From patchwork Mon Jan 7 07:15:00 2019
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 154871
From: Ard Biesheuvel
To: edk2-devel@lists.01.org
Date: Mon, 7 Jan 2019 08:15:00 +0100
Message-Id: <20190107071504.2431-2-ard.biesheuvel@linaro.org>
In-Reply-To: <20190107071504.2431-1-ard.biesheuvel@linaro.org>
References: <20190107071504.2431-1-ard.biesheuvel@linaro.org>
Subject: [edk2] [PATCH 1/5] ArmPkg/ArmMmuLib AARCH64: fix out of bounds access

Take care not to dereference BlockEntry if it may be pointing past the end of the page table we are manipulating. It is only a read, and thus harmless, but HeapGuard triggers on it so let's fix it.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ard Biesheuvel
---
 ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
2.20.1

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Reviewed-by: Leif Lindholm

diff --git a/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c b/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c
index e41044142ef4..d66df3e17a02 100644
--- a/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c
+++ b/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c
@@ -382,7 +382,7 @@ UpdateRegionMapping ( // Break the inner loop when next block is a table // Rerun GetBlockEntryListFromAddress to avoid page table memory leak - if (TableLevel != 3 && + if (TableLevel != 3 && BlockEntry <= LastBlockEntry && (*BlockEntry & TT_TYPE_MASK) == TT_TYPE_TABLE_ENTRY) { break; }
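Review bot: the added `BlockEntry <= LastBlockEntry` test only protects the `*BlockEntry` read because `&&` short-circuits, so it must stay ahead of the `TT_TYPE_MASK` test and should not be reordered later for readability. The `<=` treats `LastBlockEntry` as the address of the last valid entry (inclusive), which agrees with the "address of the last BlockEntry of the Table Descriptor" comment in UpdateRegionMapping; an off-by-one in either direction would reintroduce the read past the table, so a one-line comment stating that the bound is inclusive would save the next reader from re-deriving it.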
From patchwork Mon Jan 7 07:15:01 2019
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 154872
From: Ard Biesheuvel
To: edk2-devel@lists.01.org
Date: Mon, 7 Jan 2019 08:15:01 +0100
Message-Id: <20190107071504.2431-3-ard.biesheuvel@linaro.org>
In-Reply-To: <20190107071504.2431-1-ard.biesheuvel@linaro.org>
References: <20190107071504.2431-1-ard.biesheuvel@linaro.org>
Subject: [edk2] [PATCH 2/5] ArmPkg/ArmMmuLib AARCH64: get rid of needless TLB invalidation

Currently, we always invalidate the TLBs entirely after making any modification to the page tables. Now that we have introduced strict memory permissions in quite a number of places, such modifications occur much more often, and it is better for performance to flush only those TLB entries that are actually affected by the changes.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ard Biesheuvel
---
 ArmPkg/Include/Library/ArmMmuLib.h                       |  3 ++-
 ArmPkg/Library/ArmLib/AArch64/ArmLibSupport.S            |  6 +++---
 ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c         | 16 +++++++--------
 ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibReplaceEntry.S | 14 ++++++++------
 4 files changed, 20 insertions(+), 19 deletions(-)

Reviewed-by: Leif Lindholm

diff --git a/ArmPkg/Include/Library/ArmMmuLib.h b/ArmPkg/Include/Library/ArmMmuLib.h
index fb7fd006417c..d2725810f1c6 100644
--- a/ArmPkg/Include/Library/ArmMmuLib.h
+++ b/ArmPkg/Include/Library/ArmMmuLib.h
@@ -59,7 +59,8 @@ VOID EFIAPI ArmReplaceLiveTranslationEntry ( IN UINT64 *Entry, - IN UINT64 Value + IN UINT64 Value, + IN UINT64 Address ); EFI_STATUS
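Review bot: the new `Address` parameter of ArmReplaceLiveTranslationEntry has no description in the header, and this is a public library API: the prototype should say that `Address` is the virtual address translated by `*Entry` and that it is used only to scope the TLB invalidation issued after the replacement, otherwise a caller may reasonably pass the entry's output (physical) address instead. The diffstat lists only the shared header plus AArch64 files; it is worth confirming that no other implementation or caller of this function exists outside those four files, since any such caller no longer matches the prototype.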
diff --git a/ArmPkg/Library/ArmLib/AArch64/ArmLibSupport.S b/ArmPkg/Library/ArmLib/AArch64/ArmLibSupport.S index b7173e00b039..175fb58206b6 100644 --- a/ArmPkg/Library/ArmLib/AArch64/ArmLibSupport.S +++ b/ArmPkg/Library/ArmLib/AArch64/ArmLibSupport.S @@ -124,15 +124,15 @@ ASM_FUNC(ArmSetMAIR) // IN VOID *MVA // X1 // ); ASM_FUNC(ArmUpdateTranslationTableEntry) - dc civac, x0 // Clean and invalidate data line - dsb sy + dsb nshst + lsr x1, x1, #12 EL1_OR_EL2_OR_EL3(x0) 1: tlbi vaae1, x1 // TLB Invalidate VA , EL1 b 4f 2: tlbi vae2, x1 // TLB Invalidate VA , EL2 b 4f 3: tlbi vae3, x1 // TLB Invalidate VA , EL3 -4: dsb sy +4: dsb nsh isb ret diff --git a/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c b/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c index d66df3e17a02..e1fabfcbea14 100644 --- a/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c +++ b/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c @@ -129,13 +129,14 @@ STATIC VOID ReplaceLiveEntry ( IN UINT64 *Entry, - IN UINT64 Value + IN UINT64 Value, + IN UINT64 Address ) { if (!ArmMmuEnabled ()) { *Entry = Value; } else { - ArmReplaceLiveTranslationEntry (Entry, Value); + ArmReplaceLiveTranslationEntry (Entry, Value, Address); } } @@ -296,7 +297,8 @@ GetBlockEntryListFromAddress ( // Fill the BlockEntry with the new TranslationTable ReplaceLiveEntry (BlockEntry, - ((UINTN)TranslationTable & TT_ADDRESS_MASK_DESCRIPTION_TABLE) | TableAttributes | TT_TYPE_TABLE_ENTRY); + (UINTN)TranslationTable | TableAttributes | TT_TYPE_TABLE_ENTRY, + RegionStart); } } else { if (IndexLevel != PageLevel) { @@ -375,6 +377,8 @@ UpdateRegionMapping ( *BlockEntry &= BlockEntryMask; *BlockEntry |= (RegionStart & TT_ADDRESS_MASK_BLOCK_ENTRY) | Attributes | Type; + ArmUpdateTranslationTableEntry (BlockEntry, (VOID *)RegionStart); + // Go to the next BlockEntry RegionStart += BlockEntrySize; RegionLength -= BlockEntrySize; 
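Review bot: in the ArmLibSupport.S hunk, ArmUpdateTranslationTableEntry loses the `dc civac, x0` clean of the updated descriptor together with the full-system `dsb sy`, so the routine now assumes that the translation table walker fetches descriptors through the data cache (cacheable IRGN/ORGN settings in TCR) and that no other PE or agent walks these tables (hence `dsb nshst` / `dsb nsh`). Both assumptions should be stated in the commit message or in the comment block above the function, because a platform that configures non-cacheable table walks would keep reading the stale descriptor. The `lsr x1, x1, #12` yields the VA[55:12] field that `tlbi vaae1` expects; VA bits above 55 would spill into the register's upper fields, which is harmless for UEFI's identity-mapped address space but deserves a comment.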
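Review bot: the GetBlockEntryListFromAddress hunk also drops the `& TT_ADDRESS_MASK_DESCRIPTION_TABLE` mask on `(UINTN)TranslationTable`, which is unrelated to the TLB change and is not mentioned in the commit message. It is safe only because the table allocation is page-aligned and fits in the descriptor's address field, and the mask was cheap insurance against any stray low or high bits in the pointer becoming descriptor attributes. Either keep the mask or call the simplification out explicitly in the commit message.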
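Review bot: in the UpdateRegionMapping hunk, the new `ArmUpdateTranslationTableEntry (BlockEntry, (VOID *)RegionStart)` call follows an in-place read-modify-write of a live block entry. For a permission-only change of an existing valid mapping that is fine, but if `Type` or the output address of a live entry changes, the architecture's break-before-make rule asks for an invalid descriptor to be written and invalidated first, otherwise a TLB conflict abort is possible. The in-place write predates this patch; now that invalidation is per entry, a comment stating which transitions this path is meant for (attribute changes of already-valid mappings) would document the assumption.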
@@ -487,9 +491,6 @@ ArmSetMemoryAttributes ( return Status; } - // Invalidate all TLB entries so changes are synced - ArmInvalidateTlb (); - return EFI_SUCCESS; } @@ -512,9 +513,6 @@ SetMemoryRegionAttribute ( return Status; } - // Invalidate all TLB entries so changes are synced - ArmInvalidateTlb (); - return EFI_SUCCESS; } diff --git a/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibReplaceEntry.S b/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibReplaceEntry.S index 90192df24f55..d40c19b2e3e5 100644 --- a/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibReplaceEntry.S +++ b/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibReplaceEntry.S @@ -32,11 +32,12 @@ dmb sy dc ivac, x0 - // flush the TLBs + // flush translations for the target address from the TLBs + lsr x2, x2, #12 .if \el == 1 - tlbi vmalle1 + tlbi vaae1, x2 .else - tlbi alle\el + tlbi vae\el, x2 .endif dsb sy @@ -48,12 +49,13 @@ //VOID //ArmReplaceLiveTranslationEntry ( // IN UINT64 *Entry, -// IN UINT64 Value +// IN UINT64 Value, +// IN UINT64 Address // ) ASM_FUNC(ArmReplaceLiveTranslationEntry) // disable interrupts - mrs x2, daif + mrs x4, daif msr daifset, #0xf isb 
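Review bot: with both `ArmInvalidateTlb ()` calls removed from ArmSetMemoryAttributes and SetMemoryRegionAttribute, TLB coherence now depends entirely on every table-modifying path ending in a VA-scoped invalidation, which in this series means `ArmUpdateTranslationTableEntry` in UpdateRegionMapping and the `tlbi vaae1` / `tlbi vae\el` in `__replace_entry`. That invariant is not written down anywhere; a comment at the two removal sites (or a sentence in the commit message) naming those two invalidation points would stop a later change from adding a third write path without one.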
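Review bot: in the ArmMmuLibReplaceEntry.S hunks, `__replace_entry` now shifts x2 in place (`lsr x2, x2, #12`), which is why the saved DAIF value moved from x2 to x4; a comment above ASM_FUNC(ArmReplaceLiveTranslationEntry) listing the register assignments (x0 entry, x1 value, x2 address, x4 saved DAIF) would make that dependency explicit rather than something the reader reconstructs from two hunks. Also, this routine keeps `dsb sy` around its `tlbi` while ArmLibSupport.S switched to `dsb nsh` for the same kind of invalidation; a sentence on why the two routines pick different shareability domains would help.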
@@ -69,7 +71,7 @@ ASM_FUNC(ArmReplaceLiveTranslationEntry) b 4f 3:__replace_entry 3 -4:msr daif, x2 +4:msr daif, x4 ret ASM_GLOBAL ASM_PFX(ArmReplaceLiveTranslationEntrySize)
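Review bot: `4:msr daif, x4` restores the mask saved by the updated `mrs x4, daif`, so the pair is consistent. Since x4 now has to survive across all three `__replace_entry` instantiations, the macro must not clobber it; the visible lines show it using x0 and x2 only, but a comment stating that x4 is reserved for the saved DAIF would protect that assumption from future edits to the macro.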
From patchwork Mon Jan 7 07:15:02 2019
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 154873
From: Ard Biesheuvel
To: edk2-devel@lists.01.org
Date: Mon, 7 Jan 2019 08:15:02 +0100
Message-Id: <20190107071504.2431-4-ard.biesheuvel@linaro.org>
In-Reply-To: <20190107071504.2431-1-ard.biesheuvel@linaro.org>
References: <20190107071504.2431-1-ard.biesheuvel@linaro.org>
Subject: [edk2] [PATCH 3/5] ArmPkg/ArmMmuLib AARCH64: implement support for EFI_MEMORY_RP permissions

Wire up the access flag (AF) page table attribute to the EFI_MEMORY_RP permission attribute, so that attempts to read from such a region will trigger an access flag fault.

Note that this is a stronger notion than just read protection, since it now implies that any write or execute attempt is trapped as well. However, this does not really matter in practice since we never assume that a read protected page is writable or executable, and StackGuard and HeapGuard (which are the primary users of this facility) certainly don't care.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ard Biesheuvel
---
 ArmPkg/Drivers/CpuDxe/AArch64/Mmu.c              |  5 +++--
 ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c | 14 +++++++++++---
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/ArmPkg/Drivers/CpuDxe/AArch64/Mmu.c b/ArmPkg/Drivers/CpuDxe/AArch64/Mmu.c
index 3e216c7cb235..e62e3fa87112 100644
--- a/ArmPkg/Drivers/CpuDxe/AArch64/Mmu.c
+++ b/ArmPkg/Drivers/CpuDxe/AArch64/Mmu.c
@@ -223,8 +223,9 @@ EfiAttributeToArmAttribute ( ArmAttributes = TT_ATTR_INDX_MASK; } - // Set the access flag to match the block attributes - ArmAttributes |= TT_AF; + if ((EfiAttributes & EFI_MEMORY_RP) == 0) { + ArmAttributes |= TT_AF; + } // Determine protection attributes if (EfiAttributes & EFI_MEMORY_RO) { diff --git a/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c b/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c index e1fabfcbea14..b59c081a7e49 100644 --- a/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c +++ b/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c @@ -102,6 +102,10 @@ PageAttributeToGcdAttribute ( GcdAttributes |= EFI_MEMORY_XP; } + if ((PageAttributes & TT_AF) == 0) { + GcdAttributes |= EFI_MEMORY_RP; + } + return GcdAttributes; } @@ -451,7 +455,11 @@ GcdAttributeToPageAttribute ( PageAttributes |= TT_AP_RO_RO; } - return PageAttributes | TT_AF; + if ((GcdAttributes & EFI_MEMORY_RP) == 0) { + PageAttributes |= TT_AF; + } + + return PageAttributes; } EFI_STATUS 
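Review bot: implementing EFI_MEMORY_RP as a clear access flag, as EfiAttributeToArmAttribute, GcdAttributeToPageAttribute and the reverse mapping in PageAttributeToGcdAttribute now do, only produces a fault while hardware access-flag management is disabled (TCR_ELx.HA == 0). With HA enabled the first access silently sets AF instead of trapping, and PageAttributeToGcdAttribute would then report the page as no longer read-protected. Nothing in these hunks guards against that; an ASSERT or at least a comment recording that ArmMmuLib never enables HA would pin the assumption down, since StackGuard and HeapGuard depend on the fault actually firing.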
@@ -474,9 +482,9 @@ ArmSetMemoryAttributes ( // No memory type was set in Attributes, so we are going to update the // permissions only. // - PageAttributes &= TT_AP_MASK | TT_UXN_MASK | TT_PXN_MASK; + PageAttributes &= TT_AP_MASK | TT_UXN_MASK | TT_PXN_MASK | TT_AF; PageAttributeMask = ~(TT_ADDRESS_MASK_BLOCK_ENTRY | TT_AP_MASK | - TT_PXN_MASK | TT_XN_MASK); + TT_PXN_MASK | TT_XN_MASK | TT_AF); } TranslationTable = ArmGetTTBR0BaseAddress ();
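Review bot: both masks in the permission-only branch of ArmSetMemoryAttributes are updated consistently for TT_AF, which is required: without TT_AF in the clearing mask a request to add EFI_MEMORY_RP would leave the old AF bit set, and without it in the attribute filter a request to remove RP would never set AF again. The two masks still spell the execute-never bits differently (`TT_UXN_MASK | TT_PXN_MASK` in the filter, `TT_PXN_MASK | TT_XN_MASK` in the clearing mask); worth confirming that `TT_XN_MASK` covers UXN so that a permission-only update which drops EFI_MEMORY_XP also clears UXN, or unifying the spelling while touching these lines.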
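To make the AF/EFI_MEMORY_RP wiring and the mask change in ArmSetMemoryAttributes concrete, here is an added host-side model; it is not edk2 code and not part of the patch. It translates attributes in both directions, applies a permission-only update to a live block entry with the pre-patch masks and with the patched masks, and checks an access the way the MMU does when hardware AF management is off. The EFI_MEMORY_* values and the descriptor bit positions are assumptions recalled from the UEFI spec and ArmPkg's AArch64Mmu.h naming; verify them against the headers before reusing the constants.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* UEFI memory attribute bits (assumed values, verify against UefiSpec.h). */
#define EFI_MEMORY_RP 0x0000000000002000ULL
#define EFI_MEMORY_XP 0x0000000000004000ULL
#define EFI_MEMORY_RO 0x0000000000020000ULL

/* AArch64 stage-1 block/page descriptor bits. Names follow ArmPkg's
 * AArch64Mmu.h; positions are the architectural ones (AP[2:1] at 7:6,
 * AF at bit 10, PXN/UXN at 53/54, output address at 47:12). Assumed. */
#define TT_TYPE_MASK                0x3ULL
#define TT_TYPE_BLOCK_ENTRY         0x1ULL
#define TT_AP_MASK                  (0x3ULL << 6)
#define TT_AP_RO_RO                 (0x3ULL << 6)   /* read-only at all ELs */
#define TT_AF                       (1ULL << 10)
#define TT_PXN_MASK                 (1ULL << 53)
#define TT_UXN_MASK                 (1ULL << 54)
#define TT_XN_MASK                  (TT_PXN_MASK | TT_UXN_MASK)
#define TT_ADDRESS_MASK_BLOCK_ENTRY (0xFFFFFFFFFULL << 12)

/* GCD -> descriptor attributes, post-patch rule: AF is set only when the
 * region is not read-protected, so touching an RP page raises an
 * access flag fault. */
uint64_t GcdAttributeToPageAttribute(uint64_t Gcd)
{
  uint64_t Page = 0;
  if (Gcd & EFI_MEMORY_XP) Page |= TT_XN_MASK;
  if (Gcd & EFI_MEMORY_RO) Page |= TT_AP_RO_RO;
  if ((Gcd & EFI_MEMORY_RP) == 0) Page |= TT_AF;
  return Page;
}

/* Descriptor -> GCD attributes: a clear AF now reads back as EFI_MEMORY_RP. */
uint64_t PageAttributeToGcdAttribute(uint64_t Page)
{
  uint64_t Gcd = 0;
  if ((Page & TT_AP_MASK) == TT_AP_RO_RO) Gcd |= EFI_MEMORY_RO;
  if (Page & TT_XN_MASK) Gcd |= EFI_MEMORY_XP;
  if ((Page & TT_AF) == 0) Gcd |= EFI_MEMORY_RP;
  return Gcd;
}

/* Permission-only update of one live block entry, modelled on the
 * ArmSetMemoryAttributes / UpdateRegionMapping pair: the entry is masked,
 * then address, new attributes and type are OR-ed back in. IncludeAf
 * selects the pre-patch masks (false) or the patched masks that also
 * cover TT_AF (true). */
uint64_t ApplyPermissionUpdate(uint64_t Entry, uint64_t Gcd, bool IncludeAf)
{
  uint64_t AfBit = IncludeAf ? TT_AF : 0;
  uint64_t Attributes = GcdAttributeToPageAttribute(Gcd) &
                        (TT_AP_MASK | TT_UXN_MASK | TT_PXN_MASK | AfBit);
  uint64_t EntryMask = ~(TT_ADDRESS_MASK_BLOCK_ENTRY | TT_AP_MASK |
                         TT_PXN_MASK | TT_XN_MASK | AfBit);
  uint64_t Address = Entry & TT_ADDRESS_MASK_BLOCK_ENTRY;

  Entry &= EntryMask;
  Entry |= Address | Attributes | TT_TYPE_BLOCK_ENTRY;
  return Entry;
}

enum Access { ACCESS_READ, ACCESS_WRITE, ACCESS_EXEC };

/* Model of the MMU permission check with hardware AF management off
 * (TCR_ELx.HA == 0): a clear AF faults before any AP/XN check, which is
 * why RP traps writes and instruction fetches as well as reads. */
bool AccessAllowed(uint64_t Entry, enum Access Kind)
{
  if ((Entry & TT_TYPE_MASK) == 0) return false;   /* invalid descriptor */
  if ((Entry & TT_AF) == 0) return false;          /* access flag fault */
  if (Kind == ACCESS_WRITE && (Entry & TT_AP_MASK) == TT_AP_RO_RO) return false;
  if (Kind == ACCESS_EXEC && (Entry & TT_XN_MASK)) return false;
  return true;
}

int main(void)
{
  /* Constructed sample: a writable, executable, accessed 4 KB page. */
  uint64_t Entry = 0x40001000ULL | TT_AF | TT_TYPE_BLOCK_ENTRY;
  uint64_t Old = ApplyPermissionUpdate(Entry, EFI_MEMORY_RP, false);
  uint64_t New = ApplyPermissionUpdate(Entry, EFI_MEMORY_RP, true);

  printf("RP via pre-patch masks: AF=%d read allowed=%d\n",
         (Old & TT_AF) != 0, AccessAllowed(Old, ACCESS_READ));
  printf("RP via patched masks:   AF=%d read allowed=%d\n",
         (New & TT_AF) != 0, AccessAllowed(New, ACCESS_READ));
  return 0;
}
```

The pre-patch masks leave AF untouched, so the update silently fails to protect the page; the patched masks clear it, and the same masks are what allow RP to be lifted again later, because AF must be re-added by the attribute filter.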
From patchwork Mon Jan 7 07:15:03 2019
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 154874
From: Ard Biesheuvel
To: edk2-devel@lists.01.org
Date: Mon, 7 Jan 2019 08:15:03 +0100
Message-Id: <20190107071504.2431-5-ard.biesheuvel@linaro.org>
In-Reply-To: <20190107071504.2431-1-ard.biesheuvel@linaro.org>
References: <20190107071504.2431-1-ard.biesheuvel@linaro.org>
Subject: [edk2] [PATCH 4/5] ArmPkg/ArmMmuLib AARCH64: add support for read-only page tables

As a hardening measure, implement support for remapping all page tables read-only at a certain point during the boot (end of DXE is the most appropriate trigger). This should make it a lot more difficult to take advantage of write exploits to defeat authentication checks, since the attacker can no longer manipulate the page tables directly.

To allow the page tables to still be manipulated, make use of the existing code to manipulate live entries: this drops into assembler with interrupts off, and disables the MMU for a brief moment to avoid causing TLB conflicts. Since page tables are writable with the MMU off, we can reuse this code to still manipulate the page tables after we updated the CPU mappings to be read-only.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ard Biesheuvel
---
 ArmPkg/Include/Library/ArmMmuLib.h               |   6 +
 ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c | 119 ++++++++++++++++++--
 ArmPkg/Library/ArmMmuLib/Arm/ArmMmuLibCore.c     |   8 ++
 3 files changed, 123 insertions(+), 10 deletions(-)

diff --git a/ArmPkg/Include/Library/ArmMmuLib.h b/ArmPkg/Include/Library/ArmMmuLib.h
index d2725810f1c6..f0832b91bf17 100644
--- a/ArmPkg/Include/Library/ArmMmuLib.h +++ b/ArmPkg/Include/Library/ArmMmuLib.h @@ -70,4 +70,10 @@ ArmSetMemoryAttributes ( IN UINT64 Attributes ); +VOID +EFIAPI +MapAllPageTablesReadOnly ( + VOID + ); + #endif diff --git a/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c b/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c index b59c081a7e49..cefaad9961ea 100644 --- a/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c +++ b/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c @@ -28,6 +28,8 @@ // We use this index definition to define an invalid block entry #define TT_ATTR_INDX_INVALID ((UINT32)~0) +STATIC BOOLEAN mReadOnlyPageTables; + STATIC UINT64 ArmMemoryAttributeToPageAttribute ( @@ -137,6 +139,9 @@ ReplaceLiveEntry ( IN UINT64 Address ) { + if (*Entry == Value) { + return; + } if (!ArmMmuEnabled ()) { *Entry = Value; } else { @@ -181,7 +186,8 @@ GetBlockEntryListFromAddress ( IN UINT64 RegionStart, OUT UINTN *TableLevel, IN OUT UINT64 *BlockEntrySize, - OUT UINT64 **LastBlockEntry + OUT UINT64 **LastBlockEntry, + OUT BOOLEAN *NewPageTablesAllocated ) { UINTN RootTableLevel; @@ -292,6 +298,8 @@ GetBlockEntryListFromAddress ( return NULL; } + *NewPageTablesAllocated = TRUE; + // Populate the newly created lower level table SubTableBlockEntry = TranslationTable; for (Index = 0; Index < TT_ENTRY_COUNT; Index++) { @@ -316,10 +324,18 @@ GetBlockEntryListFromAddress ( return NULL; } + *NewPageTablesAllocated = TRUE; + ZeroMem (TranslationTable, TT_ENTRY_COUNT * sizeof(UINT64)); // Fill the new BlockEntry with the TranslationTable - *BlockEntry = ((UINTN)TranslationTable & TT_ADDRESS_MASK_DESCRIPTION_TABLE) | TT_TYPE_TABLE_ENTRY; + if (!mReadOnlyPageTables) { + *BlockEntry = (UINTN)TranslationTable | TT_TYPE_TABLE_ENTRY; + } else { + ReplaceLiveEntry (BlockEntry, + (UINTN)TranslationTable | TT_TYPE_TABLE_ENTRY, + RegionStart); + } } } } 
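Review bot: the new MapAllPageTablesReadOnly () prototype in ArmMmuLib.h has no function header comment, which edk2 library class headers otherwise carry for every API; please add one that says when it may be called (once the MMU is up), that calling it again is safe (UpdateRegionMapping () itself re-invokes it whenever it allocates a table), and that after the first call every mapping change is routed through the MMU-off ReplaceLiveEntry () path, so callers can budget for that.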
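Review bot: the early `if (*Entry == Value) { return; }` added to ReplaceLiveEntry () is doing real work for this series and deserves a comment saying so: the restart-from-root walk in MapAllPageTablesReadOnly () re-submits every table that is already read-only, and without this check each of those would cost an interrupts-off MMU off/on cycle. A later cleanup could easily drop it as redundant.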
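Review bot: in the @@ -292 hunk (the split of a block into a table) the change only sets `*NewPageTablesAllocated = TRUE;` and the lines that store the new table descriptor into the parent entry sit outside the hunk; please confirm that path already goes through ReplaceLiveEntry (), because a direct store there would fault as soon as the parent table is read-only. Also, NewPageTablesAllocated is only ever set to TRUE and never cleared by this function, so it depends on the caller pre-initialising it (UpdateRegionMapping () does); a note on the parameter would make that contract explicit.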
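Review bot: the @@ -316 hunk changes the descriptor written into *BlockEntry from `((UINTN)TranslationTable & TT_ADDRESS_MASK_DESCRIPTION_TABLE) | TT_TYPE_TABLE_ENTRY` to `(UINTN)TranslationTable | TT_TYPE_TABLE_ENTRY` in both the direct-store and the ReplaceLiveEntry () branch, which is a separate change from what the commit message describes. Assuming the freshly allocated, just-zeroed table is 4 KB aligned the dropped mask only cleared bits that are already zero, but either keep the mask or call the cleanup out in the commit message.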
@@ -345,7 +361,8 @@ UpdateRegionMapping ( IN UINT64 RegionStart, IN UINT64 RegionLength, IN UINT64 Attributes, - IN UINT64 BlockEntryMask + IN UINT64 BlockEntryMask, + OUT BOOLEAN *ReadOnlyRemapDone ) { UINT32 Type; @@ -353,6 +370,7 @@ UpdateRegionMapping ( UINT64 *LastBlockEntry; UINT64 BlockEntrySize; UINTN TableLevel; + BOOLEAN NewPageTablesAllocated; // Ensure the Length is aligned on 4KB boundary if ((RegionLength == 0) || ((RegionLength & (SIZE_4KB - 1)) != 0)) { @@ -360,11 +378,13 @@ UpdateRegionMapping ( return EFI_INVALID_PARAMETER; } + NewPageTablesAllocated = FALSE; do { // Get the first Block Entry that matches the Virtual Address and also the information on the Table Descriptor // such as the the size of the Block Entry and the address of the last BlockEntry of the Table Descriptor BlockEntrySize = RegionLength; - BlockEntry = GetBlockEntryListFromAddress (RootTable, RegionStart, &TableLevel, &BlockEntrySize, &LastBlockEntry); + BlockEntry = GetBlockEntryListFromAddress (RootTable, RegionStart, + &TableLevel, &BlockEntrySize, &LastBlockEntry, &NewPageTablesAllocated); if (BlockEntry == NULL) { // GetBlockEntryListFromAddress() return NULL when it fails to allocate new pages from the Translation Tables return EFI_OUT_OF_RESOURCES; @@ -378,10 +398,16 @@ UpdateRegionMapping ( do { // Fill the Block Entry with attribute and output block address - *BlockEntry &= BlockEntryMask; - *BlockEntry |= (RegionStart & TT_ADDRESS_MASK_BLOCK_ENTRY) | Attributes | Type; + if (!mReadOnlyPageTables) { + *BlockEntry &= BlockEntryMask; + *BlockEntry |= (RegionStart & TT_ADDRESS_MASK_BLOCK_ENTRY) | Attributes | Type; - ArmUpdateTranslationTableEntry (BlockEntry, (VOID *)RegionStart); + ArmUpdateTranslationTableEntry (BlockEntry, (VOID *)RegionStart); + } else { + ReplaceLiveEntry (BlockEntry, + (*BlockEntry & BlockEntryMask) | (RegionStart & TT_ADDRESS_MASK_BLOCK_ENTRY) | Attributes | Type, + RegionStart); + } // Go to the next BlockEntry RegionStart += BlockEntrySize; 
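Review bot: ReadOnlyRemapDone is declared OUT but UpdateRegionMapping () only writes it on the single path where mReadOnlyPageTables and NewPageTablesAllocated are both set; on the EFI_INVALID_PARAMETER and EFI_OUT_OF_RESOURCES returns, and on the common path where nothing was allocated, the caller's variable is left untouched. Either write `*ReadOnlyRemapDone = FALSE;` at entry when the pointer is not NULL, or make it IN OUT and document that the caller must initialise it, which is what MapPageTableReadOnlyRecursive () does with `Done = FALSE;`.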
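Review bot: in the read-only branch of the @@ -378 hunk each block entry is now written through ReplaceLiveEntry (), i.e. with interrupts off and the MMU disabled once per entry, and the ArmUpdateTranslationTableEntry () call is not made in that branch. Please confirm ReplaceLiveEntry () does the TLB invalidation for RegionStart itself, and state in the commit message that an ArmSetMemoryAttributes () call over a large region after the switch now pays one MMU off/on cycle per page or block it touches.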
@@ -397,9 +423,79 @@ UpdateRegionMapping ( } while ((RegionLength >= BlockEntrySize) && (BlockEntry <= LastBlockEntry)); } while (RegionLength != 0); + // if we have switched to read-only page tables, find the newly allocated ones + // and update their permissions + if (mReadOnlyPageTables && NewPageTablesAllocated) { + MapAllPageTablesReadOnly (); + if (ReadOnlyRemapDone) { + *ReadOnlyRemapDone = TRUE; + } + } + return EFI_SUCCESS; } +STATIC +BOOLEAN +EFIAPI +MapPageTableReadOnlyRecursive ( + IN UINT64 *RootTable, + IN UINT64 *TableEntry, + IN UINTN NumEntries, + IN UINTN TableLevel + ) +{ + EFI_STATUS Status; + BOOLEAN Done; + + // + // The UpdateRegionMapping () call in this function may recurse into + // MapAllPageTablesReadOnly () if it allocates any page tables. When + // this happens, there is little point in proceeding here, so let's + // bail early in that case. + // + Done = FALSE; + Status = UpdateRegionMapping (RootTable, (UINT64)TableEntry, EFI_PAGE_SIZE, + TT_AP_RO_RO, ~TT_ADDRESS_MASK_BLOCK_ENTRY, &Done); + ASSERT_EFI_ERROR (Status); + + if (TableLevel == 3) { + return Done; + } + + // go over the table and recurse for each table type entry + while (!Done && NumEntries--) { + if ((*TableEntry & TT_TYPE_MASK) == TT_TYPE_TABLE_ENTRY) { + Done = MapPageTableReadOnlyRecursive (RootTable, + (UINT64 *)(*TableEntry & TT_ADDRESS_MASK_DESCRIPTION_TABLE), + TT_ENTRY_COUNT, TableLevel + 1); + } + TableEntry++; + } + return Done; +} + +VOID +EFIAPI +MapAllPageTablesReadOnly ( + VOID + ) +{ + UINTN T0SZ; + UINTN RootTableEntryCount; + UINTN RootLevel; + UINT64 *RootTable; + + mReadOnlyPageTables = TRUE; + + T0SZ = ArmGetTCR () & TCR_T0SZ_MASK; + GetRootTranslationTableInfo (T0SZ, &RootLevel, &RootTableEntryCount); + RootTable = ArmGetTTBR0BaseAddress (); + + MapPageTableReadOnlyRecursive (RootTable, RootTable, RootTableEntryCount, + RootLevel); +} + STATIC EFI_STATUS FillTranslationTable ( 
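Review bot: MapPageTableReadOnlyRecursive () only ASSERT_EFI_ERRORs the status of UpdateRegionMapping () and then carries on, so in a RELEASE build an EFI_OUT_OF_RESOURCES (a block had to be split to carve out the 4 KB table page and the allocation failed) leaves that table writable with no indication at all, which is the opposite of what the hardening wants; return the status and have MapAllPageTablesReadOnly () report it, or at least DEBUG it. Two smaller points in the same hunk: setting `mReadOnlyPageTables = TRUE;` before the walk is required (a table allocated mid-walk must not be written directly) but also forces the walk's own updates through the slow path, so it deserves a comment; and the `if (TableLevel == 3)` return should say why it is there, namely that a level-3 descriptor with the TT_TYPE_TABLE_ENTRY bits is a page mapping whose output address must not be followed as a table.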
@@ -412,7 +508,8 @@ FillTranslationTable ( MemoryRegion->VirtualBase, MemoryRegion->Length, ArmMemoryAttributeToPageAttribute (MemoryRegion->Attributes) | TT_AF, - 0 + 0, + NULL ); } @@ -494,7 +591,8 @@ ArmSetMemoryAttributes ( BaseAddress, Length, PageAttributes, - PageAttributeMask); + PageAttributeMask, + NULL); if (EFI_ERROR (Status)) { return Status; } @@ -516,7 +614,8 @@ SetMemoryRegionAttribute ( RootTable = ArmGetTTBR0BaseAddress (); - Status = UpdateRegionMapping (RootTable, BaseAddress, Length, Attributes, BlockEntryMask); + Status = UpdateRegionMapping (RootTable, BaseAddress, Length, Attributes, + BlockEntryMask, NULL); if (EFI_ERROR (Status)) { return Status; } diff --git a/ArmPkg/Library/ArmMmuLib/Arm/ArmMmuLibCore.c b/ArmPkg/Library/ArmMmuLib/Arm/ArmMmuLibCore.c index bffab83d4fd0..9a75026e2919 100644 --- a/ArmPkg/Library/ArmMmuLib/Arm/ArmMmuLibCore.c +++ b/ArmPkg/Library/ArmMmuLib/Arm/ArmMmuLibCore.c 
@@ -844,3 +844,11 @@ ArmMmuBaseLibConstructor ( { return RETURN_SUCCESS; } + +VOID +EFIAPI +MapAllPageTablesReadOnly ( + VOID + ) +{ +}
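Review bot: the 32-bit ArmMmuLib gets an empty MapAllPageTablesReadOnly (), so the EndOfDxe hook in CpuDxe links and runs on ARM but provides no page-table protection there, silently. Add a comment in the stub saying the feature is deliberately not implemented for 32-bit ARM, and say the same in the ArmMmuLib.h description, so a platform does not mistake a successful build for coverage.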
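The mechanism the commit message describes, as an added example that is not part of the patch or of edk2: a host-side C model of the read-only walk. It assumes a 48-bit, 4 KB-granule layout with host addresses below 2^47, identity-maps a statically allocated 2 MB arena so host addresses stand in for physical addresses, and defines its own descriptor constants (named after the patch's TT_* macros, but not taken from ArmMmuLib). It shows the one point the walk has to get right: a level-3 descriptor carrying the table encoding is a page, so the recursion stops at level 3, and it is the level-3 entry covering each table page that gets switched to TT_AP_RO_RO.

```c
/* Added example, not edk2 code: a host-side model of the patch's
 * MapAllPageTablesReadOnly (). It builds a 4-level, 4 KB-granule AArch64
 * table set inside a 2 MB arena that identity-maps that arena, walks the
 * tables to find every table page, then flips the level-3 descriptor covering
 * each table page to read-only. Arena, allocator and constants are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_BYTES      4096ull
#define ARENA_SIZE      (2ull << 20)           /* exactly one level-3 table's reach */
#define TT_ENTRY_COUNT  512u
#define TT_TYPE_MASK    0x3ull
#define TT_TYPE_TABLE   0x3ull                 /* "table" at level 0..2, "page" at level 3 */
#define TT_ADDR_MASK    0x0000FFFFFFFFF000ull  /* next-level/output address, bits [47:12] */
#define TT_AP_MASK      (0x3ull << 6)
#define TT_AP_RW_RW     (0x1ull << 6)          /* AP[2:1] = 01: writable at EL1 and EL0 */
#define TT_AP_RO_RO     (0x3ull << 6)          /* AP[2:1] = 11: read-only at EL1 and EL0 */

typedef struct {
  uint8_t  *Arena;    /* 2 MB-aligned backing store; its host VA doubles as the "PA" */
  uint64_t  NextPage; /* bump allocator offset for table pages */
  uint64_t *Root;     /* level-0 table */
} Model;
static uint8_t ArenaStore[2 * ARENA_SIZE];  /* BSS; the 2 MB-aligned half is used */

/* Index into the level-Level table for Va (48-bit VA, 4 KB granule). */
static unsigned Idx(uint64_t Va, unsigned Level) {
  return (unsigned)((Va >> (39 - 9 * Level)) & (TT_ENTRY_COUNT - 1));
}
static uint64_t *NewTable(Model *M) {
  uint64_t *T = (uint64_t *)(M->Arena + M->NextPage);
  M->NextPage += PAGE_BYTES;
  return memset(T, 0, PAGE_BYTES);
}
/* Root -> L1 -> L2 -> L3, with L3 mapping the whole arena as RW pages. */
static void BuildIdentityMap(Model *M) {
  uint64_t Base = (uint64_t)(uintptr_t)M->Arena, *L1, *L2, *L3; unsigned i;
  M->Root = NewTable(M); L1 = NewTable(M); L2 = NewTable(M); L3 = NewTable(M);
  M->Root[Idx(Base, 0)] = ((uint64_t)(uintptr_t)L1 & TT_ADDR_MASK) | TT_TYPE_TABLE;
  L1[Idx(Base, 1)]      = ((uint64_t)(uintptr_t)L2 & TT_ADDR_MASK) | TT_TYPE_TABLE;
  L2[Idx(Base, 2)]      = ((uint64_t)(uintptr_t)L3 & TT_ADDR_MASK) | TT_TYPE_TABLE;
  for (i = 0; i < TT_ENTRY_COUNT; i++)
    L3[i] = ((Base + i * PAGE_BYTES) & TT_ADDR_MASK) | TT_AP_RW_RW | TT_TYPE_TABLE;
}
/* The walk MapPageTableReadOnlyRecursive () performs: record this table, descend
 * into table descriptors, but never at level 3, where bits[1:0] == 11 is a page. */
static unsigned CollectTables(uint64_t *Table, unsigned Level,
                              uint64_t **Out, unsigned Max, unsigned N) {
  unsigned i;
  if (N < Max) Out[N] = Table; N++;
  if (Level == 3) return N;
  for (i = 0; i < TT_ENTRY_COUNT; i++)
    if ((Table[i] & TT_TYPE_MASK) == TT_TYPE_TABLE)
      N = CollectTables((uint64_t *)(uintptr_t)(Table[i] & TT_ADDR_MASK),
                        Level + 1, Out, Max, N);
  return N;
}
/* Level-3 descriptor mapping Va, or NULL if the walk leaves the mapped range. */
static uint64_t *LeafEntry(uint64_t *Root, uint64_t Va) {
  uint64_t *T = Root, E; unsigned Level;
  for (Level = 0; Level < 3; Level++) {
    E = T[Idx(Va, Level)];
    if ((E & TT_TYPE_MASK) != TT_TYPE_TABLE) return NULL;
    T = (uint64_t *)(uintptr_t)(E & TT_ADDR_MASK);
  }
  return &T[Idx(Va, 3)];
}
/* AP field of the page mapping Addr; all ones if unmapped. */
static uint64_t ApOf(Model *M, const void *Addr) {
  uint64_t *Leaf = LeafEntry(M->Root, (uint64_t)(uintptr_t)Addr);
  return Leaf ? (*Leaf & TT_AP_MASK) : ~0ull;
}
/* Model of MapAllPageTablesReadOnly (): returns how many table pages got locked. */
static unsigned MapAllTablesReadOnly(Model *M) {
  uint64_t *Tables[16], *Leaf;
  unsigned N = CollectTables(M->Root, 0, Tables, 16, 0), i, Locked = 0;
  for (i = 0; i < N && i < 16; i++) {
    Leaf = LeafEntry(M->Root, (uint64_t)(uintptr_t)Tables[i]);
    if (Leaf == NULL || (*Leaf & TT_TYPE_MASK) != TT_TYPE_TABLE) continue;
    *Leaf = (*Leaf & ~TT_AP_MASK) | TT_AP_RO_RO;
    Locked++;
  }
  return Locked;
}
/* Whole scenario; returns the locked-table count or a negative code on a model error. */
static int RunScenario(void) {
  Model M; int Locked;
  M.Arena = (uint8_t *)(((uintptr_t)ArenaStore + ARENA_SIZE - 1) & ~(uintptr_t)(ARENA_SIZE - 1));
  M.NextPage = 0;
  BuildIdentityMap(&M);
  if (ApOf(&M, M.Root) != TT_AP_RW_RW) return -2;                    /* tables start RW */
  Locked = (int)MapAllTablesReadOnly(&M);
  if (ApOf(&M, M.Root) != TT_AP_RO_RO) return -3;                    /* root is RO now */
  if (ApOf(&M, M.Arena + 16 * PAGE_BYTES) != TT_AP_RW_RW) return -4; /* data page untouched */
  return Locked;
}
int main(void) {
  int Locked = RunScenario();
  printf("table pages locked read-only: %d\n", Locked);
  return Locked == 4 ? 0 : 1;
}
```

Build with any C99 or later compiler and run; it prints 4 (root, level 1, level 2 and level 3 table). The model rewrites descriptors directly because nothing here is live in a TLB; that is exactly the step the firmware has to route through ReplaceLiveEntry () with interrupts off and the MMU disabled once the tables themselves are read-only.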
From: Ard Biesheuvel
To: edk2-devel@lists.01.org
Date: Mon, 7 Jan 2019 08:15:04 +0100
Message-Id: <20190107071504.2431-6-ard.biesheuvel@linaro.org>
In-Reply-To: <20190107071504.2431-1-ard.biesheuvel@linaro.org>
Subject: [edk2] [PATCH 5/5] ArmPkg/CpuDxe: switch to read-only page tables at EndOfDxe

Register for the EndOfDxe event, and use it to invoke the new ArmMmuLib code that remaps all page tables as read-only. This should limit the impact of arbitrary write exploits, since they can no longer be abused to modify tightened memory permissions.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ard Biesheuvel
---
 ArmPkg/Drivers/CpuDxe/CpuDxe.c   | 23 ++++++++++++++++++++
 ArmPkg/Drivers/CpuDxe/CpuDxe.inf |  1 +
 2 files changed, 24 insertions(+)

-- 
2.20.1

diff --git a/ArmPkg/Drivers/CpuDxe/CpuDxe.c b/ArmPkg/Drivers/CpuDxe/CpuDxe.c
index 5e923d45b715..11f4a2ccf5c8 100644
--- a/ArmPkg/Drivers/CpuDxe/CpuDxe.c
+++ b/ArmPkg/Drivers/CpuDxe/CpuDxe.c
@@ -238,6 +238,17 @@ InitializeDma ( CpuArchProtocol->DmaBufferAlignment = ArmCacheWritebackGranule (); } +STATIC +VOID +EFIAPI +OnEndOfDxe ( + IN EFI_EVENT Event, + IN VOID *Context + ) +{ + MapAllPageTablesReadOnly (); +} + EFI_STATUS CpuDxeInitialize ( IN EFI_HANDLE ImageHandle, @@ -246,6 +257,7 @@ CpuDxeInitialize ( { EFI_STATUS Status; EFI_EVENT IdleLoopEvent; + EFI_EVENT EndOfDxeEvent; InitializeExceptions (&mCpu);
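Review bot: OnEndOfDxe () never closes its event; EndOfDxe is signalled once, so add `gBS->CloseEvent (Event);` at the end of the handler as is customary for one-shot callbacks in edk2, and since Context is ignored a short comment saying so avoids the unused-parameter question. The EndOfDxeEvent local added at @@ -246 only receives the handle and is not referenced again, so the handler is the only place that can release it.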
@@ -285,5 +297,16 @@ CpuDxeInitialize ( ); ASSERT_EFI_ERROR (Status); + + Status = gBS->CreateEventEx ( + EVT_NOTIFY_SIGNAL, + TPL_CALLBACK, + OnEndOfDxe, + NULL, + &gEfiEndOfDxeEventGroupGuid, + &EndOfDxeEvent + ); + ASSERT_EFI_ERROR (Status); + return Status; } diff --git a/ArmPkg/Drivers/CpuDxe/CpuDxe.inf b/ArmPkg/Drivers/CpuDxe/CpuDxe.inf index c32d2cb9c7d4..0788a2ab27c0 100644 --- a/ArmPkg/Drivers/CpuDxe/CpuDxe.inf +++ b/ArmPkg/Drivers/CpuDxe/CpuDxe.inf @@ -63,6 +63,7 @@ [Guids] gEfiDebugImageInfoTableGuid + gEfiEndOfDxeEventGroupGuid gArmMpCoreInfoGuid gIdleLoopEventGuid gEfiVectorHandoffTableGuid
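Review bot: the callback is registered at TPL_CALLBACK, so any other EndOfDxe handler at TPL_NOTIFY runs before the tables are locked, while the order among TPL_CALLBACK handlers is not guaranteed; handlers that run after this one still succeed (the commit message for 4/5 says mapping changes remain possible) but pay the MMU-off cost per entry. Please state in the commit message which ordering is intended, and whether TPL_CALLBACK was chosen so that most other EndOfDxe work sees the fast path. The ASSERT_EFI_ERROR (Status) followed by `return Status;` matches the IdleLoop event registration above it, so a CreateEventEx failure fails driver initialisation in RELEASE builds too, which seems right for a hardening feature; the CpuDxe.inf hunk adding gEfiEndOfDxeEventGroupGuid is what that needs.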