x86 efistub stable backports for v6.6

x86 efistub stable backports for v6.6

[Ard Biesheuvel]

(cc stakeholders from various distros - apologies if I missed anyone)

Please consider the patches below for backporting to the linux-6.6.y
stable tree.

These are prerequisites for building a signed x86 efistub kernel image
that complies with the tightened UEFI boot requirements imposed by
MicroSoft, and this is the condition under which it is willing to sign
future Linux secure boot shim builds with its 3rd party CA
certificate. (Such builds must enforce a strict separation between
executable and writable code, among other things)

The patches apply cleanly onto 6.6.17 (-rc2), resulting in a defconfig
build that boots as expected under OVMF/KVM.

5f51c5d0e905 x86/efi: Drop EFI stub .bss from .data section
7e50262229fa x86/efi: Disregard setup header of loaded image
bfab35f552ab x86/efi: Drop alignment flags from PE section headers
768171d7ebbc x86/boot: Remove the 'bugger off' message
8eace5b35556 x86/boot: Omit compression buffer from PE/COFF image
memory footprint
7448e8e5d15a x86/boot: Drop redundant code setting the root device
b618d31f112b x86/boot: Drop references to startup_64
2e765c02dcbf x86/boot: Grab kernel_info offset from zoffset header directly
eac956345f99 x86/boot: Set EFI handover offset directly in header asm
093ab258e3fb x86/boot: Define setup size in linker script
aeb92067f6ae x86/boot: Derive file size from _edata symbol
efa089e63b56 x86/boot: Construct PE/COFF .text section from assembler
fa5750521e0a x86/boot: Drop PE/COFF .reloc section
34951f3c28bd x86/boot: Split off PE/COFF .data section
3e3eabe26dc8 x86/boot: Increase section and file alignment to 4k/512

1ad55cecf22f x86/efistub: Use 1:1 file:memory mapping for PE/COFF
.compat section


 arch/x86/boot/Makefile                  |   2 +-
 arch/x86/boot/compressed/vmlinux.lds.S  |   6 +-
 arch/x86/boot/header.S                  | 211 ++++++++++--------------
 arch/x86/boot/setup.ld                  |  14 +-
 arch/x86/boot/tools/build.c             | 273 ++------------------------------
 drivers/firmware/efi/libstub/Makefile   |   7 -
 drivers/firmware/efi/libstub/x86-stub.c |  46 +-----
 7 files changed, 112 insertions(+), 447 deletions(-)

Re: x86 efistub stable backports for v6.6

[Greg KH]

On Thu, Feb 15, 2024 at 10:17:20AM +0100, Ard Biesheuvel wrote:
> (cc stakeholders from various distros - apologies if I missed anyone)
> 
> Please consider the patches below for backporting to the linux-6.6.y
> stable tree.
> 
> These are prerequisites for building a signed x86 efistub kernel image
> that complies with the tightened UEFI boot requirements imposed by
> MicroSoft, and this is the condition under which it is willing to sign
> future Linux secure boot shim builds with its 3rd party CA
> certificate. (Such builds must enforce a strict separation between
> executable and writable code, among other things)
> 
> The patches apply cleanly onto 6.6.17 (-rc2), resulting in a defconfig
> build that boots as expected under OVMF/KVM.
> 
> 5f51c5d0e905 x86/efi: Drop EFI stub .bss from .data section
> 7e50262229fa x86/efi: Disregard setup header of loaded image
> bfab35f552ab x86/efi: Drop alignment flags from PE section headers
> 768171d7ebbc x86/boot: Remove the 'bugger off' message
> 8eace5b35556 x86/boot: Omit compression buffer from PE/COFF image
> memory footprint
> 7448e8e5d15a x86/boot: Drop redundant code setting the root device
> b618d31f112b x86/boot: Drop references to startup_64
> 2e765c02dcbf x86/boot: Grab kernel_info offset from zoffset header directly
> eac956345f99 x86/boot: Set EFI handover offset directly in header asm
> 093ab258e3fb x86/boot: Define setup size in linker script
> aeb92067f6ae x86/boot: Derive file size from _edata symbol
> efa089e63b56 x86/boot: Construct PE/COFF .text section from assembler
> fa5750521e0a x86/boot: Drop PE/COFF .reloc section
> 34951f3c28bd x86/boot: Split off PE/COFF .data section
> 3e3eabe26dc8 x86/boot: Increase section and file alignment to 4k/512
> 
> 1ad55cecf22f x86/efistub: Use 1:1 file:memory mapping for PE/COFF
> .compat section

Is the list here the order in which they should be applied in?

And is this not an issue for 6.1.y as well?

thanks,

greg k-h

Re: x86 efistub stable backports for v6.6

[Ard Biesheuvel]

On Thu, 15 Feb 2024 at 10:27, Greg KH <gregkh@linuxfoundation.org> wrote:
>
> On Thu, Feb 15, 2024 at 10:17:20AM +0100, Ard Biesheuvel wrote:
> > (cc stakeholders from various distros - apologies if I missed anyone)
> >
> > Please consider the patches below for backporting to the linux-6.6.y
> > stable tree.
> >
> > These are prerequisites for building a signed x86 efistub kernel image
> > that complies with the tightened UEFI boot requirements imposed by
> > MicroSoft, and this is the condition under which it is willing to sign
> > future Linux secure boot shim builds with its 3rd party CA
> > certificate. (Such builds must enforce a strict separation between
> > executable and writable code, among other things)
> >
> > The patches apply cleanly onto 6.6.17 (-rc2), resulting in a defconfig
> > build that boots as expected under OVMF/KVM.
> >
> > 5f51c5d0e905 x86/efi: Drop EFI stub .bss from .data section
> > 7e50262229fa x86/efi: Disregard setup header of loaded image
> > bfab35f552ab x86/efi: Drop alignment flags from PE section headers
> > 768171d7ebbc x86/boot: Remove the 'bugger off' message
> > 8eace5b35556 x86/boot: Omit compression buffer from PE/COFF image
> > memory footprint
> > 7448e8e5d15a x86/boot: Drop redundant code setting the root device
> > b618d31f112b x86/boot: Drop references to startup_64
> > 2e765c02dcbf x86/boot: Grab kernel_info offset from zoffset header directly
> > eac956345f99 x86/boot: Set EFI handover offset directly in header asm
> > 093ab258e3fb x86/boot: Define setup size in linker script
> > aeb92067f6ae x86/boot: Derive file size from _edata symbol
> > efa089e63b56 x86/boot: Construct PE/COFF .text section from assembler
> > fa5750521e0a x86/boot: Drop PE/COFF .reloc section
> > 34951f3c28bd x86/boot: Split off PE/COFF .data section
> > 3e3eabe26dc8 x86/boot: Increase section and file alignment to 4k/512
> >
> > 1ad55cecf22f x86/efistub: Use 1:1 file:memory mapping for PE/COFF
> > .compat section
>
> Is the list here the order in which they should be applied in?
>

Yes. These are all from v6.7 except the last one, but that has been
queued for v6.7 already.

> And is this not an issue for 6.1.y as well?
>

It is, but there are many more changes that would need to go into v6.1:

 Documentation/x86/boot.rst                     |   2 +-
 arch/x86/Kconfig                               |  17 +
 arch/x86/boot/Makefile                         |   2 +-
 arch/x86/boot/compressed/Makefile              |  13 +-
 arch/x86/boot/compressed/efi_mixed.S           | 328 ++++++++++++++
 arch/x86/boot/compressed/efi_thunk_64.S        | 195 --------
 arch/x86/boot/compressed/head_32.S             |  38 +-
 arch/x86/boot/compressed/head_64.S             | 593 +++++--------------------
 arch/x86/boot/compressed/mem_encrypt.S         | 152 ++++++-
 arch/x86/boot/compressed/misc.c                |  61 ++-
 arch/x86/boot/compressed/misc.h                |   2 -
 arch/x86/boot/compressed/pgtable.h             |  10 +-
 arch/x86/boot/compressed/pgtable_64.c          |  87 ++--
 arch/x86/boot/compressed/sev.c                 | 112 +++--
 arch/x86/boot/compressed/vmlinux.lds.S         |   6 +-
 arch/x86/boot/header.S                         | 215 ++++-----
 arch/x86/boot/setup.ld                         |  14 +-
 arch/x86/boot/tools/build.c                    | 271 +----------
 arch/x86/include/asm/boot.h                    |   8 +
 arch/x86/include/asm/efi.h                     |  14 +-
 arch/x86/include/asm/sev.h                     |   7 +
 drivers/firmware/efi/libstub/Makefile          |   8 +-
 drivers/firmware/efi/libstub/alignedmem.c      |   5 +-
 drivers/firmware/efi/libstub/arm64-stub.c      |   6 +-
 drivers/firmware/efi/libstub/efi-stub-helper.c |   2 +
 drivers/firmware/efi/libstub/efistub.h         |  28 +-
 drivers/firmware/efi/libstub/mem.c             |   3 +-
 drivers/firmware/efi/libstub/randomalloc.c     |  13 +-
 drivers/firmware/efi/libstub/x86-5lvl.c        |  95 ++++
 drivers/firmware/efi/libstub/x86-stub.c        | 327 +++++++-------
 drivers/firmware/efi/libstub/x86-stub.h        |  17 +
 include/linux/efi.h                            |   1 +
 32 files changed, 1204 insertions(+), 1448 deletions(-)

