* Ard Biesheuvel <ardb@xxxxxxxxxx> wrote: > From: Ard Biesheuvel <ardb@xxxxxxxxxx> > > Now that the EFI stub boot flow no longer relies on memory that is > executable and writable at the same time, we can reorganize the PE/COFF > view of the kernel image and expose the decompressor binary's code and > r/o data as a .text section and data/bss as a .data section, using 4k > alignment and limited permissions. > > Doing so is necessary for compatibility with hardening measures that are > being rolled out on x86 PCs built to run Windows (i.e., the majority of > them). The EFI boot environment that the Linux EFI stub executes in is > especially sensitive to safety issues, given that a vulnerability in the > loader of one OS can be abused to attack another. > > In true x86 fashion, this is a lot more complicated than on other > architectures, which have implemented this code/data split with 4k > alignment from the beginning. The complicating factor here is that the > boot image consists of two different parts, which are stitched together > and fixed up using a special build tool. > > After this series is applied, the only remaining task performed by the > build tool is generating the CRC-32. Even though this checksum is > usually wrong (given that distro kernels are signed for secure boot in a > way that corrupts the CRC), this feature is retained as we cannot be > sure that nobody is relying on this. > > This supersedes the work proposed by Evgeniy last year, which did a > major rewrite of the build tool in order to clean it up, before updating > it to generate the new 4k aligned image layout. As this series proves, > the build tool is mostly unnecessary, and we have too many of those > already. > > Changes since v2: > - rebase onto tip/master > - drop patches that have been picked up already > - fix issue in the linker script that resulted in a bogus setup_size in > some cases when using ld.bfd > - fix comment capitalization > > Changes since v1: > - drop patch that removed the CRC and the build tool > - do not use fixed setup_size but derive it in the setup.ld linker > script > - reorganize the PE header so the .compat section only covers its > payload and the padding that follows it > - add hpa's ack to patch #4 > > Cc: Evgeniy Baskov <baskov@xxxxxxxxx> > Cc: Borislav Petkov <bp@xxxxxxxxx> > Cc: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx> > Cc: Ingo Molnar <mingo@xxxxxxxxxx> > Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx> > Cc: Peter Jones <pjones@xxxxxxxxxx> > Cc: Matthew Garrett <mjg59@xxxxxxxxxxxxx> > Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx> > Cc: Kees Cook <keescook@xxxxxxxxxxxx> > Cc: "H. Peter Anvin" <hpa@xxxxxxxxx> > > > Ard Biesheuvel (8): > x86/boot: Grab kernel_info offset from zoffset header directly > x86/boot: Set EFI handover offset directly in header asm > x86/boot: Define setup size in linker script > x86/boot: Derive file size from _edata symbol > x86/boot: Construct PE/COFF .text section from assembler > x86/boot: Drop PE/COFF .reloc section > x86/boot: Split off PE/COFF .data section > x86/boot: Increase section and file alignment to 4k/512 > > arch/x86/boot/Makefile | 2 +- > arch/x86/boot/compressed/vmlinux.lds.S | 5 +- > arch/x86/boot/header.S | 146 +++++++------ > arch/x86/boot/setup.ld | 7 +- > arch/x86/boot/tools/build.c | 223 +------------------- > 5 files changed, 97 insertions(+), 286 deletions(-) Applied to tip:x86/boot, thanks! Ingo
