Merge pull request #790 from elicn/dev-uefi-imp

Misc. UEFI improvements and bugfixes

Author: xwings

qiling/os/uefi/bs.py

@@ -510,7 +510,7 @@ def hook_SetMem(ql: Qiling, address: int, params):
 def hook_CreateEventEx(ql: Qiling, address: int, params):
 	return CreateEvent(ql, params)
 
-def CreateEvent(ql, params):
+def CreateEvent(ql: Qiling, params):
 	event_id = len(ql.loader.events)
 	event_dic = {
 		"NotifyFunction": params["NotifyFunction"],

qiling/os/uefi/hob.py

@@ -4,7 +4,8 @@
 #
 
 from qiling import Qiling
-from qiling.os.uefi.utils import GetEfiConfigurationTable
+from qiling.os.uefi.context import UefiContext
+from qiling.os.uefi.utils import GetEfiConfigurationTable, CompareGuid, str_to_guid
 from qiling.os.uefi.UefiBaseType import STRUCT, EFI_GUID, UINT32, UINT16
 from qiling.os.uefi.UefiSpec import EFI_CONFIGURATION_TABLE
 
@@ -25,31 +26,25 @@ class EFI_HOB_GUID_TYPE(STRUCT):
 		('Name',	EFI_GUID)
 	]
 
-def GetHobList(ql: Qiling) -> int:
+def GetHobList(ql: Qiling, context: UefiContext) -> int:
 	"""Get HOB list location in memory (ostensibly set by PEI).
 	"""
 
 	conftable_guid = ql.os.profile['HOB_LIST']['Guid']
-	conftable_ptr = GetEfiConfigurationTable(ql.loader.dxe_context, conftable_guid)
+	conftable_ptr = GetEfiConfigurationTable(context, conftable_guid)
 	conftable = EFI_CONFIGURATION_TABLE.loadFrom(ql, conftable_ptr)
 
 	return ql.unpack64(conftable.VendorTable)
 
-def CreateHob(ql: Qiling, hob) -> int:
+def CreateHob(ql: Qiling, context: UefiContext, hob) -> int:
 	"""Add a HOB to the end of the HOB list.
 	"""
 
-	hoblist = GetHobList(ql)
+	hoblist = GetHobList(ql, context)
 
 	# look for the list end marker; uefi codebase assumes there is
 	# always one
-	while True:
-		header = EFI_HOB_GENERIC_HEADER.loadFrom(ql, hoblist)
-
-		if header.HobType == EFI_HOB_TYPE_END_OF_HOB_LIST:
-			break
-
-		hoblist += header.HobLength
+	hoblist = GetNextHob(ql, EFI_HOB_TYPE_END_OF_HOB_LIST, hoblist)
 
 	# overwrite end marker with the hob
 	pHob = hoblist
@@ -65,3 +60,46 @@ def CreateHob(ql: Qiling, hob) -> int:
 
 	# return the address the hob was written to; it might be useful
 	return pHob
+
+def GetNextHob(ql: Qiling, hobtype: int, hoblist: int) -> int:
+	"""Get next HOB on the list.
+	"""
+
+	hobaddr = hoblist
+
+	while True:
+		header = EFI_HOB_GENERIC_HEADER.loadFrom(ql, hobaddr)
+
+		# found the hob?
+		if header.HobType == hobtype:
+			break
+
+		# reached end of hob list?
+		if header.HobType == EFI_HOB_TYPE_END_OF_HOB_LIST:
+			return 0
+
+		hobaddr += header.HobLength
+
+	return hobaddr
+
+def GetNextGuidHob(ql: Qiling, guid: str, hoblist: int):
+	"""Find next HOB with the specified GUID.
+	"""
+
+	hobguid = str_to_guid(guid)
+	hobaddr = hoblist
+
+	while True:
+		hobaddr = GetNextHob(ql, EFI_HOB_TYPE_GUID_EXTENSION, hobaddr)
+
+		if not hobaddr:
+			return 0
+
+		hob = EFI_HOB_GUID_TYPE.loadFrom(ql, hobaddr)
+
+		if CompareGuid(hob.Name, hobguid):
+			break
+
+		hobaddr += hob.Header.HobLength
+
+	return hobaddr

qiling/os/uefi/protocols/EfiSmmAccess2Protocol.py

@@ -3,13 +3,14 @@
 # Cross Platform and Multi Architecture Advanced Binary Emulation Framework
 #
 
