[v4,19/21] sandbox: Allow to execute from RAM

Message ID	20180618152315.34233-20-agraf@suse.de
State	New
Headers	show Delivered-To: patch@linaro.org Received-SPF: pass (google.com: best guess record for domain of u-boot-bounces@lists.denx.de designates 81.169.180.215 as permitted sender) client-ip=81.169.180.215; From: Alexander Graf <agraf@suse.de> To: u-boot@lists.denx.de Date: Mon, 18 Jun 2018 17:23:13 +0200 Message-Id: <20180618152315.34233-20-agraf@suse.de> In-Reply-To: <20180618152315.34233-1-agraf@suse.de> References: <20180618152315.34233-1-agraf@suse.de> Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>, Andy Shevchenko <andriy.shevchenko@linux.intel.com> Subject: [U-Boot] [PATCH v4 19/21] sandbox: Allow to execute from RAM Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
Series	sandbox: efi_loader support \| expand [v4,00/21] sandbox: efi_loader support [v4,01/21] efi: sandbox: Add distroboot support [v4,02/21] efi: sandbox: Add relocation constants [v4,03/21] efi_loader: Use compiler constants for image loader [v4,04/21] efi_loader: Use map_sysmem() in bootefi command [v4,05/21] efi.h: Do not use config options [v4,06/21] efi_loader: Allow SMBIOS tables in highmem [v4,07/21] sandbox: Map host memory for efi_loader [v4,08/21] efi_loader: efi_allocate_pages is too restrictive [v4,09/21] efi_loader: Disable miniapps on sandbox [v4,10/21] fs: Convert fs_read/write to take buffer instead of address [v4,11/21] efi_loader: Introduce ms abi vararg helpers [v4,12/21] efi: sandbox: Enable EFI loader for sandbox [v4,13/21] distro: Move to compiler based target architecture determination [v4,14/21] efi_loader: Move to compiler based target architecture determination [v4,15/21] sandbox: Fix setjmp/longjmp [v4,16/21] elf: Move x86 reloc defines to common elf.h [v4,17/21] efi_loader: Use common elf.h reloc defines [v4,18/21] efi: sandbox: Adjust memory usage for sandbox [v4,19/21] sandbox: Allow to execute from RAM [v4,20/21] sandbox: Always allocate aligned buffers [v4,21/21] efi_loader: Expose U-Boot addresses in memory map for sandbox

Message ID

20180618152315.34233-20-agraf@suse.de

State

New

Headers

Received-SPF: pass (google.com: best guess record for domain of
	u-boot-bounces@lists.denx.de designates 81.169.180.215 as
	permitted sender) client-ip=81.169.180.215; 
From: Alexander Graf <agraf@suse.de>
To: u-boot@lists.denx.de
Date: Mon, 18 Jun 2018 17:23:13 +0200
Message-Id: <20180618152315.34233-20-agraf@suse.de>
In-Reply-To: <20180618152315.34233-1-agraf@suse.de>
References: <20180618152315.34233-1-agraf@suse.de>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>,
	Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Subject: [U-Boot] [PATCH v4 19/21] sandbox: Allow to execute from RAM
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>

Series

sandbox: efi_loader support | expand

Commit Message

Alexander Graf June 18, 2018, 3:23 p.m. UTC

With efi_loader, we may want to execute payloads from RAM. By default,
permissions on the RAM region don't allow us to execute from there though.

So whenever we get into the efi_loader case, let's mark RAM as executable.
That way we still protect normal cases, but allow for efi binaries to
directly get executed from within RAM.

For this, we hook into the already existing allow_unaligned() call which
also transitions the system over into semantics required by the UEFI
specification.

Signed-off-by: Alexander Graf <agraf@suse.de>
---
 arch/sandbox/cpu/cpu.c | 14 ++++++++++++++
 arch/sandbox/cpu/os.c  | 14 ++++++++++++++
 include/os.h           | 19 +++++++++++++++++++
 3 files changed, 47 insertions(+)

Comments

Simon Glass June 21, 2018, 2:02 a.m. UTC | #1

Hi Alex,

On 18 June 2018 at 09:23, Alexander Graf <agraf@suse.de> wrote:
> With efi_loader, we may want to execute payloads from RAM. By default,
> permissions on the RAM region don't allow us to execute from there though.
>
> So whenever we get into the efi_loader case, let's mark RAM as executable.
> That way we still protect normal cases, but allow for efi binaries to
> directly get executed from within RAM.
>
> For this, we hook into the already existing allow_unaligned() call which
> also transitions the system over into semantics required by the UEFI
> specification.
>
> Signed-off-by: Alexander Graf <agraf@suse.de>
> ---
>  arch/sandbox/cpu/cpu.c | 14 ++++++++++++++
>  arch/sandbox/cpu/os.c  | 14 ++++++++++++++
>  include/os.h           | 19 +++++++++++++++++++
>  3 files changed, 47 insertions(+)
>

What is this patch actually for? Does it make something work that did
not before? Where is it called?

