diff mbox

[edk2] ArmVirtPkg/ArmVirt.dsc.inc: AARCH64: enable DXE image protection feature

Message ID 1487764485-18631-1-git-send-email-ard.biesheuvel@linaro.org
State Accepted
Commit 7b30036b5edc907c4bc2ec40b224e0266530207d
Headers show

Commit Message

Ard Biesheuvel Feb. 22, 2017, 11:54 a.m. UTC
Enable the new DXE image protection for all image, i.e., FV images but
also external images that originate from disk or the network, such as
OS loaders.

This complements work that is underway on the arm64/Linux kernel side,
to emit the OS loader with 4 KB section alignment, and a suitable split
between code and data.

http://marc.info/?l=linux-arm-kernel&m=148655557227819

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

---
 ArmVirtPkg/ArmVirt.dsc.inc | 10 ++++++++++
 1 file changed, 10 insertions(+)

-- 
2.7.4

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Comments

Laszlo Ersek Feb. 23, 2017, 9:36 a.m. UTC | #1
On 02/22/17 12:54, Ard Biesheuvel wrote:
> Enable the new DXE image protection for all image, i.e., FV images but

> also external images that originate from disk or the network, such as

> OS loaders.

> 

> This complements work that is underway on the arm64/Linux kernel side,

> to emit the OS loader with 4 KB section alignment, and a suitable split

> between code and data.

> 

> http://marc.info/?l=linux-arm-kernel&m=148655557227819

> 

> Contributed-under: TianoCore Contribution Agreement 1.0

> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

> ---

>  ArmVirtPkg/ArmVirt.dsc.inc | 10 ++++++++++

>  1 file changed, 10 insertions(+)

> 

> diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc

> index dbd6678accde..c0d5e7c6aa6d 100644

> --- a/ArmVirtPkg/ArmVirt.dsc.inc

> +++ b/ArmVirtPkg/ArmVirt.dsc.inc

> @@ -17,6 +17,9 @@ [Defines]

>    DEFINE DEBUG_PRINT_ERROR_LEVEL = 0x8000004F

>    DEFINE TTY_TERMINAL            = FALSE

>  

> +[BuildOptions.common.EDKII.DXE_DRIVER,BuildOptions.common.EDKII.UEFI_DRIVER,BuildOptions.common.EDKII.UEFI_APPLICATION]

> +  GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x1000

> +

>  [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER]

>    GCC:*_*_ARM_DLINK_FLAGS = -z common-page-size=0x1000

>    GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x10000

> @@ -380,6 +383,13 @@ [PcdsFixedAtBuild.common]

>  [PcdsFixedAtBuild.ARM]

>    gEmbeddedTokenSpaceGuid.PcdPrePiCpuMemorySize|40

>  

> +[PcdsFixedAtBuild.AARCH64]

> +  #

> +  # Enable strict image permissions for all images. (This applies

> +  # only to images that were built with >= 4 KB section alignment.)

> +  #

> +  gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3

> +

>  [Components.common]

>    #

>    # Networking stack

> 


So, if I understand correctly, setting BIT0 will not break external
images with unaligned sections, they just won't be protected, and
they'll trigger loud warnings. OK.

Reviewed-by: Laszlo Ersek <lersek@redhat.com>


Thanks
Laszlo
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
Ard Biesheuvel Feb. 24, 2017, 3:17 p.m. UTC | #2
On 23 February 2017 at 09:36, Laszlo Ersek <lersek@redhat.com> wrote:
> On 02/22/17 12:54, Ard Biesheuvel wrote:

>> Enable the new DXE image protection for all image, i.e., FV images but

>> also external images that originate from disk or the network, such as

>> OS loaders.

>>

>> This complements work that is underway on the arm64/Linux kernel side,

>> to emit the OS loader with 4 KB section alignment, and a suitable split

>> between code and data.

>>

>> http://marc.info/?l=linux-arm-kernel&m=148655557227819

>>

>> Contributed-under: TianoCore Contribution Agreement 1.0

>> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

>> ---

>>  ArmVirtPkg/ArmVirt.dsc.inc | 10 ++++++++++

>>  1 file changed, 10 insertions(+)

>>

>> diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc

>> index dbd6678accde..c0d5e7c6aa6d 100644

>> --- a/ArmVirtPkg/ArmVirt.dsc.inc

>> +++ b/ArmVirtPkg/ArmVirt.dsc.inc

>> @@ -17,6 +17,9 @@ [Defines]

>>    DEFINE DEBUG_PRINT_ERROR_LEVEL = 0x8000004F

>>    DEFINE TTY_TERMINAL            = FALSE

>>

>> +[BuildOptions.common.EDKII.DXE_DRIVER,BuildOptions.common.EDKII.UEFI_DRIVER,BuildOptions.common.EDKII.UEFI_APPLICATION]

>> +  GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x1000

>> +

>>  [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER]

>>    GCC:*_*_ARM_DLINK_FLAGS = -z common-page-size=0x1000

>>    GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x10000

>> @@ -380,6 +383,13 @@ [PcdsFixedAtBuild.common]

>>  [PcdsFixedAtBuild.ARM]

>>    gEmbeddedTokenSpaceGuid.PcdPrePiCpuMemorySize|40

>>

>> +[PcdsFixedAtBuild.AARCH64]

>> +  #

>> +  # Enable strict image permissions for all images. (This applies

>> +  # only to images that were built with >= 4 KB section alignment.)

>> +  #

>> +  gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3

>> +

>>  [Components.common]

>>    #

>>    # Networking stack

>>

>

> So, if I understand correctly, setting BIT0 will not break external

> images with unaligned sections, they just won't be protected, and

> they'll trigger loud warnings. OK.

>


Indeed.

> Reviewed-by: Laszlo Ersek <lersek@redhat.com>

>


Pushed, thanks.
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
diff mbox

Patch

diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
index dbd6678accde..c0d5e7c6aa6d 100644
--- a/ArmVirtPkg/ArmVirt.dsc.inc
+++ b/ArmVirtPkg/ArmVirt.dsc.inc
@@ -17,6 +17,9 @@  [Defines]
   DEFINE DEBUG_PRINT_ERROR_LEVEL = 0x8000004F
   DEFINE TTY_TERMINAL            = FALSE
 
+[BuildOptions.common.EDKII.DXE_DRIVER,BuildOptions.common.EDKII.UEFI_DRIVER,BuildOptions.common.EDKII.UEFI_APPLICATION]
+  GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x1000
+
 [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER]
   GCC:*_*_ARM_DLINK_FLAGS = -z common-page-size=0x1000
   GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x10000
@@ -380,6 +383,13 @@  [PcdsFixedAtBuild.common]
 [PcdsFixedAtBuild.ARM]
   gEmbeddedTokenSpaceGuid.PcdPrePiCpuMemorySize|40
 
+[PcdsFixedAtBuild.AARCH64]
+  #
+  # Enable strict image permissions for all images. (This applies
+  # only to images that were built with >= 4 KB section alignment.)
+  #
+  gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3
+
 [Components.common]
   #
   # Networking stack