* [PATCH v4 0/2] Enable page table write protection @ 2017-12-07 11:32 Jian J Wang 2017-12-07 11:32 ` [PATCH v4 1/2] MdeModulePkg/DxeIpl: Mark page table as read-only Jian J Wang 2017-12-07 11:32 ` [PATCH v4 2/2] UefiCpuPkg/CpuDxe: Enable protection for newly added page table Jian J Wang 0 siblings, 2 replies; 5+ messages in thread From: Jian J Wang @ 2017-12-07 11:32 UTC (permalink / raw) To: edk2-devel > v4 changes: >MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c | 22 ++++++++++----------- > MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h | 2 +- > UefiCpuPkg/CpuDxe/CpuPageTable.c | 25 +++++++++++------------- > UefiCpuPkg/CpuDxe/CpuPageTable.h | 2 +- > 4 files changed, 23 insertions(+), 28 deletions(-) > >diff --git a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c >index 4ef3521224..038aa0d127 100644 >--- a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c >+++ b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c >@@ -126,12 +126,13 @@ EnableExecuteDisableBit ( > Initialize a buffer pool for page table use only. > > To reduce the potential split operation on page table, the pages reserved for >- page table should be allocated in the times of 512 (= SIZE_2MB) and at the >- boundary of SIZE_2MB. So the page pool is always initialized with number of >- pages greater than or equal to the given PoolPages. >+ page table should be allocated in the times of PAGE_TABLE_POOL_UNIT_PAGES and >+ at the boundary of PAGE_TABLE_POOL_ALIGNMENT. So the page pool is always >+ initialized with number of pages greater than or equal to the given PoolPages. > > Once the pages in the pool are used up, this method should be called again to >- reserve at least another 512 pages. But usually this won't happen in practice. >+ reserve at least another PAGE_TABLE_POOL_UNIT_PAGES. But usually this won't >+ happen in practice. > > @param PoolPages The least page number of the pool to be created. > >@@ -146,15 +147,12 @@ InitializePageTablePool ( > VOID *Buffer; > > // >- // Always reserve at least PAGE_TABLE_POOL_UNIT_PAGES (512). >+ // Always reserve at least PAGE_TABLE_POOL_UNIT_PAGES, including one page for >+ // header. > // >- if (PoolPages <= PAGE_TABLE_POOL_UNIT_PAGES) { >- PoolPages = PAGE_TABLE_POOL_UNIT_PAGES; >- } else { >- PoolPages = ((PoolPages + PAGE_TABLE_POOL_UNIT_PAGES) % >- PAGE_TABLE_POOL_UNIT_PAGES) * PAGE_TABLE_POOL_UNIT_PAGES; >- } >- >+ PoolPages += 1; // Add one page for header. >+ PoolPages = ((PoolPages - 1) / PAGE_TABLE_POOL_UNIT_PAGES + 1) * >+ PAGE_TABLE_POOL_UNIT_PAGES; > Buffer = AllocateAlignedPages (PoolPages, PAGE_TABLE_POOL_ALIGNMENT); > if (Buffer == NULL) { > DEBUG ((DEBUG_ERROR, "ERROR: Out of aligned pages\r\n")); >diff --git a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h >index 9f14ac6007..b8cf43104e 100644 >--- a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h >+++ b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h >@@ -169,7 +169,7 @@ typedef union { > > #define PAGE_TABLE_POOL_ALIGNMENT BASE_2MB > #define PAGE_TABLE_POOL_UNIT_SIZE SIZE_2MB >-#define PAGE_TABLE_POOL_UNIT_PAGES EFI_SIZE_TO_PAGES (SIZE_2MB) >+#define PAGE_TABLE_POOL_UNIT_PAGES EFI_SIZE_TO_PAGES (PAGE_TABLE_POOL_UNIT_SIZE) > #define PAGE_TABLE_POOL_ALIGN_MASK \ > (~(EFI_PHYSICAL_ADDRESS)(PAGE_TABLE_POOL_ALIGNMENT - 1)) > >diff --git a/UefiCpuPkg/CpuDxe/CpuPageTable.c b/UefiCpuPkg/CpuDxe/CpuPageTable.c >index 57ec76378a..a9c9bc9d5e 100644 >--- a/UefiCpuPkg/CpuDxe/CpuPageTable.c >+++ b/UefiCpuPkg/CpuDxe/CpuPageTable.c >@@ -1000,13 +1000,13 @@ RefreshGcdMemoryAttributesFromPaging ( > Initialize a buffer pool for page table use only. > > To reduce the potential split operation on page table, the pages reserved for >- page table should be allocated in the times of 512 (= SIZE_2MB) and at the >- boundary of SIZE_2MB. So the page pool is always initialized with number of >- pages greater than or equal to the given PoolPages. >+ page table should be allocated in the times of PAGE_TABLE_POOL_UNIT_PAGES and >+ at the boundary of PAGE_TABLE_POOL_ALIGNMENT. So the page pool is always >+ initialized with number of pages greater than or equal to the given PoolPages. > > Once the pages in the pool are used up, this method should be called again to >- reserve at least another 512 pages. Usually this won't happen often in >- practice. >+ reserve at least another PAGE_TABLE_POOL_UNIT_PAGES. Usually this won't happen >+ often in practice. > > @param[in] PoolPages The least page number of the pool to be created. > >@@ -1022,15 +1022,12 @@ InitializePageTablePool ( > BOOLEAN IsModified; > > // >- // Always reserve at least PAGE_TABLE_POOL_UNIT_PAGES (512). >+ // Always reserve at least PAGE_TABLE_POOL_UNIT_PAGES, including one page for >+ // header. > // >- if (PoolPages <= PAGE_TABLE_POOL_UNIT_PAGES) { >- PoolPages = PAGE_TABLE_POOL_UNIT_PAGES; >- } else { >- PoolPages = ((PoolPages + PAGE_TABLE_POOL_UNIT_PAGES) % >- PAGE_TABLE_POOL_UNIT_PAGES) * PAGE_TABLE_POOL_UNIT_PAGES; >- } >- >+ PoolPages += 1; // Add one page for header. >+ PoolPages = ((PoolPages - 1) / PAGE_TABLE_POOL_UNIT_PAGES + 1) * >+ PAGE_TABLE_POOL_UNIT_PAGES; > Buffer = AllocateAlignedPages (PoolPages, PAGE_TABLE_POOL_ALIGNMENT); > if (Buffer == NULL) { > DEBUG ((DEBUG_ERROR, "ERROR: Out of aligned pages\r\n")); >@@ -1139,7 +1136,7 @@ InitializePageTableLib ( > (CurrentPagingContext.ContextData.Ia32.Attributes & > PAGE_TABLE_LIB_PAGING_CONTEXT_IA32_X64_ATTRIBUTES_PAE) != 0) { > DisableReadOnlyPageWriteProtect (); >- InitializePageTablePool (PAGE_TABLE_POOL_UNIT_SIZE); >+ InitializePageTablePool (1); > EnableReadOnlyPageWriteProtect (); > } > >diff --git a/UefiCpuPkg/CpuDxe/CpuPageTable.h b/UefiCpuPkg/CpuDxe/CpuPageTable.h >index 2557ffaecf..48da9cdde7 100644 >--- a/UefiCpuPkg/CpuDxe/CpuPageTable.h >+++ b/UefiCpuPkg/CpuDxe/CpuPageTable.h >@@ -52,7 +52,7 @@ typedef struct { > > #define PAGE_TABLE_POOL_ALIGNMENT BASE_2MB > #define PAGE_TABLE_POOL_UNIT_SIZE SIZE_2MB >-#define PAGE_TABLE_POOL_UNIT_PAGES EFI_SIZE_TO_PAGES (SIZE_2MB) >+#define PAGE_TABLE_POOL_UNIT_PAGES EFI_SIZE_TO_PAGES (PAGE_TABLE_POOL_UNIT_SIZE) > #define PAGE_TABLE_POOL_ALIGN_MASK \ > (~(EFI_PHYSICAL_ADDRESS)(PAGE_TABLE_POOL_ALIGNMENT - 1)) > v3 changes: > a. According to code review comments, remove the public definitions of > page table pool. Now the DxeIpl and CpuDxe will have their own page > table pool but in the same mechanism. Related PCDs, GUDI and headers > are also removed. > b. Apply protection to all page tables, including new ones added in > CpuDxe driver. > c. Code/comments cleanup. > v2 changes: > a. Enable protection on any newly added page table after DxeIpl. > b. Introduce page table pool concept to make page table allocation > and protection easier and error free. Write Protect feature (CR0.WP) is always enabled in driver UefiCpuPkg/CpuDxe. But the memory pages used for page table are not set as read-only in the driver DxeIplPeim, after the paging is setup. This might jeopardize the page table integrity if there's buffer overflow occured in other part of system. This patch series will change this situation by clearing R/W bit in page attribute of the pages used as page table. Validation works include booting Windows (10/server 2016) and Linux (Fedora/Ubuntu) on OVMF and Intel real platform. Jian J Wang (2): MdeModulePkg/DxeIpl: Mark page table as read-only UefiCpuPkg/CpuDxe: Enable protection for newly added page table MdeModulePkg/Core/DxeIplPeim/DxeIpl.h | 34 +++ MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c | 8 +- MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c | 299 ++++++++++++++++++++++- MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h | 26 ++ UefiCpuPkg/CpuDxe/CpuDxe.c | 17 +- UefiCpuPkg/CpuDxe/CpuDxe.h | 2 + UefiCpuPkg/CpuDxe/CpuPageTable.c | 223 ++++++++++++++++- UefiCpuPkg/CpuDxe/CpuPageTable.h | 34 +++ 8 files changed, 630 insertions(+), 13 deletions(-) -- 2.15.1.windows.2 ^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH v4 1/2] MdeModulePkg/DxeIpl: Mark page table as read-only 2017-12-07 11:32 [PATCH v4 0/2] Enable page table write protection Jian J Wang @ 2017-12-07 11:32 ` Jian J Wang 2017-12-08 3:04 ` Zeng, Star 2017-12-07 11:32 ` [PATCH v4 2/2] UefiCpuPkg/CpuDxe: Enable protection for newly added page table Jian J Wang 1 sibling, 1 reply; 5+ messages in thread From: Jian J Wang @ 2017-12-07 11:32 UTC (permalink / raw) To: edk2-devel; +Cc: Jiewen Yao, Star Zeng, Eric Dong, Ruiyu Ni > v4: > a. Fix a calculation error in pool page number during initialization > b. Change comments to remove constants in description > v3: > Remove the public definition of PAGE_TABLE_POOL_HEADER but keep similar > concept locally. CpuDxe has its own page table pool. > v2: > Introduce page table pool to ease the page table memory allocation and > protection, which replaces the direct calling of AllocatePages(). This patch will set the memory