/**@file Copyright (c) 2006 - 2009, Intel Corporation. All rights reserved.
Portions copyright (c) 2008 - 2010, Apple Inc. All rights reserved.
Portions copyright (c) 2011 - 2018, ARM Ltd. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent **/ #include #include #include #include #include #include #include #include typedef RETURN_STATUS (*REGION_PERMISSION_UPDATE_FUNC) ( IN EFI_PHYSICAL_ADDRESS BaseAddress, IN UINT64 Length ); STATIC RETURN_STATUS UpdatePeCoffPermissions ( IN CONST PE_COFF_LOADER_IMAGE_CONTEXT *ImageContext, IN REGION_PERMISSION_UPDATE_FUNC NoExecUpdater, IN REGION_PERMISSION_UPDATE_FUNC ReadOnlyUpdater ) { RETURN_STATUS Status; EFI_IMAGE_OPTIONAL_HEADER_PTR_UNION Hdr; EFI_IMAGE_OPTIONAL_HEADER_UNION HdrData; UINTN Size; UINTN ReadSize; UINT32 SectionHeaderOffset; UINTN NumberOfSections; UINTN Index; EFI_IMAGE_SECTION_HEADER SectionHeader; PE_COFF_LOADER_IMAGE_CONTEXT TmpContext; EFI_PHYSICAL_ADDRESS Base; // // We need to copy ImageContext since PeCoffLoaderGetImageInfo () // will mangle the ImageAddress field // CopyMem (&TmpContext, ImageContext, sizeof (TmpContext)); if (TmpContext.PeCoffHeaderOffset == 0) { Status = PeCoffLoaderGetImageInfo (&TmpContext); if (RETURN_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "%a: PeCoffLoaderGetImageInfo () failed (Status = %r)\n", __FUNCTION__, Status)); return Status; } } if (TmpContext.IsTeImage && TmpContext.ImageAddress == ImageContext->ImageAddress) { DEBUG ((DEBUG_INFO, "%a: ignoring XIP TE image at 0x%lx\n", __FUNCTION__, ImageContext->ImageAddress)); return RETURN_SUCCESS; } if (TmpContext.SectionAlignment < EFI_PAGE_SIZE) { // // The sections need to be at least 4 KB aligned, since that is the // granularity at which we can tighten permissions. So just clear the // noexec permissions on the entire region. // if (!TmpContext.IsTeImage) { DEBUG ((DEBUG_WARN, "%a: non-TE Image at 0x%lx has SectionAlignment < 4 KB (%lu)\n", __FUNCTION__, ImageContext->ImageAddress, TmpContext.SectionAlignment)); } Base = ImageContext->ImageAddress & ~(EFI_PAGE_SIZE - 1); Size = ImageContext->ImageAddress - Base + ImageContext->ImageSize; return NoExecUpdater (Base, ALIGN_VALUE (Size, EFI_PAGE_SIZE)); } // // Read the PE/COFF Header. For PE32 (32-bit) this will read in too much // data, but that should not hurt anything. Hdr.Pe32->OptionalHeader.Magic // determines if this is a PE32 or PE32+ image. The magic is in the same // location in both images. // Hdr.Union = &HdrData; Size = sizeof (EFI_IMAGE_OPTIONAL_HEADER_UNION); ReadSize = Size; Status = TmpContext.ImageRead (TmpContext.Handle, TmpContext.PeCoffHeaderOffset, &Size, Hdr.Pe32); if (RETURN_ERROR (Status) || (Size != ReadSize)) { DEBUG ((DEBUG_ERROR, "%a: TmpContext.ImageRead () failed (Status = %r)\n", __FUNCTION__, Status)); return Status; } ASSERT (Hdr.Pe32->Signature == EFI_IMAGE_NT_SIGNATURE); SectionHeaderOffset = TmpContext.PeCoffHeaderOffset + sizeof (UINT32) + sizeof (EFI_IMAGE_FILE_HEADER); NumberOfSections = (UINTN)(Hdr.Pe32->FileHeader.NumberOfSections); switch (Hdr.Pe32->OptionalHeader.Magic) { case EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC: SectionHeaderOffset += Hdr.Pe32->FileHeader.SizeOfOptionalHeader; break; case EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC: SectionHeaderOffset += Hdr.Pe32Plus->FileHeader.SizeOfOptionalHeader; break; default: ASSERT (FALSE); } // // Iterate over the sections // for (Index = 0; Index < NumberOfSections; Index++) { // // Read section header from file // Size = sizeof (EFI_IMAGE_SECTION_HEADER); ReadSize = Size; Status = TmpContext.ImageRead (TmpContext.Handle, SectionHeaderOffset, &Size, &SectionHeader); if (RETURN_ERROR (Status) || (Size != ReadSize)) { DEBUG ((DEBUG_ERROR, "%a: TmpContext.ImageRead () failed (Status = %r)\n", __FUNCTION__, Status)); return Status; } Base = TmpContext.ImageAddress + SectionHeader.VirtualAddress; if ((SectionHeader.Characteristics & EFI_IMAGE_SCN_MEM_EXECUTE) == 0) { if ((SectionHeader.Characteristics & EFI_IMAGE_SCN_MEM_WRITE) == 0) { DEBUG ((DEBUG_INFO, "%a: Mapping section %d of image at 0x%lx with RO-XN permissions and size 0x%x\n", __FUNCTION__, Index, Base, SectionHeader.Misc.VirtualSize)); ReadOnlyUpdater (Base, SectionHeader.Misc.VirtualSize); } else { DEBUG ((DEBUG_WARN, "%a: Mapping section %d of image at 0x%lx with RW-XN permissions and size 0x%x\n", __FUNCTION__, Index, Base, SectionHeader.Misc.VirtualSize)); } } else { DEBUG ((DEBUG_INFO, "%a: Mapping section %d of image at 0x%lx with RO-X permissions and size 0x%x\n", __FUNCTION__, Index, Base, SectionHeader.Misc.VirtualSize)); ReadOnlyUpdater (Base, SectionHeader.Misc.VirtualSize); NoExecUpdater (Base, SectionHeader.Misc.VirtualSize); } SectionHeaderOffset += sizeof (EFI_IMAGE_SECTION_HEADER); } return RETURN_SUCCESS; } /** Performs additional actions after a PE/COFF image has been loaded and relocated. If ImageContext is NULL, then ASSERT(). @param ImageContext Pointer to the image context structure that describes the PE/COFF image that has already been loaded and relocated. **/ VOID EFIAPI PeCoffLoaderRelocateImageExtraAction ( IN OUT PE_COFF_LOADER_IMAGE_CONTEXT *ImageContext ) { UpdatePeCoffPermissions ( ImageContext, ArmClearMemoryRegionNoExec, ArmSetMemoryRegionReadOnly ); } /** Performs additional actions just before a PE/COFF image is unloaded. Any resources that were allocated by PeCoffLoaderRelocateImageExtraAction() must be freed. If ImageContext is NULL, then ASSERT(). @param ImageContext Pointer to the image context structure that describes the PE/COFF image that is being unloaded. **/ VOID EFIAPI PeCoffLoaderUnloadImageExtraAction ( IN OUT PE_COFF_LOADER_IMAGE_CONTEXT *ImageContext ) { UpdatePeCoffPermissions ( ImageContext, ArmSetMemoryRegionNoExec, ArmClearMemoryRegionReadOnly ); }