From: Laszlo Ersek
To: Ard Biesheuvel, edk2-devel@ml01.01.org, afish@apple.com, leif.lindholm@linaro.org, michael.d.kinney@intel.com, liming.gao@intel.com, jiewen.yao@intel.com
Cc: feng.tian@intel.com, star.zeng@intel.com
Date: Thu, 23 Feb 2017 11:34:46 +0100
Subject: Re: [RFC PATCH 0/4] RFC: increased memory protection
In-Reply-To: <1487787898-5222-1-git-send-email-ard.biesheuvel@linaro.org>

Hi,

On 02/22/17 19:24, Ard Biesheuvel wrote:
> Hello all,
>
> This is a proof of concept implementation that removes all executable
> permissions from writable memory regions, which greatly enhances security.
> It is based on Jiewen's recent work, which is a step in the right direction,
> but still leaves most of memory exploitable due to the default R+W+X
> permissions.
>
> The idea is that the implementation of the CPU arch protocol goes over the
> memory map and removes exec permissions from all regions that are not already
> marked as 'code'. This requires some preparatory work to ensure that the DxeCore
> itself is covered by a BootServicesCode region, not a BootServicesData region.
> Exec permissions are re-granted selectively, when the PE/COFF loader allocates
> the space for it. Combined with Jiewen's code/data split, this removes all
> RWX mapped regions.
>
> There is a caveat, though (and there are likely more of that kind): the EBC
> driver will need some work to ensure the thunk buffers have the noexec
> restriction lifted. This could be done in the EBC driver, but perhaps it is
> better to either
> a) modify the DXE core so it always removes noexec restrictions when allocating
>    code pages, or
> b) add AllocateExecPages/AllocateExecPool() functions to the MemoryAllocationLib
>    API
>
> Comments please!

My only comment is "good idea, as long as it doesn't regress anything". :)

I haven't done any testing with this; once you think the series is mature
enough for that, I could run my usual tests. Feel free to ping me for that
whenever.

Thanks!
Laszlo

> Ard Biesheuvel (4):
>   MdeModulePkg/DxeCore: allow BootServicesData->BootServicesCode
>     conversion
>   MdeModulePkg/DxeCore: convert the DxeCore memory region to
>     BootServicesCode
>   MdeModulePkg/DxeCore: lift non-exec permissions on loaded images
>   ArmPkg/CpuDxe: remap all data regions non-executable
>
>  ArmPkg/Drivers/CpuDxe/CpuDxe.c          | 76 ++++++++++++++++++++
>  MdeModulePkg/Core/Dxe/DxeMain.h         |  8 +++
>  MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c |  2 +
>  MdeModulePkg/Core/Dxe/Image/Image.c     |  8 +++
>  MdeModulePkg/Core/Dxe/Mem/Page.c        | 18 ++++-
>  5 files changed, 111 insertions(+), 1 deletion(-)
>
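The policy in the quoted cover letter (strip exec from every region not already marked as code, re-grant it only for the buffer the image loader allocates, then rely on the code/data split to make that buffer read-only), modelled over a constructed UEFI memory map. This is an added illustration, not code from this thread or from edk2: the Desc struct, the sample map and the helper names (remove_exec_from_data, grant_exec_for_image, seal_image, count_rwx) are assumptions, while the memory type numbers and the EFI_MEMORY_XP / EFI_MEMORY_RO bits are the UEFI spec values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed model of a UEFI memory map. Type numbers and attribute bits are the
 * UEFI spec values; the struct, the sample map and the helpers are illustrative. */
#define EFI_MEMORY_XP 0x4000ULL   /* execute-protect */
#define EFI_MEMORY_RO 0x20000ULL  /* read-only */
typedef enum {
  EfiLoaderCode = 1, EfiLoaderData, EfiBootServicesCode, EfiBootServicesData,
  EfiRuntimeServicesCode, EfiRuntimeServicesData, EfiConventionalMemory
} MemType;
typedef struct { MemType Type; uint64_t Start; uint64_t Pages; uint64_t Attr; } Desc;
Desc sample_map[] = {  /* constructed: code already RO (code/data split), data R+W+X */
  { EfiBootServicesCode,    0x1000,  16, EFI_MEMORY_RO },
  { EfiBootServicesData,    0x11000, 16, 0 },
  { EfiConventionalMemory,  0x21000, 64, 0 },
  { EfiRuntimeServicesCode, 0x61000, 8,  EFI_MEMORY_RO },
};
#define SAMPLE_N (sizeof sample_map / sizeof sample_map[0])
static bool is_code(MemType t) {
  return t == EfiLoaderCode || t == EfiBootServicesCode || t == EfiRuntimeServicesCode;
}
/* Step 1 (CpuDxe): every region not already code loses exec. Returns regions changed. */
size_t remove_exec_from_data(Desc *map, size_t n) {
  size_t changed = 0;
  for (size_t i = 0; i < n; i++)
    if (!is_code(map[i].Type)) { map[i].Attr |= EFI_MEMORY_XP; changed++; }
  return changed;
}
/* Step 2 (DxeCore loader): an allocated image buffer becomes Code and regains exec;
 * it stays writable while the PE/COFF sections are copied in. */
int grant_exec_for_image(Desc *d) {
  if (d == NULL) return -1;
  d->Type = EfiBootServicesCode;
  d->Attr &= ~EFI_MEMORY_XP;
  return 0;
}
/* Step 3 (code/data split): once loaded, the image's pages go read-only. */
int seal_image(Desc *d) {
  if (d == NULL || !is_code(d->Type)) return -1;
  d->Attr |= EFI_MEMORY_RO;
  return 0;
}
/* Audit: how many regions are still both writable and executable. */
size_t count_rwx(const Desc *map, size_t n) {
  size_t c = 0;
  for (size_t i = 0; i < n; i++)
    if (!(map[i].Attr & (EFI_MEMORY_XP | EFI_MEMORY_RO))) c++;
  return c;
}
```

count_rwx is the check to run before and after each step; the single RWX region it reports after grant_exec_for_image is the image still being loaded, which seal_image closes.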