pages used for page table as read-only memory after the paging is setup. CR0.WP must set to let it take into effect. A simple page table memory management mechanism, page table pool concept, is introduced to simplify the page table memory allocation and protection. It will also help to reduce the potential recursive "split" action during updating memory paging attributes. The basic idea is to allocate a bunch of continuous pages of memory in advance as one or more page table pools, and all future page tables consumption will happen in those pool instead of system memory. If the page pool is reserved at the boundary of 2MB page and with same size of 2MB page, there's no page granularity "split" operation will be needed, because the memory of new page tables (if needed) will be usually in the same page as target page table you're working on. And since we have centralized page tables (a few 2MB pages), it's easier to protect them by changing their attributes to be read-only once and for all. There's no need to apply the protection for new page tables any more as long as the pool has free pages available. Once current page table pool has been used up, one can allocate another 2MB memory pool and just set this new 2MB memory block to be read-only instead of setting the new page tables one page by one page. Two new PCDs PcdPageTablePoolUnitSize and PcdPageTablePoolAlignment are used to specify the size and alignment for page table pool. For IA32 processor 0x200000 (2MB) is the only choice for both of them to meet the requirement of page table pool. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Star Zeng <star.zeng@intel.com> Cc: Eric Dong <eric.dong@intel.com> Cc: Ruiyu Ni <ruiyu.ni@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Jian J Wang <jian.j.wang@intel.com> --- MdeModulePkg/Core/DxeIplPeim/DxeIpl.h | 34 +++ MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c | 8 +- MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c | 299 ++++++++++++++++++++++- MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h | 26 ++ 4 files changed, 363 insertions(+), 4 deletions(-) diff --git a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.h b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.h index f3aabdb7e0..9dc80b1508 100644 --- a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.h +++ b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.h @@ -265,4 +265,38 @@ IsNullDetectionEnabled ( VOID ); +/** + Prevent the memory pages used for page table from been overwritten. + + @param[in] PageTableBase Base address of page table (CR3). + +**/ +VOID +EnablePageTableProtection ( + IN UINTN PageTableBase, + IN BOOLEAN Level4Paging + ); + +/** + This API provides a way to allocate memory for page table. + + This API can be called more than once to allocate memory for page tables. + + Allocates the number of 4KB pages and returns a pointer to the allocated + buffer. The buffer returned is aligned on a 4KB boundary. + + If Pages is 0, then NULL is returned. + If there is not enough memory remaining to satisfy the request, then NULL is + returned. + + @param Pages The number of 4 KB pages to allocate. + + @return A pointer to the allocated buffer or NULL if allocation fails. + +**/ +VOID * +AllocatePageTableMemory ( + IN UINTN Pages + ); + #endif diff --git a/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c b/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c index 5649265367..13fff28e93 100644 --- a/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c +++ b/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c @@ -99,7 +99,7 @@ Create4GPageTablesIa32Pae ( NumberOfPdpEntriesNeeded = (UINT32) LShiftU64 (1, (PhysicalAddressBits - 30)); TotalPagesNum = NumberOfPdpEntriesNeeded + 1; - PageAddress = (UINTN) AllocatePages (TotalPagesNum); + PageAddress = (UINTN) AllocatePageTableMemory (TotalPagesNum); ASSERT (PageAddress != 0); PageMap = (VOID *) PageAddress; @@ -149,6 +149,12 @@ Create4GPageTablesIa32Pae ( ); } + // + // Protect the page table by marking the memory used for page table to be + // read-only. + // + EnablePageTableProtection ((UINTN)PageMap, FALSE); + return (UINTN) PageMap; } diff --git a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c index 29b6205e88..038aa0d127 100644 --- a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c +++ b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c @@ -31,6 +31,11 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #include "DxeIpl.h" #include "VirtualMemory.h" +// +// Global variable to keep track current available memory used as page table. +// +PAGE_TABLE_POOL *mPageTablePool = NULL; + /** Clear legacy memory located at the first 4K-page, if available. @@ -117,6 +122,110 @@ EnableExecuteDisableBit ( AsmWriteMsr64 (0xC0000080, MsrRegisters); } +/** + Initialize a buffer pool for page table use only. + + To reduce the potential split operation on page table, the pages reserved for + page table should be allocated in the times of PAGE_TABLE_POOL_UNIT_PAGES and + at the boundary of PAGE_TABLE_POOL_ALIGNMENT. So the page pool is always + initialized with number of pages greater than or equal to the given PoolPages. + + Once the pages in the pool are used up, this method should be called again to + reserve at least another PAGE_TABLE_POOL_UNIT_PAGES. But usually this won't + happen in practice. + + @param PoolPages The least page number of the pool to be created. + + @retval TRUE The pool is initialized successfully. + @retval FALSE The memory is out of resource. +**/ +BOOLEAN +InitializePageTablePool ( + IN UINTN PoolPages + ) +{ + VOID *Buffer; + + // + // Always reserve at least PAGE_TABLE_POOL_UNIT_PAGES, including one page for + // header. + // + PoolPages += 1; // Add one page for header. + PoolPages = ((PoolPages - 1) / PAGE_TABLE_POOL_UNIT_PAGES + 1) * + PAGE_TABLE_POOL_UNIT_PAGES; + Buffer = AllocateAlignedPages (PoolPages, PAGE_TABLE_POOL_ALIGNMENT); + if (Buffer == NULL) { + DEBUG ((DEBUG_ERROR, "ERROR: Out of aligned pages\r\n")); + return FALSE; + } + + // + // Link all pools into a list for easier track later. + // + if (mPageTablePool == NULL) { + mPageTablePool = Buffer; + mPageTablePool->NextPool = mPageTablePool; + } else { + ((PAGE_TABLE_POOL *)Buffer)->NextPool = mPageTablePool->NextPool; + mPageTablePool->NextPool = Buffer; + mPageTablePool = Buffer; + } + + // + // Reserve one page for pool header. + // + mPageTablePool->FreePages = PoolPages - 1; + mPageTablePool->Offset = EFI_PAGES_TO_SIZE (1); + + return TRUE; +} + +/** + This API provides a way to allocate memory for page table. + + This API can be called more than once to allocate memory for page tables. + + Allocates the number of 4KB pages and returns a pointer to the allocated + buffer. The buffer returned is aligned on a 4KB boundary. + + If Pages is 0, then NULL is returned. + If there is not enough memory remaining to satisfy the request, then NULL is + returned. + + @param Pages The number of 4 KB pages to allocate. + + @return A pointer to the allocated buffer or NULL if allocation fails. + +**/ +VOID * +AllocatePageTableMemory ( + IN UINTN Pages + ) +{ + VOID *Buffer; + + if (Pages == 0) { + return NULL; + } + + // + // Renew the pool if necessary. + // + if (mPageTablePool == NULL || + Pages > mPageTablePool->FreePages) { + if (!InitializePageTablePool (Pages)) { + return NULL; + } + } + + Buffer = (UINT8 *)mPageTablePool + mPageTablePool->Offset; + + mPageTablePool->Offset += EFI_PAGES_TO_SIZE (Pages); + mPageTablePool->FreePages -= Pages; + + return Buffer; +} + /** Split 2M page to 4K. @@ -144,7 +253,7 @@ Split2MPageTo4K ( // AddressEncMask = PcdGet64 (PcdPteMemoryEncryptionAddressOrMask) & PAGING_1G_ADDRESS_MASK_64; - PageTableEntry = AllocatePages (1); + PageTableEntry = AllocatePageTableMemory (1); ASSERT (PageTableEntry != NULL); // @@ -204,7 +313,7 @@ Split1GPageTo2M ( // AddressEncMask = PcdGet64 (PcdPteMemoryEncryptionAddressOrMask) & PAGING_1G_ADDRESS_MASK_64; - PageDirectoryEntry = AllocatePages (1); + PageDirectoryEntry = AllocatePageTableMemory (1); ASSERT (PageDirectoryEntry != NULL); // @@ -234,6 +343,184 @@ Split1GPageTo2M ( } } +/** + Set one page of page table pool memory to be read-only. + + @param[in] PageTableBase Base address of page table (CR3). + @param[in] Address Start address of a page to be set as read-only. + @param[in] Level4Paging Level 4 paging flag. + +**/ +VOID +SetPageTablePoolReadOnly ( + IN UINTN PageTableBase, + IN EFI_PHYSICAL_ADDRESS Address, + IN BOOLEAN Level4Paging + ) +{ + UINTN Index; + UINTN EntryIndex; + UINT64 AddressEncMask; + EFI_PHYSICAL_ADDRESS PhysicalAddress; + UINT64 *PageTable; + UINT64 *NewPageTable; + UINT64 PageAttr; + UINT64 LevelSize[5]; + UINT64 LevelMask[5]; + UINTN LevelShift[5]; + UINTN Level; + UINT64 PoolUnitSize; + + ASSERT (PageTableBase != 0); + + // + // Since the page table is always from page table pool, which is always + // located at the boundary of PcdPageTablePoolAlignment, we just need to + // set the whole pool unit to be read-only. + // + Address = Address & PAGE_TABLE_POOL_ALIGN_MASK; + + LevelShift[1] = PAGING_L1_ADDRESS_SHIFT; + LevelShift[2] = PAGING_L2_ADDRESS_SHIFT; + LevelShift[3] = PAGING_L3_ADDRESS_SHIFT; + LevelShift[4] = PAGING_L4_ADDRESS_SHIFT; + + LevelMask[1] = PAGING_4K_ADDRESS_MASK_64; + LevelMask[2] = PAGING_2M_ADDRESS_MASK_64; + LevelMask[3] = PAGING_1G_ADDRESS_MASK_64; + LevelMask[4] = PAGING_1G_ADDRESS_MASK_64; + + LevelSize[1] = SIZE_4KB; + LevelSize[2] = SIZE_2MB; + LevelSize[3] = SIZE_1GB; + LevelSize[4] = SIZE_512GB; + + AddressEncMask = PcdGet64 (PcdPteMemoryEncryptionAddressOrMask) & + PAGING_1G_ADDRESS_MASK_64; + PageTable = (UINT64 *)(UINTN)PageTableBase; + PoolUnitSize = PAGE_TABLE_POOL_UNIT_SIZE; + + for (Level = (Level4Paging) ? 4 : 3; Level > 0; --Level) { + Index = ((UINTN)RShiftU64 (Address, LevelShift[Level])); + Index &= PAGING_PAE_INDEX_MASK; + + PageAttr = PageTable[Index]; + if ((PageAttr & IA32_PG_PS) == 0) { + // + // Go to next level of table. + // + PageTable = (UINT64 *)(UINTN)(PageAttr & ~AddressEncMask & + PAGING_4K_ADDRESS_MASK_64); + continue; + } + + if (PoolUnitSize >= LevelSize[Level]) { + // + // Clear R/W bit if current page granularity is not larger than pool unit + // size. + // + if ((PageAttr & IA32_PG_RW) != 0) { + while (PoolUnitSize > 0) { + // + // PAGE_TABLE_POOL_UNIT_SIZE and PAGE_TABLE_POOL_ALIGNMENT are fit in + // one page (2MB). Then we don't need to update attributes for pages + // crossing page directory. ASSERT below is for that purpose. + // + ASSERT (Index < EFI_PAGE_SIZE/sizeof (UINT64)); + + PageTable[Index] &= ~(UINT64)IA32_PG_RW; + PoolUnitSize -= LevelSize[Level]; + + ++Index; + } + } + + break; + + } else { + // + // The smaller granularity of page must be needed. + // + NewPageTable = AllocatePageTableMemory (1); + ASSERT (NewPageTable != NULL); + + PhysicalAddress = PageAttr & LevelMask[Level]; + for (EntryIndex = 0; + EntryIndex < EFI_PAGE_SIZE/sizeof (UINT64); + ++EntryIndex) { + NewPageTable[EntryIndex] = PhysicalAddress | AddressEncMask | + IA32_PG_P | IA32_PG_RW; + if (Level > 1) { + NewPageTable[EntryIndex] |= IA32_PG_PS; + } + PhysicalAddress += LevelSize[Level]; + } + + PageTable[Index] = (UINT64)(UINTN)NewPageTable | AddressEncMask | + IA32_PG_P | IA32_PG_RW; + PageTable = NewPageTable; + } + } +} + +/** + Prevent the memory pages used for page table from been overwritten. + + @param[in] PageTableBase Base address of page table (CR3). + @param[in] Level4Paging Level 4 paging flag. + +**/ +VOID +EnablePageTableProtection ( + IN UINTN PageTableBase, + IN BOOLEAN Level4Paging + ) +{ + PAGE_TABLE_POOL *HeadPool; + PAGE_TABLE_POOL *Pool; + UINT64 PoolSize; + EFI_PHYSICAL_ADDRESS Address; + + if (mPageTablePool == NULL) { + return; + } + + // + // Disable write protection, because we need to mark page table to be write + // protected. + // + AsmWriteCr0 (AsmReadCr0() & ~CR0_WP); + + // + // SetPageTablePoolReadOnly might update mPageTablePool. It's safer to + // remember original one in advance. + // + HeadPool = mPageTablePool; + Pool = HeadPool; + do { + Address = (EFI_PHYSICAL_ADDRESS)(UINTN)Pool; + PoolSize = Pool->Offset + EFI_PAGES_TO_SIZE (Pool->FreePages); + + // + // The size of one pool must be multiple of PAGE_TABLE_POOL_UNIT_SIZE, which + // is one of page size of the processor (2MB by default). Let's apply the + // protection to them one by one. + // + while (PoolSize > 0) { + SetPageTablePoolReadOnly(PageTableBase, Address, Level4Paging); + Address += PAGE_TABLE_POOL_UNIT_SIZE; + PoolSize -= PAGE_TABLE_POOL_UNIT_SIZE; + } + + Pool = Pool->NextPool; + } while (Pool != HeadPool); + + // + // Enable write protection, after page table attribute updated. + // + AsmWriteCr0 (AsmReadCr0() | CR0_WP); +} + /** Allocates and fills in the Page Directory and Page Table Entries to establish a 1:1 Virtual to Physical mapping. @@ -329,7 +616,7 @@ CreateIdentityMappingPageTables ( } else { TotalPagesNum = NumberOfPml4EntriesNeeded + 1; } - BigPageAddress = (UINTN) AllocatePages (TotalPagesNum); + BigPageAddress = (UINTN) AllocatePageTableMemory (TotalPagesNum); ASSERT (BigPageAddress != 0); // @@ -430,6 +717,12 @@ CreateIdentityMappingPageTables ( ); } + // + // Protect the page table by marking the memory used for page table to be + // read-only. + // + EnablePageTableProtection ((UINTN)PageMap, TRUE); + if (PcdGetBool (PcdSetNxForStack)) { EnableExecuteDisableBit (); } diff --git a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h index 7c9bb49e3e..b8cf43104e 100644 --- a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h +++ b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h @@ -148,11 +148,37 @@ typedef union { #pragma pack() +#define CR0_WP BIT16 + #define IA32_PG_P BIT0 #define IA32_PG_RW BIT1 +#define IA32_PG_PS BIT7 + +#define PAGING_PAE_INDEX_MASK 0x1FF +#define PAGING_4K_ADDRESS_MASK_64 0x000FFFFFFFFFF000ull +#define PAGING_2M_ADDRESS_MASK_64 0x000FFFFFFFE00000ull #define PAGING_1G_ADDRESS_MASK_64 0x000FFFFFC0000000ull +#define PAGING_L1_ADDRESS_SHIFT 12 +#define PAGING_L2_ADDRESS_SHIFT 21 +#define PAGING_L3_ADDRESS_SHIFT 30 +#define PAGING_L4_ADDRESS_SHIFT 39 + +#define PAGING_PML4E_NUMBER 4 + +#define PAGE_TABLE_POOL_ALIGNMENT BASE_2MB +#define PAGE_TABLE_POOL_UNIT_SIZE SIZE_2MB +#define PAGE_TABLE_POOL_UNIT_PAGES EFI_SIZE_TO_PAGES (PAGE_TABLE_POOL_UNIT_SIZE) +#define PAGE_TABLE_POOL_ALIGN_MASK \ + (~(EFI_PHYSICAL_ADDRESS)(PAGE_TABLE_POOL_ALIGNMENT - 1)) + +typedef struct { + VOID *NextPool; + UINTN Offset; + UINTN FreePages; +} PAGE_TABLE_POOL; + /** Enable Execute Disable Bit. -- 2.15.1.windows.2 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH v4 1/2] MdeModulePkg/DxeIpl: Mark page table as read-only 2017-12-07 11:32 ` [PATCH v4 1/2] MdeModulePkg/DxeIpl: Mark page table as read-only Jian J Wang @ 2017-12-08 3:04 ` Zeng, Star 2017-12-08 3:49 ` Wang, Jian J 0 siblings, 1 reply; 5+ messages in thread From: Zeng, Star @ 2017-12-08 3:04 UTC (permalink / raw) To: Wang, Jian J, edk2-devel@lists.01.org Cc: Yao, Jiewen, Dong, Eric, Ni, Ruiyu, Zeng, Star Could EnablePageTableProtection and AllocatePageTableMemory just be declared in VirtualMemory.h but not DxeIpl.h? As their implementation are in VirtualMemory.c that is only used by X64 and IA32, but not other archs, DxeIpl.h is used by all archs. Also have same comments to ClearFirst4KPage and IsNullDetectionEnabled and just sent a patch for them at https://lists.01.org/pipermail/edk2-devel/2017-December/018854.html. Thanks, Star -----Original Message----- From: Wang, Jian J Sent: Thursday, December 7, 2017 7:32 PM To: edk2-devel@lists.01.org Cc: Yao, Jiewen <jiewen.yao@intel.com>; Zeng, Star <star.zeng@intel.com>; Dong, Eric <eric.dong@intel.com>; Ni, Ruiyu <ruiyu.ni@intel.com> Subject: [PATCH v4 1/2] MdeModulePkg/DxeIpl: Mark page table as read-only > v4: > a. Fix a calculation error in pool page number during initialization > b. Change comments to remove constants in description > v3: > Remove the public definition of PAGE_TABLE_POOL_HEADER but keep similar > concept locally. CpuDxe has its own page table pool. > v2: > Introduce page table pool to ease the page table memory allocation and > protection, which replaces the direct calling of AllocatePages(). This patch will set the memory pages used for page table as read-only memory after the paging is setup. CR0.WP must set to let it take into effect. A simple page table memory management mechanism, page table pool concept, is introduced to simplify the page table memory allocation and protection. It will also help to reduce the potential recursive "split" action during updating memory paging attributes. The basic idea is to allocate a bunch of continuous pages of memory in advance as one or more page table pools, and all future page tables consumption will happen in those pool instead of system memory. If the page pool is reserved at the boundary of 2MB page and with same size of 2MB page, there's no page granularity "split" operation will be needed, because the memory of new page tables (if needed) will be usually in the same page as target page table you're working on. And since we have centralized page tables (a few 2MB pages), it's easier to protect them by changing their attributes to be read-only once and for all. There's no need to apply the protection for new page tables any more as long as the pool has free pages available. Once current page table pool has been used up, one can allocate another 2MB memory pool and just set this new 2MB memory block to be read-only instead of setting the new page tables one page by one page. Two new PCDs PcdPageTablePoolUnitSize and PcdPageTablePoolAlignment are used to specify the size and alignment for page table pool. For IA32 processor 0x200000 (2MB) is the only choice for both of them to meet the requirement of page table pool. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Star Zeng <star.zeng@intel.com> Cc: Eric Dong <eric.dong@intel.com> Cc: Ruiyu Ni <ruiyu.ni@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Jian J Wang <jian.j.wang@intel.com> --- MdeModulePkg/Core/DxeIplPeim/DxeIpl.h | 34 +++ MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c | 8 +- MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c | 299 ++++++++++++++++++++++- MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h | 26 ++ 4 files changed, 363 insertions(+), 4 deletions(-) diff --git a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.h b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.h index f3aabdb7e0..9dc80b1508 100644 --- a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.h +++ b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.h @@ -265,4 +265,38 @@ IsNullDetectionEnabled ( VOID ); +/** + Prevent the memory pages used for page table from been overwritten. + + @param[in] PageTableBase Base address of page table (CR3). + +**/ +VOID +EnablePageTableProtection ( + IN UINTN PageTableBase, + IN BOOLEAN Level4Paging + ); + +/** + This API provides a way to allocate memory for page table. + + This API can be called more than once to allocate memory for page tables. + + Allocates the number of 4KB pages and returns a pointer to the + allocated buffer. The buffer returned is aligned on a 4KB boundary. + + If Pages is 0, then NULL is returned. + If there is not enough memory remaining to satisfy the request, then + NULL is returned. + + @param Pages The number of 4 KB pages to allocate. + + @return A pointer to the allocated buffer or NULL if allocation fails. + +**/ +VOID * +AllocatePageTableMemory ( + IN UINTN Pages + ); + #endif diff --git a/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c b/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c index 5649265367..13fff28e93 100644 --- a/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c +++ b/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c @@ -99,7 +99,7 @@ Create4GPageTablesIa32Pae ( NumberOfPdpEntriesNeeded = (UINT32) LShiftU64 (1, (PhysicalAddressBits - 30)); TotalPagesNum = NumberOfPdpEntriesNeeded + 1; - PageAddress = (UINTN) AllocatePages (TotalPagesNum); + PageAddress = (UINTN) AllocatePageTableMemory (TotalPagesNum); ASSERT (PageAddress != 0); PageMap = (VOID *) PageAddress; @@ -149,6 +149,12 @@ Create4GPageTablesIa32Pae ( ); } + // + // Protect the page table by marking the memory used for page table + to be // read-only. + // + EnablePageTableProtection ((UINTN)PageMap, FALSE); + return (UINTN) PageMap; } diff --git a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c index 29b6205e88..038aa0d127 100644 --- a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c +++ b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c @@ -31,6 +31,11 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #include "DxeIpl.h" #include "VirtualMemory.h" +// +// Global variable to keep track current available memory used as page table. +// +PAGE_TABLE_POOL *mPageTablePool = NULL; + /** Clear legacy memory located at the first 4K-page, if available. @@ -117,6 +122,110 @@ EnableExecuteDisableBit ( AsmWriteMsr64 (0xC0000080, MsrRegisters); } +/** + Initialize a buffer pool for page table use only. + + To reduce the potential split operation on page table, the pages + reserved for page table should be allocated in the times of + PAGE_TABLE_POOL_UNIT_PAGES and at the boundary of + PAGE_TABLE_POOL_ALIGNMENT. So the page pool is always initialized with number of pages greater than or equal to the given PoolPages. + + Once the pages in the pool are used up, this method should be called + again to reserve at least another PAGE_TABLE_POOL_UNIT_PAGES. But + usually this won't happen in practice. + + @param PoolPages The least page number of the pool to be created. + + @retval TRUE The pool is initialized successfully. + @retval FALSE The memory is out of resource. +**/ +BOOLEAN +InitializePageTablePool ( + IN UINTN PoolPages + ) +{ + VOID *Buffer; + + // + // Always reserve at least PAGE_TABLE_POOL_UNIT_PAGES, including one + page for // header. + // + PoolPages += 1; // Add one page for header. + PoolPages = ((PoolPages - 1) / PAGE_TABLE_POOL_UNIT_PAGES + 1) * + PAGE_TABLE_POOL_UNIT_PAGES; Buffer = + AllocateAlignedPages (PoolPages, PAGE_TABLE_POOL_ALIGNMENT); if + (Buffer == NULL) { + DEBUG ((DEBUG_ERROR, "ERROR: Out of aligned pages\r\n")); + return FALSE; + } + + // + // Link all pools into a list for easier track later. + // + if (mPageTablePool == NULL) { + mPageTablePool = Buffer; + mPageTablePool->NextPool = mPageTablePool; } else { + ((PAGE_TABLE_POOL *)Buffer)->NextPool = mPageTablePool->NextPool; + mPageTablePool->NextPool = Buffer; + mPageTablePool = Buffer; + } + + // + // Reserve one page for pool header. + // + mPageTablePool->FreePages = PoolPages - 1; mPageTablePool->Offset = + EFI_PAGES_TO_SIZE (1); + + return TRUE; +} + +/** + This API provides a way to allocate memory for page table. + + This API can be called more than once to allocate memory for page tables. + + Allocates the number of 4KB pages and returns a pointer to the + allocated buffer. The buffer returned is aligned on a 4KB boundary. + + If Pages is 0, then NULL is returned. + If there is not enough memory remaining to satisfy the request, then + NULL is returned. + + @param Pages The number of 4 KB pages to allocate. + + @return A pointer to the allocated buffer or NULL if allocation fails. + +**/ +VOID * +AllocatePageTableMemory ( + IN UINTN Pages + ) +{ + VOID *Buffer; + + if (Pages == 0) { + return NULL; + } + + // + // Renew the pool if necessary. + // + if (mPageTablePool == NULL || + Pages > mPageTablePool->FreePages) { + if (!InitializePageTablePool (Pages)) { + return NULL; + } + } + + Buffer = (UINT8 *)mPageTablePool + mPageTablePool->Offset; + + mPageTablePool->Offset += EFI_PAGES_TO_SIZE (Pages); + mPageTablePool->FreePages -= Pages; + + return Buffer; +} + /** Split 2M page to 4K. @@ -144,7 +253,7 @@ Split2MPageTo4K ( // AddressEncMask = PcdGet64 (PcdPteMemoryEncryptionAddressOrMask) & PAGING_1G_ADDRESS_MASK_64; - PageTableEntry = AllocatePages (1); + PageTableEntry = AllocatePageTableMemory (1); ASSERT (PageTableEntry != NULL); // @@ -204,7 +313,7 @@ Split1GPageTo2M ( // AddressEncMask = PcdGet64 (PcdPteMemoryEncryptionAddressOrMask) & PAGING_1G_ADDRESS_MASK_64; - PageDirectoryEntry = AllocatePages (1); + PageDirectoryEntry = AllocatePageTableMemory (1); ASSERT (PageDirectoryEntry != NULL); // @@ -234,6 +343,184 @@ Split1GPageTo2M ( } } +/** + Set one page of page table pool memory to be read-only. + + @param[in] PageTableBase Base address of page table (CR3). + @param[in] Address Start address of a page to be set as read-only. + @param[in] Level4Paging Level 4 paging flag. + +**/ +VOID +SetPageTablePoolReadOnly ( + IN UINTN PageTableBase, + IN EFI_PHYSICAL_ADDRESS Address, + IN BOOLEAN Level4Paging + ) +{ + UINTN Index; + UINTN EntryIndex; + UINT64 AddressEncMask; + EFI_PHYSICAL_ADDRESS PhysicalAddress; + UINT64 *PageTable; + UINT64 *NewPageTable; + UINT64 PageAttr; + UINT64 LevelSize[5]; + UINT64 LevelMask[5]; + UINTN LevelShift[5]; + UINTN Level; + UINT64 PoolUnitSize; + + ASSERT (PageTableBase != 0); + + // + // Since the page table is always from page table pool, which is + always // located at the boundary of PcdPageTablePoolAlignment, we + just need to // set the whole pool unit to be read-only. + // + Address = Address & PAGE_TABLE_POOL_ALIGN_MASK; + + LevelShift[1] = PAGING_L1_ADDRESS_SHIFT; LevelShift[2] = + PAGING_L2_ADDRESS_SHIFT; LevelShift[3] = PAGING_L3_ADDRESS_SHIFT; + LevelShift[4] = PAGING_L4_ADDRESS_SHIFT; + + LevelMask[1] = PAGING_4K_ADDRESS_MASK_64; LevelMask[2] = + PAGING_2M_ADDRESS_MASK_64; LevelMask[3] = PAGING_1G_ADDRESS_MASK_64; + LevelMask[4] = PAGING_1G_ADDRESS_MASK_64; + + LevelSize[1] = SIZE_4KB; + LevelSize[2] = SIZE_2MB; + LevelSize[3] = SIZE_1GB; + LevelSize[4] = SIZE_512GB; + + AddressEncMask = PcdGet64 (PcdPteMemoryEncryptionAddressOrMask) & + PAGING_1G_ADDRESS_MASK_64; + PageTable = (UINT64 *)(UINTN)PageTableBase; + PoolUnitSize = PAGE_TABLE_POOL_UNIT_SIZE; + + for (Level = (Level4Paging) ? 4 : 3; Level > 0; --Level) { + Index = ((UINTN)RShiftU64 (Address, LevelShift[Level])); + Index &= PAGING_PAE_INDEX_MASK; + + PageAttr = PageTable[Index]; + if ((PageAttr & IA32_PG_PS) == 0) { + // + // Go to next level of table. + // + PageTable = (UINT64 *)(UINTN)(PageAttr & ~AddressEncMask & + PAGING_4K_ADDRESS_MASK_64); + continue; + } + + if (PoolUnitSize >= LevelSize[Level]) { + // + // Clear R/W bit if current page granularity is not larger than pool unit + // size. + // + if ((PageAttr & IA32_PG_RW) != 0) { + while (PoolUnitSize > 0) { + // + // PAGE_TABLE_POOL_UNIT_SIZE and PAGE_TABLE_POOL_ALIGNMENT are fit in + // one page (2MB). Then we don't need to update attributes for pages + // crossing page directory. ASSERT below is for that purpose. + // + ASSERT (Index < EFI_PAGE_SIZE/sizeof (UINT64)); + + PageTable[Index] &= ~(UINT64)IA32_PG_RW; + PoolUnitSize -= LevelSize[Level]; + + ++Index; + } + } + + break; + + } else { + // + // The smaller granularity of page must be needed. + // + NewPageTable = AllocatePageTableMemory (1); + ASSERT (NewPageTable != NULL); + + PhysicalAddress = PageAttr & LevelMask[Level]; + for (EntryIndex = 0; + EntryIndex < EFI_PAGE_SIZE/sizeof (UINT64); + ++EntryIndex) { + NewPageTable[EntryIndex] = PhysicalAddress | AddressEncMask | + IA32_PG_P | IA32_PG_RW; + if (Level > 1) { + NewPageTable[EntryIndex] |= IA32_PG_PS; + } + PhysicalAddress += LevelSize[Level]; + } + + PageTable[Index] = (UINT64)(UINTN)NewPageTable | AddressEncMask | + IA32_PG_P | IA32_PG_RW; + PageTable = NewPageTable; + } + } +} + +/** + Prevent the memory pages used for page table from been overwritten. + + @param[in] PageTableBase Base address of page table (CR3). + @param[in] Level4Paging Level 4 paging flag. + +**/ +VOID +EnablePageTableProtection ( + IN UINTN PageTableBase, + IN BOOLEAN Level4Paging + ) +{ + PAGE_TABLE_POOL *HeadPool; + PAGE_TABLE_POOL *Pool; + UINT64 PoolSize; + EFI_PHYSICAL_ADDRESS Address; + + if (mPageTablePool == NULL) { + return; + } + + // + // Disable write protection, because we need to mark page table to be + write // protected. + // + AsmWriteCr0 (AsmReadCr0() & ~CR0_WP); + + // + // SetPageTablePoolReadOnly might update mPageTablePool. It's safer + to // remember original one in advance. + // + HeadPool = mPageTablePool; + Pool = HeadPool; + do { + Address = (EFI_PHYSICAL_ADDRESS)(UINTN)Pool; + PoolSize = Pool->Offset + EFI_PAGES_TO_SIZE (Pool->FreePages); + + // + // The size of one pool must be multiple of PAGE_TABLE_POOL_UNIT_SIZE, which + // is one of page size of the processor (2MB by default). Let's apply the + // protection to them one by one. + // + while (PoolSize > 0) { + SetPageTablePoolReadOnly(PageTableBase, Address, Level4Paging); + Address += PAGE_TABLE_POOL_UNIT_SIZE; + PoolSize -= PAGE_TABLE_POOL_UNIT_SIZE; + } + + Pool = Pool->NextPool; + } while (Pool != HeadPool); + + // + // Enable write protection, after page table attribute updated. + // + AsmWriteCr0 (AsmReadCr0() | CR0_WP); +} + /** Allocates and fills in the Page Directory and Page Table Entries to establish a 1:1 Virtual to Physical mapping. @@ -329,7 +616,7 @@ CreateIdentityMappingPageTables ( } else { TotalPagesNum = NumberOfPml4EntriesNeeded + 1; } - BigPageAddress = (UINTN) AllocatePages (TotalPagesNum); + BigPageAddress = (UINTN) AllocatePageTableMemory (TotalPagesNum); ASSERT (BigPageAddress != 0); // @@ -430,6 +717,12 @@ CreateIdentityMappingPageTables ( ); } + // + // Protect the page table by marking the memory used for page table + to be // read-only. + // + EnablePageTableProtection ((UINTN)PageMap, TRUE); + if (PcdGetBool (PcdSetNxForStack)) { EnableExecuteDisableBit (); } diff --git a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h index 7c9bb49e3e..b8cf43104e 100644 --- a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h +++ b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h @@ -148,11 +148,37 @@ typedef union { #pragma pack() +#define CR0_WP BIT16 + #define IA32_PG_P BIT0 #define IA32_PG_RW BIT1 +#define IA32_PG_PS BIT7 + +#define PAGING_PAE_INDEX_MASK 0x1FF +#define PAGING_4K_ADDRESS_MASK_64 0x000FFFFFFFFFF000ull +#define PAGING_2M_ADDRESS_MASK_64 0x000FFFFFFFE00000ull #define PAGING_1G_ADDRESS_MASK_64 0x000FFFFFC0000000ull +#define PAGING_L1_ADDRESS_SHIFT 12 +#define PAGING_L2_ADDRESS_SHIFT 21 +#define PAGING_L3_ADDRESS_SHIFT 30 +#define PAGING_L4_ADDRESS_SHIFT 39 + +#define PAGING_PML4E_NUMBER 4 + +#define PAGE_TABLE_POOL_ALIGNMENT BASE_2MB +#define PAGE_TABLE_POOL_UNIT_SIZE SIZE_2MB +#define PAGE_TABLE_POOL_UNIT_PAGES EFI_SIZE_TO_PAGES +(PAGE_TABLE_POOL_UNIT_SIZE) #define PAGE_TABLE_POOL_ALIGN_MASK \ + (~(EFI_PHYSICAL_ADDRESS)(PAGE_TABLE_POOL_ALIGNMENT - 1)) + +typedef struct { + VOID *NextPool; + UINTN Offset; + UINTN FreePages; +} PAGE_TABLE_POOL; + /** Enable Execute Disable Bit. -- 2.15.1.windows.2 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH v4 1/2] MdeModulePkg/DxeIpl: Mark page table as read-only 2017-12-08 3:04 ` Zeng, Star @ 2017-12-08 3:49 ` Wang, Jian J 0 siblings, 0 replies; 5+ messages in thread From: Wang, Jian J @ 2017-12-08 3:49 UTC (permalink / raw) To: Zeng, Star, edk2-devel@lists.01.org; +Cc: Yao, Jiewen, Dong, Eric, Ni, Ruiyu Sure. I'll move them to VirtualMemory.h. If no more other comments, I think there's no need of a v5 patch. Thanks. Regards, Jian > -----Original Message----- > From: Zeng, Star > Sent: Friday, December 08, 2017 11:04 AM > To: Wang, Jian J <jian.j.wang@intel.com>; edk2-devel@lists.01.org > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Dong, Eric <eric.dong@intel.com>; Ni, > Ruiyu <ruiyu.ni@intel.com>; Zeng, Star <star.zeng@intel.com> > Subject: RE: [PATCH v4 1/2] MdeModulePkg/DxeIpl: Mark page table as read- > only > > Could EnablePageTableProtection and AllocatePageTableMemory just be > declared in VirtualMemory.h but not DxeIpl.h? > As their implementation are in VirtualMemory.c that is only used by X64 and > IA32, but not other archs, DxeIpl.h is used by all archs. > > Also have same comments to ClearFirst4KPage and IsNullDetectionEnabled and > just sent a patch for them at https://lists.01.org/pipermail/edk2-devel/2017- > December/018854.html. > > > Thanks, > Star > -----Original Message----- > From: Wang, Jian J > Sent: Thursday, December 7, 2017 7:32 PM > To: edk2-devel@lists.01.org > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Zeng, Star <star.zeng@intel.com>; > Dong, Eric <eric.dong@intel.com>; Ni, Ruiyu <ruiyu.ni@intel.com> > Subject: [PATCH v4 1/2] MdeModulePkg/DxeIpl: Mark page table as read-only > > > v4: > > a. Fix a calculation error in pool page number during initialization > > b. Change comments to remove constants in description > > > v3: > > Remove the public definition of PAGE_TABLE_POOL_HEADER but keep > similar > > concept locally. CpuDxe has its own page table pool. > > > v2: > > Introduce page table pool to ease the page table memory allocation and > > protection, which replaces the direct calling of AllocatePages(). > > This patch will set the memory pages used for page table as read-only memory > after the paging is setup. CR0.WP must set to let it take into effect. > > A simple page table memory management mechanism, page table pool concept, > is introduced to simplify the page table memory allocation and protection. > It will also help to reduce the potential recursive "split" action during updating > memory paging attributes. > > The basic idea is to allocate a bunch of continuous pages of memory in advance > as one or more page table pools, and all future page tables consumption will > happen in those pool instead of system memory. If the page pool is reserved at > the boundary of 2MB page and with same size of 2MB page, there's no page > granularity "split" operation will be needed, because the memory of new page > tables (if needed) will be usually in the same page as target page table you're > working on. > > And since we have centralized page tables (a few 2MB pages), it's easier to > protect them by changing their attributes to be read-only once and for all. > There's no need to apply the protection for new page tables any more as long as > the pool has free pages available. > > Once current page table pool has been used up, one can allocate another 2MB > memory pool and just set this new 2MB memory block to be read-only instead > of setting the new page tables one page by one page. > > Two new PCDs PcdPageTablePoolUnitSize and PcdPageTablePoolAlignment are > used to specify the size and alignment for page table pool. For IA32 processor > 0x200000 (2MB) is the only choice for both of them to meet the requirement of > page table pool. > > Cc: Jiewen Yao <jiewen.yao@intel.com> > Cc: Star Zeng <star.zeng@intel.com> > Cc: Eric Dong <eric.dong@intel.com> > Cc: Ruiyu Ni <ruiyu.ni@intel.com> > Contributed-under: TianoCore Contribution Agreement 1.1 > Signed-off-by: Jian J Wang <jian.j.wang@intel.com> > --- > MdeModulePkg/Core/DxeIplPeim/DxeIpl.h | 34 +++ > MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c | 8 +- > MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c | 299 > ++++++++++++++++++++++- > MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h | 26 ++ > 4 files changed, 363 insertions(+), 4 deletions(-) > > diff --git a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.h > b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.h > index f3aabdb7e0..9dc80b1508 100644 > --- a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.h > +++ b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.h > @@ -265,4 +265,38 @@ IsNullDetectionEnabled ( > VOID > ); > > +/** > + Prevent the memory pages used for page table from been overwritten. > + > + @param[in] PageTableBase Base address of page table (CR3). > + > +**/ > +VOID > +EnablePageTableProtection ( > + IN UINTN PageTableBase, > + IN BOOLEAN Level4Paging > + ); > + > +/** > + This API provides a way to allocate memory for page table. > + > + This API can be called more than once to allocate memory for page tables. > + > + Allocates the number of 4KB pages and returns a pointer to the > + allocated buffer. The buffer returned is aligned on a 4KB boundary. > + > + If Pages is 0, then NULL is returned. > + If there is not enough memory remaining to satisfy the request, then > + NULL is returned. > + > + @param Pages The number of 4 KB pages to allocate. > + > + @return A pointer to the allocated buffer or NULL if allocation fails. > + > +**/ > +VOID * > +AllocatePageTableMemory ( > + IN UINTN Pages > + ); > + > #endif > diff --git a/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c > b/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c > index 5649265367..13fff28e93 100644 > --- a/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c > +++ b/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c > @@ -99,7 +99,7 @@ Create4GPageTablesIa32Pae ( > NumberOfPdpEntriesNeeded = (UINT32) LShiftU64 (1, (PhysicalAddressBits - > 30)); > > TotalPagesNum = NumberOfPdpEntriesNeeded + 1; > - PageAddress = (UINTN) AllocatePages (TotalPagesNum); > + PageAddress = (UINTN) AllocatePageTableMemory (TotalPagesNum); > ASSERT (PageAddress != 0); > > PageMap = (VOID *) PageAddress; > @@ -149,6 +149,12 @@ Create4GPageTablesIa32Pae ( > ); > } > > + // > + // Protect the page table by marking the memory used for page table > + to be // read-only. > + // > + EnablePageTableProtection ((UINTN)PageMap, FALSE); > + > return (UINTN) PageMap; > } > > diff --git a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c > b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c > index 29b6205e88..038aa0d127 100644 > --- a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c > +++ b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c > @@ -31,6 +31,11 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY > KIND, EITHER EXPRESS OR IMPLIED. > #include "DxeIpl.h" > #include "VirtualMemory.h" > > +// > +// Global variable to keep track current available memory used as page table. > +// > +PAGE_TABLE_POOL *mPageTablePool = NULL; > + > /** > Clear legacy memory located at the first 4K-page, if available. > > @@ -117,6 +122,110 @@ EnableExecuteDisableBit ( > AsmWriteMsr64 (0xC0000080, MsrRegisters); } > > +/** > + Initialize a buffer pool for page table use only. > + > + To reduce the potential split operation on page table, the pages > + reserved for page table should be allocated in the times of > + PAGE_TABLE_POOL_UNIT_PAGES and at the boundary of > + PAGE_TABLE_POOL_ALIGNMENT. So the page pool is always initialized with > number of pages greater than or equal to the given PoolPages. > + > + Once the pages in the pool are used up, this method should be called > + again to reserve at least another PAGE_TABLE_POOL_UNIT_PAGES. But > + usually this won't happen in practice. > + > + @param PoolPages The least page number of the pool to be created. > + > + @retval TRUE The pool is initialized successfully. > + @retval FALSE The memory is out of resource. > +**/ > +BOOLEAN > +InitializePageTablePool ( > + IN UINTN PoolPages > + ) > +{ > + VOID *Buffer; > + > + // > + // Always reserve at least PAGE_TABLE_POOL_UNIT_PAGES, including one > + page for // header. > + // > + PoolPages += 1; // Add one page for header. > + PoolPages = ((PoolPages - 1) / PAGE_TABLE_POOL_UNIT_PAGES + 1) * > + PAGE_TABLE_POOL_UNIT_PAGES; Buffer = > + AllocateAlignedPages (PoolPages, PAGE_TABLE_POOL_ALIGNMENT); if > + (Buffer == NULL) { > + DEBUG ((DEBUG_ERROR, "ERROR: Out of aligned pages\r\n")); > + return FALSE; > + } > + > + // > + // Link all pools into a list for easier track later. > + // > + if (mPageTablePool == NULL) { > + mPageTablePool = Buffer; > + mPageTablePool->NextPool = mPageTablePool; } else { > + ((PAGE_TABLE_POOL *)Buffer)->NextPool = mPageTablePool->NextPool; > + mPageTablePool->NextPool = Buffer; > + mPageTablePool = Buffer; > + } > + > + // > + // Reserve one page for pool header. > + // > + mPageTablePool->FreePages = PoolPages - 1; mPageTablePool->Offset = > + EFI_PAGES_TO_SIZE (1); > + > + return TRUE; > +} > + > +/** > + This API provides a way to allocate memory for page table. > + > + This API can be called more than once to allocate memory for page tables. > + > + Allocates the number of 4KB pages and returns a pointer to the > + allocated buffer. The buffer returned is aligned on a 4KB boundary. > + > + If Pages is 0, then NULL is returned. > + If there is not enough memory remaining to satisfy the request, then > + NULL is returned. > + > + @param Pages The number of 4 KB pages to allocate. > + > + @return A pointer to the allocated buffer or NULL if allocation fails. > + > +**/ > +VOID * > +AllocatePageTableMemory ( > + IN UINTN Pages > + ) > +{ > + VOID *Buffer; > + > + if (Pages == 0) { > + return NULL; > + } > + > + // > + // Renew the pool if necessary. > + // > + if (mPageTablePool == NULL || > + Pages > mPageTablePool->FreePages) { > + if (!InitializePageTablePool (Pages)) { > + return NULL; > + } > + } > + > + Buffer = (UINT8 *)mPageTablePool + mPageTablePool->Offset; > + > + mPageTablePool->Offset += EFI_PAGES_TO_SIZE (Pages); > + mPageTablePool->FreePages -= Pages; > + > + return Buffer; > +} > + > /** > Split 2M page to 4K. > > @@ -144,7 +253,7 @@ Split2MPageTo4K ( > // > AddressEncMask = PcdGet64 (PcdPteMemoryEncryptionAddressOrMask) & > PAGING_1G_ADDRESS_MASK_64; > > - PageTableEntry = AllocatePages (1); > + PageTableEntry = AllocatePageTableMemory (1); > ASSERT (PageTableEntry != NULL); > > // > @@ -204,7 +313,7 @@ Split1GPageTo2M ( > // > AddressEncMask = PcdGet64 (PcdPteMemoryEncryptionAddressOrMask) & > PAGING_1G_ADDRESS_MASK_64; > > - PageDirectoryEntry = AllocatePages (1); > + PageDirectoryEntry = AllocatePageTableMemory (1); > ASSERT (PageDirectoryEntry != NULL); > > // > @@ -234,6 +343,184 @@ Split1GPageTo2M ( > } > } > > +/** > + Set one page of page table pool memory to be read-only. > + > + @param[in] PageTableBase Base address of page table (CR3). > + @param[in] Address Start address of a page to be set as read-only. > + @param[in] Level4Paging Level 4 paging flag. > + > +**/ > +VOID > +SetPageTablePoolReadOnly ( > + IN UINTN PageTableBase, > + IN EFI_PHYSICAL_ADDRESS Address, > + IN BOOLEAN Level4Paging > + ) > +{ > + UINTN Index; > + UINTN EntryIndex; > + UINT64 AddressEncMask; > + EFI_PHYSICAL_ADDRESS PhysicalAddress; > + UINT64 *PageTable; > + UINT64 *NewPageTable; > + UINT64 PageAttr; > + UINT64 LevelSize[5]; > + UINT64 LevelMask[5]; > + UINTN LevelShift[5]; > + UINTN Level; > + UINT64 PoolUnitSize; > + > + ASSERT (PageTableBase != 0); > + > + // > + // Since the page table is always from page table pool, which is > + always // located at the boundary of PcdPageTablePoolAlignment, we > + just need to // set the whole pool unit to be read-only. > + // > + Address = Address & PAGE_TABLE_POOL_ALIGN_MASK; > + > + LevelShift[1] = PAGING_L1_ADDRESS_SHIFT; LevelShift[2] = > + PAGING_L2_ADDRESS_SHIFT; LevelShift[3] = PAGING_L3_ADDRESS_SHIFT; > + LevelShift[4] = PAGING_L4_ADDRESS_SHIFT; > + > + LevelMask[1] = PAGING_4K_ADDRESS_MASK_64; LevelMask[2] = > + PAGING_2M_ADDRESS_MASK_64; LevelMask[3] = > PAGING_1G_ADDRESS_MASK_64; > + LevelMask[4] = PAGING_1G_ADDRESS_MASK_64; > + > + LevelSize[1] = SIZE_4KB; > + LevelSize[2] = SIZE_2MB; > + LevelSize[3] = SIZE_1GB; > + LevelSize[4] = SIZE_512GB; > + > + AddressEncMask = PcdGet64 (PcdPteMemoryEncryptionAddressOrMask) & > + PAGING_1G_ADDRESS_MASK_64; > + PageTable = (UINT64 *)(UINTN)PageTableBase; > + PoolUnitSize = PAGE_TABLE_POOL_UNIT_SIZE; > + > + for (Level = (Level4Paging) ? 