[PATCH V4 0/3] DXE Memory Protection

[Jiewen Yao <jiewen.yao@intel.com>]

==== V4 ====
1) Remove ARM patch. (Which was already submitted by Ard Biesheuvel in another series)
2) Unprotect RT image at ExitBootServices (feedback from Ard Biesheuvel)
3) Round up the ImageSize on protection (feedback from Ard Biesheuvel)

==== V3 ====
1) Add PCD for policy control (feedback from Ard Biesheuvel)
(Discussed with Mike Kinney)
+  #    BIT0       - Image from unknown device. <BR>
+  #    BIT1       - Image from firmware volume.<BR>
+  # @Prompt Set image protection policy.
+  # @ValidRange 0x80000002 | 0x00000000 - 0x0000001F
+  gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x00000002|UINT32|0x00001047

2) Remove unused function in CpuDxe.(feedback from Liming Gao)
3) Add commit log on link option assumption (feedback from Feng Tian)
4) Rename file PageTableLib.h/.c to CpuPageTable.h/.c file (from Jeff Fan)
5) Remove multi-entrypoint usage (from Liming Gao/Mike Kinney)

==== V2 ====
1) Clean up ArmPkg, (feedback from Leif Lindholm)

==== V1 ====
This series patch provides capability to protect PE/COFF image
in DXE memory.
If the UEFI image is page aligned, the image code section is set to read
only and the image data section is set to non-executable.

The DxeCore calls CpuArchProtocol->SetMemoryAttributes() to protect
the image.

Tested platform: NT32/Quark IA32/OVMF IA32/OVMF IA32X64/Intel internal X64/
Tested OS: UEFI Win10, UEFI Ubuntu 16.04.

Untested platform: ARM/AARCH64.
Can ARM/AARCH64 owner help to take a look and try the ARM platform?


Cc: Jeff Fan <jeff.fan@intel.com>
Cc: Michael Kinney <michael.d.kinney@intel.com>
Cc: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Feng Tian <feng.tian@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>


Jiewen Yao (3):
  UefiCpuPkg/CpuDxe: Add memory attribute setting.
  MdeModulePkg/dec: add PcdImageProtectionPolicy.
  MdeModulePkg/DxeCore: Add UEFI image protection.

 MdeModulePkg/Core/Dxe/DxeMain.h               |  61 ++
 MdeModulePkg/Core/Dxe/DxeMain.inf             |   5 +-
 MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c       |   5 +-
 MdeModulePkg/Core/Dxe/Image/Image.c           |   7 +-
 MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c | 769 +++++++++++++++++++
 MdeModulePkg/Core/Dxe/Misc/PropertiesTable.c  |  24 +-
 MdeModulePkg/MdeModulePkg.dec                 |  10 +
 UefiCpuPkg/CpuDxe/CpuDxe.c                    | 141 ++--
 UefiCpuPkg/CpuDxe/CpuDxe.inf                  |   5 +-
 UefiCpuPkg/CpuDxe/CpuPageTable.c              | 779 ++++++++++++++++++++
 UefiCpuPkg/CpuDxe/CpuPageTable.h              | 113 +++
 11 files changed, 1832 insertions(+), 87 deletions(-)
 create mode 100644 MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c
 create mode 100644 UefiCpuPkg/CpuDxe/CpuPageTable.c
 create mode 100644 UefiCpuPkg/CpuDxe/CpuPageTable.h

-- 
2.7.4.windows.1