Regards.
Simon

Alexander Graf June 21, 2018, 9:44 a.m. UTC | #2

On 06/21/2018 04:02 AM, Simon Glass wrote:
> Hi Alex,
>
> On 18 June 2018 at 09:23, Alexander Graf <agraf@suse.de> wrote:
>> With efi_loader, we may want to execute payloads from RAM. By default,
>> permissions on the RAM region don't allow us to execute from there though.
>>
>> So whenever we get into the efi_loader case, let's mark RAM as executable.
>> That way we still protect normal cases, but allow for efi binaries to
>> directly get executed from within RAM.
>>
>> For this, we hook into the already existing allow_unaligned() call which
>> also transitions the system over into semantics required by the UEFI
>> specification.
>>
>> Signed-off-by: Alexander Graf <agraf@suse.de>
>> ---
>>   arch/sandbox/cpu/cpu.c | 14 ++++++++++++++
>>   arch/sandbox/cpu/os.c  | 14 ++++++++++++++
>>   include/os.h           | 19 +++++++++++++++++++
>>   3 files changed, 47 insertions(+)
>>
> What is this patch actually for? Does it make something work that did
> not before? Where is it called?

At least on aarch64 executing from the RAM region fails on the first 
instruction you call inside it, because it's not mapped with PROT_EXEC. 
I think not mapping it with PROT_EXEC is a good thing in the normal 
sandbox use case, but for EFI we need to run from RAM ;).

So yes, this patch makes that work. It's called from allow_unaligned() 
which gets called from the bootefi command function.

Alex

Simon Glass June 21, 2018, 7:45 p.m. UTC | #3

Hi Alex,

On 21 June 2018 at 03:44, Alexander Graf <agraf@suse.de> wrote:
> On 06/21/2018 04:02 AM, Simon Glass wrote:
>>
>> Hi Alex,
>>
>> On 18 June 2018 at 09:23, Alexander Graf <agraf@suse.de> wrote:
>>>
>>> With efi_loader, we may want to execute payloads from RAM. By default,
>>> permissions on the RAM region don't allow us to execute from there
>>> though.
>>>
>>> So whenever we get into the efi_loader case, let's mark RAM as
>>> executable.
>>> That way we still protect normal cases, but allow for efi binaries to
>>> directly get executed from within RAM.
>>>
>>> For this, we hook into the already existing allow_unaligned() call which
>>> also transitions the system over into semantics required by the UEFI
>>> specification.
>>>
>>> Signed-off-by: Alexander Graf <agraf@suse.de>
>>> ---
>>>   arch/sandbox/cpu/cpu.c | 14 ++++++++++++++
>>>   arch/sandbox/cpu/os.c  | 14 ++++++++++++++
>>>   include/os.h           | 19 +++++++++++++++++++
>>>   3 files changed, 47 insertions(+)
>>>
>> What is this patch actually for? Does it make something work that did
>> not before? Where is it called?
>
>
> At least on aarch64 executing from the RAM region fails on the first
> instruction you call inside it, because it's not mapped with PROT_EXEC. I
> think not mapping it with PROT_EXEC is a good thing in the normal sandbox
> use case, but for EFI we need to run from RAM ;).
>
> So yes, this patch makes that work. It's called from allow_unaligned() which
> gets called from the bootefi command function.

OK I see. This is so that sandbox running on an ARM platform can
actually load and run an EFI application, right?

Can you please make this code and commit message ARM-specific? Also,
just call your code on start-up in cpu.c. We don't need to connect to
an allow_unaligned() thing, which is a misnomer in this case.

