On Tue, Feb 28, 2017 at 03:11:19PM +0000, Ard Biesheuvel wrote:
Implement a strict separation between writable and executable memory, by enabling the new core features that
- map PE/COFF code and data sections with either executable or writable permissions, but never both;
- map all other regions with the XN attributes set.
Note that the former requires 4 KB section alignment, which is not the default when using the tiny code model, so set the section alignment explicitly both for DEBUG and RELEASE builds.
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Ard Biesheuvel ard.biesheuvel@linaro.org
Reviewed-by: Leif Lindholm leif.lindholm@linaro.org
Platforms/AMD/Styx/OverdriveBoard/OverdriveBoard.dsc | 16 ++++++++++++++++ 1 file changed, 16 insertions(+)
diff --git a/Platforms/AMD/Styx/OverdriveBoard/OverdriveBoard.dsc b/Platforms/AMD/Styx/OverdriveBoard/OverdriveBoard.dsc index a236836db691..dcab8fb43cec 100644 --- a/Platforms/AMD/Styx/OverdriveBoard/OverdriveBoard.dsc +++ b/Platforms/AMD/Styx/OverdriveBoard/OverdriveBoard.dsc @@ -273,6 +273,9 @@ DEFINE DO_KCS = 1 [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER] GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x10000 +[BuildOptions.common.EDKII.DXE_DRIVER,BuildOptions.common.EDKII.UEFI_DRIVER,BuildOptions.common.EDKII.UEFI_APPLICATION]
- GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x1000
################################################################################ # # Pcd Section - list of all EDK II PCD Entries defined by this Platform @@ -440,6 +443,19 @@ DEFINE DO_KCS = 1 ## ACPI (no tables < 4GB) gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiExposedTableVersions|0x20
- #
- # Enable strict image permissions for all images. (This applies
- # only to images that were built with >= 4 KB section alignment.)
- #
- gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3
- #
- # Enable NX memory protection for all non-code regions, including OEM and OS
- # reserved ones, with the exception of LoaderData regions, of which OS loaders
- # (i.e., GRUB) may assume that its contents are executable.
- #
- gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD1
!if $(DO_PSCI) gAmdStyxTokenSpaceGuid.PcdPsciOsSupport|TRUE !else -- 2.7.4