From nobody Mon Feb  9 11:28:35 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of groups.io designates
 66.175.222.108 as permitted sender) client-ip=66.175.222.108;
 envelope-from=bounce+27952+106297+1787277+3901457@groups.io;
 helo=mail02.groups.io;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+106297+1787277+3901457@groups.io;
	dmarc=fail(p=none dis=none)  header.from=gmail.com
ARC-Seal: i=1; a=rsa-sha256; t=1687536230; cv=none;
	d=zohomail.com; s=zohoarc;
	b=BIu95LPwdQUn/LAAZTgrSfUAOqr+rV0opmuRviae89LdU3T+niaS3YpDoDUtSl3TqH9qce/Oo/fXHnwTnbsg/DooXz468xWKnanx99dRunIYDYTk5UgPOdO+DV9StORXz8MNSw79LWDHkb32WO+qDo+cflVUM4Jc7VLY/SK8ULY=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1687536230;
 h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To;
	bh=meNjIlqTddhHjIfBVeuVUKFdecPOyj7rQwbzV4hQgUs=;
	b=GMmSWCg7+AhEzZHJ9Gr+BHOivbluqPcmjXeRZBBLCrvto0ixKNYUFCQdmgbwUfvxUwyJ/WkoZ32F6cXC0D+2jIH1Z5Zn+h2NjcsIAB91qc6Jw4Uyfp7tji4OU6a9z0ry/aWyKBm4aaOeu59HS1Q4VKH3/Fx0IbolIIjkezjxmuM=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+106297+1787277+3901457@groups.io;
	dmarc=fail header.from=<joey.vagedes@gmail.com> (p=none dis=none)
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by
 mx.zohomail.com
	with SMTPS id 1687536230574222.6559743921074;
 Fri, 23 Jun 2023 09:03:50 -0700 (PDT)
Return-Path: <bounce+27952+106297+1787277+3901457@groups.io>
X-Received: by 127.0.0.2 with SMTP id M31hYY1788612xNZjju8Vs1W;
 Fri, 23 Jun 2023 09:03:50 -0700
X-Received: from mail-pg1-f177.google.com (mail-pg1-f177.google.com
 [209.85.215.177])
 by mx.groups.io with SMTP id smtpd.web10.1839.1687535096829629396
 for <devel@edk2.groups.io>;
 Fri, 23 Jun 2023 08:44:56 -0700
X-Received: by mail-pg1-f177.google.com with SMTP id
 41be03b00d2f7-54fd6aa3b0dso550553a12.2
        for <devel@edk2.groups.io>; Fri, 23 Jun 2023 08:44:56 -0700 (PDT)
X-Gm-Message-State: fGXLAAv6TH3TKY06vqyE5Pmux1787277AA=
X-Google-Smtp-Source: 
 ACHHUZ4loA/pluBCzBSjH50DyJmUzHViJq8TBSILDMvtkCZabO6AXUIBmxgcMnFMkM3DqlCIikFokQ==
X-Received: by 2002:a17:90a:28a3:b0:255:c829:b638 with SMTP id
 f32-20020a17090a28a300b00255c829b638mr14315742pjd.9.1687535095848;
        Fri, 23 Jun 2023 08:44:55 -0700 (PDT)
X-Received: from localhost.localdomain ([174.164.102.13])
        by smtp.gmail.com with ESMTPSA id
 e14-20020a17090ac20e00b0025bb1bdb989sm1654192pjt.29.2023.06.23.08.44.54
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 23 Jun 2023 08:44:55 -0700 (PDT)
From: Joey Vagedes <joey.vagedes@gmail.com>
To: devel@edk2.groups.io
Cc: Rebecca Cran <rebecca@bsdio.com>,
	Liming Gao <gaoliming@byosoft.com.cn>,
	Bob Feng <bob.c.feng@intel.com>,
	Yuwei Chen <yuwei.chen@intel.com>
Subject: [edk2-devel] [PATCH v1 2/2] BaseTools: GenFw: auto-set nxcompat flag
Date: Fri, 23 Jun 2023 08:44:42 -0700
Message-ID: <20230623154442.799-3-joey.vagedes@gmail.com>
In-Reply-To: <20230623154442.799-1-joey.vagedes@gmail.com>
References: <20230623154442.799-1-joey.vagedes@gmail.com>
MIME-Version: 1.0
Precedence: Bulk
List-Unsubscribe: <mailto:devel+unsubscribe@edk2.groups.io>
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,joey.vagedes@gmail.com
Content-Transfer-Encoding: quoted-printable
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io;
 q=dns/txt; s=20140610; t=1687536230;
 bh=U/3A1OvXNJbOlImSY92KoyjrrZcuEsT6xf+zrWp/cSE=;
 h=Cc:Date:From:Reply-To:Subject:To;
 b=KlMGfXuvK85aLqUKJj2nZXEiA/mxOBMEgbmJvGflsWAOHuFaMKVfkUjFrZKBnSCn/Y/
 5NZhOAoUTe1WW5SiO/0aYnT77elvaAT/8WUi0OCt4+fhpHwo/HvZLS6W9VsNVmwSJeDf0
 DWtVQmJVb4ZcEMmoklQv1n6iOUak3ErYD4A=
X-ZohoMail-DKIM: pass (identity @groups.io)
X-ZM-MESSAGEID: 1687536232475100008
Content-Type: text/plain; charset="utf-8"

Automatically set the nxcompat flag in the DLL Characteristics field of
the Optional Header of the PE32+ image. For this flag to be set
automatically, it must, the section alignment must be evenly divisible
by 4K (EFI_PAGE_SIZE) and no section must be executable and writable.

Cc: Rebecca Cran <rebecca@bsdio.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Bob Feng <bob.c.feng@intel.com>
Cc: Yuwei Chen <yuwei.chen@intel.com>
Signed-off-by: Joey Vagedes <joeyvagedes@gmail.com>
---
 BaseTools/Source/C/GenFw/GenFw.c | 59 ++++++++++++++++++++
 1 file changed, 59 insertions(+)

diff --git a/BaseTools/Source/C/GenFw/GenFw.c b/BaseTools/Source/C/GenFw/Ge=
nFw.c
index 0289c8ef8a5c..4581c4233c14 100644
--- a/BaseTools/Source/C/GenFw/GenFw.c
+++ b/BaseTools/Source/C/GenFw/GenFw.c
@@ -441,6 +441,60 @@ Returns:
   return STATUS_SUCCESS;
 }
=20
+STATIC
+BOOLEAN
+IsNxCompatCompliant (
+  EFI_IMAGE_OPTIONAL_HEADER_UNION  *PeHdr
+  )
+/*++
+
+Routine Description:
+
+  Checks if the Pe image is nxcompat. i.e. PE is 64bit, section alignment =
is
+  evenly divisible by 4k, and no section is writable and executable.
+
+Arguments:
+
+  PeHdr      The Pe header
+
+Returns:
+  TRUE       The PE is nx compat compliant
+  FALSE      The PE is not nx compat compliant
+
+--*/
+{
+  EFI_IMAGE_SECTION_HEADER     *SectionHeader;
+  UINT32                       Index;
+  UINT32                       Mask;
+
+  // Must have an optional header to perform verification
+  if (PeHdr->Pe32.FileHeader.SizeOfOptionalHeader =3D=3D 0) {
+    return FALSE;
+  }
+
+  // Verify PE is 64 bit
+  if (!(PeHdr->Pe32.OptionalHeader.Magic =3D=3D EFI_IMAGE_NT_OPTIONAL_HDR6=
4_MAGIC)) {
+    return FALSE;
+  }
+
+  // Verify Section Alignment is divisible by 4K
+  if (!((PeHdr->Pe32Plus.OptionalHeader.SectionAlignment % EFI_PAGE_SIZE) =
=3D=3D 0)) {
+    return FALSE;
+  }
+
+  // Verify sections are not Write & Execute
+  Mask =3D EFI_IMAGE_SCN_MEM_EXECUTE | EFI_IMAGE_SCN_MEM_WRITE;
+  SectionHeader =3D (EFI_IMAGE_SECTION_HEADER *) ((UINT8 *) &(PeHdr->Pe32P=
lus.OptionalHeader) + PeHdr->Pe32Plus.FileHeader.SizeOfOptionalHeader);
+  for (Index =3D 0; Index < PeHdr->Pe32Plus.FileHeader.NumberOfSections; I=
ndex ++, SectionHeader ++) {
+    if ((SectionHeader->Characteristics & Mask) =3D=3D Mask) {
+      return FALSE;
+    }
+  }
+
+  // Passed all requirements, return TRUE
+  return TRUE;
+}
+
 VOID
 SetHiiResourceHeader (
   UINT8   *HiiBinData,
@@ -2458,6 +2512,11 @@ Returns:
     TEImageHeader.BaseOfCode          =3D Optional64->BaseOfCode;
     TEImageHeader.ImageBase           =3D (UINT64) (Optional64->ImageBase);
=20
+    // Set NxCompat flag
+    if (IsNxCompatCompliant (PeHdr)) {
+      Optional64->DllCharacteristics |=3D IMAGE_DLLCHARACTERISTICS_NX_COMP=
AT;
+    }
+
     if (Optional64->NumberOfRvaAndSizes > EFI_IMAGE_DIRECTORY_ENTRY_BASERE=
LOC) {
       TEImageHeader.DataDirectory[EFI_TE_IMAGE_DIRECTORY_ENTRY_BASERELOC].=
VirtualAddress =3D Optional64->DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_BASE=
RELOC].VirtualAddress;
       TEImageHeader.DataDirectory[EFI_TE_IMAGE_DIRECTORY_ENTRY_BASERELOC].=
Size =3D Optional64->DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_BASERELOC].Siz=
e;
--=20
2.41.0.windows.1



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#106297): https://edk2.groups.io/g/devel/message/106297
Mute This Topic: https://groups.io/mt/99721320/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-