From 91a2ce53f75d7fb75d3c181ba5873b43daaca39c Mon Sep 17 00:00:00 2001 From: Jiaqi Gao Date: Thu, 9 Dec 2021 10:17:30 +0800 Subject: [PATCH] OvmfPkg: set image protection to be default The default value of PcdImageProtectionPolicy is 2, which will enable the protection policy on image from firmware volume. Then the code section will be set to read-only, and the data section will be set to non-executable. Signed-off-by: Jiaqi Gao --- OvmfPkg/OvmfPkgX64.dsc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 8449fe221a1..56c18ab3189 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -631,7 +631,7 @@ # Noexec settings for DXE. # TDX doesn't allow us to change EFER so make sure these are disabled - gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x00000000 + #gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x00000000 gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0x00000000 # Noexec settings for DXE. # TDX doesn't allow us to change EFER so make sure these are disabled
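Review bot: the comment directly above the changed line in the `@@ -631,7 +631,7 @@` hunk still reads "TDX doesn't allow us to change EFER so make sure these are disabled", but after this change only `PcdDxeNxMemoryProtectionPolicy|0x00000000` is disabled, so the comment no longer describes what the file does. The commit message says the data section will be set to non-executable, yet it does not say why the EFER restriction named in that comment no longer applies to image protection. Please state that reasoning in the commit message and reword the comment so it covers only the NX policy that remains overridden. Also delete the `PcdImageProtectionPolicy` line outright instead of leaving it as `#gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x00000000`: a commented-out override invites someone to re-enable it without context, and the history already records the old value. The trailing context shows a second identical "Noexec settings for DXE" comment block, so check whether another override of the same PCD follows it and would still force the policy to 0.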