Wouldn't it be even better to map everything (the whole 32/64-bit address range) without any permissions (fault on read, write or exec), and then require the platforms to map IO registers properly?
Michael

On Tue, May 3, 2016 at 2:45 PM, Ard Biesheuvel <[email protected]> wrote:

> From a security perspective, having any memory with both write and execute
> permissions is undesirable, and EDK2 at boot time has all of memory mapped
> RWX by default, so there is obviously some room for improvement here.
>
> This series aims to reduce the attack surface, by mapping the whole of
> system RAM without executable permissions by default, and only giving
> such permissions on PE/COFF sections containing executable code, while
> revoking the write permissions on such regions at the same time [to the
> extent possible].
>
> Patch #1 implements a PeCoffExtraActionLib that remaps executable PE/COFF
> sections with execute permissions, and removes the writable permissions
> at the same time as well.
>
> Patch #2 enables this functionality for ArmVirtQemu, by mapping system
> memory as non-exec, and using the library from patch #1. Also, it increases
> the PE/COFF section alignment to 4 KB for DXE_CORE, DXE_DRIVER and
> UEFI_DRIVER modules.
>
> Comments welcome.
>
> Ard Biesheuvel (2):
>   ArmPkg/PermissionsPeCoffExtraActionLib: introduce new library
>   ArmVirtQemu: restrict RWX mappings
>
>  ArmPkg/Library/PermissionsPeCoffExtraActionLib/PermissionsPeCoffExtraActionLib.c   | 202 ++++++++++++++++++++
>  ArmPkg/Library/PermissionsPeCoffExtraActionLib/PermissionsPeCoffExtraActionLib.inf |  45 +++++
>  ArmVirtPkg/ArmVirtQemu.dsc                                                         |   9 +-
>  ArmVirtPkg/Library/ArmVirtMemoryInitPeiLib/ArmVirtMemoryInitPeiLib.c               |   3 +
>  4 files changed, 258 insertions(+), 1 deletion(-)
>  create mode 100644 ArmPkg/Library/PermissionsPeCoffExtraActionLib/PermissionsPeCoffExtraActionLib.c
>  create mode 100644 ArmPkg/Library/PermissionsPeCoffExtraActionLib/PermissionsPeCoffExtraActionLib.inf
>
> --
> 2.7.4
>
> _______________________________________________
> edk2-devel mailing list
> [email protected]
> https://lists.01.org/mailman/listinfo/edk2-devel
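
The policy in the quoted cover letter (RAM non-exec by default, executable PE/COFF sections remapped executable and read-only) can be sketched as below. This is an added illustration, not code from the patch series or from EDK2. The `section` and `mapping` records, `plan_section`, the sample image and the 4 KB page size are assumptions; only the `IMAGE_SCN_*` flags come from the PE/COFF specification.

```c
#include <stdint.h>
#include <stdio.h>

/* Section flags from the PE/COFF specification. */
#define IMAGE_SCN_MEM_EXECUTE 0x20000000u
#define IMAGE_SCN_MEM_READ    0x40000000u
#define IMAGE_SCN_MEM_WRITE   0x80000000u
#define PAGE_SIZE 0x1000u /* assumption: 4 KB translation granule */
enum perm { PERM_RW_NX, PERM_RO_X, PERM_CANNOT_SPLIT };
/* Hypothetical, simplified records (not EDK2 structures). */
struct section { const char *name; uint32_t rva, vsize, flags; };
struct mapping { uint64_t base, length; enum perm perm; };

/* Plan the mapping of one section of an image loaded at image_base. */
struct mapping plan_section(uint64_t image_base, uint32_t section_align,
                            const struct section *s)
{
    struct mapping m = { image_base + s->rva, s->vsize, PERM_RW_NX };
    if (!(s->flags & IMAGE_SCN_MEM_EXECUTE))
        return m;                       /* data keeps the non-exec default */
    /* Permissions apply per page: code that does not start on a page
       boundary, or whose neighbour may start mid-page, cannot be isolated. */
    if ((m.base & (PAGE_SIZE - 1)) || (section_align % PAGE_SIZE)) {
        m.perm = PERM_CANNOT_SPLIT;
        return m;
    }
    /* Round up to whole pages, grant X and drop W even if W was requested. */
    m.length = ((uint64_t)s->vsize + PAGE_SIZE - 1) & ~(uint64_t)(PAGE_SIZE - 1);
    m.perm = PERM_RO_X;
    return m;
}

/* Constructed sample image, not taken from a real binary. */
static const struct section sample[] = {
    { ".text", 0x1000, 0x2345, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ },
    { ".data", 0x4000, 0x0800, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE },
    { ".init", 0x5000, 0x0100, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE },
};

int main(void)
{
    static const char *names[] = { "RW,NX", "RO,X", "cannot split" };
    for (unsigned i = 0; i < sizeof sample / sizeof sample[0]; i++) {
        struct mapping m = plan_section(0x40000000u, PAGE_SIZE, &sample[i]);
        printf("%-6s 0x%llx +0x%llx %s\n", sample[i].name, (unsigned long long)m.base,
               (unsigned long long)m.length, names[m.perm]);
    }
    return 0;
}
```

Passing a section alignment smaller than the page size makes every executable section come back as `PERM_CANNOT_SPLIT`, the case the 4 KB alignment in patch #2 avoids.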

