From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 6C18E8042B for ; Fri, 17 Mar 2017 05:35:42 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id B779985376; Fri, 17 Mar 2017 12:35:42 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com B779985376 Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=lersek@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com B779985376 Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-70.phx2.redhat.com [10.3.116.70]) by smtp.corp.redhat.com (Postfix) with ESMTP id AF3865DC1D; Fri, 17 Mar 2017 12:35:41 +0000 (UTC) To: Ard Biesheuvel References: <1487958664-10707-1-git-send-email-ard.biesheuvel@linaro.org> <74D8A39837DF1E4DA445A8C0B3885C503A8F5385@shsmsx102.ccr.corp.intel.com> <262ebc4d-629c-3437-2146-f4c0e5723f1a@redhat.com> Cc: "Yao, Jiewen" , "edk2-devel@lists.01.org" , "Gao, Liming" From: Laszlo Ersek Message-ID: <48f431ec-483e-4896-3fca-c5fedcdc1029@redhat.com> Date: Fri, 17 Mar 2017 13:35:39 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0 MIME-Version: 1.0 In-Reply-To: X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]); Fri, 17 Mar 2017 12:35:42 +0000 (UTC) Subject: Re: [PATCH] MdeModulePkg/DxeCore: base code protection on permission attributes X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Mar 2017 12:35:42 -0000 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit On 03/17/17 13:11, Ard Biesheuvel wrote: > On 17 March 2017 at 12:07, Laszlo Ersek wrote: >> On 02/26/17 15:00, Ard Biesheuvel wrote: >>> On 25 February 2017 at 04:04, Yao, Jiewen wrote: >>>> Hi Ard >>>> I agree with you on this enhancement. >>>> >>>> I prefer to adding the description as comment in the code, so that people >>>> can get clear picture when he/she reads the code. >>>> >>>> // >>>> // Instead of assuming that a PE/COFF section of type EFI_IMAGE_SCN_CNT_CODE >>>> // can always be mapped read-only, classify a section as a code section only >>>> // if it has the executable attribute set and the writable attribute >>>> cleared. >>>> // >>>> // This adheres more closely to the PE/COFF spec, and avoids issues with >>>> // Linux OS loaders that consists of a single read/write/execute section. >>>> // >>>> if ((Section[Index].Characteristics & (EFI_IMAGE_SCN_MEM_WRITE | >>>> EFI_IMAGE_SCN_MEM_EXECUTE)) == EFI_IMAGE_SCN_MEM_EXECUTE) { >>>> >>>> With comment update, reviewed-by: Jiewen.yao@intel.com >>>> >>> >>> Thanks Jiewen >>> >>> Pushed as a2ed40c02bf2 >> >> Is it possible that (recent?) Linux EFI stubs (aarch64) don't pass the >> above check? I got a report from a colleague: >> >> !!!!!!!! ProtectUefiImageCommon - CodeSegmentCount is 0 !!!!!!!! >> EFI stub: Booting Linux Kernel... >> EFI stub: Using DTB from configuration table >> EFI stub: Exiting boot services and installing virtual address map... >> >> I tried to reproduce it with "4.5.0-15.el7.aarch64", and with >> "4.8.7-300.fc25.aarch64", and I'm not seeing the message with either. >> >> I asked him about the exact kernel version (no answer yet, his workday >> hasn't started yet). >> > > Well, the warning may be a bit loud, but this is expected behavior. I > expect to be able to queue the linux/arm64 changes that split the > PE/COFF sections and align them to 4 KB for v4.12, and so current > kernels all consists of a single rwx section, which does not qualify > as a code section. Okay, thanks. In that case, does it make sense to downgrade the messages from DEBUG_ERROR to DEBUG_WARN? if (ImageRecord->CodeSegmentCount == 0) { DEBUG ((DEBUG_ERROR, "!!!!!!!! ProtectUefiImageCommon - CodeSegmentCount is 0 !!!!!!!!\n")); PdbPointer = PeCoffLoaderGetPdbPointer ((VOID*) (UINTN) ImageAddress); if (PdbPointer != NULL) { DEBUG ((DEBUG_ERROR, "!!!!!!!! Image - %a !!!!!!!!\n", PdbPointer)); } goto Finish; } Thanks Laszlo >> Any idea how I could validate the section headers of a (decompressed) >> kernel image? I tried "aarch64-linux-gnu-objdump --section-headers", but >> it doesn't recognize the image. >> > > It's a PE/COFF image not an ELF image. >