Re: [RFC PATCH 0/4] RFC: increased memory protection

public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed

From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: "edk2-devel@lists.01.org" <edk2-devel@lists.01.org>,
	"afish@apple.com" <afish@apple.com>,
	"leif.lindholm@linaro.org" <leif.lindholm@linaro.org>,
	"Kinney, Michael D" <michael.d.kinney@intel.com>,
	"Gao, Liming" <liming.gao@intel.com>,
	"lersek@redhat.com" <lersek@redhat.com>,
	"Tian, Feng" <feng.tian@intel.com>,
	"Zeng, Star" <star.zeng@intel.com>,
	"Yao, Jiewen" <jiewen.yao@intel.com>
Subject: Re: [RFC PATCH 0/4] RFC: increased memory protection
Date: Fri, 24 Feb 2017 02:25:57 +0000	[thread overview]
Message-ID: <74D8A39837DF1E4DA445A8C0B3885C503A8F4C32@shsmsx102.ccr.corp.intel.com> (raw)
In-Reply-To: <CAKv+Gu9UmvvbvO9Vee4NfUyBQBe5GnZJStNYGX382UDFGeaFHg@mail.gmail.com>

HI Ard
In X86 CPU driver - UefiCpuPkg\CpuDxe, we use a global variable – mIsFlushingGCD.

In RefreshGcdMemoryAttributes(), we set mIsFlushingGCD=TRUE.
In CpuSetMemoryAttributes(), we check mIsFlushingGCD. If mIsFlushingGCD is TRUE, CpuSetMemoryAttributes() returns immediately without touching cache attribute or memory attribute.

The reason is that RefreshGcdMemoryAttributes() just sync current CPU hardware setting to GCD software record.
No real need to set cache again.

Previous we purposely skip GCD setting on RO/XP, the reason is still compatibility concern.
We do not want to provide a different memory map to 3rd part code, just in case there is hidden assumption on memory map attributes.

Maybe ARM can use similar way in SyncCacheConfig() and do a simple check in CpuSetMemoryAttributes().

Thank you
Yao Jiewen

From: Ard Biesheuvel [mailto:ard.biesheuvel@linaro.org]
Sent: Friday, February 24, 2017 3:33 AM
To: Yao, Jiewen <jiewen.yao@intel.com>
Cc: edk2-devel@lists.01.org; afish@apple.com; leif.lindholm@linaro.org; Kinney, Michael D <michael.d.kinney@intel.com>; Gao, Liming <liming.gao@intel.com>; lersek@redhat.com; Tian, Feng <feng.tian@intel.com>; Zeng, Star <star.zeng@intel.com>
Subject: Re: [RFC PATCH 0/4] RFC: increased memory protection

On 23 February 2017 at 11:45, Yao, Jiewen <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>> wrote:
> Sounds great.
>
> I look forward to your V2.
>

Hello Jiewen,

What I am currently struggling with is the fact that we don't use the
GCD RO/XP permissions at all. This means that
RefreshGcdMemoryAttributes () (or SyncCacheConfig() on ARM) will
remove non-exec attributes if we add them in the CPU arch protocol
installation notifier callback.

So there are two approaches imo:
- introduce a way to call into the DXE core to mark all non-code
regions non-exec after RefreshGcdMemoryAttributes () has been called,
or
- add the RO/XP attributes to the GCD memory space map, and enable
them in the attributes.

Option #2 will require a change to CoreAddRange to prevent those RO/XP
attributes to leak into the UEFI memory map, because that results in
all regions have to RO/XP attributes set by default, which is
obviously not what we want.

Any thoughts?

Thanks,
Ard.

next prev parent reply	other threads:[~2017-02-24  2:26 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-02-22 18:24 [RFC PATCH 0/4] RFC: increased memory protection Ard Biesheuvel
2017-02-22 18:24 ` [RFC PATCH 1/4] MdeModulePkg/DxeCore: allow BootServicesData->BootServicesCode conversion Ard Biesheuvel
2017-02-22 18:24 ` [RFC PATCH 2/4] MdeModulePkg/DxeCore: convert the DxeCore memory region to BootServicesCode Ard Biesheuvel
2017-02-22 18:24 ` [RFC PATCH 3/4] MdeModulePkg/DxeCore: lift non-exec permissions on loaded images Ard Biesheuvel
2017-02-22 18:24 ` [RFC PATCH 4/4] ArmPkg/CpuDxe: remap all data regions non-executable Ard Biesheuvel
2017-02-23  8:52 ` [RFC PATCH 0/4] RFC: increased memory protection Yao, Jiewen
2017-02-23 11:39   ` Ard Biesheuvel
2017-02-23 11:45     ` Yao, Jiewen
2017-02-23 19:32       ` Ard Biesheuvel
2017-02-24  2:25         ` Yao, Jiewen [this message]
2017-02-23 10:34 ` Laszlo Ersek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=74D8A39837DF1E4DA445A8C0B3885C503A8F4C32@shsmsx102.ccr.corp.intel.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox