This sets the recently introduced PCD PcdDxeNxMemoryProtectionPolicy to
a value that protects all memory regions except code regions against
inadvertent execution.
Note that this does not [yet] protect EfiLoaderData regions, due to
compatibility issues with shim and GRUB.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
#\r
gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3\r
\r
+ #\r
+ # Enable NX memory protection for all non-code regions, including OEM and OS\r
+ # reserved ones, with the exception of LoaderData regions, of which OS loaders\r
+ # (i.e., GRUB) may assume that its contents are executable.\r
+ #\r
+ gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD1\r
+\r
[Components.common]\r
#\r
# Networking stack\r
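Review bot: the comment above the new PCD does not decode the magic value 0xC000000000007FD1, so a reader cannot verify the "all non-code regions except LoaderData" claim without consulting the PCD's definition; since this PCD is a bitmask indexed by EFI memory type, the comment should spell out which bits are deliberately clear (bits 1, 2, 3 and 5, i.e. EfiLoaderCode, EfiLoaderData, EfiBootServicesCode and EfiRuntimeServicesCode) and that bits 62 and 63 cover the OEM- and OS-reserved ranges. The sentence "of which OS loaders (i.e., GRUB) may assume that its contents are executable" also needs rewording: "whose contents OS loaders (e.g., GRUB) may assume to be executable", and it is worth naming shim alongside GRUB as the commit message does, so the compatibility reason for leaving EfiLoaderData unprotected is recorded where the policy value lives.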