Hi Ard,

Talked to the team and I think the appropriate answer to this is to follow
what is currently done through the MSVC FLAGS, i.e. that any PE that
knowingly does not meet these requirements manually opts out of NXCOMPAT
via the /NXCOMPAT:no flag. That means adding a flag to GENFW: "--nxcompat
no". Then this can be appended to existing flags in the INF of any
incompatible component.

Invalid PEs could be reviewed after this patch is in, or as a part of it.
We have a list of modules that modules that are potentially non-nx compat,
but would need to be evaluated by package owners and may not be all
encompassing.

Thanks,
Joey

On Fri, Jun 23, 2023 at 9:11 AM Ard Biesheuvel <ardb@kernel.org> wrote:

> On Fri, 23 Jun 2023 at 18:03, Joey Vagedes <joey.vagedes@gmail.com> wrote:
> >
> > Utilize GenFw to automatically set the NXCOMPAT bit of the DLL
> Characteristics
> > field of the Optional Header if the following requirements are met:
> >
> > 1. It is a 64bit PE
> > 2. The section alignment is evently divisible by 4K
> > 3. No section is both EFI_IMAGE_SCN_MEM_EXECUTE and
> EFI_IMAGE_SCN_MEM_WRITE
> >
>
> Is this sufficient? For example, the EBC DXE driver creates code
> trampolines in page allocations, and expects them to be executable.
> However, this change would flag that driver as NX compat too.
>