On 2023-03-08 23:22, Ard Biesheuvel wrote:
This is a follow-up to work proposed by Evgeny to tighten memory
permissions used by the EFI stub and subsequently by the decompressor
on
x86.
Instead of going out of our way to make more space in the first 500
bytes of the image, and relying on non-1:1 mapped sections (which is
risky in the context of bespoke PE loaders), these patches reorganize
the header so the PE header comes after the x86 setup header, and can
be
extended at will.
I pushed a branch at [1] that combines this with v4 of Evgeny's series
(after some minor surgery, e.g., to reorder the text and rodata
sections
so they are contiguous)
We might split off the rodata section as well, and give it
read/non-exec
permissions, but I'd like to discuss the approach first, and perhaps
get
some testing data points.
Cc: Evgeniy Baskov <baskov@xxxxxxxxx>
Cc: Borislav Petkov <bp@xxxxxxxxx>
Cc: Alexey Khoroshilov <khoroshilov@xxxxxxxxx>
Cc: Peter Jones <pjones@xxxxxxxxxx>
Cc: "Limonciello, Mario" <mario.limonciello@xxxxxxx>
[0]
https://lore.kernel.org/linux-efi/cover.1671098103.git.baskov@xxxxxxxxx/
[1]
https://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git/log/?h=efi-x86-nx-v4
Ard Biesheuvel (4):
efi: x86: Use private copy of struct setup_header
efi: x86: Move PE header after setup header
efi: x86: Drop alignment section header flags
efi: x86: Split PE/COFF .text section into .text and .data
arch/x86/boot/Makefile | 2 +-
arch/x86/boot/header.S | 52 +++++++++-----------
arch/x86/boot/setup.ld | 1 +
arch/x86/boot/tools/build.c | 38 +++++++++-----
drivers/firmware/efi/libstub/x86-stub.c | 43 +++-------------
5 files changed, 59 insertions(+), 77 deletions(-)
I've quickly looked through these patches but I'll do more testing
tomorrow.
This approach seems to be better than mine if it will work. I've tried
the similar thing but I did not think of creating the local copy of the
bootparams and the attempt to map them did not work since the PE loader
I am trying to get kernel booting with does not accept sections before
the PE header. But since the bootparams is inside the padding and is
not used, it should be fine.
But this will still need more changes to work properly with stricter PE
loaders like the one that I've mentioned in my patch series [1].
The image should also have 4K aligned section virtual addresses and
sizes
(even on .reloc and .compat AFAIK), otherwise UEFI will ignore memory
attributes (or refuse to load the kernel). Another desired thing is
having
adjacent section with no padding in between them, since [1] does have a
mode that requires sections them to be adjacent.
(SizeOfHeaders/header_size
should also be set to the size of setup since it is also checked to be
adjacent to the first section.)
I did not do the one-to-one mapping of file and virtual addresses since
it
would require almost 4K paddings for the auxiliary sections.
[1] https://github.com/acidanthera/audk/tree/secure_pe
Thanks,
Evgeniy Baskov
