Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Date:   Sun, 20 Nov 2022 09:49:19 +0800
From:   joeyli <jlee@suse.com>
To:     Evgeniy Baskov <baskov@ispras.ru>
Cc:     Ard Biesheuvel <ardb@kernel.org>, Borislav Petkov <bp@alien8.de>,
        Andy Lutomirski <luto@kernel.org>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        Ingo Molnar <mingo@redhat.com>,
        Peter Zijlstra <peterz@infradead.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Alexey Khoroshilov <khoroshilov@ispras.ru>,
        Peter Jones <pjones@redhat.com>, lvc-project@linuxtesting.org,
        x86@kernel.org, linux-efi@vger.kernel.org,
        linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH v2 00/23] x86_64: Improvements at compressed kernel stage
Message-ID: <20221120014919.GV3967@linux-l9pv.suse>
References: <cover.1666705333.git.baskov@ispras.ru>
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <cover.1666705333.git.baskov@ispras.ru>
User-Agent: Mutt/1.11.4 (2019-03-13)
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?ZXbCpcWn93lOvI8BGNDHKPPCj+einVhgtvpMlxEmN3EQfJb6yYfuP99I9h2J?=
 =?us-ascii?Q?/lej6+Yx/F7uISquoFtr2UWshPRcm15n/wPEKNiExWxfos2os7ncrt6XU82y?=
 =?us-ascii?Q?Hh3hNr0DbwIcpElmpNv6DRSS6Sg/jgNqcbNIUnGpAHG7Hn2nGzqghTSgRMDK?=
 =?us-ascii?Q?xBzJXkmeysuRMffq0dcK2wkr5VVW3aGfz4enTy0CRA8d3YGFN48RntJrrXWz?=
 =?us-ascii?Q?Sszllt0myQLxigc495r3dH3V1Q27/xbONjaLV3OFFyDLQmyqb67v46GZZgUt?=
 =?us-ascii?Q?8J6pBWWDhFd1Gg+Wh5EfjC9IOvTc0p3cqd8SnnTacAruU2iIWNaRqJK0IITX?=
 =?us-ascii?Q?zl/MHkzeMw7zqLeqCMN8dqTrif6MVLEBXd7z562IhZcNe96PoWOAs2fuJWh5?=
 =?us-ascii?Q?+YIbWxUO/2lBi8BGEHfelWbmtYjHzLHbJhW0CXJB1kUBGzMshg7t7BBT623T?=
 =?us-ascii?Q?Za8sau+alXWnZF9wX7jm+Vz53lMSEFs/NHhOHZwlSRU0z7JGcsVAvhEwdf6l?=
 =?us-ascii?Q?8NWEE3258EpXtGwFpH+S7Vck2XbkroGCkBw+4F3y5pcvV8CpFBnr+vu0yGgX?=
 =?us-ascii?Q?vFQUNERSlz8b5Bi3bthimdOYJvc9F2WNvK+yizJcvaUhyb2l6VOhJtciDEIu?=
 =?us-ascii?Q?swEdleFETulEk80DsM7lZT9syfSgM/06e2zWHcAeWFnKuN7Sm0r+tzDfCYcw?=
 =?us-ascii?Q?0eYZ2UKnARL7uBtlgPYxDWFziRAOVZnM9LK31RsSSVuYAcwGNzqQORW5gR3F?=
 =?us-ascii?Q?9n1UpHgp33/iP8lL1YISVQPqQOof3viVXTmrWoU4l4nsLnQ1fbuqpqKDHUVk?=
 =?us-ascii?Q?ZnVxm5RyTuxRR7m++xta7bV5MFbHqMGtjkyYQHZeYae7Rkt0OUKD/Pww7UDo?=
 =?us-ascii?Q?ZK/7wAZxp/xNqVg8CLfFRDyLtD2cFsAMNLGeLgjcsjCcTlo6TrMmFOZe+Lo0?=
 =?us-ascii?Q?wHS+su/X6OW7YhVLHAeX0Mgf6Mv3Yj1TYk/hHHGra9NQrtJl+zgBYmi2esQT?=
 =?us-ascii?Q?g9Cyzp9xbvuW0S8Xn6yTvuuMyRKlM460ute0+H7RA1WU2yDcaRitLOrpmfK5?=
 =?us-ascii?Q?jSXq01kTWeq5Zi2fuPFoWZwbsCOA1th1g8hkHGFkXPnCKWg2PajyIlOw4Es4?=
 =?us-ascii?Q?VeoBr8ykfdf5wtzG/HTWl2Y0u/pCsI3n7eqXx16cqS84Dz+QJ8068vdM73Ky?=
 =?us-ascii?Q?3OvMi0333S3YiTmFsd/yYhNuxIHqMLsxKiN99iAEsyNkHsFSGW7iSoFVZO+8?=
 =?us-ascii?Q?50VCop3N1QQYrd87vXdlpggjPncxt01Vxa5kCPlp/bdg+KkeR0yMy6Y1arUr?=
 =?us-ascii?Q?Y0qb547/rXos+u2dX8IU6F57lz0k0OaEHMalPnIRGhvHOLgU5Qc7PAi+fi/A?=
 =?us-ascii?Q?2OpXdpmkwrlQSY8VQjeKKVyr7IEqPpd4U2vPmwGH20KFFMSKZf/RzuObbUY9?=
 =?us-ascii?Q?2Ni+iUWtQRKDkmAaJyhxpB7fX+euBsEhKQ8DKx+F9uZ7FX7e9+IQDMZox/ey?=
 =?us-ascii?Q?4LYkytwZ7uEbUVfzjKkog7GjLBQmMIQN6QE9/xO16LZbnXPTGKQcgCSIQZBc?=
 =?us-ascii?Q?gmt0HEYqQYu3un4DlR0=3D?=
X-OriginatorOrg: suse.com
X-MS-Exchange-CrossTenant-Network-Message-Id: e2bd8367-8c14-4186-7943-08daca997952
X-MS-Exchange-CrossTenant-AuthSource: DB8PR04MB7164.eurprd04.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 20 Nov 2022 01:49:35.2017
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: f7a17af6-1c5c-4a36-aa8b-f5be247aa4ba
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: QQqteQsOMl6u5cUwbaZHNqDZdy82EZnQsgl1ZsQa4LsgesChi0UN5tZil8OEXezN
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR04MB7055
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
        RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Evgeniy,

