[edk2-devel] [PATCH 00/14] Implement Dynamic Memory Protections

Pedro Falcato pedro.falcato at gmail.com
Mon Jul 17 16:49:17 UTC 2023


On Mon, Jul 17, 2023 at 5:26 PM Ard Biesheuvel <ardb at kernel.org> wrote:
>
> On Mon, 17 Jul 2023 at 18:15, Pedro Falcato <pedro.falcato at gmail.com> wrote:
> >
> > On Wed, Jul 12, 2023 at 12:53 AM Taylor Beebe <t at taylorbeebe.com> wrote:
> > >
> > > In the past, memory protection settings were configured via FixedAtBuild PCDs,
> > > which resulted in a build-time configuration of memory mitigations. This
> > > approach limited the flexibility of applying mitigations to the
> > > system and made it difficult to update or adjust the settings post-build.
> >
> > How do you mitigate the possibility of an attack overwriting the
> > dynamic configuration data (the HOBs)?
> > It seems most dangerous to me to publish security-sensitive
> > configuration knobs of this sort dynamically, such that an
> > attacker can change them.
> >
>
> That is a very good point. One of the things I have on my TODO list
> for the memory attributes PEI work is to remap HOB memory read-only
> before entering DXE. They are conceptually read-only anyway when PEI
> completes, so they should never be modified afterwards.

I agree, but it also seems that this patch set needs some sort of
__ro_after_init capabilities. For example, in
https://github.com/tianocore/edk2/pull/4566/commits/e485459b6efb1e49591c6f3011d9da14746c52bc#diff-02c0ef19d024b43162043efdd9ed95e0eef1653bcb5bef1e2f2b77587aee2622R101
(DxeMemoryProtectionHobLibConstructor), a copy of this same HOB is
made onto .data, while it should be RO-protected as well.
With both the HOB list and this sort of __ro_after_init protected, the
only remaining exploits would be to DMA over those pages (addressed by
IOMMU, not in this scope), to remap those pages (requires ring 0
access, therefore irrelevant) or to toggle some sort of WP-like bit
(CR0.WP, other archs may have equivalents), which already bypasses
most of the memory protections and therefore isn't all that concerning
to me.

-- 
Pedro
