From Fedora Project Wiki

Revision as of 13:06, 13 January 2025



Improve edk2 security

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

Turn on a few security-related build time options to improve edk2 security.

Owner

Current status

  • Targeted release: Fedora Linux 42
  • Last updated: 2025-01-13
  • [<link to devel-announce post will be added by Wrangler> Announced]
  • [<will be assigned by the Wrangler> Discussion thread]
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

Turn on strict NX checking:

   PcdDxeNxMemoryProtectionPolicy = 0xC000000000007FD5
   PcdSetNxForStack               = TRUE
   PcdImageProtectionPolicy       = 0x03

Unmap zero page:

   PcdNullPointerDetectionPropertyMask = 0x03

A detailed description of these PCDs (edk2 build-time configuration options) is in MdeModulePkg.dec: https://github.com/tianocore/edk2/blob/master/MdeModulePkg/MdeModulePkg.dec
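As an added illustration (not code from this proposal or from edk2), the following C program decodes the bit layout of PcdDxeNxMemoryProtectionPolicy as documented in MdeModulePkg.dec and checks the two constraints that file states: the three code memory types must not be marked NX, and EfiBootServicesData and EfiConventionalMemory must get the same setting. The memory-type order is the UEFI spec EFI_MEMORY_TYPE enumeration; the names CheckNxPolicy, CountNxTypes, PrintNxPolicy and the NX_ERR_* flags are this example's own, and the second value printed in main() is a constructed bad policy, not anything proposed for Fedora.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* EFI_MEMORY_TYPE in UEFI spec order; bit N of the policy refers to type N. */
enum EfiMemoryType {
    EfiReservedMemoryType = 0,
    EfiLoaderCode,
    EfiLoaderData,
    EfiBootServicesCode,
    EfiBootServicesData,
    EfiRuntimeServicesCode,
    EfiRuntimeServicesData,
    EfiConventionalMemory,
    EfiUnusableMemory,
    EfiACPIReclaimMemory,
    EfiACPIMemoryNVS,
    EfiMemoryMappedIO,
    EfiMemoryMappedIOPortSpace,
    EfiPalCode,
    EfiPersistentMemory,
    EfiMaxMemoryType
};

static const char *const MemTypeName[EfiMaxMemoryType] = {
    "EfiReservedMemoryType", "EfiLoaderCode", "EfiLoaderData",
    "EfiBootServicesCode", "EfiBootServicesData", "EfiRuntimeServicesCode",
    "EfiRuntimeServicesData", "EfiConventionalMemory", "EfiUnusableMemory",
    "EfiACPIReclaimMemory", "EfiACPIMemoryNVS", "EfiMemoryMappedIO",
    "EfiMemoryMappedIOPortSpace", "EfiPalCode", "EfiPersistentMemory",
};

/* The two high bits are documented in MdeModulePkg.dec as OEM/OS reserved types. */
#define NX_OEM_RESERVED (1ULL << 62)
#define NX_OS_RESERVED  (1ULL << 63)
#define NX_DEFINED_BITS (((1ULL << EfiMaxMemoryType) - 1) | NX_OEM_RESERVED | NX_OS_RESERVED)

/* Violation flags returned by CheckNxPolicy() (names are this example's own). */
#define NX_ERR_CODE_IS_NX      1 /* a code type would be mapped non-executable */
#define NX_ERR_BSDATA_MISMATCH 2 /* BootServicesData and ConventionalMemory disagree */
#define NX_ERR_UNDEFINED_BITS  4 /* bits outside the documented layout are set */

static bool IsNx(uint64_t policy, unsigned type) { return (policy >> type) & 1ULL; }

/* Check the constraints MdeModulePkg.dec states for this PCD; 0 means the value is acceptable. */
int CheckNxPolicy(uint64_t policy)
{
    int problems = 0;

    /* Code regions must stay executable, otherwise nothing DXE loads could run. */
    if (IsNx(policy, EfiLoaderCode) || IsNx(policy, EfiBootServicesCode) ||
        IsNx(policy, EfiRuntimeServicesCode))
        problems |= NX_ERR_CODE_IS_NX;

    /* Free memory turns into BootServicesData on allocation, so the two must agree. */
    if (IsNx(policy, EfiBootServicesData) != IsNx(policy, EfiConventionalMemory))
        problems |= NX_ERR_BSDATA_MISMATCH;

    if (policy & ~NX_DEFINED_BITS)
        problems |= NX_ERR_UNDEFINED_BITS;

    return problems;
}

/* Number of the 15 spec memory types the policy maps non-executable. */
int CountNxTypes(uint64_t policy)
{
    int n = 0;
    for (unsigned t = 0; t < EfiMaxMemoryType; t++)
        n += IsNx(policy, t);
    return n;
}

void PrintNxPolicy(uint64_t policy)
{
    int problems = CheckNxPolicy(policy);
    printf("PcdDxeNxMemoryProtectionPolicy = 0x%016llX\n", (unsigned long long)policy);
    for (unsigned t = 0; t < EfiMaxMemoryType; t++)
        printf("  %-28s %s\n", MemTypeName[t], IsNx(policy, t) ? "NX" : "executable");
    printf("  %-28s %s\n", "OEM reserved types", (policy & NX_OEM_RESERVED) ? "NX" : "executable");
    printf("  %-28s %s\n", "OS reserved types", (policy & NX_OS_RESERVED) ? "NX" : "executable");
    printf("  check: %s (flags 0x%x)\n", problems ? "VIOLATION" : "ok", problems);
}

int main(void)
{
    /* Value from this proposal: every type NX except the three code types. */
    PrintNxPolicy(0xC000000000007FD5ULL);
    /* Constructed bad value: additionally marks EfiLoaderCode NX, which would break every boot loader. */
    PrintNxPolicy(0xC000000000007FD7ULL);
    return 0;
}
```

Running it shows that 0x7FD5 in the low bits clears exactly bits 1, 3 and 5 (EfiLoaderCode, EfiBootServicesCode, EfiRuntimeServicesCode) and that the 0xC000... prefix extends NX to the OEM and OS reserved types; the proposed value passes both constraints from the .dec, while the constructed 0x7FD7 variant fails the code-type check.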

This partly enforces the NX requirements for Secure Boot binaries that have been in place since 2022, see https://techcommunity.microsoft.com/blog/hardwaredevcenter/updated-uefi-signing-requirements/1062916

Unmapping the zero page also catches NULL pointer dereferences: an access to the first page faults instead of silently reading or writing memory.

The big Linux NX mess (https://www.kraxel.org/blog/2023/12/uefi-nx-linux-boot/) was finally sorted out roughly one year ago, so Linux kernels and boot loaders released in 2024 should work without problems with the new firmware builds. Given we had security updates due to a bug in shim versions older than 15.8, all Linux distros which are still supported should provide

The changes will be applied to the edk2 builds which have Secure Boot support turned on.

Feedback

Benefit to Fedora

Scope

  • Proposal owners:
  • Other developers:
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with the Fedora Strategy:

Upgrade/compatibility impact

Early Testing (Optional)

Do you require 'QA Blueprint' support? Y/N

How To Test

User Experience

Dependencies

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No


Documentation

N/A (not a System Wide Change)

Release Notes