author Ard Biesheuvel <ard.biesheuvel@linaro.org> 2017-02-27 14:10:59 +0000
committer Ard Biesheuvel <ard.biesheuvel@linaro.org> 2017-03-01 18:35:40 +0000
commit 1acd7c54a72418918d7aaa859884e72bd4933473
tree f7edc10edaf10bb891ad724747b93256044a811f /ArmVirtPkg
parent dd320e633a8a80c93c9c43535d3bec7606c45b12
ArmVirtPkg AARCH64: enable NX memory protection for all platforms
This sets the recently introduced PCD PcdDxeNxMemoryProtectionPolicy to a value that protects all memory regions except code regions against inadvertent execution.

Note that this does not [yet] protect EfiLoaderData regions, due to compatibility issues with shim and GRUB.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
Diffstat (limited to 'ArmVirtPkg')
-rw-r--r-- ArmVirtPkg/ArmVirt.dsc.inc 7
1 files changed, 7 insertions, 0 deletions
diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
index 2b0a44e14d..a91b27f13c 100644
--- a/ArmVirtPkg/ArmVirt.dsc.inc
+++ b/ArmVirtPkg/ArmVirt.dsc.inc
@@ -383,6 +383,13 @@
#
gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3
+ #
+ # Enable NX memory protection for all non-code regions, including OEM and OS
+ # reserved ones, with the exception of LoaderData regions, of which OS loaders
+ # (i.e., GRUB) may assume that its contents are executable.
+ #
+ gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD1
+
[Components.common]
#
# Networking stack
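Review bot: the mask on the added PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD1 line cannot be checked against the comment above it, because the comment states the intent (all non-code regions, OEM and OS reserved included, LoaderData excluded) but not which bit stands for which memory type. Please add the bit-to-type mapping to the comment, or a pointer to where the PCD's bits are defined, so that a later change to the mask can be verified without decoding the hex by hand. The commit message describes the LoaderData exception as "not [yet]" protected because of shim and GRUB; the comment should also say that the exception is a compatibility measure, and since GRUB is one of two loaders named there, "e.g., GRUB" fits better than "i.e., GRUB".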