In-Reply-To: <6d185b29-8917-72ce-9484-84cb03435701@redhat.com>
References: <1488378977-15398-1-git-send-email-ard.biesheuvel@linaro.org> <6d185b29-8917-72ce-9484-84cb03435701@redhat.com>
From: Ard Biesheuvel
Date: Wed, 1 Mar 2017 18:37:01 +0000
To: Laszlo Ersek
Cc: "edk2-devel@lists.01.org" , Leif Lindholm
Subject: Re: [PATCH v2] ArmVirtPkg AARCH64: enable NX memory protection for all platforms

On 1 March 2017 at 18:32, Laszlo Ersek wrote:
> On 03/01/17 15:36, Ard Biesheuvel wrote:
>> This sets the recently introduced PCD PcdDxeNxMemoryProtectionPolicy to
>> a value that protects all memory regions except code regions against
>> inadvertent execution.
>>
>> Note that this does not [yet] protect EfiLoaderData regions, due to
>> compatibility issues with shim and GRUB.
>>
>> Contributed-under: TianoCore Contribution Agreement 1.0
>> Signed-off-by: Ard Biesheuvel
>> Reviewed-by: Jiewen Yao
>> ---
>> v2: leave EfiLoaderData executable for the time being
>>
>> ArmVirtPkg/ArmVirt.dsc.inc | 7 +++++++
>> 1 file changed, 7 insertions(+)
>>
>> diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
>> index 2b0a44e14d24..a91b27f13cf2 100644
>> --- a/ArmVirtPkg/ArmVirt.dsc.inc
>> +++ b/ArmVirtPkg/ArmVirt.dsc.inc
>> @@ -383,6 +383,13 @@ [PcdsFixedAtBuild.AARCH64]
>> #
>> gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3
>>
>> + #
>> + # Enable NX memory protection for all non-code regions, including OEM and OS
>> + # reserved ones, with the exception of LoaderData regions, of which OS loaders
>> + # (i.e., GRUB) may assume that its contents are executable.
>> + #
>> + gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD1
>> +
>> [Components.common]
>> #
>> # Networking stack
>>
>
> Reviewed-by: Laszlo Ersek
> Tested-by: Laszlo Ersek

Pushed, thanks.
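Review bot: the new comment in the ArmVirt.dsc.inc hunk leaves the one deliberate exception under-documented, and the value beside it cannot be audited from the comment alone. The commit message says EfiLoaderData stays executable because of shim and GRUB, so "OS loaders (i.e., GRUB)" should read "e.g., GRUB" (naming shim as well would match the commit message), and "of which OS loaders ... may assume that its contents are executable" reads better as "whose contents OS loaders may assume to be executable". More importantly, `PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD1` is an opaque bitmask: state in the comment which memory-type bits are set and which are intentionally cleared (the code types and LoaderData, per the comment's own wording), so a later reader can check the constant against the stated intent, and so dropping the LoaderData exception in the follow-up the commit message promises becomes a documented one-bit change rather than a recomputed magic number.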