Introduce a new bit in the NX memory protection policy PCD mask that specifies that the platform enters DXE with all unused and all non-code regions mapped with non-execute permissions.
This removes the need to do a pass over all memory regions to update their NX memory attributes.

Signed-off-by: Ard Biesheuvel <a...@kernel.org>
---
 MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c | 7 +++++++
 MdeModulePkg/MdeModulePkg.dec | 3 +++
 2 files changed, 10 insertions(+)

diff --git a/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c b/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c
index 7cc829b17402c2bc..983ed450f143d62d 100644
--- a/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c
+++ b/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c
@@ -861,6 +861,13 @@ InitializeDxeNxMemoryProtectionPolicy (
 ASSERT (StackBase != 0);
 }
 
+ //
+ // If the platform maps all DRAM non-execute by default, we are done here.
+ //
+ if ((PcdGet64 (PcdDxeNxMemoryProtectionPolicy) & BIT61) != 0) {
+ return;
+ }
+
 DEBUG ((
 DEBUG_INFO,
 "%a: applying strict permissions to active memory regions\n",
diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
index 2d72ac733d82195e..d2bd0cbb40300889 100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
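Review bot: The early return added ahead of the DEBUG call leaves no trace in the boot log that the strict-permission pass was skipped, so a platform that sets BIT61 without actually having mapped unused and non-code memory NX looks identical in the log to one where the pass never ran. Emitting one line before returning, e.g. `DEBUG ((DEBUG_INFO, "%a: platform maps unused/non-code memory NX by default, skipping\n", __FUNCTION__));`, keeps that policy decision visible to anyone diagnosing memory-protection behaviour from a firmware log. The new comment also says "all DRAM", while the .dec hunk documents the bit as "all unused and non-code regions mapped NX"; aligning it with the .dec wording (`// If the platform enters DXE with all unused and non-code regions mapped NX, we are done here.`) avoids implying that code regions are covered. InitializeDxeNxMemoryProtectionPolicy begins before and continues after this hunk.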
@@ -1416,12 +1416,15 @@ [PcdsFixedAtBuild, PcdsPatchableInModule]
 # EfiMemoryMappedIOPortSpace 0x1000<BR>
 # EfiPalCode 0x2000<BR>
 # EfiPersistentMemory 0x4000<BR>
+ # Default state 0x2000000000000000<BR>
 # OEM Reserved 0x4000000000000000<BR>
 # OS Reserved 0x8000000000000000<BR>
 #
 # NOTE: User must NOT set NX protection for EfiLoaderCode / EfiBootServicesCode / EfiRuntimeServicesCode. <BR>
 # User MUST set the same NX protection for EfiBootServicesData and EfiConventionalMemory. <BR>
 #
+ # If the platform enters DXE with all unused and non-code regions mapped NX, bit 61 should be set.<BR>
+ #
 # e.g. 0x7FD5 can be used for all memory except Code. <BR>
 # e.g. 0x7BD4 can be used for all memory except Code and ACPINVS/Reserved. <BR>
 #
-- 
2.39.2

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#105371): https://edk2.groups.io/g/devel/message/105371
Mute This Topic: https://groups.io/mt/99197143/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-