Re: [RFC] MemoryProtectionLib for Dynamic Memory Guard Settings


Taylor Beebe
 

Thanks for your feedback, Jian.

In option 2, a most basic implementation would returning the current FixedAtBuild PCDs assuming they are kept. If they aren't, the library implementer could simply hard-code the return value for each memory protection setting.

In option 1, the HOB would be published in pre-mem and I'm not an expert on exploiting the pre-mem environment. Jiewen may have more to say on this.

-Taylor

On 7/28/2021 7:18 PM, Wang, Jian J wrote:
Thanks for the RFC. I'm not object to this idea. The only concern from me
is the potential security holes introduced by the changes. According to your
description, it allows 3rd party software to violate memory protection policy.
I'd like to see more explanations on how to avoid it to be exploited.
+Jiewen, what's current process to evaluate the security threat?
Regards,
Jian

-----Original Message-----
From: Taylor Beebe <t@taylorbeebe.com>
Sent: Friday, July 23, 2021 8:33 AM
To: devel@edk2.groups.io
Cc: spbrogan@outlook.com; Dong, Eric <eric.dong@intel.com>; Ni, Ray
<ray.ni@intel.com>; Kumar, Rahul1 <Rahul1.Kumar@intel.com>;
mikuback@linux.microsoft.com; Wang, Jian J <jian.j.wang@intel.com>; Wu,
Hao A <hao.a.wu@intel.com>; Bi, Dandan <dandan.bi@intel.com>;
gaoliming@byosoft.com.cn; Dong, Guo <guo.dong@intel.com>; Ma, Maurice
<maurice.ma@intel.com>; You, Benjamin <benjamin.you@intel.com>
Subject: [RFC] MemoryProtectionLib for Dynamic Memory Guard Settings

Current memory protection settings rely on FixedAtBuild PCD values
(minus PcdSetNxForStack). Because of this, the memory protection
configuration interface is fixed in nature. Cases arise in which memory
protections might need to be adjusted between boots (if platform design
allows) to avoid disabling a system. For example, platforms might choose
to allow the user to control their protection policies such as allow
execution of critical 3rd party software that might violate memory
protections.

This RFC seeks your feedback regarding introducing an interface that
allows dynamic configuration of memory protection settings.

I would like to propose two options:
1. Describing the memory protection setting configuration in a HOB that
is produced by the platform.
2. Introducing a library class (e.g. MemoryProtectionLib) that allows
abstraction of the memory protection setting configuration data source.

In addition, I would like to know if the memory protection FixedAtBuild
PCDs currently in MdeModulePkg can be removed so we can move the
configuration interface entirely to an option above.

In any case, I would like the settings to be visible to environments
such as Standalone MM where dynamic PCDs are not accessible.

I am seeking your feedback on this proposal in preparation for sending
an edk2 patch series.

--
Taylor Beebe
Software Engineer @ Microsoft
--
Taylor Beebe
Software Engineer @ Microsoft

Join devel@edk2.groups.io to automatically receive all group messages.