On Wed, Oct 21, 2015 at 7:36 AM, Borislav Petkov <bp@xxxxxxxxx> wrote: > On Wed, Oct 21, 2015 at 03:28:56PM +0200, Ard Biesheuvel wrote: >> In theory, yes. In practice, since this is supposed to be a security >> enhancement, we need some kind of ground truth to tell us which pages >> can be legally modified *and* executed, so that we can detect the >> illegal cases. My point was that, since a multitude of PE/COFF images >> can be covered by a single EfiRuntimeServicesCode region, the UEFI >> memory map does not give us enough information to make the distinction >> between a page that sits on the text/data boundary of some PE/COFF >> image and a page that sits wholly in either. > > Well, we're going to simply allow the accesses to in-kernel users which > fault on those ranges, assuming that in-kernel modifiers are legit and > DTRT. Which means, we don't really need to know which pages can be > legally modified - we simply trust the in-kernel users. > > The moment you're able to load an evil kernel module, guarding against > those writes is the last thing you need to worry about... I don't think we can do a whole lot to help against broken UEFI code, but having anything mapped RWX is a nice target for people trying to exploit kernel bugs. Hence my suggestion to clear W except when actually running UEFI code. If the UEFI stuff is mapped in its own PGD entry, we could just RO that entire PGD entry everywhere except the UEFI pgd (and make sure to clear G so that the TLB entries get zapped). --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html