From: "Ard Biesheuvel"
To: devel@edk2.groups.io
Cc: Ard Biesheuvel, Michael Kinney, Liming Gao, Jiewen Yao, Michael Kubacki, Sean Brogan, Rebecca Cran, Leif Lindholm, Sami Mujawar, Taylor Beebe
Subject: [edk2-devel] [PATCH v5 37/38] MdeModulePkg/DxeCore: Check NX compat when using restricted code regions
Date: Mon, 13 Mar 2023 18:17:13 +0100
Message-Id: <20230313171714.3866151-38-ardb@kernel.org>
In-Reply-To: <20230313171714.3866151-1-ardb@kernel.org>
References: <20230313171714.3866151-1-ardb@kernel.org>

We currently do not permit the various 'code' type regions to be covered
by the NX memory policy, and so allocations of such types are created as
both writable and executable before being populated with executable code.

Before adding the ability to protect those regions as well, let's make
sure that the images in question are compatible with such a policy, and
have the NX_COMPAT DLL flag set in the PE/COFF header.

Signed-off-by: Ard Biesheuvel
---
 MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c | 38 ++++++++++++++++++--
 1 file changed, 36 insertions(+), 2 deletions(-)
diff --git a/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c b/MdeModulePkg/C= ore/Dxe/Misc/MemoryProtection.c index bce211a09c3e..91a04ac2ac0b 100644 --- a/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c +++ b/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c @@ -364,6 +364,7 @@ ProtectUefiImage ( CHAR8 *PdbPointer; IMAGE_PROPERTIES_RECORD_CODE_SECTION *ImageRecordCodeSection; UINT32 ProtectionPolicy; + UINT16 DllCharacteristics; =20 DEBUG ((DEBUG_INFO, "ProtectUefiImageCommon - 0x%x\n", LoadedImage)); DEBUG ((DEBUG_INFO, " - 0x%016lx - 0x%016lx\n", (EFI_PHYSICAL_ADDRESS)(= UINTN)LoadedImage->ImageBase, LoadedImage->ImageSize)); 
@@ -401,9 +402,34 @@ ProtectUefiImage ( // Get SectionAlignment // if (Hdr.Pe32->OptionalHeader.Magic =3D=3D EFI_IMAGE_NT_OPTIONAL_HD= R32_MAGIC) { - SectionAlignment =3D Hdr.Pe32->OptionalHeader.SectionAlignment; + SectionAlignment =3D Hdr.Pe32->OptionalHeader.SectionAlignment; + DllCharacteristics =3D Hdr.Pe32->OptionalHeader.DllCharacteristi= cs; } else { - SectionAlignment =3D Hdr.Pe32Plus->OptionalHeader.SectionAlignme= nt; + SectionAlignment =3D Hdr.Pe32Plus->OptionalHeader.SectionAlign= ment; + DllCharacteristics =3D Hdr.Pe32Plus->OptionalHeader.DllCharacter= istics; + } + + // + // If the NX memory policy applies to the code memory region type = used + // for this image, ensure that the image has the NX compat flag se= t, + // which means that the program's logic does not assume that memory + // allocations are mapped both writable and executable at the same= time. + // Also ensure that the section alignment is sufficient, as otherw= ise, + // the image's code and data sections might share a page that would + // require a mapping that is both writable and executable. + // + if ((LoadedImage !=3D gDxeCoreLoadedImage) && + (GetImageType (LoadedImageDevicePath) !=3D IMAGE_FROM_FV) && + (((DllCharacteristics & EFI_IMAGE_DLLCHARACTERISTICS_NX_COMPAT= ) =3D=3D 0) || + (SectionAlignment < EFI_PAGE_SIZE)) && + (PcdGet64 (PcdDxeNxMemoryProtectionPolicy) & + LShiftU64 (1, LoadedImage->ImageCodeType)) !=3D 0) { + + DEBUG (( + DEBUG_VERBOSE, + "!!!!!!!! ProtectUefiImageCommon - Image does not comply with= NX policy for code memory region type !!!!!!!!\n" + )); + return EFI_UNSUPPORTED; } =20 if (SectionAlignment >=3D EFI_PAGE_SIZE) { 
@@ -1154,12 +1180,20 @@ CoreInitializeMemoryProtection ( // Sanity check the PcdDxeNxMemoryProtectionPolicy setting: // - EfiConventionalMemory and EfiBootServicesData should use the // same attribute + // - the image protection policy must cover 3rd party images if + // any code memory types are being mapped NX by default // ASSERT ( GetPermissionAttributeForMemoryType (EfiBootServicesData) =3D=3D GetPermissionAttributeForMemoryType (EfiConventionalMemory) ); =20 + if (((GetPermissionAttributeForMemoryType (EfiLoaderCode) | + GetPermissionAttributeForMemoryType (EfiBootServicesCode) | + GetPermissionAttributeForMemoryType (EfiRuntimeServicesCode)) & EF= I_MEMORY_XP) !=3D 0) { + ASSERT ((mImageProtectionPolicy & BIT0) =3D=3D BIT0); + } + Status =3D CoreCreateEvent ( EVT_NOTIFY_SIGNAL, TPL_CALLBACK, --=20 2.39.2
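
Review bot: In the @@ -401,9 +402,34 @@ hunk of ProtectUefiImage, the rejection path logs at DEBUG_VERBOSE immediately before return EFI_UNSUPPORTED, so a build whose debug print level excludes verbose output refuses the image without leaving any trace in the log. A policy refusal of a third-party image is something an integrator needs to see, so DEBUG_ERROR or DEBUG_WARN fits better here. The message also does not say which of the two tested conditions failed: the missing EFI_IMAGE_DLLCHARACTERISTICS_NX_COMPAT bit or SectionAlignment < EFI_PAGE_SIZE. Printing DllCharacteristics and SectionAlignment in the message would let the reader tell them apart. As a style point, the blank line directly after the opening brace of the if can be dropped.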
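
Review bot: In the @@ -1154,12 +1180,20 @@ hunk of CoreInitializeMemoryProtection, the new rule that the comment states as a "must" is enforced only through ASSERT ((mImageProtectionPolicy & BIT0) == BIT0), and ASSERT is compiled out when assertions are disabled. A platform that maps EfiLoaderCode, EfiBootServicesCode or EfiRuntimeServicesCode with EFI_MEMORY_XP while leaving BIT0 of the image protection policy clear therefore gets no diagnostic in such a build. Consider adding a DEBUG_ERROR message, or an explicit runtime check, next to the ASSERT, and stating the dependency in the description of PcdDxeNxMemoryProtectionPolicy so that it is visible where the PCD is configured.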