Drop S3 and Lock Box Support [Rebase & FF] #1042
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
makubacki
added
the
type:design-change
github-actions
bot
added
the
impact:breaking-change
kuqin12
approved these changes
Sep 23, 2024
os-d
approved these changes
Sep 23, 2024
makubacki
force-pushed
the
drop_s3_and_lockbox_support
branch
from
fa00791
to
5f28f6e
Compare
1. Drop SmmLockBox from build and flash image This is a Traditional SMM module that cannot be dispached with the Standalone MM module currently support in QemuQ35Pkg. 2. Drop PEI and DXE S3 and Lock Box related modules from the QemuQ35Pkg build and flash image. `gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable` is `FALSE` which disables S3 support. Code is also currently not being written to support S3 boot script replay and S3 is not tested. Modern physical platforms rarely support S3 and S3 presents its own security related concerns and maintenance overhead. Since S3 is not needed, the lock box code which is currently only used to store the S3 boot script is not needed. As a consequence, the following S3, boot script, and lock box related PEI and DXE modules are removed from QemuQ35Pkg: - `BootScriptExecutorDxe` - `CpuS3DataDxe` - `S3Resume2Pei` - `S3SaveStateDxe` 3. Drop S3 and lock box related library instances from QemuQ35Pkg build. The following library instances also do not need to be build given S3 is not supported and are removed from the QemuQ35Pkg build: - `MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf` - `MdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxDxeLib.inf` - `MdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxPeiLib.inf` - `MdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxSmmLib.inf` - `MdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxStandaloneMmLib.inf` - `QemuPkg/Library/LockBoxLib/LockBoxBaseLib.inf` - `QemuQ35Pkg/Library/QemuFwCfgS3Lib/PeiQemuFwCfgS3LibFwCfg.inf` Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
Removes libraries and modules that support S3 and Lock Box since S3 is not supported by QemuQ35Pkg. Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
Always follow the non-S3 flow to decompress the main FV and load the PEI core from it during SEC startup. Signed-off-by: Michael Kubacki <Michael.kubacki@microsoft.com>
Removes platform initialization logic for S3 and the lock box. Notably, the number of MMRAM regions is reduced from two to one since the first MMRAM range was previously a 4KB page used to hold S3 resume structures. The amount of ACPI NVS reservation is reduced substantially since areas like the following do not need to be preserved for S3 resume: - CPU AP stack buffers - Temp RAM stack and heap - GUIDed section extraction handlers - Reset vector initial page tables The lock box storage buffer is also not allocated at all. Previously, it was allocated as boot services data (not ACPI NVS) since S3 was never enabled. In any case, that space is no longer allocated. Asserts are added in places through key control flow to alert a developer if S3 is detected as enabled when it should not be. Signed-off-by: Michael Kubacki <Michael.kubacki@microsoft.com>
Removes S3 boot script related code since S3 is no longer supported. Signed-off-by: Michael Kubacki <Michael.kubacki@microsoft.com>
Removes S3 and boot script related code to focus the module on simply installing `Trigger()` and `Clear()` functionality for the SMM Control protocol. Signed-off-by: Michael Kubacki <Michael.kubacki@microsoft.com>
Main change is to compensate for the single MMRAM range used now that the S3 resume area is removed from MMRAM. A single range is now used to cover all of TSEG. Signed-off-by: Michael Kubacki <Michael.kubacki@microsoft.com>
Removes the following PCDs since the lock box is no longer supported. - `gQemuPkgTokenSpaceGuid.PcdOvmfLockBoxStorageBase` - `gQemuPkgTokenSpaceGuid.PcdOvmfLockBoxStorageSize` Signed-off-by: Michael Kubacki <Michael.kubacki@microsoft.com>
The QemuPkg LockBoxLib is being removed. Used the null instance here for libraries (like PerformanceLib) that link against a LockBoxLib instance. Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
Not needed since S3 support is not used requiring the Lock Box. Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
makubacki
force-pushed
the
drop_s3_and_lockbox_support
branch
from
5f28f6e
to
5128fa5
Compare
apop5
approved these changes
Sep 24, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Contains the following changes:
QemuQ35Pkg: Drop S3 and Lock Box support
Drop SmmLockBox from build and flash image
This is a Traditional SMM module that cannot be dispached with
the Standalone MM model currently supported in QemuQ35Pkg.
Drop PEI and DXE S3 and Lock Box related modules from the
QemuQ35Pkg build and flash image.
gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3EnableisFALSEwhichdisables S3 support. Code is also currently not being written to
support S3 boot script replay and S3 is not tested. Modern physical
platforms rarely support S3 and S3 presents its own security
related concerns and maintenance overhead.
Since S3 is not needed, the lock box code which is currently only
used to store the S3 boot script is not needed.
As a consequence, the following S3, boot script, and lock box
related PEI and DXE modules are removed from QemuQ35Pkg:
BootScriptExecutorDxeCpuS3DataDxeS3Resume2PeiS3SaveStateDxeDrop S3 and lock box related library instances from QemuQ35Pkg
build.
The following library instances also do not need to be build given
S3 is not supported and are removed from the QemuQ35Pkg build:
MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.infMdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxDxeLib.infMdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxPeiLib.infMdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxSmmLib.infMdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxStandaloneMmLib.infQemuPkg/Library/LockBoxLib/LockBoxBaseLib.infQemuQ35Pkg/Library/QemuFwCfgS3Lib/PeiQemuFwCfgS3LibFwCfg.infQemuQ35Pkg: Remove S3 and Lock Box related code
Removes libraries and modules that support S3 and Lock Box since S3
is not supported by QemuQ35Pkg.
QemuQ35Pkg/Sec: Drop S3 and Lock Box support
Always follow the non-S3 flow to decompress the main FV and load
the PEI core from it during SEC startup.
QemuQ35Pkg/PlatformPei: Drop S3 and Lock Box support
Removes platform initialization logic for S3 and the lock box.
Notably, the number of MMRAM regions is reduced from two to one since
the first MMRAM range was previously a 4KB page used to hold S3
resume structures.
The amount of ACPI NVS reservation is reduced substantially since
areas like the following do not need to be preserved for S3 resume:
The lock box storage buffer is also not allocated at all. Previously,
it was allocated as boot services data (not ACPI NVS) since S3 was
never enabled. In any case, that space is no longer allocated.
Asserts are added in places through key control flow to alert a
developer if S3 is detected as enabled when it should not be.
QemuQ35Pkg/AcpiPlatformDxe: Drop S3 and Lock Box support
Removes S3 boot script related code since S3 is no longer supported.
QemuQ35Pkg/SmmControl2Dxe: Drop S3 and Lock Box support
Removes S3 and boot script related code to focus the module on simply
installing
Trigger()andClear()functionality for the SMMControl protocol.
QemuQ35Pkg/SmmAccess: Drop S3 and Lock Box support
Main change is to compensate for the single MMRAM range used now that
the S3 resume area is removed from MMRAM. A single range is now used
to cover all of TSEG.
QemuQ35Pkg.fdf: Remove assignment of Lock Box PCDs
Removes the following PCDs since the lock box is no longer supported.
gQemuPkgTokenSpaceGuid.PcdOvmfLockBoxStorageBasegQemuPkgTokenSpaceGuid.PcdOvmfLockBoxStorageSizeQemuSbsaPkg: Use LockBoxLib null instance
The QemuPkg
LockBoxLibis being removed. Used the null instance herefor libraries (like
PerformanceLib) that link against aLockBoxLibinstance.
QemuPkg: Remove LockBoxLib
Not needed since S3 support is not used requiring the Lock Box.
How This Was Tested
Integration Instructions