ArmVirtPkg/ArmVirt.dsc.inc: AARCH64: enable DXE image protection feature

Enable the new DXE image protection for all image, i.e., FV images but
also external images that originate from disk or the network, such as
OS loaders.

This complements work that is underway on the arm64/Linux kernel side,
to emit the OS loader with 4 KB section alignment, and a suitable split
between code and data.

http://marc.info/?l=linux-arm-kernel&m=148655557227819

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>

1 files changed, 10 insertions, 0 deletions

diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
index 43699cb9bd..61d4a6642e 100644
--- a/ArmVirtPkg/ArmVirt.dsc.inc
+++ b/ArmVirtPkg/ArmVirt.dsc.inc
@@ -17,6 +17,9 @@
   DEFINE DEBUG_PRINT_ERROR_LEVEL = 0x8000004F

   DEFINE TTY_TERMINAL            = FALSE

 

+[BuildOptions.common.EDKII.DXE_DRIVER,BuildOptions.common.EDKII.UEFI_DRIVER,BuildOptions.common.EDKII.UEFI_APPLICATION]

+  GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x1000

+

 [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER]

   GCC:*_*_ARM_DLINK_FLAGS = -z common-page-size=0x1000

   GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x10000

@@ -378,6 +381,13 @@
 [PcdsFixedAtBuild.ARM]

   gEmbeddedTokenSpaceGuid.PcdPrePiCpuMemorySize|40

 

+[PcdsFixedAtBuild.AARCH64]

+  #

+  # Enable strict image permissions for all images. (This applies

+  # only to images that were built with >= 4 KB section alignment.)

+  #

+  gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3

+

 [Components.common]

   #

   # Networking stack