mu_feature_mm_supv - v13.0.2 Latest Release

Published by github-actions[bot] about 2 months ago

What's Changed

This change updated the override validation tags. It also integrates the cherry-pick commit from https://github.com/microsoft/mu_basecore/commit/4d722ac91608d3c4fbe807b418b77f2a6e279117.

For details on how to complete to complete these options and their meaning refer to CONTRIBUTING.md.

Impacts functionality?
Impacts security?
Breaking change?
Includes tests?
Includes documentation?

How This Was Tested

This was tested on pipeline and passed override check. Also booted on Q35 branch.

Integration Instructions

The change needs to pair with basecore commit https://github.com/microsoft/mu_basecore/commit/4d722ac91608d3c4fbe807b418b77f2a6e279117 or later.

  </blockquote>
  <hr>
</details>

Full Changelog: https://github.com/microsoft/mu_feature_mm_supv/compare/v13.0.1...v13.0.2

mu_feature_mm_supv - v13.0.1

Published by github-actions[bot] 2 months ago

What's Changed

This change updates the version information of this package and module. It also updates the document on how to integrate the latest changes into platforms that are picking up 202405.

The version number is updated from 11 to 13 to match the release version, which was missed in v12 release.

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

N/A

Integration Instructions

N/A

Full Changelog: https://github.com/microsoft/mu_feature_mm_supv/compare/v13.0.0...v13.0.1

mu_feature_mm_supv - v12.0.0

Published by github-actions[bot] 4 months ago

What's Changed

Please ensure you have read the contribution docs prior
to submitting the pull request. In particular,
pull request guidelines.

Description

This change will cover a few more CLANG fixes, including uninitialized variables and unintentionally pulled in compiler intrinsics.

For each item, place an "x" in between [ and ] if true. Example: [x].
(you can also check items in the GitHub UI)

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

This was tested on QEMU Q35.

Integration Instructions

N/A

  </blockquote>
  <hr>
</details>

The pipeline build is broken due to a commit cherry-picked in to basecore: https://github.com/microsoft/mu_basecore/commit/7f9a27e0d7bcefd06e8d45fc06d5e906b6898911.

This change is needed to unblock other PRs into this repo.

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

N/A

Integration Instructions

N/A

Primarily made to pull in this change UefiCpuPkg/PiSmmCpuDxeSmm: Use NonSmm BSP as default SMM BSP..

Also includes other optimizations to keep the file in sync with edk2. The history of the recent changes in the file in this repo vs edk2 are shown for reference.

Commit URL	Title	Notes
2ca8d55974...	UefiCpuPkg/PiSmmCpuDxeSmm: Check BspIndex first before lock cmpxchg	New incoming change
d698bcfe4f...	UefiCpuPkg/PiSmmCpuDxeSmm: Avoid BspIndex typecasting	New incoming change
58d9463939...	UefiCpuPkg/PiSmmCpuDxeSmm: Reduce one round BSP & AP sync	New incoming change
41d1c4475b...	UefiCpuPkg/PiSmmCpuDxeSmm: Invert ReleaseAllAPs & InitializeDebugAgent	New incoming change
3a4ec6de01...	UefiCpuPkg/PiSmmCpuDxeSmm: Align BSP and AP sync logic for SMI exit	New incoming change
e1b62f3e28...	UefiCpuPkg/PiSmmCpuDxeSmm: Check SMM Debug Agent support or not	Skipped since it touches other files and is unrelated.
a83d953dc2...	UefiCpuPkg/PiSmmCpuDxeSmm: Consume SmmCpuSyncLib	Cherry-picked to basecore. Included in StandaloneMmCpuSyncLib PR (#257).
cc698d0335...	UefiCpuPkg/PiSmmCpuDxeSmm: Simplify RunningApCount decrement	Cherry-picked to basecore. Included in StandaloneMmCpuSyncLib PR (#257).
e14a022246...	UefiCpuPkg/PiSmmCpuDxeSmm: Optimize Semaphore Sync between BSP and AP	Included in StandaloneMmCpuSyncLib PR (#257)
68d506e0d1...	UefiCpuPkg/PiSmmCpuDxeSmm: Use NonSmm BSP as default SMM BSP.	New incoming change
b4dde1ae6a...	UefiCpuPkg: Use GenSmmPageTable() to create Smm S3 page table	Last commit in the 202311 update.

