On Tue, Mar 07, 2017 at 12:25:17PM +0100, Ard Biesheuvel wrote:
This enables the recently added and/or enhanced memory protection features in upstream EDK2:
- strict code/data separation PE/COFF sections so that mappings can be made either read-only or non-executable
- remove exec permissions from all other (i.e., non-code) regions (as far as is feasible without breaking GRUB)
- remap the DXE stack as non-executable before entering DxeCore
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Ard Biesheuvel ard.biesheuvel@linaro.org
I'm theoretically quite keen on getting this enabled, but would definitely need a Tested-by from Ryan before I would want to see it merged.
/ Leif
Platforms/ARM/VExpress/ArmVExpress.dsc.inc | 21 ++++++++++++++++++++ 1 file changed, 21 insertions(+)
diff --git a/Platforms/ARM/VExpress/ArmVExpress.dsc.inc b/Platforms/ARM/VExpress/ArmVExpress.dsc.inc index c94001b3bcdb..431d6d0f76ce 100644 --- a/Platforms/ARM/VExpress/ArmVExpress.dsc.inc +++ b/Platforms/ARM/VExpress/ArmVExpress.dsc.inc @@ -14,6 +14,9 @@ [Defines] SECURE_BOOT_ENABLE = FALSE +[BuildOptions.common.EDKII.DXE_CORE,BuildOptions.common.EDKII.DXE_DRIVER,BuildOptions.common.EDKII.UEFI_DRIVER,BuildOptions.common.EDKII.UEFI_APPLICATION]
- GCC:*_*_*_DLINK_FLAGS = -z common-page-size=0x1000
[BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER] GCC:*_*_ARM_DLINK_FLAGS = -z common-page-size=0x1000 GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x10000 @@ -437,6 +440,24 @@ # GUID of the UI app gEfiMdeModulePkgTokenSpaceGuid.PcdBootManagerMenuFile|{ 0x21, 0xaa, 0x2c, 0x46, 0x14, 0x76, 0x03, 0x45, 0x83, 0x6e, 0x8a, 0xb6, 0xf4, 0x66, 0x23, 0x31 }
- #
- # Enable strict image permissions for all images. (This applies
- # only to images that were built with >= 4 KB section alignment.)
- #
- gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3
- #
- # Enable NX memory protection for all non-code regions, including OEM and OS
- # reserved ones, with the exception of LoaderData regions, of which OS loaders
- # (i.e., GRUB) may assume that its contents are executable.
- #
- gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD1
- #
- # Enable the non-executable DXE stack. (This gets set up by DxeIpl)
- #
- gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|TRUE
[Components.common] MdeModulePkg/Universal/PCD/Dxe/Pcd.inf { <LibraryClasses> -- 2.7.4