(Note: the commit hashes below are bogus, they are from my tree [0])

If you're happy to take these too, I can give you the proper list, but
perhaps we should deal with v6.6 first?

9d2df639ec41 x86/boot/compressed: Rename efi_thunk_64.S to efi-mixed.S
4dae7beb5530 x86/boot/compressed: Move 32-bit entrypoint code into .text section
8b6ddf82c1e7 x86/boot/compressed: Move bootargs parsing out of 32-bit
startup code
31d3e51c565f x86/boot/compressed: Move efi32_pe_entry into .text section
4099d7a76e86 x86/boot/compressed: Move efi32_entry out of head_64.S
7bed86e158bf x86/boot/compressed: Move efi32_pe_entry() out of head_64.S
d808c48f53d1 x86/boot/compressed, efi: Merge multiple definitions of
image_offset into one
bb183fa754f7 x86/boot/compressed: Simplify IDT/GDT preserve/restore in
the EFI thunk
b78d930f51c9 x86/boot/compressed: Avoid touching ECX in
startup32_set_idt_entry()
8c69f96fe1df x86/boot/compressed: Pull global variable reference into
startup32_load_idt()
6b84fc96784b x86/boot/compressed: Move startup32_load_idt() into .text section
6dd53426e8ef x86/boot/compressed: Move startup32_load_idt() out of head_64.S
82db0efabd4a x86/boot/compressed: Move startup32_check_sev_cbit() into .text
7aaa10f2f01a x86/boot/compressed: Move startup32_check_sev_cbit() out
of head_64.S
6b5a2ab4d783 x86/boot/compressed: Adhere to calling convention in
get_sev_encryption_bit()
bdd9c458fdf8 x86/boot/compressed: Only build mem_encrypt.S if AMD_MEM_ENCRYPT=y
a249efa7500c efi/libstub: Add memory attribute protocol definitions
1bbd66011e5e x86/efi: Make the deprecated EFI handover protocol optional
763512bf9ff8 x86/boot: Robustify calling startup_{32,64}() from the
decompressor code
3cfd94f97c8d x86/efistub: Branch straight to kernel entry point from C code
2684d78d8bdc x86/efistub: Simplify and clean up handover entry code
9ef61120b2ab x86/decompressor: Avoid magic offsets for EFI handover entrypoint
067f18102a11 x86/efistub: Clear BSS in EFI handover protocol entrypoint
c674fa468fa6 x86/decompressor: Store boot_params pointer in callee save register
ed871fc7d947 x86/decompressor: Assign paging related global variables earlier
63915dd5a8fc x86/decompressor: Call trampoline as a normal function
3f6e9fe794ea x86/decompressor: Use standard calling convention for trampoline
eef60ef496f6 x86/decompressor: Avoid the need for a stack in the
32-bit trampoline
1f328cfb5700 x86/decompressor: Call trampoline directly from C code
49e67636077d x86/decompressor: Only call the trampoline when changing
paging levels
a4b6bdff1065 x86/decompressor: Pass pgtable address to trampoline directly
fe802898e7a4 x86/decompressor: Merge trampoline cleanup with switching code
bd1fd32fdce1 x86/efistub: Perform 4/5 level paging switch from the stub
a0bfe7904515 x86/decompressor: Move global symbol references to C code
a0731d919a4b x86/decompressor: Factor out kernel decompression and relocation
402e20d21f65 x86/efistub: Prefer EFI memory attributes protocol over
DXE services
4eda5ae9b321 efi: libstub: use EFI_LOADER_CODE region when moving the
kernel in memory
e09c5817b3bb efi/libstub: Add limit argument to efi_random_alloc()
b31fdf98b3c0 x86/efistub: Perform SNP feature test while running in the firmware
03c9bd02cbc8 x86/efistub: Avoid legacy decompressor when doing EFI boot

[0] https://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git/log/?h=x86-efi-peheader-backport

Re: x86 efistub stable backports for v6.6

[Greg KH]

