Changeset 97188 in vbox

Timestamp:

Oct 18, 2022 7:42:50 AM (2 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

154163

Message:

Support/SUPR3HardenedEntitlementsVM.plist,VMM/NEMR3Native-darwin: Remove the Catalina workaround, as it turns out setting the com.apple.security.cs.allow-unsigned-executable-memory and com.apple.security.cs.disable-executable-page-protection entitlements are enough to make it work, bugref:9044

Location:

trunk/src/VBox

Files:

• HostDrivers/Support/darwin/SUPR3HardenedEntitlementsVM.plist (modified) (1 diff)
• VMM/VMMAll/VMXAllTemplate.cpp.h (modified) (1 diff)
• VMM/VMMR3/NEMR3.cpp (modified) (1 diff)
• VMM/VMMR3/NEMR3Native-darwin.cpp (modified) (12 diffs)

trunk/src/VBox/HostDrivers/Support/darwin/SUPR3HardenedEntitlementsVM.plist

@@ -4 +4 @@
 <dict>
     <!-- <key>com.apple.security.cs.allow-jit</key>                          <true/> -->
-    <!-- <key>com.apple.security.cs.allow-unsigned-executable-memory</key>   <true/> -->
-    <!-- <key>com.apple.security.cs.disable-executable-page-protection</key> <true/> -->
+    <!--
+      The following two entitlements are required for using AppleHV on Catalina.
+      The first entitlement allows us to have unsigned executable memory in the guests
+      address space like the BIOS code (and essentially all the guests address space which
+      is mapped as RWX).
+      The second entitlement is required in order to map guest memory as RWX into the
+      guests address space.
+      These entitlements are not required starting with BigSur+ where Apple has clearly
+      changed something in their entitlement scheme without properly documenting it.
+    -->
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>   <true/>
+    <key>com.apple.security.cs.disable-executable-page-protection</key> <true/>
     <!-- For audio input -->
     <key>com.apple.security.device.audio-input</key>                    <true/>

trunk/src/VBox/VMM/VMMAll/VMXAllTemplate.cpp.h

@@ -9423 +9423 @@
      */
     NEMHCDARWINHMACPCCSTATE State = { RT_BOOL(pVmxTransient->uExitQual & VMX_EXIT_QUAL_EPT_ACCESS_WRITE),
-                                      RT_BOOL(pVmxTransient->uExitQual & VMX_EXIT_QUAL_EPT_ACCESS_INSTR_FETCH),
                                       false,
                                       false };

trunk/src/VBox/VMM/VMMR3/NEMR3.cpp

@@ -101 +101 @@
                                   "|VmxPleWindow"
                                   "|VmxLbr"
-                                  "|CatalinaWxWorkaround"
 #endif
                                   ,

trunk/src/VBox/VMM/VMMR3/NEMR3Native-darwin.cpp

@@ -293 +293 @@
 /** VMX: Set if swapping EFER is supported.  */
 static bool             g_fHmVmxSupportsVmcsEfer = false;
-/** Flag whether the AppleHV code suffers from a bug preventing WX mappings and we need to
- * ping pong between RX and RW mappings depending on what the guest is doing. */
-static bool             g_fAppleHvNoWX = false;
 /** @name APIs imported from Hypervisor.framework.
  * @{ */
@@ -562 +559 @@
     if (fPageProt & NEM_PAGE_PROT_WRITE)
         fHvMemProt |= HV_MEMORY_WRITE;
-    if (   fPageProt & NEM_PAGE_PROT_EXECUTE
-        && (   !g_fAppleHvNoWX
-            || !(fPageProt & NEM_PAGE_PROT_WRITE)))
+    if (fPageProt & NEM_PAGE_PROT_EXECUTE)
         fHvMemProt |= HV_MEMORY_EXEC;
 
     hv_return_t hrc;
-#if 0 /* Simulates the error path on Catalina without requiring signed binaries. */
-    if (   (fHvMemProt & HV_MEMORY_WRITE)
-        && (fHvMemProt & HV_MEMORY_EXEC))
-        hrc = HV_ERROR;
-    else
-    {
-        if (pVM->nem.s.fCreatedAsid)
-            hrc = hv_vm_map_space(pVM->nem.s.uVmAsid, pvRam, GCPhys, cb, fHvMemProt);
-        else
-            hrc = hv_vm_map(pvRam, GCPhys, cb, fHvMemProt);
-    }
-#else
     if (pVM->nem.s.fCreatedAsid)
         hrc = hv_vm_map_space(pVM->nem.s.uVmAsid, pvRam, GCPhys, cb, fHvMemProt);
     else
         hrc = hv_vm_map(pvRam, GCPhys, cb, fHvMemProt);
-#endif
     if (hrc == HV_SUCCESS)
     {
@@ -594 +576 @@
     }
 
