On Mon, Aug 15, 2022 at 03:20:28PM +0200, Ard Biesheuvel wrote:
> Move the EFI mixed mode return trampoline RET into .rodata, so it is
> normally mapped without executable permissions. And given that this
> snippet of code is really the only kernel code that we ever execute via
> this 1:1 mapping, let's unmap the 1:1 mapping of the kernel .text, and
> only map the page that covers the return trampoline with executable
> permissions.
>
> Note that the remainder of .rodata needs to remain mapped into the 1:1
> mapping with RO/NX permissions, as literal GUIDs and strings may be
> passed to the variable routines.
>
> Signed-off-by: Ard Biesheuvel <ardb@xxxxxxxxxx>
> ---
> arch/x86/platform/efi/efi_64.c | 18 +++++++++++++-----
> arch/x86/platform/efi/efi_thunk_64.S | 8 +++++---
> 2 files changed, 18 insertions(+), 8 deletions(-)
Acked-by: Borislav Petkov <bp@xxxxxxx>
For some reason, objtool is not happy here:
vmlinux.o: warning: objtool: efi_thunk_query_variable_info_nonblocking+0x1ba: unreachable instruction
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