On Thu, Feb 15, 2024 at 10:41:57AM +0100, Ard Biesheuvel wrote:
> On Thu, 15 Feb 2024 at 10:27, Greg KH <gregkh@linuxfoundation.org> wrote:
> >
> > On Thu, Feb 15, 2024 at 10:17:20AM +0100, Ard Biesheuvel wrote:
> > > (cc stakeholders from various distros - apologies if I missed anyone)
> > >
> > > Please consider the patches below for backporting to the linux-6.6.y
> > > stable tree.
> > >
> > > These are prerequisites for building a signed x86 efistub kernel image
> > > that complies with the tightened UEFI boot requirements imposed by
> > > MicroSoft, and this is the condition under which it is willing to sign
> > > future Linux secure boot shim builds with its 3rd party CA
> > > certificate. (Such builds must enforce a strict separation between
> > > executable and writable code, among other things)
> > >
> > > The patches apply cleanly onto 6.6.17 (-rc2), resulting in a defconfig
> > > build that boots as expected under OVMF/KVM.
> > >
> > > 5f51c5d0e905 x86/efi: Drop EFI stub .bss from .data section
> > > 7e50262229fa x86/efi: Disregard setup header of loaded image
> > > bfab35f552ab x86/efi: Drop alignment flags from PE section headers
> > > 768171d7ebbc x86/boot: Remove the 'bugger off' message
> > > 8eace5b35556 x86/boot: Omit compression buffer from PE/COFF image
> > > memory footprint
> > > 7448e8e5d15a x86/boot: Drop redundant code setting the root device
> > > b618d31f112b x86/boot: Drop references to startup_64
> > > 2e765c02dcbf x86/boot: Grab kernel_info offset from zoffset header directly
> > > eac956345f99 x86/boot: Set EFI handover offset directly in header asm
> > > 093ab258e3fb x86/boot: Define setup size in linker script
> > > aeb92067f6ae x86/boot: Derive file size from _edata symbol
> > > efa089e63b56 x86/boot: Construct PE/COFF .text section from assembler
> > > fa5750521e0a x86/boot: Drop PE/COFF .reloc section
> > > 34951f3c28bd x86/boot: Split off PE/COFF .data section
> > > 3e3eabe26dc8 x86/boot: Increase section and file alignment to 4k/512
> > >
> > > 1ad55cecf22f x86/efistub: Use 1:1 file:memory mapping for PE/COFF
> > > .compat section
> >
> > Is the list here the order in which they should be applied in?
> >
> 
> Yes. These are all from v6.7 except the last one, but that has been
> queued for v6.7 already.
> 
> > And is this not an issue for 6.1.y as well?
> >
> 
> It is, but there are many more changes that would need to go into v6.1:
> 
>  Documentation/x86/boot.rst                     |   2 +-
>  arch/x86/Kconfig                               |  17 +
>  arch/x86/boot/Makefile                         |   2 +-
>  arch/x86/boot/compressed/Makefile              |  13 +-
>  arch/x86/boot/compressed/efi_mixed.S           | 328 ++++++++++++++
>  arch/x86/boot/compressed/efi_thunk_64.S        | 195 --------
>  arch/x86/boot/compressed/head_32.S             |  38 +-
>  arch/x86/boot/compressed/head_64.S             | 593 +++++--------------------
>  arch/x86/boot/compressed/mem_encrypt.S         | 152 ++++++-
>  arch/x86/boot/compressed/misc.c                |  61 ++-
>  arch/x86/boot/compressed/misc.h                |   2 -
>  arch/x86/boot/compressed/pgtable.h             |  10 +-
>  arch/x86/boot/compressed/pgtable_64.c          |  87 ++--
>  arch/x86/boot/compressed/sev.c                 | 112 +++--
>  arch/x86/boot/compressed/vmlinux.lds.S         |   6 +-
>  arch/x86/boot/header.S                         | 215 ++++-----
>  arch/x86/boot/setup.ld                         |  14 +-
>  arch/x86/boot/tools/build.c                    | 271 +----------
>  arch/x86/include/asm/boot.h                    |   8 +
>  arch/x86/include/asm/efi.h                     |  14 +-
>  arch/x86/include/asm/sev.h                     |   7 +
>  drivers/firmware/efi/libstub/Makefile          |   8 +-
>  drivers/firmware/efi/libstub/alignedmem.c      |   5 +-
>  drivers/firmware/efi/libstub/arm64-stub.c      |   6 +-
>  drivers/firmware/efi/libstub/efi-stub-helper.c |   2 +
>  drivers/firmware/efi/libstub/efistub.h         |  28 +-
>  drivers/firmware/efi/libstub/mem.c             |   3 +-
>  drivers/firmware/efi/libstub/randomalloc.c     |  13 +-
>  drivers/firmware/efi/libstub/x86-5lvl.c        |  95 ++++
>  drivers/firmware/efi/libstub/x86-stub.c        | 327 +++++++-------
>  drivers/firmware/efi/libstub/x86-stub.h        |  17 +
>  include/linux/efi.h                            |   1 +
>  32 files changed, 1204 insertions(+), 1448 deletions(-)
> 
> (Note: the commit hashes below are bogus, they are from my tree [0])
> 
> If you're happy to take these too, I can give you the proper list, but
> perhaps we should deal with v6.6 first?

