Date:   Thu, 03 Mar 2022 17:15:46 +0300
From:   baskov@...ras.ru
To:     Ard Biesheuvel <ardb@...nel.org>
Cc:     Matthew Garrett <mjg59@...f.ucam.org>,
        Peter Jones <pjones@...hat.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        X86 ML <x86@...nel.org>, linux-efi <linux-efi@...r.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH RFC v2 0/2] Handle UEFI NX-restricted page tables

On 2022-02-28 19:45, Ard Biesheuvel wrote:
> (cc Matt and Peter)
> 
> 
> Thanks for exploring my suggestion to use the DXE services for this.
> 
> Given that this is a workaround for a very specific issue arising on
> PI based implementations of UEFI, I consider this a quirk, and so I
> think this approach is reasonable. I'd still like to gate it on some
> kind of identification, though - perhaps something related to DMI like
> the x86 core kernel does as well.
> 
> I've cc'ed Peter and Matt, who have much more experience dealing with
> these kinds of things on x86 - my experience is mostly based on ARM,
> which tends to be less quirky when it comes to UEFI support, given
> that vendors that implement EFI actually care about being compliant
> (instead of only about getting a windows sticker)
> 
> Matt, Peter, any thoughts?
> 
> 
>> Baskov Evgeniy (2):
>>        efi: declare DXE services table
>>        libstub: ensure allocated memory to be executable
>> 
>>  arch/x86/include/asm/efi.h              |  5 ++
>>  drivers/firmware/efi/libstub/efistub.h  | 53 ++++++++++++++++++++
>>  drivers/firmware/efi/libstub/x86-stub.c | 73 ++++++++++++++++++++++++++--
>>  include/linux/efi.h                     |  2 +
>>  4 files changed, 128 insertions(+), 5 deletions(-)

We now have tested the patch on major platforms, and it works without
any issues. But in case of firmware bugs I have changed the code to only
modify attributes if either EFI_MEMORY_RO or EFI_MEMORY_WP is set and
the memory has type EfiGcdMemoryTypeSystemMemory.

I also added option CONFIG_EFI_DXE_MEM_ATTRIBUTES (enabled by default),
to allow this code to be disabled at compile time.

These changes will be sent in version 3 of the patch.

Thanks,
Baskov Evgeniy
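
The gating condition described in the message above, modelled in user space as an added example (not code from the patch or from the kernel). The descriptor struct, the function names and the sample table are hypothetical; the attribute bits follow the UEFI specification and the type order follows the PI specification. Which bits get cleared is an assumption, since the message does not say.

```c
#include <stddef.h>
#include <stdint.h>

/* Attribute bits from the UEFI specification. */
#define EFI_MEMORY_WP 0x0000000000001000ULL
#define EFI_MEMORY_XP 0x0000000000004000ULL
#define EFI_MEMORY_RO 0x0000000000020000ULL

/* First GCD memory types, in PI specification order. */
enum gcd_type { EfiGcdMemoryTypeNonExistent, EfiGcdMemoryTypeReserved,
                EfiGcdMemoryTypeSystemMemory, EfiGcdMemoryTypeMemoryMappedIo };

/* Hypothetical reduced descriptor; the real one has more fields. */
struct gcd_desc { uint64_t base, length, attributes; enum gcd_type type; };

/* Constructed sample table standing in for firmware answers. */
static struct gcd_desc sample[] = {
    { 0x000000, 0x100000, EFI_MEMORY_XP, EfiGcdMemoryTypeSystemMemory },
    { 0x100000, 0x100000, EFI_MEMORY_RO | EFI_MEMORY_XP, EfiGcdMemoryTypeSystemMemory },
    { 0x200000, 0x100000, EFI_MEMORY_WP, EfiGcdMemoryTypeReserved },
    { 0x300000, 0x100000, EFI_MEMORY_RO, EfiGcdMemoryTypeSystemMemory },
};

/* The gate as worded in the message: system memory with RO or WP set. */
static int needs_adjust(const struct gcd_desc *d)
{
    return d->type == EfiGcdMemoryTypeSystemMemory &&
           (d->attributes & (EFI_MEMORY_RO | EFI_MEMORY_WP)) != 0;
}

/* Adjust descriptors overlapping [start, start + size) that pass the gate.
 * Assumption: adjusting means clearing RO, WP and XP. Returns the count changed. */
static size_t adjust_range(struct gcd_desc *tbl, size_t n, uint64_t start, uint64_t size)
{
    size_t changed = 0;
    for (size_t i = 0; i < n; i++) {
        struct gcd_desc *d = &tbl[i];
        if (d->base >= start + size || d->base + d->length <= start)
            continue; /* outside the requested range */
        if (!needs_adjust(d))
            continue; /* wrong type, or neither RO nor WP set */
        d->attributes &= ~(EFI_MEMORY_RO | EFI_MEMORY_WP | EFI_MEMORY_XP);
        changed++;
    }
    return changed;
}

int main(void)
{
    return adjust_range(sample, 4, 0x080000, 0x200000) == 1 ? 0 : 1;
}
```

In the sample, the first entry (system memory with only XP set) and the reserved entry are left untouched by the gate, and the last entry lies outside the requested range.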
