Received: by 2002:a05:6359:c8b:b0:c7:702f:21d4 with SMTP id go11csp1071486rwb; Fri, 23 Sep 2022 07:53:58 -0700 (PDT) X-Google-Smtp-Source: AMsMyM5kXBcuj8FNlK8jSmoqvjavC5KFMWYCj5QcbLWQwZW0T2QS0bohWvJPDueNAUAgciVGie3R X-Received: by 2002:a17:907:3207:b0:741:3a59:738d with SMTP id xg7-20020a170907320700b007413a59738dmr7448401ejb.110.1663944838556; Fri, 23 Sep 2022 07:53:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1663944838; cv=none; d=google.com; s=arc-20160816; b=OHSKT92CX8FV1iUSpVADa2C6A//4lat0oFOB9YuR6C4WHjkpm/r0QSNHI2CqrofeFN JqaUDhhhAGapKvp5UeFdyW6gQEgtnz8s4XzrM2MBauzFQJN9oql2iF6NJUtPXhIc/JM/ q+zcV9f+g2Ii5jPyQ0nh3B5g5wOMrmRDlg7OL++3iLzO+kn+FdcP/mCChQsGkGxOdUsz q3SWsDQ/WMlx7AQIM4LXuLfooRxdalfUEDIoJTtAXZXdJzlGEzLiUD61SnN3j9yGoTHz MX3klMki4LAT9e9u7oH26raoHvm3AzlKR24R/kfC3KD6jWWF1gZD42sO91P1MnZr8FwH saQw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=2XcBEi6sl5jLoQf2kpZ1tFVwF2yN3kZuQICilWnHJOo=; b=CHWDoOVh/XEcz8YPsFe+c6ZXV7jbU8qqpzqU8RGJyqL6Odg1ISrpR+5t2IscjudGff 8GgWwAYuN/zCL6kxgffuAcOIcJEnB2FMFY0EE7ox8BeJ2NtHk0VOZbCgKRDNGJUYluSg 2NQjgyemFmLgugLWtW3dZc8S7X06BcUZ2PnpQSaCOo2+TFpVcx5jDCtwnWpfGBcCrt2Q /xRh/VUkx6ar7O8rWwBouWOWVJgNXI+JfSXSEARg2AM3mNfyUS1+fEVv11LHjmuEQckK zEZ/B21Cv0fxxIX5ed8iF2UXSU1LizM+clBUnI5vnDqZxyPOgqO98oe8JBhXjmt4fjol bSUQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=XYsZ9J+m; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id di17-20020a170906731100b007317ad1f9a4si4087688ejc.310.2022.09.23.07.53.30; Fri, 23 Sep 2022 07:53:58 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=XYsZ9J+m; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229733AbiIWO1k (ORCPT + 99 others); Fri, 23 Sep 2022 10:27:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38544 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232628AbiIWO1S (ORCPT ); Fri, 23 Sep 2022 10:27:18 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 603FB1438E3; Fri, 23 Sep 2022 07:27:14 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id CE27160FD6; Fri, 23 Sep 2022 14:27:13 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3E004C433D6; Fri, 23 Sep 2022 14:27:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1663943233; bh=2XcBEi6sl5jLoQf2kpZ1tFVwF2yN3kZuQICilWnHJOo=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=XYsZ9J+mR0Zcv10kewzN94+9JE951kQlpB82LXIOrOBrSRJtjtZltwvsUfgRRtV3u c1kildVVsH0i5wA29/UrLv/eabwtolE9QejdMbi/2eYhFoiT1tmyzFOEUx8fE+7RQs Ng7U2UwT81EeMDdzWtpzJtiBEvFN5SvKP80cu3F7hBdwpnf14+l/FDLWSagyPqrFhC NlMo4dN/+P84g3bCMRvvcLih8eZsrbswvunaA7jmJnp5lDusFbY01jk4+Md/PM0zGi NPKhCB3KYMQ9OOgC5aphWJl1y1G8tsmbVSgedWPfoUPdRjRlYMh3cfencYiay2AgNG ze+inArKURvNg== Received: by mail-lf1-f53.google.com with SMTP id a8so497307lff.13; Fri, 23 Sep 2022 07:27:13 -0700 (PDT) X-Gm-Message-State: ACrzQf01EBk27DGUwajMpzVcriivvZG4cwWjgv5i9J2kv7h28VNd2xfi OYEx0SH4cz3jObn98V+UgmqmLGyPJashU1XsTS8= X-Received: by 2002:a05:6512:3d09:b0:497:ab35:fd12 with SMTP id d9-20020a0565123d0900b00497ab35fd12mr3476720lfv.539.1663943231231; Fri, 23 Sep 2022 07:27:11 -0700 (PDT) MIME-Version: 1.0 References: <08906193-246b-c874-8bac-1d98d2313ac4@roeck-us.net> <20220922193157.1673623-1-dave.hansen@linux.intel.com> <5f443915-b38a-c78d-cccd-876501434cef@roeck-us.net> In-Reply-To: <5f443915-b38a-c78d-cccd-876501434cef@roeck-us.net> From: Ard Biesheuvel Date: Fri, 23 Sep 2022 16:26:58 +0200 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] x86/mm+efi: Avoid creating W+X mappings To: Guenter Roeck Cc: Peter Zijlstra , Dave Hansen , linux-kernel@vger.kernel.org, Darren Hart , Andy Shevchenko , Thomas Gleixner , Ingo Molnar , Borislav Petkov , x86@kernel.org, linux-efi@vger.kernel.org, "H. Peter Anvin" , Kees Cook Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 