From: Jian J Wang <jian.j.wang@intel.com>
To: edk2-devel@lists.01.org
Subject: [PATCH v2 0/4] Enable page table write protection
Date: Mon, 4 Dec 2017 16:35:52 +0800 [thread overview]
Message-ID: <20171204083556.19416-1-jian.j.wang@intel.com> (raw)
> v2 changes:
> a. Enable protection on any newly added page table after DxeIpl.
> b. Introduce page table pool concept to make page table allocation
> and protection easier and error free.
Write Protect feature (CR0.WP) is always enabled in driver UefiCpuPkg/CpuDxe.
But the memory pages used for page table are not set as read-only in the driver
DxeIplPeim, after the paging is setup. This might jeopardize the page table
integrity if there's buffer overflow occured in other part of system.
This patch series will change this situation by clearing R/W bit in page attribute
of the pages used as page table.
Validation works include booting Windows (10/server 2016) and Linux (Fedora/Ubuntu)
on OVMF and Intel real platform.
Jian J Wang (4):
MdeModulePkg/MdeModulePkg.dec: Add new PCDs and Guid
MdeModulePkg/PageTablePool.h: Page table pool GUID definition file
MdeModulePkg/DxeIpl: Mark page table as read-only
UefiCpuPkg/CpuDxe: Enable protection for newly added page table
MdeModulePkg/Core/DxeIplPeim/DxeIpl.h | 34 +++
MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf | 3 +
MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c | 8 +-
MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c | 315 +++++++++++++++++++++-
MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h | 15 ++
MdeModulePkg/Include/Guid/PageTablePool.h | 53 ++++
MdeModulePkg/MdeModulePkg.dec | 28 ++
UefiCpuPkg/CpuDxe/CpuDxe.c | 17 +-
UefiCpuPkg/CpuDxe/CpuDxe.h | 2 +
UefiCpuPkg/CpuDxe/CpuDxe.inf | 3 +
UefiCpuPkg/CpuDxe/CpuPageTable.c | 329 ++++++++++++++++++++++-
UefiCpuPkg/CpuDxe/CpuPageTable.h | 22 ++
12 files changed, 816 insertions(+), 13 deletions(-)
create mode 100644 MdeModulePkg/Include/Guid/PageTablePool.h
--
2.14.1.windows.1
next reply other threads:[~2017-12-04 8:31 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-04 8:35 Jian J Wang [this message]
2017-12-04 8:35 ` [PATCH v2 1/4] MdeModulePkg/MdeModulePkg.dec: Add new PCDs and Guid Jian J Wang
2017-12-04 8:35 ` [PATCH v2 2/4] MdeModulePkg/PageTablePool.h: Page table pool GUID definition file Jian J Wang
2017-12-04 8:35 ` [PATCH v2 3/4] MdeModulePkg/DxeIpl: Mark page table as read-only Jian J Wang
2017-12-04 8:35 ` [PATCH v2 4/4] UefiCpuPkg/CpuDxe: Enable protection for newly added page table Jian J Wang
2017-12-04 9:11 ` [PATCH v2 0/4] Enable page table write protection Zeng, Star
2017-12-04 9:26 ` Wang, Jian J
2017-12-05 2:26 ` Yao, Jiewen
2017-12-05 6:26 ` Wang, Jian J
2017-12-05 2:31 ` Yao, Jiewen
2017-12-05 6:41 ` Wang, Jian J
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171204083556.19416-1-jian.j.wang@intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox