BTI support

Ard Biesheuvel Fri, 03 Feb 2023 04:11:15 -0800

Add an internal helper that detects whether or not a loaded PE/COFF
image was built with support for forward edge control flow guards.


The default implementation will return FALSE, architectures can
specialize this based on arch specific criteria.

Signed-off-by: Ard Biesheuvel <a...@kernel.org>
---
 MdePkg/Include/Library/PeCoffLib.h                      |  5 +++++
 MdePkg/Library/BasePeCoffLib/Arm/PeCoffLoaderEx.c       | 16 ++++++++++++++++
 MdePkg/Library/BasePeCoffLib/BasePeCoff.c               |  7 +++++--
 MdePkg/Library/BasePeCoffLib/BasePeCoffLibInternals.h   | 13 +++++++++++++
 MdePkg/Library/BasePeCoffLib/LoongArch/PeCoffLoaderEx.c | 16 ++++++++++++++++
 MdePkg/Library/BasePeCoffLib/PeCoffLoaderEx.c           | 16 ++++++++++++++++
 MdePkg/Library/BasePeCoffLib/RiscV/PeCoffLoaderEx.c     | 16 ++++++++++++++++
 7 files changed, 87 insertions(+), 2 deletions(-)

diff --git a/MdePkg/Include/Library/PeCoffLib.h 
b/MdePkg/Include/Library/PeCoffLib.h
index b45879453785..98988e566001 100644
--- a/MdePkg/Include/Library/PeCoffLib.h
+++ b/MdePkg/Include/Library/PeCoffLib.h
@@ -182,6 +182,11 @@ typedef struct {
   ///
   BOOLEAN                     IsTeImage;
   ///
+  /// Set by PeCoffLoaderGetImageInfo() to TRUE if the image's entrypoint has
+  /// a forward control flow guard instruction, such as ENDBR on X86 for IBT.
+  ///
+  BOOLEAN                     HasForwardControlFlowGuards;
+  ///
   /// Set by PeCoffLoaderLoadImage() to the HII resource offset
   /// if the image contains a custom PE/COFF resource with the type 'HII'.
   /// Otherwise, the entry remains to be 0.
diff --git a/MdePkg/Library/BasePeCoffLib/Arm/PeCoffLoaderEx.c 
b/MdePkg/Library/BasePeCoffLib/Arm/PeCoffLoaderEx.c
index 595377bed661..82d9f548ca54 100644
--- a/MdePkg/Library/BasePeCoffLib/Arm/PeCoffLoaderEx.c
+++ b/MdePkg/Library/BasePeCoffLib/Arm/PeCoffLoaderEx.c
@@ -234,3 +234,19 @@ PeHotRelocateImageEx (
 
   return RETURN_SUCCESS;
 }
+
+/**
+  Returns whether the image implements forward control flow guards.
+
+  @param  ImageContext      The context of the image being loaded.
+
+  @return TRUE if the image implements forward control flow guards
+
+**/
+BOOLEAN
+PeCoffLoaderCheckForwardControlFlowGuards (
+  IN  CONST PE_COFF_LOADER_IMAGE_CONTEXT  *ImageContext,
+  )
+{
+  return FALSE;
+}
diff --git a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c 
b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
index 85ada399e303..8886b3d3feff 100644
--- a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+++ b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
@@ -545,8 +545,9 @@ PeCoffLoaderGetPeHeader (
   Retrieves information about a PE/COFF image.
 
   Computes the PeCoffHeaderOffset, IsTeImage, ImageType, ImageAddress, 
ImageSize,
-  DestinationAddress, RelocationsStripped, SectionAlignment, SizeOfHeaders, and
-  DebugDirectoryEntryRva fields of the ImageContext structure.
+  DestinationAddress, RelocationsStripped, SectionAlignment, SizeOfHeaders,
+  DebugDirectoryEntryRva and HasForwardControlFlowGuards fields of the
+  ImageContext structure.
   If ImageContext is NULL, then return RETURN_INVALID_PARAMETER.
   If the PE/COFF image accessed through the ImageRead service in the 
ImageContext
   structure is not a supported PE/COFF image type, then return 
RETURN_UNSUPPORTED.
@@ -1429,6 +1430,8 @@ PeCoffLoaderLoadImage (
                                                           );
   }
 
