[Linaro-uefi,3/3] Platforms/AMD/Styx: enable strict memory permission policy

Message ID 1488218551-6372-4-git-send-email-ard.biesheuvel@linaro.org
State Superseded
Headers show
Series
  • AMD/Styx: enable strict memory permissions
Related show

Commit Message

Ard Biesheuvel Feb. 27, 2017, 6:02 p.m.
Implement a strict separation between writable and executable memory,
by enabling the new core features that
- map PE/COFF code and data sections with either executable or writable
  permissions, but never both;
- map all other regions with the XN attributes set.

Note that the former requires 4 KB section alignment, which is not the
default when using the tiny code model, so set the section alignment
explicitly both for DEBUG and RELEASE builds.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 Platforms/AMD/Styx/OverdriveBoard/OverdriveBoard.dsc | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

Patch

diff --git a/Platforms/AMD/Styx/OverdriveBoard/OverdriveBoard.dsc b/Platforms/AMD/Styx/OverdriveBoard/OverdriveBoard.dsc
index a236836db691..03ca1ffae2e5 100644
--- a/Platforms/AMD/Styx/OverdriveBoard/OverdriveBoard.dsc
+++ b/Platforms/AMD/Styx/OverdriveBoard/OverdriveBoard.dsc
@@ -273,6 +273,9 @@  DEFINE DO_KCS       = 1
 [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER]
   GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x10000
 
+[BuildOptions.common.EDKII.DXE_DRIVER,BuildOptions.common.EDKII.UEFI_DRIVER,BuildOptions.common.EDKII.UEFI_APPLICATION]
+  GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x1000
+
 ################################################################################
 #
 # Pcd Section - list of all EDK II PCD Entries defined by this Platform
@@ -440,6 +443,18 @@  DEFINE DO_KCS       = 1
   ## ACPI (no tables < 4GB)
   gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiExposedTableVersions|0x20
 
+  #
+  # Enable strict image permissions for all images. (This applies
+  # only to images that were built with >= 4 KB section alignment.)
+  #
+  gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3
+
+  #
+  # Enable NX memory protection for all non-code regions, including OEM and OS
+  # reserved ones.
+  #
+  gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD5
+
 !if $(DO_PSCI)
   gAmdStyxTokenSpaceGuid.PcdPsciOsSupport|TRUE
 !else