4 : 3; Level > 0; --Level) { > + Index = ((UINTN)RShiftU64 (Address, LevelShift[Level])); > + Index &= PAGING_PAE_INDEX_MASK; > + > + PageAttr = PageTable[Index]; > + if ((PageAttr & IA32_PG_PS) == 0) { > + // > + // Go to next level of table. > + // > + PageTable = (UINT64 *)(UINTN)(PageAttr & ~AddressEncMask & > + PAGING_4K_ADDRESS_MASK_64); > + continue; > + } > + > + if (PoolUnitSize >= LevelSize[Level]) { > + // > + // Clear R/W bit if current page granularity is not larger than pool unit > + // size. > + // > + if ((PageAttr & IA32_PG_RW) != 0) { > + while (PoolUnitSize > 0) { > + // > + // PAGE_TABLE_POOL_UNIT_SIZE and PAGE_TABLE_POOL_ALIGNMENT > are fit in > + // one page (2MB). Then we don't need to update attributes for pages > + // crossing page directory. ASSERT below is for that purpose. > + // > + ASSERT (Index < EFI_PAGE_SIZE/sizeof (UINT64)); > + > + PageTable[Index] &= ~(UINT64)IA32_PG_RW; > + PoolUnitSize -= LevelSize[Level]; > + > + ++Index; > + } > + } > + > + break; > + > + } else { > + // > + // The smaller granularity of page must be needed. > + // > + NewPageTable = AllocatePageTableMemory (1); > + ASSERT (NewPageTable != NULL); > + > + PhysicalAddress = PageAttr & LevelMask[Level]; > + for (EntryIndex = 0; > + EntryIndex < EFI_PAGE_SIZE/sizeof (UINT64); > + ++EntryIndex) { > + NewPageTable[EntryIndex] = PhysicalAddress | AddressEncMask | > + IA32_PG_P | IA32_PG_RW; > + if (Level > 1) { > + NewPageTable[EntryIndex] |= IA32_PG_PS; > + } > + PhysicalAddress += LevelSize[Level]; > + } > + > + PageTable[Index] = (UINT64)(UINTN)NewPageTable | AddressEncMask | > + IA32_PG_P | IA32_PG_RW; > + PageTable = NewPageTable; > + } > + } > +} > + > +/** > + Prevent the memory pages used for page table from been overwritten. > + > + @param[in] PageTableBase Base address of page table (CR3). > + @param[in] Level4Paging Level 4 paging flag. > + > +**/ > +VOID > +EnablePageTableProtection ( > + IN UINTN PageTableBase, > + IN BOOLEAN Level4Paging > + ) > +{ > + PAGE_TABLE_POOL *HeadPool; > + PAGE_TABLE_POOL *Pool; > + UINT64 PoolSize; > + EFI_PHYSICAL_ADDRESS Address; > + > + if (mPageTablePool == NULL) { > + return; > + } > + > + // > + // Disable write protection, because we need to mark page table to be > + write // protected. > + // > + AsmWriteCr0 (AsmReadCr0() & ~CR0_WP); > + > + // > + // SetPageTablePoolReadOnly might update mPageTablePool. It's safer > + to // remember original one in advance. > + // > + HeadPool = mPageTablePool; > + Pool = HeadPool; > + do { > + Address = (EFI_PHYSICAL_ADDRESS)(UINTN)Pool; > + PoolSize = Pool->Offset + EFI_PAGES_TO_SIZE (Pool->FreePages); > + > + // > + // The size of one pool must be multiple of PAGE_TABLE_POOL_UNIT_SIZE, > which > + // is one of page size of the processor (2MB by default). Let's apply the > + // protection to them one by one. > + // > + while (PoolSize > 0) { > + SetPageTablePoolReadOnly(PageTableBase, Address, Level4Paging); > + Address += PAGE_TABLE_POOL_UNIT_SIZE; > + PoolSize -= PAGE_TABLE_POOL_UNIT_SIZE; > + } > + > + Pool = Pool->NextPool; > + } while (Pool != HeadPool); > + > + // > + // Enable write protection, after page table attribute updated. > + // > + AsmWriteCr0 (AsmReadCr0() | CR0_WP); > +} > + > /** > Allocates and fills in the Page Directory and Page Table Entries to > establish a 1:1 Virtual to Physical mapping. > @@ -329,7 +616,7 @@ CreateIdentityMappingPageTables ( > } else { > TotalPagesNum = NumberOfPml4EntriesNeeded + 1; > } > - BigPageAddress = (UINTN) AllocatePages (TotalPagesNum); > + BigPageAddress = (UINTN) AllocatePageTableMemory (TotalPagesNum); > ASSERT (BigPageAddress != 0); > > // > @@ -430,6 +717,12 @@ CreateIdentityMappingPageTables ( > ); > } > > + // > + // Protect the page table by marking the memory used for page table > + to be // read-only. > + // > + EnablePageTableProtection ((UINTN)PageMap, TRUE); > + > if (PcdGetBool (PcdSetNxForStack)) { > EnableExecuteDisableBit (); > } > diff --git a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h > b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h > index 7c9bb49e3e..b8cf43104e 100644 > --- a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h > +++ b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h > @@ -148,11 +148,37 @@ typedef union { > > #pragma pack() > > +#define CR0_WP BIT16 > + > #define IA32_PG_P BIT0 > #define IA32_PG_RW BIT1 > +#define IA32_PG_PS BIT7 > + > +#define PAGING_PAE_INDEX_MASK 0x1FF > > +#define PAGING_4K_ADDRESS_MASK_64 0x000FFFFFFFFFF000ull > +#define PAGING_2M_ADDRESS_MASK_64 0x000FFFFFFFE00000ull > #define PAGING_1G_ADDRESS_MASK_64 0x000FFFFFC0000000ull > > +#define PAGING_L1_ADDRESS_SHIFT 12 > +#define PAGING_L2_ADDRESS_SHIFT 21 > +#define PAGING_L3_ADDRESS_SHIFT 30 > +#define PAGING_L4_ADDRESS_SHIFT 39 > + > +#define PAGING_PML4E_NUMBER 4 > + > +#define PAGE_TABLE_POOL_ALIGNMENT BASE_2MB > +#define PAGE_TABLE_POOL_UNIT_SIZE SIZE_2MB > +#define PAGE_TABLE_POOL_UNIT_PAGES EFI_SIZE_TO_PAGES > +(PAGE_TABLE_POOL_UNIT_SIZE) #define PAGE_TABLE_POOL_ALIGN_MASK \ > + (~(EFI_PHYSICAL_ADDRESS)(PAGE_TABLE_POOL_ALIGNMENT - 1)) > + > +typedef struct { > + VOID *NextPool; > + UINTN Offset; > + UINTN FreePages; > +} PAGE_TABLE_POOL; > + > /** > Enable Execute Disable Bit. > > -- > 2.15.1.windows.2 ^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH v4 2/2] UefiCpuPkg/CpuDxe: Enable protection for newly added page table 2017-12-07 11:32 [PATCH v4 0/2] Enable page table write protection Jian J Wang 2017-12-07 11:32 ` [PATCH v4 1/2] MdeModulePkg/DxeIpl: Mark page table as read-only Jian J Wang @ 2017-12-07 11:32 ` Jian J Wang 1 sibling, 0 replies; 5+ messages in thread From: Jian J Wang @ 2017-12-07 11:32 UTC (permalink / raw) To: edk2-devel; +Cc: Jiewen Yao, Eric Dong, Laszlo Ersek, Ruiyu Ni > v4: > a. Fix an error in calculating/passing pool page number during initialization > b. Change comments to remove constants in description > v3: > Create driver's own page table pool instead of inheriting from DxeIpl. > v2: > Use the page table pool to allocate new page tables and save code > to enable protection for them separately. One of the functionalities of CpuDxe is to update memory paging attributes. If page table protection is applied, it must be disabled temporarily before any attributes update and enabled again afterwards. This patch makes use of the same way as DxeIpl to allocate page table memory from reserved memory pool, which helps to reduce potential "split" operation and recursive calling of SetMemorySpaceAttributes(). Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Eric Dong <eric.dong@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Ruiyu Ni <ruiyu.ni@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Jian J Wang <jian.j.wang@intel.com> --- UefiCpuPkg/CpuDxe/CpuDxe.c | 17 ++- UefiCpuPkg/CpuDxe/CpuDxe.h | 2 + UefiCpuPkg/CpuDxe/CpuPageTable.c | 223 +++++++++++++++++++++++++++++++++++++-- UefiCpuPkg/CpuDxe/CpuPageTable.h | 34 ++++++ 4 files changed, 267 insertions(+), 9 deletions(-) diff --git a/UefiCpuPkg/CpuDxe/CpuDxe.c b/UefiCpuPkg/CpuDxe/CpuDxe.c index 8ddebabd02..6ae2dcd1c7 100644 --- a/UefiCpuPkg/CpuDxe/CpuDxe.c +++ b/UefiCpuPkg/CpuDxe/CpuDxe.c @@ -25,6 +25,7 @@ BOOLEAN InterruptState = FALSE; EFI_HANDLE mCpuHandle = NULL; BOOLEAN mIsFlushingGCD; +BOOLEAN mIsAllocatingPageTable = FALSE; UINT64 mValidMtrrAddressMask; UINT64 mValidMtrrBitsMask; UINT64 mTimerPeriod = 0; @@ -407,6 +408,20 @@ CpuSetMemoryAttributes ( return EFI_SUCCESS; } + // + // During memory attributes updating, new pages may be allocated to setup + // smaller granularity of page table. Page allocation action might then cause + // another calling of CpuSetMemoryAttributes() recursively, due to memory + // protection policy configured (such as PcdDxeNxMemoryProtectionPolicy). + // Since this driver will always protect memory used as page table by itself, + // there's no need to apply protection policy requested from memory service. + // So it's safe to just return EFI_SUCCESS if this time of calling is caused + // by page table memory allocation. + // + if (mIsAllocatingPageTable) { + DEBUG((DEBUG_VERBOSE, " Allocating page table memory\n")); + return EFI_SUCCESS; + } CacheAttributes = Attributes & CACHE_ATTRIBUTE_MASK; MemoryAttributes = Attributes & MEMORY_ATTRIBUTE_MASK; @@ -487,7 +502,7 @@ CpuSetMemoryAttributes ( // // Set memory attribute by page table // - return AssignMemoryPageAttributes (NULL, BaseAddress, Length, MemoryAttributes, AllocatePages); + return AssignMemoryPageAttributes (NULL, BaseAddress, Length, MemoryAttributes, NULL); } /** diff --git a/UefiCpuPkg/CpuDxe/CpuDxe.h b/UefiCpuPkg/CpuDxe/CpuDxe.h index 9c0d22359d..540f5f2dbf 100644 --- a/UefiCpuPkg/CpuDxe/CpuDxe.h +++ b/UefiCpuPkg/CpuDxe/CpuDxe.h @@ -273,5 +273,7 @@ RefreshGcdMemoryAttributesFromPaging ( VOID ); +extern BOOLEAN mIsAllocatingPageTable; + #endif diff --git a/UefiCpuPkg/CpuDxe/CpuPageTable.c b/UefiCpuPkg/CpuDxe/CpuPageTable.c index 9658ed74c5..a9c9bc9d5e 100644 --- a/UefiCpuPkg/CpuDxe/CpuPageTable.c +++ b/UefiCpuPkg/CpuDxe/CpuPageTable.c @@ -87,6 +87,8 @@ PAGE_ATTRIBUTE_TABLE mPageAttributeTable[] = { {Page1G, SIZE_1GB, PAGING_1G_ADDRESS_MASK_64}, }; +PAGE_TABLE_POOL *mPageTablePool = NULL; + /** Enable write protection function for AP. @@ -172,10 +174,6 @@ GetCurrentPagingContext ( } if ((AsmReadCr0 () & BIT31) != 0) { PagingContext->ContextData.X64.PageTableBase = (AsmReadCr3 () & PAGING_4K_ADDRESS_MASK_64); - if ((AsmReadCr0 () & BIT16) == 0) { - AsmWriteCr0 (AsmReadCr0 () | BIT16); - SyncMemoryPageAttributesAp (SyncCpuEnableWriteProtection); - } } else { PagingContext->ContextData.X64.PageTableBase = 0; } @@ -561,6 +559,59 @@ SplitPage ( } } +/** + Check the WP status in CR0 register. This bit is used to lock or unlock write + access to pages marked as read-only. + + @retval TRUE Write protection is enabled. + @retval FALSE Write protection is disabled. +**/ +BOOLEAN +IsReadOnlyPageWriteProtected ( + VOID + ) +{ + return ((AsmReadCr0 () & BIT16) != 0); +} + +/** + Disable write protection function for AP. + + @param[in,out] Buffer The pointer to private data buffer. +**/ +VOID +EFIAPI +SyncCpuDisableWriteProtection ( + IN OUT VOID *Buffer + ) +{ + AsmWriteCr0 (AsmReadCr0() & ~BIT16); +} + +/** + Disable Write Protect on pages marked as read-only. +**/ +VOID +DisableReadOnlyPageWriteProtect ( + VOID + ) +{ + AsmWriteCr0 (AsmReadCr0() & ~BIT16); + SyncMemoryPageAttributesAp (SyncCpuDisableWriteProtection); +} + +/** + Enable Write Protect on pages marked as read-only. +**/ +VOID +EnableReadOnlyPageWriteProtect ( + VOID + ) +{ + AsmWriteCr0 (AsmReadCr0() | BIT16); + SyncMemoryPageAttributesAp (SyncCpuEnableWriteProtection); +} + /** This function modifies the page attributes for the memory region specified by BaseAddress and Length from their current attributes to the attributes specified by Attributes. @@ -609,6 +660,7 @@ ConvertMemoryPageAttributes ( PAGE_ATTRIBUTE SplitAttribute; RETURN_STATUS Status; BOOLEAN IsEntryModified; + BOOLEAN IsWpEnabled; if ((BaseAddress & (SIZE_4KB - 1)) != 0) { DEBUG ((DEBUG_ERROR, "BaseAddress(0x%lx) is not aligned!\n", BaseAddress)); @@ -665,14 +717,27 @@ ConvertMemoryPageAttributes ( if (IsModified != NULL) { *IsModified = FALSE; } + if (AllocatePagesFunc == NULL) { + AllocatePagesFunc = AllocatePageTableMemory; + } + + // + // Make sure that the page table is changeable. + // + IsWpEnabled = IsReadOnlyPageWriteProtected (); + if (IsWpEnabled) { + DisableReadOnlyPageWriteProtect (); + } // // Below logic is to check 2M/4K page to make sure we donot waist memory. // + Status = EFI_SUCCESS; while (Length != 0) { PageEntry = GetPageTableEntry (&CurrentPagingContext, BaseAddress, &PageAttribute); if (PageEntry == NULL) { - return RETURN_UNSUPPORTED; + Status = RETURN_UNSUPPORTED; + goto Done; } PageEntryLength = PageAttributeToLength (PageAttribute); SplitAttribute = NeedSplitPage (BaseAddress, Length, PageEntry, PageAttribute); @@ -690,11 +755,13 @@ ConvertMemoryPageAttributes ( Length -= PageEntryLength; } else { if (AllocatePagesFunc == NULL) { - return RETURN_UNSUPPORTED; + Status = RETURN_UNSUPPORTED; + goto Done; } Status = SplitPage (PageEntry, PageAttribute, SplitAttribute, AllocatePagesFunc); if (RETURN_ERROR (Status)) { - return RETURN_UNSUPPORTED; + Status = RETURN_UNSUPPORTED; + goto Done; } if (IsSplitted != NULL) { *IsSplitted = TRUE; @@ -709,7 +776,14 @@ ConvertMemoryPageAttributes ( } } - return RETURN_SUCCESS; +Done: + // + // Restore page table write protection, if any. + // + if (IsWpEnabled) { + EnableReadOnlyPageWriteProtect (); + } + return Status; } /** @@ -922,6 +996,127 @@ RefreshGcdMemoryAttributesFromPaging ( FreePool (MemorySpaceMap); } +/** + Initialize a buffer pool for page table use only. + + To reduce the potential split operation on page table, the pages reserved for + page table should be allocated in the times of PAGE_TABLE_POOL_UNIT_PAGES and + at the boundary of PAGE_TABLE_POOL_ALIGNMENT. So the page pool is always + initialized with number of pages greater than or equal to the given PoolPages. + + Once the pages in the pool are used up, this method should be called again to + reserve at least another PAGE_TABLE_POOL_UNIT_PAGES. Usually this won't happen + often in practice. + + @param[in] PoolPages The least page number of the pool to be created. + + @retval TRUE The pool is initialized successfully. + @retval FALSE The memory is out of resource. +**/ +BOOLEAN +InitializePageTablePool ( + IN UINTN PoolPages + ) +{ + VOID *Buffer; + BOOLEAN IsModified; + + // + // Always reserve at least PAGE_TABLE_POOL_UNIT_PAGES, including one page for + // header. + // + PoolPages += 1; // Add one page for header. + PoolPages = ((PoolPages - 1) / PAGE_TABLE_POOL_UNIT_PAGES + 1) * + PAGE_TABLE_POOL_UNIT_PAGES; + Buffer = AllocateAlignedPages (PoolPages, PAGE_TABLE_POOL_ALIGNMENT); + if (Buffer == NULL) { + DEBUG ((DEBUG_ERROR, "ERROR: Out of aligned pages\r\n")); + return FALSE; + } + + // + // Link all pools into a list for easier track later. + // + if (mPageTablePool == NULL) { + mPageTablePool = Buffer; + mPageTablePool->NextPool = mPageTablePool; + } else { + ((PAGE_TABLE_POOL *)Buffer)->NextPool = mPageTablePool->NextPool; + mPageTablePool->NextPool = Buffer; + mPageTablePool = Buffer; + } + + // + // Reserve one page for pool header. + // + mPageTablePool->FreePages = PoolPages - 1; + mPageTablePool->Offset = EFI_PAGES_TO_SIZE (1); + + // + // Mark the whole pool pages as read-only. + // + ConvertMemoryPageAttributes ( + NULL, + (PHYSICAL_ADDRESS)(UINTN)Buffer, + EFI_PAGES_TO_SIZE (PoolPages), + EFI_MEMORY_RO, + PageActionSet, + AllocatePageTableMemory, + NULL, + &IsModified + ); + ASSERT (IsModified == TRUE); + + return TRUE; +} + +/** + This API provides a way to allocate memory for page table. + + This API can be called more than once to allocate memory for page tables. + + Allocates the number of 4KB pages and returns a pointer to the allocated + buffer. The buffer returned is aligned on a 4KB boundary. + + If Pages is 0, then NULL is returned. + If there is not enough memory remaining to satisfy the request, then NULL is + returned. + + @param Pages The number of 4 KB pages to allocate. + + @return A pointer to the allocated buffer or NULL if allocation fails. + +**/ +VOID * +EFIAPI +AllocatePageTableMemory ( + IN UINTN Pages + ) +{ + VOID *Buffer; + + if (Pages == 0) { + return NULL; + } + + // + // Renew the pool if necessary. + // + if (mPageTablePool == NULL || + Pages > mPageTablePool->FreePages) { + if (!InitializePageTablePool (Pages)) { + return NULL; + } + } + + Buffer = (UINT8 *)mPageTablePool + mPageTablePool->Offset; + + mPageTablePool->Offset += EFI_PAGES_TO_SIZE (Pages); + mPageTablePool->FreePages -= Pages; + + return Buffer; +} + /** Initialize the Page Table lib. **/ @@ -933,6 +1128,18 @@ InitializePageTableLib ( PAGE_TABLE_LIB_PAGING_CONTEXT CurrentPagingContext; GetCurrentPagingContext (&CurrentPagingContext); + + // + // Reserve memory of page tables for future uses, if paging is enabled. + // + if (CurrentPagingContext.ContextData.X64.PageTableBase != 0 && + (CurrentPagingContext.ContextData.Ia32.Attributes & + PAGE_TABLE_LIB_PAGING_CONTEXT_IA32_X64_ATTRIBUTES_PAE) != 0) { + DisableReadOnlyPageWriteProtect (); + InitializePageTablePool (1); + EnableReadOnlyPageWriteProtect (); + } + DEBUG ((DEBUG_INFO, "CurrentPagingContext:\n", CurrentPagingContext.MachineType)); DEBUG ((DEBUG_INFO, " MachineType - 0x%x\n", CurrentPagingContext.MachineType)); DEBUG ((DEBUG_INFO, " PageTableBase - 0x%x\n", CurrentPagingContext.ContextData.X64.PageTableBase)); diff --git a/UefiCpuPkg/CpuDxe/CpuPageTable.h b/UefiCpuPkg/CpuDxe/CpuPageTable.h index eaff595b4c..48da9cdde7 100644 --- a/UefiCpuPkg/CpuDxe/CpuPageTable.h +++ b/UefiCpuPkg/CpuDxe/CpuPageTable.h @@ -50,6 +50,19 @@ typedef struct { PAGE_TABLE_LIB_PAGING_CONTEXT_DATA ContextData; } PAGE_TABLE_LIB_PAGING_CONTEXT; +#define PAGE_TABLE_POOL_ALIGNMENT BASE_2MB +#define PAGE_TABLE_POOL_UNIT_SIZE SIZE_2MB +#define PAGE_TABLE_POOL_UNIT_PAGES EFI_SIZE_TO_PAGES (PAGE_TABLE_POOL_UNIT_SIZE) +#define PAGE_TABLE_POOL_ALIGN_MASK \ + (~(EFI_PHYSICAL_ADDRESS)(PAGE_TABLE_POOL_ALIGNMENT - 1)) + +typedef struct { + VOID *NextPool; + UINTN Offset; + UINTN FreePages; +} PAGE_TABLE_POOL; + + /** Allocates one or more 4KB pages for page table. @@ -110,4 +123,25 @@ InitializePageTableLib ( VOID ); +/** + This API provides a way to allocate memory for page table. + + This API can be called more once to allocate memory for page tables. + + Allocates the number of 4KB pages of type EfiRuntimeServicesData and returns a pointer to the + allocated buffer. The buffer returned is aligned on a 4KB boundary. If Pages is 0, then NULL + is returned. If there is not enough memory remaining to satisfy the request, then NULL is + returned. + + @param Pages The number of 4 KB pages to allocate. + + @return A pointer to the allocated buffer or NULL if allocation fails. + +**/ +VOID * +EFIAPI +AllocatePageTableMemory ( + IN UINTN Pages + ); + #endif -- 2.15.1.windows.2 ^ permalink raw reply related [flat|nested] 5+ messages in thread
end of thread, other threads:[~2017-12-08 3:44 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2017-12-07 11:32 [PATCH v4 0/2] Enable page table write protection Jian J Wang 2017-12-07 11:32 ` [PATCH v4 1/2] MdeModulePkg/DxeIpl: Mark page table as read-only Jian J Wang 2017-12-08 3:04 ` Zeng, Star 2017-12-08 3:49 ` Wang, Jian J 2017-12-07 11:32 ` [PATCH v4 2/2] UefiCpuPkg/CpuDxe: Enable protection for newly added page table Jian J Wang
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox