From 2f8b51d6af6fd2eda2516030f1713dac171e0896 Mon Sep 17 00:00:00 2001
From: Ard Biesheuvel <ardb@kernel.org>
Date: Mon, 26 Jun 2023 10:30:16 +0200
Subject: ArmPkg/OpteeLib: Map shared communication buffer non-executable

The OP-TEE secure OS exposes a non-secure memory region for
communication between the secure OS itself and any clients in the
non-secure firmware. This memory is writable by non-secure and is not
used for code only data, and so it should be mapped non-executable.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>
---
 ArmPkg/Library/OpteeLib/Optee.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'ArmPkg')

diff --git a/ArmPkg/Library/OpteeLib/Optee.c b/ArmPkg/Library/OpteeLib/Optee.c
index 46464f1..3acf172 100644
--- a/ArmPkg/Library/OpteeLib/Optee.c
+++ b/ArmPkg/Library/OpteeLib/Optee.c
@@ -86,7 +86,12 @@ OpteeSharedMemoryRemap (
     return EFI_BUFFER_TOO_SMALL;
   }
 
-  Status = ArmSetMemoryAttributes (PhysicalAddress, Size, EFI_MEMORY_WB, 0);
+  Status = ArmSetMemoryAttributes (
+             PhysicalAddress,
+             Size,
+             EFI_MEMORY_WB | EFI_MEMORY_XP,
+             0
+             );
   if (EFI_ERROR (Status)) {
     return Status;
   }
-- 
cgit v1.1