Date   

Re: [edk2-devel] CPU hotplug using SMM with QEMU+OVMF

Laszlo Ersek
 

On 08/14/19 16:04, Paolo Bonzini wrote:
On 14/08/19 15:20, Yao, Jiewen wrote:
- Does this part require a new branch somewhere in the OVMF SEC code?
How do we determine whether the CPU executing SEC is BSP or
hot-plugged AP?
[Jiewen] I think this is blocked from hardware perspective, since the first instruction.
There are some hardware specific registers can be used to determine if the CPU is new added.
I don’t think this must be same as the real hardware.
You are free to invent some registers in device model to be used in OVMF hot plug driver.
Yes, this would be a new operation mode for QEMU, that only applies to
hot-plugged CPUs. In this mode the AP doesn't reply to INIT or SMI, in
fact it doesn't reply to anything at all.

- How do we tell the hot-plugged AP where to start execution? (I.e. that
it should execute code at a particular pflash location.)
[Jiewen] Same real mode reset vector at FFFF:FFF0.
You do not need a reset vector or INIT/SIPI/SIPI sequence at all in
QEMU. The AP does not start execution at all when it is unplugged, so
no cache-as-RAM etc.

We only need to modify QEMU so that hot-plugged APIs do not reply to
INIT/SIPI/SMI.

I don’t think there is problem for real hardware, who always has CAR.
Can QEMU provide some CPU specific space, such as MMIO region?
Why is a CPU-specific region needed if every other processor is in SMM
and thus trusted.
I was going through the steps Jiewen and Yingwen recommended.

In step (02), the new CPU is expected to set up RAM access. In step
(03), the new CPU, executing code from flash, is expected to "send board
message to tell host CPU (GPIO->SCI) -- I am waiting for hot-add
message." For that action, the new CPU may need a stack (minimally if we
want to use C function calls).

Until step (03), there had been no word about any other (= pre-plugged)
CPUs (more precisely, Jiewen even confirmed "No impact to other
processors"), so I didn't assume that other CPUs had entered SMM.

Paolo, I've attempted to read Jiewen's response, and yours, as carefully
as I can. I'm still very confused. If you have a better understanding,
could you please write up the 15-step process from the thread starter
again, with all QEMU customizations applied? Such as, unnecessary steps
removed, and platform specifics filled in.

One more comment below:


Does CPU hotplug apply only at the socket level? If the CPU is
multi-core, what is responsible for hot-plugging all cores present in
the socket?
I can answer this: the SMM handler would interact with the hotplug
controller in the same way that ACPI DSDT does normally. This supports
multiple hotplugs already.

Writes to the hotplug controller from outside SMM would be ignored.

(03) New CPU: (Flash) send board message to tell host CPU (GPIO->SCI)
-- I am waiting for hot-add message.
Maybe we can simplify this in QEMU by broadcasting an SMI to existent
processors immediately upon plugging the new CPU.
The QEMU DSDT could be modified (when secure boot is in effect) to OUT
to 0xB2 when hotplug happens. It could write a well-known value to
0xB2, to be read by an SMI handler in edk2.
(My comment below is general, and may not apply to this particular
situation. I'm too confused to figure that out myself, sorry!)

I dislike involving QEMU's generated DSDT in anything SMM (even
injecting the SMI), because the AML interpreter runs in the OS.

If a malicious OS kernel is a bit too enlightened about the DSDT, it
could willfully diverge from the process that we design. If QEMU
broadcast the SMI internally, the guest OS could not interfere with that.

If the purpose of the SMI is specifically to force all CPUs into SMM
(and thereby force them into trusted state), then the OS would be
explicitly counter-interested in carrying out the AML operations from
QEMU's DSDT.

I'd be OK with an SMM / SMI involvement in QEMU's DSDT if, by diverging
from that DSDT, the OS kernel could only mess with its own state, and
not with the firmware's.

Thanks
Laszlo




(NOTE: Host CPU can only
send
instruction in SMM mode. -- The register is SMM only)
Sorry, I don't follow -- what register are we talking about here, and
why is the BSP needed to send anything at all? What "instruction" do you
have in mind?
[Jiewen] The new CPU does not enable SMI at reset.
At some point of time later, the CPU need enable SMI, right?
The "instruction" here means, the host CPUs need tell to CPU to enable SMI.
Right, this would be a write to the CPU hotplug controller

(04) Host CPU: (OS) get message from board that a new CPU is added.
(GPIO -> SCI)

(05) Host CPU: (OS) All CPUs enter SMM (SCI->SWSMI) (NOTE: New CPU
will not enter CPU because SMI is disabled)
I don't understand the OS involvement here. But, again, perhaps QEMU can
force all existent CPUs into SMM immediately upon adding the new CPU.
[Jiewen] OS here means the Host CPU running code in OS environment, not in SMM environment.
See above.

(06) Host CPU: (SMM) Save 38000, Update 38000 -- fill simple SMM
rebase code.

(07) Host CPU: (SMM) Send message to New CPU to Enable SMI.
Aha, so this is the SMM-only register you mention in step (03). Is the
register specified in the Intel SDM?
[Jiewen] Right. That is the register to let host CPU tell new CPU to enable SMI.
It is platform specific register. Not defined in SDM.
You may invent one in device model.
See above.

(10) New CPU: (SMM) Response first SMI at 38000, and rebase SMBASE to
TSEG.
What code does the new CPU execute after it completes step (10)? Does it
halt?
[Jiewen] The new CPU exits SMM and return to original place - where it is
interrupted to enter SMM - running code on the flash.
So in our case we'd need an INIT/SIPI/SIPI sequence between (06) and (07).

(11) Host CPU: (SMM) Restore 38000.
These steps (i.e., (06) through (11)) don't appear RAS-specific. The
only platform-specific feature seems to be SMI masking register, which
could be extracted into a new SmmCpuFeaturesLib API.

Thus, would you please consider open sourcing firmware code for steps
(06) through (11)?

Alternatively -- and in particular because the stack for step (01)
concerns me --, we could approach this from a high-level, functional
perspective. The states that really matter are the relocated SMBASE for
the new CPU, and the state of the full system, right at the end of step
(11).

When the SMM setup quiesces during normal firmware boot, OVMF could
use
existent (finalized) SMBASE infomation to *pre-program* some virtual
QEMU hardware, with such state that would be expected, as "final" state,
of any new hotplugged CPU. Afterwards, if / when the hotplug actually
happens, QEMU could blanket-apply this state to the new CPU, and
broadcast a hardware SMI to all CPUs except the new one.
I'd rather avoid this and stay as close as possible to real hardware.

Paolo



Re: CPU hotplug using SMM with QEMU+OVMF

Yao, Jiewen
 

Hi Paolo
I am not sure what do you mean - "You do not need a reset vector ...".
If so, where is the first instruction of the new CPU in the virtualization environment?
Please help me understand that at first. Then we can continue the discussion.

Thank you
Yao Jiewen

-----Original Message-----
From: Paolo Bonzini [mailto:pbonzini@redhat.com]
Sent: Wednesday, August 14, 2019 10:05 PM
To: Yao, Jiewen <jiewen.yao@intel.com>; Laszlo Ersek
<lersek@redhat.com>; edk2-devel-groups-io <devel@edk2.groups.io>
Cc: edk2-rfc-groups-io <rfc@edk2.groups.io>; qemu devel list
<qemu-devel@nongnu.org>; Igor Mammedov <imammedo@redhat.com>;
Chen, Yingwen <yingwen.chen@intel.com>; Nakajima, Jun
<jun.nakajima@intel.com>; Boris Ostrovsky <boris.ostrovsky@oracle.com>;
Joao Marcal Lemos Martins <joao.m.martins@oracle.com>; Phillip Goerl
<phillip.goerl@oracle.com>
Subject: Re: CPU hotplug using SMM with QEMU+OVMF

On 14/08/19 15:20, Yao, Jiewen wrote:
- Does this part require a new branch somewhere in the OVMF SEC code?
How do we determine whether the CPU executing SEC is BSP or
hot-plugged AP?
[Jiewen] I think this is blocked from hardware perspective, since the first
instruction.
There are some hardware specific registers can be used to determine if the
CPU is new added.
I don’t think this must be same as the real hardware.
You are free to invent some registers in device model to be used in OVMF
hot plug driver.

