Changeset 106925 in vbox for trunk

Timestamp:

Nov 11, 2024 11:59:38 AM (6 months ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

165851

Message:

/Config.kmk,SUPDrv: Introduced a VBOX_WITH_MINIMAL_HARDENING build config for windows hosts where we only require the process image and any r0 modules to be signed with the same certificate as the driver. This changeset implements the latter part. jiraref:VBP-1449

Location:

trunk

Files:

• Config.kmk (modified) (5 diffs)
• src/VBox/HostDrivers/Support/Makefile.kmk (modified) (2 diffs)
• src/VBox/HostDrivers/Support/win/SUPDrv-win.cpp (modified) (7 diffs)

trunk/Config.kmk

@@ -1147 +1147 @@
 ## @name Hardening
 ## @{
+
 # Enables hardening.
-# Most developers will want to disable this in their LocalConfig.kmk.
-VBOX_WITH_HARDENING = 1
+# Most developers will want to disable this in their LocalConfig.kmk (VBOX_WITHOUT_HARDENING := 1).
+ifndef VBOX_WITH_DRIVERLESS_FORCED # No need for hardening when not using the driver.
+ VBOX_WITH_HARDENING := 1
+endif
+# Enables minimal driver hardening (windows only).
+if !defined(VBOX_WITH_HARDENING) && !defined(VBOX_WITH_DRIVERLESS_FORCED)
+ if1of ($(KBUILD_TARGET).$(KBUILD_TARGET_ARCH), win.arm64)
+  VBOX_WITH_MINIMAL_HARDENING := 1
+ endif
+endif
 # Where the application files are (going to be) installed.
 #VBOX_PATH_APP_PRIVATE       = /usr/lib/virtualbox
@@ -1365 +1374 @@
   VBOX_WITH_JXPCOM :=
  endif
-
- ifdef VBOX_WITH_DRIVERLESS_FORCED
-  # No need for hardening when not using the driver.
-  VBOX_WITH_HARDENING :=
- endif
 endif
 
@@ -1392 +1396 @@
  VBOX_WITH_INTERNAL_NETWORKING =
  VBOX_WITH_PDM_ASYNC_COMPLETION =
- VBOX_WITH_HARDENING =
+ VBOX_WITHOUT_HARDENING = 1
 endif
 
@@ -1407 +1411 @@
  VBOX_WITH_DOCS =
  VBOX_WITH_PDM_ASYNC_COMPLETION =
- VBOX_WITH_HARDENING =
+ VBOX_WITHOUT_HARDENING = 1
 endif
 
@@ -1419 +1423 @@
  VBOX_WITH_DOCS =
  VBOX_WITH_EHCI =
- VBOX_WITH_HARDENING =
+ VBOX_WITHOUT_HARDENING = 1
  VBOX_WITH_HEADLESS =
  VBOX_WITH_HGCM =

trunk/src/VBox/HostDrivers/Support/Makefile.kmk

@@ -716 +716 @@
 
   VBoxDrv_DEFS           := IN_RT_R0 IN_SUP_R0 SUPDRV_WITH_RELEASE_LOGGER VBOX_SVN_REV=$(VBOX_SVN_REV)
+  ifdef VBOX_WITH_MINIMAL_R0
+   VBoxDrv_DEFS          += VBOX_WITH_MINIMAL_R0
+  endif
+  ifdef VBOX_WITH_MINIMAL_HARDENING
+   VBoxDrv_DEFS          += VBOX_WITH_MINIMAL_HARDENING
+  endif
   ifdef VBOX_WITH_DTRACE_R0DRV
    VBoxDrv_DEFS          += VBOX_WITH_DTRACE VBOX_WITH_DTRACE_R0DRV
@@ -798 +804 @@
   VBoxDrv_SOURCES.win.amd64 = \
         win/SUPDrvA-win.asm
-  ifdef VBOX_WITH_HARDENING
+  if defined(VBOX_WITH_HARDENING) || defined(VBOX_WITH_MINIMAL_HARDENING)
    VBoxDrv_SOURCES.win   += \
         win/SUPHardenedVerifyImage-win.cpp \
-        win/SUPHardenedVerifyProcess-win.cpp \
         $(VBOX_SUP_WIN_CERTS_FILE)
+   ifdef VBOX_WITH_HARDENING
+    VBoxDrv_SOURCES.win  += \
+        win/SUPHardenedVerifyProcess-win.cpp
+   endif
    ifdef VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT
     VBoxDrv_DEFS.win     += VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT

trunk/src/VBox/HostDrivers/Support/win/SUPDrv-win.cpp

@@ -71 +71 @@
 #endif
 
-#ifdef VBOX_WITH_HARDENING
+#if defined(VBOX_WITH_HARDENING) || defined(VBOX_WITH_MINIMAL_HARDENING)
 # include "SUPHardenedVerify-win.h"
 #endif
@@ -458 +458 @@
 #endif
 
