From: "Ard Biesheuvel" <ardb@kernel.org>
To: Oliver Smith-Denny <osde@linux.microsoft.com>
Cc: devel@edk2.groups.io, Ray Ni <ray.ni@intel.com>,
Jiewen Yao <jiewen.yao@intel.com>,
Gerd Hoffmann <kraxel@redhat.com>,
Taylor Beebe <t@taylorbeebe.com>,
Oliver Smith-Denny <osd@smith-denny.com>,
Dandan Bi <dandan.bi@intel.com>,
Liming Gao <gaoliming@byosoft.com.cn>,
"Kinney, Michael D" <michael.d.kinney@intel.com>,
Leif Lindholm <quic_llindhol@quicinc.com>,
Sunil V L <sunilvl@ventanamicro.com>,
Andrei Warkentin <andrei.warkentin@intel.com>
Subject: Re: [edk2-devel] [RFC PATCH 07/10] MdeModulePkg/PeiCore: Apply restricted permissions in image loader
Date: Thu, 25 May 2023 23:29:46 +0200 [thread overview]
Message-ID: <CAMj1kXHiFkwowN7U6sXks-e-=Qhcz1T4WbBi7mY_swhDuxjSXg@mail.gmail.com> (raw)
In-Reply-To: <dbe7a641-783a-012b-82d2-2a71b10b53f7@linux.microsoft.com>
On Thu, 25 May 2023 at 19:21, Oliver Smith-Denny
<osde@linux.microsoft.com> wrote:
>
> On 5/25/2023 7:30 AM, Ard Biesheuvel wrote:
> > Add a notification callback to the PEI core to grab a reference to the
> > memory attributes PPI as soon as it is registered, and use it in the
> > image loader to set restricted memory permissions after loading the
> > image if the image was loaded into memory.
> >
> > There are two use cases for this:
> > - when the DXE IPL loads the DXE core using the PEI image services, its
> > mappings will be set according to the PE section permission attributes
> > if the image was built with 4k section alignment; this means DXE core
> > will never run with mappings that are both writable and executable.
> > - when PEIMs are shadowed to memory, they will not only be mapped
> > read-only, but any non-exec permissions will also be removed. (Note
> > that this requires the component that installs PEI permanent memory to
> > depex on the memory attributes PPI, to ensure that it is available to
> > manage permissions on permanent memory before it is used to load
> > images)
> >
> > With this logic in place *, there is no longer a need for system memory
> > to be mapped with both write and execute permissions out of reset.
> > Instead, all memory can be mapped with non-executable permissions by
> > default, which means that the stack and other allocations used in PEI or
> > early in DXE will no longer need to be mapped non-exec explicitly.
> >
> > * the DXE core will also need its own method for clearing non-exec
> > permissions on memory ranges, but this is being addressed in a
> > separate series.
> >
> > Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
> > ---
> > MdeModulePkg/Core/Pei/Image/Image.c | 160 ++++++++++++++++++++
> > MdeModulePkg/Core/Pei/PeiMain.h | 6 +
> > MdeModulePkg/Core/Pei/PeiMain.inf | 1 +
> > 3 files changed, 167 insertions(+)
> >
> > diff --git a/MdeModulePkg/Core/Pei/Image/Image.c b/MdeModulePkg/Core/Pei/Image/Image.c
> > index cee9f09c6ea61e31..3a7de45014b8f772 100644
> > --- a/MdeModulePkg/Core/Pei/Image/Image.c
> > +++ b/MdeModulePkg/Core/Pei/Image/Image.c
> > @@ -18,6 +18,50 @@ EFI_PEI_PPI_DESCRIPTOR gPpiLoadFilePpiList = {
> > &mPeiLoadImagePpi
> >
> > };
> >
> >
> >
> > +/**
> >
> > + Provide a callback for when the memory attributes PPI is installed.
> >
> > +
> >
> > + @param PeiServices An indirect pointer to the EFI_PEI_SERVICES table
> >
> > + published by the PEI Foundation.
> >
> > + @param NotifyDescriptor The descriptor for the notification event.
> >
> > + @param Ppi Pointer to the PPI in question.
