From patchwork Mon Jan 7 07:14:59 2019
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 154870
From: Ard Biesheuvel
To: edk2-devel@lists.01.org
Date: Mon, 7 Jan 2019 08:14:59 +0100
Message-Id: <20190107071504.2431-1-ard.biesheuvel@linaro.org>
Subject: [edk2] [PATCH 0/5] memory/MMU hardening for AArch64

Now that we are getting more serious about implementing secure boot on ARM
systems, by putting the code that manipulated the variable store in a secure
partition, it makes sense to give some attention to the non-secure side as
well, since having secure authenticated variables is moot if we can just nop
out the authentication check in the image loader.

Patch #1 fixes an issue in ArmMmuLib that is triggered when HeapGuard is
enabled.

Patch #2 optimizes TLB management so that we don't flush all of it every
time. This is a performance optimization as well as a hardening measure,
since it makes it more difficult to trigger a flush of all TLBs, which is
needed when abusing a write exploit to change memory permissions.

Patch #3 is a prerequisite for enabling StackGuard and HeapGuard, which
make use of the EFI_MEMORY_RP attribute and this wasn't wired up yet.

Patch #4 adds support to ArmMmuLib to remap all page tables read-only, so
that they are no longer vulnerable to rogue writes.

Patch #5 enables the feature added in #4 at EndOfDxe.

Ard Biesheuvel (5):
  ArmPkg/ArmMmuLib AARCH64: fix out of bounds access
  ArmPkg/ArmMmuLib AARCH64: get rid of needless TLB invalidation
  ArmPkg/ArmMmuLib AARCH64: implement support for EFI_MEMORY_RP permissions
  ArmPkg/ArmMmuLib AARCH64: add support for read-only page tables
  ArmPkg/CpuDxe: switch to read-only page tables at EndOfDxe

 ArmPkg/Drivers/CpuDxe/AArch64/Mmu.c                      |   5 +-
 ArmPkg/Drivers/CpuDxe/CpuDxe.c                           |  23 +++
 ArmPkg/Drivers/CpuDxe/CpuDxe.inf                         |   1 +
 ArmPkg/Include/Library/ArmMmuLib.h                       |   9 +-
 ArmPkg/Library/ArmLib/AArch64/ArmLibSupport.S            |   6 +-
 ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c         | 149 +++++++++++++++++---
 ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibReplaceEntry.S |  14 +-
 ArmPkg/Library/ArmMmuLib/Arm/ArmMmuLibCore.c             |   8 ++
 8 files changed, 181 insertions(+), 34 deletions(-)

-- 
2.20.1
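
A toy model of why patch #4's read-only page tables matter. It is an example added here, not code from the patch series or from ArmMmuLib. It models a two-level AArch64-style translation table in an array and shows a stray store to a descriptor succeeding before the tables are remapped read-only and faulting afterwards. All function names, the 8-page memory and the single root entry are assumptions; the direct descriptor writes stand in for the firmware's own update path, which the cover letter does not describe.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define WORDS    512u          /* 4 KiB page = 512 64-bit descriptors */
#define NPAGES   8u            /* constructed toy physical memory */
#define ROOT     0u            /* assumption: page 0 holds the level-2 root table */
#define TT_VALID 3ULL          /* bits[1:0] = 0b11: table (L2) or page (L3) */
#define TT_AP_RO (1ULL << 7)   /* AP[2] = 1: read-only */
static uint64_t mem[NPAGES][WORDS];
/* Walk root -> level-3 table -> leaf descriptor for identity-mapped page p. */
static uint64_t *leaf(size_t p) {
  uint64_t t = mem[ROOT][0];
  if (p >= NPAGES || (t & TT_VALID) != TT_VALID || (t >> 12) >= NPAGES) return NULL;
  return &mem[t >> 12][p];
}
/* Root entry 0 -> level-3 table in page 1, which maps every page read-write. */
void build_map(void) {
  memset(mem, 0, sizeof mem);
  mem[ROOT][0] = (1ULL << 12) | TT_VALID;
  for (size_t p = 0; p < NPAGES; p++) mem[1][p] = ((uint64_t)p << 12) | TT_VALID;
}
void set_read_only(size_t p) { uint64_t *d = leaf(p); if (d) *d |= TT_AP_RO; }
/* Store as seen through the MMU; false models a translation/permission fault. */
bool mmu_store(size_t p, size_t w, uint64_t v) {
  uint64_t *d = leaf(p);
  if (!d || w >= WORDS || (*d & TT_VALID) != TT_VALID || (*d & TT_AP_RO)) return false;
  mem[p][w] = v;
  return true;
}
/* Hardening: make the mapping of every page that holds a table read-only. */
size_t remap_tables_read_only(void) {
  size_t n = 1;
  set_read_only(ROOT);
  for (size_t i = 0; i < WORDS; i++) {
    uint64_t t = mem[ROOT][i];
    if ((t & TT_VALID) == TT_VALID && (t >> 12) < NPAGES) { set_read_only(t >> 12); n++; }
  }
  return n;  /* number of table pages now read-only */
}
/* Stray store that rewrites page p's leaf descriptor as read-write. */
bool stray_descriptor_store(size_t p) {
  return mmu_store((size_t)(mem[ROOT][0] >> 12), p, ((uint64_t)p << 12) | TT_VALID);
}
int main(void) {
  build_map(); set_read_only(2);
  bool before = stray_descriptor_store(2);   /* tables still writable: succeeds */
  build_map(); set_read_only(2); remap_tables_read_only();
  return (before && !stray_descriptor_store(2)) ? 0 : 1;
}
```

With writable tables, the read-only attribute on page 2 lasts only until something overwrites its descriptor; once the table pages themselves are mapped read-only, the same store faults and the attribute holds.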