[Req]: Properly Install EFI_MEMORY_ATTRIBUTE_PROTOCOL when NX support is enabled.

[TBOpen]

VirtualBoxAudit.txt

Component

CPU NX Support

What problem are you facing?

I need to test NX support and be nice under VirtualBox. However, even though I enabled PAE/NX support the EFI_MEMORY_ATTRIBUTE_PROTOCOL was not available within my EFI application that supports NX.

How can we fix this?

Properly build in full NX support. AI says (so you need to check it) to use the following in your platform .dsc:

[PcdsFixedAtBuild]

NX / Memory Protection

gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD5
gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x03
gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|TRUE

Extra hardening

gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard|TRUE

What alternatives or workarounds exist?

use a machine that support NX.

Anything else we should know?

I added the results of a couple of the the mu_plus audit tools to perhaps help. If you need the two .efi audit tools I built, I can send it (just ask), it wasn't easy to build since I built using EDK2 not the mu_base - also they have a bunch of NULL libs so to get output had to go find and adjust them.

[AlexanderEichner]

This is done deliberately in 2fca0b6 because there are Linux guests with a buggy grub out there causing issues later on.

[TBOpen]

Wouldn't it be better to just have users disable NX support on the VM if they want to run a buggy GRUB (they would have the same problem on a real machine).

[AlexanderEichner]

Sure, but that needs the appropriate infrastructure on the host and UEFI side for which we don't just have the engineering capacity right now.

[TBOpen]

wouldn't you just enable it again in the EDK modules build and tie in something like a Pcd to indicate if should be enabled or not?