Message ID | 1487764485-18631-1-git-send-email-ard.biesheuvel@linaro.org |
---|---|
State | Accepted |
Commit | 7b30036b5edc907c4bc2ec40b224e0266530207d |
On 02/22/17 12:54, Ard Biesheuvel wrote: > Enable the new DXE image protection for all image, i.e., FV images but > also external images that originate from disk or the network, such as > OS loaders. > > This complements work that is underway on the arm64/Linux kernel side, > to emit the OS loader with 4 KB section alignment, and a suitable split > between code and data. > > http://marc.info/?l=linux-arm-kernel&m=148655557227819 > > Contributed-under: TianoCore Contribution Agreement 1.0 > Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> > --- > ArmVirtPkg/ArmVirt.dsc.inc | 10 ++++++++++ > 1 file changed, 10 insertions(+) > > diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc > index dbd6678accde..c0d5e7c6aa6d 100644 > --- a/ArmVirtPkg/ArmVirt.dsc.inc > +++ b/ArmVirtPkg/ArmVirt.dsc.inc > @@ -17,6 +17,9 @@ [Defines] > DEFINE DEBUG_PRINT_ERROR_LEVEL = 0x8000004F > DEFINE TTY_TERMINAL = FALSE > > +[BuildOptions.common.EDKII.DXE_DRIVER,BuildOptions.common.EDKII.UEFI_DRIVER,BuildOptions.common.EDKII.UEFI_APPLICATION] > + GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x1000 > + > [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER] > GCC:*_*_ARM_DLINK_FLAGS = -z common-page-size=0x1000 > GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x10000 
> @@ -380,6 +383,13 @@ [PcdsFixedAtBuild.common] > [PcdsFixedAtBuild.ARM] > gEmbeddedTokenSpaceGuid.PcdPrePiCpuMemorySize|40 > > +[PcdsFixedAtBuild.AARCH64] > + # > + # Enable strict image permissions for all images. (This applies > + # only to images that were built with >= 4 KB section alignment.) > + # > + gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3 > + > [Components.common] > # > # Networking stack > So, if I understand correctly, setting BIT0 will not break external images with unaligned sections, they just won't be protected, and they'll trigger loud warnings. OK. Reviewed-by: Laszlo Ersek <lersek@redhat.com> Thanks Laszlo _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
On 23 February 2017 at 09:36, Laszlo Ersek <lersek@redhat.com> wrote: > On 02/22/17 12:54, Ard Biesheuvel wrote: >> Enable the new DXE image protection for all image, i.e., FV images but >> also external images that originate from disk or the network, such as >> OS loaders. >> >> This complements work that is underway on the arm64/Linux kernel side, >> to emit the OS loader with 4 KB section alignment, and a suitable split >> between code and data. >> >> http://marc.info/?l=linux-arm-kernel&m=148655557227819 >> >> Contributed-under: TianoCore Contribution Agreement 1.0 >> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> >> --- >> ArmVirtPkg/ArmVirt.dsc.inc | 10 ++++++++++ >> 1 file changed, 10 insertions(+) >> >> diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc >> index dbd6678accde..c0d5e7c6aa6d 100644 >> --- a/ArmVirtPkg/ArmVirt.dsc.inc >> +++ b/ArmVirtPkg/ArmVirt.dsc.inc >> @@ -17,6 +17,9 @@ [Defines] >> DEFINE DEBUG_PRINT_ERROR_LEVEL = 0x8000004F >> DEFINE TTY_TERMINAL = FALSE >> >> +[BuildOptions.common.EDKII.DXE_DRIVER,BuildOptions.common.EDKII.UEFI_DRIVER,BuildOptions.common.EDKII.UEFI_APPLICATION] >> + GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x1000 >> + >> [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER] >> GCC:*_*_ARM_DLINK_FLAGS = -z common-page-size=0x1000 >> GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x10000 
>> @@ -380,6 +383,13 @@ [PcdsFixedAtBuild.common] >> [PcdsFixedAtBuild.ARM] >> gEmbeddedTokenSpaceGuid.PcdPrePiCpuMemorySize|40 >> >> +[PcdsFixedAtBuild.AARCH64] >> + # >> + # Enable strict image permissions for all images. (This applies >> + # only to images that were built with >= 4 KB section alignment.) >> + # >> + gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3 >> + >> [Components.common] >> # >> # Networking stack >> > > So, if I understand correctly, setting BIT0 will not break external > images with unaligned sections, they just won't be protected, and > they'll trigger loud warnings. OK. > Indeed. > Reviewed-by: Laszlo Ersek <lersek@redhat.com> > Pushed, thanks. _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc index dbd6678accde..c0d5e7c6aa6d 100644 --- a/ArmVirtPkg/ArmVirt.dsc.inc +++ b/ArmVirtPkg/ArmVirt.dsc.inc @@ -17,6 +17,9 @@ [Defines] DEFINE DEBUG_PRINT_ERROR_LEVEL = 0x8000004F DEFINE TTY_TERMINAL = FALSE +[BuildOptions.common.EDKII.DXE_DRIVER,BuildOptions.common.EDKII.UEFI_DRIVER,BuildOptions.common.EDKII.UEFI_APPLICATION] + GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x1000 + [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER] GCC:*_*_ARM_DLINK_FLAGS = -z common-page-size=0x1000 GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x10000 @@ -380,6 +383,13 @@ [PcdsFixedAtBuild.common] [PcdsFixedAtBuild.ARM] gEmbeddedTokenSpaceGuid.PcdPrePiCpuMemorySize|40 +[PcdsFixedAtBuild.AARCH64] + # + # Enable strict image permissions for all images. (This applies + # only to images that were built with >= 4 KB section alignment.) + # + gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3 + [Components.common] # # Networking stack
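Review bot: The new [BuildOptions.common.EDKII.DXE_DRIVER,...UEFI_DRIVER,...UEFI_APPLICATION] section in the first hunk (@@ -17,6 +17,9 @@) carries no comment saying why `-z common-page-size=0x1000` is set. By the comment in the second hunk, protection applies only to images built with >= 4 KB section alignment, so this flag is what makes these modules eligible and the link between the two hunks should be stated above the section. The section also sets only `GCC:*_*_AARCH64_DLINK_FLAGS` and names three module types; any module type not listed keeps whatever alignment it had before, so the commit message should say whether such images are expected to load without protection.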
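Review bot: In the second hunk (@@ -380,6 +383,13 @@), `gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3` is a bare bitmask, and the comment above it says only "strict image permissions for all images". Please spell out in the comment what each of the two set bits selects (the commit message names FV images and external images from disk or the network), so a later change to the value can be checked against intent. The parenthetical should also say what happens to an image with smaller section alignment, namely that it still loads but is not protected, as confirmed in the review thread. The setting sits under [PcdsFixedAtBuild.AARCH64], so ARM builds are not covered, which the commit message does not mention.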
Enable the new DXE image protection for all images, i.e., FV images but
also external images that originate from disk or the network, such as
OS loaders.

This complements work that is underway on the arm64/Linux kernel side,
to emit the OS loader with 4 KB section alignment, and a suitable split
between code and data.

http://marc.info/?l=linux-arm-kernel&m=148655557227819

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 ArmVirtPkg/ArmVirt.dsc.inc | 10 ++++++++++
 1 file changed, 10 insertions(+)

--
2.7.4