From: Ard Biesheuvel
Date: Tue, 11 Sep 2018 10:57:48 +0200
To: Jian J Wang, Laszlo Ersek, Charles Garcia-Tobin, Leif Lindholm
Cc: "edk2-devel@lists.01.org"
Subject: Re: [PATCH 0/5] expire the use of PcdSetNxForStack
In-Reply-To: <20180911051636.4888-1-jian.j.wang@intel.com>

On 11 September 2018 at 07:16, Jian J Wang wrote:
> BZ#: https://bugzilla.tianocore.org/show_bug.cgi?id=1116
>
> Since the stack memory is allocated as EfiBootServicesData, its NX protection
> can be covered by BIT4 of PcdDxeNxMemoryProtectionPolicy. To avoid confusion
> in setting related PCDs, PcdSetNxForStack will be expired. Instead, if BIT4
> of PcdDxeNxMemoryProtectionPolicy is set, the DxeIpl will set NX bit in page
> table entries mapping the stack memory.
>

I disagree. This removes the possibility to map EfiBootServicesData as
executable while still mapping the stack NX. As we all know, an
executable stack is in a class of its own when it comes to
exploitability, and should *never* be mapped executable unless in
highly exceptional cases.

Mapping all EfiBootServicesData as non-executable may cause backward
compatibility problems. In particular, this makes it impossible for
AArch64 to populate the 1:1 mapping using 64k pages (which is necessary
for 52-bit address support) and still have a non-executable stack,
since PcdDxeNxMemoryProtectionPolicy is disabled in that scenario.

So please disregard these patches.

> Jian J Wang (5):
>   MdeModulePkg/DxeIplPeim: expire the use of PcdSetNxForStack
>   OvmfPkg/PlatformPei: expire the use of PcdSetNxForStack
>   OvmfPkg: expire the use of PcdSetNxForStack
>   ArmVirtPkg/ArmVirt.dsc.inc: expire the use of PcdSetNxForStack
>   MdeModulePkg: expire PcdSetNxForStack
>
>  ArmVirtPkg/ArmVirt.dsc.inc                       |  5 -----
>  MdeModulePkg/Core/DxeIplPeim/Arm/DxeLoadFunc.c   |  6 +++++-
>  MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf          |  2 +-
>  MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c  |  3 ++-
>  MdeModulePkg/Core/DxeIplPeim/X64/DxeLoadFunc.c   |  2 +-
>  MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c | 14 +++++++++++---
>  MdeModulePkg/MdeModulePkg.dec                    | 10 +---------
>  MdeModulePkg/MdeModulePkg.uni                    | 10 +---------
>  OvmfPkg/OvmfPkgIa32.dsc                          |  1 -
>  OvmfPkg/OvmfPkgIa32X64.dsc                       |  1 -
>  OvmfPkg/OvmfPkgX64.dsc                           |  1 -
>  OvmfPkg/PlatformPei/Platform.c                   |  1 -
>  OvmfPkg/PlatformPei/PlatformPei.inf              |  1 -
>  13 files changed, 22 insertions(+), 35 deletions(-)
>
> --
> 2.16.2.windows.1
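
Added example, not part of the original message or of the edk2 code base: a Python check over DSC text that flags a platform which has a non-executable stack today through PcdSetNxForStack but would lose it under the series because BIT4 of PcdDxeNxMemoryProtectionPolicy is clear. The DSC fragments are constructed, the function names are hypothetical, and treating an absent PCD as FALSE / 0 is an assumption.

```python
import re

# EfiBootServicesData is EFI_MEMORY_TYPE 4, hence BIT4 of the policy PCD.
BIT4 = 1 << 4
PCD_RE = re.compile(
    r"gEfiMdeModulePkgTokenSpaceGuid\."
    r"(PcdSetNxForStack|PcdDxeNxMemoryProtectionPolicy)\s*\|\s*(\w+)")

def read_pcds(dsc_text):
    """Last assignment wins; an absent PCD is treated as FALSE / 0 (assumption)."""
    pcds = {"PcdSetNxForStack": False, "PcdDxeNxMemoryProtectionPolicy": 0}
    for line in dsc_text.splitlines():
        m = PCD_RE.search(line.split("#", 1)[0])  # ignore DSC comments
        if not m:
            continue
        name, value = m.groups()
        if name == "PcdSetNxForStack":
            pcds[name] = value.upper() in ("TRUE", "1")
        else:
            pcds[name] = int(value, 0)  # accepts 0x... and decimal
    return pcds

def stack_nx_today(pcds):
    # Existing behaviour: the stack has its own dedicated switch.
    return pcds["PcdSetNxForStack"]

def stack_nx_after_series(pcds):
    # Behaviour described in the cover letter: stack NX follows BIT4.
    return bool(pcds["PcdDxeNxMemoryProtectionPolicy"] & BIT4)

def loses_stack_nx(dsc_text):
    """True when the stack is NX today but would become executable."""
    pcds = read_pcds(dsc_text)
    return stack_nx_today(pcds) and not stack_nx_after_series(pcds)

# Constructed fragment: stack NX on, NX policy disabled (the case in the reply).
STACK_ONLY_DSC = """
[PcdsFixedAtBuild.common]
  gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|TRUE
  gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0x0
"""
# Constructed fragment: policy also marks EfiBootServicesData as NX.
BOTH_DSC = """
[PcdsFixedAtBuild.common]
  gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|TRUE
  gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0x10
"""

if __name__ == "__main__":
    print(loses_stack_nx(STACK_ONLY_DSC), loses_stack_nx(BOTH_DSC))
```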