On 7 March 2017 at 14:47, Leif Lindholm leif.lindholm@linaro.org wrote:
On Tue, Mar 07, 2017 at 12:25:17PM +0100, Ard Biesheuvel wrote:
This enables the recently added and/or enhanced memory protection features in upstream EDK2:
- strict code/data separation PE/COFF sections so that mappings can be made either read-only or non-executable
- remove exec permissions from all other (i.e., non-code) regions (as far as is feasible without breaking GRUB)
- remap the DXE stack as non-executable before entering DxeCore
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Ard Biesheuvel ard.biesheuvel@linaro.org
I'm theoretically quite keen on getting this enabled, but would definitely need a Tested-by from Ryan before I would want to see it merged.
... hence the cc :-)