Hi,

> > What number would you expect? I'd hope that we get to <100 realistically.
> >
> > I'm happy to hear about alternatives to this approach. I'm very confident 
> > that forcing NX on always is going to have the opposite effect of what we 
> > want: Everyone who ships AAVMF binaries will disable NX because they 
> > eventually get bug reports from users that their shiny update regressed 
> > some legit use case.
> >
> > The only alternative I can think of would be logic similar to the patch I 
> > sent without any grub hash check: Exclude AllocatePages for LoaderData from 
> > the NX logic. Keep NX for any other non-code memory type as well as 
> > LoaderData pool allocations.

> Another thing we might consider is trapping exec permission violations
> and switching the pages in question from rw- to r-x.

That sounds neat, especially as we can print a big'n'fat warning in that
case, so the problem gets attention without actually breaking users.

Looking at the EFI calls, it looks like edk2 doesn't track the owner of
an allocation (say by image handle), so I suspect it is not possible to
automatically figure out who is to blame?

> Does GRUB generally load/map executable modules at page granularity?

I don't think so, at least the code handles modules not being page
aligned.  But I think it's not grub modules, that fix was actually
picked up meanwhile.  But there are downstream patches for image
loader code which look suspicious to me ...

take care,
  Gerd