Thanks for your effort!

On Tue, Oct 25, 2022 at 05:12:38PM +0300, Evgeniy Baskov wrote:
> This patchset is aimed
> * to improve UEFI compatibility of compressed kernel code for x86_64
> * to setup proper memory access attributes for code and rodata sections
> * to implement W^X protection policy throughout the whole execution 
>   of compressed kernel for EFISTUB code path. 
> 
> Kernel is made to be more compatible with PE image specification [3],
> allowing it to be successfully loaded by stricter PE loader
> implementations like the one from [2]. There is at least one
> known implementation that uses that loader in production [4].
> There are also ongoing efforts to upstream these changes.
> 
> Also the patchset adds EFI_MEMORY_ATTTRIBUTE_PROTOCOL, included into
> EFI specification since version 2.10, as a better alternative to
> using DXE services for memory protection attributes manipulation,
> since it is defined by the UEFI specification itself and not UEFI PI
> specification. This protocol is not widely available so the code
> using DXE services is kept in place as a fallback in case specific
> implementation does not support the new protocol.
> One of EFI implementations that already support
> EFI_MEMORY_ATTTRIBUTE_PROTOCOL is Microsoft Project Mu [5].
>  

Because Peter Jones point out this patchset to me, so I tried it
on OVMF, and I set the EfiLoaderData in DXE memory protection policy:

Index: edk2/MdeModulePkg/MdeModulePkg.dec
===================================================================
--- edk2.orig/MdeModulePkg/MdeModulePkg.dec
+++ edk2/MdeModulePkg/MdeModulePkg.dec
@@ -1392,7 +1392,7 @@
   # e.g. 0x7BD4 can be used for all memory except Code and ACPINVS/Reserved. <BR>
   #
   # @Prompt Set DXE memory protection policy.
-  gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0x0000000|UINT64|0x00001048^M
+  gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0x0000004|UINT64|0x00001048^M
 
   ## PCI Serial Device Info. It is an array of Device, Function, and Power Management
   #  information that describes the path that contains zero or more PCI to PCI bridges


I applied this v2 patch set on top of v6.1-rc5 kernel, and boot with a shim which
set the PE NX-compatibility DLL Characteristic flag. I got a page fault exception:

Loading Linux 6.1.0-rc5-default+ ...
Loading initial ramdisk ...
!!!! X64 Exception Type - 0E(#PF - Page-Fault)  CPU Apic ID - 00000000 !!!!
ExceptionData - 0000000000000011  I:1 R:0 U:0 W:0 P:1 PK:0 SS:0 SGX:0
RIP  - 0000000076A3C390, CS  - 0000000000000038, RFLAGS - 0000000000210202
RAX  - 000000007D8CCDF8, RCX - 0000000076A3C390, RDX - 000000007DE86000
RBX  - 0000000076A3C000, RSP - 000000007FF0D2C8, RBP - 000000007DE86000
RSI  - 000000007F9EE018, RDI - 000000007DFD1C18
R8   - 0000000076A3C000, R9  - 0000000000000190, R10 - 000000007FF1D658
R11  - 0000000000000004, R12 - 0000000000000190, R13 - 000000007D8CCE00
R14  - 000000007D8C76B4, R15 - 000000007BF0CBD5
DS   - 0000000000000030, ES  - 0000000000000030, FS  - 0000000000000030
GS   - 0000000000000030, SS  - 0000000000000030
CR0  - 0000000080010033, CR2 - 0000000076A3C390, CR3 - 000000007FC01000
CR4  - 0000000000000668, CR8 - 0000000000000000
DR0  - 0000000000000000, DR1 - 0000000000000000, DR2 - 0000000000000000
DR3  - 0000000000000000, DR6 - 00000000FFFF0FF0, DR7 - 0000000000000400
GDTR - 000000007F9DE000 0000000000000047, LDTR - 0000000000000000
IDTR - 000000007F2E9018 0000000000000FFF,   TR - 0000000000000000
FXSAVE_STATE - 000000007FF0CF20
!!!! Find image based on IP(0x7BF0BAB5) /mnt/working/source_code-git/edk2/Build/OvmfX64/DEBUG_GCC5/X64/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe/DEBUG/VariableRuntimeDxe.dll (ImageBase=0000000000F40E7C, EntryPoint=0000000000F767B8) !!!!


My question is: Can I just set EfiLoaderData in DXE memory protection policy
in EDK2/OVMF to test this patchset? Or which platform (virtual or physical)
can we use for testing?

Thanks a lot!
Joey Lee