From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mout.perfora.net (mout.perfora.net [74.208.4.196]) by mx.groups.io with SMTP id smtpd.web10.11226.1680044421336930542 for ; Tue, 28 Mar 2023 16:00:21 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=none, err=permanent DNS error (domain: smith-denny.com, ip: 74.208.4.196, mailfrom: osd@smith-denny.com) Received: from [10.137.194.171] ([131.107.8.107]) by mrelay.perfora.net (mreueus003 [74.208.5.2]) with ESMTPSA (Nemesis) id 0MO8aA-1pmmTA3FjA-005VXX; Wed, 29 Mar 2023 01:00:04 +0200 Message-ID: <78855412-f3de-d17b-cb0a-5013c150f50b@smith-denny.com> Date: Tue, 28 Mar 2023 16:00:02 -0700 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.8.0 Subject: Re: [edk2-devel] [PATCH v2 00/17] Enable BTI support in memory attributes table To: devel@edk2.groups.io, ardb@kernel.org Cc: Michael Kinney , Liming Gao , Jiewen Yao , Michael Kubacki , Sean Brogan , Rebecca Cran , Leif Lindholm , Sami Mujawar , Taylor Beebe , =?UTF-8?Q?Marvin_H=c3=a4user?= , Bob Feng References: <20230327110112.262503-1-ardb@kernel.org> From: "Oliver Smith-Denny" In-Reply-To: <20230327110112.262503-1-ardb@kernel.org> X-Provags-ID: V03:K1:t/sBopaeKnaRDC/dNCLxD5jyCDPCc3/hJfrbY/ECye5v/mlPalv w2j1zI2pioAaU0ts2qjNBZAUr2OO2YNtk6H+CbW641bje1vUfnQO6odp6p05+zrYg1J3fyp FrnUdcewuFO3r4dddXcVre1fyDYo5/thRVP/fs+R8S1AeGf1dDu5m4xUWxiP3yfCBfwp9rL S18KVRLcTwnCTY/Wv/Fag== X-Spam-Flag: NO UI-OutboundReport: notjunk:1;M01:P0:40p0eEJVzwI=;YRKY5ZkYxp5r5kBlxJ6AaZEABwB rlCk2YNlbsmtGzIKgrY8aL2qVxes2AggHzm8jPslbpQS1+AkmPYZtYyWuIbZ27zfkHkFB5xg3 wuQkVWCmqIB8GGeHsbEOy8XjlfD8+hZWsbY9YkaqSSJjYqt2+vUp7uA8qVpF64E9QEIoz/NYd CwbWIKUwws4RbBYCLHP8s6NEaSQ8Tol1h+2JqlSTfrH1Gc3ILxKgqK51PK8czC4o5qhW9ATdc OGZQ40y4QOLFB3x0TLZFkxj/HqrhVvmecVD773WuWaBlhsLcO1hmJgPazZ/XOFkLfWj3uyTP5 DBYsBL5Ndnw3w26JJX662Glr0g5EiAofbF/N34HKYABBoZFjCZOBg1eOHpzg39UXdg7I5+4y0 um8mgnOMl3/BoPjVsPW8d1fx+r1gGyAJE4lxDA/RKtku95ukgIv1QVjzjoFik4H0yFzKakUAg XOhQ+UsxH5w9WLZzwuwD631Qcv2PyKYRt/T437ginSbljyCJ9/ZrMSajdw7p2/Jqs21K06jdY HrlSgMAl0QFAdzvTSyZWqeS/RrtA65Gp41TIQ15Lqx/F4Mv6sF1zfjc3EmiIHZ1zoSz0+LlrY bspHBmdC1H4evRN04Hk00xumEaHyYl/resrf9kMbmFaNi36ctt5olpmhuHSPI1gx+oZ2s7HPh tbiqFlckMa3qCOGy/NjPcfmNf8XleCg0zScycMxGRA== Content-Language: en-US Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit For the patchset: Reviewed-by: Oliver Smith-Denny Thanks! On 3/27/2023 4:00 AM, Ard Biesheuvel wrote: > Implement version 2 of the memory attributes table, which now contains a > > flag informing the OS whether or not code regions may be mapped with CFI > > mitigations such as IBT or BTI enabled. > > > > This series covers roughly the following parts: > > > > - (AARCH64) Annotate ELF objects generated from asm as BTI compatible > > when BTI codegen is enabled > > - Update the BaseTools to emit the appropriate PE/COFF annotation when a > > BTI/IBT compatible ELF executable is converted to PE/COFF > > - Take this PE/COFF annotation into account when populating the memory > > attributes table in the DXE core > > > > TODO: > > - X64 changes to make the code IBT compatible and emit the ELF note > > - Figure out how to generate such executables with native PE toolchains > > - Implement BTI/IBT enforcement at boot time - this is something I > > intend to look into next. > > > > Can be tested with the CLANG38 toolchain (both Clang compiler and LLD > > linker, version 3.8 or newer) with the following build options. > > > > [BuildOptions] > > GCC:*_*_AARCH64_PP_FLAGS = -mbranch-protection=bti > > GCC:*_*_AARCH64_CC_FLAGS = -mbranch-protection=bti > > GCC:*_*_AARCH64_DLINK_FLAGS = -fuse-ld=lld -Wl,--no-relax,--no-pie,-z,bti-report=error > > > > Cc: Michael Kinney > > Cc: Liming Gao > > Cc: Jiewen Yao > > Cc: Michael Kubacki > > Cc: Sean Brogan > > Cc: Rebecca Cran > > Cc: Leif Lindholm > > Cc: Sami Mujawar > > Cc: Taylor Beebe > > Cc: Marvin Häuser > > Cc: Bob Feng > > > > Ard Biesheuvel (17): > > MdePkg/ProcessorBind AARCH64: Add asm macro to emit GNU BTI note > > MdePkg/BaseCpuLib AARCH64: Make asm files BTI compatible > > MdePkg/BaseIoLibIntrinsic AARCH64: Make asm files BTI compatible > > MdePkg/BaseLib AARCH64: Make LongJump() BTI compatible > > MdePkg/BaseLib AARCH64: Make asm files BTI compatible > > MdePkg/BaseMemoryLibOptDxe AARCH64: Make asm files BTI compatible > > MdePkg/BaseSynchronizationLib AARCH64: Make asm files BTI compatible > > MdePkg/BaseRngLib AARCH64: Make asm files BTI compatible > > ArmPkg: Emit BTI opcodes when BTI codegen is enabled > > ArmPkg/GccLto AARCH64: Add BTI note to LTO helper library > > ArmPkg, BaseTools AARCH64: Add BTI ELF note to .hii objects > > ArmPlatformPkg/PrePeiCore: Make vector table object BTI compatible > > BaseTools/GenFw: Parse IBT/BTI support status from ELF note > > BaseTools/GenFw: Add DllCharacteristicsEx field to debug data > > MdePkg: Update MemoryAttributesTable to v2.10 > > MdePkg/PeCoffLib: Capture DLL characteristics fieldis in image context > > MdeModulePkg: Enable forward edge CFI in mem attributes table > > > > ArmPkg/Include/AsmMacroIoLibV8.h | 3 +- > > ArmPkg/Library/ArmExceptionLib/AArch64/ExceptionSupport.S | 3 +- > > ArmPkg/Library/ArmSvcLib/AArch64/ArmSvc.S | 4 +- > > ArmPkg/Library/GccLto/liblto-aarch64.a | Bin 1016 -> 1128 bytes > > ArmPkg/Library/GnuNoteBti.bin | Bin 0 -> 32 bytes > > ArmPlatformPkg/PrePeiCore/AArch64/Exception.S | 2 + > > ArmVirtPkg/Library/ArmPlatformLibQemu/IdMap.S | 2 + > > BaseTools/Conf/tools_def.template | 4 +- > > BaseTools/Source/C/GenFw/Elf64Convert.c | 104 +++++++++++++++++--- > > BaseTools/Source/C/GenFw/GenFw.c | 3 +- > > BaseTools/Source/C/GenFw/elf_common.h | 9 ++ > > BaseTools/Source/C/Include/IndustryStandard/PeImage.h | 13 ++- > > MdeModulePkg/Core/Dxe/DxeMain.h | 2 + > > MdeModulePkg/Core/Dxe/Image/Image.c | 10 ++ > > MdeModulePkg/Core/Dxe/Misc/MemoryAttributesTable.c | 8 +- > > MdePkg/Include/AArch64/ProcessorBind.h | 31 ++++++ > > MdePkg/Include/Guid/MemoryAttributesTable.h | 8 +- > > MdePkg/Include/IndustryStandard/PeImage.h | 13 ++- > > MdePkg/Include/Library/PeCoffLib.h | 6 ++ > > MdePkg/Library/BaseCpuLib/AArch64/CpuFlushTlb.S | 1 + > > MdePkg/Library/BaseCpuLib/AArch64/CpuSleep.S | 1 + > > MdePkg/Library/BaseIoLibIntrinsic/AArch64/ArmVirtMmio.S | 8 ++ > > MdePkg/Library/BaseLib/AArch64/CpuBreakpoint.S | 1 + > > MdePkg/Library/BaseLib/AArch64/DisableInterrupts.S | 1 + > > MdePkg/Library/BaseLib/AArch64/EnableInterrupts.S | 1 + > > MdePkg/Library/BaseLib/AArch64/GetInterruptsState.S | 1 + > > MdePkg/Library/BaseLib/AArch64/MemoryFence.S | 1 + > > MdePkg/Library/BaseLib/AArch64/SetJumpLongJump.S | 5 +- > > MdePkg/Library/BaseLib/AArch64/SpeculationBarrier.S | 1 + > > MdePkg/Library/BaseLib/AArch64/SwitchStack.S | 2 + > > MdePkg/Library/BaseMemoryLibOptDxe/AArch64/CompareGuid.S | 1 + > > MdePkg/Library/BaseMemoryLibOptDxe/AArch64/CompareMem.S | 1 + > > MdePkg/Library/BaseMemoryLibOptDxe/AArch64/CopyMem.S | 1 + > > MdePkg/Library/BaseMemoryLibOptDxe/AArch64/ScanMem.S | 1 + > > MdePkg/Library/BaseMemoryLibOptDxe/AArch64/SetMem.S | 5 + > > MdePkg/Library/BasePeCoffLib/BasePeCoff.c | 46 ++++++--- > > MdePkg/Library/BaseRngLib/AArch64/ArmReadIdIsar0.S | 3 +- > > MdePkg/Library/BaseRngLib/AArch64/ArmRng.S | 1 + > > MdePkg/Library/BaseSynchronizationLib/AArch64/Synchronization.S | 5 + > > 39 files changed, 270 insertions(+), 42 deletions(-) > > create mode 100644 ArmPkg/Library/GnuNoteBti.bin > > >