On Mon, 15 Aug 2022 at 21:46, Borislav Petkov <bp@xxxxxxxxx> wrote:
>
> On Mon, Aug 15, 2022 at 03:20:28PM +0200, Ard Biesheuvel wrote:
> > Move the EFI mixed mode return trampoline RET into .rodata, so it is
> > normally mapped without executable permissions. And given that this
> > snippet of code is really the only kernel code that we ever execute via
> > this 1:1 mapping, let's unmap the 1:1 mapping of the kernel .text, and
> > only map the page that covers the return trampoline with executable
> > permissions.
> >
> > Note that the remainder of .rodata needs to remain mapped into the 1:1
> > mapping with RO/NX permissions, as literal GUIDs and strings may be
> > passed to the variable routines.
> >
> > Signed-off-by: Ard Biesheuvel <ardb@xxxxxxxxxx>
> > ---
> > arch/x86/platform/efi/efi_64.c | 18 +++++++++++++-----
> > arch/x86/platform/efi/efi_thunk_64.S | 8 +++++---
> > 2 files changed, 18 insertions(+), 8 deletions(-)
>
> Acked-by: Borislav Petkov <bp@xxxxxxx>
>
> For some reason, objtool is not happy here:
>
> vmlinux.o: warning: objtool: efi_thunk_query_variable_info_nonblocking+0x1ba: unreachable instruction
>

I'm not seeing that warning. Any config in particular beyond
x86_64_defconfig that you have enabled? I'm using Debian GCC 12.1.0 btw