From: Ard Biesheuvel
To: lersek@redhat.com, edk2-devel@lists.01.org
Cc: leif.lindholm@linaro.org, Ard Biesheuvel
Date: Wed, 1 Mar 2017 14:36:17 +0000
Message-Id: <1488378977-15398-1-git-send-email-ard.biesheuvel@linaro.org>
Subject: [PATCH v2] ArmVirtPkg AARCH64: enable NX memory protection for all platforms

This sets the recently introduced PCD PcdDxeNxMemoryProtectionPolicy to a value that protects all memory regions except code regions against inadvertent execution. Note that this does not [yet] protect EfiLoaderData regions, due to compatibility issues with shim and GRUB.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel
Reviewed-by: Jiewen Yao
---
v2: leave EfiLoaderData executable for the time being

 ArmVirtPkg/ArmVirt.dsc.inc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc index 2b0a44e14d24..a91b27f13cf2 100644 --- a/ArmVirtPkg/ArmVirt.dsc.inc +++ b/ArmVirtPkg/ArmVirt.dsc.inc @@ -383,6 +383,13 @@ [PcdsFixedAtBuild.AARCH64] # gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3 + # + # Enable NX memory protection for all non-code regions, including OEM and OS + # reserved ones, with the exception of LoaderData regions, of which OS loaders + # (i.e., GRUB) may assume that its contents are executable. + # + gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD1 + [Components.common] # # Networking stack -- 2.7.4
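Review bot: The added comment in the hunk gives no way to verify the magic value, and its last sentence is ungrammatical. 0xC000000000007FD1 is an opaque bitmask; since the commit message says only code regions and EfiLoaderData stay executable, suggest stating next to the value which memory type bits are deliberately left clear (the code types and EfiLoaderData) and that the top two bits are the OEM and OS reserved ranges the comment mentions, so a reviewer can check the mask against the stated intent without decoding it by hand. Also, "of which OS loaders (i.e., GRUB) may assume that its contents are executable" should read "whose contents OS loaders (e.g., GRUB) may assume are executable": GRUB is one example, and the commit message also names shim.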
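The PCD value above is a per-memory-type bitmask, and the commit message states what it is meant to express (everything NX except code regions and, for now, EfiLoaderData). The following decoder and check, added here as an example and not code from the patch or from EDK2, turns the mask into memory type names and verifies it against that intent; the EFI_MEMORY_TYPE numbering and the use of bits 62/63 for the OEM/OS reserved ranges are assumed from the UEFI specification and the PCD's documentation, not taken from this mail.

```python
"""Decode a PcdDxeNxMemoryProtectionPolicy mask and check it against the
intent stated in the patch: all non-code regions NX, LoaderData excepted."""

# EFI_MEMORY_TYPE numbering, assumed from the UEFI spec (not from the mail).
# Bits 62/63 are the PCD's OEM- and OS-reserved type ranges.
EFI_MEMORY_TYPES = {
    0: "EfiReservedMemoryType", 1: "EfiLoaderCode", 2: "EfiLoaderData",
    3: "EfiBootServicesCode", 4: "EfiBootServicesData",
    5: "EfiRuntimeServicesCode", 6: "EfiRuntimeServicesData",
    7: "EfiConventionalMemory", 8: "EfiUnusableMemory",
    9: "EfiACPIReclaimMemory", 10: "EfiACPIMemoryNVS",
    11: "EfiMemoryMappedIO", 12: "EfiMemoryMappedIOPortSpace",
    13: "EfiPalCode", 14: "EfiPersistentMemory",
    62: "OEM reserved", 63: "OS reserved",
}

# Regions that must remain executable: code, plus EfiLoaderData while
# shim/GRUB may still execute out of it (the v2 change in the patch).
CODE_TYPES = {"EfiLoaderCode", "EfiBootServicesCode", "EfiRuntimeServicesCode"}
LOADER_DATA = "EfiLoaderData"

# The value the patch sets.
PCD_DXE_NX_POLICY = 0xC000000000007FD1


def decode_policy(mask):
    """Split the mask into (types mapped NX, types left executable)."""
    nx = [n for b, n in EFI_MEMORY_TYPES.items() if (mask >> b) & 1]
    exe = [n for b, n in EFI_MEMORY_TYPES.items() if not (mask >> b) & 1]
    return nx, exe


def unknown_bits(mask):
    """Bits set in the mask that correspond to no known memory type."""
    return [b for b in range(64) if (mask >> b) & 1 and b not in EFI_MEMORY_TYPES]


def policy_matches_intent(mask, loader_data_executable=True):
    """True if exactly the code types (and, if requested, EfiLoaderData)
    are executable, every other known type is NX, and no stray bit is set."""
    _, exe = decode_policy(mask)
    expected = set(CODE_TYPES) | ({LOADER_DATA} if loader_data_executable else set())
    return set(exe) == expected and not unknown_bits(mask)


if __name__ == "__main__":
    nx, exe = decode_policy(PCD_DXE_NX_POLICY)
    print("NX:        ", ", ".join(nx))
    print("executable:", ", ".join(exe))
    print("matches v2 intent:", policy_matches_intent(PCD_DXE_NX_POLICY))
```

Flipping `loader_data_executable` to False describes the stricter policy the commit message defers, and the check then rejects the v2 value until bit 2 is also set.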