From patchwork Sun Feb 26 18:29:59 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ard Biesheuvel X-Patchwork-Id: 94529 Delivered-To: patch@linaro.org Received: by 10.140.20.113 with SMTP id 104csp566225qgi; Sun, 26 Feb 2017 10:30:35 -0800 (PST) X-Received: by 10.84.213.137 with SMTP id g9mr19069173pli.114.1488133834990; Sun, 26 Feb 2017 10:30:34 -0800 (PST) Return-Path: Received: from ml01.01.org (ml01.01.org. [198.145.21.10]) by mx.google.com with ESMTPS id m15si13115425pli.332.2017.02.26.10.30.34 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 26 Feb 2017 10:30:34 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of edk2-devel-bounces@lists.01.org designates 198.145.21.10 as permitted sender) client-ip=198.145.21.10; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@linaro.org; spf=pass (google.com: best guess record for domain of edk2-devel-bounces@lists.01.org designates 198.145.21.10 as permitted sender) smtp.mailfrom=edk2-devel-bounces@lists.01.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 3B4C782123; Sun, 26 Feb 2017 10:30:34 -0800 (PST) X-Original-To: edk2-devel@lists.01.org Delivered-To: edk2-devel@lists.01.org Received: from mail-wm0-x22b.google.com (mail-wm0-x22b.google.com [IPv6:2a00:1450:400c:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id F180382101 for ; Sun, 26 Feb 2017 10:30:32 -0800 (PST) Received: by mail-wm0-x22b.google.com with SMTP id v77so47556583wmv.0 for ; Sun, 26 Feb 2017 10:30:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id; bh=n2lJPTQJl0TkKCoxhUiB4HPGc6DtLqXUENOS33IPkj8=; b=KXZZvBOEvl8/LDXM5tlLqO+vA9aO5/DSZ/4NwjH/YxN/sseqj/5fyLCgkovapAVUUM mscemWE4CBEiVYs0SBQsg57/7HqMVdzA2xN/0VH0xFl60bEcJxBqT7pB7Mj2nGk28vs9 BJXUXdyKR5g8SAJv25Gg2YkzoeKIR8O6aiWu0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=n2lJPTQJl0TkKCoxhUiB4HPGc6DtLqXUENOS33IPkj8=; b=mAhkroovC4pIjEFHrk3hU3kJdfFEucE1QIJVVFKg1PoCMySC+RiUgDE7z2yHupZqPp bQ2xsLJ3ThYsC0ki2TCS17mJWrxCkgshFEfMyd29dPwbfJdNd+hPEx+QT5g1toILvbqB T4gOAOZ/FgqX6b6tyBzhHxT1kSFuet7Hr5wI98iBh2Zm6tc/Rfp90O/kSwL0kWPOdy2a arHiGcxHE+GxuaMitJbYazIYh4GhAAOoWkDJ5hc40vR2JyeVYuQPZVrevFxfR7K9uWj7 HuSCtPkXf2b9FYq0DnaJXwyNDAV+LhCPYU03U7Ul6AVykdLJHorRf7/oAJzseliJ1YY+ 1qYg== X-Gm-Message-State: AMke39nrQk+VNgS6M884pw2s6v+XMfLOOn/JY1JIWmetCR0KzKeNYxLoyGLJ06RvjJh9GpD9 X-Received: by 10.28.125.212 with SMTP id y203mr2226195wmc.90.1488133831241; Sun, 26 Feb 2017 10:30:31 -0800 (PST) Received: from localhost.localdomain ([105.149.201.216]) by smtp.gmail.com with ESMTPSA id s103sm4499474wrc.6.2017.02.26.10.30.27 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sun, 26 Feb 2017 10:30:29 -0800 (PST) From: Ard Biesheuvel To: edk2-devel@lists.01.org, jiewen.yao@intel.com, leif.lindholm@linaro.org Date: Sun, 26 Feb 2017 18:29:59 +0000 Message-Id: <1488133805-4773-1-git-send-email-ard.biesheuvel@linaro.org> X-Mailer: git-send-email 2.7.4 Subject: [edk2] [PATCH v3 0/6] RFC: increased memory protection X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: feng.tian@intel.com, Ard Biesheuvel , afish@apple.com, liming.gao@Intel.com, michael.d.kinney@intel.com, lersek@redhat.com, star.zeng@intel.com MIME-Version: 1.0 Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" Hello all, This is a proof of concept implementation