From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp-relay-internal-1.canonical.com (smtp-relay-internal-1.canonical.com [185.125.188.123]) by mx.groups.io with SMTP id smtpd.web11.1691.1672786074197205816 for ; Tue, 03 Jan 2023 14:47:54 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@canonical.com header.s=20210705 header.b=WwgZgvj0; spf=pass (domain: canonical.com, ip: 185.125.188.123, mailfrom: dann.frazier@canonical.com) Received: from mail-io1-f72.google.com (mail-io1-f72.google.com [209.85.166.72]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 23E6D418E6 for ; Tue, 3 Jan 2023 22:47:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1672786071; bh=BiYuaROSHvi1thSJdING8+XVZnWgDGPKldPkB4Go3JM=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:In-Reply-To; b=WwgZgvj02GjkeDnTBDxjcNCQ4LkquO6j8Ir/hV+nzc2c/neECx3BxQ/RtWvFkZjVb peS/ney26o9D4AVWc3KAoQB5Cyz5qKLmjmVnYIRy8gBD7O+Hdm81d8In4JYtst1vyg J3H5gFwVX5ns0V/R4+l9TxbZoxn/g8mAyBkNiJJwnnaVBWoCjiN7x+qK1iGAsrxFKy zQBRu89PZ+aYmt2OT9loUzdo1Zg5gww9ZVkMiW+/G7lFi35VLXyoqfkhNaE8fS0M8R oE5DHkncJEn+YLwoioB7LbcruJICsEBYcoxsTwz222TZqyoAmV9P10+589cJ1QGrgr FRIQj+qVPRxZQ== Received: by mail-io1-f72.google.com with SMTP id o16-20020a056602225000b006e032e361ccso8998341ioo.13 for ; Tue, 03 Jan 2023 14:47:51 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=BiYuaROSHvi1thSJdING8+XVZnWgDGPKldPkB4Go3JM=; b=VGArBrjOUz2CLf/InUcPkl9gQF8wZTlpgl0DljmAU+Ud4vVsjMioFsABkXXZYz6+XJ gWnXS1mlGEQeTa/2fdCSNPSHPDkIC7OqqFwTzBp0ltJD+ZGn86Acr96schMH5adYfNbO 551UJu6hhGUU2rL8xnMMIeygdyyGlJEDuPh+N6kKvbv6g+a5f0n2t+MpWvTWp57z6HMR tNMgfikBPSOImwJNKfAQhTNY/5SfgNTvV4S6YVoiJ9iUPVzUmZ8Asreuq0zEMriMBSqV UJ0oVtw9kguHnTPyFQ2t/Ji1zNcRKqkgvwpgkiGi5adidDJ6eRDDjAphXhHQaEVdX3RZ d7xw== X-Gm-Message-State: AFqh2kqzEwBs9tRGCwV23F2/MC7yC0P8Z5Lmudrrsc8LxDwnCDKFzJXK Wq98Tx7e1Y5DngbPrMpJXrIMObeOaG16COFCnHXVrck/i284vfIF8IVsKTjDi1wa6cCVIUM5iSp HsiobK+QPE/Hwyy+K8xMF1eQBAXlSupE= X-Received: by 2002:a5e:d911:0:b0:6dc:5e15:c6e4 with SMTP id n17-20020a5ed911000000b006dc5e15c6e4mr29799096iop.11.1672786069618; Tue, 03 Jan 2023 14:47:49 -0800 (PST) X-Google-Smtp-Source: AMrXdXski+Wnpv82RcMaTxGd2G5xnCrh3okX7GhFRvl+m4usszMQlt+bFoY1sHCnHH1/CbTe9nL7+g== X-Received: by 2002:a5e:d911:0:b0:6dc:5e15:c6e4 with SMTP id n17-20020a5ed911000000b006dc5e15c6e4mr29799078iop.11.1672786069307; Tue, 03 Jan 2023 14:47:49 -0800 (PST) Received: from xps13.dannf ([38.15.56.166]) by smtp.gmail.com with ESMTPSA id v1-20020a056602058100b006bb57cfcb88sm11946791iox.44.2023.01.03.14.47.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 Jan 2023 14:47:48 -0800 (PST) Date: Tue, 3 Jan 2023 15:47:47 -0700 From: "dann frazier" To: Alexander Graf Cc: Ard Biesheuvel , devel@edk2.groups.io, kraxel@redhat.com, Leif Lindholm Subject: Re: [edk2-devel] [PATCH v3 03/16] ArmVirtPkg: make EFI_LOADER_DATA non-executable Message-ID: References: <20220926082511.2110797-1-ardb@kernel.org> <20220926082511.2110797-4-ardb@kernel.org> <20221128154610.wik3f65bhbfrdpva@sirius.home.kraxel.org> <7bba7344-fc37-abde-a792-5ae40621c70f@csgraf.de> MIME-Version: 1.0 In-Reply-To: <7bba7344-fc37-abde-a792-5ae40621c70f@csgraf.de> Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Tue, Jan 03, 2023 at 08:39:24PM +0100, Alexander Graf wrote: > Hey Ard, > > On 03.01.23 10:59, Ard Biesheuvel wrote: > > On Thu, 29 Dec 2022 at 19:00, dann frazier wrote: > > > On Mon, Nov 28, 2022 at 04:46:10PM +0100, Gerd Hoffmann wrote: > > > > On Mon, Sep 26, 2022 at 10:24:58AM +0200, Ard Biesheuvel wrote: > > > > > When the memory protections were implemented and enabled on ArmVirtQemu > > > > > 5+ years ago, we had to work around the fact that GRUB at the time > > > > > expected EFI_LOADER_DATA to be executable, as that is the memory type it > > > > > allocates when loading its modules. > > > > > > > > > > This has been fixed in GRUB in August 2017, so by now, we should be able > > > > > to tighten this, and remove execute permissions from EFI_LOADER_DATA > > > > > allocations. > > > > Data point: https://bugzilla.redhat.com/show_bug.cgi?id=2149020 > > > > tl;dr: fedora 37 grub.efi is still broken. > > > This is also the case with existing Ubuntu releases, as well as > > > AlmaLinux 9.1 and RHEL 8.7[*]. While it does appear to be fixed for > > > the upcoming Ubuntu 23.04 (presumably via [**]), I plan to revert this > > > patch in Debian/Ubuntu until it is more ubiquitous. Do you want to do > > > the same upstream? I'm not sure at what point it would make sense to > > > reintroduce it, given we can't force users to upgrade their bootloaders. > > > > > Thanks for the report. > > > > You can override PCDs on the build command line, so I suggest you use > > that for building these images as long as it is needed. > > > > E.g,, append this to the build.sh command line > > > > --pcd PcdDxeNxMemoryProtectionPolicy=0xC000000000007FD1 > > > > to undo the effects of this patch. > > > > I do not intend to revert this patch - the trend under EFI is towards > > much stricter memory permissions, also on the MS side, and this is > > especially important under CC scenarios. And if 5+ years is not > > sufficient for out-of-tree GRUB to catch up, what is the point of > > waiting for it? > > > I think we need to be smarter here. ArmVirtPkg is used by a lot of > virtualization software - such as QEMU. Typically, users (and developers) > expect that an update to a newer version will preserve compatibility. > > Let me contrive an example: In 1 year, QEMU updates to the latest AAVMF. It > ships that as part of its pc-bios directory. Suddenly, we accidentally break > old (immutable!) iso images that used to work. So someone that updates QEMU > to a newer version will have a regression in running a Fedora 37 > installation. Or RHEL 8.7 installation. Not good :). > > Outside of OSVs providing new iso images, there is also not much you can do > about this. The grub binary here runs way before any updater code that could > pull a fixed version from the internet. > > What alternatives do we have? Assuming grub is the only offender we have to > worry about, is there a way we can identify that the allocation came from an > unpatched version? Or have a database of hashes (with all known grub > binaries that have this bug in existing isos) that would force disable NX > protection for it if we hit it? Or disable NX when Secure Boot is disabled? > > I really think we need to be a bit more creative than make NX mandatory in > all cases when we know the are immutable images out there that won't work > with it, otherwise we break very legit use cases. While it has its own issues, I suppose another way to go about it is for distributors to provide multiple AAVMF_CODE images, and perhaps invent a "feature" flag for the json descriptor for management tools to select an appropriate one. -dann