From: Ard Biesheuvel
To: edk2-devel@lists.01.org, lersek@redhat.com
Cc: leif.lindholm@linaro.org, Ard Biesheuvel
Date: Wed, 22 Feb 2017 11:54:45 +0000
Message-Id: <1487764485-18631-1-git-send-email-ard.biesheuvel@linaro.org>
Subject: [PATCH] ArmVirtPkg/ArmVirt.dsc.inc: AARCH64: enable DXE image protection feature

Enable the new DXE image protection for all images, i.e., FV images but also external images that originate from disk or the network, such as OS loaders. This complements work that is underway on the arm64/Linux kernel side, to emit the OS loader with 4 KB section alignment, and a suitable split between code and data.

http://marc.info/?l=linux-arm-kernel&m=148655557227819

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel
---
 ArmVirtPkg/ArmVirt.dsc.inc | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc index dbd6678accde..c0d5e7c6aa6d 100644 --- a/ArmVirtPkg/ArmVirt.dsc.inc +++ b/ArmVirtPkg/ArmVirt.dsc.inc @@ -17,6 +17,9 @@ [Defines] DEFINE DEBUG_PRINT_ERROR_LEVEL = 0x8000004F DEFINE TTY_TERMINAL = FALSE +[BuildOptions.common.EDKII.DXE_DRIVER,BuildOptions.common.EDKII.UEFI_DRIVER,BuildOptions.common.EDKII.UEFI_APPLICATION] + GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x1000 + [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER] GCC:*_*_ARM_DLINK_FLAGS = -z common-page-size=0x1000 GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x10000
@@ -380,6 +383,13 @@ [PcdsFixedAtBuild.common] [PcdsFixedAtBuild.ARM] gEmbeddedTokenSpaceGuid.PcdPrePiCpuMemorySize|40 +[PcdsFixedAtBuild.AARCH64] + # + # Enable strict image permissions for all images. (This applies + # only to images that were built with >= 4 KB section alignment.) + # + gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3 + [Components.common] # # Networking stack -- 2.7.4
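
Review bot: In the @@ -17,6 +17,9 @@ hunk, the new AARCH64 BuildOptions section for DXE_DRIVER, UEFI_DRIVER and UEFI_APPLICATION has no comment tying "-z common-page-size=0x1000" to PcdImageProtectionPolicy, even though the second hunk states that the policy applies only to images built with >= 4 KB section alignment. Please add a short comment above the section saying that this alignment is what makes these module types eligible for protection, so a later cleanup of the linker flags does not drop it unnoticed. It would also help to say whether module types not listed in this section are intentionally left at the default alignment.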
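
Review bot: In the @@ -380,6 +383,13 @@ hunk, gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3 is a bare bitmask and the comment above it only says "all images". Please spell out in the comment what each of the two set bits selects (the commit message names FV images and external images that originate from disk or the network), so a reader can tell what a value of 0x1 or 0x2 would switch off. The parenthetical about >= 4 KB section alignment should also say what happens to an image that does not meet it, since the comment does not state whether such an image is loaded unprotected or rejected.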