+#if defined(VBOX_WITH_HARDENING) || defined(VBOX_WITH_MINIMAL_HARDENING)
+/** Combined windows NT version number.  See SUP_MAKE_NT_VER_COMBINED. */
+uint32_t                            g_uNtVerCombined = 0;
+#endif
 #ifdef VBOX_WITH_HARDENING
 /** Pointer to the stub device instance. */
@@ -468 +472 @@
 /** Cookie returned by ObRegisterCallbacks for the callbacks. */
 static PVOID                        g_pvObCallbacksCookie = NULL;
-/** Combined windows NT version number.  See SUP_MAKE_NT_VER_COMBINED. */
-uint32_t                            g_uNtVerCombined = 0;
 /** Pointer to ObGetObjectType if available.. */
 static PFNOBGETOBJECTTYPE           g_pfnObGetObjectType = NULL;
@@ -653 +655 @@
 
     /*
-     * Figure out if we can use NonPagedPoolNx or not.
+     * Initialize the Nt version and figure out if we can use NonPagedPoolNx or not.
      */
     ULONG ulMajorVersion, ulMinorVersion, ulBuildNumber;
     PsGetVersion(&ulMajorVersion, &ulMinorVersion, &ulBuildNumber, NULL);
+#if defined(VBOX_WITH_HARDENING) || defined(VBOX_WITH_MINIMAL_HARDENING)
+    g_uNtVerCombined = SUP_MAKE_NT_VER_COMBINED(ulMajorVersion, ulMinorVersion, ulBuildNumber, 0, 0);
+#endif
     if (ulMajorVersion > 6 || (ulMajorVersion == 6 && ulMinorVersion >= 2)) /* >= 6.2 (W8)*/
         g_enmNonPagedPoolType = NonPagedPoolNx;
@@ -2200 +2205 @@
 
