From: "Ard Biesheuvel"
To: devel@edk2.groups.io
Cc: Ard Biesheuvel, Michael Kinney, Liming Gao, Jiewen Yao, Michael Kubacki, Sean Brogan, Rebecca Cran, Leif Lindholm, Sami Mujawar, Taylor Beebe, Matthew Garrett, Peter Jones, Kees Cook
Subject: [edk2-devel] [RFC 06/13] MdeModulePkg/DxeCore: Reduce range of W+X remaps at EBS time
Date: Mon, 13 Feb 2023 16:18:03 +0100
Message-Id: <20230213151810.2301480-7-ardb@kernel.org>
In-Reply-To: <20230213151810.2301480-1-ardb@kernel.org>
References: <20230213151810.2301480-1-ardb@kernel.org>

Instead of remapping all DXE runtime drivers with read-write-execute permissions entirely when ExitBootServices() is called, remap only the parts of those images that require writable access for applying relocation fixups at SetVirtualAddressMap() time.

As illustrated below, this greatly reduces the footprint of those regions, which is important for safe execution. And given that the most important ISAs and toolchains split executable code from relocatable quantities, the remapped pages in question are generally not the ones that contain code as well.

On an ArmVirtQemu build, the footprint of those RWX pages is shown below.

As future work, we might investigate whether we can find a way to guarantee in general that images are built in a way where executable code and relocatable data never share a 4 KiB page, in which case we could apply EFI_MEMORY_XP permissions here instead of allowing RWX.

Before:

  SetUefiImageMemoryAttributes - 0x0000000047600000 - 0x0000000000050000 (0x0000000000000008)
  SetUefiImageMemoryAttributes - 0x0000000044290000 - 0x0000000000050000 (0x0000000000000008)
  SetUefiImageMemoryAttributes - 0x0000000044230000 - 0x0000000000050000 (0x0000000000000008)
  SetUefiImageMemoryAttributes - 0x00000000441D0000 - 0x0000000000050000 (0x0000000000000008)
  SetUefiImageMemoryAttributes - 0x00000000440D0000 - 0x0000000000050000 (0x0000000000000008)
  SetUefiImageMemoryAttributes - 0x0000000043F90000 - 0x0000000000040000 (0x0000000000000008)
  SetUefiImageMemoryAttributes - 0x0000000043F40000 - 0x0000000000040000 (0x0000000000000008)
  SetUefiImageMemoryAttributes - 0x0000000043EF0000 - 0x0000000000040000 (0x0000000000000008)

After:

  SetUefiImageMemoryAttributes - 0x0000000047630000 - 0x0000000000001000 (0x0000000000000008)
  SetUefiImageMemoryAttributes - 0x00000000442C0000 - 0x0000000000001000 (0x0000000000000008)
  SetUefiImageMemoryAttributes - 0x0000000044260000 - 0x0000000000001000 (0x0000000000000008)
  SetUefiImageMemoryAttributes - 0x0000000044200000 - 0x0000000000001000 (0x0000000000000008)
  SetUefiImageMemoryAttributes - 0x0000000044100000 - 0x0000000000001000 (0x0000000000000008)

Signed-off-by: Ard Biesheuvel
--- MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c b/MdeModulePkg/C= ore/Dxe/Misc/MemoryProtection.c index 5a82eee80781..854651556de4 100644 --- a/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c +++ b/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c 
@@ -1060,6 +1060,8 @@ MemoryProtectionExitBootServicesCallback ( { EFI_RUNTIME_IMAGE_ENTRY *RuntimeImage; LIST_ENTRY *Link; + PHYSICAL_ADDRESS RelocationRangeStart; + PHYSICAL_ADDRESS RelocationRangeEnd; =20 // // We need remove the RT protection, because RT relocation need write co= de segment @@ -1073,7 +1075,22 @@ MemoryProtectionExitBootServicesCallback ( if (mImageProtectionPolicy !=3D 0) { for (Link =3D gRuntime->ImageHead.ForwardLink; Link !=3D &gRuntime->Im= ageHead; Link =3D Link->ForwardLink) { RuntimeImage =3D BASE_CR (Link, EFI_RUNTIME_IMAGE_ENTRY, Link); - SetUefiImageMemoryAttributes ((UINT64)(UINTN)RuntimeImage->ImageBase= , ALIGN_VALUE (RuntimeImage->ImageSize, EFI_PAGE_SIZE), 0); + + PeCoffLoaderGetRelocationRange ( + (PHYSICAL_ADDRESS)(UINTN)RuntimeImage->ImageBase, + ALIGN_VALUE (RuntimeImage->ImageSize, EFI_PAGE_SIZE), + RuntimeImage->RelocationData, + &RelocationRangeStart, + &RelocationRangeEnd + ); + + if (RelocationRangeEnd > RelocationRangeStart) { + SetUefiImageMemoryAttributes ( + RelocationRangeStart, + (UINTN)(RelocationRangeEnd - RelocationRangeStart), + 0 + ); + } } } } --=20 2.39.1
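Review bot: The unchanged comment in the first hunk (@@ -1060,6 +1060,8 @@), "We need remove the RT protection, because RT relocation need write code segment", is stale once the second hunk lands, because the callback no longer lifts protection from the whole image and, per the commit message, the range it does open is generally not code. Please reword it to say that only the relocation range is remapped with attributes 0, and that this range stays RWX until images can be guaranteed not to mix code and relocatable data in one 4 KiB page, so the remaining W+X window is documented next to the code that creates it.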
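Review bot: In the second hunk (@@ -1073,7 +1075,22 @@) the test "RelocationRangeEnd > RelocationRangeStart" reads two locals that are declared without initializers, and nothing visible here checks whether PeCoffLoaderGetRelocationRange() succeeded, so the code depends on the helper always writing both outputs, including for an image with no usable RelocationData. Initializing both to 0 before the call, or having the helper report failure and skipping the image on error, would keep a stale stack value from deciding which pages lose their protection. Separately, the removed call rounded its length with ALIGN_VALUE (..., EFI_PAGE_SIZE) while the new call passes the raw difference "(UINTN)(RelocationRangeEnd - RelocationRangeStart)"; an ASSERT that the start and the length are multiples of EFI_PAGE_SIZE, or a comment stating that the helper returns a page-aligned range, would make that assumption explicit.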