From: "Ard Biesheuvel" <ardb@kernel.org>
To: devel@edk2.groups.io
Cc: Ard Biesheuvel <ardb@kernel.org>,
Michael Kinney <michael.d.kinney@intel.com>,
Liming Gao <gaoliming@byosoft.com.cn>,
Jiewen Yao <jiewen.yao@intel.com>,
Michael Kubacki <michael.kubacki@microsoft.com>,
Sean Brogan <sean.brogan@microsoft.com>,
Rebecca Cran <quic_rcran@quicinc.com>,
Leif Lindholm <quic_llindhol@quicinc.com>,
Sami Mujawar <sami.mujawar@arm.com>,
Taylor Beebe <t@taylorbeebe.com>
Subject: [PATCH v5 35/38] MdeModulePkg/DxeCore: Clear NX permissions on non-protected images
Date: Mon, 13 Mar 2023 18:17:11 +0100 [thread overview]
Message-ID: <20230313171714.3866151-36-ardb@kernel.org> (raw)
In-Reply-To: <20230313171714.3866151-1-ardb@kernel.org>
Currently, we rely on the memory type for loading images being
executable by default, and only restrict the permissions if the policy
says so, and the image sections are suitably aligned. This requires that
the various 'code' memory types are executable by default, which is
unfortunate.
In order to be able to tighten this, let's update the image protection
policy handling so that images that should not be mapped with strict
separation of RW- and R-X are remapped RWX explicitly if the memory type
used for loading the images is marked as NX by default.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c | 98 +++++++++++---------
1 file changed, 54 insertions(+), 44 deletions(-)
diff --git a/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c b/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c
index 301ddd6eb053..7c7a946c1b48 100644
--- a/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c
+++ b/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c
@@ -373,11 +373,62 @@ ProtectUefiImage (
}
ProtectionPolicy = GetUefiImageProtectionPolicy (LoadedImage, LoadedImageDevicePath);
+
+ ImageAddress = LoadedImage->ImageBase;
+
+ PdbPointer = PeCoffLoaderGetPdbPointer ((VOID *)(UINTN)ImageAddress);
+ if (PdbPointer != NULL) {
+ DEBUG ((DEBUG_VERBOSE, " Image - %a\n", PdbPointer));
+ }
+
switch (ProtectionPolicy) {
- case DO_NOT_PROTECT:
- return EFI_SUCCESS;
case PROTECT_IF_ALIGNED_ELSE_ALLOW:
- break;
+ //
+ // Check PE/COFF image
+ //
+ DosHdr = (EFI_IMAGE_DOS_HEADER *)(UINTN)ImageAddress;
+ PeCoffHeaderOffset = 0;
+ if (DosHdr->e_magic == EFI_IMAGE_DOS_SIGNATURE) {
+ PeCoffHeaderOffset = DosHdr->e_lfanew;
+ }
+
+ Hdr.Pe32 = (EFI_IMAGE_NT_HEADERS32 *)((UINT8 *)(UINTN)ImageAddress + PeCoffHeaderOffset);
+ if (Hdr.Pe32->Signature != EFI_IMAGE_NT_SIGNATURE) {
+ DEBUG ((DEBUG_INFO, "Hdr.Pe32->Signature invalid - 0x%x\n", Hdr.Pe32->Signature));
+ // It might be image in SMM.
+ } else {
+ //
+ // Get SectionAlignment
+ //
+ if (Hdr.Pe32->OptionalHeader.Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
+ SectionAlignment = Hdr.Pe32->OptionalHeader.SectionAlignment;
+ } else {
+ SectionAlignment = Hdr.Pe32Plus->OptionalHeader.SectionAlignment;
+ }
+
+ if (SectionAlignment >= EFI_PAGE_SIZE) {
+ break;
+ }
+
+ DEBUG ((
+ DEBUG_VERBOSE,
+ "!!!!!!!! ProtectUefiImageCommon - Section Alignment(0x%x) is incorrect !!!!!!!!\n",
+ SectionAlignment
+ ));
+ }
+ // fall through to unprotect image if needed
+ case DO_NOT_PROTECT:
+ if ((PcdGet64 (PcdDxeNxMemoryProtectionPolicy) &
+ LShiftU64 (1, LoadedImage->ImageCodeType)) != 0)
+ {
+ SetUefiImageMemoryAttributes (
+ (UINTN)LoadedImage->ImageBase,
+ (LoadedImage->ImageSize + EFI_PAGE_MASK) & ~(UINT64)EFI_PAGE_MASK,
+ 0
+ );
+ }
+
+ return EFI_SUCCESS;
default:
ASSERT (FALSE);
return EFI_SUCCESS;
@@ -396,47 +447,6 @@ ProtectUefiImage (
ImageRecord->ImageBase = (EFI_PHYSICAL_ADDRESS)(UINTN)LoadedImage->ImageBase;
ImageRecord->ImageSize = LoadedImage->ImageSize;
- ImageAddress = LoadedImage->ImageBase;
-
- PdbPointer = PeCoffLoaderGetPdbPointer ((VOID *)(UINTN)ImageAddress);
- if (PdbPointer != NULL) {
- DEBUG ((DEBUG_VERBOSE, " Image - %a\n", PdbPointer));
- }
-
- //
- // Check PE/COFF image
- //
- DosHdr = (EFI_IMAGE_DOS_HEADER *)(UINTN)ImageAddress;
- PeCoffHeaderOffset = 0;
- if (DosHdr->e_magic == EFI_IMAGE_DOS_SIGNATURE) {
- PeCoffHeaderOffset = DosHdr->e_lfanew;
- }
-
- Hdr.Pe32 = (EFI_IMAGE_NT_HEADERS32 *)((UINT8 *)(UINTN)ImageAddress + PeCoffHeaderOffset);
- if (Hdr.Pe32->Signature != EFI_IMAGE_NT_SIGNATURE) {
- DEBUG ((DEBUG_VERBOSE, "Hdr.Pe32->Signature invalid - 0x%x\n", Hdr.Pe32->Signature));
- // It might be image in SMM.
