From: "Ard Biesheuvel" To: devel@edk2.groups.io Cc: Ard Biesheuvel , Michael Kinney , Liming Gao , Jiewen Yao , Michael Kubacki , Sean Brogan , Rebecca Cran , Leif Lindholm , Sami Mujawar , Taylor Beebe Subject: [RFC PATCH 2/3] MdeModulePkg: Enable forward edge CFI in mem attributes table Date: Thu, 2 Feb 2023 19:03:34 +0100 Message-Id: <20230202180335.2256160-3-ardb@kernel.org> X-Mailer: git-send-email 2.39.1 In-Reply-To: <20230202180335.2256160-1-ardb@kernel.org> References: <20230202180335.2256160-1-ardb@kernel.org> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable The memory attributes table has been extended with a flag that indicates whether or not the OS is permitted to map the EFI runtime code regions with strict enforcement for IBT/BTI landing pad instructions. This is generally a property of the firmware build, and so we can permit a platform to set this property using a PCD, and put the burden on the platform definition to set the toolchain options accordingly. There is one snag, however: PE/COFF does not expose whether or not the code was generated with landing pads, so if any runtime DXE drivers were loaded from storage other than the firmware volumes, we must assume that setting the CFI flag in the memory attributes table is unsafe. Signed-off-by: Ard Biesheuvel --- MdeModulePkg/Core/Dxe/DxeMain.h | 2 ++ MdeModulePkg/Core/Dxe/DxeMain.inf | 1 + MdeModulePkg/Core/Dxe/Image/Image.c | 11 +++++++++++ MdeModulePkg/Core/Dxe/Misc/MemoryAttributesTable.c | 7 ++++++- MdeModulePkg/MdeModulePkg.dec | 8 ++++++++ 5 files changed, 28 insertions(+), 1 deletion(-) diff --git a/MdeModulePkg/Core/Dxe/DxeMain.h b/MdeModulePkg/Core/Dxe/DxeMai= n.h index 815a6b4bd844..427a5fc78f72 100644 --- a/MdeModulePkg/Core/Dxe/DxeMain.h +++ b/MdeModulePkg/Core/Dxe/DxeMain.h 
@@ -280,6 +280,8 @@ extern EFI_MEMORY_TYPE_INFORMATION gMemoryTypeInformat= ion[EfiMaxMemoryType + 1] extern BOOLEAN gDispatcherRunning;=0D extern EFI_RUNTIME_ARCH_PROTOCOL gRuntimeTemplate;=0D =0D +extern BOOLEAN gMemoryAttributesTableForwardCfi;=0D +=0D extern EFI_LOAD_FIXED_ADDRESS_CONFIGURATION_TABLE gLoadModuleAtFixAddress= ConfigurationTable;=0D extern BOOLEAN gLoadFixedAddressCodeMe= moryReady;=0D //=0D diff --git a/MdeModulePkg/Core/Dxe/DxeMain.inf b/MdeModulePkg/Core/Dxe/DxeM= ain.inf index 35d5bf0dee6f..e6ff67773a69 100644 --- a/MdeModulePkg/Core/Dxe/DxeMain.inf +++ b/MdeModulePkg/Core/Dxe/DxeMain.inf @@ -187,6 +187,7 @@ [Pcd] gEfiMdeModulePkgTokenSpaceGuid.PcdHeapGuardPropertyMask = ## CONSUMES=0D gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard = ## CONSUMES=0D gEfiMdeModulePkgTokenSpaceGuid.PcdFwVolDxeMaxEncapsulationDepth = ## CONSUMES=0D + gEfiMdeModulePkgTokenSpaceGuid.PcdMemoryAttributesTableForwardCfi = ## CONSUMES=0D =0D # [Hob]=0D # RESOURCE_DESCRIPTOR ## CONSUMES=0D diff --git a/MdeModulePkg/Core/Dxe/Image/Image.c b/MdeModulePkg/Core/Dxe/Im= age/Image.c index 06cc6744b8c6..181fefdb6657 100644 --- a/MdeModulePkg/Core/Dxe/Image/Image.c +++ b/MdeModulePkg/Core/Dxe/Image/Image.c @@ -1398,6 +1398,17 @@ CoreLoadImageCommon ( CoreNewDebugImageInfoEntry (EFI_DEBUG_IMAGE_INFO_TYPE_NORMAL, &Image->= Info, Image->Handle);=0D }=0D =0D + //=0D + // If we loaded a runtime DXE driver from something other than a FV, it= =0D + // was not built as part of the firmware image, and so we cannot assume= =0D + // that it was built with IBT/BTI landing pads for forward edge control= =0D + // flow integrity.=0D + //=0D + if (!ImageIsFromFv &&=0D + (Image->ImageContext.ImageCodeMemoryType =3D=3D EfiRuntimeServicesCo= de)) {=0D + gMemoryAttributesTableForwardCfi =3D FALSE;=0D + }=0D +=0D //=0D // Reinstall loaded image protocol to fire any notifications=0D //=0D 
diff --git a/MdeModulePkg/Core/Dxe/Misc/MemoryAttributesTable.c b/MdeModule= Pkg/Core/Dxe/Misc/MemoryAttributesTable.c index e07921371187..cdd35ade0a8a 100644 --- a/MdeModulePkg/Core/Dxe/Misc/MemoryAttributesTable.c +++ b/MdeModulePkg/Core/Dxe/Misc/MemoryAttributesTable.c @@ -89,6 +89,7 @@ BOOLEAN mMemoryAttributesTableEnable= =3D TRUE; BOOLEAN mMemoryAttributesTableEndOfDxe =3D FALSE;= =0D EFI_MEMORY_ATTRIBUTES_TABLE *mMemoryAttributesTable =3D NULL;=0D BOOLEAN mMemoryAttributesTableReadyToBoot =3D FALSE;= =0D +BOOLEAN gMemoryAttributesTableForwardCfi =3D FixedPc= dGetBool (PcdMemoryAttributesTableForwardCfi);=0D =0D /**=0D Install MemoryAttributesTable.=0D @@ -182,7 +183,11 @@ InstallMemoryAttributesTable ( MemoryAttributesTable->Version =3D EFI_MEMORY_ATTRIBUTES_TABLE_V= ERSION;=0D MemoryAttributesTable->NumberOfEntries =3D RuntimeEntryCount;=0D MemoryAttributesTable->DescriptorSize =3D (UINT32)DescriptorSize;=0D - MemoryAttributesTable->Reserved =3D 0;=0D + if (gMemoryAttributesTableForwardCfi) {=0D + MemoryAttributesTable->Flags =3D EFI_MEMORY_ATTRIBUTES_FLAGS_R= T_FORWARD_CONTROL_FLOW_GUARD;=0D + } else {=0D + MemoryAttributesTable->Flags =3D 0;=0D + }=0D DEBUG ((DEBUG_VERBOSE, "MemoryAttributesTable:\n"));=0D DEBUG ((DEBUG_VERBOSE, " Version - 0x%08x\n", MemoryAttrib= utesTable->Version));=0D DEBUG ((DEBUG_VERBOSE, " NumberOfEntries - 0x%08x\n", MemoryAttrib= utesTable->NumberOfEntries));=0D diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec index 9605c617b7a8..d336a38655a3 100644 --- a/MdeModulePkg/MdeModulePkg.dec +++ b/MdeModulePkg/MdeModulePkg.dec 
@@ -1093,6 +1093,14 @@ [PcdsFixedAtBuild] # @Prompt Enable UEFI Stack Guard.=0D gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard|FALSE|BOOLEAN|0x30001055= =0D =0D + ## Indicates whether the EFI memory attributes table will inform the OS = that=0D + # forward edge control flow guards have been inserted into the runtime = services=0D + # code regions.=0D + # TRUE - Runtime code has forward control flow guards.
=0D + # FALSE - Runtime code does not have forward control flow guards.
= =0D + # @Prompt Enable forward control flow guards in EFI memory attributes ta= ble=0D + gEfiMdeModulePkgTokenSpaceGuid.PcdMemoryAttributesTableForwardCfi|FALSE|= BOOLEAN|0x30001056=0D +=0D [PcdsFixedAtBuild, PcdsPatchableInModule]=0D ## Dynamic type PCD can be registered callback function for Pcd setting = action.=0D # PcdMaxPeiPcdCallBackNumberPerPcdEntry indicates the maximum number of= callback function=0D --=20 2.39.1
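Review bot: the `if (!ImageIsFromFv && ...)` block in the Image.c hunk clears gMemoryAttributesTableForwardCfi silently, which will make a missing flag in the published table hard to diagnose on a platform that set the PCD to TRUE; a `DEBUG ((DEBUG_INFO, "Runtime driver loaded outside FV, clearing forward edge CFI flag\n"));` inside the block (ideally naming the image) would make the cause visible in the log. It is also worth confirming that InstallMemoryAttributesTable is invoked again after such a load, because a runtime driver loaded after the table was first published would otherwise leave a table with the flag still set.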
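Review bot: the static initializer `FixedPcdGetBool (PcdMemoryAttributesTableForwardCfi)` in the @@ -89 hunk only compiles because the .dec hunk declares the PCD under [PcdsFixedAtBuild]; a one-line comment above the definition stating that the variable starts at the build-time value and is only ever cleared (never set back to TRUE) by the core would record both that constraint and the intended one-way semantics for whoever later considers making the PCD dynamic.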
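Review bot: the DEBUG dump immediately below the @@ -182 hunk prints Version, NumberOfEntries and DescriptorSize but not the new Flags field, so the verbose output cannot show whether the forward CFI flag was actually published; add a `DEBUG ((DEBUG_VERBOSE, "  Flags           - 0x%08x\n", MemoryAttributesTable->Flags));` line alongside the others. Note that this hunk replaces the `Reserved` assignment with `Flags` and references EFI_MEMORY_ATTRIBUTES_FLAGS_RT_FORWARD_CONTROL_FLOW_GUARD, neither of which is introduced in this patch, so it depends on the earlier patch in the series to build.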
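Review bot: the help text for PcdMemoryAttributesTableForwardCfi in the .dec hunk should state the contract the commit message describes: TRUE is an assertion by the platform that every runtime DXE driver in its firmware volumes was compiled with IBT/BTI landing pads, and a platform that sets it without the matching toolchain options will have the OS enforce landing pads on code that has none, so runtime service calls will fault. The description also says "control flow guards" while the PCD name says "ForwardCfi" and the commit message says "IBT/BTI landing pads"; using one term throughout would avoid confusion with the unrelated MSVC Control Flow Guard feature.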