From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pj1-f45.google.com (mail-pj1-f45.google.com [209.85.216.45]) by mx.groups.io with SMTP id smtpd.web11.5163.1687816753317717490 for ; Mon, 26 Jun 2023 14:59:13 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20221208 header.b=aCQ9aThI; spf=pass (domain: gmail.com, ip: 209.85.216.45, mailfrom: joey.vagedes@gmail.com) Received: by mail-pj1-f45.google.com with SMTP id 98e67ed59e1d1-262e89a3ee2so988823a91.1 for ; Mon, 26 Jun 2023 14:59:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1687816753; x=1690408753; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=xHamSo9NYiic2rgLwY4KrWMydRV7Eb+aeXjX3Ay/xd0=; b=aCQ9aThI3+wCxlTYIaJvlHPI0pXrDmLyxLe4+Hou385+MHU8jy1NCsKYSzFzIuaKnx jZTcsfmFueGnv5TUAwmfoutJ2QF+8pbrSQXm8FmijvNNqWAalwquEx1M9Ecb7W3Lv8wB M/5xw2YBImVhab7xr6wwQWyq4ocZl6Rk7kBHiJwprXL34HCvUismC0BdCcV6GnoxUydU c2YYOHojxulNuX9Ogl82LPFIlD9ylPOHNwB6zvF5dZ6aEnADN5+Xveuqo47ScP5FKoEF CHYF0q+OLtv9jvZHG7xl6fYYvD0qUPbcIx8yqBqGjtNtJDzmMKwRnldjLeBKz8NAFFvH rBzw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1687816753; x=1690408753; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=xHamSo9NYiic2rgLwY4KrWMydRV7Eb+aeXjX3Ay/xd0=; b=k9nxkZNB06lbpPJdq5ioKtc+gQVx0VukOLjICK5NiABkkEZOscaLErXXg7+6kxrW1A YQrX7nl5pRe2pNthp8Hok0TZ6SJxO36PIGfZn5gT4dHbAoz+4wzd+LpPYT9mUgKSQH3X Mx6a4txI3MbN41MSIBoFHSS87jkTFpqHV4v3BGlgjRimak/KRRvIBmwzRe/BWh3ElXA6 3+w3VSKTtcPSSVwSoBDSH6l27VbxNN+wcfSIKCeeyUz1NPewg4rJeZMBd5CgZRCf9U3W 7JDVrrPjocafnzL544hlD25mPZdXL66oQXt7PKQFpFlIFeD6Z/xgMBm8T8Nyu+aoxY4c sKOw== X-Gm-Message-State: AC+VfDyrsKUWUe6xYPuZrkSq17xLNnUFreeIMwuAzndvQhW9D5NHEc5Y 7e4lx9/MmbZIh21ExwEJzcdgHaxQJ21wOb/nSxw= X-Google-Smtp-Source: ACHHUZ4eXXKUKtRMvsQfjU47k7UE5YzrxbCCHm0Yee634Vqp89sTrAYQL7Rppt/A673vf1iHpm58beIHJK4cJhdADmk= X-Received: by 2002:a17:90a:6f83:b0:25b:fbdc:434e with SMTP id e3-20020a17090a6f8300b0025bfbdc434emr24925268pjk.32.1687816752634; Mon, 26 Jun 2023 14:59:12 -0700 (PDT) MIME-Version: 1.0 References: <20230623154442.799-1-joey.vagedes@gmail.com> <03da01d9a70f$0038a2c0$00a9e840$@byosoft.com.cn> In-Reply-To: <03da01d9a70f$0038a2c0$00a9e840$@byosoft.com.cn> From: Joey Vagedes Date: Mon, 26 Jun 2023 14:58:59 -0700 Message-ID: Subject: Re: [edk2-devel] [PATCH v1 0/2] Automatically set NXCOMPAT bit if requirements are met To: gaoliming Cc: devel@edk2.groups.io, Michael D Kinney , Zhiguang Liu , Rebecca Cran , Bob Feng , Yuwei Chen Content-Type: multipart/alternative; boundary="000000000000fca26c05ff0f75ef" --000000000000fca26c05ff0f75ef Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi Liming, This is being done as a part of the memory protections work which can be reviewed here: Task Table =C2=B7 Memory Protections (github.com) Overall, DxeCore will ingest the NX_COMPAT flag on image load. In the base case, when modules make allocations of type EfiLoaderCode, EfiBootServicesCode, and EfiRuntimeServicesCode, the EFI_MEMORY_XP access attribute will be applied with the expectation that the allocating modules will remove the EFI_MEMORY_XP attribute and apply the EFI_MEMORY_RO attribute once they have loaded their code into the buffer for execution. In the exception case, if an EFI_APPLICATION type image is loaded without the NX_COMPAT flag then allocations of type EfiLoaderCode, EfiBootServicesCode, and EfiRuntimeServicesCode will no longer have EFI_MEMORY_XP applied for the remainder of boot. Note that a patch series for the supporting DxeCore logic has not yet been submitted. Thanks, Joey On Sat, Jun 24, 2023 at 7:46=E2=80=AFPM gaoliming wrote: > Joey: > Can you describe the full usage of NXCOMPAT bit? This patch sets NXCOMP= AT > bit. And, which module will consume NXCOMPAT bit, how use it? DxeCore? > > Thanks > Liming > > -----=E9=82=AE=E4=BB=B6=E5=8E=9F=E4=BB=B6----- > > =E5=8F=91=E4=BB=B6=E4=BA=BA: devel@edk2.groups.io =E4=BB=A3=E8=A1=A8 Joey Vagedes > > =E5=8F=91=E9=80=81=E6=97=B6=E9=97=B4: 2023=E5=B9=B46=E6=9C=8823=E6=97= =A5 23:45 > > =E6=94=B6=E4=BB=B6=E4=BA=BA: devel@edk2.groups.io > > =E6=8A=84=E9=80=81: Michael D Kinney ; Limi= ng Gao > > ; Zhiguang Liu ; > > Rebecca Cran ; Bob Feng ; > > Yuwei Chen > > =E4=B8=BB=E9=A2=98: [edk2-devel] [PATCH v1 0/2] Automatically set NXCOM= PAT bit if > > requirements are met > > > > Utilize GenFw to automatically set the NXCOMPAT bit of the DLL > > Characteristics > > field of the Optional Header if the following requirements are met: > > > > 1. It is a 64bit PE > > 2. The section alignment is evently divisible by 4K > > 3. No section is both EFI_IMAGE_SCN_MEM_EXECUTE and > > EFI_IMAGE_SCN_MEM_WRITE > > > > Cc: Michael D Kinney > > Cc: Liming Gao > > Cc: Zhiguang Liu > > Cc: Rebecca Cran > > Cc: Bob Feng > > Cc: Yuwei Chen > > > > Joey Vagedes (2): > > MdePkg: IndustryStandard: Add DLL Characteristics > > BaseTools: GenFw: auto-set nxcompat flag > > > > MdePkg/Include/IndustryStandard/PeImage.h | 15 +++++ > > BaseTools/Source/C/GenFw/GenFw.c | 59 > > ++++++++++++++++++++ > > 2 files changed, 74 insertions(+) > > > > -- > > 2.41.0.windows.1 > > > > > > > >=20 > > > > > > --000000000000fca26c05ff0f75ef Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi Liming,

This is being done as a part= of the memory protections work which can be reviewed here:=C2=A0Task Table =C2=B7 Memory Pro= tections (github.com)

Overall, DxeCore will in= gest the NX_COMPAT flag on image load.

In the base case, when modu= les make allocations of type EfiLoaderCode, EfiBootServicesCode, and EfiRun= timeServicesCode, the EFI_MEMORY_XP access attribute will be applied with t= he expectation that the allocating modules will remove the EFI_MEMORY_XP at= tribute and apply the EFI_MEMORY_RO attribute once they have loaded their c= ode into the buffer for execution.

In the exception case, if an EFI_= APPLICATION type image is loaded without the NX_COMPAT flag then allocation= s of type EfiLoaderCode, EfiBootServicesCode, and EfiRuntimeServicesCode wi= ll no longer have EFI_MEMORY_XP applied for the remainder of boot.

N= ote that a patch series for the supporting DxeCore logic has not yet been s= ubmitted.

Thanks,
Joey

On Sat, Jun 24, 20= 23 at 7:46=E2=80=AFPM gaoliming <gaoliming@byosoft.com.cn> wrote:
Joey:
=C2=A0 Can you describe the full usage of NXCOMPAT bit? This patch sets NXC= OMPAT
bit. And, which module will consume NXCOMPAT bit, how use it? DxeCore?

Thanks
Liming
> -----=E9=82=AE=E4=BB=B6=E5=8E=9F=E4=BB=B6-----
> =E5=8F=91=E4=BB=B6=E4=BA=BA: devel@edk2.groups.io <devel@edk2.groups.io> =E4=BB=A3=E8=A1= =A8 Joey Vagedes
> =E5=8F=91=E9=80=81=E6=97=B6=E9=97=B4: 2023=E5=B9=B46=E6=9C=8823=E6=97= =A5 23:45
> =E6=94=B6=E4=BB=B6=E4=BA=BA: devel@edk2.groups.io
> =E6=8A=84=E9=80=81: Michael D Kinney <michael.d.kinney@intel.com>; Limi= ng Gao
> <gaol= iming@byosoft.com.cn>; Zhiguang Liu <zhiguang.liu@intel.com>;
> Rebecca Cran <rebecca@bsdio.com>; Bob Feng <bob.c.feng@intel.com>;
> Yuwei Chen <yuwei.chen@intel.com>
> =E4=B8=BB=E9=A2=98: [edk2-devel] [PATCH v1 0/2] Automatically set NXCO= MPAT bit if
> requirements are met
>
> Utilize GenFw to automatically set the NXCOMPAT bit of the DLL
> Characteristics
> field of the Optional Header if the following requirements are met: >
> 1. It is a 64bit PE
> 2. The section alignment is evently divisible by 4K
> 3. No section is both EFI_IMAGE_SCN_MEM_EXECUTE and
> EFI_IMAGE_SCN_MEM_WRITE
>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
> Cc: Zhiguang Liu <zhiguang.liu@intel.com>
> Cc: Rebecca Cran <rebecca@bsdio.com>
> Cc: Bob Feng <bob.c.feng@intel.com>
> Cc: Yuwei Chen <yuwei.chen@intel.com>
>
> Joey Vagedes (2):
>=C2=A0 =C2=A0MdePkg: IndustryStandard: Add DLL Characteristics
>=C2=A0 =C2=A0BaseTools: GenFw: auto-set nxcompat flag
>
>=C2=A0 MdePkg/Include/IndustryStandard/PeImage.h | 15 +++++
>=C2=A0 BaseTools/Source/C/GenFw/GenFw.c=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 | 59
> ++++++++++++++++++++
>=C2=A0 2 files changed, 74 insertions(+)
>
> --
> 2.41.0.windows.1
>
>
>
>
>



--000000000000fca26c05ff0f75ef--