Regards,
Simon

Alexander Graf June 22, 2018, 9:43 a.m. UTC | #4

On 06/21/2018 09:45 PM, Simon Glass wrote:
> Hi Alex,
>
> On 21 June 2018 at 03:44, Alexander Graf <agraf@suse.de> wrote:
>> On 06/21/2018 04:02 AM, Simon Glass wrote:
>>> Hi Alex,
>>>
>>> On 18 June 2018 at 09:23, Alexander Graf <agraf@suse.de> wrote:
>>>> With efi_loader, we may want to execute payloads from RAM. By default,
>>>> permissions on the RAM region don't allow us to execute from there
>>>> though.
>>>>
>>>> So whenever we get into the efi_loader case, let's mark RAM as
>>>> executable.
>>>> That way we still protect normal cases, but allow for efi binaries to
>>>> directly get executed from within RAM.
>>>>
>>>> For this, we hook into the already existing allow_unaligned() call which
>>>> also transitions the system over into semantics required by the UEFI
>>>> specification.
>>>>
>>>> Signed-off-by: Alexander Graf <agraf@suse.de>
>>>> ---
>>>>    arch/sandbox/cpu/cpu.c | 14 ++++++++++++++
>>>>    arch/sandbox/cpu/os.c  | 14 ++++++++++++++
>>>>    include/os.h           | 19 +++++++++++++++++++
>>>>    3 files changed, 47 insertions(+)
>>>>
>>> What is this patch actually for? Does it make something work that did
>>> not before? Where is it called?
>>
>> At least on aarch64 executing from the RAM region fails on the first
>> instruction you call inside it, because it's not mapped with PROT_EXEC. I
>> think not mapping it with PROT_EXEC is a good thing in the normal sandbox
>> use case, but for EFI we need to run from RAM ;).
>>
>> So yes, this patch makes that work. It's called from allow_unaligned() which
>> gets called from the bootefi command function.
> OK I see. This is so that sandbox running on an ARM platform can
> actually load and run an EFI application, right?
>
> Can you please make this code and commit message ARM-specific? Also,

Not, it's not ARM specific. You may hit this on any system that actually 
checks for PROT_EXEC.

> just call your code on start-up in cpu.c. We don't need to connect to
> an allow_unaligned() thing, which is a misnomer in this case.

In that case we can just tell mmap() to map RAM with PROC_EXEC.


Alex

diff --git a/arch/sandbox/cpu/cpu.c b/arch/sandbox/cpu/cpu.c
index 9087026d71..641b66a0a7 100644
--- a/arch/sandbox/cpu/cpu.c
+++ b/arch/sandbox/cpu/cpu.c
@@ -192,3 +192,17 @@  void efi_add_known_memory(void)
 }
 
 #endif
+
+#if CONFIG_IS_ENABLED(EFI_LOADER)
+
+void allow_unaligned(void)
+{
+	int r;
+
+	r = os_mprotect(gd->arch.ram_buf, gd->ram_size,
+			OS_PROT_READ | OS_PROT_WRITE | OS_PROT_EXEC);
+
+	assert(!r);
+}
+
+#endif
diff --git a/arch/sandbox/cpu/os.c b/arch/sandbox/cpu/os.c
index 9cfdc9f31f..9fa79a8843 100644
--- a/arch/sandbox/cpu/os.c
+++ b/arch/sandbox/cpu/os.c
@@ -183,6 +183,20 @@  void *os_realloc(void *ptr, size_t length)
 	return buf;
 }
 
+int os_mprotect(void *ptr, size_t length, int prot)
+{
+	int p = 0;
+
+	if (prot & OS_PROT_READ)
+		p |= PROT_READ;
+	if (prot & OS_PROT_WRITE)
+		p |= PROT_WRITE;
+	if (prot & OS_PROT_EXEC)
+		p |= PROT_EXEC;
+
+	return mprotect(ptr, length, p);
+}
+
 void os_usleep(unsigned long usec)
 {
 	usleep(usec);
diff --git a/include/os.h b/include/os.h
index c8e0f52d30..d451e12064 100644
--- a/include/os.h
+++ b/include/os.h
@@ -157,6 +157,25 @@  void os_free(void *ptr);
 void *os_realloc(void *ptr, size_t length);
 
 /**
+ * Modify protection of a memory region
+ *
+ * This function changes the memory protection scheme of a given memory
+ * region. Using it you can for example allow execution of memory that
+ * would otherwise prohibit it.
+ *
+ * \param ptr		Pointer to memory region to modify
+ * \param length	New length for memory block
+ * \param prot		New protection scheme (ORed OS_PROT_ values)
+ * \return 0 on success, -1 otherwise.
+ */
+int os_mprotect(void *ptr, size_t length, int prot);
+
+/* Defines for "prot" in os_mprotect() */
+#define OS_PROT_READ	0x1
+#define OS_PROT_WRITE	0x2
+#define OS_PROT_EXEC	0x4
+
+/**
  * Access to the usleep function of the os
  *
  * \param usec Time to sleep in micro seconds

[v4,19/21] sandbox: Allow to execute from RAM

Commit Message

Comments

Patch