QemuQ35Pkg: Disable paging at SMM init entry and re-enable once it is done.

kuqin12 · apop5 · commit 8c00682d6c7a · 2025-06-06T14:25:48.000-07:00
System would hang in debug builds on attempting SmmRelocation
from QemuQ35Pkg's PlatformPei.

INFO - PlatformPei: OnMpServices2Available
INFO - SmmRelocationInit Start
INFO - SmmRelocationInit - SmmRelocationSize: 0x0000A000
INFO - SmmRelocationInit - SmmRelocationStart: 0x7F000000
INFO - SmmRelocationInit - SmmStackSize: 0x00001000
INFO - SmmRelocationInit - SmmStacks: 0x7EAF6000

Paging was enabled, and as best we can tell, when
attempting to init the AP's, a page fault would be
triggered and hang the system.

Follow the MpInitLib's implementation of disabling
Paging during the Ap Smm relocation to prevent
triggering of page faults and hanging the
system.
diff --git a/Platforms/QemuQ35Pkg/Library/SmmRelocationLib/Ia32/SmmInit.nasm b/Platforms/QemuQ35Pkg/Library/SmmRelocationLib/Ia32/SmmInit.nasm
@@ -94,6 +94,10 @@ global ASM_PFX(SmmStartup)
 
 BITS 16
 ASM_PFX(SmmStartup):
+    mov     eax, strict dword 0         ; source operand will be patched
+ASM_PFX(gPatchSmmInitCr0):
+    btr     eax, 31             ; Clear CR0.PG
+    mov     cr0, eax
     mov     eax, 0x80000001             ; read capability
     cpuid
     mov     ebx, edx                    ; rdmsr will change edx. keep it in ebx.
@@ -106,14 +110,11 @@ o32 lgdt    [cs:ebp + (ASM_PFX(gcSmmInitGdtr) - ASM_PFX(SmmStartup))]
     mov     eax, strict dword 0         ; source operand will be patched
 ASM_PFX(gPatchSmmInitCr4):
     mov     cr4, eax
-    mov     ecx, 0xc0000080             ; IA32_EFER MSR
-    rdmsr
-    or      eax, ebx                    ; set NXE bit if NX is available
-    wrmsr
-    mov     eax, strict dword 0         ; source operand will be patched
-ASM_PFX(gPatchSmmInitCr0):
+    ; mov     ecx, 0xc0000080             ; IA32_EFER MSR
+    ; rdmsr
+    ; or      eax, ebx                    ; set NXE bit if NX is available
+    ; wrmsr
     mov     di, PROTECT_MODE_DS
-    mov     cr0, eax
     jmp     PROTECT_MODE_CS : dword @32bit
 
 BITS 32
@@ -125,6 +126,9 @@ BITS 32
     mov     ss, edi
     mov     esp, strict dword 0         ; source operand will be patched
 ASM_PFX(gPatchSmmInitStack):
+    mov     eax, cr0
+    bts     eax, 31
+    mov     cr0, eax
     call    ASM_PFX(SmmInitHandler)
     StuffRsb32
     rsm
diff --git a/Platforms/QemuQ35Pkg/Library/SmmRelocationLib/SmmRelocationLib.c b/Platforms/QemuQ35Pkg/Library/SmmRelocationLib/SmmRelocationLib.c
@@ -206,6 +206,8 @@ SmmRelocateBases (
   //
   CopyMem (U8Ptr, gcSmmInitTemplate, gcSmmInitSize);
 
+  // RemoveNxProtection ((EFI_PHYSICAL_ADDRESS)((UINTN)SmmStartup & ~(EFI_PAGE_SIZE - 1)), EFI_PAGE_SIZE * 2);
+
   //
   // Retrieve the local APIC ID of current processor
   //
