[Linaro-uefi,v2,4/4] Platforms/AMD/Cello: enable strict memory permission policy

Message ID 1488294680-1884-5-git-send-email-ard.biesheuvel@linaro.org
State Accepted
Commit a80bc48bfea0eb90476fabd81072d6c1c51181ba
Series
  • AMD/Styx: enable strict memory permissions

Commit Message

Ard Biesheuvel Feb. 28, 2017, 3:11 p.m.
Implement a strict separation between writable and executable memory,
by enabling the new core features that
- map PE/COFF code and data sections with either executable or writable
  permissions, but never both;
- map all other regions with the XN attributes set.

Note that the former requires 4 KB section alignment, which is not the
default when using the tiny code model, so set the section alignment
explicitly both for DEBUG and RELEASE builds.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 Platforms/AMD/Styx/CelloBoard/CelloBoard.dsc | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
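A defender-side check for the precondition the commit message states: the DXE core can only apply strict permissions to images whose section alignment is a multiple of 4 KB, and no section may be mapped both writable and executable. This is an added example, not code from the patch or from the EDK II tree; it is a small Python PE/COFF header parser, and `audit_image`, `build_image` and the header-only AArch64 test image it constructs are my own names and assumptions.

```python
"""Audit a PE/COFF image for the two properties the patch relies on: section
alignment that is a multiple of 4 KB, and no section that is both W and X."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PAGE_SIZE = 0x1000  # 4 KB: granularity at which the DXE core applies image permissions

def audit_image(data: bytes) -> dict:
    """Walk DOS stub -> COFF header -> optional header -> section table and report."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ stub: not a PE/COFF image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24                                          # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                            # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # SectionAlignment sits at offset 32 of the optional header in both PE32 and PE32+.
    sect_align = struct.unpack_from("<I", data, opt + 32)[0]
    sections, wx = [], []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i                          # 40-byte section headers
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va = struct.unpack_from("<II", data, hdr + 8)
        flags = struct.unpack_from("<I", data, hdr + 36)[0]    # Characteristics
        perms = "".join(c if flags & bit else "-" for c, bit in
                        (("r", IMAGE_SCN_MEM_READ), ("w", IMAGE_SCN_MEM_WRITE), ("x", IMAGE_SCN_MEM_EXECUTE)))
        sections.append((name, va, vsize, perms))
        if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE:
            wx.append(name)                                    # W+X section: protection cannot split it
    return {"section_alignment": sect_align,
            "protectable": sect_align >= PAGE_SIZE and sect_align % PAGE_SIZE == 0,
            "wx_sections": wx, "sections": sections}

def build_image(section_alignment: int, sections) -> bytes:
    """Constructed test input (assumption, not a real build): a header-only PE32+
    AArch64 image with the given SectionAlignment and (name, Characteristics) list."""
    opt = struct.pack("<HBBIIIIIQII", 0x20B, 0, 0, 0, 0, 0, 0, 0, 0, section_alignment, 0x200)
    opt += b"\0" * (240 - len(opt))                            # PE32+ optional header is 240 bytes
    coff = struct.pack("<HHIIIHH", 0xAA64, len(sections), 0, 0, 0, len(opt), 0)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, 0x100, (i + 1) * section_alignment,
                                 0, 0, 0, 0, 0, 0, f) for i, (n, f) in enumerate(sections))
    return b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + table
```

Run `audit_image` over the `.efi` files produced by a build to confirm that `protectable` is true and `wx_sections` is empty before relying on `PcdImageProtectionPolicy`.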

Comments

Leif Lindholm March 7, 2017, 4:27 p.m. | #1
On Tue, Feb 28, 2017 at 03:11:20PM +0000, Ard Biesheuvel wrote:
> Implement a strict separation between writable and executable memory,
> by enabling the new core features that
> - map PE/COFF code and data sections with either executable or writable
>   permissions, but never both;
> - map all other regions with the XN attributes set.
> 
> Note that the former requires 4 KB section alignment, which is not the
> default when using the tiny code model, so set the section alignment
> explicitly both for DEBUG and RELEASE builds.
> 
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>

> ---
>  Platforms/AMD/Styx/CelloBoard/CelloBoard.dsc | 16 ++++++++++++++++
>  1 file changed, 16 insertions(+)
> 
> diff --git a/Platforms/AMD/Styx/CelloBoard/CelloBoard.dsc b/Platforms/AMD/Styx/CelloBoard/CelloBoard.dsc
> index d7e1a538f863..cb8b6cd0d822 100644
> --- a/Platforms/AMD/Styx/CelloBoard/CelloBoard.dsc
> +++ b/Platforms/AMD/Styx/CelloBoard/CelloBoard.dsc
> @@ -266,6 +266,9 @@ DEFINE DO_KCS    = 0
>  [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER]
>    GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x10000
>  
> +[BuildOptions.common.EDKII.DXE_DRIVER,BuildOptions.common.EDKII.UEFI_DRIVER,BuildOptions.common.EDKII.UEFI_APPLICATION]
> +  GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x1000
> +
>  ################################################################################
>  #
>  # Pcd Section - list of all EDK II PCD Entries defined by this Platform
> @@ -430,6 +433,19 @@ DEFINE DO_KCS    = 0
>    ## ACPI (no tables < 4GB)
>    gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiExposedTableVersions|0x20
>  
> +  #
> +  # Enable strict image permissions for all images. (This applies
> +  # only to images that were built with >= 4 KB section alignment.)
> +  #
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3
> +
> +  #
> +  # Enable NX memory protection for all non-code regions, including OEM and OS
> +  # reserved ones, with the exception of LoaderData regions, of which OS loaders
> +  # (i.e., GRUB) may assume that its contents are executable.
> +  #
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD1
> +
>    gAmdStyxTokenSpaceGuid.PcdPsciOsSupport|TRUE
>    gAmdStyxTokenSpaceGuid.PcdIscpSupport|TRUE
>  
> -- 
> 2.7.4
>

Patch

diff --git a/Platforms/AMD/Styx/CelloBoard/CelloBoard.dsc b/Platforms/AMD/Styx/CelloBoard/CelloBoard.dsc
index d7e1a538f863..cb8b6cd0d822 100644
--- a/Platforms/AMD/Styx/CelloBoard/CelloBoard.dsc
+++ b/Platforms/AMD/Styx/CelloBoard/CelloBoard.dsc
@@ -266,6 +266,9 @@  DEFINE DO_KCS    = 0
 [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER]
   GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x10000
 
+[BuildOptions.common.EDKII.DXE_DRIVER,BuildOptions.common.EDKII.UEFI_DRIVER,BuildOptions.common.EDKII.UEFI_APPLICATION]
+  GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x1000
+
 ################################################################################
 #
 # Pcd Section - list of all EDK II PCD Entries defined by this Platform
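Review bot: the new `[BuildOptions.common.EDKII.DXE_DRIVER,...]` block at the top of this hunk has no comment explaining why these module types now get `-z common-page-size=0x1000`, while the PCD hunk below does say that image protection only applies to images built with >= 4 KB section alignment; a one-line comment above the section (e.g. `# 4 KB section alignment, required for PcdImageProtectionPolicy to take effect`) would tie the two together for the next person editing the DSC. The block also lists only DXE_DRIVER, UEFI_DRIVER and UEFI_APPLICATION, whereas the commit message says protection is meant for "all images": please state whether the other module types this platform builds (DXE_CORE in particular) are intentionally left at the tiny-code-model default and therefore unprotected.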
@@ -430,6 +433,19 @@  DEFINE DO_KCS    = 0
   ## ACPI (no tables < 4GB)
   gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiExposedTableVersions|0x20
 
+  #
+  # Enable strict image permissions for all images. (This applies
+  # only to images that were built with >= 4 KB section alignment.)
+  #
+  gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3
+
+  #
+  # Enable NX memory protection for all non-code regions, including OEM and OS
+  # reserved ones, with the exception of LoaderData regions, of which OS loaders
+  # (i.e., GRUB) may assume that its contents are executable.
+  #
+  gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD1
+
   gAmdStyxTokenSpaceGuid.PcdPsciOsSupport|TRUE
   gAmdStyxTokenSpaceGuid.PcdIscpSupport|TRUE
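Review bot: the comment above `PcdDxeNxMemoryProtectionPolicy` describes the intent but not the encoding, so `0xC000000000007FD1` cannot be audited from the file itself; spell out which memory-type bits are set and which are cleared (the LoaderData exception and the two top OEM/OS-reserved bits the comment refers to), so a later edit does not silently drop the exception. The sentence "of which OS loaders (i.e., GRUB) may assume that its contents are executable" should read "whose contents OS loaders (e.g., GRUB) may assume are executable": GRUB is an example, not the definition. Finally, neither the comment nor the commit message records testing; please note which OS loaders were booted with all non-code regions other than LoaderData now mapped XN, since that is where regressions from this policy would show up.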