The memory attributes table has been extended with a flag that indicates
whether or not the OS is permitted to map the EFI runtime code regions
with strict enforcement for IBT/BTI landing pad instructions.

The PE/COFF loader will now keep track of whether loaded images are
constructed in the expected manner, so set the new flag if all loaded
runtime images were constructed with forward edge control flow guards.

Signed-off-by: Ard Biesheuvel <a...@kernel.org>
---
 MdeModulePkg/Core/Dxe/DxeMain.h                    | 2 ++
 MdeModulePkg/Core/Dxe/Image/Image.c                | 9 +++++++++
 MdeModulePkg/Core/Dxe/Misc/MemoryAttributesTable.c | 8 +++++++-
 3 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/MdeModulePkg/Core/Dxe/DxeMain.h b/MdeModulePkg/Core/Dxe/DxeMain.h
index 815a6b4bd844..427a5fc78f72 100644
--- a/MdeModulePkg/Core/Dxe/DxeMain.h
+++ b/MdeModulePkg/Core/Dxe/DxeMain.h
@@ -280,6 +280,8 @@ extern EFI_MEMORY_TYPE_INFORMATION  
gMemoryTypeInformation[EfiMaxMemoryType + 1]
 extern BOOLEAN                    gDispatcherRunning;
 extern EFI_RUNTIME_ARCH_PROTOCOL  gRuntimeTemplate;
 
+extern BOOLEAN                    gMemoryAttributesTableForwardCfi;
+
 extern EFI_LOAD_FIXED_ADDRESS_CONFIGURATION_TABLE  
gLoadModuleAtFixAddressConfigurationTable;
 extern BOOLEAN                                     
gLoadFixedAddressCodeMemoryReady;
 //
diff --git a/MdeModulePkg/Core/Dxe/Image/Image.c 
b/MdeModulePkg/Core/Dxe/Image/Image.c
index 06cc6744b8c6..eac0b859a7f7 100644
--- a/MdeModulePkg/Core/Dxe/Image/Image.c
+++ b/MdeModulePkg/Core/Dxe/Image/Image.c
@@ -1398,6 +1398,15 @@ CoreLoadImageCommon (
     CoreNewDebugImageInfoEntry (EFI_DEBUG_IMAGE_INFO_TYPE_NORMAL, 
&Image->Info, Image->Handle);
   }
 
+  //
+  // If we loaded a runtime DXE driver, take into account whether or not it 
was built
+  // with forward edge control flow guards. We can only expose support for 
forward edge
+  // control flow to the OS if all loaded runtime images support it.
+  //
+  if (Image->ImageContext.ImageCodeMemoryType == EfiRuntimeServicesCode) {
+    gMemoryAttributesTableForwardCfi &= 
Image->ImageContext.HasForwardControlFlowGuards;
+  }
+
   //
   // Reinstall loaded image protocol to fire any notifications
   //
diff --git a/MdeModulePkg/Core/Dxe/Misc/MemoryAttributesTable.c 
b/MdeModulePkg/Core/Dxe/Misc/MemoryAttributesTable.c
index 82fa026bceb9..d6983f830452 100644
--- a/MdeModulePkg/Core/Dxe/Misc/MemoryAttributesTable.c
+++ b/MdeModulePkg/Core/Dxe/Misc/MemoryAttributesTable.c
@@ -89,6 +89,7 @@ BOOLEAN                      mMemoryAttributesTableEnable     
 = TRUE;
 BOOLEAN                      mMemoryAttributesTableEndOfDxe    = FALSE;
 EFI_MEMORY_ATTRIBUTES_TABLE  *mMemoryAttributesTable           = NULL;
 BOOLEAN                      mMemoryAttributesTableReadyToBoot = FALSE;
+BOOLEAN                      gMemoryAttributesTableForwardCfi  = TRUE;
 
 /**
   Install MemoryAttributesTable.
@@ -182,11 +183,16 @@ InstallMemoryAttributesTable (
   MemoryAttributesTable->Version         = EFI_MEMORY_ATTRIBUTES_TABLE_VERSION;
   MemoryAttributesTable->NumberOfEntries = RuntimeEntryCount;
   MemoryAttributesTable->DescriptorSize  = (UINT32)DescriptorSize;
-  MemoryAttributesTable->Flags           = 0;
+  if (gMemoryAttributesTableForwardCfi) {
+    MemoryAttributesTable->Flags         = 
EFI_MEMORY_ATTRIBUTES_FLAGS_RT_FORWARD_CONTROL_FLOW_GUARD;
+  } else {
+    MemoryAttributesTable->Flags         = 0;
+  }
   DEBUG ((DEBUG_VERBOSE, "MemoryAttributesTable:\n"));
   DEBUG ((DEBUG_VERBOSE, "  Version              - 0x%08x\n", 
MemoryAttributesTable->Version));
   DEBUG ((DEBUG_VERBOSE, "  NumberOfEntries      - 0x%08x\n", 
MemoryAttributesTable->NumberOfEntries));
   DEBUG ((DEBUG_VERBOSE, "  DescriptorSize       - 0x%08x\n", 
MemoryAttributesTable->DescriptorSize));
+  DEBUG ((DEBUG_VERBOSE, "  Flags                - 0x%08x\n", 
MemoryAttributesTable->Flags));
   MemoryAttributesEntry = (EFI_MEMORY_DESCRIPTOR *)(MemoryAttributesTable + 1);
   MemoryMap             = MemoryMapStart;
   for (Index = 0; Index < MemoryMapSize/DescriptorSize; Index++) {
-- 
2.39.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#99573): https://edk2.groups.io/g/devel/message/99573
Mute This Topic: https://groups.io/mt/96721190/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-


Reply via email to