Hi,

On 02/22/17 19:24, Ard Biesheuvel wrote:
> Hello all,
>
> This is a proof of concept implementation that removes all executable
> permissions from writable memory regions, which greatly enhances security.
> It is based on Jiewen's recent work, which is a step in the right direction,
> but still leaves most of memory exploitable due to the default R+W+X
> permissions.
>
> The idea is that the implementation of the CPU arch protocol goes over the
> memory map and removes exec permissions from all regions that are not already
> marked as 'code'. This requires some preparatory work to ensure that the
> DxeCore itself is covered by a BootServicesCode region, not a
> BootServicesData region. Exec permissions are re-granted selectively, when
> the PE/COFF loader allocates the space for it. Combined with Jiewen's
> code/data split, this removes all RWX mapped regions.
>
> There is a caveat, though (and there are likely more of that kind): the EBC
> driver will need some work to ensure the thunk buffers have the noexec
> restriction lifted. This could be done in the EBC driver, but perhaps it is
> better to either
> a) modify the DXE core so it always removes noexec restrictions when
>    allocating code pages, or
> b) add AllocateExecPages/AllocateExecPool() functions to the
>    MemoryAllocationLib API
>
> Comments please!
My only comment is "good idea, as long as it doesn't regress anything". :)

I haven't done any testing with this; once you think the series is mature enough for that, I could run my usual tests. Feel free to ping me for that whenever.

Thanks!
Laszlo

> Ard Biesheuvel (4):
>   MdeModulePkg/DxeCore: allow BootServicesData->BootServicesCode
>     conversion
>   MdeModulePkg/DxeCore: convert the DxeCore memory region to
>     BootServicesCode
>   MdeModulePkg/DxeCore: lift non-exec permissions on loaded images
>   ArmPkg/CpuDxe: remap all data regions non-executable
>
>  ArmPkg/Drivers/CpuDxe/CpuDxe.c          | 76 ++++++++++++++++++++
>  MdeModulePkg/Core/Dxe/DxeMain.h         |  8 +++
>  MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c |  2 +
>  MdeModulePkg/Core/Dxe/Image/Image.c     |  8 +++
>  MdeModulePkg/Core/Dxe/Mem/Page.c        | 18 ++++-
>  5 files changed, 111 insertions(+), 1 deletion(-)
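
The pass described in the quoted cover letter, modelled as an added example that is not code from the patch series or from edk2: it shows why the DxeCore region has to become BootServicesCode before the non-exec pass runs. `struct region` and all function names are hypothetical; the memory type and `EFI_MEMORY_XP` values are those of the UEFI specification, and the map is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Type and attribute values follow the UEFI specification; struct region is a
   simplified stand-in for EFI_MEMORY_DESCRIPTOR (assumption for this sketch). */
enum { LOADER_CODE = 1, BS_CODE = 3, BS_DATA = 4, RT_CODE = 5, CONVENTIONAL = 7 };
#define MEM_XP  0x4000ULL /* EFI_MEMORY_XP */
#define PAGE_SZ 4096ULL

struct region { uint32_t type; uint64_t start, pages, attr; };

static int is_code_type(uint32_t t) {
    return t == LOADER_CODE || t == BS_CODE || t == RT_CODE;
}

/* The pass from the cover letter: every region not typed as code
   loses execute permission. */
static void apply_noexec_policy(struct region *map, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (!is_code_type(map[i].type)) map[i].attr |= MEM_XP;
}

/* Audit: how many non-code regions are still executable? */
static size_t count_exec_data(const struct region *map, size_t n) {
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        if (!is_code_type(map[i].type) && !(map[i].attr & MEM_XP)) c++;
    return c;
}

/* Does the image [base, base + size) overlap an execute-protected region? */
static int image_hits_noexec(const struct region *map, size_t n, uint64_t base, uint64_t size) {
    for (size_t i = 0; i < n; i++) {
        uint64_t end = map[i].start + map[i].pages * PAGE_SZ;
        if ((map[i].attr & MEM_XP) && base < end && map[i].start < base + size) return 1;
    }
    return 0;
}

/* Constructed map: the DxeCore image sits at 0x300000 in a region of the given type. */
static int dxecore_blocked(uint32_t core_region_type) {
    struct region map[] = {
        { CONVENTIONAL, 0x000000, 0x200, 0 }, { BS_CODE, 0x200000, 0x100, 0 },
        { core_region_type, 0x300000, 0x40, 0 }, { BS_DATA, 0x340000, 0x80, 0 },
    };
    apply_noexec_policy(map, 4);
    return count_exec_data(map, 4) == 0 && image_hits_noexec(map, 4, 0x300000, 0x20000);
}

int main(void) {
    printf("BootServicesData: blocked=%d\n", dxecore_blocked(BS_DATA));
    printf("BootServicesCode: blocked=%d\n", dxecore_blocked(BS_CODE));
    return 0;
}
```

The same overlap check applies to the EBC thunk buffers mentioned in the caveat: any buffer that holds generated code but was allocated as data ends up execute-protected after the pass.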