From: Ard Biesheuvel <ardb@kernel.org>
To: Evgeniy Baskov <baskov@ispras.ru>
Cc: Borislav Petkov <bp@alien8.de>, Andy Lutomirski <luto@kernel.org>,
Dave Hansen <dave.hansen@linux.intel.com>,
Ingo Molnar <mingo@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
Thomas Gleixner <tglx@linutronix.de>,
Alexey Khoroshilov <khoroshilov@ispras.ru>,
Peter Jones <pjones@redhat.com>,
"Limonciello, Mario" <mario.limonciello@amd.com>,
joeyli <jlee@suse.com>,
lvc-project@linuxtesting.org, x86@kernel.org,
linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH v4 23/26] efi/libstub: Use memory attribute protocol
Date: Fri, 10 Mar 2023 17:13:30 +0100 [thread overview]
Message-ID: <CAMj1kXFv2V9YRgEJnMv1VrpT_TskrCUH6C09NrMO7nO3Xh3ZPQ@mail.gmail.com> (raw)
In-Reply-To: <911afebbf7c30cf0b4af003ce4a63e42e45095d1.1671098103.git.baskov@ispras.ru>
On Thu, 15 Dec 2022 at 13:42, Evgeniy Baskov <baskov@ispras.ru> wrote:
>
> Add EFI_MEMORY_ATTRIBUTE_PROTOCOL as preferred alternative to DXE
> services for changing memory attributes in the EFISTUB.
>
> Use DXE services only as a fallback in case aforementioned protocol
> is not supported by UEFI implementation.
>
> Move DXE services initialization code closer to the place they are used
> to match EFI_MEMORY_ATTRIBUTE_PROTOCOL initialization code.
>
> Tested-by: Mario Limonciello <mario.limonciello@amd.com>
> Tested-by: Peter Jones <pjones@redhat.com>
> Signed-off-by: Evgeniy Baskov <baskov@ispras.ru>
I'm not convinced about the use of the DXE services for this, and I
think we should replace this patch with changes that base all the new
protection code on the EFI memory attributes protocol only.
We introduced that DXE code to remove protections from memory that was
mapped read-only and/or non-executable, and described as such in the
GCD memory map.
Using it to manipulate restricted permissions like this is quite a
different thing, and sadly (at least in EDK2), the GCD system memory
map is not kept in sync with the updated permissions, i.e, the W^X
protections for loaded images and the NX protection for arbitrary page
allocations are both based on the PI CPU arch protocol, which
manipulates the page tables directly, but does not record the modified
attributes in the GCD or EFI memory maps, as this would result in
massive fragmentation and break lots of other things.
That means that, except for the specific use case for which we
introduced the DXE services calls, the only reliable way to figure out
what permission attributes a certain range of memory is using is the
EFI memory attributes protocol, and I don't think we should use
anything else for tightening down these protections.
> ---
> drivers/firmware/efi/libstub/mem.c | 168 ++++++++++++++++++------
> drivers/firmware/efi/libstub/x86-stub.c | 17 ---
> 2 files changed, 128 insertions(+), 57 deletions(-)
>
> diff --git a/drivers/firmware/efi/libstub/mem.c b/drivers/firmware/efi/libstub/mem.c
> index 3e47e5931f04..07d54c88c62e 100644
> --- a/drivers/firmware/efi/libstub/mem.c
> +++ b/drivers/firmware/efi/libstub/mem.c
> @@ -5,6 +5,9 @@
>
> #include "efistub.h"
>
> +const efi_dxe_services_table_t *efi_dxe_table;
> +efi_memory_attribute_protocol_t *efi_mem_attrib_proto;
> +
> /**
> * efi_get_memory_map() - get memory map
> * @map: pointer to memory map pointer to which to assign the
> @@ -129,66 +132,47 @@ void efi_free(unsigned long size, unsigned long addr)
> efi_bs_call(free_pages, addr, nr_pages);
> }
>
> -/**
> - * efi_adjust_memory_range_protection() - change memory range protection attributes
> - * @start: memory range start address
> - * @size: memory range size
> - *
> - * Actual memory range for which memory attributes are modified is
> - * the smallest ranged with start address and size aligned to EFI_PAGE_SIZE
> - * that includes [start, start + size].
