From: Jiewen Yao <jiewen.yao@intel.com>
To: edk2-devel@lists.01.org
Cc: Jeff Fan <jeff.fan@intel.com>,
	Michael Kinney <michael.d.kinney@intel.com>,
	Leif Lindholm <leif.lindholm@linaro.org>,
	Ard Biesheuvel <ard.biesheuvel@linaro.org>,
	Star Zeng <star.zeng@intel.com>, Feng Tian <feng.tian@intel.com>
Subject: [PATCH V4 0/3] DXE Memory Protection
Date: Tue, 21 Feb 2017 14:57:06 +0800	[thread overview]
Message-ID: <1487660229-4820-1-git-send-email-jiewen.yao@intel.com> (raw)

==== V4 ====
1) Remove ARM patch. (Which was already submitted by Ard Biesheuvel in another series)
2) Unprotect RT image at ExitBootServices (feedback from Ard Biesheuvel)
3) Round up the ImageSize on protection (feedback from Ard Biesheuvel)

==== V3 ====
1) Add PCD for policy control (feedback from Ard Biesheuvel)
(Discussed with Mike Kinney)
+  #    BIT0       - Image from unknown device. <BR>
+  #    BIT1       - Image from firmware volume.<BR>
+  # @Prompt Set image protection policy.
+  # @ValidRange 0x80000002 | 0x00000000 - 0x0000001F
+  gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x00000002|UINT32|0x00001047
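Review bot: the @ValidRange of 0x00000000 - 0x0000001F admits BIT2 through BIT4, but the comment above it only documents BIT0 (image from unknown device) and BIT1 (image from firmware volume), so a platform setting an undefined bit passes validation with no stated meaning; either document the remaining bits (for example as reserved, must be zero) or tighten the range to 0x00000000 - 0x00000003 so undefined policy bits are rejected at build time. Minor: the two description lines end inconsistently (`device. <BR>` versus `volume.<BR>`).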

2) Remove unused function in CpuDxe.(feedback from Liming Gao)
3) Add commit log on link option assumption (feedback from Feng Tian)
4) Rename file PageTableLib.h/.c to CpuPageTable.h/.c file (from Jeff Fan)
5) Remove multi-entrypoint usage (from Liming Gao/Mike Kinney)

==== V2 ====
1) Clean up ArmPkg, (feedback from Leif Lindholm)

==== V1 ====
This patch series provides the capability to protect PE/COFF images
in DXE memory.
If the UEFI image is page aligned, the image code section is set to read
only and the image data section is set to non-executable.

The DxeCore calls CpuArchProtocol->SetMemoryAttributes() to protect
the image.

Tested platform: NT32/Quark IA32/OVMF IA32/OVMF IA32X64/Intel internal X64
Tested OS: UEFI Win10, UEFI Ubuntu 16.04.

Untested platform: ARM/AARCH64.
Can the ARM/AARCH64 owners help take a look and try it on the ARM platform?


Cc: Jeff Fan <jeff.fan@intel.com>
Cc: Michael Kinney <michael.d.kinney@intel.com>
Cc: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Feng Tian <feng.tian@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>


Jiewen Yao (3):
  UefiCpuPkg/CpuDxe: Add memory attribute setting.
  MdeModulePkg/dec: add PcdImageProtectionPolicy.
  MdeModulePkg/DxeCore: Add UEFI image protection.

 MdeModulePkg/Core/Dxe/DxeMain.h               |  61 ++
 MdeModulePkg/Core/Dxe/DxeMain.inf             |   5 +-
 MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c       |   5 +-
 MdeModulePkg/Core/Dxe/Image/Image.c           |   7 +-
 MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c | 769 +++++++++++++++++++
 MdeModulePkg/Core/Dxe/Misc/PropertiesTable.c  |  24 +-
 MdeModulePkg/MdeModulePkg.dec                 |  10 +
 UefiCpuPkg/CpuDxe/CpuDxe.c                    | 141 ++--
 UefiCpuPkg/CpuDxe/CpuDxe.inf                  |   5 +-
 UefiCpuPkg/CpuDxe/CpuPageTable.c              | 779 ++++++++++++++++++++
 UefiCpuPkg/CpuDxe/CpuPageTable.h              | 113 +++
 11 files changed, 1832 insertions(+), 87 deletions(-)
 create mode 100644 MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c
 create mode 100644 UefiCpuPkg/CpuDxe/CpuPageTable.c
 create mode 100644 UefiCpuPkg/CpuDxe/CpuPageTable.h

-- 
2.7.4.windows.1
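The protection policy the cover letter describes (image must be page aligned, code sections set read-only, everything else set non-executable, sizes rounded up to whole pages as changed in V4), worked through as a standalone C example. This is added here and is not code from the series; SECTION, PROT_RANGE, Emit and PlanImageProtection are hypothetical names, while the EFI_MEMORY_* and PE section flag values are the standard UEFI/PE constants.

```c
/* Added example, not code from the edk2 series: derive the attribute requests
 * a DXE core would pass to CpuArchProtocol->SetMemoryAttributes() for one
 * loaded image, following the policy described in the cover letter (code
 * read-only, everything else non-executable) and the V4 rule of rounding sizes
 * up to whole pages. Names are hypothetical; the EFI_MEMORY_* and PE section
 * flag values are the standard UEFI/PE constants. */
#include <stdint.h>
#include <stddef.h>

#define EFI_PAGE_SIZE      0x1000ULL
#define EFI_MEMORY_XP      0x0000000000004000ULL
#define EFI_MEMORY_RO      0x0000000000020000ULL
#define IMAGE_SCN_CNT_CODE 0x00000020U

typedef struct { uint64_t Rva; uint64_t Size; uint32_t Characteristics; } SECTION;
typedef struct { uint64_t Base; uint64_t Size; uint64_t Attr; } PROT_RANGE;

static uint64_t RoundUpPage(uint64_t Size) {
  return (Size + EFI_PAGE_SIZE - 1) & ~(EFI_PAGE_SIZE - 1);
}

static int Emit(PROT_RANGE *Out, size_t Max, size_t *N, uint64_t Base, uint64_t Size, uint64_t Attr) {
  if (Size == 0) return 0;             /* nothing to protect in an empty gap */
  if (*N >= Max) return -1;
  Out[*N].Base = Base; Out[*N].Size = Size; Out[*N].Attr = Attr; (*N)++;
  return 0;
}

/* Sections must be sorted by Rva. Returns the number of ranges written, or -1
 * when the image is not page aligned: the series leaves such images unprotected
 * rather than protecting them partially. Gaps between code sections (headers,
 * data, bss) become XP and code sections become RO, so no page gets both. */
int PlanImageProtection(uint64_t ImageBase, uint64_t ImageSize, uint32_t SectionAlignment,
                        const SECTION *Sec, size_t Count, PROT_RANGE *Out, size_t MaxOut) {
  size_t i, n = 0;
  uint64_t Cursor = ImageBase, End = ImageBase + RoundUpPage(ImageSize);
  if ((ImageBase & (EFI_PAGE_SIZE - 1)) != 0 || SectionAlignment < EFI_PAGE_SIZE) return -1;
  for (i = 0; i < Count; i++) {
    uint64_t Start, Stop;
    if ((Sec[i].Characteristics & IMAGE_SCN_CNT_CODE) == 0) continue;
    Start = ImageBase + Sec[i].Rva;
    Stop  = Start + RoundUpPage(Sec[i].Size);
    if ((Start & (EFI_PAGE_SIZE - 1)) != 0 || Start < Cursor || Stop > End) return -1;
    if (Emit(Out, MaxOut, &n, Cursor, Start - Cursor, EFI_MEMORY_XP) < 0) return -1;
    if (Emit(Out, MaxOut, &n, Start, Stop - Start, EFI_MEMORY_RO) < 0) return -1;
    Cursor = Stop;
  }
  if (Emit(Out, MaxOut, &n, Cursor, End - Cursor, EFI_MEMORY_XP) < 0) return -1;
  return (int)n;
}
```

An image linked with a section alignment below 4 KiB (the link option assumption noted in V3) fails the alignment check and is reported as unprotectable, which is the case the series skips.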



2017-02-21  6:57 Jiewen Yao [this message]
2017-02-21  6:57 ` [PATCH V4 1/3] UefiCpuPkg/CpuDxe: Add memory attribute setting Jiewen Yao
2017-03-09 11:52   ` Anthony PERARD
2017-03-10  1:02     ` Fan, Jeff
2017-03-10 15:21       ` Anthony PERARD
2017-03-13  1:58         ` Fan, Jeff
2017-02-21  6:57 ` [PATCH V4 2/3] MdeModulePkg/dec: add PcdImageProtectionPolicy Jiewen Yao
2017-02-21  6:57 ` [PATCH V4 3/3] MdeModulePkg/DxeCore: Add UEFI image protection Jiewen Yao
2017-02-21  7:23 ` [PATCH V4 0/3] DXE Memory Protection Fan, Jeff
2017-02-21  8:36 ` Ard Biesheuvel
2017-02-21  8:39   ` Yao, Jiewen
2017-02-21 17:25     ` Ard Biesheuvel