PE/COFF images that can tolerate running under a strict W^X policy when it comes to firmware provided allocations should indicate so, by setting the associated bit in the PE/COFF header.

Today, this makes little difference, but going forward, restricted policies regarding secure boot and measured boot (e.g., MS Secured-core) may refuse to run such images altogether.

Given that the zboot and arm64 EFI stub implementations do not rely on firmware provided mappings being writable and executable at the same time, let's set this bit.

Note that a change landed in v6.3 where we no longer tolerate this unless we remap the relocated kernel code read-only/executable explicitly (patch #2)

Cc: Peter Jones <pjones@xxxxxxxxxx>
Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
Cc: Ilias Apalodimas <ilias.apalodimas@xxxxxxxxxx>
Cc: Kees Cook <keescook@xxxxxxxxxxxx>

Ard Biesheuvel (3):
  efi/libstub: zboot: Mark zboot EFI application as NX compatible
  efi/libstub: arm64: Remap relocated image with strict permissions
  arm64: efi: Set NX compat flag in PE/COFF header

 arch/arm64/kernel/efi-header.S              | 2 +-
 drivers/firmware/efi/libstub/arm64-stub.c   | 1 +
 drivers/firmware/efi/libstub/zboot-header.S | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

-- 
2.39.2
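An added example, not part of the patch series: one way to audit whether an EFI image advertises the bit the cover letter refers to, which the PE/COFF specification names IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100) in the optional header's DllCharacteristics field. The function names and the sample headers are constructed for illustration; the check for sections mapped both writable and executable goes beyond the header bit and is included as a related W^X audit.

```python
import struct

IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def audit_pe(data: bytes) -> dict:
    """Report the NX_COMPAT bit and any section flagged both writable and executable."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsect, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B) or opt_size < 72:          # PE32 / PE32+
        raise ValueError("unsupported optional header")
    # Subsystem and DllCharacteristics sit at offsets 68 and 70 in both formats.
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    wx, sect = [], opt + opt_size
    for i in range(nsect):                                    # 40-byte section headers
        name, flags = struct.unpack_from("<8s28xI", data, sect + 40 * i)
        if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
            wx.append(name.rstrip(b"\0").decode("ascii", "replace"))
    return {"nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
            "subsystem": subsystem, "wx_sections": wx}

def build_sample(dll_chars: int, sections) -> bytes:
    """Constructed minimal PE32+ headers (not a bootable image), for the demo only."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0xAA64, len(sections), 0, 0, 0, 112, 0x0206)
    opt = bytearray(112)
    struct.pack_into("<H", opt, 0, 0x20B)                     # PE32+ magic
    struct.pack_into("<HH", opt, 68, 10, dll_chars)           # subsystem 10 = EFI application
    body = b"".join(struct.pack("<8s28xI", n, f) for n, f in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + body

if __name__ == "__main__":
    hardened = build_sample(0x0100, [(b".text", 0x60000020), (b".data", 0xC0000040)])
    legacy = build_sample(0x0000, [(b".text", 0xE0000020)])
    print(audit_pe(hardened))
    print(audit_pe(legacy))
```

To check a real build artifact, pass the file's bytes to audit_pe(); only the headers are read.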