[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] OVMF/Xen, Debian wheezy can't boot with NX on stack (Was: Re: [edk2] [PATCH] OvmfPkg: prevent code execution from DXE stack)
On 09/09/15 14:08, Jan Beulich wrote: >>>> On 09.09.15 at 12:48, <lersek@xxxxxxxxxx> wrote: >> Personally I think that this dynamic approach is overkill (mainly >> because I'm fine with being unable to install Debian Wheezy guests, both >> wearing and not wearing my red fedora; and because the properties table >> feature is not active for *any* OVMF guests anyway, in practice). > > I can only guess that PCD stands for "Platform Configuration Data". Yes, PCD stands for Platform Configuration Database. > However, I would want to suggest an even more dynamic approach: > Assuming that within the core UEFI code it ought to be possible to > flip between executable and non-executable mapping of the stack, > and considering that PE headers can carry target version numbers, > how about reverting to an executable stack as long as there's at > least one binary loaded that isn't claiming to be 2.5 compatible? This would require very intrusive changes (to be implemented by people other than me). Other concerns I have: - I'm not sure if UEFI applications have any means to advertize what revision of the specification they target. (As you mention.) - I could be mistaken, but this looks like it could weaken the protection offered by the platform feature. UEFI applications and UEFI drivers are expected to come from third parties. It could be argued that a non-compatible UEFI app or driver (like Wheezy's grub in this case) *should* preferably crash, immediately, in a controlled manner, instead of silently downgrading the protection for the stack, and thereby opening up an avenue for attacks. I'm not fully convinced about this, but it appears this should be controlled somewhere in the platform code. (Like a knob in the BIOS setup on physical platforms, or some enlighted info channel in guests.) Assuming we'd like it dynamic. Thanks Laszlo _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |