MdeModulePkg: Enable forward edge CFI in mem attributes table

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4405

The memory attributes table has been extended with a flag that indicates
whether or not the OS is permitted to map the EFI runtime code regions
with strict enforcement for IBT/BTI landing pad instructions.

Given that the PE/COFF spec now defines a DllCharacteristicsEx flag that
indicates whether or not a loaded image is compatible with this, we can
wire this up to the flag in the memory attributes table, and set it if
all loaded runtime image are compatible with it.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>
Reviewed-by: Oliver Smith-Denny <osde@linux.microsoft.com>
Reviewed-by: Michael Kubacki <michael.kubacki@microsoft.com>
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>

diff --git a/MdeModulePkg/Core/Dxe/DxeMain.h b/MdeModulePkg/Core/Dxe/DxeMain.h
index 815a6b4bd844a452ace09c2e3932cfa03e3ecf2e..43daa037be44115018ccd67c8e840480f1fc6752 100644 (file)
--- a/MdeModulePkg/Core/Dxe/DxeMain.h
+++ b/MdeModulePkg/Core/Dxe/DxeMain.h
@@ -280,6 +280,8 @@ extern EFI_MEMORY_TYPE_INFORMATION  gMemoryTypeInformation[EfiMaxMemoryType + 1]
 extern BOOLEAN                    gDispatcherRunning;\r
 extern EFI_RUNTIME_ARCH_PROTOCOL  gRuntimeTemplate;\r
 \r
+extern BOOLEAN  gMemoryAttributesTableForwardCfi;\r
+\r
 extern EFI_LOAD_FIXED_ADDRESS_CONFIGURATION_TABLE  gLoadModuleAtFixAddressConfigurationTable;\r
 extern BOOLEAN                                     gLoadFixedAddressCodeMemoryReady;\r
 //\r

diff --git a/MdeModulePkg/Core/Dxe/Image/Image.c b/MdeModulePkg/Core/Dxe/Image/Image.c
index 8704ebea9a7c88c0bbf2555ec051845e5618c078..9dbfb2a1fad22ced1fd6a707d1e9d946e7dc848c 100644 (file)
--- a/MdeModulePkg/Core/Dxe/Image/Image.c
+++ b/MdeModulePkg/Core/Dxe/Image/Image.c
@@ -1399,6 +1399,16 @@ CoreLoadImageCommon (
     CoreNewDebugImageInfoEntry (EFI_DEBUG_IMAGE_INFO_TYPE_NORMAL, &Image->Info, Image->Handle);\r
   }\r
 \r
+  //\r
+  // Check whether we are loading a runtime image that lacks support for\r
+  // IBT/BTI landing pads.\r
+  //\r
+  if ((Image->ImageContext.ImageCodeMemoryType == EfiRuntimeServicesCode) &&\r
+      ((Image->ImageContext.DllCharacteristicsEx & EFI_IMAGE_DLLCHARACTERISTICS_EX_FORWARD_CFI_COMPAT) == 0))\r
+  {\r
+    gMemoryAttributesTableForwardCfi = FALSE;\r
+  }\r
+\r
   //\r
   // Reinstall loaded image protocol to fire any notifications\r
   //\r

diff --git a/MdeModulePkg/Core/Dxe/Misc/MemoryAttributesTable.c b/MdeModulePkg/Core/Dxe/Misc/MemoryAttributesTable.c
index 82fa026bceb990e5c44c12fffac2f9c05f885e6d..fd127ee167e1ac9ac9682d16124daa85c194547d 100644 (file)
--- a/MdeModulePkg/Core/Dxe/Misc/MemoryAttributesTable.c
+++ b/MdeModulePkg/Core/Dxe/Misc/MemoryAttributesTable.c
@@ -89,6 +89,7 @@ BOOLEAN                      mMemoryAttributesTableEnable      = TRUE;
 BOOLEAN                      mMemoryAttributesTableEndOfDxe    = FALSE;\r
 EFI_MEMORY_ATTRIBUTES_TABLE  *mMemoryAttributesTable           = NULL;\r
 BOOLEAN                      mMemoryAttributesTableReadyToBoot = FALSE;\r
+BOOLEAN                      gMemoryAttributesTableForwardCfi  = TRUE;\r
 \r
 /**\r
   Install MemoryAttributesTable.\r
@@ -182,7 +183,12 @@ InstallMemoryAttributesTable (
   MemoryAttributesTable->Version         = EFI_MEMORY_ATTRIBUTES_TABLE_VERSION;\r
   MemoryAttributesTable->NumberOfEntries = RuntimeEntryCount;\r
   MemoryAttributesTable->DescriptorSize  = (UINT32)DescriptorSize;\r
-  MemoryAttributesTable->Flags           = 0;\r
+  if (gMemoryAttributesTableForwardCfi) {\r
+    MemoryAttributesTable->Flags = EFI_MEMORY_ATTRIBUTES_FLAGS_RT_FORWARD_CONTROL_FLOW_GUARD;\r
+  } else {\r
+    MemoryAttributesTable->Flags = 0;\r
+  }\r
+\r
   DEBUG ((DEBUG_VERBOSE, "MemoryAttributesTable:\n"));\r
   DEBUG ((DEBUG_VERBOSE, "  Version              - 0x%08x\n", MemoryAttributesTable->Version));\r
   DEBUG ((DEBUG_VERBOSE, "  NumberOfEntries      - 0x%08x\n", MemoryAttributesTable->NumberOfEntries));\r