelist = ();+my @asmfilelist = ();+my @asmbuild
= (); foreach my $product ((@{$unified_info{libraries}},
@{$unified_info{engines}})) { foreach my $o (@{$unified_info{sources}-
{$product}}) { foreach my $s (@{$unified_info{sources}->{$o}}) {-
next if ($unified_info{generate}->{$s});- next if $s =~
"crypto/bio/b_print.c";- # No need to add unused files in UEFI. #
So it can reduce porting time, compile time, library size.+ next if $s =~
"crypto/bio/b_print.c"; next if $s =~ "crypto/rand/randfile.c";
next if $s =~ "crypto/store/"; next if $s =~ "crypto/err/err_all.c";
next if $s =~ "crypto/aes/aes_ecb.c"; + if ($unified_info{generate}-
{$s}) {+ if (defined $arch) {+ my $buildstring = "perl";+
foreach my $arg (@{$unified_info{generate}->{$s}}) {+ if ($arg =~
".pl") {+ $buildstring .= " ./openssl/$arg";+ } elsif
($arg =~ "PERLASM_SCHEME") {+ $buildstring .= "
$target{perlasm_scheme}";+ } elsif ($arg =~ "LIB_CFLAGS") {+
$buildstring .= "$flags";+ }+ }+ ($s, my $path,
undef) = fileparse($s, qr/\.[^.]*/);+ $buildstring .= "
./$arch/$path$s.$extension";+ make_path ("./$arch/$path");+
push @asmbuild, "$buildstring\n";+ push @asmfilelist, "
$arch/$path$s.$extension\r\n";+ }+ next;+ } if
($product =~ "libssl") { push @sslfilelist, ' $(OPENSSL_PATH)/' . $s .
"\r\n"; next;@@ -183,15 +298,31 @@ foreach (@headers){
} +#+# Generate assembly files+#+if (@asmbuild) {+ print "\n-->
Generating assembly files ... ";+ foreach my $buildstring (@asmbuild) {+
system ("$buildstring");+ copy_license_header ($buildstring);+ }+ print
"Done!";+}+ # # Update OpensslLib.inf with autogenerated file list # my
@new_inf = (); my $subbing = 0;-print "\n--> Updating OpensslLib.inf ...
";+print "\n--> Updating $inf_file ... "; foreach (@inf) {+ if ($_ =~ "DEFINE
OPENSSL_FLAGS_CONFIG") {+ push @new_inf, " DEFINE
OPENSSL_FLAGS_CONFIG =" . $flags . "\r\n";+ next;+ } if ( $_ =~ "#
Autogenerated files list starts here" ) {- push @new_inf, $_,
@cryptofilelist, @sslfilelist;+ push @new_inf, $_, @asmfilelist,
@cryptofilelist, @sslfilelist; $subbing = 1; next; }@@ -216,49
+347,51 @@ rename( $new_inf_file, $inf_file ) ||
die "rename $inf_file"; print "Done!"; -#-# Update OpensslLibCrypto.inf
with auto-generated file list (no libssl)-#-$inf_file = "OpensslLibCrypto.inf";--
# Read the contents of the inf file-@inf = ();-@new_inf = ();-open( FD, "<" .
$inf_file ) ||- die "Cannot open \"" . $inf_file . "\"!";-@inf = (<FD>);-
