Re: [Xen-devel] OVMF/Xen, Debian wheezy can't boot with NX on stack (Was: Re: [edk2] [PATCH] OvmfPkg: prevent code execution from DXE stack)
- To: Ian Campbell <ian.campbell@xxxxxxxxxx>, Laszlo Ersek <lersek@xxxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>, Jordan L Justen <jordan.l.justen@xxxxxxxxx>, Star Zeng <star.zeng@xxxxxxxxx>
- From: Paolo Bonzini <pbonzini@xxxxxxxxxx>
- Date: Wed, 9 Sep 2015 13:30:54 +0200
- Cc: Anthony PERARD <anthony.perard@xxxxxxxxxx>, edk2-devel-01 <edk2-devel@xxxxxxxxxxx>, Gary Ching-Pang Lin <glin@xxxxxxxx>, "Gabriel L. Somlo \(GMail\)" <gsomlo@xxxxxxxxx>, Xen Devel <xen-devel@xxxxxxxxxxxxx>
- Delivery-date: Wed, 09 Sep 2015 11:31:10 +0000
- List-id: Xen developer discussion <xen-devel.lists.xen.org>
On 09/09/2015 13:07, Ian Campbell wrote:
> I have a question: What attack vector is setting the stack as Nx in OVMF
> (or even UEFI generally) trying to protect against? Or is this being done
> for a reason other than security?
>
> I understand why it is done for kernels and apps, but where does the
> untrusted element which is being protected against come from when running
> UEFI?
I guess something could attack shim.efi or GRUB, and subvert secure
boot's chain of trust.
Paolo
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel