From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by mx.groups.io with SMTP id smtpd.web08.25929.1664180724031195019 for ; Mon, 26 Sep 2022 01:25:24 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=PhCo+Qz2; spf=pass (domain: kernel.org, ip: 145.40.68.75, mailfrom: ardb@kernel.org) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 9C9F3B8199F; Mon, 26 Sep 2022 08:25:22 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 52652C433D6; Mon, 26 Sep 2022 08:25:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1664180722; bh=dmKALCy6ArbN9wuLnR6ObC9lne/0JwTMDMyAAZSCoWE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=PhCo+Qz2EV4P7VrRf4ad2E1MkUFGQLUBMjkuT9iOTbDEJuwAsonyfKgAcV2H8l8rM xuD91yWW/wNI85jjD26NXWDGPjpp8AhzZ6xU41jicAquAE1a7Hrf0iDcIwtPshBcvD SmPSKBHmAKU4O4JNSuFu/+U2sVKbaqdwF95nyHv2GCd74rpKDBpkMPe2yb63g+Sm/P Ry7xss9a+8UW6DKZpjxcY8zPdiEBtpQi2Wgjw5oYR7yjUDXvkNqBgY+lPQaribxRsk xF7NBudRVcL4sxp1WqArchBRA1t1LprGsCWeggb1pMpQ8ZqQC/uAxOCCGAd8d4Ajk/ AGOxqTdbnsFqA== From: "Ard Biesheuvel" To: devel@edk2.groups.io Cc: Ard Biesheuvel , Leif Lindholm , Alexander Graf Subject: [PATCH v3 03/16] ArmVirtPkg: make EFI_LOADER_DATA non-executable Date: Mon, 26 Sep 2022 10:24:58 +0200 Message-Id: <20220926082511.2110797-4-ardb@kernel.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220926082511.2110797-1-ardb@kernel.org> References: <20220926082511.2110797-1-ardb@kernel.org> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable When the memory protections were implemented and enabled on ArmVirtQemu 5+ years ago, we had to work around the fact that GRUB at the time expected EFI_LOADER_DATA to be executable, as that is the memory type it allocates when loading its modules. This has been fixed in GRUB in August 2017, so by now, we should be able to tighten this, and remove execute permissions from EFI_LOADER_DATA allocations. Signed-off-by: Ard Biesheuvel --- ArmVirtPkg/ArmVirt.dsc.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc index 34575585adbb..462073517a22 100644 --- a/ArmVirtPkg/ArmVirt.dsc.inc +++ b/ArmVirtPkg/ArmVirt.dsc.inc @@ -368,7 +368,7 @@ [PcdsFixedAtBuild.common] # reserved ones, with the exception of LoaderData regions, of which OS l= oaders=0D # (i.e., GRUB) may assume that its contents are executable.=0D #=0D - gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC0000000= 00007FD1=0D + gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC0000000= 00007FD5=0D =0D [Components.common]=0D #=0D --=20 2.35.1