From: Ard Biesheuvel <ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
To: "linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Russell King <linux-I+IVW8TIWO2tmTQ+vhA3Yw@public.gmane.org>
Cc: "linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org"
<linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org>,
Matt Fleming
<matt-mF/unelCI9GS6iBeEJttW/XRex20P6io@public.gmane.org>,
Leif Lindholm
<leif.lindholm-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>,
Ard Biesheuvel
<ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
Subject: Re: [PATCH 0/7] ARM: efi: PE/COFF cleanup/hardening
Date: Wed, 21 Jun 2017 14:20:13 +0200 [thread overview]
Message-ID: <CAKv+Gu86ceMjb0oVWCSMC8V+BJ0D7nFFiRSSEk6bk4wfJKS2rQ@mail.gmail.com> (raw)
In-Reply-To: <20170530183647.28557-1-ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
On 30 May 2017 at 20:36, Ard Biesheuvel <ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org> wrote:
> This is the ARM counterpart of the changes now in v4.12 to clean up
> the PE/COFF header that makes the kernel zImage loadable directly from
> UEFI, and to enhance it with hardening and debug features.
>
> First of all, the cleanup consists of making the header comply with the
> PE/COFF spec (#1), removing the .reloc section (#2) and replacing all
> open coded constants with #defines from linux/pe.h
>
> Patch #4 is a standalone patch that removes ksymtab/kcrctab sections that
> may get pulled in inadvertently when the decompressor is built with EFI
> support. Note that these sections are tiny and harmless by themselves, but
> the linker may dump them in unexpected places if they are not placed
> explicitly, which may interfere with the image layout. This is especially
> important when signing zImages for UEFI secure boot.
>
> Patch #5 changes the description of the decompressor in memory, so that the
> UEFI firmware can apply strict ro/nx protections, resulting in a more secure
> execution environment for the UEFI stub.
>
> Patch #6 splits the decompressor .start and .text output sections, so that
> the ELF view aligns with the PE/COFF view of the binary. This is useful for
> debugging, but has no other benefits (or downsides, for that matter)
>
> Patch #7 enhances the decompressor binary with a NB10 Codeview debug entry
> referring to the path to arch/arm/boot/compressed/vmlinux on the build host.
> This is another debug feature that allows seamless source level single step
> debugging of the UEFI stub while executing in the context of the firmware.
>
> Ard Biesheuvel (7):
> arm: efi: remove forbidden values from the PE/COFF header
> arm: efi: remove pointless dummy .reloc section
If nobody objects, I am going to queue these first 2 for v4.13. The
remaining ones need acks and/or need to be rebased once v4.13-rc1 is
out, but I've been sitting on these for a while now, so I'd like to
have some movement here.
--
Ard.
> arm: efi: replace open coded constants with symbolic ones
> arm: compressed: discard ksymtab/kcrctab sections
> arm: efi: split zImage code and data into separate PE/COFF sections
> arm: compressed: put zImage header and EFI header in dedicated section
> arm: efi: add PE/COFF debug table to EFI header
>
> arch/arm/boot/compressed/Makefile | 4 +
> arch/arm/boot/compressed/efi-header.S | 247 ++++++++++++--------
> arch/arm/boot/compressed/vmlinux.lds.S | 39 +++-
> 3 files changed, 180 insertions(+), 110 deletions(-)
>
> --
> 2.9.3
>
WARNING: multiple messages have this Message-ID (diff)
From: ard.biesheuvel@linaro.org (Ard Biesheuvel)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH 0/7] ARM: efi: PE/COFF cleanup/hardening
Date: Wed, 21 Jun 2017 14:20:13 +0200 [thread overview]
Message-ID: <CAKv+Gu86ceMjb0oVWCSMC8V+BJ0D7nFFiRSSEk6bk4wfJKS2rQ@mail.gmail.com> (raw)
In-Reply-To: <20170530183647.28557-1-ard.biesheuvel@linaro.org>
On 30 May 2017 at 20:36, Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
> This is the ARM counterpart of the changes now in v4.12 to clean up
> the PE/COFF header that makes the kernel zImage loadable directly from
> UEFI, and to enhance it with hardening and debug features.
