From: "Ard Biesheuvel"
To: devel@edk2.groups.io
Cc: Ard Biesheuvel, Michael Kinney, Liming Gao, Jiewen Yao, Michael Kubacki, Sean Brogan, Rebecca Cran, Leif Lindholm, Sami Mujawar, Taylor Beebe
Subject: [PATCH v5 18/38] MdeModulePkg/DxeIpl AARCH64: Remap DXE core code section before launch
Date: Mon, 13 Mar 2023 18:16:54 +0100
Message-Id: <20230313171714.3866151-19-ardb@kernel.org>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20230313171714.3866151-1-ardb@kernel.org>
References: <20230313171714.3866151-1-ardb@kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

To permit the platform to adopt a stricter policy when it comes to
memory protections, and map all memory XP by default, add the necessary
handling to the DXE IPL PEIM to ensure that the DXE core code section is
mapped executable before invoking the DXE core.

It is up to the DXE core itself to manage the executable permissions on
other DXE and UEFI drivers and applications that it dispatches.

Note that this requires that the DXE IPL executes non-shadowed from a FV
that is mapped executable.

Signed-off-by: Ard Biesheuvel
---
 MdeModulePkg/Core/DxeIplPeim/Arm/DxeLoadFunc.c | 73 ++++++++++++++++++++
 MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf        |  1 +
 2 files changed, 74 insertions(+)

diff --git a/MdeModulePkg/Core/DxeIplPeim/Arm/DxeLoadFunc.c b/MdeModulePkg/= Core/DxeIplPeim/Arm/DxeLoadFunc.c index f62b6dcb38a7..c57ffa87e30f 100644 --- a/MdeModulePkg/Core/DxeIplPeim/Arm/DxeLoadFunc.c +++ b/MdeModulePkg/Core/DxeIplPeim/Arm/DxeLoadFunc.c 
@@ -11,6 +11,73 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include "DxeIpl.h"=0D =0D #include =0D +#include =0D +=0D +/**=0D + Discover the code sections of the DXE core, and remap them read-only=0D + and executable.=0D +=0D + @param DxeCoreEntryPoint The entrypoint of the DXE core executable.=0D + @param HobList The list of HOBs passed to the DXE core from P= EI.=0D +**/=0D +STATIC=0D +VOID=0D +RemapDxeCoreCodeReadOnly (=0D + IN EFI_PHYSICAL_ADDRESS DxeCoreEntryPoint,=0D + IN EFI_PEI_HOB_POINTERS HobList=0D + )=0D +{=0D + EFI_PEI_HOB_POINTERS Hob;=0D + PE_COFF_LOADER_IMAGE_CONTEXT ImageContext;=0D + RETURN_STATUS Status;=0D + EFI_IMAGE_OPTIONAL_HEADER_PTR_UNION Hdr;=0D + EFI_IMAGE_SECTION_HEADER *Section;=0D + UINTN Index;=0D +=0D + ImageContext.ImageRead =3D PeCoffLoaderImageReadFromMemory;=0D + ImageContext.Handle =3D NULL;=0D +=0D + //=0D + // Find the module HOB for the DXE core=0D + //=0D + for (Hob.Raw =3D HobList.Raw; !END_OF_HOB_LIST (Hob); Hob.Raw =3D GET_NE= XT_HOB (Hob)) {=0D + if ((GET_HOB_TYPE (Hob) =3D=3D EFI_HOB_TYPE_MEMORY_ALLOCATION) &&=0D + (CompareGuid (&Hob.MemoryAllocation->AllocDescriptor.Name, &gEfiHo= bMemoryAllocModuleGuid)) &&=0D + (Hob.MemoryAllocationModule->EntryPoint =3D=3D DxeCoreEntryPoint))= =0D + {=0D + ImageContext.Handle =3D (VOID *)(UINTN)Hob.MemoryAllocation->AllocDe= scriptor.MemoryBaseAddress;=0D + break;=0D + }=0D + }=0D +=0D + ASSERT (ImageContext.Handle !=3D NULL);=0D +=0D + Status =3D PeCoffLoaderGetImageInfo (&ImageContext);=0D + ASSERT_RETURN_ERROR (Status);=0D +=0D + Hdr.Union =3D (EFI_IMAGE_OPTIONAL_HEADER_UNION *)((UINT8 *)ImageContext.= Handle +=0D + ImageContext.PeCoffHeade= rOffset);=0D + ASSERT (Hdr.Pe32->Signature =3D=3D EFI_IMAGE_NT_SIGNATURE);=0D +=0D + Section =3D (EFI_IMAGE_SECTION_HEADER *)((UINT8 *)Hdr.Union + sizeof (UI= NT32) +=0D + sizeof (EFI_IMAGE_FILE_HEADER) += =0D + Hdr.Pe32->FileHeader.SizeOfOption= alHeader=0D + );=0D +=0D + for (Index =3D 0; Index < Hdr.Pe32->FileHeader.NumberOfSections; 
Index++= ) {=0D + if ((Section[Index].Characteristics & EFI_IMAGE_SCN_CNT_CODE) !=3D 0) = {=0D + ArmSetMemoryRegionReadOnly (=0D + (UINTN)((UINT8 *)ImageContext.Handle + Section[Index].VirtualAddre= ss),=0D + Section[Index].Misc.VirtualSize=0D + );=0D +=0D + ArmClearMemoryRegionNoExec (=0D + (UINTN)((UINT8 *)ImageContext.Handle + Section[Index].VirtualAddre= ss),=0D + Section[Index].Misc.VirtualSize=0D + );=0D + }=0D + }=0D +}=0D =0D /**=0D Transfers control to DxeCore.=0D @@ -33,6 +100,12 @@ HandOffToDxeCore ( VOID *TopOfStack;=0D EFI_STATUS Status;=0D =0D + //=0D + // DRAM may be mapped with non-executable permissions by default, so=0D + // we'll need to map the DXE core code region executable explicitly.=0D + //=0D + RemapDxeCoreCodeReadOnly (DxeCoreEntryPoint, HobList);=0D +=0D //=0D // Allocate 128KB for the Stack=0D //=0D diff --git a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf b/MdeModulePkg/Core/Dx= eIplPeim/DxeIpl.inf index 62821477d012..d85ca79dc0c3 100644 --- a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf +++ b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf @@ -82,6 +82,7 @@ [LibraryClasses] =0D [LibraryClasses.ARM, LibraryClasses.AARCH64]=0D ArmMmuLib=0D + PeCoffLib=0D =0D [Ppis]=0D gEfiDxeIplPpiGuid ## PRODUCES=0D --=20 2.39.2
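
Review bot: In RemapDxeCoreCodeReadOnly (first hunk of Arm/DxeLoadFunc.c), the results of ArmSetMemoryRegionReadOnly and ArmClearMemoryRegionNoExec in the section loop are discarded, so a failed remap goes unnoticed until control is transferred to a DXE core whose code may still be mapped non-executable. Please capture both results and check them, as is already done with ASSERT_RETURN_ERROR for PeCoffLoaderGetImageInfo. This matters all the more because Section[Index].VirtualAddress and Section[Index].Misc.VirtualSize are passed through without rounding to page granularity, so it should be confirmed what the ArmMmuLib calls do with a base or length that is not page-aligned. Separately, ASSERT (ImageContext.Handle != NULL) is the only guard for the case where no matching module HOB is found; a build with assertions disabled would carry on with a NULL image base.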
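
Review bot: The comment above the RemapDxeCoreCodeReadOnly call in HandOffToDxeCore (second hunk of Arm/DxeLoadFunc.c) omits the precondition stated in the commit message, namely that the DXE IPL itself must execute non-shadowed from an FV that is mapped executable. Please state that in the code comment as well, so that someone enabling an XP-by-default policy on a platform that shadows this PEIM finds the requirement next to the call rather than only in the git history.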
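
Review bot: The DxeIpl.inf hunk adds only PeCoffLib, while the new function also references gEfiHobMemoryAllocModuleGuid through CompareGuid; please confirm that GUID is already listed in the [Guids] section of DxeIpl.inf, and add it in this hunk if not. As a minor point, the library is added under [LibraryClasses.ARM, LibraryClasses.AARCH64] and the code lives in Arm/DxeLoadFunc.c, whereas the subject line mentions AARCH64 only, so the subject or commit message should say whether 32-bit ARM is meant to be covered too.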