From patchwork Tue Mar 21 09:23:28 2017
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 95610
From: Ard Biesheuvel
To: edk2-devel@lists.01.org, lersek@redhat.com
Cc: sigmaepsilon92@gmail.com, Ard Biesheuvel
Date: Tue, 21 Mar 2017 09:23:28 +0000
Message-Id: <1490088209-8564-2-git-send-email-ard.biesheuvel@linaro.org>
In-Reply-To: <1490088209-8564-1-git-send-email-ard.biesheuvel@linaro.org>
References: <1490088209-8564-1-git-send-email-ard.biesheuvel@linaro.org>
Subject: [edk2] [PATCH 1/2] ArmVirtPkg/HighMemDxe: use CPU arch protocol to apply memprotect policy

Instead of invoking gDS->SetMemorySpaceAttributes to set the EFI_MEMORY_XP
attribute on newly added regions, which is guaranteed to fail if the same
attribute was not declared as a capability of the region when it was added,
invoke the CPU arch protocol directly to set the EFI_MEMORY_XP attribute if
our memory protection policy demands it.

Reported-by: Michael Zimmermann
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel
---
 ArmVirtPkg/HighMemDxe/HighMemDxe.c   | 31 +++++++++++++++-----
 ArmVirtPkg/HighMemDxe/HighMemDxe.inf |  1 +
 2 files changed, 25 insertions(+), 7 deletions(-)

--
2.7.4

Reviewed-by: Laszlo Ersek

diff --git a/ArmVirtPkg/HighMemDxe/HighMemDxe.c b/ArmVirtPkg/HighMemDxe/HighMemDxe.c index f70978f6414f..4e41120deff3 100644 --- a/ArmVirtPkg/HighMemDxe/HighMemDxe.c +++ b/ArmVirtPkg/HighMemDxe/HighMemDxe.c @@ -20,6 +20,7 @@ #include #include +#include #include EFI_STATUS 
@@ -30,6 +31,7 @@ InitializeHighMemDxe ( ) { FDT_CLIENT_PROTOCOL *FdtClient; + EFI_CPU_ARCH_PROTOCOL *Cpu; EFI_STATUS Status, FindNodeStatus; INT32 Node; CONST UINT32 *Reg; @@ -43,6 +45,10 @@ InitializeHighMemDxe ( (VOID **)&FdtClient); ASSERT_EFI_ERROR (Status); + Status = gBS->LocateProtocol (&gEfiCpuArchProtocolGuid, NULL, + (VOID **)&Cpu); + ASSERT_EFI_ERROR (Status); + // // Check for memory node and add the memory spaces except the lowest one // @@ -78,13 +84,24 @@ InitializeHighMemDxe ( continue; } + Status = gDS->SetMemorySpaceAttributes (CurBase, CurSize, + EFI_MEMORY_WB); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_WARN, + "%a: gDS->SetMemorySpaceAttributes() failed on region 0x%lx - 0x%lx (%r)\n", + __FUNCTION__, CurBase, CurBase + CurSize - 1, Status)); + } + + // + // Due to the ambiguous nature of the RO/XP GCD memory space attributes, + // it is impossible to add a memory space with the XP attribute in a way + // that does not result in the XP attribute being set on *all* UEFI + // memory map entries that are carved from it, including code regions + // that require executable permissions. // - // Take care not to strip any permission attributes that will have been - // set by DxeCore on the region we just added if a strict permission - // policy is in effect for EfiConventionalMemory regions. - // Unfortunately, we cannot interrogate the GCD memory space map for - // those permissions, since they are not recorded there (for historical - // reasons), so check the policy directly. + // So instead, we never set the RO/XP attributes in the GCD memory space + // capabilities or attribute fields, and apply any protections directly + // on the page table mappings by going through the cpu arch protocol. // Attributes = EFI_MEMORY_WB; if ((PcdGet64 (PcdDxeNxMemoryProtectionPolicy) & 
@@ -92,7 +109,7 @@ InitializeHighMemDxe ( Attributes |= EFI_MEMORY_XP; } - Status = gDS->SetMemorySpaceAttributes (CurBase, CurSize, Attributes); + Status = Cpu->SetMemoryAttributes (Cpu, CurBase, CurSize, Attributes); if (EFI_ERROR (Status)) { DEBUG ((EFI_D_ERROR, diff --git a/ArmVirtPkg/HighMemDxe/HighMemDxe.inf b/ArmVirtPkg/HighMemDxe/HighMemDxe.inf index 89c743ebe058..ac1761974f52 100644 --- a/ArmVirtPkg/HighMemDxe/HighMemDxe.inf +++ b/ArmVirtPkg/HighMemDxe/HighMemDxe.inf 
@@ -41,6 +41,7 @@ [LibraryClasses] UefiDriverEntryPoint [Protocols] + gEfiCpuArchProtocolGuid ## CONSUMES gFdtClientProtocolGuid ## CONSUMES [Pcd]

From patchwork Tue Mar 21 09:23:29 2017
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 95611
From: Ard Biesheuvel
To: edk2-devel@lists.01.org, lersek@redhat.com
Cc: sigmaepsilon92@gmail.com, Ard Biesheuvel
Date: Tue, 21 Mar 2017 09:23:29 +0000
Message-Id: <1490088209-8564-3-git-send-email-ard.biesheuvel@linaro.org>
In-Reply-To: <1490088209-8564-1-git-send-email-ard.biesheuvel@linaro.org>
References: <1490088209-8564-1-git-send-email-ard.biesheuvel@linaro.org>
Subject: [edk2] [PATCH 2/2] ArmVirtPkg/HighMemDxe: check new regions against GCD memory space map

Instead of looking at the PCD gArmTokenSpaceGuid.PcdSystemMemoryBase to
decide which DT node covers the memory we are already using, query the GCD
memory space map, which is the authoritative source for this kind of
information.

This fixes a problem observed by Michael on platforms where this PCD is of
the 'Patchable' type, which means updates to its value do not propagate to
other modules.

Reported-by: Michael Zimmermann
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel
---
 ArmVirtPkg/HighMemDxe/HighMemDxe.c   | 30 +++++++++++++-------
 ArmVirtPkg/HighMemDxe/HighMemDxe.inf |  1 -
 2 files changed, 19 insertions(+), 12 deletions(-)

--
2.7.4

Reviewed-by: Laszlo Ersek

diff --git a/ArmVirtPkg/HighMemDxe/HighMemDxe.c b/ArmVirtPkg/HighMemDxe/HighMemDxe.c index 4e41120deff3..aa3f5f6d8956 100644 --- a/ArmVirtPkg/HighMemDxe/HighMemDxe.c +++ b/ArmVirtPkg/HighMemDxe/HighMemDxe.c 
@@ -30,16 +30,17 @@ InitializeHighMemDxe ( IN EFI_SYSTEM_TABLE *SystemTable ) { - FDT_CLIENT_PROTOCOL *FdtClient; - EFI_CPU_ARCH_PROTOCOL *Cpu; - EFI_STATUS Status, FindNodeStatus; - INT32 Node; - CONST UINT32 *Reg; - UINT32 RegSize; - UINTN AddressCells, SizeCells; - UINT64 CurBase; - UINT64 CurSize; - UINT64 Attributes; + FDT_CLIENT_PROTOCOL *FdtClient; + EFI_CPU_ARCH_PROTOCOL *Cpu; + EFI_STATUS Status, FindNodeStatus; + INT32 Node; + CONST UINT32 *Reg; + UINT32 RegSize; + UINTN AddressCells, SizeCells; + UINT64 CurBase; + UINT64 CurSize; + UINT64 Attributes; + EFI_GCD_MEMORY_SPACE_DESCRIPTOR GcdDescriptor; Status = gBS->LocateProtocol (&gFdtClientProtocolGuid, NULL, (VOID **)&FdtClient); @@ -73,7 +74,14 @@ InitializeHighMemDxe ( } RegSize -= (AddressCells + SizeCells) * sizeof (UINT32); - if (PcdGet64 (PcdSystemMemoryBase) != CurBase) { + Status = gDS->GetMemorySpaceDescriptor (CurBase, &GcdDescriptor); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_WARN, + "%a: Region 0x%lx - 0x%lx not found in the GCD memory space map\n", + __FUNCTION__, CurBase, CurBase + CurSize - 1)); + continue; + } + if (GcdDescriptor.GcdMemoryType == EfiGcdMemoryTypeNonExistent) { Status = gDS->AddMemorySpace (EfiGcdMemoryTypeSystemMemory, CurBase, CurSize, EFI_MEMORY_WB); diff --git a/ArmVirtPkg/HighMemDxe/HighMemDxe.inf b/ArmVirtPkg/HighMemDxe/HighMemDxe.inf index ac1761974f52..a7072e38d09d 100644 --- a/ArmVirtPkg/HighMemDxe/HighMemDxe.inf +++ b/ArmVirtPkg/HighMemDxe/HighMemDxe.inf @@ -45,7 +45,6 @@ [Protocols] gFdtClientProtocolGuid ## CONSUMES [Pcd] - gArmTokenSpaceGuid.PcdSystemMemoryBase gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy [Depex]
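
Review bot: in patch 1/2, hunk @@ -43,6 +45,10 @@ of HighMemDxe.c, the result of gBS->LocateProtocol (&gEfiCpuArchProtocolGuid, NULL, (VOID **)&Cpu) is checked only with ASSERT_EFI_ERROR (Status), which does nothing in builds where asserts are disabled, so a failed lookup leaves Cpu unset when Cpu->SetMemoryAttributes is called further down. This follows the existing FdtClient lookup just above it, but the new pointer is dereferenced on the path that applies the NX policy, so either return Status on failure or confirm that gEfiCpuArchProtocolGuid is listed in the [Depex] section of HighMemDxe.inf. The .inf hunk in this patch adds the GUID under [Protocols] only, and the [Depex] contents are not visible in either patch.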
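
Review bot: in patch 1/2, hunk @@ -78,13 +84,24 @@ of HighMemDxe.c, a failure of gDS->SetMemorySpaceAttributes (CurBase, CurSize, EFI_MEMORY_WB) is only logged and execution falls through to the Cpu->SetMemoryAttributes call in the following hunk, so the page table mappings are changed for a region whose GCD attributes could not be set. If that is intended, the new comment should say so; otherwise add a continue after the DEBUG, as the failure path immediately above these added lines does. The new message is also logged at DEBUG_WARN while the existing failure message after the Cpu->SetMemoryAttributes call uses EFI_D_ERROR; a single level for both attribute failures would make them easier to find in a boot log when checking that EFI_MEMORY_XP was actually applied.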
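
Review bot: in patch 2/2, hunk @@ -73,7 +74,14 @@ of HighMemDxe.c, gDS->GetMemorySpaceDescriptor (CurBase, &GcdDescriptor) returns the GCD entry that contains CurBase only, so the GcdDescriptor.GcdMemoryType == EfiGcdMemoryTypeNonExistent test says nothing about the rest of the range up to CurBase + CurSize - 1. A DT region that starts in non-existent space and runs into an entry of another type passes this check and then depends on gDS->AddMemorySpace rejecting it. Consider also checking that CurBase + CurSize does not exceed GcdDescriptor.BaseAddress + GcdDescriptor.Length before adding. No else branch is visible in this hunk, so a region whose base is already present in the map appears to be skipped without any message; a DEBUG line there would match the warning added for the lookup failure.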