diff options
| author | Ard Biesheuvel <ard.biesheuvel@linaro.org> | 2017-03-07 12:25:17 +0100 |
|---|---|---|
| committer | Ard Biesheuvel <ard.biesheuvel@linaro.org> | 2017-03-16 14:02:51 +0000 |
| commit | 015ac218cfef6d399b05996e4f6072c7cd195861 (patch) | |
| tree | 893e5db7e2cf5f40e1178113823350a24150bbe3 | |
| parent | 6a2aff6f395725de2d29007fdf65a4cd02115710 (diff) | |
Platforms/ARM: enable memory protection featuresarmlt-20170317-001
This enables the recently added and/or enhanced memory protection
features in upstream EDK2:
- strict code/data separation PE/COFF sections so that mappings can
be made either read-only or non-executable
- remove exec permissions from all other (i.e., non-code) regions (as
far as is feasible without breaking GRUB)
- remap the DXE stack as non-executable before entering DxeCore
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Tested-by: Ryan Harkin <ryan.harkin@linaro.org>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
| -rw-r--r-- | Platforms/ARM/VExpress/ArmVExpress.dsc.inc | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/Platforms/ARM/VExpress/ArmVExpress.dsc.inc b/Platforms/ARM/VExpress/ArmVExpress.dsc.inc index c94001b..431d6d0 100644 --- a/Platforms/ARM/VExpress/ArmVExpress.dsc.inc +++ b/Platforms/ARM/VExpress/ArmVExpress.dsc.inc @@ -14,6 +14,9 @@ [Defines]
SECURE_BOOT_ENABLE = FALSE
+[BuildOptions.common.EDKII.DXE_CORE,BuildOptions.common.EDKII.DXE_DRIVER,BuildOptions.common.EDKII.UEFI_DRIVER,BuildOptions.common.EDKII.UEFI_APPLICATION]
+ GCC:*_*_*_DLINK_FLAGS = -z common-page-size=0x1000
+
[BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER]
GCC:*_*_ARM_DLINK_FLAGS = -z common-page-size=0x1000
GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x10000
@@ -437,6 +440,24 @@ # GUID of the UI app
gEfiMdeModulePkgTokenSpaceGuid.PcdBootManagerMenuFile|{ 0x21, 0xaa, 0x2c, 0x46, 0x14, 0x76, 0x03, 0x45, 0x83, 0x6e, 0x8a, 0xb6, 0xf4, 0x66, 0x23, 0x31 }
+ #
+ # Enable strict image permissions for all images. (This applies
+ # only to images that were built with >= 4 KB section alignment.)
+ #
+ gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3
+
+ #
+ # Enable NX memory protection for all non-code regions, including OEM and OS
+ # reserved ones, with the exception of LoaderData regions, of which OS loaders
+ # (i.e., GRUB) may assume that its contents are executable.
+ #
+ gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD1
+
+ #
+ # Enable the non-executable DXE stack. (This gets set up by DxeIpl)
+ #
+ gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|TRUE
+
[Components.common]
MdeModulePkg/Universal/PCD/Dxe/Pcd.inf {
<LibraryClasses>
|