From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by mx.groups.io with SMTP id smtpd.web10.16812.1676301525629520842 for ; Mon, 13 Feb 2023 07:18:46 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=H/G1yxwS; spf=pass (domain: kernel.org, ip: 145.40.68.75, mailfrom: ardb@kernel.org) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 18BB2B8125E; Mon, 13 Feb 2023 15:18:44 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 39F1EC433D2; Mon, 13 Feb 2023 15:18:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1676301522; bh=T6VPKZaHtPezwjaVkiqNAXnq7FgeqnA+YL6/XKHFU04=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=H/G1yxwStjaPP/fkW3ZFNtgpPgGpJbqiIw7/LbKhf+f1W44D2RdKBB0jeTCuP4pQz IOmbsd7PatsVw+4MdeP4GBPjiXCHfU3JT8bKaj3RO3ZZLCH5pEMDOuryY74NkP7QR1 kQu48aAWiq8293w/B+55CaReDosuxWxMJVKeIKguOkpe1FiVh+JOLtuDRUDNG87btD MDjXlAjp2RjDrhIAJPf1D9bMHpflBMgq0VQcncx3tHhx+Z9cVPgX2rY7Ne0IWsNpKR XY6UB859vR5GEiRzamJJ9aQez/N/ShNe3HZsk5n3N21FLUaiCdte89dEdwOotnOhco 8MyXS3BkorP5Q== From: "Ard Biesheuvel" To: devel@edk2.groups.io Cc: Ard Biesheuvel , Michael Kinney , Liming Gao , Jiewen Yao , Michael Kubacki , Sean Brogan , Rebecca Cran , Leif Lindholm , Sami Mujawar , Taylor Beebe , Matthew Garrett , Peter Jones , Kees Cook Subject: [RFC 05/13] MdeModulePkg/DxeIpl AARCH64: Remap DXE core code section before launch Date: Mon, 13 Feb 2023 16:18:02 +0100 Message-Id: <20230213151810.2301480-6-ardb@kernel.org> X-Mailer: git-send-email 2.39.1 In-Reply-To: <20230213151810.2301480-1-ardb@kernel.org> References: <20230213151810.2301480-1-ardb@kernel.org> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable To permit the platform to adopt a stricter policy when it comes to memory protections, and map all memory XP by default, add the necessary handling to the DXE IPL PEIM to ensure that the DXE core code section is mapped executable before invoking the DXE core. It is up to the DXE core itself to manage the executable permissions on other DXE and UEFI drivers and applications that it dispatches. Note that this requires that the DXE IPL executes non-shadowed from a FV that is mapped executable. Signed-off-by: Ard Biesheuvel --- MdeModulePkg/Core/DxeIplPeim/Arm/DxeLoadFunc.c | 69 ++++++++++++++++++++ MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf | 1 + 2 files changed, 70 insertions(+) diff --git a/MdeModulePkg/Core/DxeIplPeim/Arm/DxeLoadFunc.c b/MdeModulePkg/= Core/DxeIplPeim/Arm/DxeLoadFunc.c index f62b6dcb38a7..21eac2851554 100644 --- a/MdeModulePkg/Core/DxeIplPeim/Arm/DxeLoadFunc.c +++ b/MdeModulePkg/Core/DxeIplPeim/Arm/DxeLoadFunc.c @@ -11,6 +11,69 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include "DxeIpl.h"=0D =0D #include =0D +#include =0D +=0D +STATIC=0D +VOID=0D +RemapDxeCoreCodeReadOnly (=0D + IN EFI_PHYSICAL_ADDRESS DxeCoreEntryPoint,=0D + IN EFI_PEI_HOB_POINTERS HobList=0D + )=0D +{=0D + EFI_PEI_HOB_POINTERS Hob;=0D + EFI_HOB_MEMORY_ALLOCATION *ModuleHob;=0D + PE_COFF_LOADER_IMAGE_CONTEXT ImageContext;=0D + RETURN_STATUS Status;=0D + EFI_IMAGE_OPTIONAL_HEADER_PTR_UNION Hdr;=0D + EFI_IMAGE_SECTION_HEADER *Section;=0D + UINTN Index;=0D +=0D + ImageContext.ImageRead =3D PeCoffLoaderImageReadFromMemory;=0D + ImageContext.Handle =3D NULL;=0D +=0D + //=0D + // Find the module HOB for the DXE core=0D + //=0D + for (Hob.Raw =3D HobList.Raw; !END_OF_HOB_LIST (Hob); Hob.Raw =3D GET_NE= XT_HOB (Hob)) {=0D + if (GET_HOB_TYPE (Hob) =3D=3D EFI_HOB_TYPE_MEMORY_ALLOCATION) {=0D + ModuleHob =3D Hob.MemoryAllocation;=0D + if ((ModuleHob->AllocDescriptor.MemoryBaseAddress <=3D DxeCoreEntryP= oint &&=0D + ((ModuleHob->AllocDescriptor.MemoryBaseAddress + ModuleHob->Allo= cDescriptor.MemoryLength) > DxeCoreEntryPoint)))=0D + {=0D + ImageContext.Handle =3D (VOID *)(UINTN)ModuleHob->AllocDescriptor.= MemoryBaseAddress;=0D + break;=0D + }=0D + }=0D + }=0D +=0D + ASSERT (ImageContext.Handle !=3D NULL);=0D +=0D + Status =3D PeCoffLoaderGetImageInfo (&ImageContext);=0D + ASSERT_RETURN_ERROR (Status);=0D +=0D + Hdr.Union =3D (EFI_IMAGE_OPTIONAL_HEADER_UNION *)((UINT8 *)ImageContext.= Handle +=0D + ImageContext.PeCoffHeade= rOffset);=0D + ASSERT (Hdr.Pe32->Signature =3D=3D EFI_IMAGE_NT_SIGNATURE);=0D +=0D + Section =3D (EFI_IMAGE_SECTION_HEADER *)((UINT8 *)Hdr.Union + sizeof (UI= NT32) +=0D + sizeof (EFI_IMAGE_FILE_HEADER) += =0D + Hdr.Pe32->FileHeader.SizeOfOption= alHeader=0D + );=0D +=0D + for (Index =3D 0; Index < Hdr.Pe32->FileHeader.NumberOfSections; Index++= ) {=0D + if ((Section[Index].Characteristics & EFI_IMAGE_SCN_CNT_CODE) !=3D 0) = {=0D + ArmSetMemoryRegionReadOnly (=0D + (UINTN)((UINT8 *)ImageContext.Handle + Section[Index].VirtualAdd= ress),=0D + Section[Index].Misc.VirtualSize=0D + );=0D +=0D + ArmClearMemoryRegionNoExec (=0D + (UINTN)((UINT8 *)ImageContext.Handle + Section[Index].VirtualAdd= ress),=0D + Section[Index].Misc.VirtualSize=0D + );=0D + }=0D + }=0D +}=0D =0D /**=0D Transfers control to DxeCore.=0D @@ -33,6 +96,12 @@ HandOffToDxeCore ( VOID *TopOfStack;=0D EFI_STATUS Status;=0D =0D + //=0D + // DRAM may be mapped with non-executable permissions by default, so=0D + // we'll need to map the DXE core code region executable explicitly.=0D + //=0D + RemapDxeCoreCodeReadOnly (DxeCoreEntryPoint, HobList);=0D +=0D //=0D // Allocate 128KB for the Stack=0D //=0D diff --git a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf b/MdeModulePkg/Core/Dx= eIplPeim/DxeIpl.inf index 62821477d012..d85ca79dc0c3 100644 --- a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf +++ b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf @@ -82,6 +82,7 @@ [LibraryClasses] =0D [LibraryClasses.ARM, LibraryClasses.AARCH64]=0D ArmMmuLib=0D + PeCoffLib=0D =0D [Ppis]=0D gEfiDxeIplPpiGuid ## PRODUCES=0D --=20 2.39.1