From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <lersek@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 89E9181FEA
 for <edk2-devel@ml01.01.org>; Mon, 27 Feb 2017 01:56:04 -0800 (PST)
Received: from int-mx09.intmail.prod.int.phx2.redhat.com
 (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mx1.redhat.com (Postfix) with ESMTPS id 090B061BAB;
 Mon, 27 Feb 2017 09:56:05 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-99.phx2.redhat.com
 [10.3.116.99])
 by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id
 v1R9u2m8005026; Mon, 27 Feb 2017 04:56:02 -0500
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>, edk2-devel@ml01.01.org,
 jiewen.yao@intel.com, leif.lindholm@linaro.org
References: <1488133805-4773-1-git-send-email-ard.biesheuvel@linaro.org>
 <1488133805-4773-7-git-send-email-ard.biesheuvel@linaro.org>
Cc: feng.tian@intel.com, afish@apple.com, liming.gao@intel.com,
 michael.d.kinney@intel.com, star.zeng@intel.com
From: Laszlo Ersek <lersek@redhat.com>
Message-ID: <28c66a26-0415-c84d-b2c1-6aa29174afcf@redhat.com>
Date: Mon, 27 Feb 2017 10:56:00 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
 Thunderbird/45.7.1
MIME-Version: 1.0
In-Reply-To: <1488133805-4773-7-git-send-email-ard.biesheuvel@linaro.org>
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
 (mx1.redhat.com [10.5.110.39]); Mon, 27 Feb 2017 09:56:05 +0000 (UTC)
Subject: Re: [PATCH v3 6/6] MdeModulePkg/DxeCore: implement memory protection policy
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Feb 2017 09:56:04 -0000
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit

On 02/26/17 19:30, Ard Biesheuvel wrote:
> This implements a DXE memory protection policy that ensure that regions
> that don't require executable permissions are mapped with the non-exec
> attribute set.
> 
> First of all, it iterates over all entries in the UEFI memory map, and
> removes executable permissions according to the configured DXE memory
> protection policy, as recorded in PcdDxeMemoryProtectionPolicy.
> 
> Secondly, it sets or clears the non-executable attribute when allocating
> or freeing pages, both for page based or pool based allocations.
> 
> Note that this complements the image protection facility, which applies
> strict permissions to BootServicesCode/RuntimeServicesCode regions when
> the section alignment allows it. The memory protection configured by this
> patch operates on non-code regions only.
> 
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> ---
>  MdeModulePkg/Core/Dxe/DxeMain.h               |  24 ++
>  MdeModulePkg/Core/Dxe/DxeMain.inf             |   1 +
>  MdeModulePkg/Core/Dxe/Mem/Page.c              |   4 +
>  MdeModulePkg/Core/Dxe/Mem/Pool.c              |   7 +
>  MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c | 306 +++++++++++++++++++-
>  5 files changed, 341 insertions(+), 1 deletion(-)

[snip]

> diff --git a/MdeModulePkg/Core/Dxe/DxeMain.inf b/MdeModulePkg/Core/Dxe/DxeMain.inf
> index 371e91cb0d7e..30d5984f7c1f 100644
> --- a/MdeModulePkg/Core/Dxe/DxeMain.inf
> +++ b/MdeModulePkg/Core/Dxe/DxeMain.inf
> @@ -191,6 +191,7 @@ [Pcd]
>    gEfiMdeModulePkgTokenSpaceGuid.PcdMemoryProfileDriverPath                 ## CONSUMES
>    gEfiMdeModulePkgTokenSpaceGuid.PcdPropertiesTableEnable                   ## CONSUMES
>    gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy                   ## CONSUMES
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy             ## CONSUMES
>  
>  # [Hob]
>  # RESOURCE_DESCRIPTOR   ## CONSUMES

The series doesn't build for  me:

.../MdeModulePkg/Core/Dxe/DxeMain.inf(194): error 3000: PCD
[gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy] in
[.../MdeModulePkg/Core/Dxe/DxeMain.inf] is not found in dependent packages:
                .../MdePkg/MdePkg.dec
        .../MdeModulePkg/MdeModulePkg.dec

I think you forgot to add the .dec hunk to this patch.

Thanks
Laszlo