From: Pedro Falcato
Date: Mon, 17 Jul 2023 17:49:17 +0100
Subject: Re: [edk2-devel] [PATCH 00/14] Implement Dynamic Memory Protections
To: Ard Biesheuvel
Cc: devel@edk2.groups.io, t@taylorbeebe.com, Jian J Wang, Liming Gao, Dandan Bi, Ard Biesheuvel, Jiewen Yao, Jordan Justen, Gerd Hoffmann, Leif Lindholm, Sami Mujawar, Andrew Fish, Ray Ni, Eric Dong, Rahul Kumar, Guo Dong, Sean Rhodes, James Lu, Gua Guo

On Mon, Jul 17, 2023 at 5:26 PM Ard Biesheuvel wrote:
>
> On Mon, 17 Jul 2023 at 18:15, Pedro Falcato wrote:
> >
> > On Wed, Jul 12, 2023 at 12:53 AM Taylor Beebe wrote:
> > >
> > > In the past, memory protection settings were configured via FixedAtBuild PCDs,
> > > which resulted in a build-time configuration of memory mitigations. This
> > > approach limited the flexibility of applying mitigations to the
> > > system and made it difficult to update or adjust the settings post-build.
> >
> > How do you mitigate the possibility of an attack overwriting the
> > dynamic configuration data (the HOBs)?
> > It seems most dangerous to me to publish this sort of
> > security-sensitive configuration knobs dynamically such that an
> > attacker can change them.
> >
>
> That is a very good point. One of the things I have on my TODO list
> for the memory attributes PEI work is to remap HOB memory read-only
> before entering DXE. They are conceptually read-only anyway when PEI
> completes, so they should never be modified afterwards.

I agree, but it also seems that this patch set needs some sort of
__ro_after_init capabilities.

For example, in
https://github.com/tianocore/edk2/pull/4566/commits/e485459b6efb1e49591c6f3011d9da14746c52bc#diff-02c0ef19d024b43162043efdd9ed95e0eef1653bcb5bef1e2f2b77587aee2622R101
(DxeMemoryProtectionHobLibConstructor), a copy of this same HOB is made
onto .data, while it should be RO-protected as well.

With both the HOB list and this sort of __ro_after_init protected, the
only remaining exploits would be to DMA over those pages (addressed by
IOMMU, not in this scope), to remap those pages (requires ring 0 access,
therefore irrelevant) or to toggle some sort of WP-like bit (CR0.WP,
other archs may have equivalents), which already bypasses most of the
memory protections and therefore isn't all that concerning to me.

-- 
Pedro

View/Reply Online (#106967): https://edk2.groups.io/g/devel/message/106967
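As an added illustration, not code from the patch set, from EDK2, or from any participant in this thread, the following user-space C program models the __ro_after_init idea discussed above: a settings structure is populated once during an init phase (the PEI analogue), its page is then sealed read-only with mprotect(), and a later write through the sealed copy faults instead of silently changing the configuration. The structure, its field names and the function names are constructed for this example; the firmware-level mechanism (remapping HOB memory in the page tables before DXE) is different in detail, and this program only shows the property such a remap must provide. It runs as-is on a Linux host.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical stand-in for memory-protection settings a firmware would
 * read from a HOB. Field names are constructed for this example. */
typedef struct {
    uint8_t  nx_for_data;       /* 1 = data pages are non-executable */
    uint8_t  null_page_guard;   /* 1 = page 0 is left unmapped */
    uint32_t stack_guard_pages; /* number of guard pages below each stack */
} MemProtectSettings;

/* The "__ro_after_init" copy: a page-aligned buffer we can seal exactly. */
static MemProtectSettings *g_settings = NULL;
static size_t g_page = 0;

/* Fault-recovery state so a write to the sealed page can be observed. */
static sigjmp_buf g_jmp;
static volatile sig_atomic_t g_faulted = 0;

static void on_segv(int sig) {
    (void)sig;
    g_faulted = 1;
    siglongjmp(g_jmp, 1);
}

/* Init phase: allocate a page, copy the settings in from the source
 * (the HOB analogue), then seal the page read-only. Returns 0 on success. */
int settings_init_and_seal(const MemProtectSettings *src) {
    g_page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = NULL;
    if (posix_memalign(&p, g_page, g_page) != 0) return -1;
    memset(p, 0, g_page);
    memcpy(p, src, sizeof *src);
    g_settings = (MemProtectSettings *)p;
    /* From here on the settings page can only be read. */
    if (mprotect(p, g_page, PROT_READ) != 0) return -1;
    return 0;
}

/* Try to flip a setting through the sealed copy. Returns 1 if the write
 * faulted (the seal held) and 0 if it silently succeeded (no protection). */
int settings_write_faults(void) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;   /* allow siglongjmp out of the handler */
    sigaction(SIGSEGV, &sa, &old);

    g_faulted = 0;
    if (sigsetjmp(g_jmp, 1) == 0) {
        g_settings->nx_for_data = 0;   /* tamper attempt: disable NX */
    }
    sigaction(SIGSEGV, &old, NULL);
    return g_faulted;
}

/* Reads keep working after the seal. */
uint8_t settings_nx_for_data(void) { return g_settings->nx_for_data; }

int main(void) {
    MemProtectSettings src = { 1, 1, 2 };   /* constructed sample values */
    if (settings_init_and_seal(&src) != 0) { perror("seal"); return 1; }
    printf("nx_for_data before tamper attempt: %u\n", settings_nx_for_data());
    printf("write faulted: %d\n", settings_write_faults());
    printf("nx_for_data after tamper attempt:  %u\n", settings_nx_for_data());
    return 0;
}
```

The point of the check is the second read: with the page sealed, the tamper attempt faults and nx_for_data is still 1 afterwards; without the mprotect() call the write would succeed and the mitigation setting would be gone, which is exactly the exposure of an unprotected HOB copy in .data.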