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

MmSupervisorPkg build.
Intel physical platform build and boot to Windows OS.
QemuQ35Pkg build and boot to Windows OS.

Integration Instructions

N/A

⚠️ Breaking Changes

Please ensure you have read the contribution docs prior
to submitting the pull request. In particular,
pull request guidelines.

Description

This change is integrating the changes from BASECORE:
https://github.com/microsoft/mu_basecore/commit/ff7dabfdca8534a1d1b3551e91b739be20a5f8fc
https://github.com/microsoft/mu_basecore/commit/719bf756ea6d94ef800eaab4601d3ed52423ef35

For each item, place an "x" in between [ and ] if true. Example: [x].
(you can also check items in the GitHub UI)

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

This change is tested with QEMU Q35.

Integration Instructions

This requires the platforms to update their BASECORE version to be later than https://github.com/microsoft/mu_basecore/commit/719bf756ea6d94ef800eaab4601d3ed52423ef35 of release/202311.

  </blockquote>
  <hr>
</details>

This change integrated the update from EDK2 where the MP information of the system will be pulled from the HOBs instead of gBS, which aligns with our existing implementation.

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

This change was tested on QEMU Q35 and booted to UEFI shell.

Integration Instructions

N/A

🐛 Bug Fixes

Please ensure you have read the contribution docs prior
to submitting the pull request. In particular,
pull request guidelines.

Description

This change fixes a code path where the Status could get evaluated without being initialized.

For each item, place an "x" in between [ and ] if true. Example: [x].
(you can also check items in the GitHub UI)

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

This was tested on QEMU Q35.

Integration Instructions

N/A

  </blockquote>
  <hr>
</details>

Full Changelog: https://github.com/microsoft/mu_feature_mm_supv/compare/v11.0.1...v12.0.0

mu_feature_mm_supv - v11.0.1

Published by github-actions[bot] 6 months ago

What's Changed

We have not updated this field for too long, which will make the print out during runtime have discrepancy compared to the code release version. This change is made to fix that.

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

This is only a version change, no functional update.

Integration Instructions

N/A

Full Changelog: https://github.com/microsoft/mu_feature_mm_supv/compare/v11.0.0...v11.0.1

mu_feature_mm_supv - v11.0.0

Published by github-actions[bot] 6 months ago

What's Changed

⚠️ Breaking Changes

Please ensure you have read the contribution docs prior
to submitting the pull request. In particular,
pull request guidelines.

Description

This change integrates 4 commits from MU_BASECORE to use the common library implementation for image record creation and resolve the corresponding override validation failures.

For each item, place an "x" in between [ and ] if true. Example: [x].
(you can also check items in the GitHub UI)

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

This change was tested on QEMU Q35 and booted to UEFI shell.

Integration Instructions

Platform needs to include ImagePropertiesRecordLib in their platform dsc file to pick up this change.

  </blockquote>
  <hr>
</details>

Full Changelog: https://github.com/microsoft/mu_feature_mm_supv/compare/v10.0.0...v11.0.0

mu_feature_mm_supv - v10.0.0

Published by github-actions[bot] 7 months ago

What's Changed

⚠️ Breaking Changes

Please ensure you have read the contribution docs prior
to submitting the pull request. In particular,
pull request guidelines.

Description

The BaseLib is updated with new support of CRC16-CCITT-FALSE implementation. This change added the change and updated the override hash.

For each item, place an "x" in between [ and ] if true. Example: [x].
(you can also check items in the GitHub UI)

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

This change is tested on QEMU Q35 and booted to UEFI shell.

Integration Instructions

N/A

  </blockquote>
  <hr>
</details>

Full Changelog: https://github.com/microsoft/mu_feature_mm_supv/compare/v9.0.1...v10.0.0

mu_feature_mm_supv - v9.0.1

Published by github-actions[bot] 7 months ago

What's Changed

Please ensure you have read the contribution docs prior
to submitting the pull request. In particular,
pull request guidelines.

