From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <lersek@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 6C18E8042B
 for <edk2-devel@ml01.01.org>; Fri, 17 Mar 2017 05:35:42 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com
 [10.5.11.14])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.redhat.com (Postfix) with ESMTPS id B779985376;
 Fri, 17 Mar 2017 12:35:42 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com B779985376
Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com;
 dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com;
 spf=pass smtp.mailfrom=lersek@redhat.com
DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com B779985376
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-70.phx2.redhat.com
 [10.3.116.70])
 by smtp.corp.redhat.com (Postfix) with ESMTP id AF3865DC1D;
 Fri, 17 Mar 2017 12:35:41 +0000 (UTC)
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>
References: <1487958664-10707-1-git-send-email-ard.biesheuvel@linaro.org>
 <74D8A39837DF1E4DA445A8C0B3885C503A8F5385@shsmsx102.ccr.corp.intel.com>
 <CAKv+Gu86Aq+u1n8tkE6Bw1BOWR6y+qAC2j_UVEA58iURzTBuOQ@mail.gmail.com>
 <262ebc4d-629c-3437-2146-f4c0e5723f1a@redhat.com>
 <CAKv+Gu8iP+86iAxke1vYKL0-4VocmAftMjOBUH5jfvAW8-FUxA@mail.gmail.com>
Cc: "Yao, Jiewen" <jiewen.yao@intel.com>,
 "edk2-devel@lists.01.org" <edk2-devel@ml01.01.org>,
 "Gao, Liming" <liming.gao@intel.com>
From: Laszlo Ersek <lersek@redhat.com>
Message-ID: <48f431ec-483e-4896-3fca-c5fedcdc1029@redhat.com>
Date: Fri, 17 Mar 2017 13:35:39 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <CAKv+Gu8iP+86iAxke1vYKL0-4VocmAftMjOBUH5jfvAW8-FUxA@mail.gmail.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
 (mx1.redhat.com [10.5.110.25]); Fri, 17 Mar 2017 12:35:42 +0000 (UTC)
Subject: Re: [PATCH] MdeModulePkg/DxeCore: base code protection on permission attributes
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Mar 2017 12:35:42 -0000
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

On 03/17/17 13:11, Ard Biesheuvel wrote:
> On 17 March 2017 at 12:07, Laszlo Ersek <lersek@redhat.com> wrote:
>> On 02/26/17 15:00, Ard Biesheuvel wrote:
>>> On 25 February 2017 at 04:04, Yao, Jiewen <jiewen.yao@intel.com> wrote:
>>>> Hi Ard
>>>> I agree with you on this enhancement.
>>>>
>>>> I prefer to adding the description as comment in the code, so that people
>>>> can get clear picture when he/she reads the code.
>>>>
>>>> //
>>>> // Instead of assuming that a PE/COFF section of type EFI_IMAGE_SCN_CNT_CODE
>>>> // can always be mapped read-only, classify a section as a code section only
>>>> // if it has the executable attribute set and the writable attribute
>>>> cleared.
>>>> //
>>>> // This adheres more closely to the PE/COFF spec, and avoids issues with
>>>> // Linux OS loaders that consists of a single read/write/execute section.
>>>> //
>>>> if ((Section[Index].Characteristics & (EFI_IMAGE_SCN_MEM_WRITE |
>>>> EFI_IMAGE_SCN_MEM_EXECUTE)) == EFI_IMAGE_SCN_MEM_EXECUTE) {
>>>>
>>>> With comment update, reviewed-by: Jiewen.yao@intel.com
>>>>
>>>
>>> Thanks Jiewen
>>>
>>> Pushed as a2ed40c02bf2
>>
>> Is it possible that (recent?) Linux EFI stubs (aarch64) don't pass the
>> above check? I got a report from a colleague:
>>
>> !!!!!!!!  ProtectUefiImageCommon - CodeSegmentCount is 0  !!!!!!!!
>> EFI stub: Booting Linux Kernel...
>> EFI stub: Using DTB from configuration table
>> EFI stub: Exiting boot services and installing virtual address map...
>>
>> I tried to reproduce it with "4.5.0-15.el7.aarch64", and with
>> "4.8.7-300.fc25.aarch64", and I'm not seeing the message with either.
>>
>> I asked him about the exact kernel version (no answer yet, his workday
>> hasn't started yet).
>>
> 
> Well, the warning may be a bit loud, but this is expected behavior. I
> expect to be able to queue the linux/arm64 changes that split the
> PE/COFF sections and align them to 4 KB for v4.12, and so current
> kernels all consists of a single rwx section, which does not qualify
> as a code section.

Okay, thanks.

In that case, does it make sense to downgrade the messages from DEBUG_ERROR to DEBUG_WARN?

  if (ImageRecord->CodeSegmentCount == 0) {
    DEBUG ((DEBUG_ERROR, "!!!!!!!!  ProtectUefiImageCommon - CodeSegmentCount is 0  !!!!!!!!\n"));
    PdbPointer = PeCoffLoaderGetPdbPointer ((VOID*) (UINTN) ImageAddress);
    if (PdbPointer != NULL) {
      DEBUG ((DEBUG_ERROR, "!!!!!!!!  Image - %a  !!!!!!!!\n", PdbPointer));
    }
    goto Finish;
  }

Thanks
Laszlo

>> Any idea how I could validate the section headers of a (decompressed)
>> kernel image? I tried "aarch64-linux-gnu-objdump --section-headers", but
>> it doesn't recognize the image.
>>
> 
> It's a PE/COFF image not an ELF image.
>