Call for action
To support UEFI memory protection, the firmware needs to configure UEFI drivers to be page aligned:
- Override link flags below to support UEFI runtime attribute table, so that the OS can protect the runtime memory.
    [BuildOptions.IA32.EDKII.DXE_RUNTIME_DRIVER, BuildOptions.X64.EDKII.DXE_RUNTIME_DRIVER]
      MSFT:*_*_*_DLINK_FLAGS = /ALIGN:4096
      GCC:*_*_*_DLINK_FLAGS = -z common-page-size=0x1000
- Override link flags below to support UEFI memory protection.
    [BuildOptions.common.EDKII.DXE_DRIVER, BuildOptions.common.EDKII.DXE_CORE, BuildOptions.common.EDKII.UEFI_DRIVER, BuildOptions.common.EDKII.UEFI_APPLICATION]
      MSFT:*_*_*_DLINK_FLAGS = /ALIGN:4096
      GCC:*_*_*_DLINK_FLAGS = -z common-page-size=0x1000
- Evaluate if the UEFI memory size is big enough to hold the split page table.
- Evaluate if the DXE image can be protected.
- Set a proper value for gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy.
- Set a proper value for gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy.
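One way to check that the link-flag overrides above took effect on a built image, as an added example (not EDK II code): it reads SectionAlignment and the section RVAs from a PE/COFF header and reports whether they are multiples of 4 KiB. The function names and the sample headers are assumptions constructed for illustration.

```python
import struct

PAGE = 0x1000  # 4 KiB, the value requested by /ALIGN:4096 and common-page-size=0x1000

def pe_alignment_report(image: bytes) -> dict:
    """Report SectionAlignment and any section whose RVA is not page aligned."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE/COFF image (no MZ header)")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)      # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (num_sections,) = struct.unpack_from("<H", image, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)
    opt = pe_off + 24                                      # optional header start
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):                        # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # SectionAlignment sits at offset 32 in both PE32 and PE32+ optional headers.
    (section_alignment,) = struct.unpack_from("<I", image, opt + 32)
    misaligned = []
    for i in range(num_sections):
        entry = opt + opt_size + 40 * i                    # 40-byte section headers
        name = image[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        (rva,) = struct.unpack_from("<I", image, entry + 12)
        if rva % PAGE:
            misaligned.append((name, rva))
    return {
        "section_alignment": section_alignment,
        "page_aligned": section_alignment > 0 and section_alignment % PAGE == 0 and not misaligned,
        "misaligned_sections": misaligned,
    }

def build_sample(section_alignment: int, rvas: list) -> bytes:
    """Constructed minimal PE32+ headers (no section data), for demonstration only."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<II", opt, 32, section_alignment, 0x200)
    coff = struct.pack("<HHIIIHH", 0x8664, len(rvas), 0, 0, 0, len(opt), 0x0022)
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", b".sec%d" % i, 0x100, rva, 0, 0, 0, 0, 0, 0, 0)
        for i, rva in enumerate(rvas))
    return dos + b"PE\0\0" + coff + bytes(opt) + secs

if __name__ == "__main__":
    for label, img in (("4K", build_sample(0x1000, [0x1000, 0x2000])),
                       ("0x20", build_sample(0x20, [0x240, 0x1000]))):
        print(label, pe_alignment_report(img))
```

To check a real build output, pass the bytes of the .efi file to `pe_alignment_report` instead of the constructed samples.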
Summary
This section introduces the memory protection in UEFI.