[edk2-devel] [RFC 00/13] Hardware enforced W^X memory protections

Ard Biesheuvel posted 13 patches 1 year, 2 months ago
Failed in applying to current master (apply log)
[edk2-devel] [RFC 00/13] Hardware enforced W^X memory protections
Posted by Ard Biesheuvel 1 year, 2 months ago
The ARM architecture has an interesting feature in its virtual memory
controls called 'WXN', which puts the MMU in a mode where all mappings
of memory that are writable are implicitly non-executable as well.

While EDK2 implements a couple of memory protection features already, in
some places it still relies fundamentally on mappings that are both
writable and executable at the same time, which is not great from a
robustness and code safety point of view.

This series is a proof-of-concept for ArmVirtQemu that addresses each of
those issues, allowing it to boot into the OS (Linux) successfully with
the WXN control enabled.

The following issues are being addressed:
- the flash region must be mapped read-only explicitly, so that its code
  is executable
- the DXE IPL must not run shadowed so it executes in place from the
  executable mapping of the FV (and PEIM shadowing must be off in
  general)
- the DXE IPL must map the DXE core code region read-only explicitly so
  it can execute
- the DXE core must be equipped with a preliminary version of the
  SetMemoryAttributes member of the CPU arch protocol so that it can
  manipulate memory permissions before the CPU arch protocol driver is
  dispatched
- need to use XP mappings for all DRAM regions out of reset - this is
  to avoid unbounded recursion in the page table handling code, which
  may now be called before the CPU arch protocol driver remaps all
  unused regions with XP attributes
- limit the memory regions that are remapped writable+executable during
  ExitBootServices() to those pages that are actually subject to
  relocation fixups
- ensure that AArch64 runtime DXE driver images do not carry code and
  relocatable quantities in the same 4k page, so that clearing the RO
  bit does not remove its executable permissions

(patch #1 is preparatory cleanup and not relevant to the above)

Cc: Michael Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Michael Kubacki <michael.kubacki@microsoft.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Rebecca Cran <quic_rcran@quicinc.com>
Cc: Leif Lindholm <quic_llindhol@quicinc.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Taylor Beebe <t@taylorbeebe.com>
Cc: Matthew Garrett <mjg59@srcf.ucam.org>
Cc: Peter Jones <pjones@redhat.com>
Cc: Kees Cook <keescook@chromium.org>

Ard Biesheuvel (13):
  ArmPkg/Mmu: Remove handling of NONSECURE memory regions
  ArmPkg/ArmMmuLib: Introduce region types for RO/XP WB cached memory
  MdePkg/BasePeCoffLib: Add API to keep track of relocation range
  MdeModulePkg/DxeIpl: Avoid shadowing IPL PEIM by default
  MdeModulePkg/DxeIpl AARCH64: Remap DXE core code section before launch
  MdeModulePkg/DxeCore: Reduce range of W+X remaps at EBS time
  MdeModulePkg/DxeCore: Permit preliminary CPU arch fallback
  ArmPkg: Implement ArmSetMemoryOverrideLib
  ArmVirtPkg/ArmVirtQemu: Use XP memory mappings by default
  ArmVirtPkg/ArmVirtQemu: Use PEI flavor of ArmMmuLib for all PEIMs
  ArmVirtPkg/ArmVirtQemu: Use read-only memory region type for code
    flash
  BaseTools/GccBase AARCH64: Avoid page sharing between code and data
  ArmVirtPkg/ArmVirtQemu: Enable hardware enforced W^X memory
    permissions

 ArmPkg/Include/Chipset/ArmV7Mmu.h                                  | 51 +++++-------
 ArmPkg/Include/Library/ArmLib.h                                    | 17 ++--
 ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c                   | 34 +++++---
 ArmPkg/Library/ArmMmuLib/Arm/ArmMmuLibCore.c                       | 49 ++++++------
 ArmPkg/Library/ArmSetMemoryOverrideLib/ArmSetMemoryOverrideLib.c   | 56 +++++++++++++
 ArmPkg/Library/ArmSetMemoryOverrideLib/ArmSetMemoryOverrideLib.inf | 25 ++++++
 ArmVirtPkg/ArmVirt.dsc.inc                                         |  1 +
 ArmVirtPkg/ArmVirtQemu.dsc                                         | 11 ++-
 ArmVirtPkg/ArmVirtQemuKernel.dsc                                   |  1 +
 ArmVirtPkg/Library/ArmPlatformLibQemu/AArch64/ArmPlatformHelper.S  |  2 +-
 ArmVirtPkg/Library/QemuVirtMemInfoLib/QemuVirtMemInfoLib.c         |  4 +-
 BaseTools/Scripts/GccBase.lds                                      | 13 ++-
 MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c                      | 33 ++++++--
 MdeModulePkg/Core/DxeIplPeim/Arm/DxeLoadFunc.c                     | 69 ++++++++++++++++
 MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf                            |  6 +-
 MdeModulePkg/Core/DxeIplPeim/DxeLoad.c                             | 24 +++---
 MdePkg/Include/Library/PeCoffLib.h                                 | 25 ++++++
 MdePkg/Library/BasePeCoffLib/BasePeCoff.c                          | 83 +++++++++++++++++++-
 18 files changed, 392 insertions(+), 112 deletions(-)
 create mode 100644 ArmPkg/Library/ArmSetMemoryOverrideLib/ArmSetMemoryOverrideLib.c
 create mode 100644 ArmPkg/Library/ArmSetMemoryOverrideLib/ArmSetMemoryOverrideLib.inf

-- 
2.39.1
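To make the three page-granularity problems in the cover letter concrete (WXN turning writable mappings into non-executable ones, the W+X window at ExitBootServices that only the relocated pages need, and code sharing a 4k page with relocation targets), here is a small C model written for this page. It is an added example, not code from the RFC series or from edk2: the type and function names, the made-up image base address and the section layouts are all constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE  0x1000u
#define PAGE_MASK  (~(uint64_t)(PAGE_SIZE - 1))

// The two mapping bits the series manipulates: RO (writes fault) and XP/XN
// (instruction fetches fault).  Constructed model, not ArmMmuLib's own types.
typedef struct {
  bool ReadOnly;
  bool ExecNever;
} MAPPING_ATTR;

// WXN semantics: a mapping is executable only if it is not XN and, with WXN
// enabled, only if it is also read-only.  W+X cannot exist under WXN.
static bool
IsExecutable (MAPPING_ATTR Attr, bool Wxn)
{
  if (Attr.ExecNever) {
    return false;
  }
  if (Wxn && !Attr.ReadOnly) {
    return false;
  }
  return true;
}

// A loaded image section (constructed stand-in for a PE/COFF section).
typedef struct {
  uint64_t Start;
  uint64_t Size;
  bool     IsCode;
} IMAGE_SECTION;

// Lowest address and exclusive end of the highest address touched by a fixup;
// the same idea as tracking the relocation range in patch 3 (hypothetical names).
typedef struct {
  uint64_t Lowest;
  uint64_t HighestEnd;
  bool     Any;
} RELOC_RANGE;

static void
RelocRangeRecord (RELOC_RANGE *Range, uint64_t FixupAddr, uint64_t FixupWidth)
{
  if (!Range->Any || FixupAddr < Range->Lowest) {
    Range->Lowest = FixupAddr;
  }
  if (!Range->Any || FixupAddr + FixupWidth > Range->HighestEnd) {
    Range->HighestEnd = FixupAddr + FixupWidth;
  }
  Range->Any = true;
}

// Number of 4 KiB pages covering the half-open range [Start, End).
static uint64_t
PagesSpanning (uint64_t Start, uint64_t End)
{
  if (End <= Start) {
    return 0;
  }
  return (((End - 1) & PAGE_MASK) - (Start & PAGE_MASK)) / PAGE_SIZE + 1;
}

// Pages that must temporarily lose RO when fixups are re-applied at
// ExitBootServices: only the tracked range, not the whole image.
static uint64_t
PagesNeedingRemap (const RELOC_RANGE *Range)
{
  return Range->Any ? PagesSpanning (Range->Lowest, Range->HighestEnd) : 0;
}

// True if the 4 KiB page at PageBase overlaps [Start, Start + Size).
static bool
PageOverlaps (uint64_t PageBase, uint64_t Start, uint64_t Size)
{
  return PageBase < Start + Size && Start < PageBase + PAGE_SIZE;
}

// The hazard patch 12 removes for AArch64 runtime drivers: a fixup landing in
// a page that also holds code means clearing RO on that page (to apply the
// fixup) makes the code non-executable while WXN is on.
static bool
CodeSharesPageWithFixups (const IMAGE_SECTION *Sections, size_t SectionCount,
                          const uint64_t *Fixups, size_t FixupCount)
{
  for (size_t F = 0; F < FixupCount; F++) {
    uint64_t Page = Fixups[F] & PAGE_MASK;
    for (size_t S = 0; S < SectionCount; S++) {
      if (Sections[S].IsCode &&
          PageOverlaps (Page, Sections[S].Start, Sections[S].Size)) {
        return true;
      }
    }
  }
  return false;
}

int
main (void)
{
  // Constructed layouts at a made-up base: packed sections share a page,
  // page-aligned sections (what the linker script change produces) do not.
  const IMAGE_SECTION Packed[]  = { {0x40000000, 0x2800, true}, {0x40002800, 0x1800, false} };
  const IMAGE_SECTION Aligned[] = { {0x40000000, 0x3000, true}, {0x40003000, 0x1000, false} };
  const uint64_t PackedFixups[]  = { 0x40002810, 0x40003F00 };
  const uint64_t AlignedFixups[] = { 0x40003010, 0x40003F00 };

  printf ("packed layout shares a page with code: %d\n",
          CodeSharesPageWithFixups (Packed, 2, PackedFixups, 2));
  printf ("aligned layout shares a page with code: %d\n",
          CodeSharesPageWithFixups (Aligned, 2, AlignedFixups, 2));

  RELOC_RANGE Range = { 0, 0, false };
  for (size_t I = 0; I < 2; I++) {
    RelocRangeRecord (&Range, AlignedFixups[I], 8);
  }
  printf ("pages remapped at EBS: %llu of %llu\n",
          (unsigned long long)PagesNeedingRemap (&Range),
          (unsigned long long)PagesSpanning (0x40000000, 0x40004000));
  return 0;
}
```

The model shows why the series needs both the range tracker and the linker change together: the tracker shrinks the W+X window at ExitBootServices from the whole image to the fixup pages, and the page-aligned layout guarantees none of those pages also carry code, so dropping RO on them never strips execute permission from the driver under WXN.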