This is a follow-up to work proposed by Evgeny to tighten memory permissions used by the EFI stub and subsequently by the decompressor on x86. Instead of going out of our way to make more space in the first 500 bytes of the image, and relying on non-1:1 mapped sections (which is risky in the context of bespoke PE loaders), these patches reorganize the header so the PE header comes after the x86 setup header, and can be extended at will. I pushed a branch at [1] that combines this with v4 of Evgeny's series (after some minor surgery, e.g., to reorder the text and rodata sections so they are contiguous) We might split off the rodata section as well, and give it read/non-exec permissions, but I'd like to discuss the approach first, and perhaps get some testing data points. Cc: Evgeniy Baskov <baskov@xxxxxxxxx> Cc: Borislav Petkov <bp@xxxxxxxxx> Cc: Alexey Khoroshilov <khoroshilov@xxxxxxxxx> Cc: Peter Jones <pjones@xxxxxxxxxx> Cc: "Limonciello, Mario" <mario.limonciello@xxxxxxx> [0] https://lore.kernel.org/linux-efi/cover.1671098103.git.baskov@xxxxxxxxx/ [1] https://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git/log/?h=efi-x86-nx-v4 Ard Biesheuvel (4): efi: x86: Use private copy of struct setup_header efi: x86: Move PE header after setup header efi: x86: Drop alignment section header flags efi: x86: Split PE/COFF .text section into .text and .data arch/x86/boot/Makefile | 2 +- arch/x86/boot/header.S | 52 +++++++++----------- arch/x86/boot/setup.ld | 1 + arch/x86/boot/tools/build.c | 38 +++++++++----- drivers/firmware/efi/libstub/x86-stub.c | 43 +++------------- 5 files changed, 59 insertions(+), 77 deletions(-) -- 2.39.2
