From: Ard Biesheuvel
To: edk2-devel@lists.01.org, leif.lindholm@linaro.org
Cc: lersek@redhat.com, Ard Biesheuvel
Date: Tue, 7 Mar 2017 09:42:05 +0100
Message-Id: <1488876125-24396-5-git-send-email-ard.biesheuvel@linaro.org>
In-Reply-To: <1488876125-24396-1-git-send-email-ard.biesheuvel@linaro.org>
References: <1488876125-24396-1-git-send-email-ard.biesheuvel@linaro.org>
Subject: [PATCH v2 4/4] ArmVirtPkg: enable non-executable DXE stack for all platforms
List-Id: EDK II Development

Now that ARM has grown support for managing memory permissions in ArmMmuLib, we can enable the non-executable DXE stack for all virt platforms. Note that this includes the AARCH64 Xen platform as well.

Note that this is not [entirely] redundant: the non-executable stack is configured before DxeCore is invoked. The image and memory protection features configured during DXE only take effect when the CPU arch protocol implementation is registered.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel
Reviewed-by: Laszlo Ersek

--- ArmVirtPkg/ArmVirt.dsc.inc | 5 +++++ ArmVirtPkg/ArmVirtQemu.dsc | 2 -- ArmVirtPkg/ArmVirtQemuKernel.dsc | 2 -- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc index acfb71d3ff6c..e2d3dcce7945 100644 --- a/ArmVirtPkg/ArmVirt.dsc.inc +++ b/ArmVirtPkg/ArmVirt.dsc.inc @@ -386,6 +386,11 @@ [PcdsFixedAtBuild.common] # gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD1 + # + # Enable the non-executable DXE stack. (This gets set up by DxeIpl) + # + gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|TRUE + [PcdsFixedAtBuild.ARM] gEmbeddedTokenSpaceGuid.PcdPrePiCpuMemorySize|40 
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc index 615e1fca4877..477dfdcfc764 100644 --- a/ArmVirtPkg/ArmVirtQemu.dsc +++ b/ArmVirtPkg/ArmVirtQemu.dsc @@ -152,8 +152,6 @@ [PcdsFixedAtBuild.common] gEmbeddedTokenSpaceGuid.PcdPrePiCpuIoSize|16 [PcdsFixedAtBuild.AARCH64] - gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|TRUE - # KVM limits it IPA space to 40 bits (1 TB), so there is no need to # support anything bigger, even if the host hardware does gEmbeddedTokenSpaceGuid.PcdPrePiCpuMemorySize|40 diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc index e4902690123c..fd39c2802a85 100644 --- a/ArmVirtPkg/ArmVirtQemuKernel.dsc +++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc @@ -163,8 +163,6 @@ [PcdsFixedAtBuild.AARCH64] # gEmbeddedTokenSpaceGuid.PcdPrePiCpuIoSize|16 - gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|TRUE - # KVM limits it IPA space to 40 bits (1 TB), so there is no need to # support anything bigger, even if the host hardware does gEmbeddedTokenSpaceGuid.PcdPrePiCpuMemorySize|40 -- 2.7.4
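Review bot: In the ArmVirt.dsc.inc hunk, the new comment above gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|TRUE does not explain why this PCD is needed alongside PcdDxeNxMemoryProtectionPolicy, which is set in the context line directly above it. The commit message gives the reason (the stack is made non-executable before DxeCore is invoked, while the protections configured during DXE only apply once the CPU arch protocol implementation is registered). Please carry a one-line version of that into the comment, so the two settings are not later read as duplicates and one of them dropped.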
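Review bot: The two removals in ArmVirtQemu.dsc and ArmVirtQemuKernel.dsc take PcdSetNxForStack|TRUE out of [PcdsFixedAtBuild.AARCH64], while the replacement in ArmVirt.dsc.inc lands in [PcdsFixedAtBuild.common], so the 32-bit ARM builds of these platforms get the non-executable stack for the first time. The commit message calls out the AARCH64 Xen platform but says nothing about the ARM builds; please add a sentence confirming that the ARM configurations are intended to be covered and have been boot-tested with this setting.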