> >
> > +
> >
> > + @return Always success
> >
> > +
> >
> > +**/
> >
> > +STATIC
> >
> > +EFI_STATUS
> >
> > +EFIAPI
> >
> > +MemoryAttributePpiNotifyCallback (
> >
> > + IN EFI_PEI_SERVICES **PeiServices,
> >
> > + IN EFI_PEI_NOTIFY_DESCRIPTOR *NotifyDescriptor,
> >
> > + IN VOID *Ppi
> >
> > + )
> >
> > +{
> >
> > + PEI_CORE_INSTANCE *PrivateData;
> >
> > +
> >
> > + //
> >
> > + // Get PEI Core private data
> >
> > + //
> >
> > + PrivateData = PEI_CORE_INSTANCE_FROM_PS_THIS (PeiServices);
> >
> > +
> >
> > + //
> >
> > + // If there isn't a memory attribute PPI installed, use the one from
> >
> > + // notification
> >
> > + //
> >
> > + if (PrivateData->MemoryAttributePpi == NULL) {
> >
> > + PrivateData->MemoryAttributePpi = (EDKII_MEMORY_ATTRIBUTE_PPI *)Ppi;
> >
> > + }
> >
> > +
> >
> > + return EFI_SUCCESS;
> >
> > +}
> >
> > +
> >
> > +STATIC CONST EFI_PEI_NOTIFY_DESCRIPTOR mNotifyList = {
> >
> > + EFI_PEI_PPI_DESCRIPTOR_NOTIFY_DISPATCH | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST,
> >
> > + &gEdkiiMemoryAttributePpiGuid,
> >
> > + MemoryAttributePpiNotifyCallback
> >
> > +};
> >
> > +
> >
> > /**
> >
> >
> >
> > Support routine for the PE/COFF Loader that reads a buffer from a PE/COFF file.
> >
> > @@ -243,6 +287,106 @@ GetPeCoffImageFixLoadingAssignedAddress (
> > return Status;
> >
> > }
> >
> >
> >
> > +/**
> >
> > + Remap the memory region covering a loaded image so it can be executed.
> >
> > +
> >
> > + @param ImageContext Pointer to the image context structure that describes the
> >
> > + PE/COFF image that needs to be examined by this function.
> >
> > + @param FileType The FFS file type of the image
> >
> > + @param ImageAddress The start of the memory region covering the image
> >
> > + @param ImageSize The size of the memory region covering the image
> >
> > +
> >
> > + @retval EFI_SUCCESS The image is ready to be executed
> >
> > + @retval EFI_OUT_OF_RESOURCES Not enough memory available to update the memory
> >
> > + mapping
> >
> > +
> >
> > +**/
> >
> > +STATIC
> >
> > +EFI_STATUS
> >
> > +RemapLoadedImageForExecution (
> >
> > + IN CONST PE_COFF_LOADER_IMAGE_CONTEXT *ImageContext,
> >
> > + IN EFI_FV_FILETYPE FileType,
> >
> > + IN PHYSICAL_ADDRESS ImageAddress,
> >
> > + IN UINT64 ImageSize
> >
> > + )
> >
> > +{
> >
> > + PEI_CORE_INSTANCE *Private;
> >
> > + EFI_IMAGE_OPTIONAL_HEADER_PTR_UNION Hdr;
> >
> > + EFI_IMAGE_SECTION_HEADER *Section;
> >
> > + PHYSICAL_ADDRESS SectionAddress;
> >
> > + EFI_STATUS Status;
> >
> > + UINT64 Permissions;
> >
> > + UINTN Index;
> >
> > +
> >
> > + Private = PEI_CORE_INSTANCE_FROM_PS_THIS (GetPeiServicesTablePointer ());
> >
> > +
> >
> > + if (Private->MemoryAttributePpi == NULL) {
> >
> > + return EFI_SUCCESS;
>
> We will have a gap here before the MemoryAttributePpi is installed,
> obviously, when CpuPei is installed. Is the expectation that only
> dependencies for CpuPei will be launched before and everything else
> will have a dependency on CpuPei?
>
> Or, is it that shadowed PEIMs won't happen before CpuPei? I am curious
> how big or small of a gap this really is.
>
There are two different cases to consider here:
- First, there is the DxeIpl, which will rely on the PPI (via the
image loader and directly) to map the DXE core and the NX stack. The
DxeIpl will not proceed with that until all PEIMs are dispatched, so
if the PPI is going to be exposed, it will be available by that time.