Description

The current exception handling routine has 2 issues:

When it comes to page fault, the miscellaneous exception handler will print the exception context and then hand off to the specific page fault handler, which will make the log appear as the system double fault.
When the page fault exception occurs, the existing setup will switch the system to use a separate stack, which is hardcoded to be 4KB from the top of supervisor stack. This size is insufficient after switching to PageTableLib based page table attribute manipulations.

This change should fix both issues.

For each item, place an "x" in between [ and ] if true. Example: [x].
(you can also check items in the GitHub UI)

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

This change is tested on QEMU Q35 and verified bootable into UEFI shell.

Integration Instructions

N/A

  </blockquote>
  <hr>
</details>

Integrated the following commits from MU_BASECORE into the supervisor core (which themselves were taken from edk2):
https://github.com/microsoft/mu_basecore/commit/fba09d01a35746f4e8a3b03a70b1f13fb43342be
https://github.com/microsoft/mu_basecore/commit/f5417b804d5cb89dbbe384458fa6dfc0b81377ff
https://github.com/microsoft/mu_basecore/commit/d421e2b9c9d1af511aca95a20f6fe483f646909b
https://github.com/microsoft/mu_basecore/commit/bb7120572e7f8754fa46aaf01b76f9734ab4b29e

Additionally updated the override of UefiCpuPkg in the supervisor cores inf.

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

Tested on physical platforms with the latest MU 202311 branches. No issues observed.

Integration Instructions

N/A

Please ensure you have read the contribution docs prior
to submitting the pull request. In particular,
pull request guidelines.

Description

It does not seem that the edk2-basetools are not being used. This change will remove it.

For each item, place an "x" in between [ and ] if true. Example: [x].
(you can also check items in the GitHub UI)

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

Pipeline change, no firmware function changes.

Integration Instructions

N/A.

  </blockquote>
  <hr>
</details>

An instance of StackCheckLib must be in each DSC to accommodate -fstack-protector and /GS flags.

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

Tested in pipelines

Integration Instructions

N/A

  </blockquote>
  <hr>
</details>

Full Changelog: https://github.com/microsoft/mu_feature_mm_supv/compare/v9.0.0...v9.0.1

mu_feature_mm_supv - v9.0.0

Published by github-actions[bot] 9 months ago

What's Changed

This change updated the release version to v9 to reflect the new value from release template.

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

N/A

Integration Instructions

N/A

⚠️ Breaking Changes

This change integrates the edk2 upstream changes into applicable overridden modules.

Specifically, this change integrates the following commits:

The following commits are determined not relevant to this package:

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

This change is tested on QEMU Q35 and SBSA virtual platform and booted to UEFI shell as well as host OS. This change is also verified bootable on proprietary hardware platform.

Integration Instructions

An update of 202311 based mu submodules are required to consume this change.

🐛 Bug Fixes

Contains the primary commit for the HOB calculation overflow and
a separate commit to build with the tip of mu_basecore release/202302.

CVE-2022-36765 - StandaloneMmHobLibSysCall: Prevent integer overflow in CreateHob()

Based on commit 9a75b030cf27d2530444e9a2f9f11867f79bf679 in edk2.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166

Fix integer overflow in various CreateHob instances.
Fixes: CVE-2022-36765

The CreateHob() function aligns the requested size to 8
performing the following operation:
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));

No checks are performed to ensure this value doesn't
overflow, and could lead to CreateHob() returning a smaller
HOB than requested, which could lead to OOB HOB accesses.

MmSupervisorPkg/BaseLibSysCall/BaseLib: Update override

The change that occurred in MdePkg/Library/BaseLib only affected
AARCH64 which does not exist in the instance in MmSupervisorPkg.

So, this change simply updates the override hash to the new value.

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

MmSupervisorPkg CI.
Upstream validation.
Boot on QEMU.

Integration Instructions

N/A

🔐 Security Impacting

Contains the primary commit for the HOB calculation overflow and
a separate commit to build with the tip of mu_basecore release/202302.

CVE-2022-36765 - StandaloneMmHobLibSysCall: Prevent integer overflow in CreateHob()

Based on commit 9a75b030cf27d2530444e9a2f9f11867f79bf679 in edk2.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166

Fix integer overflow in various CreateHob instances.
Fixes: CVE-2022-36765

The CreateHob() function aligns the requested size to 8
performing the following operation:
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));

No checks are performed to ensure this value doesn't
overflow, and could lead to CreateHob() returning a smaller
HOB than requested, which could lead to OOB HOB accesses.

