From: Achin Gupta <Achin.Gupta@arm.com>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Sughosh Ganu <Sughosh.Ganu@arm.com>,
"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>,
nd <nd@arm.com>
Subject: Re: [PATCH v2 7/7] ArmPkg: Extra action to update permissions for S-ELO MM Image
Date: Wed, 24 Oct 2018 08:22:14 +0000 [thread overview]
Message-ID: <20181024082212.GD4897@e104320-lin> (raw)
In-Reply-To: <CAKv+Gu-zgpMSxs3C1CGvuo4Fe0kWYQ64CwNVBJnOH=dxzJ5cDw@mail.gmail.com>
Hi Ard,
Please see CIL..
On Fri, Aug 24, 2018 at 03:55:29PM +0100, Ard Biesheuvel wrote:
> On 21 August 2018 at 07:50, Sughosh Ganu <sughosh.ganu@arm.com> wrote:
> > hi Ard,
> >
> > On Tue July 23, 2018 at 11:03PM +0530, Supreeth Venkatesh wrote:
> >>
> >> On Sat, 2018-07-21 at 20:06 +0900, Ard Biesheuvel wrote:
> >> > On 20 July 2018 at 21:38, Sughosh Ganu <sughosh.ganu@arm.com> wrote:
> >> > >
> >> > > From: Achin Gupta <achin.gupta@arm.com>
> >> > >
> >> > > The Standalone MM drivers runs in S-EL0 in AArch64 on ARM Standard
> >> > > Platforms and is deployed during SEC phase. The memory allocated to
> >> > > the Standalone MM drivers should be marked as RO+X.
> >> > >
> >> > > During PE/COFF Image section parsing, this patch implements extra
> >> > > action "UpdatePeCoffPermissions" to request the privileged firmware
> >> > > in
> >> > > EL3 to update the permissions.
> >> > >
> >> > > Contributed-under: TianoCore Contribution Agreement 1.1
> >> > > Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com>
> >> > Apologies for bringing this up only now, but I don't think I was ever
> >> > cc'ed on these patches.
> >> >
> >> Apologies if you have missed it. But I am pretty sure it was part of
> >> earlier large patch-set on which you and leif were copied, as it was
> >> part of ArmPkg.
> >> >
> >> > We are relying on a debug hook in the PE/COFF loader to ensure that
> >> > we
> >> > don't end up with memory that is both writable and executable in the
> >> > secure world. Do we really think that is a good idea?
> >> >
> >> > (I know this code was derived from a proof of concept that I did
> >> > years
> >> > ago, but that was just a PoC)
> >> I think we need a little bit more details on what is your suggestion?
> >>
> >> A little bit background here: This code runs in S-EL0 and Request gets
> >> sent to secure world SPM to ensure that the region permissions are
> >> updated correctly via the "ArmMmuStandaloneMmCoreLib" SVC -
> >> ARM_SVC_ID_SP_SET_MEM_ATTRIBUTES_AARCH64.
> >>
> >> DebugPeCoffExtraActionLib is just used to extract image region
> >> information, but the region permission
> >> update request is sent to secure world for validation.
> >>
> >> With the above explanation, can you provide an insight into what was
> >> your thinking?
> >> Do you want us to create a separate library and call it
> >> as PeCoffExtraActionLib to avoid the "Debug" word though it is a hook
> >> to PeCoffExtraActionLib in MdePkg or do we want to create this library
> >> in a separate package (may be in MdePkg?) or something totally
> >> different.
> >
> > Supreeth had replied to your comments on the patch. Can you please
> > check this. If you feel that this needs to be implemented differently,
> > can you please suggest it to us. Thanks.
> >
>
> My point is that such a fundamental action that needs to occur while
> loading the PE/COFF image should not be hooked into the loader this
> way.
Based upon our discussion at the Linaro Connect, we investigated leveraging the
DXE Image Protection support [1] in Standalone MM (StMM). Amongst other
challenges, there is a chicken and egg problem. I will try and explain.
DXE Memory protection has dependencies that cannot be fulfilled in StMM. A
non-exhaustive list is:
1. Dependency on CPU_ARCH protocol
2. Dependency on Loaded Image patch protocol
3. Dependency on Boot services
There is an inherent assumption that this support will never be used in
SMM. Furthermore, in StMM, permissions are changed when the StMM drivers are
first dispatched. A dependency on a driver to change the permissions is the
chicken and egg. So we need a library.
One option is to introduce a memory protection library in StMM i.e. a library
interface like StandaloneMmImageProtect(). This function will be called from
generic code after the PE-COFF loader has loaded and relocated the StMM driver
image. However, this support is not required on x86. They will have to include a
NULL library implementation. This would be in addition to the NULL
PeCoffExtraActionLib they already include through MdePkg.dsc.
I am hesitant to take this approach in the absence of a requirement on x86. At
the same time, the current approach of leveraging the DebugPeCoffExtraActionLib
in ArmPkg does not make sense either.
IMO, the better approach would be to add a AArch64 specific
StandaloneMmPeCoffExtraActionLib in the StandaloneMmPkg. Memory protection will
be implemented in the relocation hook. There will be no impact on x86 or the
ArmPkg. If in future there is a requirement to support this feature on x86 as
well, then a separate library could be implemented.
Please let us know if this sounds reasonable to you. Sughosh will be posting the
patches with this approach in a bit to aid the discussion.
Cheers,
Achin
[1] MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
next prev parent reply other threads:[~2018-10-24 8:22 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-20 12:38 [PATCH v2 0/7] ArmPkg related changes for StandaloneMM package Sughosh Ganu
2018-07-20 12:38 ` [PATCH v2 1/7] ArmPkg: Add PCDs needed for MM communication driver Sughosh Ganu
2018-07-20 12:38 ` [PATCH v2 2/7] ArmPkg/Drivers: Add EFI_MM_COMMUNICATION_PROTOCOL DXE driver Sughosh Ganu
2018-07-20 12:38 ` [PATCH v2 3/7] ArmPkg/Include: Fix the SPM version SVC ID Sughosh Ganu
2018-07-20 12:38 ` [PATCH v2 4/7] ArmPkg/Include: Add MM interface SVC return codes Sughosh Ganu
2018-07-20 12:38 ` [PATCH v2 5/7] ArmPkg/ArmMmuLib: Add MMU Library suitable for use in S-EL0 Sughosh Ganu
2018-07-20 12:38 ` [PATCH v2 6/7] ArmPkg/ArmMmuLib: Add MMU library inf file " Sughosh Ganu
2018-07-20 12:38 ` [PATCH v2 7/7] ArmPkg: Extra action to update permissions for S-ELO MM Image Sughosh Ganu
2018-07-21 11:06 ` Ard Biesheuvel
2018-07-23 17:33 ` Supreeth Venkatesh
[not found] ` <CAHxXkBfPzG5Z+oWmQeV_zKu7a0nOEW54jmPd1uJT_XkUZAmb-g@mail.gmail.com>
2018-08-21 6:50 ` Sughosh Ganu
2018-08-24 14:55 ` Ard Biesheuvel
2018-08-28 14:30 ` Achin Gupta
2018-10-24 8:22 ` Achin Gupta [this message]
2018-10-24 11:05 ` Ard Biesheuvel
2018-11-09 13:27 ` Achin Gupta
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181024082212.GD4897@e104320-lin \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox