From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217])
 by mx.groups.io with SMTP id smtpd.web08.5942.1666171350032450064
 for <devel@edk2.groups.io>;
 Wed, 19 Oct 2022 02:22:30 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@kernel.org header.s=k20201202 header.b=WD3WMI9m;
 spf=pass (domain: kernel.org, ip: 139.178.84.217, mailfrom: ardb@kernel.org)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by dfw.source.kernel.org (Postfix) with ESMTPS id 8ACDF617DF;
	Wed, 19 Oct 2022 09:22:29 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3F102C43143;
	Wed, 19 Oct 2022 09:22:27 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1666171349;
	bh=dmKALCy6ArbN9wuLnR6ObC9lne/0JwTMDMyAAZSCoWE=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=WD3WMI9mADJKcZ60eMpdHE+cPW3scT3BCygfKFfrGIDivVs9z9cyqO06ElUpuYRo6
	 WsBXpvGMnwMTpI2jplzARJxXhCufV7I5tqAvPFWKgY/NsudY2gWwfR8Gv0e4BD2PPb
	 h/pdbYbS/IlN5/EF1VHaHXhqm3fsbxWUVnfQ1VEpXrL3y7EjpxuCvTjUC40fq1T7Gn
	 eTDah8FnDMIbcGY6H6pwMhfT3Jybc0niziJDVJrmPwBDoPHyZbqvrzZlilz7O0LqUn
	 26bb8lDlRubbrgGnh9VhsDypdbrO3mPsIMNBsrc0XPQAvtV40qsF7TwwpWmojZkn1Y
	 lbGxPSg+hVxdg==
From: "Ard Biesheuvel" <ardb@kernel.org>
To: devel@edk2.groups.io
Cc: Ard Biesheuvel <ardb@kernel.org>,
	Leif Lindholm <quic_llindhol@quicinc.com>,
	Alexander Graf <agraf@csgraf.de>,
	Gerd Hoffmann <kraxel@redhat.com>,
	Sami Mujawar <Sami.Mujawar@arm.com>
Subject: [PATCH v3 resend 03/11] ArmVirtPkg: make EFI_LOADER_DATA non-executable
Date: Wed, 19 Oct 2022 11:22:03 +0200
Message-Id: <20221019092211.465699-4-ardb@kernel.org>
X-Mailer: git-send-email 2.35.1
In-Reply-To: <20221019092211.465699-1-ardb@kernel.org>
References: <20221019092211.465699-1-ardb@kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

When the memory protections were implemented and enabled on ArmVirtQemu
5+ years ago, we had to work around the fact that GRUB at the time
expected EFI_LOADER_DATA to be executable, as that is the memory type it
allocates when loading its modules.

This has been fixed in GRUB in August 2017, so by now, we should be able
to tighten this, and remove execute permissions from EFI_LOADER_DATA
allocations.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
 ArmVirtPkg/ArmVirt.dsc.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
index 34575585adbb..462073517a22 100644
--- a/ArmVirtPkg/ArmVirt.dsc.inc
+++ b/ArmVirtPkg/ArmVirt.dsc.inc
@@ -368,7 +368,7 @@ [PcdsFixedAtBuild.common]
   # reserved ones, with the exception of LoaderData regions, of which OS l=
oaders=0D
   # (i.e., GRUB) may assume that its contents are executable.=0D
   #=0D
-  gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC0000000=
00007FD1=0D
+  gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC0000000=
00007FD5=0D
 =0D
 [Components.common]=0D
   #=0D
--=20
2.35.1