MdeModulePkg/NvmExpressDxe: Add NVMe namespace filtering PCD

[eeshanl]

Description

Add PcdNvmeNamespaceFilter to control NVMe namespace enumeration.
When TRUE, only the first namespace (NSID 1) is discovered and enumerated. When FALSE (default), all namespaces are enumerated as before.

This improves security on NVMe devices with multiple namespaces.
Without filtering, UEFI enumerates all namespaces and an attacker could place malicious boot media in a secondary namespace. By restricting enumeration to only the first namespace, we ensure the system boots exclusively from the intended namespace and prevents exploitation of additional namespaces as an attack vector.

Changes:

• NvmExpress.h: Add NVME_FIRST_NSID define
• NvmExpress.c: Add FilteringEnabled parameter to DiscoverAllNamespaces, EnumerateNvmeDevNamespace with namespace ID check when filtering
• NvmExpressDxe.inf: Add PcdNvmeNamespaceFilter to [Pcd] section
• MdeModulePkg.dec: Define PcdNvmeNamespaceFilter (default FALSE)

Ref: microsoft/mu_msvm@9337285

For details on how to complete these options and their meaning refer to CONTRIBUTING.md.

• Impacts functionality?
• Impacts security?
• Breaking change?
• Includes tests?
• Includes documentation?

How This Was Tested

Tested on:

• OpenVMM platform where namespace filtering is required and successfully booted to OS via DDA NVMe with Namespace filtering on & off.

• Physical platform and booted to OS with physical NVMe with Namespace filtering on & off.

• Qemu Q35 by booting to OS via NVMe with Namespace filtering on & off:

  Modified QemuCommandBuilder.py with the following:

  elif device == "ssd" and self._architecture == QemuArchitecture.Q35:
      # Create NVMe controller with 2 namespaces for testing namespace filtering
      # NS1: boot media, NS2: empty 1GB drive
      self._args.extend([
          "-drive",
          f"file={path},format={format},if=none,id=nvme_ns1",
          "-drive",
          "if=none,id=nvme_ns2,format=raw,file.driver=null-co,file.size=1G",
          "-device",
          "nvme,id=nvme0,serial=nvme-1",
          "-device",
          "nvme-ns,drive=nvme_ns1,bus=nvme0,nsid=1",
          "-device",
          "nvme-ns,drive=nvme_ns2,bus=nvme0,nsid=2",
      ])
  

With this change, we have added 2 NVMe namespaces nsid 1 & 2, and we have added 2 boot media, 1 with the real OS and 2 with an empty drive.

With PcdNvmeNamespaceFilter == TRUE we only enumerate the NSID 1 and successfully boot to OS.

With PcdNvmeNamespaceFilter == FALSE we enumerate both the namespaces as defined above and also successfully boot to OS.

Integration Instructions

Set PcdNvmeNamespaceFilter to TRUE when required at the platform dsc.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 0% with 18 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (release/202511@872dc15). Learn more about missing BASE report.

Files with missing lines	Patch %	Lines
MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpress.c	0.00%	18 Missing ⚠️

Additional details and impacted files

@@                Coverage Diff                @@
##             release/202511    #1754   +/-   ##
=================================================
  Coverage                  ?    1.84%           
=================================================
  Files                     ?     1150           
  Lines                     ?   376097           
  Branches                  ?     3196           
=================================================
  Hits                      ?     6936           
  Misses                    ?   369105           
  Partials                  ?       56           

Flag	Coverage Δ
FmpDevicePkg	9.53% <ø> (?)
MdeModulePkg	1.58% <0.00%> (?)
NetworkPkg	0.55% <ø> (?)
PolicyServicePkg	30.42% <ø> (?)
SecurityPkg	1.61% <ø> (?)
UefiCpuPkg	4.78% <ø> (?)
UnitTestFrameworkPkg	11.70% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[mu-automation]

✅ QEMU Validation Passed

Source Dependencies

Repository	Commit
mu_basecore	ede9f77
mu_tiano_platforms	e7f5cec

Results

Platform	Target	Build	Boot	Overall Boot Time	Build Logs	Boot Logs
Q35	DEBUG	✅ success	✅ success	0m 16s	Build Logs	Boot Logs
SBSA	DEBUG	✅ success	✅ success	0m 31s	Build Logs	Boot Logs

Workflow run: https://github.com/microsoft/mu_basecore/actions/runs/24270302709

This comment was automatically generated by the Mu QEMU PR Validation workflow.

[eeshanl]

Disclaimer: Readme.md is AI generated

[os-d]

Can you take this directly to edk2 or do we have a platform need to get this into Mu now? If so, please take it to edk2 in parallel. Obviously dropping the MU_CHANGEs part of the readme.

[os-d]

I know this is from existing platform code, but there is nothing special about the first namespace, right? Should this PCD specify which namespace ID to exclusively use?

[apop5]

I would second Olver's comment.

NSID 0 is an invalid name space. Name spaces start at 1 and go up from there.
I think the PcdNvmeNamespaceFilter could be used to specify the name space being filtered, with 0 being no filtering.

And this would eliminate that #define as well

[os-d]

drop

[os-d]

drop (not much info beyond the filename, will go out of date)