On 24 March 2017 at 09:40, Borislav Petkov <bp@xxxxxxxxx> wrote: > On Fri, Mar 24, 2017 at 09:37:36AM +0000, Ard Biesheuvel wrote: >> No. It is the firmware's EFI code, and the virtual translation applied >> by the OS is made known to the firmware by means of a call into the >> runtime service SetVirtualAddressMap(). > > We can still randomize within those 64G before calling > SetVirtualAddressMap(). The question is, do we want to or need to, even? > That is a different matter. If the regions are only mapped while runtime services invocations are in progress (as we do on ARM), I am not sure if it matters that much, given how rarely that occurs in normal use.