On 4/17/2024 9:52 AM, Ard Biesheuvel wrote:
> So the purpose of the MAT is to describe RT code (and to a lesser
> extent, RT data) regions where we cannot apply either RO or XP to the
> whole thing. IIRC there was never an intent to exhaustively describe
> all memory runtime regions. Also note that RO was introduced at this
> point, because WP was already being used in the ordinary memory map in
> a deviating manner. RO is defined both for the memory map and the MAT,
> and so it can occur in either.


At the principle level, I think we can say that we want all runtime code
regions to be RO and all runtime data regions to be XP. Regardless of
whatever situation we have today, I think this is a reasonable
principle to maintain. If you don't want those attributes, a different
memory type should be allocated. If we agree on this principle, I think
we should put it into practice. Again, the UEFI spec calls out that
EfiRuntimeServicesCode is for image code. From a security and safety
standpoint, we know we want image code to be RO.

To help with any existing (mis)use of EfiRuntimeServicesCode, I do
think we should put a big old assert in the MAT generation logic that
says "I found an EfiRuntimeServicesCode section that is not described
in an image record, something is wrong with your configuration, you
are not using EfiRuntimeServicesCode correctly." If I am missing a
legitimate use of EfiRuntimeServicesCode, please help educate me.

Also, I know that modern Windows security features rely on the MAT
describing all EfiRuntimeServicesCode and EfiRuntimeServicesData
regions. Here is an MSDN link that makes a statement towards
that:

https://learn.microsoft.com/en-us/windows-hardware/drivers/bringup/unified-extensible-firmware-interface

In a more actionable way, the Windows testing infrastructure will
test to ensure that there are no EfiRuntimeServices[Code|Data]
sections in the EFI memory map that are not described in the MAT.
Again, there are various security features that rely on this.

Thanks,
Oliver
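
The coverage check discussed in this message, as an added example that is not part of the original email, edk2, or the Windows test suite: it flags runtime regions in the memory map that the MAT leaves undescribed, and MAT entries that break the "code is RO, data is XP" principle. The `desc_t` struct, function names and sample addresses are assumptions made for illustration; the type and attribute constants are the UEFI spec values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* desc_t is a simplified stand-in for EFI_MEMORY_DESCRIPTOR (assumption);
   the constants below are the UEFI spec values. */
#define RT_CODE 5u            /* EfiRuntimeServicesCode */
#define RT_DATA 6u            /* EfiRuntimeServicesData */
#define ATTR_XP 0x4000ULL     /* EFI_MEMORY_XP */
#define ATTR_RO 0x20000ULL    /* EFI_MEMORY_RO */
#define PAGE_SZ 4096ULL
typedef struct { uint32_t type; uint64_t start, pages, attr; } desc_t;

static uint64_t end_of(const desc_t *d) { return d->start + d->pages * PAGE_SZ; }

/* 1 if [lo,hi) is described without holes; MAT assumed sorted ascending. */
static int covered(const desc_t *mat, size_t n, uint64_t lo, uint64_t hi) {
    for (size_t i = 0; i < n && lo < hi; i++) {
        if (end_of(&mat[i]) <= lo) continue;  /* entry ends before the cursor */
        if (mat[i].start > lo) return 0;      /* hole in the description */
        lo = end_of(&mat[i]);
    }
    return lo >= hi;
}

/* Counts violations: MAT code entries lacking RO, MAT data entries lacking
   XP, and runtime regions of the memory map not fully covered by the MAT. */
size_t mat_audit(const desc_t *map, size_t nmap, const desc_t *mat, size_t nmat) {
    size_t bad = 0;
    for (size_t i = 0; i < nmat; i++)
        if (!(mat[i].attr & (mat[i].type == RT_CODE ? ATTR_RO : ATTR_XP))) bad++;
    for (size_t i = 0; i < nmap; i++) {
        if (map[i].type != RT_CODE && map[i].type != RT_DATA) continue;
        if (!covered(mat, nmat, map[i].start, end_of(&map[i]))) bad++;
    }
    return bad;
}

/* Constructed sample data, not taken from any real platform. */
static const desc_t sample_map[] = {
    { 7u, 0x00100000, 256, 0 },               /* EfiConventionalMemory: ignored */
    { RT_CODE, 0x01000000, 4, 0 }, { RT_DATA, 0x02000000, 2, 0 } };
static const desc_t good_mat[] = {            /* image split into header/.text/.data */
    { RT_DATA, 0x01000000, 1, ATTR_XP }, { RT_CODE, 0x01001000, 2, ATTR_RO },
    { RT_DATA, 0x01003000, 1, ATTR_XP }, { RT_DATA, 0x02000000, 2, ATTR_XP } };
static const desc_t bad_mat[] = {             /* code not RO; two regions uncovered */
    { RT_DATA, 0x01000000, 1, ATTR_XP }, { RT_CODE, 0x01001000, 2, 0 } };

int main(void) {
    printf("good=%zu bad=%zu\n", mat_audit(sample_map, 3, good_mat, 4),
           mat_audit(sample_map, 3, bad_mat, 2));
    return 0;
}
```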

