- if (EFI_ERROR (Status)) {\r
- DEBUG ((EFI_D_ERROR,\r
- "%a: Failed to add System RAM @ 0x%lx - 0x%lx (%r)\n",\r
- __FUNCTION__, CurBase, CurBase + CurSize - 1, Status));\r
- continue;\r
- }\r
+ //\r
+ // Due to the ambiguous nature of the RO/XP GCD memory space attributes,\r
+ // it is impossible to add a memory space with the XP attribute in a way\r
+ // that does not result in the XP attribute being set on *all* UEFI\r
+ // memory map entries that are carved from it, including code regions\r
+ // that require executable permissions.\r
+ //\r
+ // So instead, we never set the RO/XP attributes in the GCD memory space\r
+ // capabilities or attribute fields, and apply any protections directly\r
+ // on the page table mappings by going through the cpu arch protocol.\r
+ //\r
+ Attributes = EFI_MEMORY_WB;\r
+ if ((PcdGet64 (PcdDxeNxMemoryProtectionPolicy) &\r
+ (1U << (UINT32)EfiConventionalMemory)) != 0) {\r
+ Attributes |= EFI_MEMORY_XP;\r
+ }\r