From: Ard Biesheuvel <ardb@kernel.org>
To: Vitaly Kuznetsov <vkuznets@redhat.com>
Cc: x86@kernel.org, linux-efi@vger.kernel.org,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
"H. Peter Anvin" <hpa@zytor.com>,
Peter Jones <pjones@redhat.com>,
Daniel Berrange <berrange@redhat.com>,
Emanuele Giuseppe Esposito <eesposit@redhat.com>,
Gerd Hoffmann <kraxel@redhat.com>,
Greg KH <gregkh@linuxfoundation.org>,
Luca Boccassi <bluca@debian.org>,
Peter Zijlstra <peterz@infradead.org>,
Matthew Garrett <mjg59@srcf.ucam.org>,
James Bottomley <James.Bottomley@hansenpartnership.com>,
Eric Snowberg <eric.snowberg@oracle.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Paul Walmsley <paul.walmsley@sifive.com>,
Palmer Dabbelt <palmer@dabbelt.com>,
Albert Ou <aou@eecs.berkeley.edu>,
Alexandre Ghiti <alex@ghiti.fr>,
linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/2] x86/efi: Implement support for embedding SBAT data for x86
Date: Fri, 2 May 2025 15:59:41 +0200 [thread overview]
Message-ID: <CAMj1kXH00miQoZcPygSz+C5dWN0U2AhjTn+HfRki2smfMwjWEQ@mail.gmail.com> (raw)
In-Reply-To: <877c2z9lbw.fsf@redhat.com>
On Fri, 2 May 2025 at 15:46, Vitaly Kuznetsov <vkuznets@redhat.com> wrote:
>
> Ard Biesheuvel <ardb@kernel.org> writes:
>
> > On Fri, 2 May 2025 at 14:10, Vitaly Kuznetsov <vkuznets@redhat.com> wrote:
> >>
> >> Ard Biesheuvel <ardb@kernel.org> writes:
> >>
> >> > On Mon, 28 Apr 2025 at 12:59, Vitaly Kuznetsov <vkuznets@redhat.com> wrote:
> >> >>
> >> >> Ard Biesheuvel <ardb@kernel.org> writes:
> >> >>
> >> >> > On Thu, 24 Apr 2025 at 10:10, Vitaly Kuznetsov <vkuznets@redhat.com> wrote:
> >>
> >> ...
> >>
> >> >> >> $(obj)/vmlinux: $(vmlinux-objs-y) $(vmlinux-libs-y) FORCE
> >> >> >> $(call if_changed,ld)
> >> >> >>
> >> >> >> diff --git a/arch/x86/boot/compressed/vmlinux.lds.S b/arch/x86/boot/compressed/vmlinux.lds.S
> >> >> >> index 3b2bc61c9408..d0a27905de90 100644
> >> >> >> --- a/arch/x86/boot/compressed/vmlinux.lds.S
> >> >> >> +++ b/arch/x86/boot/compressed/vmlinux.lds.S
> >> >> >> @@ -49,9 +49,22 @@ SECTIONS
> >> >> >> *(.data.*)
> >> >> >>
> >> >> >> /* Add 4 bytes of extra space for the obsolete CRC-32 checksum */
> >> >> >> +#ifndef CONFIG_EFI_SBAT
> >> >> >> . = ALIGN(. + 4, 0x200);
> >> >> >> +#else
> >> >> >> + /* Avoid gap between '.data' and '.sbat' */
> >> >> >> + . = ALIGN(. + 4, 0x1000);
> >> >> >> +#endif
> >> >> >> _edata = . ;
> >> >> >> }
> >> >> >> +#ifdef CONFIG_EFI_SBAT
> >> >> >> + .sbat : ALIGN(0x1000) {
> >> >> >> + _sbat = . ;
> >> >> >> + *(.sbat)
> >> >> >> + _esbat = ALIGN(0x200);
> >> >> >> + . = _esbat;
> >> >> >> + }
> >> >> >> +#endif
> >> >> >> . = ALIGN(L1_CACHE_BYTES);
> >> >> >> .bss : {
> >> >> >> _bss = . ;
> >> >> >
> >> >> > This looks a bit odd - see below
> >> >> >
> >> >> >> diff --git a/arch/x86/boot/header.S b/arch/x86/boot/header.S
> >> >> >> index b5c79f43359b..ab851490ef74 100644
> >> >> >> --- a/arch/x86/boot/header.S
> >> >> >> +++ b/arch/x86/boot/header.S
> >> >> >> @@ -207,6 +207,19 @@ pecompat_fstart:
> >> >> >> IMAGE_SCN_MEM_READ | \
> >> >> >> IMAGE_SCN_MEM_WRITE # Characteristics
> >> >> >>
> >> >> >> +#ifdef CONFIG_EFI_SBAT
> >> >> >> + .ascii ".sbat\0\0\0"
> >> >> >> + .long ZO__esbat - ZO__sbat # VirtualSize
> >> >> >> + .long setup_size + ZO__sbat # VirtualAddress
> >> >> >> + .long ZO__esbat - ZO__sbat # SizeOfRawData
> >> >> >> + .long setup_size + ZO__sbat # PointerToRawData
> >> >> >> +
> >> >> >> + .long 0, 0, 0
> >> >> >> + .long IMAGE_SCN_CNT_INITIALIZED_DATA | \
> >> >> >> + IMAGE_SCN_MEM_READ | \
> >> >> >> + IMAGE_SCN_MEM_DISCARDABLE # Characteristics
> >> >> >> +#endif
> >> >> >> +
> >> >> >
> >> >> > This puts the .sbat section at the very end of the file. However, the
> >> >> > virtual size of .data is 'ZO__end - ZO__data' not 'ZO__edata -
> >> >> > ZO__data', and so the .sbat section will overlap with .bss in the
> >> >> > memory view of the image.