Yeah, let's deal with 6.6 first :)

What distros are going to need/want this for 6.1.y?  Will normal users
care as this is only for a new requirement by Microsoft, not for older
releases, right?

thanks,

greg k-h

Re: x86 efistub stable backports for v6.6

[Ard Biesheuvel]

On Thu, 15 Feb 2024 at 12:12, Greg KH <gregkh@linuxfoundation.org> wrote:
>
> On Thu, Feb 15, 2024 at 10:41:57AM +0100, Ard Biesheuvel wrote:
> > On Thu, 15 Feb 2024 at 10:27, Greg KH <gregkh@linuxfoundation.org> wrote:
> > >
> > > On Thu, Feb 15, 2024 at 10:17:20AM +0100, Ard Biesheuvel wrote:
> > > > (cc stakeholders from various distros - apologies if I missed anyone)
> > > >
> > > > Please consider the patches below for backporting to the linux-6.6.y
> > > > stable tree.
> > > >
> > > > These are prerequisites for building a signed x86 efistub kernel image
> > > > that complies with the tightened UEFI boot requirements imposed by
> > > > MicroSoft, and this is the condition under which it is willing to sign
> > > > future Linux secure boot shim builds with its 3rd party CA
> > > > certificate. (Such builds must enforce a strict separation between
> > > > executable and writable code, among other things)
> > > >
...
> > > And is this not an issue for 6.1.y as well?
> > >
> >
> > It is, but there are many more changes that would need to go into v6.1:
> >
> >  Documentation/x86/boot.rst                     |   2 +-
> >  arch/x86/Kconfig                               |  17 +
> >  arch/x86/boot/Makefile                         |   2 +-
> >  arch/x86/boot/compressed/Makefile              |  13 +-
> >  arch/x86/boot/compressed/efi_mixed.S           | 328 ++++++++++++++
> >  arch/x86/boot/compressed/efi_thunk_64.S        | 195 --------
> >  arch/x86/boot/compressed/head_32.S             |  38 +-
> >  arch/x86/boot/compressed/head_64.S             | 593 +++++--------------------
> >  arch/x86/boot/compressed/mem_encrypt.S         | 152 ++++++-
> >  arch/x86/boot/compressed/misc.c                |  61 ++-
> >  arch/x86/boot/compressed/misc.h                |   2 -
> >  arch/x86/boot/compressed/pgtable.h             |  10 +-
> >  arch/x86/boot/compressed/pgtable_64.c          |  87 ++--
> >  arch/x86/boot/compressed/sev.c                 | 112 +++--
> >  arch/x86/boot/compressed/vmlinux.lds.S         |   6 +-
> >  arch/x86/boot/header.S                         | 215 ++++-----
> >  arch/x86/boot/setup.ld                         |  14 +-
> >  arch/x86/boot/tools/build.c                    | 271 +----------
> >  arch/x86/include/asm/boot.h                    |   8 +
> >  arch/x86/include/asm/efi.h                     |  14 +-
> >  arch/x86/include/asm/sev.h                     |   7 +
> >  drivers/firmware/efi/libstub/Makefile          |   8 +-
> >  drivers/firmware/efi/libstub/alignedmem.c      |   5 +-
> >  drivers/firmware/efi/libstub/arm64-stub.c      |   6 +-
> >  drivers/firmware/efi/libstub/efi-stub-helper.c |   2 +
> >  drivers/firmware/efi/libstub/efistub.h         |  28 +-
> >  drivers/firmware/efi/libstub/mem.c             |   3 +-
> >  drivers/firmware/efi/libstub/randomalloc.c     |  13 +-
> >  drivers/firmware/efi/libstub/x86-5lvl.c        |  95 ++++
> >  drivers/firmware/efi/libstub/x86-stub.c        | 327 +++++++-------
> >  drivers/firmware/efi/libstub/x86-stub.h        |  17 +
> >  include/linux/efi.h                            |   1 +
> >  32 files changed, 1204 insertions(+), 1448 deletions(-)
> >
...
> > If you're happy to take these too, I can give you the proper list, but
> > perhaps we should deal with v6.6 first?
>
> Yeah, let's deal with 6.6 first :)
>
> What distros are going to need/want this for 6.1.y?  Will normal users
> care as this is only for a new requirement by Microsoft, not for older
> releases, right?
>

I will let the distro folks on cc answer this one.