- goto Finish;
- }
-
- //
- // Get SectionAlignment
- //
- if (Hdr.Pe32->OptionalHeader.Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
- SectionAlignment = Hdr.Pe32->OptionalHeader.SectionAlignment;
- } else {
- SectionAlignment = Hdr.Pe32Plus->OptionalHeader.SectionAlignment;
- }
-
- if (SectionAlignment >= EFI_PAGE_SIZE) {
- DEBUG ((
- DEBUG_VERBOSE,
- "!!!!!!!! ProtectUefiImageCommon - Section Alignment(0x%x) is incorrect !!!!!!!!\n",
- SectionAlignment
- ));
- goto Finish;
- }
-
Section = (EFI_IMAGE_SECTION_HEADER *)(
(UINT8 *)(UINTN)ImageAddress +
PeCoffHeaderOffset +
--
2.39.2
next prev parent reply other threads:[~2023-03-13 17:19 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-13 17:16 [PATCH v5 00/38] Implement strict memory permissions throughout Ard Biesheuvel
2023-03-13 17:16 ` [PATCH v5 01/38] ArmPkg/ArmMmuLib ARM: Remove half baked large page support Ard Biesheuvel
2023-03-13 17:16 ` [PATCH v5 02/38] ArmPkg/ArmMmuLib ARM: Split off XN page descriptor bit from type field Ard Biesheuvel
2023-03-14 17:24 ` Leif Lindholm
2023-03-13 17:16 ` [PATCH v5 03/38] ArmPkg/CpuDxe ARM: Fix page-to-section attribute conversion Ard Biesheuvel
2023-03-13 17:16 ` [PATCH v5 04/38] ArmPkg/ArmMmuLib ARM: Isolate the access flag from AP mask Ard Biesheuvel
2023-03-14 17:55 ` [edk2-devel] " Leif Lindholm
2023-03-13 17:16 ` [PATCH v5 05/38] ArmPkg/ArmMmuLib ARM: Clear individual permission bits Ard Biesheuvel
2023-03-13 17:16 ` [PATCH v5 06/38] ArmPkg/ArmMmuLib: Implement EFI_MEMORY_RP using access flag Ard Biesheuvel
2023-03-13 17:16 ` [PATCH v5 07/38] ArmVirtPkg: Enable stack guard Ard Biesheuvel
2023-03-13 17:16 ` [PATCH v5 08/38] ArmPkg/ArmMmuLib: Avoid splitting block entries if possible Ard Biesheuvel
2023-03-14 18:13 ` [edk2-devel] " Leif Lindholm
2023-03-14 18:29 ` Ard Biesheuvel
2023-03-15 18:02 ` Leif Lindholm
2023-03-13 17:16 ` [PATCH v5 09/38] ArmPkg/CpuDxe: Expose unified region-to-EFI attribute conversion Ard Biesheuvel
2023-03-15 18:08 ` [edk2-devel] " Leif Lindholm
2023-03-13 17:16 ` [PATCH v5 10/38] MdePkg: Add Memory Attribute Protocol definition Ard Biesheuvel
2023-03-13 17:16 ` [PATCH v5 11/38] ArmPkg/CpuDxe: Implement EFI memory attributes protocol Ard Biesheuvel
2023-03-15 18:31 ` Leif Lindholm
2023-03-16 7:19 ` [edk2-devel] " Ard Biesheuvel
2023-03-16 9:27 ` Ard Biesheuvel
2023-03-16 11:41 ` Leif Lindholm
2023-03-13 17:16 ` [PATCH v5 12/38] ArmPkg/CpuDxe: Perform preliminary NX remap of free memory Ard Biesheuvel
2023-03-13 17:16 ` [PATCH v5 13/38] MdeModulePkg/DxeCore: Unconditionally set memory protections Ard Biesheuvel
2023-03-13 17:16 ` [PATCH v5 14/38] ArmPkg/Mmu: Remove handling of NONSECURE memory regions Ard Biesheuvel
2023-03-13 17:16 ` [PATCH v5 15/38] ArmPkg/ArmMmuLib: Introduce region types for RO/XP WB cached memory Ard Biesheuvel
2023-03-13 17:16 ` [PATCH v5 16/38] MdePkg/BasePeCoffLib: Add API to keep track of relocation range Ard Biesheuvel
2023-03-13 17:16 ` [PATCH v5 17/38] MdeModulePkg/DxeIpl: Avoid shadowing IPL PEIM by default Ard Biesheuvel
2023-03-13 17:16 ` [PATCH v5 18/38] MdeModulePkg/DxeIpl AARCH64: Remap DXE core code section before launch Ard Biesheuvel