> >> >>
> >> >> Missed that, will fix, thanks! A stupid question though: does this
> >> >> matter in practice for SBAT? I don't think anyone needs SBAT data after
> >> >> kernel starts booting so we can consider it 'discarded'. BSS data can
> >> >> then do whatever it wants.
> >> >>
> >> >
> >> > It violates the PE/COFF spec, and some PE loaders and signing tools
> >> > are very pedantic about the layout.
> >>
> >> Turns out it the problem is slightly harder to address then I initially
> >> thought.
> >
> > Yeah I was afraid this was going to be tricky.
> >
> > ...
> >
> >> The problem is similar for zboot.
> >
> > How so?
> >
>
> zboot-header.S has:
>
> .ascii ".data\0\0\0"
> .long __data_size
> .long _etext - .Ldoshdr
> .long __data_rawsize
> .long _etext - .Ldoshdr
>
> where the difference between '__data_rawsize' and '__data_size' is:
>
> PROVIDE(__data_rawsize = ABSOLUTE(_edata - _etext));
> PROVIDE(__data_size = ABSOLUTE(_end - _etext));
>
> and "_end" is the end of BSS. So if we put '.sbat' right after '.data'
> then '.data' will cover it too (so we will get an overlap). If we put
> if after '.bss' then we're going to get a hole (size of '.bss') upon
> (aarch64 example):
>
> objcopy -O binary arch/arm64/boot/vmlinuz.efi.elf arch/arm64/boot/vmlinuz.efi
>
> as AFAIU it won't be able to squeeze the binary, it only truncates the
> tail throwing away secions without content (in particular, '.sbat').
>
Ah I misread your patch - I thought .sbat was between .text and .data,
which arguably makes more sense.
next prev parent reply other threads:[~2025-05-02 13:59 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-24 8:09 [PATCH 0/2] efi: Add a mechanism for embedding SBAT section Vitaly Kuznetsov
2025-04-24 8:09 ` [PATCH 1/2] efi/libstub: zboot specific " Vitaly Kuznetsov
2025-04-24 16:37 ` Ard Biesheuvel
2025-04-28 10:54 ` Vitaly Kuznetsov
2025-04-28 14:54 ` Ard Biesheuvel
2025-04-24 8:09 ` [PATCH 2/2] x86/efi: Implement support for embedding SBAT data for x86 Vitaly Kuznetsov
2025-04-25 6:03 ` Ard Biesheuvel
2025-04-28 10:59 ` Vitaly Kuznetsov
2025-04-28 15:16 ` Ard Biesheuvel
2025-05-02 12:09 ` Vitaly Kuznetsov
2025-05-02 13:01 ` Ard Biesheuvel
2025-05-02 13:46 ` Vitaly Kuznetsov
2025-05-02 13:59 ` Ard Biesheuvel [this message]
2025-04-29 9:55 ` Vitaly Kuznetsov
2025-04-29 10:08 ` Ard Biesheuvel
2025-04-29 10:24 ` Vitaly Kuznetsov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAMj1kXH00miQoZcPygSz+C5dWN0U2AhjTn+HfRki2smfMwjWEQ@mail.gmail.com \
--to=ardb@kernel.org \
--cc=James.Bottomley@hansenpartnership.com \
--cc=alex@ghiti.fr \
--cc=aou@eecs.berkeley.edu \
--cc=berrange@redhat.com \
--cc=bluca@debian.org \
--cc=dave.hansen@linux.intel.com \
--cc=eesposit@redhat.com \
--cc=eric.snowberg@oracle.com \
--cc=gregkh@linuxfoundation.org \
--cc=hpa@zytor.com \
--cc=kraxel@redhat.com \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=mingo@redhat.com \
--cc=mjg59@srcf.ucam.org \
--cc=palmer@dabbelt.com \
--cc=paul.walmsley@sifive.com \
--cc=pbonzini@redhat.com \
--cc=peterz@infradead.org \
--cc=pjones@redhat.com \
--cc=tglx@linutronix.de \
--cc=vkuznets@redhat.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).