From: Ard Biesheuvel
To: devel@edk2.groups.io
Cc: Ard Biesheuvel, Ray Ni, Jiewen Yao, Gerd Hoffmann, Taylor Beebe, Oliver Smith-Denny, Dandan Bi, Liming Gao, "Kinney, Michael D", Leif Lindholm, Sunil V L, Andrei Warkentin
Subject: [RFC PATCH 00/10] Add PPI to manage PEI phase memory attributes
Date: Thu, 25 May 2023 16:30:31 +0200
Message-Id: <20230525143041.1172989-1-ardb@kernel.org>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4468

This is a proof-of-concept RFC that implements a PEI phase PPI to manage
memory permission attributes, and wires it up to the PEI image loader so
that shadowed PEIMs as well as the DXE core are remapped with the
appropriate, restricted memory permission attributes before execution.

This means that neither shadowed PEIMs nor the DXE core will ever
execute with writable code regions. It also removes the need on the part
of PEI for memory to be mapped with both writable and executable
permissions by default out of reset. Similar work still needs to be done
to address the early DXE phase (before the CPU arch protocol becomes
available), but once that is out of the way as well, platforms should be
able to map all memory non-executable from the beginning.

This by itself is a major improvement in terms of robustness. It is also
a prerequisite for enabling the WXN MMU control on AArch64, which makes
all writable memory mappings non-executable regardless of the non-exec
page table attribute.

Patches #1 to #4 are preparatory work.
Patch #5 proposes the memory attribute PPI protocol interface.
Patch #6 implements it for ARM and AARCH64.
Patch #7 wires it up into the PEI image loader.
Patches #8 to #10 update the DxeIpl to use this PPI on ARM/AARCH64 for
mapping the stack NX, instead of an explicit reference to ArmMmuLib.
Other architectures (except IA32/X64) will seamlessly inherit this once
they implement the PPI as well.

Cc: Ray Ni
Cc: Jiewen Yao
Cc: Gerd Hoffmann
Cc: Taylor Beebe
Cc: Oliver Smith-Denny
Cc: Dandan Bi
Cc: Liming Gao
Cc: "Kinney, Michael D"
Cc: Leif Lindholm
Cc: Sunil V L
Cc: Andrei Warkentin

Ard Biesheuvel (10):
  ArmPkg/ArmMmuLib: Extend API to manage memory permissions better
  ArmPkg/CpuDxe: Simplify memory attributes protocol implementation
  ArmPkg/CpuPei: Drop bogus DEPEX on PEI permanent memory
  OvmfPkg/RiscVVirt: Remove unimplemented NxForStack configuration
  MdeModulePkg: Define memory attribute PPI
  ArmPkg/CpuPei: Implement the memory attributes PPI
  MdeModulePkg/PeiCore: Apply restricted permissions in image loader
  MdeModulePkg/DxeIpl: Merge EBC, RISCV64 and LOONGARCH code
  MdeModulePkg/DxeIpl: Use memory attribute PPI to remap the stack NX
  MdeModulePkg/DxeIpl ARM AARCH64: Switch to generic handoff code

 ArmPkg/Drivers/CpuDxe/CpuMmuCommon.c                             |   2 +-
 ArmPkg/Drivers/CpuDxe/MemoryAttribute.c                          |  50 +-----
 ArmPkg/Drivers/CpuPei/CpuPei.c                                   |  78 +++++++++-
 ArmPkg/Drivers/CpuPei/CpuPei.inf                                 |   7 +-
 ArmPkg/Include/Library/ArmMmuLib.h                               |  36 ++++-
 ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c                 |  52 ++++++-
 ArmPkg/Library/ArmMmuLib/Arm/ArmMmuLibUpdate.c                   |  88 +++++++++--
 ArmPkg/Library/OpteeLib/Optee.c                                  |   2 +-
 MdeModulePkg/Core/DxeIplPeim/Arm/DxeLoadFunc.c                   |  71 ---------
 MdeModulePkg/Core/DxeIplPeim/{Ebc/DxeLoadFunc.c => DxeHandoff.c} |  31 +++-
 MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf                          |  24 +--
 MdeModulePkg/Core/DxeIplPeim/LoongArch64/DxeLoadFunc.c           |  63 --------
 MdeModulePkg/Core/DxeIplPeim/RiscV64/DxeLoadFunc.c               |  75 ---------
 MdeModulePkg/Core/Pei/Image/Image.c                              | 160 ++++++++++++++++++++
 MdeModulePkg/Core/Pei/PeiMain.h                                  |   6 +
 MdeModulePkg/Core/Pei/PeiMain.inf                                |   1 +
 MdeModulePkg/Include/Ppi/MemoryAttribute.h                       |  78 ++++++++++
 MdeModulePkg/MdeModulePkg.dec                                    |   3 +
 OvmfPkg/RiscVVirt/RiscVVirtQemu.dsc                              |   6 -
 19 files changed, 523 insertions(+), 310 deletions(-)
 delete mode 100644 MdeModulePkg/Core/DxeIplPeim/Arm/DxeLoadFunc.c
 rename MdeModulePkg/Core/DxeIplPeim/{Ebc/DxeLoadFunc.c => DxeHandoff.c} (62%)
 delete mode 100644 MdeModulePkg/Core/DxeIplPeim/LoongArch64/DxeLoadFunc.c
 delete mode 100644 MdeModulePkg/Core/DxeIplPeim/RiscV64/DxeLoadFunc.c
 create mode 100644 MdeModulePkg/Include/Ppi/MemoryAttribute.h

-- 
2.39.2
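
The policy described in the cover letter above, as an added sketch that is not code from this series or from EDK2: an image loader derives restricted attributes per section so code is never writable, and a second check models how WXN treats a mapping. The struct and function names are hypothetical; the IMAGE_SCN_* and EFI_MEMORY_* values are the PE/COFF and UEFI specification constants, and the 4 KiB page size is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* PE/COFF section flags and UEFI memory attribute bits (specification values). */
#define IMAGE_SCN_MEM_EXECUTE 0x20000000u
#define IMAGE_SCN_MEM_WRITE   0x80000000u
#define EFI_MEMORY_XP         0x4000ull   /* execute-protect (non-executable) */
#define EFI_MEMORY_RO         0x20000ull  /* read-only */
#define PAGE_4K               0x1000u     /* assumed translation granule */

/* Hypothetical, simplified section record; not an EDK2 structure. */
struct section { const char *name; uint32_t rva; uint32_t characteristics; };

/* Returns 0 and the restricted attributes, or -1 if W^X cannot be enforced. */
int section_attributes(const struct section *s, uint64_t *attr)
{
    int x = (s->characteristics & IMAGE_SCN_MEM_EXECUTE) != 0;
    int w = (s->characteristics & IMAGE_SCN_MEM_WRITE) != 0;
    if (x && w) return -1;            /* writable code: refuse to load */
    if (s->rva % PAGE_4K) return -1;  /* permissions apply per page */
    if (x)      *attr = EFI_MEMORY_RO;                  /* code:   R-X */
    else if (w) *attr = EFI_MEMORY_XP;                  /* data:   RW- */
    else        *attr = EFI_MEMORY_RO | EFI_MEMORY_XP;  /* rodata: R-- */
    return 0;
}

/* With WXN enabled a writable mapping is never executable, whatever XP says. */
int is_executable(uint64_t attr, int wxn)
{
    if (attr & EFI_MEMORY_XP) return 0;
    if (wxn && !(attr & EFI_MEMORY_RO)) return 0;
    return 1;
}

int main(void)
{
    struct section img[] = {   /* constructed sample layout */
        { ".text", 0x1000, IMAGE_SCN_MEM_EXECUTE },
        { ".data", 0x3000, IMAGE_SCN_MEM_WRITE },
        { ".wx",   0x4000, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE },
    };
    for (unsigned i = 0; i < sizeof img / sizeof img[0]; i++) {
        uint64_t a = 0;
        int rc = section_attributes(&img[i], &a);
        printf("%-6s rc=%d attr=0x%llx exec_under_wxn=%d\n", img[i].name, rc,
               (unsigned long long)a, rc == 0 && is_executable(a, 1));
    }
    return 0;
}
```

A mapping left at attribute 0 (the read-write-execute default out of reset) is executable without WXN and stops being executable once WXN is set, which is why the image loader has to remap code read-only before WXN can be turned on.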