On 21 October 2015 at 15:24, Borislav Petkov <bp@xxxxxxxxx> wrote:
> On Wed, Oct 21, 2015 at 02:57:47PM +0200, Ard Biesheuvel wrote:
>> ... For the remaining cases, which is the vast majority, no such
>> assumptions can be made, and since the UEFI runtime regions are
>> typically populated with a bunch of PE/COFF images (each of which
>> consists of text + data), inferring where the boundaries are between
>> them does not seem tractable (for instance, to only map 'boundary'
>> pages RWX)
>
> How much of a problem would it be if we still do the on-demand page
> faulting and map a trailing piece of code together with the data in a
> page RWX?
>
> Still better than mapping the *whole* thing RWX, no?
>

In theory, yes. In practice, since this is supposed to be a security
enhancement, we need some kind of ground truth to tell us which pages
can be legally modified *and* executed, so that we can detect the
illegal cases.

My point was that, since a multitude of PE/COFF images can be covered
by a single EfiRuntimeServicesCode region, the UEFI memory map does not
give us enough information to make the distinction between a page that
sits on the text/data boundary of some PE/COFF image and a page that
sits wholly in either.

--
Ard.
--
To unsubscribe from this list: send the line "unsubscribe linux-efi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
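The point about "boundary" pages is easier to see with numbers. The following is an added illustration, not code from this thread or from the Linux EFI code: it assumes a hypothetical per-image section layout (`struct pe_image`, with constructed addresses) as the ground truth the memory map lacks, classifies each 4 KiB page of one EfiRuntimeServicesCode region as text-only, data-only, or mixed, and contrasts that with what can be concluded from the memory map alone, where every page must be assumed to be mixed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE_SZ 4096ULL

/* How a page would be classified if the per-image section layout were
 * known. The UEFI memory map alone never distinguishes these: it only
 * says "this whole region is EfiRuntimeServicesCode". */
enum page_kind {
    PAGE_UNUSED = 0,
    PAGE_TEXT   = 1,   /* text only: could be mapped RX  */
    PAGE_DATA   = 2,   /* data only: could be mapped RW  */
    PAGE_MIXED  = 3    /* text/data boundary: needs RWX  */
};

/* Hypothetical ground truth: one PE/COFF image's text and data ranges
 * (physical addresses, half-open). Not something the memory map provides. */
struct pe_image {
    uint64_t text_start, text_end;
    uint64_t data_start, data_end;
};

static int ranges_overlap(uint64_t a0, uint64_t a1, uint64_t b0, uint64_t b1)
{
    return a0 < b1 && b0 < a1;
}

/* Classify each page of [base, base + size). kinds[] must hold
 * size / PAGE_SZ entries. Returns the number of PAGE_MIXED pages. */
size_t classify_pages(uint64_t base, uint64_t size,
                      const struct pe_image *imgs, size_t nimg,
                      enum page_kind *kinds)
{
    size_t npages = size / PAGE_SZ, mixed = 0;
    for (size_t p = 0; p < npages; p++) {
        uint64_t lo = base + p * PAGE_SZ, hi = lo + PAGE_SZ;
        int kind = PAGE_UNUSED;
        for (size_t i = 0; i < nimg; i++) {
            if (ranges_overlap(lo, hi, imgs[i].text_start, imgs[i].text_end))
                kind |= PAGE_TEXT;
            if (ranges_overlap(lo, hi, imgs[i].data_start, imgs[i].data_end))
                kind |= PAGE_DATA;
        }
        kinds[p] = (enum page_kind)kind;
        if (kind == PAGE_MIXED)
            mixed++;
    }
    return mixed;
}

/* With only the memory map (region type, no section info) there is no way
 * to tell boundary pages apart, so every page has to be treated as mixed. */
size_t rwx_pages_from_memmap_only(uint64_t size)
{
    return size / PAGE_SZ;
}

/* Constructed sample: one 64 KiB EfiRuntimeServicesCode region holding two
 * images whose text/data boundaries fall in the middle of a page. */
#define SAMPLE_BASE   0x80000000ULL
#define SAMPLE_SIZE   0x10000ULL
#define SAMPLE_NPAGES (SAMPLE_SIZE / PAGE_SZ)

static const struct pe_image sample_images[] = {
    { 0x80000000, 0x80002800, 0x80002800, 0x80004000 },  /* boundary in page 2 */
    { 0x80005000, 0x80006c00, 0x80006c00, 0x80008400 },  /* boundary in page 6 */
};

static enum page_kind sample_kinds[SAMPLE_NPAGES];

/* Classify the sample region; returns the number of boundary (RWX) pages. */
size_t sample_mixed_count(void)
{
    return classify_pages(SAMPLE_BASE, SAMPLE_SIZE, sample_images,
                          sizeof sample_images / sizeof sample_images[0],
                          sample_kinds);
}

enum page_kind sample_kind(size_t page)
{
    return page < SAMPLE_NPAGES ? sample_kinds[page] : PAGE_UNUSED;
}

int main(void)
{
    static const char *name[] = { "unused", "text", "data", "MIXED (rwx)" };
    size_t mixed = sample_mixed_count();
    for (size_t p = 0; p < SAMPLE_NPAGES; p++)
        printf("page %2zu @ 0x%llx: %s\n", p,
               (unsigned long long)(SAMPLE_BASE + p * PAGE_SZ),
               name[sample_kinds[p]]);
    printf("with section layout: %zu RWX page(s); memmap only: %zu\n",
           mixed, rwx_pages_from_memmap_only(SAMPLE_SIZE));
    return 0;
}
```

With the constructed layout only 2 of 16 pages genuinely need RWX, but that answer depends entirely on the `pe_image` table; drop it and the region collapses back to a single EfiRuntimeServicesCode entry, which is why the memory map on its own cannot serve as the ground truth for a W^X-style check on runtime services.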