Life cycle of the protection

The UEFI image protection starts when the CpuArch protocol is ready. The UEFI runtime image protection is torn down at ExitBootServices(), because runtime image code relocation needs to write to the code segment at SetVirtualAddressMap(). We cannot assume the OS/loader has taken over the page tables at that time.

The UEFI heap protection also starts when the CpuArch protocol is ready.

The UEFI stack protection starts in DxeIpl, because the stack region is fixed and the protection can be set directly.

The UEFI firmware does not own the page tables after ExitBootServices(), so the OS would have to relax protection of runtime code pages across SetVirtualAddressMap(), or delay setting protections on runtime code pages until after SetVirtualAddressMap(). The OS may later set protection on runtime memory based upon the EFI_MEMORY_ATTRIBUTES_TABLE.
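The following is an added example, not code from the original page or from any firmware or OS project: a sketch of how an OS could walk the EFI_MEMORY_ATTRIBUTES_TABLE after SetVirtualAddressMap() to decide which runtime pages to map read-only or non-executable. The names `mat_summarize`, `mat_summary` and `mat_sample` are hypothetical, and the sample table is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Layouts and attribute bits as defined in the UEFI specification. */
#define EFI_MEMORY_XP 0x0000000000004000ULL
#define EFI_MEMORY_RO 0x0000000000020000ULL
enum { EfiRuntimeServicesCode = 5, EfiRuntimeServicesData = 6 };

typedef struct {
    uint32_t Type, Pad;
    uint64_t PhysicalStart, VirtualStart, NumberOfPages, Attribute;
} EFI_MEMORY_DESCRIPTOR;
typedef struct { uint32_t Version, NumberOfEntries, DescriptorSize, Reserved; }
    EFI_MEMORY_ATTRIBUTES_TABLE;
/* Hypothetical OS-side summary: pages per protection class. */
typedef struct { uint64_t ro_pages, xp_pages, unprotected_pages; } mat_summary;

/* Walk the table; returns 0 on success, -1 if it is malformed. */
int mat_summarize(const uint8_t *buf, size_t len, mat_summary *out) {
    EFI_MEMORY_ATTRIBUTES_TABLE hdr;
    memset(out, 0, sizeof *out);
    if (len < sizeof hdr) return -1;
    memcpy(&hdr, buf, sizeof hdr);
    /* Entries sit DescriptorSize apart, which may exceed the struct size. */
    if (hdr.DescriptorSize < sizeof(EFI_MEMORY_DESCRIPTOR)) return -1;
    if (hdr.NumberOfEntries > (len - sizeof hdr) / hdr.DescriptorSize) return -1;
    for (uint32_t i = 0; i < hdr.NumberOfEntries; i++) {
        EFI_MEMORY_DESCRIPTOR d;
        memcpy(&d, buf + sizeof hdr + (size_t)i * hdr.DescriptorSize, sizeof d);
        /* Only runtime code and data regions belong in this table. */
        if (d.Type != EfiRuntimeServicesCode && d.Type != EfiRuntimeServicesData) return -1;
        if (d.Attribute & EFI_MEMORY_RO)      out->ro_pages += d.NumberOfPages;
        else if (d.Attribute & EFI_MEMORY_XP) out->xp_pages += d.NumberOfPages;
        else out->unprotected_pages += d.NumberOfPages; /* writable and executable */
    }
    return 0;
}

/* Constructed sample: three entries with a 48-byte stride. Returns its size. */
size_t mat_sample(uint8_t *buf) {
    EFI_MEMORY_ATTRIBUTES_TABLE hdr = { 1, 3, 48, 0 };
    EFI_MEMORY_DESCRIPTOR d[3] = {
        { EfiRuntimeServicesCode, 0, 0x7f000000, 0, 4, EFI_MEMORY_RO },
        { EfiRuntimeServicesData, 0, 0x7f004000, 0, 8, EFI_MEMORY_XP },
        { EfiRuntimeServicesCode, 0, 0x7f00c000, 0, 2, 0 } };
    memset(buf, 0, 16 + 3 * 48);
    memcpy(buf, &hdr, sizeof hdr);
    for (int i = 0; i < 3; i++) memcpy(buf + 16 + i * 48, &d[i], sizeof d[i]);
    return 16 + 3 * 48;
}
```

A non-zero `unprotected_pages` count marks runtime regions for which the firmware supplied neither attribute, so the OS has nothing to enforce on them.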