that removes all executable permissions from writable memory regions, which greatly enhances security. It is based on Jiewen's recent work, which is a step in the right direction, but still leaves most of memory exploitable due to the default R+W+X permissions. The idea is that the implementation of the CPU arch protocol goes over the memory map and removes exec permissions from all regions that are not already marked as 'code. This requires some preparatory work to ensure that the DxeCore itself is covered by a BootServicesCode region, not a BootServicesData region. Exec permissions are re-granted selectively, when the PE/COFF loader allocates the space for it. Combined with Jiewen's code/data split, this removes all RWX mapped regions. Changes since v2: - added patch to make EBC use EfiBootServicesCode pool allocations for thunks - redefine PCD according to Jiewen's feedback, including default value - use sorted memory map and merge adjacent entries with the same policy, to prevent unnecessary page table splitting - ignore policy when executing in SMM - refactor the logic for managing permission attributes of pool allocations - added some R-b's Changes since v1: - allocate code pages for PE/COFF images in PeiCore, so that DxeCore pages have the expected memory type (as suggested by Jiewen) - add patch to inhibit page table updates while syncing the GCD memory space map with the page tables - add PCD to set memory protection policy, which allows the policy for reserved and ACPI/NVS memory to be configured separately - move attribute manipulation into DxeCore page allocation code: this way, we should be able to solve the EBC case by allocating BootServicesCode pool memory explicitly. Series can be found here: https://git.linaro.org/people/ard.biesheuvel/uefi-next.git/log/?h=memprot-take2 Note that to test this properly, the default value of 0 should be changed to 0x7FD5, which applies non-exec permissions to everything except Efi*Code regions. Ard Biesheuvel (6): ArmPkg/CpuDxe: ignore attribute changes during SyncCacheConfig() MdeModulePkg/PeiCore: allocate BootServicesCode memory for PE/COFF images MdeModulePkg/EbcDxe: use EfiBootServicesCode memory for thunks MdeModulePkg/DxeCore: use separate lock for pool allocations MdeModulePkg: define PCD for DXE memory protection policy MdeModulePkg/DxeCore: implement memory protection policy ArmPkg/Drivers/CpuDxe/CpuDxe.c | 3 + ArmPkg/Drivers/CpuDxe/CpuDxe.h | 1 + ArmPkg/Drivers/CpuDxe/CpuMmuCommon.c | 4 + MdeModulePkg/Core/Dxe/DxeMain.h | 24 ++ MdeModulePkg/Core/Dxe/DxeMain.inf | 1 + MdeModulePkg/Core/Dxe/Mem/Page.c | 4 + MdeModulePkg/Core/Dxe/Mem/Pool.c | 60 +++- MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c | 306 +++++++++++++++++++- MdeModulePkg/Core/Pei/Image/Image.c | 10 +- MdeModulePkg/MdeModulePkg.dec | 31 ++ MdeModulePkg/Universal/EbcDxe/AArch64/EbcSupport.c | 2 +- MdeModulePkg/Universal/EbcDxe/EbcInt.c | 23 ++ MdeModulePkg/Universal/EbcDxe/EbcInt.h | 14 + MdeModulePkg/Universal/EbcDxe/Ia32/EbcSupport.c | 2 +- MdeModulePkg/Universal/EbcDxe/Ipf/EbcSupport.c | 2 +- MdeModulePkg/Universal/EbcDxe/X64/EbcSupport.c | 2 +- 16 files changed, 471 insertions(+), 18 deletions(-) -- 2.7.4 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel