From: "Ard Biesheuvel"
To: devel@edk2.groups.io
Cc: Ard Biesheuvel , Michael Kinney , Liming Gao , Jiewen Yao , Michael Kubacki , Sean Brogan , Rebecca Cran , Leif Lindholm , Sami Mujawar , Taylor Beebe
Subject: [edk2-devel] [PATCH v5 35/38] MdeModulePkg/DxeCore: Clear NX permissions on non-protected images
Date: Mon, 13 Mar 2023 18:17:11 +0100
Message-Id: <20230313171714.3866151-36-ardb@kernel.org>
In-Reply-To: <20230313171714.3866151-1-ardb@kernel.org>
References: <20230313171714.3866151-1-ardb@kernel.org>

Currently, we rely on the memory type for loading images being executable by default, and only restrict the permissions if the policy says so, and the image sections are suitably aligned. This requires that the various 'code' memory types are executable by default, which is unfortunate.

In order to be able to tighten this, let's update the image protection policy handling so that images that should not be mapped with strict separation of RW- and R-X are remapped RWX explicitly if the memory type used for loading the images is marked as NX by default.

Signed-off-by: Ard Biesheuvel --- MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c | 98 +++++++++++--------- 1 file changed, 54 insertions(+), 44 deletions(-) diff --git a/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c b/MdeModulePkg/C= ore/Dxe/Misc/MemoryProtection.c index 301ddd6eb053..7c7a946c1b48 100644 --- a/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c +++ b/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c 
@@ -373,11 +373,62 @@ ProtectUefiImage ( } =20 ProtectionPolicy =3D GetUefiImageProtectionPolicy (LoadedImage, LoadedIm= ageDevicePath); + + ImageAddress =3D LoadedImage->ImageBase; + + PdbPointer =3D PeCoffLoaderGetPdbPointer ((VOID *)(UINTN)ImageAddress); + if (PdbPointer !=3D NULL) { + DEBUG ((DEBUG_VERBOSE, " Image - %a\n", PdbPointer)); + } + switch (ProtectionPolicy) { - case DO_NOT_PROTECT: - return EFI_SUCCESS; case PROTECT_IF_ALIGNED_ELSE_ALLOW: - break; + // + // Check PE/COFF image + // + DosHdr =3D (EFI_IMAGE_DOS_HEADER *)(UINTN)ImageAddress; + PeCoffHeaderOffset =3D 0; + if (DosHdr->e_magic =3D=3D EFI_IMAGE_DOS_SIGNATURE) { + PeCoffHeaderOffset =3D DosHdr->e_lfanew; + } + + Hdr.Pe32 =3D (EFI_IMAGE_NT_HEADERS32 *)((UINT8 *)(UINTN)ImageAddress= + PeCoffHeaderOffset); + if (Hdr.Pe32->Signature !=3D EFI_IMAGE_NT_SIGNATURE) { + DEBUG ((DEBUG_INFO, "Hdr.Pe32->Signature invalid - 0x%x\n", Hdr.Pe= 32->Signature)); + // It might be image in SMM. + } else { + // + // Get SectionAlignment + // + if (Hdr.Pe32->OptionalHeader.Magic =3D=3D EFI_IMAGE_NT_OPTIONAL_HD= R32_MAGIC) { + SectionAlignment =3D Hdr.Pe32->OptionalHeader.SectionAlignment; + } else { + SectionAlignment =3D Hdr.Pe32Plus->OptionalHeader.SectionAlignme= nt; + } + + if (SectionAlignment >=3D EFI_PAGE_SIZE) { + break; + } + + DEBUG (( + DEBUG_VERBOSE, + "!!!!!!!! ProtectUefiImageCommon - Section Alignment(0x%x) is i= ncorrect !!!!!!!!\n", + SectionAlignment + )); + } + // fall through to unprotect image if needed + case DO_NOT_PROTECT: + if ((PcdGet64 (PcdDxeNxMemoryProtectionPolicy) & + LShiftU64 (1, LoadedImage->ImageCodeType)) !=3D 0) + { + SetUefiImageMemoryAttributes ( + (UINTN)LoadedImage->ImageBase, + (LoadedImage->ImageSize + EFI_PAGE_MASK) & ~(UINT64)EFI_PAGE_MAS= K, + 0 + ); + } + + return EFI_SUCCESS; default: ASSERT (FALSE); return EFI_SUCCESS; 
@@ -396,47 +447,6 @@ ProtectUefiImage ( ImageRecord->ImageBase =3D (EFI_PHYSICAL_ADDRESS)(UINTN)LoadedImage->Ima= geBase; ImageRecord->ImageSize =3D LoadedImage->ImageSize; =20 - ImageAddress =3D LoadedImage->ImageBase; - - PdbPointer =3D PeCoffLoaderGetPdbPointer ((VOID *)(UINTN)ImageAddress); - if (PdbPointer !=3D NULL) { - DEBUG ((DEBUG_VERBOSE, " Image - %a\n", PdbPointer)); - } - - // - // Check PE/COFF image - // - DosHdr =3D (EFI_IMAGE_DOS_HEADER *)(UINTN)ImageAddress; - PeCoffHeaderOffset =3D 0; - if (DosHdr->e_magic =3D=3D EFI_IMAGE_DOS_SIGNATURE) { - PeCoffHeaderOffset =3D DosHdr->e_lfanew; - } - - Hdr.Pe32 =3D (EFI_IMAGE_NT_HEADERS32 *)((UINT8 *)(UINTN)ImageAddress + P= eCoffHeaderOffset); - if (Hdr.Pe32->Signature !=3D EFI_IMAGE_NT_SIGNATURE) { - DEBUG ((DEBUG_VERBOSE, "Hdr.Pe32->Signature invalid - 0x%x\n", Hdr.Pe3= 2->Signature)); - // It might be image in SMM. - goto Finish; - } - - // - // Get SectionAlignment - // - if (Hdr.Pe32->OptionalHeader.Magic =3D=3D EFI_IMAGE_NT_OPTIONAL_HDR32_MA= GIC) { - SectionAlignment =3D Hdr.Pe32->OptionalHeader.SectionAlignment; - } else { - SectionAlignment =3D Hdr.Pe32Plus->OptionalHeader.SectionAlignment; - } - - if (SectionAlignment >=3D EFI_PAGE_SIZE) { - DEBUG (( - DEBUG_VERBOSE, - "!!!!!!!! ProtectUefiImageCommon - Section Alignment(0x%x) is incor= rect !!!!!!!!\n", - SectionAlignment - )); - goto Finish; - } - Section =3D (EFI_IMAGE_SECTION_HEADER *)( (UINT8 *)(UINTN)ImageAddress + PeCoffHeaderOffset + --=20 2.39.2 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#101139): https://edk2.groups.io/g/devel/message/101139 Mute This Topic: https://groups.io/mt/97586058/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
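Review bot: in the first hunk (@@ -373,11 +373,62 @@), the `Hdr.Pe32->Signature != EFI_IMAGE_NT_SIGNATURE` branch now falls through into `case DO_NOT_PROTECT:` and has the image range remapped with attributes 0 whenever the policy bit for `ImageCodeType` is set, whereas the code removed in the second hunk took `goto Finish` on that condition. The "It might be image in SMM." comment is carried over unchanged, so please confirm that clearing the attributes is intended on that path and say so in the comment or the commit message. The two fall-through paths also log at different levels (DEBUG_INFO for the bad signature, DEBUG_VERBOSE for the alignment failure) and neither records that the image is being left writable and executable; a single message inside `case DO_NOT_PROTECT:` giving `ImageBase` and the rounded size would make that decision auditable from the boot log. Separately, `LShiftU64 (1, LoadedImage->ImageCodeType)` uses the memory type directly as the shift count, so a check or a comment that it is always below 64 would help.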
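Review bot: in the second hunk (@@ -396,47 +447,6 @@), the removed alignment test is not moved unchanged: here `SectionAlignment >= EFI_PAGE_SIZE` printed the "Section Alignment(0x%x) is incorrect" message and took `goto Finish`, while its replacement in the first hunk uses the same comparison to `break` and carry on protecting the image. The new sense reads as the sensible one, but it is a behaviour change inside what otherwise looks like code motion, so it deserves a line in the commit message. Also, the `Section = ...` computation that follows still reads `ImageAddress` and `PeCoffHeaderOffset`, and the latter is now assigned only inside `case PROTECT_IF_ALIGNED_ELSE_ALLOW:`; a short comment at the switch stating that only that case may `break` would guard against a later policy value reaching this code with it unset.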