On Fri, 3 Feb 2023 at 13:33, Michael Brown <mc...@ipxe.org> wrote: > > On 03/02/2023 12:10, Ard Biesheuvel wrote: > > +[BuildOptions] > > +!if $(RUNTIME_BTI_ENABLE) == TRUE > > + GCC:*_*_AARCH64_CC_FLAGS = -mbranch-protection=bti > > +!endif > > Question: as a producer of externally loaded UEFI binaries (e.g. > ipxe.efi): what would I need to do to take advantage of BTI? > > I'm assuming: > > - enable -mbranch-protection=bti in my builds (easy) > > - wait for PE/COFF specification change and then update my produced > images to include whatever flag gets decided upon. > > Is that correct? >
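Review bot: The plain `[BuildOptions]` section combined with `GCC:*_*_AARCH64_CC_FLAGS` applies `-mbranch-protection=bti` to the C code of every AARCH64 module built from this file, not only to runtime DXE drivers. If only runtime drivers are meant to be covered, scope the section by module type (for example `[BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER]`), or add a comment stating that emitting BTI landing pads everywhere is intended. The override touches CC_FLAGS only, so hand-written assembly in the affected modules gets no landing pads from this flag and needs checking separately. The quoted lines also do not show where RUNTIME_BTI_ENABLE receives a default, so a `DEFINE RUNTIME_BTI_ENABLE = FALSE` near the top of the file, with a short comment, would keep the `!if` from depending on an undefined macro.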
First of all, in case you missed this, the series in question only covers runtime DXE drivers, i.e., the code that persists after ExitBootServices() and gets mapped by the OS and called to access the variable store. So iPXE should not be affected at all by these changes.

So building your code with branch protection enabled is not going to have any benefit until we decide how to deploy this at boot time, and I think the conclusion on this thread is already that the only meaningful way to do this is to introduce a PE/COFF image flag that indicates whether or not a certain image was built with indirect branch protection.

I could also imagine that, at boot time, it would be feasible to apply these protections at image granularity, rather than as a global switch, given that (at least on ARM) these mitigations can be enabled on a per-page basis, and there is no need to turn it off completely when, say, the GOP driver on the video card does not support it.

I am not aware of any discussion around this, though - I hope we can get the right folks at MS involved to drive the PE/COFF side of this and then, I am more than happy to take (joint) ownership of this on the Tianocore side, and hammer something out that works for everyone.

Jiewen, Mike; could you comment on the IBT side? Does x86 permit IBT enforcement on a per-page basis as well? Could we feasibly add this to the code/data rx/rw remapping code, to enable indirect branch protection as each image is loaded by the DXE core?

So to answer your question: yes.