From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-pf1-f171.google.com (mail-pf1-f171.google.com [209.85.210.171])
 by mx.groups.io with SMTP id smtpd.web11.2876.1687904649245097562
 for <devel@edk2.groups.io>;
 Tue, 27 Jun 2023 15:24:09 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20221208 header.b=bEezNgNO;
 spf=pass (domain: gmail.com, ip: 209.85.210.171, mailfrom: joey.vagedes@gmail.com)
Received: by mail-pf1-f171.google.com with SMTP id d2e1a72fcca58-666e3b15370so3345978b3a.0
        for <devel@edk2.groups.io>; Tue, 27 Jun 2023 15:24:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20221208; t=1687904649; x=1690496649;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date:message-id:reply-to;
        bh=ffr4Mish8IdomlhVfQemT4WUE9NErYbVwv4cPtq/7LQ=;
        b=bEezNgNOvAAH2U6D7zaZzZZdJYvrL4ZiHJ71gYKalrfRui57lpdffx794ofgraYNIx
         esoy52MAmAdxNhx4bpjJOgJrwrFWnkGZHqp5U+vh/JWK+/VEKkTcd0sEu4AT7s1eI344
         Vpie3vWSpGmXTthRDoMmkyktq59pJNb2/3kl60YHb9vL2nytb05KTixdM7liyBvXQWaD
         AdPHqsk1Vmpj4yo0jL97kEAoMc/S31rHTzVLd0jCWSD5g5mgGe4Q793ztdSaa2oa8t7F
         BWG7cUU9LWQSW5+pd26ZYVpYW3IsWr5HOPGO2ZlDw/NDXbOuMaUIp3S4EUKDxSiKiiUj
         vzFg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1687904649; x=1690496649;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=ffr4Mish8IdomlhVfQemT4WUE9NErYbVwv4cPtq/7LQ=;
        b=lE2HBNeaBY6F+RoZOjsnIDm+ky3Yy7HDU9pCJXLx7Dp+HcX0fCrM2mWAk1ia9ZdS07
         r+AJmPXAbACzpcDSOwaXI8FTTSX3dn6qSJNL2a0LZuSHSu5d9HNp03iKeiPMX3VFHQ95
         lHcd0WY1TLlvpGpbIFEtASybr+9fdXtgkaEByXSgiwrVNu/zR8uXcsWC7XIXXIaQPPhS
         OnE9YdsvXAJOlYUZS7bX0nw0m5AekR6j8ZCU8R7VRjSpxXfR87o7b8IjVm84iJQRy4Fh
         eBoprTS4fIAQVd6P4Gq9oHza9BlqsfmBR47RL+ZVFuWEzAJXtNUp+IUcbqsIEo4c2prt
         4OKg==
X-Gm-Message-State: AC+VfDwSrT60s5gNln5D/V525VXv0MDL9OF0h7kw1q4F6Owx/xl5Ob2A
	dwYrg+qSpYJnrcWfiL0v2PC36+EHsbTS8sBV41M=
X-Google-Smtp-Source: ACHHUZ5XvFc8kI9irRnc6uyqBDfZgyzWLXcn4bWgz4woC3piZRUVKsJQEw0cdKCUYMr9xmaB9es8hfELmIwCL5MOiDs=
X-Received: by 2002:a05:6a00:1988:b0:675:8f71:28f1 with SMTP id
 d8-20020a056a00198800b006758f7128f1mr7040626pfl.30.1687904648405; Tue, 27 Jun
 2023 15:24:08 -0700 (PDT)
MIME-Version: 1.0
References: <20230623154442.799-1-joey.vagedes@gmail.com> <CAMj1kXFV4NEDe65_zGtz5NC9gq+L9-isZcfcdYTRyc-k5gxdzA@mail.gmail.com>
In-Reply-To: <CAMj1kXFV4NEDe65_zGtz5NC9gq+L9-isZcfcdYTRyc-k5gxdzA@mail.gmail.com>
From: Joey Vagedes <joey.vagedes@gmail.com>
Date: Tue, 27 Jun 2023 15:23:55 -0700
Message-ID: <CAKURc-9nLqeDrdXmNo6V+M1Kk=Mvr4QSagApMJhQ9XdGvyFamQ@mail.gmail.com>
Subject: Re: [edk2-devel] [PATCH v1 0/2] Automatically set NXCOMPAT bit if requirements are met
To: Ard Biesheuvel <ardb@kernel.org>
Cc: devel@edk2.groups.io, Michael D Kinney <michael.d.kinney@intel.com>, 
	Liming Gao <gaoliming@byosoft.com.cn>, Zhiguang Liu <zhiguang.liu@intel.com>, 
	Rebecca Cran <rebecca@bsdio.com>, Bob Feng <bob.c.feng@intel.com>, 
	Yuwei Chen <yuwei.chen@intel.com>
Content-Type: multipart/alternative; boundary="000000000000fba8a905ff23ecb7"

--000000000000fba8a905ff23ecb7
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Ard,

Talked to the team and I think the appropriate answer to this is to follow
what is currently done through the MSVC FLAGS, i.e. that any PE that
knowingly does not meet these requirements manually opts out of NXCOMPAT
via the /NXCOMPAT:no flag. That means adding a flag to GENFW: "--nxcompat
no". Then this can be appended to existing flags in the INF of any
incompatible component.

Invalid PEs could be reviewed after this patch is in, or as a part of it.
We have a list of modules that modules that are potentially non-nx compat,
but would need to be evaluated by package owners and may not be all
encompassing.

Thanks,
Joey

On Fri, Jun 23, 2023 at 9:11=E2=80=AFAM Ard Biesheuvel <ardb@kernel.org> wr=
ote:

> On Fri, 23 Jun 2023 at 18:03, Joey Vagedes <joey.vagedes@gmail.com> wrote=
:
> >
> > Utilize GenFw to automatically set the NXCOMPAT bit of the DLL
> Characteristics
> > field of the Optional Header if the following requirements are met:
> >
> > 1. It is a 64bit PE
> > 2. The section alignment is evently divisible by 4K
> > 3. No section is both EFI_IMAGE_SCN_MEM_EXECUTE and
> EFI_IMAGE_SCN_MEM_WRITE
> >
>
> Is this sufficient? For example, the EBC DXE driver creates code
> trampolines in page allocations, and expects them to be executable.
> However, this change would flag that driver as NX compat too.
>