Re: x86 efistub stable backports for v6.6

[xnox]

Ard Biesheuvel <ardb@kernel.org> writes:

> On Thu, 15 Feb 2024 at 12:12, Greg KH <gregkh@linuxfoundation.org> wrote:
>>
>> On Thu, Feb 15, 2024 at 10:41:57AM +0100, Ard Biesheuvel wrote:
>> > On Thu, 15 Feb 2024 at 10:27, Greg KH <gregkh@linuxfoundation.org> wrote:
>> > >
>> > > On Thu, Feb 15, 2024 at 10:17:20AM +0100, Ard Biesheuvel wrote:
>> > > > (cc stakeholders from various distros - apologies if I missed anyone)
>> > > >
>> > > > Please consider the patches below for backporting to the linux-6.6.y
>> > > > stable tree.
>> > > >
>> > > > These are prerequisites for building a signed x86 efistub kernel image
>> > > > that complies with the tightened UEFI boot requirements imposed by
>> > > > MicroSoft, and this is the condition under which it is willing to sign
>> > > > future Linux secure boot shim builds with its 3rd party CA
>> > > > certificate. (Such builds must enforce a strict separation between
>> > > > executable and writable code, among other things)
>> > > >
> ...
>> > > And is this not an issue for 6.1.y as well?
>> > >
>> >
>> > It is, but there are many more changes that would need to go into v6.1:
>> >
>> >  Documentation/x86/boot.rst                     |   2 +-
>> >  arch/x86/Kconfig                               |  17 +
>> >  arch/x86/boot/Makefile                         |   2 +-
>> >  arch/x86/boot/compressed/Makefile              |  13 +-
>> >  arch/x86/boot/compressed/efi_mixed.S           | 328 ++++++++++++++
>> >  arch/x86/boot/compressed/efi_thunk_64.S        | 195 --------
>> >  arch/x86/boot/compressed/head_32.S             |  38 +-
>> >  arch/x86/boot/compressed/head_64.S             | 593 +++++--------------------
>> >  arch/x86/boot/compressed/mem_encrypt.S         | 152 ++++++-
>> >  arch/x86/boot/compressed/misc.c                |  61 ++-
>> >  arch/x86/boot/compressed/misc.h                |   2 -
>> >  arch/x86/boot/compressed/pgtable.h             |  10 +-
>> >  arch/x86/boot/compressed/pgtable_64.c          |  87 ++--
>> >  arch/x86/boot/compressed/sev.c                 | 112 +++--
>> >  arch/x86/boot/compressed/vmlinux.lds.S         |   6 +-
>> >  arch/x86/boot/header.S                         | 215 ++++-----
>> >  arch/x86/boot/setup.ld                         |  14 +-
>> >  arch/x86/boot/tools/build.c                    | 271 +----------
>> >  arch/x86/include/asm/boot.h                    |   8 +
>> >  arch/x86/include/asm/efi.h                     |  14 +-
>> >  arch/x86/include/asm/sev.h                     |   7 +
>> >  drivers/firmware/efi/libstub/Makefile          |   8 +-
>> >  drivers/firmware/efi/libstub/alignedmem.c      |   5 +-
>> >  drivers/firmware/efi/libstub/arm64-stub.c      |   6 +-
>> >  drivers/firmware/efi/libstub/efi-stub-helper.c |   2 +
>> >  drivers/firmware/efi/libstub/efistub.h         |  28 +-
>> >  drivers/firmware/efi/libstub/mem.c             |   3 +-
>> >  drivers/firmware/efi/libstub/randomalloc.c     |  13 +-
>> >  drivers/firmware/efi/libstub/x86-5lvl.c        |  95 ++++
>> >  drivers/firmware/efi/libstub/x86-stub.c        | 327 +++++++-------
>> >  drivers/firmware/efi/libstub/x86-stub.h        |  17 +
>> >  include/linux/efi.h                            |   1 +
>> >  32 files changed, 1204 insertions(+), 1448 deletions(-)
>> >
> ...
>> > If you're happy to take these too, I can give you the proper list, but
>> > perhaps we should deal with v6.6 first?
>>
>> Yeah, let's deal with 6.6 first :)
>>
>> What distros are going to need/want this for 6.1.y?  Will normal users
>> care as this is only for a new requirement by Microsoft, not for older
>> releases, right?
>>
>
> I will let the distro folks on cc answer this one.

Canonical will want to backport this at least as far back as v4.15 for
Ubuntu and Ubuntu Pro. So yeah, as far back as possible will be
apperiated by everybody involved. Since if/when firmware (VMs or
Hardware) starts to require NX compat, it will be desired to have all
stable supported kernels with this support built-in.

Regards,

Dimitri.

Re: x86 efistub stable backports for v6.6

[Ard Biesheuvel]

On Tue, 20 Feb 2024 at 02:03, xnox <dimitri.ledkov@canonical.com> wrote:
>
> Ard Biesheuvel <ardb@kernel.org> writes:
>
> > On Thu, 15 Feb 2024 at 12:12, Greg KH <gregkh@linuxfoundation.org> wrote:
> >>
> >> On Thu, Feb 15, 2024 at 10:41:57AM +0100, Ard Biesheuvel wrote:
> >> > On Thu, 15 Feb 2024 at 10:27, Greg KH <gregkh@linuxfoundation.org> wrote:
> >> > >
> >> > > On Thu, Feb 15, 2024 at 10:17:20AM +0100, Ard Biesheuvel wrote:
> >> > > > (cc stakeholders from various distros - apologies if I missed anyone)
> >> > > >
> >> > > > Please consider the patches below for backporting to the linux-6.6.y
> >> > > > stable tree.
> >> > > >
> >> > > > These are prerequisites for building a signed x86 efistub kernel image
> >> > > > that complies with the tightened UEFI boot requirements imposed by
> >> > > > MicroSoft, and this is the condition under which it is willing to sign
> >> > > > future Linux secure boot shim builds with its 3rd party CA
> >> > > > certificate. (Such builds must enforce a strict separation between
> >> > > > executable and writable code, among other things)
> >> > > >
> > ...
> >> > > And is this not an issue for 6.1.y as well?
> >> > >
> >> >
> >> > It is, but there are many more changes that would need to go into v6.1:
> >> >
...
> >> >  32 files changed, 1204 insertions(+), 1448 deletions(-)
> >> >
> > ...
> >> > If you're happy to take these too, I can give you the proper list, but
> >> > perhaps we should deal with v6.6 first?
> >>
> >> Yeah, let's deal with 6.6 first :)
> >>
> >> What distros are going to need/want this for 6.1.y?  Will normal users
> >> care as this is only for a new requirement by Microsoft, not for older
> >> releases, right?
> >>
> >
> > I will let the distro folks on cc answer this one.
>
> Canonical will want to backport this at least as far back as v4.15 for
> Ubuntu and Ubuntu Pro. So yeah, as far back as possible will be
> apperiated by everybody involved. Since if/when firmware (VMs or
> Hardware) starts to require NX compat, it will be desired to have all
> stable supported kernels with this support built-in.
>

Thanks for the data point, and good luck with backporting this to
v4.15 or earlier. If it helps, I have a branch that backports
LoadFile2 initrd loading support to v5.4 (below), which you will need
to backport first. Going further back than v5.4 is going to be very
messy IMHO.

https://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git/log/?h=efi-lf2-backport-x86

Re: x86 efistub stable backports for v6.6

[Dimitri John Ledkov]