MmSupervisorPkg/BaseLibSysCall/BaseLib: Update override

The change that occurred in MdePkg/Library/BaseLib only affected
AARCH64 which does not exist in the instance in MmSupervisorPkg.

So, this change simply updates the override hash to the new value.

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

MmSupervisorPkg CI.
Upstream validation.
Boot on QEMU.

Integration Instructions

N/A

Full Changelog: https://github.com/microsoft/mu_feature_mm_supv/compare/v8.1.8...v9.0.0

mu_feature_mm_supv - v8.1.7

Published by github-actions[bot] 11 months ago

What's Changed

🔐 Security Impacting

This series transitions the core to use the new stack cookie libraries.
The stack cookie value no longer needs to be initialized before
image execution and can instead be initialized in the library
constructor.

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

Tested on Q35

Integration Instructions

N/A

Full Changelog: https://github.com/microsoft/mu_feature_mm_supv/compare/v8.1.6...v8.1.7

mu_feature_mm_supv - v8.1.6

Published by github-actions[bot] about 1 year ago

What's Changed

🐛 Bug Fixes

Fixes #182

The main change is to remove a NULL check for the CommBufferSize
parameter value in the MM_SUPERVISOR_REQUEST_FETCH_POLICY switch
case since it triggers a CodeQL alert as a redundant NULL check
operation. The actual parameter value is checked for NULL at the
beginning of the function and not modified until that line of code.

However, the function API and implementation is confusing so that's
cleaned up as well.

The Context parameter is not used at all. Since it is marked
optional, it is left so the function prototype can remain
consistent in case the parameter is needed in the future.
The CommBuffer and CommBufferSize parameters are also marked
optional, but they're not. The function immediately returns
EFI_INVALID_PARAMETER if they are not provided (null).

For (2), the optional modifier is simply removed from the arguments
to indicate the function expects valid pointers are passed.

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

MmSupervisorPkg build and CI checks

Integration Instructions

N/A

Full Changelog: https://github.com/microsoft/mu_feature_mm_supv/compare/v8.1.5...v8.1.6

mu_feature_mm_supv - v8.1.5

Published by github-actions[bot] about 1 year ago

What's Changed

Updates the repo for a change that merged UefiCpuLib with CpuLib.

UefiCpuLib will be removed entirely soon so all references are updated to CpuLib.

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

MmSupervisorPkg CI build
Feature integration build (in QemuQ35Pkg)

Integration Instructions

N/A

Full Changelog: https://github.com/microsoft/mu_feature_mm_supv/compare/v8.1.4...v8.1.5

mu_feature_mm_supv - v8.1.4

Published by github-actions[bot] about 1 year ago

What's Changed

PcdUserCommBufferPages is currently set to 4. This buffer is
used for UEFI variable transactions where includes larger data like Intel
memory training and Secure Boot related UEFI variables.

16 pages provides 64KB by default which allows these common scenarios
to succeed in most cases without platform intervention.

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

Verified on Qemu Q35 and a physical Intel platform.

Integration Instructions

If the default value was previously unmodified on a platform, expect that the
user mode communicate buffer will now be 48KB larger. If that's an issue, set
gMmSupervisorPkgTokenSpaceGuid.PcdUserCommBufferPages to 4 in the platform
DSC file to restore previous behavior.

Full Changelog: https://github.com/microsoft/mu_feature_mm_supv/compare/v8.1.3...v8.1.4

mu_feature_mm_supv - v8.1.3

Published by github-actions[bot] about 1 year ago

What's Changed

Current implementation of MmIsBufferOutsideMmValid for the user instance will only check to see if the requested space is unblocked from the perspective of MM supervisor, which could result in the issue that the region is only unblocked at the supervisor level is still not accessible from user space. If this is the case, FALSE should be returned.

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

This change is tested on Q35 platform and booted to UEFI shell.

