diff options
author | Ard Biesheuvel <ard.biesheuvel@linaro.org> | 2017-02-28 15:11:19 +0000 |
---|---|---|
committer | Ard Biesheuvel <ard.biesheuvel@linaro.org> | 2017-03-08 09:40:38 +0100 |
commit | af33429b7978638c5f9d92f88503098f0e40c1e7 (patch) | |
tree | 5a28ebd00cf5a686c9fa3d0ad2862847ca2eb9b4 | |
parent | 70e19a5790a6039d78c0975d01b8356a279a9a61 (diff) |
Platforms/AMD/Overdrive: enable strict memory permission policy
Implement a strict separation between writable and executable memory,
by enabling the new core features that
- map PE/COFF code and data sections with either executable or writable
permissions, but never both;
- map all other regions with the XN attributes set.
Note that the former requires 4 KB section alignment, which is not the
default when using the tiny code model, so set the section alignment
explicitly both for DEBUG and RELEASE builds.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
-rw-r--r-- | Platforms/AMD/Styx/OverdriveBoard/OverdriveBoard.dsc | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/Platforms/AMD/Styx/OverdriveBoard/OverdriveBoard.dsc b/Platforms/AMD/Styx/OverdriveBoard/OverdriveBoard.dsc index a236836..dcab8fb 100644 --- a/Platforms/AMD/Styx/OverdriveBoard/OverdriveBoard.dsc +++ b/Platforms/AMD/Styx/OverdriveBoard/OverdriveBoard.dsc @@ -273,6 +273,9 @@ DEFINE DO_KCS = 1 [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER]
GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x10000
+[BuildOptions.common.EDKII.DXE_DRIVER,BuildOptions.common.EDKII.UEFI_DRIVER,BuildOptions.common.EDKII.UEFI_APPLICATION]
+ GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x1000
+
################################################################################
#
# Pcd Section - list of all EDK II PCD Entries defined by this Platform
@@ -440,6 +443,19 @@ DEFINE DO_KCS = 1 ## ACPI (no tables < 4GB)
gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiExposedTableVersions|0x20
+ #
+ # Enable strict image permissions for all images. (This applies
+ # only to images that were built with >= 4 KB section alignment.)
+ #
+ gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3
+
+ #
+ # Enable NX memory protection for all non-code regions, including OEM and OS
+ # reserved ones, with the exception of LoaderData regions, of which OS loaders
+ # (i.e., GRUB) may assume that its contents are executable.
+ #
+ gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD1
+
!if $(DO_PSCI)
gAmdStyxTokenSpaceGuid.PcdPsciOsSupport|TRUE
!else
|