> - *
> - * @return: status code
> - */
> -efi_status_t efi_adjust_memory_range_protection(unsigned long start,
> - unsigned long size,
> - unsigned long attributes)
> +static void retrieve_dxe_table(void)
> +{
> + efi_dxe_table = get_efi_config_table(EFI_DXE_SERVICES_TABLE_GUID);
> + if (efi_dxe_table &&
> + efi_dxe_table->hdr.signature != EFI_DXE_SERVICES_TABLE_SIGNATURE) {
> + efi_warn("Ignoring DXE services table: invalid signature\n");
> + efi_dxe_table = NULL;
> + }
> +}
> +
> +static efi_status_t adjust_mem_attrib_dxe(efi_physical_addr_t rounded_start,
> + efi_physical_addr_t rounded_end,
> + unsigned long attributes)
> {
> efi_status_t status;
> efi_gcd_memory_space_desc_t desc;
> - efi_physical_addr_t end, next;
> - efi_physical_addr_t rounded_start, rounded_end;
> + efi_physical_addr_t end, next, start;
> efi_physical_addr_t unprotect_start, unprotect_size;
>
> - if (efi_dxe_table == NULL)
> - return EFI_UNSUPPORTED;
> + if (!efi_dxe_table) {
> + retrieve_dxe_table();
>
> - /*
> - * This function should not be used to modify attributes
> - * other than writable/executable.
> - */
> -
> - if ((attributes & ~(EFI_MEMORY_RO | EFI_MEMORY_XP)) != 0)
> - return EFI_INVALID_PARAMETER;
> -
> - /*
> - * Disallow simultaniously executable and writable memory
> - * to inforce W^X policy if direct extraction code is enabled.
> - */
> -
> - if ((attributes & (EFI_MEMORY_RO | EFI_MEMORY_XP)) == 0) {
> - efi_warn("W^X violation at [%08lx,%08lx]\n",
> - (unsigned long)rounded_start,
> - (unsigned long)rounded_end);
> + if (!efi_dxe_table)
> + return EFI_UNSUPPORTED;
> }
>
> - rounded_start = rounddown(start, EFI_PAGE_SIZE);
> - rounded_end = roundup(start + size, EFI_PAGE_SIZE);
> -
> /*
> * Don't modify memory region attributes, they are
> * already suitable, to lower the possibility to
> * encounter firmware bugs.
> */
>
> - for (end = start + size; start < end; start = next) {
> +
> + for (start = rounded_start, end = rounded_end; start < end; start = next) {
>
> status = efi_dxe_call(get_memory_space_descriptor,
> start, &desc);
>
> if (status != EFI_SUCCESS) {
> efi_warn("Unable to get memory descriptor at %lx\n",
> - start);
> + (unsigned long)start);
> return status;
> }
>
> @@ -230,3 +214,107 @@ efi_status_t efi_adjust_memory_range_protection(unsigned long start,
>
> return EFI_SUCCESS;
> }
> +
> +static void retrieve_memory_attributes_proto(void)
> +{
> + efi_status_t status;
> + efi_guid_t guid = EFI_MEMORY_ATTRIBUTE_PROTOCOL_GUID;
> +
> + status = efi_bs_call(locate_protocol, &guid, NULL,
> + (void **)&efi_mem_attrib_proto);
> + if (status != EFI_SUCCESS)
> + efi_mem_attrib_proto = NULL;
> +}
> +
> +/**
> + * efi_adjust_memory_range_protection() - change memory range protection attributes
> + * @start: memory range start address
> + * @size: memory range size
> + *
> + * Actual memory range for which memory attributes are modified is
> + * the smallest ranged with start address and size aligned to EFI_PAGE_SIZE
> + * that includes [start, start + size].
> + *
> + * This function first attempts to use EFI_MEMORY_ATTRIBUTE_PROTOCOL,
> + * that is a part of UEFI Specification since version 2.10.
> + * If the protocol is unavailable it falls back to DXE services functions.
