From: Joey Vagedes
To: devel@edk2.groups.io
Cc: Rebecca Cran, Liming Gao, Bob Feng, Yuwei Chen
Subject: [PATCH v1 2/2] BaseTools: GenFw: auto-set nxcompat flag
Date: Fri, 23 Jun 2023 08:44:42 -0700
Message-ID: <20230623154442.799-3-joey.vagedes@gmail.com>
X-Mailer: git-send-email 2.41.0.windows.1
In-Reply-To: <20230623154442.799-1-joey.vagedes@gmail.com>
References: <20230623154442.799-1-joey.vagedes@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Automatically set the nxcompat flag in the DLL Characteristics field of the Optional Header of the PE32+ image. For this flag to be set automatically, the section alignment must be evenly divisible by 4K (EFI_PAGE_SIZE) and no section must be executable and writable.

Cc: Rebecca Cran
Cc: Liming Gao
Cc: Bob Feng
Cc: Yuwei Chen
Signed-off-by: Joey Vagedes
---
 BaseTools/Source/C/GenFw/GenFw.c | 59 ++++++++++++++++++++
 1 file changed, 59 insertions(+)

diff --git a/BaseTools/Source/C/GenFw/GenFw.c b/BaseTools/Source/C/GenFw/Ge= nFw.c index 0289c8ef8a5c..4581c4233c14 100644 --- a/BaseTools/Source/C/GenFw/GenFw.c +++ b/BaseTools/Source/C/GenFw/GenFw.c
@@ -441,6 +441,60 @@ Returns: return STATUS_SUCCESS;=0D }=0D =0D +STATIC=0D +BOOLEAN=0D +IsNxCompatCompliant (=0D + EFI_IMAGE_OPTIONAL_HEADER_UNION *PeHdr=0D + )=0D +/*++=0D +=0D +Routine Description:=0D +=0D + Checks if the Pe image is nxcompat. i.e. PE is 64bit, section alignment = is=0D + evenly divisible by 4k, and no section is writable and executable.=0D +=0D +Arguments:=0D +=0D + PeHdr The Pe header=0D +=0D +Returns:=0D + TRUE The PE is nx compat compliant=0D + FALSE The PE is not nx compat compliant=0D +=0D +--*/=0D +{=0D + EFI_IMAGE_SECTION_HEADER *SectionHeader;=0D + UINT32 Index;=0D + UINT32 Mask;=0D +=0D + // Must have an optional header to perform verification=0D + if (PeHdr->Pe32.FileHeader.SizeOfOptionalHeader =3D=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + // Verify PE is 64 bit=0D + if (!(PeHdr->Pe32.OptionalHeader.Magic =3D=3D EFI_IMAGE_NT_OPTIONAL_HDR6= 4_MAGIC)) {=0D + return FALSE;=0D + }=0D +=0D + // Verify Section Alignment is divisible by 4K=0D + if (!((PeHdr->Pe32Plus.OptionalHeader.SectionAlignment % EFI_PAGE_SIZE) = =3D=3D 0)) {=0D + return FALSE;=0D + }=0D +=0D + // Verify sections are not Write & Execute=0D + Mask =3D EFI_IMAGE_SCN_MEM_EXECUTE | EFI_IMAGE_SCN_MEM_WRITE;=0D + SectionHeader =3D (EFI_IMAGE_SECTION_HEADER *) ((UINT8 *) &(PeHdr->Pe32P= lus.OptionalHeader) + PeHdr->Pe32Plus.FileHeader.SizeOfOptionalHeader);=0D + for (Index =3D 0; Index < PeHdr->Pe32Plus.FileHeader.NumberOfSections; I= ndex ++, SectionHeader ++) {=0D + if ((SectionHeader->Characteristics & Mask) =3D=3D Mask) {=0D + return FALSE;=0D + }=0D + }=0D +=0D + // Passed all requirements, return TRUE=0D + return TRUE;=0D +}=0D +=0D VOID=0D SetHiiResourceHeader (=0D UINT8 *HiiBinData,=0D 
@@ -2458,6 +2512,11 @@ Returns: TEImageHeader.BaseOfCode =3D Optional64->BaseOfCode;=0D TEImageHeader.ImageBase =3D (UINT64) (Optional64->ImageBase)= ;=0D =0D + // Set NxCompat flag=0D + if (IsNxCompatCompliant (PeHdr)) {=0D + Optional64->DllCharacteristics |=3D IMAGE_DLLCHARACTERISTICS_NX_COMP= AT;=0D + }=0D +=0D if (Optional64->NumberOfRvaAndSizes > EFI_IMAGE_DIRECTORY_ENTRY_BASERE= LOC) {=0D TEImageHeader.DataDirectory[EFI_TE_IMAGE_DIRECTORY_ENTRY_BASERELOC].= VirtualAddress =3D Optional64->DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_BASE= RELOC].VirtualAddress;=0D TEImageHeader.DataDirectory[EFI_TE_IMAGE_DIRECTORY_ENTRY_BASERELOC].= Size =3D Optional64->DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_BASERELOC].Siz= e;=0D --=20 2.41.0.windows.1
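Review bot: In the first hunk (IsNxCompatCompliant), the alignment test `(SectionAlignment % EFI_PAGE_SIZE) == 0` is also true when SectionAlignment is 0, so an image with a zero alignment field would be treated as compliant; consider rejecting 0 explicitly before the modulo check. The section walk also trusts SizeOfOptionalHeader and NumberOfSections with nothing to bound them against, because the function receives only PeHdr; passing the image length and checking the computed section table against it would keep a malformed header from being read past the buffer. As a style point, the `!(a == b)` form used in the Magic and alignment checks reads more clearly as `a != b`.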
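Review bot: In the second hunk, `Optional64->DllCharacteristics |= IMAGE_DLLCHARACTERISTICS_NX_COMPAT` only ever sets the bit, so an input image that already carries NX_COMPAT but fails IsNxCompatCompliant (for example, one with a section that is both writable and executable) keeps the flag. If the flag is meant to reflect the result of the check, add an else branch that clears it, or say in the comment that a pre-set flag is deliberately preserved. The `// Set NxCompat flag` comment could also name the conditions under which the flag is set, and since this call site already works through Optional64, the Magic test inside the helper looks redundant for this caller.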