From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ard Biesheuvel
Date: Tue, 21 Feb 2017 08:36:15 +0000
In-Reply-To: <1487660229-4820-1-git-send-email-jiewen.yao@intel.com>
References: <1487660229-4820-1-git-send-email-jiewen.yao@intel.com>
To: Jiewen Yao, Leif Lindholm
Cc: edk2-devel@lists.01.org, Jeff Fan, Michael Kinney, Star Zeng, Feng Tian
Subject: Re: [PATCH V4 0/3] DXE Memory Protection
List-Id: EDK II Development
Content-Type: text/plain; charset=UTF-8

On 21 February 2017 at 06:57, Jiewen Yao wrote:
> ==== V4 ====
> 1) Remove ARM patch. (Which was already submitted by Ard Biesheuvel in another series)
> 2) Unprotect RT image at ExitBootServices (feedback from Ard Biesheuvel)
> 3) Round up the ImageSize on protection (feedback from Ard Biesheuvel)
>

Hello Jiewen,

This works fine now on AARCH64.

Tested-by: Ard Biesheuvel

Could you please wait a little bit before merging this? Leif and I need
to get the AARCH64 preparatory patches merged first, but I am hoping to
do that today.

Thanks,
Ard.

> ==== V3 ====
> 1) Add PCD for policy control (feedback from Ard Biesheuvel)
>    (Discussed with Mike Kinney)
> + # BIT0 - Image from unknown device.
> + # BIT1 - Image from firmware volume.
> + # @Prompt Set image protection policy.
> + # @ValidRange 0x80000002 | 0x00000000 - 0x0000001F
> + gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x00000002|UINT32|0x00001047
>
> 2) Remove unused function in CpuDxe. (feedback from Liming Gao)
> 3) Add commit log on link option assumption (feedback from Feng Tian)
> 4) Rename file PageTableLib.h/.c to CpuPageTable.h/.c file (from Jeff Fan)
> 5) Remove multi-entrypoint usage (from Liming Gao/Mike Kinney)
>
> ==== V2 ====
> 1) Clean up ArmPkg. (feedback from Leif Lindholm)
>
> ==== V1 ====
> This patch series provides the capability to protect PE/COFF images
> in DXE memory.
> If the UEFI image is page aligned, the image code section is set to read
> only and the image data section is set to non-executable.
>
> The DxeCore calls CpuArchProtocol->SetMemoryAttributes() to protect
> the image.
>
> Tested platform: NT32/Quark IA32/OVMF IA32/OVMF IA32X64/Intel internal X64/
> Tested OS: UEFI Win10, UEFI Ubuntu 16.04.
>
> Untested platform: ARM/AARCH64.
> Can the ARM/AARCH64 owners help to take a look and try the ARM platform?
>
>
> Cc: Jeff Fan
> Cc: Michael Kinney
> Cc: Leif Lindholm
> Cc: Ard Biesheuvel
> Cc: Star Zeng
> Cc: Feng Tian
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Jiewen Yao
>
>
> Jiewen Yao (3):
>   UefiCpuPkg/CpuDxe: Add memory attribute setting.
>   MdeModulePkg/dec: add PcdImageProtectionPolicy.
>   MdeModulePkg/DxeCore: Add UEFI image protection.
>
>  MdeModulePkg/Core/Dxe/DxeMain.h               |  61 ++
>  MdeModulePkg/Core/Dxe/DxeMain.inf             |   5 +-
>  MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c       |   5 +-
>  MdeModulePkg/Core/Dxe/Image/Image.c           |   7 +-
>  MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c | 769 +++++++++++++++++++
>  MdeModulePkg/Core/Dxe/Misc/PropertiesTable.c  |  24 +-
>  MdeModulePkg/MdeModulePkg.dec                 |  10 +
>  UefiCpuPkg/CpuDxe/CpuDxe.c                    | 141 ++--
>  UefiCpuPkg/CpuDxe/CpuDxe.inf                  |   5 +-
>  UefiCpuPkg/CpuDxe/CpuPageTable.c              | 779 ++++++++++++++++++++
>  UefiCpuPkg/CpuDxe/CpuPageTable.h              | 113 +++
>  11 files changed, 1832 insertions(+), 87 deletions(-)
>  create mode 100644 MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c
>  create mode 100644 UefiCpuPkg/CpuDxe/CpuPageTable.c
>  create mode 100644 UefiCpuPkg/CpuDxe/CpuPageTable.h
>
> --
> 2.7.4.windows.1
>
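Review bot: the @ValidRange on the quoted PcdImageProtectionPolicy declaration admits 0x00000000 - 0x0000001F, that is five policy bits, while the comment above it only describes BIT0 (image from unknown device) and BIT1 (image from firmware volume); either document what BIT2-BIT4 mean or narrow the range to 0x00000000 - 0x00000003 so values with undefined bits are excluded. It is also worth saying in the @Prompt text or the commit message that the default of 0x00000002 protects firmware-volume images only, so a driver loaded from disk or an option ROM gets no protection unless the platform also sets BIT0.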
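The rule stated in the V1 description above (code sections read-only, data sections non-executable, applied only when the image is page aligned, with sizes rounded up to whole pages as in V4 item 3) and the PcdImageProtectionPolicy bits, worked through as an added example. This is not code from the series or from EDK II: it walks the section table of a PE/COFF image in plain C and produces the attribute requests a DXE core would hand to EFI_CPU_ARCH_PROTOCOL.SetMemoryAttributes(). The region struct, the function names, the sample image (constructed inline, headers only) and the choice to mark the header pages RO+XP are this example's own; PE/COFF offsets and the EFI_MEMORY_RO / EFI_MEMORY_XP values follow the PE/COFF and UEFI specifications.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE        0x1000u
#define PE_SIGNATURE     0x00004550u           /* "PE\0\0" */
#define SCN_CNT_CODE     0x00000020u           /* IMAGE_SCN_CNT_CODE */
#define SCN_MEM_EXECUTE  0x20000000u           /* IMAGE_SCN_MEM_EXECUTE */
#define SCN_MEM_WRITE    0x80000000u           /* IMAGE_SCN_MEM_WRITE */
#define EFI_MEMORY_XP    0x0000000000004000ull /* UEFI spec: no execute */
#define EFI_MEMORY_RO    0x0000000000020000ull /* UEFI spec: read only */
#define POLICY_UNKNOWN_DEVICE  (1u << 0)       /* PcdImageProtectionPolicy BIT0 */
#define POLICY_FIRMWARE_VOLUME (1u << 1)       /* PcdImageProtectionPolicy BIT1 */

struct region { uint64_t base, size, attrs; };   /* example's own type */

static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static uint64_t round_up(uint64_t v, uint64_t a) { return (v + a - 1) & ~(a - 1); }

/* Does the PCD value ask for protection of an image from this origin? */
int policy_protects(uint32_t pcd, int loaded_from_fv)
{
    return (pcd & (loaded_from_fv ? POLICY_FIRMWARE_VOLUME : POLICY_UNKNOWN_DEVICE)) != 0;
}

/*
 * Walk the PE/COFF headers of an image loaded at load_base and emit one
 * region per section: code sections get EFI_MEMORY_RO, everything else
 * EFI_MEMORY_XP, each rounded up to whole pages. Returns the region count,
 * 0 when SectionAlignment is not page aligned (nothing can be protected),
 * -1 on malformed headers.
 */
int plan_image_protection(const uint8_t *img, size_t len, uint64_t load_base,
                          struct region *out, size_t max_out)
{
    if (len < 0x40 || rd16(img) != 0x5a4d) return -1;                 /* "MZ" */
    uint32_t pe = rd32(img + 0x3c);
    if ((size_t)pe + 24 > len || rd32(img + pe) != PE_SIGNATURE) return -1;
    const uint8_t *coff = img + pe + 4;
    uint16_t nsec = rd16(coff + 2), optsz = rd16(coff + 16);
    const uint8_t *opt = coff + 20, *sh = opt + optsz;
    if (optsz < 64 || (size_t)(sh - img) + (size_t)nsec * 40 > len) return -1;
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b) return -1;                  /* PE32 / PE32+ */
    uint32_t sect_align = rd32(opt + 32), hdr_size = rd32(opt + 60);
    if (sect_align == 0 || (sect_align & (PAGE_SIZE - 1)) != 0) return 0;

    size_t n = 0;
    if (n >= max_out) return -1;
    out[n++] = (struct region){ load_base, round_up(hdr_size, PAGE_SIZE),
                                EFI_MEMORY_RO | EFI_MEMORY_XP };      /* headers */
    for (uint16_t i = 0; i < nsec; i++, sh += 40) {
        uint32_t vsize = rd32(sh + 8), vaddr = rd32(sh + 12), ch = rd32(sh + 36);
        int is_code = (ch & (SCN_CNT_CODE | SCN_MEM_EXECUTE)) != 0;
        if (n >= max_out) return -1;
        out[n++] = (struct region){ load_base + vaddr, round_up(vsize, PAGE_SIZE),
                                    is_code ? EFI_MEMORY_RO : EFI_MEMORY_XP };
    }
    return (int)n;
}

/* Constructed sample: a two-section (.text, .data) PE32+ image, headers only. */
size_t build_sample_image(uint8_t *buf, size_t cap, uint32_t sect_align)
{
    const uint32_t pe_off = 0x80, optsz = 240;
    size_t need = pe_off + 4 + 20 + optsz + 2 * 40;
    if (cap < need) return 0;
    memset(buf, 0, need);
    wr16(buf, 0x5a4d);  wr32(buf + 0x3c, pe_off);  wr32(buf + pe_off, PE_SIGNATURE);
    uint8_t *coff = buf + pe_off + 4, *opt = coff + 20, *sh = opt + optsz;
    wr16(coff + 2, 2);  wr16(coff + 16, (uint16_t)optsz);
    wr16(opt, 0x20b);  wr32(opt + 32, sect_align);  wr32(opt + 60, 0x200);
    memcpy(sh, ".text", 5);  wr32(sh + 8, 0x0e80);  wr32(sh + 12, sect_align);
    wr32(sh + 36, SCN_CNT_CODE | SCN_MEM_EXECUTE | 0x40000000u);      /* code, R X */
    memcpy(sh + 40, ".data", 5);  wr32(sh + 48, 0x80);  wr32(sh + 52, 2 * sect_align);
    wr32(sh + 76, 0x40u | 0x40000000u | SCN_MEM_WRITE);               /* data, R W */
    return need;
}

static struct region g_plan[8];
/* Build the sample with the given SectionAlignment and plan its protection. */
int plan_sample(uint32_t sect_align)
{
    static uint8_t img[0x200];
    size_t len = build_sample_image(img, sizeof img, sect_align);
    return len ? plan_image_protection(img, len, 0x80000000ull, g_plan, 8) : -1;
}
const struct region *plan_region(int i) { return &g_plan[i]; }

int main(void)
{
    int n = plan_sample(0x1000);
    for (int i = 0; i < n; i++)
        printf("%#llx +%#llx attrs=%#llx\n", (unsigned long long)g_plan[i].base,
               (unsigned long long)g_plan[i].size, (unsigned long long)g_plan[i].attrs);
    printf("SectionAlignment 0x20 -> %d regions (left unprotected)\n", plan_sample(0x20));
    return 0;
}
```

With the page-aligned sample the planner yields three regions (headers RO+XP, .text RO, .data XP, the 0x80-byte .data section rounded up to a full page); rebuilt with SectionAlignment 0x20 it returns 0, mirroring the cover letter's precondition that only page-aligned images are protected. The policy helper shows why the default PCD value of 0x00000002 protects firmware-volume images but not images from an unknown device.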