From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <lersek@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id A9260821B6
 for <edk2-devel@ml01.01.org>; Wed,  1 Mar 2017 11:10:03 -0800 (PST)
Received: from smtp.corp.redhat.com (int-mx16.intmail.prod.int.phx2.redhat.com
 [10.5.11.28])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.redhat.com (Postfix) with ESMTPS id 3F4F8C049D5C;
 Wed,  1 Mar 2017 19:10:04 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-249.phx2.redhat.com
 [10.3.116.249])
 by smtp.corp.redhat.com (Postfix) with ESMTP id 5C5D32D5C0;
 Wed,  1 Mar 2017 19:10:03 +0000 (UTC)
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>, edk2-devel@ml01.01.org,
 leif.lindholm@linaro.org
References: <1488385903-30267-1-git-send-email-ard.biesheuvel@linaro.org>
 <1488385903-30267-6-git-send-email-ard.biesheuvel@linaro.org>
From: Laszlo Ersek <lersek@redhat.com>
Message-ID: <e60623d9-9400-f2d8-398b-f2e2e5ee29f6@redhat.com>
Date: Wed, 1 Mar 2017 20:10:01 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
 Thunderbird/45.7.1
MIME-Version: 1.0
In-Reply-To: <1488385903-30267-6-git-send-email-ard.biesheuvel@linaro.org>
X-Scanned-By: MIMEDefang 2.74 on 10.5.11.28
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
 (mx1.redhat.com [10.5.110.31]); Wed, 01 Mar 2017 19:10:04 +0000 (UTC)
Subject: Re: [PATCH 5/5] ArmVirtPkg: enable non-executable DXE stack for all platforms
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Mar 2017 19:10:03 -0000
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit

On 03/01/17 17:31, Ard Biesheuvel wrote:
> Now that ARM has grown support for managing memory permissions in
> ArmMmuLib, we can enable the non-executable DXE stack for all virt
> platforms.
> 
> Note that this is not [entirely] redundant: the non-executable stack
> is configured before DxeCore is invoked. The image and memory protection
> features configured during DXE only take affect when the CPU arch
> protocol implementation is registered.
> 
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> ---
>  ArmVirtPkg/ArmVirt.dsc.inc       | 5 +++++
>  ArmVirtPkg/ArmVirtQemu.dsc       | 2 --
>  ArmVirtPkg/ArmVirtQemuKernel.dsc | 2 --
>  3 files changed, 5 insertions(+), 4 deletions(-)
> 
> diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
> index acfb71d3ff6c..e2d3dcce7945 100644
> --- a/ArmVirtPkg/ArmVirt.dsc.inc
> +++ b/ArmVirtPkg/ArmVirt.dsc.inc
> @@ -386,6 +386,11 @@ [PcdsFixedAtBuild.common]
>    #
>    gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD1
>  
> +  #
> +  # Enable the non-executable DXE stack. (This gets set up by DxeIpl)
> +  #
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|TRUE
> +
>  [PcdsFixedAtBuild.ARM]
>    gEmbeddedTokenSpaceGuid.PcdPrePiCpuMemorySize|40
>  
> diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
> index 615e1fca4877..477dfdcfc764 100644
> --- a/ArmVirtPkg/ArmVirtQemu.dsc
> +++ b/ArmVirtPkg/ArmVirtQemu.dsc
> @@ -152,8 +152,6 @@ [PcdsFixedAtBuild.common]
>    gEmbeddedTokenSpaceGuid.PcdPrePiCpuIoSize|16
>  
>  [PcdsFixedAtBuild.AARCH64]
> -  gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|TRUE
> -
>    # KVM limits it IPA space to 40 bits (1 TB), so there is no need to
>    # support anything bigger, even if the host hardware does
>    gEmbeddedTokenSpaceGuid.PcdPrePiCpuMemorySize|40
> diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
> index e4902690123c..fd39c2802a85 100644
> --- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
> +++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
> @@ -163,8 +163,6 @@ [PcdsFixedAtBuild.AARCH64]
>    #
>    gEmbeddedTokenSpaceGuid.PcdPrePiCpuIoSize|16
>  
> -  gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|TRUE
> -
>    # KVM limits it IPA space to 40 bits (1 TB), so there is no need to
>    # support anything bigger, even if the host hardware does
>    gEmbeddedTokenSpaceGuid.PcdPrePiCpuMemorySize|40
> 

This doesn't just extend PcdSetNxForStack from AARCH64 from ARM, but
also from QEMU to Xen. Is that your intent? If so,

Reviewed-by: Laszlo Ersek <lersek@redhat.com>

Thanks
Laszlo