From: Ard Biesheuvel
To: edk2-devel@lists.01.org, afish@apple.com, leif.lindholm@linaro.org, michael.d.kinney@intel.com, liming.gao@intel.com, jiewen.yao@intel.com
Cc: feng.tian@intel.com, lersek@redhat.com, star.zeng@intel.com, Ard Biesheuvel
Date: Wed, 22 Feb 2017 18:24:55 +0000
Subject: [edk2] [RFC PATCH 1/4] MdeModulePkg/DxeCore: allow BootServicesData->BootServicesCode conversion

Unlike all other PE/COFF images loaded after it, the DXE core is loaded into BootServicesData memory rather than BootServicesCode memory, due to the fact that the PEI phase memory allocation routines only distinguish between boot-time and runtime. So in preparation of adding support for restricted permissions, allow the direct conversion of BootServicesData to BootServicesCode.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel
---
 MdeModulePkg/Core/Dxe/Mem/Page.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--
2.7.4
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

diff --git a/MdeModulePkg/Core/Dxe/Mem/Page.c b/MdeModulePkg/Core/Dxe/Mem/Page.c index bda4f6397e91..b0939c596991 100644 --- a/MdeModulePkg/Core/Dxe/Mem/Page.c +++ b/MdeModulePkg/Core/Dxe/Mem/Page.c
@@ -773,7 +773,8 @@ CoreConvertPagesEx ( // // Debug code - verify conversion is allowed // - if (!(NewType == EfiConventionalMemory ? 1 : 0) ^ (Entry->Type == EfiConventionalMemory ? 1 : 0)) { + if (!(NewType == EfiConventionalMemory ? 1 : 0) ^ (Entry->Type == EfiConventionalMemory ? 1 : 0) && + !(NewType == EfiBootServicesCode && Entry->Type == EfiBootServicesData)) { DEBUG ((DEBUG_ERROR | DEBUG_PAGE, "ConvertPages: Incompatible memory types\n")); return EFI_NOT_FOUND; }
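
Review bot: The new exception in the type check of `CoreConvertPagesEx` (patch 1/4, Page.c) is unconditional, so every caller can now retype any BootServicesData range as BootServicesCode, not only the DXE core image that the commit message is about. Since patch 4/4 of this series decides executability from the Code types, consider limiting the exemption to the DXE core's own range, or doing the retyping in a dedicated helper, and extend the "Debug code - verify conversion is allowed" comment to mention the exception. The condition also now mixes `^` and `&&` without grouping; it parses as the XOR term AND-ed with the new test, as intended, but explicit parentheses around the XOR term would make that obvious.
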
From: Ard Biesheuvel
To: edk2-devel@lists.01.org, afish@apple.com, leif.lindholm@linaro.org, michael.d.kinney@intel.com, liming.gao@intel.com, jiewen.yao@intel.com
Cc: feng.tian@intel.com, lersek@redhat.com, star.zeng@intel.com, Ard Biesheuvel
Date: Wed, 22 Feb 2017 18:24:56 +0000
Subject: [edk2] [RFC PATCH 2/4] MdeModulePkg/DxeCore: convert the DxeCore memory region to BootServicesCode

Before removing exec permissions from all non-code regions, ensure that the DXE core itself is covered by a BootServicesCode region, by adding a new function ConvertDxeCoreImage () and calling it at the right time from DxeMain ().

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel
---
 MdeModulePkg/Core/Dxe/DxeMain.h | 8 ++++++++
 MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c | 2 ++
 MdeModulePkg/Core/Dxe/Mem/Page.c | 15 +++++++++++++++
 3 files changed, 25 insertions(+)

diff --git a/MdeModulePkg/Core/Dxe/DxeMain.h b/MdeModulePkg/Core/Dxe/DxeMain.h index b14be9a74d8e..300f19a3aa58 100644 --- a/MdeModulePkg/Core/Dxe/DxeMain.h +++ b/MdeModulePkg/Core/Dxe/DxeMain.h @@ -2949,4 +2949,12 @@ MemoryProtectionExitBootServicesCallback ( VOID ); +/** + Convert DXE core image to BootServicesCode memory +**/ +VOID +ConvertDxeCoreImage ( + VOID + ); + #endif
diff --git a/MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c b/MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c index 91e94a78d205..d3a873e737b1 100644 --- a/MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c +++ b/MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c @@ -396,6 +396,8 @@ DxeMain ( MemoryProfileInstallProtocol (); + ConvertDxeCoreImage (); + CoreInitializePropertiesTable (); CoreInitializeMemoryAttributesTable (); CoreInitializeMemoryProtection (); diff --git a/MdeModulePkg/Core/Dxe/Mem/Page.c b/MdeModulePkg/Core/Dxe/Mem/Page.c index b0939c596991..73b56fccf965 100644 --- a/MdeModulePkg/Core/Dxe/Mem/Page.c +++ b/MdeModulePkg/Core/Dxe/Mem/Page.c 
@@ -1951,8 +1951,23 @@ Done: } +VOID +ConvertDxeCoreImage ( + VOID + ) +{ + CoreAcquireMemoryLock (); + // + // Convert the memory region that backs the DXE core to a 'code' region, so + // that the strict permissions handling doesn't take our exec permissions + // away. + // + CoreConvertPages ((UINTN)gDxeCoreLoadedImage->ImageBase, + EFI_SIZE_TO_PAGES (gDxeCoreLoadedImage->ImageSize), EfiBootServicesCode); + CoreReleaseMemoryLock (); +}
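
Review bot: In `ConvertDxeCoreImage ()` (patch 2/4, Page.c) the return value of `CoreConvertPages ()` is discarded. If the conversion is rejected, the DXE core stays in a BootServicesData region and nothing reports it, which matters once non-code regions lose their exec permission in patch 4/4. Capture the status and follow the call with `ASSERT_EFI_ERROR (Status);` or a DEBUG_ERROR message. `ImageBase` is also passed through as-is while the size is rounded with `EFI_SIZE_TO_PAGES`; an ASSERT or a comment stating that the base is page aligned would help, and the function definition lacks the comment block that its declaration in DxeMain.h has.
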
From: Ard Biesheuvel
To: edk2-devel@lists.01.org, afish@apple.com, leif.lindholm@linaro.org, michael.d.kinney@intel.com, liming.gao@intel.com, jiewen.yao@intel.com
Cc: feng.tian@intel.com, lersek@redhat.com, star.zeng@intel.com, Ard Biesheuvel
Date: Wed, 22 Feb 2017 18:24:57 +0000
Subject: [edk2] [RFC PATCH 3/4] MdeModulePkg/DxeCore: lift non-exec permissions on loaded images

To ensure that loaded PE/COFF images are executable regardless of the protection policy and the section alignment, clear all permission restrictions when loading PE/COFF images. Subsequently, permissions may be restricted again if the protection policy and section alignment allow it.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel
---
 MdeModulePkg/Core/Dxe/Image/Image.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/MdeModulePkg/Core/Dxe/Image/Image.c b/MdeModulePkg/Core/Dxe/Image/Image.c index 652da8bf1075..cab06e821e39 100644 --- a/MdeModulePkg/Core/Dxe/Image/Image.c +++ b/MdeModulePkg/Core/Dxe/Image/Image.c
@@ -644,6 +644,14 @@ CoreLoadPeImage ( InvalidateInstructionCacheRange ((VOID *)(UINTN)Image->ImageContext.ImageAddress, (UINTN)Image->ImageContext.ImageSize); // + // Remove any permission restrictions. + // + if (gCpu != NULL) { + gCpu->SetMemoryAttributes (gCpu, Image->ImageContext.ImageAddress, + Image->ImageContext.ImageSize, 0); + } + + // // Copy the machine type from the context to the image private data. This // is needed during image unload to know if we should call an EBC protocol // to unload the image.
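
Review bot: The status returned by `gCpu->SetMemoryAttributes ()` in `CoreLoadPeImage ()` (patch 3/4, Image.c) is ignored, so a failure to lift the restrictions goes unnoticed at load time. Check it and at least log it at DEBUG_ERROR. Passing 0 also clears every restriction over the whole `ImageAddress`/`ImageSize` range, data sections included, so the image is writable and executable until the protection policy tightens it again; the "Remove any permission restrictions." comment should say that this is the intended interim state and where the restrictions are re-applied.
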
From: Ard Biesheuvel
To: edk2-devel@lists.01.org, afish@apple.com, leif.lindholm@linaro.org, michael.d.kinney@intel.com, liming.gao@intel.com, jiewen.yao@intel.com
Cc: feng.tian@intel.com, lersek@redhat.com, star.zeng@intel.com, Ard Biesheuvel
Date: Wed, 22 Feb 2017 18:24:58 +0000
Subject: [edk2] [RFC PATCH 4/4] ArmPkg/CpuDxe: remap all data regions non-executable

When installing the CPU arch protocol, iterate over the UEFI memory map and remove the executable permissions from each encountered non-code region. Those will be re-added later selectively, to the extent required according to the image protection policy and section alignment. With a strict image protection policy in place, this all but eliminates any regions that are mapped both writable and executable, which is a significant improvement in security.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel
---
 ArmPkg/Drivers/CpuDxe/CpuDxe.c | 76 ++++++++++++++++++++
 1 file changed, 76 insertions(+)

diff --git a/ArmPkg/Drivers/CpuDxe/CpuDxe.c b/ArmPkg/Drivers/CpuDxe/CpuDxe.c index 7d328d096b1e..dd3bf44a00b3 100644 --- a/ArmPkg/Drivers/CpuDxe/CpuDxe.c +++ b/ArmPkg/Drivers/CpuDxe/CpuDxe.c @@ -15,6 +15,9 @@ #include "CpuDxe.h" +#include +#include + #include
@@ -237,6 +240,74 @@ InitializeDma ( CpuArchProtocol->DmaBufferAlignment = ArmCacheWritebackGranule (); } +STATIC +VOID +RemapAllDataRegionsNonExec ( + VOID + ) +{ + UINTN MemoryMapSize; + UINTN MapKey; + UINTN DescriptorSize; + UINT32 DescriptorVersion; + EFI_MEMORY_DESCRIPTOR *MemoryMap; + EFI_MEMORY_DESCRIPTOR *MemoryMapEntry; + EFI_MEMORY_DESCRIPTOR *MemoryMapEnd; + EFI_STATUS Status; + + // + // Iterate over the memory map, and remove execute permissions from all + // memory regions that are not BootServiceCode or RuntimeServicesCode. + // + + // + // Get the EFI memory map. + // + MemoryMapSize = 0; + MemoryMap = NULL; + + Status = gBS->GetMemoryMap ( + &MemoryMapSize, + MemoryMap, + &MapKey, + &DescriptorSize, + &DescriptorVersion + ); + ASSERT (Status == EFI_BUFFER_TOO_SMALL); + do { + MemoryMap = (EFI_MEMORY_DESCRIPTOR *) AllocatePool (MemoryMapSize); + ASSERT (MemoryMap != NULL); + Status = gBS->GetMemoryMap ( + &MemoryMapSize, + MemoryMap, + &MapKey, + &DescriptorSize, + &DescriptorVersion + ); + if (EFI_ERROR (Status)) { + FreePool (MemoryMap); + } + } while (Status == EFI_BUFFER_TOO_SMALL); + ASSERT_EFI_ERROR (Status); + + MemoryMapEntry = MemoryMap; + MemoryMapEnd = (EFI_MEMORY_DESCRIPTOR *) ((UINT8 *) MemoryMap + MemoryMapSize); + while ((UINTN) MemoryMapEntry < (UINTN) MemoryMapEnd) { + if ((MemoryMapEntry->Type != EfiBootServicesCode) && + (MemoryMapEntry->Type != EfiRuntimeServicesCode)) { + + CpuSetMemoryAttributes (&mCpu, MemoryMapEntry->PhysicalStart, + EFI_PAGES_TO_SIZE(MemoryMapEntry->NumberOfPages), EFI_MEMORY_XP); + DEBUG((DEBUG_ERROR, "%a: removing exec permissions from 0x%lx - 0x%lx (Type == 0x%x)\n", + __FUNCTION__, MemoryMapEntry->PhysicalStart, + MemoryMapEntry->PhysicalStart + EFI_PAGES_TO_SIZE(MemoryMapEntry->NumberOfPages) - 1, + MemoryMapEntry->Type)); + } + MemoryMapEntry = NEXT_MEMORY_DESCRIPTOR (MemoryMapEntry, DescriptorSize); + } + FreePool (MemoryMap); +} + EFI_STATUS CpuDxeInitialize ( IN EFI_HANDLE ImageHandle, 
@@ -264,6 +335,11 @@ CpuDxeInitialize ( // SyncCacheConfig (&mCpu); + // + // Remap all conventional memory as non-executable. + // + RemapAllDataRegionsNonExec (); + // If the platform is a MPCore system then install the Configuration Table describing the // secondary core states if (ArmIsMpCore()) {
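
Review bot: Error handling in `RemapAllDataRegionsNonExec ()` (patch 4/4, CpuDxe.c) depends entirely on ASSERT. When the `GetMemoryMap ()` call inside the loop fails with anything other than EFI_BUFFER_TOO_SMALL, `MemoryMap` is freed and the loop exits; if `ASSERT_EFI_ERROR (Status)` is compiled out, the code then walks the freed buffer and frees it a second time. Likewise a NULL from `AllocatePool ()` is only caught by `ASSERT (MemoryMap != NULL)`. Return early on both conditions instead. Two smaller points: the result of `CpuSetMemoryAttributes ()` is dropped, and the per-region message is informational, so DEBUG_INFO or DEBUG_VERBOSE fits better than DEBUG_ERROR.
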
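
Review bot: The comment above the `RemapAllDataRegionsNonExec ();` call in `CpuDxeInitialize ()` (patch 4/4, CpuDxe.c) says "Remap all conventional memory as non-executable", but the function strips exec permission from every region whose type is not EfiBootServicesCode or EfiRuntimeServicesCode, which is wider than conventional memory. Reword the comment to match what the call does. It is also worth stating here that the remap works on a snapshot of the memory map taken at this point in initialization.
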