2023-03-16 22:20 ` [edk2-devel] " osd
2023-03-13 17:16 ` [PATCH v5 19/38] MdeModulePkg/DxeCore: Reduce range of W+X remaps at EBS time Ard Biesheuvel
2023-03-13 17:16 ` [PATCH v5 20/38] MdeModulePkg/DxeCore: Permit preliminary CPU arch fallback Ard Biesheuvel
2023-03-13 17:16 ` [PATCH v5 21/38] ArmPkg: Implement ArmSetMemoryOverrideLib Ard Biesheuvel
2023-03-16 13:27 ` [edk2-devel] " Leif Lindholm
2023-03-16 14:20 ` Ard Biesheuvel
2023-03-13 17:16 ` [PATCH v5 22/38] MdeModulePkg/PcdPeim: Permit unshadowed execution Ard Biesheuvel
2023-03-13 17:16 ` [PATCH v5 23/38] EmbeddedPkg/PrePiLib AARCH64: Remap DXE core before execution Ard Biesheuvel
2023-03-16 13:33 ` Leif Lindholm
2023-03-16 13:50 ` [edk2-devel] " Ard Biesheuvel
2023-03-16 14:09 ` Leif Lindholm
2023-03-13 17:17 ` [PATCH v5 24/38] ArmVirtPkg/ArmVirtQemu: Use XP memory mappings by default Ard Biesheuvel
2023-03-13 17:17 ` [PATCH v5 25/38] ArmVirtPkg/ArmVirtQemu: Use PEI flavor of ArmMmuLib for all PEIMs Ard Biesheuvel
2023-03-13 17:17 ` [PATCH v5 26/38] ArmVirtPkg/ArmVirtQemu: Use read-only memory region type for code flash Ard Biesheuvel
2023-03-13 17:17 ` [PATCH v5 27/38] BaseTools/GccBase AARCH64: Avoid page sharing between code and data Ard Biesheuvel
2023-03-16 13:46 ` [edk2-devel] " Leif Lindholm
2023-03-16 14:30 ` Ard Biesheuvel
2023-03-13 17:17 ` [PATCH v5 28/38] ArmVirtPkg/ArmVirtQemu: Enable hardware enforced W^X memory permissions Ard Biesheuvel
2023-03-13 17:17 ` [PATCH v5 29/38] MdePkg/PeCoffLib: Capture DLL characteristics field in image context Ard Biesheuvel
2023-03-13 17:17 ` [PATCH v5 30/38] MdePkg/IndustryStandard: PeImage.h: Import DLL characteristics Ard Biesheuvel
2023-03-13 17:17 ` [PATCH v5 31/38] MdeModulePkg/DxeCore: Remove redundant DEBUG statements Ard Biesheuvel
2023-03-13 17:17 ` [PATCH v5 32/38] MdeModulePkg/DxeCore: Update memory protections before freeing a region Ard Biesheuvel
2023-03-16 13:51 ` Leif Lindholm
2023-03-16 14:00 ` [edk2-devel] " Ard Biesheuvel
2023-03-16 14:52 ` Leif Lindholm
2023-03-13 17:17 ` [PATCH v5 33/38] MdeModulePkg/DxeCore: Disregard runtime alignment for image protection Ard Biesheuvel
2023-03-13 17:17 ` [PATCH v5 34/38] MdeModulePkg/DxeCore: Deal with failure in UefiProtectImage() Ard Biesheuvel
2023-03-13 17:17 ` Ard Biesheuvel [this message]
2023-03-17 20:04 ` [edk2-devel] [PATCH v5 35/38] MdeModulePkg/DxeCore: Clear NX permissions on non-protected images Oliver Smith-Denny
2023-03-13 17:17 ` [PATCH v5 36/38] MdeModulePkg/DxeCore: Permit NX protection for code regions Ard Biesheuvel
2023-03-13 17:17 ` [PATCH v5 37/38] MdeModulePkg/DxeCore: Check NX compat when using restricted " Ard Biesheuvel
2023-03-13 17:17 ` [PATCH v5 38/38] MdeModulePkg DEC: Remove inaccurate comment Ard Biesheuvel
2023-03-16 14:04 ` [edk2-devel] [PATCH v5 00/38] Implement strict memory permissions throughout Leif Lindholm
2023-03-17 21:41 ` Oliver Smith-Denny
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230313171714.3866151-36-ardb@kernel.org \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox