From: Ard Biesheuvel
Date: Fri, 24 Feb 2017 15:17:40 +0000
To: Laszlo Ersek
Cc: "edk2-devel@lists.01.org", Leif Lindholm
Subject: Re: [PATCH] ArmVirtPkg/ArmVirt.dsc.inc: AARCH64: enable DXE image protection feature
List-Id: EDK II Development

On 23 February 2017 at 09:36, Laszlo Ersek wrote:
> On 02/22/17 12:54, Ard Biesheuvel wrote:
>> Enable the new DXE image protection for all image, i.e., FV images but
>> also external images that originate from disk or the network, such as
>> OS loaders.
>>
>> This complements work that is underway on the arm64/Linux kernel side,
>> to emit the OS loader with 4 KB section alignment, and a suitable split
>> between code and data.
>>
>> http://marc.info/?l=linux-arm-kernel&m=148655557227819
>>
>> Contributed-under: TianoCore Contribution Agreement 1.0
>> Signed-off-by: Ard Biesheuvel
>> ---
>> ArmVirtPkg/ArmVirt.dsc.inc | 10 ++++++++++
>> 1 file changed, 10 insertions(+)
>>
>> diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
>> index dbd6678accde..c0d5e7c6aa6d 100644
>> --- a/ArmVirtPkg/ArmVirt.dsc.inc
>> +++ b/ArmVirtPkg/ArmVirt.dsc.inc
>> @@ -17,6 +17,9 @@ [Defines]
>> DEFINE DEBUG_PRINT_ERROR_LEVEL = 0x8000004F
>> DEFINE TTY_TERMINAL = FALSE
>>
>> +[BuildOptions.common.EDKII.DXE_DRIVER,BuildOptions.common.EDKII.UEFI_DRIVER,BuildOptions.common.EDKII.UEFI_APPLICATION]
>> + GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x1000
>> +
>> [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER]
>> GCC:*_*_ARM_DLINK_FLAGS = -z common-page-size=0x1000
>> GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x10000
>> @@ -380,6 +383,13 @@ [PcdsFixedAtBuild.common]
>> [PcdsFixedAtBuild.ARM]
>> gEmbeddedTokenSpaceGuid.PcdPrePiCpuMemorySize|40
>>
>> +[PcdsFixedAtBuild.AARCH64]
>> + #
>> + # Enable strict image permissions for all images. (This applies
>> + # only to images that were built with >= 4 KB section alignment.)
>> + #
>> + gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3
>> +
>> [Components.common]
>> #
>> # Networking stack
>>
>
> So, if I understand correctly, setting BIT0 will not break external
> images with unaligned sections, they just won't be protected, and
> they'll trigger loud warnings. OK.
>

Indeed.

> Reviewed-by: Laszlo Ersek
>

Pushed, thanks.
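Review bot: the `GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x1000` line added under the new [BuildOptions.common.EDKII.DXE_DRIVER,BuildOptions.common.EDKII.UEFI_DRIVER,BuildOptions.common.EDKII.UEFI_APPLICATION] section carries no comment, yet it is the precondition for the PCD added in the second hunk: that hunk's comment says protection only applies to images built with >= 4 KB section alignment, so this linker flag is what makes the in-tree AARCH64 DXE/UEFI drivers and applications eligible. Suggest a one-line comment here pointing at PcdImageProtectionPolicy, and stating that only the AARCH64 flag is set because the policy is enabled only under [PcdsFixedAtBuild.AARCH64] (the neighbouring DXE_RUNTIME_DRIVER section sets both ARM and AARCH64, so a reader may otherwise take the missing ARM line for an omission).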
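Review bot: the comment above `gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3` documents the alignment precondition but not what the two bits of 0x3 mean, which is exactly what the reviewer had to ask about. Suggest spelling it out in the comment, e.g. `# BIT0: images loaded from outside FVs (disk, network, e.g. OS loaders)` and `# BIT1: images loaded from FVs`, matching the commit message's "FV images but also external images", and adding that an image without 4 KB section alignment is still loaded, only unprotected and with a warning, so the setting does not stop existing OS loaders from booting.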