From: Ard Biesheuvel
To: devel@edk2.groups.io
Cc: Ard Biesheuvel, Michael Kinney, Liming Gao, Jiewen Yao, Michael Kubacki, Sean Brogan, Rebecca Cran, Leif Lindholm, Sami Mujawar, Taylor Beebe
Subject: [PATCH v5 00/38] Implement strict memory permissions throughout
Date: Mon, 13 Mar 2023 18:16:36 +0100
Message-Id: <20230313171714.3866151-1-ardb@kernel.org>

Link: https://bugzilla.tianocore.org/show_bug.cgi?id=4369

This v5 now covers a lot more ground, and has ballooned quite
substantially as a result. The series is essentially a proof of concept
of a way to implement rigorous W^X memory protections from SEC all the
way to booting the OS.

In particular:
- the AArch64 WXN control is enabled so that NX is implied for all
  writable memory regions, which is rather helpful when testing changes
  such as these;
- avoid PEIM shadowing where possible, as that would involve managing
  the executable permissions of the shadowed code
- remap the DXE core code section read-only explicitly from IPL
- equip the DXE core with a way to manage memory permissions before the
  CPU arch protocol driver is dispatched;
- permit the NX memory protection policy to apply to code memory type
  regions as well
- check the NX compat DLL flag and section alignment to decide whether
  an image can be loaded when the NX policy is applied to such a code
  region
- implement the EFI memory attributes protocol (for ARM and AArch64
  only) so that such NX compat compliant images have a way to create
  executable mappings

v4:
- major cleanup of the 32-bit ARM code
- add support for EFI_MEMORY_RP using the access flag
- enable stack guard in ArmVirtPkg (which uses EFI_MEMORY_RP)
- incorporate optimization from other series [0] to avoid splitting
  block entries unnecessarily

v3:
- fix ARM32 bug in attribute conversion
- add Liming's ack to patch #1
- include draft patch (NOT FOR MERGE) used to test the changes

v2:
- drop patch to bump exposed UEFI revision to v2.10
- add missing permitted return values to protocol definition

[0] https://edk2.groups.io/g/devel/message/99801

Cc: Michael Kinney
Cc: Liming Gao
Cc: Jiewen Yao
Cc: Michael Kubacki
Cc: Sean Brogan
Cc: Rebecca Cran
Cc: Leif Lindholm
Cc: Sami Mujawar
Cc: Taylor Beebe

Ard Biesheuvel (38):
  ArmPkg/ArmMmuLib ARM: Remove half baked large page support
  ArmPkg/ArmMmuLib ARM: Split off XN page descriptor bit from type field
  ArmPkg/CpuDxe ARM: Fix page-to-section attribute conversion
  ArmPkg/ArmMmuLib ARM: Isolate the access flag from AP mask
  ArmPkg/ArmMmuLib ARM: Clear individual permission bits
  ArmPkg/ArmMmuLib: Implement EFI_MEMORY_RP using access flag
  ArmVirtPkg: Enable stack guard
  ArmPkg/ArmMmuLib: Avoid splitting block entries if possible
  ArmPkg/CpuDxe: Expose unified region-to-EFI attribute conversion
  MdePkg: Add Memory Attribute Protocol definition
  ArmPkg/CpuDxe: Implement EFI memory attributes protocol
  ArmPkg/CpuDxe: Perform preliminary NX remap of free memory
  MdeModulePkg/DxeCore: Unconditionally set memory protections
  ArmPkg/Mmu: Remove handling of NONSECURE memory regions
  ArmPkg/ArmMmuLib: Introduce region types for RO/XP WB cached memory
  MdePkg/BasePeCoffLib: Add API to keep track of relocation range
  MdeModulePkg/DxeIpl: Avoid shadowing IPL PEIM by default
  MdeModulePkg/DxeIpl AARCH64: Remap DXE core code section before launch
  MdeModulePkg/DxeCore: Reduce range of W+X remaps at EBS time
  MdeModulePkg/DxeCore: Permit preliminary CPU arch fallback
  ArmPkg: Implement ArmSetMemoryOverrideLib
  MdeModulePkg/PcdPeim: Permit unshadowed execution
  EmbeddedPkg/PrePiLib AARCH64: Remap DXE core before execution
  ArmVirtPkg/ArmVirtQemu: Use XP memory mappings by default
  ArmVirtPkg/ArmVirtQemu: Use PEI flavor of ArmMmuLib for all PEIMs
  ArmVirtPkg/ArmVirtQemu: Use read-only memory region type for code flash
  BaseTools/GccBase AARCH64: Avoid page sharing between code and data
  ArmVirtPkg/ArmVirtQemu: Enable hardware enforced W^X memory permissions
  MdePkg/PeCoffLib: Capture DLL characteristics field in image context
  MdePkg/IndustryStandard: PeImage.h: Import DLL characteristics
  MdeModulePkg/DxeCore: Remove redundant DEBUG statements
  MdeModulePkg/DxeCore: Update memory protections before freeing a region
  MdeModulePkg/DxeCore: Disregard runtime alignment for image protection
  MdeModulePkg/DxeCore: Deal with failure in UefiProtectImage()
  MdeModulePkg/DxeCore: Clear NX permissions on non-protected images
  MdeModulePkg/DxeCore: Permit NX protection for code regions
  MdeModulePkg/DxeCore: Check NX compat when using restricted code regions
  MdeModulePkg DEC: Remove inaccurate comment

 ArmPkg/ArmPkg.dec                                                  |   5 +
 ArmPkg/ArmPkg.dsc                                                  |   1 +
 ArmPkg/Drivers/CpuDxe/AArch64/Mmu.c                                |  25 +-
 ArmPkg/Drivers/CpuDxe/Arm/Mmu.c                                    |  96 +++++--
 ArmPkg/Drivers/CpuDxe/CpuDxe.c                                     |  87 ++++++
 ArmPkg/Drivers/CpuDxe/CpuDxe.h                                     |  17 ++
 ArmPkg/Drivers/CpuDxe/CpuDxe.inf                                   |   5 +
 ArmPkg/Drivers/CpuDxe/MemoryAttribute.c                            | 271 ++++++++++++++++++
 ArmPkg/Include/Chipset/ArmV7Mmu.h                                  | 131 ++++-----
 ArmPkg/Include/Library/ArmLib.h                                    |  17 +-
 ArmPkg/Include/Library/ArmMmuLib.h                                 |  34 +++
 ArmPkg/Library/ArmLib/Arm/ArmV7Support.S                           |   2 +
 ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c                   | 103 ++++++-
 ArmPkg/Library/ArmMmuLib/Arm/ArmMmuLibConvert.c                    |   8 +-
 ArmPkg/Library/ArmMmuLib/Arm/ArmMmuLibCore.c                       |  51 ++--
 ArmPkg/Library/ArmMmuLib/Arm/ArmMmuLibUpdate.c                     | 173 ++++++++++--
 ArmPkg/Library/ArmSetMemoryOverrideLib/ArmSetMemoryOverrideLib.c   |  78 ++++++
 ArmPkg/Library/ArmSetMemoryOverrideLib/ArmSetMemoryOverrideLib.inf |  28 ++
 ArmVirtPkg/ArmVirt.dsc.inc                                         |   3 +
 ArmVirtPkg/ArmVirtQemu.dsc                                         |  11 +-
 ArmVirtPkg/ArmVirtQemuKernel.dsc                                   |   1 +
 ArmVirtPkg/Library/ArmPlatformLibQemu/AArch64/ArmPlatformHelper.S  |   2 +-
 ArmVirtPkg/Library/QemuVirtMemInfoLib/QemuVirtMemInfoLib.c         |   4 +-
 BaseTools/Scripts/GccBase.lds                                      |  13 +-
 EmbeddedPkg/Include/Library/PrePiLib.h                             |  16 --
 EmbeddedPkg/Library/PrePiLib/Arm/RemapDxeCore.c                    |  51 ++++
 EmbeddedPkg/Library/PrePiLib/PrePi.h                               |  13 +
 EmbeddedPkg/Library/PrePiLib/PrePiLib.c                            |   4 +
 EmbeddedPkg/Library/PrePiLib/PrePiLib.inf                          |  12 +
 EmbeddedPkg/Library/PrePiLib/X86/RemapDxeCore.c                    |  23 ++
 MdeModulePkg/Core/Dxe/DxeMain.h                                    |   6 +-
 MdeModulePkg/Core/Dxe/Image/Image.c                                |   8 +-
 MdeModulePkg/Core/Dxe/Mem/Page.c                                   |  15 +-
 MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c                      | 288 +++++++++++---------
 MdeModulePkg/Core/DxeIplPeim/Arm/DxeLoadFunc.c                     |  73 +++++
 MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf                            |   6 +-
 MdeModulePkg/Core/DxeIplPeim/DxeLoad.c                             |  24 +-
 MdeModulePkg/MdeModulePkg.dec                                      |   7 +-
 MdeModulePkg/Universal/PCD/Pei/Pcd.c                               | 112 ++++----
 MdeModulePkg/Universal/PCD/Pei/Pcd.inf                             |   1 +
 MdePkg/Include/IndustryStandard/PeImage.h                          |  15 +
 MdePkg/Include/Library/PeCoffLib.h                                 |  27 ++
 MdePkg/Include/Protocol/MemoryAttribute.h                          | 142 ++++++++++
 MdePkg/Library/BasePeCoffLib/BasePeCoff.c                          | 105 ++++++-
 MdePkg/MdePkg.dec                                                  |   3 +
 45 files changed, 1682 insertions(+), 435 deletions(-)
 create mode 100644 ArmPkg/Drivers/CpuDxe/MemoryAttribute.c
 create mode 100644 ArmPkg/Library/ArmSetMemoryOverrideLib/ArmSetMemoryOverrideLib.c
 create mode 100644 ArmPkg/Library/ArmSetMemoryOverrideLib/ArmSetMemoryOverrideLib.inf
 create mode 100644 EmbeddedPkg/Library/PrePiLib/Arm/RemapDxeCore.c
 create mode 100644 EmbeddedPkg/Library/PrePiLib/X86/RemapDxeCore.c
 create mode 100644 MdePkg/Include/Protocol/MemoryAttribute.h

-- 
2.39.2
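The cover letter names two checks that decide whether strict permissions can hold: a memory attribute request must never leave a region both writable and executable, and an image is only allowed into a non-executable code region if it sets the NX compat DLL characteristic and aligns its sections to pages. The following is an added example written for this page, not code from the edk2 series or the edk2 API: it implements both checks as host-side C against a constructed minimal PE32+ header so they can be compiled and run without a firmware build. The EFI_MEMORY_RP/XP/RO bit values and IMAGE_DLLCHARACTERISTICS_NX_COMPAT come from the UEFI and PE/COFF specifications; the function names, the PE_NX_INFO struct and the header-building fixture are this example's own.

```c
/*
 * Added example (not from the edk2 patch series above).
 *  1. W^X on UEFI memory attribute bits: a region left writable (EFI_MEMORY_RO
 *     and EFI_MEMORY_RP clear) must carry EFI_MEMORY_XP, and vice versa.
 *  2. NX-compat gating of a PE/COFF image: IMAGE_DLLCHARACTERISTICS_NX_COMPAT
 *     must be set and SectionAlignment must be a multiple of the page size,
 *     otherwise code and data may share a page and each section cannot get
 *     its own R+X or RW mapping.
 * Names below (PeReadNxInfo, ImageLoadableUnderNxPolicy, PE_NX_INFO, the
 * constructed header builder) are this example's own, not the edk2 API.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* UEFI memory attribute bits (UEFI specification values) */
#define EFI_MEMORY_RP 0x0000000000002000ULL /* read-protected */
#define EFI_MEMORY_XP 0x0000000000004000ULL /* execute-protected */
#define EFI_MEMORY_RO 0x0000000000020000ULL /* read-only (write-protected) */

/* PE/COFF constants (Microsoft PE/COFF specification values) */
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT 0x0100
#define IMAGE_DOS_SIGNATURE 0x5A4D     /* "MZ" */
#define IMAGE_NT_SIGNATURE  0x00004550 /* "PE\0\0" */
#define PE32_MAGIC          0x10B
#define PE32PLUS_MAGIC      0x20B
#define COFF_FILE_HEADER_SIZE       20
#define OPT_SECTION_ALIGNMENT_OFF   32 /* same offset in PE32 and PE32+ */
#define OPT_DLL_CHARACTERISTICS_OFF 70 /* same offset in PE32 and PE32+ */
#define OPT_HEADER_NEEDED           72 /* bytes needed through DllCharacteristics */

/* Little-endian accessors so the parser does not depend on host alignment */
static uint16_t Rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t Rd32(const uint8_t *p) {
  return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void Wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void Wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* A request is W^X compliant unless it leaves a region both writable and executable. */
bool AttributesAreWxn(uint64_t Attributes)
{
  bool Writable   = (Attributes & (EFI_MEMORY_RO | EFI_MEMORY_RP)) == 0;
  bool Executable = (Attributes & EFI_MEMORY_XP) == 0;
  return !(Writable && Executable);
}

typedef struct {
  bool     NxCompat;         /* IMAGE_DLLCHARACTERISTICS_NX_COMPAT present */
  uint32_t SectionAlignment; /* optional header SectionAlignment */
} PE_NX_INFO;

/* Read just the two header fields the NX policy needs; every offset is
   bounds-checked against Size before it is dereferenced. */
bool PeReadNxInfo(const uint8_t *Image, size_t Size, PE_NX_INFO *Info)
{
  memset(Info, 0, sizeof *Info);
  if (Size < 0x40 || Rd16(Image) != IMAGE_DOS_SIGNATURE) return false;
  uint32_t PeOff = Rd32(Image + 0x3C); /* e_lfanew */
  if (PeOff > Size || Size - PeOff < 4 + COFF_FILE_HEADER_SIZE + OPT_HEADER_NEEDED) return false;
  if (Rd32(Image + PeOff) != IMAGE_NT_SIGNATURE) return false;
  const uint8_t *Opt = Image + PeOff + 4 + COFF_FILE_HEADER_SIZE;
  uint16_t Magic = Rd16(Opt);
  if (Magic != PE32_MAGIC && Magic != PE32PLUS_MAGIC) return false;
  Info->SectionAlignment = Rd32(Opt + OPT_SECTION_ALIGNMENT_OFF);
  Info->NxCompat = (Rd16(Opt + OPT_DLL_CHARACTERISTICS_OFF) & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) != 0;
  return true;
}

/* May this image be loaded into a code region that is non-executable by default? */
bool ImageLoadableUnderNxPolicy(const uint8_t *Image, size_t Size, uint32_t PageSize)
{
  PE_NX_INFO Info;
  if (PageSize == 0 || !PeReadNxInfo(Image, Size, &Info)) return false;
  return Info.NxCompat && Info.SectionAlignment != 0 && (Info.SectionAlignment % PageSize) == 0;
}

/* Constructed fixture: a minimal PE32+ header (no sections, not a loadable image)
   carrying the given SectionAlignment and DllCharacteristics. Returns bytes written. */
size_t BuildConstructedHeader(uint8_t *Buf, size_t Cap, uint32_t SectionAlignment, uint16_t DllCharacteristics)
{
  const uint32_t PeOff = 0x40;
  size_t Len = PeOff + 4 + COFF_FILE_HEADER_SIZE + OPT_HEADER_NEEDED;
  if (Cap < Len) return 0;
  memset(Buf, 0, Len);
  Wr16(Buf, IMAGE_DOS_SIGNATURE);
  Wr32(Buf + 0x3C, PeOff);
  Wr32(Buf + PeOff, IMAGE_NT_SIGNATURE);
  uint8_t *Opt = Buf + PeOff + 4 + COFF_FILE_HEADER_SIZE;
  Wr16(Opt, PE32PLUS_MAGIC);
  Wr32(Opt + OPT_SECTION_ALIGNMENT_OFF, SectionAlignment);
  Wr16(Opt + OPT_DLL_CHARACTERISTICS_OFF, DllCharacteristics);
  return Len;
}

/* Build a constructed header and run the policy check on it. */
bool CheckConstructedImage(uint32_t SectionAlignment, uint16_t DllCharacteristics, uint32_t PageSize)
{
  uint8_t Buf[256];
  size_t Len = BuildConstructedHeader(Buf, sizeof Buf, SectionAlignment, DllCharacteristics);
  return ImageLoadableUnderNxPolicy(Buf, Len, PageSize);
}

int main(void)
{
  printf("RW+X request passes W^X:  %d\n", AttributesAreWxn(0));
  printf("RW+XP request passes W^X: %d\n", AttributesAreWxn(EFI_MEMORY_XP));
  printf("NX_COMPAT, 4K aligned:    %d\n", CheckConstructedImage(0x1000, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, 0x1000));
  printf("NX_COMPAT, 32B aligned:   %d\n", CheckConstructedImage(0x20, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, 0x1000));
  printf("no NX_COMPAT, 4K aligned: %d\n", CheckConstructedImage(0x1000, 0, 0x1000));
  return 0;
}
```

Both checks are deliberately conservative: a header that cannot be parsed within its declared size is rejected rather than assumed compatible, and an image whose SectionAlignment is smaller than the page size fails even when it declares NX compatibility, because a page shared by code and data cannot be mapped as either R+X or RW without violating W^X.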