Policy Control
Stack Guard: Detect Stack Overflow
gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard
## Indicates if UEFI Stack Guard will be enabled.
# If enabled, stack overflow in UEFI can be caught, preventing chaotic consequences.<BR><BR>
# TRUE - UEFI Stack Guard will be enabled.<BR>
# FALSE - UEFI Stack Guard will be disabled.<BR>
gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard
## Indicates if SMM Stack Guard will be enabled.
# If enabled, stack overflow in SMM can be caught, preventing chaotic consequences.<BR><BR>
# TRUE - SMM Stack Guard will be enabled.<BR>
# FALSE - SMM Stack Guard will be disabled.<BR>
NULL pointer detection: Detect NULL pointer access
gEfiMdeModulePkgTokenSpaceGuid.PcdNullPointerDetectionPropertyMask
## Mask to control the NULL address detection in code for different phases.
# If enabled, accessing NULL address in UEFI or SMM code can be caught.<BR><BR>
# BIT0 - Enable NULL pointer detection for UEFI.<BR>
# BIT1 - Enable NULL pointer detection for SMM.<BR>
# BIT2..6 - Reserved for future use.<BR>
# BIT7 - Disable NULL pointer detection just after EndOfDxe.<BR>
# This is a workaround for those unsolvable NULL access issues in
# OptionROM, boot loader, etc. It can also help to avoid unnecessary
# exceptions caused by legacy memory (0-4095) access after EndOfDxe,
# such as Windows 7 boot on QEMU.<BR>
Heap Guard: Detect Heap Overflow.
gEfiMdeModulePkgTokenSpaceGuid.PcdHeapGuardPageType
## Indicates which allocation types need guard pages.
#
# If a bit is set, a head guard page and a tail guard page will be added just
# before and after pages allocated of the corresponding type, if there are enough
# free pages for all of them. Page allocation for the types whose bits are
# clear stays the same as usual.
#
# Below is the bit mask for this PCD (order is the same as in the UEFI spec):<BR>
# EfiReservedMemoryType 0x0000000000000001<BR>
# EfiLoaderCode 0x0000000000000002<BR>
# EfiLoaderData 0x0000000000000004<BR>
# EfiBootServicesCode 0x0000000000000008<BR>
# EfiBootServicesData 0x0000000000000010<BR>
# EfiRuntimeServicesCode 0x0000000000000020<BR>
# EfiRuntimeServicesData 0x0000000000000040<BR>
# EfiConventionalMemory 0x0000000000000080<BR>
# EfiUnusableMemory 0x0000000000000100<BR>
# EfiACPIReclaimMemory 0x0000000000000200<BR>
# EfiACPIMemoryNVS 0x0000000000000400<BR>
# EfiMemoryMappedIO 0x0000000000000800<BR>
# EfiMemoryMappedIOPortSpace 0x0000000000001000<BR>
# EfiPalCode 0x0000000000002000<BR>
# EfiPersistentMemory 0x0000000000004000<BR>
# OEM Reserved 0x4000000000000000<BR>
# OS Reserved 0x8000000000000000<BR>
# e.g. if LoaderCode+LoaderData+BootServicesCode+BootServicesData are needed, 0x1E should be used.<BR>
gEfiMdeModulePkgTokenSpaceGuid.PcdHeapGuardPoolType
## Indicates which allocation types need guard pages.
#
# If a bit is set, a head guard page and a tail guard page will be added just
# before and after the pages of the corresponding type that the allocated pool occupies,
# if there is enough free memory for all of them. Pool allocation for the
# types whose bits are clear stays the same as usual.
#
# Below is the bit mask for this PCD (order is the same as in the UEFI spec):<BR>
# EfiReservedMemoryType 0x0000000000000001<BR>
# EfiLoaderCode 0x0000000000000002<BR>
# EfiLoaderData 0x0000000000000004<BR>
# EfiBootServicesCode 0x0000000000000008<BR>
# EfiBootServicesData 0x0000000000000010<BR>
# EfiRuntimeServicesCode 0x0000000000000020<BR>
# EfiRuntimeServicesData 0x0000000000000040<BR>
# EfiConventionalMemory 0x0000000000000080<BR>
# EfiUnusableMemory 0x0000000000000100<BR>
# EfiACPIReclaimMemory 0x0000000000000200<BR>
# EfiACPIMemoryNVS 0x0000000000000400<BR>
# EfiMemoryMappedIO 0x0000000000000800<BR>
# EfiMemoryMappedIOPortSpace 0x0000000000001000<BR>
# EfiPalCode 0x0000000000002000<BR>
# EfiPersistentMemory 0x0000000000004000<BR>
# OEM Reserved 0x4000000000000000<BR>
# OS Reserved 0x8000000000000000<BR>
# e.g. if LoaderCode+LoaderData+BootServicesCode+BootServicesData are needed, 0x1E should be used.<BR>
gEfiMdeModulePkgTokenSpaceGuid.PcdHeapGuardPropertyMask
## This mask controls Heap Guard behavior.
# Note that due to limits of the pool memory implementation and the alignment
# requirements of the UEFI spec, BIT7 is a best-effort setting that cannot guarantee
# that the returned pool is exactly adjacent to the head guard page or tail guard
# page.
# BIT0 - Enable UEFI page guard.<BR>
# BIT1 - Enable UEFI pool guard.<BR>
# BIT2 - Enable SMM page guard.<BR>
# BIT3 - Enable SMM pool guard.<BR>
# BIT7 - The direction of the guard page for Pool Guard.<BR>
# 0 - The returned pool is near the tail guard page.<BR>
# 1 - The returned pool is near the head guard page.<BR>
gEfiMdeModulePkgTokenSpaceGuid.PcdMemoryProfilePropertyMask
## The mask is used to control memory profile behavior.<BR><BR>
# BIT0 - Enable UEFI memory profile.<BR>
# BIT1 - Enable SMRAM profile.<BR>
# BIT7 - Disable recording at the start.<BR>
gEfiMdeModulePkgTokenSpaceGuid.PcdMemoryProfileMemoryType
## This flag controls which memory types' allocation info will be recorded by DxeCore and SmmCore.<BR><BR>
# For SmmCore, only EfiRuntimeServicesCode and EfiRuntimeServicesData are valid.<BR>
#
# Below is the bit mask for this PCD (order is the same as in the UEFI spec):<BR>
# EfiReservedMemoryType 0x0001<BR>
# EfiLoaderCode 0x0002<BR>
# EfiLoaderData 0x0004<BR>
# EfiBootServicesCode 0x0008<BR>
# EfiBootServicesData 0x0010<BR>
# EfiRuntimeServicesCode 0x0020<BR>
# EfiRuntimeServicesData 0x0040<BR>
# EfiConventionalMemory 0x0080<BR>
# EfiUnusableMemory 0x0100<BR>
# EfiACPIReclaimMemory 0x0200<BR>
# EfiACPIMemoryNVS 0x0400<BR>
# EfiMemoryMappedIO 0x0800<BR>
# EfiMemoryMappedIOPortSpace 0x1000<BR>
# EfiPalCode 0x2000<BR>
# EfiPersistentMemory 0x4000<BR>
# OEM Reserved 0x4000000000000000<BR>
# OS Reserved 0x8000000000000000<BR>
#
# e.g. if Reserved+ACPINvs+ACPIReclaim+RuntimeCode+RuntimeData are needed, 0x661 should be used.<BR>
gEfiMdeModulePkgTokenSpaceGuid.PcdMemoryProfileDriverPath
## This PCD controls which drivers need memory profile data.<BR><BR>
# For example:<BR>
# One image only (Shell):<BR>
# Header GUID<BR>
# {0x04, 0x06, 0x14, 0x00, 0x83, 0xA5, 0x04, 0x7C, 0x3E, 0x9E, 0x1C, 0x4F, 0xAD, 0x65, 0xE0, 0x52, 0x68, 0xD0, 0xB4, 0xD1,<BR>
# 0x7F, 0xFF, 0x04, 0x00}<BR>
# Two or more images (Shell + WinNtSimpleFileSystem):<BR>
# {0x04, 0x06, 0x14, 0x00, 0x83, 0xA5, 0x04, 0x7C, 0x3E, 0x9E, 0x1C, 0x4F, 0xAD, 0x65, 0xE0, 0x52, 0x68, 0xD0, 0xB4, 0xD1,<BR>
# 0x7F, 0x01, 0x04, 0x00,<BR>
# 0x04, 0x06, 0x14, 0x00, 0x8B, 0xE1, 0x25, 0x9C, 0xBA, 0x76, 0xDA, 0x43, 0xA1, 0x32, 0xDB, 0xB0, 0x99, 0x7C, 0xEF, 0xEF,<BR>
# 0x7F, 0xFF, 0x04, 0x00}<BR>
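The byte layout above is a UEFI device path. Each node starts with a 4-byte header (Type, SubType, and a 16-bit little-endian Length that includes the header); 0x04, 0x06, 0x14, 0x00 opens a Media / PIWG Firmware File node whose remaining 16 bytes are the file GUID, 0x7F, 0x01, 0x04, 0x00 ends one path instance, and 0x7F, 0xFF, 0x04, 0x00 ends the whole path. The C program below is an added example, not code from EDK II: it walks the two-image sample, counts the firmware-file nodes, renders the first file GUID in the usual text form, and rejects a value whose node lengths do not fit the buffer or that has no end node, which is the sanity check a platform owner wants before trusting a hand-assembled byte array. The sample bytes are a copy of the comment's example; the function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Device path node header (UEFI spec, EFI_DEVICE_PATH_PROTOCOL):
   Type, SubType, then a 16-bit little-endian Length including the header. */
#define MEDIA_DEVICE_PATH                 0x04
#define MEDIA_PIWG_FW_FILE_DP             0x06
#define END_DEVICE_PATH_TYPE              0x7F
#define END_INSTANCE_DEVICE_PATH_SUBTYPE  0x01
#define END_ENTIRE_DEVICE_PATH_SUBTYPE    0xFF
#define DEVICE_PATH_HEADER_LENGTH         4
#define FV_FILE_NODE_LENGTH               20   /* header + 16-byte file GUID */
#define GUID_STRING_LENGTH                37   /* 36 characters + NUL */

/* Constructed copy of the two-image example (Shell + WinNtSimpleFileSystem)
   from the PcdMemoryProfileDriverPath comment above. */
static const uint8_t ProfileDriverPath[] = {
  0x04, 0x06, 0x14, 0x00, 0x83, 0xA5, 0x04, 0x7C, 0x3E, 0x9E, 0x1C, 0x4F,
  0xAD, 0x65, 0xE0, 0x52, 0x68, 0xD0, 0xB4, 0xD1,
  0x7F, 0x01, 0x04, 0x00,
  0x04, 0x06, 0x14, 0x00, 0x8B, 0xE1, 0x25, 0x9C, 0xBA, 0x76, 0xDA, 0x43,
  0xA1, 0x32, 0xDB, 0xB0, 0x99, 0x7C, 0xEF, 0xEF,
  0x7F, 0xFF, 0x04, 0x00
};

/* Render a 16-byte EFI_GUID as text; the first three fields are stored
   little-endian, the remaining 8 bytes are printed in memory order. */
void FormatGuid(const uint8_t *G, char *Out, size_t OutLen)
{
  snprintf(Out, OutLen,
           "%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X",
           G[3], G[2], G[1], G[0], G[5], G[4], G[7], G[6],
           G[8], G[9], G[10], G[11], G[12], G[13], G[14], G[15]);
}

/* Walk a (possibly multi-instance) device path of Len bytes. Returns the
   number of PIWG firmware-file nodes found and copies the first file GUID
   into FirstGuid when it is non-NULL. Returns -1 if a node length is
   inconsistent with the buffer or the path has no end-entire node, so a
   truncated or corrupted PCD value is rejected instead of read past. */
int ParseProfileDriverPath(const uint8_t *Path, size_t Len,
                           char *FirstGuid, size_t FirstGuidLen)
{
  size_t Off = 0;
  int Count = 0;
  int SawEnd = 0;

  while (Off + DEVICE_PATH_HEADER_LENGTH <= Len) {
    uint8_t  Type    = Path[Off];
    uint8_t  SubType = Path[Off + 1];
    uint16_t NodeLen = (uint16_t)(Path[Off + 2] | (Path[Off + 3] << 8));

    if (NodeLen < DEVICE_PATH_HEADER_LENGTH || Off + NodeLen > Len) {
      return -1;                   /* bogus length or node overruns the buffer */
    }
    if (Type == END_DEVICE_PATH_TYPE) {
      if (NodeLen != DEVICE_PATH_HEADER_LENGTH) return -1;
      if (SubType == END_ENTIRE_DEVICE_PATH_SUBTYPE) { SawEnd = 1; break; }
      if (SubType != END_INSTANCE_DEVICE_PATH_SUBTYPE) return -1;
    } else if (Type == MEDIA_DEVICE_PATH && SubType == MEDIA_PIWG_FW_FILE_DP) {
      if (NodeLen != FV_FILE_NODE_LENGTH) return -1;
      if (Count == 0 && FirstGuid != NULL) {
        FormatGuid(Path + Off + DEVICE_PATH_HEADER_LENGTH, FirstGuid, FirstGuidLen);
      }
      Count++;
    }
    Off += NodeLen;                /* any other node type is skipped by its length */
  }
  return SawEnd ? Count : -1;
}

/* Convenience accessor for the constructed sample: GUID of its first image. */
const char *FirstFvFileGuid(void)
{
  static char Guid[GUID_STRING_LENGTH];
  if (ParseProfileDriverPath(ProfileDriverPath, sizeof ProfileDriverPath,
                             Guid, sizeof Guid) < 0) {
    return "";
  }
  return Guid;
}

int main(void)
{
  int Images = ParseProfileDriverPath(ProfileDriverPath, sizeof ProfileDriverPath, NULL, 0);
  printf("images in profile path: %d, first file GUID: %s\n", Images, FirstFvFileGuid());
  return Images == 2 ? 0 : 1;
}
```

Running it on the sample reports two images; the first GUID decodes to the Shell's file GUID, which is the quick way to confirm a hand-written PcdMemoryProfileDriverPath value names the drivers you intended.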
NX stack: Prevent code execution in stack
gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack
## Indicates whether to set NX for the stack.<BR><BR>
# When DxeIpl and DxeCore are both X64, the set-NX-for-stack feature also requires PcdDxeIplBuildPageTables to be TRUE.<BR>
# When DxeIpl and DxeCore are both IA32 (PcdDxeIplSwitchToLongMode is FALSE), the set-NX-for-stack feature also requires
# that IA32 PAE is supported and the Execute Disable bit is available.<BR>
# TRUE - Set NX for the stack.<BR>
# FALSE - Do not set NX for the stack.<BR>
DXE NX/RO Protection: Prevent code injection
gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy
## Set DXE memory protection policy. The policy is bitwise.
# If a bit is set, memory regions of the associated type will be mapped
# non-executable.<BR><BR>
#
# Below is the bit mask for this PCD (order is the same as in the UEFI spec):<BR>
# EfiReservedMemoryType 0x0001<BR>
# EfiLoaderCode 0x0002<BR>
# EfiLoaderData 0x0004<BR>
# EfiBootServicesCode 0x0008<BR>
# EfiBootServicesData 0x0010<BR>
# EfiRuntimeServicesCode 0x0020<BR>
# EfiRuntimeServicesData 0x0040<BR>
# EfiConventionalMemory 0x0080<BR>
# EfiUnusableMemory 0x0100<BR>
# EfiACPIReclaimMemory 0x0200<BR>
# EfiACPIMemoryNVS 0x0400<BR>
# EfiMemoryMappedIO 0x0800<BR>
# EfiMemoryMappedIOPortSpace 0x1000<BR>
# EfiPalCode 0x2000<BR>
# EfiPersistentMemory 0x4000<BR>
# OEM Reserved 0x4000000000000000<BR>
# OS Reserved 0x8000000000000000<BR>
#
# NOTE: User must NOT set NX protection for EfiLoaderCode / EfiBootServicesCode / EfiRuntimeServicesCode.<BR>
# User MUST set the same NX protection for EfiBootServicesData and EfiConventionalMemory.<BR>
#
# e.g. 0x7FD5 can be used for all memory except Code.<BR>
# e.g. 0x7BD4 can be used for all memory except Code and ACPINVS/Reserved.<BR>
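The Heap Guard, memory profile and DXE NX policy PCDs above all use the same encoding: the bit position of a memory type is its position in the UEFI spec's EFI_MEMORY_TYPE enum, so the worked values 0x1E, 0x661, 0x7FD5 and 0x7BD4 can be derived rather than hand-typed. The C program below is an added example and not EDK II code; it builds masks from lists of types, derives the "all memory except Code" NX policy, checks a candidate PcdDxeNxMemoryProtectionPolicy against the two NOTE rules (no NX on code types, and matching settings for EfiBootServicesData and EfiConventionalMemory), and prints the type names behind a raw mask. The function names (BuildMemTypeMask, ValidateDxeNxPolicy and so on) are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* EFI_MEMORY_TYPE in UEFI spec order. The PCD masks on this page use the
   enum value of a type as its bit position (EfiReservedMemoryType -> BIT0,
   EfiPersistentMemory -> BIT14). */
typedef enum {
  EfiReservedMemoryType,
  EfiLoaderCode,
  EfiLoaderData,
  EfiBootServicesCode,
  EfiBootServicesData,
  EfiRuntimeServicesCode,
  EfiRuntimeServicesData,
  EfiConventionalMemory,
  EfiUnusableMemory,
  EfiACPIReclaimMemory,
  EfiACPIMemoryNVS,
  EfiMemoryMappedIO,
  EfiMemoryMappedIOPortSpace,
  EfiPalCode,
  EfiPersistentMemory,
  EfiMaxMemoryType
} EFI_MEMORY_TYPE;

/* The two non-UEFI bits the PCD comments reserve for OEM and OS ranges. */
#define MEM_TYPE_MASK_OEM_RESERVED  0x4000000000000000ULL
#define MEM_TYPE_MASK_OS_RESERVED   0x8000000000000000ULL

static const char *const MemTypeNames[EfiMaxMemoryType] = {
  "EfiReservedMemoryType", "EfiLoaderCode", "EfiLoaderData",
  "EfiBootServicesCode", "EfiBootServicesData", "EfiRuntimeServicesCode",
  "EfiRuntimeServicesData", "EfiConventionalMemory", "EfiUnusableMemory",
  "EfiACPIReclaimMemory", "EfiACPIMemoryNVS", "EfiMemoryMappedIO",
  "EfiMemoryMappedIOPortSpace", "EfiPalCode", "EfiPersistentMemory"
};

uint64_t MemTypeBit(EFI_MEMORY_TYPE Type) { return 1ULL << Type; }

/* OR together the bits for a list of memory types. */
uint64_t BuildMemTypeMask(const EFI_MEMORY_TYPE *Types, size_t Count)
{
  uint64_t Mask = 0;
  for (size_t i = 0; i < Count; i++) Mask |= MemTypeBit(Types[i]);
  return Mask;
}

/* Every UEFI-defined type, bits 0..14 (0x7FFF). */
uint64_t AllUefiMemTypesMask(void) { return MemTypeBit(EfiMaxMemoryType) - 1; }

/* The three code types that the NOTE says must never be marked NX. */
uint64_t CodeMemTypesMask(void)
{
  return MemTypeBit(EfiLoaderCode) | MemTypeBit(EfiBootServicesCode) | MemTypeBit(EfiRuntimeServicesCode);
}

/* The page's Heap Guard example: LoaderCode+LoaderData+BootServicesCode+BootServicesData. */
uint64_t HeapGuardExampleMask(void)
{
  const EFI_MEMORY_TYPE Types[] = { EfiLoaderCode, EfiLoaderData, EfiBootServicesCode, EfiBootServicesData };
  return BuildMemTypeMask(Types, sizeof Types / sizeof Types[0]);
}

/* The page's memory profile example: Reserved+ACPINvs+ACPIReclaim+RuntimeCode+RuntimeData. */
uint64_t MemoryProfileExampleMask(void)
{
  const EFI_MEMORY_TYPE Types[] = { EfiReservedMemoryType, EfiACPIMemoryNVS, EfiACPIReclaimMemory,
                                    EfiRuntimeServicesCode, EfiRuntimeServicesData };
  return BuildMemTypeMask(Types, sizeof Types / sizeof Types[0]);
}

/* Derive the "all memory except Code" DXE NX policy instead of hand-typing it. */
uint64_t DxeNxAllExceptCodeMask(void) { return AllUefiMemTypesMask() & ~CodeMemTypesMask(); }

/* Check a PcdDxeNxMemoryProtectionPolicy value against the two NOTE rules.
   Returns 1 when the policy is acceptable, 0 when it breaks a rule. */
int ValidateDxeNxPolicy(uint64_t Policy)
{
  if (Policy & CodeMemTypesMask()) return 0;          /* NX on code would fault every image */
  int BsData = (Policy & MemTypeBit(EfiBootServicesData)) != 0;
  int Conv   = (Policy & MemTypeBit(EfiConventionalMemory)) != 0;
  return BsData == Conv;                               /* the two must carry the same setting */
}

/* Print the types selected by a mask, so a reviewer can read a raw PCD value. */
void PrintMemTypeMask(uint64_t Mask)
{
  for (int t = 0; t < EfiMaxMemoryType; t++)
    if (Mask & MemTypeBit((EFI_MEMORY_TYPE)t)) printf("  %s\n", MemTypeNames[t]);
  if (Mask & MEM_TYPE_MASK_OEM_RESERVED) printf("  OEM Reserved\n");
  if (Mask & MEM_TYPE_MASK_OS_RESERVED)  printf("  OS Reserved\n");
}

int main(void)
{
  uint64_t Policy = DxeNxAllExceptCodeMask();
  printf("PcdDxeNxMemoryProtectionPolicy = 0x%llX (%s)\n", (unsigned long long)Policy,
         ValidateDxeNxPolicy(Policy) ? "valid" : "INVALID");
  PrintMemTypeMask(Policy);
  return 0;
}
```

The same ValidateDxeNxPolicy check is worth wiring into a platform's build-time lint: 0x7FFF (NX on everything) and a value that sets EfiBootServicesData but not EfiConventionalMemory are both rejected, while the page's 0x7FD5 and 0x7BD4 pass.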
DXE image Protection: Prevent code injection
gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy
## Set image protection policy. The policy is bitwise.
# If a bit is set, the image will be protected by DxeCore if it is aligned.
# The code section becomes read-only, and the data section becomes non-executable.
# If a bit is clear, the image will not be protected.<BR><BR>
# BIT0 - Image from unknown device.<BR>
# BIT1 - Image from firmware volume.<BR>
System Management Mode (SMM) static paging: Prevent code injection in SMM
gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStaticPageTable
## Indicates if SMM uses a static page table.
# If enabled, SMM will not use on-demand paging. SMM will build a static page table for all memory.
# This flag only impacts the X64 build, because SMM always builds a static page table for IA32.
# It cannot be enabled at the same time as the SMM profile feature (PcdCpuSmmProfileEnable).
# It also cannot be enabled at the same time as the heap guard feature for SMM
# (PcdHeapGuardPropertyMask in MdeModulePkg).<BR><BR>
# TRUE - SMM uses a static page table for all memory.<BR>
# FALSE - SMM uses a static page table for memory below 4G and on-demand paging for memory above 4G.<BR>
gEfiMdeModulePkgTokenSpaceGuid.PcdSmiHandlerProfilePropertyMask
## The mask is used to control SmiHandlerProfile behavior.<BR><BR>
# BIT0 - Enable SmiHandlerProfile.<BR>
SMM Profile: Provide non-SMRAM access in SMM
gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmProfileEnable
## Indicates if SMM Profile will be enabled.