Bug
Resolution: Done
rhel-8.6.0
rhel-sst-desktop-firmware-bootloaders
+++ This bug was initially created as a clone of Bug #2031288 +++
Feature: NX Protection during Preboot
- 'No Execute' Protection has been available in RHEL and Linux overall at the OS level for many years; now there is an effort to enable this in the preboot phase, which therefore requires shim and bootloader support
2. Feature Details:
a) Architecture:
Intel / AMD (x86_64)
b) Bugzilla dependencies:
c) Drivers or hardware dependencies:
d) Upstream acceptance information: RH is understood to be already in development - not part of Linux kernel
e) External links:
f) Severity (H,M,L): High
g) Feature required by date (for example, the date on which hardware requiring this feature is planned for launch): Current target at Dell is too aggressive and we expect it to be pushed, but do not have ETA at this time
3. Business Justification:
Feature is needed to close vulnerabilities that could be present during the preboot phase; for example, a rogue EFI driver could execute certain attacks without this sort of protection.
4. QE Test Plan:
We will provide HW with modified BIOS w/NX enabled, at which point the handshakes between UEFI/Shim/Bootloader can be verified largely through the observation of successful boot.
5. Primary contact at Red Hat, email, phone (chat)
Karl Hastings
karl@redhat.com
(917) 720-7097
6. Primary contact at Partner, email
Zorro Zhang
zorro_zhang@dell.com