The OP-TEE secure OS exposes a non-secure memory region for communication between the secure OS itself and any clients in the non-secure firmware. This memory is writable by non-secure and is not used for code only data, and so it should be mapped non-executable.
Signed-off-by: Ard Biesheuvel <a...@kernel.org> --- ArmPkg/Library/OpteeLib/Optee.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ArmPkg/Library/OpteeLib/Optee.c b/ArmPkg/Library/OpteeLib/Optee.c index 46464f17ef06653e..3acf172b68a2d34c 100644 --- a/ArmPkg/Library/OpteeLib/Optee.c +++ b/ArmPkg/Library/OpteeLib/Optee.c @@ -86,7 +86,12 @@ OpteeSharedMemoryRemap ( return EFI_BUFFER_TOO_SMALL; } - Status = ArmSetMemoryAttributes (PhysicalAddress, Size, EFI_MEMORY_WB, 0); + Status = ArmSetMemoryAttributes ( + PhysicalAddress, + Size, + EFI_MEMORY_WB | EFI_MEMORY_XP, + 0 + ); if (EFI_ERROR (Status)) { return Status; } -- 2.39.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#106350): https://edk2.groups.io/g/devel/message/106350 Mute This Topic: https://groups.io/mt/99783775/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-