>
> First of all, the cleanup consists of making the header comply with the
> PE/COFF spec (#1), removing the .reloc section (#2) and replacing all
> open coded constants with #defines from linux/pe.h
>
> Patch #4 is a standalone patch that removes ksymtab/kcrctab sections that
> may get pulled in inadvertently when the decompressor is built with EFI
> support. Note that these sections are tiny and harmless by themselves, but
> the linker may dump them in unexpected places if they are not placed
> explicitly, which may interfere with the image layout. This is especially
> important when signing zImages for UEFI secure boot.
>
> Patch #5 changes the description of the decompressor in memory, so that the
> UEFI firmware can apply strict ro/nx protections, resulting in a more secure
> execution environment for the UEFI stub.
>
> Patch #6 splits the decompressor .start and .text output sections, so that
> the ELF view aligns with the PE/COFF view of the binary. This is useful for
> debugging, but has no other benefits (or downsides, for that matter)
>
> Patch #7 enhances the decompressor binary with a NB10 Codeview debug entry
> referring to the path to arch/arm/boot/compressed/vmlinux on the build host.
> This is another debug feature that allows seamless source level single step
> debugging of the UEFI stub while executing in the context of the firmware.
>
> Ard Biesheuvel (7):
> arm: efi: remove forbidden values from the PE/COFF header
> arm: efi: remove pointless dummy .reloc section
If nobody objects, I am going to queue these first 2 for v4.13. The
remaining ones need acks and/or need to be rebased once v4.13-rc1 is
out, but I've been sitting on these for a while now, so I'd like to
have some movement here.
--
Ard.
> arm: efi: replace open coded constants with symbolic ones
> arm: compressed: discard ksymtab/kcrctab sections
> arm: efi: split zImage code and data into separate PE/COFF sections
> arm: compressed: put zImage header and EFI header in dedicated section
> arm: efi: add PE/COFF debug table to EFI header
>
> arch/arm/boot/compressed/Makefile | 4 +
> arch/arm/boot/compressed/efi-header.S | 247 ++++++++++++--------
> arch/arm/boot/compressed/vmlinux.lds.S | 39 +++-
> 3 files changed, 180 insertions(+), 110 deletions(-)
>
> --
> 2.9.3
>
next prev parent reply other threads:[~2017-06-21 12:20 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-30 18:36 [PATCH 0/7] ARM: efi: PE/COFF cleanup/hardening Ard Biesheuvel
2017-05-30 18:36 ` Ard Biesheuvel
[not found] ` <20170530183647.28557-1-ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
2017-05-30 18:36 ` [PATCH 1/7] arm: efi: remove forbidden values from the PE/COFF header Ard Biesheuvel
2017-05-30 18:36 ` Ard Biesheuvel
2017-05-30 18:36 ` [PATCH 2/7] arm: efi: remove pointless dummy .reloc section Ard Biesheuvel
2017-05-30 18:36 ` Ard Biesheuvel
2017-05-30 18:36 ` [PATCH 3/7] arm: efi: replace open coded constants with symbolic ones Ard Biesheuvel
2017-05-30 18:36 ` Ard Biesheuvel
2017-05-30 18:36 ` [PATCH 4/7] arm: compressed: discard ksymtab/kcrctab sections Ard Biesheuvel
2017-05-30 18:36 ` Ard Biesheuvel
2017-05-30 18:36 ` [PATCH 5/7] arm: efi: split zImage code and data into separate PE/COFF sections Ard Biesheuvel
2017-05-30 18:36 ` Ard Biesheuvel
2017-05-30 18:36 ` [PATCH 6/7] arm: compressed: put zImage header and EFI header in dedicated section Ard Biesheuvel
2017-05-30 18:36 ` Ard Biesheuvel
2017-05-30 18:36 ` [PATCH 7/7] arm: efi: add PE/COFF debug table to EFI header Ard Biesheuvel
2017-05-30 18:36 ` Ard Biesheuvel
2017-06-21 12:20 ` Ard Biesheuvel [this message]
2017-06-21 12:20 ` [PATCH 0/7] ARM: efi: PE/COFF cleanup/hardening Ard Biesheuvel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAKv+Gu86ceMjb0oVWCSMC8V+BJ0D7nFFiRSSEk6bk4wfJKS2rQ@mail.gmail.com \
--to=ard.biesheuvel-qsej5fyqhm4dnm+yrofe0a@public.gmane.org \
--cc=leif.lindholm-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org \
--cc=linux-I+IVW8TIWO2tmTQ+vhA3Yw@public.gmane.org \
--cc=linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org \
--cc=linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=matt-mF/unelCI9GS6iBeEJttW/XRex20P6io@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.