From: Ard Biesheuvel <ardb@kernel.org>
To: linux-efi@vger.kernel.org
Cc: Ard Biesheuvel <ardb@kernel.org>,
Evgeniy Baskov <baskov@ispras.ru>, Borislav Petkov <bp@alien8.de>,
Alexey Khoroshilov <khoroshilov@ispras.ru>,
Peter Jones <pjones@redhat.com>,
"Limonciello, Mario" <mario.limonciello@amd.com>
Subject: [RFC PATCH 0/4] efi: x86: Use strict W^X mappings in PE/COFF header
Date: Wed, 8 Mar 2023 21:22:05 +0100 [thread overview]
Message-ID: <20230308202209.2980947-1-ardb@kernel.org> (raw)
This is a follow-up to work proposed by Evgeny to tighten memory
permissions used by the EFI stub and subsequently by the decompressor on
x86.
Instead of going out of our way to make more space in the first 500
bytes of the image, and relying on non-1:1 mapped sections (which is
risky in the context of bespoke PE loaders), these patches reorganize
the header so the PE header comes after the x86 setup header, and can be
extended at will.
I pushed a branch at [1] that combines this with v4 of Evgeny's series
(after some minor surgery, e.g., to reorder the text and rodata sections
so they are contiguous)
We might split off the rodata section as well, and give it read/non-exec
permissions, but I'd like to discuss the approach first, and perhaps get
some testing data points.
Cc: Evgeniy Baskov <baskov@ispras.ru>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Alexey Khoroshilov <khoroshilov@ispras.ru>
Cc: Peter Jones <pjones@redhat.com>
Cc: "Limonciello, Mario" <mario.limonciello@amd.com>
[0] https://lore.kernel.org/linux-efi/cover.1671098103.git.baskov@ispras.ru/
[1] https://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git/log/?h=efi-x86-nx-v4
Ard Biesheuvel (4):
efi: x86: Use private copy of struct setup_header
efi: x86: Move PE header after setup header
efi: x86: Drop alignment section header flags
efi: x86: Split PE/COFF .text section into .text and .data
arch/x86/boot/Makefile | 2 +-
arch/x86/boot/header.S | 52 +++++++++-----------
arch/x86/boot/setup.ld | 1 +
arch/x86/boot/tools/build.c | 38 +++++++++-----
drivers/firmware/efi/libstub/x86-stub.c | 43 +++-------------
5 files changed, 59 insertions(+), 77 deletions(-)
--
2.39.2
next reply other threads:[~2023-03-08 20:22 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-08 20:22 Ard Biesheuvel [this message]
2023-03-08 20:22 ` [RFC PATCH 1/4] efi: x86: Use private copy of struct setup_header Ard Biesheuvel
2023-03-08 20:22 ` [RFC PATCH 2/4] efi: x86: Move PE header after setup header Ard Biesheuvel
2023-03-09 17:45 ` Ard Biesheuvel
2023-03-08 20:22 ` [RFC PATCH 3/4] efi: x86: Drop alignment section header flags Ard Biesheuvel
2023-03-08 20:22 ` [RFC PATCH 4/4] efi: x86: Split PE/COFF .text section into .text and .data Ard Biesheuvel
2023-03-09 18:02 ` Evgeniy Baskov
2023-03-09 18:03 ` Ard Biesheuvel
2023-03-09 17:59 ` [RFC PATCH 0/4] efi: x86: Use strict W^X mappings in PE/COFF header Evgeniy Baskov
2023-03-09 18:09 ` Ard Biesheuvel
2023-03-09 18:37 ` Evgeniy Baskov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230308202209.2980947-1-ardb@kernel.org \
--to=ardb@kernel.org \
--cc=baskov@ispras.ru \
--cc=bp@alien8.de \
--cc=khoroshilov@ispras.ru \
--cc=linux-efi@vger.kernel.org \
--cc=mario.limonciello@amd.com \
--cc=pjones@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox