Revision: 18360
http://sourceforge.net/p/edk2/code/18360
Author: lersek
Date: 2015-08-28 08:12:51 +0000 (Fri, 28 Aug 2015)
Log Message:
-----------
OvmfPkg: prevent code execution from DXE stack
SVN rev 18166 ("MdeModulePkg DxeIpl: Add stack NX support") enables
platforms to request non-executable stack for the DXE phase, by setting
PcdSetNxForStack to TRUE.
The PCD defaults to FALSE, because:
(a) A non-executable DXE stack is a new feature and causes changes in
behavior. Some platform could rely on executing code from the stack.
(b) The code enabling NX in the DXE IPL PEIM enforces the
PcdSetNxForStack ==> PcdDxeIplBuildPageTables
implication for "64-bit PEI + 64-bit DXE" platforms, with a new
ASSERT(). Some platform might not comply with this requirement
immediately.
Regarding (a), in none of the OVMF builds do we try to execute code from
the stack.
Regarding (b):
- In the OvmfPkgX64.dsc build (which is where (b) applies) we simply
inherit the PcdDxeIplBuildPageTables|TRUE default from
"MdeModulePkg/MdeModulePkg.dec". Therefore we can set PcdSetNxForStack
to TRUE.
- In OvmfPkgIa32X64.dsc, page tables are built by default for DXE. Hence
we can set PcdSetNxForStack to TRUE.
- In OvmfPkgIa32.dsc, page tables used not to be necessary until now.
After we set PcdSetNxForStack to TRUE in this patch, the DXE IPL will
construct page tables even when it is built as part of OvmfPkgIa32.dsc,
provided the (virtual) hardware supports both PAE mode and the XD bit.
Should this setting cause problems in a GPU (or other device) passthru
scenario, with a UEFI_DRIVER in the PCI option rom attempting to execute
code from the stack, the feature can be dynamically disabled on the QEMU
command line, with "-cpu <MODEL>,-nx".
Cc: Paolo Bonzini <[email protected]>
Cc: Jordan Justen <[email protected]>
Cc: "Zeng, Star" <[email protected]>
Suggested-by: Paolo Bonzini <[email protected]>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <[email protected]>
Reviewed-by: Star Zeng <[email protected]>
Revision Links:
--------------
http://sourceforge.net/p/edk2/code/18166
Modified Paths:
--------------
trunk/edk2/OvmfPkg/OvmfPkgIa32.dsc
trunk/edk2/OvmfPkg/OvmfPkgIa32X64.dsc
trunk/edk2/OvmfPkg/OvmfPkgX64.dsc
Modified: trunk/edk2/OvmfPkg/OvmfPkgIa32.dsc
===================================================================
--- trunk/edk2/OvmfPkg/OvmfPkgIa32.dsc 2015-08-28 08:12:42 UTC (rev 18359)
+++ trunk/edk2/OvmfPkg/OvmfPkgIa32.dsc 2015-08-28 08:12:51 UTC (rev 18360)
@@ -308,6 +308,7 @@
!endif
[PcdsFixedAtBuild]
+ gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|TRUE
gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1
gEfiMdeModulePkgTokenSpaceGuid.PcdResetOnMemoryTypeInformationChange|FALSE
gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x10
Modified: trunk/edk2/OvmfPkg/OvmfPkgIa32X64.dsc
===================================================================
--- trunk/edk2/OvmfPkg/OvmfPkgIa32X64.dsc 2015-08-28 08:12:42 UTC (rev
18359)
+++ trunk/edk2/OvmfPkg/OvmfPkgIa32X64.dsc 2015-08-28 08:12:51 UTC (rev
18360)
@@ -313,6 +313,7 @@
!endif
[PcdsFixedAtBuild]
+ gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|TRUE
gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1
gEfiMdeModulePkgTokenSpaceGuid.PcdResetOnMemoryTypeInformationChange|FALSE
gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x10
Modified: trunk/edk2/OvmfPkg/OvmfPkgX64.dsc
===================================================================
--- trunk/edk2/OvmfPkg/OvmfPkgX64.dsc 2015-08-28 08:12:42 UTC (rev 18359)
+++ trunk/edk2/OvmfPkg/OvmfPkgX64.dsc 2015-08-28 08:12:51 UTC (rev 18360)
@@ -313,6 +313,7 @@
!endif
[PcdsFixedAtBuild]
+ gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|TRUE
gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1
gEfiMdeModulePkgTokenSpaceGuid.PcdResetOnMemoryTypeInformationChange|FALSE
gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x10
------------------------------------------------------------------------------
_______________________________________________
edk2-commits mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/edk2-commits
