From: "Ard Biesheuvel"
To: devel@edk2.groups.io
Cc: Ard Biesheuvel, Michael Kinney, Liming Gao, Jiewen Yao, Michael Kubacki, Sean Brogan, Rebecca Cran, Leif Lindholm, Sami Mujawar, Taylor Beebe
Subject: [PATCH v5 19/38] MdeModulePkg/DxeCore: Reduce range of W+X remaps at EBS time
Date: Mon, 13 Mar 2023 18:16:55 +0100
Message-Id: <20230313171714.3866151-20-ardb@kernel.org>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20230313171714.3866151-1-ardb@kernel.org>
References: <20230313171714.3866151-1-ardb@kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Instead of remapping all DXE runtime drivers with read-write-execute permissions entirely when ExitBootServices() is called, remap only the parts of those images that require writable access for applying relocation fixups at SetVirtualAddressMap() time.

As illustrated below, this greatly reduces the footprint of those regions, which is important for safe execution. And given that the most important ISAs and toolchains split executable code from relocatable quantities, the remapped pages in question are generally not the ones that contain code as well.

On an ArmVirtQemu build, the footprint of those RWX pages is shown below.

As future work, we might investigate whether we can find a way to guarantee in general that images are built in a way where executable code and relocatable data never share a 4 KiB page, in which case we could apply EFI_MEMORY_XP permissions here instead of allowing RWX.
Before:

SetUefiImageMemoryAttributes - 0x0000000047600000 - 0x0000000000050000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x0000000044290000 - 0x0000000000050000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x0000000044230000 - 0x0000000000050000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x00000000441D0000 - 0x0000000000050000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x00000000440D0000 - 0x0000000000050000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x0000000043F90000 - 0x0000000000040000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x0000000043F40000 - 0x0000000000040000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x0000000043EF0000 - 0x0000000000040000 (0x0000000000000008)

After:

SetUefiImageMemoryAttributes - 0x0000000047630000 - 0x0000000000001000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x00000000442C0000 - 0x0000000000001000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x0000000044260000 - 0x0000000000001000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x0000000044200000 - 0x0000000000001000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x0000000044100000 - 0x0000000000001000 (0x0000000000000008)

Signed-off-by: Ard Biesheuvel
---
 MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c b/MdeModulePkg/C= ore/Dxe/Misc/MemoryProtection.c index 5a82eee80781..3e6f2b4e74cc 100644 --- a/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c +++ b/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c @@ -1060,6 +1060,8 @@ MemoryProtectionExitBootServicesCallback ( {=0D EFI_RUNTIME_IMAGE_ENTRY *RuntimeImage;=0D LIST_ENTRY *Link;=0D + PHYSICAL_ADDRESS RelocationRangeStart;=0D + PHYSICAL_ADDRESS RelocationRangeEnd;=0D =0D //=0D // We need remove the RT protection, because RT relocation need write co= de segment=0D 
@@ -1073,7 +1075,22 @@ MemoryProtectionExitBootServicesCallback ( if (mImageProtectionPolicy !=3D 0) {=0D for (Link =3D gRuntime->ImageHead.ForwardLink; Link !=3D &gRuntime->Im= ageHead; Link =3D Link->ForwardLink) {=0D RuntimeImage =3D BASE_CR (Link, EFI_RUNTIME_IMAGE_ENTRY, Link);=0D - SetUefiImageMemoryAttributes ((UINT64)(UINTN)RuntimeImage->ImageBase= , ALIGN_VALUE (RuntimeImage->ImageSize, EFI_PAGE_SIZE), 0);=0D +=0D + PeCoffLoaderGetRelocationRange (=0D + (PHYSICAL_ADDRESS)(UINTN)RuntimeImage->ImageBase,=0D + (UINTN)ALIGN_VALUE (RuntimeImage->ImageSize, EFI_PAGE_SIZE),=0D + RuntimeImage->RelocationData,=0D + &RelocationRangeStart,=0D + &RelocationRangeEnd=0D + );=0D +=0D + if (RelocationRangeEnd > RelocationRangeStart) {=0D + SetUefiImageMemoryAttributes (=0D + RelocationRangeStart,=0D + (UINTN)(RelocationRangeEnd - RelocationRangeStart),=0D + 0=0D + );=0D + }=0D }=0D }=0D }=0D --=20 2.39.2
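Review bot: the comment kept as trailing context in the first hunk ("We need remove the RT protection, because RT relocation need write code segment") no longer matches the behaviour this patch introduces, since only the range reported by PeCoffLoaderGetRelocationRange () is unprotected now rather than the whole image. Please update it to say that just the pages holding relocation targets are remapped writable for the SetVirtualAddressMap() fixups, and fix its grammar while there; a reader of the two new PHYSICAL_ADDRESS locals should be able to tell from that comment why the range is narrower than RuntimeImage->ImageSize.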
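Review bot: in the second hunk the outcome of PeCoffLoaderGetRelocationRange () is never checked; the only guard is `if (RelocationRangeEnd > RelocationRangeStart)`, and RelocationRangeStart/RelocationRangeEnd are declared in the first hunk without initializers. If the helper can return without writing its output parameters (for example when RuntimeImage->RelocationData is NULL or the image carries no relocations), that comparison reads indeterminate values and may remap an arbitrary range with attribute 0, i.e. RWX. Initialise both locals to 0 before the call, or test the helper's status and skip the remap when it fails. It would also be worth a one-line comment that the helper is expected to return EFI_PAGE_SIZE-aligned bounds: the removed line explicitly used ALIGN_VALUE (RuntimeImage->ImageSize, EFI_PAGE_SIZE), whereas the new length `(UINTN)(RelocationRangeEnd - RelocationRangeStart)` is passed straight to SetUefiImageMemoryAttributes ().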
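As an added illustration of what the patch relies on (this is not code from the edk2 tree or from this series), a standalone model of the job PeCoffLoaderGetRelocationRange () does: derive the page-aligned window around an image's relocation targets, then test the commit message's open question of whether that window also contains code, which is what decides between RWX and EFI_MEMORY_XP. The RuntimeImageModel struct, the 8-byte FIXUP_SIZE and the two sample images are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#define EFI_PAGE_SIZE  0x1000ULL
#define FIXUP_SIZE     8ULL   /* assumption: every fixup patches a 64-bit (DIR64) slot */

/* Constructed model of a loaded runtime image; not a PE/COFF parser. */
typedef struct {
  uint64_t        ImageBase;   /* load address of the image */
  uint64_t        CodeRva;     /* executable section, relative to ImageBase */
  uint64_t        CodeSize;
  const uint32_t *FixupRvas;   /* RVAs of the relocation targets */
  size_t          FixupCount;
} RuntimeImageModel;
typedef struct { uint64_t Start; uint64_t End; } PageRange;  /* [Start, End) */

/* Smallest page-aligned range covering every relocation target, i.e. the only pages
 * that must be writable while SetVirtualAddressMap() applies fixups; empty if none. */
PageRange GetRelocationRange (const RuntimeImageModel *Img)
{
  PageRange R  = { 0, 0 };
  uint64_t  Lo = UINT64_MAX, Hi = 0;

  for (size_t i = 0; i < Img->FixupCount; i++) {
    uint64_t Target = Img->ImageBase + Img->FixupRvas[i];
    if (Target < Lo) Lo = Target;
    if (Target + FIXUP_SIZE > Hi) Hi = Target + FIXUP_SIZE;
  }
  if (Hi == 0) return R;
  R.Start = Lo & ~(EFI_PAGE_SIZE - 1);                       /* round down */
  R.End   = (Hi + EFI_PAGE_SIZE - 1) & ~(EFI_PAGE_SIZE - 1);  /* round up */
  return R;
}

/* The commit message's open question: does a page that must stay writable also hold
 * code? Only when this is false could the range get EFI_MEMORY_XP instead of RWX. */
bool RelocationPagesOverlapCode (const RuntimeImageModel *Img)
{
  PageRange R         = GetRelocationRange (Img);
  uint64_t  CodeStart = Img->ImageBase + Img->CodeRva;
  uint64_t  CodeEnd   = CodeStart + Img->CodeSize;
  return R.End > R.Start && R.Start < CodeEnd && CodeStart < R.End;
}

/* Constructed samples: a clean image (code in pages 0-1, fixups in page 3) and one
 * whose 8-byte fixup at RVA 0xFFC straddles into the code page at RVA 0x1000. */
static const uint32_t   CleanFixups[]    = { 0x3010, 0x3028, 0x3FF8 };
const RuntimeImageModel CleanImage       = { 0x44260000ULL, 0x0,    0x2000, CleanFixups,    3 };
static const uint32_t   StraddleFixups[] = { 0x0FFC };
const RuntimeImageModel StraddleImage    = { 0x44260000ULL, 0x1000, 0x1000, StraddleFixups, 1 };
```

For the clean image the window collapses to a single 0x1000-byte page, which is the shape of the "After" lines above; the straddling image shows why a per-page check is needed before EFI_MEMORY_XP could replace the RWX remap.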