 
+# ifdef VBOX_WITH_MINIMAL_HARDENING
+/** 
+ * Performs pre-opening of .r0 image checks. 
+ *  
+ * When minimal hardening is enabled, we require the images loaded to be signed 
+ * by the build certificate, thus liminiting what we load to things we have 
+ * built ourselves.
+ */
+static int supdrvOSLdrCheckBeforeOpen(PUNICODE_STRING pUniStrPath, HANDLE *phImage)
+{
+    /* 
+     * Open the image file, denying write accesses.
+     */
+    *phImage = RTNT_INVALID_HANDLE_VALUE;
+    IO_STATUS_BLOCK     Ios   = RTNT_IO_STATUS_BLOCK_INITIALIZER;
+
+    OBJECT_ATTRIBUTES   ObjAttr;
+    InitializeObjectAttributes(&ObjAttr, pUniStrPath, OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/);
+    ObjAttr.Attributes |= OBJ_KERNEL_HANDLE;
+
+    NTSTATUS rcNt = NtCreateFile(phImage,
+                                 GENERIC_READ | SYNCHRONIZE,
+                                 &ObjAttr,
+                                 &Ios,
+                                 NULL /* Allocation Size*/,
+                                 FILE_ATTRIBUTE_NORMAL,
+                                 FILE_SHARE_READ,
+                                 FILE_OPEN,
+                                 FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
+                                 NULL /*EaBuffer*/,
+                                 0 /*EaLength*/);
+    if (NT_SUCCESS(rcNt))
+        rcNt = Ios.Status;
+    int rc;
+    if (NT_SUCCESS(rcNt))
+    {
+        /*
+         * Verify the image, requiring the a build certificate.
+         */
+        PRTERRINFOSTATIC pErrInfo = (PRTERRINFOSTATIC)RTMemAllocZ(sizeof(*pErrInfo));
+        bool             fIgnored = false;
+        rc = supHardenedWinVerifyImageByHandle(*phImage, pUniStrPath->Buffer, SUPHNTVI_F_REQUIRE_BUILD_CERT,
+                                               fIgnored, &fIgnored, pErrInfo ? RTErrInfoInitStatic(pErrInfo) : NULL);
+        if (RT_SUCCESS(rc))
+            Log(("VBoxDrv: '%ls' checks out fine (%d)\n", pUniStrPath->Buffer, rc));
+        else
+            SUPR0Printf("VBoxDrv: Checking '%ls' failed: %Rrc%#RTeim\n", pUniStrPath->Buffer, rc, &pErrInfo->Core);
+        RTMemFree(pErrInfo);
+
+        if (RT_FAILURE(rc))
+        {
+            NtClose(*phImage);
+            *phImage = RTNT_INVALID_HANDLE_VALUE;
+        }
+    }
+    else
+        rc = RTErrConvertFromNtStatus(rcNt);
+    return rc;
+}
+# endif /* VBOX_WITH_MINIMAL_HARDENING */
+
+
 #define MY_SystemLoadGdiDriverInSystemSpaceInformation  54
 #define MY_SystemUnloadGdiDriverInformation             27
@@ -2249 +2316 @@
     {
         /*
-         * Try load it.
+         * Pre-screen it.
          */
         MYSYSTEMGDIDRIVERINFO Info;
         RtlInitUnicodeString(&Info.Name, pwcsFilename);
-        Info.ImageAddress           = NULL;
-        Info.SectionPointer         = NULL;
-        Info.EntryPointer           = NULL;
-        Info.ExportSectionPointer   = NULL;
-        Info.ImageLength            = 0;
-
-        NTSTATUS rcNt = ZwSetSystemInformation(MY_SystemLoadGdiDriverInSystemSpaceInformation, &Info, sizeof(Info));
-        if (NT_SUCCESS(rcNt))
-        {
-            pImage->pvImage = Info.ImageAddress;
-            pImage->pvNtSectionObj = Info.SectionPointer;
-            Log(("ImageAddress=%p SectionPointer=%p ImageLength=%#x cbImageBits=%#x rcNt=%#x '%ls'\n",
-                 Info.ImageAddress, Info.SectionPointer, Info.ImageLength, pImage->cbImageBits, rcNt, Info.Name.Buffer));
+# ifdef VBOX_WITH_MINIMAL_HARDENING
+        HANDLE hImage = NULL;
+        rc = supdrvOSLdrCheckBeforeOpen(&Info.Name, &hImage);
+        if (RT_SUCCESS(rc))
+# endif
+        {
+            /*
+             * Try load it.
+             */
+            Info.ImageAddress           = NULL;
+            Info.SectionPointer         = NULL;
+            Info.EntryPointer           = NULL;
+            Info.ExportSectionPointer   = NULL;
+            Info.ImageLength            = 0;
+
+            NTSTATUS rcNt = ZwSetSystemInformation(MY_SystemLoadGdiDriverInSystemSpaceInformation, &Info, sizeof(Info));
+            if (NT_SUCCESS(rcNt))
+            {
+                pImage->pvImage = Info.ImageAddress;
+                pImage->pvNtSectionObj = Info.SectionPointer;
+                Log(("ImageAddress=%p SectionPointer=%p ImageLength=%#x cbImageBits=%#x rcNt=%#x '%ls'\n",
+                     Info.ImageAddress, Info.SectionPointer, Info.ImageLength, pImage->cbImageBits, rcNt, Info.Name.Buffer));
 # ifdef DEBUG_bird
-            SUPR0Printf("ImageAddress=%p SectionPointer=%p ImageLength=%#x cbImageBits=%#x rcNt=%#x '%ls'\n",
-                        Info.ImageAddress, Info.SectionPointer, Info.ImageLength, pImage->cbImageBits, rcNt, Info.Name.Buffer);
+                SUPR0Printf("ImageAddress=%p SectionPointer=%p ImageLength=%#x cbImageBits=%#x rcNt=%#x '%ls'\n",
+                            Info.ImageAddress, Info.SectionPointer, Info.ImageLength, pImage->cbImageBits, rcNt, Info.Name.Buffer);
 # endif
-            if (pImage->cbImageBits == Info.ImageLength)
-            {
