From: "Leif Lindholm"
Date: Mon, 26 Sep 2022 15:28:27 -0700
Subject: Re: [edk2-devel] [PATCH v3 03/16] ArmVirtPkg: make EFI_LOADER_DATA non-executable
CC: Alexander Graf
Message-ID: <87ac5d08-4c9d-b618-1c8e-4175d9f0cf7c@quicinc.com>
References: <20220926082511.2110797-1-ardb@kernel.org> <20220926082511.2110797-4-ardb@kernel.org>
In-Reply-To: <20220926082511.2110797-4-ardb@kernel.org>

On 2022-09-26 01:24, Ard Biesheuvel wrote:
> When the memory protections were implemented and enabled on ArmVirtQemu
> 5+ years ago, we had to work around the fact that GRUB at the time
> expected EFI_LOADER_DATA to be executable, as that is the memory type it
> allocates when loading its modules.
>
> This has been fixed in GRUB in August 2017, so by now, we should be able
> to tighten this, and remove execute permissions from EFI_LOADER_DATA
> allocations.
>
> Signed-off-by: Ard Biesheuvel
> ---
> ArmVirtPkg/ArmVirt.dsc.inc | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc > index 34575585adbb..462073517a22 100644 > --- a/ArmVirtPkg/ArmVirt.dsc.inc > +++ b/ArmVirtPkg/ArmVirt.dsc.inc
> @@ -368,7 +368,7 @@ [PcdsFixedAtBuild.common] > # reserved ones, with the exception of LoaderData regions, of which OS loaders > > # (i.e., GRUB) may assume that its contents are executable. > Should the comment be updated too ("old versions of GRUB")? Regardless: Reviewed-by: Leif Lindholm / Leif > # > > - gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD1 > > + gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD5 > > > > [Components.common] > > # >
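Review bot: The context comment directly above the changed PCD still reads "with the exception of LoaderData regions, of which OS loaders (i.e., GRUB) may assume that its contents are executable", which contradicts the new value. Going from 0xC000000000007FD1 to 0xC000000000007FD5 sets bit 2, the EfiLoaderData bit of this policy mask, so LoaderData allocations now lose execute permission like the other data types. Please rewrite the comment in this same patch so it describes the mask as it is now set. It would also help to record there that GRUB builds predating the August 2017 fix named in the commit message still load their modules into EFI_LOADER_DATA and expect it to be executable, so anyone bisecting a boot failure with an old loader finds the cause next to the setting.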