Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add features for the Host Security ID program #660

Draft
wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

Add features for the Host Security ID program #660

wants to merge 3 commits into from

Conversation

vathpela
Copy link
Contributor

No description provided.

vathpela added 2 commits May 15, 2024 16:23
@vathpela
mok: add MOK_VARIABLE_CONFIG_ONLY
2f8268d 
This adds a mok variable flag "MOK_VARIABLE_CONFIG_ONLY" to specify that
the data should be added to our UEFI config table, but shim should not
create a legacy UEFI variable.

Signed-off-by: Peter Jones <[email protected]>
@vathpela
mok variables: add a format callback
1774e0f 
This adds a member to the mok_state_variable struct to provide a
callback function for formatting external data.  It basically has
snprintf()-like semantics for filling the buffer, but without the actual
printf-like formatting bits.

Signed-off-by: Peter Jones <[email protected]>
@vathpela vathpela force-pushed the hsi branch 2 times, most recently from f75a896 to b446211 Compare May 15, 2024 20:39
@kukrimate
Copy link

Shouldn't this also explicitly expose if data sections of the image are executable or is that implied by heap is executable flag?

@vathpela
shim: add HSIStatus feature
d20c801 
hughsie asked me if I can make shim tell userland what kinds of accesses
are allowed to the heap, stack, and allocations on the running platform,
so that these could be reported up through fwupd's Host Security ID
program (see https://fwupd.github.io/libfwupdplugin/hsi.html ).

This adds a new config-only (i.e. not a UEFI variable) variable
generated during boot, "/sys/firmware/efi/mok-variables/HSIStatus",
which tells us those properties as well as if the EFI Memory Attribute
Protocol is present.

Signed-off-by: Peter Jones <[email protected]>
@dennis-tseng99
Copy link
Contributor

May I suggest you could put error codes on the bottom of get_hsi_mem_info() ?

void
get_hsi_mem_info(void)
{
	EFI_STATUS efi_status;
	uintptr_t addr;
	uint64_t attrs = 0;
	uint32_t *tmp_alloc;

	addr = ((uintptr_t)&get_hsi_mem_info) & ~EFI_PAGE_MASK;
	efi_status = get_mem_attrs(addr, EFI_PAGE_SIZE, &attrs);
	if (EFI_ERROR(efi_status)) {
                goto error;
        }

	hsi_status = SHIM_HSI_STATUS_HASMAP;
	if (attrs & MEM_ATTR_W) {
		hsi_status |= SHIM_HSI_STATUS_ROW;
	}

	addr = ((uintptr_t)&addr) & ~EFI_PAGE_MASK;
	efi_status = get_mem_attrs(addr, EFI_PAGE_SIZE, &attrs);
	if (EFI_ERROR(efi_status)) {
		goto error;
	}

	if (attrs & MEM_ATTR_X) {
		hsi_status |= SHIM_HSI_STATUS_STACKX;
	}

	tmp_alloc = AllocatePool(EFI_PAGE_SIZE);
	if (!tmp_alloc) {
		goto error;
	}

	addr = ((uintptr_t)tmp_alloc) & ~EFI_PAGE_MASK;
	efi_status = get_mem_attrs(addr, EFI_PAGE_MASK, &attrs);
	FreePool(tmp_alloc);
	if (EFI_ERROR(efi_status)) {
		goto error;
	}
	if (attrs & MEM_ATTR_X) {
		hsi_status |= SHIM_HSI_STATUS_HEAPX;
	}
	return;
	
error:
        /*
	 * In this case we can't actually tell anything, so assume
	 * and report the worst case scenario.
	 */
	hsi_status = SHIM_HSI_STATUS_HEAPX |
			     SHIM_HSI_STATUS_STACKX |
			     SHIM_HSI_STATUS_ROW;
}

@vathpela
Copy link
Contributor Author

Shouldn't this also explicitly expose if data sections of the image are executable or is that implied by heap is executable flag?

I'd rather 1) make that never happen and 2) make post-process-pe reject it. This should be reporting primarily about what firmware does.

@vathpela
Copy link
Contributor Author

May I suggest you could put error codes on the bottom of get_hsi_mem_info() ?

...

hsi_status = SHIM_HSI_STATUS_HEAPX |
SHIM_HSI_STATUS_STACKX |
SHIM_HSI_STATUS_ROW;
}

What's the improvement? Seems the same to me, but my habit is to put a series of 'undo' blocks in gotos at the end, but if it's just reporting an error, to do it at the first place it occurs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@vathpela @kukrimate @dennis-tseng99