> + *
> + * @return: status code
> + */
> +efi_status_t efi_adjust_memory_range_protection(unsigned long start,
> + unsigned long size,
> + unsigned long attributes)
> +{
> + efi_status_t status;
> + efi_physical_addr_t rounded_start, rounded_end;
> + unsigned long attr_clear;
> +
> + /*
> + * This function should not be used to modify attributes
> + * other than writable/executable.
> + */
> +
> + if ((attributes & ~(EFI_MEMORY_RO | EFI_MEMORY_XP)) != 0)
> + return EFI_INVALID_PARAMETER;
> +
> + /*
> + * Warn if requested to make memory simultaneously
> + * executable and writable to enforce W^X policy.
> + */
> +
> + if ((attributes & (EFI_MEMORY_RO | EFI_MEMORY_XP)) == 0) {
> + efi_warn("W^X violation at [%08lx,%08lx]",
> + (unsigned long)rounded_start,
> + (unsigned long)rounded_end);
> + }
> +
> + rounded_start = rounddown(start, EFI_PAGE_SIZE);
> + rounded_end = roundup(start + size, EFI_PAGE_SIZE);
> +
> + if (!efi_mem_attrib_proto) {
> + retrieve_memory_attributes_proto();
> +
> + /* Fall back to DXE services if unsupported */
> + if (!efi_mem_attrib_proto) {
> + return adjust_mem_attrib_dxe(rounded_start,
> + rounded_end,
> + attributes);
> + }
> + }
> +
> + /*
> + * Unlike DXE services functions, EFI_MEMORY_ATTRIBUTE_PROTOCOL
> + * does not clear unset protection bit, so it needs to be cleared
> + * explcitly
> + */
> +
> + attr_clear = ~attributes &
> + (EFI_MEMORY_RO | EFI_MEMORY_XP | EFI_MEMORY_RP);
> +
> + status = efi_call_proto(efi_mem_attrib_proto,
> + clear_memory_attributes,
> + rounded_start,
> + rounded_end - rounded_start,
> + attr_clear);
> + if (status != EFI_SUCCESS) {
> + efi_warn("Failed to clear memory attributes at [%08lx,%08lx]: %lx",
> + (unsigned long)rounded_start,
> + (unsigned long)rounded_end,
> + status);
> + return status;
> + }
> +
> + status = efi_call_proto(efi_mem_attrib_proto,
> + set_memory_attributes,
> + rounded_start,
> + rounded_end - rounded_start,
> + attributes);
> + if (status != EFI_SUCCESS) {
> + efi_warn("Failed to set memory attributes at [%08lx,%08lx]: %lx",
> + (unsigned long)rounded_start,
> + (unsigned long)rounded_end,
> + status);
> + }
> +
> + return status;
> +}
> diff --git a/drivers/firmware/efi/libstub/x86-stub.c b/drivers/firmware/efi/libstub/x86-stub.c
> index 60697fcd8950..06a62b121521 100644
> --- a/drivers/firmware/efi/libstub/x86-stub.c
> +++ b/drivers/firmware/efi/libstub/x86-stub.c
> @@ -23,7 +23,6 @@
> #define MAXMEM_X86_64_4LEVEL (1ull << 46)
>
> const efi_system_table_t *efi_system_table;
> -const efi_dxe_services_table_t *efi_dxe_table;
> u32 image_offset __section(".data");
> static efi_loaded_image_t *image __section(".data");
>
> @@ -357,15 +356,6 @@ void __noreturn efi_exit(efi_handle_t handle, efi_status_t status)
> static void setup_sections_memory_protection(unsigned long image_base)
> {
> #ifdef CONFIG_EFI_DXE_MEM_ATTRIBUTES
> - efi_dxe_table = get_efi_config_table(EFI_DXE_SERVICES_TABLE_GUID);
> -
> - if (!efi_dxe_table ||
