public inbox for devel@edk2.groups.io
From: "Zeng, Star" <star.zeng@intel.com>
To: Jian J Wang <jian.j.wang@intel.com>, edk2-devel@lists.01.org
Cc: Ruiyu Ni <ruiyu.ni@intel.com>, Jiewen Yao <jiewen.yao@intel.com>,
	Laszlo Ersek <lersek@redhat.com>,
	star.zeng@intel.com
Subject: Re: [PATCH v2 2/2] MdeModulePkg/DxeIpl: support more NX related PCDs
Date: Fri, 21 Sep 2018 14:00:18 +0800
Message-ID: <cbcf47d6-eecc-6e89-c6b8-c9552bac519b@intel.com>
In-Reply-To: <20180920060247.7764-3-jian.j.wang@intel.com>

Jian and Laszlo,

There is also a superficial comment below.

On 2018/9/20 14:02, Jian J Wang wrote:
>> v2 changes:
>>     a. remove macros no longer needed
>>     b. remove DEBUG and ASSERT in ToEnableExecuteDisableFeature()
>>     c. change ToEnableExecuteDisableFeature to EnableNonExec
> 
> BZ#1116: https://bugzilla.tianocore.org/show_bug.cgi?id=1116
> 
> Currently IA32_EFER.NXE is only set against PcdSetNxForStack. This
> confuses developers because the following two other PCDs also need NXE
> to be set, but it actually is not.
> 
>      PcdDxeNxMemoryProtectionPolicy
>      PcdImageProtectionPolicy
> 
> This patch solves this issue by adding logic to enable IA32_EFER.NXE
> if any of those PCDs have anything enabled.
> 
> Cc: Star Zeng <star.zeng@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Ruiyu Ni <ruiyu.ni@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
> ---
>   MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf          |  2 ++
>   MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c  |  4 ++--
>   MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c | 30 +++++++++++++++++++++++-
>   MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h | 24 +++++++++++++++++++
>   4 files changed, 57 insertions(+), 3 deletions(-)
> 
> diff --git a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
> index fd82657404..068e700074 100644
> --- a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
> +++ b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
> @@ -117,6 +117,8 @@
>   
>   [Pcd.IA32,Pcd.X64,Pcd.ARM,Pcd.AARCH64]
>     gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack               ## SOMETIMES_CONSUMES
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy ## SOMETIMES_CONSUMES
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy       ## SOMETIMES_CONSUMES
>   
>   [Depex]
>     gEfiPeiLoadFilePpiGuid AND gEfiPeiMasterBootModePpiGuid
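Review bot: The two new entries land in the [Pcd.IA32,Pcd.X64,Pcd.ARM,Pcd.AARCH64] section, but the only code in this patch that reads them is in Ia32/DxeLoadFunc.c and X64/VirtualMemory.c, so on ARM/AARCH64 they are declared yet never consumed. That matches where PcdSetNxForStack already sits, so it is consistent; just confirm the .dec types line up with the accessors used later in the series (PcdGet64 for PcdDxeNxMemoryProtectionPolicy, PcdGet32 for PcdImageProtectionPolicy), since a mismatch there is a build break rather than a logic error.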
> diff --git a/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c b/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c
> index d28baa3615..ccd30f964b 100644
> --- a/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c
> +++ b/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c
> @@ -245,7 +245,7 @@ ToBuildPageTable (
>       return TRUE;
>     }
>   
> -  if (PcdGetBool (PcdSetNxForStack) && IsExecuteDisableBitAvailable ()) {
> +  if (EnableNonExec ()) {
>       return TRUE;
>     }
>   
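Review bot: This is more than a rename of the condition: ToBuildPageTable() now returns TRUE, and so forces IA32 PAE page tables, whenever PcdDxeNxMemoryProtectionPolicy or PcdImageProtectionPolicy is non-zero on an XD-capable CPU, not only for PcdSetNxForStack. That is the right call, because the XD flag is bit 63 and only exists in 64-bit (PAE-format) entries, but the commit message only talks about IA32_EFER.NXE; add a sentence saying that IA32 builds with either policy set will now switch to PAE paging.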
> @@ -436,7 +436,7 @@ HandOffToDxeCore (
>       BuildPageTablesIa32Pae = ToBuildPageTable ();
>       if (BuildPageTablesIa32Pae) {
>         PageTables = Create4GPageTablesIa32Pae (BaseOfStack, STACK_SIZE);
> -      if (IsExecuteDisableBitAvailable ()) {
> +      if (EnableNonExec ()) {
>           EnableExecuteDisableBit();
>         }
>       }
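Review bot: The guard here tightens: before, IA32_EFER.NXE was set whenever PAE page tables were built on an XD-capable CPU, regardless of any PCD; after, it is set only when EnableNonExec() also finds one of the three PCDs enabled. With none of them set no entry should carry the XD bit, so skipping the EFER write is harmless and keeps IA32 consistent with the X64 path, but since ToBuildPageTable() can return TRUE for reasons other than NX (the earlier `return TRUE;` above the changed line), this is a visible behaviour change on such platforms and belongs in the commit message.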
> diff --git a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c
> index 496e219913..73b0f67c6b 100644
> --- a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c
> +++ b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c
> @@ -106,6 +106,31 @@ IsNullDetectionEnabled (
>     return ((PcdGet8 (PcdNullPointerDetectionPropertyMask) & BIT0) != 0);
>   }
>   
> +/**
> +  Check if Execute Disable Bit (IA32_EFER.NXE) should be enabled or not.
> +
> +  @retval TRUE    IA32_EFER.NXE should be enabled.
> +  @retval FALSE   IA32_EFER.NXE should not be enabled.
> +
> +**/
> +BOOLEAN
> +EnableNonExec (
> +  VOID
> +  )
> +{
> +  if (!IsExecuteDisableBitAvailable ()) {
> +    return FALSE;
> +  }
> +
> +  //
> +  // XD flag (BIT63) in page table entry is only valid if IA32_EFER.NXE is set.
> +  // Features controlled by Following PCDs need this feature to be enabled.
> +  //
> +  return (PcdGetBool (PcdSetNxForStack) ||
> +          PcdGet64 (PcdDxeNxMemoryProtectionPolicy) != 0 ||
> +          PcdGet32 (PcdImageProtectionPolicy) != 0);
> +}

I am a little confused by this function name compared with 
EnableExecuteDisableBit(). This function does not really enable NX, but 
just checks whether enabling NX is needed or not. How about using the name 
IsEnableNonExecNeeded, IsEnableNxNeeded or IsDisableExecuteNeeded?


Sorry I did not raise this comment in V1 patch thread.
If you agree with the name change, Reviewed-by: Star Zeng 
<star.zeng@intel.com>.


Thanks,
Star
> +
>   /**
>     Enable Execute Disable Bit.
>   
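Review bot: The doc comment says "Check if ... should be enabled", and the body is a pure predicate with no side effect, so the name EnableNonExec() misdescribes it and reads as a sibling of EnableExecuteDisableBit() just below; a predicate name such as IsEnableNonExecNeeded() would keep the call sites `if (EnableNonExec ()) { EnableExecuteDisableBit (); }` from looking like a double enable. Two smaller points in the same hunk: the comment "Features controlled by Following PCDs" should read "the following PCDs", and it is worth spelling out there that the `!= 0` tests treat any set bit of PcdDxeNxMemoryProtectionPolicy or PcdImageProtectionPolicy as a request for NXE, which matches the commit message's claim that both PCDs need NXE.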
> @@ -755,7 +780,10 @@ CreateIdentityMappingPageTables (
>     //
>     EnablePageTableProtection ((UINTN)PageMap, TRUE);
>   
> -  if (PcdGetBool (PcdSetNxForStack)) {
> +  //
> +  // Set IA32_EFER.NXE if necessary.
> +  //
> +  if (EnableNonExec ()) {
>       EnableExecuteDisableBit ();
>     }
>   
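Review bot: Besides widening the condition to the two extra PCDs, this hunk adds a check the old code lacked: `if (PcdGetBool (PcdSetNxForStack))` called EnableExecuteDisableBit() without consulting IsExecuteDisableBitAvailable(), whereas EnableNonExec() returns FALSE first when XD is unsupported. That is an improvement (no EFER write on a CPU that does not advertise NX), but it is a second behavioural change hidden under a "clarify" commit message; mention it there.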
> diff --git a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h
> index 85457ff937..09085312aa 100644
> --- a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h
> +++ b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h
> @@ -179,6 +179,30 @@ typedef struct {
>     UINTN           FreePages;
>   } PAGE_TABLE_POOL;
>   
> +/**
> +  Check if Execute Disable Bit (IA32_EFER.NXE) should be enabled or not.
> +
> +  @retval TRUE    IA32_EFER.NXE should be enabled.
> +  @retval FALSE   IA32_EFER.NXE should not be enabled.
> +
> +**/
> +BOOLEAN
> +EnableNonExec (
> +  VOID
> +  );
> +
> +/**
> +  The function will check if Execute Disable Bit is available.
> +
> +  @retval TRUE      Execute Disable Bit is available.
> +  @retval FALSE     Execute Disable Bit is not available.
> +
> +**/
> +BOOLEAN
> +IsExecuteDisableBitAvailable (
> +  VOID
> +  );
> +
>   /**
>     Enable Execute Disable Bit.
>   
> 
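Review bot: IsExecuteDisableBitAvailable() was already called from Ia32/DxeLoadFunc.c before this patch (see the removed lines in that file), so the Ia32 translation unit must have had a visible declaration for it; with this prototype now in VirtualMemory.h, check that no duplicate or differing declaration remains in a .c file, otherwise the two could drift. Also, both prototypes here repeat the full doc block from VirtualMemory.c, which is the package convention; if the function is renamed per the review comment, both copies need updating together.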
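The comment in the new EnableNonExec() ("XD flag (BIT63) in page table entry is only valid if IA32_EFER.NXE is set") is the whole reason the patch exists, so here is an added C example, not edk2 code and not from any participant in this thread, that re-expresses that predicate with plain inputs standing in for the three PCDs and then models what the CPU does with a bit-63 entry depending on NXE. The fault modelling follows the Intel SDM (Vol. 3A, paging chapter): with NXE clear, bit 63 of a leaf entry is reserved, so any access through it faults with RSVD set; with NXE set, only instruction fetches fault, and the I/D error-code bit is only reported while NXE is on (SMEP assumed off). The CPUID probe reads the NX feature bit (CPUID.80000001H:EDX[20]); that IsExecuteDisableBitAvailable() tests the same bit is an assumption, and all function and macro names are the example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Leaf paging-entry bits (IA-32e / PAE format, 64-bit entries). */
#define PTE_P   (1ULL << 0)   /* Present */
#define PTE_XD  (1ULL << 63)  /* Execute-disable when NXE=1, reserved when NXE=0 */

/* #PF error-code bits (Intel SDM Vol. 3A, Section 4.7). */
#define PF_P    (1u << 0)     /* 1 = protection/reserved-bit fault, 0 = not present */
#define PF_RSVD (1u << 3)     /* reserved bit set in a paging-structure entry */
#define PF_ID   (1u << 4)     /* instruction fetch (reported only when NXE=1 or SMEP) */

#define ACCESS_OK (-1)        /* check_access(): no fault */

/* Probe CPUID.80000001H:EDX.NX[bit 20]. Assumed (not shown on the page) to be
 * the bit IsExecuteDisableBitAvailable() tests. Non-x86 hosts report false. */
static bool xd_available_on_this_cpu(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax = 0, ebx = 0, ecx = 0, edx = 0;
    if (!__get_cpuid(0x80000001u, &eax, &ebx, &ecx, &edx))
        return false;                    /* extended leaf not implemented */
    return (edx & (1u << 20)) != 0;
#else
    return false;
#endif
}

/* The decision under review, with plain values standing in for PcdSetNxForStack,
 * PcdDxeNxMemoryProtectionPolicy and PcdImageProtectionPolicy: NXE is wanted when
 * the CPU has XD and any of the three policies asks for non-executable memory. */
static bool nxe_required(bool xd_available, bool nx_for_stack,
                         uint64_t dxe_nx_policy, uint32_t image_policy)
{
    if (!xd_available)
        return false;
    return nx_for_stack || dxe_nx_policy != 0 || image_policy != 0;
}

/* What an access through a leaf entry does for a given IA32_EFER.NXE state.
 * Returns ACCESS_OK, or the #PF error code the CPU would push. SMEP assumed off,
 * so the I/D bit is only reported while NXE=1. */
static int check_access(bool nxe, uint64_t pte, bool is_fetch)
{
    uint32_t id = (is_fetch && nxe) ? PF_ID : 0;

    if (!(pte & PTE_P))
        return (int)id;                      /* not present: P=0 */

    if (!nxe && (pte & PTE_XD))
        return (int)(PF_P | PF_RSVD | id);   /* bit 63 reserved without NXE: every access faults */

    if (nxe && (pte & PTE_XD) && is_fetch)
        return (int)(PF_P | id);             /* genuine execute-disable violation */

    return ACCESS_OK;                        /* data access, or fetch from an executable page */
}

int main(void)
{
    /* Constructed scenario: image protection policy set, stack policy off. */
    bool xd  = xd_available_on_this_cpu();
    bool nxe = nxe_required(xd, false, 0, 0x3 /* hypothetical non-zero image policy */);
    uint64_t pte = PTE_P | PTE_XD | 0x1000ULL;   /* present, XD, frame at 0x1000 */
    int fetch = check_access(nxe, pte, true);
    int read  = check_access(nxe, pte, false);

    printf("XD available: %d, NXE set: %d\n", (int)xd, (int)nxe);
    printf("fetch from XD page: %s\n", fetch == ACCESS_OK ? "ok" : "#PF");
    printf("read  from XD page: %s\n", read  == ACCESS_OK ? "ok" : "#PF");
    return 0;
}
```

The instructive case is check_access(false, PTE_P | PTE_XD, ...): on the model, an entry that carries bit 63 while NXE is clear faults on every access, reads included, with error code P|RSVD and no I/D bit, so the symptom of marking memory non-executable without first setting NXE is a reserved-bit page fault rather than a silently ignored protection. That is why the predicate above has to fold in every policy that can set XD bits, not just the stack one.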



Thread overview: 9+ messages
2018-09-20  6:02 [PATCH v2 0/2] clarify NXE enabling logic Jian J Wang
2018-09-20  6:02 ` [PATCH v2 1/2] MdeModulePkg/MdeModulePkg.dec/.uni: clarify PCDs usage Jian J Wang
2018-09-21  5:49   ` Zeng, Star
2018-09-20  6:02 ` [PATCH v2 2/2] MdeModulePkg/DxeIpl: support more NX related PCDs Jian J Wang
2018-09-21  6:00   ` Zeng, Star [this message]
2018-09-21  8:42     ` Zeng, Star
2018-09-21 10:14       ` Laszlo Ersek
2018-09-25  3:23         ` Wang, Jian J
2018-09-20 11:31 ` [PATCH v2 0/2] clarify NXE enabling logic Laszlo Ersek
