Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp8516364rwi; Tue, 25 Oct 2022 07:36:31 -0700 (PDT) X-Google-Smtp-Source: AMsMyM5CevK4TrEn+mpfuTg0lHj17XGzU1DYTteTYZGa9CiLf3d89JvvlZ6Sy5dZWx6iKCsBdFyq X-Received: by 2002:a63:c145:0:b0:44e:9366:f982 with SMTP id p5-20020a63c145000000b0044e9366f982mr32469896pgi.584.1666708591483; Tue, 25 Oct 2022 07:36:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666708591; cv=none; d=google.com; s=arc-20160816; b=N4OsNDxDwMpjH7L9utnTZqINDOhsbOqKkkOtxKuJMF41eUozkGa9En7r7y8T6hJbG/ KGXBOlGo8M2VUB7GW/RF+6TJncQ+uy8ZnahZoKZ78xqSoJaM36do6NJq1UyyeXFnKAIo HMmHtPNbf6LxoX7gIf3g+Bq9vez8bIUckCAnydrulv5FQ2xCARhoDAuGlO8Nx/x7r7dt rLbgUA7rqf/NaEJRjae1APX1Ffr9O4siPMwwwrq4sgWCZSQQVqp+xearrWn8okkFl2CU S90+lo4xVwKGZ31NFT3R9qiSy/KSVyvc2PtSry5rI2r6QrrD9I6O/Z6v2Bi6pIXYC65T QqQw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature:dkim-filter; bh=IPQq2DUkqvsePNeMmcO13zCtRaNzLNzLzqZArfZzb4I=; b=tH4kjFM/AysQiHfu9h95oq0+T81EvGrO4xI2cKvxmNQwBMlX3M0mqbnMGIPwzt5PVZ Th2syFUXCDYBmAAY0nYU6oMvYw94QtJkd8nfP5KeQcdGJPzfK7L0GCKV5xYGDFyhKLo8 J9rMqd/i99lj6C9+0F4N8mdVoKcoeiFuqJis0GZDt7alRb3ENaWtVjW/JDCing/lh3xu oxnAuI/ZfIjxdFTKsGMQY6AzLIpwWGF76HhJaX0JsJi2BrnTXhnX8KBg+Y/fQNWc2SsS N131fuxMHRJFFv1P6aVsN3z98tpUNL3o0NcGrr1xSrXNKCRn4G1/5+j4K2JhZviLr6hO Cf2g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ispras.ru header.s=default header.b="sFbQd/6J"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ispras.ru Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id 79-20020a630452000000b0043c594305besi2875902pge.500.2022.10.25.07.36.18; Tue, 25 Oct 2022 07:36:31 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@ispras.ru header.s=default header.b="sFbQd/6J"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ispras.ru Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233142AbiJYOPJ (ORCPT + 99 others); Tue, 25 Oct 2022 10:15:09 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46788 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233133AbiJYOOW (ORCPT ); Tue, 25 Oct 2022 10:14:22 -0400 Received: from mail.ispras.ru (mail.ispras.ru [83.149.199.84]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BDC95B14F4; Tue, 25 Oct 2022 07:14:21 -0700 (PDT) Received: from localhost.localdomain (unknown [83.149.199.65]) by mail.ispras.ru (Postfix) with ESMTPSA id 2F52D40737BC; Tue, 25 Oct 2022 14:14:20 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 mail.ispras.ru 2F52D40737BC DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ispras.ru; s=default; t=1666707260; bh=IPQq2DUkqvsePNeMmcO13zCtRaNzLNzLzqZArfZzb4I=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=sFbQd/6JEhEySWp3agtsqOQbk7vueRFcbOkkchDsC0kBV/iaWjiSLSOkFQXYreNgX 6iNASS1kdM9WHP1asr4DURYn5aZrpHSftjWk2mcZiBNblqsKk8JgIiuNB1h8uiX+j1 K50cozUr/nZTEahpCPSaFFs+0LDvF3OWVNi6jXfQ= From: Evgeniy Baskov To: Ard Biesheuvel Cc: Evgeniy Baskov , Borislav Petkov , Andy Lutomirski , Dave Hansen , Ingo Molnar , Peter Zijlstra , Thomas Gleixner , Alexey Khoroshilov , Peter Jones , lvc-project@linuxtesting.org, x86@kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: [PATCH v2 21/23] efi/x86: Explicitly set sections memory attributes Date: Tue, 25 Oct 2022 17:12:59 +0300 Message-Id: X-Mailer: git-send-email 2.37.4 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS, URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Explicitly