[edk2-devel] [PATCH v1 0/2] Automatically set NXCOMPAT bit if requirements are met

Joey Vagedes posted 2 patches 10 months, 1 week ago
Failed in applying to current master (apply log)
There is a newer version of this series
MdePkg/Include/IndustryStandard/PeImage.h | 15 +++++
BaseTools/Source/C/GenFw/GenFw.c          | 59 ++++++++++++++++++++
2 files changed, 74 insertions(+)
[edk2-devel] [PATCH v1 0/2] Automatically set NXCOMPAT bit if requirements are met
Posted by Joey Vagedes 10 months, 1 week ago
Utilize GenFw to automatically set the NXCOMPAT bit of the DLL Characteristics 
field of the Optional Header if the following requirements are met:

1. It is a 64bit PE
2. The section alignment is evenly divisible by 4K
3. No section is both EFI_IMAGE_SCN_MEM_EXECUTE and EFI_IMAGE_SCN_MEM_WRITE

Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Cc: Rebecca Cran <rebecca@bsdio.com>
Cc: Bob Feng <bob.c.feng@intel.com>
Cc: Yuwei Chen <yuwei.chen@intel.com>

Joey Vagedes (2):
  MdePkg: IndustryStandard: Add DLL Characteristics
  BaseTools: GenFw: auto-set nxcompat flag

 MdePkg/Include/IndustryStandard/PeImage.h | 15 +++++
 BaseTools/Source/C/GenFw/GenFw.c          | 59 ++++++++++++++++++++
 2 files changed, 74 insertions(+)

-- 
2.41.0.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#106295): https://edk2.groups.io/g/devel/message/106295
Mute This Topic: https://groups.io/mt/99721318/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
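The three requirements in the cover letter, written out as a header check on a PE image held in a byte buffer. This is an added example, not the GenFw code from the patch; the function names, the return convention and the constructed header-only sample are assumptions for illustration. It inspects headers only, so memory a driver makes executable at run time is not visible to it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SCN_MEM_EXECUTE 0x20000000u /* EFI_IMAGE_SCN_MEM_EXECUTE */
#define SCN_MEM_WRITE   0x80000000u /* EFI_IMAGE_SCN_MEM_WRITE */
#define NX_COMPAT       0x0100u     /* IMAGE_DLLCHARACTERISTICS_NX_COMPAT */
#define SAMPLE_LEN      0x170u      /* size of the constructed sample below */

static uint32_t rd(const uint8_t *p, int n) {          /* little-endian read */
    uint32_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}
static void wr(uint8_t *p, uint32_t v, int n) {        /* little-endian write */
    for (int i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Hypothetical helper: sets NX_COMPAT and returns 1 when all three requirements
 * hold; returns 0 (image untouched) when one fails, -1 on malformed headers. */
int set_nx_compat_if_eligible(uint8_t *img, size_t len) {
    if (len < 0x40 || rd(img, 2) != 0x5A4D) return -1;          /* "MZ" */
    size_t pe = rd(img + 0x3C, 4);                              /* e_lfanew */
    if (pe > len || len - pe < 24 + 72) return -1;
    if (rd(img + pe, 4) != 0x4550) return -1;                   /* "PE\0\0" */
    uint32_t nsec = rd(img + pe + 6, 2), optsz = rd(img + pe + 20, 2);
    uint8_t *opt = img + pe + 24;                               /* optional header */
    size_t sec = pe + 24 + optsz;                               /* section table */
    if (optsz < 72 || sec > len || (len - sec) / 40 < nsec) return -1;
    if (rd(opt, 2) != 0x20B) return 0;                          /* 1: PE32+ only */
    uint32_t align = rd(opt + 32, 4);
    if (align == 0 || align % 4096 != 0) return 0;              /* 2: 4K multiple */
    for (uint32_t i = 0; i < nsec; i++) {                       /* 3: no W+X section */
        uint32_t c = rd(img + sec + 40 * i + 36, 4);
        if ((c & SCN_MEM_EXECUTE) && (c & SCN_MEM_WRITE)) return 0;
    }
    wr(opt + 70, rd(opt + 70, 2) | NX_COMPAT, 2);               /* DllCharacteristics */
    return 1;
}

/* Constructed sample: headers only, one section; not a real firmware image. */
void make_sample(uint8_t *b, uint16_t magic, uint32_t align, uint32_t scn) {
    memset(b, 0, SAMPLE_LEN);
    wr(b, 0x5A4D, 2);        wr(b + 0x3C, 0x40, 4);   /* MZ, e_lfanew */
    wr(b + 0x40, 0x4550, 4); wr(b + 0x46, 1, 2);      /* PE sig, NumberOfSections */
    wr(b + 0x54, 0xF0, 2);   wr(b + 0x58, magic, 2);  /* SizeOfOptionalHeader, Magic */
    wr(b + 0x78, align, 4);  wr(b + 0x16C, scn, 4);   /* SectionAlignment, flags */
}

uint16_t dll_characteristics(const uint8_t *b) { return (uint16_t)rd(b + 0x58 + 70, 2); }
```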
Re: [edk2-devel] [PATCH v1 0/2] Automatically set NXCOMPAT bit if requirements are met
Posted by Ard Biesheuvel 10 months, 1 week ago
On Fri, 23 Jun 2023 at 18:03, Joey Vagedes <joey.vagedes@gmail.com> wrote:
>
> Utilize GenFw to automatically set the NXCOMPAT bit of the DLL Characteristics
> field of the Optional Header if the following requirements are met:
>
> 1. It is a 64bit PE
> 2. The section alignment is evenly divisible by 4K
> 3. No section is both EFI_IMAGE_SCN_MEM_EXECUTE and EFI_IMAGE_SCN_MEM_WRITE
>

Is this sufficient? For example, the EBC DXE driver creates code
trampolines in page allocations, and expects them to be executable.
However, this change would flag that driver as NX compat too.


Re: [edk2-devel] [PATCH v1 0/2] Automatically set NXCOMPAT bit if requirements are met
Posted by Joey Vagedes 10 months ago
Hi Ard,

Talked to the team and I think the appropriate answer to this is to follow
what is currently done through the MSVC FLAGS, i.e. that any PE that
knowingly does not meet these requirements manually opts out of NXCOMPAT
via the /NXCOMPAT:no flag. That means adding a flag to GENFW: "--nxcompat
no". Then this can be appended to existing flags in the INF of any
incompatible component.

Invalid PEs could be reviewed after this patch is in, or as a part of it.
We have a list of modules that are potentially non-nx compat,
but would need to be evaluated by package owners and may not be all
encompassing.

Thanks,
Joey

On Fri, Jun 23, 2023 at 9:11 AM Ard Biesheuvel <ardb@kernel.org> wrote:

> On Fri, 23 Jun 2023 at 18:03, Joey Vagedes <joey.vagedes@gmail.com> wrote:
> >
> > Utilize GenFw to automatically set the NXCOMPAT bit of the DLL Characteristics
> > field of the Optional Header if the following requirements are met:
> >
> > 1. It is a 64bit PE
> > 2. The section alignment is evenly divisible by 4K
> > 3. No section is both EFI_IMAGE_SCN_MEM_EXECUTE and EFI_IMAGE_SCN_MEM_WRITE
> >
>
> Is this sufficient? For example, the EBC DXE driver creates code
> trampolines in page allocations, and expects them to be executable.
> However, this change would flag that driver as NX compat too.
>




Re: [edk2-devel] [PATCH v1 0/2] Automatically set NXCOMPAT bit if requirements are met
Posted by gaoliming via groups.io 10 months, 1 week ago
Joey:
  Can you describe the full usage of NXCOMPAT bit? This patch sets NXCOMPAT
bit. And, which module will consume NXCOMPAT bit, how use it? DxeCore?

Thanks
Liming
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Joey Vagedes
> Sent: June 23, 2023 23:45
> To: devel@edk2.groups.io
> Cc: Michael D Kinney <michael.d.kinney@intel.com>; Liming Gao
> <gaoliming@byosoft.com.cn>; Zhiguang Liu <zhiguang.liu@intel.com>;
> Rebecca Cran <rebecca@bsdio.com>; Bob Feng <bob.c.feng@intel.com>;
> Yuwei Chen <yuwei.chen@intel.com>
> Subject: [edk2-devel] [PATCH v1 0/2] Automatically set NXCOMPAT bit if
> requirements are met
> 
> Utilize GenFw to automatically set the NXCOMPAT bit of the DLL Characteristics
> field of the Optional Header if the following requirements are met:
> 
> 1. It is a 64bit PE
> 2. The section alignment is evenly divisible by 4K
> 3. No section is both EFI_IMAGE_SCN_MEM_EXECUTE and EFI_IMAGE_SCN_MEM_WRITE
> 
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
> Cc: Zhiguang Liu <zhiguang.liu@intel.com>
> Cc: Rebecca Cran <rebecca@bsdio.com>
> Cc: Bob Feng <bob.c.feng@intel.com>
> Cc: Yuwei Chen <yuwei.chen@intel.com>
> 
> Joey Vagedes (2):
>   MdePkg: IndustryStandard: Add DLL Characteristics
>   BaseTools: GenFw: auto-set nxcompat flag
> 
>  MdePkg/Include/IndustryStandard/PeImage.h | 15 +++++
>  BaseTools/Source/C/GenFw/GenFw.c          | 59 ++++++++++++++++++++
>  2 files changed, 74 insertions(+)
> 
> --
> 2.41.0.windows.1
Re: [edk2-devel] [PATCH v1 0/2] Automatically set NXCOMPAT bit if requirements are met
Posted by Joey Vagedes 10 months ago
Hi Liming,

This is being done as a part of the memory protections work which can be
reviewed here: Task Table · Memory Protections (github.com)
<https://github.com/orgs/tianocore/projects/3>

Overall, DxeCore will ingest the NX_COMPAT flag on image load.

In the base case, when modules make allocations of type EfiLoaderCode,
EfiBootServicesCode, and EfiRuntimeServicesCode, the EFI_MEMORY_XP access
attribute will be applied with the expectation that the allocating modules
will remove the EFI_MEMORY_XP attribute and apply the EFI_MEMORY_RO
attribute once they have loaded their code into the buffer for execution.

In the exception case, if an EFI_APPLICATION type image is loaded without
the NX_COMPAT flag then allocations of type EfiLoaderCode,
EfiBootServicesCode, and EfiRuntimeServicesCode will no longer have
EFI_MEMORY_XP applied for the remainder of boot.

Note that a patch series for the supporting DxeCore logic has not yet been
submitted.

Thanks,
Joey

On Sat, Jun 24, 2023 at 7:46 PM gaoliming <gaoliming@byosoft.com.cn> wrote:

> Joey:
>   Can you describe the full usage of NXCOMPAT bit? This patch sets NXCOMPAT
> bit. And, which module will consume NXCOMPAT bit, how use it? DxeCore?
>
> Thanks
> Liming
> > -----Original Message-----
> > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Joey Vagedes
> > Sent: June 23, 2023 23:45
> > To: devel@edk2.groups.io
> > Cc: Michael D Kinney <michael.d.kinney@intel.com>; Liming Gao
> > <gaoliming@byosoft.com.cn>; Zhiguang Liu <zhiguang.liu@intel.com>;
> > Rebecca Cran <rebecca@bsdio.com>; Bob Feng <bob.c.feng@intel.com>;
> > Yuwei Chen <yuwei.chen@intel.com>
> > Subject: [edk2-devel] [PATCH v1 0/2] Automatically set NXCOMPAT bit if
> > requirements are met
> >
> > Utilize GenFw to automatically set the NXCOMPAT bit of the DLL Characteristics
> > field of the Optional Header if the following requirements are met:
> >
> > 1. It is a 64bit PE
> > 2. The section alignment is evenly divisible by 4K
> > 3. No section is both EFI_IMAGE_SCN_MEM_EXECUTE and EFI_IMAGE_SCN_MEM_WRITE
> >
> > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > Cc: Liming Gao <gaoliming@byosoft.com.cn>
> > Cc: Zhiguang Liu <zhiguang.liu@intel.com>
> > Cc: Rebecca Cran <rebecca@bsdio.com>
> > Cc: Bob Feng <bob.c.feng@intel.com>
> > Cc: Yuwei Chen <yuwei.chen@intel.com>
> >
> > Joey Vagedes (2):
> >   MdePkg: IndustryStandard: Add DLL Characteristics
> >   BaseTools: GenFw: auto-set nxcompat flag
> >
> >  MdePkg/Include/IndustryStandard/PeImage.h | 15 +++++
> >  BaseTools/Source/C/GenFw/GenFw.c          | 59 ++++++++++++++++++++
> >  2 files changed, 74 insertions(+)
> >
> > --
> > 2.41.0.windows.1