git.proxmox.com Git - mirror_edk2.git/commitdiff
ArmVirtPkg AARCH64: enable NX memory protection for all platforms
author Ard Biesheuvel <ard.biesheuvel@linaro.org>
Mon, 27 Feb 2017 14:10:59 +0000 (14:10 +0000)
committer Ard Biesheuvel <ard.biesheuvel@linaro.org>
Wed, 1 Mar 2017 18:35:40 +0000 (18:35 +0000)
This sets the recently introduced PCD PcdDxeNxMemoryProtectionPolicy to
a value that protects all memory regions except code regions against
inadvertent execution.

Note that this does not [yet] protect EfiLoaderData regions, due to
compatibility issues with shim and GRUB.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
ArmVirtPkg/ArmVirt.dsc.inc

index 2b0a44e14d24dd120b435c02728f6067094bc0d5..a91b27f13cf274f6a69f4858948cc215eccd5836 100644 (file)
   #\r
   gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3\r
 \r
+  #\r
+  # Enable NX memory protection for all non-code regions, including OEM and OS\r
+  # reserved ones, with the exception of LoaderData regions, of which OS loaders\r
+  # (i.e., GRUB) may assume that its contents are executable.\r
+  #\r
+  gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD1\r
+\r
 [Components.common]\r
   #\r
   # Networking stack\r
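Review bot: The new comment block does not explain how the literal 0xC000000000007FD1 encodes the policy it describes, so a reader cannot check that the cleared bits are exactly the code regions plus LoaderData that the comment and the commit message promise; suggest listing in the comment which memory types the cleared bits (and the two top bits) correspond to, so a later change to the mask can be reviewed against that list. Two wording points in the same comment: "(i.e., GRUB)" should be "(e.g., GRUB)", since the commit message names shim as well as GRUB, and "of which OS loaders ... may assume that its contents are executable" should read "whose contents OS loaders ... may assume to be executable". It would also help to carry the commit message's "[yet]" into the comment, marking the LoaderData exemption as a compatibility workaround to be revisited rather than a permanent policy.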