From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ard.biesheuvel@linaro.org>
Received: from mail-io0-x236.google.com (mail-io0-x236.google.com
 [IPv6:2607:f8b0:4001:c06::236])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 619BC821B6
 for <edk2-devel@ml01.01.org>; Wed,  1 Mar 2017 11:10:45 -0800 (PST)
Received: by mail-io0-x236.google.com with SMTP id l7so37941197ioe.3
 for <edk2-devel@ml01.01.org>; Wed, 01 Mar 2017 11:10:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google;
 h=mime-version:in-reply-to:references:from:date:message-id:subject:to
 :cc; bh=jLCt77LsOHjme6q6KpaG21yBvOrChBUvfFHeq50OPSY=;
 b=agt5L0VGPKW1MF5Q0p5nVEv3fbXkaeZFcY6VBMcK5r2kuGv8f2f270av/kYriIs8B/
 BFpzMJQbwMjbk/N0m/aroOu9jlR9ZWJcqG8wcLDlWWFQHdTPS8yNFnDq2JF3+xVu7Ovc
 8QLHyvzY2laajWgkoVxt/f5GlJrHRtYe1mPR0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:in-reply-to:references:from:date
 :message-id:subject:to:cc;
 bh=jLCt77LsOHjme6q6KpaG21yBvOrChBUvfFHeq50OPSY=;
 b=DMcXFU2WEjJcguvWmZYYpUQ4yUP31zV5MjlcZGC2q4IdTfi0JVsIoiZWYObN2klb1+
 74f7g4bEck1kghWTG1yz0wJouCku6cpjXp4PCqvGhz0SEHCWRIghWi7HGaE6hQenyEI3
 s1qCMLBcp/sjiXwJpfG0W1BYaiL1bKBMZ1yGkFXb9wY87ZD1PS4q74Kbke6JPdAPdyr1
 DJBti4jA1Fwc7lTgaf5qHMDduBvhivBKJuPal7ffPKFVlUdGcDXM32xxIOnzYjlD69XV
 M7+02mZujxjODmkmR6kl+sysZHI8BULMJXMnvzeleZhIQpE/zy0GYeUnZypXXLHNqG4J
 5G7A==
X-Gm-Message-State: AMke39mRuuGVJNQ1tWZOnkjqWQvvS+AN48s1AEx2xnr0nui1rXvALJya2Pdgyk82edNzKJbQJaT4CxywgukcjYAA
X-Received: by 10.107.168.21 with SMTP id r21mr9740837ioe.45.1488395444690;
 Wed, 01 Mar 2017 11:10:44 -0800 (PST)
MIME-Version: 1.0
Received: by 10.107.10.27 with HTTP; Wed, 1 Mar 2017 11:10:44 -0800 (PST)
In-Reply-To: <e60623d9-9400-f2d8-398b-f2e2e5ee29f6@redhat.com>
References: <1488385903-30267-1-git-send-email-ard.biesheuvel@linaro.org>
 <1488385903-30267-6-git-send-email-ard.biesheuvel@linaro.org>
 <e60623d9-9400-f2d8-398b-f2e2e5ee29f6@redhat.com>
From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Date: Wed, 1 Mar 2017 19:10:44 +0000
Message-ID: <CAKv+Gu8wm9A+DjvxLnybTExTVWYmkO08tp5Mp1v3dp=ykoVqjQ@mail.gmail.com>
To: Laszlo Ersek <lersek@redhat.com>
Cc: "edk2-devel@lists.01.org" <edk2-devel@ml01.01.org>,
 Leif Lindholm <leif.lindholm@linaro.org>
Subject: Re: [PATCH 5/5] ArmVirtPkg: enable non-executable DXE stack for all platforms
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Mar 2017 19:10:45 -0000
Content-Type: text/plain; charset=UTF-8

On 1 March 2017 at 19:10, Laszlo Ersek <lersek@redhat.com> wrote:
> On 03/01/17 17:31, Ard Biesheuvel wrote:
>> Now that ARM has grown support for managing memory permissions in
>> ArmMmuLib, we can enable the non-executable DXE stack for all virt
>> platforms.
>>
>> Note that this is not [entirely] redundant: the non-executable stack
>> is configured before DxeCore is invoked. The image and memory protection
>> features configured during DXE only take affect when the CPU arch
>> protocol implementation is registered.
>>
>> Contributed-under: TianoCore Contribution Agreement 1.0
>> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
>> ---
>>  ArmVirtPkg/ArmVirt.dsc.inc       | 5 +++++
>>  ArmVirtPkg/ArmVirtQemu.dsc       | 2 --
>>  ArmVirtPkg/ArmVirtQemuKernel.dsc | 2 --
>>  3 files changed, 5 insertions(+), 4 deletions(-)
>>
>> diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
>> index acfb71d3ff6c..e2d3dcce7945 100644
>> --- a/ArmVirtPkg/ArmVirt.dsc.inc
>> +++ b/ArmVirtPkg/ArmVirt.dsc.inc
>> @@ -386,6 +386,11 @@ [PcdsFixedAtBuild.common]
>>    #
>>    gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD1
>>
>> +  #
>> +  # Enable the non-executable DXE stack. (This gets set up by DxeIpl)
>> +  #
>> +  gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|TRUE
>> +
>>  [PcdsFixedAtBuild.ARM]
>>    gEmbeddedTokenSpaceGuid.PcdPrePiCpuMemorySize|40
>>
>> diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
>> index 615e1fca4877..477dfdcfc764 100644
>> --- a/ArmVirtPkg/ArmVirtQemu.dsc
>> +++ b/ArmVirtPkg/ArmVirtQemu.dsc
>> @@ -152,8 +152,6 @@ [PcdsFixedAtBuild.common]
>>    gEmbeddedTokenSpaceGuid.PcdPrePiCpuIoSize|16
>>
>>  [PcdsFixedAtBuild.AARCH64]
>> -  gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|TRUE
>> -
>>    # KVM limits it IPA space to 40 bits (1 TB), so there is no need to
>>    # support anything bigger, even if the host hardware does
>>    gEmbeddedTokenSpaceGuid.PcdPrePiCpuMemorySize|40
>> diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
>> index e4902690123c..fd39c2802a85 100644
>> --- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
>> +++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
>> @@ -163,8 +163,6 @@ [PcdsFixedAtBuild.AARCH64]
>>    #
>>    gEmbeddedTokenSpaceGuid.PcdPrePiCpuIoSize|16
>>
>> -  gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|TRUE
>> -
>>    # KVM limits it IPA space to 40 bits (1 TB), so there is no need to
>>    # support anything bigger, even if the host hardware does
>>    gEmbeddedTokenSpaceGuid.PcdPrePiCpuMemorySize|40
>>
>
> This doesn't just extend PcdSetNxForStack from AARCH64 from ARM, but
> also from QEMU to Xen. Is that your intent? If so,
>
> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
>

Yes, it is, but I will mention that in the commit log

Thanks,
Ard.