"For the DxeIpl and the DxeCore are both X64, set NX for stack feature also require PcdDxeIplBuildPageTables be TRUE.<BR>"\r
"For the DxeIpl and the DxeCore are both IA32 (PcdDxeIplSwitchToLongMode is FALSE), set NX for stack feature also require"\r
"IA32 PAE is supported and Execute Disable Bit is available.<BR>"\r
- "TRUE - to set NX for stack.<BR>"\r
- "FALSE - Not to set NX for stack.<BR>"\r
+ "TRUE - Set NX for stack.<BR>"\r
+ "FALSE - Do nothing for stack.<BR>"\r
+ "Note: If this PCD is set to FALSE, NX could be still applied to stack due to PcdDxeNxMemoryProtectionPolicy enabled for EfiBootServicesData.<BR>"\r
\r
#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiS3Enable_PROMPT #language en-US "ACPI S3 Enable"\r
\r
#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdImageProtectionPolicy_HELP #language en-US "Set image protection policy. The policy is bitwise.\n"\r
"If a bit is set, the image will be protected by DxeCore if it is aligned.\n"\r
"The code section becomes read-only, and the data section becomes non-executable.\n"\r
- "If a bit is clear, the image will not be protected.<BR><BR>\n"\r
+ "If a bit is clear, nothing will be done to image code/data sections.<BR><BR>\n"\r
"BIT0 - Image from unknown device. <BR>\n"\r
"BIT1 - Image from firmware volume.<BR>"\r
+ "Note: If a bit is cleared, the data section could be still non-executable if\n"\r
+ "PcdDxeNxMemoryProtectionPolicy is enabled for EfiLoaderData, EfiBootServicesData\n"\r
+ "and/or EfiRuntimeServicesData.<BR>"\r
\r
#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdDxeNxMemoryProtectionPolicy_PROMPT #language en-US "Set DXE memory protection policy."\r
\r
#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdDxeNxMemoryProtectionPolicy_HELP #language en-US "Set DXE memory protection policy. The policy is bitwise.\n"\r
"If a bit is set, memory regions of the associated type will be mapped\n"\r
- "non-executable.<BR><BR>\n"\r
+ "non-executable.<BR>\n"\r
+ "If a bit is cleared, nothing will be done to associated type of memory.<BR><BR>\n"\r
"\n"\r
"Below is bit mask for this PCD: (Order is same as UEFI spec)<BR>\n"\r
"EfiReservedMemoryType 0x0001<BR>\n"\r
" before and after corresponding type of pages allocated if there's enough\n"\r
" free pages for all of them. The page allocation for the type related to\n"\r
" cleared bits keeps the same as ususal.\n\n"\r
+ " This PCD is only valid if BIT0 and/or BIT2 are set in PcdHeapGuardPropertyMask.\n\n"\r
" Below is bit mask for this PCD: (Order is same as UEFI spec)<BR>\n"\r
" EfiReservedMemoryType 0x0000000000000001\n"\r
" EfiLoaderCode 0x0000000000000002\n"\r
" before and after corresponding type of pages which the allocated pool occupies,\n"\r
" if there's enough free memory for all of them. The pool allocation for the\n"\r
" type related to cleared bits keeps the same as ususal.\n\n"\r
+ " This PCD is only valid if BIT1 and/or BIT3 are set in PcdHeapGuardPropertyMask.\n\n"\r
" Below is bit mask for this PCD: (Order is same as UEFI spec)<BR>\n"\r
" EfiReservedMemoryType 0x0000000000000001\n"\r
" EfiLoaderCode 0x0000000000000002\n"\r
#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdHeapGuardPropertyMask_PROMPT #language en-US "The Heap Guard feature mask"\r
\r
#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdHeapGuardPropertyMask_HELP #language en-US "This mask is to control Heap Guard behavior.\n"\r
- "Note that due to the limit of pool memory implementation and the alignment\n"\r
- "requirement of UEFI spec, BIT7 is a try-best setting which cannot guarantee\n"\r
- "that the returned pool is exactly adjacent to head guard page or tail guard\n"\r
- "page.\n"\r
+ " Note:\n"\r
+ " a) Heap Guard is for debug purpose and should not be enabled in product"\r
+ " BIOS.\n"\r
+ " b) Due to the limit of pool memory implementation and the alignment"\r
+ " requirement of UEFI spec, BIT7 is a try-best setting which cannot"\r
+ " guarantee that the returned pool is exactly adjacent to head guard"\r
+ " page or tail guard page.\n"\r
+ " c) UEFI freed-memory guard and UEFI pool/page guard cannot be enabled"\r
+ " at the same time.\n"\r
" BIT0 - Enable UEFI page guard.<BR>\n"\r
" BIT1 - Enable UEFI pool guard.<BR>\n"\r
" BIT2 - Enable SMM page guard.<BR>\n"\r
" BIT3 - Enable SMM pool guard.<BR>\n"\r
+ " BIT4 - Enable UEFI freed-memory guard (Use-After-Free memory detection).<BR>\n"\r
" BIT7 - The direction of Guard Page for Pool Guard.\n"\r
" 0 - The returned pool is near the tail guard page.<BR>\n"\r
" 1 - The returned pool is near the head guard page.<BR>"\r