From: Ard Biesheuvel <ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
To: linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org,
linux-I+IVW8TIWO2tmTQ+vhA3Yw@public.gmane.org
Cc: matt-mF/unelCI9GS6iBeEJttW/XRex20P6io@public.gmane.org,
leif.lindholm-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org,
Ard Biesheuvel
<ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
Subject: [PATCH v2 0/7] ARM: efi: PE/COFF cleanup/hardening
Date: Thu, 29 Jun 2017 08:18:42 +0000 [thread overview]
Message-ID: <20170629081849.15081-1-ard.biesheuvel@linaro.org> (raw)
This is the ARM counterpart of the changes now in v4.12 to clean up
the PE/COFF header (which makes the kernel zImage loadable directly from
UEFI), and to enhance it with hardening and debug features.
Russell: patches #4 - #7 need your ack before I can take them via the EFI
tree. Please let me know if you have any objections, either to the patches
themselves, or to them going via another tree. Thanks.
v1 blurb:
First of all, the cleanup consists of making the header comply with the
PE/COFF spec (#1), removing the .reloc section (#2) and replacing all
open coded constants with #defines from linux/pe.h (#3)
Patch #4 is a standalone patch that removes ksymtab/kcrctab sections that
may get pulled in inadvertently when the decompressor is built with EFI
support. Note that these sections are tiny and harmless by themselves, but
the linker may dump them in unexpected places if they are not placed
explicitly, which may interfere with the image layout. This is especially
important when signing zImages for UEFI secure boot.
Patch #5 changes the description of the decompressor in memory, so that the
UEFI firmware can apply strict ro/nx protections, resulting in a more secure
execution environment for the UEFI stub.
Patch #6 splits the decompressor .start and .text output sections, so that
the ELF view aligns with the PE/COFF view of the binary. This is necessary
for patch #7 to work as expected.
Patch #7 enhances the decompressor binary with a NB10 Codeview debug entry
referring to the path to arch/arm/boot/compressed/vmlinux on the build host.
This is a debug feature that allows seamless source level single step debugging
of the UEFI stub while executing in the context of the firmware.
v2: - rebase onto v4.12-rc7+
- simplify #3
Ard Biesheuvel (7):
arm: efi: remove forbidden values from the PE/COFF header
arm: efi: remove pointless dummy .reloc section
arm: efi: replace open coded constants with symbolic ones
arm: compressed: discard ksymtab/kcrctab sections
arm: efi: split zImage code and data into separate PE/COFF sections
arm: compressed: put zImage header and EFI header in dedicated section
arm: efi: add PE/COFF debug table to EFI header
arch/arm/boot/compressed/Makefile | 4 +
arch/arm/boot/compressed/efi-header.S | 214 ++++++++++++--------
arch/arm/boot/compressed/vmlinux.lds.S | 39 +++-
3 files changed, 168 insertions(+), 89 deletions(-)
--
2.9.3
WARNING: multiple messages have this Message-ID (diff)
From: ard.biesheuvel@linaro.org (Ard Biesheuvel)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH v2 0/7] ARM: efi: PE/COFF cleanup/hardening
Date: Thu, 29 Jun 2017 08:18:42 +0000 [thread overview]
Message-ID: <20170629081849.15081-1-ard.biesheuvel@linaro.org> (raw)
This is the ARM counterpart of the changes now in v4.12 to clean up
the PE/COFF header (which makes the kernel zImage loadable directly from
UEFI), and to enhance it with hardening and debug features.
Russell: patches #4 - #7 need your ack before I can take them via the EFI
tree. Please let me know if you have any objections, either to the patches
themselves, or to them going via another tree. Thanks.
v1 blurb:
First of all, the cleanup consists of making the header comply with the
PE/COFF spec (#1), removing the .reloc section (#2) and replacing all
open coded constants with #defines from linux/pe.h (#3)
Patch #4 is a standalone patch that removes ksymtab/kcrctab sections that
may get pulled in inadvertently when the decompressor is built with EFI
support. Note that these sections are tiny and harmless by themselves, but
the linker may dump them in unexpected places if they are not placed
explicitly, which may interfere with the image layout. This is especially
important when signing zImages for UEFI secure boot.
Patch #5 changes the description of the decompressor in memory, so that the
UEFI firmware can apply strict ro/nx protections, resulting in a more secure
execution environment for the UEFI stub.
Patch #6 splits the decompressor .start and .text output sections, so that
the ELF view aligns with the PE/COFF view of the binary. This is necessary
for patch #7 to work as expected.
Patch #7 enhances the decompressor binary with a NB10 Codeview debug entry
referring to the path to arch/arm/boot/compressed/vmlinux on the build host.
This is a debug feature that allows seamless source level single step debugging
of the UEFI stub while executing in the context of the firmware.
v2: - rebase onto v4.12-rc7+
- simplify #3
Ard Biesheuvel (7):
arm: efi: remove forbidden values from the PE/COFF header
arm: efi: remove pointless dummy .reloc section
arm: efi: replace open coded constants with symbolic ones
arm: compressed: discard ksymtab/kcrctab sections
arm: efi: split zImage code and data into separate PE/COFF sections
arm: compressed: put zImage header and EFI header in dedicated section
arm: efi: add PE/COFF debug table to EFI header
arch/arm/boot/compressed/Makefile | 4 +
arch/arm/boot/compressed/efi-header.S | 214 ++++++++++++--------
arch/arm/boot/compressed/vmlinux.lds.S | 39 +++-
3 files changed, 168 insertions(+), 89 deletions(-)
--
2.9.3
next reply other threads:[~2017-06-29 8:18 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-29 8:18 Ard Biesheuvel [this message]
2017-06-29 8:18 ` [PATCH v2 0/7] ARM: efi: PE/COFF cleanup/hardening Ard Biesheuvel
[not found] ` <20170629081849.15081-1-ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
2017-06-29 8:18 ` [PATCH v2 1/7] arm: efi: remove forbidden values from the PE/COFF header Ard Biesheuvel
2017-06-29 8:18 ` Ard Biesheuvel
2017-06-29 8:18 ` [PATCH v2 2/7] arm: efi: remove pointless dummy .reloc section Ard Biesheuvel
2017-06-29 8:18 ` Ard Biesheuvel
2017-06-29 8:18 ` [PATCH v2 3/7] arm: efi: replace open coded constants with symbolic ones Ard Biesheuvel
2017-06-29 8:18 ` Ard Biesheuvel
2017-06-29 8:18 ` [PATCH v2 4/7] arm: compressed: discard ksymtab/kcrctab sections Ard Biesheuvel
2017-06-29 8:18 ` Ard Biesheuvel
2017-06-29 8:18 ` [PATCH v2 5/7] arm: efi: split zImage code and data into separate PE/COFF sections Ard Biesheuvel
2017-06-29 8:18 ` Ard Biesheuvel
[not found] ` <20170629081849.15081-6-ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
2017-09-08 13:50 ` Gregory CLEMENT
2017-09-08 13:50 ` Gregory CLEMENT
[not found] ` <87r2vhs3il.fsf-wi1+55ScJUtKEb57/3fJTNBPR1lH4CV8@public.gmane.org>
2017-09-08 13:54 ` Ard Biesheuvel
2017-09-08 13:54 ` Ard Biesheuvel
[not found] ` <CAKv+Gu9DVRE6jGEvdkfWwaJDhmTeaF2-CMi=JdFx3GS2Qqdy3A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-09-08 14:28 ` Ard Biesheuvel
2017-09-08 14:28 ` Ard Biesheuvel
[not found] ` <CAKv+Gu9UF7-Dyjijvbc97yEF6zehQMyjOcV=RxFEJkNEebakUw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-09-08 14:33 ` Gregory CLEMENT
2017-09-08 14:33 ` Gregory CLEMENT
[not found] ` <87mv65s1iu.fsf-wi1+55ScJUtKEb57/3fJTNBPR1lH4CV8@public.gmane.org>
2017-09-08 14:48 ` Ard Biesheuvel
2017-09-08 14:48 ` Ard Biesheuvel
[not found] ` <CAKv+Gu8e49ZmB6X=H2vE_dw1HA3CyOq0GN7cZOYJ+JpkTftGWA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-09-08 14:56 ` Gregory CLEMENT
2017-09-08 14:56 ` Gregory CLEMENT
[not found] ` <87efrhs0gj.fsf-wi1+55ScJUtKEb57/3fJTNBPR1lH4CV8@public.gmane.org>
2017-09-08 14:57 ` Ard Biesheuvel
2017-09-08 14:57 ` Ard Biesheuvel
[not found] ` <CAKv+Gu8Aa7Y8SK2nJM2DXZzHbzZT6aq2Rt1wsgaLwz7_C3otJA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-09-08 15:11 ` Ard Biesheuvel
2017-09-08 15:11 ` Ard Biesheuvel
[not found] ` <CAKv+Gu8hcT=_1iF4gaS==uGQWAb9-i0Y=XJ-MqgfQQyn1RmGtQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-09-08 15:17 ` Gregory CLEMENT
2017-09-08 15:17 ` Gregory CLEMENT
[not found] ` <87a825rzio.fsf-wi1+55ScJUtKEb57/3fJTNBPR1lH4CV8@public.gmane.org>
2017-09-08 15:18 ` Ard Biesheuvel
2017-09-08 15:18 ` Ard Biesheuvel
2017-06-29 8:18 ` [PATCH v2 6/7] arm: compressed: put zImage header and EFI header in dedicated section Ard Biesheuvel
2017-06-29 8:18 ` Ard Biesheuvel
2017-06-29 8:18 ` [PATCH v2 7/7] arm: efi: add PE/COFF debug table to EFI header Ard Biesheuvel
2017-06-29 8:18 ` Ard Biesheuvel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170629081849.15081-1-ard.biesheuvel@linaro.org \
--to=ard.biesheuvel-qsej5fyqhm4dnm+yrofe0a@public.gmane.org \
--cc=leif.lindholm-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org \
--cc=linux-I+IVW8TIWO2tmTQ+vhA3Yw@public.gmane.org \
--cc=linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org \
--cc=linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=matt-mF/unelCI9GS6iBeEJttW/XRex20P6io@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.