Date: Mon, 17 Jul 2023 11:30:56 +0200
From: "Gerd Hoffmann"
To: Pedro Falcato
Cc: devel@edk2.groups.io, osy@turing.llc, Ard Biesheuvel, Leif Lindholm, dann frazier
Subject: Re: [edk2-devel] ArmVirtPkg: non-executable EFI_LOADER_DATA breaks GRUB on Ubuntu 22.04

Hi,

> > The idea is: Improve page fault handler to (a) print a big'n'fat
> > warning, and (b) loosening up memory permissions for the faulting
> > page address.
> >
> > No patch for that emerged (yet?).
>
> Ack. I can work on that.

FYI: There was a patch series on the list last week to move various
paging / security related options from compile time (PCD) to runtime
(config struct in HOB). All NX settings are in there, also page guard
and heap guard. Also some (very basic) support for config profiles.

With that in place it would be possible to make this configurable in
uefi firmware settings (or via fw_cfg, or both).

> Also, what's the situation on this for x86? I assume it's a lot worse there?

Currently x86 is less problematic in practice, but only because many of
the security features are not (yet) enabled.

Note it's not only grub+shim, the linux kernel stub is affected too.
The new, uefi-stub-only archs (armv7, armv8, riscv) are fixed meanwhile,
and they all use the common zboot code. x86 is wip still, ard has a
patch series in flight, it's more tricky there due to hybrid bios/uefi
kernels and other legacy cruft ...

take care,
Gerd
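
The fallback idea quoted in the message above (warn loudly, then relax permissions only for the faulting page) as a small C model. This is an added example, not edk2 code and not a patch from the thread; the page-table layout, the restriction to loader-data pages, and all names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096u
#define NPAGES    4u

/* Constructed model, not edk2 code: one entry per page. */
enum mem_type { LOADER_CODE, LOADER_DATA, BOOT_SERVICES_DATA };
struct page { enum mem_type type; bool present; bool nx; };
enum fault_result { FAULT_FATAL, FAULT_RELAXED };

static struct page page_table[NPAGES];
static unsigned relaxed_pages;          /* how often the fallback fired */

/* Constructed sample map: page 2 is a non-present guard page. */
void setup_sample_map(void)
{
    page_table[0] = (struct page){ LOADER_CODE,        true,  false };
    page_table[1] = (struct page){ LOADER_DATA,        true,  true  };
    page_table[2] = (struct page){ BOOT_SERVICES_DATA, false, true  };
    page_table[3] = (struct page){ BOOT_SERVICES_DATA, true,  true  };
    relaxed_pages = 0;
}

/* Hypothetical handler for an instruction-fetch fault at addr. */
enum fault_result handle_exec_fault(uint64_t addr)
{
    uint64_t idx = addr / PAGE_SIZE;

    if (idx >= NPAGES || !page_table[idx].present)
        return FAULT_FATAL;             /* unmapped or guard page */
    if (page_table[idx].type != LOADER_DATA || !page_table[idx].nx)
        return FAULT_FATAL;             /* not the compat case */

    /* (a) loud warning, (b) relax only the faulting page */
    fprintf(stderr, "WARNING: exec from NX loader data at 0x%llx, "
            "clearing NX for this page only\n", (unsigned long long)addr);
    page_table[idx].nx = false;
    relaxed_pages++;
    return FAULT_RELAXED;
}

bool page_is_nx(unsigned idx) { return page_table[idx].nx; }
unsigned relaxed_page_count(void) { return relaxed_pages; }

int main(void)
{
    setup_sample_map();
    printf("%d\n", handle_exec_fault(1 * PAGE_SIZE + 0x10));
    return 0;
}
```

The counter gives a settings UI or boot log something to report, so a relaxed page does not go unnoticed after the warning scrolls away.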