> On Oct 20, 2014, at 9:27 AM, Ard Biesheuvel <ard.biesheu...@linaro.org> wrote:
>
>> Thanks for your reply.
>>
>> However, the question was about write-protected and execute-protected
>> data. While the UEFI spec describes those bits, it is unclear to me if
>> I can legally map the runtime code sections as read-only and the
>> runtime data sections as execute protected, which is preferable from
>> security point of view. Currently, all regions (except the MMIO ones)
>> are mapped read-write-execute, which means an exploit can cause much
>> more damage than necessary, especially considering the fact that Linux
>> has kexec(), which implements reboot without going through a firmware
>> reset.
>>
>
> After reading more carefully (apologies), I suppose mapping code as
> write protected may cause trouble for static read-write data then?
> But mapping data as execute protected should be feasible ...
>
Yes. For code you would have to lower and raise protections around an EFI call,
which may be OK since the calls are infrequent and not performance critical.
Thanks,
Andrew Fish
------------------------------------------------------------------------------
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/edk2-devel
