From: "Ard Biesheuvel"
To: devel@edk2.groups.io
Cc: Ard Biesheuvel, Michael Kinney, Liming Gao, Jiewen Yao, Michael Kubacki, Sean Brogan, Rebecca Cran, Leif Lindholm, Sami Mujawar, Taylor Beebe
Subject: [edk2-devel] [PATCH v5 19/38] MdeModulePkg/DxeCore: Reduce range of W+X remaps at EBS time
Date: Mon, 13 Mar 2023 18:16:55 +0100
Message-Id: <20230313171714.3866151-20-ardb@kernel.org>
In-Reply-To: <20230313171714.3866151-1-ardb@kernel.org>
References: <20230313171714.3866151-1-ardb@kernel.org>

Instead of remapping all DXE runtime drivers with read-write-execute permissions entirely when ExitBootServices() is called, remap only the parts of those images that require writable access for applying relocation fixups at SetVirtualAddressMap() time.

As illustrated below, this greatly reduces the footprint of those regions, which is important for safe execution. And given that the most important ISAs and toolchains split executable code from relocatable quantities, the remapped pages in question are generally not the ones that contain code as well.

On an ArmVirtQemu build, the footprint of those RWX pages is shown below.

As future work, we might investigate whether we can find a way to guarantee in general that images are built in a way where executable code and relocatable data never share a 4 KiB page, in which case we could apply EFI_MEMORY_XP permissions here instead of allowing RWX.

Before:

SetUefiImageMemoryAttributes - 0x0000000047600000 - 0x0000000000050000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x0000000044290000 - 0x0000000000050000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x0000000044230000 - 0x0000000000050000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x00000000441D0000 - 0x0000000000050000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x00000000440D0000 - 0x0000000000050000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x0000000043F90000 - 0x0000000000040000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x0000000043F40000 - 0x0000000000040000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x0000000043EF0000 - 0x0000000000040000 (0x0000000000000008)

After:

SetUefiImageMemoryAttributes - 0x0000000047630000 - 0x0000000000001000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x00000000442C0000 - 0x0000000000001000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x0000000044260000 - 0x0000000000001000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x0000000044200000 - 0x0000000000001000 (0x0000000000000008)
SetUefiImageMemoryAttributes - 0x0000000044100000 - 0x0000000000001000 (0x0000000000000008)

Signed-off-by: Ard Biesheuvel
--- MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c b/MdeModulePkg/C= ore/Dxe/Misc/MemoryProtection.c index 5a82eee80781..3e6f2b4e74cc 100644 --- a/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c +++ b/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c 
@@ -1060,6 +1060,8 @@ MemoryProtectionExitBootServicesCallback ( { EFI_RUNTIME_IMAGE_ENTRY *RuntimeImage; LIST_ENTRY *Link; + PHYSICAL_ADDRESS RelocationRangeStart; + PHYSICAL_ADDRESS RelocationRangeEnd; =20 // // We need remove the RT protection, because RT relocation need write co= de segment @@ -1073,7 +1075,22 @@ MemoryProtectionExitBootServicesCallback ( if (mImageProtectionPolicy !=3D 0) { for (Link =3D gRuntime->ImageHead.ForwardLink; Link !=3D &gRuntime->Im= ageHead; Link =3D Link->ForwardLink) { RuntimeImage =3D BASE_CR (Link, EFI_RUNTIME_IMAGE_ENTRY, Link); - SetUefiImageMemoryAttributes ((UINT64)(UINTN)RuntimeImage->ImageBase= , ALIGN_VALUE (RuntimeImage->ImageSize, EFI_PAGE_SIZE), 0); + + PeCoffLoaderGetRelocationRange ( + (PHYSICAL_ADDRESS)(UINTN)RuntimeImage->ImageBase, + (UINTN)ALIGN_VALUE (RuntimeImage->ImageSize, EFI_PAGE_SIZE), + RuntimeImage->RelocationData, + &RelocationRangeStart, + &RelocationRangeEnd + ); + + if (RelocationRangeEnd > RelocationRangeStart) { + SetUefiImageMemoryAttributes ( + RelocationRangeStart, + (UINTN)(RelocationRangeEnd - RelocationRangeStart), + 0 + ); + } } } } --=20 2.39.2
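
Review bot: The context comment kept in the first hunk ("We need remove the RT protection, because RT relocation need write code segment") no longer matches the behaviour after this change, because only the relocation range of each runtime image is remapped rather than the whole image. Suggest rewording it to say that write access is restored only for the pages that hold relocation targets, so a later reader does not assume the entire image is RWX after ExitBootServices().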
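
Review bot: In the second hunk, RelocationRangeStart and RelocationRangeEnd are declared without initializers and no result of PeCoffLoaderGetRelocationRange() is checked, so the "RelocationRangeEnd > RelocationRangeStart" test is only meaningful if the helper writes both outputs on every path, including for an image with no relocation data. Either initialize both to 0 before the call or state that guarantee in the helper's contract. The bounds are also passed straight to SetUefiImageMemoryAttributes(); the "After" log shows 4 KiB aligned bases and lengths, but an ASSERT that both bounds are EFI_PAGE_SIZE aligned would make that dependency explicit at the call site.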