From: "Ard Biesheuvel"
To: devel@edk2.groups.io
Cc: Ard Biesheuvel, Michael Kinney, Liming Gao, Jiewen Yao, Michael Kubacki, Sean Brogan, Rebecca Cran, Leif Lindholm, Sami Mujawar, Taylor Beebe, Matthew Garrett, Peter Jones, Kees Cook
Subject: [RFC 06/13] MdeModulePkg/DxeCore: Reduce range of W+X remaps at EBS time
Date: Mon, 13 Feb 2023 16:18:03 +0100
Message-Id: <20230213151810.2301480-7-ardb@kernel.org>
X-Mailer: git-send-email 2.39.1
In-Reply-To: <20230213151810.2301480-1-ardb@kernel.org>
References: <20230213151810.2301480-1-ardb@kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Instead of remapping all DXE runtime drivers with read-write-execute permissions entirely when ExitBootServices() is called, remap only the parts of those images that require writable access for applying relocation fixups at SetVirtualAddressMap() time.

As illustrated below, this greatly reduces the footprint of those regions, which is important for safe execution. And given that the most important ISAs and toolchains split executable code from relocatable quantities, the remapped pages in question are generally not the ones that contain code as well.

On an ArmVirtQemu build, the footprint of those RWX pages is shown below.

As future work, we might investigate whether we can find a way to guarantee in general that images are built in a way where executable code and relocatable data never share a 4 KiB page, in which case we could apply EFI_MEMORY_XP permissions here instead of allowing RWX.
Before:
SetUefiImageMemoryAttributes - 0x0000000047600000 - 0x0000000000050000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x0000000044290000 - 0x0000000000050000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x0000000044230000 - 0x0000000000050000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x00000000441D0000 - 0x0000000000050000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x00000000440D0000 - 0x0000000000050000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x0000000043F90000 - 0x0000000000040000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x0000000043F40000 - 0x0000000000040000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x0000000043EF0000 - 0x0000000000040000 (0x0000000000000008)

After:
SetUefiImageMemoryAttributes - 0x0000000047630000 - 0x0000000000001000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x00000000442C0000 - 0x0000000000001000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x0000000044260000 - 0x0000000000001000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x0000000044200000 - 0x0000000000001000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x0000000044100000 - 0x0000000000001000 (0x0000000000000008)

Signed-off-by: Ard Biesheuvel
---
 MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c b/MdeModulePkg/C= ore/Dxe/Misc/MemoryProtection.c index 5a82eee80781..854651556de4 100644 --- a/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c +++ b/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c @@ -1060,6 +1060,8 @@ MemoryProtectionExitBootServicesCallback ( {=0D EFI_RUNTIME_IMAGE_ENTRY *RuntimeImage;=0D LIST_ENTRY *Link;=0D + PHYSICAL_ADDRESS RelocationRangeStart;=0D + PHYSICAL_ADDRESS RelocationRangeEnd;=0D =0D //=0D // We need remove the RT protection, because RT relocation need write co= de segment=0D 
@@ -1073,7 +1075,22 @@ MemoryProtectionExitBootServicesCallback ( if (mImageProtectionPolicy !=3D 0) {=0D for (Link =3D gRuntime->ImageHead.ForwardLink; Link !=3D &gRuntime->Im= ageHead; Link =3D Link->ForwardLink) {=0D RuntimeImage =3D BASE_CR (Link, EFI_RUNTIME_IMAGE_ENTRY, Link);=0D - SetUefiImageMemoryAttributes ((UINT64)(UINTN)RuntimeImage->ImageBase= , ALIGN_VALUE (RuntimeImage->ImageSize, EFI_PAGE_SIZE), 0);=0D +=0D + PeCoffLoaderGetRelocationRange (=0D + (PHYSICAL_ADDRESS)(UINTN)RuntimeImage->ImageBase,=0D + ALIGN_VALUE (RuntimeImage->ImageSize, EFI_PAGE_SIZE),=0D + RuntimeImage->RelocationData,=0D + &RelocationRangeStart,=0D + &RelocationRangeEnd=0D + );=0D +=0D + if (RelocationRangeEnd > RelocationRangeStart) {=0D + SetUefiImageMemoryAttributes (=0D + RelocationRangeStart,=0D + (UINTN)(RelocationRangeEnd - RelocationRangeStart),=0D + 0=0D + );=0D + }=0D }=0D }=0D }=0D --=20 2.39.1
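Review bot: the comment carried in the context lines of the first hunk (@@ -1060), "We need remove the RT protection, because RT relocation need write code segment", is now stale: after this change only the pages covering the relocation targets are remapped, and the commit message itself notes that those are generally not the code pages. Suggest rewording it to say that the range holding the relocation fixups must be writable when SetVirtualAddressMap() applies them, and fixing the grammar while there.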
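Review bot: in the second hunk (@@ -1073) RelocationRangeStart and RelocationRangeEnd are declared without an initial value and the outcome of PeCoffLoaderGetRelocationRange () is not checked, so if that helper can return early without writing both outputs (for instance when RuntimeImage->RelocationData is NULL or the image carries no relocations), the test "if (RelocationRangeEnd > RelocationRangeStart)" compares indeterminate values and could remap an arbitrary range with attribute 0, i.e. RWX. Suggest initialising both locals to 0 before the call, or checking the helper's status if it returns one, so that an image with no fixups is skipped deterministically. A one-line comment that 0 means RWX here, and that the empty-range case intentionally leaves the image fully protected, would also help the next reader.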
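To make the footprint reduction and the "code and relocatable data never share a 4 KiB page" condition from the commit message concrete, here is an added worked example in C. It is not edk2 code and does not use the patch's PeCoffLoaderGetRelocationRange (), which parses real PE/COFF .reloc blocks; instead it uses a constructed ImageModel that flattens an image's relocations to a list of fixup RVAs, a hypothetical PlanRemap () that computes the page-granular range the ExitBootServices callback would have to make writable, and a check for whether that range shares a page with the executable section (in which case RWX is unavoidable, otherwise RW plus EFI_MEMORY_XP would suffice). The sample image base and size are taken from the first "Before" log line; the fixup offsets and section bounds are constructed, and the 8-byte fixup width is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define EFI_PAGE_SIZE       4096ULL
#define PAGE_ALIGN_DOWN(x)  ((x) & ~(EFI_PAGE_SIZE - 1))
#define PAGE_ALIGN_UP(x)    (((x) + EFI_PAGE_SIZE - 1) & ~(EFI_PAGE_SIZE - 1))
#define FIXUP_WIDTH         8ULL   /* assumed width of one 64-bit (DIR64) fixup */

/* Constructed, simplified model of a loaded runtime image. Real PE/COFF .reloc
 * data is organised in per-page blocks; here it is flattened to fixup RVAs. */
typedef struct {
  uint64_t        ImageBase;
  uint64_t        ImageSize;   /* page aligned, like ALIGN_VALUE (ImageSize, EFI_PAGE_SIZE) */
  const uint32_t *FixupRvas;   /* image-relative offsets of relocation targets */
  size_t          FixupCount;
  uint64_t        CodeStart;   /* RVA range of the executable section */
  uint64_t        CodeEnd;
} ImageModel;

typedef struct {
  uint64_t Start;       /* page-aligned start of the range to make writable */
  uint64_t End;         /* exclusive end; Start == End means nothing to remap */
  bool     NeedsRwx;    /* true if a page in the range also holds code */
  uint64_t PagesSaved;  /* pages that stay protected versus remapping the whole image */
} RemapPlan;

/* Smallest page-granular [Start, End) covering every fixup target.
 * Returns false, with Start == End == 0, when the image has no relocations. */
static bool GetRelocationRange(const ImageModel *Img, uint64_t *Start, uint64_t *End) {
  uint64_t Lo = UINT64_MAX, Hi = 0;
  *Start = *End = 0;
  if (Img->FixupCount == 0) {
    return false;
  }
  for (size_t i = 0; i < Img->FixupCount; i++) {
    uint64_t Addr = Img->ImageBase + Img->FixupRvas[i];
    if (Addr < Lo) Lo = Addr;
    if (Addr + FIXUP_WIDTH > Hi) Hi = Addr + FIXUP_WIDTH;
  }
  *Start = PAGE_ALIGN_DOWN(Lo);
  *End   = PAGE_ALIGN_UP(Hi);
  return true;
}

/* Hypothetical planner: what would be remapped at ExitBootServices() time for
 * this image, and whether the range could get EFI_MEMORY_XP instead of RWX. */
RemapPlan PlanRemap(const ImageModel *Img) {
  RemapPlan P = {0};
  if (!GetRelocationRange(Img, &P.Start, &P.End)) {
    /* No fixups: the whole image keeps its protections. */
    P.PagesSaved = PAGE_ALIGN_UP(Img->ImageSize) / EFI_PAGE_SIZE;
    return P;
  }
  uint64_t CodeLo = PAGE_ALIGN_DOWN(Img->ImageBase + Img->CodeStart);
  uint64_t CodeHi = PAGE_ALIGN_UP(Img->ImageBase + Img->CodeEnd);
  /* Page-level overlap between the writable range and the code section. */
  P.NeedsRwx   = (P.Start < CodeHi) && (P.End > CodeLo);
  P.PagesSaved = (PAGE_ALIGN_UP(Img->ImageSize) - (P.End - P.Start)) / EFI_PAGE_SIZE;
  return P;
}

/* Constructed sample: base and size from the first "Before" log line, three
 * fixups in a data page at RVA 0x30000, code well below that page. */
static const uint32_t kFixups[] = { 0x30008, 0x30010, 0x30400 };
const ImageModel kSampleImage     = { 0x47600000ULL, 0x50000ULL, kFixups, 3, 0x1000, 0x2F000 };
/* Same image, but the code section extends into the page holding the fixups. */
const ImageModel kSharedPageImage = { 0x47600000ULL, 0x50000ULL, kFixups, 3, 0x1000, 0x30800 };
/* Same image with no relocations at all. */
const ImageModel kNoRelocImage    = { 0x47600000ULL, 0x50000ULL, kFixups, 0, 0x1000, 0x2F000 };

int main(void) {
  const ImageModel *Images[] = { &kSampleImage, &kSharedPageImage, &kNoRelocImage };
  for (size_t i = 0; i < sizeof Images / sizeof Images[0]; i++) {
    RemapPlan P = PlanRemap(Images[i]);
    printf("image %zu: remap 0x%llx - 0x%llx (%s), %llu pages stay protected\n", i,
           (unsigned long long)P.Start, (unsigned long long)(P.End - P.Start),
           P.NeedsRwx ? "RWX required" : "RW + XP would suffice",
           (unsigned long long)P.PagesSaved);
  }
  return 0;
}
```

For the sample image the planner yields the range 0x47630000 with length 0x1000, the same shape as the "After" log lines, and reports that 79 of the image's 80 pages never lose their protections; the second model shows the case the future-work paragraph is about, where the fixup page also holds code and RWX cannot be avoided.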