From nobody Tue Dec 24 13:01:25 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1511945208629743.1694594701131; Wed, 29 Nov 2017 00:46:48 -0800 (PST) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id C51F6203564D1; Wed, 29 Nov 2017 00:42:23 -0800 (PST) Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 8CB8621B00DC4 for ; Wed, 29 Nov 2017 00:42:20 -0800 (PST) Received: from orsmga002.jf.intel.com ([10.7.209.21]) by orsmga104.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 29 Nov 2017 00:46:44 -0800 Received: from jwang36-mobl2.ccr.corp.intel.com ([10.239.192.50]) by orsmga002.jf.intel.com with ESMTP; 29 Nov 2017 00:46:43 -0800 X-Original-To: edk2-devel@lists.01.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=134.134.136.31; helo=mga06.intel.com; envelope-from=jian.j.wang@intel.com; receiver=edk2-devel@lists.01.org X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.44,472,1505804400"; d="scan'208";a="13253647" 
From: Jian J Wang To: edk2-devel@lists.01.org Date: Wed, 29 Nov 2017 16:46:39 +0800 Message-Id: <20171129084640.20076-2-jian.j.wang@intel.com> X-Mailer: git-send-email 2.14.1.windows.1 In-Reply-To: <20171129084640.20076-1-jian.j.wang@intel.com> References: <20171129084640.20076-1-jian.j.wang@intel.com> Subject: [edk2] [PATCH 1/2] UefiCpuPkg/CpuDxe: Check CR0.WP before changing page table X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Laszlo Ersek , Jiewen Yao , Eric Dong MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" The CPU driver will always set CR0.WP if paging is enabled. GetCurrentPagingContext(): if ((AsmReadCr0 () & BIT31) !=3D 0) { PagingContext->ContextData.X64.PageTableBase =3D (AsmReadCr3 () & PAGING_4K_ADDRESS_MASK_64); if ((AsmReadCr0 () & BIT16) =3D=3D 0) { AsmWriteCr0 (AsmReadCr0 () | BIT16); SyncMemoryPageAttributesAp (SyncCpuEnableWriteProtection); } } else { Before this patch, there's no driver to set page attribute of memory used for page table to be "read-only". CR0.WP will not prevent the page attributes from updating. Since this patch, the pages used for page table will be set as "read-only" to protect them from corruption caused by buffer overflow issue. In this situation, CR0.WP must be cleared before updating page table. CR0.WP must be set again afterwards. Cc: Jiewen Yao Cc: Eric Dong Cc: Laszlo Ersek Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Jian J Wang --- UefiCpuPkg/CpuDxe/CpuPageTable.c | 65 ++++++++++++++++++++++++++++++++++++= +--- 1 file changed, 61 insertions(+), 4 deletions(-) diff --git a/UefiCpuPkg/CpuDxe/CpuPageTable.c b/UefiCpuPkg/CpuDxe/CpuPageTa= ble.c index 9658ed74c5..dd0debb448 100644 
--- a/UefiCpuPkg/CpuDxe/CpuPageTable.c +++ b/UefiCpuPkg/CpuDxe/CpuPageTable.c @@ -561,6 +561,43 @@ SplitPage ( } } =20 +/** + Check the WP status in CR0 register. This bit is used to lock or unlock w= rite + access to pages marked as read-only. + + @retval TRUE Write protection is enabled. + @retval FALSE Write protection is disabled. +**/ +BOOLEAN +IsReadOnlyPageWriteProtected ( + VOID + ) +{ + return ((AsmReadCr0 () & BIT16) !=3D 0); +} + +/** + Disable Write Protect on pages marked as read-only. =20 +**/ +VOID +DisableReadOnlyPageWriteProtect ( + VOID + ) +{ + AsmWriteCr0 (AsmReadCr0() & ~BIT16); +} + +/** + Enable Write Protect on pages marked as read-only. +**/ +VOID +EnableReadOnlyPageWriteProtect ( + VOID + ) +{ + AsmWriteCr0 (AsmReadCr0() | BIT16); +} + /** This function modifies the page attributes for the memory region specifi= ed by BaseAddress and Length from their current attributes to the attributes specified by Attr= ibutes. @@ -609,6 +646,7 @@ ConvertMemoryPageAttributes ( PAGE_ATTRIBUTE SplitAttribute; RETURN_STATUS Status; BOOLEAN IsEntryModified; + BOOLEAN IsWpEnabled; =20 if ((BaseAddress & (SIZE_4KB - 1)) !=3D 0) { DEBUG ((DEBUG_ERROR, "BaseAddress(0x%lx) is not aligned!\n", BaseAddre= ss)); @@ -666,13 +704,23 @@ ConvertMemoryPageAttributes ( *IsModified =3D FALSE; } =20 + // + // Make sure that the page table is changeable. + // + IsWpEnabled =3D IsReadOnlyPageWriteProtected (); + if (IsWpEnabled) { + DisableReadOnlyPageWriteProtect (); + } + // // Below logic is to check 2M/4K page to make sure we donot waist memory. // + Status =3D EFI_SUCCESS; while (Length !=3D 0) { PageEntry =3D GetPageTableEntry (&CurrentPagingContext, BaseAddress, &= PageAttribute); if (PageEntry =3D=3D NULL) { - return RETURN_UNSUPPORTED; + Status =3D RETURN_UNSUPPORTED; + goto Done; } PageEntryLength =3D PageAttributeToLength (PageAttribute); SplitAttribute =3D NeedSplitPage (BaseAddress, Length, PageEntry, Page= Attribute); 
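Review bot: The header comments of DisableReadOnlyPageWriteProtect() and EnableReadOnlyPageWriteProtect() do not say that the `AsmWriteCr0` call changes CR0.WP only on the processor executing it. They also do not say that while the bit is clear every read-only page, not just the page table, is writable from supervisor code. I would add that to the comment, for example `Clears CR0.WP on the calling processor only; the caller must restore it on every exit path and keep the window as short as possible.` The hunk shows no prototype for the three helpers, so if nothing outside this file calls them, `STATIC` would keep them out of the driver's global namespace. As a style point, `AsmReadCr0()` in the two writers lacks the space before the parenthesis that `AsmReadCr0 ()` has in IsReadOnlyPageWriteProtected().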
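Review bot: CR0.WP is cleared before the `while (Length != 0)` loop and restored only at `Done:`, so everything the loop calls runs with write protection off, including SplitPage and the caller-supplied AllocatePagesFunc seen in the next hunk. Nothing in the hunk says whether interrupts or other code can run inside that window; a comment at the disable site should state the assumption, for example `// CR0.WP stays cleared until Done:; every exit below this point must go through Done.` The body of ConvertMemoryPageAttributes continues outside the hunk, so any `return` not shown between here and `Done:` would leave WP cleared and should be checked. `Status = EFI_SUCCESS;` also mixes namespaces with the `RETURN_STATUS Status;` declaration and the `RETURN_UNSUPPORTED` values used around it; `Status = RETURN_SUCCESS;` matches the value the function returned before.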
@@ -690,11 +738,13 @@ ConvertMemoryPageAttributes ( Length -=3D PageEntryLength; } else { if (AllocatePagesFunc =3D=3D NULL) { - return RETURN_UNSUPPORTED; + Status =3D RETURN_UNSUPPORTED; + goto Done; } Status =3D SplitPage (PageEntry, PageAttribute, SplitAttribute, Allo= catePagesFunc); if (RETURN_ERROR (Status)) { - return RETURN_UNSUPPORTED; + Status =3D RETURN_UNSUPPORTED; + goto Done; } if (IsSplitted !=3D NULL) { *IsSplitted =3D TRUE; 
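Review bot: The page that SplitPage() obtains through `AllocatePagesFunc` becomes part of the page table, but nothing in this hunk marks it read-only. Unless SplitPage does that itself (its body is outside the hunk), every split leaves a writable page-table page behind, and the protection set up by patch 2/2 erodes as attributes are changed at run time. At minimum I would record the gap next to the call, for example `// NOTE: the page table page allocated by SplitPage() is not write-protected here.` Separately, now that Status is carried to `Done:`, the line `Status = RETURN_UNSUPPORTED;` after `RETURN_ERROR (Status)` discards the code SplitPage returned; keeping it may be intentional for callers, but a short comment saying so would help.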
@@ -709,7 +759,14 @@ ConvertMemoryPageAttributes ( } } =20 - return RETURN_SUCCESS; +Done: + // + // Restore page table write protection, if any. + // + if (IsWpEnabled) { + EnableReadOnlyPageWriteProtect (); + } + return Status; } =20 /** --=20 2.14.1.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel From nobody Tue Dec 24 13:01:25 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1511945210144744.6700634783648; Wed, 29 Nov 2017 00:46:50 -0800 (PST) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 073A1203564D5; Wed, 29 Nov 2017 00:42:24 -0800 (PST) Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 8AD92203564A6 for ; Wed, 29 Nov 2017 00:42:22 -0800 (PST) Received: from orsmga002.jf.intel.com ([10.7.209.21]) by orsmga104.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 29 Nov 2017 00:46:46 -0800 Received: from jwang36-mobl2.ccr.corp.intel.com ([10.239.192.50]) by orsmga002.jf.intel.com with ESMTP; 29 Nov 2017 00:46:44 -0800 X-Original-To: edk2-devel@lists.01.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=134.134.136.31; helo=mga06.intel.com; envelope-from=jian.j.wang@intel.com; receiver=edk2-devel@lists.01.org X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.44,472,1505804400"; 
d="scan'208";a="13253653" From: Jian J Wang To: edk2-devel@lists.01.org Date: Wed, 29 Nov 2017 16:46:40 +0800 Message-Id: <20171129084640.20076-3-jian.j.wang@intel.com> X-Mailer: git-send-email 2.14.1.windows.1 In-Reply-To: <20171129084640.20076-1-jian.j.wang@intel.com> References: <20171129084640.20076-1-jian.j.wang@intel.com> Subject: [edk2] [PATCH 2/2] MdeModulePkg/DxeIpl: Mark page table as read-only X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jiewen Yao , Eric Dong , Star Zeng MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" This patch will set the memory pages used for page table as read-only memory after the paging is setup. CR0.WP must set to let it take into effect. Cc: Jiewen Yao Cc: Star Zeng Cc: Eric Dong Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Jian J Wang --- MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c | 166 +++++++++++++++++++= ++++ MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h | 14 ++ 2 files changed, 180 insertions(+) diff --git a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c b/MdeModulePk= g/Core/DxeIplPeim/X64/VirtualMemory.c index 29b6205e88..7a859606c6 100644 --- a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c +++ b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c 
@@ -234,6 +234,166 @@ Split1GPageTo2M ( } } =20 +/** + Set one page (4KB) of memory to be read-only. + + @param[in] PageTableBase Base address of page table (CR3). + @param[in] Address Start address of a page to be set as read-on= ly. + +**/ +VOID +SetPageReadOnly ( + IN UINTN PageTableBase, + IN PHYSICAL_ADDRESS Address + ) +{ + UINTN Index; + UINTN Index1; + UINTN Index2; + UINTN Index3; + UINTN Index4; + UINT64 *L1PageTable; + UINT64 *L2PageTable; + UINT64 *L3PageTable; + UINT64 *L4PageTable; + UINT64 AddressEncMask; + PHYSICAL_ADDRESS PhysicalAddress; + + ASSERT (PageTableBase !=3D 0); + + Index4 =3D ((UINTN)RShiftU64 (Address, PAGING_L4_ADDRESS_SHIFT)) & + PAGING_PAE_INDEX_MASK; + ASSERT (Index4 < PAGING_PML4E_NUMBER); + + Index3 =3D ((UINTN)Address >> PAGING_L3_ADDRESS_SHIFT) & PAGING_PAE_INDE= X_MASK; + Index2 =3D ((UINTN)Address >> PAGING_L2_ADDRESS_SHIFT) & PAGING_PAE_INDE= X_MASK; + Index1 =3D ((UINTN)Address >> PAGING_L1_ADDRESS_SHIFT) & PAGING_PAE_INDE= X_MASK; + + // + // Make sure AddressEncMask is contained to smallest supported address f= ield. + // + AddressEncMask =3D PcdGet64 (PcdPteMemoryEncryptionAddressOrMask) & + PAGING_1G_ADDRESS_MASK_64; + + L4PageTable =3D (UINT64 *)(UINTN)PageTableBase; + L3PageTable =3D (UINT64 *)(UINTN)(L4PageTable[Index4] & ~AddressEncMask & + PAGING_4K_ADDRESS_MASK_64); + if ((L3PageTable[Index3] & IA32_PG_PS) !=3D 0) { + // 1G page. Split to 2M. 
+ L2PageTable =3D AllocatePages (1); + ASSERT (L2PageTable !=3D NULL); + + PhysicalAddress =3D L3PageTable[Index3] & PAGING_1G_ADDRESS_MASK_64; + for (Index =3D 0; Index < EFI_PAGE_SIZE/sizeof (UINT64); ++Index) { + L2PageTable[Index] =3D PhysicalAddress | AddressEncMask | + IA32_PG_PS | IA32_PG_P | IA32_PG_RW; + PhysicalAddress +=3D SIZE_2MB; + } + + L3PageTable[Index3] =3D (UINT64) (UINTN) L2PageTable | AddressEncMask | + IA32_PG_P | IA32_PG_RW; + SetPageReadOnly (PageTableBase, (EFI_PHYSICAL_ADDRESS)(UINTN)L2PageTab= le); + } + + L2PageTable =3D (UINT64 *)(UINTN)(L3PageTable[Index3] & ~AddressEncMask & + PAGING_4K_ADDRESS_MASK_64); + if ((L2PageTable[Index2] & IA32_PG_PS) !=3D 0) { + // 2M page. Split to 4K. + L1PageTable =3D AllocatePages (1); + ASSERT (L1PageTable !=3D NULL); + + PhysicalAddress =3D L2PageTable[Index2] & PAGING_2M_ADDRESS_MASK_64; + for (Index =3D 0; Index < EFI_PAGE_SIZE/sizeof (UINT64); ++Index) { + L1PageTable[Index] =3D PhysicalAddress | AddressEncMask | + IA32_PG_P | IA32_PG_RW; + PhysicalAddress +=3D SIZE_4KB; + } + + L2PageTable[Index2] =3D (UINT64)(UINTN)L1PageTable | AddressEncMask | + IA32_PG_P | IA32_PG_RW; + SetPageReadOnly (PageTableBase, (EFI_PHYSICAL_ADDRESS)(UINTN)L1PageTab= le); + } + + // 4k + L1PageTable =3D (UINT64 *)(UINTN)(L2PageTable[Index2] & ~AddressEncMask & + PAGING_4K_ADDRESS_MASK_64); + L1PageTable[Index1] &=3D ~IA32_PG_RW; +} + +/** + Prevent the memory pages used for page table from been overwritten. + + @param[in] PageTableBase Base address of page table (CR3). + +**/ +VOID +EnablePageTableProtection ( + IN UINTN PageTableBase + ) +{ + UINTN Index2; + UINTN Index3; + UINTN Index4; + UINT64 *L1PageTable; + UINT64 *L2PageTable; + UINT64 *L3PageTable; + UINT64 *L4PageTable; + UINT64 AddressEncMask; + + // + // Disable write protection, because we need to mark page table to be wr= ite=20 + // protected. 
+ // + AsmWriteCr0 (AsmReadCr0() & ~CR0_WP); + + AddressEncMask =3D PcdGet64 (PcdPteMemoryEncryptionAddressOrMask) & + PAGING_1G_ADDRESS_MASK_64; + L4PageTable =3D (UINT64 *)PageTableBase; + SetPageReadOnly (PageTableBase, (EFI_PHYSICAL_ADDRESS)(UINTN)L4PageTable= ); + + for (Index4 =3D 0; Index4 < PAGING_PML4E_NUMBER; Index4++) { + L3PageTable =3D (UINT64 *)(UINTN)(L4PageTable[Index4] & ~AddressEncMas= k & + PAGING_4K_ADDRESS_MASK_64); + if (L3PageTable =3D=3D NULL) { + continue; + } + SetPageReadOnly (PageTableBase, (EFI_PHYSICAL_ADDRESS)(UINTN)L3PageTab= le); + + for (Index3 =3D 0; Index3 < EFI_PAGE_SIZE/sizeof(UINT64); Index3++) { + if ((L3PageTable[Index3] & IA32_PG_PS) !=3D 0) { + // 1G + continue; + } + + L2PageTable =3D (UINT64 *)(UINTN)(L3PageTable[Index3] & ~AddressEncM= ask & + PAGING_4K_ADDRESS_MASK_64); + if (L2PageTable =3D=3D NULL) { + continue; + } + SetPageReadOnly (PageTableBase, (EFI_PHYSICAL_ADDRESS)(UINTN)L2PageT= able); + + for (Index2 =3D 0; Index2 < EFI_PAGE_SIZE/sizeof(UINT64); Index2++) { + if ((L2PageTable[Index2] & IA32_PG_PS) !=3D 0) { + // 2M + continue; + } + + L1PageTable =3D (UINT64 *)(UINTN)(L2PageTable[Index2] & ~AddressEn= cMask & + PAGING_4K_ADDRESS_MASK_64); + if (L1PageTable =3D=3D NULL) { + continue; + } + SetPageReadOnly (PageTableBase, (EFI_PHYSICAL_ADDRESS)(UINTN)L1Pag= eTable); + } + } + } + + // + // Enable write protection, after page table updated. + // + AsmWriteCr0 (AsmReadCr0() | CR0_WP); +} + /** Allocates and fills in the Page Directory and Page Table Entries to establish a 1:1 Virtual to Physical mapping. @@ -430,6 +590,12 @@ CreateIdentityMappingPageTables ( ); } =20 + // + // Protect the page table by marking the memory used for page table to be + // read-only. + // + EnablePageTableProtection ((UINTN)PageMap); + if (PcdGetBool (PcdSetNxForStack)) { EnableExecuteDisableBit (); } 
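Review bot: SetPageReadOnly() follows `L4PageTable[Index4]`, `L3PageTable[Index3]` and `L2PageTable[Index2]` without testing `IA32_PG_P`. Its only guards are ASSERTs (`Index4 < PAGING_PML4E_NUMBER` and the two `AllocatePages (1)` results), so if ASSERT is compiled out in release builds, as is usual, a non-present entry or a failed allocation is used as a table pointer. The fence sketches explicit checks at the 1G level, and the 2M level needs the same pair; whether to return or to stop the boot on failure is a policy decision for the maintainers, since the function returns VOID. Separately, the entries written when a 1G or 2M page is split carry only `IA32_PG_P | IA32_PG_RW` (plus `IA32_PG_PS`) and the encryption mask, so any other attribute bits of the original large-page entry appear to be dropped. EnablePageTableProtection() also clears and then sets CR0.WP unconditionally, so it does not restore the value it found, unlike the save-and-restore used in patch 1/2.

```c
  L4PageTable = (UINT64 *)(UINTN)PageTableBase;
  if ((L4PageTable[Index4] & IA32_PG_P) == 0) {
    ASSERT (FALSE);
    return;
  }
  // … unchanged: L3PageTable derived from L4PageTable[Index4] …
  if ((L3PageTable[Index3] & IA32_PG_P) == 0) {
    ASSERT (FALSE);
    return;
  }
  // … unchanged: 1G test and L2PageTable = AllocatePages (1) …
    if (L2PageTable == NULL) {
      ASSERT (FALSE);
      return;
    }
  // … unchanged: rest of the 1G split; the 2M level gets the same two checks …
```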
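Review bot: The comment above `EnablePageTableProtection ((UINTN)PageMap);` does not warn that once the call returns the page-table pages are read-only and CR0.WP is set. Once these tables are in use, any later code that edits them without first clearing CR0.WP will fault. Patch 1/2 of this series adapts ConvertMemoryPageAttributes in CpuDxe; other writers, if any exist, are not visible here. The comment could say so, for example `// From here on the page table pages are read-only; code that updates them must clear CR0.WP first and restore it afterwards.` The call is also unconditional, and judging from EnablePageTableProtection() as added earlier in this patch it may allocate extra pages to split large mappings, with no PCD shown to turn the behaviour off. CreateIdentityMappingPageTables continues outside the hunk.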
diff --git a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h b/MdeModulePk= g/Core/DxeIplPeim/X64/VirtualMemory.h index 7c9bb49e3e..6d1961b6f8 100644 --- a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h +++ b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h @@ -148,11 +148,25 @@ typedef union { =20 #pragma pack() =20 +#define CR0_WP BIT16 + #define IA32_PG_P BIT0 #define IA32_PG_RW BIT1 +#define IA32_PG_PS BIT7 + +#define PAGING_PAE_INDEX_MASK 0x1FF =20 +#define PAGING_4K_ADDRESS_MASK_64 0x000FFFFFFFFFF000ull +#define PAGING_2M_ADDRESS_MASK_64 0x000FFFFFFFE00000ull #define PAGING_1G_ADDRESS_MASK_64 0x000FFFFFC0000000ull =20 +#define PAGING_L1_ADDRESS_SHIFT 12 +#define PAGING_L2_ADDRESS_SHIFT 21 +#define PAGING_L3_ADDRESS_SHIFT 30 +#define PAGING_L4_ADDRESS_SHIFT 39 + +#define PAGING_PML4E_NUMBER 4 + /** Enable Execute Disable Bit. =20 --=20 2.14.1.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
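Review bot: `PAGING_PML4E_NUMBER` is fixed at 4 with no comment on where the value comes from, yet the .c changes use it both as the ASSERT bound in SetPageReadOnly() and as the loop limit in EnablePageTableProtection(). If CreateIdentityMappingPageTables can populate more than four PML4 entries (how many it creates is not shown), the tables behind the remaining entries stay writable with no diagnostic. I would either pass the real entry count into EnablePageTableProtection() or document the limit at the define, for example `// Page table protection covers only the first 4 PML4 entries (4 x 512GB).` `CR0_WP` also duplicates the bare `BIT16` that patch 1/2 uses for the same bit in CpuDxe; a shared name would make the two easier to audit together.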