close(FD) ||- die "Cannot close \"" . $inf_file . "\"!";+if (!defined $arch) {+
#+ # Update OpensslLibCrypto.inf with auto-generated file list (no libssl)+
#+ $inf_file = "OpensslLibCrypto.inf"; -$subbing = 0;-print "\n--> Updating
OpensslLibCrypto.inf ... ";-foreach (@inf) {- if ( $_ =~ "# Autogenerated files
list starts here" ) {- push @new_inf, $_, @cryptofilelist;- $subbing = 1;-
next;- }- if ( $_ =~ "# Autogenerated files list ends here" ) {- push
@new_inf, $_;- $subbing = 0;- next;+ # Read the contents of the inf
file+ @inf = ();+ @new_inf = ();+ open( FD, "<" . $inf_file ) ||+ die
"Cannot open \"" . $inf_file . "\"!";+ @inf = (<FD>);+ close(FD) ||+ die
"Cannot close \"" . $inf_file . "\"!";++ $subbing = 0;+ print "\n--> Updating
OpensslLibCrypto.inf ... ";+ foreach (@inf) {+ if ( $_ =~ "#
Autogenerated files list starts here" ) {+ push @new_inf, $_,
@cryptofilelist;+ $subbing = 1;+ next;+ }+ if ( $_ =~ "#
Autogenerated files list ends here" ) {+ push @new_inf, $_;+
$subbing = 0;+ next;+ }++ push @new_inf, $_+ unless
($subbing); } - push @new_inf, $_- unless ($subbing);+
$new_inf_file = $inf_file . ".new";+ open( FD, ">" . $new_inf_file ) ||+
die $new_inf_file;+ print( FD @new_inf ) ||+ die $new_inf_file;+
close(FD) ||+ die $new_inf_file;+ rename( $new_inf_file, $inf_file ) ||+
die "rename $inf_file";+ print "Done!"; } -$new_inf_file = $inf_file .
".new";-open( FD, ">" . $new_inf_file ) ||- die $new_inf_file;-print( FD
@new_inf ) ||- die $new_inf_file;-close(FD) ||- die $new_inf_file;-
rename( $new_inf_file, $inf_file ) ||- die "rename $inf_file";-print
"Done!";- # # Copy opensslconf.h and dso_conf.h generated from OpenSSL
Configuration #diff --git a/CryptoPkg/Library/OpensslLib/uefi-asm.conf
b/CryptoPkg/Library/OpensslLib/uefi-asm.conf
new file mode 100644
index 0000000000..55eedbf3ba
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/uefi-asm.conf
@@ -0,0 +1,15 @@
+## -*- mode: perl; -*-+## UEFI assembly openssl configuration
targets.++my %targets = (+#### UEFI+ "UEFI-x86_64" => {+
perlasm_scheme => "nasm",+ # inherit_from => [ "UEFI",
asm("x86_64_asm") ],+ inherit_from => [ "UEFI" ],+ cpuid_asm_src
=> "x86_64cpuid.s",+ aes_asm_src => "aes_core.c aes_cbc.c vpaes-
x86_64.s aesni-x86_64.s aesni-sha1-x86_64.s aesni-sha256-x86_64.s aesni-
mb-x86_64.s",+ sha1_asm_src => "sha1-x86_64.s sha256-x86_64.s
sha512-x86_64.s sha1-mb-x86_64.s sha256-mb-x86_64.s",+
modes_asm_src => "ghash-x86_64.s",+ },+);--
2.28.0.windows.1


