From: Laszlo Ersek
To: Ard Biesheuvel, edk2-devel@ml01.01.org, jiewen.yao@intel.com, leif.lindholm@linaro.org
Cc: feng.tian@intel.com, afish@apple.com, liming.gao@intel.com, michael.d.kinney@intel.com, star.zeng@intel.com
Date: Mon, 27 Feb 2017 10:56:00 +0100
Message-ID: <28c66a26-0415-c84d-b2c1-6aa29174afcf@redhat.com>
In-Reply-To: <1488133805-4773-7-git-send-email-ard.biesheuvel@linaro.org>
References: <1488133805-4773-1-git-send-email-ard.biesheuvel@linaro.org> <1488133805-4773-7-git-send-email-ard.biesheuvel@linaro.org>
Subject: Re: [PATCH v3 6/6] MdeModulePkg/DxeCore: implement memory protection policy

On 02/26/17 19:30, Ard Biesheuvel wrote:
> This implements a DXE memory protection policy that ensures that regions
> that don't require executable permissions are mapped with the non-exec
> attribute set.
>
> First of all, it iterates over all entries in the UEFI memory map, and
> removes executable permissions according to the configured DXE memory
> protection policy, as recorded in PcdDxeMemoryProtectionPolicy.
>
> Secondly, it sets or clears the non-executable attribute when allocating
> or freeing pages, both for page based or pool based allocations.
>
> Note that this complements the image protection facility, which applies
> strict permissions to BootServicesCode/RuntimeServicesCode regions when
> the section alignment allows it. The memory protection configured by this
> patch operates on non-code regions only.
>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Ard Biesheuvel > --- > MdeModulePkg/Core/Dxe/DxeMain.h | 24 ++ > MdeModulePkg/Core/Dxe/DxeMain.inf | 1 + > MdeModulePkg/Core/Dxe/Mem/Page.c | 4 + > MdeModulePkg/Core/Dxe/Mem/Pool.c | 7 + > MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c | 306 +++++++++++++++++++- > 5 files changed, 341 insertions(+), 1 deletion(-) [snip] > diff --git a/MdeModulePkg/Core/Dxe/DxeMain.inf b/MdeModulePkg/Core/Dxe/DxeMain.inf > index 371e91cb0d7e..30d5984f7c1f 100644 > --- a/MdeModulePkg/Core/Dxe/DxeMain.inf > +++ b/MdeModulePkg/Core/Dxe/DxeMain.inf > @@ -191,6 +191,7 @@ [Pcd] > gEfiMdeModulePkgTokenSpaceGuid.PcdMemoryProfileDriverPath ## CONSUMES > gEfiMdeModulePkgTokenSpaceGuid.PcdPropertiesTableEnable ## CONSUMES > gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy ## CONSUMES > + gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy ## CONSUMES > > # [Hob] > # RESOURCE_DESCRIPTOR ## CONSUMES The series doesn't build for me: .../MdeModulePkg/Core/Dxe/DxeMain.inf(194): error 3000: PCD [gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy] in [.../MdeModulePkg/Core/Dxe/DxeMain.inf] is not found in dependent packages: .../MdePkg/MdePkg.dec .../MdeModulePkg/MdeModulePkg.dec I think you forgot to add the .dec hunk to this patch. Thanks Laszlo
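Review bot: The PCD consumed in the DxeMain.inf hunk, PcdDxeNxMemoryProtectionPolicy, does not match the name used in the commit message, PcdDxeMemoryProtectionPolicy; the commit message should be corrected to the name the code actually consumes. The diffstat above the hunk lists no MdeModulePkg.dec change, so the new PCD is added to the [Pcd] section of the .inf without being declared in any package .dec the module depends on, which is exactly what the error 3000 quoted in the reply reports; the patch needs the MdeModulePkg.dec hunk declaring the PCD (with its default value) before the .inf hunk can build.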
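The two steps described in the quoted commit message (walk the UEFI memory map and strip execute permission from every region whose type does not need it, then apply the same rule on page allocation and free) can be modelled in a few dozen lines. The following C program is an added illustration, not code from Ard's patch or from EDK II: it assumes the policy is a 64-bit mask with one bit per EFI_MEMORY_TYPE value (bit n set means type n is mapped non-executable), that code types are always left to the separate image protection facility, and that the trimmed mem_desc struct stands in for the real EFI_MEMORY_DESCRIPTOR. The memory map it runs over is constructed for the example. The memory type numbers and the EFI_MEMORY_XP attribute bit are the values from the UEFI specification.

```c
/* Added example, not EDK II code: models the DXE NX memory protection policy
 * from the commit message. Policy encoding, the code-type exclusion and the
 * descriptor struct are assumptions made for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* UEFI memory type numbers as defined in the UEFI specification. */
enum efi_memory_type {
  EfiReservedMemoryType = 0, EfiLoaderCode = 1, EfiLoaderData = 2,
  EfiBootServicesCode = 3, EfiBootServicesData = 4,
  EfiRuntimeServicesCode = 5, EfiRuntimeServicesData = 6,
  EfiConventionalMemory = 7, EfiUnusableMemory = 8,
  EfiACPIReclaimMemory = 9, EfiACPIMemoryNVS = 10,
  EfiMemoryMappedIO = 11, EfiMemoryMappedIOPortSpace = 12,
  EfiPalCode = 13, EfiPersistentMemory = 14, EfiMaxMemoryType = 15
};

/* "Execute protected" memory attribute bit, per the UEFI specification. */
#define EFI_MEMORY_XP 0x0000000000004000ULL

/* Trimmed stand-in for EFI_MEMORY_DESCRIPTOR (assumption, not the real struct). */
struct mem_desc {
  uint32_t type;      /* enum efi_memory_type */
  uint64_t start;     /* physical start address */
  uint64_t pages;     /* size in 4 KiB pages */
  uint64_t attribute; /* EFI_MEMORY_* bits currently applied */
};

/* Code types are covered by image protection, so the NX policy never
 * touches them (modelling choice matching "non-code regions only"). */
static int is_code_type(uint32_t type) {
  return type == EfiLoaderCode || type == EfiBootServicesCode ||
         type == EfiRuntimeServicesCode || type == EfiPalCode;
}

/* Policy mask: bit n set means memory type n must not be executable.
 * The default built here marks every non-code type. */
uint64_t default_nx_policy(void) {
  uint64_t policy = 0;
  for (uint32_t t = 0; t < EfiMaxMemoryType; t++)
    if (!is_code_type(t)) policy |= 1ULL << t;
  return policy;
}

/* Attribute the policy requires for one memory type: EFI_MEMORY_XP or 0.
 * Unknown types (>= EfiMaxMemoryType) are deliberately left alone. */
uint64_t nx_attribute_for_type(uint64_t policy, uint32_t type) {
  if (type >= EfiMaxMemoryType || is_code_type(type)) return 0;
  return (policy & (1ULL << type)) ? EFI_MEMORY_XP : 0;
}

/* Step 1: walk the memory map and apply the policy to every descriptor.
 * Returns the number of descriptors whose attribute actually changed. */
size_t apply_nx_policy(uint64_t policy, struct mem_desc *map, size_t count) {
  size_t changed = 0;
  for (size_t i = 0; i < count; i++) {
    uint64_t want = nx_attribute_for_type(policy, map[i].type);
    uint64_t next = (map[i].attribute & ~EFI_MEMORY_XP) | want;
    if (next != map[i].attribute) { map[i].attribute = next; changed++; }
  }
  return changed;
}

/* Step 2: allocation and free hooks. A freed range becomes conventional
 * memory, so its attribute follows the policy for that type. */
uint64_t attribute_on_allocate(uint64_t policy, uint32_t type) {
  return nx_attribute_for_type(policy, type);
}
uint64_t attribute_on_free(uint64_t policy) {
  return nx_attribute_for_type(policy, EfiConventionalMemory);
}

/* Constructed sample memory map (not taken from any real platform). */
size_t build_sample_map(struct mem_desc *map) {
  const struct mem_desc sample[] = {
    { EfiBootServicesCode,    0x00001000, 16,  0 },
    { EfiBootServicesData,    0x00011000, 32,  0 },
    { EfiConventionalMemory,  0x00031000, 256, 0 },
    { EfiRuntimeServicesCode, 0x00131000, 8,   0 },
    { EfiRuntimeServicesData, 0x00139000, 8,   0 },
    { EfiMemoryMappedIO,      0xF0000000, 64,  0 },
  };
  size_t n = sizeof sample / sizeof sample[0];
  for (size_t i = 0; i < n; i++) map[i] = sample[i];
  return n;
}

/* Applies the default policy to the sample map, prints the result and
 * returns how many regions were newly marked non-executable. */
size_t demo_apply_policy(void) {
  struct mem_desc map[8];
  size_t n = build_sample_map(map);
  size_t changed = apply_nx_policy(default_nx_policy(), map, n);
  for (size_t i = 0; i < n; i++)
    printf("type %2u at 0x%08llx: %s\n", (unsigned)map[i].type,
           (unsigned long long)map[i].start,
           (map[i].attribute & EFI_MEMORY_XP) ? "NX" : "executable");
  return changed;
}

int main(void) {
  printf("%zu region(s) marked non-executable\n", demo_apply_policy());
  return 0;
}
```

Running it marks the four data, conventional and MMIO regions NX and leaves the two code regions untouched; a second pass over the same map changes nothing, which is the property a policy applied on every allocation and free must have.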