+from qiling import Qiling
 from qiling.os.const import *
 from qiling.os.uefi.const import *
 from ..fncc import *
 from ..ProcessorBind import *
 from ..UefiBaseType import *
 from ..PiMultiPhase import *
-from ..utils import write_int64, read_int64
+from .. import utils
 
 # @see: MdePkg\Include\Pi\PiMultiPhase.h
 class EFI_MMRAM_DESCRIPTOR(STRUCT):
@@ -37,23 +38,23 @@ class EFI_SMM_ACCESS2_PROTOCOL(STRUCT):
 @dxeapi(params = {
 	"This" : POINTER
 })
-def hook_Open(ql, address, params):
+def hook_Open(ql: Qiling, address: int, params):
 	ql.loader.smm_context.tseg_open = True
 
 	return EFI_SUCCESS
 
 @dxeapi(params = {
 	"This" : POINTER
 })
-def hook_Close(ql, address, params):
+def hook_Close(ql: Qiling, address: int, params):
 	ql.loader.smm_context.tseg_open = False
 
 	return EFI_SUCCESS
 
 @dxeapi(params = {
 	"This" : POINTER
 })
-def hook_Lock(ql, address, params):
+def hook_Lock(ql: Qiling, address: int, params):
 	ql.loader.smm_context.tseg_locked = True
 
 	return EFI_SUCCESS
@@ -84,7 +85,7 @@ def _coalesce(seq):
 	"MmramMapSize"  : POINTER,	# IN OUT PTR(UINTN)
 	"MmramMap"      : POINTER	# OUT PTR(EFI_MMRAM_DESCRIPTOR)
 })
-def hook_GetCapabilities(ql, address, params):
+def hook_GetCapabilities(ql: Qiling, address: int, params):
 	heap = ql.loader.smm_context.heap
 
 	# get a copy of smm heap chunks list sorted by starting address
@@ -107,8 +108,23 @@ def hook_GetCapabilities(ql, address, params):
 	size = len(chunks) * EFI_SMRAM_DESCRIPTOR.sizeof()
 	MmramMapSize = params["MmramMapSize"]
 
-	if read_int64(ql, MmramMapSize) < size:
-		write_int64(ql, MmramMapSize, size)
+	if utils.read_int64(ql, MmramMapSize) < size:
+		# since the caller cannot predict how much memory would be required for storing
+		# the memory map, this method is normally called twice. the first one passes a
+		# zero size only to determine the expected size, then the caller allocates the
+		# required amount of memory and call it again.
+		#
+		# our memory map is managed differently from the real one, and memory allocations
+		# are likely to generate an additional "map block" (or two, if allocated somewhere
+		# in the last free heap chunk). because the caller allocates a new memory chunk
+		# between the two calls, that would cause the second call to always complain the
+		# buffer is too small.
+		#
+		# to work around that, we have the first call return a larger number than it should
+		# have, to compensate on the coming allocation.
+		extra = 2 * EFI_SMRAM_DESCRIPTOR.sizeof()
+
+		utils.write_int64(ql, MmramMapSize, size + extra)
 		return EFI_BUFFER_TOO_SMALL
 
 	MmramMap = params["MmramMap"]

qiling/os/uefi/protocols/EfiSmmCpuProtocol.py

@@ -98,19 +98,19 @@ class EFI_SMM_SAVE_STATE_REGISTER(ENUM_UC):
 
 @dxeapi(params = {
 	"This"		: POINTER,	# EFI_SMM_CPU_PROTOCOL
-	"Width"		: UINTN,	# UINTN
+	"Width"		: ULONGLONG,# UINTN
 	"Register"	: INT,		# EFI_SMM_SAVE_STATE_REGISTER
-	"CpuIndex"	: UINTN,	# UINTN
+	"CpuIndex"	: ULONGLONG,# UINTN
 	"Buffer"	: POINTER	# PTR(VOID))
 })
 def hook_SmmReadSaveState(ql, address, params):
 	return EFI_SUCCESS
 
 @dxeapi(params = {
 	"This"		: POINTER,	# EFI_SMM_CPU_PROTOCOL
-	"Width"		: UINTN,	# UINTN
+	"Width"		: ULONGLONG,# UINTN
 	"Register"	: INT,		# EFI_SMM_SAVE_STATE_REGISTER
-	"CpuIndex"	: UINTN,	# UINTN
+	"CpuIndex"	: ULONGLONG,# UINTN
 	"Buffer"	: POINTER	# PTR(VOID))
 })
 def hook_SmmWriteSaveState(ql, address, params):

qiling/os/uefi/rt.py

@@ -3,6 +3,7 @@
 # Cross Platform and Multi Architecture Advanced Binary Emulation Framework
 #
 
+from qiling import Qiling
 from qiling.os.const import *
 from .const import *
 from .utils import *
@@ -14,28 +15,28 @@
 	"Time"			: POINTER,	# OUT PTR(EFI_TIME)
 	"Capabilities"	: POINTER	# OUT PTR(EFI_TIME_CAPABILITIES)
 })
-def hook_GetTime(ql, address, params):
+def hook_GetTime(ql: Qiling, address: int, params):
 	return EFI_SUCCESS
 
 @dxeapi(params={
 	"Time": POINTER	# IN PTR(EFI_TIME)
 })
-def hook_SetTime(ql, address, params):
+def hook_SetTime(ql: Qiling, address: int, params):
 	return EFI_SUCCESS
 
 @dxeapi(params={
 	"Enabled"	: POINTER,	# OUT PTR(BOOLEAN)
 	"Pending"	: POINTER,	# OUT PTR(BOOLEAN)
 	"Time"		: POINTER	# OUT PTR(EFI_TIME)
 })
-def hook_GetWakeupTime(ql, address, params):
+def hook_GetWakeupTime(ql: Qiling, address: int, params):
 	return EFI_SUCCESS
 
 @dxeapi(params={
 	"Enable": BOOL,		# BOOLEAN
 	"Time"	: POINTER	# PTR(EFI_TIME)
 })
-def hook_SetWakeupTime(ql, address, params):
+def hook_SetWakeupTime(ql: Qiling, address: int, params):
 	return EFI_SUCCESS
 
 @dxeapi(params={
@@ -44,14 +45,14 @@ def hook_SetWakeupTime(ql, address, params):
 	"DescriptorVersion"	: UINT,		# UINT32
 	"VirtualMap"		: POINTER	# PTR(EFI_MEMORY_DESCRIPTOR)
 })
-def hook_SetVirtualAddressMap(ql, address, params):
+def hook_SetVirtualAddressMap(ql: Qiling, address: int, params):
 	return EFI_SUCCESS
 
 @dxeapi(params={
 	"DebugDisposition"	: UINT,		# UINTN
 	"Address"			: POINTER	# OUT PTR(PTR(VOID))
 })
-def hook_ConvertPointer(ql, address, params):
+def hook_ConvertPointer(ql: Qiling, address: int, params):
 	return EFI_SUCCESS
 
 @dxeapi(params={
@@ -61,28 +62,36 @@ def hook_ConvertPointer(ql, address, params):
 	"DataSize"		: POINTER,	# IN OUT PTR(UINTN)
 	"Data"			: POINTER	# OUT PTR(VOID)
 })
-def hook_GetVariable(ql, address, params):
+def hook_GetVariable(ql: Qiling, address: int, params):
 	name = params['VariableName']
+
 	if name in ql.env:
 		var = ql.env[name]
 		read_len = read_int64(ql, params['DataSize'])
+
 		if params['Attributes'] != 0:
 			write_int64(ql, params['Attributes'], 0)
+
 		write_int64(ql, params['DataSize'], len(var))
+
 		if read_len < len(var):
 			return EFI_BUFFER_TOO_SMALL
+
 		if params['Data'] != 0:
 			ql.mem.write(params['Data'], var)
+
 		return EFI_SUCCESS
+
 	ql.log.warning(f'variable with name {name} not found')
+
 	return EFI_NOT_FOUND
 
 @dxeapi(params={
 	"VariableNameSize"	: POINTER,	# IN OUT PTR(UINTN)
 	"VariableName"		: POINTER,	# IN OUT PTR(CHAR16)
 	"VendorGuid"		: GUID		# IN OUT PTR(EFI_GUID)
 })
-def hook_GetNextVariableName(ql, address, params):
+def hook_GetNextVariableName(ql: Qiling, address: int, params):
 	var_name_size = params["VariableNameSize"]
 	var_name = params["VariableName"]
 
@@ -124,14 +133,14 @@ def hook_GetNextVariableName(ql, address, params):
 	"DataSize"		: UINT,		# UINTN
 	"Data"			: POINTER	# PTR(VOID)
 })
-def hook_SetVariable(ql, address, params):
+def hook_SetVariable(ql: Qiling, address: int, params):
 	ql.env[params['VariableName']] = bytes(ql.mem.read(params['Data'], params['DataSize']))
 	return EFI_SUCCESS
 
 @dxeapi(params={
 	"HighCount": POINTER	# OUT PTR(UINT32)
 })
-def hook_GetNextHighMonotonicCount(ql, address, params):
+def hook_GetNextHighMonotonicCount(ql: Qiling, address: int, params):
 	ql.os.monotonic_count += 0x0000000100000000
 	hmc = ql.os.monotonic_count
 	hmc = (hmc >> 32) & 0xffffffff
@@ -144,7 +153,7 @@ def hook_GetNextHighMonotonicCount(ql, address, params):
 	"DataSize"		: UINT,		# UINTN
 	"ResetData"		: POINTER	# PTR(VOID)
 })
-def hook_ResetSystem(ql, address, params):
+def hook_ResetSystem(ql: Qiling, address: int, params):
 	ql.emu_stop()
 
 	return EFI_SUCCESS
@@ -154,7 +163,7 @@ def hook_ResetSystem(ql, address, params):
 	"CapsuleCount"		: UINT,		# UINTN
 	"ScatterGatherList"	: ULONGLONG	# EFI_PHYSICAL_ADDRESS
 })
-def hook_UpdateCapsule(ql, address, params):
+def hook_UpdateCapsule(ql: Qiling, address: int, params):
 	return EFI_SUCCESS
 
 @dxeapi(params={
@@ -163,7 +172,7 @@ def hook_UpdateCapsule(ql, address, params):
 	"MaximumCapsuleSize": POINTER,	# OUT PTR(UINT64)
 	"ResetType"			: POINTER	# OUT PTR(EFI_RESET_TYPE)
 })
-def hook_QueryCapsuleCapabilities(ql, address, params):
+def hook_QueryCapsuleCapabilities(ql: Qiling, address: int, params):
 	return EFI_SUCCESS
 
 @dxeapi(params={
@@ -172,7 +181,7 @@ def hook_QueryCapsuleCapabilities(ql, address, params):
 	"RemainingVariableStorageSize"	: POINTER,	# OUT PTR(UINT64)
 	"MaximumVariableSize"			: POINTER	# OUT PTR(UINT64)
 })
-def hook_QueryVariableInfo(ql, address, params):
+def hook_QueryVariableInfo(ql: Qiling, address: int, params):
 	return EFI_SUCCESS
 
 def initialize(ql, gRT : int):

qiling/os/uefi/smst.py

@@ -287,6 +287,7 @@ def initialize(ql, gSmst : int):
 	ql.loader.smm_context.conf_table_data_ptr = conf_data
 	ql.loader.smm_context.conf_table_data_next_ptr = conf_data
 
+	install_configuration_table(ql.loader.smm_context, "HOB_LIST", None)
 	install_configuration_table(ql.loader.smm_context, "SMM_RUNTIME_SERVICES_TABLE", gSmmRT)
 
 __all__ = [

qiling/os/uefi/st.py

@@ -3,6 +3,7 @@
 # Cross Platform and Multi Architecture Advanced Binary Emulation Framework
 #
 
+from qiling import Qiling
 from qiling.os.uefi import bs, rt, ds
 from qiling.os.uefi.utils import install_configuration_table
 from qiling.os.uefi.UefiSpec import EFI_SYSTEM_TABLE, EFI_BOOT_SERVICES, EFI_RUNTIME_SERVICES, EFI_CONFIGURATION_TABLE
@@ -46,7 +47,7 @@
 #
 #		... the remainder of the 256 KiB chunk may be used for more conf table data
 
-def initialize(ql, gST : int):
+def initialize(ql: Qiling, gST: int):
 	ql.loader.gST = gST
 
 	gBS = gST + EFI_SYSTEM_TABLE.sizeof()		# boot services
@@ -90,8 +91,6 @@ def initialize(ql, gST : int):
 	install_configuration_table(ql.loader.dxe_context, "HOB_LIST", None)
 	install_configuration_table(ql.loader.dxe_context, "DXE_SERVICE_TABLE", gDS)
 
-
-
 __all__ = [
 	'initialize'
 ]