Yes, this would be a new operation mode for QEMU, that only applies to
hot-plugged CPUs. In this mode the AP doesn't reply to INIT or SMI, in
fact it doesn't reply to anything at all.

- How do we tell the hot-plugged AP where to start execution? (I.e. that
it should execute code at a particular pflash location.)
[Jiewen] Same real mode reset vector at FFFF:FFF0.
You do not need a reset vector or INIT/SIPI/SIPI sequence at all in
QEMU. The AP does not start execution at all when it is unplugged, so
no cache-as-RAM etc.
We only need to modify QEMU so that hot-plugged APIs do not reply to
INIT/SIPI/SMI.

I don’t think there is problem for real hardware, who always has CAR.
Can QEMU provide some CPU specific space, such as MMIO region?
Why is a CPU-specific region needed if every other processor is in SMM
and thus trusted.
Does CPU hotplug apply only at the socket level? If the CPU is
multi-core, what is responsible for hot-plugging all cores present in
the socket?
I can answer this: the SMM handler would interact with the hotplug
controller in the same way that ACPI DSDT does normally. This supports
multiple hotplugs already.

Writes to the hotplug controller from outside SMM would be ignored.

(03) New CPU: (Flash) send board message to tell host CPU (GPIO->SCI)
-- I am waiting for hot-add message.
Maybe we can simplify this in QEMU by broadcasting an SMI to existent
processors immediately upon plugging the new CPU.
The QEMU DSDT could be modified (when secure boot is in effect) to OUT
to 0xB2 when hotplug happens. It could write a well-known value to
0xB2, to be read by an SMI handler in edk2.



(NOTE: Host CPU can
only
send
instruction in SMM mode. -- The register is SMM only)
Sorry, I don't follow -- what register are we talking about here, and
why is the BSP needed to send anything at all? What "instruction" do you
have in mind?
[Jiewen] The new CPU does not enable SMI at reset.
At some point of time later, the CPU need enable SMI, right?
The "instruction" here means, the host CPUs need tell to CPU to enable
SMI.

Right, this would be a write to the CPU hotplug controller

(04) Host CPU: (OS) get message from board that a new CPU is added.
(GPIO -> SCI)

(05) Host CPU: (OS) All CPUs enter SMM (SCI->SWSMI) (NOTE: New CPU
will not enter CPU because SMI is disabled)
I don't understand the OS involvement here. But, again, perhaps QEMU
can
force all existent CPUs into SMM immediately upon adding the new CPU.
[Jiewen] OS here means the Host CPU running code in OS environment, not
in SMM environment.

See above.

(06) Host CPU: (SMM) Save 38000, Update 38000 -- fill simple SMM
rebase code.

(07) Host CPU: (SMM) Send message to New CPU to Enable SMI.
Aha, so this is the SMM-only register you mention in step (03). Is the
register specified in the Intel SDM?
[Jiewen] Right. That is the register to let host CPU tell new CPU to enable
SMI.
It is platform specific register. Not defined in SDM.
You may invent one in device model.
See above.

(10) New CPU: (SMM) Response first SMI at 38000, and rebase SMBASE
to
TSEG.
What code does the new CPU execute after it completes step (10)? Does
it
halt?
[Jiewen] The new CPU exits SMM and return to original place - where it is
interrupted to enter SMM - running code on the flash.
So in our case we'd need an INIT/SIPI/SIPI sequence between (06) and (07).

(11) Host CPU: (SMM) Restore 38000.
These steps (i.e., (06) through (11)) don't appear RAS-specific. The
only platform-specific feature seems to be SMI masking register, which
could be extracted into a new SmmCpuFeaturesLib API.

Thus, would you please consider open sourcing firmware code for steps
(06) through (11)?

Alternatively -- and in particular because the stack for step (01)
concerns me --, we could approach this from a high-level, functional
perspective. The states that really matter are the relocated SMBASE for
the new CPU, and the state of the full system, right at the end of step
(11).

When the SMM setup quiesces during normal firmware boot, OVMF could
use
existent (finalized) SMBASE infomation to *pre-program* some virtual
QEMU hardware, with such state that would be expected, as "final" state,
of any new hotplugged CPU. Afterwards, if / when the hotplug actually
happens, QEMU could blanket-apply this state to the new CPU, and
broadcast a hardware SMI to all CPUs except the new one.
I'd rather avoid this and stay as close as possible to real hardware.

Paolo


Re: [edk2-devel] [RFC] BZ 1837 Enable Windows Firmware Update Driver Tool in Edk2/BaseTools for 201908 stable tag

Eric Jin <eric.jin@...>
 

Hi Leif,

-----Original Message-----
From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of
Leif Lindholm
Sent: Wednesday, August 14, 2019 2:47 AM
To: Gao, Liming <liming.gao@intel.com>
Cc: Jin, Eric <eric.jin@intel.com>; rfc@edk2.groups.io; devel@edk2.groups.io;
Feng, Bob C <bob.c.feng@intel.com>; Cetola, Stephano
<stephano.cetola@intel.com>; Laszlo Ersek (lersek@redhat.com)
<lersek@redhat.com>; afish@apple.com; Kinney, Michael D
<michael.d.kinney@intel.com>
Subject: Re: [edk2-devel] [RFC] BZ 1837 Enable Windows Firmware Update
Driver Tool in Edk2/BaseTools for 201908 stable tag

Hi Liming,

This is the other one. As I said, the fact that we are slipping multiple scripts in
*just* before freeze is a concern for me.
I realize it is my fault that I don't notify the release plan as early as possible even the BZ1837 is created in May and want to catch 201908 stable tag.


I have no objection to the code here though.
Thanks.


I would however request that Sean is set as author on patch 1/2 as he was
the original author of the script. (This was easy for me to find out because
the commit message was exemplary.)
In the patch series V2, Sean has been set as author on patch 1/2. Thank you for this valuable suggestion.

Best Regards
Eric


Best Regards,

Leif

On Tue, Aug 13, 2019 at 01:49:24PM +0000, Gao, Liming wrote:
I see this patch was sent a week ago. This is a standalone tool. There is no
impact on normal build and boot. I am OK to add it for 201908 stable tag.

Thanks
Liming
From: Jin, Eric
Sent: Monday, August 12, 2019 3:09 PM
To: rfc@edk2.groups.io
Cc: Gao, Liming <liming.gao@intel.com>; Jin, Eric
<eric.jin@intel.com>; devel@edk2.groups.io; Feng, Bob C
<bob.c.feng@intel.com>
Subject: [RFC] BZ 1837 Enable Windows Firmware Update Driver Tool in
Edk2/BaseTools for 201908 stable tag

Hi All,

It is the request to Enable Windows Firmware Update Driver Tool in
Edk2/BaseTools and catch the Q3 tag.
The new tool will leverage the edk2-pytool-library to generate the cat/inf
file based on the cap file. The output driver package can be trigged in
Windows OS to complete capsule update.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1837

Patch link: https://edk2.groups.io/g/devel/topic/32780378#44992

Best Regards
Eric


Re: CPU hotplug using SMM with QEMU+OVMF

Paolo Bonzini <pbonzini@...>
 

On 14/08/19 15:20, Yao, Jiewen wrote:
- Does this part require a new branch somewhere in the OVMF SEC code?
How do we determine whether the CPU executing SEC is BSP or
hot-plugged AP?
[Jiewen] I think this is blocked from hardware perspective, since the first instruction.
There are some hardware specific registers can be used to determine if the CPU is new added.
I don’t think this must be same as the real hardware.
You are free to invent some registers in device model to be used in OVMF hot plug driver.
Yes, this would be a new operation mode for QEMU, that only applies to
hot-plugged CPUs. In this mode the AP doesn't reply to INIT or SMI, in
fact it doesn't reply to anything at all.

