From: "Yao, Jiewen"
To: Ard Biesheuvel, edk2-devel@lists.01.org, leif.lindholm@linaro.org
CC: afish@apple.com, "Kinney, Michael D", "Gao, Liming", lersek@redhat.com, "Tian, Feng", "Zeng, Star"
Date: Mon, 27 Feb 2017 05:19:58 +0000
Message-ID: <74D8A39837DF1E4DA445A8C0B3885C503A8F5ABB@shsmsx102.ccr.corp.intel.com>
In-Reply-To: <1488133805-4773-1-git-send-email-ard.biesheuvel@linaro.org>
Subject: Re: [PATCH v3 0/6] RFC: increased memory protection

Thanks Ard. I found that V3 5/6 has a typo below:

+ gEfiMdeModulePkgTokenSpaceGuid.PcdDxeMemoryProtectionPolicy|0x0000000|UINT64|0x00001048

It should be PcdDxeNxMemoryProtectionPolicy. Otherwise I got a build failure.

With the above typo fixed, the whole series is Reviewed-by: Jiewen.yao@intel.com

Regression Tested-by: Jiewen.yao@intel.com
1) Default build (NX protection disabled), boot Intel X86 system (X64 build) to UEFI Windows 10.
2) Default build (NX protection disabled), boot Intel X86 system (IA32 build) to UEFI Shell.

Thank you
Yao Jiewen

> -----Original Message-----
> From: Ard Biesheuvel [mailto:ard.biesheuvel@linaro.org]
> Sent: Monday, February 27, 2017 2:30 AM
> To: edk2-devel@lists.01.org; Yao, Jiewen; leif.lindholm@linaro.org
> Cc: afish@apple.com; Kinney, Michael D; Gao, Liming; lersek@redhat.com; Tian, Feng; Zeng, Star; Ard Biesheuvel
> Subject: [PATCH v3 0/6] RFC: increased memory protection
>
> Hello all,
>
> This is a proof of concept implementation that removes all executable
> permissions from writable memory regions, which greatly enhances security.
> It is based on Jiewen's recent work, which is a step in the right direction,
> but still leaves most of memory exploitable due to the default R+W+X
> permissions.
>
> The idea is that the implementation of the CPU arch protocol goes over the
> memory map and removes exec permissions from all regions that are not already
> marked as 'code'. This requires some preparatory work to ensure that the DxeCore
> itself is covered by a BootServicesCode region, not a BootServicesData region.
> Exec permissions are re-granted selectively, when the PE/COFF loader allocates
> the space for it. Combined with Jiewen's code/data split, this removes all
> RWX mapped regions.
>
> Changes since v2:
> - added patch to make EBC use EfiBootServicesCode pool allocations for thunks
> - redefine PCD according to Jiewen's feedback, including default value
> - use sorted memory map and merge adjacent entries with the same policy, to
>   prevent unnecessary page table splitting
> - ignore policy when executing in SMM
> - refactor the logic for managing permission attributes of pool allocations
> - added some R-b's
>
> Changes since v1:
> - allocate code pages for PE/COFF images in PeiCore, so that DxeCore pages have
>   the expected memory type (as suggested by Jiewen)
> - add patch to inhibit page table updates while syncing the GCD memory space
>   map with the page tables
> - add PCD to set memory protection policy, which allows the policy for reserved
>   and ACPI/NVS memory to be configured separately
> - move attribute manipulation into DxeCore page allocation code: this way, we
>   should be able to solve the EBC case by allocating BootServicesCode pool
>   memory explicitly.
>
> Series can be found here:
> https://git.linaro.org/people/ard.biesheuvel/uefi-next.git/log/?h=memprot-take2
>
> Note that to test this properly, the default value of 0 should be changed
> to 0x7FD5, which applies non-exec permissions to everything except Efi*Code
> regions.
>
> Ard Biesheuvel (6):
>   ArmPkg/CpuDxe: ignore attribute changes during SyncCacheConfig()
>   MdeModulePkg/PeiCore: allocate BootServicesCode memory for PE/COFF images
>   MdeModulePkg/EbcDxe: use EfiBootServicesCode memory for thunks
>   MdeModulePkg/DxeCore: use separate lock for pool allocations
>   MdeModulePkg: define PCD for DXE memory protection policy
>   MdeModulePkg/DxeCore: implement memory protection policy
>
>  ArmPkg/Drivers/CpuDxe/CpuDxe.c                     |   3 +
>  ArmPkg/Drivers/CpuDxe/CpuDxe.h                     |   1 +
>  ArmPkg/Drivers/CpuDxe/CpuMmuCommon.c               |   4 +
>  MdeModulePkg/Core/Dxe/DxeMain.h                    |  24 ++
>  MdeModulePkg/Core/Dxe/DxeMain.inf                  |   1 +
>  MdeModulePkg/Core/Dxe/Mem/Page.c                   |   4 +
>  MdeModulePkg/Core/Dxe/Mem/Pool.c                   |  60 +++-
>  MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c      | 306 +++++++++++++++++++-
>  MdeModulePkg/Core/Pei/Image/Image.c                |  10 +-
>  MdeModulePkg/MdeModulePkg.dec                      |  31 ++
>  MdeModulePkg/Universal/EbcDxe/AArch64/EbcSupport.c |   2 +-
>  MdeModulePkg/Universal/EbcDxe/EbcInt.c             |  23 ++
>  MdeModulePkg/Universal/EbcDxe/EbcInt.h             |  14 +
>  MdeModulePkg/Universal/EbcDxe/Ia32/EbcSupport.c    |   2 +-
>  MdeModulePkg/Universal/EbcDxe/Ipf/EbcSupport.c     |   2 +-
>  MdeModulePkg/Universal/EbcDxe/X64/EbcSupport.c     |   2 +-
>  16 files changed, 471 insertions(+), 18 deletions(-)
>
> --
> 2.7.4
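The two mechanisms the cover letter describes, the per-memory-type NX policy bitmask (tested with 0x7FD5) and the walk over a sorted memory map that merges adjacent entries with the same policy, as an added illustration that is not code from the series or from the thread. It assumes the standard EFI_MEMORY_TYPE numbering from the UEFI specification, with bit N of the policy meaning "apply NX to memory type N", and runs over a constructed sample map.

```c
#include <stdint.h>
#include <stddef.h>

/* EFI_MEMORY_TYPE values as numbered in the UEFI specification; the policy
   PCD is read here as one bit per type: bit N set = apply NX to type N. */
enum {
  EfiReservedMemoryType = 0, EfiLoaderCode, EfiLoaderData,
  EfiBootServicesCode, EfiBootServicesData, EfiRuntimeServicesCode,
  EfiRuntimeServicesData, EfiConventionalMemory, EfiUnusableMemory,
  EfiACPIReclaimMemory, EfiACPIMemoryNVS, EfiMemoryMappedIO,
  EfiMemoryMappedIOPortSpace, EfiPalCode, EfiPersistentMemory,
  EfiMaxMemoryType
};

#define EFI_PAGE_SIZE 4096ULL
#define TEST_POLICY   0x7FD5ULL  /* the test value suggested in the cover letter */

typedef struct { uint64_t Start; uint64_t NumberOfPages; uint32_t Type; } MemDesc;
typedef struct { uint64_t Start; uint64_t End; } NxRange;  /* [Start, End) */

/* Does the policy demand non-executable mappings for this memory type? */
int PolicyAppliesNx(uint64_t Policy, uint32_t Type) {
  return Type < (uint32_t)EfiMaxMemoryType && ((Policy >> Type) & 1ULL) != 0;
}

/* Walk a map sorted by address and coalesce adjacent NX descriptors into one
   range, so the page tables are updated once per run instead of once per
   entry (the "merge adjacent entries with the same policy" step). */
size_t CollectNxRanges(uint64_t Policy, const MemDesc *Map, size_t Count,
                       NxRange *Out, size_t OutCap) {
  size_t n = 0;
  for (size_t i = 0; i < Count; i++) {
    if (!PolicyAppliesNx(Policy, Map[i].Type)) continue;
    uint64_t s = Map[i].Start, e = s + Map[i].NumberOfPages * EFI_PAGE_SIZE;
    if (n > 0 && Out[n - 1].End == s) { Out[n - 1].End = e; continue; }
    if (n == OutCap) break;            /* caller's buffer is full */
    Out[n].Start = s; Out[n].End = e; n++;
  }
  return n;
}

/* Constructed sample map (hypothetical addresses): code regions sit between
   data regions, and two NX regions are contiguous and should merge. */
const MemDesc SampleMap[] = {
  { 0x00000000, 0x100, EfiBootServicesData },
  { 0x00100000, 0x020, EfiBootServicesCode },
  { 0x00120000, 0x010, EfiBootServicesData },
  { 0x00130000, 0x050, EfiConventionalMemory },
  { 0x00180000, 0x010, EfiRuntimeServicesCode },
};
const size_t SampleMapCount = sizeof(SampleMap) / sizeof(SampleMap[0]);
```

With TEST_POLICY the walk yields two NX ranges, [0, 0x100000) and the merged [0x120000, 0x180000), leaving both code regions executable; with the default policy of 0 it yields none.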