Describe the compatibility challenges that must be overcome to enable memory protections.
This might include adding/removing certain configuration settings (#4498), adding a new configuration profile (#4497), adjusting the default settings (#4496), and so on.
Option ROMs (OPROMs)
OPROMs may not be compatible with memory protections. Many OPROM images are not built with page-aligned sections, for example.
The NX_COMPAT PE/COFF flag can be used to designate compatibility. Presence of the flag indicates that the EFI image expects code buffers to be allocated RW- and the Memory Attribute Protocol will be used to update code buffer attributes to R-X. This is only proposed as a temporary compatibility option that should be revoked in the future (tracked in tianocore/projects#13).
For now, it is proposed that if an image of subsystem type EFI_APPLICATION is loaded without the flag, code memory types will be allocated as RWX for the remainder of boot.
Note that the Windows bootloader was updated to be built as NX_COMPAT.
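As an added example (not part of the original issue or of the EDK II code base), the following Python sketch reads the PE/COFF header fields discussed above: the NX_COMPAT bit in DllCharacteristics, whether SectionAlignment is a multiple of the 4 KiB page size, and whether the image would fall into the proposed RWX fallback. The function names and the header-only sample image are constructed for illustration; the offsets and constant values are those of the PE/COFF format.

```python
import struct

EFI_PAGE_SIZE = 0x1000                       # UEFI page granularity (4 KiB)
IMAGE_SUBSYSTEM_EFI_APPLICATION = 10         # PE/COFF Subsystem value
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100  # PE/COFF DllCharacteristics bit


def assess_image(data: bytes) -> dict:
    """Read the PE/COFF fields that decide memory-protection compatibility."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE/COFF image (no MZ header)")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = pe_off + 24                  # optional header follows the COFF header
    if len(data) < opt + 72:
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                        # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # The offsets below are identical in PE32 and PE32+.
    (section_alignment,) = struct.unpack_from("<I", data, opt + 32)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    nx_compat = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    return {
        "nx_compat": nx_compat,
        "page_aligned": section_alignment != 0
        and section_alignment % EFI_PAGE_SIZE == 0,
        # Proposal above: EFI_APPLICATION without the flag gets RWX code memory.
        # The text states no fallback for other subsystem types.
        "rwx_fallback": subsystem == IMAGE_SUBSYSTEM_EFI_APPLICATION
        and not nx_compat,
    }


def make_sample(subsystem: int, dll_chars: int, section_alignment: int) -> bytes:
    """Constructed header-only PE32+ image used as sample input."""
    img = bytearray(0x40 + 24 + 72)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 24
    struct.pack_into("<H", img, opt, 0x20B)
    struct.pack_into("<I", img, opt + 32, section_alignment)
    struct.pack_into("<HH", img, opt + 68, subsystem, dll_chars)
    return bytes(img)


if __name__ == "__main__":
    print(assess_image(make_sample(10, 0x0000, 0x200)))
```
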