From patchwork Fri Mar 10 12:50:24 2023
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 662202
From: Ard Biesheuvel
To: linux-efi@vger.kernel.org
Cc: linux-arm-kernel@lists.infradead.org, Ard Biesheuvel, Peter Jones, Gerd Hoffmann, Ilias Apalodimas, Kees Cook, stable@vger.kernel.org
Subject: [PATCH 1/3] efi/libstub: zboot: Mark zboot EFI application as NX compatible
Date: Fri, 10 Mar 2023 13:50:24 +0100
Message-Id: <20230310125026.3390928-2-ardb@kernel.org>
In-Reply-To: <20230310125026.3390928-1-ardb@kernel.org>
References: <20230310125026.3390928-1-ardb@kernel.org>

Now that the zboot loader will invoke the EFI memory attributes protocol
to remap the decompressed code and rodata as read-only/executable, we
can set the PE/COFF header flag that indicates to the firmware that the
application does not rely on writable memory being executable at the
same time.

Cc: # v6.2+
Signed-off-by: Ard Biesheuvel
---
 drivers/firmware/efi/libstub/zboot-header.S | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/firmware/efi/libstub/zboot-header.S b/drivers/firmware/efi/libstub/zboot-header.S index ec4525d40e0cf6d6..445cb646eaaaf1c6 100644 --- a/drivers/firmware/efi/libstub/zboot-header.S +++ b/drivers/firmware/efi/libstub/zboot-header.S
@@ -63,7 +63,7 @@ __efistub_efi_zboot_header: .long .Lefi_header_end - .Ldoshdr .long 0 .short IMAGE_SUBSYSTEM_EFI_APPLICATION - .short 0 + .short IMAGE_DLL_CHARACTERISTICS_NX_COMPAT #ifdef CONFIG_64BIT .quad 0, 0, 0, 0 #else

From patchwork Fri Mar 10 12:50:25 2023
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 661898
From: Ard Biesheuvel
To: linux-efi@vger.kernel.org
Cc: linux-arm-kernel@lists.infradead.org, Ard Biesheuvel, Peter Jones, Gerd Hoffmann, Ilias Apalodimas, Kees Cook
Subject: [PATCH 2/3] efi/libstub: arm64: Remap relocated image with strict permissions
Date: Fri, 10 Mar 2023 13:50:25 +0100
Message-Id: <20230310125026.3390928-3-ardb@kernel.org>
In-Reply-To: <20230310125026.3390928-1-ardb@kernel.org>
References: <20230310125026.3390928-1-ardb@kernel.org>

After relocating the executable image, use the EFI memory attributes
protocol to remap the code and data regions with the appropriate
permissions.

Signed-off-by: Ard Biesheuvel
---
 drivers/firmware/efi/libstub/arm64-stub.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/firmware/efi/libstub/arm64-stub.c b/drivers/firmware/efi/libstub/arm64-stub.c index d4a6b12a87413024..b996553cdb4c3587 100644 --- a/drivers/firmware/efi/libstub/arm64-stub.c +++ b/drivers/firmware/efi/libstub/arm64-stub.c
@@ -139,6 +139,7 @@ efi_status_t handle_kernel_image(unsigned long *image_addr, *image_addr = *reserve_addr; memcpy((void *)*image_addr, _text, kernel_size); caches_clean_inval_pou(*image_addr, *image_addr + kernel_codesize); + efi_remap_image(*image_addr, *reserve_size, kernel_codesize); return EFI_SUCCESS; }

From patchwork Fri Mar 10 12:50:26 2023
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 661897
From: Ard Biesheuvel
To: linux-efi@vger.kernel.org
Cc: linux-arm-kernel@lists.infradead.org, Ard Biesheuvel, Peter Jones, Gerd Hoffmann, Ilias Apalodimas, Kees Cook, stable@vger.kernel.org
Subject: [PATCH 3/3] arm64: efi: Set NX compat flag in PE/COFF header
Date: Fri, 10 Mar 2023 13:50:26 +0100
Message-Id: <20230310125026.3390928-4-ardb@kernel.org>
In-Reply-To: <20230310125026.3390928-1-ardb@kernel.org>
References: <20230310125026.3390928-1-ardb@kernel.org>

The PE/COFF header has a NX compat flag which informs the firmware that
the application does not rely on memory regions being mapped with both
executable and writable permissions at the same time.

This is typically used by the firmware to decide whether it can set the
NX attribute on all allocations it returns, but going forward, it may be
used to enforce a policy that only permits applications with the NX flag
set to be loaded to begin with in some configurations, e.g., when Secure
Boot is in effect.

Even though the arm64 version of the EFI stub may relocate the kernel
before executing it, it always did so after disabling the MMU, and so we
were always in line with what the NX compat flag conveys, we just never
bothered to set it.

So let's set the flag now.

Cc:
Signed-off-by: Ard Biesheuvel
---
 arch/arm64/kernel/efi-header.S | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm64/kernel/efi-header.S b/arch/arm64/kernel/efi-header.S index 28d8a5dca5f12978..d731b4655df8eb27 100644 --- a/arch/arm64/kernel/efi-header.S +++ b/arch/arm64/kernel/efi-header.S @@ -66,7 +66,7 @@ .long .Lefi_header_end - .L_head // SizeOfHeaders .long 0 // CheckSum .short IMAGE_SUBSYSTEM_EFI_APPLICATION // Subsystem - .short 0 // DllCharacteristics + .short IMAGE_DLL_CHARACTERISTICS_NX_COMPAT // DllCharacteristics .quad 0 // SizeOfStackReserve .quad 0 // SizeOfStackCommit .quad 0 // SizeOfHeapReserve
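
Review bot: On patch 1/3, the changed `.short` in drivers/firmware/efi/libstub/zboot-header.S carries no field comment, so a reader has to count header fields to see that it is DllCharacteristics; arch/arm64/kernel/efi-header.S in 3/3 annotates the same field with `// DllCharacteristics`. Suggest adding the same trailing comment here. The commit message also makes the flag conditional on the loader remapping code and rodata through the memory attributes protocol, so the v6.2+ stable tag should name that prerequisite change.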
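
Review bot: On patch 2/3, the added efi_remap_image() call in handle_kernel_image() is passed *reserve_size while the memcpy() two lines above copies kernel_size bytes, and nothing in the hunk says why the remapped range differs from the copied one. Suggest a one-line comment stating that the remap deliberately covers the whole reservation, or passing kernel_size if it does not. The function also returns EFI_SUCCESS directly after the call without looking at any result, so the commit message should say whether the remap is meant to be best-effort.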
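
Review bot: On patch 3/3, the DllCharacteristics change in arch/arm64/kernel/efi-header.S is Cc'd to stable while 2/3, which adds the remap on the relocation path, is not, and the commit message does not say whether the two are independent. The message argues the flag was already accurate because relocation happened with the MMU disabled; suggest stating explicitly that this patch can be picked without 2/3, so a backport does not advertise NX compatibility on the strength of a change that is absent from that tree.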
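
A check that can be run on a built EFI binary to confirm the flag this series sets, as an added example that is not part of the patches or the kernel tree: it reads DllCharacteristics from the PE/COFF optional header and tests the NX compat bit (0x0100). The names `pe_nx_compat` and `make_image` are hypothetical, and the sample header is constructed for the demo rather than taken from a real kernel image.

```python
import struct

IMAGE_SUBSYSTEM_EFI_APPLICATION = 10
NX_COMPAT = 0x0100   # value of IMAGE_DLL_CHARACTERISTICS_NX_COMPAT
SUBSYSTEM_OFF = 68   # Subsystem, then DllCharacteristics at 70 (PE32 and PE32+)


def pe_nx_compat(image: bytes) -> dict:
    """Return subsystem, DllCharacteristics and the NX compat bit of a PE image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("no MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)      # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # COFF file header is 20 bytes; SizeOfOptionalHeader sits at offset 16.
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 4 + 16)
    opt = pe_off + 4 + 20
    need = SUBSYSTEM_OFF + 4
    if opt_size < need or len(image) < opt + need:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    subsystem, dllchar = struct.unpack_from("<HH", image, opt + SUBSYSTEM_OFF)
    return {"pe32plus": magic == 0x20B, "subsystem": subsystem,
            "dll_characteristics": dllchar,
            "nx_compat": bool(dllchar & NX_COMPAT)}


def make_image(dllchar: int) -> bytes:
    """Constructed minimal PE32+ header for the demo (not a bootable image)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # PE header follows
    coff = struct.pack("<HHIIIHH", 0xAA64, 0, 0, 0, 0, 112, 0x0206)
    opt = bytearray(112)                                    # no data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<HH", opt, SUBSYSTEM_OFF,
                     IMAGE_SUBSYSTEM_EFI_APPLICATION, dllchar)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # "before" mirrors `.short 0`, "after" mirrors the patched header field.
    for label, flags in (("before", 0), ("after", NX_COMPAT)):
        print(label, pe_nx_compat(make_image(flags)))
```

To inspect a real binary, pass the first few hundred bytes of the file to `pe_nx_compat`.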