From: Ard Biesheuvel <ardb+git@google.com>
To: stable@vger.kernel.org
Subject: [PATCH for-stable-6.1 23/23] x86/efistub: Remap kernel text read-only before dropping NX attribute
Date: Fri, 19 Apr 2024 10:11:29 +0200 [thread overview]
Message-ID: <20240419081105.3817596-48-ardb+git@google.com> (raw)
In-Reply-To: <20240419081105.3817596-25-ardb+git@google.com>
From: Ard Biesheuvel <ardb@kernel.org>
[ Commit 9c55461040a9264b7e44444c53d26480b438eda6 upstream ]
Currently, the EFI stub invokes the EFI memory attributes protocol to
strip any NX restrictions from the entire loaded kernel, resulting in
all code and data being mapped read-write-execute.
The point of the EFI memory attributes protocol is to remove the need
for all memory allocations to be mapped with both write and execute
permissions by default, and make it the OS loader's responsibility to
transition data mappings to code mappings where appropriate.
Even though the UEFI specification does not appear to leave room for
denying memory attribute changes based on security policy, let's be
cautious and avoid relying on the ability to create read-write-execute
mappings. This is trivially achievable, given that the amount of kernel
code executing via the firmware's 1:1 mapping is rather small and
limited to the .head.text region. So let's drop the NX restrictions only
on that subregion, but not before remapping it as read-only first.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
arch/x86/boot/compressed/Makefile | 2 +-
arch/x86/boot/compressed/misc.c | 1 +
arch/x86/include/asm/boot.h | 1 +
drivers/firmware/efi/libstub/x86-stub.c | 11 ++++++++++-
4 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
index 3965b2c9efee..6e61baff223f 100644
--- a/arch/x86/boot/compressed/Makefile
+++ b/arch/x86/boot/compressed/Makefile
@@ -84,7 +84,7 @@ LDFLAGS_vmlinux += -T
hostprogs := mkpiggy
HOST_EXTRACFLAGS += -I$(srctree)/tools/include
-sed-voffset := -e 's/^\([0-9a-fA-F]*\) [ABCDGRSTVW] \(_text\|__bss_start\|_end\)$$/\#define VO_\2 _AC(0x\1,UL)/p'
+sed-voffset := -e 's/^\([0-9a-fA-F]*\) [ABCDGRSTVW] \(_text\|__start_rodata\|__bss_start\|_end\)$$/\#define VO_\2 _AC(0x\1,UL)/p'
quiet_cmd_voffset = VOFFSET $@
cmd_voffset = $(NM) $< | sed -n $(sed-voffset) > $@
diff --git a/arch/x86/boot/compressed/misc.c b/arch/x86/boot/compressed/misc.c
index 8ae7893d712f..45435ff88363 100644
--- a/arch/x86/boot/compressed/misc.c
+++ b/arch/x86/boot/compressed/misc.c
@@ -330,6 +330,7 @@ static size_t parse_elf(void *output)
return ehdr.e_entry - LOAD_PHYSICAL_ADDR;
}
+const unsigned long kernel_text_size = VO___start_rodata - VO__text;
const unsigned long kernel_total_size = VO__end - VO__text;
static u8 boot_heap[BOOT_HEAP_SIZE] __aligned(4);
diff --git a/arch/x86/include/asm/boot.h b/arch/x86/include/asm/boot.h
index a38cc0afc90a..a3e0be0470a4 100644
--- a/arch/x86/include/asm/boot.h
+++ b/arch/x86/include/asm/boot.h
@@ -81,6 +81,7 @@
#ifndef __ASSEMBLY__
extern unsigned int output_len;
+extern const unsigned long kernel_text_size;
extern const unsigned long kernel_total_size;
unsigned long decompress_kernel(unsigned char *outbuf, unsigned long virt_addr,
diff --git a/drivers/firmware/efi/libstub/x86-stub.c b/drivers/firmware/efi/libstub/x86-stub.c
index 1f5edcb6339a..55468debd55d 100644
--- a/drivers/firmware/efi/libstub/x86-stub.c
+++ b/drivers/firmware/efi/libstub/x86-stub.c
@@ -227,6 +227,15 @@ efi_status_t efi_adjust_memory_range_protection(unsigned long start,
rounded_end = roundup(start + size, EFI_PAGE_SIZE);
if (memattr != NULL) {
+ status = efi_call_proto(memattr, set_memory_attributes,
+ rounded_start,
+ rounded_end - rounded_start,
+ EFI_MEMORY_RO);
+ if (status != EFI_SUCCESS) {
+ efi_warn("Failed to set EFI_MEMORY_RO attribute\n");
+ return status;
+ }
+
status = efi_call_proto(memattr, clear_memory_attributes,
rounded_start,
rounded_end - rounded_start,
@@ -778,7 +787,7 @@ static efi_status_t efi_decompress_kernel(unsigned long *kernel_entry)
*kernel_entry = addr + entry;
- return efi_adjust_memory_range_protection(addr, kernel_total_size);
+ return efi_adjust_memory_range_protection(addr, kernel_text_size);
}
static void __noreturn enter_kernel(unsigned long kernel_addr,
--
2.44.0.769.g3c40516874-goog
next prev parent reply other threads:[~2024-04-19 8:12 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-19 8:11 [PATCH for-stable-6.1 00/23] x86/efistub backports Ard Biesheuvel
2024-04-19 8:11 ` [PATCH for-stable-6.1 01/23] x86/efi: Drop EFI stub .bss from .data section Ard Biesheuvel
2024-04-19 8:11 ` [PATCH for-stable-6.1 02/23] x86/efi: Disregard setup header of loaded image Ard Biesheuvel
2024-04-19 8:11 ` [PATCH for-stable-6.1 03/23] x86/efistub: Reinstate soft limit for initrd loading Ard Biesheuvel
2024-04-19 8:11 ` [PATCH for-stable-6.1 04/23] x86/efi: Drop alignment flags from PE section headers Ard Biesheuvel
2024-04-19 8:11 ` [PATCH for-stable-6.1 05/23] x86/boot: Remove the 'bugger off' message Ard Biesheuvel
2024-04-19 8:11 ` [PATCH for-stable-6.1 06/23] x86/boot: Omit compression buffer from PE/COFF image memory footprint Ard Biesheuvel
2024-04-19 8:11 ` [PATCH for-stable-6.1 07/23] x86/boot: Drop redundant code setting the root device Ard Biesheuvel
2024-04-19 8:11 ` [PATCH for-stable-6.1 08/23] x86/boot: Drop references to startup_64 Ard Biesheuvel
2024-04-19 8:11 ` [PATCH for-stable-6.1 09/23] x86/boot: Grab kernel_info offset from zoffset header directly Ard Biesheuvel
2024-04-19 8:11 ` [PATCH for-stable-6.1 10/23] x86/boot: Set EFI handover offset directly in header asm Ard Biesheuvel
2024-04-19 8:11 ` [PATCH for-stable-6.1 11/23] x86/boot: Define setup size in linker script Ard Biesheuvel
2024-04-19 8:11 ` [PATCH for-stable-6.1 12/23] x86/boot: Derive file size from _edata symbol Ard Biesheuvel
2024-04-19 8:11 ` [PATCH for-stable-6.1 13/23] x86/boot: Construct PE/COFF .text section from assembler Ard Biesheuvel
2024-04-19 8:11 ` [PATCH for-stable-6.1 14/23] x86/boot: Drop PE/COFF .reloc section Ard Biesheuvel
2024-04-19 8:11 ` [PATCH for-stable-6.1 15/23] x86/boot: Split off PE/COFF .data section Ard Biesheuvel
2024-04-19 8:11 ` [PATCH for-stable-6.1 16/23] x86/boot: Increase section and file alignment to 4k/512 Ard Biesheuvel
2024-04-19 8:11 ` [PATCH for-stable-6.1 17/23] x86/efistub: Use 1:1 file:memory mapping for PE/COFF .compat section Ard Biesheuvel
2024-04-19 8:11 ` [PATCH for-stable-6.1 18/23] x86/mm: Remove P*D_PAGE_MASK and P*D_PAGE_SIZE macros Ard Biesheuvel
2024-04-19 8:11 ` [PATCH for-stable-6.1 19/23] x86/head/64: Add missing __head annotation to startup_64_load_idt() Ard Biesheuvel
2024-04-19 8:11 ` [PATCH for-stable-6.1 20/23] x86/head/64: Move the __head definition to <asm/init.h> Ard Biesheuvel
2024-04-19 8:11 ` [PATCH for-stable-6.1 21/23] x86/sme: Move early SME kernel encryption handling into .head.text Ard Biesheuvel
2024-04-19 8:11 ` [PATCH for-stable-6.1 22/23] x86/sev: Move early startup code into .head.text section Ard Biesheuvel
2024-04-19 8:11 ` Ard Biesheuvel [this message]
2024-04-19 10:47 ` [PATCH for-stable-6.1 00/23] x86/efistub backports Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240419081105.3817596-48-ardb+git@google.com \
--to=ardb+git@google.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.