-    if (   hrc == HV_ERROR
-        && (fHvMemProt & HV_MEMORY_WRITE)
-        && (fHvMemProt & HV_MEMORY_EXEC))
-    {
-        /*
-         * On Catalina 10.15.7 it is impossible to have WX permissions with a properly signed
-         * process due to some bug(?), it works starting with BigSur. So to work around that
-         * we will never have WX mappings but only RW and RX and switch between them on demand for the
-         * guest region in question. This can have a huge negative performance impact if the guest
-         * writes to the same page frequently and executes code there.
-         */
-        Assert(!g_fAppleHvNoWX); /* We should come here only once. */
-
-        /*
-         * Try unmapping the region first (the code on Catalina doesn't remove it form the map if vm_map_protect() fails and
-         * causes the following hv_vm_map call to fail...).
-         */
-        hv_vm_unmap(GCPhys, cb);
-
-         /* Start with an RW mapping (most of the time the guest needs to write something there before it can execute code). */
-        fHvMemProt &= ~HV_MEMORY_EXEC;
-        g_fAppleHvNoWX = true;
-        LogRel(("NEM: AppleHV refuses RWX mappings for the guest, activating workaround, expect decreased performance\n"));
-        if (pVM->nem.s.fCreatedAsid)
-            hrc = hv_vm_map_space(pVM->nem.s.uVmAsid, pvRam, GCPhys, cb, fHvMemProt);
-        else
-            hrc = hv_vm_map(pvRam, GCPhys, cb, fHvMemProt);
-        if (hrc == HV_SUCCESS)
-        {
-            if (pu2State)
-                *pu2State = NEM_DARWIN_PAGE_STATE_WRITABLE; /* Writable without exec. */
-            return VINF_SUCCESS;
-        }
-    }
-
     return nemR3DarwinHvSts2Rc(hrc);
 }
 
-
+#if 0 /* unused */
 DECLINLINE(int) nemR3DarwinProtectPage(PVM pVM, RTGCPHYS GCPhys, size_t cb, uint32_t fPageProt)
 {
-    Assert(   !g_fAppleHvNoWX
-           || (   (fPageProt & NEM_PAGE_PROT_WRITE)
-               && !(fPageProt & NEM_PAGE_PROT_EXECUTE))
-           || (   !(fPageProt & NEM_PAGE_PROT_WRITE)
-               && (fPageProt & NEM_PAGE_PROT_EXECUTE)));
-
     hv_memory_flags_t fHvMemProt = 0;
     if (fPageProt & NEM_PAGE_PROT_READ)
@@ -657 +598 @@
     return nemR3DarwinHvSts2Rc(hrc);
 }
-
+#endif
 
 DECLINLINE(int) nemR3NativeGCPhys2R3PtrReadOnly(PVM pVM, RTGCPHYS GCPhys, const void **ppv)
@@ -1210 +1151 @@
 /**
  * State to pass between vmxHCExitEptViolation
- * and nemHCWinHandleMemoryAccessPageCheckerCallback.
+ * and nemR3DarwinHandleMemoryAccessPageCheckerCallback.
  */
 typedef struct NEMHCDARWINHMACPCCSTATE
@@ -1216 +1157 @@
     /** Input: Write access. */
     bool    fWriteAccess;
-    /** Input: Instruction fetch access. */
-    bool    fInsnFetch;
     /** Output: Set if we did something. */
     bool    fDidSomething;
@@ -1264 +1203 @@
 
