The UEFI specification does not guarantee all memory to be executable and/or writable. There are some firmware implementations that enforce stricter memory protection attributes, and that prevents the Linux kernel from booting normally, causing a page fault during the boot process.

This patch uses DXE services to check and modify memory attributes while booting via EFISTUB, in such a way that memory regions that are used by the kernel until extraction and are expected to be executable have appropriate attributes.

Unlike v2 of the patch, this version only modifies memory attributes if it is really required, to reduce the probability of facing firmware bugs.

"Really required" in this case means:
- DXE services table is published by EFI;
- GetMemorySpaceDescriptor() works and can return descriptor(s) of regions, where attributes modification might be required;
- EFI_MEMORY_RO or EFI_MEMORY_XP is set for these regions;
- Region describes system memory, i.e. generic RAM.

Also, we cannot simply replace EFI_LOADER_DATA with EFI_LOADER_CODE to mitigate the issue, since:
- It is not guaranteed by the specification that memory allocated with loader code type is executable. And firmware where this issue is present is modified in such a way that EFI_LOADER_CODE memory is not executable;
- Linux still uses memory not allocated via EFI boot services for trampoline code placement, which would remain non-executable after replacement of EFI_LOADER_DATA with EFI_LOADER_CODE.

Baskov Evgeniy (2):
  efi: declare DXE services table
  libstub: ensure allocated memory to be executable

 arch/x86/include/asm/efi.h | 5 +
 drivers/firmware/efi/Kconfig | 12 ++
 drivers/firmware/efi/libstub/efistub.h | 74 ++++++++++++++
 drivers/firmware/efi/libstub/x86-stub.c | 10 +-
 include/linux/efi.h | 2
 drivers/firmware/efi/libstub/x86-stub.c | 110 +++++++++++++++++++++-
 6 files changed, 208 insertions(+), 5 deletions(-)
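The four "really required" conditions listed in the cover letter, modelled as a stand-alone C check over a constructed memory map. This is an added example, not code from the patch series; the descriptor layout, `sample_map`, `lookup()` and `regions_needing_fix()` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Attribute bits as defined by the UEFI specification. */
#define EFI_MEMORY_XP 0x0000000000004000ULL
#define EFI_MEMORY_RO 0x0000000000020000ULL

/* Simplified GCD memory types and descriptor (hypothetical layout, not the PI one). */
enum gcd_type { GCD_NON_EXISTENT, GCD_RESERVED, GCD_SYSTEM_MEMORY, GCD_MMIO };
struct gcd_desc { uint64_t base, length, attributes; enum gcd_type type; };

/* Constructed sample map standing in for what GetMemorySpaceDescriptor() reports. */
static const struct gcd_desc sample_map[] = {
    { 0x000000, 0x100000, 0,                             GCD_SYSTEM_MEMORY },
    { 0x100000, 0x300000, EFI_MEMORY_XP,                 GCD_SYSTEM_MEMORY },
    { 0x400000, 0x100000, EFI_MEMORY_XP | EFI_MEMORY_RO, GCD_MMIO },
    { 0x500000, 0x100000, EFI_MEMORY_RO,                 GCD_SYSTEM_MEMORY },
};

/* Hypothetical lookup: descriptor containing addr, NULL where the call would fail. */
static const struct gcd_desc *lookup(const struct gcd_desc *map, size_t n, uint64_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= map[i].base && addr - map[i].base < map[i].length)
            return &map[i];
    return NULL;
}

/* Count descriptors overlapping [start, start + size) that meet all four
 * conditions, i.e. the only ones whose attributes would be modified. */
static int regions_needing_fix(int have_dxe_table, const struct gcd_desc *map,
                               size_t n, uint64_t start, uint64_t size)
{
    int count = 0;
    uint64_t end = start + size;
    if (!have_dxe_table)
        return 0;                        /* 1: no DXE services table published */
    while (start < end) {
        const struct gcd_desc *d = lookup(map, n, start);
        if (!d)
            break;                       /* 2: no descriptor could be returned */
        if ((d->attributes & (EFI_MEMORY_RO | EFI_MEMORY_XP)) &&  /* 3: RO or XP set */
            d->type == GCD_SYSTEM_MEMORY)                         /* 4: generic RAM */
            count++;
        start = d->base + d->length;     /* move on to the next descriptor */
    }
    return count;
}

int main(void) { return regions_needing_fix(1, sample_map, 4, 0x200000, 0x400000) != 2; }
```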