Re: [edk2] [PATCH v2 2/2] MdeModulePkg/DxeIpl: support more NX related PCDs
I'm fine with them too. So we have two minor changes:
1. Change EnableNonExec to IsEnableNonExecNeeded
2. Move IsExecuteDisableBitAvailable() to VirtualMemory.c
I think v3 is not necessary. I'll push the patch after enough test.
Regards,
Jian
> -Original Message-
> From: Laszlo Ersek [mailto:ler...@redhat.com]
> Sent: Friday, September 21, 2018 6:14 PM
> To: Zeng, Star ; Wang, Jian J ;
> edk2-devel@lists.01.org
> Cc: Ni, Ruiyu ; Yao, Jiewen
> Subject: Re: [edk2] [PATCH v2 2/2] MdeModulePkg/DxeIpl: support more NX
> related PCDs
>
> On 09/21/18 10:42, Zeng, Star wrote:
> > Another minor suggestion is to move IsExecuteDisableBitAvailable() to
> > VirtualMemory.c, then there will be no need to declare it in
> > VirtualMemeory.h.
>
> I'm fine with both ideas (name change as you see fit, and code movement).
>
> Thanks
> Laszlo
>
> >
> >
> > Thanks,
> > Star
> > On 2018/9/21 14:00, Zeng, Star wrote:
> >> Jian and Laszlo,
> >>
> >> There is also a superficial comment at below.
> >>
> >> On 2018/9/20 14:02, Jian J Wang wrote:
> >>>> v2 changes:
> >>>> a. remove macros no longer needed
> >>>> b. remove DEBUG and ASSERT in ToEnableExecuteDisableFeature()
> >>>> c. change ToEnableExecuteDisableFeature to EnableNonExec
> >>>
> >>> BZ#1116: https://bugzilla.tianocore.org/show_bug.cgi?id=1116
> >>>
> >>> Currently IA32_EFER.NXE is only set against PcdSetNxForStack. This
> >>> confuses developers because following two other PCDs also need NXE
> >>> to be set, but actually not.
> >>>
> >>> PcdDxeNxMemoryProtectionPolicy
> >>> PcdImageProtectionPolicy
> >>>
> >>> This patch solves this issue by adding logic to enable IA32_EFER.NXE
> >>> if any of those PCDs have anything enabled.
> >>>
> >>> Cc: Star Zeng
> >>> Cc: Laszlo Ersek
> >>> Cc: Ard Biesheuvel
> >>> Cc: Ruiyu Ni
> >>> Cc: Jiewen Yao
> >>> Contributed-under: TianoCore Contribution Agreement 1.1
> >>> Signed-off-by: Jian J Wang
> >>> ---
> >>> MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf | 2 ++
> >>> MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c | 4 ++--
> >>> MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c | 30
> >>> +++-
> >>> MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h | 24
> >>> +++
> >>> 4 files changed, 57 insertions(+), 3 deletions(-)
> >>>
> >>> diff --git a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
> >>> b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
> >>> index fd82657404..068e700074 100644
> >>> --- a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
> >>> +++ b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
> >>> @@ -117,6 +117,8 @@
> >>> [Pcd.IA32,Pcd.X64,Pcd.ARM,Pcd.AARCH64]
> >>> gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack ##
> >>> SOMETIMES_CONSUMES
> >>> + gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy
> ##
> >>> SOMETIMES_CONSUMES
> >>> + gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy ##
> >>> SOMETIMES_CONSUMES
> >>> [Depex]
> >>> gEfiPeiLoadFilePpiGuid AND gEfiPeiMasterBootModePpiGuid
> >>> diff --git a/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c
> >>> b/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c
> >>> index d28baa3615..ccd30f964b 100644
> >>> --- a/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c
> >>> +++ b/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c
> >>> @@ -245,7 +245,7 @@ ToBuildPageTable (
> >>> return TRUE;
> >>> }
> >>> - if (PcdGetBool (PcdSetNxForStack) && IsExecuteDisableBitAvailable
> >>> ()) {
> >>> + if (EnableNonExec ()) {
> >>> return TRUE;
> >>> }
> >>> @@ -436,7 +436,7 @@ HandOffToDxeCore (
> >>> BuildPageTablesIa32Pae = ToBuildPageTable ();
> >>> if (BuildPageTablesIa32Pae) {
> >>> PageTables = Create4GPageTablesIa32Pae (BaseOfStack,
> >>> STACK_SIZE);
> >>> - if (IsExecuteDisableBitAvailable ()) {
> >>> + if (EnableNonExec ()) {
> >>> EnableExecuteDisableBit();
> >>> }
> >>> }
> &g
Re: [edk2] [PATCH v2 2/2] MdeModulePkg/DxeIpl: support more NX related PCDs
On 09/21/18 10:42, Zeng, Star wrote:
> Another minor suggestion is to move IsExecuteDisableBitAvailable() to
> VirtualMemory.c, then there will be no need to declare it in
> VirtualMemeory.h.
I'm fine with both ideas (name change as you see fit, and code movement).
Thanks
Laszlo
>
>
> Thanks,
> Star
> On 2018/9/21 14:00, Zeng, Star wrote:
>> Jian and Laszlo,
>>
>> There is also a superficial comment at below.
>>
>> On 2018/9/20 14:02, Jian J Wang wrote:
v2 changes:
a. remove macros no longer needed
b. remove DEBUG and ASSERT in ToEnableExecuteDisableFeature()
c. change ToEnableExecuteDisableFeature to EnableNonExec
>>>
>>> BZ#1116: https://bugzilla.tianocore.org/show_bug.cgi?id=1116
>>>
>>> Currently IA32_EFER.NXE is only set against PcdSetNxForStack. This
>>> confuses developers because following two other PCDs also need NXE
>>> to be set, but actually not.
>>>
>>> PcdDxeNxMemoryProtectionPolicy
>>> PcdImageProtectionPolicy
>>>
>>> This patch solves this issue by adding logic to enable IA32_EFER.NXE
>>> if any of those PCDs have anything enabled.
>>>
>>> Cc: Star Zeng
>>> Cc: Laszlo Ersek
>>> Cc: Ard Biesheuvel
>>> Cc: Ruiyu Ni
>>> Cc: Jiewen Yao
>>> Contributed-under: TianoCore Contribution Agreement 1.1
>>> Signed-off-by: Jian J Wang
>>> ---
>>> MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf | 2 ++
>>> MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c | 4 ++--
>>> MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c | 30
>>> +++-
>>> MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h | 24
>>> +++
>>> 4 files changed, 57 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
>>> b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
>>> index fd82657404..068e700074 100644
>>> --- a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
>>> +++ b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
>>> @@ -117,6 +117,8 @@
>>> [Pcd.IA32,Pcd.X64,Pcd.ARM,Pcd.AARCH64]
>>> gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack ##
>>> SOMETIMES_CONSUMES
>>> + gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy ##
>>> SOMETIMES_CONSUMES
>>> + gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy ##
>>> SOMETIMES_CONSUMES
>>> [Depex]
>>> gEfiPeiLoadFilePpiGuid AND gEfiPeiMasterBootModePpiGuid
>>> diff --git a/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c
>>> b/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c
>>> index d28baa3615..ccd30f964b 100644
>>> --- a/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c
>>> +++ b/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c
>>> @@ -245,7 +245,7 @@ ToBuildPageTable (
>>> return TRUE;
>>> }
>>> - if (PcdGetBool (PcdSetNxForStack) && IsExecuteDisableBitAvailable
>>> ()) {
>>> + if (EnableNonExec ()) {
>>> return TRUE;
>>> }
>>> @@ -436,7 +436,7 @@ HandOffToDxeCore (
>>> BuildPageTablesIa32Pae = ToBuildPageTable ();
>>> if (BuildPageTablesIa32Pae) {
>>> PageTables = Create4GPageTablesIa32Pae (BaseOfStack,
>>> STACK_SIZE);
>>> - if (IsExecuteDisableBitAvailable ()) {
>>> + if (EnableNonExec ()) {
>>> EnableExecuteDisableBit();
>>> }
>>> }
>>> diff --git a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c
>>> b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c
>>> index 496e219913..73b0f67c6b 100644
>>> --- a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c
>>> +++ b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c
>>> @@ -106,6 +106,31 @@ IsNullDetectionEnabled (
>>> return ((PcdGet8 (PcdNullPointerDetectionPropertyMask) & BIT0) !=
>>> 0);
>>> }
>>> +/**
>>> + Check if Execute Disable Bit (IA32_EFER.NXE) should be enabled or
>>> not.
>>> +
>>> + @retval TRUE IA32_EFER.NXE should be enabled.
>>> + @retval FALSE IA32_EFER.NXE should not be enabled.
>>> +
>>> +**/
>>> +BOOLEAN
>>> +EnableNonExec (
>>> + VOID
>>> + )
>>> +{
>>> + if (!IsExecuteDisableBitAvailable ()) {
>>> + return FALSE;
>>> + }
>>> +
>>> + //
>>> + // XD flag (BIT63) in page table entry is only valid if
>>> IA32_EFER.NXE is set.
>>> + // Features controlled by Following PCDs need this feature to be
>>> enabled.
>>> + //
>>> + return (PcdGetBool (PcdSetNxForStack) ||
>>> + PcdGet64 (PcdDxeNxMemoryProtectionPolicy) != 0 ||
>>> + PcdGet32 (PcdImageProtectionPolicy) != 0);
>>> +}
>>
>> I am a little confused by this function name compared with
>> EnableExecuteDisableBit(). This function is not really to enable NX,
>> but just to check whether enable NX is needed or not. How about using
>> name IsEnableNonExecNeeded or IsEnableNxNeeded or IsDisableExecuteNeeded?
>>
>>
>> Sorry I did not raise this comment in V1 patch thread.
>> If you agree with the name changing, Reviewed-by: Star Zeng
>> .
>>
>>
>> Thanks,
>> Star
>>> +
>>> /**
>>> Enable Execute Disable Bit.
>>> @@ -755,7 +780,10 @@ CreateIdentityMappingPageTables (
>>> //
>>> EnablePageTableProtection ((UINTN
Re: [edk2] [PATCH v2 2/2] MdeModulePkg/DxeIpl: support more NX related PCDs
Another minor suggestion is to move IsExecuteDisableBitAvailable() to
VirtualMemory.c, then there will be no need to declare it in
VirtualMemeory.h.
Thanks,
Star
On 2018/9/21 14:00, Zeng, Star wrote:
Jian and Laszlo,
There is also a superficial comment at below.
On 2018/9/20 14:02, Jian J Wang wrote:
v2 changes:
a. remove macros no longer needed
b. remove DEBUG and ASSERT in ToEnableExecuteDisableFeature()
c. change ToEnableExecuteDisableFeature to EnableNonExec
BZ#1116: https://bugzilla.tianocore.org/show_bug.cgi?id=1116
Currently IA32_EFER.NXE is only set against PcdSetNxForStack. This
confuses developers because following two other PCDs also need NXE
to be set, but actually not.
PcdDxeNxMemoryProtectionPolicy
PcdImageProtectionPolicy
This patch solves this issue by adding logic to enable IA32_EFER.NXE
if any of those PCDs have anything enabled.
Cc: Star Zeng
Cc: Laszlo Ersek
Cc: Ard Biesheuvel
Cc: Ruiyu Ni
Cc: Jiewen Yao
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jian J Wang
---
MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf | 2 ++
MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c | 4 ++--
MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c | 30
+++-
MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h | 24
+++
4 files changed, 57 insertions(+), 3 deletions(-)
diff --git a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
index fd82657404..068e700074 100644
--- a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
+++ b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
@@ -117,6 +117,8 @@
[Pcd.IA32,Pcd.X64,Pcd.ARM,Pcd.AARCH64]
gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack ##
SOMETIMES_CONSUMES
+ gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy ##
SOMETIMES_CONSUMES
+ gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy ##
SOMETIMES_CONSUMES
[Depex]
gEfiPeiLoadFilePpiGuid AND gEfiPeiMasterBootModePpiGuid
diff --git a/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c
b/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c
index d28baa3615..ccd30f964b 100644
--- a/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c
+++ b/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c
@@ -245,7 +245,7 @@ ToBuildPageTable (
return TRUE;
}
- if (PcdGetBool (PcdSetNxForStack) && IsExecuteDisableBitAvailable
()) {
+ if (EnableNonExec ()) {
return TRUE;
}
@@ -436,7 +436,7 @@ HandOffToDxeCore (
BuildPageTablesIa32Pae = ToBuildPageTable ();
if (BuildPageTablesIa32Pae) {
PageTables = Create4GPageTablesIa32Pae (BaseOfStack, STACK_SIZE);
- if (IsExecuteDisableBitAvailable ()) {
+ if (EnableNonExec ()) {
EnableExecuteDisableBit();
}
}
diff --git a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c
b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c
index 496e219913..73b0f67c6b 100644
--- a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c
+++ b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c
@@ -106,6 +106,31 @@ IsNullDetectionEnabled (
return ((PcdGet8 (PcdNullPointerDetectionPropertyMask) & BIT0) != 0);
}
+/**
+ Check if Execute Disable Bit (IA32_EFER.NXE) should be enabled or not.
+
+ @retval TRUE IA32_EFER.NXE should be enabled.
+ @retval FALSE IA32_EFER.NXE should not be enabled.
+
+**/
+BOOLEAN
+EnableNonExec (
+ VOID
+ )
+{
+ if (!IsExecuteDisableBitAvailable ()) {
+ return FALSE;
+ }
+
+ //
+ // XD flag (BIT63) in page table entry is only valid if
IA32_EFER.NXE is set.
+ // Features controlled by Following PCDs need this feature to be
enabled.
+ //
+ return (PcdGetBool (PcdSetNxForStack) ||
+ PcdGet64 (PcdDxeNxMemoryProtectionPolicy) != 0 ||
+ PcdGet32 (PcdImageProtectionPolicy) != 0);
+}
I am a little confused by this function name compared with
EnableExecuteDisableBit(). This function is not really to enable NX, but
just to check whether enable NX is needed or not. How about using name
IsEnableNonExecNeeded or IsEnableNxNeeded or IsDisableExecuteNeeded?
Sorry I did not raise this comment in V1 patch thread.
If you agree with the name changing, Reviewed-by: Star Zeng
.
Thanks,
Star
+
/**
Enable Execute Disable Bit.
@@ -755,7 +780,10 @@ CreateIdentityMappingPageTables (
//
EnablePageTableProtection ((UINTN)PageMap, TRUE);
- if (PcdGetBool (PcdSetNxForStack)) {
+ //
+ // Set IA32_EFER.NXE if necessary.
+ //
+ if (EnableNonExec ()) {
EnableExecuteDisableBit ();
}
diff --git a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h
b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h
index 85457ff937..09085312aa 100644
--- a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h
+++ b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h
@@ -179,6 +179,30 @@ typedef struct {
UINTN FreePages;
} PAGE_TABLE_POOL;
+/**
+ Check if Execute Disable Bit (IA32_EFER.NXE) should be enabled or not.
+
+ @re
Re: [edk2] [PATCH v2 2/2] MdeModulePkg/DxeIpl: support more NX related PCDs
Jian and Laszlo,
There is also a superficial comment at below.
On 2018/9/20 14:02, Jian J Wang wrote:
v2 changes:
a. remove macros no longer needed
b. remove DEBUG and ASSERT in ToEnableExecuteDisableFeature()
c. change ToEnableExecuteDisableFeature to EnableNonExec
BZ#1116: https://bugzilla.tianocore.org/show_bug.cgi?id=1116
Currently IA32_EFER.NXE is only set against PcdSetNxForStack. This
confuses developers because following two other PCDs also need NXE
to be set, but actually not.
PcdDxeNxMemoryProtectionPolicy
PcdImageProtectionPolicy
This patch solves this issue by adding logic to enable IA32_EFER.NXE
if any of those PCDs have anything enabled.
Cc: Star Zeng
Cc: Laszlo Ersek
Cc: Ard Biesheuvel
Cc: Ruiyu Ni
Cc: Jiewen Yao
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jian J Wang
---
MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf | 2 ++
MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c | 4 ++--
MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c | 30 +++-
MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h | 24 +++
4 files changed, 57 insertions(+), 3 deletions(-)
diff --git a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
index fd82657404..068e700074 100644
--- a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
+++ b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
@@ -117,6 +117,8 @@
[Pcd.IA32,Pcd.X64,Pcd.ARM,Pcd.AARCH64]
gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack ##
SOMETIMES_CONSUMES
+ gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy ##
SOMETIMES_CONSUMES
+ gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy ##
SOMETIMES_CONSUMES
[Depex]
gEfiPeiLoadFilePpiGuid AND gEfiPeiMasterBootModePpiGuid
diff --git a/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c
b/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c
index d28baa3615..ccd30f964b 100644
--- a/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c
+++ b/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c
@@ -245,7 +245,7 @@ ToBuildPageTable (
return TRUE;
}
- if (PcdGetBool (PcdSetNxForStack) && IsExecuteDisableBitAvailable ()) {
+ if (EnableNonExec ()) {
return TRUE;
}
@@ -436,7 +436,7 @@ HandOffToDxeCore (
BuildPageTablesIa32Pae = ToBuildPageTable ();
if (BuildPageTablesIa32Pae) {
PageTables = Create4GPageTablesIa32Pae (BaseOfStack, STACK_SIZE);
- if (IsExecuteDisableBitAvailable ()) {
+ if (EnableNonExec ()) {
EnableExecuteDisableBit();
}
}
diff --git a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c
b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c
index 496e219913..73b0f67c6b 100644
--- a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c
+++ b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c
@@ -106,6 +106,31 @@ IsNullDetectionEnabled (
return ((PcdGet8 (PcdNullPointerDetectionPropertyMask) & BIT0) != 0);
}
+/**
+ Check if Execute Disable Bit (IA32_EFER.NXE) should be enabled or not.
+
+ @retval TRUEIA32_EFER.NXE should be enabled.
+ @retval FALSE IA32_EFER.NXE should not be enabled.
+
+**/
+BOOLEAN
+EnableNonExec (
+ VOID
+ )
+{
+ if (!IsExecuteDisableBitAvailable ()) {
+return FALSE;
+ }
+
+ //
+ // XD flag (BIT63) in page table entry is only valid if IA32_EFER.NXE is set.
+ // Features controlled by Following PCDs need this feature to be enabled.
+ //
+ return (PcdGetBool (PcdSetNxForStack) ||
+ PcdGet64 (PcdDxeNxMemoryProtectionPolicy) != 0 ||
+ PcdGet32 (PcdImageProtectionPolicy) != 0);
+}
I am a little confused by this function name compared with
EnableExecuteDisableBit(). This function is not really to enable NX, but
just to check whether enable NX is needed or not. How about using name
IsEnableNonExecNeeded or IsEnableNxNeeded or IsDisableExecuteNeeded?
Sorry I did not raise this comment in V1 patch thread.
If you agree with the name changing, Reviewed-by: Star Zeng
.
Thanks,
Star
+
/**
Enable Execute Disable Bit.
@@ -755,7 +780,10 @@ CreateIdentityMappingPageTables (
//
EnablePageTableProtection ((UINTN)PageMap, TRUE);
- if (PcdGetBool (PcdSetNxForStack)) {
+ //
+ // Set IA32_EFER.NXE if necessary.
+ //
+ if (EnableNonExec ()) {
EnableExecuteDisableBit ();
}
diff --git a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h
index 85457ff937..09085312aa 100644
--- a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h
+++ b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h
@@ -179,6 +179,30 @@ typedef struct {
UINTN FreePages;
} PAGE_TABLE_POOL;
+/**
+ Check if Execute Disable Bit (IA32_EFER.NXE) should be enabled or not.
+
+ @retval TRUEIA32_EFER.NXE should be enabled.
+ @retval FALSE IA32_EFER.NXE should not be enabled.
+
+**/
+BOOLEAN
+EnableNonExec (
+ VOID
+ );
+
+/**
+ The function will check
[edk2] [PATCH v2 2/2] MdeModulePkg/DxeIpl: support more NX related PCDs
> v2 changes:
>a. remove macros no longer needed
>b. remove DEBUG and ASSERT in ToEnableExecuteDisableFeature()
>c. change ToEnableExecuteDisableFeature to EnableNonExec
BZ#1116: https://bugzilla.tianocore.org/show_bug.cgi?id=1116
Currently IA32_EFER.NXE is only set against PcdSetNxForStack. This
confuses developers because following two other PCDs also need NXE
to be set, but actually not.
PcdDxeNxMemoryProtectionPolicy
PcdImageProtectionPolicy
This patch solves this issue by adding logic to enable IA32_EFER.NXE
if any of those PCDs have anything enabled.