change sections memory attributes in efi_pe_entry in case of incorrect EFI implementations and to reduce access rights to compressed kernel blob. By default it is set executable due to restriction in maximum number of sections that can fit before zero page. Signed-off-by: Evgeniy Baskov --- drivers/firmware/efi/libstub/x86-stub.c | 56 +++++++++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/drivers/firmware/efi/libstub/x86-stub.c b/drivers/firmware/efi/libstub/x86-stub.c index 4d9588d33479..d9bb9125d518 100644 --- a/drivers/firmware/efi/libstub/x86-stub.c +++ b/drivers/firmware/efi/libstub/x86-stub.c @@ -27,6 +27,12 @@ const efi_dxe_services_table_t *efi_dxe_table; extern u32 image_offset; static efi_loaded_image_t *image = NULL; +extern char _head[], _ehead[]; +extern char _compressed[], _ecompressed[]; +extern char _text[], _etext[]; +extern char _rodata[], _erodata[]; +extern char _data[]; + static efi_status_t preserve_pci_rom_image(efi_pci_io_protocol_t *pci, struct pci_setup_rom **__rom) { @@ -343,6 +349,54 @@ static void __noreturn efi_exit(efi_handle_t handle, efi_status_t status) asm("hlt"); } + +/* + * Manually setup memory protection attributes for each ELF section + * since we cannot do it properly by using PE sections. + */ +static void setup_sections_memory_protection(void *image_base, + unsigned long init_size) +{ +#ifdef CONFIG_EFI_DXE_MEM_ATTRIBUTES + efi_dxe_table = get_efi_config_table(EFI_DXE_SERVICES_TABLE_GUID); + + if (!efi_dxe_table || + efi_dxe_table->hdr.signature != EFI_DXE_SERVICES_TABLE_SIGNATURE) { + efi_warn("Unable to locate EFI DXE services table\n"); + efi_dxe_table = NULL; + return; + } + + /* .setup [image_base, _head] */ + efi_adjust_memory_range_protection((unsigned long)image_base, + (unsigned long)_head - (unsigned long)image_base, + EFI_MEMORY_RO | EFI_MEMORY_XP); + /* .head.text [_head, _ehead] */ + efi_adjust_memory_range_protection((unsigned long)_head, + (unsigned long)_ehead - (unsigned long)_head, + EFI_MEMORY_RO); + /* .rodata..compressed [_compressed, _ecompressed] */ + efi_adjust_memory_range_protection((unsigned long)_compressed, + (unsigned long)_ecompressed - (unsigned long)_compressed, + EFI_MEMORY_RO | EFI_MEMORY_XP); + /* .text [_text, _etext] */ + efi_adjust_memory_range_protection((unsigned long)_text, + (unsigned long)_etext - (unsigned long)_text, + EFI_MEMORY_RO); + /* .rodata [_rodata, _erodata] */ + efi_adjust_memory_range_protection((unsigned long)_rodata, + (unsigned long)_erodata - (unsigned long)_rodata, + EFI_MEMORY_RO | EFI_MEMORY_XP); + /* .data, .bss [_data, image_base + init_size] */ + efi_adjust_memory_range_protection((unsigned long)_data, + (unsigned long)image_base + init_size - (unsigned long)_rodata, + EFI_MEMORY_XP); +#else + (void)image_base; + (void)init_size; +#endif +} + void __noreturn efi_stub_entry(efi_handle_t handle, efi_system_table_t *sys_table_arg, struct boot_params *boot_params); @@ -396,6 +450,8 @@ efi_status_t __efiapi efi_pe_entry(efi_handle_t handle, memcpy(&hdr->jump, image_base + 0x1000, sizeof(struct setup_header) - offsetof(struct setup_header, jump)); + setup_sections_memory_protection(image_base, hdr->init_size); + /* * Fill out some of the header fields ourselves because the * EFI firmware loader doesn't load the first sector. -- 2.37.4