From: Ard Biesheuvel
To: Matt Fleming
Cc: Ingo Molnar, Borislav Petkov, Stephen Smalley, x86@kernel.org, linux-kernel@vger.kernel.org, Kees Cook, Thomas Gleixner, H. Peter Anvin, Peter Zijlstra, Andy Lutomirski, Denys Vlasenko, Brian Gerst, linux-efi@vger.kernel.org
Date: Mon, 12 Oct 2015 18:43:44 +0200
Subject: Re: [PATCH v2] x86/mm: warn on W+x mappings
In-Reply-To: <20151012155028.GH2579@codeblueprint.co.uk>

On 12 October 2015 at 17:50, Matt Fleming wrote:
> On Mon, 12 Oct, at 05:34:53PM, Ard Biesheuvel wrote:
>>
>> On arm64, we only map in all of the UEFI runtime services regions
>> during the time any of these services are being invoked. I think this
>> should be mostly feasible on x86 as well, although it would involve
>> yet another rewrite of the EFI region mapping code, and most likely a
>> long list of quirks for platforms that are not able to deal with it
>> correctly for one reason or the other (but that all come down to: 'if
>> you are not doing it like Windows does it, you must be doing it
>> wrong').
>
> Actually, we use separate page tables for mapping the EFI runtime
> services on x86 right now. These tables are only used when making
> runtime calls, just like on arm64.
>
> So we've got a little bit of isolation right now.
>

Ah, OK. I thought that only applied to the duplicate 1:1 mapping, not
to the high mapping. But that does reduce the attack surface
considerably. Combined with strict w^x once the UEFI 2.5 feature is
fully supported, I am a lot less nervous about RWX EFI runtime regions
being used to subvert the system.

--
Ard.