From: "Ard Biesheuvel"
To: devel@edk2.groups.io
Cc: Ard Biesheuvel, Michael Kinney, Liming Gao, Jiewen Yao, Michael Kubacki, Sean Brogan, Rebecca Cran, Leif Lindholm, Sami Mujawar, Taylor Beebe, Matthew Garrett, Peter Jones, Kees Cook
Subject: [edk2-devel] [RFC 01/13] ArmPkg/Mmu: Remove handling of NONSECURE memory regions
Date: Mon, 13 Feb 2023 16:17:58 +0100
Message-Id: <20230213151810.2301480-2-ardb@kernel.org>
In-Reply-To: <20230213151810.2301480-1-ardb@kernel.org>
References: <20230213151810.2301480-1-ardb@kernel.org>

Non-secure memory is a distinction that only matters when executing code in the secure world that reasons about the secure vs non-secure address spaces. EDK2 was not designed for that, and the AArch64 version of the MMU handling library already treats them as identical, so let's just drop the ARM memory region types that mark memory as 'non-secure' explicitly.

Signed-off-by: Ard Biesheuvel --- ArmPkg/Include/Chipset/ArmV7Mmu.h | 51 +++++++------------- ArmPkg/Include/Library/ArmLib.h | 11 ----- ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c | 5 -- ArmPkg/Library/ArmMmuLib/Arm/ArmMmuLibCore.c | 33 +++---------- 4 files changed, 24 insertions(+), 76 deletions(-) diff --git a/ArmPkg/Include/Chipset/ArmV7Mmu.h b/ArmPkg/Include/Chipset/Arm= V7Mmu.h index da4f3160f8ff..89b81e33d004 100644 --- a/ArmPkg/Include/Chipset/ArmV7Mmu.h +++ b/ArmPkg/Include/Chipset/ArmV7Mmu.h 
@@ -157,39 +157,24 @@ #define TT_DESCRIPTOR_PAGE_BASE_ADDRESS(a) ((a) & TT_DESCRIPTOR_PAGE_BASE= _ADDRESS_MASK) #define TT_DESCRIPTOR_PAGE_BASE_SHIFT 12 =20 -#define TT_DESCRIPTOR_SECTION_WRITE_BACK(NonSecure) (TT_DESCRIPTOR_SEC= TION_TYPE_SECTION = | \ - ((NonSecure) ?= TT_DESCRIPTOR_SECTION_NS : 0) | \ - TT_DESCRIPTOR_= SECTION_NG_GLOBAL | \ - TT_DESCRIPTOR_= SECTION_S_SHARED | \ - TT_DESCRIPTOR_= SECTION_DOMAIN(0) | \ - TT_DESCRIPTOR_= SECTION_AP_RW_RW | \ - TT_DESCRIPTOR_= SECTION_AF | \ - TT_DESCRIPTOR_= SECTION_CACHE_POLICY_WRITE_BACK_ALLOC) -#define TT_DESCRIPTOR_SECTION_WRITE_THROUGH(NonSecure) (TT_DESCRIPTOR_SEC= TION_TYPE_SECTION = | \ - ((NonSecure) ?= TT_DESCRIPTOR_SECTION_NS : 0) | \ - TT_DESCRIPTOR_= SECTION_NG_GLOBAL | \ - TT_DESCRIPTOR_= SECTION_S_SHARED | \ - TT_DESCRIPTOR_= SECTION_DOMAIN(0) | \ - TT_DESCRIPTOR_= SECTION_AP_RW_RW | \ - TT_DESCRIPTOR_= SECTION_AF | \ - TT_DESCRIPTOR_= SECTION_CACHE_POLICY_WRITE_THROUGH_NO_ALLOC) -#define TT_DESCRIPTOR_SECTION_DEVICE(NonSecure) (TT_DESCRIPTOR_SEC= TION_TYPE_SECTION = | \ - ((NonSecure) ?= TT_DESCRIPTOR_SECTION_NS : 0) | \ - TT_DESCRIPTOR_= SECTION_NG_GLOBAL | \ - TT_DESCRIPTOR_= SECTION_S_NOT_SHARED | \ - TT_DESCRIPTOR_= SECTION_DOMAIN(0) | \ - TT_DESCRIPTOR_= SECTION_AP_RW_RW | \ - TT_DESCRIPTOR_= SECTION_XN_MASK | \ - TT_DESCRIPTOR_= SECTION_AF | \ - TT_DESCRIPTOR_= SECTION_CACHE_POLICY_SHAREABLE_DEVICE) -#define TT_DESCRIPTOR_SECTION_UNCACHED(NonSecure) (TT_DESCRIPTOR_SEC= TION_TYPE_SECTION = | \ - ((NonSecure) ? 
= TT_DESCRIPTOR_SECTION_NS : 0) | \ - TT_DESCRIPTOR_S= ECTION_NG_GLOBAL | \ - TT_DESCRIPTOR_S= ECTION_S_NOT_SHARED | \ - TT_DESCRIPTOR_S= ECTION_DOMAIN(0) | \ - TT_DESCRIPTOR_S= ECTION_AP_RW_RW | \ - TT_DESCRIPTOR_= SECTION_AF | \ - TT_DESCRIPTOR_S= ECTION_CACHE_POLICY_NON_CACHEABLE) +#define TT_DESCRIPTOR_SECTION_DEFAULT (TT_DESCRIPTOR_SECTION_TYPE_SECTION= | \ + TT_DESCRIPTOR_SECTION_NG_GLOBAL = | \ + TT_DESCRIPTOR_SECTION_S_SHARED = | \ + TT_DESCRIPTOR_SECTION_DOMAIN(0) = | \ + TT_DESCRIPTOR_SECTION_AP_RW_RW = | \ + TT_DESCRIPTOR_SECTION_AF) + +#define TT_DESCRIPTOR_SECTION_WRITE_BACK (TT_DESCRIPTOR_SECTION_DEFAULT |= \ + TT_DESCRIPTOR_SECTION_CACHE_POL= ICY_WRITE_BACK_ALLOC) + +#define TT_DESCRIPTOR_SECTION_WRITE_THROUGH (TT_DESCRIPTOR_SECTION_DEFAUL= T | \ + TT_DESCRIPTOR_SECTION_CACHE_= POLICY_WRITE_THROUGH_NO_ALLOC) + +#define TT_DESCRIPTOR_SECTION_DEVICE (TT_DESCRIPTOR_SECTION_DEFAULT | \ + TT_DESCRIPTOR_SECTION_CACHE_POLICY_= SHAREABLE_DEVICE) + +#define TT_DESCRIPTOR_SECTION_UNCACHED (TT_DESCRIPTOR_SECTION_DEFAULT | \ + TT_DESCRIPTOR_SECTION_CACHE_POLIC= Y_NON_CACHEABLE) =20 #define TT_DESCRIPTOR_PAGE_WRITE_BACK (TT_DESCRIPTOR_PAGE_TYPE_PAGE = | \ TT_DESCRIPTOR_PAGE= _NG_GLOBAL | \ diff --git a/ArmPkg/Include/Library/ArmLib.h b/ArmPkg/Include/Library/ArmLi= b.h index fa605f128bfd..a53f60d98852 100644 --- a/ArmPkg/Include/Library/ArmLib.h +++ b/ArmPkg/Include/Library/ArmLib.h 
@@ -25,29 +25,18 @@ EFI_MEMORY_WT | EFI_MEMORY_WB | \ EFI_MEMORY_UCE) =20 -/** - * The UEFI firmware must not use the ARM_MEMORY_REGION_ATTRIBUTE_NONSECUR= E_* attributes. - * - * The Non Secure memory attribute (ARM_MEMORY_REGION_ATTRIBUTE_NONSECURE_= *) should only - * be used in Secure World to distinguished Secure to Non-Secure memory. - */ typedef enum { ARM_MEMORY_REGION_ATTRIBUTE_UNCACHED_UNBUFFERED =3D 0, - ARM_MEMORY_REGION_ATTRIBUTE_NONSECURE_UNCACHED_UNBUFFERED, ARM_MEMORY_REGION_ATTRIBUTE_WRITE_BACK, - ARM_MEMORY_REGION_ATTRIBUTE_NONSECURE_WRITE_BACK, =20 // On some platforms, memory mapped flash region is designed as not supp= orting // shareable attribute, so WRITE_BACK_NONSHAREABLE is added for such spe= cial // need. // Do NOT use below two attributes if you are not sure. ARM_MEMORY_REGION_ATTRIBUTE_WRITE_BACK_NONSHAREABLE, - ARM_MEMORY_REGION_ATTRIBUTE_NONSECURE_WRITE_BACK_NONSHAREABLE, =20 ARM_MEMORY_REGION_ATTRIBUTE_WRITE_THROUGH, - ARM_MEMORY_REGION_ATTRIBUTE_NONSECURE_WRITE_THROUGH, ARM_MEMORY_REGION_ATTRIBUTE_DEVICE, - ARM_MEMORY_REGION_ATTRIBUTE_NONSECURE_DEVICE } ARM_MEMORY_REGION_ATTRIBUTES; =20 #define IS_ARM_MEMORY_REGION_ATTRIBUTES_SECURE(attr) ((UINT32)(attr) & 1) diff --git a/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c b/ArmPkg/Libr= ary/ArmMmuLib/AArch64/ArmMmuLibCore.c index 1ce200c43c72..ee4c5c995ce8 100644 --- a/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c +++ b/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c 
@@ -39,26 +39,21 @@ ArmMemoryAttributeToPageAttribute ( { switch (Attributes) { case ARM_MEMORY_REGION_ATTRIBUTE_WRITE_BACK_NONSHAREABLE: - case ARM_MEMORY_REGION_ATTRIBUTE_NONSECURE_WRITE_BACK_NONSHAREABLE: return TT_ATTR_INDX_MEMORY_WRITE_BACK; =20 case ARM_MEMORY_REGION_ATTRIBUTE_WRITE_BACK: - case ARM_MEMORY_REGION_ATTRIBUTE_NONSECURE_WRITE_BACK: return TT_ATTR_INDX_MEMORY_WRITE_BACK | TT_SH_INNER_SHAREABLE; =20 case ARM_MEMORY_REGION_ATTRIBUTE_WRITE_THROUGH: - case ARM_MEMORY_REGION_ATTRIBUTE_NONSECURE_WRITE_THROUGH: return TT_ATTR_INDX_MEMORY_WRITE_THROUGH | TT_SH_INNER_SHAREABLE; =20 // Uncached and device mappings are treated as outer shareable by defa= ult, case ARM_MEMORY_REGION_ATTRIBUTE_UNCACHED_UNBUFFERED: - case ARM_MEMORY_REGION_ATTRIBUTE_NONSECURE_UNCACHED_UNBUFFERED: return TT_ATTR_INDX_MEMORY_NON_CACHEABLE; =20 default: ASSERT (0); case ARM_MEMORY_REGION_ATTRIBUTE_DEVICE: - case ARM_MEMORY_REGION_ATTRIBUTE_NONSECURE_DEVICE: if (ArmReadCurrentEL () =3D=3D AARCH64_EL2) { return TT_ATTR_INDX_DEVICE_MEMORY | TT_XN_MASK; } else { diff --git a/ArmPkg/Library/ArmMmuLib/Arm/ArmMmuLibCore.c b/ArmPkg/Library/= ArmMmuLib/Arm/ArmMmuLibCore.c index 28cc9b2fe058..154298357460 100644 --- a/ArmPkg/Library/ArmMmuLib/Arm/ArmMmuLibCore.c +++ b/ArmPkg/Library/ArmMmuLib/Arm/ArmMmuLibCore.c 
@@ -100,24 +100,19 @@ PopulateLevel2PageTable ( =20 switch (Attributes) { case ARM_MEMORY_REGION_ATTRIBUTE_WRITE_BACK: - case ARM_MEMORY_REGION_ATTRIBUTE_NONSECURE_WRITE_BACK: PageAttributes =3D TT_DESCRIPTOR_PAGE_WRITE_BACK; break; case ARM_MEMORY_REGION_ATTRIBUTE_WRITE_BACK_NONSHAREABLE: - case ARM_MEMORY_REGION_ATTRIBUTE_NONSECURE_WRITE_BACK_NONSHAREABLE: PageAttributes =3D TT_DESCRIPTOR_PAGE_WRITE_BACK; PageAttributes &=3D ~TT_DESCRIPTOR_PAGE_S_SHARED; break; case ARM_MEMORY_REGION_ATTRIBUTE_WRITE_THROUGH: - case ARM_MEMORY_REGION_ATTRIBUTE_NONSECURE_WRITE_THROUGH: PageAttributes =3D TT_DESCRIPTOR_PAGE_WRITE_THROUGH; break; case ARM_MEMORY_REGION_ATTRIBUTE_DEVICE: - case ARM_MEMORY_REGION_ATTRIBUTE_NONSECURE_DEVICE: PageAttributes =3D TT_DESCRIPTOR_PAGE_DEVICE; break; case ARM_MEMORY_REGION_ATTRIBUTE_UNCACHED_UNBUFFERED: - case ARM_MEMORY_REGION_ATTRIBUTE_NONSECURE_UNCACHED_UNBUFFERED: PageAttributes =3D TT_DESCRIPTOR_PAGE_UNCACHED; break; default: 
@@ -239,39 +234,23 @@ FillTranslationTable ( =20 switch (MemoryRegion->Attributes) { case ARM_MEMORY_REGION_ATTRIBUTE_WRITE_BACK: - Attributes =3D TT_DESCRIPTOR_SECTION_WRITE_BACK (0); + Attributes =3D TT_DESCRIPTOR_SECTION_WRITE_BACK; break; case ARM_MEMORY_REGION_ATTRIBUTE_WRITE_BACK_NONSHAREABLE: - Attributes =3D TT_DESCRIPTOR_SECTION_WRITE_BACK (0); + Attributes =3D TT_DESCRIPTOR_SECTION_WRITE_BACK; Attributes &=3D ~TT_DESCRIPTOR_SECTION_S_SHARED; break; case ARM_MEMORY_REGION_ATTRIBUTE_WRITE_THROUGH: - Attributes =3D TT_DESCRIPTOR_SECTION_WRITE_THROUGH (0); + Attributes =3D TT_DESCRIPTOR_SECTION_WRITE_THROUGH; break; case ARM_MEMORY_REGION_ATTRIBUTE_DEVICE: - Attributes =3D TT_DESCRIPTOR_SECTION_DEVICE (0); + Attributes =3D TT_DESCRIPTOR_SECTION_DEVICE; break; case ARM_MEMORY_REGION_ATTRIBUTE_UNCACHED_UNBUFFERED: - Attributes =3D TT_DESCRIPTOR_SECTION_UNCACHED (0); - break; - case ARM_MEMORY_REGION_ATTRIBUTE_NONSECURE_WRITE_BACK: - Attributes =3D TT_DESCRIPTOR_SECTION_WRITE_BACK (1); - break; - case ARM_MEMORY_REGION_ATTRIBUTE_NONSECURE_WRITE_BACK_NONSHAREABLE: - Attributes =3D TT_DESCRIPTOR_SECTION_WRITE_BACK (1); - Attributes &=3D ~TT_DESCRIPTOR_SECTION_S_SHARED; - break; - case ARM_MEMORY_REGION_ATTRIBUTE_NONSECURE_WRITE_THROUGH: - Attributes =3D TT_DESCRIPTOR_SECTION_WRITE_THROUGH (1); - break; - case ARM_MEMORY_REGION_ATTRIBUTE_NONSECURE_DEVICE: - Attributes =3D TT_DESCRIPTOR_SECTION_DEVICE (1); - break; - case ARM_MEMORY_REGION_ATTRIBUTE_NONSECURE_UNCACHED_UNBUFFERED: - Attributes =3D TT_DESCRIPTOR_SECTION_UNCACHED (1); + Attributes =3D TT_DESCRIPTOR_SECTION_UNCACHED; break; default: - Attributes =3D TT_DESCRIPTOR_SECTION_UNCACHED (0); + Attributes =3D TT_DESCRIPTOR_SECTION_UNCACHED; break; } =20 --=20 2.39.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. 
View/Reply Online (#100088): https://edk2.groups.io/g/devel/message/100088 Mute This Topic: https://groups.io/mt/96937472/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]

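Review bot: in the ArmV7Mmu.h hunk of patch 01, the new TT_DESCRIPTOR_SECTION_DEVICE is built from TT_DESCRIPTOR_SECTION_DEFAULT, which carries TT_DESCRIPTOR_SECTION_S_SHARED and no TT_DESCRIPTOR_SECTION_XN_MASK, whereas the removed definition used TT_DESCRIPTOR_SECTION_S_NOT_SHARED and set TT_DESCRIPTOR_SECTION_XN_MASK. Device sections therefore lose execute-never and become shareable, and TT_DESCRIPTOR_SECTION_UNCACHED likewise goes from S_NOT_SHARED to S_SHARED; the commit message only talks about dropping the non-secure types. Suggest keeping XN_MASK on the DEVICE macro, and either preserving the previous shareability for DEVICE and UNCACHED or calling the change out explicitly in the commit message.
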
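Review bot: the ArmLib.h hunk of patch 01 leaves IS_ARM_MEMORY_REGION_ATTRIBUTES_SECURE(attr), defined as ((UINT32)(attr) & 1), in place as unchanged context right below the enum. With the NONSECURE enumerators removed the remaining values are renumbered, so the low bit no longer encodes anything; suggest removing the macro in this patch, or converting any remaining users first. The retained comment "Do NOT use below two attributes if you are not sure." now precedes a single enumerator and should be reworded.
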
From: "Ard Biesheuvel"
To: devel@edk2.groups.io
Cc: Ard Biesheuvel, Michael Kinney, Liming Gao, Jiewen Yao, Michael Kubacki, Sean Brogan, Rebecca Cran, Leif Lindholm, Sami Mujawar, Taylor Beebe, Matthew Garrett, Peter Jones, Kees Cook
Subject: [edk2-devel] [RFC 02/13] ArmPkg/ArmMmuLib: Introduce region types for RO/XP WB cached memory
Date: Mon, 13 Feb 2023 16:17:59 +0100
Message-Id: <20230213151810.2301480-3-ardb@kernel.org>
In-Reply-To: <20230213151810.2301480-1-ardb@kernel.org>
References: <20230213151810.2301480-1-ardb@kernel.org>

To prepare for the enablement of booting EFI with the SCTLR.WXN control enabled, which makes all writeable memory regions non-executable by default, introduce a memory type that we will use to describe the flash region that carries the SEC and PEIM modules that execute in place. Even if these are implicitly read-only due to the ROM nature, they need to be mapped with read-only attributes in the page tables to be able to execute from them. Also add the XP counterpart which will be used for all normal DRAM right at the outset.

Signed-off-by: Ard Biesheuvel --- ArmPkg/Include/Library/ArmLib.h | 6 ++++ ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c | 29 ++++++++++++++++---- ArmPkg/Library/ArmMmuLib/Arm/ArmMmuLibCore.c | 16 +++++++++++ 3 files changed, 45 insertions(+), 6 deletions(-) diff --git a/ArmPkg/Include/Library/ArmLib.h b/ArmPkg/Include/Library/ArmLi= b.h index a53f60d98852..fb1ae57b3522 100644 --- a/ArmPkg/Include/Library/ArmLib.h +++ b/ArmPkg/Include/Library/ArmLib.h @@ -35,6 +35,12 @@ typedef enum { // Do NOT use below two attributes if you are not sure. ARM_MEMORY_REGION_ATTRIBUTE_WRITE_BACK_NONSHAREABLE, =20 + // Special region types for memory that must be mapped with read-only or + // non-execute permissions from the very start, e.g., to support the use + // of the WXN virtual memory control. + ARM_MEMORY_REGION_ATTRIBUTE_WRITE_BACK_RO, + ARM_MEMORY_REGION_ATTRIBUTE_WRITE_BACK_XP, + ARM_MEMORY_REGION_ATTRIBUTE_WRITE_THROUGH, ARM_MEMORY_REGION_ATTRIBUTE_DEVICE, } ARM_MEMORY_REGION_ATTRIBUTES; diff --git a/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c b/ArmPkg/Libr= ary/ArmMmuLib/AArch64/ArmMmuLibCore.c index ee4c5c995ce8..9cdaa8b32c62 100644 --- a/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c +++ b/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c 
@@ -37,12 +37,33 @@ ArmMemoryAttributeToPageAttribute ( IN ARM_MEMORY_REGION_ATTRIBUTES Attributes ) { + UINT64 Permissions =3D 0; + + switch (Attributes) { + case ARM_MEMORY_REGION_ATTRIBUTE_WRITE_BACK_RO: + Permissions =3D TT_AP_NO_RO; + break; + + case ARM_MEMORY_REGION_ATTRIBUTE_WRITE_BACK_XP: + case ARM_MEMORY_REGION_ATTRIBUTE_DEVICE: + if (ArmReadCurrentEL () =3D=3D AARCH64_EL2) { + Permissions =3D TT_XN_MASK; + } else { + Permissions =3D TT_UXN_MASK | TT_PXN_MASK; + } + break; + default: + break; + } + switch (Attributes) { case ARM_MEMORY_REGION_ATTRIBUTE_WRITE_BACK_NONSHAREABLE: return TT_ATTR_INDX_MEMORY_WRITE_BACK; =20 case ARM_MEMORY_REGION_ATTRIBUTE_WRITE_BACK: - return TT_ATTR_INDX_MEMORY_WRITE_BACK | TT_SH_INNER_SHAREABLE; + case ARM_MEMORY_REGION_ATTRIBUTE_WRITE_BACK_RO: + case ARM_MEMORY_REGION_ATTRIBUTE_WRITE_BACK_XP: + return TT_ATTR_INDX_MEMORY_WRITE_BACK | TT_SH_INNER_SHAREABLE | Perm= issions; =20 case ARM_MEMORY_REGION_ATTRIBUTE_WRITE_THROUGH: return TT_ATTR_INDX_MEMORY_WRITE_THROUGH | TT_SH_INNER_SHAREABLE; @@ -54,11 +75,7 @@ ArmMemoryAttributeToPageAttribute ( default: ASSERT (0); case ARM_MEMORY_REGION_ATTRIBUTE_DEVICE: - if (ArmReadCurrentEL () =3D=3D AARCH64_EL2) { - return TT_ATTR_INDX_DEVICE_MEMORY | TT_XN_MASK; - } else { - return TT_ATTR_INDX_DEVICE_MEMORY | TT_UXN_MASK | TT_PXN_MASK; - } + return TT_ATTR_INDX_DEVICE_MEMORY | Permissions; } } =20 diff --git a/ArmPkg/Library/ArmMmuLib/Arm/ArmMmuLibCore.c b/ArmPkg/Library/= ArmMmuLib/Arm/ArmMmuLibCore.c index 154298357460..00c5f42cd91a 100644 --- a/ArmPkg/Library/ArmMmuLib/Arm/ArmMmuLibCore.c +++ b/ArmPkg/Library/ArmMmuLib/Arm/ArmMmuLibCore.c 
@@ -106,6 +106,14 @@ PopulateLevel2PageTable ( PageAttributes =3D TT_DESCRIPTOR_PAGE_WRITE_BACK; PageAttributes &=3D ~TT_DESCRIPTOR_PAGE_S_SHARED; break; + case ARM_MEMORY_REGION_ATTRIBUTE_WRITE_BACK_RO: + PageAttributes =3D TT_DESCRIPTOR_PAGE_WRITE_BACK; + PageAttributes |=3D TT_DESCRIPTOR_PAGE_AP_NO_RO; + break; + case ARM_MEMORY_REGION_ATTRIBUTE_WRITE_BACK_XP: + PageAttributes =3D TT_DESCRIPTOR_PAGE_WRITE_BACK; + PageAttributes |=3D TT_DESCRIPTOR_PAGE_XN_MASK; + break; case ARM_MEMORY_REGION_ATTRIBUTE_WRITE_THROUGH: PageAttributes =3D TT_DESCRIPTOR_PAGE_WRITE_THROUGH; break; 
@@ -240,6 +248,14 @@ FillTranslationTable ( Attributes =3D TT_DESCRIPTOR_SECTION_WRITE_BACK; Attributes &=3D ~TT_DESCRIPTOR_SECTION_S_SHARED; break; + case ARM_MEMORY_REGION_ATTRIBUTE_WRITE_BACK_RO: + Attributes =3D TT_DESCRIPTOR_SECTION_WRITE_BACK; + Attributes |=3D TT_DESCRIPTOR_SECTION_AP_NO_RO; + break; + case ARM_MEMORY_REGION_ATTRIBUTE_WRITE_BACK_XP: + Attributes =3D TT_DESCRIPTOR_SECTION_WRITE_BACK; + Attributes |=3D TT_DESCRIPTOR_SECTION_XN_MASK; + break; case ARM_MEMORY_REGION_ATTRIBUTE_WRITE_THROUGH: Attributes =3D TT_DESCRIPTOR_SECTION_WRITE_THROUGH; break; --=20 2.39.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#100089): https://edk2.groups.io/g/devel/message/100089 Mute This Topic: https://groups.io/mt/96937475/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 17 07:07:47 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+100090+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+100090+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=kernel.org ARC-Seal: i=1; a=rsa-sha256; t=1676301519; cv=none; d=zohomail.com; s=zohoarc; b=KR4CGJbn+LKwFF/oIE7P5UvY5qXyXcP1XkUI6GJ/7aupBoiwqoMkU/RQ4EQwonP+Yt98kJxIbL5J4p3jMM5tYXBTIOo0SyeIoAK0mWebbdqcUe1hFgKvShaahKnSQ1+sC3jd2nHHdDRSrGjE6HjOS/5sHyndpfmZ4Psd08+84oI= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1676301519; 
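Review bot: in the AArch64 ArmMemoryAttributeToPageAttribute() hunks of patch 02, the second switch keeps "default: ASSERT (0);" falling through to the ARM_MEMORY_REGION_ATTRIBUTE_DEVICE return, but the new first switch leaves Permissions at 0 in its own default. An unrecognised attribute value therefore returns TT_ATTR_INDX_DEVICE_MEMORY without any XN bits once ASSERT is compiled out, where the removed code returned the value with TT_XN_MASK or TT_UXN_MASK | TT_PXN_MASK. Suggest having the first switch's default take the same execute-never path as the DEVICE case.
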
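Review bot: in the FillTranslationTable() hunk of patch 02, the WRITE_BACK_RO case ORs TT_DESCRIPTOR_SECTION_AP_NO_RO onto TT_DESCRIPTOR_SECTION_WRITE_BACK, which already contains TT_DESCRIPTOR_SECTION_AP_RW_RW through TT_DESCRIPTOR_SECTION_DEFAULT from patch 01. The result is the union of two AP encodings, and nothing in the lines shown establishes that the union is the read-only encoding. Suggest clearing the AP field before setting the new value, the way the NONSHAREABLE case clears TT_DESCRIPTOR_SECTION_S_SHARED with "&= ~"; the same applies to the TT_DESCRIPTOR_PAGE_AP_NO_RO case added to PopulateLevel2PageTable().
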
From: "Ard Biesheuvel"
To: devel@edk2.groups.io
Cc: Ard Biesheuvel, Michael Kinney, Liming Gao, Jiewen Yao, Michael Kubacki, Sean Brogan, Rebecca Cran, Leif Lindholm, Sami Mujawar, Taylor Beebe, Matthew Garrett, Peter Jones, Kees Cook
Subject: [edk2-devel] [RFC 03/13] MdePkg/BasePeCoffLib: Add API to keep track of relocation range
Date: Mon, 13 Feb 2023 16:18:00 +0100
Message-Id: <20230213151810.2301480-4-ardb@kernel.org>
In-Reply-To: <20230213151810.2301480-1-ardb@kernel.org>
References: <20230213151810.2301480-1-ardb@kernel.org>

Add a library call to obtain the start and end of the region covered by relocation fixups. This will be used in a future patch to limit the range of memory that needs to be remapped with read-write-execute permissions at ExitBootServices() time.

Signed-off-by: Ard Biesheuvel --- MdePkg/Include/Library/PeCoffLib.h | 25 ++++++ MdePkg/Library/BasePeCoffLib/BasePeCoff.c | 83 +++++++++++++++++++- 2 files changed, 107 insertions(+), 1 deletion(-) diff --git a/MdePkg/Include/Library/PeCoffLib.h b/MdePkg/Include/Library/Pe= CoffLib.h index b45879453785..3706c8a4e858 100644 --- a/MdePkg/Include/Library/PeCoffLib.h 
+++ b/MdePkg/Include/Library/PeCoffLib.h @@ -382,4 +382,29 @@ PeCoffLoaderUnloadImage ( IN OUT PE_COFF_LOADER_IMAGE_CONTEXT *ImageContext ); =20 +/** + Retrieve the range subject to relocation fixups from the recorded fixup = data + of a runtime image + + @param ImageBase The base address of a PE/COFF image tha= t has been loaded + and relocated into system memory. + @param VirtImageBase The request virtual address that the PE= /COFF image is to + be fixed up for. + @param ImageSize The size, in bytes, of the PE/COFF imag= e. + @param RelocationData A pointer to the relocation data that w= as collected when the + PE/COFF image was relocated using PeCof= fLoaderRelocateImage(). + @param[out] RelocationRangeMin The start of the relocated range. + @param[out] RelocationRangeMax The end of the relocated range. + +**/ +VOID +EFIAPI +PeCoffLoaderGetRelocationRange ( + IN PHYSICAL_ADDRESS ImageBase, + IN UINTN ImageSize, + IN VOID *RelocationData, + OUT PHYSICAL_ADDRESS *RelocationRangeMin, + OUT PHYSICAL_ADDRESS *RelocationRangeMax + ); + #endif diff --git a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c b/MdePkg/Library/Bas= ePeCoffLib/BasePeCoff.c index 97a8aaf8c73d..10f3d04d2490 100644 --- a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c +++ b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c @@ -936,6 +936,8 @@ PeCoffLoaderRelocateImage ( PHYSICAL_ADDRESS BaseAddress; UINT32 NumberOfRvaAndSizes; UINT32 TeStrippedOffset; + PHYSICAL_ADDRESS *RelocRangeStart; + PHYSICAL_ADDRESS *RelocRangeEnd; =20 ASSERT (ImageContext !=3D NULL); =20 
@@ -1043,6 +1045,21 @@ PeCoffLoaderRelocateImage ( // Run the relocation information and apply the fixups // FixupData =3D ImageContext->FixupData; + if (FixupData !=3D NULL) { + FixupData =3D ALIGN_POINTER (FixupData, sizeof (PHYSICAL_ADDRESS)); + + // + // Use the first two UINT64s in the fixup data to keep track of the = start + // and end of the region that is subject to relocation fixups. + // + RelocRangeStart =3D (PHYSICAL_ADDRESS *)FixupData; + RelocRangeEnd =3D RelocRangeStart + 1; + FixupData +=3D 2 * sizeof (PHYSICAL_ADDRESS); + + *RelocRangeStart =3D MAX_UINT64; + *RelocRangeEnd =3D 0; + } + while ((UINTN)RelocBase < (UINTN)RelocBaseEnd) { Reloc =3D (UINT16 *)((CHAR8 *)RelocBase + sizeof (EFI_IMAGE_BASE_REL= OCATION)); // @@ -1070,6 +1087,14 @@ PeCoffLoaderRelocateImage ( return RETURN_LOAD_ERROR; } =20 + // + // Capture this page in the recorded relocation range + // + if (FixupData !=3D NULL) { + *RelocRangeStart =3D MIN (*RelocRangeStart, (UINTN)FixupBase); + *RelocRangeEnd =3D MAX (*RelocRangeEnd, (UINTN)FixupBase + SIZE_= 4KB); + } + // // Run this relocation record // @@ -1470,6 +1495,9 @@ PeCoffLoaderLoadImage ( // ImageContext->FixupData =3D NULL; =20 + // Add two UINT64s at the start to carry the min/max of the relocated ra= nge + ImageContext->FixupDataSize +=3D 2 * sizeof (PHYSICAL_ADDRESS); + // // Load the Codeview information if present // @@ -1824,7 +1852,8 @@ PeCoffLoaderRelocateImageForRuntime ( // by code will not be fixed up, since that would set them back to // defaults. // - FixupData =3D RelocationData; + FixupData =3D ALIGN_POINTER (RelocationData, sizeof (PHYSICAL_ADDR= ESS)); + FixupData +=3D 2 * sizeof (PHYSICAL_ADDRESS); RelocBaseOrig =3D RelocBase; while ((UINTN)RelocBase < (UINTN)RelocBaseEnd) { // 
@@ -1994,3 +2023,55 @@ PeCoffLoaderUnloadImage ( PeCoffLoaderUnloadImageExtraAction (ImageContext); return RETURN_SUCCESS; } + +/** + Retrieve the range subject to relocation fixups from the recorded fixup = data + of a runtime image + + @param ImageBase The base address of a PE/COFF image tha= t has been loaded + and relocated into system memory. + @param VirtImageBase The request virtual address that the PE= /COFF image is to + be fixed up for. + @param ImageSize The size, in bytes, of the PE/COFF imag= e. + @param RelocationData A pointer to the relocation data that w= as collected when the + PE/COFF image was relocated using PeCof= fLoaderRelocateImage(). + @param[out] RelocationRangeMin The start of the relocated range. + @param[out] RelocationRangeMax The end of the relocated range. + +**/ +VOID +EFIAPI +PeCoffLoaderGetRelocationRange ( + IN PHYSICAL_ADDRESS ImageBase, + IN UINTN ImageSize, + IN VOID *RelocationData, + OUT PHYSICAL_ADDRESS *RelocationRangeMin, + OUT PHYSICAL_ADDRESS *RelocationRangeMax + ) +{ + PHYSICAL_ADDRESS *FixupData; + + if ((RelocationData =3D=3D NULL) || (ImageBase =3D=3D 0x0)) { + return; + } + + FixupData =3D ALIGN_POINTER (RelocationData, sizeof (PHYSICAL_ADDRESS)); + + if ((FixupData[0] =3D=3D MAX_UINT64) && (FixupData[1] =3D=3D 0)) { + // No fixups recorded + *RelocationRangeMin =3D ImageBase; + *RelocationRangeMax =3D ImageBase; + return; + } + + if ((FixupData[0] < ImageBase) || + (FixupData[1] > (ImageBase + ImageSize))) { + ASSERT (FALSE); + *RelocationRangeMin =3D ImageBase; + *RelocationRangeMax =3D ImageBase + ImageSize; + return; + } + + *RelocationRangeMin =3D FixupData[0]; + *RelocationRangeMax =3D FixupData[1]; +} --=20 2.39.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. 
From: "Ard Biesheuvel"
To: devel@edk2.groups.io
Cc: Ard Biesheuvel, Michael Kinney, Liming Gao, Jiewen Yao, Michael Kubacki, Sean Brogan, Rebecca Cran, Leif Lindholm, Sami Mujawar, Taylor Beebe, Matthew Garrett, Peter Jones, Kees Cook
Subject: [edk2-devel] [RFC 04/13] MdeModulePkg/DxeIpl: Avoid shadowing IPL PEIM by default
Date: Mon, 13 Feb 2023 16:18:01 +0100
Message-Id: <20230213151810.2301480-5-ardb@kernel.org>
In-Reply-To: <20230213151810.2301480-1-ardb@kernel.org>
References: <20230213151810.2301480-1-ardb@kernel.org>
Content-Transfer-Encoding: quoted-printable

Currently, the DXE IPL relies on permanent memory being available, but does not DEPEX on the associated PPI. Instead, it registers for PEIM shadowing, and only proceeds when running shadowed, and this implies that permanent memory has been installed. While PEIM shadowing is typically good for performance, there are reasons why we might prefer to avoid it, e.g., when running under virtualization in a mode where the write protection of the ROM is an advantage from a safety PoV, and where the performance is identical.
This is especially true when code executing from ordinary RAM needs some additional work to be executable, like when enabling WXN on ARM, which only permits execution from memory that is mapped read-only. So permit DXE IPL to run unshadowed, based on the existing PCD that decides whether or not shadowing is preferred. While making this behavior depend on this PCD is strictly redundant (as the IPL PEIM will be shadowed anyway, even if RegisterForShadow() is not called), let's test it anyway to avoid modifying the behavior on existing platforms. Signed-off-by: Ard Biesheuvel --- MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf | 5 +++- MdeModulePkg/Core/DxeIplPeim/DxeLoad.c | 24 +++++++++++--------- 2 files changed, 17 insertions(+), 12 deletions(-) diff --git a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf b/MdeModulePkg/Core/Dx= eIplPeim/DxeIpl.inf index 052ea0ec1a6f..62821477d012 100644 --- a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf +++ b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf @@ -112,6 +112,9 @@ [FeaturePcd.X64] [FeaturePcd] gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplSupportUefiDecompress ## CONSUMES =20 +[Pcd] + gEfiMdeModulePkgTokenSpaceGuid.PcdShadowPeimOnBoot ## CONSUMES + [Pcd.IA32,Pcd.X64] gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable ##= SOMETIMES_CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask ##= CONSUMES @@ -128,7 +131,7 @@ [Pcd.IA32,Pcd.X64,Pcd.ARM,Pcd.AARCH64] gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy ## SOMETIM= ES_CONSUMES =20 [Depex] - gEfiPeiLoadFilePpiGuid AND gEfiPeiMasterBootModePpiGuid + gEfiPeiLoadFilePpiGuid AND gEfiPeiMasterBootModePpiGuid AND gEfiPeiMemor= yDiscoveredPpiGuid =20 # # [BootMode] diff --git a/MdeModulePkg/Core/DxeIplPeim/DxeLoad.c b/MdeModulePkg/Core/Dxe= IplPeim/DxeLoad.c index 2c19f1a507ba..228d39a618d3 100644 --- a/MdeModulePkg/Core/DxeIplPeim/DxeLoad.c +++ b/MdeModulePkg/Core/DxeIplPeim/DxeLoad.c 
@@ -77,18 +77,20 @@ PeimInitializeDxeIpl ( BootMode =3D GetBootModeHob (); =20 if (BootMode !=3D BOOT_ON_S3_RESUME) { - Status =3D PeiServicesRegisterForShadow (FileHandle); - if (Status =3D=3D EFI_SUCCESS) { - // - // EFI_SUCESS means it is the first time to call register for shadow. - // - return Status; - } + if (PcdGetBool (PcdShadowPeimOnBoot)) { + Status =3D PeiServicesRegisterForShadow (FileHandle); + if (Status =3D=3D EFI_SUCCESS) { + // + // EFI_SUCESS means it is the first time to call register for shad= ow. + // + return Status; + } =20 - // - // Ensure that DXE IPL is shadowed to permanent memory. - // - ASSERT (Status =3D=3D EFI_ALREADY_STARTED); + // + // Ensure that DXE IPL is shadowed to permanent memory. + // + ASSERT (Status =3D=3D EFI_ALREADY_STARTED); + } =20 // // DXE core load requires permanent memory. --=20 2.39.1
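Review bot: The [Depex] change in DxeIpl.inf is not guarded by PcdShadowPeimOnBoot, so platforms that keep shadowing enabled also pick up the extra gEfiPeiMemoryDiscoveredPpiGuid dependency, while the commit message says the PCD test exists to avoid modifying the behavior on existing platforms. Please state in the commit message that the dispatch condition changes for every platform, and whether any platform is known to rely on DXE IPL being dispatched before permanent memory is installed.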
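Review bot: In the DxeLoad.c hunk, when PcdShadowPeimOnBoot is FALSE the new "if (PcdGetBool (PcdShadowPeimOnBoot))" block is skipped and nothing in PeimInitializeDxeIpl() checks that permanent memory exists before the code under "DXE core load requires permanent memory" runs; that guarantee now comes only from the gEfiPeiMemoryDiscoveredPpiGuid term added to [Depex]. A short comment at the PcdGetBool() test saying so would keep the two files from drifting apart, and since the comment block is being re-indented anyway, the "EFI_SUCESS" typo could be fixed in the same change.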
From: "Ard Biesheuvel"
To: devel@edk2.groups.io
Cc: Ard Biesheuvel, Michael Kinney, Liming Gao, Jiewen Yao, Michael Kubacki, Sean Brogan, Rebecca Cran, Leif Lindholm, Sami Mujawar, Taylor Beebe, Matthew Garrett, Peter Jones, Kees Cook
Subject: [edk2-devel] [RFC 05/13] MdeModulePkg/DxeIpl AARCH64: Remap DXE core code section before launch
Date: Mon, 13 Feb 2023 16:18:02 +0100
Message-Id: <20230213151810.2301480-6-ardb@kernel.org>
In-Reply-To: <20230213151810.2301480-1-ardb@kernel.org>
References: <20230213151810.2301480-1-ardb@kernel.org>
Content-Transfer-Encoding: quoted-printable

To permit the platform to adopt a stricter policy when it comes to memory protections, and map all memory XP by default, add the necessary handling to the DXE IPL PEIM to ensure that the DXE core code section is mapped executable before invoking the DXE core. It is up to the DXE core itself to manage the executable permissions on other DXE and UEFI drivers and applications that it dispatches. Note that this requires that the DXE IPL executes non-shadowed from a FV that is mapped executable.
Signed-off-by: Ard Biesheuvel --- MdeModulePkg/Core/DxeIplPeim/Arm/DxeLoadFunc.c | 69 ++++++++++++++++++++ MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf | 1 + 2 files changed, 70 insertions(+) diff --git a/MdeModulePkg/Core/DxeIplPeim/Arm/DxeLoadFunc.c b/MdeModulePkg/= Core/DxeIplPeim/Arm/DxeLoadFunc.c index f62b6dcb38a7..21eac2851554 100644 --- a/MdeModulePkg/Core/DxeIplPeim/Arm/DxeLoadFunc.c +++ b/MdeModulePkg/Core/DxeIplPeim/Arm/DxeLoadFunc.c 
@@ -11,6 +11,69 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include "DxeIpl.h" =20 #include +#include + +STATIC +VOID +RemapDxeCoreCodeReadOnly ( + IN EFI_PHYSICAL_ADDRESS DxeCoreEntryPoint, + IN EFI_PEI_HOB_POINTERS HobList + ) +{ + EFI_PEI_HOB_POINTERS Hob; + EFI_HOB_MEMORY_ALLOCATION *ModuleHob; + PE_COFF_LOADER_IMAGE_CONTEXT ImageContext; + RETURN_STATUS Status; + EFI_IMAGE_OPTIONAL_HEADER_PTR_UNION Hdr; + EFI_IMAGE_SECTION_HEADER *Section; + UINTN Index; + + ImageContext.ImageRead =3D PeCoffLoaderImageReadFromMemory; + ImageContext.Handle =3D NULL; + + // + // Find the module HOB for the DXE core + // + for (Hob.Raw =3D HobList.Raw; !END_OF_HOB_LIST (Hob); Hob.Raw =3D GET_NE= XT_HOB (Hob)) { + if (GET_HOB_TYPE (Hob) =3D=3D EFI_HOB_TYPE_MEMORY_ALLOCATION) { + ModuleHob =3D Hob.MemoryAllocation; + if ((ModuleHob->AllocDescriptor.MemoryBaseAddress <=3D DxeCoreEntryP= oint && + ((ModuleHob->AllocDescriptor.MemoryBaseAddress + ModuleHob->Allo= cDescriptor.MemoryLength) > DxeCoreEntryPoint))) + { + ImageContext.Handle =3D (VOID *)(UINTN)ModuleHob->AllocDescriptor.= MemoryBaseAddress; + break; + } + } + } + + ASSERT (ImageContext.Handle !=3D NULL); + + Status =3D PeCoffLoaderGetImageInfo (&ImageContext); + ASSERT_RETURN_ERROR (Status); + + Hdr.Union =3D (EFI_IMAGE_OPTIONAL_HEADER_UNION *)((UINT8 *)ImageContext.= Handle + + ImageContext.PeCoffHeade= rOffset); + ASSERT (Hdr.Pe32->Signature =3D=3D EFI_IMAGE_NT_SIGNATURE); + + Section =3D (EFI_IMAGE_SECTION_HEADER *)((UINT8 *)Hdr.Union + sizeof (UI= NT32) + + sizeof (EFI_IMAGE_FILE_HEADER) + + Hdr.Pe32->FileHeader.SizeOfOption= alHeader + ); + + for (Index =3D 0; Index < Hdr.Pe32->FileHeader.NumberOfSections; Index++= ) { + if ((Section[Index].Characteristics & EFI_IMAGE_SCN_CNT_CODE) !=3D 0) { + ArmSetMemoryRegionReadOnly ( + (UINTN)((UINT8 *)ImageContext.Handle + Section[Index].VirtualAdd= ress), + Section[Index].Misc.VirtualSize + ); + + ArmClearMemoryRegionNoExec ( + (UINTN)((UINT8 *)ImageContext.Handle + 
Section[Index].VirtualAdd= ress), + Section[Index].Misc.VirtualSize + ); + } + } +} =20 /** Transfers control to DxeCore. @@ -33,6 +96,12 @@ HandOffToDxeCore ( VOID *TopOfStack; EFI_STATUS Status; =20 + // + // DRAM may be mapped with non-executable permissions by default, so + // we'll need to map the DXE core code region executable explicitly. + // + RemapDxeCoreCodeReadOnly (DxeCoreEntryPoint, HobList); + // // Allocate 128KB for the Stack // diff --git a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf b/MdeModulePkg/Core/Dx= eIplPeim/DxeIpl.inf index 62821477d012..d85ca79dc0c3 100644 --- a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf +++ b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf 
@@ -82,6 +82,7 @@ [LibraryClasses] =20 [LibraryClasses.ARM, LibraryClasses.AARCH64] ArmMmuLib + PeCoffLib =20 [Ppis] gEfiDxeIplPpiGuid ## PRODUCES --=20 2.39.1
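Review bot: Every failure path in RemapDxeCoreCodeReadOnly() is an ASSERT, and the results of ArmSetMemoryRegionReadOnly() and ArmClearMemoryRegionNoExec() are discarded, so in a build where ASSERT is compiled out a failed HOB lookup hands a NULL ImageContext.Handle to PeCoffLoaderGetImageInfo(), and a failed remap goes unnoticed until control is handed to a DXE core whose code may still be mapped non-executable. Suggest checking each status and stopping (for example with CpuDeadLoop ()) on failure. The HOB loop also accepts any EFI_HOB_TYPE_MEMORY_ALLOCATION HOB that covers DxeCoreEntryPoint; comparing AllocDescriptor.Name against gEfiHobMemoryAllocModuleGuid would make sure it is the module HOB the comment refers to. Section[Index].VirtualAddress and Misc.VirtualSize are passed on without an alignment check, which deserves a comment on the section alignment the DXE core image is expected to have.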
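Review bot: The comment added in HandOffToDxeCore() talks about mapping the DXE core code region executable, while the helper it calls is named RemapDxeCoreCodeReadOnly(); the helper both sets the region read-only and clears no-exec, so either the name or the comment should mention both effects.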
From: "Ard Biesheuvel"
To: devel@edk2.groups.io
Cc: Ard Biesheuvel, Michael Kinney, Liming Gao, Jiewen Yao, Michael Kubacki, Sean Brogan, Rebecca Cran, Leif Lindholm, Sami Mujawar, Taylor Beebe, Matthew Garrett, Peter Jones, Kees Cook
Subject: [edk2-devel] [RFC 06/13] MdeModulePkg/DxeCore: Reduce range of W+X remaps at EBS time
Date: Mon, 13 Feb 2023 16:18:03 +0100
Message-Id: <20230213151810.2301480-7-ardb@kernel.org>
In-Reply-To: <20230213151810.2301480-1-ardb@kernel.org>
References: <20230213151810.2301480-1-ardb@kernel.org>
Content-Transfer-Encoding: quoted-printable

Instead of remapping all DXE runtime drivers with read-write-execute permissions entirely when ExitBootServices() is called, remap only the parts of those images that require writable access for applying relocation fixups at SetVirtualAddressMap() time. As illustrated below, this greatly reduces the footprint of those regions, which is important for safe execution. And given that the most important ISAs and toolchains split executable code from relocatable quantities, the remapped pages in question are generally not the ones that contain code as well.
On an ArmVirtQemu build, the footprint of those RWX pages is shown below. As future work, we might investigate whether we can find a way to guarantee in general that images are built in a way where executable code and relocatable data never share a 4 KiB page, in which case we could apply EFI_MEMORY_XP permissions here instead of allowing RWX.

Before:
SetUefiImageMemoryAttributes - 0x0000000047600000 - 0x0000000000050000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x0000000044290000 - 0x0000000000050000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x0000000044230000 - 0x0000000000050000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x00000000441D0000 - 0x0000000000050000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x00000000440D0000 - 0x0000000000050000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x0000000043F90000 - 0x0000000000040000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x0000000043F40000 - 0x0000000000040000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x0000000043EF0000 - 0x0000000000040000 (0x0000000000000008)

After:
SetUefiImageMemoryAttributes - 0x0000000047630000 - 0x0000000000001000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x00000000442C0000 - 0x0000000000001000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x0000000044260000 - 0x0000000000001000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x0000000044200000 - 0x0000000000001000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x0000000044100000 - 0x0000000000001000 (0x0000000000000008)

Signed-off-by: Ard Biesheuvel
--- MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c b/MdeModulePkg/C= ore/Dxe/Misc/MemoryProtection.c index 5a82eee80781..854651556de4 100644 --- a/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c +++ b/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c
@@ -1060,6 +1060,8 @@ MemoryProtectionExitBootServicesCallback ( { EFI_RUNTIME_IMAGE_ENTRY *RuntimeImage; LIST_ENTRY *Link; + PHYSICAL_ADDRESS RelocationRangeStart; + PHYSICAL_ADDRESS RelocationRangeEnd; =20 // // We need remove the RT protection, because RT relocation need write co= de segment 
@@ -1073,7 +1075,22 @@ MemoryProtectionExitBootServicesCallback ( if (mImageProtectionPolicy !=3D 0) { for (Link =3D gRuntime->ImageHead.ForwardLink; Link !=3D &gRuntime->Im= ageHead; Link =3D Link->ForwardLink) { RuntimeImage =3D BASE_CR (Link, EFI_RUNTIME_IMAGE_ENTRY, Link); - SetUefiImageMemoryAttributes ((UINT64)(UINTN)RuntimeImage->ImageBase= , ALIGN_VALUE (RuntimeImage->ImageSize, EFI_PAGE_SIZE), 0); + + PeCoffLoaderGetRelocationRange ( + (PHYSICAL_ADDRESS)(UINTN)RuntimeImage->ImageBase, + ALIGN_VALUE (RuntimeImage->ImageSize, EFI_PAGE_SIZE), + RuntimeImage->RelocationData, + &RelocationRangeStart, + &RelocationRangeEnd + ); + + if (RelocationRangeEnd > RelocationRangeStart) { + SetUefiImageMemoryAttributes ( + RelocationRangeStart, + (UINTN)(RelocationRangeEnd - RelocationRangeStart), + 0 + ); + } } } } --=20 2.39.1
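Review bot: The context comment at the end of the first hunk, "We need remove the RT protection, because RT relocation need write code segment", is left unchanged although the callback now lifts protection only from the relocation range. Please update it to describe the narrower remap and to say that the affected pages become RWX (attributes 0), as the commit message explains.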
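Review bot: RelocationRangeStart and RelocationRangeEnd are declared without initializers and PeCoffLoaderGetRelocationRange() is called with no status checked, so the "RelocationRangeEnd > RelocationRangeStart" test depends on the callee writing both outputs on every path, including a runtime image whose RelocationData is NULL or empty. The callee is not part of this hunk; either initialize both variables to 0 before the call or have the function return a status that is checked here. It would also help to state, in a comment or an ASSERT, that the returned range is page aligned, since the old call passed ALIGN_VALUE (RuntimeImage->ImageSize, EFI_PAGE_SIZE) and the new length is passed through unmodified.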
From: "Ard Biesheuvel"
To: devel@edk2.groups.io
Cc: Ard Biesheuvel, Michael Kinney, Liming Gao, Jiewen Yao, Michael Kubacki, Sean Brogan, Rebecca Cran, Leif Lindholm, Sami Mujawar, Taylor Beebe, Matthew Garrett, Peter Jones, Kees Cook
Subject: [edk2-devel] [RFC 07/13] MdeModulePkg/DxeCore: Permit preliminary CPU arch fallback
Date: Mon, 13 Feb 2023 16:18:04 +0100
Message-Id: <20230213151810.2301480-8-ardb@kernel.org>
In-Reply-To: <20230213151810.2301480-1-ardb@kernel.org>
References: <20230213151810.2301480-1-ardb@kernel.org>
Content-Transfer-Encoding: quoted-printable

Store the address of the SetMemoryAttributes() member of the CPU arch protocol in a global variable, and invoke it via this variable. This by itself should not result in functional changes, but it permits platforms to provide a preliminary implementation of this member at link time, allowing the DXE core to enforce strict memory permissions even before dispatching the CPU arch protocol driver itself.

Signed-off-by: Ard Biesheuvel
--- MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c b/MdeModulePkg/C= ore/Dxe/Misc/MemoryProtection.c index 854651556de4..c29985ad3116 100644 --- a/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c +++ b/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c @@ -66,6 +66,8 @@ extern LIST_ENTRY mGcdMemorySpaceMap; =20 STATIC LIST_ENTRY mProtectedImageRecordList; =20 +EFI_CPU_SET_MEMORY_ATTRIBUTES gCpuSetMemoryAttributes; + /** Sort code section in image record, based upon CodeSegmentBase from low t= o high. =20 @@ -224,8 +226,8 @@ SetUefiImageMemoryAttributes ( =20 DEBUG ((DEBUG_INFO, "SetUefiImageMemoryAttributes - 0x%016lx - 0x%016lx = (0x%016lx)\n", BaseAddress, Length, FinalAttributes)); =20 - ASSERT (gCpu !=3D NULL); - gCpu->SetMemoryAttributes (gCpu, BaseAddress, Length, FinalAttributes); + ASSERT (gCpuSetMemoryAttributes !=3D NULL); + gCpuSetMemoryAttributes (gCpu, BaseAddress, Length, FinalAttributes); } =20 /** @@ -408,7 +410,7 @@ ProtectUefiImage ( DEBUG ((DEBUG_INFO, "ProtectUefiImageCommon - 0x%x\n", LoadedImage)); DEBUG ((DEBUG_INFO, " - 0x%016lx - 0x%016lx\n", (EFI_PHYSICAL_ADDRESS)(= UINTN)LoadedImage->ImageBase, LoadedImage->ImageSize)); =20 - if (gCpu =3D=3D NULL) { + if (gCpuSetMemoryAttributes =3D=3D NULL) { return; } =20 @@ -995,6 +997,8 @@ MemoryProtectionCpuArchProtocolNotify ( goto Done; } =20 + gCpuSetMemoryAttributes =3D gCpu->SetMemoryAttributes; + // // Apply the memory protection policy on non-BScode/RTcode regions. // @@ -1278,7 +1282,7 @@ ApplyMemoryProtectionPolicy ( // permission attributes, and it is the job of the driver that installs = this // protocol to set the permissions on existing allocations. // - if (gCpu =3D=3D NULL) { + if (gCpuSetMemoryAttributes =3D=3D NULL) { return EFI_SUCCESS; } =20 
@@ -1318,5 +1322,5 @@ ApplyMemoryProtectionPolicy ( // NewAttributes =3D GetPermissionAttributeForMemoryType (NewType); =20 - return gCpu->SetMemoryAttributes (gCpu, Memory, Length, NewAttributes); + return gCpuSetMemoryAttributes (gCpu, Memory, Length, NewAttributes); } --=20 2.39.1
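Review bot: gCpuSetMemoryAttributes is defined in MemoryProtection.c (hunk at -66,6) as a non-STATIC global with no header declaration and no comment, while its purpose, a hook that a library may set at link time before the CPU arch protocol exists, is explained only in the commit message. Please add a declaration in a shared header and a comment describing who may set it and when, so that code setting it does not need its own extern declaration.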
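Review bot: In SetUefiImageMemoryAttributes() (hunk at -224,8) the ASSERT on gCpu is replaced by one on gCpuSetMemoryAttributes, but gCpu is still passed as the first argument, and it can be NULL whenever the pointer was set before MemoryProtectionCpuArchProtocolNotify() ran. The same holds for the call in ApplyMemoryProtectionPolicy(). Please document that an early implementation must not dereference This, or pass NULL explicitly until gCpu is valid.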
From: "Ard Biesheuvel"
To: devel@edk2.groups.io
Cc: Ard Biesheuvel, Michael Kinney, Liming Gao, Jiewen Yao, Michael Kubacki, Sean Brogan, Rebecca Cran, Leif Lindholm, Sami Mujawar, Taylor Beebe, Matthew Garrett, Peter Jones, Kees Cook
Subject: [edk2-devel] [RFC 08/13] ArmPkg: Implement ArmSetMemoryOverrideLib
Date: Mon, 13 Feb 2023 16:18:05 +0100
Message-Id: <20230213151810.2301480-9-ardb@kernel.org>
In-Reply-To: <20230213151810.2301480-1-ardb@kernel.org>
References: <20230213151810.2301480-1-ardb@kernel.org>
Content-Transfer-Encoding: quoted-printable

Implement the ARM version of a NULL class library that can be overlaid on top of the DXE core to equip it right from its launch with an implementation of the CPU arch protocol member that sets type and permission attributes on memory regions. This bridges the gap between dispatch of DXE core and dispatch of the DXE driver that implements the CPU arch protocol, removing the need to rely on memory mappings that are writable and executable at the same time.
Signed-off-by: Ard Biesheuvel --- ArmPkg/Library/ArmSetMemoryOverrideLib/ArmSetMemoryOverrideLib.c | 56 ++= ++++++++++++++++++ ArmPkg/Library/ArmSetMemoryOverrideLib/ArmSetMemoryOverrideLib.inf | 25 ++= +++++++ 2 files changed, 81 insertions(+) diff --git a/ArmPkg/Library/ArmSetMemoryOverrideLib/ArmSetMemoryOverrideLib= .c b/ArmPkg/Library/ArmSetMemoryOverrideLib/ArmSetMemoryOverrideLib.c new file mode 100644 index 000000000000..d2a9bc96be35 --- /dev/null +++ b/ArmPkg/Library/ArmSetMemoryOverrideLib/ArmSetMemoryOverrideLib.c @@ -0,0 +1,56 @@ +/** @file + Copyright (c) 2023, Google LLC. All rights reserved. + + SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + +#include + +#include +#include +#include + +extern EFI_CPU_SET_MEMORY_ATTRIBUTES gCpuSetMemoryAttributes; + +STATIC UINTN mRecursionLevel; + +STATIC +EFI_STATUS +EFIAPI +EarlyArmSetMemoryAttributes ( + IN EFI_CPU_ARCH_PROTOCOL *This, + IN EFI_PHYSICAL_ADDRESS BaseAddress, + IN UINT64 Length, + IN UINT64 Attributes + ) +{ + EFI_STATUS Status; + + // There are cases where the use of strict memory permissions may trigger + // unbounded recursion in the page table code. This happens when setting + // memory permissions results in a page table split and therefore a page + // allocation, which could trigger a recursive invocation of this functi= on. + ASSERT (mRecursionLevel < 2); + + mRecursionLevel++; + + Status =3D ArmSetMemoryAttributes ( + BaseAddress, + Length, + Attributes + ); + + mRecursionLevel--; + return Status; +} + +RETURN_STATUS +EFIAPI +ArmSetMemoryOverrideLibConstructor ( + VOID + ) +{ + gCpuSetMemoryAttributes =3D EarlyArmSetMemoryAttributes; + + return RETURN_SUCCESS; +} diff --git a/ArmPkg/Library/ArmSetMemoryOverrideLib/ArmSetMemoryOverrideLib= .inf b/ArmPkg/Library/ArmSetMemoryOverrideLib/ArmSetMemoryOverrideLib.inf new file mode 100644 index 000000000000..f07da3dd2d15 --- /dev/null +++ b/ArmPkg/Library/ArmSetMemoryOverrideLib/ArmSetMemoryOverrideLib.inf 
@@ -0,0 +1,25 @@ +#/** @file +# Copyright (c) 2023, Google LLC. All rights reserved. +# +# SPDX-License-Identifier: BSD-2-Clause-Patent +#**/ + +[Defines] + INF_VERSION =3D 1.29 + BASE_NAME =3D ArmSetMemoryOverrideLib + FILE_GUID =3D 849a43c0-6ad9-428e-8a5a-e090f7853bd3 + MODULE_TYPE =3D BASE + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D NULL|DXE_CORE + CONSTRUCTOR =3D ArmSetMemoryOverrideLibConstructor + +[Sources.common] + ArmSetMemoryOverrideLib.c + +[Packages] + ArmPkg/ArmPkg.dec + MdePkg/MdePkg.dec + +[LibraryClasses] + ArmMmuLib + DebugLib --=20 2.39.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#100095): https://edk2.groups.io/g/devel/message/100095 Mute This Topic: https://groups.io/mt/96937487/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 17 07:07:47 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+100096+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+100096+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=kernel.org ARC-Seal: i=1; a=rsa-sha256; t=1676301537; cv=none; d=zohomail.com; s=zohoarc; b=c5ySBEh0XthuQc6ITVzO70MMwB6rxDuAd0yi30RcIcQLUCpOAsZqy5FnhaQ2AFLfiWe5oFVxJ8nq/xMV3NaN7B3OuLlikTNMPQA4tNPtNdlomSsJHVjcfQ0K9fqYbio9VrxnVU50njiE6ReXkF8Sfxk8PjSvzsUPV6jJGDsUJAw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1676301537; 
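Review bot: in EarlyArmSetMemoryAttributes() in ArmSetMemoryOverrideLib.c (RFC 08/13), the only guard against the unbounded recursion described in the comment is ASSERT (mRecursionLevel < 2), which does nothing in builds where asserts are disabled, so such a build would keep recursing until the stack is exhausted. Consider returning an error status once the limit is reached in addition to the ASSERT, and extend the comment to say why one nested call is expected and a second is not. The extern declaration of gCpuSetMemoryAttributes would also be safer in a header shared with the module that defines it, so that a type mismatch is caught at compile time.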
From: "Ard Biesheuvel"
To: devel@edk2.groups.io
Cc: Ard Biesheuvel, Michael Kinney, Liming Gao, Jiewen Yao, Michael Kubacki, Sean Brogan, Rebecca Cran, Leif Lindholm, Sami Mujawar, Taylor Beebe, Matthew Garrett, Peter Jones, Kees Cook
Subject: [edk2-devel] [RFC 09/13] ArmVirtPkg/ArmVirtQemu: Use XP memory mappings by default
Date: Mon, 13 Feb 2023 16:18:06 +0100
Message-Id: <20230213151810.2301480-10-ardb@kernel.org>
In-Reply-To: <20230213151810.2301480-1-ardb@kernel.org>
References: <20230213151810.2301480-1-ardb@kernel.org>

Now that all the plumbing is in place, we can switch to a default policy of XP for all memory mappings straight out of reset. This reduces the risk of running with memory ranges mapped as both writable and executable at the same time. Note that this requires the overlay library to be added to the DXE core, as otherwise, it will not be able to dispatch the CPU arch protocol DXE driver (or any other DXE driver for that matter), as it would lack the ability to grant executable permissions to those executables.
Signed-off-by: Ard Biesheuvel --- ArmVirtPkg/ArmVirtQemu.dsc | 1 + ArmVirtPkg/ArmVirtQemuKernel.dsc | 1 + ArmVirtPkg/Library/QemuVirtMemInfoLib/QemuVirtMemInfoLib.c | 2 +- 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc index 0f1c6395488a..dd4c84ae6eb9 100644 --- a/ArmVirtPkg/ArmVirtQemu.dsc +++ b/ArmVirtPkg/ArmVirtQemu.dsc @@ -372,6 +372,7 @@ [Components.common] # MdeModulePkg/Core/Dxe/DxeMain.inf { + NULL|ArmPkg/Library/ArmSetMemoryOverrideLib/ArmSetMemoryOverrideLib.= inf NULL|MdeModulePkg/Library/DxeCrc32GuidedSectionExtractLib/DxeCrc32Gu= idedSectionExtractLib.inf DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf } diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKerne= l.dsc index 807c85d48285..1ea49fd32e9c 100644 --- a/ArmVirtPkg/ArmVirtQemuKernel.dsc +++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc @@ -278,6 +278,7 @@ [Components.common] # MdeModulePkg/Core/Dxe/DxeMain.inf { + NULL|ArmPkg/Library/ArmSetMemoryOverrideLib/ArmSetMemoryOverrideLib.= inf NULL|MdeModulePkg/Library/DxeCrc32GuidedSectionExtractLib/DxeCrc32Gu= idedSectionExtractLib.inf DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf } diff --git a/ArmVirtPkg/Library/QemuVirtMemInfoLib/QemuVirtMemInfoLib.c b/A= rmVirtPkg/Library/QemuVirtMemInfoLib/QemuVirtMemInfoLib.c index 9cf43f06c073..aa083cec2082 100644 --- a/ArmVirtPkg/Library/QemuVirtMemInfoLib/QemuVirtMemInfoLib.c +++ b/ArmVirtPkg/Library/QemuVirtMemInfoLib/QemuVirtMemInfoLib.c 
@@ -91,7 +91,7 @@ ArmVirtGetMemoryMap ( VirtualMemoryTable[0].PhysicalBase =3D PcdGet64 (PcdSystemMemoryBase); VirtualMemoryTable[0].VirtualBase =3D VirtualMemoryTable[0].PhysicalBas= e; VirtualMemoryTable[0].Length =3D *(UINT64 *)GET_GUID_HOB_DATA (Mem= orySizeHob); - VirtualMemoryTable[0].Attributes =3D ARM_MEMORY_REGION_ATTRIBUTE_WRITE= _BACK; + VirtualMemoryTable[0].Attributes =3D ARM_MEMORY_REGION_ATTRIBUTE_WRITE= _BACK_XP; =20 DEBUG (( DEBUG_INFO, --=20 2.39.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#100096): https://edk2.groups.io/g/devel/message/100096 Mute This Topic: https://groups.io/mt/96937488/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 17 07:07:47 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+100097+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+100097+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=kernel.org ARC-Seal: i=1; a=rsa-sha256; t=1676301542; cv=none; d=zohomail.com; s=zohoarc; b=hHY4nqNlUU6es22qgViBdW54UvCcsSjbrlaCNl13omlMaS6XLBx1BuZ9Vem+6BqRXK88PbrXd2WqNOWQz9bvqoaIgujtfQ1YTYJLMz8I0BeLEdyA+e4ijCklAq3/2UdLoqHHew+2a3/vdgpLqrrjaO5rMsGALBddaAJx7hd8QUg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1676301542; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=Y4aoHMaJcjL6zs+CumQ2lKocOTUMeooSGWnEYeu/rMc=; 
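Review bot: in ArmVirtGetMemoryMap() in QemuVirtMemInfoLib.c (RFC 09/13), the switch of VirtualMemoryTable[0].Attributes to ARM_MEMORY_REGION_ATTRIBUTE_WRITE_BACK_XP is unconditional, while the ArmSetMemoryOverrideLib overlay it depends on is wired up only in ArmVirtQemu.dsc and ArmVirtQemuKernel.dsc. Per the commit message, a DXE core without the overlay cannot dispatch any DXE driver, so any other platform description that consumes this library would stop booting with no build-time diagnostic. Please add a comment at the assignment stating the dependency, and confirm that no other .dsc uses QemuVirtMemInfoLib.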
From: "Ard Biesheuvel"
To: devel@edk2.groups.io
Cc: Ard Biesheuvel, Michael Kinney, Liming Gao, Jiewen Yao, Michael Kubacki, Sean Brogan, Rebecca Cran, Leif Lindholm, Sami Mujawar, Taylor Beebe, Matthew Garrett, Peter Jones, Kees Cook
Subject: [edk2-devel] [RFC 10/13] ArmVirtPkg/ArmVirtQemu: Use PEI flavor of ArmMmuLib for all PEIMs
Date: Mon, 13 Feb 2023 16:18:07 +0100
Message-Id: <20230213151810.2301480-11-ardb@kernel.org>
In-Reply-To: <20230213151810.2301480-1-ardb@kernel.org>
References: <20230213151810.2301480-1-ardb@kernel.org>

The PEI flavor of the ArmMmuLib will install a HOB that exposes its implementation of the special helper routine that is used to update live entries, so that other instantiations of ArmMmuLib can invoke it. This is needed to ensure that splitting page tables using break-before-make (BBM) does not unmap the code that is performing the split. However, the BASE variety of ArmMmuLib discovers the HOB and sets a global pointer to refer to it, which is not possible in PEIMs, and so all PEIMs must use the PEI variety of this library if one does.
Signed-off-by: Ard Biesheuvel --- ArmVirtPkg/ArmVirtQemu.dsc | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc index dd4c84ae6eb9..69e51d19300d 100644 --- a/ArmVirtPkg/ArmVirtQemu.dsc +++ b/ArmVirtPkg/ArmVirtQemu.dsc @@ -107,6 +107,9 @@ [LibraryClasses.common.PEIM] Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf !endif =20 +[LibraryClasses.AARCH64.PEIM] + ArmMmuLib|ArmPkg/Library/ArmMmuLib/ArmMmuPeiLib.inf + [LibraryClasses.common.DXE_DRIVER] ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeRepor= tStatusCodeLib.inf =20 
@@ -333,12 +336,7 @@ [Components.common] ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf MdeModulePkg/Core/Pei/PeiMain.inf ArmPlatformPkg/PlatformPei/PlatformPeim.inf - ArmVirtPkg/MemoryInitPei/MemoryInitPeim.inf { - -!if $(ARCH) =3D=3D AARCH64 - ArmMmuLib|ArmPkg/Library/ArmMmuLib/ArmMmuPeiLib.inf -!endif - } + ArmVirtPkg/MemoryInitPei/MemoryInitPeim.inf ArmPkg/Drivers/CpuPei/CpuPei.inf =20 !if $(TPM2_ENABLE) =3D=3D TRUE --=20 2.39.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#100097): https://edk2.groups.io/g/devel/message/100097 Mute This Topic: https://groups.io/mt/96937489/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 17 07:07:47 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+100098+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+100098+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=kernel.org ARC-Seal: i=1; a=rsa-sha256; t=1676301543; cv=none; d=zohomail.com; s=zohoarc; b=ZDMUHGb1OY69MIrEBnnj30tLlPzhSHxEoM9ofxchGXwwZi/rC0x8hM5JiQJdZJ51FZ17vBO+liOseaFjHxXiyS6nM2u46fi5I7RZjjDvTAE9t1y1VwSW+6CUQ1kDI+2eY4Soxe0uN7Ch4vsZ+ufQbrxHLOahyBz7C3oC9L6lWqE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1676301543; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=x5eSv3kbkg2sRpevwVzSNJWQaXeLmL4j4J9D/zkNbxY=; 
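Review bot: the new [LibraryClasses.AARCH64.PEIM] section in ArmVirtQemu.dsc (RFC 10/13) carries no comment, so the constraint from the commit message (once one PEIM uses ArmMmuPeiLib.inf, all PEIMs must) is invisible to anyone who later adds a per-module ArmMmuLib override under [Components.common]. A short comment above the ArmMmuLib|ArmPkg/Library/ArmMmuLib/ArmMmuPeiLib.inf line would record it. The context of the second hunk also lists PrePeiCoreUniCore.inf and PeiMain.inf, which are not of module type PEIM; if either links ArmMmuLib it still resolves to the default instance, so please state whether that is intended.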
From: "Ard Biesheuvel"
To: devel@edk2.groups.io
Cc: Ard Biesheuvel, Michael Kinney, Liming Gao, Jiewen Yao, Michael Kubacki, Sean Brogan, Rebecca Cran, Leif Lindholm, Sami Mujawar, Taylor Beebe, Matthew Garrett, Peter Jones, Kees Cook
Subject: [edk2-devel] [RFC 11/13] ArmVirtPkg/ArmVirtQemu: Use read-only memory region type for code flash
Date: Mon, 13 Feb 2023 16:18:08 +0100
Message-Id: <20230213151810.2301480-12-ardb@kernel.org>
In-Reply-To: <20230213151810.2301480-1-ardb@kernel.org>
References: <20230213151810.2301480-1-ardb@kernel.org>

Map the code flash with read-only attributes so we can execute from it even under a memory protection regime that enables WXN, making all writable memory regions non-executable by default.
Signed-off-by: Ard Biesheuvel --- ArmVirtPkg/Library/QemuVirtMemInfoLib/QemuVirtMemInfoLib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ArmVirtPkg/Library/QemuVirtMemInfoLib/QemuVirtMemInfoLib.c b/A= rmVirtPkg/Library/QemuVirtMemInfoLib/QemuVirtMemInfoLib.c index aa083cec2082..a5324b1e4eed 100644 --- a/ArmVirtPkg/Library/QemuVirtMemInfoLib/QemuVirtMemInfoLib.c 
+++ b/ArmVirtPkg/Library/QemuVirtMemInfoLib/QemuVirtMemInfoLib.c 
@@ -115,7 +115,7 @@ ArmVirtGetMemoryMap ( VirtualMemoryTable[2].PhysicalBase =3D PcdGet64 (PcdFvBaseAddress); VirtualMemoryTable[2].VirtualBase =3D VirtualMemoryTable[2].PhysicalBas= e; VirtualMemoryTable[2].Length =3D FixedPcdGet32 (PcdFvSize); - VirtualMemoryTable[2].Attributes =3D ARM_MEMORY_REGION_ATTRIBUTE_WRITE= _BACK; + VirtualMemoryTable[2].Attributes =3D ARM_MEMORY_REGION_ATTRIBUTE_WRITE= _BACK_RO; =20 // End of Table ZeroMem (&VirtualMemoryTable[3], sizeof (ARM_MEMORY_REGION_DESCRIPTOR)); --=20 2.39.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#100098): https://edk2.groups.io/g/devel/message/100098 Mute This Topic: https://groups.io/mt/96937491/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 17 07:07:47 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+100099+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+100099+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=kernel.org ARC-Seal: i=1; a=rsa-sha256; t=1676301548; cv=none; d=zohomail.com; s=zohoarc; b=gdov4lLkaNlw5/zRT9qOAZbM1aUAiVP1pMmcwxcSjAOIGnaOh2lxE1IZq5AzFVQDmDTUf0t7isOXO5W9SF7Wfe62ojBqljbWIeO+ZWH9ytJSgWqFdoU+aYLXwmvEZxwdwYC+nmTHp0gRxQnOQaNd2FtKGmaHUmWAXcL2BhimUMU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1676301548; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; 
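Review bot: at the VirtualMemoryTable[2].Attributes assignment in ArmVirtGetMemoryMap() (RFC 11/13), the reason for ARM_MEMORY_REGION_ATTRIBUTE_WRITE_BACK_RO exists only in the commit message; a comment on that line saying the region must be read-only to remain executable once WXN is enabled would keep someone from reverting it to a writable type. The region is described by PcdFvBaseAddress and PcdFvSize, so please also confirm that on every platform using this library nothing writes inside that range after the MMU is enabled, since such a write now faults.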
From: "Ard Biesheuvel"
To: devel@edk2.groups.io
Cc: Ard Biesheuvel, Michael Kinney, Liming Gao, Jiewen Yao, Michael Kubacki, Sean Brogan, Rebecca Cran, Leif Lindholm, Sami Mujawar, Taylor Beebe, Matthew Garrett, Peter Jones, Kees Cook
Subject: [edk2-devel] [RFC 12/13] BaseTools/GccBase AARCH64: Avoid page sharing between code and data
Date: Mon, 13 Feb 2023 16:18:09 +0100
Message-Id: <20230213151810.2301480-13-ardb@kernel.org>
In-Reply-To: <20230213151810.2301480-1-ardb@kernel.org>
References: <20230213151810.2301480-1-ardb@kernel.org>

The AArch64 ARM architecture supports a hardware enforcement mode for mutual exclusion between code and data: any page that is mapped writable is implicitly non-executable as well. This means that remapping part of a runtime image for reapplying relocation fixups may result in any code sharing the same page to lose its executable permissions. Let's avoid this, by moving all quantities that are subject to relocation fixups to a separate page if the build is using 64k section alignment, which is only the case when building a runtime driver for AArch64.
Signed-off-by: Ard Biesheuvel --- BaseTools/Scripts/GccBase.lds | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/BaseTools/Scripts/GccBase.lds b/BaseTools/Scripts/GccBase.lds index 83cebd29d599..63e097e0727c 100644 --- a/BaseTools/Scripts/GccBase.lds +++ b/BaseTools/Scripts/GccBase.lds @@ -21,9 +21,8 @@ SECTIONS { . =3D PECOFF_HEADER_SIZE; =20 .text : ALIGN(CONSTANT(COMMONPAGESIZE)) { - *(.text .text.* .stub .gnu.linkonce.t.*) + *(.text .text.* .stub .gnu.linkonce.t.* .plt) *(.rodata .rodata.* .gnu.linkonce.r.*) - *(.got .got.*) =20 /* * The contents of AutoGen.c files are mostly constant from the POV of= the 
@@ -34,6 +33,16 @@ SECTIONS { * emitted GUIDs here. */ *:AutoGen.obj(.data.g*Guid) + + /* + * AArch64 runtime drivers use 64k alignment, and may run in a mode wh= ere + * mutual exclusion of RO and XP mappings are hardware enforced. In su= ch + * cases, the input sections below, which carry any quantities that are + * subject to relocation fixups at runtime, must not share a 4 KiB page + * with any code content. + */ + . =3D ALIGN(CONSTANT(COMMONPAGESIZE) > 0x1000 ? 0x1000 : 0x20); + *(.got .got.* .data.rel.ro) } =20 /* --=20 2.39.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#100099): https://edk2.groups.io/g/devel/message/100099 Mute This Topic: https://groups.io/mt/96937494/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 17 07:07:47 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+100100+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+100100+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=kernel.org ARC-Seal: i=1; a=rsa-sha256; t=1676301551; cv=none; d=zohomail.com; s=zohoarc; b=bDwnlg+6U+Z0UUYY9KPs78oMIqPbxMPMSOMnv4XdxQDp56B5uI343ub3BHPU128ouAsmh2dSmmvVQPE2+KUjav0A4MFh1hsTwpmEk8MNwmh/movnnbxbzqSQqs+VKmAcQZ/OnaKMyCd1rCst5Revt6yYahgPagE7HrVkPNGKBhE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1676301551; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; 
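Review bot: in the second GccBase.lds hunk (RFC 12/13), the expression ALIGN(CONSTANT(COMMONPAGESIZE) > 0x1000 ? 0x1000 : 0x20) uses the page-size setting as a stand-in for "AArch64 runtime driver" and leaves 0x20 unexplained; the comment should state both, because any other build that sets a common page size above 4 KiB silently gets the 4 KiB padding as well. The comment's wording "mutual exclusion of RO and XP mappings" is also hard to reconcile with the commit message, which describes writable pages becoming non-executable. Separately, the first hunk adds .plt to the .text input list, which the commit message does not mention.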
From: "Ard Biesheuvel"
To: devel@edk2.groups.io
Cc: Ard Biesheuvel, Michael Kinney, Liming Gao, Jiewen Yao, Michael Kubacki, Sean Brogan, Rebecca Cran, Leif Lindholm, Sami Mujawar, Taylor Beebe, Matthew Garrett, Peter Jones, Kees Cook
Subject: [edk2-devel] [RFC 13/13] ArmVirtPkg/ArmVirtQemu: Enable hardware enforced W^X memory permissions
Date: Mon, 13 Feb 2023 16:18:10 +0100
Message-Id: <20230213151810.2301480-14-ardb@kernel.org>
In-Reply-To: <20230213151810.2301480-1-ardb@kernel.org>
References: <20230213151810.2301480-1-ardb@kernel.org>

Enable the WXN system control bit straight out of reset when running in EL1 with the initial ID map from flash. This setting will be inherited by the page table code after it sets up the permanent boot time page tables, resulting in all memory mappings that are not explicitly mapped as read-only to be non-executable. Note that this requires runtime drivers to be built with position independent codegen, to ensure that all absolute symbol references are moved into a separate section in the binary.
Otherwise, unmapping the pages that are subject to relocation fixups at runtime (during the invocation of SetVirtualAddressMap()) could result in code mappings losing their executable permissions. Signed-off-by: Ard Biesheuvel --- ArmVirtPkg/ArmVirt.dsc.inc | 1 + ArmVirtPkg/Library/ArmPlatformLibQemu/AArch64/ArmPlatformHelper.S | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc index 5b18184be263..928dd6330edb 100644 --- a/ArmVirtPkg/ArmVirt.dsc.inc +++ b/ArmVirtPkg/ArmVirt.dsc.inc @@ -31,6 +31,7 @@ [BuildOptions.common.EDKII.DXE_CORE,BuildOptions.common.E= DKII.DXE_DRIVER,BuildOp =20 [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER] GCC:*_*_ARM_DLINK_FLAGS =3D -z common-page-size=3D0x1000 + GCC:*_*_AARCH64_CC_FLAGS =3D -fpie GCC:*_*_AARCH64_DLINK_FLAGS =3D -z common-page-size=3D0x10000 =20 [LibraryClasses.common] diff --git a/ArmVirtPkg/Library/ArmPlatformLibQemu/AArch64/ArmPlatformHelpe= r.S b/ArmVirtPkg/Library/ArmPlatformLibQemu/AArch64/ArmPlatformHelper.S index 5ac7c732f6ec..51c089a45ffc 100644 --- a/ArmVirtPkg/Library/ArmPlatformLibQemu/AArch64/ArmPlatformHelper.S +++ b/ArmVirtPkg/Library/ArmPlatformLibQemu/AArch64/ArmPlatformHelper.S 
@@ -38,7 +38,7 @@ .set SCTLR_EL1_ITD, 0x1 << 7 .set SCTLR_EL1_RES1, (0x1 << 11) | (0x1 << 20) | (0x1 << 22) | (0= x1 << 28) | (0x1 << 29) .set sctlrval, SCTLR_ELx_M | SCTLR_ELx_C | SCTLR_ELx_SA | SCTLR_EL1_IT= D | SCTLR_EL1_SED - .set sctlrval, sctlrval | SCTLR_ELx_I | SCTLR_EL1_SPAN | SCTLR_EL1_RES1 + .set sctlrval, sctlrval | SCTLR_ELx_I | SCTLR_EL1_SPAN | SCTLR_EL1_RES= 1 | SCTLR_EL1_WXN =20 =20 ASM_FUNC(ArmPlatformPeiBootAction) --=20 2.39.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#100100): https://edk2.groups.io/g/devel/message/100100 Mute This Topic: https://groups.io/mt/96937498/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
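Review bot: in ArmVirt.dsc.inc (RFC 13/13), the added GCC:*_*_AARCH64_CC_FLAGS = -fpie line has no comment tying it to SCTLR_EL1_WXN in ArmPlatformHelper.S, although the commit message says runtime drivers can lose executable permissions during SetVirtualAddressMap() without it. Please document that coupling next to the flag, and note that it covers only GCC-family builds of DXE_RUNTIME_DRIVER modules in this platform, so a runtime driver built any other way runs under WXN without the position independent layout. The definition of SCTLR_EL1_WXN is not in the visible context of the .S hunk; since that file's diffstat is a single changed line, confirm the symbol is already defined there.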