23 Sept 2022 at 15:58, Guenter Roeck wrote: > > On 9/23/22 02:49, Ard Biesheuvel wrote: > > (cc Kees) > > > > On Fri, 23 Sept 2022 at 09:00, Peter Zijlstra wrote: > >> > >> On Fri, Sep 23, 2022 at 12:08:57AM +0200, Ard Biesheuvel wrote: > >>> On Thu, 22 Sept 2022 at 21:32, Dave Hansen wrote: > >>>> > >>>> From: Peter Zijlstra > >>>> > >>>> I'm planning on sticking this in x86/mm so that it goes upstream > >>>> along with the W+X detection code. > >>>> > >>>> -- > >>>> > >>>> A recent x86/mm change warns and refuses to create W+X mappings. > >>>> > >>>> The 32-bit EFI code tries to create such a mapping and trips over > >>>> the new W+X refusal. > >>>> > >>>> Make the EFI_RUNTIME_SERVICES_CODE mapping read-only to fix it. > >>>> > >>> > >>> This is not safe. EFI_RUNTIME_SERVICES_CODE covers both .text and > >>> .data sections of the EFI runtime PE/COFF executables in memory, so > >>> you are essentially making .data and .bss read-only. (Whether those > >>> executables actually modify their .data and .bss at runtime is a > >>> different matter, but the point is that it used to be possible) > >>> > >>> More recent firmwares may provide a 'memory attributes table' > >>> separately which describes the individual sections, but older 32-bit > >>> firmwares are not even built with 4k section alignment, so code and > >>> data may share a single page. Note that we haven't wired up this > >>> memory attributes table on i386 at the moment, and I seriously doubt > >>> that 32-bit firmware in the field exposes it. > >>> > >>> Can we just turn off this feature for 32-bit? > >> > >> Goodie; some seriously security minded people who did that EFI turd :/ > > > > To be fair, most people tended to care more about memory footprint > > than about security at the time. And I don't recall a lot of > > enthusiasm in the Linux community either for rounding up kernel > > sections so they could be mapped with W^X permissions. And without > > PAE, all memory is executable anyway. > > > >> Let's just heap it on the pile of 32bit sucks and should not be > >> considered a security target anymore and indeed kill this feature. > >> > > > > I take it this issue is triggered by the fact that i386 maps the EFI > > runtime regions into the kernel page tables, and are therefore always > > mapped, right? If anyone cares enough about this to go and fix it, we > > could switch to the approach we use everywhere else, i.e., treat EFI > > memory as user space mappings, and activate them only while a runtime > > service is in progress. > > > > But frankly, why would anyone still be running this? With the EFI > > mixed mode support, only systems with CPUs that don't actually > > implement long mode still need this, and I am skeptical that such > > deployments would use recent kernels. > > It is supported, thus I run qemu tests for it. That is the whole point > of testing, after all. I completely agree with that, and I think all the testing you do is extremely valuable. > If PAE (assuming that is what you are talking about) Not at all - I was referring to i386 support in general. I was basically making the point that we still support i386 without PAE (which is a prerequisite for supporting non-executable mappings), and if we are going to be pedantic about security on this architecture, we should probably make PAE mandatory as well. If we are ok with the current state, enabling this permission check on i386 makes no sense. > is no longer supported or supportable, its support should be > removed. If so, I'll be very happy to stop testing it. > I'd say there are better ways to spend those cycles, but for the time being, I think we should continue testing it, as otherwise it will just bit rot.