[PATCH] ArmVirtPkg/ArmVirt.dsc.inc: AARCH64: enable DXE image protection feature

public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed

* [PATCH] ArmVirtPkg/ArmVirt.dsc.inc: AARCH64: enable DXE image protection feature
@ 2017-02-22 11:54 Ard Biesheuvel
  2017-02-23  9:36 ` Laszlo Ersek
  0 siblings, 1 reply; 3+ messages in thread
From: Ard Biesheuvel @ 2017-02-22 11:54 UTC (permalink / raw)
  To: edk2-devel, lersek; +Cc: leif.lindholm, Ard Biesheuvel

Enable the new DXE image protection for all image, i.e., FV images but
also external images that originate from disk or the network, such as
OS loaders.

This complements work that is underway on the arm64/Linux kernel side,
to emit the OS loader with 4 KB section alignment, and a suitable split
between code and data.

http://marc.info/?l=linux-arm-kernel&m=148655557227819

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 ArmVirtPkg/ArmVirt.dsc.inc | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
index dbd6678accde..c0d5e7c6aa6d 100644
--- a/ArmVirtPkg/ArmVirt.dsc.inc
+++ b/ArmVirtPkg/ArmVirt.dsc.inc
@@ -17,6 +17,9 @@ [Defines]
   DEFINE DEBUG_PRINT_ERROR_LEVEL = 0x8000004F
   DEFINE TTY_TERMINAL            = FALSE
 
+[BuildOptions.common.EDKII.DXE_DRIVER,BuildOptions.common.EDKII.UEFI_DRIVER,BuildOptions.common.EDKII.UEFI_APPLICATION]
+  GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x1000
+
 [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER]
   GCC:*_*_ARM_DLINK_FLAGS = -z common-page-size=0x1000
   GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x10000
@@ -380,6 +383,13 @@ [PcdsFixedAtBuild.common]
 [PcdsFixedAtBuild.ARM]
   gEmbeddedTokenSpaceGuid.PcdPrePiCpuMemorySize|40
 
+[PcdsFixedAtBuild.AARCH64]
+  #
+  # Enable strict image permissions for all images. (This applies
+  # only to images that were built with >= 4 KB section alignment.)
+  #
+  gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3
+
 [Components.common]
   #
   # Networking stack
-- 
2.7.4



^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] ArmVirtPkg/ArmVirt.dsc.inc: AARCH64: enable DXE image protection feature
  2017-02-22 11:54 [PATCH] ArmVirtPkg/ArmVirt.dsc.inc: AARCH64: enable DXE image protection feature Ard Biesheuvel
@ 2017-02-23  9:36 ` Laszlo Ersek
  2017-02-24 15:17   ` Ard Biesheuvel
  0 siblings, 1 reply; 3+ messages in thread
From: Laszlo Ersek @ 2017-02-23  9:36 UTC (permalink / raw)
  To: Ard Biesheuvel, edk2-devel; +Cc: leif.lindholm

On 02/22/17 12:54, Ard Biesheuvel wrote:
> Enable the new DXE image protection for all image, i.e., FV images but
> also external images that originate from disk or the network, such as
> OS loaders.
> 
> This complements work that is underway on the arm64/Linux kernel side,
> to emit the OS loader with 4 KB section alignment, and a suitable split
> between code and data.
> 
> http://marc.info/?l=linux-arm-kernel&m=148655557227819
> 
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> ---
>  ArmVirtPkg/ArmVirt.dsc.inc | 10 ++++++++++
>  1 file changed, 10 insertions(+)
> 
> diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
> index dbd6678accde..c0d5e7c6aa6d 100644
> --- a/ArmVirtPkg/ArmVirt.dsc.inc
> +++ b/ArmVirtPkg/ArmVirt.dsc.inc
> @@ -17,6 +17,9 @@ [Defines]
>    DEFINE DEBUG_PRINT_ERROR_LEVEL = 0x8000004F
>    DEFINE TTY_TERMINAL            = FALSE
>  
> +[BuildOptions.common.EDKII.DXE_DRIVER,BuildOptions.common.EDKII.UEFI_DRIVER,BuildOptions.common.EDKII.UEFI_APPLICATION]
> +  GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x1000
> +
>  [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER]
>    GCC:*_*_ARM_DLINK_FLAGS = -z common-page-size=0x1000
>    GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x10000
> @@ -380,6 +383,13 @@ [PcdsFixedAtBuild.common]
>  [PcdsFixedAtBuild.ARM]
>    gEmbeddedTokenSpaceGuid.PcdPrePiCpuMemorySize|40
>  
> +[PcdsFixedAtBuild.AARCH64]
> +  #
> +  # Enable strict image permissions for all images. (This applies
> +  # only to images that were built with >= 4 KB section alignment.)
> +  #
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3
> +
>  [Components.common]
>    #
>    # Networking stack
> 

