On Mon, 17 Jul 2023 at 18:15, Pedro Falcato <pedro.falc...@gmail.com> wrote:
>
> On Wed, Jul 12, 2023 at 12:53 AM Taylor Beebe <t...@taylorbeebe.com> wrote:
> >
> > In the past, memory protection settings were configured via FixedAtBuild PCDs,
> > which resulted in a build-time configuration of memory mitigations. This
> > approach limited the flexibility of applying mitigations to the
> > system and made it difficult to update or adjust the settings post-build.
>
> How do you mitigate the possibility of an attack overwriting the
> dynamic configuration data (the HOBs)?
> It seems most dangerous to me to publish this sort of
> security-sensitive configuration knobs dynamically such that an
> attacker can change them.
>

That is a very good point. One of the things I have on my TODO list
for the memory attributes PEI work is to remap HOB memory read-only
before entering DXE. They are conceptually read-only anyway when PEI
completes, so they should never be modified afterwards.

