All of lore.kernel.org
 help / color / mirror / Atom feed
From: Alexander Graf <agraf@suse.de>
To: grub-devel@gnu.org
Cc: Daniel Kiper <dkiper@net-space.pl>,
	Leif Lindholm <leif.lindholm@linaro.org>,
	Peter Jones <pjones@redhat.com>, Jon Masters <jcm@redhat.com>
Subject: [PATCH v5 2/3] mkimage: Align efi sections on 4k boundary
Date: Fri, 25 Jan 2019 12:45:15 +0100	[thread overview]
Message-ID: <20190125114516.12127-3-agraf@suse.de> (raw)
In-Reply-To: <20190125114516.12127-1-agraf@suse.de>

There is UEFI firmware popping up in the wild now that implements stricter
permission checks using NX and write protect page table entry bits.

This means that firmware now may fail to load binaries if its individual
sections are not page aligned, as otherwise it can not ensure permission
boundaries.

So let's bump all efi section alignments up to 4k (EFI page size). That way
we will stay compatible going forward.

Unfortunately our internals can't deal very well with a mismatch of alignment
between the virtual and file offsets, so we have to also pad our target
binary a bit.

Signed-off-by: Alexander Graf <agraf@suse.de>

---

v4 -> v5:

  - Use GRUB_EFI_PAGE_SIZE
  - Add include to have above const defined
---
 include/grub/efi/pe32.h | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/include/grub/efi/pe32.h b/include/grub/efi/pe32.h
index 7d44732d2..fe8a85ce6 100644
--- a/include/grub/efi/pe32.h
+++ b/include/grub/efi/pe32.h
@@ -20,6 +20,7 @@
 #define GRUB_EFI_PE32_HEADER	1
 
 #include <grub/types.h>
+#include <grub/efi/memory.h>
 
 /* The MSDOS compatibility stub. This was copied from the output of
    objcopy, and it is not necessary to care about what this means.  */
@@ -50,8 +51,13 @@
 /* According to the spec, the minimal alignment is 512 bytes...
    But some examples (such as EFI drivers in the Intel
    Sample Implementation) use 32 bytes (0x20) instead, and it seems
-   to be working. For now, GRUB uses 512 bytes for safety.  */
-#define GRUB_PE32_SECTION_ALIGNMENT	0x200
+   to be working.
+
+   However, there is firmware showing up in the field now with
+   page alignment constraints to guarantee that page protection
+   bits take effect. Because we can not easily distinguish between
+   in-memory and in-file layout, let's bump all alignment to 4k. */
+#define GRUB_PE32_SECTION_ALIGNMENT	GRUB_EFI_PAGE_SIZE
 #define GRUB_PE32_FILE_ALIGNMENT	GRUB_PE32_SECTION_ALIGNMENT
 
 struct grub_pe32_coff_header
-- 
2.12.3



  parent reply	other threads:[~2019-01-25 11:49 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-01-25 11:45 [PATCH v5 0/3] arm64: Support HP Envy X2 Alexander Graf
2019-01-25 11:45 ` [PATCH v5 1/3] mkimage: Use EFI32_HEADER_SIZE define in arm-efi case Alexander Graf
2019-01-28 12:18   ` Daniel Kiper
2019-01-25 11:45 ` Alexander Graf [this message]
2019-01-28 12:22   ` [PATCH v5 2/3] mkimage: Align efi sections on 4k boundary Daniel Kiper
2019-01-28 12:33     ` Alexander Graf
2019-01-28 13:03       ` Daniel Kiper
2019-01-25 11:45 ` [PATCH v5 3/3] mkimage: Clarify file alignment in efi case Alexander Graf
2019-01-28 12:27   ` Daniel Kiper
2019-01-28 12:34     ` Alexander Graf
2019-01-28 13:17       ` Daniel Kiper

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190125114516.12127-3-agraf@suse.de \
    --to=agraf@suse.de \
    --cc=dkiper@net-space.pl \
    --cc=grub-devel@gnu.org \
    --cc=jcm@redhat.com \
    --cc=leif.lindholm@linaro.org \
    --cc=pjones@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.