From a security perspective, having any memory with both write and execute
permissions is undesirable, and EDK2 at boot time has all of memory mapped
RWX by default, so there is obviously some room for improvement here.

This series aims to reduce the attack surface, by mapping the whole of
system RAM without executable permissions by default, and only giving
such permissions on PE/COFF sections containing executable code, while
revoking the write permissions on such regions at the same time [to the
extent possible].

Patch #1 implements a PeCoffExtraActionLib that remaps executable PE/COFF
sections with execute permissions, and removes the writable permissions at
the same time as well.

Patch #2 enables this functionality for ArmVirtQemu, by mapping system
memory as non-exec, and using the library from patch #1. Also, it increases
the PE/COFF section alignment to 4 KB for DXE_CORE, DXE_DRIVER and
UEFI_DRIVER modules.

Comments welcome.

Ard Biesheuvel (2):
  ArmPkg/PermissionsPeCoffExtraActionLib: introduce new library
  ArmVirtQemu: restrict RWX mappings

 ArmPkg/Library/PermissionsPeCoffExtraActionLib/PermissionsPeCoffExtraActionLib.c   | 202 ++++++++++++++++++++
 ArmPkg/Library/PermissionsPeCoffExtraActionLib/PermissionsPeCoffExtraActionLib.inf |  45 +++++
 ArmVirtPkg/ArmVirtQemu.dsc                                                          |   9 +-
 ArmVirtPkg/Library/ArmVirtMemoryInitPeiLib/ArmVirtMemoryInitPeiLib.c                |   3 +
 4 files changed, 258 insertions(+), 1 deletion(-)
 create mode 100644 ArmPkg/Library/PermissionsPeCoffExtraActionLib/PermissionsPeCoffExtraActionLib.c
 create mode 100644 ArmPkg/Library/PermissionsPeCoffExtraActionLib/PermissionsPeCoffExtraActionLib.inf

-- 
2.7.4
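The following C model is an added illustration of the two halves of the approach the cover letter describes; it is not code from this series or from EDK2. It models a small RAM window whose pages all start as RW+NX (the patch #2 default), then applies a per-image "extra action" that grants execute and revokes write on the pages of every PE/COFF section flagged IMAGE_SCN_MEM_EXECUTE (the patch #1 idea), and finally audits that no page is left W+X. It also shows why patch #2 bumps the section alignment to 4 KB: when .text and a writable .data section share a page, the remap has to be refused because MMU permissions can only change at page granularity. The RAM window, the image layout, the PERM_* bits and all function names are constructed for the example; the IMAGE_SCN_* values are the ones from the PE/COFF specification.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE 4096u
#define RAM_BASE  0x40000000ull   /* constructed: base of the modelled RAM window */
#define RAM_PAGES 16u             /* constructed: a 64 KB window is enough here */

/* Section characteristic bits, values as in the PE/COFF specification. */
#define IMAGE_SCN_MEM_EXECUTE 0x20000000u
#define IMAGE_SCN_MEM_WRITE   0x80000000u

/* Per-page permission bits of the model (read is always implied). */
#define PERM_W 0x1u
#define PERM_X 0x2u

typedef struct {
  const char *name;
  uint32_t    rva;              /* offset from the image base */
  uint32_t    size;
  uint32_t    characteristics;
} Section;

typedef struct { uint8_t perm[RAM_PAGES]; } PageMap;

/* Patch #2 default: all of system RAM is writable but not executable. */
void pagemap_init(PageMap *pm) { memset(pm->perm, PERM_W, sizeof pm->perm); }

static bool page_index(uint64_t addr, size_t *idx) {
  if (addr < RAM_BASE || addr >= RAM_BASE + (uint64_t)RAM_PAGES * PAGE_SIZE) return false;
  *idx = (size_t)((addr - RAM_BASE) / PAGE_SIZE);
  return true;
}

/* Patch #1 idea: for each executable section, make its pages X and drop W.
   Returns false if an executable section shares a page with a non-executable
   section (page-granular permissions could not then satisfy both sections),
   or if the section lies outside the modelled RAM. Nothing is changed on refusal. */
bool apply_image_permissions(PageMap *pm, uint64_t image_base, const Section *secs, size_t n) {
  for (size_t i = 0; i < n; i++) {
    if (!(secs[i].characteristics & IMAGE_SCN_MEM_EXECUTE)) continue;
    uint64_t start  = image_base + secs[i].rva;
    uint64_t end    = start + secs[i].size;                          /* exclusive */
    uint64_t pstart = start & ~(uint64_t)(PAGE_SIZE - 1);
    uint64_t pend   = (end + PAGE_SIZE - 1) & ~(uint64_t)(PAGE_SIZE - 1);
    /* Conservative: refuse if any non-executable section touches these pages. */
    for (size_t j = 0; j < n; j++) {
      if (j == i || (secs[j].characteristics & IMAGE_SCN_MEM_EXECUTE)) continue;
      uint64_t js = image_base + secs[j].rva, je = js + secs[j].size;
      if (js < pend && je > pstart) return false;
    }
    for (uint64_t a = pstart; a < pend; a += PAGE_SIZE) {
      size_t idx;
      if (!page_index(a, &idx)) return false;
      pm->perm[idx] = PERM_X;                                        /* RX, never W */
    }
  }
  return true;
}

/* Audit: how many pages are both writable and executable (goal: zero). */
size_t count_wx_pages(const PageMap *pm) {
  size_t n = 0;
  for (size_t i = 0; i < RAM_PAGES; i++)
    if ((pm->perm[i] & (PERM_W | PERM_X)) == (PERM_W | PERM_X)) n++;
  return n;
}

/* Load one constructed image (.text followed by a writable .data section, laid out
   back to back at the given section alignment) and report the audit results.
   Returns 0 if the remap was applied, -1 if it had to be refused. */
int demo(uint32_t section_alignment, size_t *wx_pages, uint8_t *text_perm) {
  PageMap pm;
  pagemap_init(&pm);
  uint32_t text_size = 0x1800;
  uint32_t data_rva  = (text_size + section_alignment - 1) / section_alignment * section_alignment;
  Section secs[2] = {
    { ".text", 0x0,      text_size, IMAGE_SCN_MEM_EXECUTE },
    { ".data", data_rva, 0x400,     IMAGE_SCN_MEM_WRITE   },
  };
  uint64_t image_base = RAM_BASE + 2 * PAGE_SIZE;   /* constructed, page aligned */
  bool ok = apply_image_permissions(&pm, image_base, secs, 2);
  *wx_pages  = count_wx_pages(&pm);
  *text_perm = pm.perm[2];                           /* first page of .text */
  return ok ? 0 : -1;
}

int main(void) {
  size_t wx; uint8_t p;
  int r = demo(0x1000, &wx, &p);
  printf("4 KB alignment: %s, W+X pages=%zu, .text perm=0x%x\n", r == 0 ? "remapped" : "refused", wx, p);
  r = demo(0x20, &wx, &p);
  printf("32 B alignment: %s, W+X pages=%zu, .text perm=0x%x\n", r == 0 ? "remapped" : "refused", wx, p);
  return 0;
}
```

With 4 KB section alignment the .text pages end up RX and no page is W+X; with a small alignment the writable .data section lands in the last .text page, so the remap is refused and .text stays RW+NX, which is exactly the situation the alignment bump in patch #2 avoids.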

_______________________________________________
edk2-devel mailing list
[email protected]
https://lists.01.org/mailman/listinfo/edk2-devel