- How do we tell the hot-plugged AP where to start execution? (I.e. that
it should execute code at a particular pflash location.)
[Jiewen] Same real mode reset vector at FFFF:FFF0.
You do not need a reset vector or INIT/SIPI/SIPI sequence at all in
QEMU. The AP does not start execution at all when it is unplugged, so
no cache-as-RAM etc.

We only need to modify QEMU so that hot-plugged APIs do not reply to
INIT/SIPI/SMI.

I don’t think there is problem for real hardware, who always has CAR.
Can QEMU provide some CPU specific space, such as MMIO region?
Why is a CPU-specific region needed if every other processor is in SMM
and thus trusted.

Does CPU hotplug apply only at the socket level? If the CPU is
multi-core, what is responsible for hot-plugging all cores present in
the socket?
I can answer this: the SMM handler would interact with the hotplug
controller in the same way that ACPI DSDT does normally. This supports
multiple hotplugs already.

Writes to the hotplug controller from outside SMM would be ignored.

(03) New CPU: (Flash) send board message to tell host CPU (GPIO->SCI)
-- I am waiting for hot-add message.
Maybe we can simplify this in QEMU by broadcasting an SMI to existent
processors immediately upon plugging the new CPU.
The QEMU DSDT could be modified (when secure boot is in effect) to OUT
to 0xB2 when hotplug happens. It could write a well-known value to
0xB2, to be read by an SMI handler in edk2.



(NOTE: Host CPU can only
send
instruction in SMM mode. -- The register is SMM only)
Sorry, I don't follow -- what register are we talking about here, and
why is the BSP needed to send anything at all? What "instruction" do you
have in mind?
[Jiewen] The new CPU does not enable SMI at reset.
At some point of time later, the CPU need enable SMI, right?
The "instruction" here means, the host CPUs need tell to CPU to enable SMI.
Right, this would be a write to the CPU hotplug controller

(04) Host CPU: (OS) get message from board that a new CPU is added.
(GPIO -> SCI)

(05) Host CPU: (OS) All CPUs enter SMM (SCI->SWSMI) (NOTE: New CPU
will not enter CPU because SMI is disabled)
I don't understand the OS involvement here. But, again, perhaps QEMU can
force all existent CPUs into SMM immediately upon adding the new CPU.
[Jiewen] OS here means the Host CPU running code in OS environment, not in SMM environment.
See above.

(06) Host CPU: (SMM) Save 38000, Update 38000 -- fill simple SMM
rebase code.

(07) Host CPU: (SMM) Send message to New CPU to Enable SMI.
Aha, so this is the SMM-only register you mention in step (03). Is the
register specified in the Intel SDM?
[Jiewen] Right. That is the register to let host CPU tell new CPU to enable SMI.
It is platform specific register. Not defined in SDM.
You may invent one in device model.
See above.

(10) New CPU: (SMM) Response first SMI at 38000, and rebase SMBASE to
TSEG.
What code does the new CPU execute after it completes step (10)? Does it
halt?
[Jiewen] The new CPU exits SMM and return to original place - where it is
interrupted to enter SMM - running code on the flash.
So in our case we'd need an INIT/SIPI/SIPI sequence between (06) and (07).

(11) Host CPU: (SMM) Restore 38000.
These steps (i.e., (06) through (11)) don't appear RAS-specific. The
only platform-specific feature seems to be SMI masking register, which
could be extracted into a new SmmCpuFeaturesLib API.

Thus, would you please consider open sourcing firmware code for steps
(06) through (11)?

Alternatively -- and in particular because the stack for step (01)
concerns me --, we could approach this from a high-level, functional
perspective. The states that really matter are the relocated SMBASE for
the new CPU, and the state of the full system, right at the end of step
(11).

When the SMM setup quiesces during normal firmware boot, OVMF could
use
existent (finalized) SMBASE infomation to *pre-program* some virtual
QEMU hardware, with such state that would be expected, as "final" state,
of any new hotplugged CPU. Afterwards, if / when the hotplug actually
happens, QEMU could blanket-apply this state to the new CPU, and
broadcast a hardware SMI to all CPUs except the new one.
I'd rather avoid this and stay as close as possible to real hardware.

Paolo


Re: CPU hotplug using SMM with QEMU+OVMF

Yao, Jiewen
 

My comments below.

-----Original Message-----
From: Laszlo Ersek [mailto:lersek@redhat.com]
Sent: Wednesday, August 14, 2019 12:09 AM
To: edk2-devel-groups-io <devel@edk2.groups.io>
Cc: edk2-rfc-groups-io <rfc@edk2.groups.io>; qemu devel list
<qemu-devel@nongnu.org>; Igor Mammedov <imammedo@redhat.com>;
Paolo Bonzini <pbonzini@redhat.com>; Yao, Jiewen
<jiewen.yao@intel.com>; Chen, Yingwen <yingwen.chen@intel.com>;
Nakajima, Jun <jun.nakajima@intel.com>; Boris Ostrovsky
<boris.ostrovsky@oracle.com>; Joao Marcal Lemos Martins
<joao.m.martins@oracle.com>; Phillip Goerl <phillip.goerl@oracle.com>
Subject: Re: CPU hotplug using SMM with QEMU+OVMF

On 08/13/19 16:16, Laszlo Ersek wrote:

Yingwen and Jiewen suggested the following process.

Legend:

- "New CPU": CPU being hot-added
- "Host CPU": existing CPU
- (Flash): code running from flash
- (SMM): code running from SMRAM

Steps:

(01) New CPU: (Flash) enter reset vector, Global SMI disabled by
default.
- What does "Global SMI disabled by default" mean? In particular, what
is "global" here?
[Jiewen] OK. Let's don’t use the term "global".


Do you mean that the CPU being hot-plugged should mask (by default)
broadcast SMIs? What about directed SMIs? (An attacker could try that
too.)
[Jiewen] I mean all SMIs are blocked for this specific hot-added CPU.


And what about other processors? (I'd assume step (01)) is not
relevant for other processors, but "global" is quite confusing here.)
[Jiewen] No impact to other processors.


- Does this part require a new branch somewhere in the OVMF SEC code?
How do we determine whether the CPU executing SEC is BSP or
hot-plugged AP?
[Jiewen] I think this is blocked from hardware perspective, since the first instruction.
There are some hardware specific registers can be used to determine if the CPU is new added.
I don’t think this must be same as the real hardware.
You are free to invent some registers in device model to be used in OVMF hot plug driver.


- How do we tell the hot-plugged AP where to start execution? (I.e. that
it should execute code at a particular pflash location.)
[Jiewen] Same real mode reset vector at FFFF:FFF0.


For example, in MpInitLib, we start a specific AP with INIT-SIPI-SIPI,
where "SIPI" stores the startup address in the "Interrupt Command
Register" (which is memory-mapped in xAPIC mode, and an MSR in x2APIC
mode, apparently). That doesn't apply here -- should QEMU auto-start
the new CPU?
[Jiewen] You can send INIT-SIPI-SIPI to new CPU only after it can access memory.
SIPI need give AP an below 1M memory address as waking vector.


- What memory is used as stack by the new CPU, when it runs code from
flash?
[Jiewen] Same as other CPU in normal boot. You can use special reserved memory.


QEMU does not emulate CAR (Cache As RAM). The new CPU doesn't have
access to SMRAM. And we cannot use AcpiNVS or Reserved memory,
because
a malicious OS could use other CPUs -- or PCI device DMA -- to attack
the stack (unless QEMU forcibly paused other CPUs upon hotplug; I'm
not sure).
[Jiewen] Excellent point!
I don’t think there is problem for real hardware, who always has CAR.
Can QEMU provide some CPU specific space, such as MMIO region?


- If an attempt is made to hotplug multiple CPUs in quick succession,
does something serialize those attempts?
[Jiewen] The BIOS need consider this as availability requirement.
I don’t have strong opinion.
You can design a system that required hotplug must be one-by-one, or fail the hot-add.
Or you can design a system that did not have such restriction.
Again, all we need to do is to maintain the integrity of SMM.
The availability should be considered as separate requirement.


Again, stack usage could be a concern, even with Cache-As-RAM --
HyperThreads (logical processors) on a single core don't have
dedicated cache.
[Jiewen] Agree with you on the virtual environment.
For real hardware, we do socket level hot-add only. So HT is not the concern.
But if you want to do that in virtual environment, a processor specific memory
should be considered.


Does CPU hotplug apply only at the socket level? If the CPU is
multi-core, what is responsible for hot-plugging all cores present in
the socket?
[Jiewen] Ditto.


(02) New CPU: (Flash) configure memory control to let it access global
host memory.
In QEMU/KVM guests, we don't have to enable memory explicitly, it just
exists and works.

In OVMF X64 SEC, we can't access RAM above 4GB, but that shouldn't be an
issue per se.
[Jiewen] Agree. I do not see the issue.


(03) New CPU: (Flash) send board message to tell host CPU (GPIO->SCI)
-- I am waiting for hot-add message.
Maybe we can simplify this in QEMU by broadcasting an SMI to existent
processors immediately upon plugging the new CPU.


(NOTE: Host CPU can only
send
instruction in SMM mode. -- The register is SMM only)
Sorry, I don't follow -- what register are we talking about here, and
why is the BSP needed to send anything at all? What "instruction" do you
have in mind?
[Jiewen] The new CPU does not enable SMI at reset.
At some point of time later, the CPU need enable SMI, right?
The "instruction" here means, the host CPUs need tell to CPU to enable SMI.


(04) Host CPU: (OS) get message from board that a new CPU is added.
(GPIO -> SCI)

(05) Host CPU: (OS) All CPUs enter SMM (SCI->SWSMI) (NOTE: New CPU
will not enter CPU because SMI is disabled)
I don't understand the OS involvement here. But, again, perhaps QEMU can
force all existent CPUs into SMM immediately upon adding the new CPU.
[Jiewen] OS here means the Host CPU running code in OS environment, not in SMM environment.


(06) Host CPU: (SMM) Save 38000, Update 38000 -- fill simple SMM
rebase code.

(07) Host CPU: (SMM) Send message to New CPU to Enable SMI.
Aha, so this is the SMM-only register you mention in step (03). Is the
register specified in the Intel SDM?
[Jiewen] Right. That is the register to let host CPU tell new CPU to enable SMI.
It is platform specific register. Not defined in SDM.
You may invent one in device model.


(08) New CPU: (Flash) Get message - Enable SMI.

(09) Host CPU: (SMM) Send SMI to the new CPU only.

(10) New CPU: (SMM) Response first SMI at 38000, and rebase SMBASE to
TSEG.
What code does the new CPU execute after it completes step (10)? Does it
halt?
[Jiewen] The new CPU exits SMM and return to original place - where it is
interrupted to enter SMM - running code on the flash.


(11) Host CPU: (SMM) Restore 38000.
These steps (i.e., (06) through (11)) don't appear RAS-specific. The
only platform-specific feature seems to be SMI masking register, which
could be extracted into a new SmmCpuFeaturesLib API.

Thus, would you please consider open sourcing firmware code for steps
(06) through (11)?

Alternatively -- and in particular because the stack for step (01)
concerns me --, we could approach this from a high-level, functional
perspective. The states that really matter are the relocated SMBASE for
the new CPU, and the state of the full system, right at the end of step
(11).

When the SMM setup quiesces during normal firmware boot, OVMF could
use
existent (finalized) SMBASE infomation to *pre-program* some virtual
QEMU hardware, with such state that would be expected, as "final" state,
of any new hotplugged CPU. Afterwards, if / when the hotplug actually
happens, QEMU could blanket-apply this state to the new CPU, and
broadcast a hardware SMI to all CPUs except the new one.

The hardware SMI should tell the firmware that the rest of the process
-- step (12) below, and onward -- is being requested.

If I understand right, this approach would produce an firmware & system
state that's identical to what's expected right after step (11):

- all SMBASEs relocated
- all preexistent CPUs in SMM
- new CPU halted / blocked from launch
- DRAM at 0x30000 / 0x38000 contains OS-owned data

Is my understanding correct that this is the expected state after step
(11)?
[Jiewen] I think you are correct.


Three more comments on the "SMBASE pre-config" approach:

- the virtual hardware providing this feature should become locked after
the configuration, until next platform reset

- the pre-config should occur via simple hardware accesses, so that it
can be replayed at S3 resume, i.e. as part of the S3 boot script

- from the pre-configured state, and the APIC ID, QEMU itself could
perhaps calculate the SMI stack location for the new processor.


(12) Host CPU: (SMM) Update located data structure to add the new CPU
information. (This step will involve CPU_SERVICE protocol)
I commented on EFI_SMM_CPU_SERVICE_PROTOCOL in upon bullet (4) of
<https://bugzilla.tianocore.org/show_bug.cgi?id=1512#c4>.

Calling EFI_SMM_ADD_PROCESSOR looks justified.
[Jiewen] I think you are correct.
Also REMOVE_PROCESSOR will be used for hot-remove action.


What are some of the other member functions used for? The scary one is
EFI_SMM_REGISTER_EXCEPTION_HANDLER.
[Jiewen] This is to register a new exception handler in SMM.
I don’t think this API is involved in hot-add.


===================== (now, the next SMI will bring all CPU into TSEG)
OK... but what component injects that SMI, and when?
[Jiewen] Any SMI event. It could be synchronized SMI or asynchronized SMI.
It could from software such as IO write, or hardware such as thermal event.


(13) New CPU: (Flash) run MRC code, to init its own memory.
Why is this needed esp. after step (10)? The new CPU has accessed DRAM
already. And why are we executing code from pflash, rather than from
SMRAM, given that we're past SMBASE relocation?
[Jiewen] On real hardware, it is needed because different CPU may have different capability to access different DIMM.
I do not think your virtual platform need it.


(14) New CPU: (Flash) Deadloop, and wait for INIT-SIPI-SIPI.

(15) Host CPU: (OS) Send INIT-SIPI-SIPI to pull new CPU in.
I'm confused by these steps. I thought that step (12) would complete the
hotplug, by updating the administrative data structures internally. And
the next SMI -- raised for the usual purposes, such as a software SMI
for variable access -- would be handled like it always is, except it
would also pull the new CPU into SMM too.
[Jiewen] The OS need use the new CPU at some point of time, right?
As such, the OS need pull the new CPU into its own environment by INIT-SIPI-SIPI.


Thanks!
Laszlo


Re: [edk2-devel] [RFC] BZ 1837 Enable Windows Firmware Update Driver Tool in Edk2/BaseTools for 201908 stable tag

Eric Jin <eric.jin@...>
 

Hi Leif,

Thank for the valuable suggestion.
In the patch series V2, Sean has been set as author on patch 1/2. Thank you.

Best Regards
Eric

-----Original Message-----
From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of Leif Lindholm
Sent: Wednesday, August 14, 2019 2:47 AM
To: Gao, Liming <liming.gao@intel.com>
Cc: Jin, Eric <eric.jin@intel.com>; rfc@edk2.groups.io; devel@edk2.groups.io; Feng, Bob C <bob.c.feng@intel.com>; Cetola, Stephano <stephano.cetola@intel.com>; Laszlo Ersek (lersek@redhat.com) <lersek@redhat.com>; afish@apple.com; Kinney, Michael D <michael.d.kinney@intel.com>
Subject: Re: [edk2-devel] [RFC] BZ 1837 Enable Windows Firmware Update Driver Tool in Edk2/BaseTools for 201908 stable tag

Hi Liming,

This is the other one. As I said, the fact that we are slipping multiple scripts in *just* before freeze is a concern for me.

I have no objection to the code here though.

I would however request that Sean is set as author on patch 1/2 as he was the original author of the script. (This was easy for me to find out because the commit message was exemplary.)

