From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by spool.mail.gandi.net (Postfix) with ESMTPS id 3CD82941DC9 for ; Thu, 15 Feb 2024 17:22:02 +0000 (UTC) DKIM-Signature: a=rsa-sha256; bh=DoLiF8HrtO8xDTMMNM7/n6JXs/p4KCvT5TPSstY+EpA=; c=relaxed/simple; d=groups.io; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject:To:Cc:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Type; s=20140610; t=1708017720; v=1; b=M3Qv6M+0csQ0FmAx3iTL/1oI36m1JSIvGADM1d4qOKak8UFxH9C5awulwo979qCSdnuOsI+i FDd86mSWD4Soae34mr539mgmmqSO0XrrY5UVgjBPfZyX9rVtuoFwIcGB1D/fAiSNz85eO/bykQA EVFNxmLYc/GbNPDQ7vEYilIg= X-Received: by 127.0.0.2 with SMTP id gSfTYY7687511xt9EwCOIIPS; Thu, 15 Feb 2024 09:22:00 -0800 X-Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by mx.groups.io with SMTP id smtpd.web10.19853.1708017720049246241 for ; Thu, 15 Feb 2024 09:22:00 -0800 X-Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58]) by dfw.source.kernel.org (Postfix) with ESMTP id 620FC61DDC for ; Thu, 15 Feb 2024 17:21:59 +0000 (UTC) X-Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0EE42C43394 for ; Thu, 15 Feb 2024 17:21:59 +0000 (UTC) X-Received: by mail-lf1-f44.google.com with SMTP id 2adb3069b0e04-511ac701428so1300561e87.2 for ; Thu, 15 Feb 2024 09:21:58 -0800 (PST) X-Gm-Message-State: FsSvlf8M9iRMbmlonnrmY87cx7686176AA= X-Google-Smtp-Source: AGHT+IFHXHdEX2ZCb2QE2uueBgq5Q2bq8CqmiE74YqKU+eZQQfGk2v6vsptql3jHzTEy5+RdR/M2Ca9vQDeDzP2wPsg= X-Received: by 2002:a19:6404:0:b0:511:751d:429c with SMTP id y4-20020a196404000000b00511751d429cmr1863090lfb.8.1708017717243; Thu, 15 Feb 2024 09:21:57 -0800 (PST) MIME-Version: 1.0 References: <20240215003412.30983-1-osde@linux.microsoft.com> <7f65d4af-898e-437f-b31c-52156c6a696c@linux.microsoft.com> In-Reply-To: <7f65d4af-898e-437f-b31c-52156c6a696c@linux.microsoft.com> From: "Ard Biesheuvel" Date: Thu, 15 Feb 2024 18:21:45 +0100 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [edk2-devel][PATCH v1 1/1] MdeModulePkg: DxeCore: Don't Guard Large Runtime Granularity Allocations To: Oliver Smith-Denny Cc: devel@edk2.groups.io, Leif Lindholm , Sami Mujawar , Liming Gao Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,ardb@kernel.org List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: Content-Type: text/plain; charset="UTF-8" X-GND-Status: LEGIT Authentication-Results: spool.mail.gandi.net; dkim=pass header.d=groups.io header.s=20140610 header.b=M3Qv6M+0; dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=kernel.org (policy=none); spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io On Thu, 15 Feb 2024 at 18:08, Oliver Smith-Denny wrote: > > On 2/14/2024 11:50 PM, Ard Biesheuvel wrote> On Thu, 15 Feb 2024 at > 01:34, Oliver Smith-Denny > > wrote >> This could also be fixed with rearchitecting the heap guard system to > >> respect alignment requirements and shift the guard pages inside of the > >> outer rounded allocation or by having guard pages be the runtime > >> granularity. Both of these approaches have issues, in the former, the > >> allocator of runtime memory would get an address that was not aligned > >> with the runtime granularity (the head guard would be, but not the > >> usuable address), which seems fraught with peril. > > > > This would be my preference, and I wouldn't expect huge problems with > > code expecting a certain alignment for such allocations. The 64k > > requirement is entirely to ensure that the OS does not have to guess > > how it should map 64k pages that have conflicting memory attributes > > due to being covered by two different misaligned entries in the UEFI > > memory map. > > > > This is also why this is important for the MAT and runtime services > > code/data regions: without 64k alignment, there will be a piece in the > > middle of each runtime DXE that requires both write and execute > > permissions. > > > > > > I do have a PR up to fix the misalignment bug (I was doing a CI check on > it before sending the patch when I did some further testing to discover > the guard pages pushing out the allocation size). Would you prefer that > I update that to do the guard page allocation inside the 64k allocation? > > I can certainly do that, again my concern is that the code starts > getting more complex, with more room for errors. The heap guard code now > needs to know the actual size requested by the caller, not the rounded > size, so we can see, oh, the allocation requested is 64k, so I need > another 64k region to fit the guards into, unless we already have shared > guard pages, in which case we may not need to, or one guard may be > shared and the other isn't, etc. It is doable, but I worry about the > added complexity for only a small window of protection for these runtime > memory regions. We could also say no shared guard pages for runtime > regions if you don't have runtime allocation granularity equal to the > EFI_PAGE_SIZE. > > Based on our offline conversation, I thought you were ok with the simple > approach of disable the guards for these regions, the value of > protecting these regions at boot time is not worth the additional > complexity. But, I can update my PR to put the guards inside the > allocation and we can compare the relative complexity. > Of the two options you presented in this paragraph, I prefer the one where the allocation presented to the caller may not be aligned, but the region plus guards is. But disabling it entirely for these regions is still perfectly fine with me, especially if the remove ACPI reclaim memory from the set. Heap guard is a hardening feature, and if the implementation is too complex to reason about comfortably, I don't think we can confidently rely on it. And as far as the OS is concerned: with the MAT, the runtime DXEs are mapped in a way where the read-only regions are interleaved with the read-write regions, and the holes in between are not mapped at all (at least on Linux). IOW, there is some implicit guarding going on already. > >> diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec > >> index a2cd83345f5b..884734aff592 100644 > >> --- a/MdeModulePkg/MdeModulePkg.dec > >> +++ b/MdeModulePkg/MdeModulePkg.dec > >> @@ -1027,6 +1027,11 @@ [PcdsFixedAtBuild] > >> # free pages for all of them. The page allocation for the type related to > >> # cleared bits keeps the same as ususal. > >> # > >> + # The heap guard system only supports guarding EfiRuntimeServicesCode, EfiRuntimeServicesData, > >> + # EfiACPIReclaimMemory, and EfiACPIMemoryNVS memory types for systems that have > > > > I looked at the EFI spec again, and EfiACPIReclaimMemory is not > > actually listed as a memory type that has this 64k alignment > > requirement. This makes sense, given that this memory type has no > > significance to the firmware itself, only to the OS. OTOH, reserved > > memory does appear there. > > > > So I suggest we fix that first, and then drop any mention of > > EfiACPIReclaimMemory from this patch. At least we'll have heap guard > > coverage for ACPI table allocations on arm64 going forward. > > > > The logic in question was added in 2007 in commit 28a00297189c, so > > this was probably the rule on Itanium, but that support is long gone. > > > > Thanks for looking this up. I'll update either this patch or the unsent > patch I have depending on the direction we go. > Let's go with this approach. -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#115529): https://edk2.groups.io/g/devel/message/115529 Mute This Topic: https://groups.io/mt/104364784/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=-