From: Achin Gupta
To: Ard Biesheuvel
CC: Sughosh Ganu, edk2-devel@lists.01.org, nd
Date: Fri, 9 Nov 2018 13:27:18 +0000
Message-ID: <20181109132715.GM4897@e104320-lin>
Subject: Re: [PATCH v2 7/7] ArmPkg: Extra action to update permissions for S-ELO MM Image

Hi Ard,

Just a polite poke that Sughosh had posted the patches as I had described below
here [1] & here [2]. Please let us know what you think.

cheers,
Achin

[1] https://lists.01.org/pipermail/edk2-devel/2018-October/031377.html
[2] https://lists.01.org/pipermail/edk2-devel/2018-October/031384.html

On Wed, Oct 24, 2018 at 08:05:22AM -0300, Ard Biesheuvel wrote:
> On 24 October 2018 at 05:22, Achin Gupta wrote:
> > Hi Ard,
> >
> > Please see CIL..
> >
>
> FYI I will be on leave until 5th of November, so I will get to this
> once I get back.
>
> --
> Ard.
>
> > On Fri, Aug 24, 2018 at 03:55:29PM +0100, Ard Biesheuvel wrote:
> >> On 21 August 2018 at 07:50, Sughosh Ganu wrote:
> >> > hi Ard,
> >> >
> >> > On Tue July 23, 2018 at 11:03PM +0530, Supreeth Venkatesh wrote:
> >> >>
> >> >> On Sat, 2018-07-21 at 20:06 +0900, Ard Biesheuvel wrote:
> >> >> > On 20 July 2018 at 21:38, Sughosh Ganu wrote:
> >> >> > >
> >> >> > > From: Achin Gupta
> >> >> > >
> >> >> > > The Standalone MM drivers runs in S-EL0 in AArch64 on ARM Standard
> >> >> > > Platforms and is deployed during SEC phase.
> >> >> > > The memory allocated to the Standalone MM drivers should be
> >> >> > > marked as RO+X.
> >> >> > >
> >> >> > > During PE/COFF Image section parsing, this patch implements extra
> >> >> > > action "UpdatePeCoffPermissions" to request the privileged firmware
> >> >> > > in EL3 to update the permissions.
> >> >> > >
> >> >> > > Contributed-under: TianoCore Contribution Agreement 1.1
> >> >> > > Signed-off-by: Sughosh Ganu
> >> >> > Apologies for bringing this up only now, but I don't think I was ever
> >> >> > cc'ed on these patches.
> >> >> >
> >> >> Apologies if you have missed it. But I am pretty sure it was part of
> >> >> earlier large patch-set on which you and leif were copied, as it was
> >> >> part of ArmPkg.
> >> >> >
> >> >> > We are relying on a debug hook in the PE/COFF loader to ensure that
> >> >> > we don't end up with memory that is both writable and executable in
> >> >> > the secure world. Do we really think that is a good idea?
> >> >> >
> >> >> > (I know this code was derived from a proof of concept that I did
> >> >> > years ago, but that was just a PoC)
> >> >> I think we need a little bit more details on what is your suggestion?
> >> >>
> >> >> A little bit background here: This code runs in S-EL0 and Request gets
> >> >> sent to secure world SPM to ensure that the region permissions are
> >> >> updated correctly via the "ArmMmuStandaloneMmCoreLib" SVC -
> >> >> ARM_SVC_ID_SP_SET_MEM_ATTRIBUTES_AARCH64.
> >> >>
> >> >> DebugPeCoffExtraActionLib is just used to extract image region
> >> >> information, but the region permission
> >> >> update request is sent to secure world for validation.
> >> >>
> >> >> With the above explanation, can you provide an insight into what was
> >> >> your thinking?
> >> >> Do you want us to create a separate library and call it
> >> >> as PeCoffExtraActionLib to avoid the "Debug" word though it is a hook
> >> >> to PeCoffExtraActionLib in MdePkg or do we want to create this library
> >> >> in a separate package (may be in MdePkg?) or something totally
> >> >> different.
> >> >
> >> > Supreeth had replied to your comments on the patch. Can you please
> >> > check this. If you feel that this needs to be implemented differently,
> >> > can you please suggest it to us. Thanks.
> >> >
> >>
> >> My point is that such a fundamental action that needs to occur while
> >> loading the PE/COFF image should not be hooked into the loader this
> >> way.
> >
> > Based upon our discussion at the Linaro Connect, we investigated leveraging the
> > DXE Image Protection support [1] in Standalone MM (StMM). Amongst other
> > challenges, there is a chicken and egg problem. I will try and explain.
> >
> > DXE Memory protection has dependencies that cannot be fulfilled in StMM. A
> > non-exhaustive list is:
> >
> > 1. Dependency on CPU_ARCH protocol
> > 2. Dependency on Loaded Image patch protocol
> > 3. Dependency on Boot services
> >
> > There is an inherent assumption that this support will never be used in
> > SMM. Furthermore, in StMM, permissions are changed when the StMM drivers are
> > first dispatched. A dependency on a driver to change the permissions is the
> > chicken and egg. So we need a library.
> >
> > One option is to introduce a memory protection library in StMM i.e. a library
> > interface like StandaloneMmImageProtect(). This function will be called from
> > generic code after the PE-COFF loader has loaded and relocated the StMM driver
> > image. However, this support is not required on x86. They will have to include a
> > NULL library implementation. This would be in addition to the NULL
> > PeCoffExtraActionLib they already include through MdePkg.dsc.
> >
> > I am hesitant to take this approach in the absence of a requirement on x86. At
> > the same time, the current approach of leveraging the DebugPeCoffExtraActionLib
> > in ArmPkg does not make sense either.
> >
> > IMO, the better approach would be to add a AArch64 specific
> > StandaloneMmPeCoffExtraActionLib in the StandaloneMmPkg. Memory protection will
> > be implemented in the relocation hook. There will be no impact on x86 or the
> > ArmPkg. If in future there is a requirement to support this feature on x86 as
> > well, then a separate library could be implemented.
> >
> > Please let us know if this sounds reasonable to you. Sughosh will be posting the
> > patches with this approach in a bit to aid the discussion.
> >
> > Cheers,
> > Achin
> >
> > [1] MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c
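
The permission step this thread discusses, as an added example that is not code from the posted patches or from edk2: after an image is loaded and relocated, each PE/COFF section is mapped to RO+X, RW+XN or RO+XN, and an image that would need writable and executable memory, or whose sections share a page, is refused. It goes slightly beyond the thread by covering data sections too; the type names, the 4 KiB granule, the sorted-by-address assumption and the sample section tables are all assumptions made here.

```c
#include <stddef.h>
#include <stdint.h>

/* Section Characteristics bits from the PE/COFF specification. */
#define SCN_MEM_EXECUTE 0x20000000u
#define SCN_MEM_WRITE   0x80000000u
#define PAGE_4K         0x1000u

/* Hypothetical names; a real library would map these to its SVC arguments. */
typedef enum { PERM_RO_XN, PERM_RW_XN, PERM_RO_X, PERM_REJECT } perm_t;
typedef struct { uint32_t va, size, characteristics; } section_t;

/* Attributes for one section; W+X and non-page-aligned sections are refused. */
perm_t section_perm(const section_t *s)
{
    int w = (s->characteristics & SCN_MEM_WRITE) != 0;
    int x = (s->characteristics & SCN_MEM_EXECUTE) != 0;
    if (s->va % PAGE_4K != 0 || (w && x)) return PERM_REJECT;
    if (x) return PERM_RO_X;
    return w ? PERM_RW_XN : PERM_RO_XN;
}

/* Fill out[] for n sections sorted by address. Returns -1 if any section is
 * refused or starts in a page the previous section already occupies. */
int image_perms(const section_t *secs, size_t n, perm_t *out)
{
    uint64_t prev_end = 0, mask = ~(uint64_t)(PAGE_4K - 1);
    for (size_t i = 0; i < n; i++) {
        out[i] = section_perm(&secs[i]);
        if (out[i] == PERM_REJECT || secs[i].va < prev_end) return -1;
        prev_end = ((uint64_t)secs[i].va + secs[i].size + PAGE_4K - 1) & mask;
    }
    return 0;
}

/* Constructed sample images, not taken from a real binary. */
static const section_t good_image[] = {   /* .text, .data, .reloc */
    {0x1000, 0x2345, 0x60000020u}, {0x4000, 0x100, 0xC0000040u}, {0x5000, 0x80, 0x42000040u} };
static const section_t wx_image[]     = { {0x1000, 0x200, 0xE0000020u} };
static const section_t shared_image[] = { {0x1000, 0x1800, 0x60000020u}, {0x2000, 0x100, 0xC0000040u} };
static perm_t sample_out[3];

int main(void)
{
    int ok = image_perms(good_image, 3, sample_out) == 0
          && image_perms(wx_image, 1, sample_out) == -1
          && image_perms(shared_image, 2, sample_out) == -1;
    return ok ? 0 : 1;
}
```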