Commit 4f15043

come back to it
1 parent 6b678a5 commit 4f15043

1 file changed

Lines changed: 24 additions & 20 deletions

docs/WhatAndWhy/enhancedmemoryprotection.md

@@ -52,15 +52,15 @@ least one of EFI_MEMORY_XP, EFI_MEMORY_RO, or EFI_MEMORY_RP set.
5252
5: PE Loaders must check the NX_COMPAT flag of loaded images to determine
5353
compatibility with the above memory protection requirements.
5454
6: MMIO ranges must be marked EFI_MEMORY_XP.
55-
7: Unallocated memory must be marked EFI_MEMORY_RP.
55+
7: All DMA accesses must go through an IOMMU/SMMU.
5656
8: Address space which is not present in the Global Coherency Domain must cause a
5757
CPU fault if accessed.
5858
9: Calls to EFI_BOOT_SERVICES.AllocatePages and EFI_BOOT_SERVICES.AllocatePool
5959
must return memory with the EFI_MEMORY_XP attribute.
6060
10: AP and BSP stacks must be marked EFI_MEMORY_XP.
6161
11: AP and BSP stacks must have an EFI_MEMORY_RP page at the bottom to catch overflow.
6262
12: Page 0 in physical system memory must be marked EFI_MEMORY_RP.
63-
13: The UEFI 2.10 Memory Attribute Protocol must be produced.
63+
13: The UEFI 2.10 Memory Attribute Protocol must be produced.
6464

6565
## Expanded Requirements List
6666

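Review bot: overwriting item 7 drops the requirement that unallocated memory be marked EFI_MEMORY_RP from the summary list without a replacement anywhere in the list, so the list loses the fault-on-access protection for unallocated ranges (the buffer under/overflow and use-after-free catch described in the expanded section below). If that requirement is intentionally deferred, the commit message "come back to it" should say so; otherwise append the DMA requirement as a new item 14 and renumber, rather than replacing item 7. The item 13 line is also deleted and re-added with identical text, which suggests a trailing-whitespace or line-ending change only and could be dropped from the diff.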
@@ -93,20 +93,29 @@ Image code sections must be read and executed, but must not be writeable. This i
9393
R/W/X Regions requirement and prevents the same problem of bad actors editing a running drivers memory to cause it
9494
to execute malicious code.
9595

96+
### PE Loaders Must Check the NX_COMPAT Flag for Compatibility
97+
98+
Many bootloaders and OPROMs will not have implemented support for enhanced protections on
99+
image memory, allocated buffers, and other memory ranges. To indicate support for enhanced
100+
protections, the PE/COFF IMAGE_DLLCHARACTERISTICS_NX_COMPAT DLL characteristic will be used.
101+
Modules with this characteristic are expected to be compliant with enhanced memory protection
102+
and should utilize the Memory Attribute Protocol to manipulate the attributes of memory they
103+
allocate. If a module is loaded without this characteristic, the platform should enter
104+
[compatibility mode](#compatibility-mode) if the platform chooses to support compatibility
105+
mode.
106+
96107
### MMIO Ranges Must Be EFI_MEMORY_XP
97108

98109
All devices connected to a system should be considered untrusted and must not be allowed to execute code. This is also
99110
a common attack vector for a bad actor to connect a compromised device and force the host system to execute malicious
100111
code from it.
101112

102-
### Unallocated Memory Must Be EFI_MEMORY_RP
103-
104-
This is a safety as well as security requirement. By marking unallocated memory EFI_MEMORY_RP, any access outside of
105-
legitimately allocated memory will cause a CPU fault, catching a large set of buffer under/overflows and use-after-free
106-
cases, which are both functional concerns as well as attack vectors.
113+
### All DMA Accesses Must Go Through An IOMMU/SMMU
107114

108-
This adds a new potential crash to code that may have "just worked" before, but it allows a platform to discover the
109-
safety and security issues pre-production and enforces defined behavior where before there was undefined behavior.
115+
As noted above, all devices must be considered untrusted and should not have full access to a platform's memory. This
116+
has been the source of countless attacks. A hardware protection mechanism through the IOMMU/SMMU is required to limit
117+
what memory a device may access. The IOMMU/SMMU must be programmed with proper distinction between which memory a
118+
device is allowed to read only vs also have write access to.
110119

111120
### Memory Not in the GCD Must Cause a CPU Fault on Access
112121

@@ -139,23 +148,18 @@ common attack vectors and common programming errors that require being caught du
139148
This also adds a new potential crash during execution in code that may have "just worked" before, but similarly allows
140149
these problems to be solved pre-production and enforces defined behavior instead of undefined.
141150

151+
### Page 0 Must Be EFI_MEMORY_RP For Null Pointer Detection
152+
153+
Null pointer dereferencing is a common class of bug in C programs. In order to catch these bugs, which can lead to
154+
safety and security issues, UEFI must mark page 0 as EFI_MEMORY_RP in order to cause faults when a NULL pointer is
155+
dereferenced.
156+
142157
### EFI Memory Attributes Protocol Must Be Installed
143158

144159
The Memory Attributes Protocol, added in UEFI spec 2.10, provides a method for bootloaders to interact with UEFI's page
145160
tables before they create their own page tables. This allows them to enforce memory protections on their own images and
146161
allocations, closing further attack vectors.
147162

148-
### PE Loaders Must Check the NX_COMPAT Flag for Compatibility
149-
150-
Many bootloaders and OPROMs will not have implemented support for enhanced protections on
151-
image memory, allocated buffers, and other memory ranges. To indicate support for enhanced
152-
protections, the PE/COFF IMAGE_DLLCHARACTERISTICS_NX_COMPAT DLL characteristic will be used.
153-
Modules with this characteristic are expected to be compliant with enhanced memory protection
154-
and should utilize the Memory Attribute Protocol to manipulate the attributes of memory they
155-
allocate. If a module is loaded without this characteristic, the platform should enter
156-
[compatibility mode](#compatibility-mode) if the platform chooses to support compatibility
157-
mode.
158-
159163
![Example of Loaded Image Ranges](../img/loaded_images.png)
160164

161165
Applying these page protections requires loaded images to meet the following criteria, signified by setting the
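Review bot: the Page 0 section should state the scope of the detection: marking page 0 EFI_MEMORY_RP only faults on dereferences whose address falls within the first page, so a NULL structure pointer whose field offset exceeds the page size is not caught; stating that limit keeps the claim "cause faults when a NULL pointer is dereferenced" precise. Moving the PE Loaders section above the MMIO section matches its position as item 5 in the summary list and reads better; the moved text is unchanged.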