Best Regards,

Leif

On Tue, Aug 13, 2019 at 01:49:24PM +0000, Gao, Liming wrote:
I see this patch was sent a week ago. This is a standalone tool. There is no impact on normal build and boot. I am OK to add it for 201908 stable tag.

Thanks
Liming
From: Jin, Eric
Sent: Monday, August 12, 2019 3:09 PM
To: rfc@edk2.groups.io
Cc: Gao, Liming <liming.gao@intel.com>; Jin, Eric
<eric.jin@intel.com>; devel@edk2.groups.io; Feng, Bob C
<bob.c.feng@intel.com>
Subject: [RFC] BZ 1837 Enable Windows Firmware Update Driver Tool in
Edk2/BaseTools for 201908 stable tag

Hi All,

It is the request to Enable Windows Firmware Update Driver Tool in Edk2/BaseTools and catch the Q3 tag.
The new tool will leverage the edk2-pytool-library to generate the cat/inf file based on the cap file. The output driver package can be trigged in Windows OS to complete capsule update.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1837

Patch link: https://edk2.groups.io/g/devel/topic/32780378#44992

Best Regards
Eric


Re: [edk2-devel] [RFC] BZ 2067 BaseTools/Scripts: Add GetUtcDateTime.py for edk2-stable201908 stable tag.

Chiu, Chasel <chasel.chiu@...>
 

Hi Leif,

Thanks for the valuable feedbacks and suggestions.
I will re-write script and re-send code review.

Regards,
Chasel

-----Original Message-----
From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of Leif
Lindholm
Sent: Wednesday, August 14, 2019 2:30 AM
To: Gao, Liming <liming.gao@intel.com>
Cc: Chiu, Chasel <chasel.chiu@intel.com>; rfc@edk2.groups.io; Feng, Bob C
<bob.c.feng@intel.com>; devel@edk2.groups.io; Cetola, Stephano
<stephano.cetola@intel.com>; Laszlo Ersek (lersek@redhat.com)
<lersek@redhat.com>; afish@apple.com; Kinney, Michael D
<michael.d.kinney@intel.com>
Subject: Re: [edk2-devel] [RFC] BZ 2067 BaseTools/Scripts: Add
GetUtcDateTime.py for edk2-stable201908 stable tag.

I am not fundamentally opposed to merging a simple script that does not affect
other code in the tree.

*But* the fact that we have multiple occurrences of this this time around *is*
a bit of a concern for me. Yes, they won't affect the workings of anything else
as part of the release. But they will not have had any chance to be actually used
by others.

For this particular script, I am also not very keen on the implementation. It
manually parses the command line and prints usage instead of using argparse.
And it contains the sys.exit(Main()) antipattern, which does not play well with
Python3 asynchronous i/o (and hence is a bad habit to get into).

Since this script is truly trivial, I am OK for it to be included *if* it is rewritten
using argparse and not calling sys.exit.

Best Regards,

Leif

On Tue, Aug 13, 2019 at 01:42:23PM +0000, Gao, Liming wrote:
This is a small helper script. I am OK to add it for edk2-stable201908 stable
tag.

Thanks
Liming
From: Chiu, Chasel
Sent: Monday, August 12, 2019 3:45 PM
To: rfc@edk2.groups.io
Cc: Gao, Liming <liming.gao@intel.com>; Feng, Bob C
<bob.c.feng@intel.com>; devel@edk2.groups.io
Subject: [RFC] BZ 2067 BaseTools/Scripts: Add GetUtcDateTime.py for
edk2-stable201908 stable tag.


Hello,

I would like to add below simple script to 201908 stable tag, review was sent
on August 8th:

A script that can return UTC date and time in ascii format which is convenient
for patching build time information in any binary.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2067
Patch: https://edk2.groups.io/g/devel/topic/32797962#45177

Thanks!
Chasel


Re: [RFC] BZ 1837 Enable Windows Firmware Update Driver Tool in Edk2/BaseTools for 201908 stable tag

Leif Lindholm
 

Hi Liming,

This is the other one. As I said, the fact that we are slipping
multiple scripts in *just* before freeze is a concern for me.

I have no objection to the code here though.

I would however request that Sean is set as author on patch 1/2 as he
was the original author of the script. (This was easy for me to find
out because the commit message was exemplary.)

Best Regards,

Leif

On Tue, Aug 13, 2019 at 01:49:24PM +0000, Gao, Liming wrote:
I see this patch was sent a week ago. This is a standalone tool. There is no impact on normal build and boot. I am OK to add it for 201908 stable tag.

Thanks
Liming
From: Jin, Eric
Sent: Monday, August 12, 2019 3:09 PM
To: rfc@edk2.groups.io
Cc: Gao, Liming <liming.gao@intel.com>; Jin, Eric <eric.jin@intel.com>; devel@edk2.groups.io; Feng, Bob C <bob.c.feng@intel.com>
Subject: [RFC] BZ 1837 Enable Windows Firmware Update Driver Tool in Edk2/BaseTools for 201908 stable tag

Hi All,

It is the request to Enable Windows Firmware Update Driver Tool in Edk2/BaseTools and catch the Q3 tag.
The new tool will leverage the edk2-pytool-library to generate the cat/inf file based on the cap file. The output driver package can be trigged in Windows OS to complete capsule update.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1837

Patch link: https://edk2.groups.io/g/devel/topic/32780378#44992

Best Regards
Eric


Re: [RFC] BZ 2067 BaseTools/Scripts: Add GetUtcDateTime.py for edk2-stable201908 stable tag.

Leif Lindholm
 

I am not fundamentally opposed to merging a simple script that does
not affect other code in the tree.

*But* the fact that we have multiple occurrences of this this time
around *is* a bit of a concern for me. Yes, they won't affect the
workings of anything else as part of the release. But they will not
have had any chance to be actually used by others.

For this particular script, I am also not very keen on the
implementation. It manually parses the command line and prints usage
instead of using argparse.
And it contains the sys.exit(Main()) antipattern, which does not play
well with Python3 asynchronous i/o (and hence is a bad habit to get
into).

Since this script is truly trivial, I am OK for it to be included *if*
it is rewritten using argparse and not calling sys.exit.

Best Regards,

Leif

On Tue, Aug 13, 2019 at 01:42:23PM +0000, Gao, Liming wrote:
This is a small helper script. I am OK to add it for edk2-stable201908 stable tag.

Thanks
Liming
From: Chiu, Chasel
Sent: Monday, August 12, 2019 3:45 PM
To: rfc@edk2.groups.io
Cc: Gao, Liming <liming.gao@intel.com>; Feng, Bob C <bob.c.feng@intel.com>; devel@edk2.groups.io
Subject: [RFC] BZ 2067 BaseTools/Scripts: Add GetUtcDateTime.py for edk2-stable201908 stable tag.


Hello,

I would like to add below simple script to 201908 stable tag, review was sent on August 8th:

A script that can return UTC date and time in ascii format which is convenient for patching build time information in any binary.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2067
Patch: https://edk2.groups.io/g/devel/topic/32797962#45177

Thanks!
Chasel


Re: CPU hotplug using SMM with QEMU+OVMF

Laszlo Ersek
 

On 08/13/19 18:09, Laszlo Ersek wrote:
On 08/13/19 16:16, Laszlo Ersek wrote:
(06) Host CPU: (SMM) Save 38000, Update 38000 -- fill simple SMM
rebase code.

(07) Host CPU: (SMM) Send message to New CPU to Enable SMI.
Aha, so this is the SMM-only register you mention in step (03). Is the
register specified in the Intel SDM?


(08) New CPU: (Flash) Get message - Enable SMI.

(09) Host CPU: (SMM) Send SMI to the new CPU only.

(10) New CPU: (SMM) Response first SMI at 38000, and rebase SMBASE to
TSEG.
What code does the new CPU execute after it completes step (10)? Does it
halt?