> - efi_dxe_table->hdr.signature != EFI_DXE_SERVICES_TABLE_SIGNATURE) {
> - efi_warn("Unable to locate EFI DXE services table\n");
> - efi_dxe_table = NULL;
> - return;
> - }
> -
> /* .setup [image_base, _head] */
> efi_adjust_memory_range_protection(image_base,
> (unsigned long)_head - image_base,
> @@ -732,13 +722,6 @@ asmlinkage unsigned long efi_main(efi_handle_t handle,
> if (efi_system_table->hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE)
> efi_exit(handle, EFI_INVALID_PARAMETER);
>
> - efi_dxe_table = get_efi_config_table(EFI_DXE_SERVICES_TABLE_GUID);
> - if (efi_dxe_table &&
> - efi_dxe_table->hdr.signature != EFI_DXE_SERVICES_TABLE_SIGNATURE) {
> - efi_warn("Ignoring DXE services table: invalid signature\n");
> - efi_dxe_table = NULL;
> - }
> -
> setup_sections_memory_protection(bzimage_addr - image_offset);
>
> #ifdef CONFIG_CMDLINE_BOOL
> --
> 2.37.4
>
next prev parent reply other threads:[~2023-03-10 16:20 UTC|newest]
Thread overview: 78+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-15 12:37 [PATCH v4 00/26] x86_64: Improvements at compressed kernel stage Evgeniy Baskov
2022-12-15 12:37 ` [PATCH v4 01/26] x86/boot: Align vmlinuz sections on page size Evgeniy Baskov
2023-03-10 14:43 ` Ard Biesheuvel
2023-03-11 14:30 ` Evgeniy Baskov
2023-03-11 14:42 ` Ard Biesheuvel
2022-12-15 12:37 ` [PATCH v4 02/26] x86/build: Remove RWX sections and align on 4KB Evgeniy Baskov
2023-03-10 14:45 ` Ard Biesheuvel
2023-03-11 14:31 ` Evgeniy Baskov
2022-12-15 12:37 ` [PATCH v4 03/26] x86/boot: Set cr0 to known state in trampoline Evgeniy Baskov
2023-03-10 14:48 ` Ard Biesheuvel
2022-12-15 12:37 ` [PATCH v4 04/26] x86/boot: Increase boot page table size Evgeniy Baskov
2023-03-08 9:24 ` Ard Biesheuvel
2022-12-15 12:37 ` [PATCH v4 05/26] x86/boot: Support 4KB pages for identity mapping Evgeniy Baskov
2023-03-08 9:42 ` Ard Biesheuvel
2023-03-08 16:11 ` Evgeniy Baskov
2022-12-15 12:37 ` [PATCH v4 06/26] x86/boot: Setup memory protection for bzImage code Evgeniy Baskov
2023-03-08 10:47 ` Ard Biesheuvel
2023-03-08 16:15 ` Evgeniy Baskov
2022-12-15 12:37 ` [PATCH v4 07/26] x86/build: Check W^X of vmlinux during build Evgeniy Baskov
2023-03-08 9:34 ` Ard Biesheuvel
2023-03-08 16:05 ` Evgeniy Baskov
2022-12-15 12:37 ` [PATCH v4 08/26] x86/boot: Map memory explicitly Evgeniy Baskov
2023-03-08 9:38 ` Ard Biesheuvel
2023-03-08 10:28 ` Ard Biesheuvel
2023-03-08 16:09 ` Evgeniy Baskov
2022-12-15 12:38 ` [PATCH v4 09/26] x86/boot: Remove mapping from page fault handler Evgeniy Baskov
2023-03-10 14:49 ` Ard Biesheuvel
2022-12-15 12:38 ` [PATCH v4 10/26] efi/libstub: Move helper function to related file Evgeniy Baskov
2022-12-15 12:38 ` [PATCH v4 11/26] x86/boot: Make console interface more abstract Evgeniy Baskov
2022-12-15 12:38 ` [PATCH v4 12/26] x86/boot: Make kernel_add_identity_map() a pointer Evgeniy Baskov
2023-03-10 14:52 ` Ard Biesheuvel
2023-03-11 14:34 ` Evgeniy Baskov
2022-12-15 12:38 ` [PATCH v4 13/26] x86/boot: Split trampoline and pt init code Evgeniy Baskov