- Then there are the shadowed PEIMs, and given that shadowed PEIMs
implicitly depend on PEI permanent memory having been installed, the
only requirement here is that, if the platform needs/wants this for
shadowed PEIMs as well, the PEIM that installs the PEI permanent
memory should depex on the PPI.
> >
> > + }
> >
> > +
> >
> > + //
> >
> > + // PEI phase executables must be able to execute in place from read-only NOR
> >
> > + // flash, and so they can be mapped read-only in their entirety.
> >
> > + //
> >
> > + if ((FileType == EFI_FV_FILETYPE_PEI_CORE) ||
> >
> > + (FileType == EFI_FV_FILETYPE_PEIM) ||
> >
> > + (FileType == EFI_FV_FILETYPE_COMBINED_PEIM_DRIVER))
> >
> > + {
>
> We are calling this from PEI Core, will we have more images of type
> PEI Core? I understand if this is for completeness, but just making
> sure I understand the flow.
>
PEI core itself may be shadowed as well, and will be mapped read-only
as well if it is included here.
--
Ard.
next prev parent reply other threads:[~2023-05-25 21:30 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-25 14:30 [RFC PATCH 00/10] Add PPI to manage PEI phase memory attributes Ard Biesheuvel
2023-05-25 14:30 ` [RFC PATCH 01/10] ArmPkg/ArmMmuLib: Extend API to manage memory permissions better Ard Biesheuvel
2023-05-25 14:30 ` [RFC PATCH 02/10] ArmPkg/CpuDxe: Simplify memory attributes protocol implementation Ard Biesheuvel
2023-05-25 14:30 ` [RFC PATCH 03/10] ArmPkg/CpuPei: Drop bogus DEPEX on PEI permanent memory Ard Biesheuvel
2023-05-25 14:30 ` [RFC PATCH 04/10] OvmfPkg/RiscVVirt: Remove unimplemented NxForStack configuration Ard Biesheuvel
2023-05-29 12:50 ` Sunil V L
2023-05-25 14:30 ` [RFC PATCH 05/10] MdeModulePkg: Define memory attribute PPI Ard Biesheuvel
2023-05-30 7:15 ` Ni, Ray
2023-05-30 7:32 ` Ard Biesheuvel
2023-05-31 7:33 ` Ni, Ray
2023-05-31 7:53 ` Ard Biesheuvel
2023-05-31 8:56 ` [edk2-devel] " Ni, Ray
2023-05-31 9:24 ` Ard Biesheuvel
2023-05-25 14:30 ` [RFC PATCH 06/10] ArmPkg/CpuPei: Implement the memory attributes PPI Ard Biesheuvel
2023-05-25 14:30 ` [RFC PATCH 07/10] MdeModulePkg/PeiCore: Apply restricted permissions in image loader Ard Biesheuvel
2023-05-25 17:21 ` [edk2-devel] " Oliver Smith-Denny
2023-05-25 21:29 ` Ard Biesheuvel [this message]
2023-05-30 16:51 ` Oliver Smith-Denny
2023-05-30 20:51 ` Ard Biesheuvel
2023-05-25 14:30 ` [RFC PATCH 08/10] MdeModulePkg/DxeIpl: Merge EBC, RISCV64 and LOONGARCH code Ard Biesheuvel
2023-05-25 14:30 ` [RFC PATCH 09/10] MdeModulePkg/DxeIpl: Use memory attribute PPI to remap the stack NX Ard Biesheuvel
2023-05-30 7:19 ` Ni, Ray
2023-05-30 10:25 ` duntan
2023-05-30 12:51 ` Ard Biesheuvel
2023-05-31 7:22 ` Gerd Hoffmann
2023-05-31 1:29 ` Ni, Ray
2023-05-31 19:03 ` [edk2-devel] " Lendacky, Thomas
2023-05-31 21:01 ` Ard Biesheuvel
2023-05-25 14:30 ` [RFC PATCH 10/10] MdeModulePkg/DxeIpl ARM AARCH64: Switch to generic handoff code Ard Biesheuvel
2023-05-25 17:20 ` [edk2-devel] [RFC PATCH 00/10] Add PPI to manage PEI phase memory attributes Oliver Smith-Denny
2023-05-25 21:43 ` Ard Biesheuvel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAMj1kXHiFkwowN7U6sXks-e-=Qhcz1T4WbBi7mY_swhDuxjSXg@mail.gmail.com' \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox