* [PATCH 0/7] ARM: efi: PE/COFF cleanup/hardening
From: Ard Biesheuvel @ 2017-05-30 18:36 UTC
  To: linux-efi, linux; +Cc: matt, leif.lindholm, linux-arm-kernel, Ard Biesheuvel

This is the ARM counterpart of the changes now in v4.12 to clean up
the PE/COFF header that makes the kernel zImage loadable directly from
UEFI, and to enhance it with hardening and debug features.

First of all, the cleanup consists of making the header comply with the
PE/COFF spec (#1), removing the .reloc section (#2) and replacing all
open coded constants with #defines from linux/pe.h.

Patch #4 is a standalone patch that removes ksymtab/kcrctab sections that
may get pulled in inadvertently when the decompressor is built with EFI
support. Note that these sections are tiny and harmless by themselves, but
the linker may dump them in unexpected places if they are not placed
explicitly, which may interfere with the image layout. This is especially
important when signing zImages for UEFI secure boot.

Patch #5 changes the description of the decompressor in memory, so that the
UEFI firmware can apply strict ro/nx protections, resulting in a more secure
execution environment for the UEFI stub.

Patch #6 splits the decompressor .start and .text output sections, so that
the ELF view aligns with the PE/COFF view of the binary. This is useful for
debugging, but has no other benefits (or downsides, for that matter).

Patch #7 enhances the decompressor binary with a NB10 Codeview debug entry
referring to the path to arch/arm/boot/compressed/vmlinux on the build host.
This is another debug feature that allows seamless source level single step
debugging of the UEFI stub while executing in the context of the firmware.

Ard Biesheuvel (7):
  arm: efi: remove forbidden values from the PE/COFF header
  arm: efi: remove pointless dummy .reloc section
  arm: efi: replace open coded constants with symbolic ones
  arm: compressed: discard ksymtab/kcrctab sections
  arm: efi: split zImage code and data into separate PE/COFF sections
  arm: compressed: put zImage header and EFI header in dedicated section
  arm: efi: add PE/COFF debug table to EFI header

 arch/arm/boot/compressed/Makefile      |   4 +
 arch/arm/boot/compressed/efi-header.S  | 247 ++++++++++++--------
 arch/arm/boot/compressed/vmlinux.lds.S |  39 +++-
 3 files changed, 180 insertions(+), 110 deletions(-)

-- 
2.9.3

* [PATCH 1/7] arm: efi: remove forbidden values from the PE/COFF header
From: Ard Biesheuvel @ 2017-05-30 18:36 UTC
  To: linux-efi, linux
  Cc: linux-arm-kernel, matt, leif.lindholm, Ard Biesheuvel

Bring the PE/COFF header in line with the PE/COFF spec, by setting
NumberOfSymbols to 0, and removing the section alignment flags.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 arch/arm/boot/compressed/efi-header.S | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/arm/boot/compressed/efi-header.S b/arch/arm/boot/compressed/efi-header.S
index 3f7d1b74c5e0..f9e91ba4d0b1 100644
--- a/arch/arm/boot/compressed/efi-header.S
+++ b/arch/arm/boot/compressed/efi-header.S
@@ -43,7 +43,7 @@ coff_header:
 		.short	2			@ nr_sections
 		.long	0 			@ TimeDateStamp
 		.long	0			@ PointerToSymbolTable
-		.long	1			@ NumberOfSymbols
+		.long	0			@ NumberOfSymbols
 		.short	section_table - optional_header
 						@ SizeOfOptionalHeader
 		.short	0x306			@ Characteristics.
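
Review bot: the Characteristics word 0x306 in the context right below the NumberOfSymbols change still includes IMAGE_FILE_LINE_NUMS_STRIPPED (0x0004), which the PE/COFF spec marks as deprecated and to be left zero. Since the stated goal is to bring the header in line with the spec, either clear that bit in this patch or say in the commit message why it stays.
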
@@ -109,7 +109,7 @@ section_table:
 		.long	0			@ PointerToLineNumbers
 		.short	0			@ NumberOfRelocations
 		.short	0			@ NumberOfLineNumbers
-		.long	0x42100040		@ Characteristics
+		.long	0x42000040		@ Characteristics
 
 		.ascii	".text\0\0\0"
 		.long	_end - __efi_start	@ VirtualSize
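
Review bot: the Characteristics value changed here belongs to the section entry ahead of .text, and 2/7 deletes that entry outright (its removed lines include this same 0x42000040). Putting the .reloc removal first in the series would make this hunk unnecessary and leave this patch with only the changes that survive.
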
@@ -120,7 +120,7 @@ section_table:
 		.long	0			@ PointerToLineNumbers
 		.short	0			@ NumberOfRelocations
 		.short	0			@ NumberOfLineNumbers
-		.long	0xe0500020		@ Characteristics
+		.long	0xe0000020		@ Characteristics
 
 		.align	9
 __efi_start:
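
Review bot: the new .text Characteristics value 0xe0000020 clears the alignment field but keeps both the write (0x80000000) and execute (0x20000000) bits, so firmware that honours section permissions would still map the whole image writable and executable. Say in the commit message that this is left alone on purpose here and is dealt with by the section split in 5/7, so nobody reads this patch as the point where the header becomes permission-clean.
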
-- 
2.9.3
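
A header audit for the properties this series changes, as an added example (not code from the patch series or the kernel): it flags a non-zero NumberOfSymbols, alignment bits in an image section, and sections that are both writable and executable. The sample images are constructed and header-only; pe_lint, pe_sample, lint_flags and the finding bits are hypothetical names, and the split-section flag values are an assumption derived from the permissions the cover letter describes for patch #5.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Section flag values from the PE/COFF specification. */
#define IMAGE_SCN_ALIGN_MASK   0x00f00000u  /* valid in object files only */
#define IMAGE_SCN_MEM_EXECUTE  0x20000000u
#define IMAGE_SCN_MEM_WRITE    0x80000000u

/* Finding bits returned by pe_lint() (hypothetical names). */
enum { PE_BAD = 1, PE_NSYMS = 2, PE_ALIGN = 4, PE_WX = 8 };

/* PE/COFF is little-endian regardless of the host. */
static uint32_t rd16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint32_t v) { p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v); wr16(p + 2, v >> 16); }

/* Walk MZ -> PE signature -> COFF header -> section table, bounds-checking
 * every step, and report the header properties the series is about. */
unsigned pe_lint(const uint8_t *img, size_t len)
{
	if (len < 0x40 || img[0] != 'M' || img[1] != 'Z')
		return PE_BAD;
	size_t pe = rd32(img + 0x3c);              /* offset of "PE\0\0" */
	if (pe > len || len - pe < 24 || memcmp(img + pe, "PE\0\0", 4))
		return PE_BAD;

	const uint8_t *coff = img + pe + 4;        /* 20-byte COFF header */
	uint32_t nsect = rd16(coff + 2);           /* NumberOfSections */
	uint32_t nsyms = rd32(coff + 12);          /* NumberOfSymbols */
	size_t table = pe + 24 + rd16(coff + 16);  /* skip SizeOfOptionalHeader */
	if (table > len || (len - table) / 40 < nsect)
		return PE_BAD;

	unsigned findings = 0;
	if (nsyms != 0)
		findings |= PE_NSYMS;
	for (uint32_t i = 0; i < nsect; i++) {
		/* Characteristics is the last field of the 40-byte entry. */
		uint32_t ch = rd32(img + table + 40 * (size_t)i + 36);
		if (ch & IMAGE_SCN_ALIGN_MASK)
			findings |= PE_ALIGN;
		if ((ch & IMAGE_SCN_MEM_WRITE) && (ch & IMAGE_SCN_MEM_EXECUTE))
			findings |= PE_WX;
	}
	return findings;
}

/* Constructed sample: MZ stub, PE signature, COFF header with no optional
 * header, then nsect section entries carrying only the given flags. */
size_t pe_sample(uint8_t *buf, uint32_t nsyms, const uint32_t *flags,
		 uint32_t nsect)
{
	size_t pe = 0x40, table = pe + 24, len = table + 40 * (size_t)nsect;

	memset(buf, 0, len);
	buf[0] = 'M';
	buf[1] = 'Z';
	wr32(buf + 0x3c, (uint32_t)pe);
	memcpy(buf + pe, "PE\0\0", 4);
	wr16(buf + pe + 4, 0x01c2);                /* Machine, as in the patch */
	wr16(buf + pe + 6, nsect);
	wr32(buf + pe + 16, nsyms);
	for (uint32_t i = 0; i < nsect; i++)
		wr32(buf + table + 40 * (size_t)i + 36, flags[i]);
	return len;
}

/* Build a sample (at most 4 sections fit the buffer) and lint it. */
unsigned lint_flags(uint32_t nsyms, const uint32_t *flags, uint32_t nsect)
{
	uint8_t buf[256];

	return pe_lint(buf, pe_sample(buf, nsyms, flags, nsect));
}

int main(void)
{
	/* Values before and after 1/7 and 2/7 are taken from the hunks. */
	const uint32_t before[] = { 0x42100040u, 0xe0500020u };
	const uint32_t after[]  = { 0xe0000020u };
	/* Assumed values for an R+X .text and an R+W .data (constructed). */
	const uint32_t split[]  = { 0x60000020u, 0xc0000040u };

	printf("before series: findings 0x%x\n", lint_flags(1, before, 2));
	printf("after 1/7+2/7: findings 0x%x\n", lint_flags(0, after, 1));
	printf("split code/data: findings 0x%x\n", lint_flags(0, split, 2));
	return 0;
}
```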

* [PATCH 2/7] arm: efi: remove pointless dummy .reloc section
From: Ard Biesheuvel @ 2017-05-30 18:36 UTC
  To: linux-efi, linux
  Cc: linux-arm-kernel, matt, leif.lindholm, Ard Biesheuvel

The kernel's EFI PE/COFF header contains a dummy .reloc section, and
an explanatory comment that claims that this is required for the EFI
application loader to accept the Image as a relocatable image (i.e.,
one that can be loaded at any offset and fixed up in place).

This was inherited from the x86 implementation, which has elaborate host
tooling to mangle the PE/COFF header post-link time, and which populates
the .reloc section with a single dummy base relocation. On ARM, no such
tooling exists, and the .reloc section remains empty, and is never even
exposed via the BaseRelocationTable directory entry, which is where the
PE/COFF loader looks for it.

The PE/COFF spec is unclear about relocatable images that do not require
any fixups, but the EDK2 implementation, which is the de facto reference
for PE/COFF in the UEFI space, clearly does not care, and explicitly
mentions (in a comment) that relocatable images with no base relocations
are perfectly fine, as long as they don't have the RELOCS_STRIPPED
attribute set (which is not the case for our PE/COFF image).

So simply remove the .reloc section altogether.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 arch/arm/boot/compressed/efi-header.S | 18 +-----------------
 1 file changed, 1 insertion(+), 17 deletions(-)

diff --git a/arch/arm/boot/compressed/efi-header.S b/arch/arm/boot/compressed/efi-header.S
index f9e91ba4d0b1..97f595970916 100644
--- a/arch/arm/boot/compressed/efi-header.S
+++ b/arch/arm/boot/compressed/efi-header.S
@@ -40,7 +40,7 @@ pe_header:
 
 coff_header:
 		.short	0x01c2			@ ARM or Thumb
-		.short	2			@ nr_sections
+		.short	1			@ nr_sections
 		.long	0 			@ TimeDateStamp
 		.long	0			@ PointerToSymbolTable
 		.long	0			@ NumberOfSymbols
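
Review bot: nr_sections at coff_header is a literal that has to be edited by hand whenever section_table gains or loses an entry, which is exactly what this hunk does. Deriving the count from the size of the table would remove the chance of the two disagreeing; 3/7 introduces section_count for that, so consider ordering that change ahead of this one or folding it in here.
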
@@ -95,22 +95,6 @@ extra_header_fields:
 		.quad	0			@ BaseRelocationTable
 
 section_table:
-		@
-		@ The EFI application loader requires a relocation section
-		@ because EFI applications must be relocatable. This is a
-		@ dummy section as far as we are concerned.
-		@
-		.ascii	".reloc\0\0"
-		.long	0			@ VirtualSize
-		.long	0			@ VirtualAddress
-		.long	0			@ SizeOfRawData
-		.long	0			@ PointerToRawData
-		.long	0			@ PointerToRelocations
-		.long	0			@ PointerToLineNumbers
-		.short	0			@ NumberOfRelocations
-		.short	0			@ NumberOfLineNumbers
-		.long	0x42000040		@ Characteristics
-
 		.ascii	".text\0\0\0"
 		.long	_end - __efi_start	@ VirtualSize
 		.long	__efi_start		@ VirtualAddress
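
Review bot: the comment deleted at section_table was the only in-file explanation of how the image qualifies as relocatable, and with BaseRelocationTable left as ".quad 0" nothing in the file now records the reasoning given in the commit message. Add a short comment at the BaseRelocationTable entry stating that the image needs no fixups and that RELOCS_STRIPPED must stay clear in the COFF Characteristics, so a later edit of the flags does not silently break loading.
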
-- 
2.9.3

* [PATCH 3/7] arm: efi: replace open coded constants with symbolic ones
From: Ard Biesheuvel @ 2017-05-30 18:36 UTC
  To: linux-efi, linux
  Cc: linux-arm-kernel, matt, leif.lindholm, Ard Biesheuvel

Replace the various open coded constants in the EFI PE/COFF header with
definitions from pe.h, or expressions based on local symbols.

Note that this patch also changes the indentation to make room for the
symbolic constant names.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 arch/arm/boot/compressed/efi-header.S | 172 ++++++++++----------
 1 file changed, 89 insertions(+), 83 deletions(-)

diff --git a/arch/arm/boot/compressed/efi-header.S b/arch/arm/boot/compressed/efi-header.S
index 97f595970916..4699c432a2e2 100644
--- a/arch/arm/boot/compressed/efi-header.S
+++ b/arch/arm/boot/compressed/efi-header.S
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2015 Linaro Ltd
+ * Copyright (C) 2013-2017 Linaro Ltd
  * Authors: Roy Franz <roy.franz-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
  *          Ard Biesheuvel <ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
  *
@@ -8,105 +8,111 @@
  * published by the Free Software Foundation.
  */
 
-		.macro	__nop
+#include <linux/pe.h>
+#include <linux/sizes.h>
+
+	.macro	__nop
 #ifdef CONFIG_EFI_STUB
-		@ This is almost but not quite a NOP, since it does clobber the
-		@ condition flags. But it is the best we can do for EFI, since
-		@ PE/COFF expects the magic string "MZ" at offset 0, while the
-		@ ARM/Linux boot protocol expects an executable instruction
-		@ there.
-		.inst	'M' | ('Z' << 8) | (0x1310 << 16)   @ tstne r0, #0x4d000
+	@ This is almost but not quite a NOP, since it does clobber the
+	@ condition flags. But it is the best we can do for EFI, since
+	@ PE/COFF expects the magic string "MZ" at offset 0, while the
+	@ ARM/Linux boot protocol expects an executable instruction
+	@ there.
+	.inst	MZ_MAGIC | (0x1310 << 16)		@ tstne r0, #0x4d000
 #else
-		W(mov)	r0, r0
+	W(mov)	r0, r0
 #endif
-		.endm
+	.endm
 
-		.macro	__EFI_HEADER
+	.macro	__EFI_HEADER
 #ifdef CONFIG_EFI_STUB
-		.set	start_offset, __efi_start - start
-		.org	start + 0x3c
-		@
-		@ The PE header can be anywhere in the file, but for
-		@ simplicity we keep it together with the MSDOS header
-		@ The offset to the PE/COFF header needs to be at offset
-		@ 0x3C in the MSDOS header.
-		@ The only 2 fields of the MSDOS header that are used are this
-		@ PE/COFF offset, and the "MZ" bytes at offset 0x0.
-		@
-		.long	pe_header - start	@ Offset to the PE header.
+	.set	start_offset, __efi_start - start
+	.org	start + 0x3c
+	@
+	@ The PE header can be anywhere in the file, but for
+	@ simplicity we keep it together with the MSDOS header
+	@ The offset to the PE/COFF header needs to be at offset
+	@ 0x3C in the MSDOS header.
+	@ The only 2 fields of the MSDOS header that are used are this
+	@ PE/COFF offset, and the "MZ" bytes at offset 0x0.
+	@
+	.long	pe_header - start		@ Offset to the PE header.
 
 pe_header:
-		.ascii	"PE\0\0"
+	.long	PE_MAGIC
 
 coff_header:
-		.short	0x01c2			@ ARM or Thumb
-		.short	1			@ nr_sections
-		.long	0 			@ TimeDateStamp
-		.long	0			@ PointerToSymbolTable
-		.long	0			@ NumberOfSymbols
-		.short	section_table - optional_header
-						@ SizeOfOptionalHeader
-		.short	0x306			@ Characteristics.
-						@ IMAGE_FILE_32BIT_MACHINE |
-						@ IMAGE_FILE_DEBUG_STRIPPED |
-						@ IMAGE_FILE_EXECUTABLE_IMAGE |
-						@ IMAGE_FILE_LINE_NUMS_STRIPPED
+	.short	IMAGE_FILE_MACHINE_THUMB		@ Machine
+	.short	section_count				@ NumberOfSections
+	.long	0 					@ TimeDateStamp
+	.long	0					@ PointerToSymbolTable
+	.long	0					@ NumberOfSymbols
+	.short	section_table - optional_header		@ SizeOfOptionalHeader
+	.short	IMAGE_FILE_32BIT_MACHINE | \
+		IMAGE_FILE_DEBUG_STRIPPED | \
+		IMAGE_FILE_EXECUTABLE_IMAGE | \
+		IMAGE_FILE_LINE_NUMS_STRIPPED		@ Characteristics
 
 optional_header:
-		.short	0x10b			@ PE32 format
-		.byte	0x02			@ MajorLinkerVersion
-		.byte	0x14			@ MinorLinkerVersion
-		.long	_end - __efi_start	@ SizeOfCode
-		.long	0			@ SizeOfInitializedData
-		.long	0			@ SizeOfUninitializedData
-		.long	efi_stub_entry - start	@ AddressOfEntryPoint
-		.long	start_offset		@ BaseOfCode
-		.long	0			@ data
+	.short	PE_OPT_MAGIC_PE32			@ PE32 format
+	.byte	0x02					@ MajorLinkerVersion
+	.byte	0x14					@ MinorLinkerVersion
+	.long	_end - __efi_start			@ SizeOfCode
+	.long	0					@ SizeOfInitializedData
+	.long	0					@ SizeOfUninitializedData
+	.long	efi_stub_entry - start			@ AddressOfEntryPoint
+	.long	start_offset				@ BaseOfCode
+	.long	0					@ BaseOfData
 
 extra_header_fields:
-		.long	0			@ ImageBase
-		.long	0x200			@ SectionAlignment
-		.long	0x200			@ FileAlignment
-		.short	0			@ MajorOperatingSystemVersion
-		.short	0			@ MinorOperatingSystemVersion
-		.short	0			@ MajorImageVersion
-		.short	0			@ MinorImageVersion
-		.short	0			@ MajorSubsystemVersion
-		.short	0			@ MinorSubsystemVersion
-		.long	0			@ Win32VersionValue
+	.long	0					@ ImageBase
+	.long	SZ_512					@ SectionAlignment
+	.long	SZ_512					@ FileAlignment
+	.short	0					@ MajorOsVersion
+	.short	0					@ MinorOsVersion
+	.short	0					@ MajorImageVersion
+	.short	0					@ MinorImageVersion
+	.short	0					@ MajorSubsystemVersion
+	.short	0					@ MinorSubsystemVersion
+	.long	0					@ Win32VersionValue
 
-		.long	_end - start		@ SizeOfImage
-		.long	start_offset		@ SizeOfHeaders
-		.long	0			@ CheckSum
-		.short	0xa			@ Subsystem (EFI application)
-		.short	0			@ DllCharacteristics
-		.long	0			@ SizeOfStackReserve
-		.long	0			@ SizeOfStackCommit
-		.long	0			@ SizeOfHeapReserve
-		.long	0			@ SizeOfHeapCommit
-		.long	0			@ LoaderFlags
-		.long	0x6			@ NumberOfRvaAndSizes
+	.long	_end - start				@ SizeOfImage
+	.long	start_offset				@ SizeOfHeaders
+	.long	0					@ CheckSum
+	.short	IMAGE_SUBSYSTEM_EFI_APPLICATION		@ Subsystem
+	.short	0					@ DllCharacteristics
+	.long	0					@ SizeOfStackReserve
+	.long	0					@ SizeOfStackCommit
+	.long	0					@ SizeOfHeapReserve
+	.long	0					@ SizeOfHeapCommit
+	.long	0					@ LoaderFlags
+	.long	(section_table - .) / 8			@ NumberOfRvaAndSizes
 
-		.quad	0			@ ExportTable
-		.quad	0			@ ImportTable
-		.quad	0			@ ResourceTable
-		.quad	0			@ ExceptionTable
-		.quad	0			@ CertificationTable
-		.quad	0			@ BaseRelocationTable
+	.quad	0					@ ExportTable
+	.quad	0					@ ImportTable
+	.quad	0					@ ResourceTable
+	.quad	0					@ ExceptionTable
+	.quad	0					@ CertificationTable
+	.quad	0					@ BaseRelocationTable
 
 section_table:
-		.ascii	".text\0\0\0"
-		.long	_end - __efi_start	@ VirtualSize
-		.long	__efi_start		@ VirtualAddress
-		.long	_edata - __efi_start	@ SizeOfRawData
-		.long	__efi_start		@ PointerToRawData
-		.long	0			@ PointerToRelocations
-		.long	0			@ PointerToLineNumbers
-		.short	0			@ NumberOfRelocations
-		.short	0			@ NumberOfLineNumbers
-		.long	0xe0000020		@ Characteristics
+	.ascii	".text\0\0\0"
+	.long	_end - __efi_start			@ VirtualSize
+	.long	__efi_start				@ VirtualAddress
+	.long	_edata - __efi_start			@ SizeOfRawData
+	.long	__efi_start				@ PointerToRawData
+	.long	0					@ PointerToRelocations
+	.long	0					@ PointerToLineNumbers
+	.short	0					@ NumberOfRelocations
+	.short	0					@ NumberOfLineNumbers
+	.long	IMAGE_SCN_CNT_CODE | \
+		IMAGE_SCN_MEM_READ | \
+		IMAGE_SCN_MEM_WRITE | \
+		IMAGE_SCN_MEM_EXECUTE			@ Characteristics
+
+	.set	section_count, (. - section_table) / 40
 
-		.align	9
+	.align	9
 __efi_start:
 #endif
-		.endm
+	.endm
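
Review bot: in extra_header_fields, ".long (section_table - .) / 8" evaluates "." at the start of the NumberOfRvaAndSizes field itself, so the numerator is 4 bytes larger than the six-entry data directory (4 + 6 * 8 = 52) and the result is 6 only because the division truncates. A label placed directly after the field, or subtracting the 4 bytes explicitly, would make the expression exact rather than accidentally right. The 40 in ".set section_count, (. - section_table) / 40" is the section header size and deserves a comment or a named constant for the same reason. Separately, combining the reindent with the constant substitution makes it hard to confirm from the diff that no value changed; splitting the whitespace change into its own patch would let the substitution be checked line by line.
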
-- 
2.9.3

* [PATCH 4/7] arm: compressed: discard ksymtab/kcrctab sections
From: Ard Biesheuvel @ 2017-05-30 18:36 UTC
  To: linux-efi, linux
  Cc: linux-arm-kernel, matt, leif.lindholm, Ard Biesheuvel

With UEFI support added to the decompressor, we may end up including
C code that is part of the kernel proper, but is rebuilt for the
decompressor. This may result in ksymtab/kcrctab metadata being
duplicated into the decompressor, so discard such regions explicitly.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 arch/arm/boot/compressed/vmlinux.lds.S | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/arm/boot/compressed/vmlinux.lds.S b/arch/arm/boot/compressed/vmlinux.lds.S
index 81c493156ce8..1fa62432e283 100644
--- a/arch/arm/boot/compressed/vmlinux.lds.S
+++ b/arch/arm/boot/compressed/vmlinux.lds.S
@@ -29,6 +29,11 @@ SECTIONS
      * of the text/got segments.
      */
     *(.data)
+    /*
+     * C code that is shared with the kernel proper (but rebuilt for the
+     * decompressor) may contain exports that we have no use for here.
+     */
+    *(*ksymtab* *kcrctab*)
   }
 
   . = TEXT_START;
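
Review bot: the comment added above "*(*ksymtab* *kcrctab*)" says only that the exports are unused here; the reason it matters, that the linker may otherwise place these sections where it likes and disturb the image layout of a signed zImage, appears only in the cover letter, which is not kept in git history. Move that sentence into the commit message or the comment. The patterns are also wildcarded on both sides, so they match any input section whose name merely contains ksymtab or kcrctab; anchoring them to the actual section name prefixes would make it clearer what is being dropped.
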
-- 
2.9.3

^ permalink raw reply related	[flat|nested] 18+ messages in thread

* [PATCH 4/7] arm: compressed: discard ksymtab/kcrctab sections
@ 2017-05-30 18:36     ` Ard Biesheuvel
  0 siblings, 0 replies; 18+ messages in thread
From: Ard Biesheuvel @ 2017-05-30 18:36 UTC (permalink / raw)
  To: linux-arm-kernel

With UEFI support added to the decompressor, we may end up including
C code that is part of the kernel proper, but is rebuilt for the
decompressor. This may result in ksymtab/kcrctab metadata being
duplicated into the decompressor, so discard such regions explicitly.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 arch/arm/boot/compressed/vmlinux.lds.S | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/arm/boot/compressed/vmlinux.lds.S b/arch/arm/boot/compressed/vmlinux.lds.S
index 81c493156ce8..1fa62432e283 100644
--- a/arch/arm/boot/compressed/vmlinux.lds.S
+++ b/arch/arm/boot/compressed/vmlinux.lds.S
@@ -29,6 +29,11 @@ SECTIONS
      * of the text/got segments.
      */
     *(.data)
+    /*
+     * C code that is shared with the kernel proper (but rebuilt for the
+     * decompressor) may contain exports that we have no use for here.
+     */
+    *(*ksymtab* *kcrctab*)
   }
 
   . = TEXT_START;
-- 
2.9.3

* [PATCH 5/7] arm: efi: split zImage code and data into separate PE/COFF sections
  2017-05-30 18:36 ` Ard Biesheuvel
@ 2017-05-30 18:36     ` Ard Biesheuvel
  -1 siblings, 0 replies; 18+ messages in thread
From: Ard Biesheuvel @ 2017-05-30 18:36 UTC (permalink / raw)
  To: linux-efi-u79uwXL29TY76Z2rM5mHXA, linux-I+IVW8TIWO2tmTQ+vhA3Yw
  Cc: linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r,
	matt-mF/unelCI9GS6iBeEJttW/XRex20P6io,
	leif.lindholm-QSEj5FYQhm4dnm+yROfE0A, Ard Biesheuvel

To prevent unintended modifications to the kernel text (malicious or
otherwise) while running the EFI stub, describe the kernel image as
two separate sections: a .text section with read-execute permissions,
covering .text, .rodata, .piggytext and the GOT sections (which the
stub does not care about anyway), and a .data section with read-write
permissions, covering .data and .bss.

This relies on the firmware to actually take the section permission
flags into account, but this is something that is currently being
implemented in EDK2, which means we will likely start seeing it in
the wild between one and two years from now.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
---
 arch/arm/boot/compressed/efi-header.S  | 30 ++++++++++++++------
 arch/arm/boot/compressed/vmlinux.lds.S | 30 +++++++++++++++-----
 2 files changed, 44 insertions(+), 16 deletions(-)

diff --git a/arch/arm/boot/compressed/efi-header.S b/arch/arm/boot/compressed/efi-header.S
index 4699c432a2e2..3b1d95f43f2b 100644
--- a/arch/arm/boot/compressed/efi-header.S
+++ b/arch/arm/boot/compressed/efi-header.S
@@ -57,16 +57,16 @@ optional_header:
 	.short	PE_OPT_MAGIC_PE32			@ PE32 format
 	.byte	0x02					@ MajorLinkerVersion
 	.byte	0x14					@ MinorLinkerVersion
-	.long	_end - __efi_start			@ SizeOfCode
-	.long	0					@ SizeOfInitializedData
+	.long	__pecoff_data_start - __efi_start	@ SizeOfCode
+	.long	__pecoff_data_size			@ SizeOfInitializedData
 	.long	0					@ SizeOfUninitializedData
 	.long	efi_stub_entry - start			@ AddressOfEntryPoint
 	.long	start_offset				@ BaseOfCode
-	.long	0					@ BaseOfData
+	.long	__pecoff_data_start - start		@ BaseOfData
 
 extra_header_fields:
 	.long	0					@ ImageBase
-	.long	SZ_512					@ SectionAlignment
+	.long	SZ_4K					@ SectionAlignment
 	.long	SZ_512					@ FileAlignment
 	.short	0					@ MajorOsVersion
 	.short	0					@ MinorOsVersion
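Review bot: SizeOfInitializedData is now __pecoff_data_size, which the linker script in this patch defines as "ALIGN(512) - ADDR(.data)" after .stack, so it counts the zero-initialised tail as initialised data while SizeOfUninitializedData stays 0. Either report __pecoff_data_rawsize here and the remainder as uninitialised, or add a comment saying the split is deliberately not reflected in these fields. The commit message should also say why SectionAlignment goes from SZ_512 to SZ_4K while FileAlignment stays at SZ_512; presumably it is for page-granular permissions, but that is only implied.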
@@ -76,7 +76,7 @@ extra_header_fields:
 	.short	0					@ MinorSubsystemVersion
 	.long	0					@ Win32VersionValue
 
-	.long	_end - start				@ SizeOfImage
+	.long	__pecoff_end - start			@ SizeOfImage
 	.long	start_offset				@ SizeOfHeaders
 	.long	0					@ CheckSum
 	.short	IMAGE_SUBSYSTEM_EFI_APPLICATION		@ Subsystem
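Review bot: SizeOfImage becomes "__pecoff_end - start", and __pecoff_end is provided as ALIGN(512) in the linker script, but the previous hunk raises SectionAlignment to SZ_4K and the PE/COFF specification requires SizeOfImage to be a multiple of SectionAlignment. Unless something else guarantees 4 KB alignment at that point, __pecoff_end should be aligned to 4096 rather than 512.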
@@ -97,9 +97,9 @@ extra_header_fields:
 
 section_table:
 	.ascii	".text\0\0\0"
-	.long	_end - __efi_start			@ VirtualSize
+	.long	__pecoff_data_start - __efi_start	@ VirtualSize
 	.long	__efi_start				@ VirtualAddress
-	.long	_edata - __efi_start			@ SizeOfRawData
+	.long	__pecoff_data_start - __efi_start	@ SizeOfRawData
 	.long	__efi_start				@ PointerToRawData
 	.long	0					@ PointerToRelocations
 	.long	0					@ PointerToLineNumbers
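Review bot: With VirtualSize and SizeOfRawData both ending at __pecoff_data_start, the read-execute range now covers everything the linker script places before .data, including .piggydata and .pad, yet the commit message lists .piggytext, a name that does not appear in the parts of the script shown. Please correct the name in the commit message and add a short comment here listing what the section spans, so the range can be checked against vmlinux.lds.S.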
@@ -107,12 +107,24 @@ section_table:
 	.short	0					@ NumberOfLineNumbers
 	.long	IMAGE_SCN_CNT_CODE | \
 		IMAGE_SCN_MEM_READ | \
-		IMAGE_SCN_MEM_WRITE | \
 		IMAGE_SCN_MEM_EXECUTE			@ Characteristics
 
+	.ascii	".data\0\0\0"
+	.long	__pecoff_data_size			@ VirtualSize
+	.long	__pecoff_data_start - start		@ VirtualAddress
+	.long	__pecoff_data_rawsize			@ SizeOfRawData
+	.long	__pecoff_data_start - start		@ PointerToRawData
+	.long	0					@ PointerToRelocations
+	.long	0					@ PointerToLineNumbers
+	.short	0					@ NumberOfRelocations
+	.short	0					@ NumberOfLineNumbers
+	.long	IMAGE_SCN_CNT_INITIALIZED_DATA | \
+		IMAGE_SCN_MEM_READ | \
+		IMAGE_SCN_MEM_WRITE			@ Characteristics
+
 	.set	section_count, (. - section_table) / 40
 
-	.align	9
+	.align	12
 __efi_start:
 #endif
 	.endm
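Review bot: The new .data entry gives VirtualAddress and PointerToRawData as "__pecoff_data_start - start", while the .text entry just above keeps the bare symbol __efi_start for the same two fields; the two forms only agree if start is at address 0. Use the same form in both entries ("__efi_start - start"), or state the assumption in a comment.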
diff --git a/arch/arm/boot/compressed/vmlinux.lds.S b/arch/arm/boot/compressed/vmlinux.lds.S
index 1fa62432e283..dfcc2baa0077 100644
--- a/arch/arm/boot/compressed/vmlinux.lds.S
+++ b/arch/arm/boot/compressed/vmlinux.lds.S
@@ -53,13 +53,6 @@ SECTIONS
     *(.rodata)
     *(.rodata.*)
   }
-  .data : {
-    /*
-     * The EFI stub always executes from RAM, and runs strictly before the
-     * decompressor, so we can make an exception for its r/w data, and keep it
-     */
-    *(.data.efistub)
-  }
   .piggydata : {
     *(.piggydata)
   }
@@ -75,6 +68,26 @@ SECTIONS
   /* ensure the zImage file size is always a multiple of 64 bits */
   /* (without a dummy byte, ld just ignores the empty section) */
   .pad			: { BYTE(0); . = ALIGN(8); }
+
+#ifdef CONFIG_EFI_STUB
+  .data : ALIGN(4096) {
+    __pecoff_data_start = .;
+    /*
+     * The EFI stub always executes from RAM, and runs strictly before the
+     * decompressor, so we can make an exception for its r/w data, and keep it
+     */
+    *(.data.efistub)
+    __pecoff_data_end = .;
+
+    /*
+     * PE/COFF mandates a file size which is a multiple of 512 bytes if the
+     * section size equals or exceeds 4 KB
+     */
+    . = ALIGN(512);
+  }
+  __pecoff_data_rawsize = . - ADDR(.data);
+#endif
+
   _edata = .;
 
   _magic_sig = ZIMAGE_MAGIC(0x016f2818);
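Review bot: __pecoff_data_end is assigned inside the new .data block but nothing in this patch refers to it; efi-header.S only uses __pecoff_data_start, __pecoff_data_rawsize, __pecoff_data_size and __pecoff_end. Drop the symbol or use it. The comment above ". = ALIGN(512)" would also be clearer if it tied the 512 to the FileAlignment value in the header rather than to a 4 KB section size.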
@@ -89,6 +102,9 @@ SECTIONS
   . = ALIGN(8);		/* the stack must be 64-bit aligned */
   .stack		: { *(.stack) }
 
+  PROVIDE(__pecoff_data_size = ALIGN(512) - ADDR(.data));
+  PROVIDE(__pecoff_end = ALIGN(512));
+
   .stab 0		: { *(.stab) }
   .stabstr 0		: { *(.stabstr) }
   .stab.excl 0		: { *(.stab.excl) }
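Review bot: Both PROVIDE() lines sit outside the "#ifdef CONFIG_EFI_STUB" block added earlier in this file, although __pecoff_data_size is computed from ADDR(.data) and that output section now exists only under the ifdef. Move them under the same guard, and add a comment saying why they are placed after .stack (presumably so that the virtual size of .data takes in the uninitialised region the commit message mentions).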
-- 
2.9.3
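
The section split described in the commit message above can be checked on a built image. The following Python script is an added example, not part of the original post or of the kernel tree: it parses PE32 headers and reports sections that are both writable and executable or that break the alignment rules. The build_image() helper, the two sample layouts and the 4 KB page size are constructed assumptions.

```python
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PAGE_SIZE = 4096  # assumption: firmware applies permissions per 4 KB page
SECTION_FMT = "<8sIIIIIIHHI"  # one 40-byte section table entry


def parse_headers(image):
    """Return (SectionAlignment, FileAlignment, SizeOfImage, sections)."""
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]  # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    sect_align, file_align = struct.unpack_from("<II", image, opt + 32)
    if sect_align == 0 or file_align == 0:
        raise ValueError("zero alignment field")
    size_of_image = struct.unpack_from("<I", image, opt + 56)[0]
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, image, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii"),
                         "vsize": f[1], "va": f[2], "raw": f[3], "flags": f[9]})
    return sect_align, file_align, size_of_image, sections


def audit(image):
    """List layout problems that keep firmware from enforcing W^X per section."""
    sect_align, file_align, size_of_image, sections = parse_headers(image)
    findings = []
    if sect_align < PAGE_SIZE:
        findings.append(f"SectionAlignment {sect_align} is below the page size")
    if size_of_image % sect_align:
        findings.append("SizeOfImage is not a multiple of SectionAlignment")
    for s in sections:
        if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{s['name']}: writable and executable")
        if s["va"] % sect_align:
            findings.append(f"{s['name']}: VirtualAddress not section-aligned")
        if s["raw"] % file_align:
            findings.append(f"{s['name']}: SizeOfRawData not file-aligned")
    return findings


def build_image(sect_align, size_of_image, sections):
    """Constructed sample: PE32 headers and section table only, no payload."""
    opt = bytearray(96)  # optional header without data directories
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<II", opt, 32, sect_align, 512)  # Section/FileAlignment
    struct.pack_into("<I", opt, 56, size_of_image)
    coff = struct.pack("<HHIIIHH", 0x01C2, len(sections), 0, 0, 0, len(opt), 2)
    table = b"".join(
        struct.pack(SECTION_FMT, name, vsize, va, raw, va, 0, 0, 0, 0, flags)
        for name, va, vsize, raw, flags in sections)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


# Constructed layouts: one RWX section (as before the patch) and the split form.
BEFORE_SECTIONS = [
    (b".text", 0x200, 0x5000, 0x4E00, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ
     | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
]
AFTER_SECTIONS = [
    (b".text", 0x1000, 0x4000, 0x4000,
     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
    (b".data", 0x5000, 0x1200, 0x200,
     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]
BEFORE = build_image(512, 0x5200, BEFORE_SECTIONS)
AFTER = build_image(4096, 0x7000, AFTER_SECTIONS)

if __name__ == "__main__":
    for label, img in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(img) or "no findings")
```

To audit a real build, read the zImage bytes from disk and pass them to audit() instead of the constructed samples.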

* [PATCH 5/7] arm: efi: split zImage code and data into separate PE/COFF sections
@ 2017-05-30 18:36     ` Ard Biesheuvel
  0 siblings, 0 replies; 18+ messages in thread
From: Ard Biesheuvel @ 2017-05-30 18:36 UTC (permalink / raw)
  To: linux-arm-kernel

To prevent unintended modifications to the kernel text (malicious or
otherwise) while running the EFI stub, describe the kernel image as
two separate sections: a .text section with read-execute permissions,
covering .text, .rodata, .piggytext and the GOT sections (which the
stub does not care about anyway), and a .data section with read-write
permissions, covering .data and .bss.

This relies on the firmware to actually take the section permission
flags into account, but this is something that is currently being
implemented in EDK2, which means we will likely start seeing it in
the wild between one and two years from now.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 arch/arm/boot/compressed/efi-header.S  | 30 ++++++++++++++------
 arch/arm/boot/compressed/vmlinux.lds.S | 30 +++++++++++++++-----
 2 files changed, 44 insertions(+), 16 deletions(-)

diff --git a/arch/arm/boot/compressed/efi-header.S b/arch/arm/boot/compressed/efi-header.S
index 4699c432a2e2..3b1d95f43f2b 100644
--- a/arch/arm/boot/compressed/efi-header.S
+++ b/arch/arm/boot/compressed/efi-header.S
@@ -57,16 +57,16 @@ optional_header:
 	.short	PE_OPT_MAGIC_PE32			@ PE32 format
 	.byte	0x02					@ MajorLinkerVersion
 	.byte	0x14					@ MinorLinkerVersion
-	.long	_end - __efi_start			@ SizeOfCode
-	.long	0					@ SizeOfInitializedData
+	.long	__pecoff_data_start - __efi_start	@ SizeOfCode
+	.long	__pecoff_data_size			@ SizeOfInitializedData
 	.long	0					@ SizeOfUninitializedData
 	.long	efi_stub_entry - start			@ AddressOfEntryPoint
 	.long	start_offset				@ BaseOfCode
-	.long	0					@ BaseOfData
+	.long	__pecoff_data_start - start		@ BaseOfData
 
 extra_header_fields:
 	.long	0					@ ImageBase
-	.long	SZ_512					@ SectionAlignment
+	.long	SZ_4K					@ SectionAlignment
 	.long	SZ_512					@ FileAlignment
 	.short	0					@ MajorOsVersion
 	.short	0					@ MinorOsVersion
@@ -76,7 +76,7 @@ extra_header_fields:
 	.short	0					@ MinorSubsystemVersion
 	.long	0					@ Win32VersionValue
 
-	.long	_end - start				@ SizeOfImage
+	.long	__pecoff_end - start			@ SizeOfImage
 	.long	start_offset				@ SizeOfHeaders
 	.long	0					@ CheckSum
 	.short	IMAGE_SUBSYSTEM_EFI_APPLICATION		@ Subsystem
@@ -97,9 +97,9 @@ extra_header_fields:
 
 section_table:
 	.ascii	".text\0\0\0"
-	.long	_end - __efi_start			@ VirtualSize
+	.long	__pecoff_data_start - __efi_start	@ VirtualSize
 	.long	__efi_start				@ VirtualAddress
-	.long	_edata - __efi_start			@ SizeOfRawData
+	.long	__pecoff_data_start - __efi_start	@ SizeOfRawData
 	.long	__efi_start				@ PointerToRawData
 	.long	0					@ PointerToRelocations
 	.long	0					@ PointerToLineNumbers
@@ -107,12 +107,24 @@ section_table:
 	.short	0					@ NumberOfLineNumbers
 	.long	IMAGE_SCN_CNT_CODE | \
 		IMAGE_SCN_MEM_READ | \
-		IMAGE_SCN_MEM_WRITE | \
 		IMAGE_SCN_MEM_EXECUTE			@ Characteristics
 
+	.ascii	".data\0\0\0"
+	.long	__pecoff_data_size			@ VirtualSize
+	.long	__pecoff_data_start - start		@ VirtualAddress
+	.long	__pecoff_data_rawsize			@ SizeOfRawData
+	.long	__pecoff_data_start - start		@ PointerToRawData
+	.long	0					@ PointerToRelocations
+	.long	0					@ PointerToLineNumbers
+	.short	0					@ NumberOfRelocations
+	.short	0					@ NumberOfLineNumbers
+	.long	IMAGE_SCN_CNT_INITIALIZED_DATA | \
+		IMAGE_SCN_MEM_READ | \
+		IMAGE_SCN_MEM_WRITE			@ Characteristics
+
 	.set	section_count, (. - section_table) / 40
 
-	.align	9
+	.align	12
 __efi_start:
 #endif
 	.endm
diff --git a/arch/arm/boot/compressed/vmlinux.lds.S b/arch/arm/boot/compressed/vmlinux.lds.S
index 1fa62432e283..dfcc2baa0077 100644
--- a/arch/arm/boot/compressed/vmlinux.lds.S
+++ b/arch/arm/boot/compressed/vmlinux.lds.S
@@ -53,13 +53,6 @@ SECTIONS
     *(.rodata)
     *(.rodata.*)
   }
-  .data : {
-    /*
-     * The EFI stub always executes from RAM, and runs strictly before the
-     * decompressor, so we can make an exception for its r/w data, and keep it
-     */
-    *(.data.efistub)
-  }
   .piggydata : {
     *(.piggydata)
   }
@@ -75,6 +68,26 @@ SECTIONS
   /* ensure the zImage file size is always a multiple of 64 bits */
   /* (without a dummy byte, ld just ignores the empty section) */
   .pad			: { BYTE(0); . = ALIGN(8); }
+
+#ifdef CONFIG_EFI_STUB
+  .data : ALIGN(4096) {
+    __pecoff_data_start = .;
+    /*
+     * The EFI stub always executes from RAM, and runs strictly before the
+     * decompressor, so we can make an exception for its r/w data, and keep it
+     */
+    *(.data.efistub)
+    __pecoff_data_end = .;
+
+    /*
+     * PE/COFF mandates a file size which is a multiple of 512 bytes if the
+     * section size equals or exceeds 4 KB
+     */
+    . = ALIGN(512);
+  }
+  __pecoff_data_rawsize = . - ADDR(.data);
+#endif
+
   _edata = .;
 
   _magic_sig = ZIMAGE_MAGIC(0x016f2818);
@@ -89,6 +102,9 @@ SECTIONS
   . = ALIGN(8);		/* the stack must be 64-bit aligned */
   .stack		: { *(.stack) }
 
+  PROVIDE(__pecoff_data_size = ALIGN(512) - ADDR(.data));
+  PROVIDE(__pecoff_end = ALIGN(512));
+
   .stab 0		: { *(.stab) }
   .stabstr 0		: { *(.stabstr) }
   .stab.excl 0		: { *(.stab.excl) }
-- 
2.9.3

* [PATCH 6/7] arm: compressed: put zImage header and EFI header in dedicated section
  2017-05-30 18:36 ` Ard Biesheuvel
@ 2017-05-30 18:36     ` Ard Biesheuvel
  -1 siblings, 0 replies; 18+ messages in thread
From: Ard Biesheuvel @ 2017-05-30 18:36 UTC (permalink / raw)
  To: linux-efi-u79uwXL29TY76Z2rM5mHXA, linux-I+IVW8TIWO2tmTQ+vhA3Yw
  Cc: linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r,
	matt-mF/unelCI9GS6iBeEJttW/XRex20P6io,
	leif.lindholm-QSEj5FYQhm4dnm+yROfE0A, Ard Biesheuvel

To align the PE/COFF and the ELF headers of the decompressor binary, put
the zImage header and the EFI header in a separate .start section, and
emit it at the start of the Image. This change is necessary for UEFI
based debug tooling to be able to use the vmlinux ELF binary, since it
gets confused if the PE/COFF .text section and the ELF .text section live
at different offsets.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
---
 arch/arm/boot/compressed/efi-header.S  | 1 +
 arch/arm/boot/compressed/vmlinux.lds.S | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/arch/arm/boot/compressed/efi-header.S b/arch/arm/boot/compressed/efi-header.S
index 3b1d95f43f2b..a0567ed366c6 100644
--- a/arch/arm/boot/compressed/efi-header.S
+++ b/arch/arm/boot/compressed/efi-header.S
@@ -126,5 +126,6 @@ section_table:
 
 	.align	12
 __efi_start:
+	.text
 #endif
 	.endm
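Review bot: The added .text directive sits before the #endif, so the macro only switches section when the EFI header is built in; otherwise whatever follows the macro stays in the section the caller was in, and the ELF layout differs between the two configurations. If that is intended, say so in a comment; if not, move the directive after the #endif. A macro that changes the current section as a side effect also deserves a note at the call site.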
diff --git a/arch/arm/boot/compressed/vmlinux.lds.S b/arch/arm/boot/compressed/vmlinux.lds.S
index dfcc2baa0077..aa0ee9b5affe 100644
--- a/arch/arm/boot/compressed/vmlinux.lds.S
+++ b/arch/arm/boot/compressed/vmlinux.lds.S
@@ -39,9 +39,11 @@ SECTIONS
   . = TEXT_START;
   _text = .;
 
-  .text : {
+  .start : {
     _start = .;
     *(.start)
+  }
+  .text : {
     *(.text)
     *(.text.*)
     *(.fixup)
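Review bot: Nothing here ties the start of the new .text output section to __efi_start, which is the address the PE/COFF .text entry uses, so the two views line up only because .start happens to end on the ".align 12" boundary. Since the commit message says the debug tooling breaks when the offsets differ, add a linker ASSERT for EFI builds that the address of .text equals __efi_start.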
-- 
2.9.3

* [PATCH 6/7] arm: compressed: put zImage header and EFI header in dedicated section
@ 2017-05-30 18:36     ` Ard Biesheuvel
  0 siblings, 0 replies; 18+ messages in thread
From: Ard Biesheuvel @ 2017-05-30 18:36 UTC (permalink / raw)
  To: linux-arm-kernel

To align the PE/COFF and the ELF headers of the decompressor binary, put
the zImage header and the EFI header in a separate .start section, and
emit it at the start of the Image. This change is necessary for UEFI
based debug tooling to be able to use the vmlinux ELF binary, since it
gets confused if the PE/COFF .text section and the ELF .text section live
at different offsets.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 arch/arm/boot/compressed/efi-header.S  | 1 +
 arch/arm/boot/compressed/vmlinux.lds.S | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/arch/arm/boot/compressed/efi-header.S b/arch/arm/boot/compressed/efi-header.S
index 3b1d95f43f2b..a0567ed366c6 100644
--- a/arch/arm/boot/compressed/efi-header.S
+++ b/arch/arm/boot/compressed/efi-header.S
@@ -126,5 +126,6 @@ section_table:
 
 	.align	12
 __efi_start:
+	.text
 #endif
 	.endm
diff --git a/arch/arm/boot/compressed/vmlinux.lds.S b/arch/arm/boot/compressed/vmlinux.lds.S
index dfcc2baa0077..aa0ee9b5affe 100644
--- a/arch/arm/boot/compressed/vmlinux.lds.S
+++ b/arch/arm/boot/compressed/vmlinux.lds.S
@@ -39,9 +39,11 @@ SECTIONS
   . = TEXT_START;
   _text = .;
 
-  .text : {
+  .start : {
     _start = .;
     *(.start)
+  }
+  .text : {
     *(.text)
     *(.text.*)
     *(.fixup)
-- 
2.9.3

* [PATCH 7/7] arm: efi: add PE/COFF debug table to EFI header
  2017-05-30 18:36 ` Ard Biesheuvel
@ 2017-05-30 18:36     ` Ard Biesheuvel
  -1 siblings, 0 replies; 18+ messages in thread
From: Ard Biesheuvel @ 2017-05-30 18:36 UTC (permalink / raw)
  To: linux-efi-u79uwXL29TY76Z2rM5mHXA, linux-I+IVW8TIWO2tmTQ+vhA3Yw
  Cc: linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r,
	matt-mF/unelCI9GS6iBeEJttW/XRex20P6io,
	leif.lindholm-QSEj5FYQhm4dnm+yROfE0A, Ard Biesheuvel

This updates the PE/COFF header to emit the absolute path to the
decompressor vmlinux ELF file into a so-called NB10 Codeview entry.
This is hugely helpful when debugging the firmware->stub handover.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
---
 arch/arm/boot/compressed/Makefile     |  4 ++
 arch/arm/boot/compressed/efi-header.S | 40 ++++++++++++++++++++
 2 files changed, 44 insertions(+)

diff --git a/arch/arm/boot/compressed/Makefile b/arch/arm/boot/compressed/Makefile
index d50430c40045..6b978bdbac3e 100644
--- a/arch/arm/boot/compressed/Makefile
+++ b/arch/arm/boot/compressed/Makefile
@@ -196,3 +196,7 @@ AFLAGS_hyp-stub.o := -Wa,-march=armv7-a
 
 $(obj)/hyp-stub.S: $(srctree)/arch/$(SRCARCH)/kernel/hyp-stub.S
 	$(call cmd,shipped)
+
+ifeq ($(CONFIG_EFI)$(CONFIG_DEBUG_INFO),yy)
+AFLAGS_head.o += -DVMLINUX_PATH="\"$(realpath $(obj)/vmlinux)\""
+endif
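Review bot: "$(realpath $(obj)/vmlinux)" bakes the absolute build directory into the image, so two builds of the same tree in different locations produce different zImages and the path is disclosed to anyone who has the binary; the cover letter itself points out that a stable layout matters when signing for UEFI secure boot. Consider a separate opt-in config symbol rather than piggybacking on CONFIG_DEBUG_INFO. The guards also differ: this defines VMLINUX_PATH only when CONFIG_EFI and CONFIG_DEBUG_INFO are both y, while efi-header.S tests only CONFIG_DEBUG_INFO at the point where it emits the string.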
diff --git a/arch/arm/boot/compressed/efi-header.S b/arch/arm/boot/compressed/efi-header.S
index a0567ed366c6..3dedaab49cb8 100644
--- a/arch/arm/boot/compressed/efi-header.S
+++ b/arch/arm/boot/compressed/efi-header.S
@@ -124,6 +124,46 @@ section_table:
 
 	.set	section_count, (. - section_table) / 40
 
+#ifdef CONFIG_DEBUG_INFO
+	/*
+	 * The debug table is referenced via its Relative Virtual Address (RVA),
+	 * which is only defined for those parts of the image that are covered
+	 * by a section declaration. Since this header is not covered by any
+	 * section, the debug table must be emitted elsewhere. So stick it in
+	 * the .init.rodata section instead.
+	 *
+	 * Note that the EFI debug entry itself may legally have a zero RVA,
+	 * which means we can simply put it right after the section headers.
+	 */
+	.section	".rodata", #alloc
+
+	.align	2
+efi_debug_table:
+	// EFI_IMAGE_DEBUG_DIRECTORY_ENTRY
+	.long	0					@ Characteristics
+	.long	0					@ TimeDateStamp
+	.short	0					@ MajorVersion
+	.short	0					@ MinorVersion
+	.long	IMAGE_DEBUG_TYPE_CODEVIEW		@ Type
+	.long	efi_debug_entry_size			@ SizeOfData
+	.long	0					@ RVA
+	.long	efi_debug_entry - start			@ FileOffset
+
+	.set	efi_debug_table_size, . - efi_debug_table
+	.previous
+
+efi_debug_entry:
+	// EFI_IMAGE_DEBUG_CODEVIEW_NB10_ENTRY
+	.ascii	"NB10"					@ Signature
+	.long	0					@ Unknown
+	.long	0					@ Unknown2
+	.long	0					@ Unknown3
+
+	.asciz	VMLINUX_PATH
+
+	.set	efi_debug_entry_size, . - efi_debug_entry
+#endif
+
 	.align	12
 __efi_start:
 	.text
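Review bot: efi_debug_table and efi_debug_table_size are defined here but no line in this patch points a data directory entry of the optional header at them (the 40 insertions the diffstat reports for this file are all in this hunk), so unless an earlier patch in the series already references these symbols the firmware will never find the table. The block comment also says the table goes into .init.rodata while the directive below it is '.section ".rodata", #alloc'; make the two agree.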
-- 
2.9.3

* [PATCH 7/7] arm: efi: add PE/COFF debug table to EFI header
@ 2017-05-30 18:36     ` Ard Biesheuvel
  0 siblings, 0 replies; 18+ messages in thread
From: Ard Biesheuvel @ 2017-05-30 18:36 UTC (permalink / raw)
  To: linux-arm-kernel

This updates the PE/COFF header to emit the absolute path to the
decompressor vmlinux ELF file into a so-called NB10 Codeview entry.
This is hugely helpful when debugging the firmware->stub handover.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 arch/arm/boot/compressed/Makefile     |  4 ++
 arch/arm/boot/compressed/efi-header.S | 40 ++++++++++++++++++++
 2 files changed, 44 insertions(+)

diff --git a/arch/arm/boot/compressed/Makefile b/arch/arm/boot/compressed/Makefile
index d50430c40045..6b978bdbac3e 100644
--- a/arch/arm/boot/compressed/Makefile
+++ b/arch/arm/boot/compressed/Makefile
@@ -196,3 +196,7 @@ AFLAGS_hyp-stub.o := -Wa,-march=armv7-a
 
 $(obj)/hyp-stub.S: $(srctree)/arch/$(SRCARCH)/kernel/hyp-stub.S
 	$(call cmd,shipped)
+
+ifeq ($(CONFIG_EFI)$(CONFIG_DEBUG_INFO),yy)
+AFLAGS_head.o += -DVMLINUX_PATH="\"$(realpath $(obj)/vmlinux)\""
+endif
diff --git a/arch/arm/boot/compressed/efi-header.S b/arch/arm/boot/compressed/efi-header.S
index a0567ed366c6..3dedaab49cb8 100644
--- a/arch/arm/boot/compressed/efi-header.S
+++ b/arch/arm/boot/compressed/efi-header.S
@@ -124,6 +124,46 @@ section_table:
 
 	.set	section_count, (. - section_table) / 40
 
+#ifdef CONFIG_DEBUG_INFO
+	/*
+	 * The debug table is referenced via its Relative Virtual Address (RVA),
+	 * which is only defined for those parts of the image that are covered
+	 * by a section declaration. Since this header is not covered by any
+	 * section, the debug table must be emitted elsewhere. So stick it in
+	 * the .init.rodata section instead.
+	 *
+	 * Note that the EFI debug entry itself may legally have a zero RVA,
+	 * which means we can simply put it right after the section headers.
+	 */
+	.section	".rodata", #alloc
+
+	.align	2
+efi_debug_table:
+	// EFI_IMAGE_DEBUG_DIRECTORY_ENTRY
+	.long	0					@ Characteristics
+	.long	0					@ TimeDateStamp
+	.short	0					@ MajorVersion
+	.short	0					@ MinorVersion
+	.long	IMAGE_DEBUG_TYPE_CODEVIEW		@ Type
+	.long	efi_debug_entry_size			@ SizeOfData
+	.long	0					@ RVA
+	.long	efi_debug_entry - start			@ FileOffset
+
+	.set	efi_debug_table_size, . - efi_debug_table
+	.previous
+
+efi_debug_entry:
+	// EFI_IMAGE_DEBUG_CODEVIEW_NB10_ENTRY
+	.ascii	"NB10"					@ Signature
+	.long	0					@ Unknown
+	.long	0					@ Unknown2
+	.long	0					@ Unknown3
+
+	.asciz	VMLINUX_PATH
+
+	.set	efi_debug_entry_size, . - efi_debug_entry
+#endif
+
 	.align	12
 __efi_start:
 	.text
-- 
2.9.3

* Re: [PATCH 0/7] ARM: efi: PE/COFF cleanup/hardening
  2017-05-30 18:36 ` Ard Biesheuvel
@ 2017-06-21 12:20     ` Ard Biesheuvel
  -1 siblings, 0 replies; 18+ messages in thread
From: Ard Biesheuvel @ 2017-06-21 12:20 UTC (permalink / raw)
  To: linux-efi-u79uwXL29TY76Z2rM5mHXA, Russell King
  Cc: linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r, Matt Fleming,
	Leif Lindholm, Ard Biesheuvel

On 30 May 2017 at 20:36, Ard Biesheuvel <ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org> wrote:
> This is the ARM counterpart of the changes now in v4.12 to clean up
> the PE/COFF header that makes the kernel zImage loadable directly from
> UEFI, and to enhance it with hardening and debug features.
>
> First of all, the cleanup consists of making the header comply with the
> PE/COFF spec (#1), removing the .reloc section (#2) and replacing all
> open coded constants with #defines from linux/pe.h
>
> Patch #4 is a standalone patch that removes ksymtab/kcrctab sections that
> may get pulled in inadvertently when the decompressor is built with EFI
> support. Note that these sections are tiny and harmless by themselves, but
> the linker may dump them in unexpected places if they are not placed
> explicitly, which may interfere with the image layout. This is especially
> important when signing zImages for UEFI secure boot.
>
> Patch #5 changes the description of the decompressor in memory, so that the
> UEFI firmware can apply strict ro/nx protections, resulting in a more secure
> execution environment for the UEFI stub.
>
> Patch #6 splits the decompressor .start and .text output sections, so that
> the ELF view aligns with the PE/COFF view of the binary. This is useful for
> debugging, but has no other benefits (or downsides, for that matter)
>
> Patch #7 enhances the decompressor binary with a NB10 Codeview debug entry
> referring to the path to arch/arm/boot/compressed/vmlinux on the build host.
> This is another debug feature that allows seamless source level single step
> debugging of the UEFI stub while executing in the context of the firmware.
>
> Ard Biesheuvel (7):
>   arm: efi: remove forbidden values from the PE/COFF header
>   arm: efi: remove pointless dummy .reloc section

If nobody objects, I am going to queue these first 2 for v4.13. The
remaining ones need acks and/or need to be rebased once v4.13-rc1 is
out, but I've been sitting on these for a while now, so I'd like to
have some movement here.

-- 
Ard.


>   arm: efi: replace open coded constants with symbolic ones
>   arm: compressed: discard ksymtab/kcrctab sections
>   arm: efi: split zImage code and data into separate PE/COFF sections
>   arm: compressed: put zImage header and EFI header in dedicated section
>   arm: efi: add PE/COFF debug table to EFI header
>
>  arch/arm/boot/compressed/Makefile      |   4 +
>  arch/arm/boot/compressed/efi-header.S  | 247 ++++++++++++--------
>  arch/arm/boot/compressed/vmlinux.lds.S |  39 +++-
>  3 files changed, 180 insertions(+), 110 deletions(-)
>
> --
> 2.9.3
>

* [PATCH 0/7] ARM: efi: PE/COFF cleanup/hardening
@ 2017-06-21 12:20     ` Ard Biesheuvel
  0 siblings, 0 replies; 18+ messages in thread
From: Ard Biesheuvel @ 2017-06-21 12:20 UTC (permalink / raw)
  To: linux-arm-kernel

On 30 May 2017 at 20:36, Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
> This is the ARM counterpart of the changes now in v4.12 to clean up
> the PE/COFF header that makes the kernel zImage loadable directly from
> UEFI, and to enhance it with hardening and debug features.
>
> First of all, the cleanup consists of making the header comply with the
> PE/COFF spec (#1), removing the .reloc section (#2) and replacing all
> open coded constants with #defines from linux/pe.h
>
> Patch #4 is a standalone patch that removes ksymtab/kcrctab sections that
> may get pulled in inadvertently when the decompressor is built with EFI
> support. Note that these sections are tiny and harmless by themselves, but
> the linker may dump them in unexpected places if they are not placed
> explicitly, which may interfere with the image layout. This is especially
> important when signing zImages for UEFI secure boot.
>
> Patch #5 changes the description of the decompressor in memory, so that the
> UEFI firmware can apply strict ro/nx protections, resulting in a more secure
> execution environment for the UEFI stub.
>
> Patch #6 splits the decompressor .start and .text output sections, so that
> the ELF view aligns with the PE/COFF view of the binary. This is useful for
> debugging, but has no other benefits (or downsides, for that matter)
>
> Patch #7 enhances the decompressor binary with a NB10 Codeview debug entry
> referring to the path to arch/arm/boot/compressed/vmlinux on the build host.
> This is another debug feature that allows seamless source level single step
> debugging of the UEFI stub while executing in the context of the firmware.
>
> Ard Biesheuvel (7):
>   arm: efi: remove forbidden values from the PE/COFF header
>   arm: efi: remove pointless dummy .reloc section

If nobody objects, I am going to queue these first 2 for v4.13. The
remaining ones need acks and/or need to be rebased once v4.13-rc1 is
out, but I've been sitting on these for a while now, so I'd like to
have some movement here.

-- 
Ard.


>   arm: efi: replace open coded constants with symbolic ones
>   arm: compressed: discard ksymtab/kcrctab sections
>   arm: efi: split zImage code and data into separate PE/COFF sections
>   arm: compressed: put zImage header and EFI header in dedicated section
>   arm: efi: add PE/COFF debug table to EFI header
>
>  arch/arm/boot/compressed/Makefile      |   4 +
>  arch/arm/boot/compressed/efi-header.S  | 247 ++++++++++++--------
>  arch/arm/boot/compressed/vmlinux.lds.S |  39 +++-
>  3 files changed, 180 insertions(+), 110 deletions(-)
>
> --
> 2.9.3
>
