Date: Wed, 4 Jan 2023 13:56:28 +0100
From: "Gerd Hoffmann"
To: devel@edk2.groups.io, ardb@kernel.org
Cc: dann frazier, Alexander Graf, Leif Lindholm
Subject: Re: [edk2-devel] [PATCH v3 03/16] ArmVirtPkg: make EFI_LOADER_DATA non-executable

On Wed, Jan 04, 2023 at 01:04:41PM +0100, Ard Biesheuvel wrote:
> On Wed, 4 Jan 2023 at 12:11, Gerd Hoffmann wrote:
> >
> >   Hi,
> > > >
> > > > --pcd PcdDxeNxMemoryProtectionPolicy=0xC000000000007FD1
> >
> > Can this also be flipped at runtime?
>
> Currently, it is fixed or patchable, which means that you can override
> it at build time only. I don't think making this a dynamic PCD would
> be difficult, and on QEMU, we can set the value early enough if we key
> it off fw_cfg or something like that.
>
> But that implies that you need a 'permissive' mode to invoke QEMU,
> which ends up being always enabled, most likely, so I'm not sure this
> is an improvement.

It works both ways.  Being able to enable nx protection at runtime on
builds which have it disabled by default would be quite useful.  Write
test cases.  Write reproducer instructions which don't include building
edk2 yourself.

take care,
  Gerd
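
Added example, not part of the thread and not edk2 code: a small decoder showing which memory types the quoted PcdDxeNxMemoryProtectionPolicy value leaves executable. It assumes the bit layout documented for this PCD in MdeModulePkg.dec (bit n = EFI_MEMORY_TYPE n, set bit = non-executable); the helper names and the comparison value with the EfiLoaderData bit set are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (MdeModulePkg.dec): bit n of the policy = EFI_MEMORY_TYPE n,
 * and a set bit means "map allocations of this type non-executable".
 * Bits 62 and 63 cover the OEM- and OS-reserved type ranges. */
static const char *const kTypeName[] = {
    "EfiReservedMemoryType", "EfiLoaderCode", "EfiLoaderData",
    "EfiBootServicesCode", "EfiBootServicesData", "EfiRuntimeServicesCode",
    "EfiRuntimeServicesData", "EfiConventionalMemory", "EfiUnusableMemory",
    "EfiACPIReclaimMemory", "EfiACPIMemoryNVS", "EfiMemoryMappedIO",
    "EfiMemoryMappedIOPortSpace", "EfiPalCode", "EfiPersistentMemory",
};
#define NUM_TYPES ((unsigned)(sizeof kTypeName / sizeof kTypeName[0]))
#define EFI_LOADER_DATA 2u

/* 1 if allocations of this memory type get NX under the policy. */
int nx_applied(uint64_t policy, unsigned type) {
    return type < NUM_TYPES && ((policy >> type) & 1u);
}

/* Bitmask of standard memory types the policy leaves executable. */
uint64_t executable_types(uint64_t policy) {
    return ~policy & ((UINT64_C(1) << NUM_TYPES) - 1);
}

/* Print the type names selected by mask; returns how many were printed. */
int print_types(const char *label, uint64_t mask) {
    int n = 0;
    printf("%s:", label);
    for (unsigned t = 0; t < NUM_TYPES; t++)
        if ((mask >> t) & 1u) { printf(" %s", kTypeName[t]); n++; }
    printf("\n");
    return n;
}

int main(void) {
    uint64_t quoted = 0xC000000000007FD1ULL;  /* value quoted in the thread */
    /* Constructed for comparison: same policy with the EfiLoaderData bit set. */
    uint64_t with_nx = quoted | (UINT64_C(1) << EFI_LOADER_DATA);

    print_types("executable under quoted value", executable_types(quoted));
    print_types("executable with loader-data NX", executable_types(with_nx));
    print_types("differs between the two", quoted ^ with_nx);
    /* Exit status 0 here means loader data stays executable. */
    return nx_applied(quoted, EFI_LOADER_DATA);
}
```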