[REBASE && FF] Add Stack Cookie Support for IA32, ARM, and AARCH64 #714
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
the
language:python
5 tasks
This comment was marked as outdated.
This comment was marked as outdated.
Javagedes
reviewed
Feb 2, 2024
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
TaylorBeebe
force-pushed
the
test_cookie_updates
branch
2 times, most recently
from
ef7dfd6
to
e3db6fe
Compare
This comment was marked as outdated.
This comment was marked as outdated.
TaylorBeebe
force-pushed
the
test_cookie_updates
branch
from
e3db6fe
to
4a75a32
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## release/202302 #714 +/- ##
==================================================
- Coverage 1.01% 1.01% -0.01%
==================================================
Files 1277 1278 +1
Lines 325202 325231 +29
Branches 4774 4774
==================================================
Hits 3316 3316
- Misses 321847 321876 +29
Partials 39 39
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
TaylorBeebe
force-pushed
the
test_cookie_updates
branch
9 times, most recently
from
8cc57c8
to
4d0657d
Compare
TaylorBeebe
added
impact:breaking-change
TaylorBeebe
force-pushed
the
test_cookie_updates
branch
4 times, most recently
from
5e15da9
to
f93e12d
Compare
Javagedes
reviewed
Feb 22, 2024
Javagedes
reviewed
Feb 22, 2024
TaylorBeebe
force-pushed
the
test_cookie_updates
branch
from
f93e12d
to
f09e506
Compare
apop5
approved these changes
Feb 27, 2024
Javagedes
approved these changes
Feb 27, 2024
os-d
approved these changes
Feb 27, 2024
MdePkg/Library/StackCheckFailureHookLibNull/StackCheckFailureHookLibNull.inf
Outdated
Show resolved
Hide resolved
TaylorBeebe
force-pushed
the
test_cookie_updates
branch
from
f09e506
to
1c39ff6
Compare
makubacki
reviewed
Feb 27, 2024
makubacki
reviewed
Feb 27, 2024
makubacki
approved these changes
Feb 27, 2024
Removes edk2-basetools from pip-requirements.txt and any usage of it in
the CISettings.py. The is done as there are changes in the build tools
python source code that are available locally in BaseTools (as it is
managed by Project Mu) that is not available in edk2-basetools.
- [ ] Impacts functionality?
- **Functionality** - Does the change ultimately impact how firmware
functions?
- Examples: Add a new library, publish a new PPI, update an algorithm,
...
- [ ] Impacts security?
- **Security** - Does the change have a direct security impact on an
application,
flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
validation improvement, ...
- [ ] Breaking change?
- **Breaking change** - Will anyone consuming this change experience a
break
in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo,
call
a function in a new library class in a pre-existing module, ...
- [ ] Includes tests?
- **Tests** - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
- [ ] Includes documentation?
- **Documentation** - Does the change contain explicit documentation
additions
outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to
documentation
on an a separate Web page, ...
Verified the build system continues to use the local python source
N/A - only effects this repository's CI system.
Description
When parsing INF files, Basetools treats both
libraries and modules the same. When the library
dependencies are being collected for a
module/library, libraries linked via:
`NULL|Path/To/Library`
would be included in the list of dependencies for
libraries which does not match how these expressions
are expected to be interpreted.
This update changes the evaluation loop to skip
NULL links when collecting dependencies for
libraries.
- [x] Impacts functionality?
- **Functionality** - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
- [ ] Impacts security?
- **Security** - Does the change have a direct security impact on an application,
flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
validation improvement, ...
- [ ] Breaking change?
- **Breaking change** - Will anyone consuming this change experience a break
in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
a function in a new library class in a pre-existing module, ...
- [ ] Includes tests?
- **Tests** - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
- [ ] Includes documentation?
- **Documentation** - Does the change contain explicit documentation additions
outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
on an a separate Web page, ...
How This Was Tested
Tested in pipelines
Integration Instructions
N/A
Description
MSVC IA32 requires the __security_check_cookie function to specify
byte size (@__security_check_cookie@4). This change also declares
__stack_chk_fail() in StackCheckLibNull.c to support GCC.
- [x] Impacts functionality?
- **Functionality** - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
- [ ] Impacts security?
- **Security** - Does the change have a direct security impact on an application,
flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
validation improvement, ...
- [ ] Breaking change?
- **Breaking change** - Will anyone consuming this change experience a break
in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
a function in a new library class in a pre-existing module, ...
- [ ] Includes tests?
- **Tests** - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
- [ ] Includes documentation?
- **Documentation** - Does the change contain explicit documentation additions
outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
on an a separate Web page, ...
How This Was Tested
Tested on Q35 GCC and MSVC builds and an SBSA GCC build
by purposefully overflowing the stack when the NULL library
is in use.
Integration Instructions
N/A
Description
This PR updates the GenC logic to generate a random stack cookie value
for the stack check libraries. These random values improve security
for modules which cannot update the global intrinsics.
- [x] Impacts functionality?
- **Functionality** - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
- [ ] Impacts security?
- **Security** - Does the change have a direct security impact on an application,
flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
validation improvement, ...
- [ ] Breaking change?
- **Breaking change** - Will anyone consuming this change experience a break
in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
a function in a new library class in a pre-existing module, ...
- [ ] Includes tests?
- **Tests** - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
- [ ] Includes documentation?
- **Documentation** - Does the change contain explicit documentation additions
outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
on an a separate Web page, ...
How This Was Tested
Tested on MSVC and GCC builds of Q35 and a GCC build of SBSA
by purposefully overflowing the stack.
Integration Instructions
N/A
Description
This update replaces StackCheckLib with StackCheckLibStaticInit and
StackCheckLibDynamicInit. The new libraries have GCC support for ARM,
AARCH64, IA32 and X64 builds. The libraries have MSVC support for IA32
and X64 builds.
StackCheckLibStaticInit does not have a library constructor and
should be used whenever the stack cookie value cannot be updated
during driver execution (i.e. when the stack cookie is not in a
writable or no RNG library is available).
StackCheckLibDynamicInit has a library constructor and should be used
whenever the stack cookie value can be updated at runtime (i.e. for
DXE modules and shadowed PEIMs).
This update also removes the stack cookie library definitions from
MdeLibs.dsc.inc due to GCC build issues when the instanced versions are
used during CI builds. The instanced versions will need to be explicitly
added to the platform DSC files, and this is acceptable because
platforms will likely want to mix and match the static and dynamic
versions of the library for each module type.
- [x] Impacts functionality?
- **Functionality** - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
- [x] Impacts security?
- **Security** - Does the change have a direct security impact on an application,
flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
validation improvement, ...
- [x] Breaking change?
- **Breaking change** - Will anyone consuming this change experience a break
in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
a function in a new library class in a pre-existing module, ...
- [ ] Includes tests?
- **Tests** - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
- [ ] Includes documentation?
- **Documentation** - Does the change contain explicit documentation additions
outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
on an a separate Web page, ...
How This Was Tested
Tested on a Q35 GCC and MSVC builds, and on an SBSA GCC build
by purposefully performing a stack overflow.
Integration Instructions
Platforms will need to explicitly declare the
StackCheckLib and StackCheckFailureLib instances for
their platforms.
EXAMPLE:
```
StackCheckFailureLib|MdePkg/Library/StackCheckFailureLibNull/StackCheckFailureLibNull.inf
[LibraryClasses.common.SEC, LibraryClasses.common.PEI_CORE]
NULL|MdePkg/Library/StackCheckLibNull/StackCheckLibNull.inf
[LibraryClasses.common.PEIM, LibraryClasses.common.MM_CORE_STANDALONE, LibraryClasses.common.MM_STANDALONE]
NULL|MdePkg/Library/StackCheckLib/StackCheckLibStaticInit.inf
[LibraryClasses.common.DXE_CORE, LibraryClasses.common.SMM_CORE, LibraryClasses.common.DXE_SMM_DRIVER, LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.DXE_SAL_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION]
NULL|MdePkg/Library/StackCheckLib/StackCheckLibDynamicInit.inf
```
…Address as Argument
Description
To clarify the purpose of StackCheckFailureLib, this PR renames it to
StackCheckFailureHookLib. Also, the failure address is passed
as an argument to the hook function to allow the hook to trace the
fault. An interrupt will still be called after the hook returns.
- [x] Impacts functionality?
- **Functionality** - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
- [x] Impacts security?
- **Security** - Does the change have a direct security impact on an application,
flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
validation improvement, ...
- [x] Breaking change?
- **Breaking change** - Will anyone consuming this change experience a break
in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
a function in a new library class in a pre-existing module, ...
- [ ] Includes tests?
- **Tests** - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
- [ ] Includes documentation?
- **Documentation** - Does the change contain explicit documentation additions
outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
on an a separate Web page, ...
How This Was Tested
Tested on MSVC and GCC builds of Q35 and a GCC build of SBSA
by purposefully corrupting the stack.
Integration Instructions
Platforms will need to update their StackCheckFailureLib instance
to the new StackCheckFailureHookLib.
EXAMPLE:
```
StackCheckFailureHookLib|MdePkg/Library/StackCheckFailureHookLibNull/StackCheckFailureHookLibNull.inf
```
…ARCH64
Description
This change adds stack cookies to the build commands for IA32 modules
built with VS2019 and VS2022. It also adds stack cookies to GCC5
AARCH64 builds.
- [x] Impacts functionality?
- **Functionality** - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
- [ ] Impacts security?
- **Security** - Does the change have a direct security impact on an application,
flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
validation improvement, ...
- [x] Breaking change?
- **Breaking change** - Will anyone consuming this change experience a break
in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
a function in a new library class in a pre-existing module, ...
- [ ] Includes tests?
- **Tests** - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
- [ ] Includes documentation?
- **Documentation** - Does the change contain explicit documentation additions
outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
on an a separate Web page, ...
How This Was Tested
Tested by on Q35 GCC and MSVC builds and an SBSA GCC build by
purposefully overflowing the stack.
Integration Instructions
Platforms will need to update to ensure that all modules have a
StackCheckLib instanced linked. The instances are:
StackCheckLibNull: Used to provide the cookie definitions but not
actually check the stack.
StackCheckLibBuildInit: Used to provide the cookie definitions where
the stack cookie value is initialized at
build time.
StackCheckLibRuntimeInit: Used to provide the cookie definitions where
the stack cookie value is initialized at
runtime.
TaylorBeebe
force-pushed
the
test_cookie_updates
branch
from
1c39ff6
to
c0fe779
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This update changes the following:
Basetools update
CI builds would use the basetools installed via pip if available. Because we have Project Mu edits to basetools and the project has little support in EDK2, this update causes all builds to use our in-tree basetools.
Fix NULL lib parsing
When parsing INF files, Basetools treats both libraries and modules the same. When the library dependencies are being collected for a module/library, libraries linked via:
NULL|Path/To/Librarywould be included in the list of dependencies for libraries which does not match how these expressions are expected to be interpreted. This update changes the evaluation loop to skip NULL links when collecting dependencies for libraries.
Add GCC ARM, AARCH64, IA32 support and MSVC IA32 support for StackCheckLibNull
MSVC IA32 requires the __security_check_cookie function to specify byte size (@__security_check_cookie@4). This change also declares __stack_chk_fail() in StackCheckLibNull.c to support GCC.
Implement Stack Cookie Support for MSVC IA32 and GCC IA32, ARM, and AARCH64
This update replaces StackCheckLib with StackCheckLibStaticInit and StackCheckLibDynamicInit. The new libraries have GCC support for ARM, AARCH64, IA32 and X64 builds. The libraries have MSVC support for IA32 and X64 builds.
StackCheckLibStaticInit does not have a library constructor and should be used whenever the stack cookie value cannot be updated during driver execution (i.e. when the stack cookie is not in a writable or no RNG library is available). The value of the stack cookie is generated at buildtime via a Basetools update.
StackCheckLibDynamicInit has a library constructor and should be used whenever the stack cookie value can be updated at runtime (i.e. for DXE modules and shadowed PEIMs).
Update StackCheckFailureLib to StackCheckFailureHookLib
To clarify the purpose of StackCheckFailureLib, this PR renames it to StackCheckFailureHookLib. Also, the failure address is passed as an argument to the hook function to allow the hook to trace the fault. An interrupt will still be called after the hook returns.
How This Was Tested
Tested on a Q35 GCC and MSVC builds by purposefully performing a stack overflow and verifying the stack check failure hook was called followed by the stack check failure interrupt.
Integration Instructions
Platforms will need to explicitly declare the StackCheckLib and StackCheckFailureLib instances for their platforms.
EXAMPLE: