From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mout.perfora.net (mout.perfora.net [74.208.4.196])
 by mx.groups.io with SMTP id smtpd.web11.11421.1680044373695716336
 for <devel@edk2.groups.io>;
 Tue, 28 Mar 2023 15:59:33 -0700
Authentication-Results: mx.groups.io;
 dkim=missing; spf=none, err=permanent DNS error (domain: smith-denny.com, ip: 74.208.4.196, mailfrom: osd@smith-denny.com)
Received: from [10.137.194.171] ([131.107.8.107]) by mrelay.perfora.net
 (mreueus004 [74.208.5.2]) with ESMTPSA (Nemesis) id 1N33hJ-1qSMXO2jwz-013JBj;
 Wed, 29 Mar 2023 00:59:15 +0200
Message-ID: <6a919b89-b7bc-f014-1a2c-d9c30a167209@smith-denny.com>
Date: Tue, 28 Mar 2023 15:59:12 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101
 Thunderbird/102.8.0
Subject: Re: [edk2-devel] [PATCH v2 17/17] MdeModulePkg: Enable forward edge CFI in mem attributes table
To: devel@edk2.groups.io, ardb@kernel.org
Cc: Michael Kinney <michael.d.kinney@intel.com>,
 Liming Gao <gaoliming@byosoft.com.cn>, Jiewen Yao <jiewen.yao@intel.com>,
 Michael Kubacki <michael.kubacki@microsoft.com>,
 Sean Brogan <sean.brogan@microsoft.com>,
 Rebecca Cran <quic_rcran@quicinc.com>,
 Leif Lindholm <quic_llindhol@quicinc.com>,
 Sami Mujawar <sami.mujawar@arm.com>, Taylor Beebe <t@taylorbeebe.com>,
 =?UTF-8?Q?Marvin_H=c3=a4user?= <mhaeuser@posteo.de>,
 Bob Feng <bob.c.feng@intel.com>
References: <20230327110112.262503-1-ardb@kernel.org>
 <20230327110112.262503-18-ardb@kernel.org>
From: "Oliver Smith-Denny" <osd@smith-denny.com>
In-Reply-To: <20230327110112.262503-18-ardb@kernel.org>
X-Provags-ID: V03:K1:pLwl7+t8iLcVaDQYe1xBRzhJU482SOLa25rni8sELXK7TJv+4sX
 To6YmpfskyeZ3zBAM8v6yEIHq1mqaMYdPwsv8lQZ3DDJT+AvKm6GN9Ct90TmrxQx8ZMs6Wv
 +dcjnN91K17mtpxw4D/gJNRQ9pdstlz6UT/jPJktIsRDfdc00CshJnPiOzuc59rTJInJUtB
 3E3sjICDQ//JcdYxQBPMA==
X-Spam-Flag: NO
UI-OutboundReport: notjunk:1;M01:P0:bxnbxgNzXUc=;tSCTrh21oIyiDc4Z4LhSb4B77X2
 XsBSLttQvZSgzXpw5h8ZG0mblQBmLKe4kju/6kE1SpFCueUdJkibRmHQeZWYvbhH+8r5Iyi2e
 VWTJz6yWD+5nRbBOBNedG0AwA/kcf2ddOQrjyUnbMPjUpEq8E5sg9WqP7VHmIq04MBxC8uojy
 sRKTeKvbXgj7Ijtzj8a/dcxPeq63RKa3amLSQMZl+UxOwGDZs4ImeQzqHtwb736h8WWPjpnV1
 7dUjLXh/bZIebgGgvMRPOBmgJho4OyOZuwpX1BFJEco9KaJ9Kdw2a/jxVom+3BzOZxLwnA48B
 VqtK4SOh/+OM20wGaGwZ5F7aWRrrb2Qhy/g31bSLfJaRnhwmqg870Lvb3eGrWYDyPOTcyItiE
 6tp6AtAVBHrseDQ5bKdMCb+qXvbJhXTW5b9fxAsQWFGBybSheyDu2LvjaM2r57sUGz+uTlu1v
 dHWYcLS9L4XX2jGQhuDHEjL6VMy+zDnHa/2oxBHI+26/Bi7qAmb9WQ273dVDeVXT5DHXou5BD
 iG0nBeeJ2ja7VRS7qqfazJBQaOV/JSS9TISXbkFe7e7ubB3aHLeH7mKx7xOEwoitmjMLKz/LU
 nDE2FB3OlIvnRqqgQc0hlNUqZGyurjpovxgbVPjHIHmgRs5BDhMy78+I0agY6OHVquvITCaYm
 UQLaA0zjz8s9skimA940YeX2TLEaV8h6Wy1F2c18xw==
Content-Language: en-US
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