-                /*
-                 * Lock down the entire image, just to be on the safe side.
-                 */
-                rc = RTR0MemObjLockKernel(&pImage->hMemLock, pImage->pvImage, pImage->cbImageBits, RTMEM_PROT_READ);
-                if (RT_FAILURE(rc))
+                if (pImage->cbImageBits == Info.ImageLength)
                 {
-                    pImage->hMemLock = NIL_RTR0MEMOBJ;
+                    /*
+                     * Lock down the entire image, just to be on the safe side.
+                     */
+                    rc = RTR0MemObjLockKernel(&pImage->hMemLock, pImage->pvImage, pImage->cbImageBits, RTMEM_PROT_READ);
+                    if (RT_FAILURE(rc))
+                    {
+                        pImage->hMemLock = NIL_RTR0MEMOBJ;
+                        supdrvOSLdrUnload(pDevExt, pImage);
+                    }
+                }
+                else
+                {
                     supdrvOSLdrUnload(pDevExt, pImage);
+                    rc = VERR_LDR_MISMATCH_NATIVE;
                 }
             }
             else
             {
-                supdrvOSLdrUnload(pDevExt, pImage);
-                rc = VERR_LDR_MISMATCH_NATIVE;
-            }
-        }
-        else
-        {
-            Log(("rcNt=%#x '%ls'\n", rcNt, pwcsFilename));
-            SUPR0Printf("VBoxDrv: rcNt=%x '%ws'\n", rcNt, pwcsFilename);
-            switch (rcNt)
-            {
-                case /* 0xc0000003 */ STATUS_INVALID_INFO_CLASS:
+                Log(("rcNt=%#x '%ls'\n", rcNt, pwcsFilename));
+                SUPR0Printf("VBoxDrv: rcNt=%x '%ws'\n", rcNt, pwcsFilename);
+                switch (rcNt)
+                {
+                    case /* 0xc0000003 */ STATUS_INVALID_INFO_CLASS:
 # ifdef RT_ARCH_AMD64
-                    /* Unwind will crash and BSOD, so no fallback here! */
-                    rc = VERR_NOT_IMPLEMENTED;
+                        /* Unwind will crash and BSOD, so no fallback here! */
+                        rc = VERR_NOT_IMPLEMENTED;
 # else
-                    /*
-                     * Use the old way of loading the modules.
-                     *
-                     * Note! We do *NOT* try class 26 because it will probably
-                     *       not work correctly on terminal servers and such.
-                     */
-                    rc = VERR_NOT_SUPPORTED;
+                        /*
+                         * Use the old way of loading the modules.
+                         *
+                         * Note! We do *NOT* try class 26 because it will probably
+                         *       not work correctly on terminal servers and such.
+                         */
+                        rc = VERR_NOT_SUPPORTED;
 # endif
-                    break;
-                case /* 0xc0000034 */ STATUS_OBJECT_NAME_NOT_FOUND:
-                    rc = VERR_MODULE_NOT_FOUND;
-                    break;
-                case /* 0xC0000263 */ STATUS_DRIVER_ENTRYPOINT_NOT_FOUND:
-                    rc = VERR_LDR_IMPORTED_SYMBOL_NOT_FOUND;
-                    break;
-                case /* 0xC0000428 */ STATUS_INVALID_IMAGE_HASH:
-                    rc = VERR_LDR_IMAGE_HASH;
-                    break;
-                case /* 0xC000010E */ STATUS_IMAGE_ALREADY_LOADED:
-                    Log(("WARNING: see @bugref{4853} for cause of this failure on Windows 7 x64\n"));
-                    rc = VERR_ALREADY_LOADED;
-                    break;
-                default:
-                    rc = VERR_LDR_GENERAL_FAILURE;
-                    break;
-            }
-
-            pImage->pvNtSectionObj = NULL;
+                        break;
+                    case /* 0xc0000034 */ STATUS_OBJECT_NAME_NOT_FOUND:
+                        rc = VERR_MODULE_NOT_FOUND;
+                        break;
+                    case /* 0xC0000263 */ STATUS_DRIVER_ENTRYPOINT_NOT_FOUND:
+                        rc = VERR_LDR_IMPORTED_SYMBOL_NOT_FOUND;
+                        break;
+                    case /* 0xC0000428 */ STATUS_INVALID_IMAGE_HASH:
+                        rc = VERR_LDR_IMAGE_HASH;
+                        break;
+                    case /* 0xC000010E */ STATUS_IMAGE_ALREADY_LOADED:
+                        Log(("WARNING: see @bugref{4853} for cause of this failure on Windows 7 x64\n"));
+                        rc = VERR_ALREADY_LOADED;
+                        break;
+                    default:
+                        rc = VERR_LDR_GENERAL_FAILURE;
+                        break;
+                }
+
+                pImage->pvNtSectionObj = NULL;
+            }
+# ifdef VBOX_WITH_MINIMAL_HARDENING
+            NtClose(hImage);
+# endif
         }
     }
@@ -5470 +5550 @@
      */
 
-    /* The NT version. */
-    ULONG uMajor, uMinor, uBuild;
-    PsGetVersion(&uMajor, &uMinor, &uBuild, NULL);
-    g_uNtVerCombined = SUP_MAKE_NT_VER_COMBINED(uMajor, uMinor, uBuild, 0, 0);
-
     /* Resolve methods we want but isn't available everywhere. */
     UNICODE_STRING RoutineName;