             int rc = VINF_SUCCESS;
-            if (   pInfo->fNemProt & NEM_PAGE_PROT_WRITE
-                && !pState->fInsnFetch)
+            if (pInfo->fNemProt & NEM_PAGE_PROT_WRITE)
             {
                 void *pvPage;
                 rc = nemR3NativeGCPhys2R3PtrWriteable(pVM, GCPhys, &pvPage);
                 if (RT_SUCCESS(rc))
-                {
-                    uint32_t fProt = pInfo->fNemProt;
-                    if (g_fAppleHvNoWX)
-                        fProt &= ~NEM_PAGE_PROT_EXECUTE; /* Start with RW mapping. */
-                    rc = nemR3DarwinMap(pVM, GCPhys & ~(RTGCPHYS)X86_PAGE_OFFSET_MASK, pvPage, X86_PAGE_SIZE, fProt, &u2State);
-                }
+                    rc = nemR3DarwinMap(pVM, GCPhys & ~(RTGCPHYS)X86_PAGE_OFFSET_MASK, pvPage, X86_PAGE_SIZE, pInfo->fNemProt, &u2State);
             }
             else if (pInfo->fNemProt & NEM_PAGE_PROT_READ)
@@ -1282 +1215 @@
                 rc = nemR3NativeGCPhys2R3PtrReadOnly(pVM, GCPhys, &pvPage);
                 if (RT_SUCCESS(rc))
-                    rc = nemR3DarwinMap(pVM, GCPhys & ~(RTGCPHYS)X86_PAGE_OFFSET_MASK, pvPage, X86_PAGE_SIZE, pInfo->fNemProt & ~NEM_PAGE_PROT_WRITE, &u2State);
+                    rc = nemR3DarwinMap(pVM, GCPhys & ~(RTGCPHYS)X86_PAGE_OFFSET_MASK, pvPage, X86_PAGE_SIZE, pInfo->fNemProt, &u2State);
             }
             else /* Only EXECUTE doesn't work. */
@@ -1295 +1228 @@
         }
         case NEM_DARWIN_PAGE_STATE_READABLE:
-            if (   g_fAppleHvNoWX
-                && pState->fWriteAccess
-                && (pInfo->fNemProt & NEM_PAGE_PROT_WRITE))
-            {
-                /* Write access to an RWX page which we set to RX due to Catalina woes, convert to RW. */
-                int rc = nemR3DarwinProtectPage(pVM, GCPhys & ~(RTGCPHYS)X86_PAGE_OFFSET_MASK, X86_PAGE_SIZE, NEM_PAGE_PROT_READ | NEM_PAGE_PROT_WRITE);
-
-                pInfo->u2NemState = NEM_DARWIN_PAGE_STATE_WRITABLE;
-                Log4(("nemR3DarwinHandleMemoryAccessPageCheckerCallback: %RGp - RX => RW + %Rrc\n", GCPhys, rc));
-                pState->fDidSomething = true;
-                /*
-                 * We will emulate that single instruction in case the instruction writes to the same page as it executes from to avoid
-                 * an endless loop switching between RW and RX mappings without making any progress.
-                 */
-                pState->fCanResume    = false;
-                return rc;
-            }
-
             if (   !(pInfo->fNemProt & NEM_PAGE_PROT_WRITE)
                 && (pInfo->fNemProt & (NEM_PAGE_PROT_READ | NEM_PAGE_PROT_EXECUTE)))
@@ -1323 +1238 @@
 
         case NEM_DARWIN_PAGE_STATE_WRITABLE:
-            if (   g_fAppleHvNoWX
-                && pState->fInsnFetch
-                && (pInfo->fNemProt & NEM_PAGE_PROT_EXECUTE))
-            {
-                /* Write access to an RWX page which we set to RW due to Catalina woes, convert to RX. */
-                int rc = nemR3DarwinProtectPage(pVM, GCPhys & ~(RTGCPHYS)X86_PAGE_OFFSET_MASK, X86_PAGE_SIZE, NEM_PAGE_PROT_READ | NEM_PAGE_PROT_EXECUTE);
-
-                pInfo->u2NemState = NEM_DARWIN_PAGE_STATE_READABLE;
-                Log4(("nemR3DarwinHandleMemoryAccessPageCheckerCallback: %RGp - RW => RX + %Rrc\n", GCPhys, rc));
-                pState->fDidSomething = true;
-                /* Just resume with execution, no emulation in case the instruction being executed is something we don't emulate right now (AVX for example). */
-                pState->fCanResume    = true;
-                return rc;
-            }
-
             if (pInfo->fNemProt & NEM_PAGE_PROT_WRITE)
             {
@@ -1345 +1245 @@
                 return VINF_SUCCESS;
             }
-
             break;
 
@@ -2993 +2892 @@
      * useful while debugging and enabling it causes a noticeable performance hit. */
     rc = CFGMR3QueryBoolDef(pCfgNem, "VmxLbr", &pVM->nem.s.fLbr, false);
-    AssertRCReturn(rc, rc);
-
-    /** @cfgm{/NEM/CatalinaWxWorkaround, bool, false}
-     * Whether to allow only W^X guest mappings due to a bug in the Catalina AppleHV
-     * driver refusing RWX when a properly signed binary is used.
-     */
-    rc = CFGMR3QueryBoolDef(pCfgNem, "CatalinaWxWorkaround", &g_fAppleHvNoWX, false);
     AssertRCReturn(rc, rc);