Re: [PATCH 00/14] Implement Dynamic Memory Protections

["Taylor Beebe" <t@taylorbeebe.com>]

On 7/12/2023 3:05 AM, Gerd Hoffmann wrote:
> On Tue, Jul 11, 2023 at 04:52:37PM -0700, Taylor Beebe wrote:
>> In the past, memory protection settings were configured via FixedAtBuild PCDs,
>> which resulted in a build-time configuration of memory mitigations. This
>> approach limited the flexibility of applying mitigations to the
>> system and made it difficult to update or adjust the settings post-build.
> 
> Can we have both?
> 
> Being able to adjust settings at runtime is great.  But being able to
> set them at compile time on the command line (via build --pcd), without
> patching code, is very useful too.
> 
> I'd suggest to keep the PCDs, create a profile from PCD settings and use
> that profile by default.  At least for the transition phase and while we
> don't have good support (yet) to actually manage profiles.
> 

Hey, Gerd.

The idea to keep PCDs around as another method of configuring 
protections is good, but I don't think there would be a way to tell if a 
zero-ed PCD value was an explicit setting or just the default without 
adding another PCD to indicate which value should be used. I think if 
the HOB is produced by the platform those settings should be used by 
default. Is that what you're envisioning as well?

The flow in this case would be: DxeIpl before handoff will search for 
the memory protection HOB entry. If it exists, do nothing. If the HOB 
was not produced, create a HOB entry using the PCD values.

I suppose we could also do some sort of hybrid where the logic always 
uses the PCD values if they are non-zero, but that may be confusing for 
platform developers.

> Speaking of profile management: What is the longer-term vision here?
> 
> Have a configuration form in the uefi firmware setup (aka UiApp)?
> 
> Try adapt settings automatically, for example pick a less strict profile
> in case an old/broken bootloader triggers a page fault due to using the
> wrong memory type for allocations?
> 

Overall, the idea is to empower platform developers with more 
configuration and compatibility options to encourage the use of memory 
protections in debug and production scenarios.

On Surface products, we've made certain memory protections a necessary 
feature of the trusted boot path with the ability to fall back to an 
unverified boot path if a page fault occurs. We also added a 
configuration feature to only allow the trusted boot path which can be 
managed via enterprise policy or through the UEFI menu.

There are lots of ways OEMs might want to configure their platform 
security and I think it's an open question what sorts of profile 
management tools would be useful to add to EDK2.

> For virtual machine firmware it a good idea to allow picking up the
> profile configuration from the host.  For qemu that can use fw_cfg,
> similar to the PcdSetNxForStack option we have today.

I don't have much experience using the fw_cfg so I'd need to look into 
the details, but would it make sense to expand the options which can be 
passed via fw_cfg to be the gamut of memory protection configuration 
settings? I can add it to the v2 if you think so.

>> This patch series also increases the memory protection level for OvmfPkg and
>> ArmVirtPkg.
> 
> Not a good idea, especially not using the 'debug' profile (which turns
> on all guard bits) because that slows down firmware boot alot.
> 

I haven't done performance testing, but I don't notice much slowdown. 
Isn't development the primary use case for these virtual platforms? Is 
there another profile you think would work better?

Thanks for your feedback :)

> take care,
>    Gerd
>