Re: [PATCH] efi: libstub: Disable struct randomization


 



On Mon, 22 Aug 2022 at 21:58, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>
> On Mon, Aug 22, 2022 at 07:29:53PM +0200, Ard Biesheuvel wrote:
> > The EFI stub is a wrapper around the core kernel that makes it look like
> > an EFI compatible PE/COFF application to the EFI firmware. EFI
> > applications run on top of the EFI runtime, which is heavily based on
> > so-called protocols, which are struct types consisting [mostly] of
> > function pointer members that are instantiated and recorded in a
> > protocol database.
> >
> > These structs look like the ideal randomization candidates to the
> > randstruct plugin (as they only carry function pointers), but of course,
> > these protocols are contracts between the firmware that exposes them,
> > and the EFI applications (including our stubbed kernel) that invoke
> > them. This means that struct randomization for EFI protocols is not a
> > great idea, and given that the stub shares very little data with the
> > core kernel that is represented as a randomizable struct, we're better
> > off just disabling it completely here.
> >
> > Reported-by: Daniel Marth <daniel.marth@xxxxxxxxxxxxxxxxx>
> > Tested-by: Daniel Marth <daniel.marth@xxxxxxxxxxxxxxxxx>
> > Signed-off-by: Ard Biesheuvel <ardb@xxxxxxxxxx>
>
> Acked-by: Kees Cook <keescook@xxxxxxxxxxxx>
>

I've queued this up as a fix with a cc:stable.

Thanks all,
Ard.
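
Added example, not part of the thread or of the kernel patch: a user-space C sketch of the failure mode the commit message describes, where one side fills a function-pointer table in a fixed order and the other side is built with a permuted layout. The struct names, the three members and the permutation are constructed for illustration; randstruct derives its own ordering from a build seed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int (*proto_fn)(void);

/* Constructed stand-in for an EFI protocol; member order is the contract. */
struct proto_spec { proto_fn reset, read, write; };

/* Same members in a constructed permutation, standing in for the order a
 * layout-randomizing build could choose for an all-function-pointer struct. */
struct proto_shuffled { proto_fn write, reset, read; };

_Static_assert(sizeof(struct proto_spec) == sizeof(struct proto_shuffled),
               "same size, so the mismatch is silent");

static int fw_reset(void) { return 1; }
static int fw_read(void)  { return 2; }
static int fw_write(void) { return 3; }

/* "Firmware" side: fills the table in spec order. */
static const struct proto_spec fw_instance = { fw_reset, fw_read, fw_write };

/* Caller built with the spec layout reaches fw_read. */
int call_read_spec(const struct proto_spec *iface)
{
    return iface->read();
}

/* Caller built with the shuffled layout: the same p.read() expression
 * now loads the third slot, which the firmware filled with fw_write. */
int call_read_shuffled(const void *iface)
{
    struct proto_shuffled p;
    memcpy(&p, iface, sizeof(p));   /* reinterpret the bytes without aliasing UB */
    return p.read();
}

/* Check a build could enforce: the member offset must match the spec. */
int read_offset_matches_spec(void)
{
    return offsetof(struct proto_shuffled, read) == offsetof(struct proto_spec, read);
}

int main(void)
{
    printf("spec caller:     read() -> %d\n", call_read_spec(&fw_instance));
    printf("shuffled caller: read() -> %d\n", call_read_shuffled(&fw_instance));
    printf("offsets match:   %d\n", read_offset_matches_spec());
    return 0;
}
```

Because both layouts have the same size and member types, nothing fails at compile or link time; only an offset comparison against the specified layout exposes the mismatch.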


