[edk2-devel] [PATCH v3 03/16] ArmVirtPkg: make EFI_LOADER_DATA non-executable
Gerd Hoffmann
kraxel at redhat.com
Fri Jan 6 08:44:33 UTC 2023
Hi,
> Hopefully sometime in the next few weeks we can prepare a comprehensive set
> of patches and changes needed in edk2 to implement this strict environment.
> One of the relevant changes to this discussion and patch series is we
> switched the configuration from PCD to hob
> (mu_basecore/DxeMemoryProtectionSettings.h at release/202208 ·
> microsoft/mu_basecore (github.com) <https://github.com/microsoft/mu_basecore/blob/release/202208/MdeModulePkg/Include/Guid/DxeMemoryProtectionSettings.h>).
> This allows our platforms complete control of the config per boot.
Why a HOB? I guess because dynamic PCDs are available too late in the
boot process?
> Some platforms have compatibility requirements and have implemented
> code so that when a PF is triggered by incompatible software, it is
> recorded and then the system rebooted. On the next boot the platform
> changes the HOB configuration to be in a more compatible mode (this
> mode could be measured in a PCR and/or other hints to the user/system
> of degraded security).
Where is the configuration stored?
> Anyway, rather than a patchwork of changes going into different platforms
> and components of edk2 I would like to see alignment between x86/arm64 in
> edk2 and a complete set of changes for edk2.
Sure, it totally makes sense to have that as core edk2 feature instead
of adding this to each platform individually.
Looking forward to see the patches.
take care,
Gerd
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#98079): https://edk2.groups.io/g/devel/message/98079
Mute This Topic: https://groups.io/mt/93922691/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
More information about the edk2-devel-archive
mailing list