On Tue, 20 Feb 2024 at 08:37, Ard Biesheuvel <ardb@kernel.org> wrote:
>
> On Tue, 20 Feb 2024 at 02:03, xnox <dimitri.ledkov@canonical.com> wrote:
> >
> > Ard Biesheuvel <ardb@kernel.org> writes:
> >
> > > On Thu, 15 Feb 2024 at 12:12, Greg KH <gregkh@linuxfoundation.org> wrote:
> > >>
> > >> On Thu, Feb 15, 2024 at 10:41:57AM +0100, Ard Biesheuvel wrote:
> > >> > On Thu, 15 Feb 2024 at 10:27, Greg KH <gregkh@linuxfoundation.org> wrote:
> > >> > >
> > >> > > On Thu, Feb 15, 2024 at 10:17:20AM +0100, Ard Biesheuvel wrote:
> > >> > > > (cc stakeholders from various distros - apologies if I missed anyone)
> > >> > > >
> > >> > > > Please consider the patches below for backporting to the linux-6.6.y
> > >> > > > stable tree.
> > >> > > >
> > >> > > > These are prerequisites for building a signed x86 efistub kernel image
> > >> > > > that complies with the tightened UEFI boot requirements imposed by
> > >> > > > MicroSoft, and this is the condition under which it is willing to sign
> > >> > > > future Linux secure boot shim builds with its 3rd party CA
> > >> > > > certificate. (Such builds must enforce a strict separation between
> > >> > > > executable and writable code, among other things)
> > >> > > >
> > > ...
> > >> > > And is this not an issue for 6.1.y as well?
> > >> > >
> > >> >
> > >> > It is, but there are many more changes that would need to go into v6.1:
> > >> >
> ...
> > >> >  32 files changed, 1204 insertions(+), 1448 deletions(-)
> > >> >
> > > ...
> > >> > If you're happy to take these too, I can give you the proper list, but
> > >> > perhaps we should deal with v6.6 first?
> > >>
> > >> Yeah, let's deal with 6.6 first :)
> > >>
> > >> What distros are going to need/want this for 6.1.y?  Will normal users
> > >> care as this is only for a new requirement by Microsoft, not for older
> > >> releases, right?
> > >>
> > >
> > > I will let the distro folks on cc answer this one.
> >
> > Canonical will want to backport this at least as far back as v4.15 for
> > Ubuntu and Ubuntu Pro. So yeah, as far back as possible will be
> > apperiated by everybody involved. Since if/when firmware (VMs or
> > Hardware) starts to require NX compat, it will be desired to have all
> > stable supported kernels with this support built-in.
> >
>
> Thanks for the data point, and good luck with backporting this to
> v4.15 or earlier. If it helps, I have a branch that backports
> LoadFile2 initrd loading support to v5.4 (below), which you will need
> to backport first. Going further back than v5.4 is going to be very
> messy IMHO.
>
> https://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git/log/?h=efi-lf2-backport-x86

Yeah, we are not yet sure how far back we will actually manage to get
to. And things will need to move one series/generation at the time. As
other pieces need to land too.
And yes, the above repo is helpful.

-- 
Dimitri

Sent from Ubuntu Pro
https://ubuntu.com/pro

Re: x86 efistub stable backports for v6.6

[Greg KH]

On Thu, Feb 15, 2024 at 10:17:20AM +0100, Ard Biesheuvel wrote:
> (cc stakeholders from various distros - apologies if I missed anyone)
> 
> Please consider the patches below for backporting to the linux-6.6.y
> stable tree.
> 
> These are prerequisites for building a signed x86 efistub kernel image
> that complies with the tightened UEFI boot requirements imposed by
> MicroSoft, and this is the condition under which it is willing to sign
> future Linux secure boot shim builds with its 3rd party CA
> certificate. (Such builds must enforce a strict separation between
> executable and writable code, among other things)
> 
> The patches apply cleanly onto 6.6.17 (-rc2), resulting in a defconfig
> build that boots as expected under OVMF/KVM.
> 
> 5f51c5d0e905 x86/efi: Drop EFI stub .bss from .data section
> 7e50262229fa x86/efi: Disregard setup header of loaded image
> bfab35f552ab x86/efi: Drop alignment flags from PE section headers
> 768171d7ebbc x86/boot: Remove the 'bugger off' message
> 8eace5b35556 x86/boot: Omit compression buffer from PE/COFF image
> memory footprint
> 7448e8e5d15a x86/boot: Drop redundant code setting the root device
> b618d31f112b x86/boot: Drop references to startup_64
> 2e765c02dcbf x86/boot: Grab kernel_info offset from zoffset header directly
> eac956345f99 x86/boot: Set EFI handover offset directly in header asm
> 093ab258e3fb x86/boot: Define setup size in linker script
> aeb92067f6ae x86/boot: Derive file size from _edata symbol
> efa089e63b56 x86/boot: Construct PE/COFF .text section from assembler
> fa5750521e0a x86/boot: Drop PE/COFF .reloc section
> 34951f3c28bd x86/boot: Split off PE/COFF .data section
> 3e3eabe26dc8 x86/boot: Increase section and file alignment to 4k/512
> 
> 1ad55cecf22f x86/efistub: Use 1:1 file:memory mapping for PE/COFF
> .compat section

All now queued up, thanks!

greg k-h