@@ -273,6 +273,9 @@ DEFINE DO_KCS = 1
[BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER]
GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x10000
+[BuildOptions.common.EDKII.DXE_DRIVER,BuildOptions.common.EDKII.UEFI_DRIVER,BuildOptions.common.EDKII.UEFI_APPLICATION]
+ GCC:*_*_AARCH64_DLINK_FLAGS = -z common-page-size=0x1000
+
################################################################################
#
# Pcd Section - list of all EDK II PCD Entries defined by this Platform
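Review bot: The new BuildOptions section for DXE_DRIVER/UEFI_DRIVER/UEFI_APPLICATION carries no comment saying why its page size (0x1000) differs from the 0x10000 kept for DXE_RUNTIME_DRIVER directly above it, and the fact that this alignment is what makes PcdImageProtectionPolicy apply is only recorded in the PCD section further down the file. Suggest a comment above the new section, e.g. `# 4 KB section alignment is required for PcdImageProtectionPolicy to take effect on these images; DXE_RUNTIME_DRIVER keeps 0x10000 deliberately`, stating the reason the runtime driver value is left alone (presumably the 64 KB runtime granularity, worth confirming). Module types not listed here, and any prebuilt .efi binaries placed in the FV rather than built from this DSC, keep their existing alignment and, per the comment added in the PCD hunk, silently fall outside image protection; it would be worth confirming whether this platform ships any such modules.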
@@ -440,6 +443,18 @@ DEFINE DO_KCS = 1
## ACPI (no tables < 4GB)
gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiExposedTableVersions|0x20
+ #
+ # Enable strict image permissions for all images. (This applies
+ # only to images that were built with >= 4 KB section alignment.)
+ #
+ gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x3
+
+ #
+ # Enable NX memory protection for all non-code regions, including OEM and OS
+ # reserved ones.
+ #
+ gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD5
+
!if $(DO_PSCI)
gAmdStyxTokenSpaceGuid.PcdPsciOsSupport|TRUE
!else
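Review bot: The two PCD values are set without documenting their bit encoding, so a later maintainer cannot tell from the file what 0x3 or 0xC000000000007FD5 enable or which memory types are deliberately left executable. Suggest extending the comments, for PcdImageProtectionPolicy `# BIT0: images from unknown devices, BIT1: images loaded from firmware volumes`, and for PcdDxeNxMemoryProtectionPolicy `# one bit per EFI memory type: all set except LoaderCode (BIT1), BootServicesCode (BIT3) and RuntimeServicesCode (BIT5); BIT62/BIT63 cover the OS- and OEM-reserved types`. Note that EfiLoaderCode remains writable and executable under this mask, so the W^X separation described in the commit message does not extend to OS loaders themselves. Any driver or loader on this platform that executes from BootServicesData or LoaderData allocations will now fault; if such a case exists it should be called out in the commit message. The `!if $(DO_PSCI)` block at the end of the hunk continues past it.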
Implement a strict separation between writable and executable memory, by enabling the new core features that - map PE/COFF code and data sections with either executable or writable permissions, but never both; - map all other regions with the XN attributes set. Note that the former requires 4 KB section alignment, which is not the default when using the tiny code model, so set the section alignment explicitly both for DEBUG and RELEASE builds. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> --- Platforms/AMD/Styx/OverdriveBoard/OverdriveBoard.dsc | 15 +++++++++++++++ 1 file changed, 15 insertions(+)