-=-=-=-=-=-=
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#63682): https://edk2.groups.io/g/devel/message/63682
Mute This Topic: https://groups.io/mt/75978612/4399222
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub
[guomin.jiang@...] -=-=-=-=-=-=


Re: [PATCH v4 0/5] Use RngLib instead of TimerLib for OpensslLib

Guomin Jiang
 

I will review the patch by next week(8/21).

Thanks
Guomin

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of
Matthew Carlson
Sent: Tuesday, August 11, 2020 10:22 AM
To: devel@edk2.groups.io
Subject: [edk2-devel] [PATCH v4 0/5] Use RngLib instead of TimerLib for
OpensslLib

From: Matthew Carlson <macarl@...>

Ref: https://github.com/tianocore/edk2/pull/845
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1871

Matthew Carlson (5):
MdePkg: TimerRngLib: Added RngLib that uses TimerLib
MdePkg: BaseRngLibDxe: Add RngLib that uses RngDxe
OvmfPkg: Add RngLib based on TimerLib for Crypto
ArmVirtPkg: Add RngLib based on TimerLib for CryptoPkg
CryptoPkg: OpensslLib: Use RngLib to generate entropy in rand_pool

CryptoPkg/Library/OpensslLib/rand_pool.c | 203 ++------------------
CryptoPkg/Library/OpensslLib/rand_pool_noise.c | 29 ---
CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c | 43 -----
MdePkg/Library/BaseRngLibDxe/RngDxeLib.c | 200
+++++++++++++++++++
MdePkg/Library/BaseRngLibTimerLib/RngLibTimer.c | 187
++++++++++++++++++
ArmVirtPkg/ArmVirt.dsc.inc | 1 +
CryptoPkg/CryptoPkg.dsc | 1 +
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 15 +-
CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf | 15 +-
CryptoPkg/Library/OpensslLib/rand_pool_noise.h | 29 ---
MdePkg/Library/BaseRngLibDxe/BaseRngLibDxe.inf | 38 ++++
MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf | 40 ++++
MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.uni | 17 ++
MdePkg/MdePkg.dsc | 5 +-
OvmfPkg/OvmfPkgIa32.dsc | 1 +
OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
OvmfPkg/OvmfPkgX64.dsc | 1 +
OvmfPkg/OvmfXen.dsc | 1 +
18 files changed, 513 insertions(+), 314 deletions(-) delete mode 100644
CryptoPkg/Library/OpensslLib/rand_pool_noise.c
delete mode 100644 CryptoPkg/Library/OpensslLib/rand_pool_noise_tsc.c
create mode 100644 MdePkg/Library/BaseRngLibDxe/RngDxeLib.c
create mode 100644 MdePkg/Library/BaseRngLibTimerLib/RngLibTimer.c
delete mode 100644 CryptoPkg/Library/OpensslLib/rand_pool_noise.h
create mode 100644 MdePkg/Library/BaseRngLibDxe/BaseRngLibDxe.inf
create mode 100644
MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
create mode 100644
MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.uni

--
2.27.0.windows.1



Re: [PATCH v9 05/16] CryptoPkg/CryptoPkg.ci.yaml: Add configuration for Ecc check

Guomin Jiang
 

Reviewed-by: Guomin Jiang <guomin.jiang@...>

Thanks
Guomin

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Zhang,
Shenglei
Sent: Tuesday, August 11, 2020 3:02 PM
To: devel@edk2.groups.io
Cc: Wang, Jian J <jian.j.wang@...>; Lu, XiaoyuX
<xiaoyux.lu@...>
Subject: [edk2-devel] [PATCH v9 05/16] CryptoPkg/CryptoPkg.ci.yaml: Add
configuration for Ecc check

Add configuration ExceptionList and IgnoreFiles for package config files. So
users can rely on this to ignore some Ecc issues.
Besides, add submodule path in IgnoreFiles section.

Cc: Jian J Wang <jian.j.wang@...>
Cc: Xiaoyu Lu <xiaoyux.lu@...>
Signed-off-by: Shenglei Zhang <shenglei.zhang@...>
---
CryptoPkg/CryptoPkg.ci.yaml | 13 +++++++++++++
1 file changed, 13 insertions(+)

diff --git a/CryptoPkg/CryptoPkg.ci.yaml b/CryptoPkg/CryptoPkg.ci.yaml
index e73b79e01fef..e2d190a90c51 100644
--- a/CryptoPkg/CryptoPkg.ci.yaml
+++ b/CryptoPkg/CryptoPkg.ci.yaml
@@ -2,12 +2,25 @@
# CI configuration for CryptoPkg
#
# Copyright (c) Microsoft Corporation
+# Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
# SPDX-License-Identifier: BSD-2-Clause-Patent ## {
"LicenseCheck": {
"IgnoreFiles": []
},
+ "EccCheck": {
+ ## Exception sample looks like below:
+ ## "ExceptionList": [
+ ## "<ErrorID>", "<KeyWord>"
+ ## ]
+ "ExceptionList": [
+ ],
+ ## Both file path and directory path are accepted.
+ "IgnoreFiles": [
+ "Library/OpensslLib/openssl"
+ ]
+ },
"CompilerPlugin": {
"DscPath": "CryptoPkg.dsc"
},
--
2.18.0.windows.1



Re: [PATCH] MdeModulePkg/UsbBusDxe: some USB PenDisk fails enumeration.

