For in-depth technical details on Memory Protection in Project Mu, see feature_memory_protection.md
Memory protections are important because Unified Extensible Firmware Interface (UEFI) standard accounts for the firmware design implemented in 80 to 90 percent of the of PCs and servers sold worldwide. Developed and supported by more than 250 industry-leading companies, UEFI firmware is responsible for booting and securing billions of devices spanning device classes from embedded applications to multi-role server systems.
While considerable attention has been devoted to hardware trust anchors and operating system security, attackers have discovered that UEFI firmware is lacking basic memory protections that have been present in other system software for over a decade. Coupled with the inconsistency of security capabilities inherit to vendor firmware implementations, UEFI firmware has become an increasingly attractive system attack vector.
QemuSbsaPkg allow experimentation with the memory protections being offered in physical platforms.
Memory protections are ON by default on Q35 and SBSA. To disable memory protection add
stuart_build command. Example:
stuart_build -c .\Platforms\<Platform>\PlatformBuild.py BLD_*_MEMORY_PROTECTION=FALSE --FlashRom
MEMORY_PROTECTION is a build flag, the platform will need to be rebuilt for a change to the value to take
--FlashOnly will not work).