[Rebase&FF] Apply memory protections #1660

Merged: apop5 merged 3 commits into microsoft:release/202511 from apop5:personal/apop5/missedmemoryprotections on Mar 6, 2026

@apop5 apop5 commented Feb 26, 2026

Description

During removal of Rp on Freed memory, some corner cases were also removed.

Apply the corner cases to allow for clean dxe paging audit.

  • Impacts functionality?
  • Impacts security?
  • Breaking change?
  • Includes tests?
  • Includes documentation?

How This Was Tested

Q35 DxePagingAuditTestApp was reporting missing memory protection regions.
After fixes, DxePagingAuditTestApp reports passing.

Integration Instructions

No integration necessary.

@apop5 apop5 requested review from makubacki and os-d February 26, 2026 21:57
codecov-commenter commented Feb 27, 2026

Codecov Report

❌ Patch coverage is 0% with 14 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (release/202511@d7a4319). Learn more about missing BASE report.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| MdeModulePkg/Core/Dxe/Mem/HeapGuard.c | 0.00% | 14 Missing ⚠️ |

Additional details and impacted files
@@                Coverage Diff                @@
##             release/202511    #1660   +/-   ##
=================================================
  Coverage                  ?    1.84%           
=================================================
  Files                     ?     1150           
  Lines                     ?   375774           
  Branches                  ?     3196           
=================================================
  Hits                      ?     6936           
  Misses                    ?   368782           
  Partials                  ?       56           

| Flag | Coverage Δ |
|---|---|
| FmpDevicePkg | 9.53% <ø> (?) |
| MdeModulePkg | 1.58% <0.00%> (?) |
| NetworkPkg | 0.55% <ø> (?) |
| PolicyServicePkg | 30.42% <ø> (?) |
| SecurityPkg | 1.61% <ø> (?) |
| UefiCpuPkg | 4.78% <ø> (?) |
| UnitTestFrameworkPkg | 11.70% <ø> (?) |


@apop5 apop5 force-pushed the personal/apop5/missedmemoryprotections branch 2 times, most recently from 6aaa066 to cdd4b3c Compare March 2, 2026 22:13
@apop5 apop5 force-pushed the personal/apop5/missedmemoryprotections branch from cdd4b3c to 47050b7 Compare March 2, 2026 23:33
@apop5 apop5 force-pushed the personal/apop5/missedmemoryprotections branch 2 times, most recently from 2c97b9a to 97df7ab Compare March 3, 2026 21:04
@makubacki (Member)

@apop5, can you please notify me when you have pushed the final set of expected changes to the PR?

apop5 commented Mar 4, 2026

@makubacki

This PR is ready, and there is another one in mu_plus to get paging audit working on Arm 5-level page tables.

@apop5 apop5 force-pushed the personal/apop5/missedmemoryprotections branch from 97df7ab to 5d3c7bf Compare March 5, 2026 00:41
@apop5 apop5 enabled auto-merge (rebase) March 5, 2026 00:46
@apop5 apop5 force-pushed the personal/apop5/missedmemoryprotections branch 2 times, most recently from 086f854 to 7d16163 Compare March 5, 2026 02:32
@apop5 apop5 force-pushed the personal/apop5/missedmemoryprotections branch from 7d16163 to 196843a Compare March 5, 2026 16:43
@apop5 apop5 disabled auto-merge March 5, 2026 18:46
@apop5 apop5 force-pushed the personal/apop5/missedmemoryprotections branch from 196843a to 9c36998 Compare March 5, 2026 23:32
apop5 added 3 commits March 6, 2026 10:23
…lGuid is installed."

This reverts commit 815bce9.

gEdkiiGcdSyncCompleteProtocolGuid, in 202502, was installed
by CpuDxe after CpuArchProtocol was installed and the Page Tables
and Gcd have been synced. This was done to delay memory protections
from being fully enabled until CpuArchProtocol was available, which
was required for enabling RP on free memory.

With the removal of RP on free, gEdkiiGcdSyncCompleteProtocolGuid
is no longer notified, and it is not necessary. Reducing an override
by removing this.
…() (microsoft#228)"

This reverts commit 9d19f88.

gEdkiiGcdSyncCompleteProtocolGuid, in 202502, was installed
by CpuDxe after CpuArchProtocol was installed and the Page Tables
and Gcd have been synced. This was done to delay memory protections
from being fully enabled until CpuArchProtocol was available, which
was required for enabling RP on free memory.

With the removal of RP on free, gEdkiiGcdSyncCompleteProtocolGuid
is no longer notified, and it is not necessary. Reducing an override
by removing this.
Apply memory protections to newly allocated memory in guard pages.
Missed during integration removal of RP on free.

When calling UnProtectUefiImage, instead of setting back to RWX,
ensure XP is applied to freed memory region.

When calling GetPermissionAttributeForMemoryType, add back the
region's Nx bit setting by default. Missed during integration
removal of RP on free.
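
The effect of the UnProtectUefiImage change described in the commit message above, as an added example that is not code from this PR or from the project. It is a simplified model, not the logic of DxePagingAuditTestApp: `region_t`, `unprotect_image`, `audit_wx` and `demo` are hypothetical names, the addresses are constructed, and only the `EFI_MEMORY_*` values come from the UEFI specification.

```c
#include <stddef.h>
#include <stdint.h>

/* Attribute bits as defined by the UEFI specification. */
#define EFI_MEMORY_RP 0x0000000000002000ULL /* read-protect (not present) */
#define EFI_MEMORY_XP 0x0000000000004000ULL /* execute-protect (NX)       */
#define EFI_MEMORY_RO 0x0000000000020000ULL /* read-only                  */
#define ACCESS_MASK   (EFI_MEMORY_RP | EFI_MEMORY_XP | EFI_MEMORY_RO)

/* Hypothetical, simplified stand-in for one mapped range. */
typedef struct { uint64_t base, pages, attrs; } region_t;

/* Model of tearing down image protection. apply_xp == 0 is the behaviour
   the commit message replaces (sections go back to RWX); apply_xp != 0 is
   the behaviour it describes (the freed range keeps XP). */
void unprotect_image(region_t *sec, size_t n, int apply_xp)
{
  for (size_t i = 0; i < n; i++) {
    sec[i].attrs &= ~ACCESS_MASK;          /* drop RO/XP/RP, keep other bits */
    if (apply_xp) sec[i].attrs |= EFI_MEMORY_XP;
  }
}

/* Audit: count ranges that carry none of RP/XP/RO, i.e. are readable,
   writable and executable at the same time. */
size_t audit_wx(const region_t *map, size_t n)
{
  size_t bad = 0;
  for (size_t i = 0; i < n; i++)
    if ((map[i].attrs & ACCESS_MASK) == 0) bad++;
  return bad;
}

/* Constructed sample: one image with a code section and a data section. */
size_t demo(int apply_xp)
{
  region_t image[] = {
    { 0x7F000000ULL, 4, EFI_MEMORY_RO },   /* code: read-only, executable */
    { 0x7F004000ULL, 2, EFI_MEMORY_XP },   /* data: writable, no-execute  */
  };
  size_t n = sizeof image / sizeof image[0];
  if (audit_wx(image, n) != 0) return (size_t)-1; /* loaded image must pass */
  unprotect_image(image, n, apply_xp);
  return audit_wx(image, n);               /* findings left after unload */
}

int main(void) { return (demo(0) == 2 && demo(1) == 0) ? 0 : 1; }
```
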
@apop5 apop5 force-pushed the personal/apop5/missedmemoryprotections branch from 9c36998 to 9c9e6ac Compare March 6, 2026 18:24
@apop5 apop5 enabled auto-merge (rebase) March 6, 2026 19:10
@apop5 apop5 merged commit 67136f1 into microsoft:release/202511 Mar 6, 2026
51 checks passed