From: "Ard Biesheuvel" <ardb@kernel.org>
To: devel@edk2.groups.io
Cc: "Ard Biesheuvel" <ardb@kernel.org>,
"Michael Kinney" <michael.d.kinney@intel.com>,
"Liming Gao" <gaoliming@byosoft.com.cn>,
"Jiewen Yao" <jiewen.yao@intel.com>,
"Michael Kubacki" <michael.kubacki@microsoft.com>,
"Sean Brogan" <sean.brogan@microsoft.com>,
"Rebecca Cran" <quic_rcran@quicinc.com>,
"Leif Lindholm" <quic_llindhol@quicinc.com>,
"Sami Mujawar" <sami.mujawar@arm.com>,
"Taylor Beebe" <t@taylorbeebe.com>,
"Marvin Häuser" <mhaeuser@posteo.de>
Subject: [RFC PATCH v2 4/7] MdePkg/BasePeCoffLib: Add generic plumbing to detect IBT/BTI support
Date: Fri, 3 Feb 2023 13:10:26 +0100
Message-ID: <20230203121029.2451394-5-ardb@kernel.org>
In-Reply-To: <20230203121029.2451394-1-ardb@kernel.org>
Add an internal helper that detects whether or not a loaded PE/COFF
image was built with support for forward edge control flow guards.
The default implementation will return FALSE; architectures can
specialize this based on arch-specific criteria.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
MdePkg/Include/Library/PeCoffLib.h | 5 +++++
MdePkg/Library/BasePeCoffLib/Arm/PeCoffLoaderEx.c | 16 ++++++++++++++++
MdePkg/Library/BasePeCoffLib/BasePeCoff.c | 7 +++++--
MdePkg/Library/BasePeCoffLib/BasePeCoffLibInternals.h | 13 +++++++++++++
MdePkg/Library/BasePeCoffLib/LoongArch/PeCoffLoaderEx.c | 16 ++++++++++++++++
MdePkg/Library/BasePeCoffLib/PeCoffLoaderEx.c | 16 ++++++++++++++++
MdePkg/Library/BasePeCoffLib/RiscV/PeCoffLoaderEx.c | 16 ++++++++++++++++
7 files changed, 87 insertions(+), 2 deletions(-)
diff --git a/MdePkg/Include/Library/PeCoffLib.h b/MdePkg/Include/Library/PeCoffLib.h
index b45879453785..98988e566001 100644
--- a/MdePkg/Include/Library/PeCoffLib.h
+++ b/MdePkg/Include/Library/PeCoffLib.h
@@ -182,6 +182,11 @@ typedef struct {
///
BOOLEAN IsTeImage;
///
+ /// Set by PeCoffLoaderGetImageInfo() to TRUE if the image's entrypoint has
+ /// a forward control flow guard instruction, such as ENDBR on X86 for IBT.
+ ///
+ BOOLEAN HasForwardControlFlowGuards;
+ ///
/// Set by PeCoffLoaderLoadImage() to the HII resource offset
/// if the image contains a custom PE/COFF resource with the type 'HII'.
/// Otherwise, the entry remains to be 0.
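Review bot: the new field comment names PeCoffLoaderGetImageInfo() as the setter, but the only assignment in this patch is in the PeCoffLoaderLoadImage hunk of BasePeCoff.c. Reword it to "Set by PeCoffLoaderLoadImage()", matching the HII resource offset field just below, so callers know the value is not valid until the image has been loaded. The expanded field list in the BasePeCoff.c comment hunk ("DebugDirectoryEntryRva and HasForwardControlFlowGuards fields") needs the same correction.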
diff --git a/MdePkg/Library/BasePeCoffLib/Arm/PeCoffLoaderEx.c b/MdePkg/Library/BasePeCoffLib/Arm/PeCoffLoaderEx.c
index 595377bed661..82d9f548ca54 100644
--- a/MdePkg/Library/BasePeCoffLib/Arm/PeCoffLoaderEx.c
+++ b/MdePkg/Library/BasePeCoffLib/Arm/PeCoffLoaderEx.c
@@ -234,3 +234,19 @@ PeHotRelocateImageEx (
return RETURN_SUCCESS;
}
+
+/**
+ Returns whether the image implements forward control flow guards.
+
+ @param ImageContext The context of the image being loaded.
+
+ @return TRUE if the image implements forward control flow guards
+
+**/
+BOOLEAN
+PeCoffLoaderCheckForwardControlFlowGuards (
+ IN CONST PE_COFF_LOADER_IMAGE_CONTEXT *ImageContext,
+ )
+{
+ return FALSE;
+}
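Review bot: the parameter list ends in `*ImageContext,` directly before `)`, and a trailing comma after the last parameter is not valid C, so this file will not compile. The prototype added to BasePeCoffLibInternals.h has no comma; drop it here and in the identical stubs added to LoongArch/PeCoffLoaderEx.c, PeCoffLoaderEx.c and RiscV/PeCoffLoaderEx.c.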
diff --git a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
index 85ada399e303..8886b3d3feff 100644
--- a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+++ b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
@@ -545,8 +545,9 @@ PeCoffLoaderGetPeHeader (
Retrieves information about a PE/COFF image.
Computes the PeCoffHeaderOffset, IsTeImage, ImageType, ImageAddress, ImageSize,
- DestinationAddress, RelocationsStripped, SectionAlignment, SizeOfHeaders, and
- DebugDirectoryEntryRva fields of the ImageContext structure.
+ DestinationAddress, RelocationsStripped, SectionAlignment, SizeOfHeaders,
+ DebugDirectoryEntryRva and HasForwardControlFlowGuards fields of the
+ ImageContext structure.
If ImageContext is NULL, then return RETURN_INVALID_PARAMETER.
If the PE/COFF image accessed through the ImageRead service in the ImageContext
structure is not a supported PE/COFF image type, then return RETURN_UNSUPPORTED.
@@ -1429,6 +1430,8 @@ PeCoffLoaderLoadImage (
);
}
+ ImageContext->HasForwardControlFlowGuards = PeCoffLoaderCheckForwardControlFlowGuards (ImageContext);
+
//
// Determine the size of the fixup data
//
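Review bot: HasForwardControlFlowGuards is assigned only at this point in PeCoffLoaderLoadImage, and nothing in the patch gives it a value earlier, so a caller that reads it from a context that has not been through a load sees whatever the structure happened to contain. Consider clearing it to FALSE where the other context fields are first computed, so the flag can never read as TRUE for an image that was not checked; a stale TRUE would overstate what the image supports.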
diff --git a/MdePkg/Library/BasePeCoffLib/BasePeCoffLibInternals.h b/MdePkg/Library/BasePeCoffLib/BasePeCoffLibInternals.h
index a29a6febe98f..3bf1b7f535fd 100644
--- a/MdePkg/Library/BasePeCoffLib/BasePeCoffLibInternals.h
+++ b/MdePkg/Library/BasePeCoffLib/BasePeCoffLibInternals.h
@@ -119,4 +119,17 @@ PeCoffLoaderImageAddress (
IN UINTN TeStrippedOffset
);
+/**
+ Returns whether the image implements forward control flow guards.
+
+ @param ImageContext The context of the image being loaded.
+
+ @return TRUE if the image implements forward control flow guards
+
+**/
+BOOLEAN
+PeCoffLoaderCheckForwardControlFlowGuards (
+ IN CONST PE_COFF_LOADER_IMAGE_CONTEXT *ImageContext
+ );
+
#endif
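Review bot: the header comment documents only the TRUE case, so FALSE covers both "this architecture has no detection" (the stubs in this patch) and "the image was checked and lacks guards". Add a description of the FALSE return that says so, and state whether ImageContext must describe an already loaded image, since the only caller in this patch invokes the helper from PeCoffLoaderLoadImage.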
diff --git a/MdePkg/Library/BasePeCoffLib/LoongArch/PeCoffLoaderEx.c b/MdePkg/Library/BasePeCoffLib/LoongArch/PeCoffLoaderEx.c
index 417096f33493..b3d01f0a4be9 100644
--- a/MdePkg/Library/BasePeCoffLib/LoongArch/PeCoffLoaderEx.c
+++ b/MdePkg/Library/BasePeCoffLib/LoongArch/PeCoffLoaderEx.c
@@ -135,3 +135,19 @@ PeHotRelocateImageEx (
// To check
return PeCoffLoaderRelocateImageEx (Reloc, Fixup, FixupData, Adjust);
}
+
+/**
+ Returns whether the image implements forward control flow guards.
+
+ @param ImageContext The context of the image being loaded.
+
+ @return TRUE if the image implements forward control flow guards
+
+**/
+BOOLEAN
+PeCoffLoaderCheckForwardControlFlowGuards (
+ IN CONST PE_COFF_LOADER_IMAGE_CONTEXT *ImageContext,
+ )
+{
+ return FALSE;
+}
diff --git a/MdePkg/Library/BasePeCoffLib/PeCoffLoaderEx.c b/MdePkg/Library/BasePeCoffLib/PeCoffLoaderEx.c
index f7cade4d7d4e..43f346e0aadb 100644
--- a/MdePkg/Library/BasePeCoffLib/PeCoffLoaderEx.c
+++ b/MdePkg/Library/BasePeCoffLib/PeCoffLoaderEx.c
@@ -80,3 +80,19 @@ PeHotRelocateImageEx (
{
return RETURN_UNSUPPORTED;
}
+
+/**
+ Returns whether the image implements forward control flow guards.
+
+ @param ImageContext The context of the image being loaded.
+
+ @return TRUE if the image implements forward control flow guards
+
+**/
+BOOLEAN
+PeCoffLoaderCheckForwardControlFlowGuards (
+ IN CONST PE_COFF_LOADER_IMAGE_CONTEXT *ImageContext,
+ )
+{
+ return FALSE;
+}
diff --git a/MdePkg/Library/BasePeCoffLib/RiscV/PeCoffLoaderEx.c b/MdePkg/Library/BasePeCoffLib/RiscV/PeCoffLoaderEx.c
index 71daf7fe4554..88dc9bd9b89e 100644
--- a/MdePkg/Library/BasePeCoffLib/RiscV/PeCoffLoaderEx.c
+++ b/MdePkg/Library/BasePeCoffLib/RiscV/PeCoffLoaderEx.c
@@ -143,3 +143,19 @@ PeHotRelocateImageEx (
{
return RETURN_UNSUPPORTED;
}
+
+/**
+ Returns whether the image implements forward control flow guards.
+
+ @param ImageContext The context of the image being loaded.
+
+ @return TRUE if the image implements forward control flow guards
+
+**/
+BOOLEAN
+PeCoffLoaderCheckForwardControlFlowGuards (
+ IN CONST PE_COFF_LOADER_IMAGE_CONTEXT *ImageContext,
+ )
+{
+ return FALSE;
+}
--
2.39.1
Thread overview: 11+ messages
2023-02-03 12:10 [RFC PATCH v2 0/7] enable IBT/BTI codegen and reporting to the OS Ard Biesheuvel
2023-02-03 12:10 ` [RFC PATCH v2 1/7] MdePkg: Update MemoryAttributesTable to v2.10 Ard Biesheuvel
2023-02-03 12:10 ` [RFC PATCH v2 2/7] MdePkg/BasePeCoffLib: Move RISC-V definitions out of generic header Ard Biesheuvel
2023-02-03 12:10 ` [RFC PATCH v2 3/7] MdePkg/BasePeCoffLib: Clean up stale Itanium references in comments Ard Biesheuvel
2023-02-03 12:10 ` Ard Biesheuvel [this message]
2023-02-03 12:10 ` [RFC PATCH v2 5/7] MdePkg/BasePeCoffLib AARCH64: Implement fwd control flow guard detection Ard Biesheuvel
2023-02-03 12:10 ` [RFC PATCH v2 6/7] MdeModulePkg: Enable forward edge CFI in mem attributes table Ard Biesheuvel
2023-02-03 12:10 ` [RFC PATCH v2 7/7] ArmVirtPkg: Implement BTI for runtime regions Ard Biesheuvel
2023-02-03 12:33 ` [edk2-devel] " Michael Brown
2023-02-03 12:55 ` Ard Biesheuvel
2023-02-03 12:58 ` Michael Brown