On 10/9/23 02:07, Taylor Beebe wrote: > Now that the transition to use SetMemoryProtectionsLib and > GetMemoryProtectionsLib is complete, delete the memory protection PCDs > to avoid confusing the interface. All memory protection settings > will now be set and consumed via the libraries. > > Signed-off-by: Taylor Beebe <taylor.d.be...@gmail.com> > Cc: Ard Biesheuvel <ardb+tianoc...@kernel.org> > Cc: Jiewen Yao <jiewen....@intel.com> > Cc: Jordan Justen <jordan.l.jus...@intel.com> > Cc: Gerd Hoffmann <kra...@redhat.com> > Cc: Rebecca Cran <rebe...@bsdio.com> > Cc: Peter Grehan <gre...@freebsd.org> > Cc: Corvin Köhne <corv...@freebsd.org> > Cc: Jianyong Wu <jianyong...@arm.com> > Cc: Anatol Belski <anbel...@linux.microsoft.com> > Cc: Anthony Perard <anthony.per...@citrix.com> > Cc: Julien Grall <jul...@xen.org> > Cc: Erdem Aktas <erdemak...@google.com> > Cc: James Bottomley <j...@linux.ibm.com> > Cc: Min Xu <min.m...@intel.com> > Cc: Tom Lendacky <thomas.lenda...@amd.com> > Cc: Michael Roth <michael.r...@amd.com> > Cc: Sunil V L <suni...@ventanamicro.com> > Cc: Andrei Warkentin <andrei.warken...@intel.com> > --- > OvmfPkg/AmdSev/AmdSevX64.dsc | 3 --- > OvmfPkg/Bhyve/BhyveX64.dsc | 3 --- > OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf | 1 - > OvmfPkg/CloudHv/CloudHvX64.dsc | 3 --- > OvmfPkg/IntelTdx/IntelTdxX64.dsc | 3 --- > OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf | 1 - > OvmfPkg/Microvm/MicrovmX64.dsc | 3 --- > OvmfPkg/OvmfPkgIa32.dsc | 3 --- > OvmfPkg/OvmfPkgIa32X64.dsc | 3 --- > OvmfPkg/OvmfPkgX64.dsc | 3 --- > OvmfPkg/OvmfXen.dsc | 3 --- > OvmfPkg/PlatformPei/PlatformPei.inf | 1 - > OvmfPkg/RiscVVirt/RiscVVirt.dsc.inc | 13 ------------- > OvmfPkg/TdxDxe/TdxDxe.inf | 1 - > 14 files changed, 44 deletions(-) > > diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc > index b67b50b833b9..46a74e4f8ee8 100644 > --- a/OvmfPkg/AmdSev/AmdSevX64.dsc > +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc 
> @@ -516,9 +516,6 @@ [PcdsDynamicDefault] > gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0 > gUefiOvmfPkgTokenSpaceGuid.PcdQemuSmbiosValidated|FALSE > > - # Noexec settings for DXE. > - gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|FALSE > - > # UefiCpuPkg PCDs related to initial AP bringup and general AP management. > gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber|64 > gUefiCpuPkgTokenSpaceGuid.PcdCpuBootLogicalProcessorNumber|0 > diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc > index 5af5831196f6..21baa47d2526 100644 > --- a/OvmfPkg/Bhyve/BhyveX64.dsc > +++ b/OvmfPkg/Bhyve/BhyveX64.dsc > @@ -550,9 +550,6 @@ [PcdsDynamicDefault] > gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0 > gUefiOvmfPkgTokenSpaceGuid.PcdQemuSmbiosValidated|FALSE > > - # Noexec settings for DXE. > - gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|FALSE > - > # UefiCpuPkg PCDs related to initial AP bringup and general AP management. > gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber|64 > gUefiCpuPkgTokenSpaceGuid.PcdCpuApInitTimeOutInMicroSeconds|50000 > diff --git a/OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf > b/OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf > index 07570d4e30ca..07f032941404 100644 > --- a/OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf > +++ b/OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf > @@ -89,7 +89,6 @@ [Pcd] > gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved > gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplSwitchToLongMode > gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable > - gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack > gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable > gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask > gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy > diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc b/OvmfPkg/CloudHv/CloudHvX64.dsc > index c550ebcd659e..b8d643dfda3c 100644 > --- a/OvmfPkg/CloudHv/CloudHvX64.dsc > +++ b/OvmfPkg/CloudHv/CloudHvX64.dsc 
> @@ -600,9 +600,6 @@ [PcdsDynamicDefault] > gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0 > gUefiOvmfPkgTokenSpaceGuid.PcdQemuSmbiosValidated|FALSE > > - # Noexec settings for DXE. > - gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|FALSE > - > # UefiCpuPkg PCDs related to initial AP bringup and general AP management. > gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber|64 > gUefiCpuPkgTokenSpaceGuid.PcdCpuBootLogicalProcessorNumber|0 > diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc > b/OvmfPkg/IntelTdx/IntelTdxX64.dsc > index a3370f45940c..513727ae98ff 100644 > --- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc > +++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc > @@ -511,9 +511,6 @@ [PcdsDynamicDefault] > gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0 > gUefiOvmfPkgTokenSpaceGuid.PcdQemuSmbiosValidated|FALSE > > - # Noexec settings for DXE. > - gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|TRUE > - > # UefiCpuPkg PCDs related to initial AP bringup and general AP management. > gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber|64 > gUefiCpuPkgTokenSpaceGuid.PcdCpuBootLogicalProcessorNumber|0 > diff --git a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf > b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf > index a6d7b53f52cf..009bee69e405 100644 > --- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf > +++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf > @@ -79,7 +79,6 @@ [Pcd] > gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplBuildPageTables ## CONSUMES > gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable ## > SOMETIMES_CONSUMES > gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask ## > CONSUMES > - gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack ## > CONSUMES > gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase > gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvSize > gUefiOvmfPkgTokenSpaceGuid.PcdSecureBootSupported 
> diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc > index da5a4862bfdc..78f2ab64a60d 100644 > --- a/OvmfPkg/Microvm/MicrovmX64.dsc > +++ b/OvmfPkg/Microvm/MicrovmX64.dsc > @@ -623,9 +623,6 @@ [PcdsDynamicDefault] > gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0 > gUefiOvmfPkgTokenSpaceGuid.PcdQemuSmbiosValidated|FALSE > > - # Noexec settings for DXE. > - gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|FALSE > - > # UefiCpuPkg PCDs related to initial AP bringup and general AP management. > gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber|64 > gUefiCpuPkgTokenSpaceGuid.PcdCpuBootLogicalProcessorNumber|0 > diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc > index d4d14b69ef1d..0f2b1812a821 100644 > --- a/OvmfPkg/OvmfPkgIa32.dsc > +++ b/OvmfPkg/OvmfPkgIa32.dsc > @@ -634,9 +634,6 @@ [PcdsDynamicDefault] > gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0 > gUefiOvmfPkgTokenSpaceGuid.PcdQemuSmbiosValidated|FALSE > > - # Noexec settings for DXE. > - gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|FALSE > - > # UefiCpuPkg PCDs related to initial AP bringup and general AP management. > gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber|64 > gUefiCpuPkgTokenSpaceGuid.PcdCpuBootLogicalProcessorNumber|0 > diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc > index 674010323df1..6180d267067a 100644 > --- a/OvmfPkg/OvmfPkgIa32X64.dsc > +++ b/OvmfPkg/OvmfPkgIa32X64.dsc > @@ -652,9 +652,6 @@ [PcdsDynamicDefault] > gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0 > gUefiOvmfPkgTokenSpaceGuid.PcdQemuSmbiosValidated|FALSE > > - # Noexec settings for DXE. > - gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|FALSE > - > # UefiCpuPkg PCDs related to initial AP bringup and general AP management. > gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber|64 > gUefiCpuPkgTokenSpaceGuid.PcdCpuBootLogicalProcessorNumber|0 
> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc > index 08b70d76d292..937488b043f4 100644 > --- a/OvmfPkg/OvmfPkgX64.dsc > +++ b/OvmfPkg/OvmfPkgX64.dsc > @@ -670,9 +670,6 @@ [PcdsDynamicDefault] > gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0 > gUefiOvmfPkgTokenSpaceGuid.PcdQemuSmbiosValidated|FALSE > > - # Noexec settings for DXE. > - gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|FALSE > - > # UefiCpuPkg PCDs related to initial AP bringup and general AP management. > gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber|64 > gUefiCpuPkgTokenSpaceGuid.PcdCpuBootLogicalProcessorNumber|0 > diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc > index d80e20a151d7..e3631202238b 100644 > --- a/OvmfPkg/OvmfXen.dsc > +++ b/OvmfPkg/OvmfXen.dsc > @@ -506,9 +506,6 @@ [PcdsDynamicDefault] > gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0 > gUefiOvmfPkgTokenSpaceGuid.PcdQemuSmbiosValidated|FALSE > > - # Noexec settings for DXE. > - gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|FALSE > - > # Set memory encryption mask > gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask|0x0 > > diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf > b/OvmfPkg/PlatformPei/PlatformPei.inf > index fbaa6bdc8ee5..3085f4f46a50 100644 > --- a/OvmfPkg/PlatformPei/PlatformPei.inf > +++ b/OvmfPkg/PlatformPei/PlatformPei.inf > @@ -104,7 +104,6 @@ [Pcd] > gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved > gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplSwitchToLongMode > gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable > - gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack > gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable > gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask > gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase > diff --git a/OvmfPkg/RiscVVirt/RiscVVirt.dsc.inc > b/OvmfPkg/RiscVVirt/RiscVVirt.dsc.inc > index fe320525153f..57304c40766a 100644 > --- a/OvmfPkg/RiscVVirt/RiscVVirt.dsc.inc > +++ b/OvmfPkg/RiscVVirt/RiscVVirt.dsc.inc 
> @@ -271,19 +271,6 @@ [PcdsFixedAtBuild.common] > gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiLoaderCode|20 > gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiLoaderData|0 > > - # > - # Enable strict image permissions for all images. (This applies > - # only to images that were built with >= 4 KB section alignment.) > - # > - gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3 > - > - # > - # Enable NX memory protection for all non-code regions, including OEM and > OS > - # reserved ones, with the exception of LoaderData regions, of which OS > loaders > - # (i.e., GRUB) may assume that its contents are executable. > - # > - > gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD5 > - > [Components.common] > # > # Ramdisk support > diff --git a/OvmfPkg/TdxDxe/TdxDxe.inf b/OvmfPkg/TdxDxe/TdxDxe.inf > index 9793562884c7..42317228c1aa 100644 > --- a/OvmfPkg/TdxDxe/TdxDxe.inf > +++ b/OvmfPkg/TdxDxe/TdxDxe.inf > @@ -68,6 +68,5 @@ [Pcd] > gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFdBaseAddress > gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr > gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask > - gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack > gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved > gUefiOvmfPkgTokenSpaceGuid.PcdTdxAcceptPageSize
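Review bot: In the OvmfPkg/IntelTdx/IntelTdxX64.dsc hunk the removed line is `gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|TRUE`, while every other .dsc hunk in this patch (AmdSev, Bhyve, CloudHv, Microvm, OvmfPkgIa32, OvmfPkgIa32X64, OvmfPkgX64, OvmfXen) removes `...|FALSE`. IntelTdx was therefore the one platform with a non-default NX-for-stack setting, and the commit message ("All memory protection settings will now be set and consumed via the libraries") does not say which profile each platform ends up with. Please state in the commit message that the TDX profile keeps NX for the stack enabled and that the other platforms keep it disabled, or, if either is not the case, call the behavior change out explicitly so it does not pass as a pure cleanup.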
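Review bot: In the OvmfPkg/RiscVVirt/RiscVVirt.dsc.inc hunk the deleted block drops two non-default values, `PcdImageProtectionPolicy|0x3` and `PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD5`, together with the only written rationale for the second one (the LoaderData exception, because OS loaders such as GRUB may assume the contents of their LoaderData regions are executable). If the RiscVVirt profile in SetMemoryProtectionsLib reproduces exactly these values, that comment should move there rather than disappear, since it is the compatibility reason for the carve-out; if it does not, this patch changes which regions are NX on RiscVVirt and the commit message should say so.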
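Review bot: In the OvmfPkg/PlatformPei/PlatformPei.inf hunk (and likewise the OvmfPkg/Bhyve/PlatformPei/PlatformPei.inf, OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf and OvmfPkg/TdxDxe/TdxDxe.inf hunks) the `[Pcd]` consumer entry for `gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack` is removed, but the diffstat lists only .dsc and .inf files, so each of those modules must already have had its uses of that token replaced in an earlier patch of the series. A one-line pointer to that earlier patch in the commit message would let a reviewer confirm nothing in those modules still reads or sets the token, because a leftover use fails to build once the `[Pcd]` declaration is gone.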
Seems reasonable, superficially; whether the new / default profile settings will ensure identical behavior (wherever needed for compatibility), I can't say. Of course if we can restrict the policies and everything just continues working, that's ideal; I can't tell whether that's the case though.

Acked-by: Laszlo Ersek <ler...@redhat.com>

Laszlo

View/Reply Online (#109451): https://edk2.groups.io/g/devel/message/109451