Write Protect feature (CR0.WP) is always enabled in driver UefiCpuPkg/CpuDxe. But the memory pages used for page table are not set as read-only in the driver DxeIplPeim, after the paging is setup. This might jeopardize the page table integrity if there's buffer overflow occured in other part of system.
This patch series will change this situation by clearing R/W bit in page attribute of the pages used as page table. Validation works include booting Windows (10/server 2016) and Linux (Fedora/Ubuntu) on OVMF and Intel real platform. Jian J Wang (2): UefiCpuPkg/CpuDxe: Check CR0.WP before changing page table MdeModulePkg/DxeIpl: Mark page table as read-only MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c | 166 +++++++++++++++++++++++ MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h | 14 ++ UefiCpuPkg/CpuDxe/CpuPageTable.c | 65 ++++++++- 3 files changed, 241 insertions(+), 4 deletions(-) -- 2.14.1.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel