On 7/17/23 9:49 AM, Pedro Falcato wrote:
On Mon, Jul 17, 2023 at 5:26 PM Ard Biesheuvel <a...@kernel.org> wrote:
On Mon, 17 Jul 2023 at 18:15, Pedro Falcato <pedro.falc...@gmail.com> wrote:
On Wed, Jul 12, 2023 at 12:53 AM Taylor Beebe <t...@taylorbeebe.com> wrote:
In the past, memory protection settings were configured via FixedAtBuild PCDs,
which resulted in a build-time configuration of memory mitigations. This
approach limited the flexibility of applying mitigations to the
system and made it difficult to update or adjust the settings post-build.
How do you mitigate the possibility of an attack overwriting the
dynamic configuration data (the HOBs)?
It seems most dangerous to me to publish this sort of
security-sensitive configuration knobs dynamically such that an
attacker can change them.
That is a very good point. One of the things I have on my TODO list
for the memory attributes PEI work is to remap HOB memory read-only
before entering DXE. They are conceptually read-only anyway when PEI
completes, so they should never be modified afterwards.
I agree, but it also seems that this patch set needs some sort of
__ro_after_init capabilities. For example, in
https://github.com/tianocore/edk2/pull/4566/commits/e485459b6efb1e49591c6f3011d9da14746c52bc#diff-02c0ef19d024b43162043efdd9ed95e0eef1653bcb5bef1e2f2b77587aee2622R101
(DxeMemoryProtectionHobLibConstructor), a copy of this same HOB is
made onto .data, while it should be RO-protected as well.
With both the HOB list and this sort of __ro_after_init protected, the
only remaining exploits would be to DMA over those pages (addressed by
IOMMU, not in this scope), to remap those pages (requires ring 0
access, therefore irrelevant) or to toggle some sort of WP-like bit
(CR0.WP, other archs may have equivalents), which already bypasses
most of the memory protections and therefore isn't all that concerning
to me.
Thank you both for you time and feedback.
Ard, do you think it's sufficient to use the Memory Attribute PPI to
mark HOB list memory as RO before handoff, or should the HOB list
memory be marked RO upon memory discovery and the PEI core
HOB logic be updated to manipulate protection attributes
with the PPI as it manipulates the HOB list?
-Taylor
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#106976): https://edk2.groups.io/g/devel/message/106976
Mute This Topic: https://groups.io/mt/100090629/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