--000000000000fba8a905ff23ecb7
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hi Ard,<div><br></div><div><span class=3D"gmail-ui-provide=
r gmail-a gmail-b gmail-c gmail-d gmail-e gmail-f gmail-g gmail-h gmail-i g=
mail-j gmail-k gmail-l gmail-m gmail-n gmail-o gmail-p gmail-q gmail-r gmai=
l-s gmail-t gmail-u gmail-v gmail-w gmail-x gmail-y gmail-z gmail-ab gmail-=
ac gmail-ae gmail-af gmail-ag gmail-ah gmail-ai gmail-aj gmail-ak" dir=3D"l=
tr">Talked to the team and I think the appropriate answer to this is to fol=
low what is currently done through the MSVC FLAGS, i.e. that any PE that kn=
owingly does not meet these requirements manually opts out of NXCOMPAT via =
the /NXCOMPAT:no flag. That means adding a flag to GENFW: &quot;--nxcompat =
no&quot;. Then this can be appended to existing flags in the INF of any inc=
ompatible component.</span><br></div><div><span class=3D"gmail-ui-provider =
gmail-a gmail-b gmail-c gmail-d gmail-e gmail-f gmail-g gmail-h gmail-i gma=
il-j gmail-k gmail-l gmail-m gmail-n gmail-o gmail-p gmail-q gmail-r gmail-=
s gmail-t gmail-u gmail-v gmail-w gmail-x gmail-y gmail-z gmail-ab gmail-ac=
 gmail-ae gmail-af gmail-ag gmail-ah gmail-ai gmail-aj gmail-ak" dir=3D"ltr=
"><br></span></div><div><span class=3D"gmail-ui-provider gmail-a gmail-b gm=
ail-c gmail-d gmail-e gmail-f gmail-g gmail-h gmail-i gmail-j gmail-k gmail=
-l gmail-m gmail-n gmail-o gmail-p gmail-q gmail-r gmail-s gmail-t gmail-u =
gmail-v gmail-w gmail-x gmail-y gmail-z gmail-ab gmail-ac gmail-ae gmail-af=
 gmail-ag gmail-ah gmail-ai gmail-aj gmail-ak" dir=3D"ltr">Invalid PEs coul=
d be reviewed after this patch is in, or as a part of it. We have a list of=
 modules that modules that are potentially non-nx compat, but would need to=
 be evaluated by package owners and may not be all encompassing.</span></di=
v><div><span class=3D"gmail-ui-provider gmail-a gmail-b gmail-c gmail-d gma=
il-e gmail-f gmail-g gmail-h gmail-i gmail-j gmail-k gmail-l gmail-m gmail-=
n gmail-o gmail-p gmail-q gmail-r gmail-s gmail-t gmail-u gmail-v gmail-w g=
mail-x gmail-y gmail-z gmail-ab gmail-ac gmail-ae gmail-af gmail-ag gmail-a=
h gmail-ai gmail-aj gmail-ak" dir=3D"ltr"><br></span></div><div><span class=
=3D"gmail-ui-provider gmail-a gmail-b gmail-c gmail-d gmail-e gmail-f gmail=
-g gmail-h gmail-i gmail-j gmail-k gmail-l gmail-m gmail-n gmail-o gmail-p =
gmail-q gmail-r gmail-s gmail-t gmail-u gmail-v gmail-w gmail-x gmail-y gma=
il-z gmail-ab gmail-ac gmail-ae gmail-af gmail-ag gmail-ah gmail-ai gmail-a=
j gmail-ak" dir=3D"ltr">Thanks,</span></div><div><span class=3D"gmail-ui-pr=
ovider gmail-a gmail-b gmail-c gmail-d gmail-e gmail-f gmail-g gmail-h gmai=
l-i gmail-j gmail-k gmail-l gmail-m gmail-n gmail-o gmail-p gmail-q gmail-r=
 gmail-s gmail-t gmail-u gmail-v gmail-w gmail-x gmail-y gmail-z gmail-ab g=
mail-ac gmail-ae gmail-af gmail-ag gmail-ah gmail-ai gmail-aj gmail-ak" dir=
=3D"ltr">Joey</span></div></div><br><div class=3D"gmail_quote"><div dir=3D"=
ltr" class=3D"gmail_attr">On Fri, Jun 23, 2023 at 9:11=E2=80=AFAM Ard Biesh=
euvel &lt;<a href=3D"mailto:ardb@kernel.org">ardb@kernel.org</a>&gt; wrote:=
<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8=
ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Fri, 23 Jun =
2023 at 18:03, Joey Vagedes &lt;<a href=3D"mailto:joey.vagedes@gmail.com" t=
arget=3D"_blank">joey.vagedes@gmail.com</a>&gt; wrote:<br>
&gt;<br>
&gt; Utilize GenFw to automatically set the NXCOMPAT bit of the DLL Charact=
eristics<br>
&gt; field of the Optional Header if the following requirements are met:<br=
>
&gt;<br>
&gt; 1. It is a 64bit PE<br>
&gt; 2. The section alignment is evently divisible by 4K<br>
&gt; 3. No section is both EFI_IMAGE_SCN_MEM_EXECUTE and EFI_IMAGE_SCN_MEM_=
WRITE<br>
&gt;<br>
<br>
Is this sufficient? For example, the EBC DXE driver creates code<br>
trampolines in page allocations, and expects them to be executable.<br>
However, this change would flag that driver as NX compat too.<br>
</blockquote></div>

--000000000000fba8a905ff23ecb7--