(11) Host CPU: (SMM) Restore 38000.
These steps (i.e., (06) through (11)) don't appear RAS-specific. The
only platform-specific feature seems to be SMI masking register, which
could be extracted into a new SmmCpuFeaturesLib API.

Thus, would you please consider open sourcing firmware code for steps
(06) through (11)?


Alternatively -- and in particular because the stack for step (01)
concerns me --, we could approach this from a high-level, functional
perspective. The states that really matter are the relocated SMBASE for
the new CPU, and the state of the full system, right at the end of step
(11).

When the SMM setup quiesces during normal firmware boot, OVMF could use
existent (finalized) SMBASE infomation to *pre-program* some virtual
QEMU hardware, with such state that would be expected, as "final" state,
of any new hotplugged CPU. Afterwards, if / when the hotplug actually
happens, QEMU could blanket-apply this state to the new CPU, and
broadcast a hardware SMI to all CPUs except the new one.

The hardware SMI should tell the firmware that the rest of the process
-- step (12) below, and onward -- is being requested.

If I understand right, this approach would produce an firmware & system
state that's identical to what's expected right after step (11):

- all SMBASEs relocated
- all preexistent CPUs in SMM
- new CPU halted / blocked from launch
- DRAM at 0x30000 / 0x38000 contains OS-owned data

Is my understanding correct that this is the expected state after step
(11)?
Revisiting some of my notes from earlier, such as
<https://bugzilla.redhat.com/show_bug.cgi?id=1454803#c46> -- apologies,
private BZ... --, we discussed some of this stuff with Mike on the phone
in April.

And, it looked like generating a hardware SMI in QEMU, in association
with the hotplug action that was being requested through the QEMU
monitor, would be the right approach.

By now I have forgotten about that discussion -- hence "revisiting my
notes"--, but luckily, it seems consistent with what I've proposed
above, under "alternatively".

Thanks,
Laszlo


Re: CPU hotplug using SMM with QEMU+OVMF

Laszlo Ersek
 

On 08/13/19 16:16, Laszlo Ersek wrote:

Yingwen and Jiewen suggested the following process.

Legend:

- "New CPU": CPU being hot-added
- "Host CPU": existing CPU
- (Flash): code running from flash
- (SMM): code running from SMRAM

Steps:

(01) New CPU: (Flash) enter reset vector, Global SMI disabled by
default.
- What does "Global SMI disabled by default" mean? In particular, what
is "global" here?

Do you mean that the CPU being hot-plugged should mask (by default)
broadcast SMIs? What about directed SMIs? (An attacker could try that
too.)

And what about other processors? (I'd assume step (01)) is not
relevant for other processors, but "global" is quite confusing here.)

- Does this part require a new branch somewhere in the OVMF SEC code?
How do we determine whether the CPU executing SEC is BSP or
hot-plugged AP?

- How do we tell the hot-plugged AP where to start execution? (I.e. that
it should execute code at a particular pflash location.)

For example, in MpInitLib, we start a specific AP with INIT-SIPI-SIPI,
where "SIPI" stores the startup address in the "Interrupt Command
Register" (which is memory-mapped in xAPIC mode, and an MSR in x2APIC
mode, apparently). That doesn't apply here -- should QEMU auto-start
the new CPU?

- What memory is used as stack by the new CPU, when it runs code from
flash?

QEMU does not emulate CAR (Cache As RAM). The new CPU doesn't have
access to SMRAM. And we cannot use AcpiNVS or Reserved memory, because
a malicious OS could use other CPUs -- or PCI device DMA -- to attack
the stack (unless QEMU forcibly paused other CPUs upon hotplug; I'm
not sure).

- If an attempt is made to hotplug multiple CPUs in quick succession,
does something serialize those attempts?

Again, stack usage could be a concern, even with Cache-As-RAM --
HyperThreads (logical processors) on a single core don't have
dedicated cache.

Does CPU hotplug apply only at the socket level? If the CPU is
multi-core, what is responsible for hot-plugging all cores present in
the socket?


(02) New CPU: (Flash) configure memory control to let it access global
host memory.
In QEMU/KVM guests, we don't have to enable memory explicitly, it just
exists and works.

In OVMF X64 SEC, we can't access RAM above 4GB, but that shouldn't be an
issue per se.


(03) New CPU: (Flash) send board message to tell host CPU (GPIO->SCI)
-- I am waiting for hot-add message.
Maybe we can simplify this in QEMU by broadcasting an SMI to existent
processors immediately upon plugging the new CPU.


(NOTE: Host CPU can only send
instruction in SMM mode. -- The register is SMM only)
Sorry, I don't follow -- what register are we talking about here, and
why is the BSP needed to send anything at all? What "instruction" do you
have in mind?


(04) Host CPU: (OS) get message from board that a new CPU is added.
(GPIO -> SCI)

(05) Host CPU: (OS) All CPUs enter SMM (SCI->SWSMI) (NOTE: New CPU
will not enter CPU because SMI is disabled)
I don't understand the OS involvement here. But, again, perhaps QEMU can
force all existent CPUs into SMM immediately upon adding the new CPU.


(06) Host CPU: (SMM) Save 38000, Update 38000 -- fill simple SMM
rebase code.

(07) Host CPU: (SMM) Send message to New CPU to Enable SMI.
Aha, so this is the SMM-only register you mention in step (03). Is the
register specified in the Intel SDM?


(08) New CPU: (Flash) Get message - Enable SMI.

(09) Host CPU: (SMM) Send SMI to the new CPU only.

(10) New CPU: (SMM) Response first SMI at 38000, and rebase SMBASE to
TSEG.
What code does the new CPU execute after it completes step (10)? Does it
halt?


(11) Host CPU: (SMM) Restore 38000.
These steps (i.e., (06) through (11)) don't appear RAS-specific. The
only platform-specific feature seems to be SMI masking register, which
could be extracted into a new SmmCpuFeaturesLib API.

Thus, would you please consider open sourcing firmware code for steps
(06) through (11)?


Alternatively -- and in particular because the stack for step (01)
concerns me --, we could approach this from a high-level, functional
perspective. The states that really matter are the relocated SMBASE for
the new CPU, and the state of the full system, right at the end of step
(11).

When the SMM setup quiesces during normal firmware boot, OVMF could use
existent (finalized) SMBASE infomation to *pre-program* some virtual
QEMU hardware, with such state that would be expected, as "final" state,
of any new hotplugged CPU. Afterwards, if / when the hotplug actually
happens, QEMU could blanket-apply this state to the new CPU, and
broadcast a hardware SMI to all CPUs except the new one.

The hardware SMI should tell the firmware that the rest of the process
-- step (12) below, and onward -- is being requested.

If I understand right, this approach would produce an firmware & system
state that's identical to what's expected right after step (11):

- all SMBASEs relocated
- all preexistent CPUs in SMM
- new CPU halted / blocked from launch
- DRAM at 0x30000 / 0x38000 contains OS-owned data

Is my understanding correct that this is the expected state after step
(11)?

Three more comments on the "SMBASE pre-config" approach:

- the virtual hardware providing this feature should become locked after
the configuration, until next platform reset

- the pre-config should occur via simple hardware accesses, so that it
can be replayed at S3 resume, i.e. as part of the S3 boot script

- from the pre-configured state, and the APIC ID, QEMU itself could
perhaps calculate the SMI stack location for the new processor.


(12) Host CPU: (SMM) Update located data structure to add the new CPU
information. (This step will involve CPU_SERVICE protocol)
I commented on EFI_SMM_CPU_SERVICE_PROTOCOL in upon bullet (4) of
<https://bugzilla.tianocore.org/show_bug.cgi?id=1512#c4>.

Calling EFI_SMM_ADD_PROCESSOR looks justified.

What are some of the other member functions used for? The scary one is
EFI_SMM_REGISTER_EXCEPTION_HANDLER.


===================== (now, the next SMI will bring all CPU into TSEG)
OK... but what component injects that SMI, and when?


(13) New CPU: (Flash) run MRC code, to init its own memory.
Why is this needed esp. after step (10)? The new CPU has accessed DRAM
already. And why are we executing code from pflash, rather than from
SMRAM, given that we're past SMBASE relocation?


(14) New CPU: (Flash) Deadloop, and wait for INIT-SIPI-SIPI.

(15) Host CPU: (OS) Send INIT-SIPI-SIPI to pull new CPU in.
I'm confused by these steps. I thought that step (12) would complete the
hotplug, by updating the administrative data structures internally. And
the next SMI -- raised for the usual purposes, such as a software SMI
for variable access -- would be handled like it always is, except it
would also pull the new CPU into SMM too.

Thanks!
Laszlo


CPU hotplug using SMM with QEMU+OVMF

Laszlo Ersek
 

Hi,

this message is a problem statement, and an initial recommendation for
solving it, from Jiewen, Paolo, Yingwen, and others. I'm cross-posting
the thread starter to the <devel@edk2.groups.io>, <rfc@edk2.groups.io>
and <qemu-devel@nongnu.org> lists. Please use "Reply All" when
commenting.

In response to the initial posting, I plan to ask a number of questions.

The related TianoCore bugzillas are:

https://bugzilla.tianocore.org/show_bug.cgi?id=1512
https://bugzilla.tianocore.org/show_bug.cgi?id=1515

SMM is used as a security barrier between the OS kernel and the
firmware. When a CPU is plugged into a running system where this barrier
exists fine otherwise, the new CPU can be considered a means to attack
SMM. When the next SMI is raised (globally, or targeted at the new CPU),
the SMBASE for that CPU is still at 0x30000, which is normal RAM, not
SMRAM. Therefore the OS could place attack code in that area prior to
the SMI. Once in SMM, the new CPU would execute OS-owned code (from
normal RAM) with access to SMRAM and to other SMM-protected stuff, such
as flash. [I stole a few words from Paolo here.]

Jiewen summarized the problem as follows:

- Asset: SMM

- Adversary:

- System Software Attacker, who can control any OS memory or silicon
register from OS level, or read write BIOS data.

- Simple hardware attacker, who can hot add or hot remove a CPU.

- Non-adversary: The attacker cannot modify the flash BIOS code or
read only BIOS data. The flash part itself is treated as TCB and
protected.

- Threat: The attacker may hot add or hot remove a CPU, then modify
system memory to tamper the SMRAM content, or trigger SMI to get the
privilege escalation by executing code in SMM mode.

We'd like to solve this problem for QEMU/KVM and OVMF.

(At the moment, CPU hotplug doesn't work with OVMF *iff* OVMF was built
with -D SMM_REQUIRE. SMBASE relocation never happens for the new CPU,
the SMM infrastructure in edk2 doesn't know about the new CPU, and so
when the first SMI is broadcast afterwards, we crash. We'd like this
functionality to *work*, in the first place -- but securely at that, so
that an actively malicious guest kernel can't break into SMM.)

Yingwen and Jiewen suggested the following process.

Legend:

- "New CPU": CPU being hot-added
- "Host CPU": existing CPU
- (Flash): code running from flash
- (SMM): code running from SMRAM

Steps:

(01) New CPU: (Flash) enter reset vector, Global SMI disabled by
default.

(02) New CPU: (Flash) configure memory control to let it access global
host memory.

(03) New CPU: (Flash) send board message to tell host CPU (GPIO->SCI) --
I am waiting for hot-add message. (NOTE: Host CPU can only send
instruction in SMM mode. -- The register is SMM only)

(04) Host CPU: (OS) get message from board that a new CPU is added.
(GPIO -> SCI)

(05) Host CPU: (OS) All CPUs enter SMM (SCI->SWSMI) (NOTE: New CPU will
not enter CPU because SMI is disabled)

(06) Host CPU: (SMM) Save 38000, Update 38000 -- fill simple SMM rebase
code.

(07) Host CPU: (SMM) Send message to New CPU to Enable SMI.

(08) New CPU: (Flash) Get message - Enable SMI.

(09) Host CPU: (SMM) Send SMI to the new CPU only.

(10) New CPU: (SMM) Response first SMI at 38000, and rebase SMBASE to
TSEG.

(11) Host CPU: (SMM) Restore 38000.

(12) Host CPU: (SMM) Update located data structure to add the new CPU
information. (This step will involve CPU_SERVICE protocol)

===================== (now, the next SMI will bring all CPU into TSEG)

(13) New CPU: (Flash) run MRC code, to init its own memory.

(14) New CPU: (Flash) Deadloop, and wait for INIT-SIPI-SIPI.

(15) Host CPU: (OS) Send INIT-SIPI-SIPI to pull new CPU in.

Thanks
Laszlo


Re: [RFC] BZ 1837 Enable Windows Firmware Update Driver Tool in Edk2/BaseTools for 201908 stable tag

Liming Gao
 

I see this patch was sent a week ago. This is a standalone tool. There is no impact on normal build and boot. I am OK to add it for 201908 stable tag.

Thanks
Liming
From: Jin, Eric
Sent: Monday, August 12, 2019 3:09 PM
To: rfc@edk2.groups.io
Cc: Gao, Liming <liming.gao@intel.com>; Jin, Eric <eric.jin@intel.com>; devel@edk2.groups.io; Feng, Bob C <bob.c.feng@intel.com>
Subject: [RFC] BZ 1837 Enable Windows Firmware Update Driver Tool in Edk2/BaseTools for 201908 stable tag

Hi All,

It is the request to Enable Windows Firmware Update Driver Tool in Edk2/BaseTools and catch the Q3 tag.
The new tool will leverage the edk2-pytool-library to generate the cat/inf file based on the cap file. The output driver package can be trigged in Windows OS to complete capsule update.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1837

Patch link: https://edk2.groups.io/g/devel/topic/32780378#44992

Best Regards
Eric


Re: [RFC] BZ 2067 BaseTools/Scripts: Add GetUtcDateTime.py for edk2-stable201908 stable tag.

Liming Gao
 

This is a small helper script. I am OK to add it for edk2-stable201908 stable tag.

Thanks
Liming
From: Chiu, Chasel
Sent: Monday, August 12, 2019 3:45 PM
To: rfc@edk2.groups.io
Cc: Gao, Liming <liming.gao@intel.com>; Feng, Bob C <bob.c.feng@intel.com>; devel@edk2.groups.io
Subject: [RFC] BZ 2067 BaseTools/Scripts: Add GetUtcDateTime.py for edk2-stable201908 stable tag.


Hello,

I would like to add below simple script to 201908 stable tag, review was sent on August 8th:

A script that can return UTC date and time in ascii format which is convenient for patching build time information in any binary.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2067
Patch: https://edk2.groups.io/g/devel/topic/32797962#45177

Thanks!
Chasel


Re: [RFC] BZ 1772 MdeModulePkg: Transfer reset data for 201908 stable tag

Gao, Zhichao
 

It is an recommended feature change. But the specific function isn't implemented with any platform yet. So it wouldn't affect any section of the edk2.
And it changed a lot of platform dsc files(or module package dsc files) in both edk2 and edk2-paltform. That may take time for the review work.
I think it is fine if this feature doesn't catch the end-line of the software-freeze.

Thanks,
Zhichao

From: Gao, Liming
Sent: Monday, August 12, 2019 4:55 PM
To: Gao, Zhichao <zhichao.gao@intel.com>; rfc@edk2.groups.io
Cc: devel@edk2.groups.io
Subject: RE: [RFC] BZ 1772 MdeModulePkg: Transfer reset data for 201908 stable tag

Zhichao:
Do you propose this feature for 201908 stable tag?

From: Gao, Zhichao
Sent: Monday, August 12, 2019 4:33 PM
To: rfc@edk2.groups.io<mailto:rfc@edk2.groups.io>
Cc: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; Gao, Liming <liming.gao@intel.com<mailto:liming.gao@intel.com>>
Subject: [RFC] BZ 1772 MdeModulePkg: Transfer reset data

HI,

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1772

Before the ResetData of ResetSystem is limit by ResetType and ResetStatus. As the Uefi spec update to 2.8, there is no limit any longer.
Here we introduce a new API ResetSystemWithSubtype to transfer a null string and GUID data with all ResetType to reset system.
It is useful for capsule update to get a specific GUID to do some special operation with specific phase. That can be implemented in platform code thru Reset Notify protocol.
Here is the guids:
gEdkiiCapsuleArmedResetGuid = {0xc6b4eea7, 0xfce2, 0x4625, {0x9c, 0x4f, 0xc4, 0xb0, 0x82, 0x37, 0xae, 0x23}}
gEdkiiCapsuleUpdateCompleteResetGuid = {0x5d512714, 0xa4df, 0x4e46, {0xb6, 0xc7, 0xbc, 0x9f, 0x97, 0x9d, 0x59, 0xa0}}

Thanks,
Zhichao


Re: [RFC] BZ 1772 MdeModulePkg: Transfer reset data for 201908 stable tag

Liming Gao
 

Zhichao:
Do you propose this feature for 201908 stable tag?

From: Gao, Zhichao
Sent: Monday, August 12, 2019 4:33 PM
To: rfc@edk2.groups.io
Cc: devel@edk2.groups.io; Gao, Liming <liming.gao@intel.com>
Subject: [RFC] BZ 1772 MdeModulePkg: Transfer reset data

HI,

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1772

Before the ResetData of ResetSystem is limit by ResetType and ResetStatus. As the Uefi spec update to 2.8, there is no limit any longer.
Here we introduce a new API ResetSystemWithSubtype to transfer a null string and GUID data with all ResetType to reset system.
It is useful for capsule update to get a specific GUID to do some special operation with specific phase. That can be implemented in platform code thru Reset Notify protocol.
Here is the guids:
gEdkiiCapsuleArmedResetGuid = {0xc6b4eea7, 0xfce2, 0x4625, {0x9c, 0x4f, 0xc4, 0xb0, 0x82, 0x37, 0xae, 0x23}}
gEdkiiCapsuleUpdateCompleteResetGuid = {0x5d512714, 0xa4df, 0x4e46, {0xb6, 0xc7, 0xbc, 0x9f, 0x97, 0x9d, 0x59, 0xa0}}

Thanks,
Zhichao


UEFI accessibility mandate

Ethin Probst <harlydavidsen@...>
 

Hello all,

I'm new here, and was recommended to the TianoCore project by someone over at the UEFI forum. I've run across TianoCore before, and like the project.
Before anyone gets worried by the subject line, no, this is not any kind of legal thing. Its just something I believe needs to happen. :)
Back in 2016-2017 I contacted the UEFI forum about two problems, one of which was the format of the spec, which I figured out on my own. The other problem was not so easily dealt with. Te other problem relates to accessibility of UEFI-compliant systems and platform firmware to persons with disabilities. As it currently stands, such a thing is nonexistent. To be fair, I completely understand the difficulty that such a thing would require, and I would fully agree if we still used the PC-AT BIOS systems -- yes, indeed, I would never suggest this kind of thing on such a system given that there was no actual standard of any kind for BIOSes. However, now that UEFI is here, we have such a possibility.
As it currently stands, people with low vision or blind people have access to their computers in the general sense (I am blind myself). We can do pretty much anything anyone else could do. We can code, play games, all that. There are few things that we cannot do. One of those things is managing our systems firmware in the preboot environment.
As it stands now, I can only boot other OSes or disks via memorization. While that worked on BIOS machines (I have, or had, an old Toshiba laptop that was BIOS-based), it no longer works because UEFI is mercurial. When I access the boot menu now, I play a game of chance. If the cards are in my favor, the OS I want to boot boots, and I can go on my way. But if the cards aren't in my favor, I end up making something happen that was unintended, and, worst of all, I have no idea what I did.
However, the boot menu is only one portion of a platform firmware UI. What about the setup utility or other utilities offered by computer manufacturers? What about diagnostic utilities, bootloaders, etc? What do I do with those? Well, I only have one option -- sited assistance. If I go into my computers setup utility, I cannot trust myself and say to myself, "OK, I know what I'm doing. All I need to do is change x and save and quit." No, I can't do that, because memorizing such a complex interface is extremely difficult, and its something I wouldn't expect anyone to do.
My proposal is simple, and I'm posting it here because I'd like comments and feedback before it actually gets implemented (it will take a lot of time, I'm sure): mandate, in the UEFI specification, that accessibility features for persons with disabilities must be implemented and documented, and, if such features are not implemented, then that vendor is not compliant with the specification. Place strict minimum requirements for what the accessibility features should do and how they should work.
Now, I'm sure someone out there will ask me how this can be done. Well, that's why I've joined the group -- though as I familiarize myself with EDK2 development and all that I may actually be able to participate as more than just an accessibility expert, of sorts.
As a side note, I have been blind all my life. I was born with retinopathy of prematurity (ROP), which resulted because I was born at 26 weeks. My retina was detached, and, though the doctors attempted to fix it, it would not remain attached, and there is no chance of it getting fixed now. I would neither want nor care for such a cure, however. I have lived my entire life blind, and while the thought of gaining site back is appealing, I am unwilling to go through the years and years of rewiring and reconditioning of my brain that would be required for me to survive with site. To me, it is simply not worth the cost.
But back to the discussion at hand: I would be happy to discuss how the accessibility features would work and what would be required. Even standardizing, through the specification, a key combination to toggle the accessibility features would be nice, as that would alleviate the major problem of a blind person buying a new computer and not knowing how to enable the accessibility features. The overarching goal would be to make the preboot environment (including applications run within it) accessible and usable by blind and visually impaired people as a boot service only. It would be superfluous to make this a runtime service, as all major OSes already have accessibility features. Plus, managing such a thing would be impossible to do.
This email has gotten quite long, so I will suspend the discussion of functionality and how I would like it to work for a future email once everyone has gotten on board.

Thank you for your time and consideration.


[RFC] BZ 1772 MdeModulePkg: Transfer reset data

Gao, Zhichao
 

HI,

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1772

Before the ResetData of ResetSystem is limit by ResetType and ResetStatus. As the Uefi spec update to 2.8, there is no limit any longer.
Here we introduce a new API ResetSystemWithSubtype to transfer a null string and GUID data with all ResetType to reset system.
It is useful for capsule update to get a specific GUID to do some special operation with specific phase. That can be implemented in platform code thru Reset Notify protocol.
Here is the guids:
gEdkiiCapsuleArmedResetGuid = {0xc6b4eea7, 0xfce2, 0x4625, {0x9c, 0x4f, 0xc4, 0xb0, 0x82, 0x37, 0xae, 0x23}}
gEdkiiCapsuleUpdateCompleteResetGuid = {0x5d512714, 0xa4df, 0x4e46, {0xb6, 0xc7, 0xbc, 0x9f, 0x97, 0x9d, 0x59, 0xa0}}

Thanks,
Zhichao


[RFC] BZ 2067 BaseTools/Scripts: Add GetUtcDateTime.py for edk2-stable201908 stable tag.

Chiu, Chasel <chasel.chiu@...>
 

Hello,

I would like to add below simple script to 201908 stable tag, review was sent on August 8th:

A script that can return UTC date and time in ascii format which is convenient for patching build time information in any binary.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2067
Patch: https://edk2.groups.io/g/devel/topic/32797962#45177

Thanks!
Chasel


[RFC] BZ 1837 Enable Windows Firmware Update Driver Tool in Edk2/BaseTools for 201908 stable tag

Eric Jin <eric.jin@...>
 

Hi All,

It is the request to Enable Windows Firmware Update Driver Tool in Edk2/BaseTools and catch the Q3 tag.
The new tool will leverage the edk2-pytool-library to generate the cat/inf file based on the cap file. The output driver package can be trigged in Windows OS to complete capsule update.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1837

Patch link: https://edk2.groups.io/g/devel/topic/32780378#44992

Best Regards
Eric

701 - 720 of 740