So, if I understand correctly, setting BIT0 will not break external
images with unaligned sections, they just won't be protected, and
they'll trigger loud warnings. OK.

Reviewed-by: Laszlo Ersek <lersek@redhat.com>

Thanks
Laszlo


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] ArmVirtPkg/ArmVirt.dsc.inc: AARCH64: enable DXE image protection feature
  2017-02-23  9:36 ` Laszlo Ersek
@ 2017-02-24 15:17   ` Ard Biesheuvel
  0 siblings, 0 replies; 3+ messages in thread
From: Ard Biesheuvel @ 2017-02-24 15:17 UTC (permalink / raw)
  To: Laszlo Ersek; +Cc: edk2-devel@lists.01.org, Leif Lindholm

On 23 February 2017 at 09:36, Laszlo Ersek <lersek@redhat.com> wrote:
> On 02/22/17 12:54, Ard Biesheuvel wrote:
>> Enable the new DXE image protection for all image, i.e., FV images but
>> also external images that originate from disk or the network, such as
>> OS loaders.
>>
>> This complements work that is underway on the arm64/Linux kernel side,
>> to emit the OS loader with 4 KB section alignment, and a suitable split
>> between code and data.
>>
>> http://marc.info/?l=linux-arm-kernel&m=148655557227819
>>
>> Contributed-under: TianoCore Contribution Agreement 1.0
>> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
>> ---
>>  ArmVirtPkg/ArmVirt.dsc.inc | 10 ++++++++++
>>  1 file changed, 10 insertions(+)
>>
>> diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
>> index dbd6678accde..c0d5e7c6aa6d 100644
>> --- a/ArmVirtPkg/ArmVirt.dsc.inc
>> +++ b/ArmVirtPkg/ArmVirt.dsc.inc
>> @@ -17,6 +17,9 @@ [Defines]
>>    DEFINE DEBUG_PRINT_ERROR_LEVEL = 0x8000004F
>>    DEFINE TTY_TERMINAL            = FALSE
>>
>> +[BuildOptions.common.EDKII.DXE_DRIVER,BuildOptions.common.EDKII.UEFI_DRIVER,BuildOptions.common.EDKII.UEFI_APPLICATION]
>> +  GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x1000
>> +
>>  [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER]
>>    GCC:*_*_ARM_DLINK_FLAGS = -z common-page-size=0x1000
>>    GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x10000
>> @@ -380,6 +383,13 @@ [PcdsFixedAtBuild.common]
>>  [PcdsFixedAtBuild.ARM]
>>    gEmbeddedTokenSpaceGuid.PcdPrePiCpuMemorySize|40
>>
>> +[PcdsFixedAtBuild.AARCH64]
>> +  #
>> +  # Enable strict image permissions for all images. (This applies
>> +  # only to images that were built with >= 4 KB section alignment.)
>> +  #
>> +  gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3
>> +
>>  [Components.common]
>>    #
>>    # Networking stack
>>
>
> So, if I understand correctly, setting BIT0 will not break external
> images with unaligned sections, they just won't be protected, and
> they'll trigger loud warnings. OK.
>

Indeed.

> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
>

Pushed, thanks.


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2017-02-24 15:17 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-02-22 11:54 [PATCH] ArmVirtPkg/ArmVirt.dsc.inc: AARCH64: enable DXE image protection feature Ard Biesheuvel
2017-02-23  9:36 ` Laszlo Ersek
2017-02-24 15:17   ` Ard Biesheuvel

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox