Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for NX (W^X) mitigations. #459

Merged
merged 6 commits into from
May 17, 2022
Merged

Add support for NX (W^X) mitigations. #459

merged 6 commits into from
May 17, 2022

Conversation

vathpela
Copy link
Contributor

@vathpela vathpela commented Apr 12, 2022
edited
Loading

Resolves #432 .

frozencemetery
frozencemetery reviewed Apr 12, 2022
View reviewed changes
Copy link
Member

@frozencemetery frozencemetery left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nothing jumps out as obviously incorrect.

@vathpela vathpela marked this pull request as ready for review May 3, 2022 20:41
@vathpela
Copy link
Contributor Author

I've got an issue with x86_64 kernel loading in grub that I want to understand better before I push this.

@vathpela
post-process-pe: there is no 's' argument.
5aca36c 
There is no 's' argument to post-process-pe, so we shouldn't tell getopt
that there is.

This patch takes the 's' out of the getopt short option list.

Signed-off-by: Peter Jones <pjones@redhat.com>
@vathpela
gnu-efi: Add EFI_MEMORY_ATTRIBUTE protocol
7abca5e 
This patch adds the EFI_MEMORY_ATTRIBUTE protocol to gnu-efi, as well as
some associated missing definitions.

Signed-off-by: Peter Jones <pjones@redhat.com>
@vathpela
Add some missing PE image flag definitions
a6b9a05 
This patch adds some missing definitions for PE header flags.  We don't
use all of them, but it's less confusing with the list matching the
spec, except where the spec is obviously wrong.

Signed-off-by: Peter Jones <pjones@redhat.com>
@vathpela
PE Loader: support and require NX
825d993 
This adds support in our PE loader for NX support utilizing the
EFI_MEMORY_ATTRIBUTE protocol.  Specifically, it changes the loader such
that:

- binaries without the EFI_IMAGE_DLLCHARACTERISTICS_NX_COMPAT flag set
  in the Optional Header are rejected as EFI_UNSUPPORTED
- binaries with non-discardable sections that have both the
  EFI_SCN_MEM_WRITE and EFI_SCN_MEM_EXECUTE flags set are rejected as
  EFI_UNSUPPORTED
- if the EFI_MEMORY_ATTRIBUTE protocol is installed, then:
  - sections without the EFI_SCN_MEM_READ flag set will be marked with
    EFI_MEMORY_RP
  - sections without the EFI_SCN_MEM_WRITE flag set will be marked with
    EFI_MEMORY_RO
  - sections without the EFI_SCN_MEM_EXECUTE flag set will be marked
    with EFI_MEMORY_XP

Signed-off-by: Peter Jones <pjones@redhat.com>
@vathpela
Add MokPolicy variable and MOK_POLICY_REQUIRE_NX
c84000e 
This adds a new MoK variable, MokPolicy (&MokPolicyRT) that's intended
as a bitmask of machine owner policy choices, and the bit
MOK_POLICY_REQUIRE_NX.  This bit specifies whether it is permissible to
load binaries which do not support NX mitigations, and it currently
defaults to allowing such binaries to be loaded.

The broader intention here is to migrate all of the MoK policy variables
that are really just on/off flags to this variable.

Signed-off-by: Peter Jones <pjones@redhat.com>
@vathpela
post-process-pe: set EFI_IMAGE_DLLCHARACTERISTICS_NX_COMPAT
99a8d19 
Currently, system firmware has no means to discover that an EFI
Application is compatible with the security feature variously known as
NX or w^x.

Since at least Revision 8.1, the PE spec supports setting a flag the
Optional Header's DllCharacteristics field to inform loaders that an
application supports being loaded with NX enabled.

In the case of UEFI, there are several things that should be enabled if
this flag is set:

- EFI_BOOT_SERVICES.AllocatePages() with MemoryType = EfiLoaderCode,
  EfiBootServicesCode, EfiRuntimeServicesCode, etc, currently must set
  memory as rwx.  This flag set implies that rw- is appropriate, and
  that the application knows how to use the EFI_MEMORY_ATTRIBUTE
  protocol to change that to r-x.
- EFI_BOOT_SERVICES.AllocatePool() - same as AllocatePages()
- EFI_BOOT_SERVICES.LoadImage()
  - currently must set the stack as rwx. This flag states that it is
    allowed to be rw-
  - currently a binary can probably have writable PLTs?  This flag
    allows the loader to not set them writable
- I have heard that some firmwares have the 0 page mapped rwx.
  Obviously this should not be done.

Signed-off-by: Peter Jones <pjones@redhat.com>
@vathpela vathpela merged commit b104fc4 into rhboot:main May 17, 2022
@vathpela vathpela deleted the nx branch May 17, 2022 23:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@frozencemetery frozencemetery frozencemetery approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Implement NX (w^x) support
2 participants
@vathpela @frozencemetery