On 3/27/2023 4:01 AM, Ard Biesheuvel wrote:
> The memory attributes table has been extended with a flag that indicates
> whether or not the OS is permitted to map the EFI runtime code regions
> with strict enforcement for IBT/BTI landing pad instructions.
> 
> Given that the PE/COFF spec now defines a DllCharacteristicsEx flag that
> indicates whether or not a loaded image is compatible with this, we can
> wire this up to the flag in the memory attributes table, and set it if
> all loaded runtime image are compatible with it.
> 
> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
> ---
>   MdeModulePkg/Core/Dxe/DxeMain.h                    |  2 ++
>   MdeModulePkg/Core/Dxe/Image/Image.c                | 10 ++++++++++
>   MdeModulePkg/Core/Dxe/Misc/MemoryAttributesTable.c |  8 +++++++-
>   3 files changed, 19 insertions(+), 1 deletion(-)
> 
> diff --git a/MdeModulePkg/Core/Dxe/DxeMain.h b/MdeModulePkg/Core/Dxe/DxeMain.h
> index 815a6b4bd844a452..43daa037be441150 100644
> --- a/MdeModulePkg/Core/Dxe/DxeMain.h
> +++ b/MdeModulePkg/Core/Dxe/DxeMain.h
> @@ -280,6 +280,8 @@ extern EFI_MEMORY_TYPE_INFORMATION  gMemoryTypeInformation[EfiMaxMemoryType + 1]
>   extern BOOLEAN                    gDispatcherRunning;
> 
>   extern EFI_RUNTIME_ARCH_PROTOCOL  gRuntimeTemplate;
> 
>   
> 
> +extern BOOLEAN  gMemoryAttributesTableForwardCfi;
> 
> +
> 
>   extern EFI_LOAD_FIXED_ADDRESS_CONFIGURATION_TABLE  gLoadModuleAtFixAddressConfigurationTable;
> 
>   extern BOOLEAN                                     gLoadFixedAddressCodeMemoryReady;
> 
>   //
> 
> diff --git a/MdeModulePkg/Core/Dxe/Image/Image.c b/MdeModulePkg/Core/Dxe/Image/Image.c
> index 8704ebea9a7c88c0..9dbfb2a1fad22ced 100644
> --- a/MdeModulePkg/Core/Dxe/Image/Image.c
> +++ b/MdeModulePkg/Core/Dxe/Image/Image.c
> @@ -1399,6 +1399,16 @@ CoreLoadImageCommon (
>       CoreNewDebugImageInfoEntry (EFI_DEBUG_IMAGE_INFO_TYPE_NORMAL, &Image->Info, Image->Handle);
> 
>     }
> 
>   
> 
> +  //
> 
> +  // Check whether we are loading a runtime image that lacks support for
> 
> +  // IBT/BTI landing pads.
> 
> +  //
> 
> +  if ((Image->ImageContext.ImageCodeMemoryType == EfiRuntimeServicesCode) &&
> 
> +      ((Image->ImageContext.DllCharacteristicsEx & EFI_IMAGE_DLLCHARACTERISTICS_EX_FORWARD_CFI_COMPAT) == 0))
> 
> +  {
> 
> +    gMemoryAttributesTableForwardCfi = FALSE;
> 
> +  }
If I understand this correctly, we are disabling Forward CFI if we attempt
to load any runtime images that don't support it. Would it make
sense to have a PCD to determine whether we strictly enforce
Forward CFI (i.e. don't load this incompatible image) in such a case?

Thanks,
Oliver

> 
> +
> 
>     //
> 
>     // Reinstall loaded image protocol to fire any notifications
> 
>     //
> 
> diff --git a/MdeModulePkg/Core/Dxe/Misc/MemoryAttributesTable.c b/MdeModulePkg/Core/Dxe/Misc/MemoryAttributesTable.c
> index e079213711875f89..fd127ee167e1ac9a 100644
> --- a/MdeModulePkg/Core/Dxe/Misc/MemoryAttributesTable.c
> +++ b/MdeModulePkg/Core/Dxe/Misc/MemoryAttributesTable.c
> @@ -89,6 +89,7 @@ BOOLEAN                      mMemoryAttributesTableEnable      = TRUE;
>   BOOLEAN                      mMemoryAttributesTableEndOfDxe    = FALSE;
> 
>   EFI_MEMORY_ATTRIBUTES_TABLE  *mMemoryAttributesTable           = NULL;
> 
>   BOOLEAN                      mMemoryAttributesTableReadyToBoot = FALSE;
> 
> +BOOLEAN                      gMemoryAttributesTableForwardCfi  = TRUE;
> 
>   
> 
>   /**
> 
>     Install MemoryAttributesTable.
> 
> @@ -182,7 +183,12 @@ InstallMemoryAttributesTable (
>     MemoryAttributesTable->Version         = EFI_MEMORY_ATTRIBUTES_TABLE_VERSION;
> 
>     MemoryAttributesTable->NumberOfEntries = RuntimeEntryCount;
> 
>     MemoryAttributesTable->DescriptorSize  = (UINT32)DescriptorSize;
> 
> -  MemoryAttributesTable->Reserved        = 0;
> 
> +  if (gMemoryAttributesTableForwardCfi) {
> 
> +    MemoryAttributesTable->Flags = EFI_MEMORY_ATTRIBUTES_FLAGS_RT_FORWARD_CONTROL_FLOW_GUARD;
> 
> +  } else {
> 
> +    MemoryAttributesTable->Flags = 0;
> 
> +  }
> 
> +
> 
>     DEBUG ((DEBUG_VERBOSE, "MemoryAttributesTable:\n"));
> 
>     DEBUG ((DEBUG_VERBOSE, "  Version              - 0x%08x\n", MemoryAttributesTable->Version));
> 
>     DEBUG ((DEBUG_VERBOSE, "  NumberOfEntries      - 0x%08x\n", MemoryAttributesTable->NumberOfEntries));
>