Guomin Jiang
 

+Hao, Ray,

 

Hi Libo, thanks for your explanation.

 

So I think the patch is improvement for current logic.

 

Hi Hao and Ray,

 

Can you give some comments for the change.

 

Hi Jeremy,

 

It may be helpful for the ASSERT issue https://edk2.groups.io/g/devel/message/62651,can you try it?

 

Best Regards

Guomin

From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Feng Libo
Sent: Tuesday, August 11, 2020 5:50 PM
To: Jiang, Guomin <guomin.jiang@...>
Cc: devel@edk2.groups.io; jeremy.linton@...
Subject: Re: [edk2-devel] [PATCH] MdeModulePkg/UsbBusDxe: some USB PenDisk fails enumeration.

 

Hello, Mr. Jiang,

 

Thank for the review.

 

The original enumeration steps in the function of UsbEnumerateNewDev of file UsbEnumer.c: 1 reset the port, 2 set the usb device address, 3 get the Max Packet Size, 4 get the full device descriptor. However, when plugging a USB PenDisk with Innostor USB

controller chip (VID=0x1F75, PID=0x917, USB3.1), the fourth step always fails, trace as below:

 

========

XhcCheckUrbResult: TRANSACTION_ERROR! Completecode = 4 XhcControlTransfer: error - Device Error, transfer - 40 UsbGetOneConfig: failed to get full descript Device Error UsbBuildDescTable: failed to get configure (index 0) UsbEnumerateNewDev: failed to build descriptor table - Device Error

=======

 

The host controller need to get the full device descriptor, but this moment, the Pendisk device doesn't response any more. Then timeout. and UsbEnumerateNewDev complains : failed to build descriptor.

 

We have three Pendisks from different manufacturers, all with Innostor USB controller chip. they all can't be enumerated all. And we observed the problem on both Huawei KunPeng(华为鲲鹏)and Loognson(龙芯)platforms.

 

The three Pendisks always fail the USB enumeration. Other USB 2.0 and USB 3.0 on hand can work well.

 

With the patch, the three pendisks and other pendisks can all work well.

 

THanks

 

--

Best Regards

 

Feng Libo

ZD Technology (Beijing) Co., Ltd


发件人:"Jiang, Guomin" <guomin.jiang@...>
发送日期:2020-08-11 08:21:10
收件人:"devel@edk2.groups.io" <devel@edk2.groups.io>,"Jiang, Guomin" <guomin.jiang@...>,"lbfeng@..." <lbfeng@...>
抄送人:"jeremy.linton@..." <jeremy.linton@...>
主题:RE: [edk2-devel] [PATCH] MdeModulePkg/UsbBusDxe: some USB PenDisk fails enumeration.

+Jeremy,

 

I review the patch and think it is reasonable, but I want to know some more detail information

  1. Can you provide the detail debug log about USB?
  2. The symptom always can be seen or have fail rate?

 

Best Regards

Guomin

From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Guomin Jiang
Sent: Thursday, August 6, 2020 12:29 PM
To: devel@edk2.groups.io; lbfeng@...
Subject: Re: [edk2-devel] [PATCH] MdeModulePkg/UsbBusDxe: some USB PenDisk fails enumeration.

 

I will review it by next weekend(8/14).

 

Thanks.

From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Feng Libo
Sent: Thursday, August 6, 2020 9:25 AM
To: Feng Libo <lbfeng@...>; devel@edk2.groups.io
Subject: Re: [edk2-devel] [PATCH] MdeModulePkg/UsbBusDxe: some USB PenDisk fails enumeration.

 

Hello, 

could anyone review this PATCH?

We encountered the USB enumeration problem and the patch is based on the Microsoft post as below.

https://techcommunity.microsoft.com/t5/microsoft-usb-blog/how-does-usb-stack-enumerate-a-device/ba-p/270685#:~:text=%20How%20does%20USB%20stack%20enumerate%20a%20device%3F,a%20request%20for%20the%20USB%20Device...%20More%20

Thanks

Best Regards

Feng Libo


Re: [PATCH] MdeModulePkg/UsbBusDxe: some USB PenDisk fails enumeration.

Feng Libo <lbfeng@...>
 

Hello, Mr. Jiang,

Thank for the review.

The original enumeration steps in the function of UsbEnumerateNewDev of file UsbEnumer.c: 1 reset the port, 2 set the usb device address, 3 get the Max Packet Size, 4 get the full device descriptor. However, when plugging a USB PenDisk with Innostor USB
controller chip (VID=0x1F75, PID=0x917, USB3.1), the fourth step always fails, trace as below:

========
XhcCheckUrbResult: TRANSACTION_ERROR! Completecode = 4 XhcControlTransfer: error - Device Error, transfer - 40 UsbGetOneConfig: failed to get full descript Device Error UsbBuildDescTable: failed to get configure (index 0) UsbEnumerateNewDev: failed to build descriptor table - Device Error
=======

The host controller need to get the full device descriptor, but this moment, the Pendisk device doesn't response any more. Then timeout. and UsbEnumerateNewDev complains : failed to build descriptor.

We have three Pendisks from different manufacturers, all with Innostor USB controller chip. they all can't be enumerated all. And we observed the problem on both Huawei KunPeng(华为鲲鹏)and Loognson(龙芯)platforms.

The three Pendisks always fail the USB enumeration. Other USB 2.0 and USB 3.0 on hand can work well.

With the patch, the three pendisks and other pendisks can all work well.

THanks

--
Best Regards

Feng Libo
ZD Technology (Beijing) Co., Ltd

发件人:"Jiang, Guomin" <guomin.jiang@...>
发送日期:2020-08-11 08:21:10
收件人:"devel@edk2.groups.io" <devel@edk2.groups.io>,"Jiang, Guomin" <guomin.jiang@...>,"lbfeng@..." <lbfeng@...>
抄送人:"jeremy.linton@..." <jeremy.linton@...>
主题:RE: [edk2-devel] [PATCH] MdeModulePkg/UsbBusDxe: some USB PenDisk fails enumeration.

+Jeremy,

 

I review the patch and think it is reasonable, but I want to know some more detail information

  1. Can you provide the detail debug log about USB?
  2. The symptom always can be seen or have fail rate?

 

Best Regards

Guomin

From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Guomin Jiang
Sent: Thursday, August 6, 2020 12:29 PM
To: devel@edk2.groups.io; lbfeng@...
Subject: Re: [edk2-devel] [PATCH] MdeModulePkg/UsbBusDxe: some USB PenDisk fails enumeration.

 

I will review it by next weekend(8/14).

 

Thanks.

From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Feng Libo
Sent: Thursday, August 6, 2020 9:25 AM
To: Feng Libo <lbfeng@...>; devel@edk2.groups.io
Subject: Re: [edk2-devel] [PATCH] MdeModulePkg/UsbBusDxe: some USB PenDisk fails enumeration.

 

Hello, 

could anyone review this PATCH?

We encountered the USB enumeration problem and the patch is based on the Microsoft post as below.

https://techcommunity.microsoft.com/t5/microsoft-usb-blog/how-does-usb-stack-enumerate-a-device/ba-p/270685#:~:text=%20How%20does%20USB%20stack%20enumerate%20a%20device%3F,a%20request%20for%20the%20USB%20Device...%20More%20

Thanks

Best Regards

Feng Libo


Re: [PATCH 1/3] MdeModulePkg/PartitionDxe: Put the UDF check ahead of MBR

Gao, Zhichao
 

Ray,

The MBR info is correct. The order change is to avoid the MBR being checked before UDF/ISO 9660 check.
That is why I make the patch #3 in the last of the patch set.

Thanks,
Zhichao

-----Original Message-----
From: Ni, Ray <ray.ni@...>
Sent: Tuesday, August 11, 2020 4:04 PM
To: Gao, Zhichao <zhichao.gao@...>; devel@edk2.groups.io
Cc: Wang, Jian J <jian.j.wang@...>; Wu, Hao A <hao.a.wu@...>;
Gary Lin <glin@...>; Andrew Fish <afish@...>
Subject: RE: [PATCH 1/3] MdeModulePkg/PartitionDxe: Put the UDF check ahead
of MBR

Zhichao,
Can you also add notes in the commit message describing that for some ISOs
(better with more specific ISO info), the MBR information is not correct?

Thanks,
Ray


-----Original Message-----
From: Gao, Zhichao <zhichao.gao@...>
Sent: Tuesday, August 11, 2020 2:43 PM
To: devel@edk2.groups.io
Cc: Wang, Jian J <jian.j.wang@...>; Wu, Hao A
<hao.a.wu@...>; Ni, Ray <ray.ni@...>; Gary Lin
<glin@...>; Andrew Fish <afish@...>
Subject: [PATCH 1/3] MdeModulePkg/PartitionDxe: Put the UDF check
ahead of MBR

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2823

Refer to UEFI spec 2.8, Section 13.3.2, a block device should be
scanned as below order:
1. GPT
2. ISO 9660 (El Torito) (UDF should aslo be here) 3. MBR 4. no
partition found
Note: UDF is using the same boot method as CD, so put it in the same
priority with ISO 9660.

This would also solve the issue that ISO image with MBR would be treat
as MBR device instead of CD/DVD. That would make the behavior of the
image boot different.

Cc: Jian J Wang <jian.j.wang@...>
Cc: Hao A Wu <hao.a.wu@...>
Cc: Ray Ni <ray.ni@...>
Cc: Gary Lin <glin@...>
Cc: Andrew Fish <afish@...>
Signed-off-by: Zhichao Gao <zhichao.gao@...>
---
MdeModulePkg/Universal/Disk/PartitionDxe/Partition.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/MdeModulePkg/Universal/Disk/PartitionDxe/Partition.c
b/MdeModulePkg/Universal/Disk/PartitionDxe/Partition.c
index 6a43c3cafb..473e091320 100644
--- a/MdeModulePkg/Universal/Disk/PartitionDxe/Partition.c
+++ b/MdeModulePkg/Universal/Disk/PartitionDxe/Partition.c
@@ -35,11 +35,19 @@ EFI_DRIVER_BINDING_PROTOCOL
gPartitionDriverBinding = {

//
// Prioritized function list to detect partition table.
+// Refer to UEFI Spec 13.3.2 Partition Discovery, the block device //
+should be scanned in below order:
+// 1. GPT
+// 2. ISO 9660 (El Torito) (or UDF)
+// 3. MBR
+// 4. no partiton found
+// Note: UDF is using a same method as booting from CD-ROM, so put it
along
+// with CD-ROM check.
//
PARTITION_DETECT_ROUTINE mPartitionDetectRoutineTable[] = {
PartitionInstallGptChildHandles,
- PartitionInstallMbrChildHandles,
PartitionInstallUdfChildHandles,
+ PartitionInstallMbrChildHandles,
NULL
};

--
2.21.0.windows.1