* [PATCH 0/3] efi: arm64: Set NX compat flag where appropriate
@ 2023-03-10 12:50 ` Ard Biesheuvel
0 siblings, 0 replies; 8+ messages in thread
From: Ard Biesheuvel @ 2023-03-10 12:50 UTC (permalink / raw)
To: linux-efi
Cc: linux-arm-kernel, Ard Biesheuvel, Peter Jones, Gerd Hoffmann,
Ilias Apalodimas, Kees Cook
PE/COFF images that can tolerate running under a strict W^X policy when
it comes to firmware provided allocations should indicate so, by setting
the associated bit in the PE/COFF header.
Today, this makes little difference, but going forward, restricted
policies regarding secure boot and measured boot (e.g., MS Secured-core)
may refuse to run such images altogether.
Given that the zboot and arm64 EFI stub implementations do not rely on
firmware provided mappings being writable and executable at the same
time, let's set this bit.
Note that a change landed in v6.3 where we no longer tolerate this
unless we remap the relocated kernel code read-only/executable
explicitly (patch #2)
Cc: Peter Jones <pjones@redhat.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Cc: Kees Cook <keescook@chromium.org>
Ard Biesheuvel (3):
efi/libstub: zboot: Mark zboot EFI application as NX compatible
efi/libstub: arm64: Remap relocated image with strict permissions
arm64: efi: Set NX compat flag in PE/COFF header
arch/arm64/kernel/efi-header.S | 2 +-
drivers/firmware/efi/libstub/arm64-stub.c | 1 +
drivers/firmware/efi/libstub/zboot-header.S | 2 +-
3 files changed, 3 insertions(+), 2 deletions(-)
--
2.39.2
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH 0/3] efi: arm64: Set NX compat flag where appropriate
@ 2023-03-10 12:50 ` Ard Biesheuvel
0 siblings, 0 replies; 8+ messages in thread
From: Ard Biesheuvel @ 2023-03-10 12:50 UTC (permalink / raw)
To: linux-efi
Cc: linux-arm-kernel, Ard Biesheuvel, Peter Jones, Gerd Hoffmann,
Ilias Apalodimas, Kees Cook
PE/COFF images that can tolerate running under a strict W^X policy when
it comes to firmware provided allocations should indicate so, by setting
the associated bit in the PE/COFF header.
Today, this makes little difference, but going forward, restricted
policies regarding secure boot and measured boot (e.g., MS Secured-core)
may refuse to run such images altogether.
Given that the zboot and arm64 EFI stub implementations do not rely on
firmware provided mappings being writable and executable at the same
time, let's set this bit.
Note that a change landed in v6.3 where we no longer tolerate this
unless we remap the relocated kernel code read-only/executable
explicitly (patch #2)
Cc: Peter Jones <pjones@redhat.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Cc: Kees Cook <keescook@chromium.org>
Ard Biesheuvel (3):
efi/libstub: zboot: Mark zboot EFI application as NX compatible
efi/libstub: arm64: Remap relocated image with strict permissions
arm64: efi: Set NX compat flag in PE/COFF header
arch/arm64/kernel/efi-header.S | 2 +-
drivers/firmware/efi/libstub/arm64-stub.c | 1 +
drivers/firmware/efi/libstub/zboot-header.S | 2 +-
3 files changed, 3 insertions(+), 2 deletions(-)
--
2.39.2
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH 1/3] efi/libstub: zboot: Mark zboot EFI application as NX compatible
2023-03-10 12:50 ` Ard Biesheuvel
@ 2023-03-10 12:50 ` Ard Biesheuvel
-1 siblings, 0 replies; 8+ messages in thread
From: Ard Biesheuvel @ 2023-03-10 12:50 UTC (permalink / raw)
To: linux-efi
Cc: linux-arm-kernel, Ard Biesheuvel, Peter Jones, Gerd Hoffmann,
Ilias Apalodimas, Kees Cook, stable
Now that the zboot loader will invoke the EFI memory attributes protocol
to remap the decompressed code and rodata as read-only/executable, we
can set the PE/COFF header flag that indicates to the firmware that the
application does not rely on writable memory being executable at the
same time.
Cc: <stable@vger.kernel.org> # v6.2+
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
| 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--git a/drivers/firmware/efi/libstub/zboot-header.S b/drivers/firmware/efi/libstub/zboot-header.S
index ec4525d40e0cf6d6..445cb646eaaaf1c6 100644
--- a/drivers/firmware/efi/libstub/zboot-header.S
+++ b/drivers/firmware/efi/libstub/zboot-header.S
@@ -63,7 +63,7 @@ __efistub_efi_zboot_header:
.long .Lefi_header_end - .Ldoshdr
.long 0
.short IMAGE_SUBSYSTEM_EFI_APPLICATION
- .short 0
+ .short IMAGE_DLL_CHARACTERISTICS_NX_COMPAT
#ifdef CONFIG_64BIT
.quad 0, 0, 0, 0
#else
--
2.39.2
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 1/3] efi/libstub: zboot: Mark zboot EFI application as NX compatible
@ 2023-03-10 12:50 ` Ard Biesheuvel
0 siblings, 0 replies; 8+ messages in thread
From: Ard Biesheuvel @ 2023-03-10 12:50 UTC (permalink / raw)
To: linux-efi
Cc: linux-arm-kernel, Ard Biesheuvel, Peter Jones, Gerd Hoffmann,
Ilias Apalodimas, Kees Cook, stable
Now that the zboot loader will invoke the EFI memory attributes protocol
to remap the decompressed code and rodata as read-only/executable, we
can set the PE/COFF header flag that indicates to the firmware that the
application does not rely on writable memory being executable at the
same time.
Cc: <stable@vger.kernel.org> # v6.2+
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
| 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--git a/drivers/firmware/efi/libstub/zboot-header.S b/drivers/firmware/efi/libstub/zboot-header.S
index ec4525d40e0cf6d6..445cb646eaaaf1c6 100644
--- a/drivers/firmware/efi/libstub/zboot-header.S
+++ b/drivers/firmware/efi/libstub/zboot-header.S
@@ -63,7 +63,7 @@ __efistub_efi_zboot_header:
.long .Lefi_header_end - .Ldoshdr
.long 0
.short IMAGE_SUBSYSTEM_EFI_APPLICATION
- .short 0
+ .short IMAGE_DLL_CHARACTERISTICS_NX_COMPAT
#ifdef CONFIG_64BIT
.quad 0, 0, 0, 0
#else
--
2.39.2
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 2/3] efi/libstub: arm64: Remap relocated image with strict permissions
2023-03-10 12:50 ` Ard Biesheuvel
@ 2023-03-10 12:50 ` Ard Biesheuvel
-1 siblings, 0 replies; 8+ messages in thread
From: Ard Biesheuvel @ 2023-03-10 12:50 UTC (permalink / raw)
To: linux-efi
Cc: linux-arm-kernel, Ard Biesheuvel, Peter Jones, Gerd Hoffmann,
Ilias Apalodimas, Kees Cook
After relocating the executable image, use the EFI memory attributes
protocol to remap the code and data regions with the appropriate
permissions.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
drivers/firmware/efi/libstub/arm64-stub.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/firmware/efi/libstub/arm64-stub.c b/drivers/firmware/efi/libstub/arm64-stub.c
index d4a6b12a87413024..b996553cdb4c3587 100644
--- a/drivers/firmware/efi/libstub/arm64-stub.c
+++ b/drivers/firmware/efi/libstub/arm64-stub.c
@@ -139,6 +139,7 @@ efi_status_t handle_kernel_image(unsigned long *image_addr,
*image_addr = *reserve_addr;
memcpy((void *)*image_addr, _text, kernel_size);
caches_clean_inval_pou(*image_addr, *image_addr + kernel_codesize);
+ efi_remap_image(*image_addr, *reserve_size, kernel_codesize);
return EFI_SUCCESS;
}
--
2.39.2
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 2/3] efi/libstub: arm64: Remap relocated image with strict permissions
@ 2023-03-10 12:50 ` Ard Biesheuvel
0 siblings, 0 replies; 8+ messages in thread
From: Ard Biesheuvel @ 2023-03-10 12:50 UTC (permalink / raw)
To: linux-efi
Cc: linux-arm-kernel, Ard Biesheuvel, Peter Jones, Gerd Hoffmann,
Ilias Apalodimas, Kees Cook
After relocating the executable image, use the EFI memory attributes
protocol to remap the code and data regions with the appropriate
permissions.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
drivers/firmware/efi/libstub/arm64-stub.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/firmware/efi/libstub/arm64-stub.c b/drivers/firmware/efi/libstub/arm64-stub.c
index d4a6b12a87413024..b996553cdb4c3587 100644
--- a/drivers/firmware/efi/libstub/arm64-stub.c
+++ b/drivers/firmware/efi/libstub/arm64-stub.c
@@ -139,6 +139,7 @@ efi_status_t handle_kernel_image(unsigned long *image_addr,
*image_addr = *reserve_addr;
memcpy((void *)*image_addr, _text, kernel_size);
caches_clean_inval_pou(*image_addr, *image_addr + kernel_codesize);
+ efi_remap_image(*image_addr, *reserve_size, kernel_codesize);
return EFI_SUCCESS;
}
--
2.39.2
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 3/3] arm64: efi: Set NX compat flag in PE/COFF header
2023-03-10 12:50 ` Ard Biesheuvel
@ 2023-03-10 12:50 ` Ard Biesheuvel
-1 siblings, 0 replies; 8+ messages in thread
From: Ard Biesheuvel @ 2023-03-10 12:50 UTC (permalink / raw)
To: linux-efi
Cc: linux-arm-kernel, Ard Biesheuvel, Peter Jones, Gerd Hoffmann,
Ilias Apalodimas, Kees Cook, stable
The PE/COFF header has a NX compat flag which informs the firmware that
the application does not rely on memory regions being mapped with both
executable and writable permissions at the same time.
