From: "Yao, Jiewen"
To: Ard Biesheuvel, "edk2-devel@lists.01.org", "afish@apple.com", "leif.lindholm@linaro.org", "Kinney, Michael D", "Gao, Liming"
CC: "lersek@redhat.com", "Tian, Feng", "Zeng, Star"
Date: Tue, 28 Feb 2017 05:48:14 +0000
Message-ID: <74D8A39837DF1E4DA445A8C0B3885C503A8F6795@shsmsx102.ccr.corp.intel.com>
In-Reply-To: <1488206291-25768-1-git-send-email-ard.biesheuvel@linaro.org>
List-Id: EDK II Development
Subject: Re: [PATCH v4 0/7] MdeModulePkg/DxeCore: increased memory protection
All series reviewed-by: jiewen.yao@intel.com
X86 platform regression tested-by: Jiewen.yao@intel.com

Thank you
Yao Jiewen

> -----Original Message-----
> From: Ard Biesheuvel [mailto:ard.biesheuvel@linaro.org]
> Sent: Monday, February 27, 2017 10:38 PM
> To: edk2-devel@lists.01.org; afish@apple.com; leif.lindholm@linaro.org; Kinney,
> Michael D ; Gao, Liming ;
> Yao, Jiewen
> Cc: lersek@redhat.com; Tian, Feng ; Zeng, Star
> ; Ard Biesheuvel
> Subject: [PATCH v4 0/7] MdeModulePkg/DxeCore: increased memory protection
>
> Hello all,
>
> First of all, thanks for the reviews and regression testing. However, I did
> not add the tested-by tags nor some of the R-b's, given the changes in this v4.
>
> This series implements a memory protection policy that removes all executable
> permissions from writable memory regions, which greatly enhances security.
> It is based on Jiewen's recent work, which is a step in the right direction,
> but still leaves most of memory exploitable due to the default R+W+X
> permissions.
>
> The idea is that the implementation of the CPU arch protocol goes over the
> memory map and removes exec permissions from all regions that are not already
> marked as 'code'. This requires some preparatory work to ensure that the
> DxeCore itself is covered by a BootServicesCode region, not a BootServicesData
> region. Exec permissions are re-granted selectively, when the PE/COFF loader
> allocates the space for it. Combined with Jiewen's code/data split, this
> removes all RWX mapped regions.
>
> Changes since v3:
> - mandate that the same policy applies to EfiConventionalMemory regions and
>   EfiBootServicesData regions: they are unlikely to differ in practice, and
>   dealing with that corner case greatly complicates the implementation, given
>   the way DxeCore allocates memory for itself in the implementation of the
>   page and pool allocation routines.
> - apply the EfiConventionalMemory policy to untested RAM regions in the GCD
>   memory space map: without this, we may still have a large region of RAM that
>   is exploitable, and it also removes the need to apply memory protections in
>   PromoteMemoryResource (), which is very difficult to achieve without a major
>   restructuring of the code due to the way locking is implemented here.
> - add missing ApplyMemoryProtectionPolicy() call to CoreAddMemoryDescriptor()
> - use CoreAcquireLockOrFail() on gMemoryLock for CoreAllocatePoolPages (#4)
> - incorporate feedback from Liming (#2, #6)
> - add patch to enable the NX memory protection policy for ArmVirtPkg (#7)
>
> Changes since v2:
> - added patch to make EBC use EfiBootServicesCode pool allocations for thunks
> - redefine PCD according to Jiewen's feedback, including default value
> - use sorted memory map and merge adjacent entries with the same policy, to
>   prevent unnecessary page table splitting
> - ignore policy when executing in SMM
> - refactor the logic for managing permission attributes of pool allocations
> - added some R-b's
>
> Changes since v1:
> - allocate code pages for PE/COFF images in PeiCore, so that DxeCore pages have
>   the expected memory type (as suggested by Jiewen)
> - add patch to inhibit page table updates while syncing the GCD memory space
>   map with the page tables
> - add PCD to set memory protection policy, which allows the policy for reserved
>   and ACPI/NVS memory to be configured separately
> - move attribute manipulation into DxeCore page allocation code: this way, we
>   should be able to solve the EBC case by allocating BootServicesCode pool
>   memory explicitly.
>
> Series can be found here:
> https://git.linaro.org/people/ard.biesheuvel/uefi-next.git/log/?h=memprot-take2-v4
>
> Ard Biesheuvel (7):
>   ArmPkg/CpuDxe: ignore attribute changes during SyncCacheConfig()
>   MdeModulePkg/PeiCore: allocate BootServicesCode memory for PE/COFF images
>   MdeModulePkg/EbcDxe: use EfiBootServicesCode memory for thunks
>   MdeModulePkg/DxeCore: use separate lock for pool allocations
>   MdeModulePkg: define PCD for DXE memory protection policy
>   MdeModulePkg/DxeCore: implement memory protection policy
>   ArmVirtPkg/ArmVirt.dsc.inc: enable NX memory protection for all platforms
>
>  ArmPkg/Drivers/CpuDxe/CpuDxe.c                     |   3 +
>  ArmPkg/Drivers/CpuDxe/CpuDxe.h                     |   1 +
>  ArmPkg/Drivers/CpuDxe/CpuMmuCommon.c               |   4 +
>  ArmVirtPkg/ArmVirt.dsc.inc                         |   6 +
>  MdeModulePkg/Core/Dxe/DxeMain.h                    |  24 ++
>  MdeModulePkg/Core/Dxe/DxeMain.inf                  |   1 +
>  MdeModulePkg/Core/Dxe/Mem/Page.c                   |   7 +
>  MdeModulePkg/Core/Dxe/Mem/Pool.c                   |  65 +++-
>  MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c      | 371 +++++++++++++++++++-
>  MdeModulePkg/Core/Pei/Image/Image.c                |  23 +-
>  MdeModulePkg/MdeModulePkg.dec                      |  32 ++
>  MdeModulePkg/Universal/EbcDxe/AArch64/EbcSupport.c |   2 +-
>  MdeModulePkg/Universal/EbcDxe/EbcInt.c             |  23 ++
>  MdeModulePkg/Universal/EbcDxe/EbcInt.h             |  14 +
>  MdeModulePkg/Universal/EbcDxe/Ia32/EbcSupport.c    |   2 +-
>  MdeModulePkg/Universal/EbcDxe/Ipf/EbcSupport.c     |   2 +-
>  MdeModulePkg/Universal/EbcDxe/X64/EbcSupport.c     |   2 +-
>  17 files changed, 558 insertions(+), 24 deletions(-)
>
> --
> 2.7.4
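As an added illustration (not code from this series nor edk2's own), here is a model of the policy walk the cover letter describes: decide per memory type whether execute is stripped, merge adjacent same-decision entries of a sorted map so the page tables are not split needlessly, and check the v4 rule that EfiConventionalMemory and EfiBootServicesData share one policy. The memory-type numbering, the bitmask encoding and the sample map are assumptions made for this example.

```c
/* Added example, not edk2 code: models the NX policy walk the cover letter
 * describes. The memory-type enum, the policy bitmask layout and the sample
 * map are assumptions for this illustration, not MdeModulePkg's PCD format. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

enum { MemConventional, MemBootServicesCode, MemBootServicesData, MemReserved, MemAcpiNvs };
typedef struct { uint64_t Start; uint64_t Pages; int Type; } MemDesc;
typedef struct { uint64_t Start; uint64_t Pages; bool Nx; } Range;
#define PAGE_SIZE 4096ULL

/* Policy bit i set means "strip execute from memory type i" (assumed encoding). */
static bool StripExec(uint32_t Policy, int Type) { return (Policy >> Type) & 1u; }

/* v4 rule from the cover letter: EfiConventionalMemory and EfiBootServicesData
 * must be treated alike, so reject a policy that splits them. */
bool PolicyConsistent(uint32_t Policy) {
  return StripExec(Policy, MemConventional) == StripExec(Policy, MemBootServicesData);
}

/* Walk a map sorted by Start, decide NX per entry, and merge contiguous entries
 * that land on the same decision so one attribute change covers the whole run
 * (avoids needless page table splitting). Returns the number of ranges written. */
size_t ApplyPolicy(const MemDesc *Map, size_t Count, uint32_t Policy,
                   Range *Out, size_t Max) {
  size_t n = 0;
  for (size_t i = 0; i < Count; i++) {
    bool nx = StripExec(Policy, Map[i].Type);
    if (n > 0 && Out[n - 1].Nx == nx &&
        Out[n - 1].Start + Out[n - 1].Pages * PAGE_SIZE == Map[i].Start) {
      Out[n - 1].Pages += Map[i].Pages;  /* contiguous, same decision: extend */
      continue;
    }
    if (n == Max) break;                  /* caller's buffer is full */
    Out[n].Start = Map[i].Start; Out[n].Pages = Map[i].Pages; Out[n].Nx = nx;
    n++;
  }
  return n;
}

/* Constructed sample map (sorted) and a policy that strips execute from
 * conventional, boot-services-data and reserved memory but leaves code alone. */
const MemDesc DemoMap[] = {
  {0x1000, 4, MemConventional}, {0x5000, 2, MemBootServicesData},
  {0x7000, 3, MemBootServicesCode}, {0xA000, 1, MemBootServicesData},
  {0x20000, 2, MemReserved},
};
const size_t DemoMapCount = sizeof DemoMap / sizeof DemoMap[0];
const uint32_t DemoPolicy = (1u << MemConventional) | (1u << MemBootServicesData) | (1u << MemReserved);
```

On the sample map the conventional and boot-services-data entries at 0x1000 and 0x5000 collapse into one six-page NX range, the code region keeps execute, and the reserved region starts a new range because it is not contiguous.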