From: "Ard Biesheuvel"
Date: Tue, 3 Jan 2023 10:59:55 +0100
Subject: Re: [edk2-devel] [PATCH v3 03/16] ArmVirtPkg: make EFI_LOADER_DATA non-executable
To: dann frazier
Cc: devel@edk2.groups.io, kraxel@redhat.com, Leif Lindholm, Alexander Graf
References: <20220926082511.2110797-1-ardb@kernel.org> <20220926082511.2110797-4-ardb@kernel.org> <20221128154610.wik3f65bhbfrdpva@sirius.home.kraxel.org>

On Thu, 29 Dec 2022 at 19:00, dann frazier wrote:
>
> On Mon, Nov 28, 2022 at 04:46:10PM +0100, Gerd Hoffmann wrote:
> > On Mon, Sep 26, 2022 at 10:24:58AM +0200, Ard Biesheuvel wrote:
> > > When the memory protections were implemented and enabled on ArmVirtQemu
> > > 5+ years ago, we had to work around the fact that GRUB at the time
> > > expected EFI_LOADER_DATA to be executable, as that is the memory type it
> > > allocates when loading its modules.
> > >
> > > This has been fixed in GRUB in August 2017, so by now, we should be able
> > > to tighten this, and remove execute permissions from EFI_LOADER_DATA
> > > allocations.
> >
> > Data point: https://bugzilla.redhat.com/show_bug.cgi?id=2149020
> > tl;dr: fedora 37 grub.efi is still broken.
>
> This is also the case with existing Ubuntu releases, as well as
> AlmaLinux 9.1 and RHEL 8.7[*]. While it does appear to be fixed for
> the upcoming Ubuntu 23.04 (presumably via [**]), I plan to revert this
> patch in Debian/Ubuntu until it is more ubiquitous. Do you want to do
> the same upstream? I'm not sure at what point it would make sense to
> reintroduce it, given we can't force users to upgrade their bootloaders.
>

Thanks for the report.

You can override PCDs on the build command line, so I suggest you use
that for building these images as long as it is needed.

E.g., append this to the build.sh command line

--pcd PcdDxeNxMemoryProtectionPolicy=0xC000000000007FD1

to undo the effects of this patch.

I do not intend to revert this patch - the trend under EFI is towards
much stricter memory permissions, also on the MS side, and this is
especially important under CC scenarios. And if 5+ years is not
sufficient for out-of-tree GRUB to catch up, what is the point of
waiting for it?

Thanks,
Ard.
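
The override value quoted in the message above is a bitmask, so a build command line can be audited for which memory types it leaves executable. The following is an added example, not part of the original message or of edk2: it assumes the bit layout documented for this PCD in edk2's MdeModulePkg.dec (bit N covers EFI memory type N, bits 62 and 63 cover the OEM and OS reserved ranges); the function names and the sample command line are constructed for illustration.

```python
import shlex

# Bit N of PcdDxeNxMemoryProtectionPolicy covers EFI_MEMORY_TYPE N
# (assumed layout, as documented in edk2's MdeModulePkg.dec).
MEMORY_TYPES = [
    "EfiReservedMemoryType", "EfiLoaderCode", "EfiLoaderData",
    "EfiBootServicesCode", "EfiBootServicesData", "EfiRuntimeServicesCode",
    "EfiRuntimeServicesData", "EfiConventionalMemory", "EfiUnusableMemory",
    "EfiACPIReclaimMemory", "EfiACPIMemoryNVS", "EfiMemoryMappedIO",
    "EfiMemoryMappedIOPortSpace", "EfiPalCode", "EfiPersistentMemory",
]
HIGH_BITS = {62: "OEM Reserved", 63: "OS Reserved"}
PCD = "PcdDxeNxMemoryProtectionPolicy"
# Types that hold firmware or loader code by design; the rest should be NX.
CODE_TYPES = {"EfiLoaderCode", "EfiBootServicesCode", "EfiRuntimeServicesCode"}


def nx_types(policy):
    """Return the set of memory type names the policy maps non-executable."""
    names = {n for bit, n in enumerate(MEMORY_TYPES) if (policy >> bit) & 1}
    return names | {n for bit, n in HIGH_BITS.items() if (policy >> bit) & 1}


def policy_from_cmdline(cmdline):
    """Return the first '--pcd' override of the NX policy PCD, or None."""
    args = shlex.split(cmdline)
    for i, arg in enumerate(args):
        value = None
        if arg == "--pcd" and i + 1 < len(args):
            value = args[i + 1]
        elif arg.startswith("--pcd="):
            value = arg[len("--pcd="):]
        if value:
            name, _, val = value.partition("=")
            # Accept both 'Pcd...' and 'TokenSpaceGuid.Pcd...' spellings.
            if name.split(".")[-1] == PCD and val:
                return int(val, 0)
    return None


def executable_data_types(policy):
    """Data-holding memory types that the policy leaves executable."""
    return sorted(set(MEMORY_TYPES) - CODE_TYPES - nx_types(policy))


if __name__ == "__main__":
    # Constructed sample: the override quoted in the message above.
    cmd = "build.sh --pcd PcdDxeNxMemoryProtectionPolicy=0xC000000000007FD1"
    print(executable_data_types(policy_from_cmdline(cmd)))
```

Run against the override from the message, the check reports EfiLoaderData as the only data type left executable, which matches the stated purpose of undoing the patch.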