This is typically used by the firmware to decide whether it can set the
NX attribute on all allocations it returns, but going forward, it may be
used to enforce a policy that only permits applications with the NX flag
set to be loaded to begin wiht in some configurations, e.g., when Secure
Boot is in effect.
Even though the arm64 version of the EFI stub may relocate the kernel
before executing it, it always did so after disabling the MMU, and so we
were always in line with what the NX compat flag conveys, we just never
bothered to set it.
So let's set the flag now.
Cc: <stable@vger.kernel.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
| 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--git a/arch/arm64/kernel/efi-header.S b/arch/arm64/kernel/efi-header.S
index 28d8a5dca5f12978..d731b4655df8eb27 100644
--- a/arch/arm64/kernel/efi-header.S
+++ b/arch/arm64/kernel/efi-header.S
@@ -66,7 +66,7 @@
.long .Lefi_header_end - .L_head // SizeOfHeaders
.long 0 // CheckSum
.short IMAGE_SUBSYSTEM_EFI_APPLICATION // Subsystem
- .short 0 // DllCharacteristics
+ .short IMAGE_DLL_CHARACTERISTICS_NX_COMPAT // DllCharacteristics
.quad 0 // SizeOfStackReserve
.quad 0 // SizeOfStackCommit
.quad 0 // SizeOfHeapReserve
--
2.39.2
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 3/3] arm64: efi: Set NX compat flag in PE/COFF header
@ 2023-03-10 12:50 ` Ard Biesheuvel
0 siblings, 0 replies; 8+ messages in thread
From: Ard Biesheuvel @ 2023-03-10 12:50 UTC (permalink / raw)
To: linux-efi
Cc: linux-arm-kernel, Ard Biesheuvel, Peter Jones, Gerd Hoffmann,
Ilias Apalodimas, Kees Cook, stable
The PE/COFF header has a NX compat flag which informs the firmware that
the application does not rely on memory regions being mapped with both
executable and writable permissions at the same time.
This is typically used by the firmware to decide whether it can set the
NX attribute on all allocations it returns, but going forward, it may be
used to enforce a policy that only permits applications with the NX flag
set to be loaded to begin wiht in some configurations, e.g., when Secure
Boot is in effect.
Even though the arm64 version of the EFI stub may relocate the kernel
before executing it, it always did so after disabling the MMU, and so we
were always in line with what the NX compat flag conveys, we just never
bothered to set it.
So let's set the flag now.
Cc: <stable@vger.kernel.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
| 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--git a/arch/arm64/kernel/efi-header.S b/arch/arm64/kernel/efi-header.S
index 28d8a5dca5f12978..d731b4655df8eb27 100644
--- a/arch/arm64/kernel/efi-header.S
+++ b/arch/arm64/kernel/efi-header.S
@@ -66,7 +66,7 @@
.long .Lefi_header_end - .L_head // SizeOfHeaders
.long 0 // CheckSum
.short IMAGE_SUBSYSTEM_EFI_APPLICATION // Subsystem
- .short 0 // DllCharacteristics
+ .short IMAGE_DLL_CHARACTERISTICS_NX_COMPAT // DllCharacteristics
.quad 0 // SizeOfStackReserve
.quad 0 // SizeOfStackCommit
.quad 0 // SizeOfHeapReserve
--
2.39.2
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply related [flat|nested] 8+ messages in thread
end of thread, other threads:[~2023-03-10 12:51 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-03-10 12:50 [PATCH 0/3] efi: arm64: Set NX compat flag where appropriate Ard Biesheuvel
2023-03-10 12:50 ` Ard Biesheuvel
2023-03-10 12:50 ` [PATCH 1/3] efi/libstub: zboot: Mark zboot EFI application as NX compatible Ard Biesheuvel
2023-03-10 12:50 ` Ard Biesheuvel
2023-03-10 12:50 ` [PATCH 2/3] efi/libstub: arm64: Remap relocated image with strict permissions Ard Biesheuvel
2023-03-10 12:50 ` Ard Biesheuvel
2023-03-10 12:50 ` [PATCH 3/3] arm64: efi: Set NX compat flag in PE/COFF header Ard Biesheuvel
2023-03-10 12:50 ` Ard Biesheuvel
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.