+  ImageContext->HasForwardControlFlowGuards = 
PeCoffLoaderCheckForwardControlFlowGuards (ImageContext);
+
   //
   // Determine the size of the fixup data
   //
diff --git a/MdePkg/Library/BasePeCoffLib/BasePeCoffLibInternals.h 
b/MdePkg/Library/BasePeCoffLib/BasePeCoffLibInternals.h
index a29a6febe98f..3bf1b7f535fd 100644
--- a/MdePkg/Library/BasePeCoffLib/BasePeCoffLibInternals.h
+++ b/MdePkg/Library/BasePeCoffLib/BasePeCoffLibInternals.h
@@ -119,4 +119,17 @@ PeCoffLoaderImageAddress (
   IN     UINTN                         TeStrippedOffset
   );
 
+/**
+  Returns whether the image implements forward control flow guards.
+
+  @param  ImageContext      The context of the image being loaded.
+
+  @return TRUE if the image implements forward control flow guards
+
+**/
+BOOLEAN
+PeCoffLoaderCheckForwardControlFlowGuards (
+  IN  CONST PE_COFF_LOADER_IMAGE_CONTEXT  *ImageContext
+  );
+
 #endif
diff --git a/MdePkg/Library/BasePeCoffLib/LoongArch/PeCoffLoaderEx.c 
b/MdePkg/Library/BasePeCoffLib/LoongArch/PeCoffLoaderEx.c
index 417096f33493..b3d01f0a4be9 100644
--- a/MdePkg/Library/BasePeCoffLib/LoongArch/PeCoffLoaderEx.c
+++ b/MdePkg/Library/BasePeCoffLib/LoongArch/PeCoffLoaderEx.c
@@ -135,3 +135,19 @@ PeHotRelocateImageEx (
   // To check
   return PeCoffLoaderRelocateImageEx (Reloc, Fixup, FixupData, Adjust);
 }
+
+/**
+  Returns whether the image implements forward control flow guards.
+
+  @param  ImageContext      The context of the image being loaded.
+
+  @return TRUE if the image implements forward control flow guards
+
+**/
+BOOLEAN
+PeCoffLoaderCheckForwardControlFlowGuards (
+  IN  CONST PE_COFF_LOADER_IMAGE_CONTEXT  *ImageContext,
+  )
+{
+  return FALSE;
+}
diff --git a/MdePkg/Library/BasePeCoffLib/PeCoffLoaderEx.c 
b/MdePkg/Library/BasePeCoffLib/PeCoffLoaderEx.c
index f7cade4d7d4e..43f346e0aadb 100644
--- a/MdePkg/Library/BasePeCoffLib/PeCoffLoaderEx.c
+++ b/MdePkg/Library/BasePeCoffLib/PeCoffLoaderEx.c
@@ -80,3 +80,19 @@ PeHotRelocateImageEx (
 {
   return RETURN_UNSUPPORTED;
 }
+
+/**
+  Returns whether the image implements forward control flow guards.
+
+  @param  ImageContext      The context of the image being loaded.
+
+  @return TRUE if the image implements forward control flow guards
+
+**/
+BOOLEAN
+PeCoffLoaderCheckForwardControlFlowGuards (
+  IN  CONST PE_COFF_LOADER_IMAGE_CONTEXT  *ImageContext,
+  )
+{
+  return FALSE;
+}
diff --git a/MdePkg/Library/BasePeCoffLib/RiscV/PeCoffLoaderEx.c 
b/MdePkg/Library/BasePeCoffLib/RiscV/PeCoffLoaderEx.c
index 71daf7fe4554..88dc9bd9b89e 100644
--- a/MdePkg/Library/BasePeCoffLib/RiscV/PeCoffLoaderEx.c
+++ b/MdePkg/Library/BasePeCoffLib/RiscV/PeCoffLoaderEx.c
@@ -143,3 +143,19 @@ PeHotRelocateImageEx (
 {
   return RETURN_UNSUPPORTED;
 }
+
+/**
+  Returns whether the image implements forward control flow guards.
+
+  @param  ImageContext      The context of the image being loaded.
+
+  @return TRUE if the image implements forward control flow guards
+
+**/
+BOOLEAN
+PeCoffLoaderCheckForwardControlFlowGuards (
+  IN  CONST PE_COFF_LOADER_IMAGE_CONTEXT  *ImageContext,
+  )
+{
+  return FALSE;
+}
-- 
2.39.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#99570): https://edk2.groups.io/g/devel/message/99570
Mute This Topic: https://groups.io/mt/96721186/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[edk2-devel] [RFC PATCH v2 4/7] MdePkg/BasePeCoffLib: Add generic plumbing to detect IBT/BTI support

Reply via email to