Re: [RFC PATCH 0/4] RFC: increased memory protection

[Laszlo Ersek <lersek@redhat.com>]

Hi,

On 02/22/17 19:24, Ard Biesheuvel wrote:
> Hello all,
> 
> This is a proof of concept implementation that removes all executable
> permissions from writable memory regions, which greatly enhances security.
> It is based on Jiewen's recent work, which is a step in the right direction,
> but still leaves most of memory exploitable due to the default R+W+X
> permissions.
> 
> The idea is that the implementation of the CPU arch protocol goes over the
> memory map and removes exec permissions from all regions that are not already
> marked as 'code. This requires some preparatory work to ensure that the DxeCore
> itself is covered by a BootServicesCode region, not a BootServicesData region.
> Exec permissions are re-granted selectively, when the PE/COFF loader allocates
> the space for it. Combined with Jiewen's code/data split, this removes all
> RWX mapped regions.
> 
> There is a caveat, though (and there are likely more of that kind): the EBC
> driver will need some work to ensure the thunk buffers have the noexec
> restriction lifted. This could be done in the EBC driver, but perhaps it is
> better to either
> a) modify the DXE core so it always removes noexec restrictions when allocating
>    code pages, or
> b) add AllocateExecPages/AllocateExecPool() functions to the MemoryAllocationLib
>    API
> 
> Comments please!

My only comment is "good idea, as long as it doesn't regress anything". :)

I haven't done any testing with this; once you think the series is
mature enough for that, I could run my usual tests. Feel free to ping me
for that whenever.

Thanks!
Laszlo

> Ard Biesheuvel (4):
>   MdeModulePkg/DxeCore: allow BootServicesData->BootServicesCode
>     conversion
>   MdeModulePkg/DxeCore: convert the DxeCore memory region to
>     BootServicesCode
>   MdeModulePkg/DxeCore: lift non-exec permissions on loaded images
>   ArmPkg/CpuDxe: remap all data regions non-executable
> 
>  ArmPkg/Drivers/CpuDxe/CpuDxe.c          | 76 ++++++++++++++++++++
>  MdeModulePkg/Core/Dxe/DxeMain.h         |  8 +++
>  MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c |  2 +
>  MdeModulePkg/Core/Dxe/Image/Image.c     |  8 +++
>  MdeModulePkg/Core/Dxe/Mem/Page.c        | 18 ++++-
>  5 files changed, 111 insertions(+), 1 deletion(-)
>