From: Achin Gupta
To: Ard Biesheuvel
CC: Sughosh Ganu, "edk2-devel@lists.01.org", nd
Date: Wed, 24 Oct 2018 08:22:14 +0000
Message-ID: <20181024082212.GD4897@e104320-lin>
Subject: Re: [PATCH v2 7/7] ArmPkg: Extra action to update permissions for S-ELO MM Image

Hi Ard,

Please see CIL..

On Fri, Aug 24, 2018 at 03:55:29PM +0100, Ard Biesheuvel wrote:
> On 21 August 2018 at 07:50, Sughosh Ganu wrote:
> > Hi Ard,
> >
> > On Tue July 23, 2018 at 11:03PM +0530, Supreeth Venkatesh wrote:
> >>
> >> On Sat, 2018-07-21 at 20:06 +0900, Ard Biesheuvel wrote:
> >> > On 20 July 2018 at 21:38, Sughosh Ganu wrote:
> >> > >
> >> > > From: Achin Gupta
> >> > >
> >> > > The Standalone MM drivers runs in S-EL0 in AArch64 on ARM Standard
> >> > > Platforms and is deployed during SEC phase. The memory allocated to
> >> > > the Standalone MM drivers should be marked as RO+X.
> >> > >
> >> > > During PE/COFF Image section parsing, this patch implements extra
> >> > > action "UpdatePeCoffPermissions" to request the privileged firmware
> >> > > in EL3 to update the permissions.
> >> > >
> >> > > Contributed-under: TianoCore Contribution Agreement 1.1
> >> > > Signed-off-by: Sughosh Ganu
> >> > Apologies for bringing this up only now, but I don't think I was ever
> >> > cc'ed on these patches.
> >> >
> >> Apologies if you have missed it. But I am pretty sure it was part of
> >> earlier large patch-set on which you and Leif were copied, as it was
> >> part of ArmPkg.
> >> >
> >> > We are relying on a debug hook in the PE/COFF loader to ensure that
> >> > we don't end up with memory that is both writable and executable in
> >> > the secure world. Do we really think that is a good idea?
> >> >
> >> > (I know this code was derived from a proof of concept that I did
> >> > years ago, but that was just a PoC)
> >> I think we need a little bit more details on what is your suggestion?
> >>
> >> A little bit background here: This code runs in S-EL0 and Request gets
> >> sent to secure world SPM to ensure that the region permissions are
> >> updated correctly via the "ArmMmuStandaloneMmCoreLib" SVC -
> >> ARM_SVC_ID_SP_SET_MEM_ATTRIBUTES_AARCH64.
> >>
> >> DebugPeCoffExtraActionLib is just used to extract image region
> >> information, but the region permission
> >> update request is sent to secure world for validation.
> >>
> >> With the above explanation, can you provide an insight into what was
> >> your thinking?
> >> Do you want us to create a separate library and call it
> >> as PeCoffExtraActionLib to avoid the "Debug" word though it is a hook
> >> to PeCoffExtraActionLib in MdePkg or do we want to create this library
> >> in a separate package (may be in MdePkg?) or something totally
> >> different.
> >
> > Supreeth had replied to your comments on the patch. Can you please
> > check this. If you feel that this needs to be implemented differently,
> > can you please suggest it to us. Thanks.
> >
>
> My point is that such a fundamental action that needs to occur while
> loading the PE/COFF image should not be hooked into the loader this
> way.

Based upon our discussion at the Linaro Connect, we investigated leveraging
the DXE Image Protection support [1] in Standalone MM (StMM). Amongst other
challenges, there is a chicken and egg problem. I will try and explain.

DXE Memory protection has dependencies that cannot be fulfilled in StMM. A
non-exhaustive list is:

1. Dependency on CPU_ARCH protocol
2. Dependency on Loaded Image patch protocol
3. Dependency on Boot services

There is an inherent assumption that this support will never be used in
SMM. Furthermore, in StMM, permissions are changed when the StMM drivers are
first dispatched. A dependency on a driver to change the permissions is the
chicken and egg. So we need a library.

One option is to introduce a memory protection library in StMM i.e. a library
interface like StandaloneMmImageProtect(). This function will be called from
generic code after the PE-COFF loader has loaded and relocated the StMM driver
image. However, this support is not required on x86. They will have to include
a NULL library implementation. This would be in addition to the NULL
PeCoffExtraActionLib they already include through MdePkg.dsc.

I am hesitant to take this approach in the absence of a requirement on x86. At
the same time, the current approach of leveraging the DebugPeCoffExtraActionLib
in ArmPkg does not make sense either.

IMO, the better approach would be to add an AArch64 specific
StandaloneMmPeCoffExtraActionLib in the StandaloneMmPkg. Memory protection will
be implemented in the relocation hook. There will be no impact on x86 or the
ArmPkg. If in future there is a requirement to support this feature on x86 as
well, then a separate library could be implemented.

Please let us know if this sounds reasonable to you. Sughosh will be posting
the patches with this approach in a bit to aid the discussion.

Cheers,
Achin

[1] MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c
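
The per-section decision that a post-relocation hook of the kind discussed above has to make, as an added example that is not part of the original message and not EDK2 code: it maps PE/COFF section flags to a permission request and refuses any section that would be writable and executable. The names `perm_t`, `section_permission` and `plan_image_permissions`, the 4 KiB page size and the sample sections are assumptions made for illustration; the call that asks the privileged firmware to apply the permissions is left out.

```c
#include <stddef.h>
#include <stdint.h>

/* PE/COFF section characteristic flags (values from the PE/COFF spec). */
#define SCN_MEM_EXECUTE 0x20000000u
#define SCN_MEM_WRITE   0x80000000u
#define PAGE_SIZE_4K    0x1000u   /* assumed translation granule */

/* Hypothetical permission requests; not EDK2 or SPM identifiers. */
typedef enum { PERM_RO_X, PERM_RO_XN, PERM_RW_XN, PERM_REJECT } perm_t;

/* Reduced section header: offset from image base, size, flags. */
typedef struct { uint32_t va, size, flags; } section_t;

/* Permission to request for one section once relocation is done. Attributes
 * change per page, so an unaligned section is rejected, as is write+execute. */
perm_t section_permission(const section_t *s)
{
    int w = (s->flags & SCN_MEM_WRITE) != 0;
    int x = (s->flags & SCN_MEM_EXECUTE) != 0;
    if (s->size == 0 || s->va % PAGE_SIZE_4K != 0 || (w && x))
        return PERM_REJECT;
    if (x) return PERM_RO_X;
    return w ? PERM_RW_XN : PERM_RO_XN;
}

/* Fill out[] per section; -1 on the first rejected one (do not dispatch). */
int plan_image_permissions(const section_t *secs, size_t n, perm_t *out)
{
    for (size_t i = 0; i < n; i++) {
        out[i] = section_permission(&secs[i]);
        if (out[i] == PERM_REJECT)
            return -1;
    }
    return 0;
}

/* Constructed sample: .text, .rdata and .data of a made-up driver. */
const section_t sample_ok[3] = {
    { 0x1000, 0x2345, 0x60000020u }, /* execute + read */
    { 0x4000, 0x0800, 0x40000040u }, /* read only      */
    { 0x5000, 0x0100, 0xC0000040u }, /* read + write   */
};

int main(void)
{
    perm_t out[3];
    return plan_image_permissions(sample_ok, 3, out);
}
```

Failing closed on a rejected section means a mislinked driver is never dispatched from memory that is still writable.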