Cc: Star Zeng
Cc: Laszlo Ersek
Cc: Ard Biesheuvel
Cc: Ruiyu Ni
Cc: Jiewen Yao
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jian J Wang
---
MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf | 2 ++
MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c | 4 ++--
MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c | 30 +++-
MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h | 24 +++
4 files changed, 57 insertions(+), 3 deletions(-)
diff --git a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
index fd82657404..068e700074 100644
--- a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
+++ b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
@@ -117,6 +117,8 @@
[Pcd.IA32,Pcd.X64,Pcd.ARM,Pcd.AARCH64]
gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack ##
SOMETIMES_CONSUMES
+ gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy ##
SOMETIMES_CONSUMES
+ gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy ##
SOMETIMES_CONSUMES
[Depex]
gEfiPeiLoadFilePpiGuid AND gEfiPeiMasterBootModePpiGuid
diff --git a/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c
b/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c
index d28baa3615..ccd30f964b 100644
--- a/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c
+++ b/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c
@@ -245,7 +245,7 @@ ToBuildPageTable (
return TRUE;
}
- if (PcdGetBool (PcdSetNxForStack) && IsExecuteDisableBitAvailable ()) {
+ if (EnableNonExec ()) {
return TRUE;
}
@@ -436,7 +436,7 @@ HandOffToDxeCore (
BuildPageTablesIa32Pae = ToBuildPageTable ();
if (BuildPageTablesIa32Pae) {
PageTables = Create4GPageTablesIa32Pae (BaseOfStack, STACK_SIZE);
- if (IsExecuteDisableBitAvailable ()) {
+ if (EnableNonExec ()) {
EnableExecuteDisableBit();
}
}
diff --git a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c
b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c
index 496e219913..73b0f67c6b 100644
--- a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c
+++ b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c
@@ -106,6 +106,31 @@ IsNullDetectionEnabled (
return ((PcdGet8 (PcdNullPointerDetectionPropertyMask) & BIT0) != 0);
}
+/**
+ Check if Execute Disable Bit (IA32_EFER.NXE) should be enabled or not.
+
+ @retval TRUEIA32_EFER.NXE should be enabled.
+ @retval FALSE IA32_EFER.NXE should not be enabled.
+
+**/
+BOOLEAN
+EnableNonExec (
+ VOID
+ )
+{
+ if (!IsExecuteDisableBitAvailable ()) {
+return FALSE;
+ }
+
+ //
+ // XD flag (BIT63) in page table entry is only valid if IA32_EFER.NXE is set.
+ // Features controlled by Following PCDs need this feature to be enabled.
+ //
+ return (PcdGetBool (PcdSetNxForStack) ||
+ PcdGet64 (PcdDxeNxMemoryProtectionPolicy) != 0 ||
+ PcdGet32 (PcdImageProtectionPolicy) != 0);
+}
+
/**
Enable Execute Disable Bit.
@@ -755,7 +780,10 @@ CreateIdentityMappingPageTables (
//
EnablePageTableProtection ((UINTN)PageMap, TRUE);
- if (PcdGetBool (PcdSetNxForStack)) {
+ //
+ // Set IA32_EFER.NXE if necessary.
+ //
+ if (EnableNonExec ()) {
EnableExecuteDisableBit ();
}
diff --git a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h
b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h
index 85457ff937..09085312aa 100644
--- a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h
+++ b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h
@@ -179,6 +179,30 @@ typedef struct {
UINTN FreePages;
} PAGE_TABLE_POOL;
+/**
+ Check if Execute Disable Bit (IA32_EFER.NXE) should be enabled or not.
+
+ @retval TRUEIA32_EFER.NXE should be enabled.
+ @retval FALSE IA32_EFER.NXE should not be enabled.
+
+**/
+BOOLEAN
+EnableNonExec (
+ VOID
+ );
+
+/**
+ The function will check if Execute Disable Bit is available.
+
+ @retval TRUE Execute Disable Bit is available.
+ @retval FALSE Execute Disable Bit is not available.
+
+**/
+BOOLEAN
+IsExecuteDisableBitAvailable (
+ VOID
+ );
+
/**
Enable Execute Disable Bit.
--
2.16.2.windows.1
___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
