From: Ard Biesheuvel
To: lersek@redhat.com, edk2-devel@lists.01.org
Cc: leif.lindholm@linaro.org, Ard Biesheuvel
Date: Wed, 1 Mar 2017 14:36:17 +0000
Message-Id: <1488378977-15398-1-git-send-email-ard.biesheuvel@linaro.org>
Subject: [edk2] [PATCH v2] ArmVirtPkg AARCH64: enable NX memory protection for all platforms

This sets the recently introduced PCD PcdDxeNxMemoryProtectionPolicy to a value that protects all memory regions except code regions against inadvertent execution.

Note that this does not [yet] protect EfiLoaderData regions, due to compatibility issues with shim and GRUB.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel
Reviewed-by: Jiewen Yao
Reviewed-by: Laszlo Ersek
Tested-by: Laszlo Ersek
---
v2: leave EfiLoaderData executable for the time being

 ArmVirtPkg/ArmVirt.dsc.inc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
index 2b0a44e14d24..a91b27f13cf2 100644
--- a/ArmVirtPkg/ArmVirt.dsc.inc
+++ b/ArmVirtPkg/ArmVirt.dsc.inc @@ -383,6 +383,13 @@ [PcdsFixedAtBuild.AARCH64] # gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3 =20 + # + # Enable NX memory protection for all non-code regions, including OEM an= d OS + # reserved ones, with the exception of LoaderData regions, of which OS l= oaders + # (i.e., GRUB) may assume that its contents are executable. + # + gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC0000000= 00007FD1 + [Components.common] # # Networking stack --=20 2.7.4
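Review bot: the added comment's wording and the undecoded magic value in the PcdDxeNxMemoryProtectionPolicy line are the two things to tighten in this hunk. "of which OS loaders (i.e., GRUB) may assume that its contents are executable" does not parse; suggest "whose contents OS loaders (e.g., GRUB) may assume to be executable", and since the commit message names shim as the other compatibility constraint, name it in the comment as well so a later reader of ArmVirt.dsc.inc knows which loaders kept LoaderData executable. The value 0xC000000000007FD1 should also be spelled out in the comment: with this PCD's one-bit-per-EFI-memory-type encoding, bits 1, 2, 3 and 5 (EfiLoaderCode, EfiLoaderData, EfiBootServicesCode, EfiRuntimeServicesCode) are the only ones left clear and bits 62 and 63 are the OEM and OS reserved ranges, which makes the claim "all non-code regions except LoaderData" checkable at a glance instead of requiring the reader to expand the mask by hand. Finally, the message is quoted-printable encoded (the "an= d", "l= oaders" and "0xC0000000= 00007FD1" splits are soft line breaks), so it needs to be applied from the decoded mail with git am rather than pasted from an archive view.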