Patina: R-EFI 6.0 migration

Cargo.toml

@@ -29,7 +29,7 @@ linked_list_allocator = { version = "^0.10" }
 linkme = { version = "^0.3.29" }
 log = { version = "0.4", default-features = false }
 memoffset = {version = "0.9.1" }
-mu_rust_helpers = { version = "3.0.2" }
+mu_rust_helpers = { version = "4.0.0" }
 num-traits = { version = "0.2", default-features = false }
 patina = { version = "21.0.2", path = "sdk/patina" }
 patina_debugger = { version = "21.0.2", path = "core/patina_debugger" }
@@ -49,7 +49,7 @@ patina_stacktrace = { version = "21.0.2", path = "core/patina_stacktrace" }
 patina_test = { version = "21.0.2", path = "components/patina_test" }
 proc-macro2 = { version = "1" }
 quote = { version = "1" }
-r-efi = { version = "5.0.0", default-features = false }
+r-efi = { version = "6.0.0", default-features = false }
 scroll = { version = "0.13", default-features = false, features = ["derive"]}
 spin = { version = "^0.9" }
 syn = { version = "2" }

components/patina_acpi/src/acpi_table.rs

@@ -498,11 +498,14 @@ impl AcpiTable {
         };
 
         // Allocate memory in appropriate ACPI region, up to page granularity.
+        // SAFETY: allocation_strategy is either PageAllocationStrategy::MaxAddress(SIZE_4GB - 1) for
+        // FACS tables (which must reside in the lower 32-bit address space) or
+        // PageAllocationStrategy::Any for all others. Neither requires dereferencing a
+        // caller-provided address.
+        let alloc_options =
+            unsafe { AllocationOptions::new().with_memory_type(allocator_type).with_strategy(allocation_strategy) };
         let table_page_alloc = mm
-            .allocate_pages(
-                uefi_size_to_pages!(table_length),
-                AllocationOptions::new().with_memory_type(allocator_type).with_strategy(allocation_strategy),
-            )
+            .allocate_pages(uefi_size_to_pages!(table_length), alloc_options)
             .map_err(|_e| AcpiError::AllocationFailed)?;
 
         // Get the raw pointer to the allocated memory for copying.

components/patina_test/src/component.rs

@@ -310,7 +310,7 @@ pub(crate) mod tests {
         extern "efiapi" fn noop_create_event(
             _type: u32,
             _tpl: r_efi::efi::Tpl,
-            _notify_function: Option<extern "efiapi" fn(r_efi::efi::Event, *mut core::ffi::c_void)>,
+            _notify_function: Option<unsafe extern "efiapi" fn(r_efi::efi::Event, *mut core::ffi::c_void)>,
             _notify_context: *mut core::ffi::c_void,
             _event: *mut r_efi::efi::Event,
         ) -> r_efi::efi::Status {
@@ -320,7 +320,7 @@ pub(crate) mod tests {
         extern "efiapi" fn noop_create_event_ex(
             _type: u32,
             _tpl: r_efi::efi::Tpl,
-            _notify_function: Option<extern "efiapi" fn(r_efi::efi::Event, *mut core::ffi::c_void)>,
+            _notify_function: Option<unsafe extern "efiapi" fn(r_efi::efi::Event, *mut core::ffi::c_void)>,
             _notify_context: *const core::ffi::c_void,
             _guid: *const r_efi::efi::Guid,
             _event: *mut r_efi::efi::Event,
@@ -351,7 +351,7 @@ pub(crate) mod tests {
         extern "efiapi" fn noop_create_event(
             _type: u32,
             _tpl: r_efi::efi::Tpl,
-            _notify_function: Option<extern "efiapi" fn(r_efi::efi::Event, *mut core::ffi::c_void)>,
+            _notify_function: Option<unsafe extern "efiapi" fn(r_efi::efi::Event, *mut core::ffi::c_void)>,
             _notify_context: *mut core::ffi::c_void,
             _event: *mut r_efi::efi::Event,
         ) -> r_efi::efi::Status {
@@ -361,7 +361,7 @@ pub(crate) mod tests {
         extern "efiapi" fn noop_create_event_ex(
             _type: u32,
             _tpl: r_efi::efi::Tpl,
-            _notify_function: Option<extern "efiapi" fn(r_efi::efi::Event, *mut core::ffi::c_void)>,
+            _notify_function: Option<unsafe extern "efiapi" fn(r_efi::efi::Event, *mut core::ffi::c_void)>,
             _notify_context: *const core::ffi::c_void,
             _guid: *const r_efi::efi::Guid,
             _event: *mut r_efi::efi::Event,

patina_dxe_core/src/allocator/uefi_allocator.rs

@@ -148,8 +148,8 @@ where
             }
         };
 
-        //TODO: trusting that "buffer" is legit is pretty naive - but performant. Presently the allocator doesn't have
-        //tracking mechanisms that permit the validation of the pointer (hence the unsafe).
+        // TODO: trusting that "buffer" is legit is pretty naive - but performant. Presently the allocator doesn't have
+        // tracking mechanisms that permit the validation of the pointer (hence the unsafe).
 
         // SAFETY: Caller must follow safety contract defined by this function.
         let mut ptr = unsafe {
@@ -168,7 +168,7 @@ where
         if allocation_info.memory_type != self.memory_type() {
             return Err(EfiError::NotFound);
         }
-        //zero after check so it doesn't get reused.
+        // zero after check so it doesn't get reused.
         allocation_info.signature = 0;
 
         // SAFETY: Caller must follow safety contract defined by this function.

patina_dxe_core/src/allocator/usage_tests/uefi_memory_map.rs

@@ -219,13 +219,17 @@ mod tests {
             let mut descriptor_size: usize = 0;
             let mut descriptor_version: u32 = 0;
 
-            let status = get_memory_map(
-                ptr::from_mut(&mut memory_map_size),
-                ptr::null_mut(),
-                ptr::from_mut(&mut map_key),
-                ptr::from_mut(&mut descriptor_size),
-                ptr::from_mut(&mut descriptor_version),
-            );
+            // SAFETY: all pointers are derived from local variables and are valid.
+            // memory_map is null to perform a size query.
+            let status = unsafe {
+                get_memory_map(
+                    ptr::from_mut(&mut memory_map_size),
+                    ptr::null_mut(),
+                    ptr::from_mut(&mut map_key),
+                    ptr::from_mut(&mut descriptor_size),
+                    ptr::from_mut(&mut descriptor_version),
+                )
+            };
 
             if status != efi::Status::BUFFER_TOO_SMALL {
                 return Err(format!("Expected BUFFER_TOO_SMALL, got {:?}", status));
@@ -237,13 +241,17 @@ mod tests {
             // SAFETY: Capacity was reserved for `descriptor_count` elements and the length below matches that.
             unsafe { descriptors.set_len(descriptor_count) };
 
-            let status = get_memory_map(
-                ptr::from_mut(&mut memory_map_size),
-                descriptors.as_mut_ptr().cast(),
-                ptr::from_mut(&mut map_key),
-                ptr::from_mut(&mut descriptor_size),
-                ptr::from_mut(&mut descriptor_version),
-            );
+            // SAFETY: all pointers are derived from local variables. descriptors buffer
+            // is properly sized from the previous size query.
+            let status = unsafe {
+                get_memory_map(
+                    ptr::from_mut(&mut memory_map_size),
+                    descriptors.as_mut_ptr().cast(),
+                    ptr::from_mut(&mut map_key),
+                    ptr::from_mut(&mut descriptor_size),
+                    ptr::from_mut(&mut descriptor_version),
+                )
+            };
 
             if status != efi::Status::SUCCESS {
                 return Err(format!("get_memory_map() failed: {:?}", status));

patina_dxe_core/src/config_tables.rs

@@ -23,7 +23,15 @@ use crate::{
     systemtables::{EfiSystemTable, SYSTEM_TABLE},
 };
 
-extern "efiapi" fn install_configuration_table(table_guid: *mut efi::Guid, table: *mut c_void) -> efi::Status {
+/// Installs a configuration table entry identified by `table_guid` into the system table.
+///
+/// # Safety
+///
+/// The caller is responsible for ensuring that `table_guid` points to valid, readable memory
+/// containing an `efi::Guid` and that `table` (if non-null) points to valid memory that remains
+/// valid for the lifetime of the configuration table entry. `table_guid` is null-checked, but
+/// validity of the referenced memory is the caller's responsibility.
+unsafe extern "efiapi" fn install_configuration_table(table_guid: *mut efi::Guid, table: *mut c_void) -> efi::Status {
     if table_guid.is_null() {
         return efi::Status::INVALID_PARAMETER;
     }
@@ -43,8 +51,10 @@ extern "efiapi" fn install_configuration_table(table_guid: *mut efi::Guid, table
     }
 }
 
-/// Install a configuration table in the system table, replacing any existing table with the same GUID.
-/// If a table is replaced or deleted, a pointer to the old table is returned.
+/// Install a configuration table in the system table, replacing any existing table with the same
+/// GUID. If a table is replaced or deleted, a pointer to the old table is returned. This function
+/// is not marked as unsafe because the `vendor_table` parameter is not dereferenced inside the
+/// function.
 pub fn core_install_configuration_table(
     vendor_guid: efi::Guid,
     vendor_table: *mut c_void,
@@ -184,7 +194,11 @@ mod tests {
 
             assert!(get_configuration_table(&guid).is_none());
 
-            assert_eq!(install_configuration_table(&guid as *const _ as *mut _, table), efi::Status::SUCCESS);
+            assert_eq!(
+                // SAFETY: The passed in values are safe because they are constructed in this test case.
+                unsafe { install_configuration_table(&guid as *const _ as *mut _, table) },
+                efi::Status::SUCCESS
+            );
             assert_eq!(get_configuration_table(&guid).unwrap().as_ptr(), table);
         });
     }
@@ -195,7 +209,11 @@ mod tests {
             let guid: efi::Guid = guid::Guid::from_string("78926ab0-af16-49e4-8e05-115aafbca1df").to_efi_guid();
             let table = 0x12345678u32 as *mut c_void;
 
-            assert_eq!(install_configuration_table(&guid as *const _ as *mut _, table), efi::Status::SUCCESS);
+            assert_eq!(
+                // SAFETY: The passed in values are safe because they are constructed in this test case.
+                unsafe { install_configuration_table(&guid as *const _ as *mut _, table) },
+                efi::Status::SUCCESS
+            );
 
             assert_eq!(get_configuration_table(&guid).unwrap().as_ptr(), table);
 

patina_dxe_core/src/config_tables/memory_attributes_table.rs

@@ -313,27 +313,22 @@ mod tests {
                 let page_count =
                     entry_count * uefi_size_to_pages!(crate::allocator::RUNTIME_PAGE_ALLOCATION_GRANULARITY);
 
-                let mut buffer_ptr: *mut u8 = core::ptr::null_mut();
-                match core_allocate_pages(
-                    efi::ALLOCATE_ANY_PAGES,
-                    page_type.0,
-                    page_count,
-                    core::ptr::addr_of_mut!(buffer_ptr) as *mut efi::PhysicalAddress,
-                    None,
-                ) {
+                let address = match core_allocate_pages(efi::ALLOCATE_ANY_PAGES, page_type.0, page_count, 0, None) {
                     // because we allocate top down, we need to insert at the front of the vector
-                    Ok(_) if page_type.0 != efi::BOOT_SERVICES_DATA => {
-                        allocated_pages.insert(0, (buffer_ptr, page_type, page_count))
+                    Ok(address) => {
+                        if page_type.0 != efi::BOOT_SERVICES_DATA {
+                            allocated_pages.insert(0, (address, page_type, page_count));
+                        }
+                        address
                     }
-                    Ok(_) => (),
                     _ => panic!("Failed to allocate pages"),
-                }
+                };
 
                 let len = page_count * UEFI_PAGE_SIZE;
                 // ignore failures here, we can't set attributes in the actual page table here, but the GCD will
                 // get updated
-                let _ = core_set_memory_space_capabilities(buffer_ptr as u64, len as u64, u64::MAX);
-                let _ = core_set_memory_space_attributes(buffer_ptr as u64, len as u64, page_type.1);
+                let _ = core_set_memory_space_capabilities(address, len as u64, u64::MAX);
+                let _ = core_set_memory_space_attributes(address, len as u64, page_type.1);
             }
 
             // before we create the MAT, we expect MEMORY_ATTRIBUTES_TABLE to be None
@@ -368,7 +363,7 @@ mod tests {
                 // We don't assume ordering; find by physical_start and number_of_pages.
                 for page in allocated_pages.iter() {
                     let expected_type = page.1.0;
-                    let expected_physical_start = page.0 as u64;
+                    let expected_physical_start = page.0;
                     let expected_number_of_pages = page.2 as u64;
                     // expected_attribute from setup isn't used directly; MAT constrains attrs based on type.
 

patina_dxe_core/src/debugger_reload.rs

@@ -194,10 +194,11 @@ fn core_reload(image: &[u8], out: &mut dyn core::fmt::Write) {
 
     // Step 1: allocate the image memory.
     let image_size = pe_info.size_of_image as usize;
-    let alloc = match CoreMemoryManager.allocate_pages(
-        uefi_size_to_pages!(image_size),
-        AllocationOptions::new().with_strategy(ARCH_ALLOCATION_STRATEGY),
-    ) {
+    // SAFETY: ARCH_ALLOCATION_STRATEGY is a compile-time constant that is either
+    // PageAllocationStrategy::MaxAddress(0xFFFF_FFFF) or PageAllocationStrategy::Any;
+    // neither requires dereferencing a caller provided address.
+    let options = unsafe { AllocationOptions::new().with_strategy(ARCH_ALLOCATION_STRATEGY) };
+    let alloc = match CoreMemoryManager.allocate_pages(uefi_size_to_pages!(image_size), options) {
         Ok(pages) => pages,
         Err(err) => {
             let _ = writeln!(out, "Failed to allocate load buffer: {:?}", err);