From nobody Tue Feb 10 23:01:17 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of groups.io designates
 66.175.222.108 as permitted sender) client-ip=66.175.222.108;
 envelope-from=bounce+27952+94326+1787277+3901457@groups.io;
 helo=mail02.groups.io;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+94326+1787277+3901457@groups.io;
	dmarc=fail(p=none dis=none)  header.from=kernel.org
ARC-Seal: i=1; a=rsa-sha256; t=1664180726; cv=none;
	d=zohomail.com; s=zohoarc;
	b=BK4I/xq9ALdnxa0azAMpPUSxYorQPZE7k1PvhoUnoXk1hgSC22OBNAVERaRBQBbjmrjgTlre/+Ska/Sp1BloKVD13rH/e240bYrd/zdjMvYpzUecWykm8+HNZ82TOqI+HDLbC+x6nsXoUMILUoM0aaudD/E8OeO1cdBzef6wHx4=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1664180726;
 h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To;
	bh=J2U9NTGy/vT6yZ+1NdLtwbhUczDq9Ns8OTJyqguNalk=;
	b=BUG02qUwyV/8P+FFEYfc2+cI3LGUltIsx1GTgzU6rmm/zcRRrde1LCmrfrM8b3Dgb8dC5bpU4+g5n7ykaBEsiQS/vzjbMPkl10L7PU4JQYfHgi5XJblICh6XhZIuxIYcoETxgM0T5fwunTkfU52lqZYHARR1jgPYjlgA9PlIQuM=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+94326+1787277+3901457@groups.io;
	dmarc=fail header.from=<ardb@kernel.org> (p=none dis=none)
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by
 mx.zohomail.com
	with SMTPS id 166418072669749.189237935274946;
 Mon, 26 Sep 2022 01:25:26 -0700 (PDT)
Return-Path: <bounce+27952+94326+1787277+3901457@groups.io>
X-Received: by 127.0.0.2 with SMTP id mDtEYY1788612xwz6euVfwj9;
 Mon, 26 Sep 2022 01:25:24 -0700
X-Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75])
 by mx.groups.io with SMTP id smtpd.web08.25929.1664180724031195019
 for <devel@edk2.groups.io>;
 Mon, 26 Sep 2022 01:25:24 -0700
X-Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ams.source.kernel.org (Postfix) with ESMTPS id 9C9F3B8199F;
	Mon, 26 Sep 2022 08:25:22 +0000 (UTC)
X-Received: by smtp.kernel.org (Postfix) with ESMTPSA id 52652C433D6;
	Mon, 26 Sep 2022 08:25:21 +0000 (UTC)
From: "Ard Biesheuvel" <ardb@kernel.org>
To: devel@edk2.groups.io
Cc: Ard Biesheuvel <ardb@kernel.org>,
	Leif Lindholm <quic_llindhol@quicinc.com>,
	Alexander Graf <agraf@csgraf.de>
Subject: [edk2-devel] [PATCH v3 03/16] ArmVirtPkg: make EFI_LOADER_DATA
 non-executable
Date: Mon, 26 Sep 2022 10:24:58 +0200
Message-Id: <20220926082511.2110797-4-ardb@kernel.org>
In-Reply-To: <20220926082511.2110797-1-ardb@kernel.org>
References: <20220926082511.2110797-1-ardb@kernel.org>
MIME-Version: 1.0
Precedence: Bulk
List-Unsubscribe: <mailto:devel+unsubscribe@edk2.groups.io>
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,ardb@kernel.org
X-Gm-Message-State: YUiDHxh4TSNAZtScsNJ5qiIax1787277AA=
Content-Transfer-Encoding: quoted-printable
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io;
 q=dns/txt; s=20140610; t=1664180724;
 bh=u+iq2BvciEXnblkqXPflJ/8r6gk9bHagQs0iq+Uqh70=;
 h=Cc:Date:From:Reply-To:Subject:To;
 b=GRVcQNOnxi+40yOczZ6e2XBUijuKheB9Zh3pGiWCp5SjPfJ+tdc9h+bUA885GLb2BmY
 InXuahE2H3KovJOhPdecXGZj7LONLJ1t0BAvTJ49EWUEKOXOerD8zEaecCZQcGRIDFph3
 pMBIKGYfMj2Z2Q+QteV1UfVIjgAg01n1Sko=
X-ZohoMail-DKIM: pass (identity @groups.io)
X-ZM-MESSAGEID: 1664180728204100014
Content-Type: text/plain; charset="utf-8"

When the memory protections were implemented and enabled on ArmVirtQemu
5+ years ago, we had to work around the fact that GRUB at the time
expected EFI_LOADER_DATA to be executable, as that is the memory type it
allocates when loading its modules.

This has been fixed in GRUB in August 2017, so by now, we should be able
to tighten this, and remove execute permissions from EFI_LOADER_DATA
allocations.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>
---
 ArmVirtPkg/ArmVirt.dsc.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
index 34575585adbb..462073517a22 100644
--- a/ArmVirtPkg/ArmVirt.dsc.inc
+++ b/ArmVirtPkg/ArmVirt.dsc.inc
@@ -368,7 +368,7 @@ [PcdsFixedAtBuild.common]
   # reserved ones, with the exception of LoaderData regions, of which OS l=
oaders
   # (i.e., GRUB) may assume that its contents are executable.
   #
-  gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC0000000=
00007FD1
+  gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC0000000=
00007FD5
=20
 [Components.common]
   #
--=20
2.35.1



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#94326): https://edk2.groups.io/g/devel/message/94326
Mute This Topic: https://groups.io/mt/93922691/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-