2023-03-10 14:56 ` Ard Biesheuvel
2023-03-11 14:37 ` Evgeniy Baskov
2022-12-15 12:38 ` [PATCH v4 14/26] x86/boot: Add EFI kernel extraction interface Evgeniy Baskov
2022-12-15 12:38 ` [PATCH v4 15/26] efi/x86: Support extracting kernel from libstub Evgeniy Baskov
2023-03-09 16:00 ` Ard Biesheuvel
2023-03-09 17:05 ` Evgeniy Baskov
2023-03-09 16:49 ` Ard Biesheuvel
2023-03-09 17:10 ` Evgeniy Baskov
2023-03-09 17:11 ` Ard Biesheuvel
2023-03-10 15:08 ` Ard Biesheuvel
2022-12-15 12:38 ` [PATCH v4 16/26] x86/boot: Reduce lower limit of physical KASLR Evgeniy Baskov
2022-12-15 12:38 ` [PATCH v4 17/26] x86/boot: Reduce size of the DOS stub Evgeniy Baskov
2023-03-10 14:59 ` Ard Biesheuvel
2023-03-11 14:49 ` Evgeniy Baskov
2023-03-11 17:27 ` Ard Biesheuvel
2023-03-12 12:10 ` Evgeniy Baskov
2022-12-15 12:38 ` [PATCH v4 18/26] tools/include: Add simplified version of pe.h Evgeniy Baskov
2023-03-10 15:01 ` Ard Biesheuvel
2022-12-15 12:38 ` [PATCH v4 19/26] x86/build: Cleanup tools/build.c Evgeniy Baskov
2023-03-09 15:57 ` Ard Biesheuvel
2023-03-09 16:25 ` Evgeniy Baskov
2023-03-09 16:50 ` Ard Biesheuvel
2023-03-09 17:22 ` Evgeniy Baskov
2023-03-09 17:37 ` Ard Biesheuvel
2022-12-15 12:38 ` [PATCH v4 20/26] x86/build: Make generated PE more spec compliant Evgeniy Baskov
2023-03-10 15:17 ` Ard Biesheuvel
2023-03-11 15:02 ` Evgeniy Baskov
2023-03-11 17:31 ` Ard Biesheuvel
2023-03-12 12:01 ` Evgeniy Baskov
2023-03-12 13:09 ` Ard Biesheuvel
2023-03-13 9:11 ` Evgeniy Baskov
2022-12-15 12:38 ` [PATCH v4 21/26] efi/x86: Explicitly set sections memory attributes Evgeniy Baskov
2023-03-10 15:20 ` Ard Biesheuvel
2023-03-11 15:09 ` Evgeniy Baskov
2023-03-11 17:39 ` Ard Biesheuvel
2023-03-12 12:10 ` Evgeniy Baskov
2022-12-15 12:38 ` [PATCH v4 22/26] efi/libstub: Add memory attribute protocol definitions Evgeniy Baskov
2022-12-15 12:38 ` [PATCH v4 23/26] efi/libstub: Use memory attribute protocol Evgeniy Baskov
2023-03-10 16:13 ` Ard Biesheuvel [this message]
2023-03-11 15:14 ` Evgeniy Baskov
2022-12-15 12:38 ` [PATCH v4 24/26] efi/libstub: make memory protection warnings include newlines Evgeniy Baskov
2022-12-15 12:38 ` [PATCH v4 25/26] efi/x86: don't try to set page attributes on 0-sized regions Evgeniy Baskov
2022-12-15 12:38 ` [PATCH v4 26/26] efi/x86: don't set unsupported memory attributes Evgeniy Baskov
2022-12-15 19:21 ` [PATCH v4 00/26] x86_64: Improvements at compressed kernel stage Peter Jones
2022-12-19 14:08 ` Evgeniy Baskov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAMj1kXFv2V9YRgEJnMv1VrpT_TskrCUH6C09NrMO7nO3Xh3ZPQ@mail.gmail.com \
--to=ardb@kernel.org \
--cc=baskov@ispras.ru \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=jlee@suse.com \
--cc=khoroshilov@ispras.ru \
--cc=linux-efi@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=lvc-project@linuxtesting.org \
--cc=mario.limonciello@amd.com \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=pjones@redhat.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).