Integration Instructions

N/A

  </blockquote>
  <hr>
</details>

Full Changelog: https://github.com/microsoft/mu_feature_mm_supv/compare/v8.1.2...v8.1.3

mu_feature_mm_supv - v8.1.2

Published by github-actions[bot] over 1 year ago

What's Changed

Updates overrides for:

MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf
UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.inf

Relevant changes from https://github.com/microsoft/mu_basecore/pull/490

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

CI build and QemuQ35Pkg unit boot.

Integration Instructions

When updating Mu Basecore to include the changes linked in the
description, update the submodule with MmSupervisorPkg to
include these changes.

Full Changelog: https://github.com/microsoft/mu_feature_mm_supv/compare/v8.1.1...v8.1.2

mu_feature_mm_supv - v8.1.1

Published by github-actions[bot] over 1 year ago

What's Changed

Updates DumpInfo function for a policy to dump it's contents to any IO object, not just to stdout. By default, the DumpInfo function will dump to stdout, keeping existing logic, but allows the caller to specify any IO object via the outfs optional parameter.

Additionally changes the dump for the purpose of the SupervisorPolicyMaker helper script to dump to logging.DEBUG rather than as a print statement, as the print statement does not end up in the log file.

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

Virtual Platforms

Integration Instructions

N/A

  </blockquote>
  <hr>
</details>

Catching a bare exception is considered bad practice. Catching bare exceptions can make it impossible to interrupt the program (e.g., with Ctrl-C) and can disguise other problems. This removes all bare excepts and instead catches Exception which is the base class for all code-generated exceptions.

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

N/A

Integration Instructions

N/A

  </blockquote>
  <hr>
</details>

Updates the UT_LOG_* messages to print a new line so the prints
do not run into the individual test section dividers.

Prints additional information when examining IOMMU regions to show
what regions are being considered and specific details about
potential range overlaps.

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

Ran test on a physical Intel platform and reviewed debug output.

Integration Instructions

N/A

Add a PrEval entry to all ci.yaml files. This enables the PrEval Policy 5

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

N/A

Integration Instructions

N/A

  </blockquote>
  <hr>
</details>

🔐 Security Impacting

Please ensure you have read the contribution docs prior
to submitting the pull request. In particular,
pull request guidelines.

Description

This change updated the unit test to inspect retrieved MM policy attribute against protected regions, such as TXT and IOMMU regions as defined by WHCP specification.

Although the specification only mentions that the regions should have no write access, this implementation will flag attributes on executable protected regions.

For each item, place an "x" in between [ and ] if true. Example: [x].
(you can also check items in the GitHub UI)

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

This is tested on QemuQ35Pkg.

Integration Instructions

N/A

  </blockquote>
  <hr>
</details>

Full Changelog: https://github.com/microsoft/mu_feature_mm_supv/compare/v8.1.0...v8.1.1

mu_feature_mm_supv - v8.1.0

Published by github-actions[bot] over 1 year ago

What's Changed

Please ensure you have read the contribution docs prior
to submitting the pull request. In particular,
pull request guidelines.

Description

This change bumps the version number to make a release before we transition to 202302.

For each item, place an "x" in between [ and ] if true. Example: [x].
(you can also check items in the GitHub UI)

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

N/A

Integration Instructions

N/A

  </blockquote>
  <hr>
</details>

⚠️ Breaking Changes

Please ensure you have read the contribution docs prior
to submitting the pull request. In particular,
pull request guidelines.

Description

This change integrates a series of patches checked into the overridden modules from supervisor repo.

For each item, place an "x" in between [ and ] if true. Example: [x].
(you can also check items in the GitHub UI)

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

This was tested on QEMU virtual platform and proprietary hardware.

Integration Instructions

End user should update to release/202302 branches for other project MU repos to consume this.

🔐 Security Impacting

Please ensure you have read the contribution docs prior
to submitting the pull request. In particular,
pull request guidelines.

Description

This change integrates a series of patches checked into the overridden modules from supervisor repo.

For each item, place an "x" in between [ and ] if true. Example: [x].
(you can also check items in the GitHub UI)

Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

This was tested on QEMU virtual platform and proprietary hardware.

Integration Instructions

End user should update to release/202302 branches for other project MU repos to consume this.

Full Changelog: https://github.com/microsoft/mu_feature_mm_supv/compare/v7.3.2...v8.1.0